* new policy patch
@ 2003-08-01  0:01 Russell Coker
  0 siblings, 0 replies; 9+ messages in thread
From: Russell Coker @ 2003-08-01  0:01 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1321 bytes --]

This patch has some policy changes related to the change from 
sysadm_home_dir_t to staff_home_dir_t for the /root directory (incidentally, 
do we even need sysadm_home_dir_t any more?).

I've made significant changes to net_contexts and related files and made 
can_network() not permit binding to port_t.  I've got all the common daemons 
working well with this, but there may be some I've missed.

I've fixed the ftpd.te problem as previously discussed.

The new version of rpc.statd has slightly different functionality, I changed 
the policy to allow it to do what it needs to do.

I've made some changes to the rpm policy.  The old version would not work very 
well, my new version should be an improvement.  It would be good if someone 
could test this.

I've made a change to the watchdog policy that will allow it to work properly.

I've changed the file_contexts entries for postfix so that the chroot directories created by the Debian package (etc/ and usr/ under /var/spool/postfix) are labelled; the startup scripts search them and were generating audit messages.

There are also many other minor changes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 31100 bytes --]

diff -ru /tmp/policy/domains/misc/kernel.te policy/domains/misc/kernel.te
--- /tmp/policy/domains/misc/kernel.te	2003-07-31 13:20:08.000000000 +1000
+++ policy/domains/misc/kernel.te	2003-07-11 20:55:13.000000000 +1000
@@ -17,6 +17,7 @@
 general_proc_read_access(kernel_t)
 base_file_read_access(kernel_t)
 uses_shlib(kernel_t)
+can_exec(kernel_t, shell_exec_t)
 
 # Use capabilities.
 allow kernel_t self:capability *;
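Review bot: `can_exec(kernel_t, shell_exec_t)` on the added line grants the kernel domain shell execution in every configuration, whereas the rule it replaces in hotplug.te (removed later in this patch) was only compiled in when hotplug.te was present, and can_exec() presumably grants more than the single `execute` permission that was removed. If the hotplug helper is the only consumer, keep the old scoping, `ifdef(`hotplug.te', `can_exec(kernel_t, shell_exec_t)')`, and say who needs it, e.g. `# hotplug: the kernel runs /sbin/hotplug through a shell`. If another path needs this unconditionally, that reason should be recorded here since no comment accompanies the rule.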
diff -ru /tmp/policy/domains/program/checkpolicy.te policy/domains/program/checkpolicy.te
--- /tmp/policy/domains/program/checkpolicy.te	2003-03-14 02:14:31.000000000 +1100
+++ policy/domains/program/checkpolicy.te	2003-07-16 11:11:33.000000000 +1000
@@ -44,12 +44,14 @@
 `allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
 # Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
 uses_shlib(checkpolicy_t)
 allow checkpolicy_t self:capability dac_override;
 
 allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
 
+allow checkpolicy_t fs_t:filesystem getattr;
+
 ##########################
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file
diff -ru /tmp/policy/domains/program/initrc.te policy/domains/program/initrc.te
--- /tmp/policy/domains/program/initrc.te	2003-07-31 13:20:15.000000000 +1000
+++ policy/domains/program/initrc.te	2003-07-12 20:38:43.000000000 +1000
@@ -20,6 +20,9 @@
 uses_shlib(initrc_t);
 type initrc_exec_t, file_type, sysadmfile, exec_type;
 
+# for halt to down interfaces
+allow initrc_t self:udp_socket create_socket_perms;
+
 # read files in /etc/init.d
 allow initrc_t etc_t:lnk_file r_file_perms;
 
diff -ru /tmp/policy/domains/program/logrotate.te policy/domains/program/logrotate.te
--- /tmp/policy/domains/program/logrotate.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/logrotate.te	2003-08-01 08:48:02.000000000 +1000
@@ -28,7 +28,7 @@
 allow logrotate_t etc_runtime_t:{ file lnk_file } r_file_perms;
 
 # it should not require this
-allow logrotate_t sysadm_home_dir_t:dir { read getattr search };
+allow logrotate_t staff_home_dir_t:dir { read getattr search };
 
 # create lock files
 rw_dir_create_file(logrotate_t, var_lock_t)
diff -ru /tmp/policy/domains/program/modutil.te policy/domains/program/modutil.te
--- /tmp/policy/domains/program/modutil.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/modutil.te	2003-08-01 09:03:28.000000000 +1000
@@ -55,8 +55,8 @@
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 
 # Read System.map from home directories.
-allow depmod_t { home_root_t user_home_dir_type sysadm_home_dir_t }:dir r_dir_perms;
-r_dir_file(depmod_t, { user_home_type sysadm_home_t })
+allow depmod_t { home_root_t staff_home_dir_t }:dir r_dir_perms;
+r_dir_file(depmod_t, staff_home_t)
 
 #################################
 #
@@ -154,7 +154,7 @@
 allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
 allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
+dontaudit update_modules_t staff_home_dir_t:dir search;
 
 uses_shlib(update_modules_t)
 allow update_modules_t self:process { fork sigchld };
diff -ru /tmp/policy/domains/program/mount.te policy/domains/program/mount.te
--- /tmp/policy/domains/program/mount.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/mount.te	2003-07-12 19:59:50.000000000 +1000
@@ -34,11 +34,12 @@
 allow mount_t proc_t:dir mounton;
 allow mount_t root_t:dir mounton;
 allow mount_t home_root_t:dir mounton;
+allow mount_t tmp_t:dir mounton;
 # On some RedHat systems, /boot is a mount point
 allow mount_t boot_t:dir mounton;
 allow mount_t device_t:dir mounton;
 ifdef(`devfsd.te', `
-allow mount_t device_t:filesystem unmount;
+allow mount_t device_t:filesystem { mount unmount };
 ')
 allow mount_t root_t:filesystem unmount;
 
diff -ru /tmp/policy/domains/program/ssh.te policy/domains/program/ssh.te
--- /tmp/policy/domains/program/ssh.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/ssh.te	2003-07-31 05:31:18.000000000 +1000
@@ -38,11 +38,6 @@
 allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
 allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
 
-# Read the linker, shared library, and executable types.
-allow $1 ld_so_t:{ file lnk_file } r_file_perms;
-allow $1 shlib_t:{ file lnk_file } r_file_perms;
-allow $1 exec_type:{ file lnk_file } r_file_perms;
-
 # Read and write /dev/tty and /dev/null.
 allow $1 devtty_t:chr_file rw_file_perms;
 allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms;
@@ -91,6 +86,10 @@
 # sshd_key_t is the type of the ssh private key files
 #
 sshd_program_domain(sshd_t)
+
+# for X forwarding
+allow sshd_t port_t:tcp_socket name_bind;
+
 type sshd_exec_t, file_type, exec_type, sysadmfile;
 
 ifdef(`inetd.te', `
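Review bot: `allow sshd_t port_t:tcp_socket name_bind;` lets sshd bind to any port labelled port_t, which after this patch is every port without a dedicated type, not just the X11 forwarding range; it undoes for sshd exactly what the can_network() change achieves for other daemons. X forwarding uses a small, predictable range (6010 upwards by default, shifted by X11DisplayOffset), so a dedicated port type with a portcon range in net_contexts and `allow sshd_t <that_type>:tcp_socket name_bind;` would keep the restriction. If the broad rule is kept deliberately, the comment should say why the range cannot be pinned down.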
diff -ru /tmp/policy/domains/program/unused/bootloader.te policy/domains/program/unused/bootloader.te
--- /tmp/policy/domains/program/unused/bootloader.te	2003-07-31 13:20:21.000000000 +1000
+++ policy/domains/program/unused/bootloader.te	2003-07-12 22:22:41.000000000 +1000
@@ -83,9 +83,10 @@
 
 allow bootloader_t fs_t:filesystem getattr;
 
-allow bootloader_t proc_t:dir r_dir_perms;
+allow bootloader_t proc_t:dir { getattr search };
 allow bootloader_t proc_t:file r_file_perms;
 allow bootloader_t proc_t:lnk_file read;
+allow bootloader_t self:dir { getattr search read };
 allow bootloader_t sysctl_kernel_t:dir search;
 allow bootloader_t sysctl_kernel_t:file { getattr read };
 allow bootloader_t etc_runtime_t:file r_file_perms;
diff -ru /tmp/policy/domains/program/unused/cups.te policy/domains/program/unused/cups.te
--- /tmp/policy/domains/program/unused/cups.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/cups.te	2003-07-15 00:15:04.000000000 +1000
@@ -36,7 +36,7 @@
 allow cupsd_t proc_t:file r_file_perms;
 allow cupsd_t proc_t:dir r_dir_perms;
 allow cupsd_t { sysctl_t sysctl_kernel_t sysctl_dev_t }:dir search;
-allow cupsd_t sysctl_kernel_t:file { getattr read };
+allow cupsd_t { sysctl_kernel_t sysctl_dev_t }:file { getattr read };
 
 # allow cups to execute its backend scripts
 can_exec(cupsd_t, cupsd_exec_t)
@@ -57,7 +57,7 @@
 r_dir_file(cupsd_t, readable_t)
 
 # Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:tcp_socket name_bind;
+allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
 
 can_tcp_connect(web_client_domain, cupsd_t)
 can_tcp_connect(cupsd_t, cupsd_t)
diff -ru /tmp/policy/domains/program/unused/devfsd.te policy/domains/program/unused/devfsd.te
--- /tmp/policy/domains/program/unused/devfsd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/devfsd.te	2003-07-11 00:03:18.000000000 +1000
@@ -9,7 +9,7 @@
 #
 type etc_devfsd_t, file_type, sysadmfile;
 
-allow kernel_t device_t:dir mounton;
+allow kernel_t { device_t root_t }:dir mounton;
 
 daemon_domain(devfsd)
 
diff -ru /tmp/policy/domains/program/unused/dhcpc.te policy/domains/program/unused/dhcpc.te
--- /tmp/policy/domains/program/unused/dhcpc.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dhcpc.te	2003-07-26 01:34:09.000000000 +1000
@@ -14,6 +14,8 @@
 # dhcpc_exec_t is the type of the dhcpcd executable.
 # The dhcpc_t can be used for other DHCPC related files as well.
 #
+type dhcpc_port_t, port_type;
+
 daemon_domain(dhcpc)
 can_network(dhcpc_t)
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
@@ -22,8 +24,14 @@
 
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
+allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
 ')
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
+allow hotplug_t dhcpc_t:process signal_perms;
+allow hotplug_t dhcpc_var_run_t:file { getattr read };
+')
 
 # for the dhcp client to run ping to check IP addresses
 ifdef(`ping.te', `
@@ -32,7 +40,13 @@
 dontaudit ping_t dhcpc_state_t:file read;
 dontaudit ping_t dhcpc_t:packet_socket { read write };
 dontaudit ping_t dhcpc_t:udp_socket { read write };
-')
+ifdef(`hotplug.te', `
+allow ping_t hotplug_t:fd use;
+') dnl end if hotplug
+ifdef(`cardmgr.te', `
+allow ping_t cardmgr_t:fd use;
+') dnl end if cardmgr
+') dnl end if ping
 
 ifdef(`dhcpd.te', `', `
 type dhcp_state_t, file_type, sysadmfile;
@@ -49,6 +63,9 @@
 # Use capabilities
 allow dhcpc_t self:capability { net_admin net_raw net_bind_service };
 
+# for udp port 68
+allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
+
 # Allow read/write to /etc/resolv.conf. Note that any files in /etc 
 # created by dhcpcd will be labelled resolv_conf_t. As of RH 7.2, no
 # other files are accessed in the /etc dir, only in /etc/dhcpc dir.
diff -ru /tmp/policy/domains/program/unused/dhcpd.te policy/domains/program/unused/dhcpd.te
--- /tmp/policy/domains/program/unused/dhcpd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dhcpd.te	2003-07-31 05:23:46.000000000 +1000
@@ -16,6 +16,10 @@
 #
 daemon_domain(dhcpd)
 
+# for UDP port 67
+type dhcpd_port_t, port_type;
+allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
+
 type etc_dhcp_t alias { etc_dhcpc_t etc_dhcpd_t }, file_type, sysadmfile;
 
 # Use the network.
diff -ru /tmp/policy/domains/program/unused/dpkg.te policy/domains/program/unused/dpkg.te
--- /tmp/policy/domains/program/unused/dpkg.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dpkg.te	2003-08-01 08:46:54.000000000 +1000
@@ -130,8 +130,8 @@
 dontaudit apt_t var_run_t:dir search;
 
 # for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
+r_dir_file(apt_t, staff_home_t)
+allow apt_t staff_home_dir_t:dir { search getattr };
 
 allow apt_t bin_t:lnk_file r_file_perms;
 
@@ -293,7 +293,7 @@
 type debian_menu_t, file_type, sysadmfile;
 
 r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
+dontaudit install_menu_t staff_home_dir_t:dir search;
 allow install_menu_t debian_menu_t:dir create_dir_perms;
 allow install_menu_t debian_menu_t:{ file lnk_file } create_file_perms;
 allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
@@ -304,6 +304,9 @@
 allow install_menu_t { bin_t sbin_t }:dir search;
 allow install_menu_t bin_t:lnk_file read;
 
+# for menus
+allow install_menu_t usr_t:file r_file_perms;
+
 # for /etc/kde3/debian/kde-update-menu.sh
 can_exec(install_menu_t, etc_t)
 
diff -ru /tmp/policy/domains/program/unused/ftpd.te policy/domains/program/unused/ftpd.te
--- /tmp/policy/domains/program/unused/ftpd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/ftpd.te	2003-08-01 09:11:46.000000000 +1000
@@ -11,8 +11,6 @@
 type ftp_port_t, port_type;
 daemon_domain(ftpd, `, auth')
 type etc_ftpd_t, file_type, sysadmfile;
-ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)')
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
 
 can_network(ftpd_t)
 allow ftpd_t self:unix_dgram_socket create_socket_perms;
@@ -25,10 +23,19 @@
 ')
 
 ifdef(`ftpd_daemon', `
+ifdef(`inetd.te', `', `
+define(`ftpd_is_daemon', `')
+') dnl end inetd.te
+') dnl end ftpd_daemon
+
+ifdef(`ftpd_is_daemon', `
 rw_dir_create_file(ftpd_t, var_lock_t)
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 ', `
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+
 # Use sockets inherited from inetd.
 allow ftpd_t inetd_t:fd use;
 allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
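Review bot: The else branch of the new `ifdef(`ftpd_is_daemon'` block contains `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)` with no `ifdef(`inetd.te'` guard, unlike the line it replaces at the top of the file; when neither ftpd_daemon nor inetd.te is defined, ftpd_is_daemon stays undefined, this branch is compiled and inetd_t is an undeclared type. The existing `allow ftpd_t inetd_t:fd use;` lines in the same branch have the same dependency, so that configuration was probably already unsupported, but the nested m4 now hides it. Either restore the guard, `ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)')`, or add a comment stating that ftpd.te without ftpd_daemon requires inetd.te. A comment explaining why ftpd_daemon is now ignored whenever inetd.te is present would also help, since that is the behavioural change.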
diff -ru /tmp/policy/domains/program/unused/hotplug.te policy/domains/program/unused/hotplug.te
--- /tmp/policy/domains/program/unused/hotplug.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/hotplug.te	2003-07-11 00:03:07.000000000 +1000
@@ -11,9 +11,6 @@
 #
 daemon_domain(hotplug)
 
-# allow kernel thread to run a shell to interpret the script
-allow kernel_t shell_exec_t:file execute;
-
 type etc_hotplug_t, file_type, sysadmfile;
 
 allow hotplug_t self:fifo_file { read write getattr ioctl };
diff -ru /tmp/policy/domains/program/unused/hwclock.te policy/domains/program/unused/hwclock.te
--- /tmp/policy/domains/program/unused/hwclock.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/hwclock.te	2003-08-01 08:47:17.000000000 +1000
@@ -22,6 +22,8 @@
 domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
 ')
 
+allow hwclock_t fs_t:filesystem getattr;
+
 read_locale(hwclock_t)
 
 # Give hwclock the capabilities it requires.  dac_override is a surprise,
diff -ru /tmp/policy/domains/program/unused/inetd.te policy/domains/program/unused/inetd.te
--- /tmp/policy/domains/program/unused/inetd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/inetd.te	2003-07-12 11:57:50.000000000 +1000
@@ -14,6 +14,8 @@
 #
 # Rules for the inetd_t domain.
 #
+type inetd_port_t, port_type;
+
 daemon_domain(inetd)
 
 can_network(inetd_t)
@@ -45,6 +47,9 @@
 ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;')
 ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
 
+# allow to bind to chargen, echo, etc
+allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind;
+
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 
diff -ru /tmp/policy/domains/program/unused/ipsec.te policy/domains/program/unused/ipsec.te
--- /tmp/policy/domains/program/unused/ipsec.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/ipsec.te	2003-08-01 08:56:50.000000000 +1000
@@ -200,7 +200,7 @@
 allow ipsec_t self:fifo_file { read getattr };
 
 # ideally it would not need this.  It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+file_type_auto_trans(ipsec_mgmt_t, staff_home_dir_t, staff_home_t, file)
 
 allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
 allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
diff -ru /tmp/policy/domains/program/unused/named.te policy/domains/program/unused/named.te
--- /tmp/policy/domains/program/unused/named.te	2003-07-31 13:20:23.000000000 +1000
+++ policy/domains/program/unused/named.te	2003-08-01 08:48:48.000000000 +1000
@@ -128,5 +128,5 @@
 allow ndc_t named_var_run_t:file getattr;
 allow ndc_t named_zone_t:dir { read getattr };
 allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
+dontaudit ndc_t staff_home_t:dir { getattr search read };
 ')
diff -ru /tmp/policy/domains/program/unused/pamconsole.te policy/domains/program/unused/pamconsole.te
--- /tmp/policy/domains/program/unused/pamconsole.te	2003-03-05 01:57:16.000000000 +1100
+++ policy/domains/program/unused/pamconsole.te	2003-04-22 20:01:53.000000000 +1000
@@ -4,7 +4,7 @@
 type pam_console_exec_t, file_type, sysadmfile, exec_type;
 type pam_console_t, domain;
 role system_r types pam_console_t;
-every_domain(pam_console_t)
+uses_shlib(pam_console_t)
 domain_auto_trans(initrc_t, pam_console_exec_t, pam_console_t)
 
 # Allow access to /dev/console through the fd:
diff -ru /tmp/policy/domains/program/unused/portmap.te policy/domains/program/unused/portmap.te
--- /tmp/policy/domains/program/unused/portmap.te	2003-07-31 13:20:25.000000000 +1000
+++ policy/domains/program/unused/portmap.te	2003-07-12 20:00:14.000000000 +1000
@@ -21,6 +21,9 @@
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
 
+# portmap binds to arbitary ports
+allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+
 allow portmap_t etc_t:file { getattr read };
 
 # Send to ypbind, initrc, rpc.statd, xinetd.
@@ -39,6 +42,8 @@
 ')
 can_udp_send(portmap_t, kernel_t)
 can_udp_send(kernel_t, portmap_t)
+can_udp_send(sysadm_t, portmap_t)
+can_udp_send(portmap_t, sysadm_t)
 
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
diff -ru /tmp/policy/domains/program/unused/radius.te policy/domains/program/unused/radius.te
--- /tmp/policy/domains/program/unused/radius.te	2003-07-31 13:20:27.000000000 +1000
+++ policy/domains/program/unused/radius.te	2003-07-12 12:04:24.000000000 +1000
@@ -51,6 +51,10 @@
 
 can_network(radiusd_t)
 allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
+
+# for RADIUS proxy port
+allow radiusd_t port_t:udp_socket name_bind;
+
 ifdef(`snmpd.te', `
 can_tcp_connect(radiusd_t, snmpd_t)
 ')
diff -ru /tmp/policy/domains/program/unused/rpcd.te policy/domains/program/unused/rpcd.te
--- /tmp/policy/domains/program/unused/rpcd.te	2003-07-31 13:20:27.000000000 +1000
+++ policy/domains/program/unused/rpcd.te	2003-07-31 10:59:05.000000000 +1000
@@ -11,7 +11,7 @@
 # rpcd_t is the domain of rpc daemons.
 # rpcd_exec_t is the type of rpc daemon programs.
 #
-daemon_base_domain(rpcd)
+daemon_domain(rpcd)
 can_network(rpcd_t)
 allow rpcd_t resolv_conf_t:file { getattr read };
 can_udp_send({ init_t initrc_t }, rpcd_t)
@@ -23,6 +23,7 @@
 
 allow rpcd_t self:unix_dgram_socket create_socket_perms;
 allow rpcd_t self:unix_stream_socket create_socket_perms;
+allow rpcd_t self:fifo_file rw_file_perms;
 
 can_udp_send(rpcd_t, rpcd_t)
 can_udp_send(mount_t, rpcd_t)
@@ -41,6 +42,9 @@
 # Use capabilities.
 allow rpcd_t self:capability { net_bind_service dac_override setgid setuid };
 
+# bind to arbitary unused ports
+allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind;
+
 # Access /var/lib/nfs.
 allow rpcd_t { var_t var_lib_t }:dir search;
 allow rpcd_t var_lib_nfs_t:dir rw_dir_perms;
diff -ru /tmp/policy/domains/program/unused/rpm.te policy/domains/program/unused/rpm.te
--- /tmp/policy/domains/program/unused/rpm.te	2003-03-05 01:57:20.000000000 +1100
+++ policy/domains/program/unused/rpm.te	2003-04-22 20:00:42.000000000 +1000
@@ -11,21 +11,21 @@
 #
 type rpm_t, domain, privlog;
 role system_r types rpm_t;
-role sysadm_r types rpm_t;
-every_domain(rpm_t)
+uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(system_crond_t, rpm_exec_t, rpm_t)
+
+system_crond_entry(rpm_exec_t, rpm_t)
+#role sysadm_r types rpm_t;
 #domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
 
 type rpm_file_t, file_type, sysadmfile;
 type var_lib_rpm_t, file_type, sysadmfile;
 
-type rpm_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(rpm_t, tmp_t, rpm_tmp_t)
+tmp_domain(rpm)
 
-type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t)
-allow rpm_tmpfs_t tmpfs_t:filesystem associate;
+#type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile;
+#file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t)
+#allow rpm_tmpfs_t tmpfs_t:filesystem associate;
 
 type var_log_rpm_t, file_type, sysadmfile, logfile;
 file_type_auto_trans(rpm_t, var_log_t, var_log_rpm_t)
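Review bot: The tmpfs rules at the end of the hunk are commented out rather than removed or explained, and `role sysadm_r types rpm_t;` is disabled the same way, so rpm_t is now entered only through system_crond_entry and an administrator running rpm interactively stays in sysadm_t. If that is the intended model, record it above system_crond_entry, e.g. `# rpm_t is only entered from cron; interactive rpm runs in the caller's domain`, and either delete the dead tmpfs lines or state why they are kept. Commented-out allow rules tend to be re-enabled later without review, so a short reason beats dead text.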
@@ -34,7 +34,7 @@
 can_exec_any(rpm_t)
 
 # Capabilties needed by rpm utils
-allow rpm_t rpm_t:capability { dac_override dac_read_search chown setuid setgid };
+allow rpm_t self:capability { dac_override dac_read_search chown setuid setgid };
 
 # Access /usr/lib files
 allow rpm_t lib_t:dir r_dir_perms;
@@ -44,15 +44,10 @@
 allow rpm_t var_lib_rpm_t:dir rw_dir_perms;
 allow rpm_t var_lib_rpm_t:file create_file_perms;
 
-# When the RPM updates are run from cron, inherit cron descriptors and 
-# read from the FIFO created by cron
-allow rpm_t crond_t:fd use;
-allow rpm_t crond_t:fifo_file r_file_perms;
-
 # Access terminals.
-allow rpm_t sysadm_tty_device_t:chr_file rw_file_perms;
-allow rpm_t sysadm_devpts_t:chr_file rw_file_perms;
+allow rpm_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
+allow rpm_t privfd:fd use;
 
 # Write to /usr/src.
 #allow rpm_t src_t:dir create_dir_perms;
@@ -60,9 +55,3 @@
 
 # Execute from /usr/src.
 #can_exec(rpm_t, src_t)
-
-# Execute helper programs.
-#can_exec_any(rpm_t)
-
-# Execute temporary files.
-#can_exec(rpm_t, rpm_tmp_t)
diff -ru /tmp/policy/domains/program/unused/squid.te policy/domains/program/unused/squid.te
--- /tmp/policy/domains/program/unused/squid.te	2003-07-31 13:20:28.000000000 +1000
+++ policy/domains/program/unused/squid.te	2003-07-11 20:56:29.000000000 +1000
@@ -60,8 +60,9 @@
 can_network(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 
-# port 8080 is http_cache_port_t (see net_contexts)
+# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
+allow squid_t http_cache_port_t:udp_socket name_bind;
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
diff -ru /tmp/policy/domains/program/unused/sysstat.te policy/domains/program/unused/sysstat.te
--- /tmp/policy/domains/program/unused/sysstat.te	2003-07-31 13:20:28.000000000 +1000
+++ policy/domains/program/unused/sysstat.te	2003-08-01 08:49:27.000000000 +1000
@@ -29,7 +29,7 @@
 # for fstab
 allow sysstat_t etc_t:file { read getattr };
 
-dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
+dontaudit sysstat_t staff_home_dir_t:dir r_dir_perms;
 
 allow sysstat_t self:fifo_file rw_file_perms;
 
diff -ru /tmp/policy/domains/program/unused/utempter.te policy/domains/program/unused/utempter.te
--- /tmp/policy/domains/program/unused/utempter.te	2003-03-05 01:57:27.000000000 +1100
+++ policy/domains/program/unused/utempter.te	2003-04-12 10:32:13.000000000 +1000
@@ -14,7 +14,7 @@
 type utempter_t, domain;
 in_user_role(utempter_t)
 role sysadm_r types utempter_t;
-every_domain(utempter_t)
+uses_shlib(utempter_t)
 type utempter_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
 
diff -ru /tmp/policy/domains/program/unused/vmware.te policy/domains/program/unused/vmware.te
--- /tmp/policy/domains/program/unused/vmware.te	2003-07-31 13:20:29.000000000 +1000
+++ policy/domains/program/unused/vmware.te	2003-07-10 11:31:49.000000000 +1000
@@ -118,7 +118,7 @@
 # Access /proc
 r_dir_file(vmware_user_t, proc_t)
 
-# Access to some files in the home directory of the user
+# Access to some files in the user home directory
 r_dir_file(vmware_user_t, user_home_t)
 
 # Access to runtime files for user
diff -ru /tmp/policy/domains/program/unused/watchdog.te policy/domains/program/unused/watchdog.te
--- /tmp/policy/domains/program/unused/watchdog.te	2003-07-31 13:20:29.000000000 +1000
+++ policy/domains/program/unused/watchdog.te	2003-07-11 17:16:26.000000000 +1000
@@ -20,5 +20,13 @@
 allow watchdog_t proc_t:file r_file_perms;
 
 allow watchdog_t self:capability { ipc_lock sys_nice };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+can_network(watchdog_t)
+allow watchdog_t resolv_conf_t:file { getattr read };
+allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t bin_t:dir search;
+allow watchdog_t init_t:process signal;
+allow watchdog_t kernel_t:process sigstop;
 
 allow watchdog_t watchdog_device_t:chr_file { getattr write };
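Review bot: None of the eight rules added here say which watchdog check they serve, and two are broad enough to need it: `allow watchdog_t init_t:process signal;` and `allow watchdog_t kernel_t:process sigstop;` let the daemon signal init and stop kernel threads. A why-comment per group would make the policy auditable, e.g. `# ping/network test` above can_network() and the resolv_conf/udp_socket rules, `# presumably to run the repair binary — confirm` on the bin_t search, and `# reboot path: signals init and sweeps processes — confirm against watchdog source` on the two process rules. If the kernel_t sigstop only arises from a blanket kill(-1, SIGSTOP) rather than a real need, a dontaudit would be the safer choice.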
diff -ru /tmp/policy/file_contexts/program/modutil.fc policy/file_contexts/program/modutil.fc
--- /tmp/policy/file_contexts/program/modutil.fc	2003-07-31 13:20:54.000000000 +1000
+++ policy/file_contexts/program/modutil.fc	2003-05-31 12:28:59.000000000 +1000
@@ -1,5 +1,6 @@
 # module utilities
 /etc/modules\.conf(.old)?	system_u:object_r:modules_conf_t
+/lib/modules/modprobe.conf	system_u:object_r:modules_conf_t
 /lib/modules(/.*)?		system_u:object_r:modules_object_t
 /lib/modules/[^/]+/modules\..+ system_u:object_r:modules_dep_t
 /lib/modules/modprobe\.conf.*	system_u:object_r:modules_conf_t
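Review bot: The added `/lib/modules/modprobe.conf` entry is redundant with the existing `/lib/modules/modprobe\.conf.*` spec two lines below, which already labels that path modules_conf_t, and its unescaped `.` also matches any single character in that position. Drop the new line, or if an exact-file entry is wanted write it as `/lib/modules/modprobe\.conf	system_u:object_r:modules_conf_t`. Which of two overlapping specs wins depends on setfiles' matching order, which is another reason not to have both.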
diff -ru /tmp/policy/file_contexts/program/nsd.fc policy/file_contexts/program/nsd.fc
--- /tmp/policy/file_contexts/program/nsd.fc	2003-07-31 13:20:56.000000000 +1000
+++ policy/file_contexts/program/nsd.fc	2003-07-26 01:34:33.000000000 +1000
@@ -3,7 +3,9 @@
 /etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
 /etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
 /etc/nsd/nsd.db			system_u:object_r:nsd_zone_t
+/var/lib/nsd.db			system_u:object_r:nsd_zone_t
 /usr/sbin/nsd      		system_u:object_r:nsd_exec_t
 /usr/sbin/nsdc      		system_u:object_r:nsd_exec_t
 /usr/sbin/nsd-notify		system_u:object_r:nsd_exec_t
+/usr/sbin/zonec			system_u:object_r:nsd_exec_t
 /var/run/nsd\.pid		system_u:object_r:nsd_var_run_t
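Review bot: `/var/lib/nsd.db` on the added line has an unescaped dot; file_contexts paths are regular expressions (compare `/var/run/nsd\.pid` on the last line), so write `/var/lib/nsd\.db`. The existing `/etc/nsd/nsd.db` context line has the same issue and could be fixed in the same pass.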
diff -ru /tmp/policy/file_contexts/program/postfix.fc policy/file_contexts/program/postfix.fc
--- /tmp/policy/file_contexts/program/postfix.fc	2003-07-31 13:20:57.000000000 +1000
+++ policy/file_contexts/program/postfix.fc	2003-08-01 08:50:14.000000000 +1000
@@ -37,9 +37,10 @@
 /var/spool/postfix/defer(red)?(/.*)? system_u:object_r:postfix_spool_t
 /var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
 /var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t
+/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t
 /var/spool/postfix/lib(/.*)?	system_u:object_r:lib_t
+/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t
 /var/spool/postfix/lib/ld.*\.so.* system_u:object_r:ld_so_t
 /var/spool/postfix/lib/lib.*\.so.* system_u:object_r:shlib_t
 /var/spool/postfix/lib/[^/]*/lib.*\.so.* system_u:object_r:shlib_t
 /var/spool/postfix/lib/devfsd/.*\.so.* system_u:object_r:shlib_t
-/var/spool/postfix/etc/services	system_u:object_r:etc_t
diff -ru /tmp/policy/file_contexts/program/rpcd.fc policy/file_contexts/program/rpcd.fc
--- /tmp/policy/file_contexts/program/rpcd.fc	2002-07-04 06:26:22.000000000 +1000
+++ policy/file_contexts/program/rpcd.fc	2003-07-31 10:59:27.000000000 +1000
@@ -2,3 +2,4 @@
 /sbin/rpc\..*			system_u:object_r:rpcd_exec_t
 /usr/sbin/rpc\..*		system_u:object_r:rpcd_exec_t
 /usr/sbin/exportfs		system_u:object_r:rpcd_exec_t
+/var/run/rpc.statd.pid		system_u:object_r:rpcd_var_run_t
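Review bot: `/var/run/rpc.statd.pid` on the added line has two unescaped dots; the neighbouring specs (`/sbin/rpc\..*`) escape them, so for consistency and precision write `/var/run/rpc\.statd\.pid`. The pattern still matches the intended file as written, so this is about pattern hygiene rather than a labelling failure.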
diff -ru /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2003-07-31 13:21:04.000000000 +1000
+++ policy/macros/global_macros.te	2003-07-12 12:00:00.000000000 +1000
@@ -478,8 +481,8 @@
 # Bind to the default port type.
 # Other port types must be separately authorized.
 #
-allow $1 port_t:udp_socket name_bind;
-allow $1 port_t:tcp_socket name_bind;
+#allow $1 port_t:udp_socket name_bind;
+#allow $1 port_t:tcp_socket name_bind;
 ')
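Review bot: The comment above the two commented-out rules, `# Bind to the default port type.` / `# Other port types must be separately authorized.`, now states the opposite of what can_network() does, and the `allow $1 port_t:... name_bind;` lines are left as dead text. Replace the comment with the new contract, e.g. `# can_network() no longer grants name_bind on port_t; a domain that must bind to unreserved ports needs an explicit port_t rule (see portmap.te, rpcd.te).`, and delete the commented rules. The macro definition begins outside this hunk.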
 
 #################################
diff -ru /tmp/policy/macros/program/mount_macros.te policy/macros/program/mount_macros.te
--- /tmp/policy/macros/program/mount_macros.te	2003-07-31 13:21:09.000000000 +1000
+++ policy/macros/program/mount_macros.te	2003-07-12 20:01:38.000000000 +1000
@@ -29,6 +29,7 @@
 domain_auto_trans($1_t, mount_exec_t, $2_t)
 
 allow $2_t proc_t:dir search;
+allow $2_t proc_t:file { getattr read };
 
 tmp_domain($2)
 
diff -ru /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2003-07-31 13:21:04.000000000 +1000
+++ policy/macros/user_macros.te	2003-07-12 20:02:20.000000000 +1000
@@ -92,6 +103,9 @@
 allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
 ')dnl end of ssh section
 
+# for ifconfig which is run all the time
+dontaudit $1_t sysctl_t:dir search;
+
 allow $1_t boot_t:dir { getattr search };
 dontaudit $1_t boot_t:dir read;
 dontaudit $1_t boot_t:lnk_file getattr;
@@ -172,8 +186,16 @@
 # Access other miscellaneous devices.
 allow $1_t misc_device_t:file_class_set rw_file_perms;
 
+ifdef(`apache.te', `
+ifelse(`$1', `sysadm', `', `
+dnl apache_domain($1)
+')
+')dnl end apache
+
 # Use the network.
 can_network($1_t)
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
 allow $1_t resolv_conf_t:file { getattr read };
 # for perl
 dontaudit $1_t resolv_conf_t:file ioctl;
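Review bot: The `ifdef(`apache.te'` block added before can_network() is a no-op: its only statement, `apache_domain($1)`, is disabled with `dnl`, so the ifelse on `sysadm` chooses between two empty bodies. Either remove it or leave a one-line reason, e.g. `# apache_domain($1) for per-user apache is not enabled yet`. Separately, `allow $1_t port_t:udp_socket name_bind;` re-grants every user domain, sysadm included, the port_t UDP binding this patch removes from can_network(); since the stated reason is usability, naming the programs that need it would let the rule be revisited. The enclosing macro begins outside this hunk.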
diff -ru /tmp/policy/net_contexts policy/net_contexts
--- /tmp/policy/net_contexts	2003-07-31 13:20:03.000000000 +1000
+++ policy/net_contexts	2003-07-31 05:23:03.000000000 +1000
@@ -17,6 +17,18 @@
 # protocol number context
 # protocol low-high context
 #
+ifdef(`inetd.te', `
+portcon tcp 7 system_u:object_r:inetd_port_t
+portcon udp 7 system_u:object_r:inetd_port_t
+portcon tcp 9 system_u:object_r:inetd_port_t
+portcon udp 9 system_u:object_r:inetd_port_t
+portcon tcp 13 system_u:object_r:inetd_port_t
+portcon udp 13 system_u:object_r:inetd_port_t
+portcon tcp 37 system_u:object_r:inetd_port_t
+portcon udp 37 system_u:object_r:inetd_port_t
+portcon tcp 113 system_u:object_r:inetd_port_t
+portcon udp 517 system_u:object_r:inetd_port_t
+')
 ifdef(`courier.te', `define(`use_pop')')
 ifdef(`perdition.te', `define(`use_pop')')
 ifdef(`ftpd.te', `portcon tcp 21 system_u:object_r:ftp_port_t')
@@ -25,6 +37,8 @@
 ifdef(`mta.te', `portcon tcp 25 system_u:object_r:smtp_port_t')
 ifdef(`named.te', `portcon udp 53 system_u:object_r:named_port_t
 portcon tcp 53 system_u:object_r:named_port_t')
+ifdef(`dhcpd.te', `portcon udp 67  system_u:object_r:dhcpd_port_t')
+ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
 ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
 ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
 ifdef(`apache.te', `portcon tcp 80  system_u:object_r:http_port_t')
@@ -37,7 +51,7 @@
 portcon udp 111 system_u:object_r:portmap_port_t
 portcon tcp 111 system_u:object_r:portmap_port_t
 ')
-ifdef(`ntp.te', `portcon udp 123 system_u:object_r:ntp_port_t')
+ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
 ifdef(`samba.te', `
 portcon tcp 137 system_u:object_r:smbd_port_t
 portcon udp 137 system_u:object_r:nmbd_port_t
@@ -57,7 +71,10 @@
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
 ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
-ifdef(`cups.te', `portcon tcp 631 system_u:object_r:ipp_port_t')
+ifdef(`cups.te', `
+portcon tcp 631 system_u:object_r:ipp_port_t
+portcon udp 631 system_u:object_r:ipp_port_t
+')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
 portcon tcp 993 system_u:object_r:pop_port_t
@@ -75,9 +92,18 @@
 portcon udp 5323 system_u:object_r:imaze_port_t
 ')
 ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`sound-server.te', `
+portcon tcp 8000 system_u:object_r:soundd_port_t
+# 9433 is for YIFF
+portcon tcp 9433 system_u:object_r:soundd_port_t
+')
 ifdef(`apache.te', `define(`use_http_cache')')
 ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `portcon tcp 8080  system_u:object_r:http_cache_port_t')
+ifdef(`use_http_cache', `
+portcon tcp 8080  system_u:object_r:http_cache_port_t
+portcon udp 3130  system_u:object_r:http_cache_port_t
+')
 ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
 
 # Network interfaces (default = initial SID "netif" and "netmsg")
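Review bot: The new `spamd.te` entry for port 783 is placed after the 6667 entry, breaking the ascending port order the rest of net_contexts keeps; move it up next to the 631/953 entries so a reader scanning for a port finds it. The comment `# 9433 is for YIFF` explains one of the two soundd ports but says nothing about 8000 — a matching note on the 8000 line would help. Note also that `use_http_cache` is defined whenever apache.te is present, so udp/3130 gets http_cache_port_t on hosts with no cache daemon at all; harmless as labeling, but worth a comment that the ICP port is only meaningful for squid.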

* [Fwd: New policy patch]
@ 2005-01-12 18:46 Daniel J Walsh
  2005-01-21 20:36 ` James Carter
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2005-01-12 18:46 UTC (permalink / raw)
  To: SE Linux


    Add customizable types.

    Add samba_home_dir support.

    Fix postgresql to run on ypbind platform

    Begin adding support for NFSV4 with Kerberos keys

    Add execmod to users for ld_so_t

    add execmem for mozilla

    Add the unrestricted attribute to mark domains that are given unconfined_domain().

    Also began using typeattribute. 



[-- Attachment #2.1.2: policy-20050112.patch --]
[-- Type: text/x-patch, Size: 38466 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.21.1/attrib.te
--- nsapolicy/attrib.te	2004-12-21 10:59:56.000000000 -0500
+++ policy-1.21.1/attrib.te	2005-01-12 09:19:59.141059592 -0500
@@ -393,3 +393,8 @@
 # For labeling of domains whos transition can be disabled
 attribute transitionbool;
 
+# For labeling of file_context domains which users can change files to rather
+# then the default file context.  These file_context can survive a relabeling
+# of the file system.
+attribute customizable;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.21.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-01-12 08:14:47.039693689 -0500
+++ policy-1.21.1/domains/program/initrc.te	2005-01-12 09:18:27.139390056 -0500
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.21.1/domains/program/init.te
--- nsapolicy/domains/program/init.te	2005-01-12 08:14:47.017696186 -0500
+++ policy-1.21.1/domains/program/init.te	2005-01-12 09:18:27.140389944 -0500
@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted');
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
@@ -141,3 +141,7 @@
 
 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write }; 
+ifdef(`targeted_policy', `
+typeattribute init_t unrestricted;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-01-12 08:14:47.055691874 -0500
+++ policy-1.21.1/domains/program/ldconfig.te	2005-01-12 09:18:27.140389944 -0500
@@ -8,7 +8,7 @@
 #
 # Rules for the ldconfig_t domain.
 #
-type ldconfig_t, domain, privlog, etc_writer ifdef(`targeted_policy', `, unrestricted' );
+type ldconfig_t, domain, privlog, etc_writer;
 type ldconfig_exec_t, file_type, sysadmfile, exec_type;
 
 role sysadm_r types ldconfig_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.21.1/domains/program/login.te	2005-01-12 09:18:27.141389832 -0500
@@ -84,6 +84,10 @@
 r_dir_file($1_login_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+r_dir_file($1_login_t, cifs_t)
+}
+
 # FIXME: what is this for?
 ifdef(`xdm.te', `
 allow xdm_t $1_login_t:process signull;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.21.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-01-12 08:14:47.086688356 -0500
+++ policy-1.21.1/domains/program/modutil.te	2005-01-12 09:18:27.142389719 -0500
@@ -69,7 +69,7 @@
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.21.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-01-12 08:14:47.150681092 -0500
+++ policy-1.21.1/domains/program/ssh.te	2005-01-12 09:18:27.143389607 -0500
@@ -80,6 +80,11 @@
 allow $1_t nfs_t:file { getattr read };
 }
 
+if (use_samba_home_dirs) {
+allow $1_t cifs_t:dir { search getattr };
+allow $1_t cifs_t:file { getattr read };
+}
+
 # Set exec context.
 can_setexec($1_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unconfined.te policy-1.21.1/domains/program/unconfined.te
--- nsapolicy/domains/program/unconfined.te	2004-08-24 15:35:26.000000000 -0400
+++ policy-1.21.1/domains/program/unconfined.te	2005-01-12 09:18:27.144389495 -0500
@@ -6,7 +6,7 @@
 # chcon -t unconfined_exec_t /usr/local/bin/appsrv
 # Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
 
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write, unrestricted;
+type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
 type unconfined_exec_t, file_type, sysadmfile, exec_type;
 role sysadm_r types unconfined_t;
 domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.21.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.21.1/domains/program/unused/anaconda.te	2005-01-12 09:18:27.144389495 -0500
@@ -10,7 +10,7 @@
 #
 # anaconda_t is the domain of the installation program
 #
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted;
+type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 role system_r types anaconda_t;
 unconfined_domain(anaconda_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-01-12 08:14:47.372655899 -0500
+++ policy-1.21.1/domains/program/unused/apache.te	2005-01-12 09:18:27.145389382 -0500
@@ -19,6 +19,13 @@
 #  the user CGI scripts, then relabel rule for user_r should be removed.
 #
 ###############################################################################
+
+define(`httpd_home_dirs', `
+r_dir_file(httpd_t, $1)
+r_dir_file(httpd_suexec_t, $1)
+can_exec(httpd_suexec_t, $1)
+')
+
 type http_port_t, port_type, reserved_port_type;
 
 bool httpd_unified false;
@@ -262,9 +269,10 @@
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
-r_dir_file(httpd_t, nfs_t)
-r_dir_file(httpd_suexec_t, nfs_t)
-can_exec(httpd_suexec_t, nfs_t)
+httpd_home_dirs(nfs_t)
+}
+if (use_samba_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(cifs_t)
 }
 r_dir_file(httpd_t, fonts_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-01-12 08:14:47.490642507 -0500
+++ policy-1.21.1/domains/program/unused/cups.te	2005-01-12 09:18:27.146389270 -0500
@@ -248,3 +248,6 @@
 allow cupsd_t initrc_t:dbus send_msg;
 ')
 
+ifdef(`targeted_policy', `
+allow cupsd_t unconfined_t:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.21.1/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.21.1/domains/program/unused/firstboot.te	2005-01-12 09:18:27.147389158 -0500
@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/ftpd.te	2005-01-12 09:18:27.148389046 -0500
@@ -100,14 +100,15 @@
 # allow access to /home
 allow ftpd_t home_root_t:dir { getattr search };
 }
-
-if (ftp_home_dir && use_nfs_home_dirs) {
-allow ftpd_t nfs_t:dir r_dir_perms;
-allow ftpd_t nfs_t:file r_file_perms;
+if (use_nfs_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, nfs_t)
+}
+if (use_samba_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, cifs_t)
 }
 dontaudit ftpd_t selinux_config_t:dir search;
 #
 # Type for access to anon ftp
 #
-type ftpd_anon_t, file_type, sysadmfile;
+type ftpd_anon_t, file_type, sysadmfile, customizable;
 r_dir_file(ftpd_t,ftpd_anon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.21.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/hotplug.te	2005-01-12 09:18:27.149388933 -0500
@@ -11,7 +11,7 @@
 # hotplug_exec_t is the type of the hotplug executable.
 #
 ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
 ', `
 daemon_domain(hotplug, `, privmodule')
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.21.1/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2005-01-12 08:14:47.700618675 -0500
+++ policy-1.21.1/domains/program/unused/inetd.te	2005-01-12 09:18:27.150388821 -0500
@@ -18,7 +18,7 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
 allow inetd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.21.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.21.1/domains/program/unused/pamconsole.te	2005-01-12 09:18:27.150388821 -0500
@@ -41,3 +41,4 @@
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
 allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.21.1/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-01-12 08:14:47.980586899 -0500
+++ policy-1.21.1/domains/program/unused/postgresql.te	2005-01-12 09:18:27.151388709 -0500
@@ -53,6 +53,7 @@
 
 # Use the network.
 can_network_server(postgresql_t)
+can_ypbind(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(postgresql_t, self)
@@ -84,6 +85,7 @@
 
 # Allow access to the postgresql databases
 create_dir_file(postgresql_t, postgresql_db_t)
+file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
 allow postgresql_t var_lib_t:dir { getattr search };
 
 # because postgresql start scripts are broken and put the pid file in the DB
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.21.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/rpcd.te	2005-01-12 09:18:27.152388597 -0500
@@ -126,3 +126,15 @@
 allow rpcd_t rpc_pipefs_t:sock_file { read write };
 dontaudit rpcd_t selinux_config_t:dir { search };
 allow rpcd_t proc_net_t:dir search;
+
+
+rpc_domain(gssd)
+can_kerberos(gssd_t)
+allow gssd_t krb5_keytab_t:file r_file_perms;
+allow gssd_t urandom_device_t:chr_file { getattr read };
+r_dir_file(gssd_t, tmp_t)
+tmp_domain(gssd)
+allow gssd_t self:fifo_file { read write };
+r_dir_file(gssd_t, proc_net_t)
+allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+allow gssd_t rpc_pipefs_t:sock_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.21.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-01-12 08:14:48.024581906 -0500
+++ policy-1.21.1/domains/program/unused/rpm.te	2005-01-12 09:18:27.153388484 -0500
@@ -10,7 +10,7 @@
 # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
 # var_lib_rpm_t is the type for rpm files in /var/lib
 #
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
 role system_r types rpm_t;
 uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -115,7 +115,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@@ -249,7 +249,9 @@
 allow initrc_t rpm_var_lib_t:file create_file_perms;
 
 ifdef(`unlimitedRPM', `
+typeattribute rpm_t auth_write;
 unconfined_domain(rpm_t)
+typeattribute rpm_script_t auth_write;
 unconfined_domain(rpm_script_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.21.1/domains/program/unused/samba.te	2005-01-12 09:18:27.154388372 -0500
@@ -7,14 +7,14 @@
 #################################
 #
 # Declarations for Samba
-#
+#n
 
 daemon_domain(smbd, `, privhome, auth_chkpwd')
 daemon_domain(nmbd)
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile;
+type samba_share_t, file_type, sysadmfile, customizable;
 type samba_secrets_t, file_type, sysadmfile;
 typealias samba_var_t alias samba_spool_t;
 
@@ -73,8 +73,7 @@
 allow smbd_t usr_t:file { getattr read };
 
 # Access Samba shares.
-allow smbd_t samba_share_t:dir create_dir_perms;
-allow smbd_t samba_share_t:file create_file_perms;
+create_dir_file(smbd_t, samba_share_t)
 
 ifdef(`logrotate.te', `
 # the application should be changed
@@ -117,3 +116,14 @@
 ')
 # Needed for winbindd
 allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
+
+# Support Samba sharing of home directories
+bool samba_enable_home_dirs false;
+
+if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir { getattr search };
+allow smbd_t home_dir_type:dir { getattr search };
+allow smbd_t home_type:dir create_dir_perms;
+dontaudit smbd_t home_type:{ sock_file fifo_file chr_file blk_file } r_file_perms;
+}
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.21.1/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/domains/program/unused/spamd.te	2005-01-12 09:18:27.155388260 -0500
@@ -64,5 +64,10 @@
 allow spamd_t nfs_t:file create_file_perms;
 }
 
+if (use_samba_home_dirs) {
+allow spamd_t cifs_t:dir rw_dir_perms;
+allow spamd_t cifs_t:file create_file_perms;
+}
+
 allow spamd_t home_root_t:dir getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.21.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/xdm.te	2005-01-12 09:18:27.156388147 -0500
@@ -290,6 +290,12 @@
 can_exec(xdm_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
 # for .dmrc
 allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.21.1/domains/user.te
--- nsapolicy/domains/user.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.21.1/domains/user.te	2005-01-12 09:18:27.156388147 -0500
@@ -10,6 +10,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.21.1/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.21.1/file_contexts/program/innd.fc	2005-01-12 09:18:27.157388035 -0500
@@ -1,5 +1,7 @@
 # innd
 /usr/sbin/innd.*	--	system_u:object_r:innd_exec_t
+/usr/bin/rpost          --      system_u:object_r:innd_exec_t
+/usr/bin/suck           --      system_u:object_r:innd_exec_t
 /var/run/innd(/.*)?		system_u:object_r:innd_var_run_t
 /etc/news(/.*)?			system_u:object_r:innd_etc_t
 /etc/news/boot		--	system_u:object_r:innd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mysqld.fc policy-1.21.1/file_contexts/program/mysqld.fc
--- nsapolicy/file_contexts/program/mysqld.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/mysqld.fc	2005-01-12 09:18:27.158387923 -0500
@@ -1,5 +1,5 @@
 # mysql database server
-/usr/sbin/mysqld	--	system_u:object_r:mysqld_exec_t
+/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t
 /usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
 /var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
 /var/log/mysql.*	--	system_u:object_r:mysqld_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.21.1/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2005-01-12 08:14:48.738500877 -0500
+++ policy-1.21.1/file_contexts/program/postgresql.fc	2005-01-12 09:18:27.159387811 -0500
@@ -13,8 +13,8 @@
 /usr/bin/pg_id		--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_restore	--	system_u:object_r:postgresql_exec_t
 
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t
-/var/lib/pgsql(/.*)?		system_u:object_r:postgresql_db_t
+/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t
+/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t
 /var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t
 /etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t
 /var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.21.1/file_contexts/program/rpcd.fc
--- nsapolicy/file_contexts/program/rpcd.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/rpcd.fc	2005-01-12 09:18:27.159387811 -0500
@@ -3,6 +3,8 @@
 /usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
 /usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
 /usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
+/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
+/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t
 /usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t
 /var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
 /var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.1/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2005-01-12 08:14:48.813492366 -0500
+++ policy-1.21.1/file_contexts/program/udev.fc	2005-01-12 09:18:27.204382758 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb	--	system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-12-09 10:26:10.000000000 -0500
+++ policy-1.21.1/macros/base_user_macros.te	2005-01-12 09:18:27.205382646 -0500
@@ -2,6 +2,12 @@
 # Macros for all user login domains.
 #
 
+define(`network_home_dir', `
+create_dir_file($1, $2)
+can_exec($1, $2)
+allow $1 $2:{ sock_file fifo_file } create_file_perms;
+')
+
 #
 # base_user_domain(domain_prefix)
 #
@@ -38,6 +44,7 @@
 
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t shlib_t:file execmod;
+allow $1_t ld_so_t:file execmod;
 
 #
 # kdeinit wants this access
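Review bot: `allow $1_t ld_so_t:file execmod;` grants every user domain the ability to make modified, executable mappings of the dynamic loader, which is the one object a W^X-style policy most wants to keep clean; the shlib_t line directly above has a why-comment and this one does not. If this is needed for a prelinked or text-relocated ld.so on a particular architecture, say which: `# Allow text relocations on ld.so as well (needed for TODO: name the case) — prefer fixing the library over widening this`. If the need is package-specific, a boolean rather than an unconditional grant would let most systems keep the restriction.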
@@ -70,11 +77,15 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
+
 if (use_nfs_home_dirs) {
-create_dir_file($1_t, nfs_t)
-can_exec($1_t, nfs_t)
-allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
+network_home_dir($1_t, nfs_t)
 }
+
+if (use_samba_home_dirs) {
+network_home_dir($1_t, cifs_t)
+}
+
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
 create_dir_file($1_t, removable_t)
@@ -167,6 +178,7 @@
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`samba.te', `samba_domain($1)')
 ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-01-12 08:14:48.985472846 -0500
+++ policy-1.21.1/macros/global_macros.te	2005-01-12 09:18:27.206382534 -0500
@@ -504,6 +504,8 @@
 #
 define(`unconfined_domain', `
 
+typeattribute $1 unrestricted;
+
 # Mount/unmount any filesystem. 
 allow $1 fs_type:filesystem *;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-01-12 08:14:49.097460136 -0500
+++ policy-1.21.1/macros/program/apache_macros.te	2005-01-12 09:18:27.207382421 -0500
@@ -3,7 +3,7 @@
 
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile;
+type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
@@ -14,7 +14,7 @@
 
 # This type is used for executable scripts files
 #
-type httpd_$1_script_exec_t, file_type, sysadmfile;
+type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail, nscd_client_domain;
@@ -41,6 +41,7 @@
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
+allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
 
 allow httpd_$1_script_t { self proc_t }:file { getattr read };
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
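Review bot: The added `allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };` lets every CGI domain read and write stream sockets owned by httpd_t, and nothing in the hunk says which socket that is; presumably the CGI's inherited stdin/stdout when the server hands the script a socketpair instead of a pipe, but that is a guess. A why-comment is needed, e.g. `# CGI stdin/stdout may be a socketpair inherited from httpd_t — TODO confirm which MPM/module needs this`, so the grant is not later widened to `rw_socket_perms` by someone who cannot tell what it was for.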
@@ -57,9 +58,9 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
 ifdef(`slocate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.21.1/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2004-12-21 10:59:58.000000000 -0500
+++ policy-1.21.1/macros/program/cdrecord_macros.te	2005-01-12 09:18:27.208382309 -0500
@@ -35,6 +35,9 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_cdrecord_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+r_dir_file($1_cdrecord_t, cifs_t)
+}
 allow $1_cdrecord_t etc_t:file { getattr read };
 
 # allow searching for cdrom-drive
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.21.1/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_agent_macros.te	2005-01-12 09:18:27.209382197 -0500
@@ -51,6 +51,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_agent_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_agent_t, cifs_t)
+}
 
 allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -111,6 +114,12 @@
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
 }
+if (use_samba_home_dirs) {
+allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t cifs_t:file write;
+}
 
 # read /etc/X11/qtrc
 allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.1/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-12-16 11:38:03.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_macros.te	2005-01-12 09:18:27.210382085 -0500
@@ -79,6 +79,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_t, cifs_t)
+}
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
@@ -111,6 +114,9 @@
 if (use_nfs_home_dirs) {
 dontaudit $1_gpg_helper_t nfs_t:file { read write };
 }
+if (use_samba_home_dirs) {
+dontaudit $1_gpg_helper_t cifs_t:file { read write };
+}
 
 # communicate with the user 
 allow $1_gpg_helper_t $1_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.21.1/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/lpr_macros.te	2005-01-12 09:18:27.210382085 -0500
@@ -81,6 +81,10 @@
 r_dir_file($1_lpr_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+r_dir_file($1_lpr_t, cifs_t)
+}
+
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-12-21 10:59:59.000000000 -0500
+++ policy-1.21.1/macros/program/mozilla_macros.te	2005-01-12 09:18:27.211381972 -0500
@@ -25,7 +25,7 @@
 allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
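Review bot: Adding `execmem` to the mozilla process permissions lets the browser create anonymous memory that is both writable and executable, which removes one of the main mitigations against memory-corruption exploits in the single most exposed user application; the line carries no comment and the existing comment `# Set resource limits and scheduling info.` no longer describes what the rule grants. At minimum update the comment (`# execmem: mozilla's JIT/plugin support needs anonymous W+X mappings`), and consider gating it on a boolean so sites without plugins that require it can keep the restriction. The mozilla_domain macro continues outside this hunk.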
@@ -40,6 +40,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_mozilla_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_mozilla_t, cifs_t)
+}
 ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
 ')dnl end if automount
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.21.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/mta_macros.te	2005-01-12 09:18:27.212381860 -0500
@@ -99,8 +99,8 @@
 # Create dead.letter in user home directories.
 file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-if (use_nfs_home_dirs) {
-rw_dir_create_file($1_mail_t, nfs_t)
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
 }
 
 # if you do not want to allow dead.letter then use the following instead
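Review bot: This hunk replaces the `use_nfs_home_dirs` block with the `use_samba_home_dirs` one instead of adding the latter alongside the former, so user mail domains lose the ability to write dead.letter into NFS-mounted home directories — a regression relative to every other macro in this patch, which keeps both blocks. Restore the original three lines and add the CIFS block after them:

```m4
if (use_nfs_home_dirs) {
rw_dir_create_file($1_mail_t, nfs_t)
}
if (use_samba_home_dirs) {
rw_dir_create_file($1_mail_t, cifs_t)
}
```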
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.1/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.1/macros/program/samba_macros.te	2005-01-12 09:18:27.213381748 -0500
@@ -0,0 +1,28 @@
+#
+# Macros for samba domains.
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+
+# 
+# samba_domain(domain_prefix)
+#
+# Define a derived domain for the samba program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/samba.te. 
+#
+undefine(`samba_domain')
+ifdef(`samba.te', `
+define(`samba_domain',`
+if ( samba_enable_home_dirs ) {
+file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+}
+')
+', `
+define(`samba_domain',`')
+
+')dnl end if samba.te
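Review bot: The header comment says `samba_domain` defines "a derived domain for the samba program when executed by a user domain", but the macro defines no domain at all — it only adds a file type transition so files smbd_t creates in a user's home directory get that user's home type. Rewrite the comment to match, e.g. `# samba_domain(domain_prefix): when samba_enable_home_dirs is on, make files smbd creates in $1's home directory get $1_home_t rather than the default type.` The `file_type_auto_trans` call names no object class, so it applies to whatever classes the macro defaults to; stating that in the comment would help, since the surrounding samba.te dontaudits sock_file/fifo_file access on home_type.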
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.21.1/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2005-01-05 14:37:27.000000000 -0500
+++ policy-1.21.1/macros/program/screen_macros.te	2005-01-12 09:18:27.214381636 -0500
@@ -43,6 +43,9 @@
 if (use_nfs_home_dirs) {
 domain_auto_trans($1_screen_t, nfs_t, $1_t)
 }
+if (use_samba_home_dirs) {
+domain_auto_trans($1_screen_t, cifs_t, $1_t)
+}
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
@@ -53,6 +56,9 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_screen_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+r_dir_file($1_screen_t, cifs_t)
+}
 
 allow $1_screen_t privfd:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.1/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_agent_macros.te	2005-01-12 09:18:27.215381523 -0500
@@ -43,6 +43,9 @@
 ')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_ssh_agent_t, cifs_t)
+}
 
 uses_shlib($1_ssh_agent_t)
 read_locale($1_ssh_agent_t)
@@ -73,6 +76,9 @@
 if (use_nfs_home_dirs) {
 domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
 }
+if (use_samba_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
+}
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.1/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_macros.te	2005-01-12 09:18:27.216381411 -0500
@@ -30,6 +30,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_ssh_t, cifs_t)
+}
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.21.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.21.1/macros/program/su_macros.te	2005-01-12 09:18:27.216381411 -0500
@@ -139,6 +139,9 @@
 if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
 }
+if (use_samba_home_dirs) {
+allow $1_su_t cifs_t:dir search;
+}
 
 # Modify .Xauthority file (via xauth program).
 ifdef(`xauth.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.21.1/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/xauth_macros.te	2005-01-12 09:18:27.217381299 -0500
@@ -86,6 +86,12 @@
 ')
 rw_dir_create_file($1_xauth_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
 ')dnl end xauth_domain macro
 
 ', `
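Review bot: The block `if (use_samba_home_dirs) { rw_dir_create_file($1_xauth_t, cifs_t) }` is added twice in this hunk, on the two consecutive `+if` lines; the second copy is redundant and should be dropped. The enclosing `xauth_domain` macro starts outside the hunk.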
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.1/Makefile
--- nsapolicy/Makefile	2005-01-12 08:14:46.613742034 -0500
+++ policy-1.21.1/Makefile	2005-01-12 09:18:27.218381186 -0500
@@ -53,7 +53,7 @@
 FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 
 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
@@ -75,6 +75,7 @@
 tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+	@touch tmp/valid_fc
 
 install: tmp/valid_fc
 
@@ -90,6 +91,11 @@
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
+$(APPDIR)/customizable_types: policy.conf
+	mkdir -p $(APPDIR)
+	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	install -m 644 tmp/customizable_types $@ 
+
 $(APPDIR)/default_type: appconfig/default_type
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
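Review bot: The new `$(APPDIR)/customizable_types` rule matches `customizable` as a bare substring of any `type` line, so an attribute that merely contains the word would be picked up too, and because the pipeline's exit status is that of the final `cut`, a `grep` that matches nothing still installs an empty file without any error. Matching the attribute as a whole word, `@grep -w "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types`, avoids the first problem; if an empty list should be a build error, test the result before the `install`. The `install -m 644 tmp/customizable_types $@ ` line also carries trailing whitespace.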
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-01-12 08:14:49.606402372 -0500
+++ policy-1.21.1/targeted/domains/unconfined.te	2005-01-12 09:18:27.219381074 -0500
@@ -4,7 +4,7 @@
 # is not explicitly confined.  It has no restrictions.
 # It needs to be carefully protected from the confined domains.
 
-type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem, unrestricted;
+type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
 role system_r types unconfined_t;
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
@@ -20,8 +20,8 @@
 type system_dbusd_var_run_t, file_type, sysadmfile;
 
 # User home directory type.
-type user_home_t, file_type, sysadmfile;
-type user_home_dir_t, file_type, sysadmfile;
+type user_home_t, file_type, sysadmfile, home_type;
+type user_home_dir_t, file_type, sysadmfile, home_dir_type;
 file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
 file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
 
@@ -43,6 +43,11 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
+ifdef(`samba.te', `samba_domain(user)')
+
 # Allow system to run with NIS
 bool allow_ypbind false;
 
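Review bot: `samba_domain(user)` tests `samba_enable_home_dirs` inside the macro (see samba_macros.te in this patch) while this hunk declares `use_samba_home_dirs`, so the boolean introduced here does not control the smbd_t transition it sits beside; use one name in both places or add a comment explaining why they differ. The `ifdef(`samba.te', ...)` guard around the call is also redundant, since samba_macros.te already defines `samba_domain` as empty when samba.te is absent. The first hunk of this file removes the `unrestricted` attribute from `unconfined_t` with no comment or description recording the intended effect; a one-line comment there would help the next reader.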
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/types/apache.te policy-1.21.1/targeted/types/apache.te
--- nsapolicy/targeted/types/apache.te	2004-05-27 14:52:37.000000000 -0400
+++ policy-1.21.1/targeted/types/apache.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-#
-# Rules required by apache for targeted policy
-#
-define(`admin_tty_type', `{ tty_device_t devpts_t }')
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.1/tunables/distro.tun	2005-01-12 09:18:27.220380962 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-12-11 06:31:22.000000000 -0500
+++ policy-1.21.1/tunables/tunable.tun	2005-01-12 09:18:27.221380850 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
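Review bot: This hunk switches `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm` on by default, which lets rpm, hotplug/insmod, rc scripts and the daemons they start run unconfined, lets user_r reach sysadm_r, and suppresses audit messages that would otherwise reveal policy gaps; the previous file shipped the conservative defaults. Together with `distro.tun` now defining `distro_redhat` unconditionally, this bakes one distribution's build choices into the upstream tree. If these are Fedora packaging defaults they belong in a distro-specific tunables file or the package build, with the upstream lines left as `dnl define(...)`. The `user_can_mount` tunable is deleted here with no matching change visible elsewhere in the patch; any .te file still wrapping rules in `ifdef(`user_can_mount', ...)` would silently lose them, so confirm nothing references it.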

* new policy patch
@ 2002-09-27 21:42 Russell Coker
  2002-10-01 16:51 ` Stephen Smalley
  0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2002-09-27 21:42 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 613 bytes --]

The attached patch has my latest changes.  A minor dpkg patch, some qmail 
changes that are particularly needed for mailman and other things that 
require mail being piped, samba changes for /etc/samba/secrets.tdb, type 
labelling for the suseradd program, a squid cron job policy change, and a 
change that hopefully fixes the su gph problem Brian reported.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: new.diff --]
[-- Type: text/x-diff, Size: 6219 bytes --]

diff -ru /tmp/policy/domains/program/dpkg.te ./domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-09-27 22:27:37.000000000 +0200
+++ ./domains/program/dpkg.te	2002-09-27 17:39:34.000000000 +0200
@@ -59,7 +59,7 @@
 ')
 
 # for apt
-type apt_t, domain, admin;
+type apt_t, domain, admin, privmail;
 type apt_exec_t, file_type, sysadmfile, exec_type;
 type var_lib_apt_t, file_type, sysadmfile;
 type var_cache_apt_t, file_type, sysadmfile;
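Review bot: `privmail` is added to `apt_t` with nothing recording which part of apt needs to send mail; the existing `# for apt` header does not cover it. A short comment on the type line, e.g. `# privmail: <apt component, TODO name it> invokes the MTA`, would let a later reader judge whether the attribute is still needed.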
@@ -71,6 +71,7 @@
 file_type_auto_trans(apt_t, tmp_t, tmp_apt_t)
 
 dontaudit apt_t var_log_t:dir getattr;
+dontaudit apt_t var_run_t:dir search;
 
 # for rc files such as ~/.less
 r_dir_file(apt_t, sysadm_home_t)
diff -ru /tmp/policy/domains/program/qmail.te ./domains/program/qmail.te
--- /tmp/policy/domains/program/qmail.te	2002-09-27 22:27:38.000000000 +0200
+++ ./domains/program/qmail.te	2002-09-26 19:23:10.000000000 +0200
@@ -27,7 +27,7 @@
 # qmail_$1_exec_t is the type of the qmail_$1 executables.
 #
 define(`qmail_daemon_domain', `
-daemon_sub_domain(qmail_start_t, qmail_$1)
+daemon_sub_domain(qmail_start_t, qmail_$1, `$2')
 allow qmail_$1_t qmail_start_t:fifo_file { read write };
 
 ')dnl
@@ -36,7 +36,7 @@
 
 allow qmail_start_t self:capability setgid;
 
-qmail_daemon_domain(lspawn)
+qmail_daemon_domain(lspawn, `, mta_delivery_agent')
 allow qmail_lspawn_t self:fifo_file { read write };
 allow qmail_lspawn_t self:capability { setuid setgid };
 allow qmail_lspawn_t self:process fork;
@@ -95,10 +95,17 @@
 allow qmail_local_t qmail_queue_exec_t:file read;
 allow qmail_local_t etc_qmail_t:dir { getattr read search };
 allow qmail_local_t etc_qmail_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file read;
+allow qmail_local_t qmail_spool_t:file { ioctl read };
 allow qmail_local_t self:fifo_file write;
 allow qmail_local_t sbin_t:dir search;
 
+# for piping mail to a command
+can_exec(qmail_local_t, shell_exec_t)
+allow qmail_local_t bin_t:dir search;
+allow qmail_local_t bin_t:lnk_file read;
+allow qmail_local_t devtty_t:chr_file rw_file_perms;
+allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
+
 daemon_sub_domain(tcpd_t, qmail_tcp_env)
 allow qmail_tcp_env_t inetd_t:fd use;
 allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
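Review bot: `can_exec(qmail_local_t, shell_exec_t)` runs the commands named in delivery instructions inside `qmail_local_t` itself rather than through a domain transition, so whatever a user pipes mail to inherits qmail_local's own permissions, including read access to `qmail_spool_t`, `etc_qmail_t` and the queue executables granted just above. That may be an acceptable trade-off, but the comment should say so, e.g. `# for piping mail to a command; NOTE: the command runs in qmail_local_t, not a user domain`, and a dedicated domain via `domain_auto_trans` would be the tighter option if the delivery commands have a fixed type. The `qmail_daemon_domain` change in the first hunk passes a new `$2` through to `daemon_sub_domain`, but the macro's comment block (cut at the top of that hunk) does not document what the second argument is for.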
diff -ru /tmp/policy/domains/program/samba.te ./domains/program/samba.te
--- /tmp/policy/domains/program/samba.te	2002-08-23 21:04:28.000000000 +0200
+++ ./domains/program/samba.te	2002-09-27 22:58:07.000000000 +0200
@@ -14,6 +14,7 @@
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
 type samba_share_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
 
 #################################
 #
@@ -35,9 +36,12 @@
 can_network(smbd_t)
 
 # Permissions for Samba files in /etc/samba
-#allow smbd_t samba_etc_t:file { write setattr getattr read lock };
+# either allow read access to the directory or allow the auto_trans rule to
+# allow creation of the secrets.tdb file
+#allow smbd_t samba_etc_t:dir { search getattr };
+file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
+
 allow smbd_t samba_etc_t:file { getattr read };
-allow smbd_t samba_etc_t:dir { search getattr };
 
 # Permissions for Samba cache files in /var/cache/samba
 allow smbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
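Review bot: The hunk removes the live `allow smbd_t samba_etc_t:dir { search getattr };` rule but leaves a commented-out copy of it, and the two-line comment above reads as an unresolved either/or without stating which option was taken. Delete the commented-out line and record the decision, e.g. `# file_type_auto_trans gives smbd_t the /etc/samba directory access it needs and creates secrets.tdb as samba_secrets_t`. Giving the secrets database its own type is a good move: domains that can read samba_etc_t (none visible here) no longer see the credential store by default.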
diff -ru /tmp/policy/domains/program/squid.te ./domains/program/squid.te
--- /tmp/policy/domains/program/squid.te	2002-08-23 21:04:28.000000000 +0200
+++ ./domains/program/squid.te	2002-09-22 22:39:19.000000000 +0200
@@ -50,6 +50,7 @@
 allow squid_t var_log_squid_t:file create_file_perms;
 ifdef(`logrotate.te',
 `domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
+ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
 
 # Use the network
 can_network(squid_t)
diff -ru /tmp/policy/file_contexts/program/passwd.fc ./file_contexts/program/passwd.fc
--- /tmp/policy/file_contexts/program/passwd.fc	2002-09-27 22:27:40.000000000 +0200
+++ ./file_contexts/program/passwd.fc	2002-08-22 21:49:40.000000000 +0200
@@ -3,9 +3,11 @@
 /usr/local/selinux/bin/schsh	system_u:object_r:passwd_exec_t
 /usr/local/selinux/bin/schfn	system_u:object_r:passwd_exec_t
 /usr/local/selinux/bin/svipw    system_u:object_r:admin_passwd_exec_t
+/usr/local/selinux/bin/suseradd system_u:object_r:admin_passwd_exec_t
 /usr/local/selinux/bin/sadminpasswd system_u:object_r:admin_passwd_exec_t
 /usr/bin/spasswd		system_u:object_r:passwd_exec_t
 /usr/bin/schsh			system_u:object_r:passwd_exec_t
 /usr/bin/schfn			system_u:object_r:passwd_exec_t
 /usr/bin/svipw                 system_u:object_r:admin_passwd_exec_t
+/usr/bin/suseradd              system_u:object_r:admin_passwd_exec_t
 /usr/bin/sadminpasswd          system_u:object_r:admin_passwd_exec_t
diff -ru /tmp/policy/file_contexts/program/samba.fc ./file_contexts/program/samba.fc
--- /tmp/policy/file_contexts/program/samba.fc	2002-07-12 17:19:44.000000000 +0200
+++ ./file_contexts/program/samba.fc	2002-09-27 22:58:30.000000000 +0200
@@ -4,5 +4,4 @@
 /etc/samba(/.*)?		system_u:object_r:samba_etc_t
 /var/log/samba(/.*)?		system_u:object_r:samba_log_t
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
-#/net/music(/.*)?		system_u:object_r:samba_share_t
-#/net/pub(/.*)?			system_u:object_r:samba_share_t
+/etc/samba/secrets.tdb		system_u:object_r:samba_secrets_t
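Review bot: file_contexts entries are regular expressions, so the unescaped `.` in `/etc/samba/secrets.tdb` matches any character; write it as `/etc/samba/secrets\.tdb` so only the literal filename gets `samba_secrets_t`. The other entries in this file use `.*` on purpose, so only the new line needs the escape.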
diff -ru /tmp/policy/macros/program/su_macros.te ./macros/program/su_macros.te
--- /tmp/policy/macros/program/su_macros.te	2002-09-27 22:27:44.000000000 +0200
+++ ./macros/program/su_macros.te	2002-09-27 12:52:43.000000000 +0200
@@ -34,11 +34,6 @@
 # Revert to the user domain when a shell is executed.
 domain_auto_trans($1_su_t, shell_exec_t, $1_t)
 
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',
-`allow $1_su_t $1_gph_t:fd use;
-allow $1_t $1_gph_t:fd use;')
-
 allow $1_su_t privfd:fd use;
 
 # Write to utmp.
@@ -53,6 +48,11 @@
 # Run chkpwd.
 can_exec($1_su_t, chkpwd_exec_t)
 
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow { $1_su_t $1_t } $1_gph_t:fd use;
+')
+
 # The user role is authorized for this domain.
 role $1_r types $1_su_t;
 
