selinux-policy/policy-20071130.patch


diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.5/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/config/appconfig-mcs/failsafe_context 2007-12-19 05:38:08.000000000 -0500
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-mcs/guest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts 2008-01-02 11:19:34.000000000 -0500
@@ -1,11 +1,7 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
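Review bot: The comment block kept as context at L31–L33 (`# Uncomment if you want to automatically login as sysadm_r`) now describes a line that is no longer commented out, so it misleads the next reader; the same stale comment survives in config/appconfig-standard/root_default_contexts in the hunk ending at L102. Since the first alternative on the re-enabled sshd_t line is `unconfined_r:unconfined_t`, root logging in over sshd will presumably land in the unconfined domain by default rather than sysadm_r, which is a notable change in what this file grants. Suggest rewriting the comment to state the new default, e.g. `# root logging in via sshd defaults to unconfined_r; comment out to require an explicit role change`, or deleting it.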
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.5/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/config/appconfig-mcs/seusers 2007-12-19 05:38:08.000000000 -0500
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+__default__:unconfined_u:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-mcs/unconfined_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
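Review bot: L54 pairs `sysadm_su_t` with the `system_r` role (`system_r:sysadm_su_t:s0`), whereas the lines this patch removes from root_default_contexts (L27–L29) listed the su domains under their own roles (`sysadm_r:sysadm_su_t:s0`); if su for an unconfined user still runs as `sysadm_r:sysadm_su_t` this entry will never match. That cannot be confirmed from the hunk, so it is worth checking against the role the su domain actually runs in before the file ships.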
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.5/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/config/appconfig-mcs/userhelper_context 2007-12-19 05:38:08.000000000 -0500
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-mcs/xguest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
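Review bot: The source contexts on the five added lines (`system_r:local_login_t`, `system_r:sshd_t`, …) carry no MLS level, while every other file in config/appconfig-mcs touched by this patch writes the level on both sides (`system_r:local_login_t:s0 guest_r:guest_t:s0` at L17–L20, and the unconfined_u file at L48–L56); this looks like the appconfig-standard variant at L107–L111 copied into the mcs directory unchanged. If the libselinux matcher stops at whitespace as well as `:` the entries will still match, but the files in one directory should be written the same way so they can be diffed mechanically, e.g. `system_r:local_login_t:s0 xguest_r:xguest_t:s0`.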
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.5/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-mls/guest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.5/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-standard/guest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts
--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts 2008-01-02 11:20:32.000000000 -0500
@@ -1,11 +1,7 @@
system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.5/Makefile
--- nsaserefpolicy/Makefile 2007-10-12 08:56:10.000000000 -0400
+++ serefpolicy-3.2.5/Makefile 2007-12-19 05:38:08.000000000 -0500
@@ -305,20 +305,22 @@
# parse-rolemap modulename,outputfile
define parse-rolemap
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ echo "" >> $2
+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# perrole-expansion modulename,outputfile
define perrole-expansion
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
- $(call parse-rolemap,$1,$2)
- $(verbose) echo "')" >> $2
-
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
- $(call parse-rolemap-compat,$1,$2)
- $(verbose) echo "')" >> $2
+ echo "No longer doing perrole-expansion"
+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+# $(call parse-rolemap,$1,$2)
+# $(verbose) echo "')" >> $2
+
+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+# $(call parse-rolemap-compat,$1,$2)
+# $(verbose) echo "')" >> $2
endef
# create-base-per-role-tmpl modulenames,outputfile
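Review bot: Both `define` blocks keep their old bodies as `#`-prefixed lines (L121–L122, L135–L142) instead of deleting them; when the macro is expanded inside a recipe those lines are handed to the shell as comments, which is harmless but leaves dead recipe text that drifts from the code around it. The new `echo "" >> $2` at L120 also drops the `$(verbose)` prefix the surrounding recipes use, so it is echoed on every module build; `$(verbose) echo "" >> $2` keeps the quiet mode consistent. Note that `perrole-expansion` previously created `$2` with `>` (L126), and after this change nothing in the macro creates `$2`, so any caller that expects the output file to exist afterwards needs checking — the callers are outside this hunk.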
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.2.5/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2007-10-12 08:56:10.000000000 -0400
+++ serefpolicy-3.2.5/man/man8/httpd_selinux.8 2008-01-15 09:08:57.000000000 -0500
@@ -93,6 +93,11 @@
.EE
.PP
+httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
+
+.EX
+setsebool -P httpd_can_sendmail 1
+.PP
httpd can be configured to turn off internal scripting (PHP). PHP and other
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.5/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400
+++ serefpolicy-3.2.5/policy/flask/access_vectors 2007-12-19 05:38:08.000000000 -0500
@@ -639,6 +639,8 @@
send
recv
relabelto
+ flow_in
+ flow_out
}
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.5/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/global_tunables 2007-12-19 05:38:08.000000000 -0500
@@ -34,7 +34,7 @@
## <desc>
## <p>
-## Enable polyinstantiated directory support.
+## Allow login programs to use polyinstantiated directories.
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)
@@ -61,15 +61,6 @@
## <desc>
## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
-## <desc>
-## <p>
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
@@ -129,3 +120,12 @@
## </p>
## </desc>
gen_tunable(write_untrusted_content,false)
+
+## <desc>
+## <p>
+## Allow direct login to the console device. Required for System 390
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
+
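Review bot: `gen_tunable(mail_read_content,false)` is removed here (L183–L188), but any module that still references the tunable in a `tunable_policy(\`mail_read_content', …)` block will fail to build unless its declaration was moved into that module's .te; the modules are not in this hunk, so that should be confirmed. The new `allow_console_login` block also ends with two trailing blank lines (L206–L207) where the rest of the file separates tunables with one; drop the extra line.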
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.5/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-10-29 18:02:32.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/admin/alsa.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,8 +1,11 @@
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-
+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
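Review bot: The three new entries are appended out of path order — `/bin/alsaunmute` (L222) follows `/var/lib/alsa(/.*)?` (L221) and `/sbin/salsa` (L220) follows `/usr/bin/ainit` — whereas the existing lines are sorted by path, which is what makes duplicate or shadowing patterns easy to spot in .fc files. Suggest ordering them `/bin/alsaunmute`, the `/etc/…` entries, `/sbin/alsactl`, `/sbin/salsa`, `/usr/bin/ainit`, `/var/lib/alsa(/.*)?`.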
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.5/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/alsa.if 2007-12-19 05:38:08.000000000 -0500
@@ -74,3 +74,21 @@
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
')
+
+########################################
+## <summary>
+## Read alsa lib config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+ gen_require(`
+ type alsa_var_lib_t;
+ ')
+
+ read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t)
+')
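Review bot: `alsa_read_lib` grants read on `alsa_var_lib_t` files (L246) but does not give the caller search on the parent `/var/lib` directory, so a domain that does not already have `files_search_var_lib` cannot reach the files it was just allowed to read; compare `kismet_read_lib_files` later in this patch (L479–L487), which pairs its allow with `files_search_var_lib($1)`. Add `files_search_var_lib($1)` before the `read_files_pattern` line. The interface above (L227–L228) also reads symlinks of its type with `read_lnk_files_pattern`; `read_lnk_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t)` may be wanted here for the same reason, since `/var/lib/alsa(/.*)?` in alsa.fc labels symlinks too.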
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.5/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/alsa.te 2007-12-20 08:55:02.000000000 -0500
@@ -8,12 +8,15 @@
type alsa_t;
type alsa_exec_t;
-application_domain(alsa_t, alsa_exec_t)
+init_system_domain(alsa_t, alsa_exec_t)
role system_r types alsa_t;
type alsa_etc_rw_t;
files_type(alsa_etc_rw_t)
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
########################################
#
# Local policy
@@ -30,14 +33,23 @@
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+files_search_var_lib(alsa_t)
+manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+
kernel_read_system_state(alsa_t)
dev_read_sound(alsa_t)
dev_write_sound(alsa_t)
+corecmd_exec_bin(alsa_t)
+can_exec(alsa_t, alsa_exec_t)
+
files_search_home(alsa_t)
files_read_etc_files(alsa_t)
+auth_use_nsswitch(alsa_t)
+
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
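Review bot: `manage_dirs_pattern`/`manage_files_pattern` on `alsa_var_lib_t` (L269–L270) are not paired with a `files_var_lib_filetrans(alsa_t, alsa_var_lib_t, dir)`, so if alsactl ever has to create `/var/lib/alsa` itself the directory inherits `var_lib_t` and the writes that follow are denied; kismet.te later in this patch shows the pairing (`files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir })`, L718). Whether the directory is always package-created is not visible here. `can_exec(alsa_t, alsa_exec_t)` (L276) also deserves a one-line why-comment naming which alsa binary re-executes another `alsa_exec_t` file, since without it the rule reads as an oversight.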
@@ -48,10 +60,7 @@
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_generic_user_home_dirs(alsa_t)
-
-optional_policy(`
- nscd_socket_use(alsa_t)
-')
+userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.5/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/anaconda.te 2007-12-19 05:38:08.000000000 -0500
@@ -31,16 +31,13 @@
modutils_domtrans_insmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
unconfined_domain(anaconda_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
optional_policy(`
- dmesg_domtrans(anaconda_t)
-')
-
-optional_policy(`
kudzu_domtrans(anaconda_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.5/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/brctl.te 2007-12-19 05:38:08.000000000 -0500
@@ -40,4 +40,5 @@
optional_policy(`
xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.5/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/consoletype.te 2007-12-19 05:38:08.000000000 -0500
@@ -8,9 +8,11 @@
type consoletype_t;
type consoletype_exec_t;
-application_executable_file(consoletype_exec_t)
-init_domain(consoletype_t,consoletype_exec_t)
-init_system_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+#init_system_domain(consoletype_t,consoletype_exec_t)
+application_domain(consoletype_t, consoletype_exec_t)
+
role system_r types consoletype_t;
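Review bot: L329–L330 keep the replaced `init_domain`/`init_system_domain` calls as comments under `#dont transition from initrc`; the comment alone carries the intent, and the commented-out policy lines are dead text that should be dropped. The next hunk (ending L345) widens `term_use_unallocated_ttys` to `term_use_all_terms` and `init_write_script_pipes` to `init_rw_script_pipes` without a comment recording which denial motivated the broader access; a one-line why-comment above each, in the style of the file's existing comments, would let a later reviewer narrow the rule again with confidence.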
########################################
@@ -43,12 +45,12 @@
mls_file_write_all_levels(consoletype_t)
term_use_console(consoletype_t)
-term_use_unallocated_ttys(consoletype_t)
+term_use_all_terms(consoletype_t)
init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
-init_write_script_pipes(consoletype_t)
+init_rw_script_pipes(consoletype_t)
domain_use_interactive_fds(consoletype_t)
@@ -88,6 +90,10 @@
')
optional_policy(`
+ hotplug_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
logrotate_dontaudit_use_fds(consoletype_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.5/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/firstboot.te 2007-12-19 05:38:08.000000000 -0500
@@ -120,6 +120,10 @@
usermanage_domtrans_admin_passwd(firstboot_t)
')
+optional_policy(`
+ xserver_xdm_rw_shm(firstboot_t)
+')
+
ifdef(`TODO',`
allow firstboot_t proc_t:file write;
@@ -132,7 +136,4 @@
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')
-ifdef(`xserver.te', `
- domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.5/policy/modules/admin/kismet.fc
--- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/kismet.fc 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,5 @@
+
+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.5/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/kismet.if 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,275 @@
+
+## <summary>policy for kismet</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run kismet.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_domtrans',`
+ gen_require(`
+ type kismet_t;
+ type kismet_exec_t;
+ ')
+
+ domtrans_pattern($1,kismet_exec_t,kismet_t)
+')
+
+
+########################################
+## <summary>
+## Read kismet PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 kismet_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage kismet var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_var_run',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
+ manage_dirs_pattern($1,kismet_var_run_t,kismet_var_run_t)
+ manage_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
+ manage_lnk_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Search kismet lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_search_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_read_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:file read_file_perms;
+ allow $1 kismet_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## kismet lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_lib_files',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ allow $1 kismet_var_lib_t:file manage_file_perms;
+ allow $1 kismet_var_lib_t:dir rw_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Manage kismet var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_var_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
+ manage_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
+ manage_lnk_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Allow the specified domain to read kismet's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_read_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## kismet log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_append_log',`
+ gen_require(`
+ type var_log_t, kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, kismet_log_t, kismet_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage kismet log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kismet_manage_log',`
+ gen_require(`
+ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1,kismet_log_t,kismet_log_t)
+ manage_files_pattern($1,kismet_log_t,kismet_log_t)
+ manage_lnk_files_pattern($1,kismet_log_t,kismet_log_t)
+')
+
+########################################
+## <summary>
+## Execute kismet in the kismet domain, and
+## allow the specified role the kismet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the kismet domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`kismet_run',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ kismet_domtrans($1)
+ role $2 types kismet_t;
+ dontaudit kismet_t $3:chr_file rw_term_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate an kismet environment
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the kismet domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_admin',`
+ gen_require(`
+ type kismet_t;
+ ')
+
+ allow $2 kismet_t:process { ptrace signal_perms getattr };
+ read_files_pattern($2, kismet_t, kismet_t)
+
+
+ kismet_manage_var_run($2)
+
+ kismet_manage_var_lib($2)
+
+ kismet_manage_log($2)
+
+')
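Review bot: `kismet_append_log` (L562–L569) requires `type var_log_t` that its body never uses, and `var_log_t` belongs to the logging module — the interface should require only `kismet_log_t` and leave `/var/log` access to the `logging_search_logs($1)` call it already makes. Several `<param>` summaries are copy-paste leftovers: `kismet_append_log` says `Domain allowed to transition.` and `kismet_manage_log` says `Domain to not audit.` where both mean `Domain allowed access.`, and `kismet_admin` documents a `prefix` parameter and a `role` parameter (`$3`) that its body never references, alongside the typos `an kismet` and `uder_t`. Because these `##` blocks are extracted into the generated interface reference, the mismatches become user-facing documentation.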
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.5/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/kismet.te 2007-12-19 05:38:08.000000000 -0500
@@ -0,0 +1,58 @@
+policy_module(kismet,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kismet_t;
+type kismet_exec_t;
+application_domain(kismet_t, kismet_exec_t)
+role system_r types kismet_t;
+
+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
+type kismet_var_lib_t;
+files_type(kismet_var_lib_t)
+
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+########################################
+#
+# kismet local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+#============= kismet_t ==============
+allow kismet_t self:capability { net_admin setuid setgid };
+
+corecmd_exec_bin(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
+allow kismet_t self:fifo_file rw_file_perms;
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(kismet_t)
+
+libs_use_ld_so(kismet_t)
+libs_use_shared_libs(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
+
+allow kismet_t kismet_var_lib_t:file manage_file_perms;
+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
+files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir })
+
+allow kismet_t kismet_log_t:file manage_file_perms;
+allow kismet_t kismet_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(kismet_t,kismet_log_t,{ file dir })
+
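Review bot: The domain is granted `net_admin setuid setgid` (L695) but no socket rules at all — no `packet_socket` or `rawip_socket` class, no `net_raw` capability, no `corenet_*` interface — so if kismet opens raw or packet sockets, as the `kismet_server.pid` PID file (L380) suggests a long-running server would, those operations will be denied and the module silently depends on being run from an unconfined caller; confirm against an audit log before shipping. `role system_r types kismet_t;` (L676) combined with `application_domain` and no init-script entry rule also reads as a leftover. The comment at L693 uses the `##` prefix that this policy reserves for extracted XML documentation; make it a plain `# internal communication is often done using fifo and unix sockets.` comment.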
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.5/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/kudzu.te 2007-12-19 05:38:08.000000000 -0500
@@ -21,8 +21,8 @@
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
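Review bot: `sys_ptrace` moves from the `dontaudit` set to the `allow` set (L730–L733), and the hunk ending at L752 adds `init_ptrace_init_domain(kudzu_t)`, so a hardware-probing tool may now ptrace init; the original dontaudit records that the denial was known and deliberately silenced, and the change carries no comment saying which operation now needs the capability. Add a why-comment above L732 naming the denial being fixed, in the style of the existing `# kudzu will telinit to make init re-read` comment that justifies `init_telinit`. In configurations where the `unconfined_domain(kudzu_t)` block (L761–L762) is active the widening has no practical effect, but the rule remains in the strict build.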
@@ -68,6 +68,7 @@
modutils_read_module_deps(kudzu_t)
modutils_read_module_config(kudzu_t)
modutils_rename_module_config(kudzu_t)
+modutils_unlink_module_config(kudzu_t)
storage_read_scsi_generic(kudzu_t)
storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
+init_read_init_state(kudzu_t)
+init_ptrace_init_domain(kudzu_t)
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
@@ -142,28 +145,6 @@
')
optional_policy(`
- # cjp: this was originally in the else block
- # of ifdef userhelper.te, but it seems to
- # make more sense here. also, require
- # blocks curently do not work in the
- # else block of optionals
+ unconfined_domtrans(kudzu_t)
unconfined_domain(kudzu_t)
')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
- allow kudzu_t printconf_t:file { getattr read };
-')
-optional_policy(`
- allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
- allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
- role system_r types sysadm_userhelper_t;
- domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.5/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/logrotate.te 2007-12-19 05:38:08.000000000 -0500
@@ -96,9 +96,11 @@
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
+files_getattr_generic_locks(logrotate_t)
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.5/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/logwatch.te 2007-12-19 05:38:08.000000000 -0500
@@ -59,10 +59,8 @@
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
files_search_mnt(logwatch_t)
-files_dontaudit_search_home(logwatch_t)
-files_dontaudit_search_boot(logwatch_t)
# Execs df and if file system mounted with a context avc raised
-files_dontaudit_search_all_dirs(logwatch_t)
+files_search_all(logwatch_t)
fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
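Review bot: L806–L807 turn `files_dontaudit_search_all_dirs` into `files_search_all`, but the comment kept above it (`# Execs df and if file system mounted with a context avc raised`) justifies silencing a denial, not granting search on every directory type in the system; either rewrite the comment to say why logwatch now needs the access, or keep the dontaudit. The same swap appears in logrotate.te at L789 with no comment at all. The `userdom_dontaudit_*sysadm_home_dirs` removals in the next hunk (L812–L813) are presumably redundant under the new allow, which is consistent if the widening is intended.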
@@ -88,9 +86,6 @@
sysnet_dns_name_resolve(logwatch_t)
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-
mta_send_mail(logwatch_t)
optional_policy(`
@@ -132,4 +127,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.5/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/netutils.te 2007-12-19 05:38:08.000000000 -0500
@@ -94,6 +94,10 @@
')
optional_policy(`
+ vmware_append_log(netutils_t)
+')
+
+optional_policy(`
xen_append_log(netutils_t)
')
@@ -107,12 +111,14 @@
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket create_netlink_socket_perms;
corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
+corenet_raw_bind_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.5/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/prelink.te 2007-12-19 05:38:08.000000000 -0500
@@ -26,7 +26,7 @@
# Local policy
#
-allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
@@ -40,7 +40,7 @@
read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
@@ -49,8 +49,7 @@
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
kernel_read_system_state(prelink_t)
-kernel_dontaudit_search_kernel_sysctl(prelink_t)
-kernel_dontaudit_search_sysctl(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
@@ -65,6 +64,8 @@
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -81,6 +82,11 @@
miscfiles_read_localization(prelink_t)
+# prelink executables in the user homedir
+userdom_manage_unpriv_users_home_content_files(prelink_t)
+userdom_mmap_unpriv_user_home_content_files(prelink_t)
+userdom_dontaudit_relabel_unpriv_user_home_content_files(prelink_t)
+
optional_policy(`
amanda_manage_lib(prelink_t)
')
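Review bot: The grant at L882 is wider than the comment at L881 describes: userdom_manage_unpriv_users_home_content_files gives prelink_t create, write and delete on every file type derived from unprivileged users' home content, not only executables, and L883 adds mmap on the same set. prelink parses ELF files the user controls, so a parser bug in prelink would run with write access to all of those users' home files; consider gating these three lines on a tunable (`tunable_policy(`prelink_user_home',` … `)`) and, if a narrower executable-labelled home content type exists, restricting to it. At minimum the comment should state the real scope, e.g. `# prelink manages (create/write/delete) all unprivileged users' home content files, not just executables`.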
@@ -88,3 +94,7 @@
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
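Review bot: `unconfined_domain(prelink_t)` at L895 makes every fine-grained rule in this file irrelevant whenever the unconfined module is loaded, and it is added with no comment saying what prelink needed that the rules above do not give it. prelink rewrites every executable and library on the system from user-controlled ELF input, so this is exactly the domain one would want to keep confined; if a specific denial motivated the change, the narrower interface is preferable. Otherwise the block deserves a comment such as `# targeted policy: prelink_t runs unconfined; the rules above remain for strict policy`, and a tunable would let strict-policy users opt out.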
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.5/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/rpm.fc 2007-12-19 05:38:08.000000000 -0500
@@ -11,6 +11,7 @@
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -21,6 +22,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-11 15:53:03.000000000 -0500
@@ -152,6 +152,24 @@
########################################
## <summary>
+## dontaudit read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_pipes',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
@@ -173,6 +191,27 @@
########################################
## <summary>
+## Send and receive messages from
+## rpm_script over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+ gen_require(`
+ type rpm_script_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rpm_script_t:dbus send_msg;
+ allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
@@ -210,6 +249,24 @@
########################################
## <summary>
+## dontaudit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_use_script_fds',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ dontaudit $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
@@ -225,7 +282,29 @@
')
files_search_tmp($1)
+ manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+ manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+## read, RPM
+## script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ read_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+ read_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
')
########################################
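Review bot: rpm_read_script_tmp_files (L1011-1018) does not call files_search_tmp($1), unlike the manage variant directly above it at L994, so a caller that cannot already search /tmp is denied before it reaches the rpm_script_tmp_t files; add `files_search_tmp($1)` before the read_files_pattern line. The summary at L1002-1003 is also garbled ("read, RPM script temporary files"); suggest `## Read RPM script temporary files and symlinks.`.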
@@ -289,3 +368,137 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
+
+
+########################################
+## <summary>
+## Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_transition_script',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:process transition;
+
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## allow domain to read,
+## write RPM tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ allow $1 rpm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## write RPM tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ dontaudit $1 rpm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## write RPM shm
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_shm',`
+ gen_require(`
+ type rpm_t;
+ ')
+
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Read/write rpm tmpfs files.
+## </summary>
+## <desc>
+## <p>
+## Read/write rpm tmpfs files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_tmpfs_files',`
+ gen_require(`
+ type rpm_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 rpm_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+ read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Transition to system_r when execute an rpm script
+## </summary>
+## <desc>
+## <p>
+## Execute rpm script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+interface(`rpm_role_transition',`
+ gen_require(`
+ type rpm_exec_t;
+ ')
+
+ role_transition $1 rpm_exec_t system_r;
+')
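Review bot: rpm_transition_script (L1036-1047) grants a bare `process transition` into rpm_script_t with no entry point, i.e. the caller can setexec into rpm_script_t, and rpm.te makes rpm_script_t an unconfined_domain at L1201, so this interface hands out an unconfined-equivalent transition; its summary should say so, e.g. `## Allow a domain to manually (setexec) transition to rpm_script_t, which is unconfined when the unconfined module is loaded.`, so callers are not added casually. Two documentation slips in the same hunk: the parameter summary of rpm_rw_tmp_files at L1056 says "Domain to not audit." although the interface allows access (should read `Domain allowed access.`), and rpm_role_transition at L1151 is missing the `#` line that closes the XML doc comment, which the other interfaces have (e.g. L1120).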
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.5/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/rpm.te 2007-12-19 05:38:08.000000000 -0500
@@ -179,7 +179,17 @@
')
optional_policy(`
- hal_dbus_chat(rpm_t)
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ dbus_system_domain(rpm_t,rpm_exec_t)
+ ')
')
optional_policy(`
@@ -190,6 +200,7 @@
unconfined_domain(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
+ unconfined_dbus_chat(rpm_script_t)
')
ifdef(`TODO',`
@@ -216,7 +227,7 @@
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
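Review bot: Dropping execmem and execstack from the excluded set at L1189 grants rpm_script_t executable anonymous memory and executable stacks for all package scriptlets (the `~{ }` form allows everything not listed), with no comment naming the scriptlet that needed it. The same patch already adds unconfined_execmem_domtrans(rpm_script_t) at L1203 for the case where the unconfined module is present, so this self grant only matters when scripts are actually confined, which is precisely where keeping W^X counts; consider restoring the two exclusions or adding a comment such as `# execmem/execstack: needed by <scriptlet>`. The enclosing rpm_script_t block continues outside the hunk.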
@@ -317,6 +328,7 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
@@ -342,6 +354,7 @@
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domtrans(rpm_script_t)
+ unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
java_domtrans(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.5/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/sudo.if 2007-12-19 05:38:08.000000000 -0500
@@ -55,7 +55,7 @@
#
# Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
@@ -68,27 +68,26 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
# Enter this derived domain from the user domain
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t,$2)
+ corecmd_bin_domtrans($1_sudo_t,$2)
allow $2 $1_sudo_t:fd use;
allow $2 $1_sudo_t:fifo_file rw_file_perms;
allow $2 $1_sudo_t:process sigchld;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
- kernel_search_key($1_sudo_t)
dev_read_urand($1_sudo_t)
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
- auth_domtrans_chk_passwd($1_sudo_t)
+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
auth_use_nsswitch($1_sudo_t)
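Review bot: The comment at L1224 still says the revert to the calling domain happens only for shells, but the new corecmd_bin_domtrans at L1226 makes every bin_t executable run through sudo transition back to $2, so a root-uid process started by sudo runs in the caller's domain rather than in $1_sudo_t; update it to `# By default, revert to the calling domain when a shell or any bin_t program is executed.` The netlink_audit_socket rule removed at L1221 appears to be replaced by logging_send_audit_msgs at L1249 in a later hunk, which is consistent. `$1_tty_device_t` and `$1_devpts_t` at L1237 are used without a gen_require in this template, which presumably relies on the userdom template having declared them — worth confirming for every prefix this template is instantiated with.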
@@ -106,12 +105,14 @@
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
+ files_list_tmp($1_sudo_t)
init_rw_utmp($1_sudo_t)
libs_use_ld_so($1_sudo_t)
libs_use_shared_libs($1_sudo_t)
+ logging_send_audit_msgs($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
@@ -125,13 +126,4 @@
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- ifdef(`TODO',`
- # for when the network connection is killed
- dontaudit unpriv_userdomain $1_sudo_t:process signal;
-
- ifdef(`mta.te', `
- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
- ')
-
- ') dnl end TODO
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-08 05:34:26.000000000 -0500
@@ -41,15 +41,13 @@
allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
- # Transition from the user domain to this domain.
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
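Review bot: audit_control is removed from $1_su_t's capabilities at L1271 and is not obviously replaced: logging_send_audit_msgs, added at L1284 in the next hunk, is expected to cover audit_write and the netlink audit socket dropped at L1276, but if su's PAM stack includes pam_loginuid, writing /proc/self/loginuid requires CAP_AUDIT_CONTROL and would now be denied. Confirm either that loginuid is set elsewhere for su sessions or that the interface grants audit_control; otherwise keep `audit_control` in the capability set with a comment `# audit_control: pam_loginuid`. The enclosing template continues outside the hunk.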
@@ -89,6 +87,7 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
+ logging_send_audit_msgs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
@@ -119,11 +118,6 @@
optional_policy(`
kerberos_use($1_su_t)
')
-
- ifdef(`TODO',`
- # Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
- ') dnl end TODO
')
#######################################
@@ -172,13 +166,12 @@
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
- allow $2 $1_su_t:process signal;
+ allow $2 $1_su_t:process { getsched signal };
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
- allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:process { getsched setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
@@ -188,7 +181,7 @@
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
- allow $2 $1_su_t:process sigchld;
+ allow $2 $1_su_t:process { getsched signal sigchld };
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
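Review bot: `getsched` and `signal` on $1_su_t are granted to $2 twice in the same template, at L1302 and again at L1317, which is harmless but leaves it unclear which rule to remove when tightening later; keep one rule, `allow $2 $1_su_t:process { getsched signal sigchld };` at L1317, and drop the L1302 line. The enclosing template continues outside the hunk.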
@@ -203,15 +196,15 @@
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
- auth_domtrans_user_chk_passwd($1,$1_su_t)
+ auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t })
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
- auth_rw_faillog($1_su_t)
- corecmd_search_bin($1_su_t)
+ corecmd_exec_bin($1_su_t)
domain_use_interactive_fds($1_su_t)
+ files_read_usr_symlinks($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
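Review bot: corecmd_exec_bin($1_su_t) at L1329 replaces a search-only permission with executing any bin_t program inside $1_su_t, a domain that holds setuid, setgid, chown, dac_override and fowner (L1304); only shells revert to the caller's domain via corecmd_shell_domtrans, so a non-shell bin_t program keeps those capabilities. If one helper motivated this, a comment naming it, or a domtrans for just that program, would be tighter, e.g. `# su execs <program> in its own domain; needed for <reason>`. auth_rw_faillog is also dropped at L1327, so a pam_tally/faillog module in su's PAM stack could no longer record failed attempts — confirm that is intended.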
@@ -226,12 +219,14 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
+ logging_send_audit_msgs($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
- userdom_use_user_terminals($1,$1_su_t)
+ userdom_search_sysadm_home_dirs($1_su_t)
userdom_search_user_home_dirs($1,$1_su_t)
+ userdom_use_user_terminals($1,$1_su_t)
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
@@ -295,13 +290,7 @@
xserver_domtrans_user_xauth($1, $1_su_t)
')
- ifdef(`TODO',`
- allow $1_su_t $1_home_t:file manage_file_perms;
-
- # Access sshd cookie files.
- allow $1_su_t sshd_tmp_t:file rw_file_perms;
- file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
- ') dnl end TODO
+ userdom_search_all_users_home_dirs($1_su_t)
')
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2007-12-19 05:38:08.000000000 -0500
@@ -28,6 +28,7 @@
files_purge_tmp(tmpreaper_t)
# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
+files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
@@ -43,5 +44,10 @@
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
optional_policy(`
+ kismet_manage_log(tmpreaper_t)
+')
+
+optional_policy(`
lpd_manage_spool(tmpreaper_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.5/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/usermanage.te 2007-12-19 05:38:08.000000000 -0500
@@ -97,6 +97,7 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
+corecmd_exec_bin(chfn_t)
domain_use_interactive_fds(chfn_t)
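Review bot: corecmd_exec_bin(chfn_t) at L1386 lets the setuid chfn helper run any bin_t program in its own domain, a much broader grant than the check-only access the comment at L1384 describes; if chfn needs one program (for instance to validate the shell), name it in a comment and scope the execute rule to that program, `# chfn execs <program> to validate the login shell`. The enclosing chfn_t block continues outside the hunk.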
@@ -290,6 +291,7 @@
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
+auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
@@ -309,6 +311,7 @@
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@@ -518,6 +521,12 @@
')
optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+')
+
+optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.5/policy/modules/admin/vpn.fc
--- nsaserefpolicy/policy/modules/admin/vpn.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/vpn.fc 2007-12-19 05:38:08.000000000 -0500
@@ -7,3 +7,5 @@
# sbin
#
/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.5/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/vpn.if 2007-12-19 05:38:08.000000000 -0500
@@ -67,3 +67,25 @@
allow $1 vpnc_t:process signal;
')
+
+########################################
+## <summary>
+## Send and receive messages from
+## Vpnc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpnc_dbus_chat',`
+ gen_require(`
+ type vpnc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 vpnc_t:dbus send_msg;
+ allow vpnc_t $1:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.5/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/vpn.te 2007-12-19 05:38:08.000000000 -0500
@@ -22,10 +22,9 @@
# Local policy
#
-allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
allow vpnc_t self:process getsched;
allow vpnc_t self:fifo_file { getattr ioctl read write };
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
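Review bot: dac_override is added to vpnc_t at L1458 without a comment naming the file it could not open; dac_override bypasses mode bits on every object vpnc_t's type rules allow, and dac_read_search is often sufficient when the need is only reading a root-owned config or helper script. Add a comment naming the trigger (`# dac_override: <file/operation>`) or try the narrower capability first. The netlink_route_socket rule dropped at L1461 looks to be superseded by the switch to sysnet_domtrans_ifconfig at L1490 in a later hunk, where ifconfig_t would perform the route changes — confirm vpnc itself no longer talks to rtnetlink.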
@@ -38,8 +37,9 @@
manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
+manage_dirs_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
-files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
+files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir})
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -59,6 +59,7 @@
corenet_udp_bind_all_nodes(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
@@ -92,13 +93,14 @@
locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
-sysnet_exec_ifconfig(vpnc_t)
+sysnet_domtrans_ifconfig(vpnc_t)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.5/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:user_ethereal_home_t,s0)
/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.5/policy/modules/apps/ethereal.if
--- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.if 2007-12-19 05:38:08.000000000 -0500
@@ -48,12 +48,10 @@
application_domain($1_ethereal_t,ethereal_exec_t)
role $3 types $1_ethereal_t;
- type $1_ethereal_home_t alias $1_ethereal_rw_t;
- files_poly_member($1_ethereal_home_t)
- userdom_user_home_content($1,$1_ethereal_home_t)
-
- type $1_ethereal_tmp_t;
- files_tmp_file($1_ethereal_tmp_t)
+ ifelse(`$1',`user',`',`
+ typealias user_ethereal_home_t alias $1_ethereal_home_t;
+ typealias user_ethereal_tmp_t alias $1_ethereal_tmp_t;
+ ')
type $1_ethereal_tmpfs_t;
files_tmpfs_file($1_ethereal_tmpfs_t)
@@ -163,17 +161,6 @@
xserver_create_xdm_tmp_sockets($1_ethereal_t)
')
- ifdef(`TODO',`
- # Why does it write this?
- optional_policy(`
- dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
- ')
- #TODO
- gnome_application($1_ethereal, $1)
- gnome_file_dialog($1_ethereal, $1)
- # FIXME: policy is incomplete
- ')
-
')
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.5/policy/modules/apps/ethereal.te
--- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2008-01-11 13:39:25.000000000 -0500
@@ -16,6 +16,13 @@
type tethereal_tmp_t;
files_tmp_file(tethereal_tmp_t)
+type user_ethereal_home_t;
+files_poly_member(user_ethereal_home_t)
+userdom_user_home_content(user,user_ethereal_home_t)
+
+type user_ethereal_tmp_t;
+files_tmp_file(user_ethereal_tmp_t)
+
########################################
#
# Tethereal policy
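Review bot: Replacing the per-role $1_ethereal_home_t with a single user_ethereal_home_t (L1541-1546, aliased for the other roles in ethereal.if at L1513-1516) collapses the type separation between roles' capture and temp files: a domain granted access to user_ethereal_home_t now reaches the .ethereal content of staff and sysadm users alike, with only DAC left to separate them. If that is the intended trade-off, a comment on the declaration would help, e.g. `# shared by every role; per-role separation now relies on DAC/MLS only`; the same consolidation appears for gift (L1639) and gnome (L1648-1650) in this patch.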
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.5/policy/modules/apps/evolution.fc
--- nsaserefpolicy/policy/modules/apps/evolution.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/evolution.fc 2007-12-19 05:38:08.000000000 -0500
@@ -2,13 +2,13 @@
# HOME_DIR/
#
-HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:user_evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:user_evolution_home_t,s0)
#
# /tmp
#
-/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
+/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:user_evolution_exchange_tmp_t,s0)
#
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.5/policy/modules/apps/gift.fc
--- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gift.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:user_gift_home_t,s0)
/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.5/policy/modules/apps/gift.if
--- nsaserefpolicy/policy/modules/apps/gift.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gift.if 2007-12-19 05:38:08.000000000 -0500
@@ -43,9 +43,9 @@
application_domain($1_gift_t,gift_exec_t)
role $3 types $1_gift_t;
- type $1_gift_home_t alias $1_gift_rw_t;
- files_poly_member($1_gift_home_t)
- userdom_user_home_content($1,$1_gift_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_gift_home_t alias $1_gift_home_t;
+ ')
type $1_gift_tmpfs_t;
files_tmpfs_file($1_gift_tmpfs_t)
@@ -67,10 +67,10 @@
manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
- manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
- manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
- userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
+ manage_dirs_pattern($1_gift_t,user_gift_home_t,user_gift_home_t)
+ manage_files_pattern($1_gift_t,user_gift_home_t,user_gift_home_t)
+ manage_lnk_files_pattern($1_gift_t,user_gift_home_t,user_gift_home_t)
+ userdom_user_home_dir_filetrans($1,$1_gift_t,user_gift_home_t,dir)
# Launch gift daemon
domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
@@ -79,12 +79,12 @@
domtrans_pattern($2, gift_exec_t, $1_gift_t)
# user managed content
- manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
- manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
- manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
- relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
- relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
- relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ manage_dirs_pattern($2,user_gift_home_t,user_gift_home_t)
+ manage_files_pattern($2,user_gift_home_t,user_gift_home_t)
+ manage_lnk_files_pattern($2,user_gift_home_t,user_gift_home_t)
+ relabel_dirs_pattern($2,user_gift_home_t,user_gift_home_t)
+ relabel_files_pattern($2,user_gift_home_t,user_gift_home_t)
+ relabel_lnk_files_pattern($2,user_gift_home_t,user_gift_home_t)
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_gift_t)
@@ -143,10 +143,10 @@
allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
allow $1_giftd_t self:udp_socket create_socket_perms;
- manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
- manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
- manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
- userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
+ manage_dirs_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t)
+ manage_files_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t)
+ manage_lnk_files_pattern($1_giftd_t,user_gift_home_t,user_gift_home_t)
+ userdom_user_home_dir_filetrans($1,$1_giftd_t,user_gift_home_t,dir)
domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.5/policy/modules/apps/gift.te
--- nsaserefpolicy/policy/modules/apps/gift.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/gift.te 2007-12-19 05:38:08.000000000 -0500
@@ -11,3 +11,7 @@
type giftd_exec_t;
application_executable_file(giftd_exec_t)
+
+type user_gift_home_t alias user_gift_rw_t;
+userdom_user_home_content(user,user_gift_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.5/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,8 +1,7 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
+HOME_DIR/.gnome2(/.*)? gen_context(system_u:object_r:user_gnome_home_t,s0)
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:user_gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:user_gconf_home_t,s0)
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
-
-/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:user_gconf_tmp_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
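Review bot: The new pattern at L1648 uses an unescaped dot, `HOME_DIR/.gnome2(/.*)?`, so it matches any single character before `gnome2` (e.g. `~/xgnome2`), unlike the escaped `\.config` and `\.gconf` patterns next to it; write `HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:user_gnome_home_t,s0)`. Removing the /etc/gconf gconf_etc_t labeling at L1651 is consistent with the gconf_etc_t rules removed in gnome.if at L1757-1758, but any other module that gen_requires gconf_etc_t would need the same check.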
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.5/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2008-01-11 13:39:51.000000000 -0500
@@ -33,9 +33,60 @@
## </param>
#
template(`gnome_per_role_template',`
+
+ gen_require(`
+ type user_gnome_home_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+ ifelse(`$1',`user',`',`
+ typealias user_gnome_home_t alias $1_gnome_home_t;
+ ')
+
+ manage_dirs_pattern($2,user_gnome_home_t, user_gnome_home_t)
+ manage_files_pattern($2,user_gnome_home_t, user_gnome_home_t)
+')
+
+########################################
+## <summary>
+## The per role template for the gnome gconf module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is used
+## for gconf sessions.
+## </p>
+## <p>
+## This template is invoked automatically for each role, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_gconf_per_role_template',`
gen_require(`
type gconfd_exec_t;
attribute gnomedomain;
+ type user_gconf_home_t, user_gconf_tmp_t;
')
##############################
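Review bot: gnome_per_role_template (L1662-1678) no longer creates a gconfd domain — that moved to the new gnome_gconf_per_role_template — but its doc comment, which begins above this hunk, presumably still describes a derived gconf domain; it should now say it only aliases user_gnome_home_t per role and grants $2 manage access on it. Note too that manage_dirs_pattern/manage_files_pattern at L1676-1677 give $2 full write access to the shared user_gnome_home_t, so every role's user domain can modify every other role's GNOME settings subject only to DAC; if that is intended, a one-line comment saying so would save the next reader from re-deriving it.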
@@ -47,14 +98,10 @@
application_domain($1_gconfd_t, gconfd_exec_t)
role $3 types $1_gconfd_t;
- type $1_gconf_home_t;
- userdom_user_home_content($1, $1_gconf_home_t)
-
- type $1_gnome_home_t;
- userdom_user_home_content($1, $1_gnome_home_t)
-
- type $1_gconf_tmp_t;
- files_tmp_file($1_gconf_tmp_t)
+ ifelse(`$1',`user',`',`
+ typealias user_gconf_home_t alias $1_gconf_home_t;
+ typealias user_gconf_tmp_t alias $1_gconf_tmp_t;
+ ')
##############################
#
@@ -64,22 +111,19 @@
allow $1_gconfd_t self:process getsched;
allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
- manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
- manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
- userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
-
- manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
- manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
- userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
+ manage_dirs_pattern($1_gconfd_t,user_gconf_home_t,user_gconf_home_t)
+ manage_files_pattern($1_gconfd_t,user_gconf_home_t,user_gconf_home_t)
+ userdom_user_home_dir_filetrans($1, $1_gconfd_t, user_gconf_home_t, dir)
+
+ manage_dirs_pattern($1_gconfd_t,user_gconf_tmp_t,user_gconf_tmp_t)
+ manage_files_pattern($1_gconfd_t,user_gconf_tmp_t,user_gconf_tmp_t)
+ userdom_user_tmp_filetrans($1,$1_gconfd_t,user_gconf_tmp_t,{ dir file })
domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
allow $1_gconfd_t $2:fd use;
allow $1_gconfd_t $2:fifo_file write;
allow $1_gconfd_t $2:unix_stream_socket connectto;
- allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
-
ps_process_pattern($2,$1_gconfd_t)
dev_read_urand($1_gconfd_t)
@@ -100,7 +144,12 @@
gnome_stream_connect_gconf_template($1,$2)
optional_policy(`
+ mozilla_stream_connect_template($1,$1_gconfd_t)
+ ')
+
+ optional_policy(`
nscd_dontaudit_search_pid($1_gconfd_t)
+ nscd_socket_use($1_gconfd_t)
')
optional_policy(`
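Review bot: The new `mozilla_stream_connect_template($1,$1_gconfd_t)` call carries no comment saying why the gconf daemon needs to connect to the user's mozilla domain sockets, whereas the neighbouring nscd block is self-explanatory from the interface names. A short why-comment above it, naming the component that requires the connection (e.g. `# gconfd connects back to the mozilla domain's unix socket for <component — confirm>`), would keep the rule from being removed as stray. The enclosing template continues outside this hunk.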
@@ -128,20 +177,39 @@
template(`gnome_stream_connect_gconf_template',`
gen_require(`
type $1_gconfd_t;
- type $1_gconf_tmp_t;
+ type user_gconf_tmp_t;
')
- read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)
+ read_files_pattern($2,user_gconf_tmp_t,user_gconf_tmp_t)
allow $2 $1_gconfd_t:unix_stream_socket connectto;
')
+
+########################################
+## <summary>
+## Send general signals to all gconf domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_signal_all',`
+ gen_require(`
+ attribute gnomedomain;
+ ')
+
+ allow $1 gnomedomain:process signal;
+')
+
########################################
## <summary>
## Run gconfd in the role-specific gconfd domain.
## </summary>
## <desc>
## <p>
-## Run gconfd in the role-specfic gconfd domain.
+## Run gconfd in the role-specific gconfd domain.
## </p>
## <p>
## This is a templated interface, and should only
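Review bot: The summary of the new `gnome_signal_all` interface says "all gconf domains", but the rule it emits is `allow $1 gnomedomain:process signal;`, i.e. every type carrying the `gnomedomain` attribute; it should read `## Send general signals to all gnome domains.` so callers understand the scope. In `gnome_stream_connect_gconf_template` the read access is now on the shared `user_gconf_tmp_t` regardless of `$1`, so `$1` only still selects `$1_gconfd_t` for the `connectto` rule; a comment such as `# tmp files are the shared user_gconf_tmp_t; $1 only selects the gconfd domain` would prevent a reader from assuming per-prefix separation.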
@@ -170,6 +238,30 @@
########################################
## <summary>
+## read gnome homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_read_user_gnome_config',`
+ gen_require(`
+ type user_gnome_home_t;
+ ')
+
+ read_files_pattern($2, user_gnome_home_t, user_gnome_home_t)
+')
+
+########################################
+## <summary>
## manage gnome homedir content (.config)
## </summary>
## <param name="userdomain_prefix">
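Review bot: In the new `gnome_read_user_gnome_config` template the documented `userdomain_prefix` parameter (`$1`) is never used — the body references only `$2` and the shared `user_gnome_home_t` — so the emitted rule is identical for every prefix; either document that (`## The prefix is accepted for symmetry with the other per-role templates and is currently unused.`) or make this a plain interface that takes just the domain. The same applies to `gnome_manage_user_gnome_config` in the next hunk of this file, which likewise drops its `$1` use after this change.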
@@ -186,9 +278,29 @@
#
template(`gnome_manage_user_gnome_config',`
gen_require(`
- type $1_gnome_home_t;
+ type user_gnome_home_t;
+ ')
+
+ manage_dirs_pattern($2, user_gnome_home_t, user_gnome_home_t)
+ manage_files_pattern($2, user_gnome_home_t, user_gnome_home_t)
+')
+
+########################################
+## <summary>
+## Execute gconf programs in
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
')
- allow $2 $1_gnome_home_t:dir manage_dir_perms;
- allow $2 $1_gnome_home_t:file manage_file_perms;
+ can_exec($1, gconfd_exec_t)
')
+
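Review bot: The `<summary>` of the new `gnome_exec_gconf` interface reads "Execute gconf programs in / in the caller domain" — the line break duplicated "in"; collapse it to `## Execute gconf programs in the caller domain.` The hunk also ends the file with an added empty line, which the surrounding refpolicy files do not carry; drop it.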
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.5/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2008-01-11 13:40:13.000000000 -0500
@@ -8,8 +8,19 @@
attribute gnomedomain;
-type gconf_etc_t;
-files_type(gconf_etc_t)
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
+
+type user_gnome_home_t;
+userdom_user_home_type(user_gnome_home_t)
+userdom_user_home_content(user, user_gnome_home_t)
+
+type user_gconf_home_t;
+userdom_user_home_content(user, user_gconf_home_t)
+
+type user_gconf_tmp_t;
+files_tmp_file(user_gconf_tmp_t)
+
+typealias user_gnome_home_t alias unconfined_gnome_home_t;
+typealias user_gconf_home_t alias unconfined_gconf_home_t;
+typealias user_gconf_tmp_t alias unconfined_gconf_tmp_t;
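Review bot: `user_gnome_home_t` is declared with both `userdom_user_home_type(user_gnome_home_t)` and `userdom_user_home_content(user, user_gnome_home_t)`, while `user_gconf_home_t` a few lines below gets only `userdom_user_home_content`; if the extra call is intentional, a comment saying why gnome home content needs it and gconf home content does not would stop the two from being "harmonised" in either direction. The three file-scope `typealias ... alias unconfined_*_t` lines supply the unconfined aliases outside the template, so if `gnome_gconf_per_role_template` is ever instantiated with the `unconfined` prefix its `ifelse` (which exempts only `user`) would redeclare them — worth confirming and recording, e.g. `# unconfined aliases live here; do not instantiate the per-role template for unconfined`.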
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2008-01-03 16:26:50.000000000 -0500
@@ -1,6 +1,6 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0)
-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-11 13:40:51.000000000 -0500
@@ -38,6 +38,10 @@
gen_require(`
type gpg_exec_t, gpg_helper_exec_t;
type gpg_agent_exec_t, pinentry_exec_t;
+ type gpg_t, gpg_helper_t;
+ type gpg_agent_t, gpg_pinentry_t;
+ type user_gpg_agent_tmp_t;
+ type user_gpg_secret_t;
')
########################################
@@ -45,275 +49,51 @@
# Declarations
#
- type $1_gpg_t;
- application_domain($1_gpg_t,gpg_exec_t)
- role $3 types $1_gpg_t;
-
- type $1_gpg_agent_t;
- application_domain($1_gpg_agent_t,gpg_agent_exec_t)
- role $3 types $1_gpg_agent_t;
-
- type $1_gpg_agent_tmp_t;
- files_tmp_file($1_gpg_agent_tmp_t)
-
- type $1_gpg_secret_t;
- userdom_user_home_content($1,$1_gpg_secret_t)
-
- type $1_gpg_helper_t;
- application_domain($1_gpg_helper_t,gpg_helper_exec_t)
- role $3 types $1_gpg_helper_t;
-
- type $1_gpg_pinentry_t;
- application_domain($1_gpg_pinentry_t,pinentry_exec_t)
- role $3 types $1_gpg_pinentry_t;
+ typealias gpg_t alias $1_gpg_t;
+ role $3 types gpg_t;
- ########################################
- #
- # GPG local policy
- #
-
- allow $1_gpg_t self:capability { ipc_lock setuid };
- allow { $2 $1_gpg_t } $1_gpg_t:process signal;
- # setrlimit is for ulimit -c 0
- allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
- allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
- allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
- # transition from the gpg domain to the helper domain
- domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
-
- manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
- allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
- userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
-
- # transition from the userdomain to the derived domain
- domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
-
- # allow ps to show gpg
- ps_process_pattern($2,$1_gpg_t)
-
- corenet_all_recvfrom_unlabeled($1_gpg_t)
- corenet_all_recvfrom_netlabel($1_gpg_t)
- corenet_tcp_sendrecv_all_if($1_gpg_t)
- corenet_udp_sendrecv_all_if($1_gpg_t)
- corenet_tcp_sendrecv_all_nodes($1_gpg_t)
- corenet_udp_sendrecv_all_nodes($1_gpg_t)
- corenet_tcp_sendrecv_all_ports($1_gpg_t)
- corenet_udp_sendrecv_all_ports($1_gpg_t)
- corenet_tcp_connect_all_ports($1_gpg_t)
- corenet_sendrecv_all_client_packets($1_gpg_t)
-
- dev_read_rand($1_gpg_t)
- dev_read_urand($1_gpg_t)
+ typealias gpg_agent_t alias $1_gpg_agent_t;
+ role $3 types gpg_agent_t;
- fs_getattr_xattr_fs($1_gpg_t)
+ typealias gpg_helper_t alias $1_gpg_helper_t;
+ role $3 types gpg_helper_t;
- domain_use_interactive_fds($1_gpg_t)
+ typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
+ role $3 types gpg_pinentry_t;
- files_read_etc_files($1_gpg_t)
- files_read_usr_files($1_gpg_t)
- files_dontaudit_search_var($1_gpg_t)
-
- libs_use_shared_libs($1_gpg_t)
- libs_use_ld_so($1_gpg_t)
-
- miscfiles_read_localization($1_gpg_t)
-
- logging_send_syslog_msg($1_gpg_t)
-
- sysnet_read_config($1_gpg_t)
-
- userdom_use_user_terminals($1,$1_gpg_t)
-
- optional_policy(`
- nis_use_ypbind($1_gpg_t)
+ ifelse(`$1',`user',`',`
+ typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
+ typealias user_gpg_secret_t alias $1_gpg_secret_t;
')
- ifdef(`TODO',`
- # Read content to encrypt/decrypt/sign
- read_content($1_gpg_t, $1)
-
- # Write content to encrypt/decrypt/sign
- write_trusted($1_gpg_t, $1)
- ') dnl end TODO
-
- ########################################
- #
- # GPG helper local policy
- #
-
- # for helper programs (which automatically fetch keys)
- # Note: this is only tested with the hkp interface. If you use eg the
- # mail interface you will likely need additional permissions.
-
- allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
- allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
- # communicate with the user
- allow $1_gpg_helper_t $2:fd use;
- allow $1_gpg_helper_t $2:fifo_file write;
-
- dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-
- corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
- corenet_all_recvfrom_netlabel($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
- corenet_raw_sendrecv_all_if($1_gpg_helper_t)
- corenet_udp_sendrecv_all_if($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_tcp_bind_all_nodes($1_gpg_helper_t)
- corenet_udp_bind_all_nodes($1_gpg_helper_t)
- corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
- dev_read_urand($1_gpg_helper_t)
-
- files_read_etc_files($1_gpg_helper_t)
- # for nscd
- files_dontaudit_search_var($1_gpg_helper_t)
-
- libs_use_ld_so($1_gpg_helper_t)
- libs_use_shared_libs($1_gpg_helper_t)
-
- sysnet_read_config($1_gpg_helper_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
- ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_gpg_t)
- xserver_rw_xdm_pipes($1_gpg_t)
- ')
-
- ########################################
- #
- # GPG agent local policy
- #
-
- # rlimit: gpg-agent wants to prevent coredumps
- allow $1_gpg_agent_t self:process setrlimit;
+ # transition from the userdomain to the derived domain
+ domtrans_pattern($2,gpg_exec_t,gpg_t)
- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
- allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
- manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ allow $2 gpg_t:process signal_perms;
- # allow gpg to connect to the gpg agent
- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
+ # allow ps to show gpg
+ ps_process_pattern($2,gpg_t)
# allow ps to show gpg-agent
ps_process_pattern($2,$1_gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
- allow $2 $1_gpg_agent_t:process { signal sigkill };
-
- manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
- manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
- manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
- files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
-
- corecmd_search_bin($1_gpg_agent_t)
-
- domain_use_interactive_fds($1_gpg_agent_t)
-
- libs_use_ld_so($1_gpg_agent_t)
- libs_use_shared_libs($1_gpg_agent_t)
-
- miscfiles_read_localization($1_gpg_agent_t)
+ allow $2 gpg_agent_t:process signal_perms;
+ userdom_use_user_terminals($1,gpg_t)
# Write to the user domain tty.
- userdom_use_user_terminals($1,$1_gpg_agent_t)
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- userdom_search_user_home_dirs($1,$1_gpg_agent_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_gpg_agent_t)
- fs_manage_nfs_files($1_gpg_agent_t)
- fs_manage_nfs_symlinks($1_gpg_agent_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_gpg_agent_t)
- fs_manage_cifs_files($1_gpg_agent_t)
- fs_manage_cifs_symlinks($1_gpg_agent_t)
- ')
-
- ##############################
- #
- # Pinentry local policy
- #
+ userdom_use_user_terminals($1,gpg_agent_t)
- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
- # we need to allow gpg-agent to call pinentry so it can get the passphrase
- # from the user.
- domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
-
- # read /proc/meminfo
- kernel_read_system_state($1_gpg_pinentry_t)
-
- files_read_usr_files($1_gpg_pinentry_t)
- # read /etc/X11/qtrc
- files_read_etc_files($1_gpg_pinentry_t)
-
- libs_use_ld_so($1_gpg_pinentry_t)
- libs_use_shared_libs($1_gpg_pinentry_t)
-
- miscfiles_read_fonts($1_gpg_pinentry_t)
- miscfiles_read_localization($1_gpg_pinentry_t)
-
- # for .Xauthority
- userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files($1_gpg_pinentry_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files($1_gpg_pinentry_t)
- ')
-
- optional_policy(`
- xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
- ')
-
- ifdef(`TODO',`
- allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
- # wants to put some lock files into the user home dir, seems to work fine without
- dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
- dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
- tunable_policy(`use_nfs_home_dirs',`
- dontaudit $1_gpg_pinentry_t nfs_t:dir write;
- dontaudit $1_gpg_pinentry_t nfs_t:file write;
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- dontaudit $1_gpg_pinentry_t cifs_t:dir write;
- dontaudit $1_gpg_pinentry_t cifs_t:file write;
- ')
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+ allow gpg_helper_t $2:fifo_file write;
- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
- ') dnl end TODO
+ manage_dirs_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+ manage_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+ manage_sock_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
')
########################################
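Review bot: `allow $2 gpg_t:process signal_perms;` replaces the old `allow { $2 $1_gpg_t } $1_gpg_t:process signal;`, and the agent rule likewise goes from `{ signal sigkill }` to `signal_perms`, so the user domain gains the full signal set on both domains; if only signal/sigkill are needed keep the narrower sets, otherwise a comment should say why the widening is wanted. More fundamentally, `typealias gpg_t alias $1_gpg_t;` with `role $3 types gpg_t;` collapses every role's gpg, agent, helper and pinentry domains into four shared types, and every role's `~/.gnupg` is now the single `user_gpg_secret_t`, so type enforcement no longer separates one role's key material from another's (only DAC does); that is the patch's design choice, but the template header, which is outside this hunk, should state it. Within the hunk the new lines mix `gpg_agent_t` with the alias `$1_gpg_agent_t` (`domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)`, `ps_process_pattern($2,$1_gpg_agent_t)`); using `gpg_agent_t` uniformly would match the gpg_t lines.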
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.5/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.te 2008-01-08 05:15:21.000000000 -0500
@@ -7,15 +7,225 @@
#
# Type for gpg or pgp executables.
+type gpg_t;
type gpg_exec_t;
+application_domain(gpg_t,gpg_exec_t)
+
+type gpg_helper_t;
type gpg_helper_exec_t;
-application_executable_file(gpg_exec_t)
-application_executable_file(gpg_helper_exec_t)
+application_domain(gpg_helper_t,gpg_helper_exec_t)
# Type for the gpg-agent executable.
+type gpg_agent_t;
type gpg_agent_exec_t;
-application_executable_file(gpg_agent_exec_t)
+application_domain(gpg_agent_t,gpg_agent_exec_t)
# type for the pinentry executable
+type gpg_pinentry_t;
type pinentry_exec_t;
-application_executable_file(pinentry_exec_t)
+application_domain(gpg_pinentry_t,pinentry_exec_t)
+
+type user_gpg_agent_tmp_t;
+files_tmp_file(user_gpg_agent_tmp_t)
+
+type user_gpg_secret_t;
+userdom_user_home_content(user,user_gpg_secret_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+allow gpg_t gpg_t:process signal;
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { setrlimit setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
+allow gpg_t user_gpg_secret_t:dir create_dir_perms;
+userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
+userdom_manage_user_home_content_files(user,gpg_t)
+userdom_manage_user_tmp_files(user,gpg_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_all_if(gpg_t)
+corenet_udp_sendrecv_all_if(gpg_t)
+corenet_tcp_sendrecv_all_nodes(gpg_t)
+corenet_udp_sendrecv_all_nodes(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+libs_use_shared_libs(gpg_t)
+libs_use_ld_so(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+sysnet_read_config(gpg_t)
+
+optional_policy(`
+ nis_use_ypbind(gpg_t)
+')
+
+########################################
+#
+# GPG helper local policy
+#
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t user_gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_all_if(gpg_helper_t)
+corenet_raw_sendrecv_all_if(gpg_helper_t)
+corenet_udp_sendrecv_all_if(gpg_helper_t)
+corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
+corenet_udp_sendrecv_all_nodes(gpg_helper_t)
+corenet_raw_sendrecv_all_nodes(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_all_nodes(gpg_helper_t)
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+dev_read_urand(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+# for nscd
+files_dontaudit_search_var(gpg_helper_t)
+
+libs_use_ld_so(gpg_helper_t)
+libs_use_shared_libs(gpg_helper_t)
+
+sysnet_read_config(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)
+
+files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir })
+
+corecmd_search_bin(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+libs_use_ld_so(gpg_agent_t)
+libs_use_shared_libs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+userdom_search_user_home_dirs(user,gpg_agent_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_agent_t)
+ fs_manage_nfs_files(gpg_agent_t)
+ fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_agent_t)
+ fs_manage_cifs_files(gpg_agent_t)
+ fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t,pinentry_exec_t,gpg_pinentry_t)
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+libs_use_ld_so(gpg_pinentry_t)
+libs_use_shared_libs(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(user,gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm_xserver(gpg_pinentry_t)
+')
+
+
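Review bot: `userdom_manage_user_home_content_files(user,gpg_t)` and `userdom_manage_user_tmp_files(user,gpg_t)` are new relative to the removed template code (which only carried a `TODO` for read/write of content) and give gpg_t write access to every user home-content and user tmp file, not just `user_gpg_secret_t`; that is plausibly what encrypting and signing arbitrary files requires, but the two lines carry no comment, and `# gpg reads and writes arbitrary user files when encrypting, decrypting and signing them` above them would record the intent. `allow gpg_t gpg_t:process signal;` should be written `allow gpg_t self:process signal;` like the neighbouring self rules (or folded into the `self:process` set two lines below). The `optional_policy` block granting `xserver_use_xdm_fds(gpg_t)` / `xserver_rw_xdm_pipes(gpg_t)` sits under the "GPG helper local policy" heading although it targets gpg_t; move it into the gpg_t section. The file also ends with two added empty lines.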
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.5/policy/modules/apps/irc.fc
--- nsaserefpolicy/policy/modules/apps/irc.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/irc.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,7 +1,7 @@
#
# /home
#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:user_irc_home_t,s0)
#
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.5/policy/modules/apps/irc.if
--- nsaserefpolicy/policy/modules/apps/irc.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/irc.if 2007-12-19 05:38:08.000000000 -0500
@@ -50,12 +50,11 @@
userdom_user_home_content($1,$1_irc_exec_t)
application_domain($1_irc_t,$1_irc_exec_t)
- type $1_irc_home_t;
- userdom_user_home_content($1,$1_irc_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_irc_home_t alias $1_irc_home_t;
+ typealias user_irc_tmp_t alias $1_irc_tmp_t;
+ ')
- type $1_irc_tmp_t;
- userdom_user_home_content($1,$1_irc_tmp_t)
-
########################################
#
# Local policy
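Review bot: The new `ifelse` block references `user_irc_home_t` and `user_irc_tmp_t`, but unlike the equivalent change in gnome.if (which adds `type user_gconf_home_t, user_gconf_tmp_t;` to the template's `gen_require`), no hunk in this file adds them to the enclosing template's `gen_require`, which lies above this hunk; if it is not updated elsewhere the `typealias` lines will fail at module build. The enclosing template starts and ends outside this hunk.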
@@ -65,18 +64,18 @@
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
- manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
- manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
- manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
- userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
+ manage_dirs_pattern($1_irc_t,user_irc_home_t,user_irc_home_t)
+ manage_files_pattern($1_irc_t,user_irc_home_t,user_irc_home_t)
+ manage_lnk_files_pattern($1_irc_t,user_irc_home_t,user_irc_home_t)
+ userdom_user_home_dir_filetrans($1,$1_irc_t,user_irc_home_t,{ dir file lnk_file })
# access files under /tmp
- manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
- manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
- manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
- manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
- manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
- files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
+ manage_dirs_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t)
+ manage_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t)
+ manage_lnk_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t)
+ manage_fifo_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t)
+ manage_sock_files_pattern($1_irc_t,user_irc_tmp_t,user_irc_tmp_t)
+ files_tmp_filetrans($1_irc_t,user_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domtrans_pattern($2,irc_exec_t,$1_irc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.5/policy/modules/apps/irc.te
--- nsaserefpolicy/policy/modules/apps/irc.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/irc.te 2007-12-19 05:38:08.000000000 -0500
@@ -8,3 +8,10 @@
type irc_exec_t;
application_executable_file(irc_exec_t)
+
+type user_irc_home_t;
+userdom_user_home_content(user,user_irc_home_t)
+
+type user_irc_tmp_t;
+userdom_user_home_content(user,user_irc_tmp_t)
+
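Review bot: `user_irc_tmp_t` is declared with `userdom_user_home_content(user,user_irc_tmp_t)`, yet irc.if uses it as the target of `files_tmp_filetrans($1_irc_t,user_irc_tmp_t,...)`, i.e. for files created under /tmp; the gnome.te and gpg.te hunks in this patch declare their tmp types with `files_tmp_file(...)`, so `files_tmp_file(user_irc_tmp_t)` would be the consistent declaration here. The mismatch is inherited from the removed per-role code, but this hunk is the place to fix it now that the declaration is at file scope. The hunk also adds a trailing empty line at end of file.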
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.5/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/java.fc 2007-12-19 05:38:08.000000000 -0500
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,11 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
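Review bot: `/usr/lib(64)?/openoffice\.org/program/soffice\.bin` and `/usr/bin/octave-[^/]*` are labelled `java_exec_t` although neither is a Java launcher; presumably the intent is to run them in the java domain for its memory-protection exemptions, but without a comment a later maintainer will read these as mislabels, so add one such as `# not java, but run in the java domain (execmem/execstack) — confirm` above them. `/usr/lib/jvm/java(.*/)bin(/.*)?` also makes every regular file under any JVM `bin` tree a java domain entrypoint, which the same comment could note as intended.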
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/java.if 2008-01-13 08:11:05.000000000 -0500
@@ -32,7 +32,7 @@
## </summary>
## </param>
#
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
gen_require(`
type java_exec_t;
')
@@ -57,14 +57,16 @@
# Local policy
#
- allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
+ allow $1_javaplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched };
allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
- allow $1_javaplugin_t self:tcp_socket create_socket_perms;
+ allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
+ allow $1_javaplugin_t $1_t:process signull;
+ allow $1_javaplugin_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_javaplugin_t:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket { read write };
- userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
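Review bot: The three new rules `allow $1_javaplugin_t $1_t:process signull;`, `allow $1_javaplugin_t $1_t:unix_stream_socket connectto;` and `allow $1_t $1_javaplugin_t:unix_stream_socket connectto;` name the user domain as `$1_t`, while the rest of the template — and the `domain_auto_trans` change in the next hunk, which replaces `$1_t` with `$2` — uses the `$2` parameter; use `$2` here too so a caller whose domain is not literally `$1_t` gets the rules. The self:process set also gains `execstack` and `ptrace` unconditionally, and the java.te hunk at the end of this patch deletes the `allow_java_execstack` tunable; if execstack was previously gated by it, a comment should say why it is now always granted. The enclosing template starts outside this hunk.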
@@ -76,13 +78,9 @@
manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
- rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
- read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
-
can_exec($1_javaplugin_t, java_exec_t)
- # The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
+ domain_auto_trans($2, java_exec_t, $1_javaplugin_t)
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
@@ -94,7 +92,7 @@
kernel_read_system_state($1_javaplugin_t)
# Search bin directory under javaplugin for javaplugin executable
- corecmd_search_bin($1_javaplugin_t)
+ corecmd_exec_bin($1_javaplugin_t)
corenet_all_recvfrom_unlabeled($1_javaplugin_t)
corenet_all_recvfrom_netlabel($1_javaplugin_t)
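Review bot: The comment `# Search bin directory under javaplugin for javaplugin executable` now sits above `corecmd_exec_bin($1_javaplugin_t)`, which grants execution of every binary in bin directories rather than a directory search; update it to describe the new grant and name the program that needs it, e.g. `# Execute programs in bin directories (was search-only); needed for <executable — confirm>`. The enclosing template starts and ends outside this hunk.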
@@ -107,10 +105,12 @@
corenet_tcp_connect_all_ports($1_javaplugin_t)
corenet_sendrecv_all_client_packets($1_javaplugin_t)
+ dev_list_sysfs($1_javaplugin_t)
dev_read_sound($1_javaplugin_t)
dev_write_sound($1_javaplugin_t)
dev_read_urand($1_javaplugin_t)
dev_read_rand($1_javaplugin_t)
+ dev_write_rand($1_javaplugin_t)
files_read_etc_files($1_javaplugin_t)
files_read_usr_files($1_javaplugin_t)
@@ -122,6 +122,9 @@
fs_getattr_xattr_fs($1_javaplugin_t)
fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+ fs_getattr_tmpfs($1_javaplugin_t)
+
+ auth_use_nsswitch($1_javaplugin_t)
libs_use_ld_so($1_javaplugin_t)
libs_use_shared_libs($1_javaplugin_t)
@@ -132,11 +135,14 @@
# Read global fonts and font config
miscfiles_read_fonts($1_javaplugin_t)
- sysnet_read_config($1_javaplugin_t)
-
+ userdom_manage_unpriv_users_home_content_files($1_javaplugin_t)
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
+ userdom_manage_user_tmp_dirs($1,$1_javaplugin_t)
+ userdom_manage_user_tmp_files($1,$1_javaplugin_t)
+ userdom_manage_user_tmp_sockets($1,$1_javaplugin_t)
+ userdom_read_user_tmpfs_files($1,$1_javaplugin_t)
userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
userdom_manage_user_home_content_files($1,$1_javaplugin_t)
userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
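Review bot: `userdom_manage_unpriv_users_home_content_files($1_javaplugin_t)` gives the `$1` role's plugin domain manage access to the home content of all unprivileged user types, not only `$1`'s, which is a cross-role widening relative to the `userdom_manage_user_home_content_files($1,$1_javaplugin_t)` line kept just below (and makes that line redundant for unprivileged prefixes); if the cross-user access is required, a comment should say for what, otherwise the per-prefix interface suffices. The removal of `sysnet_read_config` looks intended to be covered by the `auth_use_nsswitch` added in an earlier hunk of this file, which is fine if that interface includes it. The enclosing template continues outside this hunk.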
@@ -156,15 +162,63 @@
')
optional_policy(`
- nis_use_ypbind($1_javaplugin_t)
+ xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
- optional_policy(`
- nscd_socket_use($1_javaplugin_t)
+')
+
+#######################################
+## <summary>
+## The per role template for the java module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`java_per_role_template',`
+ gen_require(`
+ type java_exec_t;
')
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t,java_exec_t)
+ role $3 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_unpriv_usertype($1, $1_java_t)
+
+ allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+ domtrans_pattern($2, java_exec_t, $1_java_t)
+
+ dev_read_urand($1_java_t)
+ dev_read_rand($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
+
optional_policy(`
- xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
+ xserver_xdm_rw_shm($1_java_t)
')
')
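Review bot: In the new `java_per_role_template`, `userdom_unpriv_usertype($1, $1_java_t)` makes `$1_java_t` an unprivileged user type, so the derived domain presumably carries the user domain's access plus `execheap execmem execstack`; the `<desc>` says only that it "creates a derived domains which are used for java applications", which both has a grammar slip and hides that point. Suggest `## This template creates a derived domain for java applications. The domain is an unprivileged user type with execmem, execstack and execheap added, so it relaxes memory protections rather than confining java more tightly than the user domain.` The template's hunk also removes the javaplugin `nis_use_ypbind`/`nscd_socket_use` block, which is fine only if the `auth_use_nsswitch` added earlier in this file covers both.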
@@ -219,3 +273,67 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
+
+########################################
+## <summary>
+## Execute a java in the specified domain
+## </summary>
+## <desc>
+## <p>
+## Execute the java command in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`java_spec_domtrans',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ domain_trans($1,java_exec_t,$2)
+ type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+## <summary>
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the java domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the java domain to use.
+## </summary>
+## </param>
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
+
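Review bot: The description of java_spec_domtrans at L2692–L2695 is copied from a filesystem interface ("execute any file on these filesystems") and does not describe this interface; replace it with `## Execute java_exec_t, transitioning into the caller-chosen domain $2 instead of java_t.` Unlike the sibling java_domtrans just above (L2682), the body also omits `corecmd_search_bin($1)`, so a caller that cannot already search bin_t never reaches the binary; add it unless the omission is deliberate. Separately, java_run hands role $2 the java_t domain, which java.te in this patch aliases to unconfined_java_t and optionally makes unconfined_domain_noaudit, so the interface summary should warn that this is the unconfined Java domain rather than the per-role $1_java_t.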
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.5/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/java.te 2007-12-19 16:44:59.000000000 -0500
@@ -6,16 +6,10 @@
# Declarations
#
-## <desc>
-## <p>
-## Allow java executable stack
-## </p>
-## </desc>
-gen_tunable(allow_java_execstack,false)
-
type java_t;
type java_exec_t;
init_system_domain(java_t,java_exec_t)
+typealias java_t alias unconfined_java_t;
########################################
#
@@ -23,11 +17,23 @@
#
# execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
-init_dbus_chat_script(java_t)
+optional_policy(`
+ init_dbus_chat_script(java_t)
+ optional_policy(`
+ hal_dbus_chat(java_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(java_t)
+ ')
+')
optional_policy(`
unconfined_domain_noaudit(java_t)
- unconfined_dbus_chat(java_t)
+')
+
+optional_policy(`
+ xserver_xdm_rw_shm(java_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.5/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/loadkeys.te 2007-12-19 05:38:08.000000000 -0500
@@ -44,3 +44,5 @@
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
+
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
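Review bot: The new userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) at L2800 is appended after the optional_policy blocks, whereas refpolicy keeps unconditional userdom_* rules in the main local-policy section above them; move it up with the other non-optional rules. A dontaudit that silences writes to users' home files also needs a why-comment, e.g. `# loadkeys is commonly run with stdout/stderr redirected into a file in the user's home; silence rather than allow the write` — that trigger is my guess, confirm it against the AVC that motivated the change.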
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.5/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2007-12-19 16:28:53.000000000 -0500
@@ -18,3 +18,105 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
')
+
+########################################
+## <summary>
+## Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mono domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the mono domain to use.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+ allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+## The per role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`mono_per_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t,mono_exec_t)
+ role $3 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+
+ allow $1_mono_t self:process { execheap execmem };
+ allow $2 $1_mono_t:process noatsecure;
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+
+ optional_policy(`
+ xserver_xdm_rw_shm($1_mono_t)
+ ')
+')
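Review bot: `allow $2 $1_mono_t:process noatsecure;` at L2900 lets the user domain enter $1_mono_t without AT_SECURE, so the mono process inherits LD_PRELOAD/LD_LIBRARY_PATH and similar from the caller's environment; the sibling java_per_role_template in this patch grants no such thing and nothing here says why mono needs it. Add a comment such as `# noatsecure: mono needs the caller's MONO_*/LD_* environment; $1_mono_t is an unprivileged user type (userdom_unpriv_usertype), so no trust boundary is crossed` — the second half is inferred from L2897, please confirm. mono_run at L2848–L2856 also hands role $2 the shared mono_t domain, which mono.te in this patch gives unconfined_dbus_chat; its summary should say this is the system-wide mono domain, not the per-role $1_mono_t.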
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.5/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mono.te 2007-12-19 05:38:08.000000000 -0500
@@ -15,7 +15,7 @@
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { signal getsched execheap execmem };
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
@@ -46,3 +46,7 @@
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
')
+
+optional_policy(`
+ xserver_xdm_rw_shm(mono_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.5/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,8 +1,8 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:user_mozilla_home_t,s0)
#
# /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-13 08:06:37.000000000 -0500
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
+ type user_mozilla_home_t, user_mozilla_tmp_t;
')
+ gen_tunable(browser_confine_$1,false)
+ gen_tunable(browser_write_$1_data,false)
########################################
#
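Review bot: The two gen_tunable calls at L2952–L2953 are emitted inside the template without the `## <desc>` block that refpolicy's tooling uses to describe booleans, so `semanage boolean -l` shows them with no explanation; add e.g. `## <desc><p>Confine the $1 web browser to $1_mozilla_t instead of running it in the user domain.</p></desc>` above each. browser_confine_$1 defaults to false, which together with the can_exec branch later in this template means the browser runs in the user domain unless an administrator flips the boolean; the description should state that explicitly, because it reverses the previous always-transition behaviour.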
@@ -45,20 +48,26 @@
application_domain($1_mozilla_t,mozilla_exec_t)
role $3 types $1_mozilla_t;
- type $1_mozilla_home_t alias $1_mozilla_rw_t;
- files_poly_member($1_mozilla_home_t)
- userdom_user_home_content($1,$1_mozilla_home_t)
-
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
+ ifelse(`$1',`user',`',`
+ typealias user_mozilla_home_t alias $1_mozilla_home_t;
+ typealias user_mozilla_tmp_t alias $1_mozilla_tmp_t;
+ ')
+
+ ########################################
+ #
+ # Local booleans
+ #
+
########################################
#
# Local policy
#
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
- allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+ allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit };
allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
allow $1_mozilla_t self:sem create_sem_perms;
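Review bot: The typealias block at L2965–L2968 makes staff_mozilla_home_t, sysadm_mozilla_home_t and the rest aliases of one user_mozilla_home_t, and L2997–L2999 then let every $1_mozilla_t manage that single type, so the per-role type separation of browser profile data now rests on DAC and MCS alone. If that is intended — it matches the mozilla.fc change — record it next to the typealias, e.g. `# profile data shares one type across roles; separation between users is DAC/MCS only`. The "Local booleans" header at L2970–L2973 is an empty section because the booleans are declared at the top of the template; drop it or move the gen_tunable calls under it. The `ptrace` added to self:process at L2981 also needs a why-comment, since self-ptrace is normally withheld and nothing here names the consumer.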
@@ -71,10 +80,15 @@
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
+ domain_read_all_domains_state($1_mozilla_t)
+
+ fs_getattr_tmpfs($1_mozilla_t)
+ fs_manage_tmpfs_files($1_mozilla_t)
+
# X access, Home files
- manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
- manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
- manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
+ manage_dirs_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t)
+ manage_files_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t)
+ manage_lnk_files_pattern($1_mozilla_t,user_mozilla_home_t,user_mozilla_home_t)
userdom_search_user_home_dirs($1,$1_mozilla_t)
# Mozpluggerrc
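Review bot: domain_read_all_domains_state($1_mozilla_t) at L2988 lets the browser read the /proc state of every process on the system, and fs_manage_tmpfs_files at L2991 lets it create and delete any tmpfs_t-labelled file rather than only its own $1_mozilla_tmpfs_t; both are broad for a domain that parses untrusted web content. If a specific plugin or crash handler needs them, scope the rule (ps_process_pattern on the user domain, or a fs_tmpfs_filetrans into $1_mozilla_tmpfs_t) and add a comment naming the consumer; otherwise prefer the dontaudit variants.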
@@ -89,22 +103,48 @@
allow $2 $1_mozilla_t:unix_stream_socket connectto;
# X access, Home files
- manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
-
- manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
+ manage_dirs_pattern($2,user_mozilla_home_t,user_mozilla_home_t)
+ manage_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t)
+ manage_lnk_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t)
+ relabel_dirs_pattern($2,user_mozilla_home_t,user_mozilla_home_t)
+ relabel_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t)
+ relabel_lnk_files_pattern($2,user_mozilla_home_t,user_mozilla_home_t)
allow $1_mozilla_t $2:process signull;
- domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ tunable_policy(`browser_confine_$1',`
+ domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ ',`
+ can_exec($2, mozilla_exec_t)
+ ')
+
+ userdom_read_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ userdom_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_list_user_files($1,$1_mozilla_t)
+ userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
+ userdom_manage_user_tmp_files($1,$1_mozilla_t)
+ userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_tmp_filetrans_user_tmp($1,$1_mozilla_t, { file dir sock_file })
+ userdom_read_user_tmpfs_files($1,$1_mozilla_t)
+
+ ifdef(`enable_mls',`',`
+ fs_search_removable($1_mozilla_t)
+ fs_read_removable_files($1_mozilla_t)
+ fs_read_removable_symlinks($1_mozilla_t)
+ ')
+
+ tunable_policy(`browser_write_$1_data',`
+ userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+ userdom_manage_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ userdom_manage_user_home_content_pipes($1,$1_mozilla_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir })
+ ', `
+ # helper apps will try to create .files
+ userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t)
+ userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)
+ ')
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
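Review bot: userdom_read_user_home_content_files/symlinks at L3031–L3032 grant the browser unconditional read of the whole home directory, where the old policy gated this behind the mozilla_read_content boolean that mozilla.te in this patch deletes; the new browser_write_$1_data boolean only governs writes. Keep a read-side boolean (or make browser_write_$1_data cover both directions) so sites can still keep a compromised browser out of ~/.ssh and ~/.gnupg, and state the chosen behaviour in the boolean's description. In the else branch at L3056, `userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)` resolves only because of the typealias earlier in the template; naming user_mozilla_home_t directly, as L2997 does, removes that dependency. Since browser_confine_$1 defaults to false, the can_exec branch at L3028 is the shipped behaviour; a comment there, `# default: browser runs in the user domain, no transition`, would make that visible at the point of use.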
@@ -112,11 +152,13 @@
ps_process_pattern($2,$1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
+ kernel_read_fs_sysctls($1_mozilla_t)
kernel_read_kernel_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
- kernel_read_system_state($1_mozilla_t)
- kernel_read_net_sysctls($1_mozilla_t)
+ kernel_dontaudit_read_system_state($1_mozilla_t)
+# kernel_read_system_state($1_mozilla_t)
+# kernel_read_net_sysctls($1_mozilla_t)
# Look for plugins
corecmd_list_bin($1_mozilla_t)
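Review bot: L3070–L3071 leave kernel_read_system_state and kernel_read_net_sysctls as commented-out policy lines beside the dontaudit that replaces them; dead rules in a template mislead the next reader about what is granted, so delete them and let the diff carry the history. A why-comment on the replacement would help, e.g. `# /proc and net sysctl reads are denied silently; nothing in the browser needs them`, but note the earlier hunk grants domain_read_all_domains_state, which reads /proc/<pid> for every domain and seems to pull the other way; confirm which is wanted.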
@@ -165,10 +207,23 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
+ files_dontaudit_list_non_security($1_mozilla_t)
+ files_dontaudit_getattr_non_security_files($1_mozilla_t)
+ files_dontaudit_getattr_non_security_symlinks($1_mozilla_t)
+ files_dontaudit_getattr_non_security_pipes($1_mozilla_t)
+ files_dontaudit_getattr_non_security_sockets($1_mozilla_t)
+
+ dev_dontaudit_getattr_all_blk_files($1_mozilla_t)
+ dev_dontaudit_getattr_all_chr_files($1_mozilla_t)
fs_search_auto_mountpoints($1_mozilla_t)
fs_list_inotifyfs($1_mozilla_t)
+ fs_manage_dos_dirs($1_mozilla_t)
+ fs_manage_dos_files($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
+ fs_read_noxattr_fs_files($1_mozilla_t)
+
+ selinux_dontaudit_getattr_fs($1_mozilla_t)
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
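Review bot: fs_manage_dos_dirs/fs_manage_dos_files at L3088–L3089 give the browser full manage rights on every dosfs_t filesystem (removable media, and /boot/efi where it is vfat), and fs_read_noxattr_fs_files at L3091 reads every filesystem without xattr support; the previous policy only allowed removable-media reads under the mozilla_read_content boolean (L3145–L3149). Put the dos/noxattr rules under tunable_policy(`browser_write_$1_data') or a dedicated boolean, with a comment naming the use case (presumably saving downloads to a USB stick). The dontaudit block at L3078–L3084 is reasonable noise suppression, but one line such as `# file chooser dialogs stat everything they list` would explain why it exists.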
@@ -184,12 +239,8 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
- userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
- userdom_manage_user_home_content_files($1,$1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
- userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
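Review bot: userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t) at L3104 is redundant: the same template already allows userdom_read_user_tmp_files and userdom_manage_user_tmp_files for $1_mozilla_t in the hunk above (L3033, L3036), so this dontaudit can never fire; drop whichever side does not match the intent. userdom_dontaudit_use_user_terminals at L3105 silently denies the browser its controlling terminal, while the java_run/mono_run interfaces in this same patch allow rw_term_perms instead; the two application families now behave differently and a short comment on the choice would help.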
@@ -211,131 +262,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_nfs_files($1_mozilla_t)
- fs_read_nfs_symlinks($1_mozilla_t)
-
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_nfs_files($1_mozilla_t)
- fs_dontaudit_list_nfs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_cifs_files($1_mozilla_t)
- fs_read_cifs_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_cifs_files($1_mozilla_t)
- fs_dontaudit_list_cifs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content',`
- userdom_list_user_tmp($1,$1_mozilla_t)
- userdom_read_user_tmp_files($1,$1_mozilla_t)
- userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
- userdom_search_user_home_dirs($1,$1_mozilla_t)
- userdom_read_user_home_content_files($1,$1_mozilla_t)
- userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
-
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mozilla_t)
- fs_read_removable_files($1_mozilla_t)
- fs_read_removable_symlinks($1_mozilla_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_removable($1_mozilla_t)
- fs_dontaudit_read_removable_files($1_mozilla_t)
- userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
- userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_default_t',`
- files_list_default($1_mozilla_t)
- files_read_default_files($1_mozilla_t)
- files_read_default_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_read_default_files($1_mozilla_t)
- files_dontaudit_list_default($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_untrusted_content',`
- files_list_tmp($1_mozilla_t)
- files_list_home($1_mozilla_t)
- userdom_search_user_home_dirs($1,$1_mozilla_t)
-
- userdom_list_user_untrusted_content($1,$1_mozilla_t)
- userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
- userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
- userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
- ')
-
- # Save web pages
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_nfs_dirs($1_mozilla_t)
- fs_manage_nfs_files($1_mozilla_t)
- fs_manage_nfs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
- fs_dontaudit_manage_nfs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_cifs_dirs($1_mozilla_t)
- fs_manage_cifs_files($1_mozilla_t)
- fs_manage_cifs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
- fs_dontaudit_manage_cifs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_mozilla_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
-
- userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- files_dontaudit_list_tmp($1_mozilla_t)
-
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
-
+ optional_policy(`
+ alsa_read_rw_config($1_mozilla_t)
')
optional_policy(`
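Review bot: Nothing in the new template labels browser downloads as $1_untrusted_content_tmp_t now that the write_untrusted_content blocks are gone (L3218–L3226); they land as ordinary home content under browser_write_$1_data, so any viewer or helper policy that keyed its sandboxing on the untrusted_content types no longer sees browser output. If the untrusted-content model is being retired here on purpose, say so in the commit message and in a comment where browser_write_$1_data is declared; otherwise keep a filetrans into the untrusted type for the download directory. The alsa_read_rw_config addition at L3236–L3238 itself looks fine.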
@@ -350,19 +278,27 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
+ cups_stream_connect($1_mozilla_t)
')
optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_connectto_user_bus($1,$1_mozilla_t)
+ ')
+
+ optional_policy(`
+ gnome_exec_gconf($1_mozilla_t)
+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
')
optional_policy(`
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
optional_policy(`
- java_domtrans_user_javaplugin($1, $1_mozilla_t)
+ java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
')
optional_policy(`
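Review bot: java_plugin_per_role_template($1, $1_mozilla_t, $1_r) at L3263 hard-codes the role name as $1_r, while this template receives the role as its third argument (L2958 uses `role $3 types $1_mozilla_t`); pass `$3` so a caller whose role is not named after the prefix still gets a valid role/type pair. The commented-out dbus_user_bus_client_template/dbus_connectto_user_bus at L3249–L3250 are dead lines; delete them rather than leaving them in the template. The gnome_* calls are split across two optional_policy blocks at L3253–L3260 even though they all depend on the same gnome module; merge them into one.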
@@ -370,6 +306,10 @@
')
optional_policy(`
+ nsplugin_per_role_template($1, $1_mozilla_t, $1_r)
+ ')
+
+ optional_policy(`
mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
mplayer_read_user_home_files($1, $1_mozilla_t)
')
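Review bot: nsplugin_per_role_template($1, $1_mozilla_t, $1_r) at L3269 hard-codes the role as $1_r instead of forwarding the template's role parameter; use `nsplugin_per_role_template($1, $1_mozilla_t, $3)`, matching the surrounding template's own role rule at L2958. A comment that this transitions every user's browser into the single, system-wide nsplugin_t domain rather than a per-role one would also help, since that is a different isolation model from the rest of this template.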
@@ -382,25 +322,6 @@
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
- ifdef(`TODO',`
- #NOTE commented out in strict.
- ######### Launch email client, and make webcal links work
- #ifdef(`evolution.te', `
- #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
- #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
- #')
-
- # Macros for mozilla/mozilla (or other browser) domains.
- # FIXME: Rules were removed to centralize policy in a gnome_app macro
- # A similar thing might be necessary for mozilla compiled without GNOME
- # support (is this possible?).
-
- # GNOME integration
- optional_policy(`
- gnome_application($1_mozilla, $1)
- gnome_file_dialog($1_mozilla, $1)
- ')
- ')
')
########################################
@@ -430,11 +351,11 @@
#
template(`mozilla_read_user_home_files',`
gen_require(`
- type $1_mozilla_home_t;
+ type user_mozilla_home_t;
')
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file read_file_perms;
+ allow $2 user_mozilla_home_t:dir list_dir_perms;
+ allow $2 user_mozilla_home_t:file read_file_perms;
')
########################################
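Review bot: After this change mozilla_read_user_home_files no longer uses its $1 prefix parameter (both rules at L3309–L3310 target user_mozilla_home_t), so the template signature now misleads callers; either document it in the XML block (`## $1 is accepted for compatibility and ignored`) or turn the body into an interface and keep the template name as a wrapper. The same applies to mozilla_write_user_home_files in the next hunk.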
@@ -464,11 +385,11 @@
#
template(`mozilla_write_user_home_files',`
gen_require(`
- type $1_mozilla_home_t;
+ type user_mozilla_home_t;
')
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file write;
+ allow $2 user_mozilla_home_t:dir list_dir_perms;
+ allow $2 user_mozilla_home_t:file write;
')
########################################
@@ -573,3 +494,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## mozilla connection template.
+## </summary>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mozilla_stream_connect_template',`
+ gen_require(`
+ type $1_mozilla_t;
+ ')
+
+ allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
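Review bot: The summary "mozilla connection template" at L3332 does not say what is granted; make it `## Connect to the $1 mozilla domain over a unix stream socket.` The $2 parameter doc at L3340–L3343 calls it "The type of the user domain", but L3351 simply grants $2 connectto, so any domain may be passed — describe it as `The domain allowed to connect.` so callers do not assume the template also wires the reverse direction.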
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.5/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2008-01-11 14:37:00.000000000 -0500
@@ -6,15 +6,15 @@
# Declarations
#
-## <desc>
-## <p>
-## Control mozilla content access
-## </p>
-## </desc>
-gen_tunable(mozilla_read_content,false)
-
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
type mozilla_exec_t;
application_executable_file(mozilla_exec_t)
+
+type user_mozilla_home_t alias user_mozilla_rw_t;
+files_poly_member(user_mozilla_home_t)
+userdom_user_home_content(user,user_mozilla_home_t)
+
+type user_mozilla_tmp_t;
+files_tmp_file(user_mozilla_tmp_t)
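Review bot: user_mozilla_tmp_t is declared at L3375–L3376 but none of the visible mozilla.if hunks grants $1_mozilla_t manage rights on it or a files_tmp_filetrans into it — the template's tmp rules use userdom_manage_user_tmp_* instead — so unless a hunk outside this view uses the type it is dead; wire it up or drop it. userdom_user_home_content(user,user_mozilla_home_t) at L3373 registers the shared type only under the `user` prefix, so userdom_* interfaces parameterised with staff or sysadm will not treat it as their home content; confirm that is acceptable now that all roles alias onto it. Deleting gen_tunable(mozilla_read_content) at L3364 is a user-visible boolean removal like allow_java_execstack and deserves a changelog line.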
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.5/policy/modules/apps/mplayer.fc
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/mplayer.fc 2007-12-19 05:38:08.000000000 -0500
@@ -10,4 +10,4 @@
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.5/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/mplayer.if 2007-12-19 05:38:08.000000000 -0500
@@ -35,6 +35,7 @@
template(`mplayer_per_role_template',`
gen_require(`
type mencoder_exec_t, mplayer_exec_t;
+ type user_mplayer_home_t;
')
########################################
@@ -50,9 +51,9 @@
application_domain($1_mplayer_t,mplayer_exec_t)
role $3 types $1_mplayer_t;
- type $1_mplayer_home_t alias $1_mplayer_rw_t;
- files_poly_member($1_mplayer_home_t)
- userdom_user_home_content($1,$1_mplayer_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_mplayer_home_t alias $1_mplayer_home_t;
+ ')
type $1_mplayer_tmpfs_t;
files_tmpfs_file($1_mplayer_tmpfs_t)
@@ -62,9 +63,9 @@
# mencoder local policy
#
- manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
- manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
- manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_dirs_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t)
+ manage_files_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t)
+ manage_lnk_files_pattern($1_mencoder_t,user_mplayer_home_t,user_mplayer_home_t)
# Read global config
allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
@@ -256,9 +257,9 @@
allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
allow $1_mplayer_t self:sem create_sem_perms;
- manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
- manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
- manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_dirs_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t)
+ manage_files_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t)
+ manage_lnk_files_pattern($1_mplayer_t,user_mplayer_home_t,user_mplayer_home_t)
userdom_search_user_home_dirs($1,$1_mplayer_t)
manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
@@ -273,12 +274,12 @@
read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
# Home access
- manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
- manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
- manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
- relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
- relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
- relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_dirs_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
+ manage_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
+ manage_lnk_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
+ relabel_dirs_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
+ relabel_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
+ relabel_lnk_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
# domain transition
domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
@@ -503,8 +504,8 @@
#
template(`mplayer_read_user_home_files',`
gen_require(`
- type $1_mplayer_home_t;
+ type user_mplayer_home_t;
')
- read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ read_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.5/policy/modules/apps/mplayer.te
--- nsaserefpolicy/policy/modules/apps/mplayer.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mplayer.te 2007-12-19 05:38:08.000000000 -0500
@@ -22,3 +22,7 @@
type mplayer_exec_t;
corecmd_executable_file(mplayer_exec_t)
application_executable_file(mplayer_exec_t)
+
+type user_mplayer_home_t alias user_mplayer_rw_t;
+userdom_user_home_content(user,user_mplayer_home_t)
+
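Review bot: The new shared user_mplayer_home_t at L3463–L3464 drops the files_poly_member() that the per-role $1_mplayer_home_t had (removed at L3399) and that the parallel user_mozilla_home_t keeps at L3372, so ~/.mplayer is no longer a polyinstantiation member; unless that is deliberate, add `files_poly_member(user_mplayer_home_t)` after the type declaration. The trailing blank line at L3465 is stray.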
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-03 15:47:01.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
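Review bot: Both paths are pinned to /usr/lib; on 64-bit systems nspluginwrapper and its plugins-wrapped directory are presumably installed under /usr/lib64 too, so use `/usr/lib(64)?/nspluginwrapper/plugin-config` and `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` — confirm against the package's file list. plugins-wrapped is labelled nsplugin_rw_t, a type that nsplugin.te in this patch lets nsplugin_t both write and execute, so this becomes a writable code location under /usr; a comment here pointing at that trade-off would help the next reader.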
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-04 09:00:08.000000000 -0500
@@ -0,0 +1,227 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nsplugin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nsplugin_domtrans',`
+ gen_require(`
+ type nsplugin_t;
+ type nsplugin_exec_t;
+ ')
+
+ domtrans_pattern($1,nsplugin_exec_t,nsplugin_t)
+')
+
+
+########################################
+## <summary>
+## Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
+ manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
+ manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
+')
+
+
+########################################
+## <summary>
+## Execute nsplugin in the nsplugin domain, and
+## allow the specified role the nsplugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the nsplugin domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`nsplugin_run',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ nsplugin_domtrans($1)
+ role $2 types nsplugin_t;
+ dontaudit nsplugin_t $3:chr_file rw_term_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nsplugin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nsplugin_admin',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, nsplugin_t, nsplugin_t)
+ nsplugin_manage_rw($1)
+
+')
+
+#######################################
+## <summary>
+## The per role template for the nsplugin module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for nsplugin web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`nsplugin_per_role_template',`
+ gen_require(`
+ type nsplugin_t;
+ type nsplugin_rw_t;
+ ')
+ nsplugin_domtrans($2)
+ role $3 types nsplugin_t;
+
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+')
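Review bot: The nsplugin_admin doc at L3637–L3641 is a copy-paste ("manage the syslog domain") and its role and terminal parameters are never used in the body at L3649–L3658, which only touches $1; either drop the two parameters or add the usual `role $2 types nsplugin_t` and terminal rules, and fix the text to `The role to be allowed to manage the nsplugin domain.` nsplugin_per_role_template at L3692–L3703 also has $2 execute nsplugin_rw_t in place (can_exec at L3702) in addition to the domain transition; since nsplugin.te gives nsplugin_t write access to that type, every user's browser ends up executing code any nsplugin_t instance can modify — add a comment acknowledging that, or limit $2 to read. nsplugin_manage_rw_files (L3565–L3572) and nsplugin_manage_rw (L3584–L3592) overlap almost entirely; keep one, or document when a caller should pick the file-only variant.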
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-03 15:49:43.000000000 -0500
@@ -0,0 +1,47 @@
+policy_module(nsplugin,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nsplugin_t;
+type nsplugin_exec_t;
+application_domain(nsplugin_t, nsplugin_exec_t)
+role system_r types nsplugin_t;
+
+
+type nsplugin_rw_t;
+files_type(nsplugin_rw_t)
+
+########################################
+#
+# nsplugin local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow nsplugin_t self:capability { setuid setgid };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(nsplugin_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+kernel_read_system_state(nsplugin_t)
+
+files_read_etc_files(nsplugin_t)
+files_dontaudit_search_home(nsplugin_t)
+
+libs_use_ld_so(nsplugin_t)
+libs_use_shared_libs(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+
+userdom_dontaudit_search_all_users_home_content(nsplugin_t)
+
+
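Review bot: nsplugin_t gets both `manage_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)` and `can_exec(nsplugin_t, nsplugin_rw_t)` on the same type, so the domain can write a file and then execute it, which gives up the write-xor-execute separation that per-type labeling normally provides; if a plugin cache genuinely has to be executable, a comment naming the plugin that needs it and stating that nsplugin_rw_t is deliberately rw+exec would help the next reviewer. The line `allow nsplugin_t self:capability { setuid setgid };` has the same gap: nothing says why a plugin viewer needs to change credentials. The comment above it uses the `##` prefix that refpolicy reserves for interface XML documentation; in a .te file the convention is a plain `# internal communication is often done using fifo and unix sockets.`. The two trailing blank lines at the end of the new file can be dropped.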
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,7 +1,7 @@
#
# /home
#
-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0)
#
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.5/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/screen.if 2007-12-19 05:38:08.000000000 -0500
@@ -50,8 +50,9 @@
type $1_screen_tmp_t;
files_tmp_file($1_screen_tmp_t)
- type $1_screen_ro_home_t;
- files_type($1_screen_ro_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_screen_ro_home_t alias $1_screen_ro_home_t;
+ ')
type $1_screen_var_run_t;
files_pid_file($1_screen_var_run_t)
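Review bot: The ifelse at `typealias user_screen_ro_home_t alias $1_screen_ro_home_t;` turns every role's `$1_screen_ro_home_t` into an alias of the single user_screen_ro_home_t, so the later hunks (`allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms;` and the `manage_*_pattern($2,user_screen_ro_home_t,...)` block) grant each role's screen domain and each `$2` user domain access to one shared type where each `$2` previously managed only its own prefix's type. If that consolidation is intended it deserves a one-line comment at the ifelse, e.g. `# all roles share one home type; per-role names survive only as aliases`, because it removes the type-level separation between roles that the original declaration provided. The thunderbird.if and tvtime.if hunks below follow the same pattern, and tvtime.if additionally folds the per-role `$1_tvtime_tmp_t` into a shared user_tvtime_tmp_t that `files_tmp_filetrans` now labels for every role. The enclosing template starts and ends outside this hunk.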
@@ -81,9 +82,9 @@
filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
files_pid_filetrans($1_screen_t,screen_dir_t,dir)
- allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
- read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
- read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms;
+ read_files_pattern($1_screen_t,user_screen_ro_home_t,user_screen_ro_home_t)
+ read_lnk_files_pattern($1_screen_t,user_screen_ro_home_t,user_screen_ro_home_t)
allow $1_screen_t $2:process signal;
@@ -91,12 +92,12 @@
allow $2 $1_screen_t:process signal;
allow $1_screen_t $2:process signal;
- manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
- manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
- manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
- relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
- relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
- relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ manage_dirs_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
+ manage_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
+ manage_lnk_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
+ relabel_dirs_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
+ relabel_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
+ relabel_lnk_files_pattern($2,user_screen_ro_home_t,user_screen_ro_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.5/policy/modules/apps/screen.te
--- nsaserefpolicy/policy/modules/apps/screen.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/screen.te 2007-12-19 05:38:08.000000000 -0500
@@ -11,3 +11,7 @@
type screen_exec_t;
application_executable_file(screen_exec_t)
+
+type user_screen_ro_home_t;
+userdom_user_home_content(user,user_screen_ro_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.2.5/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2007-10-02 09:54:50.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/slocate.te 2008-01-03 10:04:21.000000000 -0500
@@ -39,6 +39,7 @@
files_list_all(locate_t)
files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
files_getattr_all_sockets(locate_t)
files_read_etc_runtime_files(locate_t)
files_read_etc_files(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.5/policy/modules/apps/thunderbird.fc
--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/thunderbird.fc 2007-12-19 05:38:08.000000000 -0500
@@ -3,4 +3,4 @@
#
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.5/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-12-06 13:12:03.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/thunderbird.if 2007-12-19 05:38:08.000000000 -0500
@@ -43,9 +43,9 @@
application_domain($1_thunderbird_t,thunderbird_exec_t)
role $3 types $1_thunderbird_t;
- type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
- files_poly_member($1_thunderbird_home_t)
- userdom_user_home_content($1, $1_thunderbird_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_thunderbird_home_t alias $1_thunderbird_home_t;
+ ')
type $1_thunderbird_tmpfs_t;
files_tmpfs_file($1_thunderbird_tmpfs_t)
@@ -64,9 +64,9 @@
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
# Access ~/.thunderbird
- manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_dirs_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_files_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_lnk_files_pattern($1_thunderbird_t,user_thunderbird_home_t,user_thunderbird_home_t)
userdom_search_user_home_dirs($1,$1_thunderbird_t)
manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
@@ -87,13 +87,13 @@
ps_process_pattern($2,$1_thunderbird_t)
# Access ~/.thunderbird
- manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-
- relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
- relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_dirs_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ manage_lnk_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+
+ relabel_dirs_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ relabel_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
+ relabel_lnk_files_pattern($2,user_thunderbird_home_t,user_thunderbird_home_t)
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.5/policy/modules/apps/thunderbird.te
--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/thunderbird.te 2007-12-19 05:38:08.000000000 -0500
@@ -8,3 +8,7 @@
type thunderbird_exec_t;
application_executable_file(thunderbird_exec_t)
+
+type user_thunderbird_home_t alias user_thunderbird_rw_t;
+userdom_user_home_content(user, user_thunderbird_home_t)
+
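Review bot: The new `type user_thunderbird_home_t alias user_thunderbird_rw_t;` replaces the per-role type removed from thunderbird.if, but the removed block also called `files_poly_member($1_thunderbird_home_t)` and that call is not carried over, so ~/.thunderbird loses its polyinstantiation-member marking. Either add `files_poly_member(user_thunderbird_home_t)` after the userdom_user_home_content line or record in the commit why it was dropped. The tvtime.te hunk below has the same gap: tvtime.if removes `files_poly_member($1_tvtime_home_t)` and the new user_tvtime_home_t declaration does not call it.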
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.5/policy/modules/apps/tvtime.if
--- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/tvtime.if 2007-12-19 05:38:08.000000000 -0500
@@ -46,12 +46,10 @@
application_domain($1_tvtime_t,tvtime_exec_t)
role $3 types $1_tvtime_t;
- type $1_tvtime_home_t alias $1_tvtime_rw_t;
- userdom_user_home_content($1,$1_tvtime_home_t)
- files_poly_member($1_tvtime_home_t)
-
- type $1_tvtime_tmp_t;
- files_tmp_file($1_tvtime_tmp_t)
+ ifelse(`$1',`user',`',`
+ typealias user_tvtime_home_t alias $1_tvtime_home_t;
+ typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t;
+ ')
type $1_tvtime_tmpfs_t;
files_tmpfs_file($1_tvtime_tmpfs_t)
@@ -67,14 +65,14 @@
allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
# X access, Home files
- manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
- manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
- manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
- userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
-
- manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
- manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir })
+ manage_dirs_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t)
+ manage_files_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t)
+ manage_lnk_files_pattern($1_tvtime_t,user_tvtime_home_t,user_tvtime_home_t)
+ userdom_user_home_dir_filetrans($1,$1_tvtime_t,user_tvtime_home_t,dir)
+
+ manage_dirs_pattern($1_tvtime_t,user_tvtime_tmp_t,user_tvtime_tmp_t)
+ manage_files_pattern($1_tvtime_t,user_tvtime_tmp_t,user_tvtime_tmp_t)
+ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t,{ file dir })
manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
@@ -86,12 +84,12 @@
domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
# X access, Home files
- manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
- relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ manage_dirs_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ manage_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ manage_lnk_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ relabel_dirs_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ relabel_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
+ relabel_lnk_files_pattern($2,user_tvtime_home_t,user_tvtime_home_t)
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_tvtime_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.5/policy/modules/apps/tvtime.te
--- nsaserefpolicy/policy/modules/apps/tvtime.te 2007-10-02 09:54:50.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/tvtime.te 2007-12-19 05:38:08.000000000 -0500
@@ -11,3 +11,9 @@
type tvtime_dir_t;
files_pid_file(tvtime_dir_t)
+
+type user_tvtime_home_t alias user_tvtime_rw_t;
+userdom_user_home_content(user,user_tvtime_home_t)
+
+type user_tvtime_tmp_t;
+files_tmp_file(user_tvtime_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.5/policy/modules/apps/uml.fc
--- nsaserefpolicy/policy/modules/apps/uml.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/uml.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,7 +1,7 @@
#
# HOME_DIR/
#
-HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0)
#
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.5/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/userhelper.if 2007-12-19 05:38:08.000000000 -0500
@@ -181,24 +181,6 @@
nscd_socket_use($1_userhelper_t)
')
- ifdef(`TODO',`
- allow $1_userhelper_t xdm_t:fd use;
- allow $1_userhelper_t xdm_var_run_t:dir search;
- allow $1_userhelper_t xdm_t:fifo_file { getattr read write ioctl };
-
- optional_policy(`
- allow $1_userhelper_t gphdomain:fd use;
- ')
- optional_policy(`
- domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
- allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
- ')
- optional_policy(`
- domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
- ')
- # for when the network connection is killed
- dontaudit unpriv_userdomain $1_userhelper_t:process signal;
- ')
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.5/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/vmware.fc 2007-12-19 05:38:08.000000000 -0500
@@ -1,9 +1,9 @@
#
# HOME_DIR/
#
-HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:user_vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:user_vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:user_vmware_file_t,s0)
#
# /etc
@@ -21,19 +21,25 @@
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
ifdef(`distro_gentoo',`
/opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
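Review bot: `/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)` labels what its path and name suggest is a daemon with vmware_exec_t, the type the rest of this file uses for the interactive front ends (vmware, vmware-wizard, vmware-ui), while the vmx and vmnet helpers get vmware_host_exec_t; if vmware-serverd is really meant to run in the user-facing domain, a comment saying so would stop the next reader from "correcting" it. The two `/usr/sbin/` lines are also inserted among the `/usr/bin/` entries; the file otherwise keeps paths sorted, so placing them after `/usr/bin/vmware` (or in their own `# /usr/sbin` group) would match its convention.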
@@ -49,3 +55,4 @@
/opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
')
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.5/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/vmware.if 2007-12-19 05:38:08.000000000 -0500
@@ -202,3 +202,22 @@
allow $1 vmware_sys_conf_t:file append;
')
+
+########################################
+## <summary>
+## Append to VMWare log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1,vmware_log_t,vmware_log_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.5/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/vmware.te 2007-12-19 05:38:08.000000000 -0500
@@ -22,17 +22,21 @@
type vmware_var_run_t;
files_pid_file(vmware_var_run_t)
+type vmware_log_t;
+logging_log_file(vmware_log_t)
+
########################################
#
# VMWare host local policy
#
-allow vmware_host_t self:capability { setuid net_raw };
+allow vmware_host_t self:capability { setgid setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
# cjp: the ro and rw files should be split up
manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
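Review bot: `allow vmware_host_t self:process { execstack execmem signal_perms };` adds executable-stack and executable-anonymous-memory permission to a domain the same file already grants net_raw and setuid (and this hunk adds setgid), and nothing records why; each of these is a deliberate weakening of memory protection for a privileged domain and is normally justified with a comment naming the binary that needs it, e.g. `# vmware-vmx maps RWX regions; needs execmem/execstack -- TODO confirm which binary`. If only one of the host executables needs it, a narrower domain for that binary would keep the rest of the host policy protected.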
@@ -41,6 +45,11 @@
manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
+manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)
+logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
+
+files_search_home(vmware_host_t)
+
kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
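Review bot: `logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })` lets vmware_host_t create directories of type vmware_log_t under /var/log, but the only file-context entry added for this type (`/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)` in vmware.fc) carries the `--` regular-file specifier, so any directory the daemon creates will be relabeled away from vmware_log_t by restorecon or a full relabel. Either drop `dir` from the transition, or add a directory pattern to vmware.fc (e.g. `/var/log/vmware(/.*)?` without `--`). The `manage_files_pattern` line in this hunk covers files only, which is consistent with the `--` entry.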
@@ -63,6 +72,7 @@
corenet_sendrecv_all_server_packets(vmware_host_t)
dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
@@ -99,6 +109,10 @@
')
netutils_domtrans_ping(vmware_host_t)
+optional_policy(`
+ xserver_xdm_rw_shm(vmware_host_t)
+')
+
ifdef(`TODO',`
# VMWare need access to pcmcia devices for network
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.5/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/wine.if 2007-12-19 05:38:08.000000000 -0500
@@ -49,3 +49,53 @@
role $2 types wine_t;
allow wine_t $3:chr_file rw_term_perms;
')
+
+#######################################
+## <summary>
+## The per role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`wine_per_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t,wine_exec_t)
+ role $3 types $1_wine_t;
+
+ domain_interactive_fd($1_wine_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+
+ allow $1_wine_t self:process { execheap execmem };
+
+ domtrans_pattern($2, wine_exec_t, $1_wine_t)
+
+ optional_policy(`
+ xserver_xdm_rw_shm($1_wine_t)
+ ')
+')
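Review bot: The template builds its derived domain by hand with `domain_type($1_wine_t)` and `domain_entry_file($1_wine_t,wine_exec_t)`, while the other new domain in this patch (nsplugin.te) uses `application_domain(...)` for the same job; unless whatever application_domain() adds beyond those two calls is unwanted here, `application_domain($1_wine_t, wine_exec_t)` would keep the two consistent and is the usual refpolicy idiom. The summary text "This template creates a derived domains which are used for wine applications" should read "This template creates a derived domain used for wine applications". `allow $1_wine_t self:process { execheap execmem };` is expected for wine, but as with the other execmem grants in this patch a short reason comment would help.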
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.5/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/wine.te 2007-12-19 05:38:08.000000000 -0500
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t,wine_exec_t)
+role system_r types wine_t;
########################################
#
@@ -20,7 +21,12 @@
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
- optional_policy(`
- hal_dbus_chat(wine_t)
- ')
+')
+
+optional_policy(`
+ hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ xserver_xdm_rw_shm(wine_t)
')
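Review bot: The first added line `+')` closes the enclosing block (its opening is outside this hunk, so I cannot see whether it is a tunable_policy or another conditional) before the hal_dbus_chat and xserver_xdm_rw_shm optional_policy blocks, so `hal_dbus_chat(wine_t)` moves from conditional to unconditional policy; the old code only granted it inside the same block that applies `unconfined_domain_noaudit(wine_t)`. If that widening is intended, say so in the commit message; otherwise the two optional_policy blocks belong back inside the closing `')`.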
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-07 11:08:14.000000000 -0500
@@ -7,11 +7,11 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
#
# /dev
#
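Review bot: `/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)` is inserted in the `/bin` group of shells, while the file keeps a separate `/usr` section further down that already holds the other restricted shells (`/usr/sbin/sesh`, plus the scponly and smrsh entries this patch adds there). Moving the line into that section keeps paths grouped the way the rest of the file does. Labeling git-shell as shell_exec_t also means every domain allowed corecmd_exec_shell can run it; that matches how sesh is treated, so it looks intentional, but a comment marking these as restricted login shells would make the grouping explicit.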
@@ -58,6 +58,8 @@
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
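Review bot: `/etc/NetworkManager/dispatcher.d(/.*)?` leaves the dot in `dispatcher.d` unescaped, so it matches any character rather than a literal dot; the neighbouring entry `/etc/netplug\.d(/.*)?` escapes it, and the file does so consistently elsewhere. Write `/etc/NetworkManager/dispatcher\.d(/.*)?`. The last hunk of this file has the same issue in `/usr/lib/nspluginwrapper/npviewer.bin` (compare `vmware-smbpasswd\.bin` in vmware.fc), and its three nspluginwrapper lines additionally lack the `--` type specifier the surrounding entries use and are appended after the distro_suse block instead of in the `/usr` section.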
@@ -127,6 +129,8 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
@@ -147,7 +151,7 @@
/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -186,7 +190,10 @@
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -284,3 +291,6 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.5/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.if 2007-12-19 05:38:08.000000000 -0500
@@ -875,6 +875,7 @@
read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,chroot_exec_t)
+ allow $1 self:capability sys_chroot;
')
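Review bot: `allow $1 self:capability sys_chroot;` adds a capability grant to an interface whose visible body otherwise only permits executing chroot_exec_t and reading bin_t (the interface header and name are outside this hunk). Every existing caller silently gains CAP_SYS_CHROOT whether or not it needs it; refpolicy convention keeps capability grants in the caller's own .te (or in a separately named interface) so the grant stays visible in each domain's policy. At minimum the interface's `<summary>` should be updated to say it now also grants the sys_chroot capability.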
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-14 13:32:12.000000000 -0500
@@ -82,6 +82,7 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(comsat, udp,512,s0)
+network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
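Review bot: `network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)` reserves udp/32771, which lies inside the range the kernel hands out for ephemeral ports (32768 upward by default on Linux), so unrelated domains that are assigned that port for an outbound socket can start failing with cyphesis_port_t denials; if the server really listens there, a comment saying so and confirming it was checked against the local ip_local_port_range would help. The line is also out of the file's alphabetical order (it belongs after `network_port(cvs, ...)`), the munin/mythtv pair in the next hunk places mythtv before mysqld, and `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` in the third hunk has a stray space after `udp,` that the neighbouring entries do not. Separately, the patch also adds policy/modules/kernel/corenetwork.te.in.cyphesis, which repeats `policy_module(corenetwork,1.2.14)` and the whole port table and looks like a stray backup copy of corenetwork.te.in rather than an intended file.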
@@ -122,6 +123,8 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -133,6 +136,7 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis 2007-12-31 07:12:10.000000000 -0500
@@ -0,0 +1,246 @@
+
+policy_module(corenetwork,1.2.14)
+
+########################################
+#
+# Declarations
+#
+
+attribute client_packet_type;
+attribute netif_type;
+attribute node_type;
+attribute packet_type;
+attribute port_type;
+attribute reserved_port_type;
+attribute rpc_port_type;
+attribute server_packet_type;
+
+attribute corenet_unconfined_type;
+
+type ppp_device_t;
+dev_node(ppp_device_t)
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t;
+dev_node(tun_tap_device_t)
+
+########################################
+#
+# Ports and packets
+#
+
+#
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
+#
+type client_packet_t, packet_type, client_packet_type;
+
+#
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
+# port_t is the default type of INET port numbers.
+#
+type port_t, port_type;
+sid port gen_context(system_u:object_r:port_t,s0)
+
+#
+# reserved_port_t is the type of INET port numbers below 1024.
+#
+type reserved_port_t, port_type, reserved_port_type;
+
+#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
+#
+type server_packet_t, packet_type, server_packet_type;
+
+network_port(afs_bos, udp,7007,s0)
+network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
+network_port(afs_ka, udp,7004,s0)
+network_port(afs_pt, udp,7002,s0)
+network_port(afs_vl, udp,7003,s0)
+network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(amavisd_recv, tcp,10024,s0)
+network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
+network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(auth, tcp,113,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+network_port(clamd, tcp,3310,s0)
+network_port(clockspeed, udp,4041,s0)
+network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
+network_port(comsat, udp,512,s0)
+network_port(cvs, tcp,2401,s0, udp,2401,s0)
+network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dbskkd, tcp,1178,s0)
+network_port(dhcpc, udp,68,s0)
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
+network_port(dict, tcp,2628,s0)
+network_port(distccd, tcp,3632,s0)
+network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(fingerd, tcp,79,s0)
+network_port(ftp_data, tcp,20,s0)
+network_port(ftp, tcp,21,s0)
+network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+network_port(giftd, tcp,1213,s0)
+network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(howl, tcp,5335,s0, udp,5353,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(i18n_input, tcp,9010,s0)
+network_port(imaze, tcp,5323,s0, udp,5323,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(innd, tcp,119,s0)
+network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+network_port(ircd, tcp,6667,s0)
+network_port(isakmp, udp,500,s0)
+network_port(iscsi, tcp,3260,s0)
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+network_port(jabber_interserver, tcp,5269,s0)
+network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(ktalkd, udp,517,s0, udp,518,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+network_port(lmtp, tcp,24,s0, udp,24,s0)
+network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(monopd, tcp,1234,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+network_port(nessus, tcp,1241,s0)
+network_port(netsupport, tcp,5405,s0, udp,5405,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0)
+network_port(ntp, udp,123,s0)
+network_port(ocsp, tcp,9080,s0)
+network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(pegasus_http, tcp,5988,s0)
+network_port(pegasus_https, tcp,5989,s0)
+network_port(postfix_policyd, tcp,10031,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+network_port(portmap, udp,111,s0, tcp,111,s0)
+network_port(postgresql, tcp,5432,s0)
+network_port(postgrey, tcp,60000,s0)
+network_port(printer, tcp,515,s0)
+network_port(ptal, tcp,5703,s0)
+network_port(pxe, udp,4011,s0)
+network_port(pyzor, udp,24441,s0)
+network_port(radacct, udp,1646,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(razor, tcp,2703,s0)
+network_port(ricci, tcp,11111,s0, udp,11111,s0)
+network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
+network_port(rlogind, tcp,513,s0)
+network_port(rndc, tcp,953,s0)
+network_port(router, udp,520,s0)
+network_port(rsh, tcp,514,s0)
+network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(rwho, udp,513,s0)
+network_port(smbd, tcp,139,s0, tcp,445,s0)
+network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(spamd, tcp,783,s0)
+network_port(ssh, tcp,22,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
+type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(swat, tcp,901,s0)
+network_port(syslogd, udp,514,s0)
+network_port(telnetd, tcp,23,s0)
+network_port(tftp, udp,69,s0)
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
+network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
+network_port(transproxy, tcp,8081,s0)
+type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
+network_port(uucpd, tcp,540,s0)
+network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
+network_port(xen, tcp,8002,s0)
+network_port(xfs, tcp,7100,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
+network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
+network_port(zope, tcp,8021,s0)
+
+# Defaults for reserved ports. Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+
+########################################
+#
+# Network nodes
+#
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+
+network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
+type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
+network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
+network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
+network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
+network_node(site_local, s0, fec0::, ffc0::)
+network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
+
+########################################
+#
+# Network Interfaces
+#
+
+#
+# netif_t is the default type of network interfaces.
+#
+type netif_t, netif_type;
+sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+
+build_option(`enable_mls',`
+network_interface(lo, lo,s0 - mls_systemhigh)
+',`
+typealias netif_t alias netif_lo_t;
+')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow corenet_unconfined_type node_type:node *;
+allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+# Bind to any network address.
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2007-12-31 08:18:04.000000000 -0500
@@ -22,6 +22,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
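Review bot: The new `/dev/[0-9].*` entry labels every character device whose name begins with a digit as usb_device_t, which is far broader than the neighbouring fw/hiddev/hidraw patterns and carries no comment saying which nodes it is meant to catch. Any future driver that creates a digit-named node under /dev would silently inherit USB device access from every domain allowed usb_device_t. If this targets a known naming scheme, tighten the regex to it and add a comment such as `# digit-named USB device nodes; keep in sync with the udev rules that create them`, so the breadth is a documented decision rather than an accident.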
@@ -29,10 +30,13 @@
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
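Review bot: The new /dev/ipmi and /dev/kvm nodes are labeled at s0, while the adjacent /dev/kmem and /dev/kmsg entries carry mls_systemhigh, so on an MLS build the BMC management interface and the hypervisor control node become the least-restricted devices in this block. IPMI typically exposes power control and firmware-level operations on the host, which is at least as sensitive as kernel memory reads; if s0 is deliberate (for example because the ipmi_device_t consumers run at s0), a comment saying so would help the next reader, otherwise `mls_systemhigh` as on /dev/kmem is the safer default. The consumers of ipmi_device_t and kvm_device_t are outside this hunk, so this is inferred from the labels alone.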
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.5/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.if 2008-01-02 13:28:34.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
relabelfrom_files_pattern($1,device_t,device_node)
- relabelfrom_lnk_files_pattern($1,device_t,device_node)
+ relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -167,6 +167,25 @@
########################################
## <summary>
+## Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to relabel.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1,device_t,device_t)
+')
+
+
+########################################
+## <summary>
## Delete a directory in the device directory.
## </summary>
## <param name="domain">
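Review bot: The parameter doc of dev_manage_generic_dirs reads `Domain allowed to relabel.`, but the body grants manage_dirs_pattern on device_t and no relabel permission at all; it looks copied from the relabel interface above. Use `## Domain allowed access.` like the other interfaces in this file and tidy the summary to `## Create, read, write, and delete directories in /dev.`. Since manage_dir_perms on device_t includes creating and removing directories directly under /dev, stating that in the summary helps callers pick the narrower search/list interfaces when those suffice.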
@@ -649,6 +668,7 @@
')
getattr_blk_files_pattern($1,device_t,device_node)
+
')
########################################
@@ -667,6 +687,7 @@
')
dontaudit $1 device_node:blk_file getattr;
+ dev_dontaudit_getattr_generic_blk_files($1)
')
########################################
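Review bot: `dev_dontaudit_getattr_generic_blk_files($1)` is called from inside another interface of the same devices module; refpolicy style, as far as I recall it, keeps a module's own .if free of calls to its own interfaces and writes the rule directly, so this would be `dontaudit $1 device_t:blk_file getattr;` with `type device_t;` added to the gen_require. The chr_file twin in the next hunk has the same shape. The enclosing interface's header is outside this hunk, so the full gen_require contents are not visible here.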
@@ -704,6 +725,7 @@
')
dontaudit $1 device_node:chr_file getattr;
+ dev_dontaudit_getattr_generic_chr_files($1)
')
########################################
@@ -2787,6 +2809,97 @@
########################################
## <summary>
+## Read and write generic the USB fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_usb_pipes',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_kvm_dev',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ getattr_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_kvm_dev',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
+## Read the kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ read_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to kvm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ rw_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
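Review bot: dev_rw_generic_usb_pipes uses device_t in `allow $1 device_t:dir search_dir_perms;` but its gen_require declares only `type usb_device_t;`, so the interface fails to link unless the caller already has device_t in scope; change it to `type device_t, usb_device_t;`, as the kvm interfaces below this one do. The summary `Read and write generic the USB fifo files.` should read `Read and write generic USB device FIFO files.`. For dev_rw_kvm it would also help to note in the summary that /dev/kvm is the hypervisor control node, so reviewers see why read/write on it is a privileged grant.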
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.5/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te 2007-12-31 08:18:37.000000000 -0500
@@ -66,12 +66,25 @@
dev_node(framebuf_device_t)
#
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
+#
# Type for /dev/kmsg
#
type kmsg_device_t;
dev_node(kmsg_device_t)
#
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
+#
# Type for /dev/mapper/control
#
type lvm_control_t;
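Review bot: The comment `# Type for /dev/ipmi/0` names a single node, but the devices.fc change in this patch labels both `/dev/ipmi[0-9]+` and `/dev/ipmi/[0-9]+` with ipmi_device_t; suggest `# Type for /dev/ipmi[0-9]+ and /dev/ipmi/[0-9]+ (IPMI BMC interfaces)`. The kvm comment could likewise say what the node is, e.g. `# kvm_device_t is the type of /dev/kvm, the KVM hypervisor control node`, so readers can judge which domains deserve dev_rw_kvm.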
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.5/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/domain.te 2007-12-19 05:38:08.000000000 -0500
@@ -85,6 +85,7 @@
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
+userdom_dontaudit_search_all_users_keys(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
@@ -148,3 +149,16 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+optional_policy(`
+ rpm_rw_pipes(domain)
+ rpm_dontaudit_use_script_fds(domain)
+')
+
+optional_policy(`
+ rhgb_dontaudit_use_ptys(domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+')
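Review bot: `rpm_rw_pipes(domain)` is an allow rule applied to the `domain` attribute, so every domain on the system gains read/write on rpm's pipes, while the other three additions in this hunk are dontaudits and grant nothing. A system-wide grant in the kernel layer needs either a narrower target (the domains rpm scriptlets actually transition into) or a comment explaining why it must be global, e.g. `# rpm scriptlets hand their pipes to whatever domain they transition into`. If the goal was only to quiet denials, an rpm dontaudit interface for pipes, if the rpm module offers one, would be the safer choice.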
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/files.if 2007-12-20 16:15:45.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
## <summary>
+## Remove entries from the tmp directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 tmp_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
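Review bot: files_delete_tmp_dir_entry requires `type root_t;` but its only rule uses tmp_t, so the wrong type is required and tmp_t is not; change the gen_require to `type tmp_t;`. The summary also understates the grant: del_entry_dir_perms on tmp_t is remove_name on the generic /tmp directory, which lets the caller unlink any entry there regardless of that entry's type, so `## Remove entries from the generic tmp directory (remove_name on tmp_t).` states it plainly.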
@@ -4717,7 +4735,6 @@
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
- mount_domtrans($1)
')
')
@@ -4756,3 +4773,54 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
+
+########################################
+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
+## <p>
+## Create a core file in /,
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
+
+########################################
+## <summary>
+## Create a default directory in /
+## </summary>
+## <desc>
+## <p>
+## Create a default_t direcrory in /
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+ gen_require(`
+ type root_t, default_t;
+ ')
+
+ allow $1 default_t:dir create;
+ filetrans_pattern($1,root_t,default_t,dir)
+')
+
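Review bot: files_dump_core grants `rw_dir_perms` on root_t, which, if that permission set still includes remove_name as it does elsewhere in refpolicy, lets the caller delete entries from / rather than only add a core file; `add_entry_dir_perms` matches the summary's intent more closely (confirm against the permission set definitions, which are outside this patch). No type transition is declared, so the core file stays root_t; either say so in the desc or add a filetrans to a dedicated type. In files_create_default_dir, `direcrory` should be `directory`.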
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.5/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/files.te 2007-12-19 05:38:09.000000000 -0500
@@ -55,6 +55,9 @@
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+typealias etc_t alias gconf_etc_t;
+typealias etc_t alias soundd_etc_t;
+typealias etc_t alias hplip_etc_t;
#
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if 2007-12-19 05:38:09.000000000 -0500
@@ -1171,6 +1171,25 @@
########################################
## <summary>
+## Create, read, write, and delete dirs
+## on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ manage_dirs_pattern($1,dosfs_t,dosfs_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete files
## on a DOS filesystem.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.5/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.te 2007-12-19 05:38:09.000000000 -0500
@@ -25,6 +25,8 @@
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -135,6 +137,11 @@
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
files_mountpoint(squash_t)
+type vmblock_t;
+fs_noxattr_type(vmblock_t)
+files_mountpoint(vmblock_t)
+genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.5/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/kernel.if 2007-12-19 05:38:09.000000000 -0500
@@ -851,9 +851,8 @@
type proc_t, proc_afs_t;
')
- read_files_pattern($1,proc_t,proc_afs_t)
-
list_dirs_pattern($1,proc_t,proc_t)
+ rw_files_pattern($1,proc_afs_t,proc_afs_t)
')
#######################################
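Review bot: Replacing `read_files_pattern($1,proc_t,proc_afs_t)` with `rw_files_pattern($1,proc_afs_t,proc_afs_t)` widens this interface from read to read/write on the AFS /proc entries, and the interface's name and summary lie outside this hunk, so they may still promise read-only access. If callers are meant to write, update the summary; if only one caller needs it, a separate rw interface keeps the existing read-only one honest. The new pattern also takes proc_afs_t as the directory type, which only helps if the entries sit under a proc_afs_t-labeled directory; list_dirs_pattern on proc_t still covers the parent.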
@@ -1194,6 +1193,7 @@
')
dontaudit $1 proc_type:dir list_dir_perms;
+ dontaudit $1 proc_type:file getattr;
')
########################################
@@ -1764,6 +1764,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
+ dontaudit $1 sysctl_type:file getattr;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.2.5/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/kernel.te 2008-01-11 15:13:01.000000000 -0500
@@ -363,7 +363,7 @@
allow kern_unconfined proc_type:{ dir file lnk_file } *;
-allow kern_unconfined sysctl_t:{ dir file } *;
+allow kern_unconfined sysctl_type:{ dir file } *;
allow kern_unconfined kernel_t:system *;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.5/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/selinux.if 2007-12-19 05:38:09.000000000 -0500
@@ -164,6 +164,7 @@
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
')
@@ -185,6 +186,7 @@
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
@@ -265,6 +267,34 @@
########################################
## <summary>
+## Allow caller to read the state of Booleans
+## </summary>
+## <desc>
+## <p>
+## Allow caller read the state of Booleans
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The process type allowed to set the Boolean.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_get_boolean',`
+ gen_require(`
+ type security_t;
+ attribute booleans_type;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 booleans_type:dir list_dir_perms;
+ allow $1 booleans_type:file read_file_perms;
+')
+
+########################################
+## <summary>
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
## </summary>
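Review bot: selinux_get_boolean requires `bool secure_mode_policyload;` but never references it, and its parameter doc says `The process type allowed to set the Boolean.` although the interface grants only read; both look carried over from selinux_set_boolean. Drop the bool from the gen_require and change the doc to `## The process type allowed to read the Boolean.`.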
@@ -288,11 +318,13 @@
interface(`selinux_set_boolean',`
gen_require(`
type security_t;
+ attribute booleans_type;
bool secure_mode_policyload;
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 booleans_type:dir list_dir_perms;
+ allow $1 booleans_type:file { getattr read write };
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
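Review bot: Write access to the boolean files is effectively removed here, because `allow $1 security_t:file { getattr read write };` is dropped in favour of booleans_type:file while the selinux.te change later in this patch leaves `genfscon selinuxfs /booleans` commented out, so nothing under selinuxfs is labeled boolean_t. Unless the /booleans labeling is applied somewhere not visible here, setting a boolean through selinuxfs will now be denied; either enable the genfscon with this change or keep the security_t:file write until it lands. If setsebool also writes a commit file under the selinuxfs root, that file remains security_t and needs write regardless.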
@@ -489,3 +521,23 @@
typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+## <summary>
+## Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute booleans_type;
+ ')
+
+ type $1, booleans_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
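Review bot: selinux_genbool declares a type with `type $1, booleans_type;`, which refpolicy does in a template rather than an interface, and its parameter doc `Domain allowed access.` is wrong because $1 is the type name to create, not a domain. Change `interface(` to `template(` on the opening line and document the parameter as `## Name of the boolean type to declare; it receives booleans_type, fs_type and mls_trusted_object.`. Callers still need a genfscon for the new type to label anything, which this template does not provide.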
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.5/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/selinux.te 2007-12-19 05:38:09.000000000 -0500
@@ -10,6 +10,7 @@
attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;
+attribute booleans_type;
#
# security_t is the target type when checking
@@ -22,6 +23,11 @@
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+type boolean_t, booleans_type;
+fs_type(boolean_t)
+mls_trusted_object(boolean_t)
+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
+
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
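Review bot: `#genfscon selinuxfs /booleans ...` is added already commented out with no explanation, leaving boolean_t declared but assigned to no object, so a reader cannot tell whether this waits on kernel support or was disabled because it broke something. Add the reason and the condition for enabling it, e.g. `# /booleans labeling disabled until <reason>; boolean_t labels nothing until then`, or drop the dead line. Note that mls_trusted_object(boolean_t) and fs_type(boolean_t) take effect now for a type that labels nothing, so they should be re-reviewed when the genfscon is enabled.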
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.2.5/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/storage.fc 2007-12-21 10:02:13.000000000 -0500
@@ -13,6 +13,7 @@
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.2.5/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/storage.if 2008-01-08 06:26:10.000000000 -0500
@@ -81,6 +81,26 @@
########################################
## <summary>
+## dontaudit the caller attempts to read from a fixed disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_fixed_disk',`
+ gen_require(`
+ attribute fixed_disk_raw_read;
+ type fixed_disk_device_t;
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
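Review bot: storage_dontaudit_raw_read_fixed_disk requires `attribute fixed_disk_raw_read;` but never uses it; only fixed_disk_device_t appears in its rules, so the attribute should be removed from the gen_require. The summary `dontaudit the caller attempts to read from a fixed disk.` would read better as `Do not audit attempts by the caller to read directly from a fixed disk.`, matching the other dontaudit interfaces in this file.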
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.5/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/terminal.if 2007-12-19 05:38:09.000000000 -0500
@@ -525,11 +525,13 @@
interface(`term_use_generic_ptys',`
gen_require(`
type devpts_t;
+ attribute server_ptynode;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:chr_file { rw_term_perms lock append };
+ allow $1 server_ptynode:chr_file { getattr read write ioctl };
')
########################################
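Review bot: Adding `allow $1 server_ptynode:chr_file { getattr read write ioctl };` changes term_use_generic_ptys from "the generic devpts_t nodes" to "every pty node carrying the server_ptynode attribute" (presumably those allocated by sshd, login and similar server domains), so every existing caller silently gains read/write on other users' session terminals. If only a few callers need that, a separate interface for server ptys keeps this one narrow; if the widening is intended, the summary should say so and the `lock append` permissions granted on devpts_t should be reconciled with the narrower set granted here. The interface's summary is outside this hunk.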
@@ -547,9 +549,11 @@
interface(`term_dontaudit_use_generic_ptys',`
gen_require(`
type devpts_t;
+ attribute server_ptynode;
')
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.5/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/amavis.te 2008-01-14 13:46:45.000000000 -0500
@@ -65,6 +65,7 @@
# Spool Files
manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+manage_lnk_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
files_search_spool(amavis_t)
@@ -116,6 +117,7 @@
# bind to incoming port
corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.5/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/apache.fc 2007-12-19 05:38:09.000000000 -0500
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -71,5 +70,16 @@
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
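Review bot: `/usr/share/bugzilla(/.*)? -- ...httpd_bugzilla_script_exec_t` labels every regular file under /usr/share/bugzilla — templates, data and documentation included — as a CGI executable, so httpd can transition into the bugzilla script domain via any file there, not only the scripts. If the executable layout is known, restrict the pattern to it (for example the top-level `.cgi` files) and let the rest fall to httpd_bugzilla_content_t, or add a comment saying why everything must be exec-labeled. The `/etc/rc\.d/init\.d/httpd -- ...httpd_script_exec_t` line also reuses a name that reads like a CGI script type beside httpd_sys_script_exec_t; a comment such as `# init script, not a CGI script type` would head off confusion.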
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/apache.if 2007-12-31 07:06:22.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write,false)
-
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
@@ -71,7 +67,7 @@
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
@@ -87,7 +83,6 @@
manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -96,6 +91,7 @@
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
+ application_exec_all(httpd_$1_script_t)
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
@@ -120,10 +116,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -177,48 +169,6 @@
miscfiles_read_localization(httpd_$1_script_t)
')
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
- corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
- corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
- corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
- corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_all_ports(httpd_$1_script_t)
- corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- optional_policy(`
- mta_send_mail(httpd_$1_script_t)
- ')
-
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -267,7 +217,7 @@
attribute httpdcontent, httpd_script_domains;
attribute httpd_exec_scripts, httpd_user_content_type;
attribute httpd_user_script_exec_type;
- type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
')
apache_content_template($1)
@@ -331,6 +281,7 @@
userdom_search_user_home_dirs($1,httpd_t)
userdom_search_user_home_dirs($1,httpd_suexec_t)
userdom_search_user_home_dirs($1,httpd_$1_script_t)
+ userdom_search_user_home_dirs($1,httpd_sys_script_t)
')
')
@@ -352,12 +303,11 @@
#
template(`apache_read_user_scripts',`
gen_require(`
- type httpd_$1_script_exec_t;
+ attribute httpd_user_script_exec_type;
')
-
- allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
- read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
- read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ allow $2 httpd_user_script_exec_type:dir list_dir_perms;
+ read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
+ read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
')
########################################
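Review bot: Switching apache_read_user_scripts from `httpd_$1_script_exec_t` to the `httpd_user_script_exec_type` attribute means $2 now reads every user's script directories, not only the $1 user's, and the $1 parameter becomes dead while remaining part of the template's signature. If cross-user read is intended, document it (`## Read all users' web script directories; the user prefix argument is unused.`) or convert the template to an interface with a single parameter; otherwise keep the per-user type. The same widening appears in apache_read_user_content in the next hunk.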
@@ -378,12 +328,12 @@
#
template(`apache_read_user_content',`
gen_require(`
- type httpd_$1_content_t;
+ attribute httpd_user_content_type;
')
- allow $2 httpd_$1_content_t:dir list_dir_perms;
- read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
- read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
+ allow $2 httpd_user_content_type:dir list_dir_perms;
+ read_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
+ read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
')
########################################
@@ -761,6 +711,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
')
########################################
@@ -845,6 +796,10 @@
type httpd_sys_script_t;
')
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
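Review bot: The new `domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)` references `httpd_sys_script_exec_t`, but the visible tail of the gen_require block lists only `httpd_sys_script_t`; if the exec type is not already required earlier in that block (its start is outside the hunk), add `type httpd_sys_script_exec_t;` to it. The enclosing interface begins outside the hunk.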
@@ -932,7 +887,7 @@
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr read };
+ read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
')
########################################
@@ -1088,3 +1043,138 @@
allow httpd_t $1:process signal;
')
+
+########################################
+## <summary>
+## Allow the specified domain to search
+## apache bugzilla directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write Apache
+## bugzill script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Execute apache server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apache_script_domtrans',`
+ gen_require(`
+ type httpd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,httpd_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the apache domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+
+ gen_require(`
+ type httpd_t, httpd_script_exec_t, httpd_config_t;
+ type httpd_log_t, httpd_modules_t, httpd_lock_t;
+ type httpd_var_run_t;
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+ type httpd_bool_t;
+ ')
+
+ allow $1 httpd_t:process { getattr ptrace signal_perms };
+
+ # Allow $1 to restart the apache service
+ apache_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_script_exec_t system_r;
+ allow $2 system_r;
+
+ apache_manage_all_content($1)
+
+ files_search_etc($1)
+ manage_dirs_pattern($1,httpd_config_t,httpd_config_t)
+ manage_files_pattern($1,httpd_config_t,httpd_config_t)
+ read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1,httpd_log_t,httpd_log_t)
+ manage_files_pattern($1,httpd_log_t,httpd_log_t)
+ read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
+
+ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
+
+ allow $1 httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans($1, httpd_lock_t, file)
+
+ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+ files_pid_filetrans($1,httpd_var_run_t, file)
+
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_t,httpd_t)
+ read_lnk_files_pattern($1,httpd_t,httpd_t)
+
+ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
+
+ seutil_domtrans_setfiles($1)
+
+# apache_set_booleans($1, $2, $3, httpd_bool_t )
+# seutil_setsebool_per_role_template($1, httpd, $3)
+# allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+# allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
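Review bot: apache_admin's parameter documentation does not match how the parameters are used: the doc lists `$1` as a prefix, `$2` as the domain and `$3` as the role, but the body uses `$1` as the domain (`allow $1 httpd_t:process { getattr ptrace signal_perms };`) and `$2` as the role (`role_transition $2 httpd_script_exec_t system_r;`, `allow $2 system_r;`), and `$3` is never referenced, so a caller following the doc would pass a prefix where a type is expected. Either drop the prefix parameter from the doc so it reads domain/role, or shift the body to `$2`/`$3`. The `type httpd_bool_t;` require and the four commented-out lines at the end are dead and should be removed rather than left as commented code. Separately, apache_script_domtrans's summary says `Execute apache server in the ntpd domain`, which should read `Execute the apache init script in the init script domain.`, and `uder_t` and `bugzill` are typos.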
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-31 07:20:25.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
## <desc>
## <p>
## Allow Apache to modify public files
@@ -31,10 +33,10 @@
## <desc>
## <p>
-## Allow Apache to use mod_auth_pam
+## Allow Apache to communicate with avahi service via dbus
## </p>
## </desc>
-gen_tunable(allow_httpd_mod_auth_pam,false)
+gen_tunable(allow_httpd_dbus_avahi,false)
## <desc>
## <p>
@@ -45,7 +47,14 @@
## <desc>
## <p>
-## Allow HTTPD scripts and modules to connect to the network using TCP.
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail,false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network
## </p>
## </desc>
gen_tunable(httpd_can_network_connect,false)
@@ -95,8 +104,8 @@
## <desc>
## <p>
-## Unify HTTPD to communicate with the terminal.
-## Needed for entering the passphrase for certificates at
+## Unify HTTPD to communicate with the terminal.
+## Needed for handling certificates at
## the terminal.
## </p>
## </desc>
@@ -109,6 +118,27 @@
## </desc>
gen_tunable(httpd_unified,false)
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs,false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs,false)
+
+## <desc>
+## <p>
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write,false)
+
attribute httpdcontent;
attribute httpd_user_content_type;
@@ -147,6 +177,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
+type httpd_script_exec_t;
+init_script_type(httpd_script_exec_t)
+
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
@@ -207,7 +240,7 @@
# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
@@ -249,6 +282,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
+read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -289,6 +323,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -315,9 +350,7 @@
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
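Review bot: `application_exec_all(httpd_t)` widens what the web server may execute from bin and shell executables to every application executable type, and the removed `# execute perl` comment was the only statement of why exec rights are needed here; the same substitution is made for httpd_suexec_t at L5754. If the broader set is intentional, a why-comment such as `# modules and CGI helpers spawn arbitrary applications, not only /bin and shells` should say so; otherwise corecmd_exec_bin/corecmd_exec_shell were the narrower grant.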
@@ -335,6 +368,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
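Review bot: The new tmp rules are inconsistent: manage_dirs_pattern/manage_files_pattern give httpd_sys_script_t access to `httpd_tmp_t`, but `files_tmp_filetrans` labels what the script creates in /tmp as `httpd_sys_script_rw_t`, so the files the `# php uploads` comment describes would not carry the type the two preceding lines grant, and the transition also lists `lnk_file sock_file fifo_file` classes for which no manage rule is given. Presumably the intent is `files_tmp_filetrans(httpd_sys_script_t,httpd_tmp_t,{ dir file })`, or else manage rules for httpd_sys_script_rw_t. These rules also sit among the httpd_t rules rather than in the `Apache system script local policy` section further down.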
@@ -351,8 +388,6 @@
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
-
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
@@ -361,6 +396,13 @@
#
# We need optionals to be able to be within booleans to make this work
#
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
')
@@ -370,6 +412,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+ mta_send_mail(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
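Review bot: The `httpd_can_sendmail` block also grants POP client access (`corenet_tcp_connect_pop_port`, `corenet_sendrecv_pop_client_packets`), which is mail retrieval rather than sending, while the boolean's description at L5490 says only `Allow http daemon to send mail`. Either drop the POP lines or extend the description so an administrator enabling the boolean knows it also opens POP, e.g. `Allow http daemon to send mail and connect to SMTP/POP servers`. The comment `# allow httpd to connect to mail servers` should also mention that httpd_sys_script_t is covered, since `mta_send_mail(httpd_sys_script_t)` is included.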
@@ -382,6 +434,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -399,11 +455,21 @@
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_read_nfs_files(httpd_t)
+ fs_read_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -437,8 +503,14 @@
')
optional_policy(`
+ dbus_system_bus_client_template(httpd,httpd_t)
+ tunable_policy(`allow_httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+ kerberos_read_keytab(httpd_t)
')
optional_policy(`
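Review bot: `dbus_system_bus_client_template(httpd,httpd_t)` and the `allow_httpd_dbus_avahi` tunable share one optional_policy block, so the block applies only when both the dbus and the avahi module interfaces are available; on a system without the avahi module httpd would lose its dbus client access as well. Put the avahi tunable in its own nested `optional_policy(`` inside the dbus block, or in a separate top-level one. The switch from kerberos_read_kdc_config to `kerberos_read_keytab(httpd_t)` gives the web server read access to keytab key material; a short comment naming the consumer (presumably a Kerberos authentication module) would make that grant reviewable.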
@@ -450,19 +522,13 @@
')
optional_policy(`
- # Allow httpd to work with mysql
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- corenet_tcp_connect_mysqld_port(httpd_t)
- corenet_sendrecv_mysqld_client_packets(httpd_t)
- ')
+ mysql_read_config(httpd_t)
')
optional_policy(`
nagios_read_config(httpd_t)
- nagios_domtrans_cgi(httpd_t)
')
optional_policy(`
@@ -472,13 +538,14 @@
openca_kill(httpd_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
+')
+
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
')
optional_policy(`
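Review bot: `postgresql_tcp_connect(httpd_t)` and `postgresql_tcp_connect(httpd_sys_script_t)` were moved out of the optional_policy block into a bare tunable_policy, so apache now has a hard dependency on the postgresql module's interfaces and fails to build when that module is absent, which is exactly what the removed optional wrapper guarded against. Keep the tunable inside an optional_policy block (optional blocks may contain tunable_policy, as the dbus block at L5652 shows), or nest it in the postgresql optional block that follows. The mysqld port rules added at L5729 use only corenet_* interfaces and do not have this problem.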
@@ -486,6 +553,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -521,6 +589,13 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
+optional_policy(`
+ tunable_policy(`httpd_tty_comm',`
+ unconfined_use_terminals(httpd_helper_t)
+ ')
+')
+
+
########################################
#
# Apache PHP script local policy
@@ -550,18 +625,24 @@
fs_search_auto_mountpoints(httpd_php_t)
+auth_use_nsswitch(httpd_php_t)
+
libs_exec_lib_files(httpd_php_t)
libs_use_ld_so(httpd_php_t)
libs_use_shared_libs(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`
- mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
')
optional_policy(`
- nis_use_ypbind(httpd_php_t)
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
')
########################################
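Review bot: This `httpd_can_network_connect_db` block grants `corenet_tcp_connect_mysqld_port(httpd_t)` and `corenet_sendrecv_mysqld_client_packets(httpd_t)`, and the block ending at L5835 grants the same two rules for httpd_t again; one of the two should go, with the httpd_sys_script_t lines kept next to the other script rules. The block is also placed in the `Apache PHP script local policy` section although it grants nothing to httpd_php_t; it belongs with the other httpd_can_* tunables in the httpd_t section.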
@@ -585,6 +666,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
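Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` lets suexec run system CGI scripts inside its own domain rather than transitioning them to httpd_sys_script_t, so a script executed on that path inherits httpd_suexec_t's permissions instead of the script domain's confinement. If a domain transition for these files exists elsewhere in the file it still applies to ordinary execs, but this rule makes the no-transition execution allowed; a why-comment such as `# suexec execs the script without a transition when <case> — TODO confirm` is needed, or the rule should be dropped.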
@@ -593,9 +676,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -638,6 +719,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
@@ -655,10 +742,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
- nagios_domtrans_cgi(httpd_suexec_t)
-')
-
########################################
#
# Apache system script local policy
@@ -668,7 +751,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+apache_read_squirrelmail_data(httpd_sys_script_t)
+apache_append_squirrelmail_data(httpd_sys_script_t)
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -682,15 +766,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+sysnet_read_config(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs', `
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -700,9 +813,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+')
+
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
')
########################################
@@ -724,3 +843,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
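Review bot: httpd_bugzilla_script_t gets its network client access (`corenet_tcp_connect_postgresql_port`, `corenet_tcp_connect_mysqld_port`, `corenet_tcp_connect_http_port`, all-ports sendrecv) and `mta_send_mail` unconditionally, whereas httpd_sys_script_t only gets the equivalent rules under `httpd_enable_cgi && httpd_can_network_connect`, `httpd_can_network_connect_db` and `httpd_can_sendmail` in the hunks above. If bugzilla is meant to bypass those booleans, a comment stating so is needed; otherwise wrap the corenet connect rules and `mta_send_mail` in the same tunable_policy blocks so administrators keep one switch for web-script network access. The `mysql_search_db`/`postgresql_stream_connect` calls are correctly inside optional_policy.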
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.5/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/apcupsd.if 2007-12-31 16:41:36.000000000 -0500
@@ -90,10 +90,29 @@
## </summary>
## </param>
#
-interface(`httpd_apcupsd_cgi_script_domtrans',`
+interface(`apcupsd_cgi_script_domtrans',`
gen_require(`
type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
')
domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
')
+
+########################################
+## <summary>
+## Read apcupsd tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apcupsd_read_tmp_files',`
+ gen_require(`
+ type apcupsd_tmp_t;
+ ')
+
+ allow $1 apcupsd_tmp_t:file read_file_perms;
+')
+
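Review bot: The rename of `httpd_apcupsd_cgi_script_domtrans` to `apcupsd_cgi_script_domtrans` changes a public interface name, so any caller of the old name elsewhere in the policy breaks unless it is updated in the same change (none is visible here). For the new apcupsd_read_tmp_files, refpolicy read interfaces normally also grant the directory search needed to reach the files; consider adding `files_search_tmp($1)` ahead of the allow rule. The hunk also ends with an added empty line after the closing `')`, leaving trailing blank lines at the end of the file.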
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.5/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/apcupsd.te 2007-12-19 05:38:09.000000000 -0500
@@ -86,6 +86,11 @@
miscfiles_read_localization(apcupsd_t)
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_unpriv_users_ttys(apcupsd_t)
+userdom_use_unpriv_users_ptys(apcupsd_t)
+
optional_policy(`
hostname_exec(apcupsd_t)
')
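Review bot: `userdom_use_unpriv_users_ttys(apcupsd_t)` and `userdom_use_unpriv_users_ptys(apcupsd_t)` let the UPS daemon read and write every unprivileged user's terminal with no comment on why; wall-style shutdown warnings are the likely reason, but that is an inference. A one-line why-comment such as `# presumably for wall-style power notifications to logged-in users — TODO confirm` would make the grant reviewable, and if only writing is needed a narrower write-only grant would be preferable.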
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.5/policy/modules/services/automount.fc
--- nsaserefpolicy/policy/modules/services/automount.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/automount.fc 2007-12-19 05:38:09.000000000 -0500
@@ -12,4 +12,4 @@
# /var
#
-/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0)
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.5/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/automount.if 2008-01-08 15:20:43.000000000 -0500
@@ -74,3 +74,21 @@
dontaudit $1 automount_tmp_t:dir getattr;
')
+
+########################################
+## <summary>
+## Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fd use;
+')
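Review bot: The summary of automount_dontaudit_use_fds is missing its verb: `Do not audit attempts to file descriptors for automount.` should read `Do not audit attempts to use automount file descriptors.` The body matches the interface name, so only the documentation needs the change.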
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.5/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/automount.te 2007-12-19 05:38:09.000000000 -0500
@@ -52,7 +52,8 @@
files_root_filetrans(automount_t,automount_tmp_t,dir)
manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t)
-files_pid_filetrans(automount_t,automount_var_run_t,file)
+manage_fifo_files_pattern(automount_t,automount_var_run_t,automount_var_run_t)
+files_pid_filetrans(automount_t,automount_var_run_t,{ file fifo_file })
kernel_read_kernel_sysctls(automount_t)
kernel_read_irq_sysctls(automount_t)
@@ -69,6 +70,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
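Review bot: `files_manage_non_security_dirs(automount_t)` grants create, delete and rename on directories of every non-security file type, far wider than the mount/unmount and mountpoint rules around it, and carries no comment explaining the need. If automount only has to create mount-point directories, a rule scoped to the mount-point types, or at least a why-comment naming the paths it creates (e.g. `# automount creates mount-point directories under <autofs root> — TODO confirm`), would be preferable.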
@@ -126,6 +128,8 @@
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
+storage_rw_fuse(automount_t)
+
term_dontaudit_getattr_pty_dirs(automount_t)
libs_use_ld_so(automount_t)
@@ -170,6 +174,11 @@
')
optional_policy(`
+ samba_read_config(automount_t)
+ samba_read_var_files(automount_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(automount_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.5/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/avahi.te 2007-12-19 05:38:09.000000000 -0500
@@ -85,6 +85,7 @@
dbus_connect_system_bus(avahi_t)
init_dbus_chat_script(avahi_t)
+ dbus_system_domain(avahi_t,avahi_exec_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.2.5/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2007-09-17 15:56:47.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/bitlbee.te 2007-12-19 05:38:09.000000000 -0500
@@ -54,6 +54,9 @@
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.5/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.fc 2007-12-19 05:38:09.000000000 -0500
@@ -22,3 +22,4 @@
#
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.5/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2007-12-19 05:38:09.000000000 -0500
@@ -44,7 +44,7 @@
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
@@ -127,6 +127,7 @@
optional_policy(`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
+ dbus_system_domain(bluetooth_t,bluetooth_exec_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.5/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2007-12-31 09:05:46.000000000 -0500
@@ -5,16 +5,18 @@
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.5/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/clamav.te 2007-12-19 05:38:09.000000000 -0500
@@ -87,6 +87,7 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
@@ -120,6 +121,8 @@
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
+mta_read_config(clamd_t)
+
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
@@ -127,6 +130,10 @@
amavis_create_pid_files(clamd_t)
')
+optional_policy(`
+ exim_read_spool_files(clamd_t)
+')
+
########################################
#
# Freshclam local policy
@@ -233,3 +240,7 @@
optional_policy(`
apache_read_sys_content(clamscan_t)
')
+
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2007-12-19 05:38:09.000000000 -0500
@@ -36,6 +36,7 @@
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_etc_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
@@ -50,8 +51,16 @@
libs_use_ld_so(consolekit_t)
libs_use_shared_libs(consolekit_t)
+logging_send_syslog_msg(consolekit_t)
+
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
+userdom_dontaudit_read_unpriv_users_home_content_files(consolekit_t)
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
optional_policy(`
dbus_system_bus_client_template(consolekit, consolekit_t)
dbus_connect_system_bus(consolekit_t)
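Review bot: `userdom_ptrace_all_users(consolekit_t)`, `hal_ptrace(consolekit_t)` and `mcs_ptrace_all(consolekit_t)` (plus `unconfined_ptrace` at L6135) give consolekit ptrace over every user process, which means full read and write of those processes' memory, while the comment at L6134 says the purpose is reading .Xauthority; if that is the real need, a file-read grant would be far narrower than ptrace. The earlier hunk adds `domain_dontaudit_ptrace_all_domains(consolekit_t)` at L6110, which is contradicted by these allows for the user domains and suggests the access was meant to be denied quietly rather than granted. `hal_ptrace` is also called outside an optional_policy block, making the consolekit module fail to build when the hal module is absent.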
@@ -67,3 +76,8 @@
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
')
+
+optional_policy(`
+ #reading .Xauthity
+ unconfined_ptrace(consolekit_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cron.fc 2007-12-19 05:38:09.000000000 -0500
@@ -17,6 +17,8 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/spool/anacron(/.*) gen_context(system_u:object_r:system_cron_spool_t,s0)
+
/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/at/[^/]* -- <<none>>
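Review bot: `/var/spool/anacron(/.*)` lacks the trailing `?` that the other recursive entry added in this change uses (`/var/lib/misc(/.*)?` at L6152), so the regex matches only the directory's contents and the `/var/spool/anacron` directory itself keeps whatever label it gets by default. Change it to `/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)`.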
@@ -45,3 +47,4 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
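Review bot: Labeling all of `/var/lib/misc(/.*)?` as `system_crond_var_lib_t` claims a directory that other packages also use for miscellaneous state, so their domains would need cron's var_lib type to touch their own files there; presumably only one cron-related file under it is the target. If so, a more specific entry for that file (placeholder: `/var/lib/misc/<cron-file> -- gen_context(system_u:object_r:system_crond_var_lib_t,s0)`) avoids relabeling unrelated state, and a comment naming the file would explain the entry.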
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-31 15:17:06.000000000 -0500
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
gen_require(`
+ class context contains;
attribute cron_spool_type;
type crond_t, cron_spool_t, crontab_exec_t;
')
+ typealias $1_t alias $1_crond_t;
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
- type $1_crond_t;
- domain_type($1_crond_t)
- domain_cron_exemption_target($1_crond_t)
- corecmd_shell_entry_type($1_crond_t)
- role $3 types $1_crond_t;
+ domain_cron_exemption_target($1_t)
+ corecmd_shell_entry_type($1_t)
type $1_crontab_t;
application_domain($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
- type $1_crontab_tmp_t;
- files_tmp_file($1_crontab_tmp_t)
-
- ##############################
- #
- # $1_crond_t local policy
- #
-
- allow $1_crond_t self:capability dac_override;
- allow $1_crond_t self:process { signal_perms setsched };
- allow $1_crond_t self:fifo_file rw_fifo_file_perms;
- allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
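Review bot: `typealias $1_t alias $1_crond_t;` collapses the per-user cron domain into the interactive user domain, so `domain_cron_exemption_target($1_t)`, `corecmd_shell_entry_type($1_t)` and the `$1_cron_spool_t:file entrypoint` rule at L6200 now apply to the user's login domain and cron jobs run with the full rights of an interactive session; that is a deliberate reduction in separation and deserves a comment stating it, e.g. `# user cron jobs run in the user domain itself; $1_crond_t is kept only as an alias for existing callers`. The `class context contains;` added to gen_require is not used by anything visible in this hunk; if nothing further down uses it, drop it. The template continues past the hunk.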
@@ -74,116 +59,23 @@
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
- allow $1_crond_t $1_cron_spool_t:file entrypoint;
+ allow $1_t $1_cron_spool_t:file entrypoint;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
- allow crond_t $1_crond_t:process transition;
- dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
- allow crond_t $1_crond_t:fd use;
- allow $1_crond_t crond_t:fd use;
- allow $1_crond_t crond_t:fifo_file rw_file_perms;
- allow $1_crond_t crond_t:process sigchld;
-
- kernel_read_system_state($1_crond_t)
- kernel_read_kernel_sysctls($1_crond_t)
-
- # ps does not need to access /boot when run from cron
- files_dontaudit_search_boot($1_crond_t)
-
- corenet_all_recvfrom_unlabeled($1_crond_t)
- corenet_all_recvfrom_netlabel($1_crond_t)
- corenet_tcp_sendrecv_all_if($1_crond_t)
- corenet_udp_sendrecv_all_if($1_crond_t)
- corenet_tcp_sendrecv_all_nodes($1_crond_t)
- corenet_udp_sendrecv_all_nodes($1_crond_t)
- corenet_tcp_sendrecv_all_ports($1_crond_t)
- corenet_udp_sendrecv_all_ports($1_crond_t)
- corenet_tcp_connect_all_ports($1_crond_t)
- corenet_sendrecv_all_client_packets($1_crond_t)
-
- dev_read_urand($1_crond_t)
-
- fs_getattr_all_fs($1_crond_t)
-
- corecmd_exec_all_executables($1_crond_t)
-
- # quiet other ps operations
- domain_dontaudit_read_all_domains_state($1_crond_t)
- domain_dontaudit_getattr_all_domains($1_crond_t)
-
- files_read_usr_files($1_crond_t)
- files_exec_etc_files($1_crond_t)
- # for nscd:
- files_dontaudit_search_pids($1_crond_t)
-
- libs_use_ld_so($1_crond_t)
- libs_use_shared_libs($1_crond_t)
- libs_exec_lib_files($1_crond_t)
- libs_exec_ld_so($1_crond_t)
-
- files_read_etc_runtime_files($1_crond_t)
- files_read_var_files($1_crond_t)
- files_search_spool($1_crond_t)
-
- logging_search_logs($1_crond_t)
-
- seutil_read_config($1_crond_t)
-
- miscfiles_read_localization($1_crond_t)
-
- userdom_manage_user_tmp_files($1,$1_crond_t)
- userdom_manage_user_tmp_symlinks($1,$1_crond_t)
- userdom_manage_user_tmp_pipes($1,$1_crond_t)
- userdom_manage_user_tmp_sockets($1,$1_crond_t)
- # Run scripts in user home directory and access shared libs.
- userdom_exec_user_home_content_files($1,$1_crond_t)
- # Access user files and dirs.
-# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
- userdom_manage_user_home_content_files($1,$1_crond_t)
- userdom_manage_user_home_content_symlinks($1,$1_crond_t)
- userdom_manage_user_home_content_pipes($1,$1_crond_t)
- userdom_manage_user_home_content_sockets($1,$1_crond_t)
-# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+ allow crond_t $1_t:process transition;
+ dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };
+ allow crond_t $1_t:fd use;
+ allow $1_t crond_t:fd use;
+ allow $1_t crond_t:fifo_file rw_file_perms;
+ allow $1_t crond_t:process sigchld;
tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file manage_file_perms;
')
- # need a per-role version of this:
- #optional_policy(`
- # mono_domtrans($1_crond_t)
- #')
-
- optional_policy(`
- dbus_stub($1_crond_t)
-
- allow $1_crond_t $2:dbus send_msg;
- ')
-
- optional_policy(`
- nis_use_ypbind($1_crond_t)
- ')
-
- ifdef(`TODO',`
- optional_policy(`
- create_dir_file($1_crond_t, httpd_$1_content_t)
- ')
- allow $1_crond_t tmp_t:dir rw_dir_perms;
- type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
-
- ifdef(`mta.te', `
- domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
- allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
-
- # $1_mail_t should only be reading from the cron fifo not needing to write
- dontaudit $1_mail_t crond_t:fifo_file write;
- allow mta_user_agent $1_crond_t:fd use;
- ')
- ') dnl endif TODO
-
##############################
#
# $1_crontab_t local policy
@@ -192,9 +84,13 @@
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
allow $1_crontab_t self:process signal_perms;
+ allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+ allow $2 $1_crontab_t:fd use;
+
+ auth_domtrans_chk_passwd($1_crontab_t)
# crontab shows up in user ps
ps_process_pattern($2,$1_crontab_t)
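Review bot: `auth_domtrans_chk_passwd($1_crontab_t)` is added without a comment saying what in crontab triggers a password check, and `allow $2 $1_crontab_t:fd use;` runs in the reverse of the usual child-uses-parent direction that `domtrans_pattern` already grants. Both are plausible (crontab running through PAM, and an editor spawned by crontab that returns to `$2`), but that is inference; a one-line comment above each, e.g. `# crontab calls PAM - TODO confirm which module`, would record the reason. The template body continues outside the hunk.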
@@ -205,9 +101,6 @@
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file manage_file_perms;
- allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
-
# create files in /var/spool/cron
manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
@@ -236,6 +129,7 @@
libs_use_shared_libs($1_crontab_t)
logging_send_syslog_msg($1_crontab_t)
+ logging_send_audit_msgs($1_crontab_t)
miscfiles_read_localization($1_crontab_t)
@@ -247,6 +141,7 @@
userdom_use_user_terminals($1,$1_crontab_t)
# Read user crontabs
userdom_read_user_home_content_files($1,$1_crontab_t)
+ userdom_transition_user_tmp($1,$1_crontab_t, { lnk_file file dir fifo_file })
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
@@ -285,14 +180,12 @@
template(`cron_admin_template',`
gen_require(`
attribute cron_spool_type;
- type $1_crontab_t, $1_crond_t;
+ type $1_crontab_t;
')
# Allow our crontab domain to unlink a user cron spool file.
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
- logging_read_generic_logs($1_crond_t)
-
# Manipulate other users crontab.
selinux_get_fs_mount($1_crontab_t)
selinux_validate_context($1_crontab_t)
@@ -438,6 +331,25 @@
########################################
## <summary>
+## Read temporary files from cron.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 crond_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read, and write cron daemon TCP sockets.
## </summary>
## <param name="domain">
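Review bot: `allow $1 crond_tmp_t:file read_file_perms;` in cron_read_tmp_files grants no search on crond_tmp_t directories, yet cron.te creates such directories (`files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir })` in this patch), so files inside them stay unreachable to the caller. `read_files_pattern($1, crond_tmp_t, crond_tmp_t)` grants the directory search as well and matches the sibling interface added at the end of this file.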
@@ -583,3 +495,23 @@
dontaudit $1 system_crond_tmp_t:file append;
')
+
+
+########################################
+## <summary>
+## Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_crond_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t)
+')
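Review bot: The summary of cron_read_system_job_lib_files says "Read temporary files from the system cron jobs" but the body reads system_crond_var_lib_t, the /var/lib type declared in cron.te; the summary should say `## Read files in the system cron jobs' /var/lib directories.` The interface also lacks `files_search_var_lib($1)`, so a caller that cannot already search /var/lib cannot reach the files, unlike the tmp variant above which calls `files_search_tmp($1)`. The two stray blank lines before the `########` banner and inside the body break the one-blank-line layout used by the rest of the file.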
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-27 07:19:39.000000000 -0500
@@ -50,6 +50,7 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
@@ -71,6 +72,12 @@
type system_crond_tmp_t;
files_tmp_file(system_crond_tmp_t)
+type system_crond_var_lib_t;
+files_type(system_crond_var_lib_t)
+
+type system_crond_var_run_t;
+files_pid_file(system_crond_var_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
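Review bot: system_crond_var_run_t is declared with `files_pid_file`, but no file-context entry for it appears in the cron.fc hunks of this patch (the only cron.fc addition visible is `/var/lib/misc`), so a pid file created at runtime via `files_pid_filetrans` would be relabeled to the generic pid type on a relabel. If the entry exists in a hunk outside this view, ignore this; otherwise add the path under cron.fc.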
@@ -80,7 +87,7 @@
# Cron Local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -99,15 +106,14 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t,cron_spool_t,cron_spool_t)
manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
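Review bot: `manage_files_pattern(crond_t,cron_spool_t,cron_spool_t)` replaces read-only access with unconditional create/write/unlink on the cron spool files, while write access to system_cron_spool_t (later in this file) and to the per-user `$1_cron_spool_t` (cron.if) remains gated by `tunable_policy(fcron_crond)`. Unless crond itself now rewrites spool files in the default configuration, this is inconsistent and widens the daemon beyond what it needs; keeping `allow crond_t cron_spool_t:dir rw_dir_perms;` plus `allow crond_t cron_spool_t:file read_file_perms;` and moving the manage rule under the same tunable would match the rest of the file. If the widening is required, a comment naming the reason would help.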
@@ -133,6 +139,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
@@ -142,13 +150,16 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
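Review bot: `init_spec_domtrans_script(crond_t)` lets the daemon itself launch init scripts in the init-script domain, but nothing records which job or feature needs that, and the same is true of `domain_subj_id_change_exemption`/`domain_role_change_exemption` in the previous hunk. A comment such as `# crond uses setexeccon to start jobs as other users/roles and, for some jobs, as initrc` would keep the reason with the rules. `logging_set_loginuid(crond_t)` presumably supplies the audit_control capability that the earlier capability hunk dropped from the self rule; confirm the interface does so, since otherwise setting the loginuid will now be denied.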
@@ -163,9 +174,6 @@
mta_send_mail(crond_t)
ifdef(`distro_debian',`
- # pam_limits is used
- allow crond_t self:process setrlimit;
-
optional_policy(`
# Debian logcheck has the home dir set to its cache
logwatch_search_cache_dir(crond_t)
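Review bot: Removing `allow crond_t self:process setrlimit;` from the distro_debian block leaves crond_t without setrlimit on Debian, because the generic rule `allow crond_t self:process ~{ ... setrlimit ... };` in the earlier hunk explicitly excludes it, and the deleted comment said pam_limits relies on it. Unless setrlimit is granted elsewhere in a hunk outside this view, Debian cron with pam_limits will hit a denial; either keep the rule or note why it is no longer needed.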
@@ -180,21 +188,45 @@
')
')
+tunable_policy(`allow_polyinstantiation',`
+ allow crond_t self:capability fowner;
+ files_search_tmp(crond_t)
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
+optional_policy(`
+ # these should probably be unconfined_crond_t
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_dbus_chat(system_crond_t)
')
optional_policy(`
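Review bot: `hal_dbus_chat(system_crond_t)` sits in the crond_t section of the file, next to `hal_dbus_chat(crond_t)`; system_crond_t has its own optional_policy blocks later in this file, and that is where the rule belongs. `mono_domtrans(crond_t)` is likewise added without a comment, and since crond starts jobs via setexeccon it is not obvious why the daemon, rather than system_crond_t (which gets the same call later), needs an automatic transition into the mono domain. The `# these should probably be unconfined_crond_t` remark suggests the intended home for the dbus rule is a separate domain as well.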
@@ -267,9 +299,16 @@
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
+# var/lib files for system_crond
+files_search_var_lib(system_crond_t)
+manage_files_pattern(system_crond_t,system_crond_var_lib_t,system_crond_var_lib_t)
+
+allow system_crond_t system_crond_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_crond_t,system_crond_var_run_t,file)
+
# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir list_dir_perms;
-allow system_crond_t cron_spool_t:file read_file_perms;
+allow system_crond_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
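Review bot: `allow system_crond_t cron_spool_t:file rw_file_perms;` lets every system cron job write to files in the cron spool that were previously read-only to it, with no comment saying which job needs to. The comment just above it still says `# Read from /var/spool/cron.`, so at minimum it should be updated, e.g. `# Read and write generic files in /var/spool/cron (needed by <job> - TODO name it)`. If only one job writes there, a more specific type or a tunable would keep the rest of the system jobs read-only.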
@@ -323,7 +362,7 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_telinit(system_crond_t)
auth_use_nsswitch(system_crond_t)
@@ -333,6 +372,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
+logging_send_audit_msgs(system_crond_t)
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
@@ -383,6 +423,14 @@
')
optional_policy(`
+ lpd_list_spool(system_crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(system_crond_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_crond_t)
')
@@ -415,8 +463,7 @@
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_crond_t)
+ spamassassin_manage_lib_files(system_crond_t)
')
optional_policy(`
@@ -424,8 +471,13 @@
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_crond_t)
+')
+optional_policy(`
userdom_priveleged_home_dir_manager(system_crond_t)
')
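Review bot: `unconfined_domain(crond_t)` makes the cron daemon itself unconfined whenever the unconfined module is loaded, so the capability trimming, spool rules, loginuid and audit additions elsewhere in this file no longer constrain it on such systems. The earlier remark `# these should probably be unconfined_crond_t` points at the alternative: a separate unconfined job domain reached through the existing transition, with crond_t staying confined. `unconfined_shell_domtrans(crond_t)` and `unconfined_dbus_send(crond_t)` may already be sufficient for crond to start unconfined jobs; if full unconfinement of the daemon is deliberate, a comment explaining why it cannot stay confined would help.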
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.5/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cups.fc 2007-12-19 05:38:09.000000000 -0500
@@ -8,17 +8,15 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
-
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
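Review bot: Dropping `/usr/lib(64)?/cups/backend/.*` and `/usr/lib(64)?/cups/daemon/.*` from cupsd_exec_t leaves only the `hp.*` backends labeled in the cups.fc hunks visible here (as hplip_exec_t), so the remaining backends and daemon helpers take whatever label the parent directory gives them, and `can_exec(cupsd_t, cupsd_exec_t)` in cups.te no longer covers them. If the intent is that they run as ordinary library/bin executables via `corecmd_exec_bin(cupsd_t)`, a comment in cups.fc or cups.te saying so would prevent the patterns from being re-added; if not, the two patterns should stay.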
@@ -26,6 +24,11 @@
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
@@ -33,7 +36,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/hplip/[^/]*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -50,3 +53,6 @@
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.5/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cups.te 2008-01-10 16:16:06.000000000 -0500
@@ -43,14 +43,12 @@
type cupsd_var_run_t;
files_pid_file(cupsd_var_run_t)
-mls_trusted_object(cupsd_var_run_t)
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t,hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
+domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
+domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
@@ -71,6 +69,8 @@
ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
+
+ mls_trusted_object(cupsd_var_run_t)
')
########################################
@@ -79,13 +79,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:process { setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
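Review bot: `sys_rawio` is added to cupsd_t's capability set with no comment, while the existing `sys_admin` at least carries `# /usr/lib/cups/backend/serial needs sys_admin(?!)`; raw I/O is a strong capability for a network-facing daemon and the backend that needs it should be named, e.g. `# TODO: name the backend that needs sys_rawio`. The set also lists `dac_override` twice (inherited from the old line); dropping the duplicate keeps the rule readable.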
@@ -104,7 +105,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
@@ -116,13 +117,19 @@
manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+# This whole section needs to be moved to a smbspool policy
+# smbspool seems to be iterating through all existing tmp files.
+# Looking for kerberos files
+files_getattr_all_tmp_files(cupsd_t)
+userdom_read_unpriv_users_tmp_files(cupsd_t)
+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
allow cupsd_t cupsd_var_run_t:dir setattr;
manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
-read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)
-
+allow cupsd_t hplip_t:process sigkill;
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
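Review bot: `userdom_read_unpriv_users_tmp_files(cupsd_t)` and `files_getattr_all_tmp_files(cupsd_t)` let the print daemon read every unprivileged user's temporary files, not only Kerberos credential caches, and turn what was a dontaudit on getattr (removed two hunks later) into an allow. The comment already says this belongs in a separate smbspool policy; until that exists, putting these three lines under a tunable, so sites without Kerberos-authenticated SMB printing do not carry them, would limit the exposure.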
@@ -149,32 +156,35 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
dev_getattr_printer_dev(cupsd_t)
domain_read_all_domains_state(cupsd_t)
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-auth_domtrans_chk_passwd(cupsd_t)
-auth_dontaudit_read_pam_pid(cupsd_t)
-
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)
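Review bot: `corenet_tcp_bind_all_rpc_ports(cupsd_t)` lets cupsd bind any RPC port, which is far wider than the `corenet_tcp_bind_reserved_port` rule it sits next to, and no comment says which service needs it. If a single port is involved, the matching `corenet_tcp_bind_<name>_port` interface (the naming pattern used by `corenet_tcp_connect_smbd_port` in this hunk) would be the narrower choice; otherwise a comment naming the reason should go above the rule. `auth_domtrans_chk_passwd`/`auth_dontaudit_read_pam_pid` are only moved, not removed; they reappear two hunks later.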
@@ -186,7 +196,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
-files_search_var_lib(cupsd_t)
+files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
@@ -195,15 +205,15 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
-# smbspool seems to be iterating through all existing tmp files.
-# redhat bug #214953
-# cjp: this might be a broken behavior
-files_dontaudit_getattr_all_tmp_files(cupsd_t)
selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
init_exec_script_files(cupsd_t)
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
libs_use_ld_so(cupsd_t)
@@ -219,17 +229,22 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
-sysnet_read_config(cupsd_t)
-
+files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_all_users_home_content(cupsd_t)
# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
ifdef(`enable_mls',`
lpd_relabel_spool(cupsd_t)
+
+ mls_trusted_object(cupsd_var_run_t)
+ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)
')
optional_policy(`
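Review bot: The `ifdef(enable_mls)` block here adds `mls_trusted_object(cupsd_var_run_t)` and `init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)`, both of which the `ifdef(enable_mls)` block in the declarations section of this same file already contains (the earlier hunk at L6649). The second copy is at best redundant; if checkpolicy treats the repeated range_transition as conflicting, the MLS build breaks, so the two added lines should be dropped from this hunk. `sysnet_exec_ifconfig(cupsd_t)` replacing `sysnet_read_config` is also unexplained; a comment on why cupsd runs ifconfig would help.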
@@ -242,12 +257,21 @@
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
+ dbus_send_system_bus(cupsd_t)
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
')
optional_policy(`
@@ -263,6 +287,10 @@
')
optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -326,6 +354,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -372,6 +401,10 @@
')
optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -387,6 +420,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
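Review bot: `hal_dontaudit_use_fds(hplip_t)` is placed inside the cupsd_config_t optional_policy block alongside `hal_domtrans(cupsd_config_t)`, so a reader of the hplip_t section will not find it; it belongs in hplip_t's own section. The same holds for `allow cupsd_t hplip_t:process signal;` added in the hplip_t section further down, which also overlaps with `allow cupsd_t hplip_t:process sigkill;` added in the cupsd_t section; the two cupsd_t to hplip_t signal rules could be one rule in one place.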
@@ -499,14 +533,12 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
cups_stream_connect(hplip_t)
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
-read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
-files_search_etc(hplip_t)
+# For CUPS to run as a backend
+allow cupsd_t hplip_t:process signal;
+allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms;
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
@@ -537,14 +569,14 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
# for python
corecmd_exec_bin(hplip_t)
-
domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
@@ -565,6 +597,7 @@
userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
+lpd_manage_spool(hplip_t)
optional_policy(`
seutil_sigchld_newrole(hplip_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.5/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cvs.te 2007-12-19 05:38:09.000000000 -0500
@@ -69,6 +69,7 @@
fs_getattr_xattr_fs(cvs_t)
auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
@@ -86,8 +87,6 @@
miscfiles_read_localization(cvs_t)
-sysnet_read_config(cvs_t)
-
mta_send_mail(cvs_t)
# cjp: typeattribute doesnt work in conditionals yet
@@ -102,11 +101,3 @@
kerberos_read_config(cvs_t)
kerberos_dontaudit_write_config(cvs_t)
')
-
-optional_policy(`
- nis_use_ypbind(cvs_t)
-')
-
-optional_policy(`
- nscd_socket_use(cvs_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.2.5/policy/modules/services/cyphesis.fc
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cyphesis.fc 2008-01-14 13:52:50.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.2.5/policy/modules/services/cyphesis.if
--- nsaserefpolicy/policy/modules/services/cyphesis.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cyphesis.if 2008-01-14 13:52:25.000000000 -0500
@@ -0,0 +1,19 @@
+## <summary>policy for cyphesis</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cyphesis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cyphesis_domtrans',`
+ gen_require(`
+ type cyphesis_t, cyphesis_exec_t;
+ ')
+
+ domtrans_pattern($1,cyphesis_exec_t,cyphesis_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.5/policy/modules/services/cyphesis.te
--- nsaserefpolicy/policy/modules/services/cyphesis.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cyphesis.te 2008-01-14 14:41:56.000000000 -0500
@@ -0,0 +1,97 @@
+policy_module(cyphesis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyphesis_t;
+type cyphesis_exec_t;
+domain_type(cyphesis_t)
+init_daemon_domain(cyphesis_t, cyphesis_exec_t)
+
+type cyphesis_var_run_t;
+files_pid_file(cyphesis_var_run_t)
+
+type cyphesis_log_t;
+logging_file(cyphesis_log_t)
+
+type cyphesis_tmp_t;
+files_tmp_file(cyphesis_tmp_t)
+
+########################################
+#
+# cyphesis local policy
+#
+
+allow cyphesis_t self:process { setfscreate setsched signal };
+allow cyphesis_t self:fifo_file rw_fifo_file_perms;
+allow cyphesis_t self:tcp_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
+allow cyphesis_t self:unix_dgram_socket create_socket_perms;
+allow cyphesis_t self:netlink_route_socket create_netlink_socket_perms;
+
+# DAN> What is cyphesis looking for in /bin?
+corecmd_search_bin(cyphesis_t)
+corecmd_getattr_bin_files(cyphesis_t)
+
+manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
+logging_log_filetrans(cyphesis_t,cyphesis_log_t,file)
+
+# DAN > Does cyphesis really create a sock_file in /tmp? Why?
+allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)
+
+manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
+files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file })
+
+dev_read_urand(cyphesis_t)
+
+files_read_etc_files(cyphesis_t)
+files_read_usr_files(cyphesis_t)
+
+libs_use_ld_so(cyphesis_t)
+libs_use_shared_libs(cyphesis_t)
+
+miscfiles_read_localization(cyphesis_t)
+
+logging_send_syslog_msg(cyphesis_t)
+
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(cyphesis_t)
+corenet_tcp_sendrecv_all_if(cyphesis_t)
+corenet_tcp_sendrecv_all_nodes(cyphesis_t)
+corenet_all_recvfrom_unlabeled(cyphesis_t)
+corenet_tcp_bind_all_nodes(cyphesis_t)
+corenet_tcp_cyphesis_bind(cyphesis_t)
+corenet_tcp_sendrecv_all_ports(cyphesis_t)
+
+# DAN Do you really need this?
+# For communication with the metaserver
+# allow cyphesis_t port_t:udp_socket { recv_msg send_msg };
+
+# Init script handling
+domain_use_interactive_fds(cyphesis_t)
+
+kernel_read_system_state(cyphesis_t)
+kernel_read_kernel_sysctls(cyphesis_t)
+
+# cyphesis wants to talk to avahi via dbus
+optional_policy(`
+
+ dbus_system_bus_client_template(cyphesis_t)
+
+ optional_policy(`
+ avahi_dbus_chat(cyphesis_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(cyphesis_t)
+')
+
+optional_policy(`
+ kerberos_use(cyphesis_t)
+')
+
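Review bot: `dbus_system_bus_client_template(cyphesis_t)` passes one argument, but the template takes a prefix and a domain: cups.te in this same patch calls it as `dbus_system_bus_client_template(cupsd,cupsd_t)` and what appears to be its body in dbus.if uses `$2` as the domain, so here `$2` expands empty and the generated rules will not compile; it should be `dbus_system_bus_client_template(cyphesis, cyphesis_t)`. `files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)` transitions the file class while the only tmp rule granted is `sock_file manage_sock_file_perms`, so the class should be `sock_file` (or a file rule added). `corenet_tcp_cyphesis_bind` does not follow the `corenet_tcp_bind_*_port` naming seen elsewhere in this patch and will only resolve if corenetwork declares it under that name, and the `## Networking basics (adjust to your needs!)` line uses the `##` doc-comment marker where a plain `#` is meant.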
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-14 14:20:38.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
class dbus { send_msg acquire_svc };
+ attribute dbusd_unconfined;
')
##############################
@@ -84,6 +85,9 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+ allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
+
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@@ -91,7 +95,9 @@
# SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t $2:dbus send_msg;
+ allow $2 $2:dbus send_msg;
+ allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -104,8 +110,7 @@
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
allow $2 $1_dbusd_t:process { sigkill signal };
- # cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $2)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
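Review bot: `corecmd_bin_domtrans($1_dbusd_t, $1_t)` hard-codes the user domain as `$1_t`, while the previous hunk in this template replaces `$1_t` with `$2` in the dbus rules; the two hunks pull in opposite directions. If `$2` is always the `$1_t` domain, use `$2` here as well for consistency; if it is not, programs the session bus starts will now run in a domain other than the one that owns the bus, which deserves a comment. The template body continues outside the hunk.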
@@ -161,7 +166,9 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
- userdom_read_user_home_content_files($1, $1_dbusd_t)
+ userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t)
+ userdom_read_unpriv_users_home_content_files($1_dbusd_t)
+ userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
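Review bot: `userdom_read_unpriv_users_home_content_files($1_dbusd_t)` lets each user's session bus daemon read the home content of every unprivileged user, where the replaced `userdom_read_user_home_content_files($1, $1_dbusd_t)` limited it to the owning user's type. Since the template still has the `$1` prefix, the per-user form remains available; if the widening is needed because the daemon serves users whose home type is not `$1`-derived, a comment saying so would justify it. The `dontaudit_append` addition suggests writes are being attempted too, which may be worth investigating rather than silencing.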
@@ -182,6 +189,7 @@
optional_policy(`
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
+ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
')
')
@@ -214,7 +222,7 @@
# SE-DBus specific permissions
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
- allow $2 { system_dbusd_t self }:dbus send_msg;
+ allow $2 { system_dbusd_t $2 }:dbus send_msg;
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
@@ -223,6 +231,10 @@
files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
dbus_read_config($2)
+
+ optional_policy(`
+ rpm_script_dbus_chat($2)
+ ')
')
#######################################
@@ -251,6 +263,7 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
+ attribute dbusd_unconfined;
class dbus send_msg;
')
@@ -263,6 +276,7 @@
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
+ allow dbusd_unconfined $1_dbusd_t:dbus *;
')
########################################
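Review bot: `allow dbusd_unconfined $1_dbusd_t:dbus *;` grants the whole dbus class, whereas the per-role template earlier in this file gives the same attribute `{ send_msg acquire_svc }` on the bus, and `class dbus { send_msg acquire_svc }` is all that template requires. Use `allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };` so the two templates agree and the grant stays explicit.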
@@ -292,6 +306,59 @@
########################################
## <summary>
+## connectto a message on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`dbus_connectto_user_bus',`
+ gen_require(`
+ type $1_dbusd_t;
+ ')
+
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Chat on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`dbus_chat_user_bus',`
+ gen_require(`
+ type $1_t;
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_dbusd_t:dbus send_msg;
+ allow $1_dbusd_t $2:dbus send_msg;
+ allow $2 $1_t:dbus send_msg;
+ allow $1_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
## Read dbus configuration.
## </summary>
## <param name="domain">
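Review bot: The summary of `dbus_connectto_user_bus` reads `connectto a message on user/application specific DBUS.`, which does not describe what the interface does (it grants `unix_stream_socket connectto` to the bus daemon); suggest `## Connect to the user/application specific DBUS daemon socket.` The `dbus_chat_user_bus` summary also undersells its effect: besides the bus daemon it grants bidirectional `send_msg` with `$1_t` itself on the last two allow lines, which the doc should mention so callers understand they get a direct channel to the user domain, not only to the bus.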
@@ -366,3 +433,53 @@
allow $1 system_dbusd_t:dbus *;
')
+
+########################################
+## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by the system dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1,$2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t,$2,$1)
+
+')
+
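Review bot: `dbus_system_domain` leaves a stray blank line between the `domtrans_pattern` call and the closing `')`, and its summary has no terminating period, unlike the neighbouring doc blocks; drop the blank line and write `## which can be started by the system dbus.` The doc block should also say that the new domain is placed in `system_r` (the `role system_r types $1;` line), since that is a visible side effect a caller of the interface needs to know about.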
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.5/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.te 2007-12-21 02:47:39.000000000 -0500
@@ -9,6 +9,7 @@
#
# Delcarations
#
+attribute dbusd_unconfined;
type dbusd_etc_t alias etc_dbusd_t;
files_type(dbusd_etc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.5/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/dcc.if 2007-12-19 05:38:09.000000000 -0500
@@ -72,6 +72,24 @@
########################################
## <summary>
+## Send a signal to the dcc_client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
## Execute dcc_client in the dcc_client domain, and
## allow the specified role the dcc_client domain.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.5/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2008-01-04 09:52:10.000000000 -0500
@@ -124,7 +124,7 @@
# dcc procmail interface local policy
#
-allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:capability { setgid setuid };
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;
@@ -148,6 +148,10 @@
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
+kernel_read_system_state(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)
@@ -155,11 +159,8 @@
miscfiles_read_localization(dcc_client_t)
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
-
optional_policy(`
- nscd_socket_use(dcc_client_t)
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
')
########################################
@@ -275,9 +276,7 @@
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
-optional_policy(`
- nscd_socket_use(dccd_t)
-')
+auth_use_nsswitch(dccd_t)
optional_policy(`
seutil_sigchld_newrole(dccd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.5/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dictd.fc 2007-12-19 05:38:09.000000000 -0500
@@ -4,3 +4,4 @@
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.5/policy/modules/services/dictd.te
--- nsaserefpolicy/policy/modules/services/dictd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dictd.te 2007-12-19 05:38:09.000000000 -0500
@@ -16,6 +16,9 @@
type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t)
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
########################################
#
# Local policy
@@ -34,6 +37,9 @@
allow dictd_t dictd_var_lib_t:dir list_dir_perms;
allow dictd_t dictd_var_lib_t:file read_file_perms;
+manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t)
+files_pid_filetrans(dictd_t,dictd_var_run_t,file)
+
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.5/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dnsmasq.te 2007-12-19 05:38:09.000000000 -0500
@@ -94,3 +94,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+')
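Review bot: `virt_manage_lib_files(dnsmasq_t)` grants create/write/delete over the whole virt lib file type with no comment explaining which files dnsmasq writes there; if only lease or hosts files need updating, a read/write interface would be narrower than manage, and either way a why-comment is warranted. Suggested: `# TODO(review): state which virt lib files dnsmasq must manage (presumably lease files when started by libvirt)`.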
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.5/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dovecot.fc 2007-12-19 05:38:09.000000000 -0500
@@ -17,19 +17,24 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
#
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
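Review bot: `/var/run/dovecot/login/ssl-parameters.dat` is labelled `dovecot_var_lib_t` inside a tree that the preceding line labels `dovecot_var_run_t`, and nothing explains the exception; a reader will assume it is a copy-paste error. A one-line comment above it would prevent it being "fixed", e.g. `# presumably a copy of /var/lib/dovecot/ssl-parameters.dat in the login chroot; keep it readable as var_lib` (the reason is inferred, please confirm).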
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.5/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dovecot.if 2007-12-19 05:38:09.000000000 -0500
@@ -18,3 +18,43 @@
manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
')
+
+########################################
+## <summary>
+## Connect to dovecot auth unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_auth_stream_connect',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ allow $1 dovecot_var_run_t:dir search;
+ allow $1 dovecot_var_run_t:sock_file write;
+ allow $1 dovecot_auth_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Execute dovecot_deliver in the dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
+')
+
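Review bot: `dovecot_auth_stream_connect` spells out the dir search, sock_file write and connectto by hand, while this same patch uses the `stream_connect_pattern(...)` idiom for the equivalent grant on the dbus socket; the three allow lines could be `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`. The `<rolecap/>` tag on this interface also looks misplaced, as it marks role capabilities rather than a daemon-to-daemon socket connect used by `dovecot_deliver_t` in dovecot.te; `dovecot_domtrans_deliver` below correctly has none.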
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.5/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dovecot.te 2007-12-19 05:38:09.000000000 -0500
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t,dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
@@ -31,6 +37,9 @@
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@@ -46,7 +55,6 @@
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
@@ -98,7 +106,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -139,25 +147,34 @@
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl connectto };
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+dovecot_auth_stream_connect(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
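Review bot: The added `# log files` rules and `files_read_var_symlinks(dovecot_t)` grant to `dovecot_t`, but they sit under the `# dovecot auth local policy` header among `dovecot_auth_t` rules, which makes the auth domain's privileges harder to audit; they belong in the `dovecot_t` section earlier in the file. Separately, `dac_override` is added to `dovecot_auth_t`'s capabilities without a comment; as the capability bypasses file DAC it deserves a one-line justification such as `# dac_override: TODO(review) name the file(s) dovecot-auth must open regardless of mode`.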
@@ -166,6 +183,7 @@
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -184,5 +202,49 @@
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
+
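Review bot: `allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;` grants file reads but nothing searches `dovecot_etc_t` directories, so the rule may be unusable unless the config lives directly in a directory of another type (cannot tell from here); the patch elsewhere uses `read_files_pattern(...)`, which adds the dir search, so `read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)` would be both consistent and complete. The section header is also missing the blank line that other `# ... local policy` headers in this file have after the comment block, a minor style nit.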
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.5/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2007-10-24 15:00:24.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/exim.if 2007-12-19 05:38:09.000000000 -0500
@@ -117,6 +117,27 @@
########################################
## <summary>
+## Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+
+########################################
+## <summary>
## Read exim spool files.
## </summary>
## <param name="domain">
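Review bot: The summary of `exim_manage_log` says "Allow the specified domain to read exim's log files", but the body grants `manage_files_pattern`, i.e. create, write and delete as well; the doc should say `## Create, read, write, and delete exim's log files.` so a caller does not grant write access believing it is read-only. The `<rolecap/>` tag is questionable for an interface that manages a daemon's logs, and there is a doubled blank line before the next separator.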
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.5/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/exim.te 2007-12-19 05:38:09.000000000 -0500
@@ -21,9 +21,20 @@
## </desc>
gen_tunable(exim_manage_user_files,false)
+## <desc>
+## <p>
+## Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db,false)
+
type exim_t;
type exim_exec_t;
init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_mailclient(exim_exec_t)
type exim_log_t;
logging_log_file(exim_log_t)
@@ -37,15 +48,20 @@
type exim_var_run_t;
files_pid_file(exim_var_run_t)
+type exim_script_exec_t;
+init_script_type(exim_script_exec_t)
+
########################################
#
# exim local policy
#
-allow exim_t self:capability { dac_override dac_read_search setuid setgid };
-allow exim_t self:fifo_file rw_fifo_file_perms;
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
can_exec(exim_t,exim_exec_t)
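Review bot: `allow exim_t self:fifo_file rw_file_perms;` swaps the class-specific macro the original line used for the generic file one; `rw_fifo_file_perms` exists precisely for the `fifo_file` class, so the change should be reverted to `allow exim_t self:fifo_file rw_fifo_file_perms;` unless a permission missing from that set is actually needed (then name it). The capability line grows by `chown fowner sys_resource` and `setrlimit` is added on the process class without a comment; each of these widens what a compromised exim can do and should carry a one-line reason.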
@@ -66,22 +82,39 @@
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+kernel_read_network_state(exim_t)
corecmd_search_bin(exim_t)
corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_udp_sendrecv_all_if(exim_t)
+corenet_udp_sendrecv_all_nodes(exim_t)
corenet_tcp_sendrecv_all_if(exim_t)
corenet_tcp_sendrecv_all_nodes(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
corenet_tcp_bind_all_nodes(exim_t)
corenet_tcp_bind_smtp_port(exim_t)
corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_sendrecv_smtp_port(exim_t)
+corenet_sendrecv_smtp_server_packets(exim_t)
+corenet_sendrecv_all_client_packets(exim_t)
+
corenet_tcp_connect_auth_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
+corenet_tcp_sendrecv_auth_port(exim_t)
+
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+corenet_tcp_sendrecv_spamd_port(exim_t)
# Init script handling
domain_use_interactive_fds(exim_t)
+files_search_usr(exim_t)
+files_search_var(exim_t)
files_read_etc_files(exim_t)
auth_use_nsswitch(exim_t)
@@ -92,14 +125,14 @@
logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
-sysnet_dns_name_resolve(exim_t)
-
-userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+fs_getattr_xattr_fs(exim_t)
mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
tunable_policy(`exim_read_user_files',`
userdom_read_unpriv_users_home_content_files(exim_t)
@@ -111,3 +144,71 @@
userdom_read_unpriv_users_tmp_files(exim_t)
userdom_write_unpriv_users_tmp_files(exim_t)
')
+
+# TLS sessions need entropy
+dev_read_urand(exim_t)
+dev_read_rand(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_tcp_connect_mysqld_port(exim_t)
+ corenet_sendrecv_mysqld_client_packets(exim_t)
+ corenet_tcp_connect_postgresql_port(exim_t)
+ corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+## receipt & validation
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
+')
+
+# Debian uses a template based config generator which generates config
+# files under /var
+ifdef(`distro_debian',`
+ type exim_var_lib_t;
+ files_config_file(exim_var_lib_t)
+ exim_read_lib(exim_t)
+
+ type exim_lib_update_t;
+ type exim_lib_update_exec_t;
+ init_domain(exim_lib_update_t, exim_lib_update_exec_t)
+ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
+ exim_read_lib(exim_lib_update_t)
+ exim_manage_var_lib(exim_lib_update_t)
+')
+
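Review bot: `## receipt & validation` uses the `##` prefix that refpolicy reserves for XML documentation blocks (tunable `<desc>` and interface docs), so a plain section comment should be `# receipt & validation` to keep it out of the generated documentation. The `distro_debian` block calls `exim_read_lib` and `exim_manage_var_lib`, neither of which appears in the exim.if hunk of this patch; they must be defined elsewhere or the module will not build, which is worth confirming.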
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-01-08 13:32:00.000000000 -0500
@@ -1,3 +1,4 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.5/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/ftp.if 2007-12-19 05:38:09.000000000 -0500
@@ -28,11 +28,13 @@
type ftpd_t;
')
- userdom_manage_user_home_content_files($1,ftpd_t)
- userdom_manage_user_home_content_symlinks($1,ftpd_t)
- userdom_manage_user_home_content_sockets($1,ftpd_t)
- userdom_manage_user_home_content_pipes($1,ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ tunable_policy(`ftp_home_dir',`
+ userdom_manage_user_home_content_files($1,ftpd_t)
+ userdom_manage_user_home_content_symlinks($1,ftpd_t)
+ userdom_manage_user_home_content_sockets($1,ftpd_t)
+ userdom_manage_user_home_content_pipes($1,ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.5/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ftp.te 2007-12-19 05:38:09.000000000 -0500
@@ -106,9 +106,10 @@
manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
@@ -123,6 +124,7 @@
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
@@ -169,7 +171,9 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
+logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
@@ -218,6 +222,11 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
+ auth_manage_all_files_except_shadow(ftpd_t)
+
+ auth_read_all_dirs_except_shadow(ftpd_t)
+ auth_read_all_files_except_shadow(ftpd_t)
+ auth_read_all_symlinks_except_shadow(ftpd_t)
')
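Review bot: `auth_manage_all_files_except_shadow(ftpd_t)` grants ftpd write and delete over essentially every file on the system inside a tunable whose name is outside this hunk, and it already subsumes the three `auth_read_all_*_except_shadow` calls added right after it; either the read-only trio is what was intended and the manage line should go, or manage is intended and the read lines are redundant. Whichever it is, a comment naming the use case belongs above the block, e.g. `# TODO(review): full filesystem write for anonymous/local ftp is far wider than the home-content rules above — justify or narrow`. The enclosing `tunable_policy` block starts outside the hunk.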
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -253,7 +262,10 @@
')
optional_policy(`
+ kerberos_use(ftpd_t)
kerberos_read_keytab(ftpd_t)
+ kerberos_manage_host_rcache(ftpd_t)
+ selinux_validate_context(ftpd_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.5/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/hal.fc 2007-12-19 05:38:09.000000000 -0500
@@ -8,6 +8,7 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -16,10 +17,11 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
-
+/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.2.5/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2007-09-05 15:24:44.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/hal.if 2007-12-19 05:38:09.000000000 -0500
@@ -302,3 +302,42 @@
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to hal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
+##f Read hal system state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`hal_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+ kernel_search_proc($1)
+ allow $1 hald_t:dir list_dir_perms;
+ read_files_pattern($1,hald_t,hald_t)
+ read_lnk_files_pattern($1,hald_t,hald_t)
+ dontaudit $1 hald_t:process ptrace;
+')
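Review bot: The doc for `hal_getattr` says "Send a SIGCHLD signal to hal" while the body grants `process getattr` only, and `hal_read_state`'s summary line is `##f Read hal system state`, where the stray `f` breaks the `## ` documentation prefix; its param is described as "Domain to not audit" although the interface is an allow, with only the final `ptrace` line being a dontaudit. Suggested: `## Get the attributes of the hal process.`, `## Read hal system state.` and `## Domain allowed access.`, and a blank line after the `gen_require` block in `hal_read_state` to match the surrounding interfaces.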
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/hal.te 2008-01-08 09:48:17.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
########################################
#
# Local policy
@@ -70,7 +73,7 @@
manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
# log files for hald
-allow hald_t hald_log_t:file manage_file_perms;
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
logging_log_filetrans(hald_t,hald_log_t,file)
manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
@@ -93,6 +96,7 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
+kernel_setsched(hald_t)
auth_read_pam_console_data(hald_t)
@@ -155,6 +159,8 @@
selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t)
+dev_read_raw_memory(hald_t)
+
storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
@@ -265,6 +271,11 @@
')
optional_policy(`
+ polkit_domtrans_auth(hald_t)
+ polkit_read_lib(hald_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(hald_t)
')
@@ -291,6 +302,7 @@
#
allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file read_fifo_file_perms;
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
@@ -325,6 +337,11 @@
miscfiles_read_localization(hald_acl_t)
+optional_policy(`
+ polkit_domtrans_auth(hald_acl_t)
+ polkit_read_lib(hald_acl_t)
+')
+
########################################
#
# Local hald mac policy
@@ -338,10 +355,14 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
+dev_read_raw_memory(hald_mac_t)
dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
+kernel_read_system_state(hald_mac_t)
+
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
@@ -391,3 +412,7 @@
libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
+
+# This is caused by a bug in hald and PolicyKit.
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
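Review bot: `cron_read_system_job_lib_files(hald_t)` is placed after the `hald_keymap_t` section and outside any `optional_policy` block, so the hal module now hard-depends on the cron module and the rule is easy to miss when auditing `hald_t`'s privileges. Wrap it as `optional_policy(\` cron_read_system_job_lib_files(hald_t) ')` in the hald_t section, and since the comment marks it as a temporary workaround, reference the tracking bug (`# see <BUG-ID placeholder>`) so it can actually be removed when fixed.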
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inetd.te 2007-12-19 05:38:09.000000000 -0500
@@ -30,6 +30,10 @@
type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
########################################
#
# Local policy
@@ -84,6 +88,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rlogind_port(inetd_t)
@@ -137,6 +142,7 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -164,6 +170,7 @@
')
optional_policy(`
+ unconfined_domain(inetd_t)
unconfined_domtrans(inetd_t)
')
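Review bot: `unconfined_domain(inetd_t)` makes inetd itself unconfined whenever the unconfined module is loaded, which silently supersedes the MLS override grants and the per-port bind rules elsewhere in this file (including the `corenet_tcp_bind_ircd_port` and `mls_fd_use_all_levels` additions in earlier hunks of this patch). If that is intended, a why-comment should say so, e.g. `# inetd runs unconfined when the unconfined module is present; the rules above only matter without it`, so reviewers do not keep adding fine-grained rules that are moot in the common configuration.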
@@ -180,6 +187,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
@@ -226,3 +236,7 @@
optional_policy(`
unconfined_domain(inetd_child_t)
')
+
+optional_policy(`
+ inetd_service_domain(inetd_child_t,bin_t)
+')
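Review bot: `inetd_service_domain(inetd_child_t,bin_t)` references `bin_t` directly from the .te file; unless the interface's own `gen_require` covers its second argument, the type must be required here or the module will fail to link. Also, if `inetd_service_domain` sets up a domain transition on its second argument (cannot tell from here), passing `bin_t` means executing any generic binary from inetd lands in `inetd_child_t`, which is a broad entry point worth a comment naming the services that rely on it.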
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500
@@ -22,7 +22,7 @@
files_pid_file(innd_var_run_t)
type news_spool_t;
-files_type(news_spool_t)
+files_mountpoint(news_spool_t)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500
@@ -16,3 +16,4 @@
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.if 2007-12-19 05:38:09.000000000 -0500
@@ -43,7 +43,13 @@
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ seutil_dontaudit_read_file_contexts($1)
+
tunable_policy(`allow_kerberos',`
+ fs_rw_tmpfs_files($1)
+
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
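Review bot: `fs_rw_tmpfs_files($1)` gives every kerberos-using domain read/write access to all tmpfs-labelled files, which is considerably wider than the kerberos-specific grants around it, and it is the only new rule in this hunk without a comment. State what the library needs from tmpfs, e.g. `# TODO(review): which tmpfs files does libkrb5 open here? narrow to that type if possible`. The `dontaudit $1 self:process setfscreate;` is fine but interacts with `kerberos_manage_host_rcache`, which allows the same permission; that is worth a cross-reference in the comment.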
@@ -61,11 +67,7 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
-
- sysnet_read_config($1)
- sysnet_dns_name_resolve($1)
')
-
optional_policy(`
tunable_policy(`allow_kerberos',`
pcscd_stream_connect($1)
@@ -172,3 +174,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ tunable_policy(`allow_kerberos',`
+ files_search_tmp($1)
+ allow $1 self:process setfscreate;
+ selinux_validate_context($1)
+ seutil_read_file_contexts($1)
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ ')
+ # creates files as system_u no matter what the selinux user
+ domain_obj_id_change_exemption($1)
+')
+
+########################################
+## <summary>
+## Connect to krb524 service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_524_connect',`
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:udp_socket create_socket_perms;
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_udp_sendrecv_all_if($1)
+ corenet_udp_sendrecv_all_nodes($1)
+ corenet_udp_sendrecv_kerberos_master_port($1)
+ corenet_udp_bind_all_nodes($1)
+ ')
+')
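Review bot: The summary of kerberos_manage_host_rcache is copied from the kdc-config interface above it ("Read the kerberos kdc configuration file (/etc/krb5kdc.conf)") and does not describe what the body grants; replace it with `## Create, read, write, and delete the Kerberos host replay cache files (krb5_host_rcache_t) in /var/tmp.` `domain_obj_id_change_exemption($1)` sits outside the tunable_policy block and is therefore granted regardless of allow_kerberos, presumably because a typeattribute cannot be made conditional, so the existing comment should say that, e.g. `# unconditional: typeattribute cannot go inside tunable_policy`. kerberos_524_connect would also benefit from a line noting that it covers only the UDP krb524 exchange on the kerberos master port.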
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.te 2007-12-19 05:38:09.000000000 -0500
@@ -54,6 +54,9 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
########################################
#
# kadmind local policy
@@ -62,7 +65,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process signal_perms;
+allow kadmind_t self:process { setfscreate signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
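Review bot: The new `setfscreate` permission for kadmind_t (and the matching one for krb5kdc_t later in this file) lets the daemon choose the label of files it creates, and unlike kerberos_manage_host_rcache in kerberos.if it is not paired with selinux_validate_context or with any rule naming the type it may create; the reason is not recorded here. A one-line comment in the style of the one added to kerberos.if would help, e.g. `# libkrb5 sets the file creation context for its replay cache`. If the library validates the context before using it, the missing selinux_validate_context will surface as a denial, which is worth confirming on a live KDC.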
@@ -91,6 +94,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
+kernel_read_system_state(kadmind_t)
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
@@ -118,6 +122,9 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
@@ -127,6 +134,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
+sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
@@ -137,6 +145,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
+ seutil_read_file_contexts(kadmind_t)
')
optional_policy(`
@@ -151,7 +160,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { setsched getsched signal_perms };
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
@@ -223,6 +232,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
+sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
@@ -233,6 +243,7 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
+ seutil_read_file_contexts(krb5kdc_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500
@@ -336,10 +336,8 @@
')
files_search_spool($1)
+ manage_dirs_pattern($1,print_spool_t,print_spool_t)
manage_files_pattern($1,print_spool_t,print_spool_t)
-
- # cjp: cups wants setattr
- allow $1 print_spool_t:dir setattr;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500
@@ -211,6 +211,7 @@
type mailman_data_t;
')
+ manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
manage_files_pattern($1,mailman_data_t,mailman_data_t)
')
@@ -252,6 +253,25 @@
#######################################
## <summary>
+## read
+## mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1,mailman_log_t,mailman_log_t)
+')
+
+#######################################
+## <summary>
## Append to mailman logs.
## </summary>
## <param name="domain">
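Review bot: mailman_read_log grants read_files_pattern on mailman_log_t but no search permission on the directory hierarchy above it, so a caller that does not already have search on the log tree cannot reach the files; the existing append interface below this hunk is out of view, so I cannot tell whether it sets a precedent. Assuming mailman_log_t lives under /var/log as most log types do, add `logging_search_logs($1)` before the read_files_pattern line (files_search_var_lib if it is under /var/lib/mailman instead). The summary is also split across two lines for no reason and should read `## Read mailman logs.`.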
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
- optional_policy(`
- nscd_socket_use(mailman_cgi_t)
- ')
')
########################################
@@ -65,6 +64,10 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:capability { setuid setgid };
+
+files_search_spool(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
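Review bot: `allow mailman_mail_t initrc_t:process signal;` names initrc_t directly in a .te file that does not declare it; reference policy brings types from other modules in only through that module's interfaces, so this should be `init_signal_script(mailman_mail_t)` (or whichever init.if interface this tree provides), and as far as I can tell a bare reference will not resolve in a modular build unless both modules end up in base. The new `setuid setgid` capabilities and the signal to init scripts are both unexplained; a short comment on why a mail delivery agent needs to signal init scripts would help the next maintainer.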
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.5/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.5/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
+########################################
+## <summary>
+## Search mailscanner spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailscanner_search_spool',`
+ gen_require(`
+ type mailscanner_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mailscanner_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## read mailscanner spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailscanner_read_spool',`
+ gen_require(`
+ type mailscanner_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mailscanner spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailscanner_manage_spool',`
+ gen_require(`
+ type mailscanner_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
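Review bot: mailscanner_manage_spool grants manage_files_pattern only, yet mailscanner.fc labels the whole /var/spool/MailScanner tree, which will contain subdirectories a scanner or MTA domain has to create and remove; elsewhere in this patch (lpd.if, mailman.if) the manage interfaces add `manage_dirs_pattern($1,mailscanner_spool_t,mailscanner_spool_t)` beside manage_files_pattern, and this one should too. For the same reason mailscanner_read_spool may want `allow $1 mailscanner_spool_t:dir list_dir_perms;` rather than relying on the bare search that read_files_pattern gives. The module summary could also state that this module only labels the spool and defines no domain.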
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.5/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.te 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-11 14:28:39.000000000 -0500
@@ -133,6 +133,12 @@
sendmail_create_log($1_mail_t)
')
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
')
#######################################
@@ -219,6 +225,11 @@
fs_manage_cifs_symlinks($1_mail_t)
')
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_mail_t)
+ fs_manage_nfs_symlinks($1_mail_t)
+ ')
+
optional_policy(`
allow $1_mail_t self:capability dac_override;
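Review bot: The new use_nfs_home_dirs block grants fs_manage_nfs_files and fs_manage_nfs_symlinks but not fs_manage_nfs_dirs, whereas the mailserver_delivery block this same patch adds in mta.te grants dirs, files and symlinks for the same tunable; delivery into a maildir-style mailbox has to create directories, so the two should match unless $1_mail_t is known to write mbox files only. Adding `fs_manage_nfs_dirs($1_mail_t)` as the first line of the block would make them consistent. The enclosing template starts outside this hunk, so I cannot see whether the cifs block above already carries the dirs variant.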
@@ -305,6 +316,42 @@
########################################
## <summary>
+## Make the specified type usable for a mta_send_mail.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_mailclient',`
+ gen_require(`
+ attribute mailclient_exec_type;
+ ')
+
+ typeattribute $1 mailclient_exec_type;
+')
+
+########################################
+## <summary>
+## Make the specified type readable for a system_mail_t
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_mailcontent',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
## Modified mailserver interface for
## sendmail daemon use.
## </summary>
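Review bot: The parameter description of mta_mailcontent is copied from mta_mailclient ("Type to be used as a mail client.") and is wrong for an attribute that marks readable content; change it to `## Type whose files system_mail_t may read as mail content.` and make the summary say what is granted: `## Allow system_mail_t to read files of the specified type (mailcontent_type).` A sentence in mta_mailclient's summary noting that every type given mailclient_exec_type becomes an entrypoint into system_mail_t would also help, since that is the consequence of the attribute in mta_send_mail.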
@@ -383,11 +430,13 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
+ append_files_pattern($1,mail_spool_t,mail_spool_t)
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
optional_policy(`
dovecot_manage_spool($1)
+ dovecot_domtrans_deliver($1)
')
optional_policy(`
@@ -422,6 +471,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
+ apache_append_log($1)
')
')
@@ -438,20 +488,18 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
- type system_mail_t, sendmail_exec_t;
+ type system_mail_t;
+ attribute mailclient_exec_type;
')
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
- domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
- allow $1 system_mail_t:fd use;
- allow system_mail_t $1:fd use;
- allow system_mail_t $1:fifo_file rw_file_perms;
- allow system_mail_t $1:process sigchld;
+ allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
+ domtrans_pattern($1, mailclient_exec_type, system_mail_t)
+ allow system_mail_t mailclient_exec_type:file entrypoint;
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file { read write };
+
')
########################################
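Review bot: `allow system_mail_t mailclient_exec_type:file entrypoint;` duplicates what `domtrans_pattern` already provides, since reference policy's domain_transition_pattern grants `$3 $2:file entrypoint` itself, so the line can be dropped unless this tree's pattern differs. Because the attribute now decides which executables may enter system_mail_t, a comment on the domtrans line is worth having, e.g. `# any type given mta_mailclient() is an entrypoint into system_mail_t`. The stray blank line added before the closing `')` should go.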
@@ -586,6 +634,25 @@
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
+########################################
+## <summary>
+## manage mail aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file manage_file_perms;
+')
#######################################
## <summary>
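Review bot: mta_manage_aliases grants manage_file_perms on etc_aliases_t, but a caller that creates a new aliases file (or aliases.db) in /etc gets the etc_t default label unless a transition is provided; the usual pairing is `files_etc_filetrans($1, etc_aliases_t, file)` after the allow, so either add it or document that callers only rewrite existing files. The hunk also glues the new interface directly onto the closing `')` of mta_rw_aliases; insert a blank line before the `####` banner to match the rest of the file.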
@@ -837,6 +904,25 @@
########################################
## <summary>
+## read mail queue files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mail queue files.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
+attribute mailcontent_type;
+attribute mailclient_exec_type;
attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
@@ -27,6 +29,7 @@
type sendmail_exec_t;
application_executable_file(sendmail_exec_t)
+mta_mailclient(sendmail_exec_t)
mta_base_mail_template(system)
role system_r types system_mail_t;
@@ -40,27 +43,40 @@
allow system_mail_t self:capability { dac_override };
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
init_use_script_ptys(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+userdom_dontaudit_search_all_users_home_content(system_mail_t)
+
+optional_policy(`
+ apcupsd_read_tmp_files(system_mail_t)
+')
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+ apache_search_bugzilla_dirs(system_mail_t)
# apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
')
optional_policy(`
@@ -73,6 +89,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
+ cron_read_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
')
@@ -81,6 +98,11 @@
')
optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
logrotate_read_tmp_files(system_mail_t)
')
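Review bot: `exim_manage_log(system_mail_t)` gives the generic mail-client domain create/delete rights over exim's logs, while the per-user $1_mail_t template this same patch extends in mta.if uses `exim_read_log` plus `exim_append_log`; unless the sendmail wrapper running as system_mail_t really rotates or truncates logs, the narrower pair should be used here too, i.e. `exim_read_log(system_mail_t)` and `exim_append_log(system_mail_t)`. The domtrans to exim is expected for an exim-provided sendmail binary and needs no change.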
@@ -136,11 +158,30 @@
')
optional_policy(`
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
-# should break this up among sections:
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mailserver_delivery)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mailserver_delivery)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
+')
+# should break this up among sections:
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
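Review bot: `clamav_stream_connect(sendmail_t)` is the only new line in this run that targets sendmail_t rather than system_mail_t; sendmail_t is declared by the sendmail module, not here, and nothing in the optional_policy block requires it, so this looks like a typo for `clamav_stream_connect(system_mail_t)`. If it really is meant for the sendmail daemon it belongs in sendmail.te. The NFS and CIFS tunable blocks for mailserver_delivery look right and are consistent with each other.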
@@ -154,3 +195,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500
@@ -6,6 +6,7 @@
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500
@@ -37,14 +37,18 @@
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(munin_t, munin_exec_t)
allow munin_t munin_etc_t:dir list_dir_perms;
read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
files_search_etc(munin_t)
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t,munin_log_t,file)
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t,munin_log_t,{ file dir })
manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
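Review bot: `allow munin_t self:fifo_file manage_fifo_file_perms;` grants create/unlink/rename on self-labelled fifo_files, which for the anonymous pipes a process holds on itself amounts to nothing beyond read/write; the idiom used throughout this tree (NetworkManager_t and mysqld_t in this same patch) is `allow munin_t self:fifo_file rw_fifo_file_perms;`. The new `can_exec(munin_t, munin_exec_t)` is presumably for the plugins under /usr/share/munin/plugins, which munin.fc labels munin_exec_t; a comment such as `# run the plugins, which are labelled munin_exec_t` would make the line self-explanatory.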
@@ -73,6 +77,7 @@
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
dev_read_sysfs(munin_t)
dev_read_urand(munin_t)
@@ -91,6 +96,7 @@
logging_send_syslog_msg(munin_t)
+miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
sysnet_read_config(munin_t)
@@ -118,3 +124,9 @@
optional_policy(`
udev_read_db(munin_t)
')
+
+#============= http munin policy ==============
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.5/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.fc 2007-12-19 05:38:09.000000000 -0500
@@ -22,3 +22,5 @@
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.5/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.if 2007-12-19 05:38:09.000000000 -0500
@@ -157,3 +157,79 @@
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
')
+
+########################################
+## <summary>
+## Execute mysql server in the mysqld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mysql_script_domtrans',`
+ gen_require(`
+ type mysqld_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,mysqld_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the mysql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the mysql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+
+ gen_require(`
+ type mysqld_t;
+ type mysqld_var_run_t;
+ type mysqld_tmp_t;
+ type mysqld_db_t;
+ type mysqld_etc_t;
+ type mysqld_log_t;
+ type mysqld_script_exec_t;
+ ')
+
+ allow $1 mysqld_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, mysqld_t, mysqld_t)
+
+ # Allow $1 to restart the apache service
+ mysql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 mysqld_script_exec_t system_r;
+ allow $2 system_r;
+
+ manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+ manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+
+ manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
+ manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
+
+ manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
+ manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
+
+ manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
+ manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
+
+ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+')
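Review bot: In mysql_admin the comment `# Allow $1 to restart the apache service` is copied from the apache module and should read `# Allow $1 to restart the mysql service`; the `terminal` parameter is documented as `$3` but never used in the body, so either drop that param block or use it as the other admin interfaces do. `allow $1 mysqld_t:process { ptrace signal_perms getattr }` also gives the admin role read access to the daemon's memory via ptrace, which is normal for these interfaces but worth a word in the summary since the database may hold credentials.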
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 16:45:48.000000000 -0500
@@ -1,4 +1,3 @@
-
policy_module(mysql,1.6.0)
########################################
@@ -25,6 +24,9 @@
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
+type mysqld_script_exec_t;
+init_script_type(mysqld_script_exec_t)
+
########################################
#
# Local policy
@@ -33,7 +35,8 @@
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
-allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500
@@ -4,13 +4,15 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.5/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.if 2007-12-19 05:38:09.000000000 -0500
@@ -44,25 +44,6 @@
########################################
## <summary>
-## Execute the nagios CGI with
-## a domain transition.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nagios_domtrans_cgi',`
- gen_require(`
- type nagios_cgi_t, nagios_cgi_exec_t;
- ')
-
- domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t)
-')
-
-########################################
-## <summary>
## Execute the nagios NRPE with
## a domain transition.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.5/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.te 2007-12-19 05:38:09.000000000 -0500
@@ -8,11 +8,7 @@
type nagios_t;
type nagios_exec_t;
-init_daemon_domain(nagios_t, nagios_exec_t)
-
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
+init_daemon_domain(nagios_t,nagios_exec_t)
type nagios_etc_t;
files_config_file(nagios_etc_t)
@@ -26,9 +22,12 @@
type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
type nrpe_t;
type nrpe_exec_t;
-init_daemon_domain(nrpe_t, nrpe_exec_t)
+init_daemon_domain(nrpe_t,nrpe_exec_t)
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
@@ -60,6 +59,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
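Review bot: `rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` lets the daemon use an existing FIFO under /var/spool/nagios but gives no way to reach it, since the pattern grants search on nagios_spool_t directories only; `files_search_spool(nagios_t)` is needed unless nagios_t already has it outside this hunk. If nagios creates its external-command FIFO itself at startup, as its default configuration suggests, it additionally needs `manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` and directory management on the spool; I cannot confirm from the hunk which case applies.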
@@ -130,42 +131,31 @@
#
# Nagios CGI local policy
#
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+allow httpd_nagios_script_t self:process signal_perms;
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
-corecmd_exec_bin(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
- apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
########################################
#
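Review bot: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the lnk_file line after it pair a nagios_etc_t directory with nagios_log_t files, which matches nothing on disk because the log files live in nagios_log_t directories; the mistake was already in the nagios_cgi_t rules being replaced and survives the rename, so these two lines should be `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`. The rewrite also drops `logging_search_logs` and `files_read_etc_files`; apache_content_template presumably supplies some of what was removed, but search on /var/log is not obviously among it, so the CGI may still be unable to reach the logs.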
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500
@@ -1,7 +1,9 @@
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500
@@ -97,3 +97,21 @@
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500
@@ -13,6 +13,9 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
########################################
#
# Local policy
@@ -20,7 +23,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
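Review bot: The capability line silently drops `net_bind_service` while adding `chown` and `fsetid`, and the comment above it still only explains ptrace; a behaviour-narrowing change folded into an additive hunk is easy to miss later. If the removal is intentional, record it and the reason for the two new capabilities next to the line, e.g. `# chown/fsetid for the files NM rewrites; net_bind_service no longer needed`, adjusted to the real reason, which I cannot infer from the hunk.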
@@ -38,6 +41,9 @@
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
+
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
@@ -86,6 +92,8 @@
init_read_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+auth_use_nsswitch(NetworkManager_t)
+
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
@@ -129,8 +137,11 @@
')
optional_policy(`
+ allow NetworkManager_t self:dbus send_msg;
+
dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
dbus_connect_system_bus(NetworkManager_t)
+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
')
optional_policy(`
@@ -138,12 +149,9 @@
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
-')
-
-optional_policy(`
- nscd_socket_use(NetworkManager_t)
nscd_signal(NetworkManager_t)
+ nscd_script_domtrans(NetworkManager_t)
+ nscd_domtrans(NetworkManager_t)
')
optional_policy(`
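Review bot: `nscd_domtrans` and `nscd_script_domtrans` are added without a comment saying why NetworkManager must run the nscd binary and its init script; presumably this is to flush the hosts cache (`nscd -i hosts`) after a connection change, and that should be stated next to the rules. The removal of `nscd_socket_use` and `nis_use_ypbind` here looks safe only because the `@@ -86` hunk above adds `auth_use_nsswitch`, which in refpolicy pulls both in; a one-line cross-reference would save the next reader the lookup. Note also that `nscd_script_domtrans` only has an effect if the init script is labeled `nscd_script_exec_t`, which the nscd.fc hunk further down does not currently do.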
@@ -155,6 +163,7 @@
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
ppp_signal(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
')
optional_policy(`
@@ -166,11 +175,6 @@
')
optional_policy(`
- # Read gnome-keyring
- unconfined_read_home_content_files(NetworkManager_t)
-')
-
-optional_policy(`
vpn_domtrans(NetworkManager_t)
vpn_signal(NetworkManager_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2007-12-19 05:38:09.000000000 -0500
@@ -4,6 +4,7 @@
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.5/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/nis.if 2007-12-19 05:38:09.000000000 -0500
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_tcp_bind_reserved_port($1)
- corenet_udp_bind_reserved_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
@@ -87,6 +87,25 @@
########################################
## <summary>
+## Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+## <summary>
## Execute ypbind in the ypbind domain.
## </summary>
## <param name="domain">
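Review bot: The summary of `nis_authenticate` does not say that everything it grants is gated on the `allow_ypbind` boolean, nor that it gives the caller bind on all RPC ports (tcp and udp) on top of what `nis_use_ypbind_uncond` provides; both matter to a caller deciding whether this is the right interface. Suggest `## Use NIS to authenticate passwords. Grants ypbind client access and binding to all RPC ports, only while the allow_ypbind boolean is enabled.` The interface body itself is fine.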
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.5/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.te 2007-12-19 05:38:09.000000000 -0500
@@ -113,6 +113,17 @@
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
+
+optional_policy(`
+ dbus_system_bus_client_template(ypbind,ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
optional_policy(`
seutil_sigchld_newrole(ypbind_t)
')
@@ -126,6 +137,7 @@
# yppasswdd local policy
#
+allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { setfscreate signal_perms };
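Review bot: `dac_override` is granted to yppasswdd_t with no comment explaining which access trips DAC; the daemon runs as root, so this is only needed for files root does not own or that carry mode 0000, and it is worth recording which one. A why-comment such as `# dac_override: rewrites the source passwd/shadow files regardless of their mode — TODO confirm` keeps the grant reviewable later.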
@@ -156,8 +168,8 @@
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_all_nodes(yppasswdd_t)
corenet_udp_bind_all_nodes(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)
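Review bot: yppasswdd_t loses `corenet_tcp_bind_reserved_port`/`corenet_udp_bind_reserved_port` in favour of the RPC-port rules, whereas the ypserv_t and ypxfr_t hunks below keep the reserved-port rules and merely add the RPC ones. If the narrowing is deliberate for yppasswdd, the same narrowing should be applied to ypserv/ypxfr for consistency; if it is not, yppasswdd may now fail to bind when it is handed a reserved port outside the rpc range, and the dontaudit lines directly below would hide that denial. One comment stating the intent, e.g. `# rpc.yppasswdd binds only within the RPC port range`, would settle which way it should go.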
@@ -247,6 +259,8 @@
corenet_udp_bind_all_nodes(ypserv_t)
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)
@@ -315,6 +329,8 @@
corenet_udp_bind_all_nodes(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.5/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nscd.fc 2007-12-19 05:38:09.000000000 -0500
@@ -9,3 +9,5 @@
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
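Review bot: The new file context labels the nscd init script as `httpd_script_exec_t`, which is apache's init-script type; `nscd_script_exec_t` is what the nscd.te hunk declares and what `nscd_script_domtrans` in nscd.if requires, so with this label the nscd transition never fires and the script is treated as apache's. This looks like a copy-paste from apache.fc. The line should read `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0)`.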
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.5/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/nscd.if 2007-12-19 05:38:09.000000000 -0500
@@ -70,15 +70,14 @@
interface(`nscd_socket_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
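Review bot: `getserv` and `shmemserv` are added to the class requirement, but `getserv` only appears in the dontaudit line while the allow line still grants just `{ getpwd getgrp gethost }`. That means services lookups through nscd are silently denied for every caller of this interface and fall back to local NSS, which may be the intent, but if nscd is meant to serve the services database the allow should become `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };` with `getserv` removed from the dontaudit. Either way a short comment stating which behaviour is intended would stop the next person from "fixing" it the other way.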
@@ -204,3 +203,22 @@
role $2 types nscd_t;
dontaudit nscd_t $3:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Execute nscd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`nscd_script_domtrans',`
+ gen_require(`
+ type nscd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,nscd_script_exec_t)
+')
+
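Review bot: The summary `Execute nscd server in the ntpd domain.` is wrong on both counts: the body calls `init_script_domtrans_spec`, so the caller enters the init-script domain rather than nscd_t, and "ntpd" is a copy-paste leftover. Suggest `## Execute the nscd init script in the init script domain.` The same wording problem appears in the ntp.if hunk below.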
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.5/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nscd.te 2007-12-19 05:38:09.000000000 -0500
@@ -23,19 +23,22 @@
type nscd_log_t;
logging_log_file(nscd_log_t)
+type nscd_script_exec_t;
+init_script_type(nscd_script_exec_t)
+
########################################
#
# Local policy
#
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr setcap setsched signal_perms };
allow nscd_t self:fifo_file { read write };
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
@@ -50,6 +53,8 @@
manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
+can_exec(nscd_t, nscd_exec_t)
+
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
@@ -73,6 +78,8 @@
corenet_udp_sendrecv_all_nodes(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
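Review bot: `corenet_udp_bind_all_nodes(nscd_t)` is added twice; the second copy is a no-op, and since the surrounding rules come in tcp/udp pairs one of them was probably meant to be `corenet_tcp_bind_all_nodes(nscd_t)`. Either change the second line to the TCP form if nscd actually binds TCP sockets, or drop the duplicate.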
@@ -93,6 +100,7 @@
libs_use_ld_so(nscd_t)
libs_use_shared_libs(nscd_t)
+logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
@@ -114,3 +122,12 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.5/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ntp.fc 2007-12-19 05:38:09.000000000 -0500
@@ -17,3 +17,8 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2007-12-19 05:38:09.000000000 -0500
@@ -53,3 +53,22 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ntp_script_domtrans',`
+ gen_require(`
+ type ntpd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,ntpd_script_exec_t)
+')
+
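Review bot: The summary says `Execute ntp server in the ntpd domain.`, but the body calls `init_script_domtrans_spec` with `ntpd_script_exec_t`, i.e. it runs the ntpd init script in the init-script domain; the `domtrans_pattern` in the context lines just above is the one that enters ntpd_t. Suggest `## Execute the ntpd init script in the init script domain.` so callers do not confuse the two.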
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.5/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ntp.te 2007-12-19 05:38:09.000000000 -0500
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_script_exec_t;
+init_script_type(ntpd_script_exec_t)
+
########################################
#
# Local policy
@@ -36,6 +42,7 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -49,6 +56,8 @@
manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
+read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
+
# for some reason it creates a file in /tmp
manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
@@ -82,6 +91,8 @@
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
auth_use_nsswitch(ntpd_t)
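Review bot: `fs_rw_tmpfs_files(ntpd_t)` grants read/write on every tmpfs file, not just the gpsd segment the comment refers to, so a network-facing time daemon gets a wide write path into /dev/shm and any other tmpfs mount. If gpsd publishes its data through a shared-memory object, a dedicated type from the gpsd module (or at least a tunable) would be narrower; at minimum the comment should name the object it is for, e.g. `# gpsd publishes its shared-memory segment on tmpfs (/dev/shm) — confirm`.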
@@ -105,6 +116,10 @@
miscfiles_read_localization(ntpd_t)
+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
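Review bot: `term_use_ptmx(ntpd_t)` gives ntpd read/write on the pty master device with no comment about what triggers it; a refclock driver talking to a serial device would hit a tty type rather than ptmx, so this looks like an audit2allow artifact worth verifying. If it is real, state the consumer, e.g. `# term_use_ptmx: needed by ... (refclock/gpsd pty?) — TODO confirm`; if not, drop it. The `sysnet_dontaudit_dhcpc_use_fds` line would benefit from the same one-line why.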
@@ -120,6 +135,10 @@
')
optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
logrotate_exec(ntpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.2.5/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nx.fc 2008-01-15 13:47:19.000000000 -0500
@@ -1,3 +1,5 @@
+
+/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500
@@ -15,6 +15,7 @@
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
@@ -68,20 +69,38 @@
# oddjob_mkhomedir local policy
#
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file { read write };
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(oddjob_mkhomedir_t)
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
libs_use_ld_so(oddjob_mkhomedir_t)
libs_use_shared_libs(oddjob_mkhomedir_t)
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
miscfiles_read_localization(oddjob_mkhomedir_t)
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
# Add/remove user home directories
+userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
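Review bot: `userdom_manage_unpriv_users_home_content_dirs` looks redundant next to `userdom_manage_all_users_home_content_dirs`, which is presumably a superset, and the switch from the generic/staff rules to the all-users forms now lets oddjob_mkhomedir manage sysadm home content as well. Combined with the new `chown fowner fsetid dac_override` capabilities and `setfscreate`, the helper can rewrite any user's home files, so if admin homes really must be creatable this way the comment should say so; otherwise keep the narrower unpriv-users interface and drop the all-users pair. The capability line also deserves a why-comment, e.g. `# chown/fowner/fsetid: set ownership and mode of the copied skeleton files`.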
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 05:38:09.000000000 -0500
@@ -22,6 +22,7 @@
allow openct_t self:process signal_perms;
manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.5/policy/modules/services/openvpn.fc
--- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.fc 2007-12-19 05:38:09.000000000 -0500
@@ -11,5 +11,5 @@
#
# /var
#
-/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2008-01-08 13:31:47.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
## <p>
-## Allow openvpn to read home directories
+## Allow openvpn service access to users home directories
## </p>
## </desc>
gen_tunable(openvpn_enable_homedirs,false)
@@ -35,7 +35,7 @@
# openvpn local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
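Review bot: `sys_chroot` is added to openvpn_t without a comment; presumably it backs the `--chroot` option, and that should be stated since the rest of the capability line is equally uncommented. Suggest a trailing `# sys_chroot: openvpn --chroot` on the line above.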
@@ -47,6 +47,7 @@
allow openvpn_t openvpn_etc_t:dir list_dir_perms;
read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
+can_exec(openvpn_t,openvpn_etc_t)
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
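Review bot: `can_exec(openvpn_t,openvpn_etc_t)` lets openvpn run anything labeled openvpn_etc_t in its own domain, so `--up`/`--down`/`--auth-user-pass-verify` scripts dropped into /etc/openvpn inherit the daemon's `net_admin`, `dac_override`, `setuid` and the rest. That is probably intended (such scripts configure routes), but it should be written down, e.g. `# helper scripts referenced from the config (--up/--down) run in openvpn_t with no transition`, so that anyone labeling files under /etc/openvpn knows they become part of the daemon's trust base. A dedicated script type with its own domain would be the stricter alternative.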
@@ -77,6 +78,7 @@
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
@@ -110,3 +112,12 @@
networkmanager_dbus_chat(openvpn_t)
')
+
+
+# Need to interact with terminals if config option "auth-user-pass" is used
+userdom_use_sysadm_terms(openvpn_t)
+
+optional_policy(`
+ unconfined_use_terminals(openvpn_t)
+')
+
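Review bot: `userdom_use_sysadm_terms(openvpn_t)` is added unconditionally even though the comment ties it to the `auth-user-pass` prompt; an instance started from the init script has no interactive tty, yet every openvpn process now gets write access to sysadm terminals. Gate both this rule and the `unconfined_use_terminals` block under a dedicated boolean, in the same style as the `openvpn_enable_homedirs` tunable declared at the top of this file, and keep the comment with the tunable. The `unconfined_use_terminals` block currently has no comment of its own.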
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.5/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pcscd.te 2007-12-19 05:38:09.000000000 -0500
@@ -45,6 +45,7 @@
files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
+term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
libs_use_ld_so(pcscd_t)
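Review bot: `term_use_unallocated_ttys(pcscd_t)` grants read/write on every unallocated tty device with no comment on which reader driver needs it; serial smart-card readers on /dev/ttyS* are the likely reason and should be stated, e.g. `# serial card readers (pcsc-lite serial drivers) on ttyS* — confirm`. Since the rule also covers virtual consoles a user may later log in on, it is worth checking whether the reader can be reached through a device node with a narrower type instead.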
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.5/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pegasus.te 2007-12-19 05:38:09.000000000 -0500
@@ -42,6 +42,7 @@
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -95,13 +96,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
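Review bot: `auth_read_shadow(pegasus_t)` and `files_read_all_files(pegasus_t)` substantially widen a network-facing CIM server: the domain already has `auth_domtrans_chk_passwd`, which is the refpolicy way to verify passwords without exposing hashes, so direct read of shadow means a compromised pegasus yields every password hash on the host. Likewise replacing `files_read_etc_files`/`files_list_var_lib`/`files_read_var_lib_files` with `files_read_all_files` grants read on every file type and hides whatever specific denial motivated the change. Prefer keeping the narrow reads and adding only the types actually hit, and if a provider genuinely needs shadow, put that rule under a boolean with a comment naming the provider.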
@@ -113,19 +113,16 @@
libs_use_shared_libs(pegasus_t)
logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
miscfiles_read_localization(pegasus_t)
-sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
optional_policy(`
- logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
rpm_exec(pegasus_t)
')
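Review bot: `sysnet_domtrans_ifconfig(pegasus_t)` replaces `sysnet_read_config` and lets the CIM server run ifconfig/ip in ifconfig_t, i.e. reconfigure interfaces, without a comment saying which provider requires it. If reading network configuration was the only goal, the old rule was sufficient and the transition should be dropped; if a provider really changes interface state, say so: `# network provider runs ifconfig/ip to configure interfaces`. Note that the direct `sysnet_read_config` grant is gone, so resolver/config reads now presumably rely on `auth_use_nsswitch` above — worth confirming.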
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2007-12-19 09:37:14.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,60 @@
+
+## <summary>policy for polkit_auth</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polkit_domtrans_auth',`
+ gen_require(`
+ type polkit_auth_t;
+ type polkit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t)
+')
+
+########################################
+## <summary>
+## Search polkit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polkit_search_lib',`
+ gen_require(`
+ type polkit_var_lib_t;
+ ')
+
+ allow $1 polkit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## read polkit lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polkit_read_lib',`
+ gen_require(`
+ type polkit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500
@@ -0,0 +1,63 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type polkit_auth_t;
+type polkit_auth_exec_t;
+domain_type(polkit_auth_t)
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
+
+type polkit_var_lib_t;
+files_type(polkit_var_lib_t)
+
+type polkit_var_run_t;
+files_pid_file(polkit_var_run_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow polkit_auth_t self:process getattr;
+
+allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
+allow polkit_auth_t self:fifo_file rw_file_perms;
+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_auth_t, polkit_auth_exec_t)
+corecmd_search_bin(polkit_auth_t)
+
+domain_use_interactive_fds(polkit_auth_t)
+
+files_read_etc_files(polkit_auth_t)
+files_read_usr_files(polkit_auth_t)
+
+auth_use_nsswitch(polkit_auth_t)
+
+libs_use_ld_so(polkit_auth_t)
+libs_use_shared_libs(polkit_auth_t)
+
+miscfiles_read_localization(polkit_auth_t)
+
+logging_send_syslog_msg(polkit_auth_t)
+
+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
+
+# pid file
+manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
+manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
+files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir })
+
+optional_policy(`
+ dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
+ consolekit_dbus_chat(polkit_auth_t)
+')
+
+optional_policy(`
+ hal_getattr(polkit_auth_t)
+ hal_read_state(polkit_auth_t)
+')
+
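Review bot: The module is declared as `policy_module(polkit_auth,1.0.0)` but lives in polkit.te with interfaces prefixed `polkit_`; the built .pp carries the declared name, so `semodule -l` shows `polkit_auth` while the file, the .if prefix and the package say polkit — declare it `policy_module(polkit,1.0.0)`. Second, `init_daemon_domain` is an odd fit for polkit-read-auth-helper, which is a helper spawned by PolicyKit clients rather than a service started from init; it gives the domain system_r and an init-script entry it never uses, so `application_domain` (with callers using `polkit_domtrans_auth`) looks closer to reality — confirm against how the helper is actually launched. Minor: `self:fifo_file rw_file_perms` should be `rw_fifo_file_perms`, matching the other services in this patch.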
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2007-12-19 05:38:09.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-08 16:12:40.000000000 -0500
@@ -416,7 +416,7 @@
## </summary>
## </param>
#
-interface(`postfix_create_pivate_sockets',`
+interface(`postfix_create_private_sockets',`
gen_require(`
type postfix_private_t;
')
@@ -427,6 +427,26 @@
########################################
## <summary>
+## manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
+
+
+########################################
+## <summary>
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2008-01-11 14:27:52.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+##
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool,false)
+
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
@@ -27,6 +35,10 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+tunable_policy(`allow_postfix_local_write_mail_spool', `
+ mta_rw_spool(postfix_local_t)
+')
+
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
@@ -34,6 +46,7 @@
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t,postfix_map_exec_t)
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
@@ -99,6 +112,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -174,6 +188,7 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
optional_policy(`
cyrus_stream_connect(postfix_master_t)
@@ -248,6 +263,10 @@
corecmd_exec_bin(postfix_cleanup_t)
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
########################################
#
# Postfix local local policy
@@ -273,6 +292,8 @@
files_read_etc_files(postfix_local_t)
+logging_dontaudit_search_logs(postfix_local_t)
+
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
@@ -285,6 +306,8 @@
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
')
optional_policy(`
@@ -295,8 +318,7 @@
#
# Postfix map local policy
#
-
-allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
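Review bot: postfix_map_t gains `dac_override setuid setgid` with no comment; since this is an application domain reached through postmap/postalias, a why-comment should say which invocation needs to bypass DAC (presumably postalias run from postfix_local_t on root-owned alias or mailman data files, cf. the mailman block added later in this file — confirm). E.g. `# postalias/postmap invoked by the mail system rewrite root-owned map files`.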
@@ -346,8 +368,6 @@
miscfiles_read_localization(postfix_map_t)
-seutil_read_config(postfix_map_t)
-
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
@@ -360,6 +380,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
########################################
#
# Postfix pickup local policy
@@ -392,6 +417,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
@@ -400,6 +429,10 @@
')
optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+')
+
+optional_policy(`
uucp_domtrans_uux(postfix_pipe_t)
')
@@ -532,9 +565,6 @@
# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-# Connect to policy server
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
@@ -557,6 +587,10 @@
sasl_connect(postfix_smtpd_t)
')
+optional_policy(`
+ dovecot_auth_stream_connect(postfix_smtpd_t)
+')
+
########################################
#
# Postfix virtual local policy
@@ -584,3 +618,4 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 2007-12-19 05:38:09.000000000 -0500
@@ -38,3 +38,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.5/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.if 2007-12-19 05:38:09.000000000 -0500
@@ -120,3 +120,77 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+## <summary>
+## Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+ gen_require(`
+ type postgresql_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the postgresql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t;
+ type postgresql_var_run_t;
+ type postgresql_tmp_t;
+ type postgresql_db_t;
+ type postgresql_etc_t;
+ type postgresql_log_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, postgresql_t, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
+ manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+ manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+
+ manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
+ manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
+
+ manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
+ manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
+
+ manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
+ manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
+
+ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+')
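Review bot: The comment `# Allow $1 to restart the apache service` above the postgresql_script_domtrans($1) call is a copy-paste leftover and should read `# Allow $1 to restart the postgresql service`. The interface summary also has a typo, `posgresql` for `postgresql`. The `terminal` parameter is documented but `$3` is never referenced in the body, and `postgresql_script_exec_t` is used directly by the `role_transition` line without appearing in this interface's gen_require block, so it only resolves because postgresql_script_domtrans happens to require it.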
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2007-12-19 05:38:09.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
########################################
#
# postgresql Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.5/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgrey.te 2008-01-08 16:15:30.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
-allow postgrey_t self:capability { chown setgid setuid };
+allow postgrey_t self:capability { chown dac_override setgid setuid };
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
@@ -85,6 +85,11 @@
')
optional_policy(`
+ postfix_read_config(postgrey_t)
+ postfix_read_spool_files(postgrey_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(postgrey_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500
@@ -25,7 +25,7 @@
#
# /var
#
-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
# Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 17:30:15.000000000 -0500
@@ -162,6 +162,8 @@
init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
+auth_use_nsswitch(pppd_t)
+
libs_use_ld_so(pppd_t)
libs_use_shared_libs(pppd_t)
@@ -194,14 +196,12 @@
optional_policy(`
mta_send_mail(pppd_t)
+ mta_mailcontent(pppd_etc_t)
+ mta_mailcontent(pppd_etc_rw_t)
')
optional_policy(`
- nis_use_ypbind(pppd_t)
-')
-
-optional_policy(`
- nscd_socket_use(pppd_t)
+ networkmanager_signal(pppd_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500
@@ -39,3 +39,22 @@
corecmd_search_bin($1)
can_exec($1,procmail_exec_t)
')
+
+########################################
+## <summary>
+## Read procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-08 11:05:41.000000000 -0500
@@ -102,6 +102,10 @@
')
optional_policy(`
+ cron_read_pipes(procmail_t)
+')
+
+optional_policy(`
munin_dontaudit_search_lib(procmail_t)
')
@@ -129,7 +133,9 @@
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
- spamassassin_exec(procmail_t)
- spamassassin_exec_client(procmail_t)
- spamassassin_read_lib_files(procmail_t)
+ spamassassin_domtrans(procmail_t)
+')
+
+optional_policy(`
+ mailscanner_read_spool(procmail_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,6 +1,6 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:user_pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500
@@ -25,16 +25,18 @@
#
template(`pyzor_per_role_template',`
gen_require(`
- type pyzord_t;
+ type pyzor_t;
+ type user_pyzor_home_t;
')
- type $1_pyzor_home_t;
- userdom_user_home_content($1, $1_pyzor_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_pyzor_home_t alias $1_pyzor_home_t;
+ ')
- manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+ manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file })
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500
@@ -28,6 +28,9 @@
type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)
+type user_pyzor_home_t;
+userdom_user_home_content(user,user_pyzor_home_t)
+
########################################
#
# Pyzor local policy
@@ -68,6 +71,8 @@
miscfiles_read_localization(pyzor_t)
+mta_read_queue(pyzor_t)
+
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
optional_policy(`
@@ -76,8 +81,13 @@
')
optional_policy(`
+ procmail_read_tmp_files(pyzor_t)
+')
+
+optional_policy(`
spamassassin_signal_spamd(pyzor_t)
spamassassin_read_spamd_tmp_files(pyzor_t)
+ userdom_read_user_home_content_files(unconfined,pyzor_t)
')
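Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` grants pyzor_t read access to all of an unconfined user's home content, not only the `.pyzor` data that user_pyzor_home_t already covers earlier in this file, and it is placed inside the spamassassin optional block so the grant is tied to an unrelated module's presence. If the intent is only pyzor reading per-user pyzor state, the user_pyzor_home_t rules should be sufficient; otherwise a why-comment such as `# pyzor is invoked by spamd on mail in the user's home` would make the breadth deliberate rather than accidental.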
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500
@@ -85,6 +85,8 @@
libs_use_ld_so(qmail_inject_t)
libs_use_shared_libs(qmail_inject_t)
+miscfiles_read_localization(qmail_inject_t)
+
qmail_read_config(qmail_inject_t)
########################################
@@ -106,15 +108,25 @@
kernel_read_system_state(qmail_local_t)
+corecmd_exec_bin(qmail_local_t)
corecmd_exec_shell(qmail_local_t)
+can_exec(qmail_local_t, qmail_local_exec_t)
files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t)
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog(qmail_local_t)
+
mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
+optional_policy(`
+ spamassassin_domtrans_spamc(qmail_local_t)
+')
+
########################################
#
# qmail-lspawn local policy
@@ -155,6 +167,10 @@
manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog(qmail_queue_t)
+
optional_policy(`
daemontools_ipc_domain(qmail_queue_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2007-12-19 05:38:09.000000000 -0500
@@ -137,6 +137,7 @@
template(`razor_per_role_template',`
gen_require(`
type razor_exec_t;
+ type user_razor_home_t, user_razor_tmp_t;
')
type $1_razor_t;
@@ -145,12 +146,10 @@
razor_common_domain_template($1_razor)
role $3 types $1_razor_t;
- type $1_razor_home_t alias $1_razor_rw_t;
- files_poly_member($1_razor_home_t)
- userdom_user_home_content($1,$1_razor_home_t)
-
- type $1_razor_tmp_t;
- files_tmp_file($1_razor_tmp_t)
+ ifelse(`$1',`user',`',`
+ typealias user_razor_home_t alias $1_razor_home_t;
+ typealias user_razor_tmp_t alias $1_razor_tmp_t;
+ ')
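Review bot: The removed per-role `$1_razor_home_t` declaration carried `files_poly_member($1_razor_home_t)`, but the shared `user_razor_home_t` that replaces it (declared in the razor.te hunk that follows) is only given `userdom_user_home_content`, so polyinstantiation membership for the razor home directory is silently dropped. If that is intended, a short comment at the new declaration would record it; if not, `files_poly_member(user_razor_home_t)` belongs next to the type in razor.te. The same consolidation in pyzor.if and pyzor.te is consistent with this, so whichever way it goes both modules should match.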
##############################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/razor.te 2007-12-19 05:38:09.000000000 -0500
@@ -23,6 +23,12 @@
razor_common_domain_template(razor)
+type user_razor_home_t;
+userdom_user_home_content(user,user_razor_home_t)
+
+type user_razor_tmp_t;
+files_tmp_file(user_razor_tmp_t)
+
########################################
#
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.5/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.if 2007-12-19 05:38:09.000000000 -0500
@@ -18,3 +18,20 @@
auth_domtrans_login_program($1,remote_login_t)
')
+########################################
+## <summary>
+## allow Domain to signal remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.5/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.te 2007-12-19 05:38:09.000000000 -0500
@@ -85,6 +85,7 @@
miscfiles_read_localization(remote_login_t)
+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_all_users_home_content(remote_login_t)
# Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.5/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rlogin.te 2007-12-19 05:38:09.000000000 -0500
@@ -36,6 +36,8 @@
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
+domain_interactive_fd(rlogind_t)
+
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
@@ -82,23 +84,21 @@
miscfiles_read_localization(rlogind_t)
-seutil_dontaudit_search_config(rlogind_t)
+seutil_read_config(rlogind_t)
userdom_setattr_unpriv_users_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_all_users_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
optional_policy(`
+ kerberos_use(rlogind_t)
kerberos_read_keytab(rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.5/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpcbind.te 2007-12-19 05:38:09.000000000 -0500
@@ -21,11 +21,13 @@
# rpcbind local policy
#
-allow rpcbind_t self:capability setuid;
+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
allow rpcbind_t self:fifo_file rw_file_perms;
allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
allow rpcbind_t self:udp_socket create_socket_perms;
+# BROKEN ...
+dontaudit rpcbind_t self:udp_socket listen;
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
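Review bot: `# BROKEN ...` gives the next maintainer nothing to act on; the comment should say what is broken, e.g. `# rpcbind appears to call listen() on its UDP socket; the kernel rejects it, so only silence the denial` (hedged, since the hunk does not show the call). The same line adds `dac_override` and `sys_tty_config` to a network-facing daemon's capabilities with no explanation of which access needed them; `dac_override` in particular deserves a comment or a check that `dac_read_search` would do.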
@@ -37,6 +39,7 @@
manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.5/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.if 2007-12-19 05:38:09.000000000 -0500
@@ -88,8 +88,11 @@
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
- corenet_udp_bind_reserved_port($1_t)
+ corenet_dontaudit_tcp_bind_all_ports($1_t)
+ corenet_dontaudit_udp_bind_all_ports($1_t)
corenet_sendrecv_generic_server_packets($1_t)
+ corenet_tcp_bind_all_rpc_ports($1_t)
+ corenet_udp_bind_all_rpc_ports($1_t)
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
@@ -208,6 +211,24 @@
########################################
## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ domtrans_pattern($1,rpcd_exec_t,rpcd_t)
+')
+
+########################################
+## <summary>
## Read NFS exported content.
## </summary>
## <param name="domain">
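Review bot: The summary for `rpc_domtrans_rpcd` says `Execute domain in nfsd domain.` but the body transitions into rpcd_t, not nfsd_t, so the documentation is wrong; it should read `## Execute rpcd in the rpcd domain.` The parameter description is also the generic one, which is fine for a domtrans interface.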
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2008-01-08 06:24:04.000000000 -0500
@@ -60,10 +60,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
+corecmd_exec_bin(rpcd_t)
+
kernel_read_system_state(rpcd_t)
-kernel_search_network_state(rpcd_t)
+kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
+kernel_getattr_core_if(nfsd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
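Review bot: `kernel_getattr_core_if(nfsd_t)` is added inside the rpcd_t section of this file, and the later NFSD hunk adds `kernel_dontaudit_getattr_core_if(nfsd_t)` for the same access; a dontaudit has no effect once the access is allowed, so one of the two lines is a mistake. If the allow is intended it belongs in the NFSD section with the dontaudit removed, otherwise drop it. The gssd hunk near the end of this file likewise places `userdom_dontaudit_search_users_home_dirs(rpcd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` among gssd_t rules; moving them up keeps each domain's rules together.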
@@ -77,11 +81,17 @@
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
+# automount -> mount -> rpcd
+optional_policy(`
+ automount_dontaudit_use_fds(rpcd_t)
+')
+
########################################
#
# NFSD local policy
@@ -92,9 +102,16 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
+dev_read_lvm_control(nfsd_t)
+storage_dontaudit_raw_read_fixed_disk(nfsd_t)
+
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -124,6 +141,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir })
')
tunable_policy(`nfs_export_all_ro',`
@@ -144,6 +162,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -157,8 +176,13 @@
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
+auth_read_cache(gssd_t)
+
miscfiles_read_certs(gssd_t)
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.5/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rshd.te 2007-12-19 05:38:09.000000000 -0500
@@ -16,7 +16,7 @@
#
# Local policy
#
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -33,6 +33,9 @@
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
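Review bot: `corenet_tcp_connect_all_ports(rshd_t)` presumably already covers the rpc port types, which would make `corenet_tcp_connect_all_rpc_ports(rshd_t)` on the next line redundant. More importantly, letting an inetd-spawned login daemon connect to any TCP port is a wide grant for a domain that authenticates remote clients; if only the rsh stderr back-connection to a client port is needed, a comment stating that, or a narrower port interface, would document the reason. rshd_t's rule block continues outside this hunk.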
@@ -44,20 +47,22 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
-auth_domtrans_chk_passwd(rshd_t)
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
files_list_home(rshd_t)
files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
+files_manage_generic_tmp_dirs(rshd_t)
-auth_use_nsswitch(rshd_t)
+init_rw_utmp(rshd_t)
libs_use_ld_so(rshd_t)
libs_use_shared_libs(rshd_t)
logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
miscfiles_read_localization(rshd_t)
@@ -78,6 +83,8 @@
optional_policy(`
kerberos_use(rshd_t)
+ kerberos_read_keytab(rshd_t)
+ kerberos_manage_host_rcache(rshd_t)
')
optional_policy(`
@@ -86,4 +93,5 @@
optional_policy(`
unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.5/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rsync.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.5/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rsync.te 2007-12-19 05:38:09.000000000 -0500
@@ -31,6 +31,9 @@
type rsync_data_t;
files_type(rsync_data_t)
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)
@@ -42,7 +45,7 @@
# Local policy
#
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
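Review bot: `dac_override` becomes an unconditional capability of rsync_t here, while the later hunk in this file removes it from the `rsync_export_all_ro` tunable block, so DAC bypass is no longer gated on the administrator opting in. For a network-reachable daemon that is a meaningful widening; keeping `allow rsync_t self:capability dac_override;` inside the tunable, or adding a comment explaining why the daemon needs it by default, would preserve the previous least-privilege posture. `dac_read_search` alone may be enough for the read-only export case.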
@@ -52,7 +55,6 @@
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
#end for identd
allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@
libs_use_shared_libs(rsync_t)
logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
@@ -117,7 +120,6 @@
')
tunable_policy(`rsync_export_all_ro',`
- allow rsync_t self:capability dac_override;
fs_read_noxattr_fs_files(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.5/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/samba.fc 2007-12-19 05:38:09.000000000 -0500
@@ -15,6 +15,7 @@
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
@@ -30,6 +31,8 @@
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/samba.if 2008-01-08 13:39:02.000000000 -0500
@@ -331,6 +331,25 @@
########################################
## <summary>
+## dontaudit the specified domain to
+## write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
## Allow the specified domain to
## read and write samba /var files.
## </summary>
@@ -348,6 +367,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1,samba_var_t,samba_var_t)
+ manage_lnk_files_pattern($1,samba_var_t,samba_var_t)
')
########################################
@@ -492,3 +512,103 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ ')
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
+')
+
+
+########################################
+## <summary>
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the smbcontrol domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ role $2 types smbcontrol_t;
+ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
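Review bot: The summary on `samba_helper_template` says `Create a set of derived types for apache web content.` which is a copy-paste leftover; it should describe the samba helper-script domain, e.g. `## Create a domain and entry type for a samba helper script.` In `samba_run_smbcontrol` the terminal rule is `dontaudit smbcontrol_t $3:chr_file rw_term_perms;` where the other run interfaces in refpolicy normally `allow` the role's terminal, so smbcontrol's output would be silently denied; if the dontaudit is deliberate a comment should say so. The template also ends with a stray blank line before `')`, and there is a double blank line before the smbcontrol run interface.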
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-08 13:40:20.000000000 -0500
@@ -26,28 +26,28 @@
## <desc>
## <p>
-## Allow samba to share users home directories.
+## Allow Samba to share users home directories
## </p>
## </desc>
gen_tunable(samba_enable_home_dirs,false)
## <desc>
## <p>
-## Allow samba to share any file/directory read only.
+## Allow Samba to share any file/directory read only
## </p>
## </desc>
gen_tunable(samba_export_all_ro,false)
## <desc>
## <p>
-## Allow samba to share any file/directory read/write.
+## Allow Samba to share any file/directory read/write
## </p>
## </desc>
gen_tunable(samba_export_all_rw,false)
## <desc>
## <p>
-## Allow samba to run unconfined scripts
+## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
## </p>
## </desc>
gen_tunable(samba_run_unconfined,false)
@@ -139,6 +139,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
########################################
#
# Samba net local policy
@@ -193,6 +198,8 @@
miscfiles_read_localization(samba_net_t)
+samba_read_var_files(samba_net_t)
+
userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
optional_policy(`
@@ -213,7 +220,7 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file read_file_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -221,10 +228,8 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
-allow smbd_t samba_log_t:dir setattr;
-dontaudit smbd_t samba_log_t:dir remove_name;
+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
allow smbd_t samba_net_tmp_t:file getattr;
@@ -234,6 +239,7 @@
manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
+allow smbd_t samba_share_t:filesystem getattr;
manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
@@ -251,7 +257,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
-allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -340,6 +346,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
+ fs_manage_nfs_symlinks(smbd_t)
+ fs_manage_nfs_named_pipes(smbd_t)
+ fs_manage_nfs_named_sockets(smbd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(smbd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(smbd_t)
')
optional_policy(`
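Review bot: `kerberos_read_keytab(smbd_t)` makes the host keytab readable by smbd unconditionally and carries no comment, while `lpd_exec_lpr(smbd_t)` runs lpr inside the smbd domain rather than transitioning. Both are plausible for an AD member / print server, but the file gates comparable behaviour behind tunables (`samba_share_nfs` just above, `samba_run_unconfined`), so a short comment on each — e.g. `# keytab needed when smbd authenticates as an AD domain member` — and a thought about whether keytab access should be tunable-gated would match the file's style. If the lpd module provides a domain transition for lpr, prefer it over in-domain execution.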
@@ -391,7 +408,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file read_file_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -403,8 +420,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
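Review bot: After `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)` the two unchanged lines that follow, `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` and `create_files_pattern(nmbd_t,samba_log_t,samba_log_t)`, are fully subsumed by it and should be dropped; leaving them suggests the granted access is narrower than it is. If the manage rule is kept, a comment stating why nmbd needs to delete or rename its logs would be worth adding.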
@@ -439,6 +455,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
+fs_list_inotifyfs(nmbd_t)
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
@@ -522,6 +539,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
corecmd_list_bin(smbmount_t)
@@ -546,28 +564,37 @@
userdom_use_all_users_fds(smbmount_t)
+optional_policy(`
+ cups_read_rw_config(smbmount_t)
+')
+
########################################
#
# SWAT Local policy
#
-allow swat_t self:capability { setuid setgid };
-allow swat_t self:process signal_perms;
+allow swat_t self:capability { setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
-allow swat_t nmbd_exec_t:file { execute read };
+allow swat_t self:unix_stream_socket connectto;
+can_exec(swat_t, smbd_exec_t)
+allow swat_t smbd_port_t:tcp_socket name_bind;
+allow swat_t smbd_t:process { signal signull };
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+can_exec(swat_t, nmbd_exec_t)
+allow swat_t nmbd_port_t:udp_socket name_bind;
+allow swat_t nmbd_t:process { signal signull };
+allow swat_t nmbd_var_run_t:file { lock read unlink };
rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
append_files_pattern(swat_t,samba_log_t,samba_log_t)
-allow swat_t smbd_exec_t:file execute ;
-
-allow swat_t smbd_t:process signull;
-
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
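Review bot: `can_exec(swat_t, smbd_exec_t)` and `can_exec(swat_t, nmbd_exec_t)` run the daemons inside `swat_t` instead of transitioning to `smbd_t`/`nmbd_t`, which is why the hunk also has to give the web-facing swat domain `name_bind` on `smbd_port_t`/`nmbd_port_t`, `sys_resource`, `setrlimit` and lock/unlink on the daemons' pid files — swat_t accumulates the servers' privileges. If SWAT is starting the daemons, `domtrans_pattern(swat_t, smbd_exec_t, smbd_t)` (and likewise for nmbd) keeps them in their own confined domains and most of the added self/port rules become unnecessary. The same pattern recurs for winbind in the next hunk (`@@ -577,7 +604,9 @@`: `can_exec(swat_t, winbind_exec_t)` plus write/create in `winbind_var_run_t`). If in-domain execution is intentional (e.g. for configuration checks rather than daemon start-up), say so in a comment above the `can_exec` lines.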
@@ -577,7 +604,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
-allow swat_t winbind_exec_t:file execute;
+can_exec(swat_t, winbind_exec_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -602,6 +631,7 @@
dev_read_urand(swat_t)
+files_list_var_lib(swat_t)
files_read_etc_files(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
@@ -614,6 +644,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -631,6 +662,17 @@
kerberos_use(swat_t)
')
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
+create_files_pattern(swat_t,samba_log_t,samba_log_t)
+
+manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)
+
+manage_files_pattern(swat_t,samba_var_t,samba_var_t)
+files_list_var_lib(swat_t)
+
########################################
#
# Winbind local policy
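Review bot: `files_list_var_lib(swat_t)` at the end of this hunk duplicates the same call added in the `@@ -602,6 +631,7 @@` hunk; one of them should go. The new type rules (`manage_*_pattern` on `samba_log_t`, on `samba_etc_t`/`samba_secrets_t` and on `samba_var_t`) are placed after the `optional_policy` blocks, whereas the file keeps local type rules together ahead of the kernel/corenet interface calls — moving them up next to the other swat rules keeps the section readable. `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)` also raises swat's access to the secrets files to full manage; a comment naming the operation that needs it (join, password change) would justify the scope.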
@@ -679,6 +721,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
+corecmd_exec_bin(winbind_t)
+
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
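Review bot: `corecmd_exec_bin(winbind_t)` lets winbindd execute anything under the bin directories in its own domain, with no comment saying what it needs to run; elsewhere in this patch such rules are annotated (`# for piping mail to a command` in sendmail.te). Add a one-liner such as `# winbindd runs helper programs from bin dirs — confirm which` or, better, name the program and consider a dedicated exec type and transition if a single helper is involved.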
@@ -766,6 +810,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
')
########################################
@@ -790,3 +835,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(smbcontrol_t)
+
+libs_use_ld_so(smbcontrol_t)
+libs_use_shared_libs(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+files_search_var_lib(smbcontrol_t)
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+allow smbcontrol_t smbd_t:process signal;
+domain_use_interactive_fds(smbcontrol_t)
+allow smbd_t smbcontrol_t:process { signal signull };
+
+allow nmbd_t smbcontrol_t:process signal;
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t winbind_t:process { signal signull };
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
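Review bot: The comment heading the new section uses `##`, which refpolicy reserves for the XML documentation blocks in `.if` files; in a `.te` file it should be a plain `# internal communication is often done using fifo and unix sockets.` The rule ordering is also loose — `files_read_etc_files` and `files_search_var_lib` are split by the `libs_*`/`miscfiles_*` calls, and the `allow ... :process signal` rules between smbcontrol and the three daemons are interleaved with `domain_use_interactive_fds` — grouping self rules, then samba_* type rules, then the kernel/files/libs interfaces, as the other sections do, would make the block easier to audit. `allow smbcontrol_t nmbd_var_run_t:file { read lock };` covers only nmbd's pid file; if the same is needed for smbd's, it is missing here.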
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.5/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sasl.te 2007-12-19 05:38:09.000000000 -0500
@@ -107,6 +107,10 @@
')
optional_policy(`
+ nis_authenticate(saslauthd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(saslauthd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.5/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.if 2007-12-19 05:38:09.000000000 -0500
@@ -149,3 +149,85 @@
logging_log_filetrans($1,sendmail_log_t,file)
')
+
+########################################
+## <summary>
+## Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the sendmail domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the sendmail domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ sendmail_domtrans($1)
+ role $2 types sendmail_t;
+ allow sendmail_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t, sendmail_exec_t;
+ ')
+
+ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain, and
+## allow the specified role the unconfined sendmail domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the unconfined sendmail domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the unconfined sendmail domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
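Review bot: `allow unconfined_sendmail_t $3:chr_file rw_file_perms;` in `sendmail_run_unconfined` is inconsistent with `sendmail_run` a few lines above, which uses `rw_term_perms` for the same terminal parameter; use `rw_term_perms` in both. `sendmail_domtrans_unconfined` installs a type transition on `sendmail_exec_t` for the caller just as `sendmail_domtrans` does, so a domain that ends up calling both (directly or through an `mta_*` interface) will get a conflicting type_transition at policy build time — the interface documentation should state that the two are mutually exclusive for a given caller. Minor: the terminal parameter summaries read "The type of the terminal allow the ... domain to use"; "allowed" was meant.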
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2008-01-14 11:54:22.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t,sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
########################################
#
# Sendmail local policy
#
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
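Review bot: Adding `dac_override` to `sendmail_t`'s capabilities is a broad step for a network-facing MTA and comes without a comment; together with the `userdom_read_all_users_home_content_files(sendmail_t)` added later in this file it lets sendmail bypass DAC on every file its type rules permit. If the motivating denial is reading users' forward files owned by other users, `dac_read_search` is the narrower capability; if writes are required, say which. Either way a one-line comment such as `# dac_override: needed for ... (confirm)` above the rule would record the decision.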
@@ -47,6 +51,7 @@
kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -69,6 +74,7 @@
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
domain_use_interactive_fds(sendmail_t)
@@ -97,20 +103,35 @@
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+userdom_read_all_users_home_content_files(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
# Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
optional_policy(`
clamav_search_lib(sendmail_t)
')
optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
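Review bot: `cyrus_stream_connect(sendmail_t)` and `clamav_stream_connect(sendmail_t)` share one `optional_policy` block, so the clamav rule is only applied when the cyrus module is also present (an optional block is disabled if any type it requires is missing). The file already has a separate clamav block (`clamav_search_lib`) just above; move `clamav_stream_connect` into it and leave `cyrus_stream_connect` alone in its own block.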
@@ -125,24 +146,25 @@
')
optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+ spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
udev_read_db(sendmail_t)
')
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
+')
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
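Review bot: `mta_etc_filetrans_aliases(unconfined_sendmail_t)` sits inside the `optional_policy` block together with `unconfined_domain(unconfined_sendmail_t)`, so it is silently dropped whenever the unconfined module is absent, while earlier in this file the same interface is called unconditionally for `sendmail_t`. Move the filetrans out of the block and keep only `unconfined_domain` inside it, consistent with `mta_etc_filetrans_aliases(sendmail_t)` above. The removed `ifdef(`TODO',...)` block was never compiled, so dropping it changes no behaviour.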
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-09-04 15:22:23.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if 2008-01-15 12:19:51.000000000 -0500
@@ -16,8 +16,8 @@
')
files_search_pids($1)
- allow $1 setroubleshoot_var_run_t:sock_file write;
- allow $1 setroubleshootd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t)
+ allow $1 setroubleshoot_var_run_t:sock_file read;
')
########################################
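Review bot: `stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t)` names the daemon type `setroubleshoot_t`, but the line it replaces and setroubleshoot.te use `setroubleshootd_t`; unless a `setroubleshoot_t` type exists and is in this interface's `gen_require` (which starts above the hunk), the module fails to build or clients are allowed to connect to the wrong domain. Change the last argument to `setroubleshootd_t`. The added `allow $1 setroubleshoot_var_run_t:sock_file read;` is also unusual — `stream_connect_pattern` already grants write on the socket file and clients normally need nothing more — so if it came from a real denial, a comment naming the client would help.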
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-15 11:09:44.000000000 -0500
@@ -27,8 +27,8 @@
# setroubleshootd local policy
#
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +52,9 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
@@ -68,13 +70,17 @@
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
+dev_getattr_all_blk_files(setroubleshootd_t)
+dev_getattr_all_chr_files(setroubleshootd_t)
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
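Review bot: `files_list_all(setroubleshootd_t)` replaces `files_getattr_all_dirs`, widening the daemon from stat'ing every directory to reading the contents of every directory on the system, alongside the new getattr on all device nodes, pipes and sockets. If the analysis plugins only need stat results, as the neighbouring `files_getattr_all_files`/`fs_getattr_all_*` rules suggest, keep `files_getattr_all_dirs` and add listing only for the directories actually read; if listing is genuinely required, a comment naming the plugin would justify the scope.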
@@ -97,11 +103,13 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
+logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_auditd(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
sysnet_read_config(setroubleshootd_t)
@@ -110,6 +118,7 @@
optional_policy(`
dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
+ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/snmp.te 2007-12-19 05:38:09.000000000 -0500
@@ -81,8 +81,7 @@
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
-files_getattr_boot_dirs(snmpd_t)
-files_dontaudit_getattr_home_dir(snmpd_t)
+auth_read_all_dirs_except_shadow(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
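Review bot: `auth_read_all_dirs_except_shadow(snmpd_t)` replaces a getattr on boot directories and a dontaudit on home directories with read access to every directory on the system except the shadow one, for a network-facing daemon. If the trigger was snmpd's disk monitoring stat'ing mount points, `files_getattr_all_dirs(snmpd_t)` (used elsewhere in this patch) is the closer match and keeps the home-directory dontaudit meaningful; if directory contents really are read, a comment stating which MIB needs it would justify the scope.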
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.5/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/soundserver.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,5 +1,3 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
@@ -7,4 +5,6 @@
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.5/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/soundserver.te 2007-12-19 05:38:09.000000000 -0500
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
-type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
-
type soundd_state_t;
files_type(soundd_state_t)
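Review bot: Removing `type soundd_etc_t alias etc_soundd_t;` (and its file contexts in soundserver.fc) without leaving an alias means any file still carrying the `soundd_etc_t` label becomes unlabeled once the new policy loads, until a relabel runs. If these paths are meant to be plain `etc_t` now, keep an alias for one release where the build allows it (an alias on the owning type in its module), or at least note the relabel requirement in the commit message.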
@@ -28,20 +25,21 @@
########################################
#
-# Declarations
+# sound server local policy
#
+allow soundd_t self:capability dac_override;
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
allow soundd_t self:tcp_socket create_stream_socket_perms;
allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+fs_getattr_all_fs(soundd_t)
+
# for yiff
allow soundd_t self:shm create_shm_perms;
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
-
manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
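Review bot: `allow soundd_t self:capability dac_override;` is added without a comment saying why a sound daemon must bypass file permissions, next to a `dontaudit ... sys_tty_config` that shows the existing style of denying what is not needed. If the denial comes from reading a root-owned file or socket under its run directory (the later hunk adds `manage_sock_files_pattern` on `soundd_var_run_t`), fixing ownership or using `dac_read_search` is narrower. At minimum add `# dac_override: needed for ... (confirm)` above the rule.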
@@ -55,8 +53,10 @@
manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
@@ -99,6 +99,10 @@
userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-15 14:51:50.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
@@ -6,11 +6,16 @@
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
+
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+
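Review bot: `/var/spool/milter-regex(/.*)?` is labelled `spamd_var_run_t`, the pid/socket type, while the other spool directories in this file (`/var/spool/spamassassin`, `/var/spool/spamd`) use `spamd_spool_t`; a different milter's spool tree thereby gets run-file semantics and becomes reachable by every domain allowed `spamd_var_run_t`. Use `spamd_spool_t` or a dedicated type unless the run-file type is deliberate, and say so in a comment. `spamd_log_t` for `/var/log/spamd\.log` must be declared in spamassassin.te for this hunk to build; that declaration is outside this file. The added empty line at the end of the file is just trailing whitespace.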
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-03 12:06:11.000000000 -0500
@@ -37,7 +37,9 @@
gen_require(`
type spamc_exec_t, spamassassin_exec_t;
- type spamd_t, spamd_tmp_t;
+ type spamc_t, spamd_t, spamd_tmp_t;
+ type user_spamassissin_home_t, user_spamassissin_tmp_t;
+ type user_spamc_tmp_t;
')
##############################
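Review bot: `type user_spamassissin_home_t, user_spamassissin_tmp_t;` in the `gen_require` misspells the types the template body later uses (`user_spamassassin_home_t`, `user_spamassassin_tmp_t` in the `ifelse` and `manage_*_pattern` lines), so the require either fails at build time or asks for types nobody declares. The require also lacks `spamassassin_t`, which the body uses in `typealias spamassassin_t alias $1_spamassassin_t;` and `role $3 types spamassassin_t;`. The block should read `type spamc_t, spamassassin_t, spamd_t, spamd_tmp_t;` / `type user_spamassassin_home_t, user_spamassassin_tmp_t;` / `type user_spamc_tmp_t;`.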
@@ -45,278 +47,28 @@
# Declarations
#
- type $1_spamc_t;
- application_domain($1_spamc_t,spamc_exec_t)
- role $3 types $1_spamc_t;
-
- type $1_spamc_tmp_t;
- files_tmp_file($1_spamc_tmp_t)
-
- type $1_spamassassin_t;
- application_domain($1_spamassassin_t,spamassassin_exec_t)
- role $3 types $1_spamassassin_t;
-
- type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
- userdom_user_home_content($1,$1_spamassassin_home_t)
- files_poly_member($1_spamassassin_home_t)
+ typealias spamc_t alias $1_spamc_t;
+ role $3 types spamc_t;
- type $1_spamassassin_tmp_t;
- files_tmp_file($1_spamassassin_tmp_t)
+ typealias spamassassin_t alias $1_spamassassin_t;
+ role $3 types spamassassin_t;
- ##############################
- #
- # $1_spamc_t local policy
- #
-
- allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_spamc_t self:fd use;
- allow $1_spamc_t self:fifo_file rw_fifo_file_perms;
- allow $1_spamc_t self:sock_file read_sock_file_perms;
- allow $1_spamc_t self:shm create_shm_perms;
- allow $1_spamc_t self:sem create_sem_perms;
- allow $1_spamc_t self:msgq create_msgq_perms;
- allow $1_spamc_t self:msg { send receive };
- allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
- allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_spamc_t self:unix_dgram_socket sendto;
- allow $1_spamc_t self:unix_stream_socket connectto;
- allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
- allow $1_spamc_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t)
- manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t)
- files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
-
- # Allow connecting to a local spamd
- allow $1_spamc_t spamd_t:unix_stream_socket connectto;
- allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
-
- domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
-
- kernel_read_kernel_sysctls($1_spamc_t)
-
- corenet_all_recvfrom_unlabeled($1_spamc_t)
- corenet_all_recvfrom_netlabel($1_spamc_t)
- corenet_tcp_sendrecv_generic_if($1_spamc_t)
- corenet_udp_sendrecv_generic_if($1_spamc_t)
- corenet_tcp_sendrecv_all_nodes($1_spamc_t)
- corenet_udp_sendrecv_all_nodes($1_spamc_t)
- corenet_tcp_sendrecv_all_ports($1_spamc_t)
- corenet_udp_sendrecv_all_ports($1_spamc_t)
- corenet_tcp_connect_all_ports($1_spamc_t)
- corenet_sendrecv_all_client_packets($1_spamc_t)
-
- fs_search_auto_mountpoints($1_spamc_t)
-
- # cjp: these should probably be removed:
- corecmd_list_bin($1_spamc_t)
- corecmd_read_bin_symlinks($1_spamc_t)
- corecmd_read_bin_files($1_spamc_t)
- corecmd_read_bin_pipes($1_spamc_t)
- corecmd_read_bin_sockets($1_spamc_t)
-
- domain_use_interactive_fds($1_spamc_t)
-
- files_read_etc_files($1_spamc_t)
- files_read_etc_runtime_files($1_spamc_t)
- files_read_usr_files($1_spamc_t)
- files_dontaudit_search_var($1_spamc_t)
- # cjp: this may be removable:
- files_list_home($1_spamc_t)
-
- libs_use_ld_so($1_spamc_t)
- libs_use_shared_libs($1_spamc_t)
-
- logging_send_syslog_msg($1_spamc_t)
-
- miscfiles_read_localization($1_spamc_t)
-
- # cjp: this should probably be removed:
- seutil_read_config($1_spamc_t)
-
- sysnet_read_config($1_spamc_t)
-
- userdom_use_unpriv_users_fds($1_spamc_t)
- # cjp: this really should just be the
- # terminal specific to the role
- userdom_use_unpriv_users_ptys($1_spamc_t)
-
- # cjp: this should probably be removed:
- tunable_policy(`read_default_t',`
- files_list_default($1_spamc_t)
- files_read_default_files($1_spamc_t)
- files_read_default_symlinks($1_spamc_t)
- files_read_default_sockets($1_spamc_t)
- files_read_default_pipes($1_spamc_t)
- ')
-
- optional_policy(`
- # Allow connection to spamd socket above
- evolution_stream_connect($1,$1_spamc_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_spamc_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_spamc_t)
- ')
-
- optional_policy(`
- mta_read_config($1_spamc_t)
- sendmail_stub($1_spamc_t)
- ')
-
- ##############################
- #
- # $1_spamassassin_t local policy
- #
-
- allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_spamassassin_t self:fd use;
- allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms;
- allow $1_spamassassin_t self:sock_file read_sock_file_perms;
- allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
- allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_spamassassin_t self:unix_dgram_socket sendto;
- allow $1_spamassassin_t self:unix_stream_socket connectto;
- allow $1_spamassassin_t self:shm create_shm_perms;
- allow $1_spamassassin_t self:sem create_sem_perms;
- allow $1_spamassassin_t self:msgq create_msgq_perms;
- allow $1_spamassassin_t self:msg { send receive };
-
- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
-
- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
- files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
-
- manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
- relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
- relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
- relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
-
- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
-
- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
- userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
-
- kernel_read_kernel_sysctls($1_spamassassin_t)
-
- dev_read_urand($1_spamassassin_t)
-
- fs_search_auto_mountpoints($1_spamassassin_t)
-
- # this should probably be removed
- corecmd_list_bin($1_spamassassin_t)
- corecmd_read_bin_symlinks($1_spamassassin_t)
- corecmd_read_bin_files($1_spamassassin_t)
- corecmd_read_bin_pipes($1_spamassassin_t)
- corecmd_read_bin_sockets($1_spamassassin_t)
-
- domain_use_interactive_fds($1_spamassassin_t)
-
- files_read_etc_files($1_spamassassin_t)
- files_read_etc_runtime_files($1_spamassassin_t)
- files_list_home($1_spamassassin_t)
- files_read_usr_files($1_spamassassin_t)
- files_dontaudit_search_var($1_spamassassin_t)
-
- libs_use_ld_so($1_spamassassin_t)
- libs_use_shared_libs($1_spamassassin_t)
-
- logging_send_syslog_msg($1_spamassassin_t)
-
- miscfiles_read_localization($1_spamassassin_t)
-
- # cjp: this could probably be removed
- seutil_read_config($1_spamassassin_t)
-
- sysnet_dns_name_resolve($1_spamassassin_t)
-
- userdom_use_unpriv_users_fds($1_spamassassin_t)
- userdom_search_user_home_dirs($1,$1_spamassassin_t)
- # cjp: this really should just be the
- # terminal specific to the role
- userdom_use_unpriv_users_ptys($1_spamassassin_t)
-
- # this should probably be removed:
- tunable_policy(`read_default_t',`
- files_list_default($1_spamassassin_t)
- files_read_default_files($1_spamassassin_t)
- files_read_default_symlinks($1_spamassassin_t)
- files_read_default_sockets($1_spamassassin_t)
- files_read_default_pipes($1_spamassassin_t)
- ')
-
- # set tunable if you have spamassassin do DNS lookups
- tunable_policy(`spamassassin_can_network',`
- allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
- allow $1_spamassassin_t self:udp_socket create_socket_perms;
+ ifelse(`$1',`user',`',`
+ typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
+ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
+ typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
+ ')
+
+ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
+ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
+ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
+ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
+ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
+ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
- corenet_all_recvfrom_unlabeled($1_spamassassin_t)
- corenet_all_recvfrom_netlabel($1_spamassassin_t)
- corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
- corenet_udp_sendrecv_generic_if($1_spamassassin_t)
- corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
- corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
- corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
- corenet_udp_sendrecv_all_ports($1_spamassassin_t)
- corenet_tcp_connect_all_ports($1_spamassassin_t)
- corenet_sendrecv_all_client_packets($1_spamassassin_t)
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
- sysnet_read_config($1_spamassassin_t)
- ')
-
- tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_user_home_content_dirs($1,spamd_t)
- userdom_manage_user_home_content_files($1,spamd_t)
- userdom_manage_user_home_content_symlinks($1,spamd_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_spamassassin_t)
- fs_manage_nfs_files($1_spamassassin_t)
- fs_manage_nfs_symlinks($1_spamassassin_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_spamassassin_t)
- fs_manage_cifs_files($1_spamassassin_t)
- fs_manage_cifs_symlinks($1_spamassassin_t)
- ')
-
- optional_policy(`
- # Write pid file and socket in ~/.evolution/cache/tmp
- evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
- ')
-
- optional_policy(`
- # cjp: clearly some redundancy here
-
- nis_use_ypbind($1_spamassassin_t)
-
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
- nis_use_ypbind_uncond($1_spamassassin_t)
- ')
- ')
-
- optional_policy(`
- mta_read_config($1_spamassassin_t)
- sendmail_stub($1_spamassassin_t)
- ')
')
########################################
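Review bot: The rewritten template drops the tunable-gated blocks for `spamd_enable_home_dirs`, `use_nfs_home_dirs` and `use_samba_home_dirs`, the `spamassassin_can_network` network rules and the evolution `spamd_tmp_t` filetrans, and re-adds none of them; unless the spamassassin.te part of this patch carries them over for the shared `spamassassin_t`/`spamd_t` domains (not visible in this hunk), those tunables stop having any effect. A comment above the `ifelse`, e.g. `# per-role types are now aliases of the single user_* types; the domain policy lives in spamassassin.te`, would make the new relationship explicit to callers. As far as this hunk shows, `spamd_t` and `spamd_tmp_t` are no longer referenced by the template body, so they can leave the require if that is confirmed.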
@@ -398,11 +150,65 @@
## </param>
#
template(`spamassassin_domtrans_user_client',`
+ spamassassin_domtrans_spamc($2)
+')
+
+########################################
+## <summary>
+## Execute spamassassin client in the spamassassin client domain.
+## </summary>
+## <desc>
+## <p>
+## This is a template and should only be called
+## from per user domain tempaltes.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans_spamc',`
gen_require(`
- type $1_spamc_t, spamc_exec_t;
+ type spamc_t, spamc_exec_t;
')
- domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
+ domtrans_pattern($1,spamc_exec_t,spamc_t)
+')
+
+########################################
+## <summary>
+## Read spamassassin per user homedir
+## </summary>
+## <desc>
+## <p>
+## Read spamassassin per user homedir
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`spamassassin_read_user_home_files',`
+ gen_require(`
+ type user_spamassassin_home_t;
+ ')
+
+ allow $1 user_spamassassin_home_t:dir list_dir_perms;
+ allow $1 user_spamassassin_home_t:file read_file_perms;
')
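Review bot: The new template `spamassassin_read_user_home_files` documents two parameters (userdomain_prefix, domain) but its body grants access to `$1`, which per the doc block is the prefix rather than the domain; either the rules should use `$2` (`allow $2 user_spamassassin_home_t:dir list_dir_perms;` and `allow $2 user_spamassassin_home_t:file read_file_perms;`) or the unused prefix parameter and its `<param>` block should be dropped and the template turned into an `interface`. The callers are not visible in this hunk, so which of the two is intended cannot be confirmed from here. Separately, the `<desc>` of `spamassassin_domtrans_spamc` reads "tempaltes" (the same typo recurs in the `spamassassin_domtrans` description in the next hunk), and since both are now plain interfaces taking a single domain, the "should only be called from per user domain templates" sentence no longer describes them and should go.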
########################################
@@ -446,11 +252,31 @@
## </param>
#
template(`spamassassin_domtrans_user_local_client',`
+ spamassassin_domtrans($2)
+')
+
+########################################
+## <summary>
+## Execute spamassassin in the user spamassassin domain.
+## </summary>
+## <desc>
+## <p>
+## This is a template and should only be called
+## from per user domain tempaltes.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`spamassassin_domtrans',`
gen_require(`
- type $1_spamassassin_t, spamassassin_exec_t;
+ type spamassassin_t, spamassassin_exec_t;
')
- domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
+ domtrans_pattern($1,spamassassin_exec_t,spamassassin_t)
')
########################################
@@ -469,6 +295,7 @@
')
files_search_var_lib($1)
+ list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
')
@@ -528,3 +355,22 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
+
+########################################
+## <summary>
+## Connect to run spamd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to connect.
+## </summary>
+## </param>
+#
+interface(`spamd_stream_connect',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t;
+ ')
+
+ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
+')
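Review bot: The summary of `spamd_stream_connect` reads "Connect to run spamd.", which does not describe what the interface grants; `## Connect to spamd over its unix domain stream socket in /var/run.` states the actual contract given the `stream_connect_pattern` over spamd_var_run_t. The extra blank line added after the closing `')` is also unnecessary.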
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-09 09:00:24.000000000 -0500
@@ -21,8 +21,9 @@
gen_tunable(spamd_enable_home_dirs,true)
# spamassassin client executable
+type spamc_t;
type spamc_exec_t;
-application_executable_file(spamc_exec_t)
+application_domain(spamc_t,spamc_exec_t)
type spamd_t;
type spamd_exec_t;
@@ -31,6 +32,9 @@
type spamd_spool_t;
files_type(spamd_spool_t)
+type spamd_log_t;
+logging_log_file(spamd_log_t)
+
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
@@ -42,7 +46,17 @@
files_pid_file(spamd_var_run_t)
type spamassassin_exec_t;
-application_executable_file(spamassassin_exec_t)
+type spamassassin_t;
+application_domain(spamassassin_t,spamassassin_exec_t)
+
+type user_spamassassin_home_t;
+userdom_user_home_content(user,user_spamassassin_home_t)
+
+type user_spamassassin_tmp_t;
+files_tmp_file(user_spamassassin_tmp_t)
+
+type user_spamc_tmp_t;
+files_tmp_file(user_spamc_tmp_t)
########################################
#
@@ -71,6 +85,9 @@
allow spamd_t self:udp_socket create_socket_perms;
allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t,spamd_log_t,file)
+
manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
@@ -81,10 +98,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
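Review bot: `read_files_pattern` on spamd_var_lib_t is widened to `manage_files_pattern` with no comment saying why the daemon now needs to create and delete files under its /var/lib tree; since this is a deliberate privilege increase, a one-line why-comment above the rule (for example `# spamd updates its rule/bayes data under /var/lib`, wording to be confirmed against the denial that motivated it) would keep the intent visible to the next reviewer. The `manage_sock_files_pattern` addition below it pairs with the new `spamd_stream_connect` interface and needs no comment.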
@@ -149,11 +167,31 @@
userdom_search_unpriv_users_home_dirs(spamd_t)
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
+manage_dirs_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t)
+userdom_user_home_dir_filetrans(user,spamd_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+
+optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file })
+')
+
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(user,spamd_t)
+ userdom_manage_user_home_content_files(user,spamd_t)
+ userdom_manage_user_home_content_symlinks(user,spamd_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamd_t)
fs_manage_nfs_files(spamd_t)
')
tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamd_t)
fs_manage_cifs_files(spamd_t)
')
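Review bot: The five `manage_*_pattern` rules and the `userdom_user_home_dir_filetrans` for user_spamassassin_home_t are unconditional, so spamd_t's ability to create and manage ~/.spamassassin content no longer depends on the `spamd_enable_home_dirs` tunable that gates the generic home-content rules directly below. If that is intended (the per-user spamassassin directory always allowed, other home content opt-in), a comment such as `# ~/.spamassassin is always managed; the tunable below covers other home content` above the block would make the boundary explicit; otherwise the block belongs inside the `tunable_policy(`spamd_enable_home_dirs',` ...)` body. The tunable is declared with default true earlier in this file, but the distinction still matters for sites that turn it off.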
@@ -171,6 +209,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
+ dcc_signal_client(spamd_t)
dcc_stream_connect_dccifd(spamd_t)
')
@@ -212,3 +251,206 @@
optional_policy(`
udev_read_db(spamd_t)
')
+
+##############################
+#
+# spamassassin_t local policy
+#
+
+allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:fd use;
+allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+allow spamassassin_t self:unix_dgram_socket sendto;
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
+
+manage_dirs_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_lnk_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_fifo_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
+manage_sock_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t)
+userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t)
+manage_files_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t)
+files_tmp_filetrans(spamassassin_t, user_spamassassin_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
+fs_search_auto_mountpoints(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
+
+domain_use_interactive_fds(spamassassin_t)
+
+files_read_etc_files(spamassassin_t)
+files_read_etc_runtime_files(spamassassin_t)
+files_list_home(spamassassin_t)
+files_read_usr_files(spamassassin_t)
+files_dontaudit_search_var(spamassassin_t)
+
+libs_use_ld_so(spamassassin_t)
+libs_use_shared_libs(spamassassin_t)
+
+logging_send_syslog_msg(spamassassin_t)
+
+miscfiles_read_localization(spamassassin_t)
+
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
+
+sysnet_dns_name_resolve(spamassassin_t)
+
+userdom_use_unpriv_users_fds(spamassassin_t)
+userdom_search_user_home_dirs(user,spamassassin_t)
+# cjp: this really should just be the
+# terminal specific to the role
+userdom_use_unpriv_users_ptys(spamassassin_t)
+
+# set tunable if you have spamassassin do DNS lookups
+tunable_policy(`spamassassin_can_network',`
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+ allow spamassassin_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(spamassassin_t)
+ corenet_all_recvfrom_netlabel(spamassassin_t)
+ corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
+ corenet_tcp_sendrecv_all_nodes(spamassassin_t)
+ corenet_udp_sendrecv_all_nodes(spamassassin_t)
+ corenet_tcp_sendrecv_all_ports(spamassassin_t)
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamassassin_t)
+ fs_manage_nfs_files(spamassassin_t)
+ fs_manage_nfs_symlinks(spamassassin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamassassin_t)
+ fs_manage_cifs_files(spamassassin_t)
+ fs_manage_cifs_symlinks(spamassassin_t)
+')
+
+optional_policy(`
+ # cjp: clearly some redundancy here
+
+ nis_use_ypbind(spamassassin_t)
+
+ tunable_policy(`spamassassin_can_network && allow_ypbind',`
+ nis_use_ypbind_uncond(spamassassin_t)
+ ')
+')
+
+optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
+')
+
+##############################
+#
+# spamc_t local policy
+#
+
+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t)
+manage_files_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t)
+files_tmp_filetrans(spamc_t, user_spamc_tmp_t, { file dir })
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_file_perms;
+
+kernel_read_kernel_sysctls(spamc_t)
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_all_nodes(spamc_t)
+corenet_udp_sendrecv_all_nodes(spamc_t)
+corenet_tcp_sendrecv_all_ports(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
+corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
+
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
+files_read_etc_files(spamc_t)
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
+files_list_home(spamc_t)
+
+auth_use_nsswitch(spamc_t)
+
+libs_use_ld_so(spamc_t)
+libs_use_shared_libs(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+# cjp: this should probably be removed:
+seutil_read_config(spamc_t)
+
+sysnet_read_config(spamc_t)
+
+userdom_use_unpriv_users_fds(spamc_t)
+# cjp: this really should just be the
+# terminal specific to the role
+userdom_use_unpriv_users_ptys(spamc_t)
+
+optional_policy(`
+ # Allow connection to spamd socket above
+ evolution_stream_connect(user,spamc_t)
+')
+
+optional_policy(`
+ mta_read_config(spamc_t)
+ sendmail_stub(spamc_t)
+')
+
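Review bot: `userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,...)` in the new spamassassin_t block uses `$1` at the top level of a .te file, where no template or interface argument is in scope, so the first argument expands to nothing and the filetrans rule will not be generated for the user home directory as intended; the parallel rule for spamd_t earlier in this file and the `userdom_search_user_home_dirs(user,spamassassin_t)` call a few lines below both pass `user`, so the line should read `userdom_user_home_dir_filetrans(user,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })`. Presumably the line was carried over from the removed per-user template without the substitution, since the other `$1_spamassassin_t` references were renamed. A second, smaller point: spamc_t may connect to spamd_t only via sock files of type spamd_tmp_t, while spamd_t now also creates sock files under spamd_var_run_t; if spamd's socket lives in /var/run, spamc_t would additionally need `spamd_stream_connect(spamc_t)` (the interface added in this patch) — confirm where the socket is actually placed before adding it.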
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.5/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/squid.fc 2007-12-19 05:38:09.000000000 -0500
@@ -12,3 +12,5 @@
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.5/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 10:32:44.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/squid.if 2007-12-19 05:38:09.000000000 -0500
@@ -131,3 +131,22 @@
interface(`squid_use',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+## <summary>
+## Allow read and write squid
+## unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`squid_rw_stream_sockets',`
+ gen_require(`
+ type squid_t;
+ ')
+
+ allow $1 squid_t:unix_stream_socket { getattr read write };
+')
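Review bot: The summary of `squid_rw_stream_sockets` is ungrammatical ("Allow read and write squid unix domain stream sockets."); refpolicy summaries describe the grant directly, e.g. `## Read and write squid unix domain stream sockets.`. The rule itself hands out `{ getattr read write }` on an inherited socket, which matches the summary once reworded.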
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.5/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/squid.te 2007-12-19 05:38:09.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
-allow squid_t self:capability { setgid setuid dac_override sys_resource };
+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
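Review bot: The `kill` capability moves from the cron-only optional block (see the later hunk in this file that replaces those rules with `cron_system_entry`) into squid_t's unconditional capability set without a comment recording why the daemon needs it outside the cron case; since capabilities are the widest grants in the file, a short note above the allow rule such as `# kill: squid signals its helper processes` (wording to be confirmed against the denial that motivated it) would preserve the rationale. Presumably the old cron block conflated two separate needs; if so, saying that in the comment is enough.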
@@ -92,6 +92,7 @@
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
@@ -109,6 +110,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
selinux_dontaudit_getattr_dir(squid_t)
@@ -148,11 +151,7 @@
')
optional_policy(`
- allow squid_t self:capability kill;
- cron_use_fds(squid_t)
- cron_use_system_job_fds(squid_t)
- cron_rw_pipes(squid_t)
- cron_write_system_job_pipes(squid_t)
+ cron_system_entry(squid_t,squid_exec_t)
')
optional_policy(`
@@ -167,7 +166,12 @@
udev_read_db(squid_t)
')
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
+optional_policy(`
+ apache_content_template(squid)
+ corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+ squid_read_config(httpd_squid_script_t)
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+ sysnet_read_config(httpd_squid_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+')
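Review bot: The new httpd_squid_script_t block does not follow the ordering the rest of the file uses (self rules first, then interface calls grouped by module): the `allow ... self:tcp_socket` line sits between two interface calls, and the two `corenet_all_recvfrom_*` calls are separated from `corenet_tcp_connect_http_cache_port`. Reordering to `allow httpd_squid_script_t self:tcp_socket create_socket_perms;` first, then the three corenet calls, then `squid_read_config` and `sysnet_read_config`, makes the block scan like the rest of the file. A one-line comment naming the CGI (`# cachemgr.cgi connects to the local squid manager port`) would also explain why a web script needs http_cache port access — presumably that is the reason given the new fc entries for cachemgr.cgi, but confirm.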
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.5/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/ssh.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.5/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-23 10:20:13.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/ssh.if 2007-12-19 05:38:09.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+ type user_ssh_home_t, user_ssh_tmp_t;
')
##############################
@@ -47,8 +48,10 @@
application_domain($1_ssh_t,ssh_exec_t)
role $3 types $1_ssh_t;
- type $1_home_ssh_t;
- files_type($1_home_ssh_t)
+ ifelse(`$1',`user',`',`
+ typealias user_ssh_home_t alias $1_ssh_home_t;
+ typealias user_ssh_home_t alias $1_home_ssh_t;
+ ')
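Review bot: The `ifelse` that emits `typealias user_ssh_home_t alias $1_ssh_home_t;` and `$1_home_ssh_t` for every non-`user` prefix has no comment, so a reader of the template cannot tell whether the aliases are permanent or a transition aid. Suggest a comment above the ifelse, e.g. `# all roles now share user_ssh_home_t; keep the old per-role names as aliases for existing file contexts and callers`, so a later cleanup knows they can go once nothing references the `$1_home_ssh_t` names. Whether anything still references them is not visible in this hunk.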
##############################
#
@@ -93,18 +96,18 @@
ps_process_pattern($2,$1_ssh_t)
# user can manage the keys and config
- manage_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
- manage_lnk_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
- manage_sock_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
+ manage_files_pattern($2,user_ssh_home_t,user_ssh_home_t)
+ manage_lnk_files_pattern($2,user_ssh_home_t,user_ssh_home_t)
+ manage_sock_files_pattern($2,user_ssh_home_t,user_ssh_home_t)
# ssh client can manage the keys and config
- manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
- read_lnk_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
+ manage_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t)
+ read_lnk_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t)
# ssh servers can read the user keys and config
- allow ssh_server $1_home_ssh_t:dir list_dir_perms;
- read_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
- read_lnk_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
+ allow ssh_server user_ssh_home_t:dir list_dir_perms;
+ read_files_pattern(ssh_server,user_ssh_home_t,user_ssh_home_t)
+ read_lnk_files_pattern(ssh_server,user_ssh_home_t,user_ssh_home_t)
kernel_read_kernel_sysctls($1_ssh_t)
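Review bot: With every role's ~/.ssh now labelled user_ssh_home_t, the `manage_files_pattern($2,user_ssh_home_t,...)` rules give each per-role user domain (and each `$1_ssh_t` client) MAC-level write access to every other role's private keys and authorized_keys, where the previous `$1_home_ssh_t` types kept the roles' key material apart; only DAC and, where configured, MCS/MLS now separate them. That may well be the intended simplification, but it is a policy-wide relaxation for key files and deserves a comment at the first rule, e.g. `# ssh keys of all roles share one type; role separation relies on DAC/MCS`, so the trade-off is recorded. The same consolidation is made for the agent socket rules in the later `ssh_per_role_template` hunk of this file.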
@@ -202,6 +205,7 @@
#
template(`ssh_per_role_template',`
gen_require(`
+ type sshd_t;
type ssh_agent_exec_t, ssh_keysign_exec_t;
')
@@ -212,7 +216,7 @@
ssh_basic_client_template($1,$2,$3)
- userdom_user_home_content($1,$1_home_ssh_t)
+ userdom_user_home_content($1,user_ssh_home_t)
type $1_ssh_agent_t;
application_domain($1_ssh_agent_t,ssh_agent_exec_t)
@@ -240,9 +244,9 @@
manage_sock_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- manage_dirs_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
- manage_sock_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
- userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
+ manage_dirs_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t)
+ manage_sock_files_pattern($1_ssh_t,user_ssh_home_t,user_ssh_home_t)
+ userdom_user_home_dir_filetrans($1,$1_ssh_t,user_ssh_home_t,{ dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern($1_ssh_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
@@ -413,6 +417,25 @@
')
')
+########################################
+## <summary>
+## Execute the ssh agent client in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_agent_exec',`
+ gen_require(`
+ type ssh_agent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1,ssh_agent_exec_t)
+')
+
#######################################
## <summary>
## The template to define a ssh server.
@@ -443,13 +466,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { signal setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
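Review bot: `net_admin` is added to the ssh server's capability set without a comment on the allow line, and it is the widest grant in this template (interface configuration, routing, privileged socket options). The rationale appears only in the later hunk that adds `corenet_rw_tun_tap_dev($1_t)` ("tunnel feature and -w"), so a reader of this line has no link to it; a comment above the allow such as `# net_admin: configuring tun/tap devices for ssh -w tunnels` ties the two together. The `self:shm create_shm_perms` addition also has no stated reason; if it is known, note it the same way.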
@@ -479,6 +503,10 @@
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
+ # -R qualifier
+ corenet_sendrecv_ssh_server_packets($1_t)
+ # tunnel feature and -w (net_admin capability also)
+ corenet_rw_tun_tap_dev($1_t)
fs_dontaudit_getattr_all_fs($1_t)
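Review bot: The added `corenet_sendrecv_ssh_server_packets($1_t)` under the `# -R qualifier` comment is byte-identical to the call two lines above it, so it grants nothing new; either the duplicate should be dropped, or a different interface was intended for the remote-forwarding case and the wrong name was pasted (for -R the server connects outward, which the existing `corenet_tcp_connect_all_ports($1_t)` already covers). The safest fix is to remove the two added lines and keep the tun/tap rule, unless the author can point to a denial the duplicate was meant to address. The enclosing `ssh_server_template` starts and ends outside this hunk.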
@@ -506,12 +534,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
+ userdom_read_all_users_home_content_files($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
+ fs_read_nfs_symlinks($1_t)
')
tunable_policy(`use_samba_home_dirs',`
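Review bot: `userdom_read_all_users_home_content_files($1_t)` lets the ssh server read every file in every user's home directory, not only the ~/.ssh material that the `ssh_server` rules in `ssh_basic_client_template` already allow; for a network-facing daemon that is a notable widening and the hunk gives no reason for it. If the motivation is a specific file outside ~/.ssh (the neighbouring `mta_getattr_spool` comment suggests login-time checks), naming it in a comment above the call would let a later reviewer narrow the grant; the same broad rules are added unconditionally for sshd_t in the ssh.te hunk at `@@ -80,6 +86,10 @@`. The enclosing `ssh_server_template` starts and ends outside this hunk.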
@@ -520,6 +550,7 @@
optional_policy(`
kerberos_use($1_t)
+ kerberos_manage_host_rcache($1_t)
')
optional_policy(`
@@ -708,3 +739,4 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.5/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ssh.te 2007-12-19 05:38:09.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
+application_executable_file(ssh_agent_exec_t)
# ssh client executable.
type ssh_exec_t;
@@ -57,6 +57,12 @@
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
+type user_ssh_home_t;
+userdom_user_home_content(user,user_ssh_home_t)
+
+type user_ssh_tmp_t;
+files_tmp_file(user_ssh_tmp_t)
+
#################################
#
# sshd local policy
@@ -80,6 +86,10 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
+userdom_read_all_users_home_content_files(sshd_t)
+userdom_read_all_users_home_content_symlinks(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -101,6 +111,10 @@
')
optional_policy(`
+ xserver_getattr_xauth(sshd_t)
+')
+
+optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
@@ -119,7 +133,11 @@
')
optional_policy(`
- unconfined_domain(sshd_t)
+ usermanage_domtrans_passwd(sshd_t)
+ usermanage_read_crack_db(sshd_t)
+')
+
+optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
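Review bot: Replacing `unconfined_domain(sshd_t)` with the two usermanage interfaces is a real tightening, but the new block carries no comment explaining why sshd must transition to the passwd domain and read the crack dictionary; presumably this serves forced password changes at login, and that should be stated, e.g. `# expired-password change at login runs passwd; cracklib checks need the dictionary`, so the grant is not silently widened later. The `unconfined_shell_domtrans` block below it is unchanged.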
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.5/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/telnet.te 2007-12-19 05:38:09.000000000 -0500
@@ -37,6 +37,8 @@
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(telnetd_t,telnetd_devpts_t)
+domain_interactive_fd(telnetd_t)
+
manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
@@ -66,6 +68,7 @@
corecmd_search_bin(telnetd_t)
+files_read_usr_files(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
@@ -80,17 +83,26 @@
miscfiles_read_localization(telnetd_t)
-seutil_dontaudit_search_config(telnetd_t)
+seutil_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
+userdom_search_unpriv_users_home_dirs(telnetd_t)
+
# for identd; cjp: this should probably only be inetd_child rules?
optional_policy(`
kerberos_use(telnetd_t)
kerberos_read_keytab(telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
')
-ifdef(`TODO',`
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telnetd_t)
+ fs_manage_nfs_files(telnetd_t)
')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telnetd_t)
+ fs_manage_cifs_files(telnetd_t)
+')
+
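Review bot: telnetd_t is given `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents, i.e. create, write and delete on every NFS- or CIFS-mounted home, although the daemon only searches home directories (`userdom_search_unpriv_users_home_dirs` a few lines above) before handing the session to remotelogin. Unless a denial shows telnetd writing into home content, the read-side interfaces used elsewhere in this patch (`fs_read_nfs_files`, `fs_read_nfs_symlinks` and their CIFS counterparts) would be the narrower grant; at minimum a comment should record the write need. The change from `seutil_dontaudit_search_config` to `seutil_read_config` is consistent with the remotelogin transition but also deserves a word.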
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.5/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/tftp.fc 2008-01-14 12:49:13.000000000 -0500
@@ -4,3 +4,4 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.5/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/w3c.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.5/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/w3c.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>W3C</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.5/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/w3c.te 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
+apache_content_template(w3c_validator)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.5/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/xserver.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,13 +1,13 @@
#
# HOME_DIR
#
-HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:user_iceauth_home_t,s0)
+HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:user_xauth_home_t,s0)
+HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:user_xauth_home_t,s0)
#
# /dev
@@ -32,11 +32,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
#
# /opt
#
@@ -58,7 +53,7 @@
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
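Review bot: Changing `/usr/(s)?bin/[xgkw]dm` to `/usr/bin/[xgkw]dm` drops the /usr/sbin match, so any display manager still installed as /usr/sbin/xdm, gdm, kdm or wdm would no longer be labelled xdm_exec_t and would not transition into the xdm domain. If the narrowing is deliberate (the binaries live in /usr/bin on the target distribution), a comment saying so, or keeping a separate /usr/sbin entry, would avoid a silent regression for other layouts; the hunk does not show the reason.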
@@ -89,16 +84,21 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-08 11:18:17.000000000 -0500
@@ -15,6 +15,7 @@
template(`xserver_common_domain_template',`
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
+ type xdm_xserver_tmp_t;
')
##############################
@@ -45,7 +46,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
- allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+ allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_ptrace sys_tty_config mknod net_bind_service };
dontaudit $1_xserver_t self:capability chown;
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_xserver_t self:memprotect mmap_zero;
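Review bot: `sys_ptrace` is added to the capability set of every per-role X server at the second line of this hunk with no comment, while the comment block above still only explains execheap/execstack and the NVIDIA driver. Together with `domain_read_all_domains_state($1_xserver_t)` and `domain_dontaudit_ptrace_all_domains($1_xserver_t)` in the next hunk (ending at L12404) this is a sizeable privilege expansion for a network-facing daemon, and a reader cannot tell which driver or feature requires it. Please add a why-comment such as `# sys_ptrace + read of all domains' /proc state: <driver/feature> needs it — TODO confirm`, and note that the dontaudit on ptrace suggests the actual ptrace attempts are expected to be denied, so the capability may only be needed for /proc reads.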
@@ -115,18 +116,23 @@
dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t)
dev_manage_dri_dev($1_xserver_t)
- dev_create_generic_dirs($1_xserver_t)
- dev_setattr_generic_dirs($1_xserver_t)
+ dev_manage_generic_dirs($1_xserver_t)
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t)
# for other device nodes such as the NVidia binary-only driver
dev_rw_xserver_misc($1_xserver_t)
+ dev_setattr_xserver_misc_dev($1_xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
+ dev_read_urand($1_xserver_t)
+ dev_rw_generic_usb_dev($1_xserver_t)
+ dev_rw_generic_usb_pipes($1_xserver_t)
domain_mmap_low($1_xserver_t)
+ domain_read_all_domains_state($1_xserver_t)
+ domain_dontaudit_ptrace_all_domains($1_xserver_t)
files_read_etc_files($1_xserver_t)
files_read_etc_runtime_files($1_xserver_t)
@@ -140,12 +146,16 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
- fs_search_ramfs($1_xserver_t)
+ fs_manage_ramfs_files($1_xserver_t)
+ fs_list_inotifyfs($1_xserver_t)
auth_use_nsswitch($1_xserver_t)
init_getpgid($1_xserver_t)
+ miscfiles_read_hwdata($1_xserver_t)
+
+ term_search_ptys($1_xserver_t)
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
@@ -223,8 +233,10 @@
template(`xserver_per_role_template',`
gen_require(`
- type iceauth_exec_t, xauth_exec_t;
- attribute fonts_type, fonts_cache_type, fonts_config_type;
+ type iceauth_exec_t, iceauth_t, user_iceauth_home_t;
+ type xauth_t, xauth_exec_t, user_xauth_home_t;
+ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
+ type xdm_xserver_tmp_t, xdm_xserver_t;
')
##############################
@@ -232,66 +244,51 @@
# Declarations
#
+ ifelse(`$1',`user',`',`
+ typealias user_iceauth_home_t alias $1_iceauth_home_t;
+ typealias user_fonts_t alias $1_fonts_t;
+ typealias user_fonts_config_t alias $1_fonts_config_t;
+ typealias user_fonts_cache_t alias $1_fonts_cache_t;
+ ')
+
xserver_common_domain_template($1)
role $3 types $1_xserver_t;
- type $1_fonts_t, fonts_type;
- userdom_user_home_content($1,$1_fonts_t)
-
- type $1_fonts_cache_t, fonts_cache_type;
- userdom_user_home_content($1,$1_fonts_cache_t)
-
- type $1_fonts_config_t, fonts_config_type;
- userdom_user_home_content($1,$1_fonts_cache_t)
+ typealias xauth_t alias $1_xauth_t;
+ role $3 types xauth_t;
- type $1_iceauth_t;
- domain_type($1_iceauth_t)
- domain_entry_file($1_iceauth_t,iceauth_exec_t)
- role $3 types $1_iceauth_t;
-
- type $1_iceauth_home_t alias $1_iceauth_rw_t;
- files_poly_member($1_iceauth_home_t)
- userdom_user_home_content($1,$1_iceauth_home_t)
-
- type $1_xauth_t;
- domain_type($1_xauth_t)
- domain_entry_file($1_xauth_t,xauth_exec_t)
- role $3 types $1_xauth_t;
-
- type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
- files_poly_member($1_xauth_home_t)
- userdom_user_home_content($1,$1_xauth_home_t)
-
- type $1_xauth_tmp_t;
- files_tmp_file($1_xauth_tmp_t)
+ typealias iceauth_t alias $1_iceauth_t;
+ role $3 types iceauth_t;
##############################
#
# $1_xserver_t Local policy
#
+ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
-
- allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+ allow $1_xserver_t user_xauth_home_t:file { getattr read };
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
+ read_files_pattern($1_xserver_t, $2, $2)
allow $1_xserver_t $2:shm rw_shm_perms;
+ allow $1_xserver_t $2:file read_file_perms;
- manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
- manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
- relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
- relabel_files_pattern($2,$1_fonts_t,$1_fonts_t)
-
- manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
- manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
- relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+ manage_dirs_pattern($2,user_fonts_t,user_fonts_t)
+ manage_files_pattern($2,user_fonts_t,user_fonts_t)
+ relabel_dirs_pattern($2,user_fonts_t,user_fonts_t)
+ relabel_files_pattern($2,user_fonts_t,user_fonts_t)
+
+ manage_dirs_pattern($2,user_fonts_config_t,user_fonts_config_t)
+ manage_files_pattern($2,user_fonts_config_t,user_fonts_config_t)
+ relabel_files_pattern($2,user_fonts_config_t,user_fonts_config_t)
# For startup relabel
- allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+ allow $2 user_fonts_cache_t:{ dir file } { relabelto relabelfrom };
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
+ stream_connect_pattern($2,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
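Review bot: `allow $1_xserver_t $2:file read_file_perms;` (two lines below `read_files_pattern($1_xserver_t, $2, $2)`) is redundant, since `read_files_pattern` already grants `$2:file read_file_perms` plus directory search; one of the two should go. Separately, collapsing the per-prefix `$1_fonts_t`, `$1_xauth_home_t` and `$1_iceauth_home_t` types into single `user_*` types means the X cookies and font data of every user role now share one type, so TE no longer separates e.g. a staff session's .Xauthority from an unprivileged user's; that is a deliberate trade-off but it deserves a sentence in the Declarations section, e.g. `# per-role font/xauth/iceauth types are now aliases of the shared user_* types; TE no longer separates them between roles`. The template body continues past this hunk.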
@@ -307,113 +304,49 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
+ userdom_rw_user_tmp_files($1,$1_xserver_t)
xserver_use_user_fonts($1,$1_xserver_t)
- xserver_rw_xdm_tmp_files($1_xauth_t)
optional_policy(`
userhelper_search_config($1_xserver_t)
')
- ifdef(`TODO',`
- ifdef(`xdm.te', `
- allow $1_t xdm_tmp_t:sock_file unlink;
- allow $1_xserver_t xdm_var_run_t:dir search;
- ')
- ') dnl end TODO
-
##############################
#
- # $1_xauth_t Local policy
+ # xauth_t Local policy
#
- allow $1_xauth_t self:process signal;
- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
-
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-
- allow $2 $1_xauth_t:process signal;
+ allow $2 xauth_t:process signal;
# allow ps to show xauth
- ps_process_pattern($2,$1_xauth_t)
-
- allow $2 $1_xauth_home_t:file manage_file_perms;
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
- allow xdm_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
-
- domain_use_interactive_fds($1_xauth_t)
-
- files_read_etc_files($1_xauth_t)
- files_search_pids($1_xauth_t)
-
- fs_getattr_xattr_fs($1_xauth_t)
- fs_search_auto_mountpoints($1_xauth_t)
+ ps_process_pattern($2,xauth_t)
- # cjp: why?
- term_use_ptmx($1_xauth_t)
-
- auth_use_nsswitch($1_xauth_t)
-
- libs_use_ld_so($1_xauth_t)
- libs_use_shared_libs($1_xauth_t)
-
- userdom_use_user_terminals($1,$1_xauth_t)
- userdom_read_user_tmp_files($1,$1_xauth_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_xauth_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_xauth_t)
- ')
+ userdom_use_user_terminals($1,xauth_t)
+ userdom_read_user_tmp_files($1,xauth_t)
optional_policy(`
- ssh_sigchld($1_xauth_t)
- ssh_read_pipes($1_xauth_t)
- ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
+ xserver_read_user_xauth($1, $2)
')
##############################
#
- # $1_iceauth_t Local policy
+ # iceauth_t Local policy
#
-
- domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
-
- allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
+ domtrans_pattern($2, iceauth_exec_t, iceauth_t)
# allow ps to show iceauth
- ps_process_pattern($2,$1_iceauth_t)
-
- allow $2 $1_iceauth_home_t:file manage_file_perms;
- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
-
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
-
- fs_search_auto_mountpoints($1_iceauth_t)
+ ps_process_pattern($2,iceauth_t)
- libs_use_ld_so($1_iceauth_t)
- libs_use_shared_libs($1_iceauth_t)
+ allow $2 user_iceauth_home_t:file manage_file_perms;
+ allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
- userdom_use_user_terminals($1,$1_iceauth_t)
+ userdom_use_user_terminals($1,iceauth_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_iceauth_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_iceauth_t)
+ optional_policy(`
+ xserver_read_user_iceauth($1, $2)
')
')
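Review bot: The iceauth section still gives the user domain `manage_file_perms` and relabel on `user_iceauth_home_t` (the two `allow $2 user_iceauth_home_t:file` lines), but the matching rules for the xauth home type that this hunk removes are not replaced anywhere visible — after this change `$2` only gets `getattr read` on `user_xauth_home_t` through `xserver_read_user_xauth`. If the intent is that only `xauth_t` writes .Xauthority from now on, say so with a comment above the `ps_process_pattern($2,xauth_t)` line; otherwise add `allow $2 user_xauth_home_t:file manage_file_perms;`. As a style point, wrapping calls to this module's own templates (`xserver_read_user_xauth`, `xserver_read_user_iceauth`) in `optional_policy` is unnecessary, since the interfaces are always present when xserver.if is loaded.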
@@ -523,17 +456,16 @@
template(`xserver_user_client_template',`
gen_require(`
- type xdm_t, xdm_tmp_t;
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+ type xdm_t, xdm_tmp_t, xdm_xserver_t;
+ type xdm_var_run_t;
')
- allow $2 self:shm create_shm_perms;
- allow $2 self:unix_dgram_socket create_socket_perms;
- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $2 $2:shm create_shm_perms;
+ allow $2 $2:unix_dgram_socket create_socket_perms;
+ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
- # Read .Xauthority file
- allow $2 $1_xauth_home_t:file { getattr read };
- allow $2 $1_iceauth_home_t:file { getattr read };
+ # this should cause the .xsession-errors file to be written to /tmp
+ userdom_dontaudit_write_unpriv_user_home_content_files(xdm_t)
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -542,25 +474,55 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
+ # consolekit needs this for fast user switching
+ allow $2 xdm_var_run_t:dir search_dir_perms;
+ allow $2 xdm_var_run_t:sock_file getattr;
+
+ corenet_tcp_connect_xserver_port($2)
+
# Allow connections to X server.
files_search_tmp($2)
miscfiles_read_fonts($2)
userdom_search_user_home_dirs($1,$2)
- # for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1,$2)
+ userdom_manage_user_home_content_dirs($1, xdm_t)
+ userdom_manage_user_home_content_files($1, xdm_t)
+ userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
+ userdom_manage_user_tmp_dirs($1, xdm_t)
+ userdom_manage_user_tmp_files($1, xdm_t)
xserver_ro_session_template(xdm,$2,$3)
- xserver_rw_session_template($1,$2,$3)
- xserver_use_user_fonts($1,$2)
xserver_read_xdm_tmp_files($2)
- # Client write xserver shm
- tunable_policy(`allow_write_xshm',`
- allow $2 $1_xserver_t:shm rw_shm_perms;
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ xserver_xdm_stream_connect($2)
+
+ optional_policy(`
+ gnome_manage_user_gnome_config($1, xdm_t)
+ ')
+
+ optional_policy(`
+ userdom_read_all_users_home_content_files(xdm_t)
+ userdom_read_all_users_home_content_files(xdm_xserver_t)
+ userdom_rw_user_tmpfs_files($1, xdm_xserver_t)
+ ')
+
+ # Read .Xauthority file
+ optional_policy(`
+ xserver_read_user_xauth($1, $2)
+ ')
+
+ optional_policy(`
+ xserver_read_user_iceauth($1, $2)
+ ')
+
+ optional_policy(`
+ xserver_use_user_fonts($1,$2)
+ ')
+
+ optional_policy(`
+ xserver_rw_session_template(xdm,$2,$3)
')
')
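Review bot: `userdom_manage_user_home_content_files($1, xdm_t)` in this hunk grants exactly what the previous hunk (ending at L12646) dontaudits with `userdom_dontaudit_write_unpriv_user_home_content_files(xdm_t)`, so that dontaudit is dead and its comment "this should cause the .xsession-errors file to be written to /tmp" no longer describes the resulting policy; drop one of the two or reword the comment. The removed `tunable_policy(`allow_write_xshm',…)` gate is replaced by an unconditional `xserver_rw_session_template(xdm,$2,$3)`; if that template grants shm read/write to the xdm X server (not visible here), the boolean no longer controls client access to X shared memory and this should be called out. Wrapping `userdom_*` calls in `optional_policy` is also unnecessary, as userdomain is a base module. The enclosing template starts outside this hunk.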
@@ -593,26 +555,44 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
')
# Read per user fonts
- allow $2 $1_fonts_t:dir list_dir_perms;
- allow $2 $1_fonts_t:file read_file_perms;
+ allow $2 user_fonts_t:dir list_dir_perms;
+ allow $2 user_fonts_t:file read_file_perms;
# Manipulate the global font cache
- manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
- manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
+ manage_dirs_pattern($2,user_fonts_cache_t,user_fonts_cache_t)
+ manage_files_pattern($2,user_fonts_cache_t,user_fonts_cache_t)
# Read per user font config
- allow $2 $1_fonts_config_t:dir list_dir_perms;
- allow $2 $1_fonts_config_t:file read_file_perms;
+ allow $2 user_fonts_config_t:dir list_dir_perms;
+ allow $2 user_fonts_config_t:file read_file_perms;
userdom_search_user_home_dirs($1,$2)
')
########################################
## <summary>
+## Get the attributes of xauth executable
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_getattr_xauth',`
+ gen_require(`
+ type xauth_exec_t;
+ ')
+
+ allow $1 xauth_exec_t:file getattr;
+')
+
+########################################
+## <summary>
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -638,10 +618,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
- type $1_xauth_t, xauth_exec_t;
+ type xauth_exec_t, xauth_t;
+ ')
+
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+')
+
+########################################
+## <summary>
+## Read a user Xauthority domain.
+## </summary>
+## <desc>
+## <p>
+## read to a user Xauthority domain.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`xserver_read_user_xauth',`
+ gen_require(`
+ type user_xauth_home_t;
')
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ allow $2 user_xauth_home_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Read a user Iceauthority domain.
+## </summary>
+## <desc>
+## <p>
+## read to a user Iceauthority domain.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`xserver_read_user_iceauth',`
+ gen_require(`
+ type user_iceauth_home_t;
+ ')
+
+ # Read .Iceauthority file
+ allow $2 user_iceauth_home_t:file { getattr read };
')
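Review bot: The summaries of the two new templates say "Read a user Xauthority domain" / "Read a user Iceauthority domain" and the descriptions say "read to a user … domain", but the bodies grant `getattr read` on `user_xauth_home_t` / `user_iceauth_home_t` files, i.e. the user's .Xauthority and .ICEauthority files, not a domain. Suggest `## Read the user's .Xauthority file (user_xauth_home_t).` and `## Read the user's .ICEauthority file (user_iceauth_home_t).` with the descriptions reworded the same way. Since `$1` is no longer used in these templates or in `xserver_domtrans_user_xauth`, the `userdomain_prefix` parameter doc could add that it is retained for call compatibility only.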
########################################
@@ -671,10 +718,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
- type $1_xauth_home_t;
+ type user_xauth_home_t;
')
- userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
+ userdom_user_home_dir_filetrans($1, $2, user_xauth_home_t, file)
')
########################################
@@ -760,7 +807,7 @@
type xconsole_device_t;
')
- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
+ allow $1 xconsole_device_t:fifo_file { getattr read write };
')
########################################
@@ -860,6 +907,25 @@
########################################
## <summary>
+## Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+ gen_require(`
+ type xdm_xserver_t, xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
+')
+
+########################################
+## <summary>
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
@@ -914,6 +980,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
+ allow $1 xdm_tmp_t:sock_file unlink;
')
########################################
@@ -937,7 +1004,7 @@
########################################
## <summary>
-## Read XDM var lib files.
+## dontaudit search of XDM var lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -945,12 +1012,12 @@
## </summary>
## </param>
#
-interface(`xserver_read_xdm_lib_files',`
+interface(`xserver_dontaudit_xdm_lib_search',`
gen_require(`
type xdm_var_lib_t;
')
- allow $1 xdm_var_lib_t:file { getattr read };
+ dontaudit $1 xdm_var_lib_t:dir search_dir_perms;
')
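Review bot: `xserver_read_xdm_lib_files` is not renamed here but replaced — the new `xserver_dontaudit_xdm_lib_search` has different semantics (a dontaudit on directory search instead of an allow on file read), so any remaining caller of the old name will fail at policy build with an undefined interface. Unless every caller was updated in the rest of this patch, keep the old interface alongside the new one rather than editing it in place.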
########################################
@@ -965,15 +1032,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
- type xdm_xserver_t, xserver_exec_t;
+ type xdm_xserver_t, xserver_exec_t, xdm_t;
')
allow $1 xdm_xserver_t:process siginh;
+ allow xdm_t $1:process sigchld;
domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
')
########################################
## <summary>
+## Execute xsever in the xdm_xserver domain, and
+## allow the specified role the xdm_xserver domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the xdm_xserver domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the xdm_xserver domain to use.
+## </summary>
+## </param>
+#
+interface(`xserver_run_xdm_xserver',`
+ gen_require(`
+ type xdm_xserver_t;
+ ')
+
+ xserver_domtrans_xdm_xserver($1)
+ role $2 types xdm_xserver_t;
+ allow xdm_xserver_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
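Review bot: `allow xdm_t $1:process sigchld;` inside `xserver_domtrans_xdm_xserver` grants a permission to `xdm_t`, not to the calling domain, which is unusual for a domtrans interface and easy to miss from the call site; a comment such as `# xdm_t also needs to deliver SIGCHLD to $1 — reason: TODO confirm` would make the side effect visible, and the interface doc should mention it. The summary of the new `xserver_run_xdm_xserver` interface has a typo: "Execute xsever" should be "Execute xserver".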
@@ -1123,7 +1222,7 @@
type xdm_xserver_tmp_t;
')
- allow $1 xdm_xserver_tmp_t:file { getattr read };
+ read_files_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
')
########################################
@@ -1312,3 +1411,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
+
+########################################
+## <summary>
+## Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_stream_connect',`
+ gen_require(`
+ type xdm_t, xdm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 xdm_var_run_t:sock_file write;
+ allow $1 xdm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## xdm xserver RW shared memory socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_xdm_rw_shm',`
+ gen_require(`
+ type xdm_xserver_t;
+ ')
+
+ allow xdm_xserver_t $1:fd use;
+ allow $1 xdm_xserver_t:shm rw_shm_perms;
+ allow xdm_xserver_t $1:shm rw_shm_perms;
+
+')
+
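Review bot: The summary of `xserver_xdm_rw_shm` says "xdm xserver RW shared memory socket", but the body grants `shm rw_shm_perms` in both directions plus `allow xdm_xserver_t $1:fd use;` — there is no socket involved, and the fd grant to the X server is undocumented. Suggest `## Read and write shared memory with the xdm X server, and allow it to use the caller's file descriptors.`. Also the stray blank line before the closing `')` and the trailing blank line at end of file do not match the rest of the file.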
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-03 09:15:47.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem,false)
+
+## <desc>
+## <p>
## Allow xdm logins as sysadm
## </p>
## </desc>
@@ -26,11 +33,14 @@
attribute fonts_config_type;
attribute xauth_home_type;
+type iceauth_t;
type iceauth_exec_t;
-application_executable_file(iceauth_exec_t)
+application_domain(iceauth_t,iceauth_exec_t)
+type xauth_t;
type xauth_exec_t;
-application_executable_file(xauth_exec_t)
+application_domain(xauth_t, xauth_exec_t)
+role system_r types xauth_t;
# this is not actually a device, its a pipe
type xconsole_device_t;
@@ -56,6 +66,12 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
typealias xdm_tmp_t alias ice_tmp_t;
@@ -78,6 +94,29 @@
type xserver_log_t;
logging_log_file(xserver_log_t)
+type user_fonts_t, fonts_type;
+userdom_user_home_content(user,user_fonts_t)
+
+type user_fonts_cache_t, fonts_cache_type;
+userdom_user_home_content(user,user_fonts_cache_t)
+
+type user_fonts_config_t, fonts_config_type;
+userdom_user_home_content(user,user_fonts_config_t)
+
+type user_iceauth_home_t;
+files_poly_member(user_iceauth_home_t)
+userdom_user_home_content(user,user_iceauth_home_t)
+
+type user_xauth_home_t alias user_xauth_rw_t, xauth_home_type;
+files_poly_member(user_xauth_home_t)
+userdom_user_home_content(user,user_xauth_home_t)
+
+type admin_xauth_home_t;
+files_type(user_xauth_home_t)
+
+type user_xauth_tmp_t;
+files_tmp_file(user_xauth_tmp_t)
+
xserver_common_domain_template(xdm)
init_system_domain(xdm_xserver_t,xserver_exec_t)
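Review bot: `type admin_xauth_home_t;` is immediately followed by `files_type(user_xauth_home_t)`, which looks like a copy-paste slip — `user_xauth_home_t` already gets its attributes from `userdom_user_home_content(user,user_xauth_home_t)` three lines earlier. As written `admin_xauth_home_t` carries no `file_type` attribute, so the generic file-handling interfaces (relabel, backup, etc.) will not cover the admin .Xauthority file that `xauth_t` manages in the hunk ending at L13369. The fix is `files_type(admin_xauth_home_t)`.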
@@ -96,7 +135,7 @@
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
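Review bot: The changed `allow xdm_t self:process` line adds `ptrace` and drops `setkeycreate` with no comment on either. Self-ptrace is low risk but a reader cannot tell what needs it, and the `allow xdm_t self:key { search link write };` rule in the next hunk suggests xdm_t still creates keyrings; if `setkeycreate` is now expected to come from `auth_login_pgm_domain` (which this patch extends with `allow $1 self:process setkeycreate;` in authlogin.if), a one-line comment saying so would avoid it being re-added later.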
@@ -109,6 +148,8 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
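Review bot: The two new `manage_*_pattern(xdm_t, xkb_var_lib_t, …)` lines make `xdm_t` a writer of a type that `xdm_xserver_t` is allowed to execute (`can_exec(xdm_xserver_t, xkb_var_lib_t)` later in this file), so anything that can drive xdm into writing there can influence what the X server executes. If this is needed for compiled keymaps, a comment naming the producer and path, e.g. `# xdm writes compiled keymaps under /var/lib/xkb, which the X server executes — TODO confirm`, and ideally a narrower type for the written subdirectory, would document the trade-off.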
@@ -131,15 +172,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
+fs_search_inotifyfs(xdm_t)
+fs_list_all(xdm_t)
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+# Read machine-id
+files_read_var_lib_files(xdm_t)
manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
+manage_sock_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file sock_file })
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
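Review bot: `fs_rw_tmpfs_files(xdm_xserver_t)` is inserted in the middle of the `xdm_t` local-policy block (every neighbouring rule has `xdm_t` as subject); it belongs in the `xdm_xserver_t` section further down, next to the other `xdm_xserver_t` filesystem rules, so the per-domain grouping the file follows is preserved. `fs_getattr_all_fs(xdm_t)` and `fs_list_all(xdm_t)` are broad and would benefit from a short why-comment.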
@@ -153,6 +201,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t)
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -184,6 +233,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
+corenet_udp_bind_xdmcp_port(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -196,6 +246,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
+dev_rw_input_dev(xdm_t)
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -208,8 +259,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
+dev_read_sound(xdm_t)
+dev_write_sound(xdm_t)
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
@@ -245,6 +296,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
+auth_signal_pam(xdm_t)
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -256,12 +308,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
+logging_send_audit_msgs(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-sysnet_read_config(xdm_t)
-
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
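Review bot: `sysnet_read_config(xdm_t)` is removed with no replacement visible, while `xdm_t` keeps its network rules (the `corenet_*` block including the new `corenet_udp_bind_xdmcp_port(xdm_t)`). If the access now arrives through `auth_use_nsswitch` or similar outside this hunk, a comment at the removal point would prevent it being re-added; otherwise name resolution for XDMCP peers will be denied on /etc/resolv.conf and friends.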
@@ -270,6 +321,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+#
+# Wants to delete .xsession-errors file
+#
+userdom_unlink_unpriv_users_home_content_files(xdm_t)
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
@@ -304,7 +359,16 @@
')
optional_policy(`
+ bootloader_domtrans(xdm_t)
+')
+
+optional_policy(`
consolekit_dbus_chat(xdm_t)
+ dbus_system_bus_client_template(xdm, xdm_t)
+ dbus_per_role_template(xdm, xdm_t, system_r)
+ optional_policy(`
+ hal_dbus_chat(xdm_t)
+ ')
')
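Review bot: `dbus_system_bus_client_template(xdm, xdm_t)` and `dbus_per_role_template(xdm, xdm_t, system_r)` are placed inside the `optional_policy` block that starts with `consolekit_dbus_chat(xdm_t)`, so xdm's D-Bus client policy silently disappears whenever the consolekit module is absent, and `hal_dbus_chat` is nested one level deeper still. The dbus templates should be in their own optional block keyed on the dbus module, with consolekit and hal as sibling optional blocks. `bootloader_domtrans(xdm_t)` in the same hunk lets the display manager transition into the bootloader domain and deserves a comment naming the feature that needs it.
```m4
optional_policy(`
	dbus_system_bus_client_template(xdm, xdm_t)
	dbus_per_role_template(xdm, xdm_t, system_r)

	optional_policy(`
		consolekit_dbus_chat(xdm_t)
	')

	optional_policy(`
		hal_dbus_chat(xdm_t)
	')
')
# … unchanged: remaining optional_policy blocks …
```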
optional_policy(`
@@ -322,6 +386,10 @@
')
optional_policy(`
+ gnome_exec_gconf(xdm_t)
+')
+
+optional_policy(`
loadkeys_exec(xdm_t)
')
@@ -343,8 +411,8 @@
')
optional_policy(`
- unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
+ unconfined_signal(xdm_t)
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -380,7 +448,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +460,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
+manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
+
+manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)
+
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
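Review bot: `manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` sits between two `xserver_var_run_t` rules and a `files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)`, which suggests the target was meant to be the new `xserver_var_run_t`; as written the X server gets create/unlink on sockets in xdm's own pid directory instead. If `xdm_var_run_t` is really intended, move the line next to `read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` in the earlier hunk and add a comment; otherwise change it to `manage_sock_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)`.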
@@ -404,6 +481,7 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
+userdom_manage_unpriv_users_tmp_files(xdm_xserver_t)
xserver_use_all_users_fonts(xdm_xserver_t)
@@ -420,6 +498,14 @@
')
optional_policy(`
+ locallogin_use_fds(xdm_xserver_t)
+')
+
+optional_policy(`
+ mono_rw_shm(xdm_xserver_t)
+')
+
+optional_policy(`
resmgr_stream_connect(xdm_t)
')
@@ -429,47 +515,103 @@
')
optional_policy(`
- unconfined_domain_noaudit(xdm_xserver_t)
- unconfined_domtrans(xdm_xserver_t)
+ rpm_dontaudit_rw_shm(xdm_xserver_t)
+ rpm_rw_tmpfs_files(xdm_xserver_t)
+')
- ifndef(`distro_redhat',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+optional_policy(`
+ unconfined_rw_shm(xdm_xserver_t)
+ unconfined_execmem_rw_shm(xdm_xserver_t)
+ unconfined_rw_tmpfs_files(xdm_xserver_t)
- ifdef(`distro_rhel4',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+ # xserver signals unconfined user on startx
+ unconfined_signal(xdm_xserver_t)
+ unconfined_getpgid(xdm_xserver_t)
+')
+
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
+')
+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
')
-ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file manage_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-tunable_policy(`allow_polyinstantiation',`
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
+ifdef(`distro_rhel4',`
+ allow xdm_xserver_t self:process { execheap execmem };
')
+##############################
#
-# Wants to delete .xsession-errors file
+# xauth_t Local policy
#
-allow xdm_t user_home_type:file unlink;
+domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
+
+userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
+xserver_rw_xdm_tmp_files(xauth_t)
+allow xauth_t self:process signal;
+allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xauth_t user_xauth_home_t:file manage_file_perms;
+allow xdm_t user_xauth_home_t:file append_file_perms;
+
+manage_dirs_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t)
+manage_files_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t)
+files_tmp_filetrans(xauth_t, user_xauth_tmp_t, { file dir })
+
+domain_use_interactive_fds(xauth_t)
+
+files_read_etc_files(xauth_t)
+files_search_pids(xauth_t)
+
+fs_getattr_xattr_fs(xauth_t)
+fs_search_auto_mountpoints(xauth_t)
+
+# cjp: why?
+term_use_ptmx(xauth_t)
+
+auth_use_nsswitch(xauth_t)
+
+libs_use_ld_so(xauth_t)
+libs_use_shared_libs(xauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(xauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(xauth_t)
+')
+
+optional_policy(`
+ ssh_sigchld(xauth_t)
+ ssh_read_pipes(xauth_t)
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
+')
+
+##############################
#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+# iceauth_t Local policy
#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
+
+allow iceauth_t user_iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
+
+allow xdm_t user_iceauth_home_t:file read_file_perms;
+
+fs_search_auto_mountpoints(iceauth_t)
+
+libs_use_ld_so(iceauth_t)
+libs_use_shared_libs(iceauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(iceauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(iceauth_t)
+')
+
+allow xauth_t admin_xauth_home_t:file manage_file_perms;
+userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
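Review bot: `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)` in the iceauth_t section uses `$1`, but this is a .te file with no template parameters, so m4 passes a literal `$1` (or nothing) as the user prefix and the resulting rule is wrong or fails to build; the xauth_t section three blocks above correctly uses `user`. Change it to `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)`. Also, the `allow_xserver_execmem` tunable introduced in this file's first hunk is described as allowing "XServer" to execute writable memory but is only applied to `xdm_xserver_t` here, not to the per-role `$1_xserver_t` domains; either extend it in the template or narrow the description.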
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.5/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.fc 2007-12-19 05:38:09.000000000 -0500
@@ -29,7 +29,6 @@
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
@@ -42,3 +41,6 @@
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-03 11:25:12.000000000 -0500
@@ -99,7 +99,7 @@
template(`authlogin_per_role_template',`
gen_require(`
- type system_chkpwd_t, shadow_t;
+ type system_chkpwd_t, shadow_t, updpwd_t;
')
authlogin_common_auth_domain_template($1)
@@ -169,6 +169,7 @@
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t;
+ type auth_cache_t;
')
domain_type($1)
@@ -177,12 +178,23 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ # pam_keyring
+ allow $1 self:capability ipc_lock;
+ allow $1 self:process setkeycreate;
+ allow $1 self:key manage_key_perms;
+ userdom_manage_all_users_keys($1)
+
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+ manage_files_pattern($1, auth_cache_t, auth_cache_t)
+ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+ files_var_filetrans($1,auth_cache_t,dir)
+
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
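Review bot: `files_var_filetrans($1,auth_cache_t,dir)` makes every directory a login program creates inside a var_t directory come out as auth_cache_t, not just the /var/cache/coolkey path that the authlogin.fc hunk above labels (assuming /var/cache itself is var_t); a comment naming the module that creates that directory — presumably the coolkey/pkcs11 PAM module, confirm — would let a reader judge that scope, e.g. `# pkcs11/coolkey cache is created under /var/cache by login programs`. The single `# pam_keyring` comment covers four rules, of which `userdom_manage_all_users_keys($1)` is the broad one: every login program gains manage access to every user's keyrings, so say why the authenticating user's own keys are not enough. The enclosing interface auth_login_pgm_domain starts outside this hunk.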
@@ -221,11 +233,28 @@
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
-# logging_set_loginuid($1)
+ logging_set_loginuid($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
+ userdom_set_rlimitnh($1)
+ userdom_unlink_unpriv_users_tmp_files($1)
+ userdom_unpriv_users_stream_connect($1)
+
+ optional_policy(`
+ mount_domtrans($1)
+ ')
+
+ optional_policy(`
+ nis_authenticate($1)
+ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
+ userdom_read_all_users_home_content_files($1)
+ ')
+
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
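Review bot: The three new `optional_policy` blocks carry no reason, although the file's convention (see `# needed for afs - ...` in the hunk above) is a why-comment per non-obvious grant: `mount_domtrans($1)` gives every login program a transition into the mount domain, and `userdom_read_all_users_home_content_files($1)` inside the ssh_agent block lets them read all users' home content. Suggest `# pam_mount` above the mount block and `# pam_ssh: read user keys for ssh-agent` above the ssh block, if those are indeed the modules that need them — confirm. `logging_set_loginuid($1)` is re-enabled here without a note on why it had been commented out, which is worth one line since loginuid is what later audit records are keyed on. The enclosing interface starts outside this hunk.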
@@ -342,6 +371,8 @@
optional_policy(`
kerberos_use($1)
+ kerberos_read_keytab($1)
+ kerberos_524_connect($1)
')
optional_policy(`
@@ -356,6 +387,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
+ auth_domtrans_upd_passwd($1)
')
########################################
@@ -369,12 +401,12 @@
## </param>
## <param name="role">
## <summary>
-## The role to allow the chkpwd domain.
+## The role to allow the updpwd domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
-## The type of the terminal allow the chkpwd domain to use.
+## The type of the terminal allow the updpwd domain to use.
## </summary>
## </param>
#
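Review bot: The parameter docs now read "the updpwd domain", but the interface body (hunk @@ -386 below) still keeps `role $2 types system_chkpwd_t;` and `allow system_chkpwd_t $3:chr_file rw_file_perms;` and only additionally calls `auth_run_upd_passwd($1, $2, $3)`, so the role and terminal are granted to both domains. The docs should say so: `## The role to allow the chkpwd and updpwd domains.` and `## The type of the terminal allow the chkpwd and updpwd domains to use.` The interface header is outside the hunk, so its name is inferred from the body.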
@@ -386,6 +418,7 @@
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
+ auth_run_upd_passwd($1, $2, $3)
')
########################################
@@ -1457,6 +1490,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
')
')
@@ -1491,3 +1525,23 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
+
+########################################
+## <summary>
+## Read authentication cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ read_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
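Review bot: `auth_read_cache` grants read on auth_cache_t files and search on auth_cache_t directories but nothing to reach them: the content lives under /var/cache (authlogin.fc hunk above), so a caller that does not already search var_t is still denied on the path. Add `files_search_var($1)` before the read pattern, as the other interfaces in this file pair content access with the parent search (`files_list_var_lib($1)` in auth_login_pgm_domain). The trailing blank `+` line after the closing `')` does not match the rest of the file and can be dropped.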
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-11 14:30:57.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
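Review bot: `logging_log_file(auth_cache_t)` attaches the logfile attribute to what is an authentication cache, so every domain that uses the log-management interfaces — and, with the logging.if hunk @@ -596 in this same patch, relabelfrom/relabelto on logfile — gains manage access to /var/cache/coolkey although it holds no log data. `files_type(auth_cache_t)` matches how this patch declares `ldconfig_cache_t` in libraries.te and keeps the cache reachable only through `auth_login_pgm_domain` and `auth_read_cache`. If the logfile attribute is deliberate (e.g. for rotation), a comment above the declaration should say so.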
@@ -73,6 +76,9 @@
authlogin_common_auth_domain_template(system)
role system_r types system_chkpwd_t;
+# Read only version of updpwd
+domain_entry_file(system_chkpwd_t,updpwd_exec_t)
+
########################################
#
# PAM local policy
@@ -121,6 +127,11 @@
logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t)
+userdom_write_unpriv_users_tmp_files(pam_t)
+userdom_unlink_unpriv_users_tmp_files(pam_t)
+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
optional_policy(`
locallogin_use_fds(pam_t)
@@ -279,8 +290,10 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_all_user_ptys(updpwd_t)
+term_dontaudit_use_all_user_ttys(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
+term_dontaudit_use_generic_ptys(updpwd_t)
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
@@ -329,11 +342,6 @@
')
optional_policy(`
- # Allow utemper to write to /tmp/.xses-*
- unconfined_write_tmp_files(utempter_t)
-')
-
-optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.5/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/fstools.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -21,7 +20,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.5/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/fstools.if 2007-12-19 05:38:09.000000000 -0500
@@ -142,3 +142,20 @@
allow $1 swapfile_t:file getattr;
')
+
+########################################
+## <summary>
+## Create, read, write, and delete a nfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Not used
+## </summary>
+## </param>
+#
+interface(`fstools_manage_nfs',`
+ gen_require(`
+ type fsadm_t;
+ ')
+ fs_manage_nfs_files(fsadm_t)
+')
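Review bot: `fstools_manage_nfs` declares a `domain` parameter it never uses (the docs even say "Not used") and unconditionally grants fsadm_t management of NFS files, so any module calling it for any `$1` widens fsadm_t's reach over a network filesystem. Either act on `$1` like every other interface in this file, or document it as a parameterless policy knob and state why it is not behind `use_nfs_home_dirs`. The summary should read `## Create, read, write, and delete nfs files.`, and this file's other interfaces put a blank line between `gen_require` and the rules.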
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.5/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/fstools.te 2007-12-20 16:16:24.000000000 -0500
@@ -109,8 +109,7 @@
term_use_console(fsadm_t)
-corecmd_list_bin(fsadm_t)
-corecmd_read_bin_symlinks(fsadm_t)
+corecmd_exec_bin(fsadm_t)
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)
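Review bot: Replacing `corecmd_list_bin`/`corecmd_read_bin_symlinks` with `corecmd_exec_bin(fsadm_t)` moves from listing directories to executing every bin_t program, yet unlike the `corecmd_exec_shell` line below it carries no reference saying which tool needed it. Add a why-comment in the file's style, e.g. `# <tool> execs helpers from /sbin - bug <id>` with the real tool and bug filled in, or narrow to that helper's own exec type if one exists.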
@@ -132,6 +131,8 @@
# Access to /initrd devices
files_rw_isid_type_dirs(fsadm_t)
files_rw_isid_type_blk_files(fsadm_t)
+files_read_isid_type_files(fsadm_t)
+
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
@@ -183,4 +184,5 @@
optional_policy(`
xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.5/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/getty.te 2007-12-19 05:38:09.000000000 -0500
@@ -33,7 +33,8 @@
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+# getty requires sys_admin #209426
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid sys_admin };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.5/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/hostname.te 2007-12-19 05:38:09.000000000 -0500
@@ -8,7 +8,9 @@
type hostname_t;
type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+application_domain(hostname_t, hostname_exec_t)
role system_r types hostname_t;
########################################
@@ -60,3 +62,11 @@
xen_append_log(hostname_t)
xen_dontaudit_use_fds(hostname_t)
')
+
+optional_policy(`
+ xen_append_log(hostname_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
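Review bot: The added `optional_policy` block containing `xen_append_log(hostname_t)` duplicates the `xen_append_log(hostname_t)` already present in the existing optional block visible as context at the top of this hunk, so the new block is redundant; keep only the `unconfined_dontaudit_rw_pipes(hostname_t)` block.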
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.5/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/hotplug.te 2007-12-19 05:38:09.000000000 -0500
@@ -179,6 +179,7 @@
sysnet_read_dhcpc_pid(hotplug_t)
sysnet_rw_dhcp_config(hotplug_t)
sysnet_domtrans_ifconfig(hotplug_t)
+ sysnet_signal_ifconfig(hotplug_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/init.if 2007-12-20 08:48:00.000000000 -0500
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
')
+ tunable_policy(`allow_daemons_use_tty',`
+ term_use_all_user_ttys($1)
+ term_use_all_user_ptys($1)
+ ', `
+ term_dontaudit_use_all_user_ttys($1)
+ term_dontaudit_use_all_user_ptys($1)
+ ')
')
########################################
@@ -242,11 +249,11 @@
init_system_domain($1,$2)
ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
+ range_transition initrc_t $2 $3;
')
ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
+ range_transition initrc_t $2 $3;
')
')
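Review bot: Dropping the class from `range_transition initrc_t $2 $3;` is accepted syntax (process is the default), but every other range_transition in this file, including the ones this patch adds below (`range_transition $1 initscript:process s0;`), spells out `:process`; keep the explicit form for consistency, or add a comment if the class-less form is needed for an older checkpolicy. The enclosing interface header is outside the hunk.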
@@ -540,18 +547,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
')
files_list_etc($1)
- spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
+ spec_domtrans_pattern($1,initscript,initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 initscript:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 initscript:process s0 - mls_systemhigh;
')
')
@@ -567,18 +575,46 @@
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
+ ')
+
+ files_list_etc($1)
+ domtrans_pattern($1,initscript,initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initscript:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initscript:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute init a specific script with an automatic domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_script_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
')
files_list_etc($1)
- domtrans_pattern($1,initrc_exec_t,initrc_t)
+ domtrans_pattern($1,$2,initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 $2:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 $2:process s0 - mls_systemhigh;
')
')
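Review bot: `init_script_domtrans_spec` uses `$2` as the init script type in `domtrans_pattern($1,$2,initrc_t)` and in both range_transition lines, but its XML header documents only `domain`; add a second parameter block — `## <param name="init_script_file">` with summary `## Type of the init script file to execute.` — so the generated interface documentation matches the signature. The summary also reads oddly; `## Execute a specific init script with an automatic domain transition.` is what the body does.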
@@ -609,11 +645,11 @@
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- domain_auto_trans($1,initrc_exec_t,$2)
+ domain_auto_trans($1,initscript,$2)
')
########################################
@@ -684,11 +720,11 @@
#
interface(`init_getattr_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- allow $1 initrc_exec_t:file getattr;
+ allow $1 initscript:file getattr;
')
########################################
@@ -703,11 +739,11 @@
#
interface(`init_exec_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- can_exec($1,initrc_exec_t)
+ can_exec($1,initscript)
')
########################################
@@ -931,6 +967,7 @@
dontaudit $1 initrc_t:unix_stream_socket connectto;
')
+
########################################
## <summary>
## Send messages to init scripts over dbus.
@@ -1030,11 +1067,11 @@
#
interface(`init_read_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_search_etc($1)
- allow $1 initrc_exec_t:file read_file_perms;
+ allow $1 initscript:file read_file_perms;
')
########################################
@@ -1252,7 +1289,7 @@
type initrc_var_run_t;
')
- dontaudit $1 initrc_var_run_t:file { getattr read write append };
+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
########################################
@@ -1273,3 +1310,92 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_init_state',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_file_perms;
+')
+
+########################################
+## <summary>
+## Ptrace init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace_init_domain',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for initscripts
+## in a filesystem.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+#
+interface(`init_script_type',`
+ gen_require(`
+ type initrc_t;
+ attribute initscript;
+ ')
+
+ typeattribute $1 initscript;
+ domain_entry_file(initrc_t,$1)
+
+')
+
+########################################
+## <summary>
+## Transition to system_r when execute an init script
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_role_transition',`
+ gen_require(`
+ attribute initscript;
+ ')
+
+ role_transition $1 initscript system_r;
+')
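Review bot: `init_read_init_state` and `init_ptrace_init_domain` both require `attribute init_t;`, but init_t is the init process domain (init.te below: `# init_t is the domain of the init process.`), i.e. a type, so both should read `type init_t;` — in a modular build a require for an undeclared attribute fails at link time. `init_ptrace_init_domain` hands `$1` ptrace over pid 1 and is tagged `<rolecap/>`; a comment on the intended caller would help whoever reviews the modules that use it. `init_script_type` has a stray blank line before its closing `')`, and the `# cjp: added for gentoo integrated run_init` comment above `init_script_role_transition` appears copied from `init_script_file_domtrans` — drop it unless it applies here.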
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-15 09:55:44.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core,false)
+
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
@@ -19,6 +33,8 @@
# Mark process types as daemons
attribute daemon;
+attribute initscript;
+
#
# init_t is the domain of the init process.
#
@@ -45,7 +61,7 @@
mls_trusted_object(initctl_t)
type initrc_t;
-type initrc_exec_t;
+type initrc_exec_t, initscript;
domain_type(initrc_t)
domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
@@ -73,7 +89,7 @@
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -171,13 +187,13 @@
nscd_socket_use(init_t)
')
-optional_policy(`
- unconfined_domain(init_t)
-')
-
-# Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`
+# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
+ifdef(`enable_mls',`
userdom_shell_domtrans_sysadm(init_t)
+',`
+ optional_policy(`
+ unconfined_shell_domtrans(init_t)
+ ')
')
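Review bot: After this change a non-MLS build that does not include the unconfined module has no transition rule for the single-user shell at all — the sysadm transition now lives only in the `enable_mls` branch, and `optional_policy` cannot carry a require in its else branch (as the `# cjp: require doesnt work in the else of optionals` comment removed further down notes), so the shell would remain in init_t. If that configuration is unsupported, say so where the comment is, e.g. `# Non-MLS builds rely on the unconfined module for the single-user shell`; otherwise the sysadm transition needs to stay reachable in that case.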
########################################
@@ -186,7 +202,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
@@ -200,10 +216,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
-# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t,initscript)
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
@@ -282,7 +297,6 @@
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
-mls_fd_share_all_levels(initrc_t)
selinux_get_enforce_mode(initrc_t)
@@ -495,6 +509,31 @@
')
')
+domain_dontaudit_use_interactive_fds(daemon)
+
+userdom_dontaudit_search_sysadm_home_dirs(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ term_use_all_user_ttys(daemon)
+ term_use_all_user_ptys(daemon)
+', `
+ term_dontaudit_use_unallocated_ttys(daemon)
+ term_dontaudit_use_generic_ptys(daemon)
+ term_dontaudit_use_all_user_ttys(daemon)
+ term_dontaudit_use_all_user_ptys(daemon)
+ ')
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+ files_dump_core(daemon)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
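Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` introduces the `allow_daemons_dump_core` block, but that block grants `files_dump_core(daemon)` and dontaudits nothing, so comment and code disagree; either reword it to describe the tunable (`# Let daemons write core files to /; off by default`) or add the dontaudit the comment promises in an else branch. In the `allow_daemons_use_tty` block the closing `')` is indented while its `', ` sibling is at column 0. The same tunable is also applied per-domain in the init.if hunk @@ -211 above; for types carrying the daemon attribute both rule sets apply, which is harmless but duplicative — a comment in init.if saying it targets non-daemon system domains would clarify, if that is the intent.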
@@ -630,12 +669,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-# cjp: require doesnt work in the else of optionals :\
-# this also would result in a type transition
-# conflict if sendmail is enabled
-#optional_policy(`',`
-# mta_send_mail(initrc_t)
-#')
optional_policy(`
ifdef(`distro_redhat',`
@@ -696,6 +729,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
')
optional_policy(`
@@ -708,9 +744,11 @@
squid_manage_logs(initrc_t)
')
-optional_policy(`
- # allow init scripts to su
- su_restricted_domain_template(initrc,initrc_t,system_r)
+ifndef(`targeted_policy',`
+ optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc,initrc_t,system_r)
+ ')
')
optional_policy(`
@@ -729,6 +767,11 @@
uml_setattr_util_sockets(initrc_t)
')
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_rw_pipes(daemon)
+')
+
optional_policy(`
unconfined_domain(initrc_t)
@@ -743,6 +786,10 @@
')
optional_policy(`
+ rpm_dontaudit_rw_pipes(daemon)
+')
+
+optional_policy(`
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.5/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/ipsec.te 2007-12-19 05:38:09.000000000 -0500
@@ -302,6 +302,7 @@
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
+corenet_udp_bind_ipsecnat_port(racoon_t)
dev_read_urand(racoon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-14 12:58:45.000000000 -0500
@@ -133,6 +133,7 @@
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -183,6 +184,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -242,7 +244,7 @@
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -292,6 +294,8 @@
#
# /var
#
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -304,3 +308,4 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2008-01-02 15:02:58.000000000 -0500
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)
@@ -44,9 +47,11 @@
# ldconfig local policy
#
-allow ldconfig_t self:capability sys_chroot;
+allow ldconfig_t self:capability { dac_override sys_chroot };
+
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
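Review bot: `dac_override` is added to ldconfig_t's capabilities with no comment, although this file documents its other non-obvious grants (the rpm block at the end: `# ... If you dont allow this kernel installs blow up.`); state which operation needs to bypass DAC. `manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)` covers /var/cache/ldconfig, but no `files_var_filetrans` for ldconfig_cache_t is visible in this hunk, so a directory freshly created by ldconfig_t would keep its parent's label until a relabel — confirm the directory is package-owned, or add the transition.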
@@ -60,8 +65,11 @@
fs_getattr_xattr_fs(ldconfig_t)
+corecmd_search_bin(ldconfig_t)
+
domain_use_interactive_fds(ldconfig_t)
+files_search_home(ldconfig_t)
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
@@ -79,6 +87,9 @@
logging_send_syslog_msg(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
+userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
+userdom_manage_unpriv_users_tmp_files(ldconfig_t)
+userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t)
ifdef(`hide_broken_symptoms',`
optional_policy(`
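Review bot: `userdom_manage_unpriv_users_tmp_files(ldconfig_t)` and `userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t)` let a root-run ldconfig create, write and delete files and symlinks of unprivileged users' tmp types, which is wider than the rpm tmp rules in the optional block below that already cover the package-manager case the file documents. If a specific caller needs this, name it in a why-comment the way the rpm block does; otherwise consider whether a dontaudit, as used for home content on the line just above, is what the denials actually call for.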
@@ -96,4 +107,6 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
+ # smart package manager needs the following for the same reason
+ rpm_rw_tmp_files(ldconfig_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.5/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/locallogin.te 2007-12-19 05:38:09.000000000 -0500
@@ -131,6 +131,7 @@
miscfiles_read_localization(local_login_t)
+userdom_read_all_users_home_dirs_symlinks(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_all_users_home_content(local_login_t)
@@ -156,6 +157,11 @@
fs_read_cifs_symlinks(local_login_t)
')
+tunable_policy(`allow_console_login', `
+ term_relabel_console(local_login_t)
+ term_setattr_console(local_login_t)
+')
+
optional_policy(`
alsa_domtrans(local_login_t)
')
@@ -185,7 +191,7 @@
')
optional_policy(`
- unconfined_domain(local_login_t)
+ unconfined_shell_domtrans(local_login_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.5/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/logging.fc 2007-12-19 05:38:09.000000000 -0500
@@ -42,7 +42,7 @@
')
ifdef(`distro_redhat',`
-/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
@@ -57,3 +57,6 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
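Review bot: Only `/etc/rc\.d/init\.d/rsyslog` receives syslogd_script_exec_t; if the sysklogd script is still shipped on the target distribution it keeps initrc_exec_t, and the `role_transition $2 syslogd_script_exec_t system_r` this patch adds to logging_admin_syslog in logging.if will not apply to it. Either add a line for that script or note that rsyslog is the only supported syslog service. These paths are Red Hat specific, so the `ifdef(distro_redhat)` guard used a few lines above for /var/named would be consistent here.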
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.5/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/logging.if 2007-12-19 05:38:09.000000000 -0500
@@ -400,25 +400,6 @@
########################################
## <summary>
-## Read syslog configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`logging_read_syslog_config',`
- gen_require(`
- type syslog_conf_t;
- ')
-
- allow $1 syslog_conf_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
@@ -596,6 +577,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
+ allow $1 logfile:dir { relabelfrom relabelto };
+ allow $1 logfile:file { relabelfrom relabelto };
')
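Review bot: Adding `allow $1 logfile:dir { relabelfrom relabelto };` and its file counterpart to a manage-all-logs interface means every existing caller silently gains the ability to relabel anything carrying the logfile attribute — which in this patch includes auth_cache_t (authlogin.te) — and relabel is how content leaves a protected type. Refpolicy keeps relabel separate from manage; suggest a dedicated interface with its own `## <summary>` (e.g. a logging_relabel_all_logs) and calling it only from the domain that needs it. The enclosing interface header is outside the hunk.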
########################################
@@ -705,6 +688,7 @@
interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
+ type auditd_script_exec_t;
type auditd_var_run_t;
')
@@ -719,6 +703,15 @@
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+ logging_run_auditctl($1, $2, $3)
+
+ # Allow $1 to restart the audit service
+ logging_audit_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_script_exec_t system_r;
+ allow $2 system_r;
+
')
########################################
@@ -749,6 +742,7 @@
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
+ type syslogd_script_exec_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
@@ -776,6 +770,13 @@
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
+
+ # Allow $1 to restart the syslog service
+ logging_syslog_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 syslogd_script_exec_t system_r;
+ allow $2 system_r;
+
')
########################################
@@ -804,3 +805,40 @@
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
')
+
+########################################
+## <summary>
+## Execute syslog server in the syslogd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`logging_syslog_script_domtrans',`
+ gen_require(`
+ type syslogd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,syslogd_script_exec_t)
+')
+
+########################################
+## <summary>
+## Execute audit server in the auditd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`logging_audit_script_domtrans',`
+ gen_require(`
+ type auditd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
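Review bot: The summaries of `logging_syslog_script_domtrans` and `logging_audit_script_domtrans` say the caller executes the syslog/audit server in the syslogd/auditd domain, but both bodies call `init_script_domtrans_spec($1, ...)`, which transitions `$1` into initrc_t via the init script — the daemon domain is entered later by initrc_t, not by the caller. Reword to `## Execute the syslog init script with a transition to the initrc domain.` (and likewise for auditd) so a reader does not take it for a direct daemon entry. The trailing blank `+` line at end of file can go.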
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-31 16:41:38.000000000 -0500
@@ -61,6 +61,12 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
+type auditd_script_exec_t;
+init_script_type(auditd_script_exec_t)
+
+type syslogd_script_exec_t;
+init_script_type(syslogd_script_exec_t)
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
@@ -165,6 +171,10 @@
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
optional_policy(`
+ mta_send_mail(auditd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
@@ -202,6 +212,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
+fs_search_tmpfs(klogd_t)
domain_use_interactive_fds(klogd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.5/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/lvm.te 2007-12-19 05:38:09.000000000 -0500
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
-allow clvmd_t self:capability { sys_admin mknod };
+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process signal_perms;
+allow clvmd_t self:process { signal_perms setsched };
dontaudit clvmd_t self:process ptrace;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file rw_fifo_file_perms;
@@ -54,6 +54,8 @@
allow clvmd_t self:tcp_socket create_stream_socket_perms;
allow clvmd_t self:udp_socket create_socket_perms;
+init_dontaudit_getattr_initctl(clvmd_t)
+
manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t)
files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
@@ -85,10 +87,15 @@
corenet_sendrecv_generic_server_packets(clvmd_t)
dev_read_sysfs(clvmd_t)
+dev_manage_generic_symlinks(clvmd_t)
+dev_relabel_generic_dev_dirs(clvmd_t)
+dev_manage_generic_blk_files(clvmd_t)
dev_manage_generic_chr_files(clvmd_t)
dev_rw_lvm_control(clvmd_t)
dev_dontaudit_getattr_all_blk_files(clvmd_t)
dev_dontaudit_getattr_all_chr_files(clvmd_t)
+dev_create_generic_dirs(clvmd_t)
+dev_delete_generic_dirs(clvmd_t)
files_read_etc_files(clvmd_t)
files_list_usr(clvmd_t)
@@ -99,9 +106,12 @@
fs_dontaudit_read_removable_files(clvmd_t)
storage_dontaudit_getattr_removable_dev(clvmd_t)
+storage_dev_filetrans_fixed_disk(clvmd_t)
+storage_manage_fixed_disk(clvmd_t)
domain_use_interactive_fds(clvmd_t)
+storage_relabel_fixed_disk(clvmd_t)
storage_raw_read_fixed_disk(clvmd_t)
auth_use_nsswitch(clvmd_t)
@@ -115,6 +125,9 @@
seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
+seutil_read_config(clvmd_t)
+seutil_read_file_contexts(clvmd_t)
+seutil_search_default_contexts(clvmd_t)
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
@@ -146,7 +159,8 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+# lvm needs net_admin for multipath
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
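Review bot: The new rationale comment `# lvm needs net_admin for multipath` is placed below the allow rule it explains, while the two existing comments in this hunk (`# DAC overrides and mknod …`, `# rawio needed for dmraid`) sit above theirs; move the new line up to join them so the capability list is read together with its justification. If net_admin is only exercised through multipath, saying so lets a later review drop it once that path is handled elsewhere.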
@@ -156,7 +170,8 @@
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow lvm_t clvmd_t:unix_stream_socket connectto;
+allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
@@ -188,6 +203,7 @@
manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
files_etc_filetrans(lvm_t,lvm_metadata_t,file)
+files_search_mnt(lvm_t)
kernel_read_system_state(lvm_t)
kernel_read_kernel_sysctls(lvm_t)
@@ -204,7 +220,6 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
-dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -224,6 +239,8 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
+dev_delete_generic_dirs(lvm_t)
+dev_rw_generic_files(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
@@ -242,6 +259,7 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
+mls_file_read_all_levels(lvm_t)
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
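Review bot: `mls_file_read_all_levels(lvm_t)` is an MLS override (if the interface does what its name says, lvm_t may read files at every sensitivity level) and is added without the why-comment that neighbouring rules in this file carry, such as the raw-device comment two lines above it. A one-line rationale such as `# lvm must read volume metadata at any level when assembling volumes at boot` — wording to be confirmed against the actual denial — would document the exception. It is also placed between storage_ and term_ rules rather than alongside the other mls_/selinux_ calls for lvm_t.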
@@ -250,6 +268,7 @@
domain_use_interactive_fds(lvm_t)
+files_read_usr_files(lvm_t)
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
@@ -271,6 +290,8 @@
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
+userdom_dontaudit_search_sysadm_home_dirs(lvm_t)
+
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
@@ -289,5 +310,14 @@
')
optional_policy(`
+ modutils_domtrans_insmod(lvm_t)
+')
+
+optional_policy(`
udev_read_db(lvm_t)
')
+
+optional_policy(`
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.5/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/modutils.if 2007-12-19 05:38:09.000000000 -0500
@@ -66,6 +66,25 @@
########################################
## <summary>
+## Unlink a file with the configuration options used when
+## loading modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_unlink_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ allow $1 modules_conf_t:file unlink;
+')
+
+########################################
+## <summary>
## Unconditionally execute insmod in the insmod domain.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/modutils.te 2008-01-03 10:41:38.000000000 -0500
@@ -42,7 +42,7 @@
# insmod local policy
#
-allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
@@ -63,6 +63,7 @@
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
+kernel_setsched(insmod_t)
files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
@@ -76,9 +77,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
-# cjp: why is this needed? insmod cannot mounton any dir
-# and it also transitions to mount
-dev_mount_usbfs(insmod_t)
+dev_create_generic_chr_files(insmod_t)
fs_getattr_xattr_fs(insmod_t)
@@ -101,6 +100,7 @@
init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
libs_use_ld_so(insmod_t)
libs_use_shared_libs(insmod_t)
@@ -112,11 +112,27 @@
seutil_read_file_contexts(insmod_t)
+term_dontaudit_use_unallocated_ttys(insmod_t)
+userdom_dontaudit_search_users_home_dirs(insmod_t)
+userdom_dontaudit_search_sysadm_home_dirs(insmod_t)
+
if( ! secure_mode_insmod ) {
kernel_domtrans_to(insmod_t,insmod_exec_t)
}
optional_policy(`
+ alsa_domtrans(insmod_t)
+')
+
+optional_policy(`
+ firstboot_dontaudit_rw_pipes(insmod_t)
+')
+
+optional_policy(`
+ hal_write_log(insmod_t)
+')
+
+optional_policy(`
hotplug_search_config(insmod_t)
')
@@ -149,10 +165,12 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
+ rpm_read_script_tmp_files(insmod_t)
')
optional_policy(`
unconfined_dontaudit_rw_pipes(insmod_t)
+ unconfined_dontaudit_use_terminals(insmod_t)
')
optional_policy(`
@@ -179,6 +197,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
+files_delete_kernel_modules(depmod_t)
fs_getattr_xattr_fs(depmod_t)
@@ -202,16 +221,19 @@
# Read System.map from home directories.
files_list_home(depmod_t)
-userdom_read_staff_home_content_files(depmod_t)
+userdom_read_unpriv_users_home_content_files(depmod_t)
userdom_read_sysadm_home_content_files(depmod_t)
+userdom_dontaudit_use_sysadm_terms(depmod_t)
+
optional_policy(`
# Read System.map from home directories.
- unconfined_read_home_content_files(depmod_t)
+ unconfined_dontaudit_use_terminals(depmod_t)
')
optional_policy(`
rpm_rw_pipes(depmod_t)
+ rpm_manage_script_tmp_files(depmod_t)
')
#################################
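Review bot: The comment `# Read System.map from home directories.` at the top of the optional_policy block no longer describes the rule beneath it, since `unconfined_read_home_content_files(depmod_t)` is replaced by `unconfined_dontaudit_use_terminals(depmod_t)`, a terminal dontaudit. Either drop that comment or replace it with one matching the new rule, e.g. `# depmod is run from unconfined terminals; do not audit the stray terminal use`. The same comment above the userdom_ lines still applies and can stay.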
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.5/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/mount.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,3 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-14 10:34:15.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
## <p>
-## Allow the mount command to mount any directory or file.
+## Allow the mount command to mount any directory or file
## </p>
## </desc>
gen_tunable(allow_mount_anyfile,false)
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-# causes problems with interfaces when
-# this is optionally declared in monolithic
-# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t,mount_exec_t)
+role system_r types unconfined_mount_t;
########################################
#
@@ -36,23 +37,26 @@
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
can_exec(mount_t, mount_exec_t)
-files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
-
+# In order to mount reiserfs_t
+kernel_list_unlabeled(mount_t)
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
+kernel_search_debugfs(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
@@ -62,6 +66,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
@@ -100,6 +105,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
auth_use_nsswitch(mount_t)
@@ -161,6 +168,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
+
+ rpc_domtrans_rpcd(mount_t)
')
optional_policy(`
@@ -175,6 +184,11 @@
')
')
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+optional_policy(`
+ lvm_domtrans(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
@@ -182,6 +196,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
+ samba_read_config(mount_t)
')
########################################
@@ -192,4 +207,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
+ optional_policy(`
+ hal_dbus_chat(unconfined_mount_t)
+ ')
')
+
+########################################
+#
+# ntfs local policy
+#
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
+
+corecmd_exec_shell(mount_t)
+
+modutils_domtrans_insmod(mount_t)
+
+optional_policy(`
+ hal_write_log(mount_t)
+ hal_use_fds(mount_t)
+ hal_rw_pipes(mount_t)
+')
+
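Review bot: The new `# ntfs local policy` section applies every rule to mount_t (mount_ntfs_t is only a typealias added earlier in this file), so `corecmd_exec_shell(mount_t)` and an unconditional `modutils_domtrans_insmod(mount_t)` now hold for every mount invocation, not just ntfs mounts, and the heading hides that. Move these rules into the existing mount_t local-policy block above and rename the heading, or, if they are really only needed for ntfs-3g, say so in a comment such as `# ntfs-3g (reached via the mount_ntfs_t alias) needs a shell and module loading; this applies to all of mount_t`. The trailing blank `+` line at the end of the file can also go.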
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.5/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/raid.te 2007-12-19 05:38:09.000000000 -0500
@@ -19,7 +19,7 @@
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -39,6 +39,7 @@
dev_dontaudit_getattr_generic_files(mdadm_t)
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+dev_read_realtime_clock(mdadm_t)
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
@@ -85,3 +86,7 @@
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
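Review bot: `unconfined_domain(mdadm_t)` inside the new optional_policy block effectively removes confinement from mdadm_t whenever the unconfined module is loaded, and the hunk gives no reason for it. If this is a stop-gap for specific denials, a comment naming them and a tracker reference, as mount.te does in this same patch for the crypt case, should accompany it so the grant can be revisited; otherwise the specific permissions are preferable to the blanket one.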
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.5/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.fc 2007-12-19 05:38:09.000000000 -0500
@@ -38,7 +38,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.5/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.if 2007-12-19 05:38:09.000000000 -0500
@@ -215,8 +215,6 @@
seutil_domtrans_newrole($1)
role $2 types newrole_t;
allow newrole_t $3:chr_file rw_term_perms;
-
- auth_run_upd_passwd(newrole_t, $2, $3)
')
########################################
@@ -587,7 +585,7 @@
type selinux_config_t;
')
- dontaudit $1 selinux_config_t:dir search;
+ dontaudit $1 selinux_config_t:dir search_dir_perms;
')
########################################
@@ -606,7 +604,7 @@
type selinux_config_t;
')
- dontaudit $1 selinux_config_t:dir search;
+ dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file { getattr read };
')
@@ -698,6 +696,7 @@
')
files_search_etc($1)
+ manage_dirs_pattern($1,selinux_config_t,selinux_config_t)
manage_files_pattern($1,selinux_config_t,selinux_config_t)
read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
@@ -807,6 +806,28 @@
########################################
## <summary>
+## dontaudit Read the file_contexts files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_dontaudit_read_file_contexts',`
+ gen_require(`
+ type selinux_config_t, default_context_t, file_context_t;
+ ')
+
+ files_search_etc($1)
+ dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ dontaudit $1 file_context_t:dir search_dir_perms;
+ dontaudit $1 file_context_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read and write the file_contexts files.
## </summary>
## <param name="domain">
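Review bot: The new `seutil_dontaudit_read_file_contexts` interface is tagged `<rolecap/>`, but it only emits dontaudit rules and so confers nothing a role would need listed; the tag looks copied from the neighbouring read interface header and can be dropped. The summary `dontaudit Read the file_contexts files.` would also read better as `Do not audit attempts to read the file_contexts files.`, matching the phrasing used for the other dontaudit interfaces in this patch.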
@@ -997,6 +1018,26 @@
########################################
## <summary>
+## Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setsebool',`
+ gen_require(`
+ type setsebool_t, setsebool_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1,setsebool_exec_t,setsebool_t)
+')
+
+########################################
+## <summary>
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
@@ -1008,7 +1049,7 @@
## </param>
## <param name="role">
## <summary>
-## The role to be allowed the checkpolicy domain.
+## The role to be allowed the semanage domain.
## </summary>
## </param>
## <param name="terminal">
@@ -1030,6 +1071,39 @@
########################################
## <summary>
+## Execute setsebool in the semanage domain, and
+## allow the specified role the semanage domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the semanage domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the semanage domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setsebool',`
+ gen_require(`
+ type semanage_t;
+ ')
+
+ seutil_domtrans_setsebool($1)
+ role $2 types setsebool_t;
+ allow setsebool_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Full management of the semanage
## module store.
## </summary>
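Review bot: `seutil_run_setsebool` requires `type semanage_t;` in its gen_require, but the body references `setsebool_t` in both `role $2 types setsebool_t;` and `allow setsebool_t $3:chr_file rw_term_perms;`, so the require block names the wrong type; it should be `type setsebool_t;`. The header text also says setsebool runs "in the semanage domain" throughout, while the interface transitions to setsebool_t via seutil_domtrans_setsebool; change those to the setsebool domain so the documentation matches the rules.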
@@ -1141,3 +1215,140 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
+
+#######################################
+## <summary>
+## The per role template for the setsebool module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for setsebool plugins that are executed by a browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`seutil_setsebool_per_role_template',`
+ gen_require(`
+ type setsebool_exec_t;
+ ')
+
+ type $1_setsebool_t;
+ domain_type($1_setsebool_t)
+ domain_entry_file($1_setsebool_t,setsebool_exec_t)
+ role $3 types $1_setsebool_t;
+
+ files_search_usr($2)
+ corecmd_search_bin($2)
+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
+ seutil_semanage_policy($1_setsebool_t)
+
+ # Need to define per type booleans
+ selinux_set_boolean($1_setsebool_t)
+
+ # Bug in semanage
+ seutil_domtrans_setfiles($1_setsebool_t)
+ seutil_manage_file_contexts($1_setsebool_t)
+ seutil_manage_default_contexts($1_setsebool_t)
+ seutil_manage_config($1_setsebool_t)
+')
+
+#######################################
+## <summary>
+## All rules necessary to run semanage command
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_semanage_policy',`
+ gen_require(`
+ type semanage_tmp_t;
+ type policy_config_t;
+ ')
+ allow $1 self:capability { dac_override audit_write };
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
+
+ # Running genhomedircon requires this for finding all users
+ auth_use_nsswitch($1)
+
+ allow $1 policy_config_t:file { read write };
+
+ allow $1 semanage_tmp_t:dir manage_dir_perms;
+ allow $1 semanage_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+
+ files_read_etc_files($1)
+ files_read_etc_runtime_files($1)
+ files_read_usr_files($1)
+ files_list_pids($1)
+ fs_list_inotifyfs($1)
+
+ mls_file_write_all_levels($1)
+ mls_file_read_all_levels($1)
+
+ selinux_getattr_fs($1)
+ selinux_validate_context($1)
+ selinux_get_enforce_mode($1)
+
+ term_use_all_terms($1)
+
+ libs_use_ld_so($1)
+ libs_use_shared_libs($1)
+
+ locallogin_use_fds($1)
+
+ logging_send_syslog_msg($1)
+
+ miscfiles_read_localization($1)
+
+ seutil_search_default_contexts($1)
+ seutil_domtrans_loadpolicy($1)
+ seutil_read_config($1)
+ seutil_manage_bin_policy($1)
+ seutil_use_newrole_fds($1)
+ seutil_manage_module_store($1)
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
+
+ userdom_dontaudit_write_unpriv_user_home_content_files($1)
+
+ optional_policy(`
+ rpm_dontaudit_rw_tmp_files($1)
+ rpm_dontaudit_rw_pipes($1)
+ ')
+')
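Review bot: `seutil_setsebool_per_role_template` gives every per-role `$1_setsebool_t` domain the full `seutil_semanage_policy` set — load policy, manage the module store and binary policy, read and write files at all MLS levels — plus manage_file_contexts/default_contexts/config, which is far more than setting booleans requires and turns a per-user boolean helper into a per-user policy editor. If the extra rules exist only to work around the `# Bug in semanage`, the comment should name the bug and the rules should be the minimum it needs. The `<desc>` text ("derived domains which are used for setsebool plugins that are executed by a browser") is copied from a plugin template and does not describe this one; something like `This template creates a per-role domain in which setsebool runs when invoked from the user domain.` would.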
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2007-12-19 05:38:09.000000000 -0500
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
@@ -92,6 +91,10 @@
domain_interactive_fd(semanage_t)
role system_r types semanage_t;
+type setsebool_t;
+type setsebool_exec_t;
+init_system_domain(setsebool_t, setsebool_exec_t)
+
type semanage_store_t;
files_type(semanage_store_t)
@@ -162,6 +165,7 @@
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
+fs_list_inotifyfs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
@@ -183,15 +187,11 @@
userdom_use_all_users_fds(load_policy_t)
-ifdef(`hide_broken_symptoms',`
- # cjp: cover up stray file descriptors.
- dontaudit load_policy_t selinux_config_t:file write;
-
- optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
- ')
+optional_policy(`
+ usermanage_dontaudit_use_useradd_fds(load_policy_t)
')
+
########################################
#
# Newrole local policy
@@ -209,7 +209,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(newrole_t)
read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
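Review bot: `logging_send_audit_msgs(newrole_t)` is added twice in this file: here, replacing the raw netlink_audit_socket rule, and again in the next hunk after `libs_use_shared_libs(newrole_t)`. Duplicate rules compile, but the second copy is noise; keep the one here next to the other self: rules and drop the later one.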
@@ -265,6 +265,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
+logging_send_audit_msgs(newrole_t)
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
@@ -329,6 +330,8 @@
seutil_libselinux_linked(restorecond_t)
+userdom_read_all_users_home_dirs_symlinks(restorecond_t)
+
optional_policy(`
rpm_use_script_fds(restorecond_t)
')
@@ -341,7 +344,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(run_init_t)
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -404,72 +407,31 @@
# semodule local policy
#
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file { read write };
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
+seutil_semanage_policy(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
-domain_use_interactive_fds(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
-
-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
-
-selinux_validate_context(semanage_t)
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
-selinux_set_boolean(semanage_t)
-
-term_use_all_terms(semanage_t)
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-libs_use_ld_so(semanage_t)
-libs_use_shared_libs(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
+userdom_search_sysadm_home_dirs(semanage_t)
+
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
+optional_policy(`
+ #signal mcstrans on reload
+ init_spec_domtrans_script(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
@@ -477,26 +439,44 @@
# Handle pp files created in homedir and /tmp
userdom_read_sysadm_home_content_files(semanage_t)
userdom_read_sysadm_tmp_files(semanage_t)
-
- optional_policy(`
- unconfined_read_home_content_files(semanage_t)
- unconfined_read_tmp_files(semanage_t)
- ')
+ userdom_read_unpriv_users_home_content_files(semanage_t)
+ userdom_read_unpriv_users_tmp_files(semanage_t)
')
########################################
#
+# setsebool local policy
+#
+seutil_semanage_policy(setsebool_t)
+selinux_set_boolean(setsebool_t)
+
+init_dontaudit_use_fds(setsebool_t)
+
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+
+########################################
+#
# Setfiles local policy
#
allow setfiles_t self:capability { dac_override dac_read_search fowner };
dontaudit setfiles_t self:capability sys_tty_config;
allow setfiles_t self:fifo_file rw_file_perms;
+dontaudit setfiles_t self:dir relabelfrom;
+dontaudit setfiles_t self:file relabelfrom;
+dontaudit setfiles_t self:lnk_file relabelfrom;
+
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+logging_send_audit_msgs(setfiles_t)
+
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
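Review bot: The comment `# Bug in semanage` above the setsebool_t setfiles/manage rules does not say which bug or why setsebool must transition to setfiles and manage file_contexts and the selinux config; mount.te in this same patch shows the better form with a bugzilla reference. Replace it with a comment that names the symptom and tracker, e.g. `# setsebool goes through libsemanage, which rewrites contexts; see <tracker id placeholder>`, so the grants can be removed once the underlying issue is fixed. The same block appears in seutil_setsebool_per_role_template and would benefit from the same comment.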
@@ -518,9 +498,12 @@
files_read_etc_files(setfiles_t)
files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
+files_list_isid_type_dirs(setfiles_t)
+files_read_isid_type_files(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
+fs_getattr_all_files(setfiles_t)
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
@@ -560,13 +543,6 @@
# for config files in a home directory
userdom_read_all_users_home_content_files(setfiles_t)
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
- fs_rw_tmpfs_chr_files(setfiles_t)
-')
-
ifdef(`distro_redhat', `
fs_rw_tmpfs_chr_files(setfiles_t)
fs_rw_tmpfs_blk_files(setfiles_t)
@@ -574,18 +550,6 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
-ifdef(`hide_broken_symptoms',`
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
- ')
-
- # cjp: cover up stray file descriptors.
- optional_policy(`
- unconfined_dontaudit_read_pipes(setfiles_t)
- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
- ')
-')
-
optional_policy(`
hotplug_use_fds(setfiles_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.5/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/sysnetwork.if 2008-01-11 15:56:47.000000000 -0500
@@ -145,6 +145,25 @@
########################################
## <summary>
+## Send a generic signal to the ifconfig client.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain sending the signal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signal_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ allow $1 ifconfig_t:process signal;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## dhcpc over dbus.
## </summary>
@@ -493,6 +512,10 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
+
+ optional_policy(`
+ avahi_stream_connect($1)
+ ')
')
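Review bot: The added optional_policy block grants `avahi_stream_connect($1)` to every caller of the enclosing interface, whose header and summary start outside this hunk, so the widening applies to all domains that merely read net_conf_t. If the intent is mDNS name resolution, a comment stating that (`# resolve names via avahi when nsswitch is configured for mdns`) would make the extra reach deliberate; otherwise consider a separate interface for it.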
########################################
@@ -522,6 +545,8 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
+ # LDAP Configuration using encrypted requires
+ dev_read_urand($1)
')
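Review bot: The comment `# LDAP Configuration using encrypted requires` is a sentence fragment that does not say what requires what; the rule under it is `dev_read_urand($1)`. Suggest `# LDAP lookups over an encrypted connection need /dev/urandom`. The enclosing interface begins outside this hunk.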
########################################
@@ -556,3 +581,49 @@
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain sending the SIGCHLD.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_dhcpc_use_fds',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:fd use;
+')
+
+########################################
+## <summary>
+## Transition to system_r when execute an dhclient script
+## </summary>
+## <desc>
+## <p>
+## Execute dhclient script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+interface(`sysnet_role_transition_dhcpc',`
+ gen_require(`
+ type dhclient_exec_t;
+ ')
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
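Review bot: `sysnet_role_transition_dhcpc` requires `type dhclient_exec_t;` but its only rule uses `dhcpc_exec_t` (`role_transition $1 dhcpc_exec_t system_r;`); the gen_require should name the type actually used, `type dhcpc_exec_t;`, otherwise the interface does not link correctly when called from another module. Its header also lacks the closing `#` line before `interface(` that the other headers in this file have. In `sysnet_dontaudit_dhcpc_use_fds` the parameter summary `The domain sending the SIGCHLD.` is copied from a signal interface; `Domain to not audit.` fits a dontaudit interface.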
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.5/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/sysnetwork.te 2007-12-19 05:38:09.000000000 -0500
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
+allow dhcpc_t self:process { ptrace signal_perms };
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
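Review bot: `allow dhcpc_t self:process { ptrace signal_perms };` grants self-ptrace outright, whereas the pattern used elsewhere in this patch for the same denial is a dontaudit (`dontaudit clvmd_t self:process ptrace;` in lvm.te). Unless dhclient genuinely traces itself, `dontaudit dhcpc_t self:process ptrace;` on its own line keeps the allow rule as it was and silences the log noise without widening the domain.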
@@ -136,6 +136,7 @@
modutils_domtrans_insmod(dhcpc_t)
+userdom_dontaudit_search_sysadm_home_dirs(dhcpc_t)
userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
ifdef(`distro_redhat', `
@@ -147,11 +148,19 @@
')
optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ allow dhcpc_t self:dbus send_msg;
+
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client_template(dhcpc,dhcpc_t)
dbus_connect_system_bus(dhcpc_t)
+ dbus_read_config(dhcpc_t)
+
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
@@ -180,6 +189,10 @@
')
optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+')
+
+optional_policy(`
nis_use_ypbind(dhcpc_t)
nis_signal_ypbind(dhcpc_t)
nis_read_ypbind_pid(dhcpc_t)
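Review bot: `networkmanager_domtrans(dhcpc_t)` lets the DHCP client execute NetworkManager in its own domain, so the dependency between the two daemons now runs in both directions, but nothing in the hunk records what triggers it. A comment naming the script or hook that re-enters NetworkManager from dhclient, e.g. `# dhclient-script calls back into NetworkManager — confirm path`, would make the transition auditable later.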
@@ -196,9 +209,7 @@
')
optional_policy(`
- # dhclient sometimes starts ntpd
- init_exec_script_files(dhcpc_t)
- ntp_domtrans(dhcpc_t)
+ ntp_script_domtrans(dhcpc_t)
')
optional_policy(`
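Review bot: The comment `# dhclient sometimes starts ntpd` is removed together with the two calls it explained, yet it still describes why `ntp_script_domtrans(dhcpc_t)` is here; keep it above the new call. Without it the optional_policy block is a bare interface call with no stated reason.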
@@ -209,6 +220,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
+ seutil_domtrans_setfiles(dhcpc_t)
')
optional_policy(`
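Review bot: `seutil_domtrans_setfiles(dhcpc_t)` gives the DHCP client a transition into the setfiles/restorecon domain, whose relabel rights extend well beyond the files dhclient writes, and the hunk carries no comment on why. If this is for restoring the label on /etc/resolv.conf after dhclient-script rewrites it (a guess from the surrounding policy, not something the hunk shows), say so with a comment such as `# dhclient-script runs restorecon on the files it rewrites`, so a later reviewer can judge whether a narrower interface would do.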
@@ -220,6 +232,10 @@
')
optional_policy(`
+ vmware_append_log(dhcpc_t)
+')
+
+optional_policy(`
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
@@ -233,7 +249,6 @@
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
-dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
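Review bot: This hunk drops `dontaudit ifconfig_t self:capability sys_module;` and the hunk at L15483-L15484 replaces it with an unconditional `kernel_load_module(ifconfig_t)`, turning a silenced denial into a real grant of kernel module loading for every caller that reaches ifconfig_t. The accompanying comment says it should sit behind a boolean but cannot because of attributes; it should also name the use case that needs it (presumably ifconfig/ip auto-loading a driver or tunnel module — confirm) so the grant can be revisited once the attribute limitation is resolved.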
@@ -247,6 +262,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
+allow ifconfig_t net_conf_t:file read_file_perms;
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -263,6 +279,8 @@
kernel_read_network_state(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
kernel_rw_net_sysctls(ifconfig_t)
+# This should be put inside a boolean, but can not because of attributes
+kernel_load_module(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -273,8 +291,11 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
+selinux_dontaudit_getattr_fs(ifconfig_t)
+
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -320,6 +341,14 @@
')
optional_policy(`
+ unconfined_dontaudit_rw_pipes(ifconfig_t)
+')
+
+optional_policy(`
+ vmware_append_log(ifconfig_t)
+')
+
+optional_policy(`
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.5/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/udev.te 2007-12-19 05:38:09.000000000 -0500
@@ -96,9 +96,6 @@
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
dev_relabel_all_dev_nodes(udev_t)
-# udev_node.c/node_symlink() symlink labels are explicitly
-# preserved, instead of short circuiting the relabel
-dev_relabel_generic_symlinks(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -189,6 +186,7 @@
optional_policy(`
alsa_domtrans(udev_t)
+ alsa_read_lib(udev_t)
alsa_read_rw_config(udev_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.5/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2007-12-19 05:38:09.000000000 -0500
@@ -10,7 +10,11 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
ifdef(`distro_gentoo',`
/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
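Review bot: The five new entries are appended after the `ifdef(`distro_gentoo',...)` block instead of next to the distribution-independent execmem entries above it, so the file now interleaves generic and Gentoo-only contexts; move them above the ifdef (or at least restore the blank line that separated the two groups). The three `unconfined_notrans_exec_t` entries are also the first use of that type in this file, and a short comment above them saying what "notrans" buys mock, livecd-creator and sysreport would help, since the type name alone does not say whether it suppresses transitions out of the domain or into it.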
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-21 02:48:29.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
- type unconfined_t;
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# Use any Linux capability.
- allow $1 self:capability *;
+ allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
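Review bot: `all_capabilities` in `allow $1 self:capability all_capabilities;` and `all_association_perms` in the next hunk (L15571) are permission-set macros that must exist in the policy's support macros (policy/support/*.spt); nothing visible in this chunk defines them, so if they are not already declared the module will fail to expand. Replacing `*` with named sets is the right direction for a loadable module, but a comment or the patch description should point to where those sets are declared.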
@@ -27,12 +26,13 @@
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
+ allow $1 self:dir rw_dir_perms;
# Userland object managers
- allow $1 self:nscd *;
- allow $1 self:dbus *;
- allow $1 self:passwd *;
- allow $1 self:association *;
+ allow $1 self:nscd all_nscd_perms;
+ allow $1 self:dbus all_dbus_perms;
+ allow $1 self:passwd all_passwd_perms;
+ allow $1 self:association all_association_perms;
kernel_unconfined($1)
corenet_unconfined($1)
@@ -70,6 +70,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
')
optional_policy(`
@@ -581,7 +582,6 @@
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
- class dbus acquire_svc;
')
allow $1 unconfined_t:dbus acquire_svc;
@@ -589,7 +589,7 @@
########################################
## <summary>
-## Read files in unconfined users home directories.
+## Allow ptrace of unconfined domain
## </summary>
## <param name="domain">
## <summary>
@@ -597,20 +597,53 @@
## </summary>
## </param>
#
-interface(`unconfined_read_home_content_files',`
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
gen_require(`
- type unconfined_home_dir_t, unconfined_home_t;
+ type unconfined_t;
')
- files_search_home($1)
- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ allow $1 unconfined_t:shm rw_shm_perms;
')
########################################
## <summary>
-## Read unconfined users temporary files.
+## Read and write to unconfined execmem shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_rw_shm',`
+ gen_require(`
+ type unconfined_execmem_t;
+ ')
+
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+## Transition to the unconfined_execmem domain.
## </summary>
## <param name="domain">
## <summary>
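Review bot: The new `unconfined_ptrace` interface lets `$1` ptrace unconfined_t, which in practice hands the caller everything unconfined_t can do (a tracer can read and rewrite the tracee's memory and registers), yet its summary is a bare "Allow ptrace of unconfined domain". Expand the `<desc>` to state that callers should be reviewed as if they were unconfined, consistent with the `# this is disallowed usage:` convention the .te files attach to similar grants. Separately, `unconfined_read_home_content_files` is removed outright rather than deprecated; any module still calling it will fail to build, and no replacement is visible in the hunk.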
@@ -618,31 +651,132 @@
## </summary>
## </param>
#
-interface(`unconfined_read_tmp_files',`
+interface(`unconfined_execmem_domtrans',`
+
gen_require(`
- type unconfined_tmp_t;
+ type unconfined_execmem_t, unconfined_execmem_exec_t;
')
- files_search_tmp($1)
- allow $1 unconfined_tmp_t:dir list_dir_perms;
- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t)
')
########################################
## <summary>
-## Write unconfined users temporary files.
+## allow attempts to use unconfined ttys and ptys.
## </summary>
## <param name="domain">
## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_use_terminals',`
+ gen_require(`
+ type unconfined_devpts_t;
+ type unconfined_tty_device_t;
+ ')
+
+ allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
+ allow $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_use_terminals',`
+ gen_require(`
+ type unconfined_devpts_t;
+ type unconfined_tty_device_t;
+ ')
+
+ dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
+ dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## unconfined with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_stream_sockets',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read/write unconfined tmpfs files.
+## </summary>
+## <desc>
+## <p>
+## Read/write unconfined tmpfs files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`unconfined_write_tmp_files',`
+interface(`unconfined_rw_tmpfs_files',`
gen_require(`
- type unconfined_tmp_t;
+ type unconfined_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+ gen_require(`
+ type unconfined_t;
')
- allow $1 unconfined_tmp_t:file { getattr write append };
+ allow $1 unconfined_t:process getpgid;
')
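Review bot: The parameter doc of `unconfined_use_terminals` (L15679) says "Domain to not audit." although the interface grants access with `allow`, a copy of the text from `unconfined_dontaudit_use_terminals` below it; change it to `Domain allowed access.` and the summary to "Allow attempts to use unconfined ttys and ptys." so the generated docs distinguish the two. The interface name `unconfined_set_rlimitnh` also looks like a typo of the permission it grants (`rlimitinh`), and its summary "Allow apps to set rlimits on userdomain" names the wrong target; if the name must stay for compatibility, at least fix the summary to say unconfined_t.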
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-11 15:57:35.000000000 -0500
@@ -9,32 +9,48 @@
# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
+userdom_unpriv_user_template(unconfined)
+userdom_xwindows_client_template(unconfined)
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
type unconfined_execmem_t;
type unconfined_execmem_exec_t;
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
########################################
#
# Local policy
#
+dontaudit unconfined_t self:dir write;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+init_domtrans_script(unconfined_t)
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
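Review bot: `allow system_r unconfined_r;`, `allow unconfined_r system_r;` and `init_script_role_transition(unconfined_r)` at L15813-L15815 open role transitions in both directions between the system role and the unconfined role with no comment, and the existing header comment above them only discusses the userdom templates. A line such as `# unconfined_t runs init scripts in system_r and system daemons may return to unconfined_r` (adjusted to the real intent) would document the design. Also, `dontaudit unconfined_t self:capability sys_module;` at L15832 is only meaningful if unconfined_t is not already granted every capability via unconfined_domain elsewhere in this file (not visible in the hunk); if it is, the line is dead and should go.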
@@ -42,7 +58,10 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
+seutil_run_setsebool(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -51,13 +70,13 @@
userdom_priveleged_home_dir_manager(unconfined_t)
optional_policy(`
- ada_domtrans(unconfined_t)
+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
+ # this is dissallowed usage:
unconfined_domain(httpd_unconfined_script_t)
')
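Review bot: Line L15860 changes the correctly spelled comment `# this is disallowed usage:` to `# this is dissallowed usage:`, introducing a typo into a line that otherwise has no reason to change; restore the original spelling. The `ada_domtrans` → `ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })` change matches the run-interface pattern used by the other optional blocks in this file, so only the comment needs reverting.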
@@ -69,11 +88,11 @@
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
-optional_policy(`
- cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(unconfined_crond_t)
-')
+#optional_policy(`
+# cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+# unconfined_domain(unconfined_crontab_t)
+# role system_r types unconfined_crontab_t;
+#')
optional_policy(`
init_dbus_chat_script(unconfined_t)
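Review bot: The cron block is commented out rather than removed, and the commented text differs from what it replaces (`unconfined_crontab_t` plus a `role system_r types unconfined_crontab_t;` line instead of `unconfined_crond_t`), so it is dead code that neither records the old state nor compiles as the new one. Either delete it, or keep a single comment stating why cron integration is disabled for unconfined, e.g. `# cron support for unconfined_r is disabled: <reason>`, which is what the next reader will need.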
@@ -107,6 +126,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
+
+ optional_policy(`
+ vpnc_dbus_chat(unconfined_t)
+ ')
')
optional_policy(`
@@ -118,11 +141,7 @@
')
optional_policy(`
- inn_domtrans(unconfined_t)
-')
-
-optional_policy(`
- java_domtrans(unconfined_t)
+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
@@ -134,14 +153,6 @@
')
optional_policy(`
- mono_domtrans(unconfined_t)
-')
-
-optional_policy(`
- mta_per_role_template(unconfined, unconfined_t, unconfined_r)
-')
-
-optional_policy(`
oddjob_domtrans_mkhomedir(unconfined_t)
')
@@ -154,38 +165,27 @@
')
optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-')
-
-
-optional_policy(`
- pyzor_per_role_template(unconfined)
-')
-
-optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
-')
-
-optional_policy(`
rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_role_transition(unconfined_r)
')
optional_policy(`
samba_per_role_template(unconfined)
samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
')
optional_policy(`
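Review bot: `sysnet_role_transition_dhcpc(unconfined_r)` at L15949 is the first caller of the interface this patch adds in sysnetwork.if (L15389-L15395), and that interface's `gen_require` names `type dhclient_exec_t;` while the rule it emits is `role_transition $1 dhcpc_exec_t system_r;`; the require and the rule name different types, and since the rule is the interface's purpose the require should read `type dhcpc_exec_t;`, otherwise expanding this call requires a type that does not match what is used. The removal of the postfix, pyzor, rpc and spamassassin blocks in the same hunk carries no comment; if those were deliberate a one-line note would save the next reader from assuming they were lost in a merge.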
@@ -205,11 +205,30 @@
')
optional_policy(`
- wine_domtrans(unconfined_t)
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
+')
+
+optional_policy(`
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+')
+
+optional_policy(`
+ xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
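Review bot: `unconfined_domain(unconfined_mozilla_t)` at L15969 lacks the `# this is disallowed usage:` comment this file attaches to the equivalent `unconfined_domain(httpd_unconfined_script_t)` call, so the convention that flags template-created types being made unconfined is not followed here. The `kismet_run` call at L15974 also lists the terminal types in the opposite order (`{ unconfined_tty_device_t unconfined_devpts_t }`) from every other run call in the file; harmless to the compiler, but worth normalising.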
@@ -219,14 +238,32 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition;
optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
+ unconfined_dbus_connect(unconfined_execmem_t)
+')
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
+optional_policy(`
+ avahi_dbus_chat(unconfined_execmem_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
+')
+
+optional_policy(`
+ xserver_xdm_rw_shm(unconfined_execmem_t)
')
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
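Review bot: The new "Unconfined notrans Local policy" section declares a second fully unconfined domain via `unconfined_domain_noaudit(unconfined_notrans_t)` without a comment saying what "notrans" means or which executables (mock, livecd-creator and sysreport per the unconfined.fc hunk in this patch) it is for; a header comment such as `# Unconfined domain for tools whose children must not domain-transition (mock, livecd-creator, sysreport)` (verify the intent) would make the section self-explanatory. Likewise `allow unconfined_execmem_t unconfined_t:process transition;` at L15985 is an unexplained raw rule in a file that otherwise goes through interfaces; note why the execmem domain needs to transition back to unconfined_t.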
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.5/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,5 @@
-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
-HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
-
-/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
+HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-15 11:58:29.000000000 -0500
@@ -29,8 +29,9 @@
')
attribute $1_file_type;
+ attribute $1_usertype;
- type $1_t, userdomain;
+ type $1_t, userdomain, $1_usertype;
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
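Review bot: The new `attribute $1_usertype;` is introduced without a comment, although the following hunk moves most of the base user permissions from `$1_t` to this attribute, making it the central concept of the rewritten template. Add a comment at its declaration stating which types are meant to carry it (presumably `$1_t` plus derived per-role domains that should share the user's base access — confirm) and that any interface granting access to it widens to all of them.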
@@ -45,66 +46,70 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
- allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_t self:shm create_shm_perms;
- allow $1_t self:sem create_sem_perms;
- allow $1_t self:msgq create_msgq_perms;
- allow $1_t self:msg { send receive };
- allow $1_t self:context contains;
- dontaudit $1_t self:socket create;
-
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
-
- kernel_read_kernel_sysctls($1_t)
- kernel_dontaudit_list_unlabeled($1_t)
- kernel_dontaudit_getattr_unlabeled_files($1_t)
- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-
- dev_dontaudit_getattr_all_blk_files($1_t)
- dev_dontaudit_getattr_all_chr_files($1_t)
+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_t:key { create view read write search link setattr };
+
+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
+ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_usertype $1_usertype:shm create_shm_perms;
+ allow $1_usertype $1_usertype:sem create_sem_perms;
+ allow $1_usertype $1_usertype:msgq create_msgq_perms;
+ allow $1_usertype $1_usertype:msg { send receive };
+ allow $1_usertype $1_usertype:context contains;
+ dontaudit $1_usertype $1_usertype:socket create;
+
+ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ term_create_pty($1_usertype,$1_devpts_t)
+
+ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+
+ application_exec_all($1_usertype)
+
+ kernel_read_kernel_sysctls($1_usertype)
+ kernel_dontaudit_list_unlabeled($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
- domain_dontaudit_read_all_domains_state($1_t)
- domain_dontaudit_getattr_all_domains($1_t)
- domain_dontaudit_getsession_all_domains($1_t)
-
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
- files_read_usr_files($1_t)
+ domain_dontaudit_read_all_domains_state($1_usertype)
+ domain_dontaudit_getattr_all_domains($1_usertype)
+ domain_dontaudit_getsession_all_domains($1_usertype)
+
+ files_read_etc_files($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
- files_list_world_readable($1_t)
- files_read_world_readable_files($1_t)
- files_read_world_readable_symlinks($1_t)
- files_read_world_readable_pipes($1_t)
- files_read_world_readable_sockets($1_t)
+ files_list_world_readable($1_usertype)
+ files_read_world_readable_files($1_usertype)
+ files_read_world_readable_symlinks($1_usertype)
+ files_read_world_readable_pipes($1_usertype)
+ files_read_world_readable_sockets($1_usertype)
# old broswer_domain():
- files_dontaudit_list_non_security($1_t)
- files_dontaudit_getattr_non_security_files($1_t)
- files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t)
-
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_ld_so($1_t)
-
- miscfiles_read_localization($1_t)
- miscfiles_read_certs($1_t)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_non_security_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
+
+ dev_dontaudit_getattr_all_blk_files($1_usertype)
+ dev_dontaudit_getattr_all_chr_files($1_usertype)
+
+ auth_use_nsswitch($1_usertype)
+
+ libs_use_ld_so($1_usertype)
+ libs_use_shared_libs($1_usertype)
+ libs_exec_ld_so($1_usertype)
- sysnet_read_config($1_t)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_certs($1_usertype)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
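Review bot: `allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };` and the following `fd`, `fifo_file`, socket, `shm`, `sem`, `msgq`, `msg` and `context` rules replace `self` with the attribute as both source and target, which grants every type carrying `$1_usertype` those permissions on every other type in the attribute, not just on itself; `setcap`, `share`, `setsched` and `shm`/`sem` creation across distinct domains are considerably wider than the original self rules. If cross-domain access within the attribute is intended, say so in a comment; otherwise use `allow $1_usertype self:...` for these rules and keep attribute-to-attribute only where sharing is wanted. The new `allow $1_usertype $1_t:key { create view read write search link setattr };` is also asymmetric (attribute to base type) and deserves a one-line comment. `sysnet_read_config($1_t)` is dropped without a visible replacement; `auth_use_nsswitch($1_usertype)` may cover it in this tree, but confirm.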
@@ -115,6 +120,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(`
+ ssh_rw_stream_sockets($1_usertype)
+ ')
')
#######################################
@@ -141,33 +150,13 @@
#
template(`userdom_ro_home_template',`
gen_require(`
- attribute home_type, home_dir_type, $1_file_type;
+ type user_home_t, user_home_dir_t;
')
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
- files_mountpoint($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_mountpoint($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
- files_poly_member($1_home_dir_t)
-
- ##############################
- #
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- # Rules used to associate a homedir as a mountpoint
- allow $1_home_t self:filesystem associate;
+ ifelse(`$1',`user',`',`
+ typealias user_home_t alias $1_home_t;
+ typealias user_home_dir_t alias $1_home_dir_t;
+ ')
##############################
#
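Review bot: `userdom_ro_home_template` no longer creates `$1_home_t`/`$1_home_dir_t` but aliases them to the shared `user_home_t`/`user_home_dir_t`, so home-directory content of every role instantiated through this template now carries one type, and the template's `<summary>`/`<desc>` above the hunk (not visible) should say that the per-role separation of home data is gone. The same aliasing appears in `userdom_manage_home_template` (L16257-L16260) and `userdom_manage_tmp_template` (L16385-L16387) and in the read rules at L16219-L16225, so one design note in the template docs covers all of them. The removed `files_mountpoint`, `files_poly_member` and `filesystem associate` rules on the old per-role types presumably now accompany the user_home_* declarations elsewhere; that is not visible here, so confirm nothing was dropped.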
@@ -175,13 +164,13 @@
#
# read-only home directory
- allow $1_t $1_home_dir_t:dir list_dir_perms;
- allow $1_t $1_home_t:dir list_dir_perms;
- allow $1_t $1_home_t:file entrypoint;
- read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
+ allow $1_t user_home_dir_t:dir list_dir_perms;
+ allow $1_t user_home_t:dir list_dir_perms;
+ allow $1_t user_home_t:file entrypoint;
+ read_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t)
+ read_lnk_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t)
+ read_fifo_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t)
+ read_sock_files_pattern($1_t,{ user_home_t user_home_dir_t },user_home_t)
files_list_home($1_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -231,30 +220,14 @@
#
template(`userdom_manage_home_template',`
gen_require(`
- attribute home_type, home_dir_type, $1_file_type;
+ attribute home_type, home_dir_type;
+ type user_home_t, user_home_dir_t;
')
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
-
- ##############################
- #
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- # Rules used to associate a homedir as a mountpoint
- allow $1_home_t self:filesystem associate;
+ ifelse(`$1',`user',`',`
+ typealias user_home_t alias $1_home_t;
+ typealias user_home_dir_t alias $1_home_dir_t;
+ ')
##############################
#
@@ -262,43 +235,44 @@
#
# full control of the home directory
- allow $1_t $1_home_t:file entrypoint;
- manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
- files_list_home($1_t)
+ allow $1_t user_home_t:file entrypoint;
+ allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom };
+ manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type)
+ filetrans_pattern($1_usertype,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
+ files_list_home($1_usertype)
# cjp: this should probably be removed:
- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1_usertype user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_t)
- fs_manage_nfs_files($1_t)
- fs_manage_nfs_symlinks($1_t)
- fs_manage_nfs_named_sockets($1_t)
- fs_manage_nfs_named_pipes($1_t)
+ fs_manage_nfs_dirs($1_usertype)
+ fs_manage_nfs_files($1_usertype)
+ fs_manage_nfs_symlinks($1_usertype)
+ fs_manage_nfs_named_sockets($1_usertype)
+ fs_manage_nfs_named_pipes($1_usertype)
',`
- fs_dontaudit_manage_nfs_dirs($1_t)
- fs_dontaudit_manage_nfs_files($1_t)
+ fs_dontaudit_manage_nfs_dirs($1_usertype)
+ fs_dontaudit_manage_nfs_files($1_usertype)
')
tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_t)
- fs_manage_cifs_files($1_t)
- fs_manage_cifs_symlinks($1_t)
- fs_manage_cifs_named_sockets($1_t)
- fs_manage_cifs_named_pipes($1_t)
+ fs_manage_cifs_dirs($1_usertype)
+ fs_manage_cifs_files($1_usertype)
+ fs_manage_cifs_symlinks($1_usertype)
+ fs_manage_cifs_named_sockets($1_usertype)
+ fs_manage_cifs_named_pipes($1_usertype)
',`
- fs_dontaudit_manage_cifs_dirs($1_t)
- fs_dontaudit_manage_cifs_files($1_t)
+ fs_dontaudit_manage_cifs_dirs($1_usertype)
+ fs_dontaudit_manage_cifs_files($1_usertype)
')
')
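Review bot: `user_home_type` is the target of `allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom };` and of every manage_*/relabel_* pattern in this hunk, but the template's `gen_require` in the preceding hunk (L16233-L16234) lists only `home_type, home_dir_type` and `user_home_t, user_home_dir_t`; since this template is expanded in other modules (unconfined.te calls `userdom_unpriv_user_template(unconfined)` in this patch, which presumably expands it), the require needs `attribute user_home_type;` or the expansion will fail to link there. The blanket `relabelto relabelfrom` rule on `dir_file_class_set` also lets the user relabel to any type carrying `user_home_type`, wider than the per-type relabel_*_pattern calls below it; a comment on why it is needed would help.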
@@ -316,14 +290,20 @@
## <rolebase/>
#
template(`userdom_exec_home_template',`
- can_exec($1_t,$1_home_t)
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1_t)
+ tunable_policy(`allow_$1_exec_content', `
+ can_exec($1_usertype,user_home_type)
+ ',`
+ dontaudit $1_usertype user_home_type:file execute;
')
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1_t)
+
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
+
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
')
')
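Review bot: `userdom_exec_home_template` now depends on a per-prefix boolean `allow_$1_exec_content` (as does `userdom_exec_tmp_template` at L16405), but the template's documentation block above the hunk still carries only `<rolebase/>`, and nothing in this chunk declares the tunable with gen_tunable. Document it in the template's `<desc>`, e.g. "Execution of home content is gated by the allow_$1_exec_content boolean, which the instantiating module must declare", and check that every user prefix that instantiates this template declares it, otherwise the tunable_policy blocks reference an undefined boolean.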
@@ -341,11 +321,10 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
- type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
- files_poly($1_home_dir_t)
- files_poly_parent($1_home_dir_t)
- files_poly_parent($1_home_t)
- files_poly_member($1_home_t)
+ gen_require(`
+ type user_home_dir_t;
+ ')
+ type_member $1_t user_home_dir_t:dir user_home_dir_t;
')
#######################################
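Review bot: `type_member $1_t user_home_dir_t:dir user_home_dir_t;` keeps `$1_t` while the sibling templates in this change moved to `$1_usertype`, and the removed `files_poly`/`files_poly_parent`/`files_poly_member` calls have no visible replacement for user_home_dir_t (only userdom_user_home_content later adds files_poly_member, and only for content types). Unless user_home_dir_t is marked as a polyinstantiated parent where it is declared, home-directory polyinstantiation loses its parent marking here. A comment such as `# user_home_dir_t is marked poly/poly_parent at its declaration`, or an explicit `files_poly_parent(user_home_dir_t)`, would settle it.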
@@ -369,18 +348,18 @@
#
template(`userdom_manage_tmp_template',`
gen_require(`
- attribute $1_file_type;
+ type user_tmp_t;
')
- type $1_tmp_t, $1_file_type;
- files_tmp_file($1_tmp_t)
-
- manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
+ ifelse(`$1',`user',`',`
+ typealias user_tmp_t alias $1_tmp_t;
+ ')
+ manage_dirs_pattern($1_usertype,user_tmp_t,user_tmp_t)
+ manage_files_pattern($1_usertype,user_tmp_t,user_tmp_t)
+ manage_lnk_files_pattern($1_usertype,user_tmp_t,user_tmp_t)
+ manage_sock_files_pattern($1_usertype,user_tmp_t,user_tmp_t)
+ manage_fifo_files_pattern($1_usertype,user_tmp_t,user_tmp_t)
+ files_tmp_filetrans($1_usertype, user_tmp_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
@@ -396,7 +375,13 @@
## <rolebase/>
#
template(`userdom_exec_tmp_template',`
- exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ tunable_policy(`allow_$1_exec_content', `
+ exec_files_pattern($1_usertype, user_tmp_t, user_tmp_t)
+ ')
')
#######################################
@@ -510,10 +495,6 @@
## <rolebase/>
#
template(`userdom_exec_generic_pgms_template',`
- gen_require(`
- type $1_t;
- ')
-
corecmd_exec_bin($1_t)
')
@@ -531,9 +512,6 @@
## <rolebase/>
#
template(`userdom_basic_networking_template',`
- gen_require(`
- type $1_t;
- ')
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
@@ -548,10 +526,6 @@
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
-
- optional_policy(`
- ipsec_match_default_spd($1_t)
- ')
')
#######################################
@@ -568,30 +542,29 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
- type $1_t, $1_tmpfs_t;
+ type $1_tmpfs_t;
')
- dev_rw_xserver_misc($1_t)
- dev_rw_power_management($1_t)
- dev_read_input($1_t)
- dev_read_misc($1_t)
- dev_write_misc($1_t)
+ dev_rw_xserver_misc($1_usertype)
+ dev_rw_power_management($1_usertype)
+ dev_read_input($1_usertype)
+ dev_read_misc($1_usertype)
+ dev_write_misc($1_usertype)
# open office is looking for the following
- dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri($1_t)
+ dev_getattr_agp_dev($1_usertype)
+ dev_dontaudit_rw_dri($1_usertype)
# GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
-
- xserver_user_client_template($1,$1_t,$1_tmpfs_t)
- xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t)
+ dev_rw_usbfs($1_usertype)
+ xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
+ xserver_xsession_entry_type($1_usertype)
+ xserver_dontaudit_write_log($1_usertype)
+ xserver_stream_connect_xdm($1_usertype)
# certain apps want to read xdm.pid file
- xserver_read_xdm_pid($1_t)
+ xserver_read_xdm_pid($1_usertype)
# gnome-session creates socket under /tmp/.ICE-unix/
- xserver_create_xdm_tmp_sockets($1_t)
+ xserver_create_xdm_tmp_sockets($1_usertype)
# Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
+ xserver_manage_xdm_tmp_files($1_usertype)
')
#######################################
@@ -717,6 +690,12 @@
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
+ logging_send_syslog_msg($1_usertype)
+ logging_dontaudit_send_audit_msgs($1_t)
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+ logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
+
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
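Review bot: `logging_dontaudit_send_audit_msgs($1_t)` followed two lines later by `logging_send_audit_msgs($1_t)` is contradictory: the allow makes the dontaudit dead, and a login user domain ends up with audit-message write access solely to satisfy a screensaver, as the comment admits. Drop the dontaudit line and either gate the allow with a tunable or move it to the screensaver domain as the comment proposes; also fix the typo `# Need to to this` → `# Need to do this`. The same three lines appear as existing context in a later template of this patch, so if the templates are nested the rules are granted twice; the enclosing template starts outside this hunk.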
@@ -728,11 +707,11 @@
# for eject
storage_getattr_fixed_disk_dev($1_t)
- auth_use_nsswitch($1_t)
auth_read_login_records($1_t)
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ authlogin_per_role_template($1, $1_t, $1_r)
init_read_utmp($1_t)
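Review bot: `auth_use_nsswitch($1_t)` is removed and `authlogin_per_role_template($1, $1_t, $1_r)` added in its place, but nothing in the hunk shows that the per-role template covers name-service lookups; if it does not, user domains lose NSS socket and config access. A later hunk in this patch shows the identical `authlogin_per_role_template($1, $1_t, $1_r)` call as existing context in another template, so nested templates would call it twice for one prefix. A comment such as `# authlogin_per_role_template includes auth_use_nsswitch` would document the replacement; the enclosing template begins outside this hunk.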
@@ -758,10 +737,6 @@
dev_read_mouse($1_t)
')
- tunable_policy(`user_ttyfile_stat',`
- term_getattr_all_user_ttys($1_t)
- ')
-
optional_policy(`
alsa_read_rw_config($1_t)
')
@@ -783,20 +758,20 @@
')
optional_policy(`
- evolution_dbus_chat($1,$1_t)
- evolution_alarm_dbus_chat($1,$1_t)
+ consolekit_dbus_chat($1_t)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
+ evolution_dbus_chat($1,$1_t)
+ evolution_alarm_dbus_chat($1,$1_t)
')
optional_policy(`
- hal_dbus_chat($1_t)
+ networkmanager_dbus_chat($1_t)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
+ vpnc_dbus_chat($1_t)
')
')
@@ -824,11 +799,18 @@
mta_rw_spool($1_t)
')
-
optional_policy(`
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
- ')
+ alsa_read_rw_config($1_t)
+ ')
+
+ optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_t)
+ ')
+ ')
+
+ tunable_policy(`user_ttyfile_stat',`
+ term_getattr_all_user_ttys($1_t)
')
optional_policy(`
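Review bot: The `allow_user_mysql_connect` block is deleted here, so that boolean has no effect for this template unless honoured elsewhere, and the relocated postgresql block keeps only `postgresql_stream_connect($1_t)`, dropping the `postgresql_tcp_connect($1_t)` the removed copy in the following hunk had. Both are silent behaviour changes for administrators who set those booleans; if intended, record it, e.g. `# allow_user_postgresql_connect now grants unix-socket access only`. The added `alsa_read_rw_config($1_t)` optional block appears to duplicate the one visible as context earlier in this template, so one of the two can go.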
@@ -842,13 +824,6 @@
')
optional_policy(`
- tunable_policy(`allow_user_postgresql_connect',`
- postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
- ')
- ')
-
- optional_policy(`
resmgr_stream_connect($1_t)
')
@@ -889,6 +864,8 @@
## </param>
#
template(`userdom_login_user_template', `
+ gen_tunable(allow_$1_exec_content,true)
+
userdom_base_user_template($1)
userdom_manage_home_template($1)
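Review bot: `gen_tunable(allow_$1_exec_content,true)` declares a per-prefix boolean without the `## <desc>` block refpolicy uses to document tunables, so the generated boolean carries no description for booleans listings. Add above it, one `##` line per element, a block along the lines of `## <desc><p>Allow $1 users to execute files in their home directories and /tmp</p></desc>`. Defaulting to `true` keeps the previous unconditional behaviour, which is worth stating in that description so administrators know what turning it off changes.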
@@ -917,26 +894,26 @@
allow $1_t self:context contains;
- kernel_dontaudit_read_system_state($1_t)
+ kernel_dontaudit_read_system_state($1_usertype)
- dev_read_sysfs($1_t)
- dev_read_urand($1_t)
+ dev_read_sysfs($1_usertype)
+ dev_read_urand($1_usertype)
- domain_use_interactive_fds($1_t)
+ domain_use_interactive_fds($1_usertype)
# Command completion can fire hundreds of denials
- domain_dontaudit_exec_all_entry_files($1_t)
+ domain_dontaudit_exec_all_entry_files($1_usertype)
- files_dontaudit_list_default($1_t)
- files_dontaudit_read_default_files($1_t)
# Stat lost+found.
- files_getattr_lost_found_dirs($1_t)
+ files_getattr_lost_found_dirs($1_usertype)
- fs_get_all_fs_quotas($1_t)
- fs_getattr_all_fs($1_t)
- fs_getattr_all_dirs($1_t)
- fs_search_auto_mountpoints($1_t)
- fs_list_inotifyfs($1_t)
- fs_rw_anon_inodefs_files($1_t)
+ files_dontaudit_list_default($1_usertype)
+ files_dontaudit_read_default_files($1_usertype)
+
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
+ fs_rw_anon_inodefs_files($1_usertype)
auth_dontaudit_write_login_records($1_t)
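Review bot: `fs_search_all($1_usertype)` replaces `fs_getattr_all_dirs` and `fs_search_auto_mountpoints`, which grants search on every filesystem type's directories rather than getattr plus automount search, and it now applies to the whole `$1_usertype` attribute. If the broader search is required, add a comment saying why (`# search on all fs types needed for ...`); otherwise keep the two narrower calls. `auth_dontaudit_write_login_records($1_t)` stays on `$1_t`, so the conversion is partial; the enclosing template continues outside the hunk.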
@@ -944,43 +921,43 @@
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
- init_dontaudit_rw_utmp($1_t)
+ init_dontaudit_rw_utmp($1_usertype)
# Stop warnings about access to /dev/console
- init_dontaudit_use_fds($1_t)
- init_dontaudit_use_script_fds($1_t)
+ init_dontaudit_use_fds($1_usertype)
+ init_dontaudit_use_script_fds($1_usertype)
- libs_exec_lib_files($1_t)
+ libs_exec_lib_files($1_usertype)
- logging_dontaudit_getattr_all_logs($1_t)
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
+ miscfiles_read_man_pages($1_usertype)
# for running TeX programs
- miscfiles_read_tetex_data($1_t)
- miscfiles_exec_tetex_data($1_t)
-
- seutil_read_config($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
+ seutil_read_config($1_usertype)
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
+ cups_stream_connect_ptal($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
+ kerberos_use($1_usertype)
+ kerberos_524_connect($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
+ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
+ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
+ rpm_read_db($1_usertype)
+ rpm_dontaudit_manage_db($1_usertype)
')
')
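Review bot: `kerberos_524_connect($1_usertype)` is a new network permission (connecting to the krb524 port) added for every domain carrying `$1_usertype`, with no tunable and no comment, in a hunk that otherwise only renames `$1_t` to `$1_usertype`. State what needs it, e.g. `# krb524 ticket conversion used by older kerberized clients`, or gate it like the other optional network access in this file. The enclosing template appears to end at this hunk's final `')` but begins outside it.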
@@ -1014,9 +991,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
- typeattribute $1_home_dir_t user_home_dir_type;
- typeattribute $1_home_t user_home_type;
- typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
##############################
@@ -1025,16 +999,32 @@
#
# privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+ manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
+
+ optional_policy(`
+ dbus_per_role_template($1, $1_usertype, $1_r)
+ dbus_system_bus_client_template($1, $1_usertype)
+
+ optional_policy(`
+ consolekit_dbus_chat($1_usertype)
+ ')
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ ')
+ ')
optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
+
+ optional_policy(`
+ nsplugin_per_role_template($1, $1_usertype, $1_r)
+ ')
')
#######################################
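Review bot: `dbus_per_role_template($1, $1_usertype, $1_r)` and `nsplugin_per_role_template($1, $1_usertype, $1_r)` now receive the `$1_usertype` attribute where the removed code passed the concrete `$1_t`; per-role templates commonly declare domain transitions and role assignments for their second argument, and any that uses it as the result type of a `type_transition` will fail to build, while source-side uses silently apply to every usertype domain. Confirm each template accepts an attribute and document it here: `# $1_usertype is an attribute; templates below must not use it as a transition target`. The enclosing template starts before this hunk.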
@@ -1062,6 +1052,13 @@
userdom_restricted_user_template($1)
+ # Should be optional but policy will not build because of compiler problems
+ # Must be before xwindows calls
+ #optional_policy(`
+ gnome_per_role_template($1, $1_usertype, $1_r)
+ gnome_exec_gconf($1_t)
+ #')
+
userdom_xwindows_client_template($1)
##############################
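Review bot: The commented-out `optional_policy` around `gnome_per_role_template($1, $1_usertype, $1_r)` makes every caller of this template hard-depend on the gnome module; with gnome absent the base policy fails to build instead of merely losing gnome support. The note `# Should be optional but policy will not build because of compiler problems` names neither a compiler version nor a bug, so nobody can tell when it is safe to restore the optional block. Replace it with something like `# FIXME: optional_policy() here breaks the build with checkpolicy <version> (bug N); re-wrap once fixed`, filling in the real reference; the enclosing template starts outside this hunk.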
@@ -1070,14 +1067,14 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
- dev_dontaudit_read_rand($1_t)
+ dev_dontaudit_read_rand($1_usertype)
- logging_send_syslog_msg($1_t)
+ logging_send_syslog_msg($1_usertype)
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -1085,33 +1082,14 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
- ')
-
- optional_policy(`
- dbus_per_role_template($1, $1_t, $1_r)
- dbus_system_bus_client_template($1, $1_t)
-
- optional_policy(`
- consolekit_dbus_chat($1_t)
- ')
-
- optional_policy(`
- cups_dbus_chat($1_t)
- ')
- ')
-
- optional_policy(`
- java_per_role_template($1, $1_t, $1_r)
+ alsa_read_rw_config($1_usertype)
')
- optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
- ')
-
- optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
- ')
+ # Broken Cover up bugzilla #345921 Should be removed when this is fixed
+ corenet_tcp_connect_soundd_port($1_t)
+ corenet_tcp_sendrecv_soundd_port($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_lo_node($1_t)
')
#######################################
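Review bot: The block marked `# Broken Cover up bugzilla #345921` grants `corenet_tcp_sendrecv_all_if($1_t)` alongside the soundd-port connect, which is wider than the `corenet_tcp_sendrecv_lo_node($1_t)` next to it suggests is needed; if the sound daemon is reached on loopback only, `corenet_tcp_sendrecv_lo_if($1_t)` would do. The hunk also silently drops `java_per_role_template` and `mono_per_role_template`, so java and mono launched by these users no longer get per-role domains unless that moved elsewhere; a line like `# java/mono per-role templates moved to <template>` would confirm it is intentional. The enclosing template starts outside this hunk.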
@@ -1121,10 +1099,10 @@
## </summary>
## <desc>
## <p>
-## The template for creating a unprivileged user roughly
-## equivalent to a regular linux user.
-## </p>
-## <p>
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+## </p>
+## <p>
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
@@ -1187,22 +1165,17 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ hal_dbus_chat($1_t)
')
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
-
- optional_policy(`
- setroubleshoot_stream_connect($1_t)
- ')
')
#######################################
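Review bot: Under `user_tcp_server`, `corenet_tcp_bind_all_unreserved_ports($1_t)` replaces `corenet_tcp_bind_generic_port`, letting the user domain bind any port type in the unreserved attribute rather than only the generic port; depending on how corenetwork populates that attribute this can include named high ports such as database or proxy ports, letting an unprivileged user squat on a service's port before the service starts. If that is acceptable for this boolean, say so: `# user_tcp_server: may bind any unreserved port, including named ones`; otherwise keep the generic-port rule. The removal of the ping/traceroute conditionals is a separate, unmentioned behaviour change; the enclosing template starts outside this hunk.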
@@ -1278,8 +1251,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1416,6 +1387,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
+ files_create_default_dir($1)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1781,10 +1753,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
+ attribute user_home_type;
+ attribute home_type;
')
typeattribute $2 $1_file_type;
- files_type($2)
+ typeattribute $2 user_home_type;
+ typeattribute $2 home_type;
+ files_poly_member($2)
')
########################################
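Review bot: `userdom_user_home_content` now adds `user_home_type` and `home_type` to every type any module registers as home content and drops `files_type($2)`; unless `home_type` carries file_type where it is declared, such types fall out of the `files_*_all_files` interfaces that backup and relabel domains rely on. The shared attribute is also what `can_exec($1_usertype,user_home_type)` and `manage_dirs_pattern($2,{ user_home_dir_t user_home_type },user_home_t)` elsewhere in this patch match on, so the `$1` prefix no longer scopes anything. A comment on the typeattribute line should say so: `# user_home_type is prefix-independent: rules on it reach every user's home content`.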
@@ -1880,11 +1856,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
- type $1_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
+ allow $2 user_home_dir_t:dir search_dir_perms;
')
########################################
@@ -1914,11 +1890,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
- type $1_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir list_dir_perms;
+ allow $2 user_home_dir_t:dir list_dir_perms;
')
########################################
@@ -1962,12 +1938,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- domain_auto_trans($2,$1_home_t,$3)
+ allow $2 user_home_dir_t:dir search_dir_perms;
+ domain_auto_trans($2,user_home_t,$3)
')
########################################
@@ -1997,10 +1973,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
- type $1_home_dir_t;
+ type user_home_dir_t;
')
- dontaudit $2 $1_home_dir_t:dir list_dir_perms;
+ dontaudit $2 user_home_dir_t:dir list_dir_perms;
')
########################################
@@ -2032,11 +2008,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
')
files_search_home($2)
- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_dirs_pattern($2,{ user_home_dir_t user_home_type },user_home_t)
+')
+
+########################################
+## <summary>
+## dontaudit attemps to Create files
+## in a user home subdirectory.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete directories
+## in a user home subdirectory.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_dontaudit_create_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $2 user_home_dir_t:file create;
')
########################################
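Review bot: The description of the new `userdom_dontaudit_create_user_home_content_files` is copied from the manage interface: the summary says `dontaudit attemps to Create files` while the desc says `Create, read, write, and delete directories`, and the rule is `dontaudit $2 user_home_dir_t:file create`, which neither matches. Replace the desc paragraph with `Do not audit attempts to create files directly in a user home directory.` and fix `attemps` → `attempts`. Separately, `manage_dirs_pattern($2,{ user_home_dir_t user_home_type },user_home_t)` above now lets `$2` manage directories of every type tagged user_home_type, not only user_home_t as before; if wanted, the interface summary (outside this hunk) should say so.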
@@ -2068,10 +2080,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
- dontaudit $2 $1_home_t:file setattr;
+ dontaudit $2 user_home_t:file setattr;
')
########################################
@@ -2101,11 +2113,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ read_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -2135,11 +2147,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
- type $1_home_t;
+ type user_home_t;
')
- dontaudit $2 $1_home_t:dir list_dir_perms;
- dontaudit $2 $1_home_t:file read_file_perms;
+ dontaudit $2 user_home_t:dir list_dir_perms;
+ dontaudit $2 user_home_t:file read_file_perms;
')
########################################
@@ -2169,10 +2181,10 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
- type $1_home_t;
+ type user_home_t;
')
- dontaudit $2 $1_home_t:file write;
+ dontaudit $2 user_home_t:file write;
')
########################################
@@ -2202,11 +2214,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ read_lnk_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -2236,11 +2248,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ exec_files_pattern($2,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -2270,10 +2282,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
- type $1_home_t;
+ type user_home_t;
')
- dontaudit $2 $1_home_t:file execute;
+ dontaudit $2 user_home_t:file execute;
')
########################################
@@ -2305,12 +2317,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_files_pattern($2,$1_home_t,$1_home_t)
+ allow $2 user_home_dir_t:dir search_dir_perms;
+ manage_files_pattern($2,user_home_t,user_home_t)
')
########################################
@@ -2342,10 +2354,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
- dontaudit $2 $1_home_t:dir manage_dir_perms;
+ dontaudit $2 user_home_t:dir manage_dir_perms;
')
########################################
@@ -2377,12 +2389,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
+ allow $2 user_home_dir_t:dir search_dir_perms;
+ manage_lnk_files_pattern($2,user_home_t,user_home_t)
')
########################################
@@ -2414,12 +2426,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
+ allow $2 user_home_dir_t:dir search_dir_perms;
+ manage_fifo_files_pattern($2,user_home_t,user_home_t)
')
########################################
@@ -2451,12 +2463,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_sock_files_pattern($2,$1_home_t,$1_home_t)
+ allow $2 user_home_dir_t:dir search_dir_perms;
+ manage_sock_files_pattern($2,user_home_t,user_home_t)
')
########################################
@@ -2501,11 +2513,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
- type $1_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($2)
- filetrans_pattern($2,$1_home_dir_t,$3,$4)
+ filetrans_pattern($2,user_home_dir_t,$3,$4)
')
########################################
@@ -2550,11 +2562,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
- type $1_home_t;
+ type user_home_t;
')
files_search_home($2)
- filetrans_pattern($2,$1_home_t,$3,$4)
+ filetrans_pattern($2,user_home_t,$3,$4)
')
########################################
@@ -2594,11 +2606,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
- type $1_home_dir_t, $1_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($2)
- filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
+ filetrans_pattern($2,user_home_dir_t,user_home_t,$3)
')
########################################
@@ -2628,11 +2640,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- allow $2 $1_tmp_t:sock_file write;
+ allow $2 user_tmp_t:sock_file write;
')
########################################
@@ -2662,11 +2674,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
+ allow $2 user_tmp_t:dir list_dir_perms;
')
########################################
@@ -2698,10 +2710,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
- dontaudit $2 $1_tmp_t:dir list_dir_perms;
+ dontaudit $2 user_tmp_t:dir list_dir_perms;
')
########################################
@@ -2733,10 +2745,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
- dontaudit $2 $1_tmp_t:dir manage_dir_perms;
+ dontaudit $2 user_tmp_t:dir manage_dir_perms;
')
########################################
@@ -2766,12 +2778,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
- read_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ allow $2 user_tmp_t:dir list_dir_perms;
+ read_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -2803,10 +2815,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
- dontaudit $2 $1_tmp_t:file read_file_perms;
+ dontaudit $2 user_tmp_t:file read_file_perms;
')
########################################
@@ -2838,10 +2850,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
+ ')
+
+ dontaudit $2 user_tmp_t:file append;
+')
+
+########################################
+## <summary>
+## unlink all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_unlink_unpriv_users_tmp_files',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ files_delete_tmp_dir_entry($1)
+ allow $1 user_tmpfile:file unlink;
+')
+
+########################################
+## <summary>
+## Connect to unpriviledged users over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_unpriv_users_stream_connect',`
+ gen_require(`
+ attribute user_tmpfile;
+ attribute userdomain;
')
- dontaudit $2 $1_tmp_t:file append;
+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
')
########################################
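Review bot: Both new interfaces key on `attribute user_tmpfile`, yet this patch removes `typeattribute $1_tmp_t user_tmpfile;` from the user template and nothing visible attaches the attribute to `user_tmp_t`; if it is not added where user_tmp_t is declared, `userdom_unlink_unpriv_users_tmp_files` and `userdom_unpriv_users_stream_connect` match no types and silently grant nothing. `stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)` also targets the `userdomain` attribute, which by name includes privileged user domains, while the interface is called `unpriv`; if this policy has an `unpriv_userdomain` attribute it is the better fit. Fix the summary typo `unpriviledged` → `unprivileged`.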
@@ -2871,12 +2921,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
- rw_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ allow $2 user_tmp_t:dir list_dir_perms;
+ rw_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -2908,10 +2958,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
- dontaudit $2 $1_tmp_t:file manage_file_perms;
+ dontaudit $2 user_tmp_t:file manage_file_perms;
')
########################################
@@ -2943,12 +2993,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
- read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ allow $2 user_tmp_t:dir list_dir_perms;
+ read_lnk_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -2980,11 +3030,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t)
+ manage_dirs_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -3016,11 +3066,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- manage_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ manage_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -3052,11 +3102,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ manage_lnk_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -3088,11 +3138,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ manage_fifo_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -3124,11 +3174,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($2)
- manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t)
+ manage_sock_files_pattern($2,user_tmp_t,user_tmp_t)
')
########################################
@@ -3173,10 +3223,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
- filetrans_pattern($2,$1_tmp_t,$3,$4)
+ filetrans_pattern($2,user_tmp_t,$3,$4)
files_search_tmp($2)
')
@@ -3217,10 +3267,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
')
- files_tmp_filetrans($2,$1_tmp_t,$3)
+ files_tmp_filetrans($2,user_tmp_t,$3)
')
########################################
@@ -3248,6 +3298,42 @@
## </summary>
## </param>
#
+template(`userdom_read_user_tmpfs_files',`
+ gen_require(`
+ type $1_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($2)
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
+ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Read/write user tmpfs files.
+## </summary>
+## <desc>
+## <p>
+## Read/write user tmpfs files.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
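Review bot: The new `userdom_read_user_tmpfs_files` template is inserted between the existing doc comment and the definition of `userdom_rw_user_tmpfs_files` (the hunk opens on that comment's closing `## </param>`), so the generated documentation attributes the rw template's summary to the read template, while the freshly added `Read/write user tmpfs files` block documents rw. Move the new template above the original comment, or give it its own block starting `## <summary>Read user tmpfs files.</summary>` with the same two `<param>` entries. The read template also grants `list_dir_perms` on `$1_tmpfs_t:dir` and symlink reads, which its summary should mention.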
@@ -4225,11 +4311,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
- type staff_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($1)
- allow $1 staff_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:dir search_dir_perms;
')
########################################
@@ -4245,10 +4331,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
- type staff_home_dir_t;
+ type user_home_dir_t;
')
- dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+ dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
########################################
@@ -4264,11 +4350,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
- type staff_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($1)
- allow $1 staff_home_dir_t:dir manage_dir_perms;
+ allow $1 user_home_dir_t:dir manage_dir_perms;
')
########################################
@@ -4283,16 +4369,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
- type staff_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($1)
- allow $1 staff_home_dir_t:dir relabelto;
+ allow $1 user_home_dir_t:dir relabelto;
')
########################################
## <summary>
-## Do not audit attempts to append to the staff
+## Do not audit attempts to append to the
## users home directory.
## </summary>
## <param name="domain">
@@ -4301,12 +4387,27 @@
## </summary>
## </param>
#
-interface(`userdom_dontaudit_append_staff_home_content_files',`
+interface(`userdom_dontaudit_append_unpriv_home_content_files',`
gen_require(`
- type staff_home_t;
+ type user_home_t;
')
- dontaudit $1 staff_home_t:file append;
+ dontaudit $1 user_home_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append to the staff
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_staff_home_content_files',`
+ userdom_dontaudit_append_unpriv_home_content_files($1)
')
########################################
@@ -4321,13 +4422,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
- type staff_home_dir_t, staff_home_t;
+ type user_home_dir_t, user_home_t;
')
files_search_home($1)
- allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
- read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
- read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
+ allow $1 { user_home_dir_t user_home_t }:dir list_dir_perms;
+ read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+ read_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
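Review bot: `userdom_read_staff_home_content_files` now reads `user_home_t` under `user_home_dir_t`, which after this change is every login user's home content, not only staff's; any domain granted this interface because staff home data was acceptable to expose now reads all users' files. The interface keeps its `staff` name, so callers get no hint of the wider reach. Either add `## <p>All user home content is labeled user_home_t, so this reads every user's home files.</p>` to its summary (outside the hunk) or make it a thin alias of a generically named interface, as `userdom_dontaudit_append_staff_home_content_files` was handled earlier in this patch.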
@@ -4525,10 +4626,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- allow $1 sysadm_home_dir_t:dir getattr;
+ allow $1 admin_home_t:dir getattr;
')
########################################
@@ -4545,10 +4646,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir getattr;
+ dontaudit $1 admin_home_t:dir getattr;
')
########################################
@@ -4563,10 +4664,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- allow $1 sysadm_home_dir_t:dir search_dir_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
')
########################################
@@ -4582,10 +4683,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+ dontaudit $1 admin_home_t:dir search_dir_perms;
')
########################################
@@ -4600,10 +4701,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- allow $1 sysadm_home_dir_t:dir list_dir_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
')
########################################
@@ -4619,10 +4720,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+ dontaudit $1 admin_home_t:dir list_dir_perms;
')
########################################
@@ -4638,12 +4739,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:file read_file_perms;
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
')
########################################
@@ -4670,10 +4770,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- filetrans_pattern($1,sysadm_home_dir_t,$2,$3)
+ filetrans_pattern($1,admin_home_t,$2,$3)
')
########################################
@@ -4688,10 +4788,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
')
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
')
########################################
@@ -4706,13 +4806,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
')
files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+ allow $1 admin_home_t:dir list_dir_perms;
+ read_files_pattern($1, admin_home_t, admin_home_t)
+ read_lnk_files_pattern($1, admin_home_t, admin_home_t)
')
########################################
@@ -4748,11 +4848,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
+ attribute user_home_dir_type;
+ ')
+
+ files_list_home($1)
+ allow $1 user_home_dir_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all users home directories symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_home_dirs_symlinks',`
+ gen_require(`
attribute home_dir_type;
')
files_list_home($1)
- allow $1 home_dir_type:dir search_dir_perms;
+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read all users home directories symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_home_content_symlinks',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ files_list_home($1)
+ allow $1 user_home_t:lnk_file read_lnk_file_perms;
')
########################################
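Review bot: The summary of `userdom_read_all_users_home_content_symlinks` is a copy of the preceding interface's ("Read all users home directories symlinks") although it acts on `user_home_t:lnk_file`, i.e. symlinks inside home directories rather than the home directory entries; it should read "Read all unprivileged users home content symlinks". Note also that `userdom_search_all_users_home_dirs` now keys on `user_home_dir_type` instead of `home_dir_type`, and `admin_home_t` is declared later in this patch with only `home_type`, so a caller of this "all users" interface apparently no longer gets search on /root — if that narrowing is intended, a comment in the interface should say admin home directories are excluded. The content-symlink interface also calls only `files_list_home($1)` and grants no search on the home directory types, so the symlink is reachable only if the caller already has that from elsewhere.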
@@ -4772,6 +4910,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(crond_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(crond_t)
+ ')
')
########################################
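Review bot: The two tunable blocks added to this interface hard-code `crond_t` instead of the interface argument: `fs_list_nfs(crond_t)` and `fs_list_cifs(crond_t)` grant NFS/CIFS listing to crond no matter which domain calls the interface, and `crond_t` is not in the interface's `gen_require`, so the rule only resolves as a side effect of the caller's scope. They should be `fs_list_nfs($1)` and `fs_list_cifs($1)`. The interface's header and gen_require sit above this hunk.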
@@ -5109,7 +5255,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
- type staff_home_dir_t;
+ type user_home_dir_t;
')
files_search_home($1)
@@ -5298,6 +5444,49 @@
########################################
## <summary>
+## append all unprivileged users home directory
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_append_unpriv_users_home_content_files',`
+ gen_require(`
+ attribute user_home_dir_type, user_home_type;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_type:dir list_dir_perms;
+ append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+')
+
+########################################
+## <summary>
+## dontaudit Read all unprivileged users home directory
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
+ gen_require(`
+ attribute user_home_dir_type, user_home_type;
+ ')
+
+ files_search_home($1)
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
+ dontaudit $1 user_home_type:file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
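Review bot: In `userdom_dontaudit_read_unpriv_users_home_content_files`, the line `dontaudit $1 user_home_type:file read_lnk_file_perms;` names the `file` class with the symlink permission set; since `read_lnk_file_perms` is presumably just `{ getattr read }`, the line duplicates the `read_file_perms` rule above it and symlink reads are still audited. It should be `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;`. The `user_home_dir_type` attribute is required by the same interface but never used; either drop it or add `dontaudit $1 user_home_dir_type:dir search_dir_perms;` so the parent-directory denials are silenced as well.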
@@ -5503,6 +5692,42 @@
########################################
## <summary>
+## Write all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_users_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+## Write all unprivileged users lnk_files in /tmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_unpriv_users_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
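Review bot: Both new interfaces are documented as "Write ..." but use `manage_files_pattern`/`manage_lnk_files_pattern`, which also grant create, unlink, rename and setattr on `user_tmp_t`; the summaries should say "Create, read, write, and delete all unprivileged users files in /tmp" (and "... symlinks in /tmp"), matching the wording this file uses for its other manage interfaces. Neither interface grants search on the /tmp directory itself, unlike the home and var/lib interfaces in this patch that call `files_search_home($1)` or `files_list_var_lib($1)` before their pattern; presumably `files_search_tmp($1)` belongs before each pattern call.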
@@ -5668,6 +5893,42 @@
########################################
## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
+## dontaudit search keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:key search;
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
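Review bot: `userdom_manage_all_users_keys` grants `manage_key_perms` on the keyrings of every domain carrying the `userdomain` attribute, which in this patch includes `sysadm_t` and, via `userdom_unpriv_usertype`, every unprivileged and restricted user type; a caller can therefore manage (presumably read, write and link) keys in any user's keyring, including the administrator's. The summary should carry that caveat so the interface is not handed to ordinary services, e.g. `## Manage the keyrings of every user domain, including sysadm. Intended only for trusted login-path domains.` — the "login-path" qualifier is my reading of the intended callers, to be confirmed.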
@@ -5698,3 +5959,277 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+## <summary>
+## allow getattr all user file type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_list_user_files',`
+ gen_require(`
+ attribute $1_file_type;
+ ')
+
+ allow $2 $1_file_type:dir search_dir_perms;
+ allow $2 $1_file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to homedirs of sysadm users
+## home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_sysadm_home_dirs',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir write;
+')
+
+########################################
+## <summary>
+## Ptrace all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_ptrace_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:process ptrace;
+')
+
+########################################
+## <summary>
+## unlink all unprivileged users home directory
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_unlink_unpriv_users_home_content_files',`
+ gen_require(`
+ attribute user_home_dir_type, user_home_type;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_type:dir list_dir_perms;
+ allow $1 user_home_type:file unlink;
+')
+
+########################################
+## <summary>
+## dontaudit search all users home directory
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_users_home_dirs',`
+
+ gen_require(`
+ attribute user_home_dir_type;
+ ')
+
+ files_search_home($1)
+ dontaudit $1 user_home_dir_type:dir search_dir_perms;
+')
+
+
+########################################
+## <summary>
+## Identify specified type as being in a users home directory
+## </summary>
+## <desc>
+## <p>
+## Make the specified type a home type.
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used as a home directory type.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_type',`
+ gen_require(`
+ attribute user_home_type;
+ attribute home_type;
+ ')
+ typeattribute $1 user_home_type;
+ typeattribute $1 home_type;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to relabel unpriv user
+## home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabel_unpriv_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ dontaudit $1 user_home_type:file { relabelto relabelfrom };
+')
+
+
+########################################
+## <summary>
+## Mmap of unpriv user
+## home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mmap_unpriv_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_type:file execute;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to write to user home dir files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_unpriv_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file write;
+')
+
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_set_rlimitnh',`
+ gen_require(`
+ attribute userdomain;
+ ')
+ allow $1 userdomain:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`userdom_unpriv_usertype',`
+ gen_require(`
+ attribute unpriv_userdomain, userdomain;
+ attribute $1_usertype;
+ ')
+ typeattribute $2 $1_usertype;
+ typeattribute $2 unpriv_userdomain;
+ typeattribute $2 userdomain;
+')
+
+
+########################################
+## <summary>
+## Manage and create all files in /tmp on behalf of the user
+## </summary>
+## <desc>
+## <p>
+## The interface for full access to the temporary directories.
+## This creates a derived type for the user
+## temporary type. Execute access is not given.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## The class of the object to be created.
+## If not specified, file is used.
+## </summary>
+## </param>
+#
+template(`userdom_transition_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_tmp_filetrans($2, user_tmp_t, $3)
+')
+
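Review bot: `userdom_dontaudit_write_unpriv_user_home_content_files` is documented as a dontaudit but its body is `allow $1 user_home_type:file write;`, so every caller silently gains write access to all unprivileged users' home files instead of merely suppressing the denial; it should be `dontaudit $1 user_home_type:file write;`. Two other definitions in this hunk have mismatched documentation: `userdom_list_user_files` takes a userdomain prefix as `$1` and the domain as `$2` yet documents a single `domain` parameter (and is declared as an `interface` rather than a `template` like its `$1_usertype`-style sibling `userdom_unpriv_usertype`), and `userdom_unpriv_usertype`'s summary reads "Define this type as a Allow apps to set rlimits on userdomain" with `domain` documented twice. `userdom_set_rlimitnh` also looks like a typo for `userdom_set_rlimitinh` given the `rlimitinh` permission it grants.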
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.te 2008-01-02 14:18:19.000000000 -0500
@@ -2,12 +2,7 @@
policy_module(userdomain,2.5.0)
gen_require(`
- role sysadm_r, staff_r, user_r;
-
- ifdef(`enable_mls',`
- role secadm_r;
- role auditadm_r;
- ')
+ role sysadm_r;
')
########################################
@@ -17,20 +12,13 @@
## <desc>
## <p>
-## Allow sysadm to debug or ptrace all processes.
+## Allow sysadm to debug or ptrace all processes
## </p>
## </desc>
gen_tunable(allow_ptrace,false)
## <desc>
## <p>
-## Allow users to connect to mysql
-## </p>
-## </desc>
-gen_tunable(allow_user_mysql_connect,false)
-
-## <desc>
-## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
@@ -74,6 +62,9 @@
# users home directory contents
attribute home_type;
+# Executables to be run by user
+attribute user_exec_type;
+
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
@@ -101,40 +92,49 @@
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
-########################################
-#
-# Local policy
-#
+type admin_home_t, home_type;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
+
+type user_home_t, user_file_type, user_home_type, home_type;
+files_type(user_home_t)
+files_associate_tmp(user_home_t)
+fs_associate_tmpfs(user_home_t)
+files_mountpoint(user_home_t)
+files_poly_parent(user_home_t)
+files_poly_member(user_home_t)
+
+# type of home directory
+type user_home_dir_t, home_dir_type, user_home_dir_type, home_type;
+files_type(user_home_dir_t)
+files_mountpoint(user_home_dir_t)
+files_associate_tmp(user_home_dir_t)
+fs_associate_tmpfs(user_home_dir_t)
+files_poly(user_home_dir_t)
+files_poly_member(user_home_dir_t)
+files_poly_parent(user_home_dir_t)
-userdom_admin_user_template(sysadm)
-userdom_unpriv_user_template(staff)
-userdom_unpriv_user_template(user)
+type user_tmp_t, user_file_type, user_tmpfile;
+files_tmp_file(user_tmp_t)
-# user role change rules:
-# sysadm_r can change to user roles
-userdom_role_change_template(sysadm, user)
-userdom_role_change_template(sysadm, staff)
-
-# only staff_r can change to sysadm_r
-userdom_role_change_template(staff, sysadm)
-dontaudit staff_t admin_terminal:chr_file { read write };
-
-ifdef(`enable_mls',`
- userdom_unpriv_user_template(secadm)
- userdom_unpriv_user_template(auditadm)
+##############################
+#
+# User home directory file rules
+#
- userdom_role_change_template(staff, auditadm)
- userdom_role_change_template(staff, secadm)
+allow user_file_type user_home_t:filesystem associate;
- userdom_role_change_template(sysadm, secadm)
- userdom_role_change_template(sysadm, auditadm)
+# Rules used to associate a homedir as a mountpoint
+allow user_home_t self:filesystem associate;
- userdom_role_change_template(auditadm, secadm)
- userdom_role_change_template(auditadm, sysadm)
+########################################
+#
+# Local policy
+#
- userdom_role_change_template(secadm, auditadm)
- userdom_role_change_template(secadm, sysadm)
-')
+userdom_admin_user_template(sysadm)
########################################
#
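Review bot: `admin_home_t` is declared here with only the `home_type` attribute, while `user_home_dir_t` carries `home_dir_type` and `user_home_dir_type`; the "all users home dirs" interfaces in this patch key on one of those two attributes, so /root is no longer covered by them and is reachable only through the explicit `userdom_*_sysadm_home_*` interfaces. If that separation is intended, a comment above the declaration should say so (`# admin_home_t is deliberately not a home_dir_type: /root is reached only via the sysadm_home interfaces`); if not, add `home_dir_type` to the declaration. The staff/user templates and every `userdom_role_change_template` call are removed from this file; `userdom_role_change_template(staff, auditadm)` reappears in users/auditadm.te later in this patch, but the staff→sysadm and sysadm→user/staff changes have no visible replacement in this chunk and presumably live in new per-user modules — worth checking they were not dropped.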
@@ -154,6 +154,11 @@
init_exec(sysadm_t)
+kernel_sigstop_unlabeled(sysadm_t)
+kernel_signal_unlabeled(sysadm_t)
+kernel_kill_unlabeled(sysadm_t)
+kernel_read_unlabeled_state(sysadm_t)
+
# Following for sending reboot and wall messages
userdom_use_unpriv_users_ptys(sysadm_t)
userdom_use_unpriv_users_ttys(sysadm_t)
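Review bot: The four `kernel_*_unlabeled(sysadm_t)` lines have no explanatory comment, although the rule group right below them does ("Following for sending reboot and wall messages"); signalling and killing unlabeled processes is a recovery capability whose reason is not obvious from the rule itself. A one-line why-comment above them is warranted, e.g. `# Let sysadm inspect and kill processes left unlabeled (e.g. after a policy load) — TODO confirm this is the intent`.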
@@ -170,46 +175,7 @@
')
')
-ifdef(`enable_mls',`
- allow auditadm_t self:capability { dac_read_search dac_override };
- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- domain_kill_all_domains(auditadm_t)
- seutil_read_bin_policy(auditadm_t)
- corecmd_exec_shell(auditadm_t)
- logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
- allow secadm_t self:capability { dac_read_search dac_override };
- corecmd_exec_shell(secadm_t)
- domain_obj_id_change_exemption(secadm_t)
- mls_process_read_up(secadm_t)
- mls_file_read_all_levels(secadm_t)
- mls_file_write_all_levels(secadm_t)
- mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
- auth_relabel_all_files_except_shadow(secadm_t)
- dev_relabel_all_dev_nodes(secadm_t)
- auth_relabel_shadow(secadm_t)
- init_exec(secadm_t)
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
- logging_read_audit_config(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
-
- optional_policy(`
- aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
-
- optional_policy(`
- netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
-',`
+ifdef(`enable_mls',`',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
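Review bot: The auditadm_t and secadm_t rules removed from this MLS block are only partly re-homed in what is visible: auditadm's rules reappear in users/auditadm.te later in the patch, but no secadm module appears in this chunk, and the only MLS-side replacement visible is `userdom_security_admin_template(sysadm_t, ...)` in a later hunk of this file, which folds the security administrator's powers (mls_file_upgrade/downgrade, auth_relabel_shadow, netlabel management) into sysadm_t. If a secadm.te exists elsewhere in the patch this is fine; otherwise MLS builds lose the secadm/sysadm separation of duty, and the dropped `role secadm_r` require at the top of this file suggests nothing here references it any more. Stylistically, `ifdef(`enable_mls',`',`` with an empty true branch reads oddly; a comment such as `# under MLS the audit rules belong to auditadm (users/auditadm.te)` would make the empty branch look intentional.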
@@ -224,6 +190,10 @@
')
optional_policy(`
+ amtu_run(sysadm_t, sysadm_r, admin_terminal)
+')
+
+optional_policy(`
apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -279,14 +249,6 @@
')
optional_policy(`
- consoletype_exec(sysadm_t)
-
- ifdef(`enable_mls',`
- consoletype_exec(auditadm_t)
- ')
-')
-
-optional_policy(`
cron_admin_template(sysadm, sysadm_t, sysadm_r)
')
@@ -302,12 +264,9 @@
optional_policy(`
dmesg_exec(sysadm_t)
-
- ifdef(`enable_mls',`
- dmesg_exec(auditadm_t)
- ')
')
+
optional_policy(`
dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
')
@@ -352,6 +311,10 @@
')
optional_policy(`
+ kismet_run(sysadm_t, sysadm_r, admin_terminal)
+')
+
+optional_policy(`
lvm_run(sysadm_t, sysadm_r, admin_terminal)
')
@@ -387,6 +350,10 @@
')
optional_policy(`
+ netlabel_run_mgmt(sysadm_t, sysadm_r, admin_terminal)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r, admin_terminal)
netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
@@ -436,15 +403,19 @@
optional_policy(`
samba_run_net(sysadm_t, sysadm_r, admin_terminal)
+ samba_run_smbcontrol(sysadm_t, sysadm_r, admin_terminal)
samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal)
')
optional_policy(`
+ seutil_run_setsebool(sysadm_t, sysadm_r, admin_terminal)
seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal)
seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
ifdef(`enable_mls',`
- userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
+# tunable_policy(`allow_sysadm_manage_security',`
+ userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
+# ')
', `
userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
')
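Review bot: Under `enable_mls` the new code calls `userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)` unconditionally, with the `tunable_policy(`allow_sysadm_manage_security'` wrapper left as commented-out lines; both branches of the `ifdef` are now identical, so the conditional is dead and the commented code is misleading. Either implement the boolean (a `gen_tunable(allow_sysadm_manage_security, false)` with its `<desc>` block in the declarations and a real `tunable_policy` around the MLS call) or collapse the `ifdef` to a single `userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)` with a comment recording that sysadm is the security administrator in both MLS and non-MLS builds. The enclosing `optional_policy` block closes below this hunk.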
@@ -487,3 +458,8 @@
optional_policy(`
yam_run(sysadm_t, sysadm_r, admin_terminal)
')
+
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
+')
+
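Review bot: `tunable_policy(`allow_console_login', ...)` references a boolean that is not declared in any hunk of this file visible here; if `gen_tunable(allow_console_login, false)` with its `<desc>` block lives elsewhere (another module, or a part of the declarations not in this diff) this is fine, otherwise the module will not build. When the boolean is on, the rule gives `term_use_console` to every type carrying `userdomain`, which per the templates in this patch includes the restricted `guest_t` and `gadmin` users, so its description should state that it applies to all user domains rather than just sysadm, e.g. `## Allow all user domains (including restricted users) to read and write the physical console.`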
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.5/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/virt.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.5/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/virt.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,78 @@
+## <summary>Virtualization </summary>
+
+########################################
+## <summary>
+## Read virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## append virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:file append;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_rw_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
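Review bot: `virt_append_lib_files` is the only interface in this file that grants no search on /var/lib and uses a bare `allow` instead of a pattern macro, so a caller can append to `virt_var_lib_t` files only if it can already reach them; for consistency with its siblings it should read `files_list_var_lib($1)` followed by `append_files_pattern($1, virt_var_lib_t, virt_var_lib_t)`. The `<param>` text of `virt_rw_lib_files` and `virt_manage_lib_files` says "Domain allowed to transition", a copy-paste from a domtrans interface; nothing here transitions, so it should be "Domain allowed access." as in the first two interfaces.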
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.5/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/virt.te 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.5/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/xen.if 2007-12-19 05:38:09.000000000 -0500
@@ -191,3 +191,24 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1,xen_image_t,xen_image_t)
+')
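Review bot: The parameter description says "Domain allowed to transition" but the interface performs no domain transition, only read/write on `xen_image_t` files; it should read "Domain allowed access." like the other interfaces in this patch. The body also covers regular files only, while xen.te in this patch grants xend `rw_blk_files_pattern` and `read_lnk_files_pattern` on `xen_image_t`, so a caller whose guest images are block devices or are reached through symlinks will still be denied; if that is intended, the summary should say "regular image files".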
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.5/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/xen.te 2007-12-19 05:38:09.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow xen to manage nfs files
+## </p>
+## </desc>
+gen_tunable(xen_use_nfs,false)
+
# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t);
@@ -45,9 +52,7 @@
type xenstored_t;
type xenstored_exec_t;
-domain_type(xenstored_t)
-domain_entry_file(xenstored_t,xenstored_exec_t)
-role system_r types xenstored_t;
+init_daemon_domain(xenstored_t,xenstored_exec_t)
# var/lib files
type xenstored_var_lib_t;
@@ -59,8 +64,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
-domain_type(xenconsoled_t)
-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)
role system_r types xenconsoled_t;
# pid files
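Review bot: `role system_r types xenconsoled_t;` is kept after the switch to `init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)`, although the equivalent hunk for xenstored just above drops its role line together with the `domain_type`/`domain_entry_file` pair; `init_daemon_domain` presumably already associates the domain with `system_r`, so this line is redundant and the two daemons are now declared inconsistently. Delete `role system_r types xenconsoled_t;` so both match.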
@@ -95,7 +99,7 @@
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
-allow xend_t xenctl_t:fifo_file manage_file_perms;
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(xend_t, xenctl_t, fifo_file)
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
@@ -103,14 +107,14 @@
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
# pid file
-allow xend_t xend_var_run_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir })
# log files
-allow xend_t xend_var_log_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t)
manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
@@ -122,15 +126,13 @@
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
+init_stream_connect_script(xend_t)
+
# transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
# transition to console
-domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-allow xenconsoled_t xend_t:fd use;
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
@@ -176,6 +178,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
@@ -214,6 +217,10 @@
netutils_domtrans(xend_t)
optional_policy(`
+ brctl_domtrans(xend_t)
+')
+
+optional_policy(`
consoletype_exec(xend_t)
')
@@ -224,7 +231,7 @@
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
@@ -257,7 +264,7 @@
miscfiles_read_localization(xenconsoled_t)
-xen_append_log(xenconsoled_t)
+xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
########################################
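Review bot: Replacing `xen_append_log` with `xen_manage_log` widens xenconsoled from append-only to create/unlink/rename on the xend log type, giving up the append-only guarantee on those logs for a daemon that handles guest console output; a one-line why-comment would record the reason, e.g. `# xenconsoled creates per-guest console logs — TODO confirm`, assuming that is the motivation.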
@@ -265,7 +272,7 @@
# Xen store local policy
#
-allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
@@ -318,12 +325,13 @@
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xm_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
+manage_sock_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
@@ -336,6 +344,7 @@
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
@@ -351,8 +360,11 @@
storage_raw_read_fixed_disk(xm_t)
+fs_getattr_all_fs(xm_t)
+
term_use_all_terms(xm_t)
+init_stream_connect_script(xm_t)
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
@@ -363,6 +375,20 @@
sysnet_read_config(xm_t)
+userdom_dontaudit_search_sysadm_home_dirs(xm_t)
+
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
+
+tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+ fstools_manage_nfs(xend_t)
+')
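Review bot: The `xend_t` rules appended at the end of the file (`fs_list_auto_mountpoints(xend_t)` through the `xen_use_nfs` block) sit under the "Xen management local policy" section for `xm_t`, with a `#Should have a boolean wrapping these` comment that reads as an unfinished TODO rather than a decision; they belong in the xend local policy section above, and the comment should either be resolved by wrapping the four unconditional rules in a boolean or replaced with a note stating why they are always on. If `fs_manage_nfs_files` and `fstools_manage_nfs` are meant to let xend keep guest images on NFS, the tunable description at the top of this file ("Allow xen to manage nfs files") could say so explicitly.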
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.2.5/policy/modules/users/auditadm.fc
--- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/auditadm.fc 2008-01-02 11:37:55.000000000 -0500
@@ -0,0 +1 @@
+# No auditadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.if serefpolicy-3.2.5/policy/modules/users/auditadm.if
--- nsaserefpolicy/policy/modules/users/auditadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/auditadm.if 2008-01-02 11:36:36.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for auditadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.te serefpolicy-3.2.5/policy/modules/users/auditadm.te
--- nsaserefpolicy/policy/modules/users/auditadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/auditadm.te 2008-01-02 11:38:04.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(auditadm,1.0.1)
+gen_require(`
+ role staff_r;
+')
+
+userdom_unpriv_user_template(auditadm)
+
+userdom_role_change_template(staff, auditadm)
+
+allow auditadm_t self:capability { dac_read_search dac_override };
+seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+domain_kill_all_domains(auditadm_t)
+seutil_read_bin_policy(auditadm_t)
+corecmd_exec_shell(auditadm_t)
+logging_send_syslog_msg(auditadm_t)
+logging_read_generic_logs(auditadm_t)
+logging_manage_audit_log(auditadm_t)
+logging_manage_audit_config(auditadm_t)
+logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+optional_policy(`
+ dmesg_exec(auditadm_t)
+')
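Review bot: The rules moved here from the removed MLS block in userdomain.te carry over `dmesg_exec(auditadm_t)` but not the `consoletype_exec(auditadm_t)` call that was removed alongside it, so auditadm loses the ability to run consoletype with no visible replacement; add `optional_policy(`consoletype_exec(auditadm_t)')` unless the drop is deliberate. The module also hard-requires `role staff_r` at the top, so it presumably fails to load unless the staff module is present; if auditadm is meant to be installable on its own, the require and the `userdom_role_change_template(staff, auditadm)` call should go inside an `optional_policy` block.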
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.5/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/guest.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+# No guest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.5/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/guest.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.5/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/guest.te 2007-12-22 07:19:26.000000000 -0500
@@ -0,0 +1,21 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
+
+optional_policy(`
+ java_per_role_template(guest, guest_t, guest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(guest, guest_t, guest_r)
+')
+
+userdom_restricted_user_template(gadmin)
+
+optional_policy(`
+ gen_require(`
+ type xguest_mozilla_t;
+ ')
+
+ dbus_chat_user_bus(xguest,xguest_mozilla_t)
+ dbus_connectto_user_bus(xguest,xguest_mozilla_t)
+')
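Review bot: The last `optional_policy` block belongs to the xguest module, not this one: it requires `xguest_mozilla_t` and grants `dbus_chat_user_bus(xguest, xguest_mozilla_t)` and `dbus_connectto_user_bus(xguest, xguest_mozilla_t)`, while xguest.te later in this patch already holds `mozilla_per_role_template(xguest, ...)`, so these two calls should move there. `userdom_restricted_user_template(gadmin)` likewise creates a second, undocumented user (`gadmin_t`/`gadmin_r`) inside the guest module with no comment on its purpose; if it is intended, add a one-line comment above it stating what the gadmin identity is for, otherwise give it its own module like every other user in this patch.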
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.5/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/logadm.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+# No logadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.5/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/logadm.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for logadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.5/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/logadm.te 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,11 @@
+policy_module(logadm,1.0.0)
+
+########################################
+#
+# logadmin local policy
+#
+userdom_base_user_template(logadm)
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
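Review bot: `sys_ptrace` and `kill` in `allow logadm_t self:capability { ... }` are not explained, and `sys_ptrace` in particular lets a log administrator inspect any process's memory and `/proc/<pid>` state, which goes well beyond managing logs. If `logging_admin` needs them (for instance to signal the log daemon on rotation) a why-comment on that line should say so; otherwise drop `sys_ptrace`. The header comment says `logadmin` while the module and its types are `logadm`; align it to `# logadm local policy`.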
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.5/policy/modules/users/metadata.xml
--- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/metadata.xml 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+<summary>Policy modules for users</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.fc serefpolicy-3.2.5/policy/modules/users/secadm.fc
--- nsaserefpolicy/policy/modules/users/secadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/secadm.fc 2008-01-02 11:40:47.000000000 -0500
@@ -0,0 +1 @@
+# No secadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.if serefpolicy-3.2.5/policy/modules/users/secadm.if
--- nsaserefpolicy/policy/modules/users/secadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/secadm.if 2008-01-02 11:40:35.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for secadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.te serefpolicy-3.2.5/policy/modules/users/secadm.te
--- nsaserefpolicy/policy/modules/users/secadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/secadm.te 2008-01-02 14:52:04.000000000 -0500
@@ -0,0 +1,39 @@
+policy_module(secadm,1.0.1)
+gen_require(`
+ role staff_r;
+')
+
+userdom_unpriv_user_template(secadm)
+userdom_role_change_template(staff, secadm)
+
+allow secadm_t self:capability { dac_read_search dac_override };
+corecmd_exec_shell(secadm_t)
+domain_obj_id_change_exemption(secadm_t)
+mls_process_read_up(secadm_t)
+mls_file_read_all_levels(secadm_t)
+mls_file_write_all_levels(secadm_t)
+mls_file_upgrade(secadm_t)
+mls_file_downgrade(secadm_t)
+auth_relabel_all_files_except_shadow(secadm_t)
+dev_relabel_all_dev_nodes(secadm_t)
+auth_relabel_shadow(secadm_t)
+init_exec(secadm_t)
+logging_read_audit_log(secadm_t)
+logging_read_generic_logs(secadm_t)
+logging_read_audit_config(secadm_t)
+userdom_dontaudit_append_staff_home_content_files(secadm_t)
+userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+
+optional_policy(`
+ aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+ netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+ dmesg_exec(secadm_t)
+')
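Review bot: `auth_relabel_all_files_except_shadow(secadm_t)` followed two lines later by `auth_relabel_shadow(secadm_t)` amounts to relabel over every file including shadow, which may well be deliberate for a security administrator but reads as a contradiction; a comment before the pair such as `# secadm may relabel all files, shadow included` makes the intent visible. The MLS override calls (`mls_process_read_up` through `mls_file_downgrade`) are likewise unconditional and unexplained, while `secadm_r` is only assigned in policy/users under `ifdef(`enable_mls', ...)` later in this patch; a short comment stating that these are the MLS administration overrides would help the next reader.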
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.fc serefpolicy-3.2.5/policy/modules/users/staff.fc
--- nsaserefpolicy/policy/modules/users/staff.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/staff.fc 2008-01-02 11:12:56.000000000 -0500
@@ -0,0 +1 @@
+# No staff file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.if serefpolicy-3.2.5/policy/modules/users/staff.if
--- nsaserefpolicy/policy/modules/users/staff.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/staff.if 2008-01-02 11:13:02.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-15 11:59:03.000000000 -0500
@@ -0,0 +1,38 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
+
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+
+optional_policy(`
+ xserver_per_role_template(staff, staff_t, staff_r)
+')
+
+sudo_per_role_template(staff, staff_t, staff_r)
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
+
+optional_policy(`
+ gpg_per_role_template(staff, staff_usertype, staff_r)
+')
+
+optional_policy(`
+ java_per_role_template(staff, staff_t, staff_r)
+')
+
+optional_policy(`
+ mono_per_role_template(staff, staff_t, staff_r)
+')
+
+optional_policy(`
+ setroubleshoot_stream_connect(staff_t)
+')
+
+optional_policy(`
+ netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
+ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
+')
+
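Review bot: `sudo_per_role_template(staff, staff_t, staff_r)` is called outside `optional_policy`, unlike `xserver_per_role_template`, `gpg_per_role_template`, `java_per_role_template` and `mono_per_role_template` in the same file, so a build without the sudo module fails to link instead of degrading; wrap it in an `optional_policy` block like the others. `gpg_per_role_template(staff, staff_usertype, staff_r)` passes `staff_usertype` where every other template here passes `staff_t`; if that is intended a comment should say why, and the same applies to `gpg_per_role_template(user, user_usertype, user_r)` in user.te below. The trailing empty line closing the hunk is also out of step with the rest of the tree.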
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc
--- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/user.fc 2008-01-02 11:13:33.000000000 -0500
@@ -0,0 +1 @@
+# No user file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if serefpolicy-3.2.5/policy/modules/users/user.if
--- nsaserefpolicy/policy/modules/users/user.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/user.if 2008-01-02 11:13:21.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for user user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.5/policy/modules/users/user.te
--- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/user.te 2008-01-03 13:17:42.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(user,1.0.1)
+userdom_unpriv_user_template(user)
+
+optional_policy(`
+ java_per_role_template(user, user_t, user_r)
+')
+
+optional_policy(`
+ mono_per_role_template(user, user_t, user_r)
+')
+
+optional_policy(`
+ xserver_per_role_template(user, user_t, user_r)
+')
+
+optional_policy(`
+ gpg_per_role_template(user, user_usertype, user_r)
+')
+
+optional_policy(`
+ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
+ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.5/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/webadm.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.5/policy/modules/users/webadm.if
--- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/webadm.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.5/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/webadm.te 2008-01-02 11:22:34.000000000 -0500
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
+########################################
+#
+# webadmin local policy
+#
+
+userdom_base_user_template(webadm)
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+bool webadm_read_user_files false;
+bool webadm_manage_user_files false;
+
+if (webadm_read_user_files) {
+ userdom_read_unpriv_users_home_content_files(webadm_t)
+ userdom_read_unpriv_users_tmp_files(webadm_t)
+}
+
+if (webadm_manage_user_files) {
+ userdom_manage_unpriv_users_home_content_dirs(webadm_t)
+ userdom_read_unpriv_users_tmp_files(webadm_t)
+ userdom_write_unpriv_users_tmp_files(webadm_t)
+}
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(webadm_t)
+userdom_dontaudit_search_generic_user_home_dirs(webadm_t)
+
+apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t })
+
+gen_require(`
+ type staff_t;
+')
+allow staff_t webadm_t:process transition;
+allow webadm_t staff_t:dir getattr;
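Review bot: `allow staff_t webadm_t:process transition;` and `allow webadm_t staff_t:dir getattr;` are raw rules against a type pulled in with `gen_require`, bypassing the interface layer the rest of the file uses; auditadm.te and secadm.te in this same patch express the equivalent with `userdom_role_change_template(staff, <name>)`, which should be used here as well, and since staff is now its own module the block needs to sit inside `optional_policy` so webadm still builds without it. The two booleans are declared with bare `bool` and no `<desc>` block, unlike the `gen_tunable` declarations with `## <desc>` in xguest.te; use the same form so they appear in the generated tunable documentation. `webadm_manage_user_files` only grants `userdom_manage_unpriv_users_home_content_dirs`, i.e. directories rather than the files its name promises — confirm whether a files interface is also intended.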
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.5/policy/modules/users/xguest.fc
--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/xguest.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+# No xguest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.5/policy/modules/users/xguest.if
--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/xguest.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.5/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/xguest.te 2008-01-13 08:40:07.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(xguest,1.0.1)
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media,false)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network,false)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth,false)
+
+userdom_restricted_xwindows_user_template(xguest)
+
+optional_policy(`
+ mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ java_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+# Allow mounting of file systems
+optional_policy(`
+ tunable_policy(`xguest_mount_media',`
+ hal_dbus_chat(xguest_t)
+ init_read_utmp(xguest_t)
+ auth_list_pam_console_data(xguest_t)
+ kernel_read_fs_sysctls(xguest_t)
+ files_dontaudit_getattr_boot_dirs(xguest_t)
+ files_search_mnt(xguest_t)
+ fs_manage_noxattr_fs_files(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_manage_noxattr_fs_dirs(xguest_t)
+ fs_getattr_noxattr_fs(xguest_t)
+ fs_read_noxattr_fs_symlinks(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ networkmanager_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
+
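Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice on consecutive lines in the `xguest_mount_media` block; delete the duplicate. The guest.te hunk earlier in this patch carries `dbus_chat_user_bus(xguest, xguest_mozilla_t)` and `dbus_connectto_user_bus(xguest, xguest_mozilla_t)`, which belong here next to `mozilla_per_role_template`. The tunable description `Allow xguest to use blue tooth devices` should read `Bluetooth`.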
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.5/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/policy/support/obj_perm_sets.spt 2007-12-19 05:38:09.000000000 -0500
@@ -204,7 +204,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
@@ -315,3 +315,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
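Review bot: The `all_capabilities` define closes its quote on the following line, so unlike every other permission set in this file its expansion carries a trailing newline; put `')` on the same line as the closing brace. A set that expands to every capability is also the most consequential definition in this file — any `allow X self:capability all_capabilities` makes X equivalent to root — so a comment above it stating that it is intended only for unconfined-style domains would steer future callers away from it.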
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.5/policy/users
--- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.2.5/policy/users 2007-12-21 12:52:51.000000000 -0500
@@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u, user, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
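Review bot: `gen_user(system_u, user, system_r, ...)` now gives the system identity the `user` prefix directly beneath a comment stating that a user process should never be assigned the system user identity, and nothing explains the new pairing; a one-line comment on the reason is needed. The next two hunks make the same kind of undocumented change: `gen_user(user_u, user, user_r system_r, s0, s0)` adds `system_r` to the generic unprivileged identity, and the root entry drops the `direct_sysadm_daemon` conditional so root always holds `system_r` and defaults to `unconfined_r`, while the comment above it still speaks only of staff_r and sysadm_r. Each of these widens which roles an identity may enter, so the surrounding comments should be updated to match.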
@@ -25,13 +25,10 @@
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
-gen_user(user_u, user, user_r, s0, s0)
+gen_user(user_u, user, user_r system_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
@@ -39,8 +36,4 @@
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, unconfined, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.2.5/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.2.5/Rules.modular 2007-12-19 05:38:09.000000000 -0500
@@ -73,8 +73,8 @@
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
@test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(call perrole-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+# $(call perrole-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
$(tmpdir)/%.mod.fc: $(m4support) %.fc
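Review bot: The recipe line replaced by a `#`-prefixed copy (`$(call perrole-expansion,...)` here, and `create-base-per-role-tmpl` and `parse-rolemap` in the next two hunks) is commented-out dead code; since the m4 command on the following line also drops `$@.role`, the per-role expansion is gone and the lines should be deleted rather than kept as comments, or replaced by a single `# per-role expansion removed` comment if a pointer is wanted. A `#` at column 0 inside a recipe is a Make comment, so these lines do not affect the build, but they read as if the call were merely disabled.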
@@ -129,7 +129,7 @@
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
@@ -147,7 +147,7 @@
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/rolemap.conf: $(rolemap)
$(verbose) echo "" > $@
- $(call parse-rolemap,base,$@)
+# $(call parse-rolemap,base,$@)
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.5/Rules.monolithic
--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
+++ serefpolicy-3.2.5/Rules.monolithic 2007-12-19 05:38:09.000000000 -0500
@@ -96,7 +96,7 @@
#
# Load the binary policy
#
-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
@echo "Loading $(NAME) $(loadpath)"
$(verbose) $(LOADPOLICY) -q $(loadpath)
@touch $(tmpdir)/load
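Review bot: `$(ncpath)` is added as a prerequisite of `reload`/`$(tmpdir)/load`, but nothing in the hunk shows a rule that produces it; if `ncpath` is undefined in this file the prerequisite silently vanishes as an empty expansion, and if it is defined with no rule `make reload` fails with "No rule to make target". A comment on the rule naming what `ncpath` refers to and where it is built would make the dependency checkable.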