diff -ru /usr/src/se/policy/domains/program/passwd.te ./domains/program/passwd.te --- /usr/src/se/policy/domains/program/passwd.te 2004-06-17 15:10:38.000000000 +1000 +++ ./domains/program/passwd.te 2004-08-09 00:35:11.000000000 +1000 @@ -35,6 +35,9 @@ allow $1_t etc_t:file create_file_perms; +# read /etc/mtab +allow $1_t etc_runtime_t:file { getattr read }; + # Allow etc_t symlinks for /etc/alternatives on Debian. allow $1_t etc_t:lnk_file read; @@ -87,8 +90,8 @@ dontaudit chfn_t shadow_t:file read; allow chfn_t etc_t:dir rw_dir_perms; allow chfn_t etc_t:file create_file_perms; -allow chfn_t proc_t:file { read }; -allow chfn_t chfn_t:file { write }; +allow chfn_t proc_t:file { getattr read }; +allow chfn_t self:file { write }; in_user_role(passwd_t) in_user_role(chfn_t) @@ -118,9 +121,10 @@ ') # allow vipw to exec the editor -allow sysadm_passwd_t { root_t usr_t bin_t }:dir search; +allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search; allow sysadm_passwd_t { bin_t }:lnk_file read; can_exec(sysadm_passwd_t, { shell_exec_t bin_t }) +r_dir_file(sysadm_passwd_t, usr_t) # allow vipw to create temporary files under /var/tmp/vi.recover allow sysadm_passwd_t var_t:dir search; @@ -133,6 +137,12 @@ # for nscd lookups dontaudit sysadm_passwd_t var_run_t:dir search; +# for /proc/meminfo +allow sysadm_passwd_t proc_t:file { getattr read }; + +dontaudit sysadm_passwd_t selinux_config_t:dir search; +dontaudit sysadm_passwd_t devpts_t:dir search; + # make sure that getcon succeeds allow passwd_t userdomain:dir search; allow passwd_t userdomain:file read; diff -ru /usr/src/se/policy/domains/program/unused/acct.te ./domains/program/unused/acct.te --- /usr/src/se/policy/domains/program/unused/acct.te 2004-06-17 15:10:39.000000000 +1000 +++ ./domains/program/unused/acct.te 2004-07-23 16:15:35.000000000 +1000 
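Review bot: In the chfn hunk, `allow chfn_t self:file { write };` keeps braces around a single permission while the surrounding rules in the same hunk (`dontaudit chfn_t shadow_t:file read;`) write it bare; `allow chfn_t self:file write;` matches the file's style. Neither rewritten rule says what access it serves: files labelled with the process's own domain are normally its /proc/<pid> entries, so this presumably lets chfn write one of its own /proc entries, and a comment such as `# write to own /proc/<pid> entry (confirm which)` would record that. For the `proc_t:file { getattr read }` line a short `# stat+read of /proc files` would likewise explain why getattr was added alongside read.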
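Review bot: In the vipw hunk, `r_dir_file(sysadm_passwd_t, usr_t)` grants read and getattr on every usr_t directory and file, far wider than the `usr_t:dir search` it replaces in the list above it, yet the new line sits under `# allow vipw to exec the editor` with nothing saying what actually reads /usr. Presumably the editor loads its runtime or support files from under /usr; a comment like `# the editor reads its support files under /usr (confirm which)` lets a later maintainer judge whether the broad read is still required. The `')` that opens this hunk closes an ifdef that begins outside it.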
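Review bot: In the last passwd.te hunk the comment `# for /proc/meminfo` understates the rule below it: `allow sysadm_passwd_t proc_t:file { getattr read };` covers every file labelled proc_t, not one entry, so `# for /proc/meminfo (necessarily grants read of all proc_t files)` is the honest wording. The two new rules `dontaudit sysadm_passwd_t selinux_config_t:dir search;` and `dontaudit sysadm_passwd_t devpts_t:dir search;` carry no comment on which lookup probes those directories; since dontaudit removes the audit record, noting the observed trigger (e.g. `# <observed cause> — confirm`) keeps the suppression reviewable later.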
@@ -22,7 +22,7 @@ allow acct_t urandom_device_t:chr_file read; ifdef(`logrotate.te', ` -allow acct_t logrotate_exec_t:file getattr; +can_exec(acct_t, logrotate_exec_t) r_dir_file(logrotate_t, acct_data_t) ') diff -ru /usr/src/se/policy/domains/program/unused/amavis.te ./domains/program/unused/amavis.te --- /usr/src/se/policy/domains/program/unused/amavis.te 2004-08-04 20:26:43.000000000 +1000 +++ ./domains/program/unused/amavis.te 2004-08-16 20:24:12.000000000 +1000 @@ -20,8 +20,10 @@ allow initrc_t amavisd_lib_t:file unlink; allow initrc_t amavisd_var_run_t:dir setattr; allow amavisd_t self:capability { chown dac_override setgid setuid }; +dontaudit amavisd_t self:capability sys_tty_config; allow amavisd_t usr_t:{ file lnk_file } { getattr read }; +dontaudit amavisd_t usr_t:file ioctl; # networking can_network(amavisd_t) diff -ru /usr/src/se/policy/domains/program/unused/apmd.te ./domains/program/unused/apmd.te --- /usr/src/se/policy/domains/program/unused/apmd.te 2004-08-02 16:59:47.000000000 +1000 +++ ./domains/program/unused/apmd.te 2004-08-03 15:08:13.000000000 +1000 @@ -72,12 +72,13 @@ # setuid for fuser, dac* for ps dontaudit apmd_t self:capability { setuid dac_override dac_read_search }; dontaudit apmd_t domain:{ socket_class_set } getattr; -dontaudit apmd_t { file_type fs_type }:dir_file_class_set getattr; +dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr; +dontaudit apmd_t device_type:devfile_class_set getattr; dontaudit apmd_t home_type:dir { search getattr }; dontaudit apmd_t domain:key_socket getattr; dontaudit apmd_t domain:dir search; -ifdef(`redhat', ` +ifdef(`redhat', ` can_exec(apmd_t, apmd_var_run_t) # for /var/lock/subsys/network rw_dir_create_file(apmd_t, var_lock_t) 
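Review bot: `can_exec(acct_t, logrotate_exec_t)` lets acct_t run logrotate in its own domain, with no transition, so logrotate would execute with acct_t's permissions rather than in logrotate_t, while the unchanged next line `r_dir_file(logrotate_t, acct_data_t)` suggests logrotate_t is the domain expected to handle the accounting data. If the accounting scripts really invoke logrotate, `domain_auto_trans(acct_t, logrotate_exec_t, logrotate_t)` (the form used elsewhere in this patch) keeps it confined; if only an exec probe was being denied, a comment saying so would justify can_exec. Either way a line explaining why the previous getattr-only rule stopped being enough would help the next reader.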
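Review bot: In the amavis.te hunk, `dontaudit amavisd_t self:capability sys_tty_config;` and `dontaudit amavisd_t usr_t:file ioctl;` give no hint of what triggers the denials they silence, unlike the commented additions elsewhere in this patch (`# read /etc/mtab`, `# for /proc/meminfo`). Because dontaudit removes the audit trail, each such rule should carry its observed cause, e.g. `# <observed trigger> probes usr_t files with ioctl — confirm`. The same applies to `dontaudit calamaris_t usr_t:file ioctl;` in the first calamaris.te hunk.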
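Review bot: In the first apmd.te hunk, `dontaudit apmd_t device_type:devfile_class_set getattr;` silences getattr denials on every device node for apmd_t, and the only nearby explanation, `# setuid for fuser, dac* for ps`, belongs to the capability rule two lines up. Presumably the same ps/fuser walk (or the /dev scan mentioned in the later hunk) stats device nodes; a comment such as `# ps/fuser stat device nodes while scanning — confirm` on the new line would record why the former dir_file_class_set rule had to be split. The rewritten redhat ifdef line looks like a trailing-whitespace fix only, and the block it opens closes outside this hunk.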
@@ -108,7 +109,16 @@ # Same for apm/acpid scripts domain_auto_trans(apmd_t, initrc_exec_t, initrc_t) +ifdef(`consoletype.te', ` +allow consoletype_t apmd_t:fd use; +allow consoletype_t apmd_t:fifo_file write; +') +ifdef(`mount.te', `allow mount_t apmd_t:fd use;') +ifdef(`crond.te', `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)') ifdef(`mta.te', ` domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) ') + +# for a find /dev operation that gets /dev/shm +dontaudit apmd_t tmpfs_t:dir r_dir_perms; diff -ru /usr/src/se/policy/domains/program/unused/backup.te ./domains/program/unused/backup.te --- /usr/src/se/policy/domains/program/unused/backup.te 2004-07-13 09:07:59.000000000 +1000 +++ ./domains/program/unused/backup.te 2004-07-19 09:53:38.000000000 +1000 @@ -23,6 +23,9 @@ rw_dir_create_file(system_crond_t, backup_store_t) ') +# for SSP +allow backup_t urandom_device_t:chr_file read; + can_network(backup_t) uses_shlib(backup_t) diff -ru /usr/src/se/policy/domains/program/unused/bluetooth.te ./domains/program/unused/bluetooth.te --- /usr/src/se/policy/domains/program/unused/bluetooth.te 2004-05-30 16:26:57.000000000 +1000 +++ ./domains/program/unused/bluetooth.te 2004-07-05 00:03:10.000000000 +1000 @@ -15,7 +15,7 @@ tmp_domain(bluetooth) # Use capabilities. -allow bluetooth_t self:capability { net_raw sys_tty_config net_admin }; +allow bluetooth_t self:capability { net_admin net_raw sys_tty_config }; rw_dir_create_file(bluetooth_t, var_lock_t) diff -ru /usr/src/se/policy/domains/program/unused/calamaris.te ./domains/program/unused/calamaris.te --- /usr/src/se/policy/domains/program/unused/calamaris.te 2004-03-27 00:46:44.000000000 +1100 +++ ./domains/program/unused/calamaris.te 2004-08-12 17:11:00.000000000 +1000 
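Review bot: The new crond.te ifdef line, `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)`, moves apmd's child into system_crond_t, the domain that runs system cron jobs with their full privileges, and carries no comment on why apmd starts anacron at all (presumably to catch up missed jobs after resume — confirm). A comment such as `# anacron launched on resume runs as the system cron jobs do` would make that privilege step visibly deliberate. Separately, `dontaudit apmd_t tmpfs_t:dir r_dir_perms;` suppresses more than the directory lookup its comment describes; if the audit log only showed `search` denials on /dev/shm, `dontaudit apmd_t tmpfs_t:dir search;` is the narrower rule.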
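Review bot: In the backup.te hunk the comment `# for SSP` is too terse for a rule that hands a backup domain a random device: SSP is the stack-smashing protector, whose canary setup reads /dev/urandom, so `# for SSP (stack protector seeds its canary from /dev/urandom)` says why the read is needed. The `')` at the top of this hunk closes an ifdef that begins outside it. The equivalent `allow calamaris_t urandom_device_t:chr_file { getattr read };` in the second calamaris.te hunk has no comment at all and would benefit from the same one.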
@@ -21,6 +21,8 @@ allow calamaris_t var_log_squid_t:dir search; allow calamaris_t var_log_squid_t:file { getattr read }; allow calamaris_t { usr_t lib_t }:file { getattr read }; +allow calamaris_t usr_t:lnk_file { getattr read }; +dontaudit calamaris_t usr_t:file ioctl; type calamaris_www_t, file_type, sysadmfile; ifdef(`apache.te', ` @@ -36,10 +38,13 @@ allow calamaris_t device_t:dir search; allow calamaris_t devtty_t:chr_file { read write }; +allow calamaris_t urandom_device_t:chr_file { getattr read }; + allow calamaris_t self:process { fork signal_perms setsched }; allow calamaris_t { proc_t sysctl_kernel_t }:dir search; allow calamaris_t { proc_t sysctl_kernel_t }:file { getattr read }; allow calamaris_t { proc_t self }:lnk_file read; +allow calamaris_t self:dir search; allow calamaris_t { bin_t sbin_t }:dir search; allow calamaris_t bin_t:lnk_file read;