* new policy patch
@ 2002-09-27 21:42 Russell Coker
From: Russell Coker @ 2002-09-27 21:42 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 613 bytes --]
The attached patch has my latest changes. A minor dpkg patch, some qmail
changes that are particularly needed for mailman and other things that
require mail being piped, samba changes for /etc/samba/secrets.tdb, type
labelling for the suseradd program, a squid cron job policy change, and a
change that hopefully fixes the su gph problem Brian reported.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: new.diff --]
[-- Type: text/x-diff, Size: 6219 bytes --]
diff -ru /tmp/policy/domains/program/dpkg.te ./domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te 2002-09-27 22:27:37.000000000 +0200
+++ ./domains/program/dpkg.te 2002-09-27 17:39:34.000000000 +0200
@@ -59,7 +59,7 @@
')
# for apt
-type apt_t, domain, admin;
+type apt_t, domain, admin, privmail;
type apt_exec_t, file_type, sysadmfile, exec_type;
type var_lib_apt_t, file_type, sysadmfile;
type var_cache_apt_t, file_type, sysadmfile;
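Review bot: The `privmail` attribute added on the `type apt_t, domain, admin, privmail;` line has no comment saying which apt operation needs to send mail, so a later reader cannot tell whether it is still required. The attribute presumably admits apt_t to the mail-sending rules elsewhere in the policy, which is a wider grant than anything else in this hunk, so a one-line justification would make it auditable, e.g. `# privmail: apt hooks send mail (confirm which helper needs this)`. If a single helper program is the sender, a separate domain for it would keep apt_t itself out of the mail rules.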
@@ -71,6 +71,7 @@
file_type_auto_trans(apt_t, tmp_t, tmp_apt_t)
dontaudit apt_t var_log_t:dir getattr;
+dontaudit apt_t var_run_t:dir search;
# for rc files such as ~/.less
r_dir_file(apt_t, sysadm_home_t)
diff -ru /tmp/policy/domains/program/qmail.te ./domains/program/qmail.te
--- /tmp/policy/domains/program/qmail.te 2002-09-27 22:27:38.000000000 +0200
+++ ./domains/program/qmail.te 2002-09-26 19:23:10.000000000 +0200
@@ -27,7 +27,7 @@
# qmail_$1_exec_t is the type of the qmail_$1 executables.
#
define(`qmail_daemon_domain', `
-daemon_sub_domain(qmail_start_t, qmail_$1)
+daemon_sub_domain(qmail_start_t, qmail_$1, `$2')
allow qmail_$1_t qmail_start_t:fifo_file { read write };
')dnl
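Review bot: The `qmail_daemon_domain` macro now takes a second argument that is passed through to daemon_sub_domain as `$2`, but the header comment above the define (starting with `# qmail_$1_exec_t is the type ...`, partly outside the hunk) does not mention it. Document the parameter and its expected form, since the caller in the next hunk has to supply the leading comma itself: `# $2 (optional): extra attributes for qmail_$1_t, quoted with a leading comma, e.g. `, mta_delivery_agent'`. An omitted `$2` expands to the empty string in m4, so existing callers should be unaffected, but that is worth confirming against any calls outside the diff.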
@@ -36,7 +36,7 @@
allow qmail_start_t self:capability setgid;
-qmail_daemon_domain(lspawn)
+qmail_daemon_domain(lspawn, `, mta_delivery_agent')
allow qmail_lspawn_t self:fifo_file { read write };
allow qmail_lspawn_t self:capability { setuid setgid };
allow qmail_lspawn_t self:process fork;
@@ -95,10 +95,17 @@
allow qmail_local_t qmail_queue_exec_t:file read;
allow qmail_local_t etc_qmail_t:dir { getattr read search };
allow qmail_local_t etc_qmail_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file read;
+allow qmail_local_t qmail_spool_t:file { ioctl read };
allow qmail_local_t self:fifo_file write;
allow qmail_local_t sbin_t:dir search;
+# for piping mail to a command
+can_exec(qmail_local_t, shell_exec_t)
+allow qmail_local_t bin_t:dir search;
+allow qmail_local_t bin_t:lnk_file read;
+allow qmail_local_t devtty_t:chr_file rw_file_perms;
+allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
+
daemon_sub_domain(tcpd_t, qmail_tcp_env)
allow qmail_tcp_env_t inetd_t:fd use;
allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
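Review bot: The `can_exec(qmail_local_t, shell_exec_t)` rule under `# for piping mail to a command` runs the shell without a domain transition, so every command started from a delivery pipe inherits all of qmail_local_t's access, including the devtty_t, proc_t and etc_runtime_t rules added just below and the spool read access above. That is presumably the intended effect for mailman-style pipes, but the comment should state it so the domain is not later widened on the assumption that the piped program is confined separately: `# for piping mail to a command: the shell and the piped program run in qmail_local_t (no transition)`. I cannot tell from this hunk where the pipe commands originate; if they come from user-editable delivery files, recording that boundary here matters even more.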
diff -ru /tmp/policy/domains/program/samba.te ./domains/program/samba.te
--- /tmp/policy/domains/program/samba.te 2002-08-23 21:04:28.000000000 +0200
+++ ./domains/program/samba.te 2002-09-27 22:58:07.000000000 +0200
@@ -14,6 +14,7 @@
type samba_log_t, file_type, sysadmfile, logfile;
type samba_var_t, file_type, sysadmfile;
type samba_share_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
#################################
#
@@ -35,9 +36,12 @@
can_network(smbd_t)
# Permissions for Samba files in /etc/samba
-#allow smbd_t samba_etc_t:file { write setattr getattr read lock };
+# either allow read access to the directory or allow the auto_trans rule to
+# allow creation of the secrets.tdb file
+#allow smbd_t samba_etc_t:dir { search getattr };
+file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
+
allow smbd_t samba_etc_t:file { getattr read };
-allow smbd_t samba_etc_t:dir { search getattr };
# Permissions for Samba cache files in /var/cache/samba
allow smbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
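Review bot: The `file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)` rule is wider than its comment suggests: if the macro grants the usual create and write permissions on the directory, smbd_t can create any new file under samba_etc_t (all labelled samba_secrets_t), not only secrets.tdb. The two comment lines beginning `# either allow read access to the directory ...` read as an unresolved choice, while the hunk has already taken the auto_trans option and dropped the `dir { search getattr }` rule. Replace them with a statement of what was decided, e.g. `# smbd creates /etc/samba/secrets.tdb; the auto_trans rule covers dir search plus file creation, labelled samba_secrets_t (see samba.fc)`, noting that creation is allowed anywhere in the directory if that is accepted.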
diff -ru /tmp/policy/domains/program/squid.te ./domains/program/squid.te
--- /tmp/policy/domains/program/squid.te 2002-08-23 21:04:28.000000000 +0200
+++ ./domains/program/squid.te 2002-09-22 22:39:19.000000000 +0200
@@ -50,6 +50,7 @@
allow squid_t var_log_squid_t:file create_file_perms;
ifdef(`logrotate.te',
`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
+ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
# Use the network
can_network(squid_t)
diff -ru /tmp/policy/file_contexts/program/passwd.fc ./file_contexts/program/passwd.fc
--- /tmp/policy/file_contexts/program/passwd.fc 2002-09-27 22:27:40.000000000 +0200
+++ ./file_contexts/program/passwd.fc 2002-08-22 21:49:40.000000000 +0200
@@ -3,9 +3,11 @@
/usr/local/selinux/bin/schsh system_u:object_r:passwd_exec_t
/usr/local/selinux/bin/schfn system_u:object_r:passwd_exec_t
/usr/local/selinux/bin/svipw system_u:object_r:admin_passwd_exec_t
+/usr/local/selinux/bin/suseradd system_u:object_r:admin_passwd_exec_t
/usr/local/selinux/bin/sadminpasswd system_u:object_r:admin_passwd_exec_t
/usr/bin/spasswd system_u:object_r:passwd_exec_t
/usr/bin/schsh system_u:object_r:passwd_exec_t
/usr/bin/schfn system_u:object_r:passwd_exec_t
/usr/bin/svipw system_u:object_r:admin_passwd_exec_t
+/usr/bin/suseradd system_u:object_r:admin_passwd_exec_t
/usr/bin/sadminpasswd system_u:object_r:admin_passwd_exec_t
diff -ru /tmp/policy/file_contexts/program/samba.fc ./file_contexts/program/samba.fc
--- /tmp/policy/file_contexts/program/samba.fc 2002-07-12 17:19:44.000000000 +0200
+++ ./file_contexts/program/samba.fc 2002-09-27 22:58:30.000000000 +0200
@@ -4,5 +4,4 @@
/etc/samba(/.*)? system_u:object_r:samba_etc_t
/var/log/samba(/.*)? system_u:object_r:samba_log_t
/var/cache/samba(/.*)? system_u:object_r:samba_var_t
-#/net/music(/.*)? system_u:object_r:samba_share_t
-#/net/pub(/.*)? system_u:object_r:samba_share_t
+/etc/samba/secrets.tdb system_u:object_r:samba_secrets_t
diff -ru /tmp/policy/macros/program/su_macros.te ./macros/program/su_macros.te
--- /tmp/policy/macros/program/su_macros.te 2002-09-27 22:27:44.000000000 +0200
+++ ./macros/program/su_macros.te 2002-09-27 12:52:43.000000000 +0200
@@ -34,11 +34,6 @@
# Revert to the user domain when a shell is executed.
domain_auto_trans($1_su_t, shell_exec_t, $1_t)
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',
-`allow $1_su_t $1_gph_t:fd use;
-allow $1_t $1_gph_t:fd use;')
-
allow $1_su_t privfd:fd use;
# Write to utmp.
@@ -53,6 +48,11 @@
# Run chkpwd.
can_exec($1_su_t, chkpwd_exec_t)
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow { $1_su_t $1_t } $1_gph_t:fd use;
+')
+
# The user role is authorized for this domain.
role $1_r types $1_su_t;
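Review bot: The relocated gnome-pty-helper block, `allow { $1_su_t $1_t } $1_gph_t:fd use;`, has the same effect as the two rules removed in the previous hunk, so the fix for the reported gph problem appears to be the relocation itself, yet nothing in the file records why the new position matters. Since the cover letter says the change only "hopefully" fixes it, a comment stating the reason would stop the next cleanup from moving it back, e.g. `# must follow the chkpwd rules above: <reason placeholder, see the su gph thread>`. I cannot tell from the diff whether this is an ordering dependency or an ifdef-evaluation issue; the enclosing macro body extends beyond both hunks.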
* Re: new policy patch
@ 2002-10-01 16:51 ` Stephen Smalley
From: Stephen Smalley @ 2002-10-01 16:51 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Fri, 27 Sep 2002, Russell Coker wrote:
> The attached patch has my latest changes. A minor dpkg patch, some qmail
> changes that are particularly needed for mailman and other things that
> require mail being piped, samba changes for /etc/samba/secrets.tdb, type
> labelling for the suseradd program, a squid cron job policy change, and a
> change that hopefully fixes the su gph problem Brian reported.
Thanks, merged except for the suseradd stuff, which has moved into
suseradd.fc.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* new policy patch
@ 2003-08-01 0:01 Russell Coker
From: Russell Coker @ 2003-08-01 0:01 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 1321 bytes --]
This patch has some policy changes related to the change from
sysadm_home_dir_t to staff_home_dir_t for the /root directory (incidentally,
do we even need sysadm_home_dir_t any more?).
I've made significant changes to net_contexts and related files and made
can_network() not permit binding to port_t. I've got all the common daemons
working well with this, but there may be some I've missed.
I've fixed the ftpd.te problem as previously discussed.
The new version of rpc.statd has slightly different functionality; I changed
the policy to allow it to do what it needs to do.
I've made some changes to the rpm policy. The old version would not work very
well, my new version should be an improvement. It would be good if someone
could test this.
I've made a change to the watchdog policy that will allow it to work properly.
I've changed the file_contexts entries for postfix to deal with the Debian
package creating the chroot directories and the startup scripts searching
them and causing audit messages.
There are also many other minor changes.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 31100 bytes --]
diff -ru /tmp/policy/domains/misc/kernel.te policy/domains/misc/kernel.te
--- /tmp/policy/domains/misc/kernel.te 2003-07-31 13:20:08.000000000 +1000
+++ policy/domains/misc/kernel.te 2003-07-11 20:55:13.000000000 +1000
@@ -17,6 +17,7 @@
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
+can_exec(kernel_t, shell_exec_t)
# Use capabilities.
allow kernel_t self:capability *;
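Review bot: `can_exec(kernel_t, shell_exec_t)` is added to the kernel domain without a comment, and it replaces the `allow kernel_t shell_exec_t:file execute;` rule removed from hotplug.te (the `@@ -11,9 +11,6 @@` hunk of that file) together with its justification. Two things change at once: the grant is now unconditional rather than tied to hotplug being in the policy, and if can_exec expands to the usual read/execute permission set it is broader than the single `execute` permission it replaces. Carry the rationale over so the widening is visible to an auditor, e.g. `# kernel threads (hotplug) run the shell to interpret helper scripts; replaces the conditional rule formerly in hotplug.te`, and consider keeping the rule under `ifdef(`hotplug.te', ...)` if nothing else needs it.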
diff -ru /tmp/policy/domains/program/checkpolicy.te policy/domains/program/checkpolicy.te
--- /tmp/policy/domains/program/checkpolicy.te 2003-03-14 02:14:31.000000000 +1100
+++ policy/domains/program/checkpolicy.te 2003-07-16 11:11:33.000000000 +1000
@@ -44,12 +44,14 @@
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;
allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
+allow checkpolicy_t fs_t:filesystem getattr;
+
##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
diff -ru /tmp/policy/domains/program/initrc.te policy/domains/program/initrc.te
--- /tmp/policy/domains/program/initrc.te 2003-07-31 13:20:15.000000000 +1000
+++ policy/domains/program/initrc.te 2003-07-12 20:38:43.000000000 +1000
@@ -20,6 +20,9 @@
uses_shlib(initrc_t);
type initrc_exec_t, file_type, sysadmfile, exec_type;
+# for halt to down interfaces
+allow initrc_t self:udp_socket create_socket_perms;
+
# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;
diff -ru /tmp/policy/domains/program/logrotate.te policy/domains/program/logrotate.te
--- /tmp/policy/domains/program/logrotate.te 2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/logrotate.te 2003-08-01 08:48:02.000000000 +1000
@@ -28,7 +28,7 @@
allow logrotate_t etc_runtime_t:{ file lnk_file } r_file_perms;
# it should not require this
-allow logrotate_t sysadm_home_dir_t:dir { read getattr search };
+allow logrotate_t staff_home_dir_t:dir { read getattr search };
# create lock files
rw_dir_create_file(logrotate_t, var_lock_t)
diff -ru /tmp/policy/domains/program/modutil.te policy/domains/program/modutil.te
--- /tmp/policy/domains/program/modutil.te 2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/modutil.te 2003-08-01 09:03:28.000000000 +1000
@@ -55,8 +55,8 @@
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories.
-allow depmod_t { home_root_t user_home_dir_type sysadm_home_dir_t }:dir r_dir_perms;
-r_dir_file(depmod_t, { user_home_type sysadm_home_t })
+allow depmod_t { home_root_t staff_home_dir_t }:dir r_dir_perms;
+r_dir_file(depmod_t, staff_home_t)
#################################
#
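Review bot: The rewritten depmod rules narrow what `# Read System.map from home directories.` describes: `user_home_dir_type` and `user_home_type` are dropped, so depmod_t can now read a System.map only under home_root_t and staff home directories, not from ordinary users' homes. That is a reasonable least-privilege tightening, but the comment should be updated to match, e.g. `# Read System.map from /root (staff_home_t); unprivileged user homes are deliberately not readable`, otherwise the next report of depmod failing in a user home will look like a regression rather than a decision. The sysadm_home to staff_home rename also appears in logrotate.te, dpkg.te, ipsec.te, named.te and sysstat.te, but those hunks only substitute the type name and do not drop access.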
@@ -154,7 +154,7 @@
allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
+dontaudit update_modules_t staff_home_dir_t:dir search;
uses_shlib(update_modules_t)
allow update_modules_t self:process { fork sigchld };
diff -ru /tmp/policy/domains/program/mount.te policy/domains/program/mount.te
--- /tmp/policy/domains/program/mount.te 2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/mount.te 2003-07-12 19:59:50.000000000 +1000
@@ -34,11 +34,12 @@
allow mount_t proc_t:dir mounton;
allow mount_t root_t:dir mounton;
allow mount_t home_root_t:dir mounton;
+allow mount_t tmp_t:dir mounton;
# On some RedHat systems, /boot is a mount point
allow mount_t boot_t:dir mounton;
allow mount_t device_t:dir mounton;
ifdef(`devfsd.te', `
-allow mount_t device_t:filesystem unmount;
+allow mount_t device_t:filesystem { mount unmount };
')
allow mount_t root_t:filesystem unmount;
diff -ru /tmp/policy/domains/program/ssh.te policy/domains/program/ssh.te
--- /tmp/policy/domains/program/ssh.te 2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/ssh.te 2003-07-31 05:31:18.000000000 +1000
@@ -38,11 +38,6 @@
allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
-# Read the linker, shared library, and executable types.
-allow $1 ld_so_t:{ file lnk_file } r_file_perms;
-allow $1 shlib_t:{ file lnk_file } r_file_perms;
-allow $1 exec_type:{ file lnk_file } r_file_perms;
-
# Read and write /dev/tty and /dev/null.
allow $1 devtty_t:chr_file rw_file_perms;
allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms;
@@ -91,6 +86,10 @@
# sshd_key_t is the type of the ssh private key files
#
sshd_program_domain(sshd_t)
+
+# for X forwarding
+allow sshd_t port_t:tcp_socket name_bind;
+
type sshd_exec_t, file_type, exec_type, sysadmfile;
ifdef(`inetd.te', `
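Review bot: `allow sshd_t port_t:tcp_socket name_bind;` under `# for X forwarding` lets sshd bind any port carrying the generic port_t label, which undoes for sshd the restriction the cover letter says was just removed from can_network(). Elsewhere in this patch the same need is met with a dedicated type (dhcpc_port_t, dhcpd_port_t and inetd_port_t are declared with `port_type`); the X forwarding listener range could be labelled the same way in net_contexts, leaving sshd unable to bind arbitrary unlabelled ports. The generic grant may be unavoidable for portmap and rpcd, whose hunks state that they bind arbitrary ports, but the radius proxy port in radius.te (`allow radiusd_t port_t:udp_socket name_bind;`) has the same fixed-port shape as this one. The net_contexts change is not in the visible part of the diff, so I cannot tell whether a suitable type already exists.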
diff -ru /tmp/policy/domains/program/unused/bootloader.te policy/domains/program/unused/bootloader.te
--- /tmp/policy/domains/program/unused/bootloader.te 2003-07-31 13:20:21.000000000 +1000
+++ policy/domains/program/unused/bootloader.te 2003-07-12 22:22:41.000000000 +1000
@@ -83,9 +83,10 @@
allow bootloader_t fs_t:filesystem getattr;
-allow bootloader_t proc_t:dir r_dir_perms;
+allow bootloader_t proc_t:dir { getattr search };
allow bootloader_t proc_t:file r_file_perms;
allow bootloader_t proc_t:lnk_file read;
+allow bootloader_t self:dir { getattr search read };
allow bootloader_t sysctl_kernel_t:dir search;
allow bootloader_t sysctl_kernel_t:file { getattr read };
allow bootloader_t etc_runtime_t:file r_file_perms;
diff -ru /tmp/policy/domains/program/unused/cups.te policy/domains/program/unused/cups.te
--- /tmp/policy/domains/program/unused/cups.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/cups.te 2003-07-15 00:15:04.000000000 +1000
@@ -36,7 +36,7 @@
allow cupsd_t proc_t:file r_file_perms;
allow cupsd_t proc_t:dir r_dir_perms;
allow cupsd_t { sysctl_t sysctl_kernel_t sysctl_dev_t }:dir search;
-allow cupsd_t sysctl_kernel_t:file { getattr read };
+allow cupsd_t { sysctl_kernel_t sysctl_dev_t }:file { getattr read };
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -57,7 +57,7 @@
r_dir_file(cupsd_t, readable_t)
# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:tcp_socket name_bind;
+allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
can_tcp_connect(web_client_domain, cupsd_t)
can_tcp_connect(cupsd_t, cupsd_t)
diff -ru /tmp/policy/domains/program/unused/devfsd.te policy/domains/program/unused/devfsd.te
--- /tmp/policy/domains/program/unused/devfsd.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/devfsd.te 2003-07-11 00:03:18.000000000 +1000
@@ -9,7 +9,7 @@
#
type etc_devfsd_t, file_type, sysadmfile;
-allow kernel_t device_t:dir mounton;
+allow kernel_t { device_t root_t }:dir mounton;
daemon_domain(devfsd)
diff -ru /tmp/policy/domains/program/unused/dhcpc.te policy/domains/program/unused/dhcpc.te
--- /tmp/policy/domains/program/unused/dhcpc.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dhcpc.te 2003-07-26 01:34:09.000000000 +1000
@@ -14,6 +14,8 @@
# dhcpc_exec_t is the type of the dhcpcd executable.
# The dhcpc_t can be used for other DHCPC related files as well.
#
+type dhcpc_port_t, port_type;
+
daemon_domain(dhcpc)
can_network(dhcpc_t)
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
@@ -22,8 +24,14 @@
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
+allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
')
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
+allow hotplug_t dhcpc_t:process signal_perms;
+allow hotplug_t dhcpc_var_run_t:file { getattr read };
+')
# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
@@ -32,7 +40,13 @@
dontaudit ping_t dhcpc_state_t:file read;
dontaudit ping_t dhcpc_t:packet_socket { read write };
dontaudit ping_t dhcpc_t:udp_socket { read write };
-')
+ifdef(`hotplug.te', `
+allow ping_t hotplug_t:fd use;
+') dnl end if hotplug
+ifdef(`cardmgr.te', `
+allow ping_t cardmgr_t:fd use;
+') dnl end if cardmgr
+') dnl end if ping
ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
@@ -49,6 +63,9 @@
# Use capabilities
allow dhcpc_t self:capability { net_admin net_raw net_bind_service };
+# for udp port 68
+allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
+
# Allow read/write to /etc/resolv.conf. Note that any files in /etc
# created by dhcpcd will be labelled resolv_conf_t. As of RH 7.2, no
# other files are accessed in the /etc dir, only in /etc/dhcpc dir.
diff -ru /tmp/policy/domains/program/unused/dhcpd.te policy/domains/program/unused/dhcpd.te
--- /tmp/policy/domains/program/unused/dhcpd.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dhcpd.te 2003-07-31 05:23:46.000000000 +1000
@@ -16,6 +16,10 @@
#
daemon_domain(dhcpd)
+# for UDP port 67
+type dhcpd_port_t, port_type;
+allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
+
type etc_dhcp_t alias { etc_dhcpc_t etc_dhcpd_t }, file_type, sysadmfile;
# Use the network.
diff -ru /tmp/policy/domains/program/unused/dpkg.te policy/domains/program/unused/dpkg.te
--- /tmp/policy/domains/program/unused/dpkg.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dpkg.te 2003-08-01 08:46:54.000000000 +1000
@@ -130,8 +130,8 @@
dontaudit apt_t var_run_t:dir search;
# for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
+r_dir_file(apt_t, staff_home_t)
+allow apt_t staff_home_dir_t:dir { search getattr };
allow apt_t bin_t:lnk_file r_file_perms;
@@ -293,7 +293,7 @@
type debian_menu_t, file_type, sysadmfile;
r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
+dontaudit install_menu_t staff_home_dir_t:dir search;
allow install_menu_t debian_menu_t:dir create_dir_perms;
allow install_menu_t debian_menu_t:{ file lnk_file } create_file_perms;
allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
@@ -304,6 +304,9 @@
allow install_menu_t { bin_t sbin_t }:dir search;
allow install_menu_t bin_t:lnk_file read;
+# for menus
+allow install_menu_t usr_t:file r_file_perms;
+
# for /etc/kde3/debian/kde-update-menu.sh
can_exec(install_menu_t, etc_t)
diff -ru /tmp/policy/domains/program/unused/ftpd.te policy/domains/program/unused/ftpd.te
--- /tmp/policy/domains/program/unused/ftpd.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/ftpd.te 2003-08-01 09:11:46.000000000 +1000
@@ -11,8 +11,6 @@
type ftp_port_t, port_type;
daemon_domain(ftpd, `, auth')
type etc_ftpd_t, file_type, sysadmfile;
-ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)')
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
can_network(ftpd_t)
allow ftpd_t self:unix_dgram_socket create_socket_perms;
@@ -25,10 +23,19 @@
')
ifdef(`ftpd_daemon', `
+ifdef(`inetd.te', `', `
+define(`ftpd_is_daemon', `')
+') dnl end inetd.te
+') dnl end ftpd_daemon
+
+ifdef(`ftpd_is_daemon', `
rw_dir_create_file(ftpd_t, var_lock_t)
allow ftpd_t ftp_port_t:tcp_socket name_bind;
can_tcp_connect(userdomain, ftpd_t)
', `
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+
# Use sockets inherited from inetd.
allow ftpd_t inetd_t:fd use;
allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
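Review bot: The new `ftpd_is_daemon` logic changes what the `ftpd_daemon` tunable means without saying so: standalone mode is now selected only when ftpd_daemon is defined and inetd.te is absent, so a policy that sets ftpd_daemon but also builds inetd.te silently gets the inetd branch. The else branch now also contains an unguarded `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)` (the line removed in the first hunk was wrapped in `ifdef(`inetd.te', ...)`), and the pre-existing `allow ftpd_t inetd_t:fd use;` context lines carry the same dependency, so that branch only compiles when inetd_t is declared — consistent with the new selection rule, but worth stating. A comment at the top of the new block would make the precedence explicit: `# ftpd_is_daemon: standalone ftpd only when ftpd_daemon is set and inetd.te is absent; otherwise ftpd is started from inetd (inetd_t must exist)`. The else clause opened by `', `` closes outside this hunk.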
diff -ru /tmp/policy/domains/program/unused/hotplug.te policy/domains/program/unused/hotplug.te
--- /tmp/policy/domains/program/unused/hotplug.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/hotplug.te 2003-07-11 00:03:07.000000000 +1000
@@ -11,9 +11,6 @@
#
daemon_domain(hotplug)
-# allow kernel thread to run a shell to interpret the script
-allow kernel_t shell_exec_t:file execute;
-
type etc_hotplug_t, file_type, sysadmfile;
allow hotplug_t self:fifo_file { read write getattr ioctl };
diff -ru /tmp/policy/domains/program/unused/hwclock.te policy/domains/program/unused/hwclock.te
--- /tmp/policy/domains/program/unused/hwclock.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/hwclock.te 2003-08-01 08:47:17.000000000 +1000
@@ -22,6 +22,8 @@
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
')
+allow hwclock_t fs_t:filesystem getattr;
+
read_locale(hwclock_t)
# Give hwclock the capabilities it requires. dac_override is a surprise,
diff -ru /tmp/policy/domains/program/unused/inetd.te policy/domains/program/unused/inetd.te
--- /tmp/policy/domains/program/unused/inetd.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/inetd.te 2003-07-12 11:57:50.000000000 +1000
@@ -14,6 +14,8 @@
#
# Rules for the inetd_t domain.
#
+type inetd_port_t, port_type;
+
daemon_domain(inetd)
can_network(inetd_t)
@@ -45,6 +47,9 @@
ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;')
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
+# allow to bind to chargen, echo, etc
+allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind;
+
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
diff -ru /tmp/policy/domains/program/unused/ipsec.te policy/domains/program/unused/ipsec.te
--- /tmp/policy/domains/program/unused/ipsec.te 2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/ipsec.te 2003-08-01 08:56:50.000000000 +1000
@@ -200,7 +200,7 @@
allow ipsec_t self:fifo_file { read getattr };
# ideally it would not need this. It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+file_type_auto_trans(ipsec_mgmt_t, staff_home_dir_t, staff_home_t, file)
allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
diff -ru /tmp/policy/domains/program/unused/named.te policy/domains/program/unused/named.te
--- /tmp/policy/domains/program/unused/named.te 2003-07-31 13:20:23.000000000 +1000
+++ policy/domains/program/unused/named.te 2003-08-01 08:48:48.000000000 +1000
@@ -128,5 +128,5 @@
allow ndc_t named_var_run_t:file getattr;
allow ndc_t named_zone_t:dir { read getattr };
allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
+dontaudit ndc_t staff_home_t:dir { getattr search read };
')
diff -ru /tmp/policy/domains/program/unused/pamconsole.te policy/domains/program/unused/pamconsole.te
--- /tmp/policy/domains/program/unused/pamconsole.te 2003-03-05 01:57:16.000000000 +1100
+++ policy/domains/program/unused/pamconsole.te 2003-04-22 20:01:53.000000000 +1000
@@ -4,7 +4,7 @@
type pam_console_exec_t, file_type, sysadmfile, exec_type;
type pam_console_t, domain;
role system_r types pam_console_t;
-every_domain(pam_console_t)
+uses_shlib(pam_console_t)
domain_auto_trans(initrc_t, pam_console_exec_t, pam_console_t)
# Allow access to /dev/console through the fd:
diff -ru /tmp/policy/domains/program/unused/portmap.te policy/domains/program/unused/portmap.te
--- /tmp/policy/domains/program/unused/portmap.te 2003-07-31 13:20:25.000000000 +1000
+++ policy/domains/program/unused/portmap.te 2003-07-12 20:00:14.000000000 +1000
@@ -21,6 +21,9 @@
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+# portmap binds to arbitary ports
+allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+
allow portmap_t etc_t:file { getattr read };
# Send to ypbind, initrc, rpc.statd, xinetd.
@@ -39,6 +42,8 @@
')
can_udp_send(portmap_t, kernel_t)
can_udp_send(kernel_t, portmap_t)
+can_udp_send(sysadm_t, portmap_t)
+can_udp_send(portmap_t, sysadm_t)
# Use capabilities
allow portmap_t self:capability { net_bind_service setuid setgid };
diff -ru /tmp/policy/domains/program/unused/radius.te policy/domains/program/unused/radius.te
--- /tmp/policy/domains/program/unused/radius.te 2003-07-31 13:20:27.000000000 +1000
+++ policy/domains/program/unused/radius.te 2003-07-12 12:04:24.000000000 +1000
@@ -51,6 +51,10 @@
can_network(radiusd_t)
allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
+
+# for RADIUS proxy port
+allow radiusd_t port_t:udp_socket name_bind;
+
ifdef(`snmpd.te', `
can_tcp_connect(radiusd_t, snmpd_t)
')
diff -ru /tmp/policy/domains/program/unused/rpcd.te policy/domains/program/unused/rpcd.te
--- /tmp/policy/domains/program/unused/rpcd.te 2003-07-31 13:20:27.000000000 +1000
+++ policy/domains/program/unused/rpcd.te 2003-07-31 10:59:05.000000000 +1000
@@ -11,7 +11,7 @@
# rpcd_t is the domain of rpc daemons.
# rpcd_exec_t is the type of rpc daemon programs.
#
-daemon_base_domain(rpcd)
+daemon_domain(rpcd)
can_network(rpcd_t)
allow rpcd_t resolv_conf_t:file { getattr read };
can_udp_send({ init_t initrc_t }, rpcd_t)
@@ -23,6 +23,7 @@
allow rpcd_t self:unix_dgram_socket create_socket_perms;
allow rpcd_t self:unix_stream_socket create_socket_perms;
+allow rpcd_t self:fifo_file rw_file_perms;
can_udp_send(rpcd_t, rpcd_t)
can_udp_send(mount_t, rpcd_t)
@@ -41,6 +42,9 @@
# Use capabilities.
allow rpcd_t self:capability { net_bind_service dac_override setgid setuid };
+# bind to arbitary unused ports
+allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind;
+
# Access /var/lib/nfs.
allow rpcd_t { var_t var_lib_t }:dir search;
allow rpcd_t var_lib_nfs_t:dir rw_dir_perms;
diff -ru /tmp/policy/domains/program/unused/rpm.te policy/domains/program/unused/rpm.te
--- /tmp/policy/domains/program/unused/rpm.te 2003-03-05 01:57:20.000000000 +1100
+++ policy/domains/program/unused/rpm.te 2003-04-22 20:00:42.000000000 +1000
@@ -11,21 +11,21 @@
#
type rpm_t, domain, privlog;
role system_r types rpm_t;
-role sysadm_r types rpm_t;
-every_domain(rpm_t)
+uses_shlib(rpm_t)
type rpm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(system_crond_t, rpm_exec_t, rpm_t)
+
+system_crond_entry(rpm_exec_t, rpm_t)
+#role sysadm_r types rpm_t;
#domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
type rpm_file_t, file_type, sysadmfile;
type var_lib_rpm_t, file_type, sysadmfile;
-type rpm_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(rpm_t, tmp_t, rpm_tmp_t)
+tmp_domain(rpm)
-type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t)
-allow rpm_tmpfs_t tmpfs_t:filesystem associate;
+#type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile;
+#file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t)
+#allow rpm_tmpfs_t tmpfs_t:filesystem associate;
type var_log_rpm_t, file_type, sysadmfile, logfile;
file_type_auto_trans(rpm_t, var_log_t, var_log_rpm_t)
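Review bot: The hunk removes `role sysadm_r types rpm_t;` and replaces `every_domain(rpm_t)` with `uses_shlib(rpm_t)`, which means rpm_t is now reachable only through `system_crond_entry(rpm_exec_t, rpm_t)` and an interactive rpm run by sysadm_r stays in sysadm_t — a real change in who holds the rpm_t privileges (including the `can_exec_any(rpm_t)` further down) that the cover letter only describes as "changes to the rpm policy". The three `#type rpm_tmpfs_t ...` lines and `#role sysadm_r types rpm_t;` are left as commented-out policy with no explanation; either delete them or add one line saying why they are kept, e.g. `# rpm_t is entered from cron only; sysadm runs rpm in its own domain (tmpfs rules disabled until needed)`. The switch to `tmp_domain(rpm)` presumably redeclares rpm_tmp_t with the same attributes as the removed `type rpm_tmp_t` line — worth confirming, since any remaining rpm_tmp_t references depend on it.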
@@ -34,7 +34,7 @@
can_exec_any(rpm_t)
# Capabilties needed by rpm utils
-allow rpm_t rpm_t:capability { dac_override dac_read_search chown setuid setgid };
+allow rpm_t self:capability { dac_override dac_read_search chown setuid setgid };
# Access /usr/lib files
allow rpm_t lib_t:dir r_dir_perms;
@@ -44,15 +44,10 @@
allow rpm_t var_lib_rpm_t:dir rw_dir_perms;
allow rpm_t var_lib_rpm_t:file create_file_perms;
-# When the RPM updates are run from cron, inherit cron descriptors and
-# read from the FIFO created by cron
-allow rpm_t crond_t:fd use;
-allow rpm_t crond_t:fifo_file r_file_perms;
-
# Access terminals.
-allow rpm_t sysadm_tty_device_t:chr_file rw_file_perms;
-allow rpm_t sysadm_devpts_t:chr_file rw_file_perms;
+allow rpm_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
+allow rpm_t privfd:fd use;
# Write to /usr/src.
#allow rpm_t src_t:dir create_dir_perms;
@@ -60,9 +55,3 @@
# Execute from /usr/src.
#can_exec(rpm_t, src_t)
-
-# Execute helper programs.
-#can_exec_any(rpm_t)
-
-# Execute temporary files.
-#can_exec(rpm_t, rpm_tmp_t)
diff -ru /tmp/policy/domains/program/unused/squid.te policy/domains/program/unused/squid.te
--- /tmp/policy/domains/program/unused/squid.te 2003-07-31 13:20:28.000000000 +1000
+++ policy/domains/program/unused/squid.te 2003-07-11 20:56:29.000000000 +1000
@@ -60,8 +60,9 @@
can_network(squid_t)
can_tcp_connect(web_client_domain, squid_t)
-# port 8080 is http_cache_port_t (see net_contexts)
+# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
allow squid_t http_cache_port_t:tcp_socket name_bind;
+allow squid_t http_cache_port_t:udp_socket name_bind;
# to allow running programs from /usr/lib/squid (IE unlinkd)
# also allow exec()ing itself
diff -ru /tmp/policy/domains/program/unused/sysstat.te policy/domains/program/unused/sysstat.te
--- /tmp/policy/domains/program/unused/sysstat.te 2003-07-31 13:20:28.000000000 +1000
+++ policy/domains/program/unused/sysstat.te 2003-08-01 08:49:27.000000000 +1000
@@ -29,7 +29,7 @@
# for fstab
allow sysstat_t etc_t:file { read getattr };
-dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
+dontaudit sysstat_t staff_home_dir_t:dir r_dir_perms;
allow sysstat_t self:fifo_file rw_file_perms;
diff -ru /tmp/policy/domains/program/unused/utempter.te policy/domains/program/unused/utempter.te
--- /tmp/policy/domains/program/unused/utempter.te 2003-03-05 01:57:27.000000000 +1100
+++ policy/domains/program/unused/utempter.te 2003-04-12 10:32:13.000000000 +1000
@@ -14,7 +14,7 @@
type utempter_t, domain;
in_user_role(utempter_t)
role sysadm_r types utempter_t;
-every_domain(utempter_t)
+uses_shlib(utempter_t)
type utempter_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
diff -ru /tmp/policy/domains/program/unused/vmware.te policy/domains/program/unused/vmware.te
--- /tmp/policy/domains/program/unused/vmware.te 2003-07-31 13:20:29.000000000 +1000
+++ policy/domains/program/unused/vmware.te 2003-07-10 11:31:49.000000000 +1000
@@ -118,7 +118,7 @@
# Access /proc
r_dir_file(vmware_user_t, proc_t)
-# Access to some files in the home directory of the user
+# Access to some files in the user home directory
r_dir_file(vmware_user_t, user_home_t)
# Access to runtime files for user
diff -ru /tmp/policy/domains/program/unused/watchdog.te policy/domains/program/unused/watchdog.te
--- /tmp/policy/domains/program/unused/watchdog.te 2003-07-31 13:20:29.000000000 +1000
+++ policy/domains/program/unused/watchdog.te 2003-07-11 17:16:26.000000000 +1000
@@ -20,5 +20,13 @@
allow watchdog_t proc_t:file r_file_perms;
allow watchdog_t self:capability { ipc_lock sys_nice };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+can_network(watchdog_t)
+allow watchdog_t resolv_conf_t:file { getattr read };
+allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t bin_t:dir search;
+allow watchdog_t init_t:process signal;
+allow watchdog_t kernel_t:process sigstop;
allow watchdog_t watchdog_device_t:chr_file { getattr write };
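Review bot: The eight rules added at L708-L715 carry no comment saying which watchdog test each one serves, and several are broad for a root daemon that already holds ipc_lock: a full can_network() plus a UDP socket, a signal to init_t and sigstop to kernel_t. If, as the network rules suggest, these are for the ping/TCP tests configured in watchdog.conf and for the kill(-1, ...) sweep the daemon performs when it decides to repair or reboot, say so next to the rules: `# can_network/udp_socket: ping and tcp tests from watchdog.conf` and `# signal to init_t, sigstop to kernel_t: kill(-1, ...) sweep on repair/reboot`. If ping is the only network use, a raw IP socket rule would be narrower than can_network(), but that depends on what the macro grants in this tree.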
diff -ru /tmp/policy/file_contexts/program/modutil.fc policy/file_contexts/program/modutil.fc
--- /tmp/policy/file_contexts/program/modutil.fc 2003-07-31 13:20:54.000000000 +1000
+++ policy/file_contexts/program/modutil.fc 2003-05-31 12:28:59.000000000 +1000
@@ -1,5 +1,6 @@
# module utilities
/etc/modules\.conf(.old)? system_u:object_r:modules_conf_t
+/lib/modules/modprobe.conf system_u:object_r:modules_conf_t
/lib/modules(/.*)? system_u:object_r:modules_object_t
/lib/modules/[^/]+/modules\..+ system_u:object_r:modules_dep_t
/lib/modules/modprobe\.conf.* system_u:object_r:modules_conf_t
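Review bot: The spec added at L723 is redundant with the existing `/lib/modules/modprobe\.conf.*` on L726, which already matches a bare modprobe.conf (the `.*` suffix may be empty), and its unescaped `.` is a regex wildcard, so `/lib/modules/modprobeXconf` would also be labelled modules_conf_t. Drop the new line; if a bare file was being mislabelled in practice, the cause is elsewhere (ordering against `/lib/modules(/.*)?` on L724), not a missing entry.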
diff -ru /tmp/policy/file_contexts/program/nsd.fc policy/file_contexts/program/nsd.fc
--- /tmp/policy/file_contexts/program/nsd.fc 2003-07-31 13:20:56.000000000 +1000
+++ policy/file_contexts/program/nsd.fc 2003-07-26 01:34:33.000000000 +1000
@@ -3,7 +3,9 @@
/etc/nsd/primary(/.*)? system_u:object_r:nsd_zone_t
/etc/nsd/secondary(/.*)? system_u:object_r:nsd_zone_t
/etc/nsd/nsd.db system_u:object_r:nsd_zone_t
+/var/lib/nsd.db system_u:object_r:nsd_zone_t
/usr/sbin/nsd system_u:object_r:nsd_exec_t
/usr/sbin/nsdc system_u:object_r:nsd_exec_t
/usr/sbin/nsd-notify system_u:object_r:nsd_exec_t
+/usr/sbin/zonec system_u:object_r:nsd_exec_t
/var/run/nsd\.pid system_u:object_r:nsd_var_run_t
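Review bot: The new `/var/lib/nsd.db` spec on L734 leaves the dot unescaped, unlike `/var/run/nsd\.pid` on L739; write it `/var/lib/nsd\.db` (the pre-existing `/etc/nsd/nsd.db` on L733 has the same defect and could be fixed in passing). Labelling zonec as nsd_exec_t means the zone compiler will run in nsd_t when started from initrc, but if an administrator runs it by hand it will transition out of sysadm_t as well; confirm that is intended, since the compiled database then has to be writable by nsd_t.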
diff -ru /tmp/policy/file_contexts/program/postfix.fc policy/file_contexts/program/postfix.fc
--- /tmp/policy/file_contexts/program/postfix.fc 2003-07-31 13:20:57.000000000 +1000
+++ policy/file_contexts/program/postfix.fc 2003-08-01 08:50:14.000000000 +1000
@@ -37,9 +37,10 @@
/var/spool/postfix/defer(red)?(/.*)? system_u:object_r:postfix_spool_t
/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t
+/var/spool/postfix/etc(/.*)? system_u:object_r:etc_t
/var/spool/postfix/lib(/.*)? system_u:object_r:lib_t
+/var/spool/postfix/usr(/.*)? system_u:object_r:lib_t
/var/spool/postfix/lib/ld.*\.so.* system_u:object_r:ld_so_t
/var/spool/postfix/lib/lib.*\.so.* system_u:object_r:shlib_t
/var/spool/postfix/lib/[^/]*/lib.*\.so.* system_u:object_r:shlib_t
/var/spool/postfix/lib/devfsd/.*\.so.* system_u:object_r:shlib_t
-/var/spool/postfix/etc/services system_u:object_r:etc_t
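Review bot: `/var/spool/postfix/usr(/.*)?` on L749 labels the whole usr tree of the chroot lib_t, but the shlib_t and ld_so_t specs that follow only cover the `lib/` subtree, so any shared object copied under usr/lib in the chroot would stay lib_t and the chrooted postfix domains could not map it executable. If the chroot carries libraries there, add `/var/spool/postfix/usr/lib(/.*)?/lib.*\.so.* system_u:object_r:shlib_t` (and a matching ld_so_t entry if a loader is copied) after L749 so the later, more specific match wins. Widening etc/services to `etc(/.*)?` as etc_t is fine for what postfix expects to find there, but it also makes anything an administrator drops into that directory readable by every domain that can read etc_t.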
diff -ru /tmp/policy/file_contexts/program/rpcd.fc policy/file_contexts/program/rpcd.fc
--- /tmp/policy/file_contexts/program/rpcd.fc 2002-07-04 06:26:22.000000000 +1000
+++ policy/file_contexts/program/rpcd.fc 2003-07-31 10:59:27.000000000 +1000
@@ -2,3 +2,4 @@
/sbin/rpc\..* system_u:object_r:rpcd_exec_t
/usr/sbin/rpc\..* system_u:object_r:rpcd_exec_t
/usr/sbin/exportfs system_u:object_r:rpcd_exec_t
+/var/run/rpc.statd.pid system_u:object_r:rpcd_var_run_t
diff -ru /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te 2003-07-31 13:21:04.000000000 +1000
+++ policy/macros/global_macros.te 2003-07-12 12:00:00.000000000 +1000
@@ -478,8 +481,8 @@
# Bind to the default port type.
# Other port types must be separately authorized.
#
-allow $1 port_t:udp_socket name_bind;
-allow $1 port_t:tcp_socket name_bind;
+#allow $1 port_t:udp_socket name_bind;
+#allow $1 port_t:tcp_socket name_bind;
')
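Review bot: With both name_bind lines commented out, the header comment on L767-L768 ("Bind to the default port type. Other port types must be separately authorized.") now describes rules that no longer exist, and commented-out allow rules tend to be re-enabled by the next person chasing a denial. Delete the two lines instead and reword the comment to `# name_bind on port_t is deliberately not granted here; domains that must bind unlabelled ports get it explicitly (user domains get UDP in user_macros.te).` The macro these lines belong to starts before this hunk.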
#################################
diff -ru /tmp/policy/macros/program/mount_macros.te policy/macros/program/mount_macros.te
--- /tmp/policy/macros/program/mount_macros.te 2003-07-31 13:21:09.000000000 +1000
+++ policy/macros/program/mount_macros.te 2003-07-12 20:01:38.000000000 +1000
@@ -29,6 +29,7 @@
domain_auto_trans($1_t, mount_exec_t, $2_t)
allow $2_t proc_t:dir search;
+allow $2_t proc_t:file { getattr read };
tmp_domain($2)
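Review bot: The new proc_t:file read on L782 grants the mount domain read on every file directly under /proc without saying which one it needs; if this is for /proc/filesystems and /proc/mounts, a comment such as `# mount reads /proc/filesystems and /proc/mounts` makes the intent clear and tells a reviewer whether a more specific type would do. The macro definition containing this rule starts before the hunk.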
diff -ru /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te 2003-07-31 13:21:04.000000000 +1000
+++ policy/macros/user_macros.te 2003-07-12 20:02:20.000000000 +1000
@@ -92,6 +103,9 @@
allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
')dnl end of ssh section
+# for ifconfig which is run all the time
+dontaudit $1_t sysctl_t:dir search;
+
allow $1_t boot_t:dir { getattr search };
dontaudit $1_t boot_t:dir read;
dontaudit $1_t boot_t:lnk_file getattr;
@@ -172,8 +186,16 @@
# Access other miscellaneous devices.
allow $1_t misc_device_t:file_class_set rw_file_perms;
+ifdef(`apache.te', `
+ifelse(`$1', `sysadm', `', `
+dnl apache_domain($1)
+')
+')dnl end apache
+
# Use the network.
can_network($1_t)
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
allow $1_t resolv_conf_t:file { getattr read };
# for perl
dontaudit $1_t resolv_conf_t:file ioctl;
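Review bot: The ifdef(`apache.te') block added at L799-L803 is a no-op, since its only content is the dnl-commented `apache_domain($1)`; either leave it out of the patch or add a comment saying why it is disabled so it is not mistaken for working code. The `port_t:udp_socket name_bind` on L808 gives every user domain, sysadm included, the right to bind any UDP port that has no portcon of its own, which is the very permission the global_macros change in this patch removes from can_network(); the usability comment is fair, but it should state the intended use, e.g. `# UDP clients (DNS, NTP, games) need a local port; port_t is every port without a portcon, so keep new services labelled`, and note that it would also cover an unlabelled low port if a user domain ever gained net_bind_service.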
diff -ru /tmp/policy/net_contexts policy/net_contexts
--- /tmp/policy/net_contexts 2003-07-31 13:20:03.000000000 +1000
+++ policy/net_contexts 2003-07-31 05:23:03.000000000 +1000
@@ -17,6 +17,18 @@
# protocol number context
# protocol low-high context
#
+ifdef(`inetd.te', `
+portcon tcp 7 system_u:object_r:inetd_port_t
+portcon udp 7 system_u:object_r:inetd_port_t
+portcon tcp 9 system_u:object_r:inetd_port_t
+portcon udp 9 system_u:object_r:inetd_port_t
+portcon tcp 13 system_u:object_r:inetd_port_t
+portcon udp 13 system_u:object_r:inetd_port_t
+portcon tcp 37 system_u:object_r:inetd_port_t
+portcon udp 37 system_u:object_r:inetd_port_t
+portcon tcp 113 system_u:object_r:inetd_port_t
+portcon udp 517 system_u:object_r:inetd_port_t
+')
ifdef(`courier.te', `define(`use_pop')')
ifdef(`perdition.te', `define(`use_pop')')
ifdef(`ftpd.te', `portcon tcp 21 system_u:object_r:ftp_port_t')
@@ -25,6 +37,8 @@
ifdef(`mta.te', `portcon tcp 25 system_u:object_r:smtp_port_t')
ifdef(`named.te', `portcon udp 53 system_u:object_r:named_port_t
portcon tcp 53 system_u:object_r:named_port_t')
+ifdef(`dhcpd.te', `portcon udp 67 system_u:object_r:dhcpd_port_t')
+ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
ifdef(`apache.te', `portcon tcp 80 system_u:object_r:http_port_t')
@@ -37,7 +51,7 @@
portcon udp 111 system_u:object_r:portmap_port_t
portcon tcp 111 system_u:object_r:portmap_port_t
')
-ifdef(`ntp.te', `portcon udp 123 system_u:object_r:ntp_port_t')
+ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
ifdef(`samba.te', `
portcon tcp 137 system_u:object_r:smbd_port_t
portcon udp 137 system_u:object_r:nmbd_port_t
@@ -57,7 +71,10 @@
ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
-ifdef(`cups.te', `portcon tcp 631 system_u:object_r:ipp_port_t')
+ifdef(`cups.te', `
+portcon tcp 631 system_u:object_r:ipp_port_t
+portcon udp 631 system_u:object_r:ipp_port_t
+')
ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
ifdef(`use_pop', `
portcon tcp 993 system_u:object_r:pop_port_t
@@ -75,9 +92,18 @@
portcon udp 5323 system_u:object_r:imaze_port_t
')
ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`sound-server.te', `
+portcon tcp 8000 system_u:object_r:soundd_port_t
+# 9433 is for YIFF
+portcon tcp 9433 system_u:object_r:soundd_port_t
+')
ifdef(`apache.te', `define(`use_http_cache')')
ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `portcon tcp 8080 system_u:object_r:http_cache_port_t')
+ifdef(`use_http_cache', `
+portcon tcp 8080 system_u:object_r:http_cache_port_t
+portcon udp 3130 system_u:object_r:http_cache_port_t
+')
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
# Network interfaces (default = initial SID "netif" and "netmsg")
* New Policy Patch
@ 2005-04-04 18:50 ` Daniel J Walsh
From: Daniel J Walsh @ 2005-04-04 18:50 UTC (permalink / raw)
To: jwcart2; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 426 bytes --]
Major regrouping of apache_policy
Now use apache_domain and apache_user_domain
Added boolean httpd_builtin_scripting, which when turned off only allows
running of external apache scripts, not built-in modules like PHP.
Users can now create their own scripts using apache_domain(myscript)
More fixes of can_network and named_connect
Added NetworkManager policy.
A few fixes submitted from Ivan for hal, kudzu
--
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 34018 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.6/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/ifconfig.te 2005-04-04 10:44:54.000000000 -0400
@@ -66,3 +66,4 @@
rhgb_domain(ifconfig_t)
allow ifconfig_t userdomain:fd use;
dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.6/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/logrotate.te 2005-04-04 10:44:54.000000000 -0400
@@ -141,5 +141,10 @@
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
+# Supress libselinux initialization denials
dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
+# Allow selinux_getenforce
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.6/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/apache.te 2005-04-04 10:44:54.000000000 -0400
@@ -28,6 +28,9 @@
bool httpd_unified false;
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
# Allow httpd cgi support
bool httpd_enable_cgi false;
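Review bot: The comment on httpd_builtin_scripting says what turning it on permits but not what the default (off) means, and the rules it gates later in this file give httpd_t itself create, write and execute on all httpdcontent. Say that here: `# Allow httpd_t itself to read, write and execute httpdcontent, as in-process modules such as mod_php need; when off, content is only executed via CGI/suexec in a script domain and httpd_t cannot write it.`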
@@ -86,54 +89,6 @@
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec)
-allow httpd_t httpd_suexec_exec_t:file read;
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir search;
-allow httpd_suexec_t httpd_log_t:file { append getattr };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };
@@ -149,15 +104,24 @@
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;
-can_network(httpd_t)
+########################################
+# Set up networking
+########################################
+
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
+can_ypbind(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
if (httpd_can_network_connect) {
+can_network_client(httpd_t)
allow httpd_t port_type:tcp_socket name_connect;
}
-can_ypbind(httpd_t)
-###################
-# Allow httpd to search users diretories
-######################
+#########################################
+# Allow httpd to search users directories
+#########################################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
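Review bot: can_network_server(), can_kerberos() and can_resolve() are now granted unconditionally at L995-L998 under a comment that only says "Set up networking"; document what each is for so the unconditional grants can be reviewed, e.g. `# always: bind the http ports; resolve for HostnameLookups/virtual hosts; kerberos for mod_auth_kerb`. When httpd_can_network_connect is on, L1003 still allows name_connect to every port_type, so splitting client from server rules narrows the socket permissions but not where httpd may connect; if the usual need is a database or backend proxy, restricting name_connect to those port types under the boolean would be the next step.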
@@ -171,7 +135,6 @@
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
@@ -181,11 +144,6 @@
r_dir_file(initrc_t, httpd_config_t)
##################################################
-########################################
-# Allow httpd_t to bind to the HTTP port
-########################################
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-
###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
@@ -217,13 +175,14 @@
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
-r_dir_file(httpd_t, httpd_sys_script_ro_t)
-create_dir_file(httpd_t, httpd_sys_script_rw_t)
-ra_dir_file(httpd_t, httpd_sys_script_ra_t)
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
##################################################
@@ -250,7 +209,6 @@
# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)
-tmp_domain(httpd_suexec)
# Creation of lock files for apache2
lock_domain(httpd)
@@ -269,11 +227,11 @@
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
+r_dir_file(httpd_t, fonts_t)
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t autofs_t:dir { search getattr };
-allow httpd_suexec_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
@@ -281,23 +239,12 @@
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}
-r_dir_file(httpd_t, fonts_t)
#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;
-########################################
-# When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here.
-##################################################
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-
-can_kerberos(httpd_t)
-
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@@ -308,6 +255,9 @@
}
') dnl targeted policy
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
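Review bot: The comment on L1091 refers to `httpd_domain(sysadm)`, but the macro used throughout this file and apache_macros.te is apache_domain(), and the reason for keeping the alias is that existing labels and file context entries still name httpd_sysadm_content_t. Make the comment say that: `# apache_domain(sysadm) is no longer called; keep httpd_sysadm_content_t as an alias so existing labels and file contexts still resolve.`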
@@ -327,33 +277,27 @@
dontaudit httpd_t usr_t:dir write;
')
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-
application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };
+########################################
+# When the admin starts the server, the server wants to acess
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+##################################################
+
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir { search };
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
read_sysctl(httpd_sys_script_t)
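Review bot: The header comment relocated to L1121-L1125 still reads as though httpd_t's TTY access is always dontaudited, but it now sits above an if/else where httpd_tty_comm grants the access and only the else branch silences it; reword it to `# httpd_tty_comm: let httpd and its helper use the admin's tty (presumably for passphrase prompts); otherwise dontaudit the attempts, which httpd survives.` The allow branch covers httpd_helper_t as well as httpd_t while the new dontaudit on L1134 covers only httpd_t, so if the helper also probes the tty when the boolean is off, make it `dontaudit { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;`.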
@@ -368,6 +312,64 @@
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;
unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec)
+allow httpd_t httpd_suexec_exec_t:file read;
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir search;
+allow httpd_suexec_t httpd_log_t:file { append getattr };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+')
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+can_exec(httpd_t, httpdcontent )
+}
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
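Review bot: The relocated suexec block still uses the blanket can_network(httpd_suexec_t) at L1174, while httpd_t in this same patch was split into can_network_server() plus a boolean-gated can_network_client(); suexec only needs the client side, so `can_network_client(httpd_suexec_t)` under the same httpd_can_network_connect test would be both consistent and narrower. Like httpd_t it also gets `port_type:tcp_socket name_connect` (any port) whenever the boolean is on. The new conditional at L1194-L1198 makes httpd_t a writer and executor of all httpdcontent, user content included, when builtin scripting is on; a comment such as `# in-process scripting (mod_php) runs as httpd_t, so it must read/write/exec content itself` would make that trade-off explicit for whoever flips the boolean.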
@@ -375,3 +377,21 @@
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
}
+#
+# Types for squirrelmail
+#
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.6/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.6/domains/program/unused/dhcpc.te 2005-04-04 10:44:54.000000000 -0400
@@ -44,6 +44,8 @@
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
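Review bot: `allow dhcpc_t cardmgr_dev_t:chr_file { read write }` at L1231 gives the DHCP client read/write on the PCMCIA control device, which a DHCP client is unlikely to need to open itself; if the denial being fixed is a descriptor inherited across the cardmgr_t to dhcpc_t transition, the narrower fix is `allow dhcpc_t cardmgr_t:fd use;` together with `dontaudit dhcpc_t cardmgr_dev_t:chr_file { read write };`, which removes the noise without letting dhcpc drive the card. The unlink on dhcpc_var_run_t for cardmgr_t on L1230 is reasonable but should say why: `# cardmgr removes the client's pid file on card eject`.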
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.6/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/hald.te 2005-04-04 10:44:54.000000000 -0400
@@ -43,6 +43,9 @@
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+
+can_getsecurity(hald_t)
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
@@ -73,3 +76,20 @@
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
+
+
+# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/sbin/dmidecode
+# Violates assertion
+#allow hald_t memory_device_t:chr_file read;
+allow hald_t self:capability sys_rawio;
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.6/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/kudzu.te 2005-04-04 10:44:54.000000000 -0400
@@ -100,3 +100,8 @@
allow kudzu_t xserver_exec_t:file getattr;
')
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
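Review bot: Adding sysadm_userhelper_t to system_r so that kudzu can run userhelper means a boot-time, non-interactive domain now executes the helper domain intended for an administrator's session, with everything that domain is allowed (defined in userhelper.te, not visible here). If kudzu only needs userhelper to launch one configuration tool, a kudzu-specific helper domain would keep the two uses apart; at minimum add a comment naming what kudzu invokes through userhelper, e.g. `# kudzu runs system-config-* tools via userhelper at boot`, so the role grant can be reviewed later.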
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.6/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/domains/program/unused/NetworkManager.te 2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,76 @@
+#DESC NetworkManager -
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon.
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t domain:dir search;
+allow NetworkManager_t domain:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
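Review bot: Two rules in this new domain are far wider than the rest: L1352-L1353 let NetworkManager_t search and read every domain's /proc entries (cmdline, environ, maps of any process on the system), and L1299 lets it name_connect to every port_type. If the /proc access is only to find the dhclient it signals on L1301, `allow NetworkManager_t dhcpc_t:dir search;` plus `allow NetworkManager_t dhcpc_t:file { getattr read };` is enough, and the name_connect should name the port types it actually connects to, or go if the daemon only uses DHCP and the local named. The capability set on L1305 includes dac_override, which bypasses file permission bits wherever the domain already has type access; a comment on why each of dac_override, setuid/setgid and kill is needed would help, as would filling in the empty `#DESC NetworkManager -` line. Starting named and insmod and writing named_cache_t (L1321-L1324, L1358) fit the daemon's job but deserve a one-line comment each (caching resolver, driver loading).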
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.6/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.6/domains/program/unused/ntpd.te 2005-04-04 10:44:54.000000000 -0400
@@ -41,7 +41,7 @@
# Use the network.
can_network(ntpd_t)
-allow ntpd_t port_type:tcp_socket name_connect;
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.23.6/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/unused/pam.te 2005-04-04 10:44:54.000000000 -0400
@@ -37,4 +37,4 @@
allow initrc_t pam_var_run_t:dir rw_dir_perms;
allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file { read write };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.23.6/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/domains/program/unused/postgresql.te 2005-04-04 10:44:54.000000000 -0400
@@ -124,11 +124,15 @@
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir { search };
-allow postgresql_t initrc_su_t:process { sigchld };
+allow initrc_su_t postgresql_db_t:dir search;
+allow postgresql_t initrc_su_t:process sigchld;
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
dontaudit postgresql_t home_root_t:dir search;
can_kerberos(postgresql_t)
allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.6/domains/program/unused/publicfile.te
--- nsapolicy/domains/program/unused/publicfile.te 2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.6/domains/program/unused/publicfile.te 2005-04-04 10:46:35.000000000 -0400
@@ -12,11 +12,6 @@
type ftp_data_port_t, port_type, reserved_port_type;
')
-ifdef(`apache.te', `
-', `
-type http_port_t, port_type, reserved_port_type;
-')
-
daemon_domain(publicfile)
type publicfile_content_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
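Review bot: Removing the fallback declaration of http_port_t at L1403-L1406 makes publicfile.te depend on that type being declared somewhere that is always compiled; if it has moved into a core types file or net_contexts that is fine, but if it still lives in apache.te the build will fail whenever publicfile is enabled without apache, which the old guard existed to prevent. If it has not moved, keep the guard, or better declare http_port_t unconditionally in one shared place and drop the guards from both files, with a comment there saying it is shared by apache and publicfile.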
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.6/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/snmpd.te 2005-04-04 10:44:54.000000000 -0400
@@ -45,7 +45,9 @@
allow snmpd_t proc_t:dir search;
allow snmpd_t proc_t:file r_file_perms;
allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file { read write };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
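Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` on L1421 lets a network-facing daemon run any program under bin_t or sbin_t, and a shell, inside its own domain, presumably for snmpd.conf exec/extend directives; since many deployments never use those, gate the rule behind a boolean in the way apache.te and postgresql.te in this patch do, or at least comment it: `# snmpd.conf exec/extend directives run external commands as snmpd_t`. A dedicated script domain reached via domain_auto_trans would be narrower still, because commands run from snmpd would then not inherit snmpd_t's network and /proc access.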
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.6/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/file_contexts/distros.fc 2005-04-04 10:44:54.000000000 -0400
@@ -141,6 +141,10 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
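Review bot: The specs added at L1431 and L1434 leave their dots unescaped (`libdivxencore.so.0`, `libdeploy.so`) while `libmlib_jai\.so` two lines above escapes them; write `libdivxencore\.so\.0` and `libdeploy\.so` so they match only the literal names. Since texrel_shlib_t permits text relocations, it is worth a note on the Java entry that libdeploy.so was observed to need execmod, so the exception can be dropped once a fixed build appears.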
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.6/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/file_contexts/program/NetworkManager.fc 2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager
+/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.6/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/apache_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -4,14 +4,11 @@
#This type is for webpages
#
type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-ifelse($1, sys, `
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
-ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;')
# This type is used for .htaccess files
#
-type httpd_$1_htaccess_t, file_type, sysadmfile;
+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
# This type is used for executable scripts files
#
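Review bot: The removed `typeattribute httpd_$1_content_t $1_file_type` on L1453 is what let the $1_t user domain and its helpers treat the user's web content as their own files; unless apache_user_domain (named in the description but not visible here) re-adds it, users will lose the ability to manage their content from a shell. The new `allow httpd_t httpd_$1_htaccess_t:file r_file_perms;` on L1458 is needed because the htaccess type carries no httpdcontent attribute, so no generic content rule covers it; a comment such as `# httpd itself parses .htaccess; script domains do not need it` would explain why only httpd_t gets the read.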
@@ -68,13 +65,6 @@
type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
#########################################################
# Permissions for running child processes and scripts
##########################################################
@@ -117,20 +107,9 @@
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-ifelse($1, sys, `
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
-', `
-can_exec(httpd_$1_script_t, httpdcontent )
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-')
create_dir_file(httpd_$1_script_t, httpdcontent)
}
-ifelse($1, sys, `
#
# If a user starts a script by hand it gets the proper context
#
@@ -138,7 +117,38 @@
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
role sysadm_r types httpd_$1_script_t;
-', `
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+if (httpd_builtin_scripting) {
+r_dir_file(httpd_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_t, httpd_$1_script_rw_t)
+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
+r_dir_file(httpd_t, httpd_$1_content_t)
+}
+
+')
+define(`apache_user_domain', `
+
+apache_domain($1)
+
+typeattribute httpd_$1_content_t $1_file_type;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+}
if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
# If a user starts a script by hand it gets the proper context
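Review bot: `r_dir_file(httpd_t, httpd_$1_content_t)` is now inside `if (httpd_builtin_scripting)`, whereas the rule it replaces (the unconditional `r_dir_file(httpd_t, httpd_$1_content_t)` removed in the last hunk of this file) was always granted, so with the boolean off httpd_t loses read access to the per-user content type unless a rule outside this macro grants read on the httpdcontent attribute. Since the boolean is described as disabling built-in script modules rather than static pages, I would move that single line back out of the block, directly before `if (httpd_builtin_scripting) {`. Separately, the block gives httpd_t itself `create_dir_file(httpd_t, httpd_$1_script_rw_t)` and `ra_dir_file(httpd_t, httpd_$1_script_ra_t)`, where the removed code only had `r_dir_file(httpd_t, httpd_$1_script_rw_t)` for non-sys users; a comment noting that built-in scripting lets the server domain, not only the script domain, write those directories would make the widening explicit. The apache_domain macro body begins before this hunk.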
@@ -151,11 +161,7 @@
#########################################
create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-create_dir_file($1_crond_t, httpd_$1_content_t)
allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-ifdef(`mozilla.te', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
######################################################################
# Allow the user to create htaccess files
@@ -178,26 +184,8 @@
r_dir_file(httpd_$1_script_t, nfs_t)
')dnl end if nfs_home_dirs
}
-')dnl end ifelse sys
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-r_dir_file(httpd_t, httpd_$1_content_t)
-
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-r_dir_file(httpd_t, httpd_$1_script_rw_t)
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ifdef(`crond.te', `
+create_dir_file($1_crond_t, httpd_$1_content_t)
+')
')
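Review bot: The `$1_crond_t` grant moves from inside a conditional block (the `create_dir_file($1_crond_t, httpd_$1_content_t)` removed in the previous hunk sat below `if (httpd_enable_cgi ...)`) to after the closing `}`, so if that brace closes the httpd_enable_cgi block, the user's cron domain can now create and write web content regardless of the boolean. If that is intended, a one-line comment such as `# cron jobs may publish content even when CGI is disabled` would stop the next reader treating it as a misplaced line; otherwise keep the new `ifdef(`crond.te', ...)` guard but place it before the `}`. Which `if` that brace closes is not visible in this hunk.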
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.6/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/gift_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -90,6 +90,13 @@
uses_shlib($1_giftd_t)
access_terminal($1_giftd_t, $1)
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file read;
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };
+
# Access home domain
home_domain_access($1_giftd_t, $1, gift)
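Review bot: `allow $1_giftd_t proc_t:file read;` grants read on every proc_t file, while the comment names only /proc/meminfo; the comment should say which files are actually needed, or that proc_t has no finer type to key on here. The /etc/mtab rule directly below grants `{ getattr read }`, and opening a file for reading commonly wants getattr as well, so for consistency `allow $1_giftd_t proc_t:file { getattr read };`. The macro body continues outside this hunk.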
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.6/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.6/macros/program/java_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -31,7 +31,7 @@
can_network_client($1_javaplugin_t)
allow $1_javaplugin_t port_type:tcp_socket name_connect;
can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+allow $1_javaplugin_t self:process { execmem fork signal_perms getsched setsched };
allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t etc_runtime_t:file { getattr read };
@@ -42,6 +42,7 @@
allow $1_javaplugin_t self:file { getattr read };
read_sysctl($1_javaplugin_t)
+allow $1_javaplugin_t sysctl_vm_t:dir search;
tmp_domain($1_javaplugin)
r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
@@ -50,6 +51,11 @@
allow $1_javaplugin_t bin_t:dir search;
can_exec($1_javaplugin_t, java_exec_t)
+# libdeploy.so legacy
+if (allow_execmod) {
+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+}
+
# Allow connections to X server.
ifdef(`xserver.te', `
@@ -111,4 +117,6 @@
dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
+# Do not audit read/getattr of .fonts-cache-1
+dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
')
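Review bot: `dontaudit $1_javaplugin_t $1_home_t:file { read getattr };` silences denials for every file of type $1_home_t, not just .fonts-cache-1 as the comment states, so a plugin reading arbitrary home-directory files would no longer leave an audit record. If the cache file cannot be given its own type, the comment should at least be honest about the scope: `# Do not audit read/getattr of .fonts-cache-1 (hides reads of any $1_home_t file)`. The preceding line already dontaudits execute/setattr on the same type, so this extends an existing blanket rule rather than introducing a new pattern.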
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.6/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/mozilla_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -55,6 +55,7 @@
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, shell_exec_t)
can_exec($1_mozilla_t, bin_t)
allow $1_mozilla_t bin_t:lnk_file read;
allow $1_mozilla_t device_t:dir r_dir_perms;
@@ -155,6 +156,11 @@
allow $1_mozilla_t texrel_shlib_t:file execmod;
}
dbusd_client(system, $1_mozilla)
+ifdef(`apache.te', `
+ifelse($1, sysadm, `', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+')
')dnl end mozilla macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.6/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/macros/program/ssh_agent_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -49,6 +49,7 @@
allow $1_ssh_agent_t proc_t:dir search;
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
read_sysctl($1_ssh_agent_t)
# Access the ssh temporary files. Should we have an own type here
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.6/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/user_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -44,7 +44,9 @@
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
-ifdef(`apache.te', `apache_domain($1)')
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+')
ifdef(`slocate.te', `locate_domain($1)')
ifdef(`lockdev.te', `lockdev_domain($1)')
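Review bot: The sysadm user domain no longer gets any apache instantiation from this macro, and nothing in the patch shows `apache_domain(sysadm)` or a replacement alias being created elsewhere, so if httpd_sysadm_* types are still referenced outside the diff they become undefined after this change. The removed `typealias httpd_sys_content_t alias httpd_sysadm_content_t` in apache_macros.te suggests the sysadm name was only ever an alias of the sys type, in which case the exclusion is right, but the old apache_macros.te branches keyed on `sys` rather than `sysadm`, so the condition here is new rather than moved. A comment such as `# sysadm shares the httpd_sys_* types; do not instantiate a separate domain` would make the intent checkable. The mozilla_macros.te hunk applies the same sysadm exclusion and would want the same note.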
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.6/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/distro.tun 2005-04-04 10:44:54.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
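Review bot: This hunk and the tunable.tun hunk that follows flip the shipped defaults from commented-out to enabled for `distro_redhat`, `user_can_mount`, `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm`; by the accompanying comments the unlimited* defines make rpm, hotplug/insmod and every rc-started daemon run unconfined, and user_canbe_sysadm lets user_r reach sysadm_r, so merged as-is they weaken the upstream tree's default posture. They read like the submitter's local build configuration carried along by `diff -r` between `nsapolicy` and `policy-1.23.6` rather than a deliberate upstream change. I would drop both hunks from the patch, or, if a distribution default is really intended, express it under the `distro_redhat` ifdef instead of editing tunable.tun; either way the change deserves its own line in the patch description.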
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.6/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/tunable.tun 2005-04-04 10:44:54.000000000 -0400
@@ -1,27 +1,27 @@
# Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.6/types/network.te
--- nsapolicy/types/network.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/types/network.te 2005-04-04 10:44:54.000000000 -0400
@@ -27,7 +27,7 @@
type dhcpd_port_t, port_type, reserved_port_type;
type smbd_port_t, port_type, reserved_port_type;
type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
+type http_cache_port_t, port_type, reserved_port_type;
type http_port_t, port_type, reserved_port_type;
ifdef(`cyrus.te', `define(`use_pop')')
* Re: New Policy Patch
2005-04-04 18:50 ` New Policy Patch Daniel J Walsh
@ 2005-04-04 19:38 ` Ivan Gyurdiev
2005-04-04 19:40 ` Daniel J Walsh
2005-04-04 19:45 ` Ivan Gyurdiev
2005-04-05 20:20 ` James Carter
1 sibling, 2 replies; 9+ messages in thread
From: Ivan Gyurdiev @ 2005-04-04 19:38 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, SE Linux
> +can_getsecurity(hald_t)
check_context was sufficient for me.. does it
need the rest of the things in can_getsecurity?
+# For /usr/libexec/hald-add-selinux-mount-option
+allow hald_t security_t:dir search;
+allow hald_t security_t:file { read write };
+allow hald_t security_t:security check_context;
> +# For /usr/sbin/dmidecode
> +# Violates assertion
> +#allow hald_t memory_device_t:chr_file read;
> +allow hald_t self:capability sys_rawio;
Hold on - this should go into its own domain for dmidecode...
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
* Re: New Policy Patch
2005-04-04 19:38 ` Ivan Gyurdiev
@ 2005-04-04 19:40 ` Daniel J Walsh
2005-04-05 22:36 ` Ivan Gyurdiev
2005-04-04 19:45 ` Ivan Gyurdiev
1 sibling, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2005-04-04 19:40 UTC (permalink / raw)
To: ivg2; +Cc: jwcart2, SE Linux
Ivan Gyurdiev wrote:
>>+can_getsecurity(hald_t)
>>
>>
>
>check_context was sufficient for me.. does it
>need the rest of the things in can_getsecurity?
>
>+# For /usr/libexec/hald-add-selinux-mount-option
>+allow hald_t security_t:dir search;
>+allow hald_t security_t:file { read write };
>+allow hald_t security_t:security check_context;
>
>
>
>>+# For /usr/sbin/dmidecode
>>+# Violates assertion
>>+#allow hald_t memory_device_t:chr_file read;
>>+allow hald_t self:capability sys_rawio;
>>
>>
>
>Hold on - this should go into its own domain for dmidecode...
>
>
>
Since we do not have that policy yet, we need this for strict to work,
correct?
--
* Re: New Policy Patch
2005-04-04 19:38 ` Ivan Gyurdiev
2005-04-04 19:40 ` Daniel J Walsh
@ 2005-04-04 19:45 ` Ivan Gyurdiev
1 sibling, 0 replies; 9+ messages in thread
From: Ivan Gyurdiev @ 2005-04-04 19:45 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, SE Linux
Also, the java execmem addition does not respect the allow_execmem
boolean.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
* Re: New Policy Patch
2005-04-04 18:50 ` New Policy Patch Daniel J Walsh
2005-04-04 19:38 ` Ivan Gyurdiev
@ 2005-04-05 20:20 ` James Carter
1 sibling, 0 replies; 9+ messages in thread
From: James Carter @ 2005-04-05 20:20 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Merged.
I did change the java_macros.te execmem usage to use the allow_execmem
boolean.
On Mon, 2005-04-04 at 14:50 -0400, Daniel J Walsh wrote:
> Major regrouping of apache_policy
>
> Now use apache_domain and apache_user_domain
> Added boolean httpd_builtin_scripting. Which when turned off only allows
> running of external apache scripts, not built in modules like PHP.
> Users can now create their own scripts using apache_domain(myscript)
>
> More fixes of can_network and named_connect
>
> Added NetworkManager policy.
>
> A few fixes submitted from Ivan for hal, kudzu
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Re: New Policy Patch
2005-04-04 19:40 ` Daniel J Walsh
@ 2005-04-05 22:36 ` Ivan Gyurdiev
0 siblings, 0 replies; 9+ messages in thread
From: Ivan Gyurdiev @ 2005-04-05 22:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, SE Linux
> Since we do not have that policy yet, we need this for strict to work,
> correct?
Well, I did get a denial, and that fixes the denial, but I'm not
sure if it should be merged, given that the memory_device_t read
isn't allowed yet...
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University