diff -ru /tmp/policy/domains/misc/kernel.te policy/domains/misc/kernel.te --- /tmp/policy/domains/misc/kernel.te 2003-07-31 13:20:08.000000000 +1000 +++ policy/domains/misc/kernel.te 2003-07-11 20:55:13.000000000 +1000 @@ -17,6 +17,7 @@ general_proc_read_access(kernel_t) base_file_read_access(kernel_t) uses_shlib(kernel_t) +can_exec(kernel_t, shell_exec_t) # Use capabilities. allow kernel_t self:capability *; diff -ru /tmp/policy/domains/program/checkpolicy.te policy/domains/program/checkpolicy.te --- /tmp/policy/domains/program/checkpolicy.te 2003-03-14 02:14:31.000000000 +1100 +++ policy/domains/program/checkpolicy.te 2003-07-16 11:11:33.000000000 +1000 @@ -44,12 +44,14 @@ `allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Other access -allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; +allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr }; uses_shlib(checkpolicy_t) allow checkpolicy_t self:capability dac_override; allow checkpolicy_t sysadm_tmp_t:file { getattr write } ; +allow checkpolicy_t fs_t:filesystem getattr; + ########################## # Allow users to execute checkpolicy without a domain transition # so it can be used without privilege to write real binary policy file diff -ru /tmp/policy/domains/program/initrc.te policy/domains/program/initrc.te --- /tmp/policy/domains/program/initrc.te 2003-07-31 13:20:15.000000000 +1000 +++ policy/domains/program/initrc.te 2003-07-12 20:38:43.000000000 +1000 @@ -20,6 +20,9 @@ uses_shlib(initrc_t); type initrc_exec_t, file_type, sysadmfile, exec_type; +# for halt to down interfaces +allow initrc_t self:udp_socket create_socket_perms; + # read files in /etc/init.d allow initrc_t etc_t:lnk_file r_file_perms; diff -ru /tmp/policy/domains/program/logrotate.te policy/domains/program/logrotate.te --- /tmp/policy/domains/program/logrotate.te 2003-07-31 13:20:16.000000000 +1000 +++ policy/domains/program/logrotate.te 2003-08-01 08:48:02.000000000 +1000 
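Review bot: `can_exec(kernel_t, shell_exec_t)` is now an unconditional rule in kernel.te, whereas the rule it replaces (the `allow kernel_t shell_exec_t:file execute` removed from hotplug.te later in this patch) only existed when hotplug policy was built, and this same hunk shows kernel_t holding `allow kernel_t self:capability *`. can_exec in this policy's global_macros normally expands to read/getattr/execute/execute_no_trans (the macro is not visible here), so the shell would run in kernel_t itself with no transition, a wider grant than the single `execute` permission it supersedes. If the only consumer is the kernel's usermode helper running /sbin/hotplug, keep it scoped with `ifdef(`hotplug.te', `can_exec(kernel_t, shell_exec_t)')` and add a comment naming that helper so the grant can be dropped when it is no longer needed.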
@@ -28,7 +28,7 @@ allow logrotate_t etc_runtime_t:{ file lnk_file } r_file_perms; # it should not require this -allow logrotate_t sysadm_home_dir_t:dir { read getattr search }; +allow logrotate_t staff_home_dir_t:dir { read getattr search }; # create lock files rw_dir_create_file(logrotate_t, var_lock_t) diff -ru /tmp/policy/domains/program/modutil.te policy/domains/program/modutil.te --- /tmp/policy/domains/program/modutil.te 2003-07-31 13:20:16.000000000 +1000 +++ policy/domains/program/modutil.te 2003-08-01 09:03:28.000000000 +1000 @@ -55,8 +55,8 @@ ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;') # Read System.map from home directories. -allow depmod_t { home_root_t user_home_dir_type sysadm_home_dir_t }:dir r_dir_perms; -r_dir_file(depmod_t, { user_home_type sysadm_home_t }) +allow depmod_t { home_root_t staff_home_dir_t }:dir r_dir_perms; +r_dir_file(depmod_t, staff_home_t) ################################# # @@ -154,7 +154,7 @@ allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms; allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; -dontaudit update_modules_t sysadm_home_dir_t:dir search; +dontaudit update_modules_t staff_home_dir_t:dir search; uses_shlib(update_modules_t) allow update_modules_t self:process { fork sigchld }; diff -ru /tmp/policy/domains/program/mount.te policy/domains/program/mount.te --- /tmp/policy/domains/program/mount.te 2003-07-31 13:20:16.000000000 +1000 +++ policy/domains/program/mount.te 2003-07-12 19:59:50.000000000 +1000 
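Review bot: The retargeted rule `allow logrotate_t staff_home_dir_t:dir { read getattr search }` still sits under the pre-existing comment `# it should not require this`, so the change swaps which home-directory type a cron-driven log rotator may list without removing access the file itself says is unneeded. If it really is unneeded, the fail-safe form is `dontaudit logrotate_t staff_home_dir_t:dir { read getattr search };`, which silences the audit noise without granting anything; if a postrotate script genuinely reads something under a home directory, replace the comment with that reason. As committed, the comment and the rule contradict each other.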
@@ -34,11 +34,12 @@ allow mount_t proc_t:dir mounton; allow mount_t root_t:dir mounton; allow mount_t home_root_t:dir mounton; +allow mount_t tmp_t:dir mounton; # On some RedHat systems, /boot is a mount point allow mount_t boot_t:dir mounton; allow mount_t device_t:dir mounton; ifdef(`devfsd.te', ` -allow mount_t device_t:filesystem unmount; +allow mount_t device_t:filesystem { mount unmount }; ') allow mount_t root_t:filesystem unmount; diff -ru /tmp/policy/domains/program/ssh.te policy/domains/program/ssh.te --- /tmp/policy/domains/program/ssh.te 2003-07-31 13:20:16.000000000 +1000 +++ policy/domains/program/ssh.te 2003-07-31 05:31:18.000000000 +1000 @@ -38,11 +38,6 @@ allow $1 etc_runtime_t:{ file lnk_file } r_file_perms; allow $1 resolv_conf_t:{ file lnk_file } r_file_perms; -# Read the linker, shared library, and executable types. -allow $1 ld_so_t:{ file lnk_file } r_file_perms; -allow $1 shlib_t:{ file lnk_file } r_file_perms; -allow $1 exec_type:{ file lnk_file } r_file_perms; - # Read and write /dev/tty and /dev/null. allow $1 devtty_t:chr_file rw_file_perms; allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms; @@ -91,6 +86,10 @@ # sshd_key_t is the type of the ssh private key files # sshd_program_domain(sshd_t) + +# for X forwarding +allow sshd_t port_t:tcp_socket name_bind; + type sshd_exec_t, file_type, exec_type, sysadmfile; ifdef(`inetd.te', ` diff -ru /tmp/policy/domains/program/unused/bootloader.te policy/domains/program/unused/bootloader.te --- /tmp/policy/domains/program/unused/bootloader.te 2003-07-31 13:20:21.000000000 +1000 +++ policy/domains/program/unused/bootloader.te 2003-07-12 22:22:41.000000000 +1000 
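Review bot: `allow sshd_t port_t:tcp_socket name_bind` authorises sshd to bind every TCP port carrying the default port_t label, not just the X11 forwarding listeners the comment cites, and it reintroduces for one daemon the blanket default-port bind that this patch comments out of the shared macro in global_macros.te. Forwarded displays listen at 6000 plus X11DisplayOffset (6010 upward by default), so the tighter form is a dedicated type: `type xserver_port_t, port_type;` (or reuse one if X policy already defines it), a `portcon tcp 6010-6020 system_u:object_r:xserver_port_t` entry in net_contexts (ranges are supported there), and `allow sshd_t xserver_port_t:tcp_socket name_bind;` here. With X11UseLocalhost on by default the listener is loopback-only, which limits exposure but does not make the wide grant necessary.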
@@ -83,9 +83,10 @@ allow bootloader_t fs_t:filesystem getattr; -allow bootloader_t proc_t:dir r_dir_perms; +allow bootloader_t proc_t:dir { getattr search }; allow bootloader_t proc_t:file r_file_perms; allow bootloader_t proc_t:lnk_file read; +allow bootloader_t self:dir { getattr search read }; allow bootloader_t sysctl_kernel_t:dir search; allow bootloader_t sysctl_kernel_t:file { getattr read }; allow bootloader_t etc_runtime_t:file r_file_perms; diff -ru /tmp/policy/domains/program/unused/cups.te policy/domains/program/unused/cups.te --- /tmp/policy/domains/program/unused/cups.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/cups.te 2003-07-15 00:15:04.000000000 +1000 @@ -36,7 +36,7 @@ allow cupsd_t proc_t:file r_file_perms; allow cupsd_t proc_t:dir r_dir_perms; allow cupsd_t { sysctl_t sysctl_kernel_t sysctl_dev_t }:dir search; -allow cupsd_t sysctl_kernel_t:file { getattr read }; +allow cupsd_t { sysctl_kernel_t sysctl_dev_t }:file { getattr read }; # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -57,7 +57,7 @@ r_dir_file(cupsd_t, readable_t) # Bind to the cups/ipp port (631). -allow cupsd_t ipp_port_t:tcp_socket name_bind; +allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind; can_tcp_connect(web_client_domain, cupsd_t) can_tcp_connect(cupsd_t, cupsd_t) diff -ru /tmp/policy/domains/program/unused/devfsd.te policy/domains/program/unused/devfsd.te --- /tmp/policy/domains/program/unused/devfsd.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/devfsd.te 2003-07-11 00:03:18.000000000 +1000 
@@ -9,7 +9,7 @@ # type etc_devfsd_t, file_type, sysadmfile; -allow kernel_t device_t:dir mounton; +allow kernel_t { device_t root_t }:dir mounton; daemon_domain(devfsd) diff -ru /tmp/policy/domains/program/unused/dhcpc.te policy/domains/program/unused/dhcpc.te --- /tmp/policy/domains/program/unused/dhcpc.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/dhcpc.te 2003-07-26 01:34:09.000000000 +1000 @@ -14,6 +14,8 @@ # dhcpc_exec_t is the type of the dhcpcd executable. # The dhcpc_t can be used for other DHCPC related files as well. # +type dhcpc_port_t, port_type; + daemon_domain(dhcpc) can_network(dhcpc_t) allow dhcpc_t self:unix_dgram_socket create_socket_perms; @@ -22,8 +24,14 @@ ifdef(`cardmgr.te', ` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) +allow cardmgr_t dhcpc_var_run_t:file { getattr read }; allow cardmgr_t dhcpc_t:process signal_perms; ') +ifdef(`hotplug.te', ` +domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t) +allow hotplug_t dhcpc_t:process signal_perms; +allow hotplug_t dhcpc_var_run_t:file { getattr read }; +') # for the dhcp client to run ping to check IP addresses ifdef(`ping.te', ` @@ -32,7 +40,13 @@ dontaudit ping_t dhcpc_state_t:file read; dontaudit ping_t dhcpc_t:packet_socket { read write }; dontaudit ping_t dhcpc_t:udp_socket { read write }; -') +ifdef(`hotplug.te', ` +allow ping_t hotplug_t:fd use; +') dnl end if hotplug +ifdef(`cardmgr.te', ` +allow ping_t cardmgr_t:fd use; +') dnl end if cardmgr +') dnl end if ping ifdef(`dhcpd.te', `', ` type dhcp_state_t, file_type, sysadmfile; 
@@ -49,6 +63,9 @@ # Use capabilities allow dhcpc_t self:capability { net_admin net_raw net_bind_service }; +# for udp port 68 +allow dhcpc_t dhcpc_port_t:udp_socket name_bind; + # Allow read/write to /etc/resolv.conf. Note that any files in /etc # created by dhcpcd will be labelled resolv_conf_t. As of RH 7.2, no # other files are accessed in the /etc dir, only in /etc/dhcpc dir. diff -ru /tmp/policy/domains/program/unused/dhcpd.te policy/domains/program/unused/dhcpd.te --- /tmp/policy/domains/program/unused/dhcpd.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/dhcpd.te 2003-07-31 05:23:46.000000000 +1000 @@ -16,6 +16,10 @@ # daemon_domain(dhcpd) +# for UDP port 67 +type dhcpd_port_t, port_type; +allow dhcpd_t dhcpd_port_t:udp_socket name_bind; + type etc_dhcp_t alias { etc_dhcpc_t etc_dhcpd_t }, file_type, sysadmfile; # Use the network. diff -ru /tmp/policy/domains/program/unused/dpkg.te policy/domains/program/unused/dpkg.te --- /tmp/policy/domains/program/unused/dpkg.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/dpkg.te 2003-08-01 08:46:54.000000000 +1000 @@ -130,8 +130,8 @@ dontaudit apt_t var_run_t:dir search; # for rc files such as ~/.less -r_dir_file(apt_t, sysadm_home_t) -allow apt_t sysadm_home_dir_t:dir { search getattr }; +r_dir_file(apt_t, staff_home_t) +allow apt_t staff_home_dir_t:dir { search getattr }; allow apt_t bin_t:lnk_file r_file_perms; @@ -293,7 +293,7 @@ type debian_menu_t, file_type, sysadmfile; r_dir_file(userdomain, debian_menu_t) -dontaudit install_menu_t sysadm_home_dir_t:dir search; +dontaudit install_menu_t staff_home_dir_t:dir search; allow install_menu_t debian_menu_t:dir create_dir_perms; allow install_menu_t debian_menu_t:{ file lnk_file } create_file_perms; allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms }; 
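Review bot: `r_dir_file(apt_t, staff_home_t)` lets the package manager, which runs as root, read every file and symlink of type staff_home_t, while the comment justifying it names a single dotfile (`~/.less`). If staff_home_t is the type shared by all staff users' home content, as the name suggests, this is wider than the sysadm_home_t rule it replaces and points a privileged domain at user-controlled data it has no need for; less also runs fine without its keybinding file, so a denial here is harmless. Consider `dontaudit apt_t staff_home_dir_t:dir { search getattr };` and leaving the file read out, or if some apt hook genuinely needs a home-directory file, say which one in the comment so the grant can be scoped to it.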
@@ -304,6 +304,9 @@ allow install_menu_t { bin_t sbin_t }:dir search; allow install_menu_t bin_t:lnk_file read; +# for menus +allow install_menu_t usr_t:file r_file_perms; + # for /etc/kde3/debian/kde-update-menu.sh can_exec(install_menu_t, etc_t) diff -ru /tmp/policy/domains/program/unused/ftpd.te policy/domains/program/unused/ftpd.te --- /tmp/policy/domains/program/unused/ftpd.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/ftpd.te 2003-08-01 09:11:46.000000000 +1000 @@ -11,8 +11,6 @@ type ftp_port_t, port_type; daemon_domain(ftpd, `, auth') type etc_ftpd_t, file_type, sysadmfile; -ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)') -ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)') can_network(ftpd_t) allow ftpd_t self:unix_dgram_socket create_socket_perms; @@ -25,10 +23,19 @@ ') ifdef(`ftpd_daemon', ` +ifdef(`inetd.te', `', ` +define(`ftpd_is_daemon', `') +') dnl end inetd.te +') dnl end ftpd_daemon + +ifdef(`ftpd_is_daemon', ` rw_dir_create_file(ftpd_t, var_lock_t) allow ftpd_t ftp_port_t:tcp_socket name_bind; can_tcp_connect(userdomain, ftpd_t) ', ` +domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t) +ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)') + # Use sockets inherited from inetd. allow ftpd_t inetd_t:fd use; allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms; diff -ru /tmp/policy/domains/program/unused/hotplug.te policy/domains/program/unused/hotplug.te --- /tmp/policy/domains/program/unused/hotplug.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/hotplug.te 2003-07-11 00:03:07.000000000 +1000 
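Review bot: The new `ifdef(`inetd.te', `', `define(`ftpd_is_daemon', `')')` nested inside the ftpd_daemon block means ftpd_daemon is silently ignored whenever inetd policy is built: on such a system a standalone ftpd never receives `ftp_port_t:tcp_socket name_bind` and cannot listen, even though the administrator asked for daemon mode. The denial fails closed, but a configuration knob that stops working because an unrelated file exists is painful to debug. Decide on ftpd_daemon alone and guard the inetd transition on its own file in the else branch, `ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)')`, matching how the tcpd line beside it is already wrapped. The `inetd_t:fd use` rules that follow in the else branch are pre-existing and continue past this hunk; they carry the same dependence on inetd_t being defined.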
@@ -11,9 +11,6 @@ # daemon_domain(hotplug) -# allow kernel thread to run a shell to interpret the script -allow kernel_t shell_exec_t:file execute; - type etc_hotplug_t, file_type, sysadmfile; allow hotplug_t self:fifo_file { read write getattr ioctl }; diff -ru /tmp/policy/domains/program/unused/hwclock.te policy/domains/program/unused/hwclock.te --- /tmp/policy/domains/program/unused/hwclock.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/hwclock.te 2003-08-01 08:47:17.000000000 +1000 @@ -22,6 +22,8 @@ domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t) ') +allow hwclock_t fs_t:filesystem getattr; + read_locale(hwclock_t) # Give hwclock the capabilities it requires. dac_override is a surprise, diff -ru /tmp/policy/domains/program/unused/inetd.te policy/domains/program/unused/inetd.te --- /tmp/policy/domains/program/unused/inetd.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/inetd.te 2003-07-12 11:57:50.000000000 +1000 @@ -14,6 +14,8 @@ # # Rules for the inetd_t domain. # +type inetd_port_t, port_type; + daemon_domain(inetd) can_network(inetd_t) @@ -45,6 +47,9 @@ ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;') ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;') +# allow to bind to chargen, echo, etc +allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind; + # Communicate with the portmapper. ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)') diff -ru /tmp/policy/domains/program/unused/ipsec.te policy/domains/program/unused/ipsec.te --- /tmp/policy/domains/program/unused/ipsec.te 2003-07-31 13:20:22.000000000 +1000 +++ policy/domains/program/unused/ipsec.te 2003-08-01 08:56:50.000000000 +1000 
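Review bot: The comment `# allow to bind to chargen, echo, etc` understates what inetd_port_t covers: the net_contexts hunk in this patch labels tcp/udp 7 (echo), 9 (discard), 13 (daytime), 37 (time), tcp 113 (auth/ident) and udp 517 (talk), and does not label 19 (chargen) at all, so a chargen enabled in inetd.conf would still be denied. List the real set here so nobody assumes chargen is bindable. The UDP echo/daytime/time services are classic reflection and amplification targets, so a second comment is worth adding, e.g. `# policy only permits the bind; keep the internal UDP services disabled in inetd.conf unless required`, since the policy cannot tell a deliberate enable from a leftover default.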
@@ -200,7 +200,7 @@ allow ipsec_t self:fifo_file { read getattr }; # ideally it would not need this. It wants to write to /root/.rnd -file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) +file_type_auto_trans(ipsec_mgmt_t, staff_home_dir_t, staff_home_t, file) allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl }; allow ipsec_t initrc_devpts_t:chr_file { getattr read write }; diff -ru /tmp/policy/domains/program/unused/named.te policy/domains/program/unused/named.te --- /tmp/policy/domains/program/unused/named.te 2003-07-31 13:20:23.000000000 +1000 +++ policy/domains/program/unused/named.te 2003-08-01 08:48:48.000000000 +1000 @@ -128,5 +128,5 @@ allow ndc_t named_var_run_t:file getattr; allow ndc_t named_zone_t:dir { read getattr }; allow ndc_t named_zone_t:file getattr; -dontaudit ndc_t sysadm_home_t:dir { getattr search read }; +dontaudit ndc_t staff_home_t:dir { getattr search read }; ') diff -ru /tmp/policy/domains/program/unused/pamconsole.te policy/domains/program/unused/pamconsole.te --- /tmp/policy/domains/program/unused/pamconsole.te 2003-03-05 01:57:16.000000000 +1100 +++ policy/domains/program/unused/pamconsole.te 2003-04-22 20:01:53.000000000 +1000 @@ -4,7 +4,7 @@ type pam_console_exec_t, file_type, sysadmfile, exec_type; type pam_console_t, domain; role system_r types pam_console_t; -every_domain(pam_console_t) +uses_shlib(pam_console_t) domain_auto_trans(initrc_t, pam_console_exec_t, pam_console_t) # Allow access to /dev/console through the fd: diff -ru /tmp/policy/domains/program/unused/portmap.te policy/domains/program/unused/portmap.te --- /tmp/policy/domains/program/unused/portmap.te 2003-07-31 13:20:25.000000000 +1000 +++ policy/domains/program/unused/portmap.te 2003-07-12 20:00:14.000000000 +1000 
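Review bot: `file_type_auto_trans(ipsec_mgmt_t, staff_home_dir_t, staff_home_t, file)` gives a root-running IPsec management domain create and write access to files in any staff_home_dir_t directory, and the comment above it already concedes that it "ideally would not need this" — the only stated purpose is OpenSSL's ~/.rnd seed file. OpenSSL honours the RANDFILE environment variable, so the ipsec scripts can be pointed at a file under a type ipsec_mgmt_t already owns (a path under its runtime directory, whichever that is in this policy) and this home-directory write path dropped or demoted to `dontaudit`. Root writing seed files into directories controlled by other users is a pattern worth eliminating regardless of what the MAC rules permit.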
@@ -21,6 +21,9 @@ allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind; +# portmap binds to arbitary ports +allow portmap_t port_t:{ udp_socket tcp_socket } name_bind; + allow portmap_t etc_t:file { getattr read }; # Send to ypbind, initrc, rpc.statd, xinetd. @@ -39,6 +42,8 @@ ') can_udp_send(portmap_t, kernel_t) can_udp_send(kernel_t, portmap_t) +can_udp_send(sysadm_t, portmap_t) +can_udp_send(portmap_t, sysadm_t) # Use capabilities allow portmap_t self:capability { net_bind_service setuid setgid }; diff -ru /tmp/policy/domains/program/unused/radius.te policy/domains/program/unused/radius.te --- /tmp/policy/domains/program/unused/radius.te 2003-07-31 13:20:27.000000000 +1000 +++ policy/domains/program/unused/radius.te 2003-07-12 12:04:24.000000000 +1000 @@ -51,6 +51,10 @@ can_network(radiusd_t) allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind; + +# for RADIUS proxy port +allow radiusd_t port_t:udp_socket name_bind; + ifdef(`snmpd.te', ` can_tcp_connect(radiusd_t, snmpd_t) ') diff -ru /tmp/policy/domains/program/unused/rpcd.te policy/domains/program/unused/rpcd.te --- /tmp/policy/domains/program/unused/rpcd.te 2003-07-31 13:20:27.000000000 +1000 +++ policy/domains/program/unused/rpcd.te 2003-07-31 10:59:05.000000000 +1000 @@ -11,7 +11,7 @@ # rpcd_t is the domain of rpc daemons. # rpcd_exec_t is the type of rpc daemon programs. # -daemon_base_domain(rpcd) +daemon_domain(rpcd) can_network(rpcd_t) allow rpcd_t resolv_conf_t:file { getattr read }; can_udp_send({ init_t initrc_t }, rpcd_t) @@ -23,6 +23,7 @@ allow rpcd_t self:unix_dgram_socket create_socket_perms; allow rpcd_t self:unix_stream_socket create_socket_perms; +allow rpcd_t self:fifo_file rw_file_perms; can_udp_send(rpcd_t, rpcd_t) can_udp_send(mount_t, rpcd_t) 
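Review bot: `allow radiusd_t port_t:udp_socket name_bind` for the proxy port authorises a bind on every default-labelled UDP port, although the proxy source port is a single configurable value (FreeRADIUS sets it in its radiusd.conf/proxy.conf; the default varies by version). Label that port in net_contexts as radius_port_t (or a new `radius_proxy_port_t`) and the line above, `allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;`, already covers it, so the new rule can be deleted outright. Wide port_t binds are exactly what the global_macros.te hunk in this patch removes from the shared macro; adding them back per daemon defeats that tightening.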
@@ -41,6 +42,9 @@ # Use capabilities. allow rpcd_t self:capability { net_bind_service dac_override setgid setuid }; +# bind to arbitary unused ports +allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind; + # Access /var/lib/nfs. allow rpcd_t { var_t var_lib_t }:dir search; allow rpcd_t var_lib_nfs_t:dir rw_dir_perms; diff -ru /tmp/policy/domains/program/unused/rpm.te policy/domains/program/unused/rpm.te --- /tmp/policy/domains/program/unused/rpm.te 2003-03-05 01:57:20.000000000 +1100 +++ policy/domains/program/unused/rpm.te 2003-04-22 20:00:42.000000000 +1000 @@ -11,21 +11,21 @@ # type rpm_t, domain, privlog; role system_r types rpm_t; -role sysadm_r types rpm_t; -every_domain(rpm_t) +uses_shlib(rpm_t) type rpm_exec_t, file_type, sysadmfile, exec_type; -domain_auto_trans(system_crond_t, rpm_exec_t, rpm_t) + +system_crond_entry(rpm_exec_t, rpm_t) +#role sysadm_r types rpm_t; #domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t) type rpm_file_t, file_type, sysadmfile; type var_lib_rpm_t, file_type, sysadmfile; -type rpm_tmp_t, file_type, sysadmfile, tmpfile; -file_type_auto_trans(rpm_t, tmp_t, rpm_tmp_t) +tmp_domain(rpm) -type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile; -file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t) -allow rpm_tmpfs_t tmpfs_t:filesystem associate; +#type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile; +#file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t) +#allow rpm_tmpfs_t tmpfs_t:filesystem associate; type var_log_rpm_t, file_type, sysadmfile, logfile; file_type_auto_trans(rpm_t, var_log_t, var_log_rpm_t) @@ -34,7 +34,7 @@ can_exec_any(rpm_t) # Capabilties needed by rpm utils -allow rpm_t rpm_t:capability { dac_override dac_read_search chown setuid setgid }; +allow rpm_t self:capability { dac_override dac_read_search chown setuid setgid }; # Access /usr/lib files allow rpm_t lib_t:dir r_dir_perms; 
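Review bot: `allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind` covers every RPC daemon sharing rpcd_t and every unlabelled port; statd, mountd and friends do pick dynamic ports, but nfs-utils lets them be pinned (`rpc.statd -p PORT`, `rpc.mountd -p PORT`, with lockd handled via its module parameters, all version dependent), after which the ports can be labelled and this grant narrowed to that type. Pinned ports are also what makes RPC firewalling practical, so the change earns its keep twice. At minimum the comment should name which daemons need the dynamic bind, and `arbitary` is misspelled here and in the portmap.te hunk.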
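Review bot: The tmpfs rules are commented out rather than removed (`#type rpm_tmpfs_t ...` and the two lines under it), and `#role sysadm_r types rpm_t;` joins an already-commented transition, so the file accumulates dead policy a reader must still evaluate; delete them, or keep a single comment saying why rpm_t no longer gets a tmpfs type. The narrowing from `every_domain(rpm_t)` to `uses_shlib(rpm_t)` is the right direction, but every_domain was a broad read-access macro and whatever replaces it (etc_t, proc_t, the RPM database types) is outside this hunk, so confirm rpm still runs under enforcing before shipping. The `system_crond_entry(rpm_exec_t, rpm_t)` replacement is consistent with the later hunk in this file that drops the crond_t fd and fifo rules.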
@@ -44,15 +44,10 @@ allow rpm_t var_lib_rpm_t:dir rw_dir_perms; allow rpm_t var_lib_rpm_t:file create_file_perms; -# When the RPM updates are run from cron, inherit cron descriptors and -# read from the FIFO created by cron -allow rpm_t crond_t:fd use; -allow rpm_t crond_t:fifo_file r_file_perms; - # Access terminals. -allow rpm_t sysadm_tty_device_t:chr_file rw_file_perms; -allow rpm_t sysadm_devpts_t:chr_file rw_file_perms; +allow rpm_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;') +allow rpm_t privfd:fd use; # Write to /usr/src. #allow rpm_t src_t:dir create_dir_perms; @@ -60,9 +55,3 @@ # Execute from /usr/src. #can_exec(rpm_t, src_t) - -# Execute helper programs. -#can_exec_any(rpm_t) - -# Execute temporary files. -#can_exec(rpm_t, rpm_tmp_t) diff -ru /tmp/policy/domains/program/unused/squid.te policy/domains/program/unused/squid.te --- /tmp/policy/domains/program/unused/squid.te 2003-07-31 13:20:28.000000000 +1000 +++ policy/domains/program/unused/squid.te 2003-07-11 20:56:29.000000000 +1000 @@ -60,8 +60,9 @@ can_network(squid_t) can_tcp_connect(web_client_domain, squid_t) -# port 8080 is http_cache_port_t (see net_contexts) +# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts) allow squid_t http_cache_port_t:tcp_socket name_bind; +allow squid_t http_cache_port_t:udp_socket name_bind; # to allow running programs from /usr/lib/squid (IE unlinkd) # also allow exec()ing itself diff -ru /tmp/policy/domains/program/unused/sysstat.te policy/domains/program/unused/sysstat.te --- /tmp/policy/domains/program/unused/sysstat.te 2003-07-31 13:20:28.000000000 +1000 +++ policy/domains/program/unused/sysstat.te 2003-08-01 08:49:27.000000000 +1000 
@@ -29,7 +29,7 @@ # for fstab allow sysstat_t etc_t:file { read getattr }; -dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms; +dontaudit sysstat_t staff_home_dir_t:dir r_dir_perms; allow sysstat_t self:fifo_file rw_file_perms; diff -ru /tmp/policy/domains/program/unused/utempter.te policy/domains/program/unused/utempter.te --- /tmp/policy/domains/program/unused/utempter.te 2003-03-05 01:57:27.000000000 +1100 +++ policy/domains/program/unused/utempter.te 2003-04-12 10:32:13.000000000 +1000 @@ -14,7 +14,7 @@ type utempter_t, domain; in_user_role(utempter_t) role sysadm_r types utempter_t; -every_domain(utempter_t) +uses_shlib(utempter_t) type utempter_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(userdomain, utempter_exec_t, utempter_t) diff -ru /tmp/policy/domains/program/unused/vmware.te policy/domains/program/unused/vmware.te --- /tmp/policy/domains/program/unused/vmware.te 2003-07-31 13:20:29.000000000 +1000 +++ policy/domains/program/unused/vmware.te 2003-07-10 11:31:49.000000000 +1000 @@ -118,7 +118,7 @@ # Access /proc r_dir_file(vmware_user_t, proc_t) -# Access to some files in the home directory of the user +# Access to some files in the user home directory r_dir_file(vmware_user_t, user_home_t) # Access to runtime files for user diff -ru /tmp/policy/domains/program/unused/watchdog.te policy/domains/program/unused/watchdog.te --- /tmp/policy/domains/program/unused/watchdog.te 2003-07-31 13:20:29.000000000 +1000 +++ policy/domains/program/unused/watchdog.te 2003-07-11 17:16:26.000000000 +1000 
@@ -20,5 +20,13 @@ allow watchdog_t proc_t:file r_file_perms; allow watchdog_t self:capability { ipc_lock sys_nice }; +allow watchdog_t self:fifo_file rw_file_perms; +allow watchdog_t self:unix_stream_socket create_socket_perms; +can_network(watchdog_t) +allow watchdog_t resolv_conf_t:file { getattr read }; +allow watchdog_t self:udp_socket create_socket_perms; +allow watchdog_t bin_t:dir search; +allow watchdog_t init_t:process signal; +allow watchdog_t kernel_t:process sigstop; allow watchdog_t watchdog_device_t:chr_file { getattr write }; diff -ru /tmp/policy/file_contexts/program/modutil.fc policy/file_contexts/program/modutil.fc --- /tmp/policy/file_contexts/program/modutil.fc 2003-07-31 13:20:54.000000000 +1000 +++ policy/file_contexts/program/modutil.fc 2003-05-31 12:28:59.000000000 +1000 @@ -1,5 +1,6 @@ # module utilities /etc/modules\.conf(.old)? system_u:object_r:modules_conf_t +/lib/modules/modprobe.conf system_u:object_r:modules_conf_t /lib/modules(/.*)? system_u:object_r:modules_object_t /lib/modules/[^/]+/modules\..+ system_u:object_r:modules_dep_t /lib/modules/modprobe\.conf.* system_u:object_r:modules_conf_t diff -ru /tmp/policy/file_contexts/program/nsd.fc policy/file_contexts/program/nsd.fc --- /tmp/policy/file_contexts/program/nsd.fc 2003-07-31 13:20:56.000000000 +1000 +++ policy/file_contexts/program/nsd.fc 2003-07-26 01:34:33.000000000 +1000 
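Review bot: Eight new rules land in watchdog.te with no comment tying any of them to a watchdog.conf test, so a reader cannot tell whether `can_network(watchdog_t)` and the resolv_conf_t read serve the `ping`/`interface` tests or hostname lookups, nor why `kernel_t:process sigstop` is required. If the network access is for the ping test, note that watchdog, as far as I recall, sends ICMP echo itself from a raw socket, which would also need `allow watchdog_t self:rawip_socket create_socket_perms;` and `net_raw` in the capability set on the line above; neither is in this hunk, so that test would still be denied. Suggest one comment per group, e.g. `# ping/interface tests in watchdog.conf` above the network rules and `# soft-reboot path: signal init, stop the kernel thread` above the two process rules, plus a sentence on whether the soft-reboot path signals other domains too.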
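Review bot: `/lib/modules/modprobe.conf` is already matched by the existing entry `/lib/modules/modprobe\.conf.* system_u:object_r:modules_conf_t` two lines below it, and the new line leaves the dot unescaped so it is a regex wildcard rather than a literal. The entry is therefore redundant and inconsistent with the escaping used on every other line in this file; drop it, or if the intent was to override the broader `/lib/modules(/.*)?` entry, note that the existing escaped line already does. Duplicate specs with differing escaping are how relabel surprises creep in.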
@@ -3,7 +3,9 @@ /etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t /etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t /etc/nsd/nsd.db system_u:object_r:nsd_zone_t +/var/lib/nsd.db system_u:object_r:nsd_zone_t /usr/sbin/nsd system_u:object_r:nsd_exec_t /usr/sbin/nsdc system_u:object_r:nsd_exec_t /usr/sbin/nsd-notify system_u:object_r:nsd_exec_t +/usr/sbin/zonec system_u:object_r:nsd_exec_t /var/run/nsd\.pid system_u:object_r:nsd_var_run_t diff -ru /tmp/policy/file_contexts/program/postfix.fc policy/file_contexts/program/postfix.fc --- /tmp/policy/file_contexts/program/postfix.fc 2003-07-31 13:20:57.000000000 +1000 +++ policy/file_contexts/program/postfix.fc 2003-08-01 08:50:14.000000000 +1000 @@ -37,9 +37,10 @@ /var/spool/postfix/defer(red)?(/.*)? system_u:object_r:postfix_spool_t /var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t /var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t +/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t /var/spool/postfix/lib(/.*)? system_u:object_r:lib_t +/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t /var/spool/postfix/lib/ld.*\.so.* system_u:object_r:ld_so_t /var/spool/postfix/lib/lib.*\.so.* system_u:object_r:shlib_t /var/spool/postfix/lib/[^/]*/lib.*\.so.* system_u:object_r:shlib_t /var/spool/postfix/lib/devfsd/.*\.so.* system_u:object_r:shlib_t -/var/spool/postfix/etc/services system_u:object_r:etc_t diff -ru /tmp/policy/file_contexts/program/rpcd.fc policy/file_contexts/program/rpcd.fc --- /tmp/policy/file_contexts/program/rpcd.fc 2002-07-04 06:26:22.000000000 +1000 +++ policy/file_contexts/program/rpcd.fc 2003-07-31 10:59:27.000000000 +1000 
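Review bot: `/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t` labels everything under the chroot's usr/ as lib_t, but the shlib_t and ld_so_t overrides that follow only cover `/var/spool/postfix/lib/...`; any shared objects a chroot setup copies under usr/lib (NSS, SASL and resolver helpers are the usual suspects) would end up lib_t and be refused executable mapping under uses_shlib. If libraries can live there, add the matching override, e.g. `/var/spool/postfix/usr/lib(/.*)?/lib.*\.so.* system_u:object_r:shlib_t`. Widening `/var/spool/postfix/etc/services` to `/var/spool/postfix/etc(/.*)?` as etc_t looks fine, since the chroot etc is a read-only copy.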
@@ -2,3 +2,4 @@ /sbin/rpc\..* system_u:object_r:rpcd_exec_t /usr/sbin/rpc\..* system_u:object_r:rpcd_exec_t /usr/sbin/exportfs system_u:object_r:rpcd_exec_t +/var/run/rpc.statd.pid system_u:object_r:rpcd_var_run_t diff -ru /tmp/policy/macros/global_macros.te policy/macros/global_macros.te --- /tmp/policy/macros/global_macros.te 2003-07-31 13:21:04.000000000 +1000 +++ policy/macros/global_macros.te 2003-07-12 12:00:00.000000000 +1000 @@ -478,8 +481,8 @@ # Bind to the default port type. # Other port types must be separately authorized. # -allow $1 port_t:udp_socket name_bind; -allow $1 port_t:tcp_socket name_bind; +#allow $1 port_t:udp_socket name_bind; +#allow $1 port_t:tcp_socket name_bind; ') ################################# diff -ru /tmp/policy/macros/program/mount_macros.te policy/macros/program/mount_macros.te --- /tmp/policy/macros/program/mount_macros.te 2003-07-31 13:21:09.000000000 +1000 +++ policy/macros/program/mount_macros.te 2003-07-12 20:01:38.000000000 +1000 @@ -29,6 +29,7 @@ domain_auto_trans($1_t, mount_exec_t, $2_t) allow $2_t proc_t:dir search; +allow $2_t proc_t:file { getattr read }; tmp_domain($2) diff -ru /tmp/policy/macros/user_macros.te policy/macros/user_macros.te --- /tmp/policy/macros/user_macros.te 2003-07-31 13:21:04.000000000 +1000 +++ policy/macros/user_macros.te 2003-07-12 20:02:20.000000000 +1000 @@ -92,6 +103,9 @@ allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms; ')dnl end of ssh section +# for ifconfig which is run all the time +dontaudit $1_t sysctl_t:dir search; + allow $1_t boot_t:dir { getattr search }; dontaudit $1_t boot_t:dir read; dontaudit $1_t boot_t:lnk_file getattr; 
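Review bot: `/var/run/rpc.statd.pid` leaves both dots unescaped while the three entries above it write `rpc\..*`; file_contexts paths are regexes, so use `/var/run/rpc\.statd\.pid system_u:object_r:rpcd_var_run_t` for consistency. The rpcd_var_run_t type this relies on only exists because of the `daemon_domain(rpcd)` switch earlier in the patch, so this .fc change must ship together with that .te change.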
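Review bot: The comment directly above the change still reads `# Bind to the default port type.` / `# Other port types must be separately authorized.`, but the rules implementing it are now commented out, so the macro documents a grant it no longer makes. Rewrite it to say that port_t binds are no longer granted here and each domain must authorise its own port type (which is what the inetd, dhcpd, dhcpc and squid hunks in this patch do), and delete the two dead `#allow ...` lines rather than leaving them. The enclosing macro definition starts before this hunk; from its position it appears to be the network macro applied via can_network, which would make this the most consequential tightening in the patch and the one that deserves a changelog sentence.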
@@ -172,8 +186,16 @@ # Access other miscellaneous devices. allow $1_t misc_device_t:file_class_set rw_file_perms; +ifdef(`apache.te', ` +ifelse(`$1', `sysadm', `', ` +dnl apache_domain($1) +') +')dnl end apache + # Use the network. can_network($1_t) +# allow port_t name binding for UDP because it is not very usable otherwise +allow $1_t port_t:udp_socket name_bind; allow $1_t resolv_conf_t:file { getattr read }; # for perl dontaudit $1_t resolv_conf_t:file ioctl; diff -ru /tmp/policy/net_contexts policy/net_contexts --- /tmp/policy/net_contexts 2003-07-31 13:20:03.000000000 +1000 +++ policy/net_contexts 2003-07-31 05:23:03.000000000 +1000 @@ -17,6 +17,18 @@ # protocol number context # protocol low-high context # +ifdef(`inetd.te', ` +portcon tcp 7 system_u:object_r:inetd_port_t +portcon udp 7 system_u:object_r:inetd_port_t +portcon tcp 9 system_u:object_r:inetd_port_t +portcon udp 9 system_u:object_r:inetd_port_t +portcon tcp 13 system_u:object_r:inetd_port_t +portcon udp 13 system_u:object_r:inetd_port_t +portcon tcp 37 system_u:object_r:inetd_port_t +portcon udp 37 system_u:object_r:inetd_port_t +portcon tcp 113 system_u:object_r:inetd_port_t +portcon udp 517 system_u:object_r:inetd_port_t +') ifdef(`courier.te', `define(`use_pop')') ifdef(`perdition.te', `define(`use_pop')') ifdef(`ftpd.te', `portcon tcp 21 system_u:object_r:ftp_port_t') @@ -25,6 +37,8 @@ ifdef(`mta.te', `portcon tcp 25 system_u:object_r:smtp_port_t') ifdef(`named.te', `portcon udp 53 system_u:object_r:named_port_t portcon tcp 53 system_u:object_r:named_port_t') +ifdef(`dhcpd.te', `portcon udp 67 system_u:object_r:dhcpd_port_t') +ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t') ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t') ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t') ifdef(`apache.te', `portcon tcp 80 system_u:object_r:http_port_t') 
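Review bot: `allow $1_t port_t:udp_socket name_bind;` gives every user domain generated by this macro (user, staff and sysadm alike) a bind on any UDP port that has no portcon, which after the global_macros.te change is the one place ordinary users regain the blanket grant. Ports below 1024 still need net_bind_service, which these domains presumably lack, so the practical effect is that any user can pre-bind an unlabelled service UDP port above 1023 and squat it before the daemon starts; net_contexts supports `low-high` ranges and the first matching portcon wins, so a `user_udp_port_t`-style type over 1024-65535 placed after the specific entries would keep the usability with a label that can be audited. The `ifdef(`apache.te', ... dnl apache_domain($1) ...)` block expands to nothing and should be finished or removed rather than committed as scaffolding. The `$1` macro this lives in starts and ends outside the hunk.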
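Review bot: These portcon lines label tcp/udp 7, 9, 13, 37, tcp 113 and udp 517 as inetd_port_t but not port 19, while the inetd.te hunk consuming the type says `# allow to bind to chargen, echo, etc`; one of the two should change, and since echo and chargen are the canonical UDP reflection pair, leaving 19 out is the safer choice — just make it deliberate with a comment such as `# chargen (19) intentionally unlabelled; add per host if really needed`. udp 517 is talk, whose companion ntalk (udp 518) is not labelled either, so a talkd enabled from inetd.conf would still be denied. tcp 113 (auth/ident) is also carried by this type although it is not one of inetd's internal services, which is worth a word in the inetd.te comment.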
@@ -37,7 +51,7 @@ portcon udp 111 system_u:object_r:portmap_port_t portcon tcp 111 system_u:object_r:portmap_port_t ') -ifdef(`ntp.te', `portcon udp 123 system_u:object_r:ntp_port_t') +ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t') ifdef(`samba.te', ` portcon tcp 137 system_u:object_r:smbd_port_t portcon udp 137 system_u:object_r:nmbd_port_t @@ -57,7 +71,10 @@ ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t') ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t') ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t') -ifdef(`cups.te', `portcon tcp 631 system_u:object_r:ipp_port_t') +ifdef(`cups.te', ` +portcon tcp 631 system_u:object_r:ipp_port_t +portcon udp 631 system_u:object_r:ipp_port_t +') ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t') ifdef(`use_pop', ` portcon tcp 993 system_u:object_r:pop_port_t @@ -75,9 +92,18 @@ portcon udp 5323 system_u:object_r:imaze_port_t ') ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t') +ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') +ifdef(`sound-server.te', ` +portcon tcp 8000 system_u:object_r:soundd_port_t +# 9433 is for YIFF +portcon tcp 9433 system_u:object_r:soundd_port_t +') ifdef(`apache.te', `define(`use_http_cache')') ifdef(`squid.te', `define(`use_http_cache')') -ifdef(`use_http_cache', `portcon tcp 8080 system_u:object_r:http_cache_port_t') +ifdef(`use_http_cache', ` +portcon tcp 8080 system_u:object_r:http_cache_port_t +portcon udp 3130 system_u:object_r:http_cache_port_t +') ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t') # Network interfaces (default = initial SID "netif" and "netmsg")
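Review bot: `ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')` is inserted after the ircd 6667 entry although this file is otherwise kept in ascending port order (21, 25, 53, ... 6667, 8080); move it up beside the 600–1000 entries so overlaps and gaps stay easy to eyeball. The new `portcon udp 3130` for squid's ICP under http_cache_port_t is fine, but since `use_http_cache` is also defined by apache.te, a short comment noting that only squid is granted the udp_socket bind on that type would save the next reader a grep.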