All of lore.kernel.org
 help / color / mirror / Atom feed
* policy patch
@ 2004-11-25 13:27 Russell Coker
  2004-11-25 16:32 ` Luke Kenneth Casson Leighton
                   ` (3 more replies)
  0 siblings, 4 replies; 27+ messages in thread
From: Russell Coker @ 2004-11-25 13:27 UTC (permalink / raw)
  To: SELinux List

[-- Attachment #1: Type: text/plain, Size: 2559 bytes --]

The attached patch makes some trivial policy changes.

Allows Debian systems to touch /etc from an init script.

Only Red Hat needs initrc_t to be able to stat all files from an init script.

$1_login_t should not inherit a file handle from init (maybe a bug that has to 
be fixed - it certainly needs something other than a dontaudit).

Updated policy for the latest version of asterisk and postgrey.

No domain should have both auth and auth_chkpwd attributes.  If the domain has 
auth then it will never have a need to run unix_chkpwd.

Removed some duplicate rules and needless {}.

Allow kudzu to do everything it wants.

Mailman should not have a dontaudit for access to src_t.  Any access to src_t 
is a bug.  The bug that caused this to be added is supposed to be fixed in 
Fedora now.  If it turns out that /usr/src is accessed for other reasons then 
it's more bugs we need to fix and we don't want it hidden.

Don't use a dontaudit rule for rhgb_t access to /tmp, that will cause us pain 
later on if rhgb is changed to need such access.

Don't use the root_dir_type attribute for type tftpdir_t, it's usually not the 
root of a file system, and there's no good reason for using it.  Maybe we can 
do as the comment suggests and remove that attribute entirely?

Put in a dontaudit rule to stop some annoying messages on sighup.

Removed the CVS comment line from amanda.fc.  We don't seem to be using CVS in 
a way that makes sense of that line and it just makes for needless file 
changes on every update.  Best to be consistent with the other files and 
remove that line.

/var/spool/mqueue is part of Sendmail.  It should not be referenced apart from 
through the sendmail policy.

$1_tty_device_t is not a file, the attribute file_type does not belong.  Also 
updated types/file.te to allow the terminal devices to be associated with the 
root fs without this attribute.

mozilla should not be permitted to write to random devices (this means append 
too).  Now that we aren't labelling a /usr/tmp sym-link as tmp_t we can 
remove the access to tmp_t:lnk_file.

gam_server seems to run wild and want to explore every part of the file 
system.  I put in a ifdef(`distro_redhat' as Fedora is the only distribution 
currently relying on gam.  I think that some changes need to be made to gam.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff.trivial --]
[-- Type: text/x-diff, Size: 20103 bytes --]

diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2004-11-21 21:51:11.000000000 +1100
+++ ./domains/program/initrc.te	2004-11-25 23:20:31.000000000 +1100
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer;
 ifdef(`sendmail.te', `
 allow system_mail_t initrc_t:fd use;
 allow system_mail_t initrc_t:fifo_file write;
@@ -36,6 +36,7 @@
 # Read system information files in /proc.
 allow initrc_t proc_t:dir r_dir_perms;
 allow initrc_t proc_t:{ file lnk_file } r_file_perms;
+allow initrc_t proc_mdstat_t:file { getattr read };
 
 # Allow IPC with self
 allow initrc_t self:unix_dgram_socket create_socket_perms;
@@ -63,6 +64,14 @@
 allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
 allow initrc_t var_run_t:dir { create rmdir };
 
+ifdef(`distro_debian', `
+allow initrc_t etc_t:dir setattr;
+
+# for storing state under /dev/shm
+file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
+allow initrc_var_run_t tmpfs_t:filesystem associate;
+')
+
 allow initrc_t framebuf_device_t:chr_file r_file_perms;
 
 # Use capabilities.
@@ -330,7 +338,9 @@
 
 r_dir_file(initrc_t,selinux_config_t)
 
+ifdef(`distro_redhat', `
 allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+')
 
 ifdef(`unlimitedRC', `
 unconfined_domain(initrc_t) 
diff -ru /usr/src/se/policy/domains/program/login.te ./domains/program/login.te
--- /usr/src/se/policy/domains/program/login.te	2004-11-21 21:51:11.000000000 +1100
+++ ./domains/program/login.te	2004-11-22 03:14:43.000000000 +1100
@@ -126,7 +126,7 @@
 r_dir_file($1_login_t, selinux_config_t)
 
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
-dontaudit $1_login_t init_t:fd use;
+
 ')dnl end login_domain macro
 #################################
 #
diff -ru /usr/src/se/policy/domains/program/unused/asterisk.te ./domains/program/unused/asterisk.te
--- /usr/src/se/policy/domains/program/unused/asterisk.te	2004-10-20 09:31:06.000000000 +1000
+++ ./domains/program/unused/asterisk.te	2004-11-13 04:12:14.000000000 +1100
@@ -15,6 +15,10 @@
 
 allow asterisk_t proc_t:file { getattr read };
 
+allow asterisk_t { bin_t sbin_t }:dir search;
+allow asterisk_t bin_t:lnk_file read;
+can_exec(asterisk_t, bin_t)
+
 etcdir_domain(asterisk)
 logdir_domain(asterisk)
 var_lib_domain(asterisk)
@@ -47,5 +51,8 @@
 # for /var/run/asterisk
 allow asterisk_t self:capability dac_override;
 
+# for shutdown
+dontaudit asterisk_t self:capability sys_tty_config;
+
 tmpfs_domain(asterisk)
 tmp_domain(asterisk)
diff -ru /usr/src/se/policy/domains/program/unused/consoletype.te ./domains/program/unused/consoletype.te
--- /usr/src/se/policy/domains/program/unused/consoletype.te	2004-11-21 21:51:13.000000000 +1100
+++ ./domains/program/unused/consoletype.te	2004-11-22 03:14:43.000000000 +1100
@@ -52,7 +52,7 @@
 allow consoletype_t pam_var_run_t:file { getattr read };
 ')
 ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
+allow consoletype_t tmpfs_t:chr_file rw_file_perms;
 ')
 ifdef(`firstboot.te', `
 allow consoletype_t firstboot_t:fifo_file write;
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2004-11-21 21:51:13.000000000 +1100
+++ ./domains/program/unused/cups.te	2004-11-25 21:09:23.000000000 +1100
@@ -184,7 +184,7 @@
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 allow cupsd_config_t cupsd_t:process { signal };
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-r_dir_file(cupsd_config_t, cupsd_t)
+can_ps(cupsd_config_t, cupsd_t)
 
 allow cupsd_config_t self:capability chown;
 
diff -ru /usr/src/se/policy/domains/program/unused/dovecot.te ./domains/program/unused/dovecot.te
--- /usr/src/se/policy/domains/program/unused/dovecot.te	2004-11-20 01:18:15.000000000 +1100
+++ ./domains/program/unused/dovecot.te	2004-11-22 03:14:43.000000000 +1100
@@ -38,7 +38,7 @@
 allow dovecot_t mail_spool_t:lnk_file read;
 allow dovecot_t var_spool_t:dir { search };
 
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth, auth_chkpwd')
+daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
 allow dovecot_auth_t self:process { fork signal_perms };
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
diff -ru /usr/src/se/policy/domains/program/unused/gpm.te ./domains/program/unused/gpm.te
--- /usr/src/se/policy/domains/program/unused/gpm.te	2004-11-25 20:37:11.000000000 +1100
+++ ./domains/program/unused/gpm.te	2004-11-25 21:11:40.000000000 +1100
@@ -32,8 +32,6 @@
 allow gpm_t self:unix_dgram_socket create_socket_perms;
 allow gpm_t self:unix_stream_socket create_stream_socket_perms;
 
-allow gpm_t mouse_device_t:chr_file rw_file_perms;
-
 # Read and write ttys.
 allow gpm_t tty_device_t:chr_file rw_file_perms;
 
diff -ru /usr/src/se/policy/domains/program/unused/hald.te ./domains/program/unused/hald.te
--- /usr/src/se/policy/domains/program/unused/hald.te	2004-11-25 20:37:11.000000000 +1100
+++ ./domains/program/unused/hald.te	2004-11-25 21:12:51.000000000 +1100
@@ -54,7 +54,7 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
-ifdef(`udev.te', `
+ifdef(`hotplug.te', `
 r_dir_file(hald_t, hotplug_etc_t)
 ')
 allow hald_t usbdevfs_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/iptables.te ./domains/program/unused/iptables.te
--- /usr/src/se/policy/domains/program/unused/iptables.te	2004-11-25 20:37:11.000000000 +1100
+++ ./domains/program/unused/iptables.te	2004-11-25 23:18:50.000000000 +1100
@@ -54,7 +54,7 @@
 ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
 
 allow iptables_t proc_t:file { getattr read };
-allow iptables_t proc_net_t:dir { search };
+allow iptables_t proc_net_t:dir search;
 allow iptables_t proc_net_t:file { read getattr };
 
 # system-config-network appends to /var/log
diff -ru /usr/src/se/policy/domains/program/unused/kudzu.te ./domains/program/unused/kudzu.te
--- /usr/src/se/policy/domains/program/unused/kudzu.te	2004-11-21 21:51:13.000000000 +1100
+++ ./domains/program/unused/kudzu.te	2004-11-25 21:14:19.000000000 +1100
@@ -3,13 +3,17 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 
-daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain')
+daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
 
 read_locale(kudzu_t)
 
 # for /etc/sysconfig/hwconf - probably need a new type
 allow kudzu_t etc_runtime_t:file rw_file_perms;
 
+# for kmodule
+allow kudzu_t zero_device_t:chr_file rx_file_perms;
+allow kudzu_t memory_device_t:chr_file { read write execute };
+
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t etc_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/mailman.te ./domains/program/unused/mailman.te
--- /usr/src/se/policy/domains/program/unused/mailman.te	2004-11-20 01:18:16.000000000 +1100
+++ ./domains/program/unused/mailman.te	2004-11-25 21:14:51.000000000 +1100
@@ -71,8 +71,7 @@
 domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
 # should have separate types for public and private archives
 r_dir_file(httpd_t, mailman_archive_t)
-rw_dir_file(mailman_cgi_t, mailman_archive_t)
-allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
+rw_dir_create_file(mailman_cgi_t, mailman_archive_t)
 allow httpd_t mailman_data_t:dir { getattr search };
 
 dontaudit mailman_cgi_t httpd_log_t:file append;
@@ -84,7 +83,6 @@
 allow mailman_cgi_t devtty_t:chr_file { read write };
 allow mailman_cgi_t self:process { fork sigchld };
 allow mailman_cgi_t var_spool_t:dir search;
-dontaudit mailman_cgi_t src_t:dir search;
 ')
 
 allow mta_delivery_agent mailman_data_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/ping.te ./domains/program/unused/ping.te
--- /usr/src/se/policy/domains/program/unused/ping.te	2004-11-20 01:18:16.000000000 +1100
+++ ./domains/program/unused/ping.te	2004-11-22 03:14:43.000000000 +1100
@@ -55,5 +55,5 @@
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
 dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t ping_t:capability sys_tty_config;
+dontaudit ping_t self:capability sys_tty_config;
 
diff -ru /usr/src/se/policy/domains/program/unused/postgresql.te ./domains/program/unused/postgresql.te
--- /usr/src/se/policy/domains/program/unused/postgresql.te	2004-11-25 20:37:12.000000000 +1100
+++ ./domains/program/unused/postgresql.te	2004-11-25 22:35:08.000000000 +1100
@@ -34,7 +34,7 @@
 
 # capability kill is for shutdown script
 allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
-dontaudit postgresql_t postgresql_t:capability { sys_admin };
+dontaudit postgresql_t self:capability sys_admin;
 
 etcdir_domain(postgresql)
 typealias postgresql_etc_t alias etc_postgresql_t;
diff -ru /usr/src/se/policy/domains/program/unused/postgrey.te ./domains/program/unused/postgrey.te
--- /usr/src/se/policy/domains/program/unused/postgrey.te	2004-08-28 12:05:04.000000000 +1000
+++ ./domains/program/unused/postgrey.te	2004-11-13 01:02:26.000000000 +1100
@@ -20,10 +20,11 @@
 can_network(postgrey_t)
 can_ypbind(postgrey_t)
 allow postgrey_t postgrey_port_t:tcp_socket name_bind;
+allow postgrey_t self:unix_dgram_socket create_socket_perms;
 allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
 allow postgrey_t proc_t:file { getattr read };
 
-allow postgrey_t self:capability { chown setuid };
+allow postgrey_t self:capability { chown setgid setuid };
 dontaudit postgrey_t self:capability sys_tty_config;
 
 var_lib_domain(postgrey)
diff -ru /usr/src/se/policy/domains/program/unused/rhgb.te ./domains/program/unused/rhgb.te
--- /usr/src/se/policy/domains/program/unused/rhgb.te	2004-11-13 03:56:03.000000000 +1100
+++ ./domains/program/unused/rhgb.te	2004-11-22 03:14:43.000000000 +1100
@@ -22,7 +22,7 @@
 allow rhgb_t proc_t:file { getattr read };
 
 allow rhgb_t devtty_t:chr_file { read write };
-allow rhgb_t tty_device_t:chr_file { ioctl read write };
+allow rhgb_t tty_device_t:chr_file rw_file_perms;
 
 read_locale(rhgb_t)
 allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
@@ -85,7 +85,7 @@
 ifdef(`firstboot.te', `
 allow rhgb_t firstboot_rw_t:file r_file_perms;
 ')
-dontaudit rhgb_t tmp_t:dir search;
+allow rhgb_t tmp_t:dir search;
 allow rhgb_t xdm_xserver_t:process sigkill;
 allow domain rhgb_devpts_t:chr_file { read write };
 ifdef(`fsadm.te', `
diff -ru /usr/src/se/policy/domains/program/unused/sendmail.te ./domains/program/unused/sendmail.te
--- /usr/src/se/policy/domains/program/unused/sendmail.te	2004-11-13 03:56:04.000000000 +1100
+++ ./domains/program/unused/sendmail.te	2004-11-25 22:43:05.000000000 +1100
@@ -99,5 +99,7 @@
 allow system_mail_t sysctl_kernel_t:file read;
 dontaudit system_mail_t system_crond_tmp_t:file append;
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 allow sendmail_t initrc_var_run_t:file { getattr read };
 dontaudit sendmail_t initrc_var_run_t:file { lock write };
diff -ru /usr/src/se/policy/domains/program/unused/sxid.te ./domains/program/unused/sxid.te
--- /usr/src/se/policy/domains/program/unused/sxid.te	2004-08-19 17:10:37.000000000 +1000
+++ ./domains/program/unused/sxid.te	2004-11-13 04:00:22.000000000 +1100
@@ -29,6 +29,7 @@
 
 allow sxid_t file_type:notdevfile_class_set getattr;
 allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
+allow sxid_t ttyfile:chr_file getattr;
 allow sxid_t file_type:dir { getattr read search };
 allow sxid_t sysadmfile:file read;
 allow sxid_t root_dir_type:dir { getattr read search };
diff -ru /usr/src/se/policy/domains/program/unused/tftpd.te ./domains/program/unused/tftpd.te
--- /usr/src/se/policy/domains/program/unused/tftpd.te	2004-10-20 09:31:10.000000000 +1000
+++ ./domains/program/unused/tftpd.te	2004-11-13 04:00:39.000000000 +1100
@@ -16,7 +16,7 @@
 type tftp_port_t, port_type, reserved_port_type;
 
 # tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, root_dir_type, sysadmfile;
+type tftpdir_t, file_type, sysadmfile;
 r_dir_file(tftpd_t, tftpdir_t)
 
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
diff -ru /usr/src/se/policy/domains/user.te ./domains/user.te
--- /usr/src/se/policy/domains/user.te	2004-11-25 20:37:08.000000000 +1100
+++ ./domains/user.te	2004-11-25 22:46:14.000000000 +1100
@@ -48,6 +48,8 @@
 allow $1_r $2_r;
 type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
 type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+# avoid annoying messages on terminal hangup
+dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
 ')
 
 # Reach sysadm_t via programs like userhelper/sudo/su
diff -ru /usr/src/se/policy/file_contexts/program/amanda.fc ./file_contexts/program/amanda.fc
--- /usr/src/se/policy/file_contexts/program/amanda.fc	2004-11-13 03:56:05.000000000 +1100
+++ ./file_contexts/program/amanda.fc	2004-11-13 04:03:15.000000000 +1100
@@ -1,8 +1,6 @@
 #
 # Author:  Carsten Grohmann <carstengrohmann@gmx.de>
 #
-# $Id: amanda.fc,v 1.3 2004/03/03 20:55:53 sds Exp $
-#
 
 # amanda
 /etc/amanda(/.*)?			system_u:object_r:amanda_config_t
diff -ru /usr/src/se/policy/file_contexts/program/sendmail.fc ./file_contexts/program/sendmail.fc
--- /usr/src/se/policy/file_contexts/program/sendmail.fc	2004-11-21 21:51:16.000000000 +1100
+++ ./file_contexts/program/sendmail.fc	2004-11-22 02:45:31.000000000 +1100
@@ -1,5 +1,6 @@
 # sendmail
 /etc/mail(/.*)?				system_u:object_r:etc_mail_t
+/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
 /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
 /var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t
diff -ru /usr/src/se/policy/file_contexts/types.fc ./file_contexts/types.fc
--- /usr/src/se/policy/file_contexts/types.fc	2004-11-25 20:37:14.000000000 +1100
+++ ./file_contexts/types.fc	2004-11-22 03:14:43.000000000 +1100
@@ -399,7 +396,6 @@
 #
 /var/spool(/.*)?		system_u:object_r:var_spool_t
 /var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t
-/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 
 # 
 # /var/log
diff -ru /usr/src/se/policy/macros/admin_macros.te ./macros/admin_macros.te
--- /usr/src/se/policy/macros/admin_macros.te	2004-11-25 20:37:20.000000000 +1100
+++ ./macros/admin_macros.te	2004-11-25 22:57:58.000000000 +1100
@@ -25,7 +25,7 @@
 tmp_domain($1)
 
 # Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, dev_fs;
+type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
diff -ru /usr/src/se/policy/macros/base_user_macros.te ./macros/base_user_macros.te
--- /usr/src/se/policy/macros/base_user_macros.te	2004-11-25 20:37:20.000000000 +1100
+++ ./macros/base_user_macros.te	2004-11-25 23:01:56.000000000 +1100
@@ -349,7 +344,7 @@
 #
 # Running ifconfig as a user generates the following
 #
-dontaudit $1_t $1_t:socket create;
+dontaudit $1_t self:socket create;
 dontaudit $1_t sysctl_net_t:dir search;
 
 dontaudit $1_t default_context_t:dir search;
diff -ru /usr/src/se/policy/macros/program/crontab_macros.te ./macros/program/crontab_macros.te
--- /usr/src/se/policy/macros/program/crontab_macros.te	2004-11-13 03:56:11.000000000 +1100
+++ ./macros/program/crontab_macros.te	2004-11-22 03:14:43.000000000 +1100
@@ -55,6 +55,7 @@
 allow $1_crontab_t self:process { fork signal_perms };
 ifdef(`fcron.te', `
 # fcron wants an instant update of a crontab change for the administrator
+# also crontab does a security check for crontab -u
 ifelse(`$1', `sysadm', `
 allow $1_crontab_t crond_t:process signal;
 can_setfscreate($1_crontab_t)
@@ -63,6 +64,9 @@
 ')dnl end ifelse
 ')dnl end ifdef fcron
 
+# for the checks used by crontab -u
+dontaudit $1_crontab_t security_t:dir search;
+
 # crontab signals crond by updating the mtime on the spooldir
 allow $1_crontab_t cron_spool_t:dir setattr;
 # Allow crond to read those crontabs in cron spool.
diff -ru /usr/src/se/policy/macros/program/mozilla_macros.te ./macros/program/mozilla_macros.te
--- /usr/src/se/policy/macros/program/mozilla_macros.te	2004-11-25 20:37:21.000000000 +1100
+++ ./macros/program/mozilla_macros.te	2004-11-25 23:07:56.000000000 +1100
@@ -29,8 +30,7 @@
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
-allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append };
-
+allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
 allow $1_mozilla_t self:socket create_socket_perms;
 allow $1_mozilla_t self:file { getattr read };
 
@@ -71,8 +71,6 @@
 dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
 ')
 
-dontaudit $1_mozilla_t tmp_t:lnk_file read;
-
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
diff -ru /usr/src/se/policy/macros/program/screen_macros.te ./macros/program/screen_macros.te
--- /usr/src/se/policy/macros/program/screen_macros.te	2004-11-20 01:18:25.000000000 +1100
+++ ./macros/program/screen_macros.te	2004-11-22 03:18:59.000000000 +1100
@@ -88,7 +88,6 @@
 # get stats
 allow $1_screen_t proc_t:dir search;
 allow $1_screen_t proc_t:lnk_file read;
-dontaudit $1_screen_t device_t:chr_file getattr;
 allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
 allow $1_screen_t self:dir { search read };
 allow $1_screen_t self:lnk_file read;
diff -ru /usr/src/se/policy/macros/program/userhelper_macros.te ./macros/program/userhelper_macros.te
--- /usr/src/se/policy/macros/program/userhelper_macros.te	2004-11-25 20:37:21.000000000 +1100
+++ ./macros/program/userhelper_macros.te	2004-11-22 03:14:43.000000000 +1100
@@ -38,9 +38,6 @@
 # Inherit descriptors from the current session.
 allow $1_userhelper_t { init_t privfd }:fd use;
 
-# Execute /sbin/unix_chkpwd to check the password.
-allow $1_userhelper_t sbin_t:dir r_dir_perms;
-
 can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
 
 # Execute shells
diff -ru /usr/src/se/policy/macros/user_macros.te ./macros/user_macros.te
--- /usr/src/se/policy/macros/user_macros.te	2004-11-20 01:18:25.000000000 +1100
+++ ./macros/user_macros.te	2004-11-22 03:14:43.000000000 +1100
@@ -197,8 +197,10 @@
 
 dontaudit $1_t sysadm_home_t:dir { read search getattr };
 dontaudit $1_t sysadm_home_t:file { read getattr append };
+ifdef(`distro_redhat', `
 # gam_server fires off these when exploring with mozilla/nautilous
 dontaudit $1_t file_type:dir getattr;
+')
 
 ifdef(`syslogd.te', `
 # Some programs that are left in $1_t will try to connect
diff -ru /usr/src/se/policy/types/file.te ./types/file.te
--- /usr/src/se/policy/types/file.te	2004-11-13 03:56:14.000000000 +1100
+++ ./types/file.te	2004-11-22 03:14:43.000000000 +1100
@@ -256,7 +256,7 @@
 # Allow each file type to be associated with 
 # the default file system type.
 #
-allow { file_type device_type } fs_t:filesystem associate;
+allow { file_type device_type ttyfile } fs_t:filesystem associate;
 ifdef(`distro_redhat', `
 allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
 ')

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2005-08-18  7:31 Russell Coker
  0 siblings, 0 replies; 27+ messages in thread
From: Russell Coker @ 2005-08-18  7:31 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 438 bytes --]

Attached is a policy patch for some minor things that are missing.  The most 
important patches are the ones for postfix.fc and dhcpd.fc as they are the 
most likely to break systems.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 9941 bytes --]

--- selinux-policy-strict-1.24.orig/domains/program/restorecon.te
+++ selinux-policy-strict-1.24/domains/program/restorecon.te
@@ -45,6 +45,9 @@
 ifdef(`distro_redhat', `
 allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
 ')
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
 
 allow restorecon_t ptyfile:chr_file getattr;
 
--- selinux-policy-strict-1.24.orig/domains/program/ssh.te
+++ selinux-policy-strict-1.24/domains/program/ssh.te
@@ -113,6 +113,14 @@
 can_create_pty($1, `, server_pty')
 allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
 dontaudit sshd_t userpty_type:chr_file relabelfrom;
+
+allow $1_t faillog_t:file { append getattr };
+allow $1_t sbin_t:file getattr;
+
+# Allow checking users mail at login
+allow $1_t { var_spool_t mail_spool_t }:dir search;
+allow $1_t mail_spool_t:lnk_file read;
+allow $1_t mail_spool_t:file getattr;
 ')dnl end sshd_program_domain
 
 # macro for defining which domains a sshd can spawn
@@ -161,11 +169,6 @@
 # for when the network connection breaks after running newrole -r sysadm_r
 dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
 
-# Allow checking users mail at login
-allow sshd_t { var_spool_t mail_spool_t }:dir search;
-allow sshd_t mail_spool_t:lnk_file read;
-allow sshd_t mail_spool_t:file getattr;
-
 ifdef(`inetd.te', `
 if (run_ssh_inetd) {
 allow inetd_t ssh_port_t:tcp_socket name_bind;
@@ -229,5 +232,3 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-allow sshd_t faillog_t:file { append getattr };
-allow sshd_t sbin_t:file getattr;
--- selinux-policy-strict-1.24.orig/domains/program/unused/acct.te
+++ selinux-policy-strict-1.24/domains/program/unused/acct.te
@@ -23,10 +23,11 @@
 
 type acct_data_t, file_type, sysadmfile;
 
-allow acct_t self:capability sys_pacct;
+# not sure why we need this, the command "last" is reported as using it
+dontaudit acct_t self:capability kill;
 
 # gzip needs chown capability for some reason
-allow acct_t self:capability chown;
+allow acct_t self:capability { chown fsetid sys_pacct };
 
 allow acct_t var_t:dir { getattr search };
 rw_dir_create_file(acct_t, acct_data_t)
@@ -37,14 +38,13 @@
 
 read_locale(acct_t)
 
-allow acct_t self:capability fsetid;
 allow acct_t fs_t:filesystem getattr;
 
 allow acct_t self:unix_stream_socket create_socket_perms;
 
 allow acct_t self:fifo_file { read write getattr };
 
-allow acct_t proc_t:file { read getattr };
+allow acct_t { self proc_t }:file { read getattr };
 
 read_sysctl(acct_t)
 
@@ -53,8 +53,6 @@
 # for nscd
 dontaudit acct_t var_run_t:dir search;
 
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
 
 allow acct_t devtty_t:chr_file { read write };
 
--- selinux-policy-strict-1.24.orig/domains/program/unused/dpkg.te
+++ selinux-policy-strict-1.24/domains/program/unused/dpkg.te
@@ -178,6 +178,9 @@
 type apt_rw_etc_t, file_type, sysadmfile;
 tmp_domain(apt, `', `{ dir file lnk_file }')
 can_exec(apt_t, apt_tmp_t)
+ifdef(`crond.te', `
+allow system_crond_t apt_etc_t:file { getattr read };
+')
 
 rw_dir_create_file(apt_t, apt_rw_etc_t)
 
--- selinux-policy-strict-1.24.orig/domains/program/unused/fs_daemon.te
+++ selinux-policy-strict-1.24/domains/program/unused/fs_daemon.te
@@ -15,6 +15,8 @@
 allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
 allow fsdaemon_t etc_runtime_t:file { getattr read };
 
+allow fsdaemon_t proc_mdstat_t:file { getattr read };
+
 can_exec_any(fsdaemon_t)
 allow fsdaemon_t self:fifo_file rw_file_perms;
 can_network_udp(fsdaemon_t)
--- selinux-policy-strict-1.24.orig/domains/program/unused/lvm.te
+++ selinux-policy-strict-1.24/domains/program/unused/lvm.te
@@ -101,6 +101,7 @@
 dontaudit lvm_t ttyfile:chr_file getattr;
 dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
 dontaudit lvm_t devpts_t:dir { getattr read };
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
 
 ifdef(`gpm.te', `
 dontaudit lvm_t gpmctl_t:sock_file getattr;
--- selinux-policy-strict-1.24.orig/domains/program/unused/mailman.te
+++ selinux-policy-strict-1.24/domains/program/unused/mailman.te
@@ -91,6 +91,8 @@
 
 allow mta_delivery_agent mailman_data_t:dir search;
 allow mta_delivery_agent mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:dir r_dir_perms;
 domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
 ifdef(`direct_sysadm_daemon', `
 domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
--- selinux-policy-strict-1.24.orig/domains/program/unused/mysqld.te
+++ selinux-policy-strict-1.24/domains/program/unused/mysqld.te
@@ -89,3 +89,6 @@
 }
 ')
 
+ifdef(`crond.te', `
+allow system_crond_t mysqld_etc_t:file { getattr read };
+')
--- selinux-policy-strict-1.24.orig/domains/program/unused/ntpd.te
+++ selinux-policy-strict-1.24/domains/program/unused/ntpd.te
@@ -27,7 +27,7 @@
 # for SSP
 allow ntpd_t urandom_device_t:chr_file { getattr read };
 
-allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
 dontaudit ntpd_t self:capability { net_admin };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
--- selinux-policy-strict-1.24.orig/domains/program/unused/sxid.te
+++ selinux-policy-strict-1.24/domains/program/unused/sxid.te
@@ -32,6 +32,7 @@
 allow sxid_t ttyfile:chr_file getattr;
 allow sxid_t file_type:dir { getattr read search };
 allow sxid_t sysadmfile:file { getattr read };
+dontaudit sxid_t devpts_t:dir r_dir_perms;
 allow sxid_t fs_type:dir { getattr read search };
 
 # Use the network.
--- selinux-policy-strict-1.24.orig/file_contexts/program/apache.fc
+++ selinux-policy-strict-1.24/file_contexts/program/apache.fc
@@ -26,15 +26,17 @@
 /var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t
 /var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t
 /var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
-/var/run/apache(2)?\.pid.* --	system_u:object_r:httpd_var_run_t
+/var/run/apache.*		system_u:object_r:httpd_var_run_t
 /var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
 /var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t
 /etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
 /usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t
 /usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
 /var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t
-/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
 /var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)?		system_u:object_r:httpd_log_t
+')
 ifdef(`distro_suse', `
 # suse puts shell scripts there :-(
 /usr/share/apache2/[^/]*	--	system_u:object_r:bin_t
--- selinux-policy-strict-1.24.orig/file_contexts/program/clamav.fc
+++ selinux-policy-strict-1.24/file_contexts/program/clamav.fc
@@ -12,4 +12,4 @@
 /var/run/clamd\.ctl	-s	system_u:object_r:clamd_sock_t
 /var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
 /var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd.sock -s	system_u:object_r:clamd_sock_t
+/var/run/clamav/clamd\.sock -s	system_u:object_r:clamd_sock_t
--- selinux-policy-strict-1.24.orig/file_contexts/program/dhcpd.fc
+++ selinux-policy-strict-1.24/file_contexts/program/dhcpd.fc
@@ -3,7 +3,7 @@
 /etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
 /usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
 /var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t
+/var/run/dhcpd\.pid	--	system_u:object_r:dhcpd_var_run_t
 ifdef(`dhcp_defined', `', `
 /var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
 define(`dhcp_defined')
--- selinux-policy-strict-1.24.orig/file_contexts/program/postfix.fc
+++ selinux-policy-strict-1.24/file_contexts/program/postfix.fc
@@ -10,6 +10,7 @@
 /usr/libexec/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
 /usr/libexec/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
 /usr/libexec/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
+/usr/libexec/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t
 /usr/libexec/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
 /usr/libexec/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
 /usr/libexec/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
@@ -22,6 +23,7 @@
 /usr/lib/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
 /usr/lib/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
 /usr/lib/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
+/usr/lib/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t
 /usr/lib/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
 /usr/lib/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
 /usr/lib/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
--- selinux-policy-strict-1.24.orig/file_contexts/program/radvd.fc
+++ selinux-policy-strict-1.24/file_contexts/program/radvd.fc
@@ -2,3 +2,4 @@
 /etc/radvd\.conf	--	system_u:object_r:radvd_etc_t
 /usr/sbin/radvd		--	system_u:object_r:radvd_exec_t
 /var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t
+/var/run/radvd/saved-settings -- system_u:object_r:radvd_var_run_t
--- selinux-policy-strict-1.24.orig/macros/program/gpg_macros.te
+++ selinux-policy-strict-1.24/macros/program/gpg_macros.te
@@ -61,7 +61,7 @@
 allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
 
 # setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap };
+allow $1_gpg_t self:process { setrlimit setcap setpgid };
 
 # allow ps to show gpg
 can_ps($1_t, $1_gpg_t)

^ permalink raw reply	[flat|nested] 27+ messages in thread
* [Fwd: New policy patch]
@ 2005-01-12 18:46 Daniel J Walsh
  2005-01-21 20:36 ` James Carter
  0 siblings, 1 reply; 27+ messages in thread
From: Daniel J Walsh @ 2005-01-12 18:46 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: New policy patch --]
[-- Type: message/rfc822, Size: 39682 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 342 bytes --]

    Add customizable types.

    Add samba_home_dir support.

    Fix postgresql to run on ypbind platform

    Begin adding support for NFSV4 with Kerberos keys

    Add execmod to users for ld_so_t

    add execmem for mozilla

    Add unrestricted attribute to indicate domains using unconfined_t. 

    Also began using typeattribute. 



[-- Attachment #2.1.2: policy-20050112.patch --]
[-- Type: text/x-patch, Size: 38466 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.21.1/attrib.te
--- nsapolicy/attrib.te	2004-12-21 10:59:56.000000000 -0500
+++ policy-1.21.1/attrib.te	2005-01-12 09:19:59.141059592 -0500
@@ -393,3 +393,8 @@
 # For labeling of domains whos transition can be disabled
 attribute transitionbool;
 
+# For labeling of file_context domains which users can change files to rather
+# then the default file context.  These file_context can survive a relabeling
+# of the file system.
+attribute customizable;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.21.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-01-12 08:14:47.039693689 -0500
+++ policy-1.21.1/domains/program/initrc.te	2005-01-12 09:18:27.139390056 -0500
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.21.1/domains/program/init.te
--- nsapolicy/domains/program/init.te	2005-01-12 08:14:47.017696186 -0500
+++ policy-1.21.1/domains/program/init.te	2005-01-12 09:18:27.140389944 -0500
@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted');
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
@@ -141,3 +141,7 @@
 
 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write }; 
+ifdef(`targeted_policy', `
+typeattribute init_t unrestricted;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-01-12 08:14:47.055691874 -0500
+++ policy-1.21.1/domains/program/ldconfig.te	2005-01-12 09:18:27.140389944 -0500
@@ -8,7 +8,7 @@
 #
 # Rules for the ldconfig_t domain.
 #
-type ldconfig_t, domain, privlog, etc_writer ifdef(`targeted_policy', `, unrestricted' );
+type ldconfig_t, domain, privlog, etc_writer;
 type ldconfig_exec_t, file_type, sysadmfile, exec_type;
 
 role sysadm_r types ldconfig_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.21.1/domains/program/login.te	2005-01-12 09:18:27.141389832 -0500
@@ -84,6 +84,10 @@
 r_dir_file($1_login_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+r_dir_file($1_login_t, cifs_t)
+}
+
 # FIXME: what is this for?
 ifdef(`xdm.te', `
 allow xdm_t $1_login_t:process signull;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.21.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-01-12 08:14:47.086688356 -0500
+++ policy-1.21.1/domains/program/modutil.te	2005-01-12 09:18:27.142389719 -0500
@@ -69,7 +69,7 @@
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.21.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-01-12 08:14:47.150681092 -0500
+++ policy-1.21.1/domains/program/ssh.te	2005-01-12 09:18:27.143389607 -0500
@@ -80,6 +80,11 @@
 allow $1_t nfs_t:file { getattr read };
 }
 
+if (use_samba_home_dirs) {
+allow $1_t cifs_t:dir { search getattr };
+allow $1_t cifs_t:file { getattr read };
+}
+
 # Set exec context.
 can_setexec($1_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unconfined.te policy-1.21.1/domains/program/unconfined.te
--- nsapolicy/domains/program/unconfined.te	2004-08-24 15:35:26.000000000 -0400
+++ policy-1.21.1/domains/program/unconfined.te	2005-01-12 09:18:27.144389495 -0500
@@ -6,7 +6,7 @@
 # chcon -t unconfined_exec_t /usr/local/bin/appsrv
 # Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
 
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write, unrestricted;
+type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
 type unconfined_exec_t, file_type, sysadmfile, exec_type;
 role sysadm_r types unconfined_t;
 domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.21.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.21.1/domains/program/unused/anaconda.te	2005-01-12 09:18:27.144389495 -0500
@@ -10,7 +10,7 @@
 #
 # anaconda_t is the domain of the installation program
 #
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted;
+type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 role system_r types anaconda_t;
 unconfined_domain(anaconda_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-01-12 08:14:47.372655899 -0500
+++ policy-1.21.1/domains/program/unused/apache.te	2005-01-12 09:18:27.145389382 -0500
@@ -19,6 +19,13 @@
 #  the user CGI scripts, then relabel rule for user_r should be removed.
 #
 ###############################################################################
+
+define(`httpd_home_dirs', `
+r_dir_file(httpd_t, $1)
+r_dir_file(httpd_suexec_t, $1)
+can_exec(httpd_suexec_t, $1)
+')
+
 type http_port_t, port_type, reserved_port_type;
 
 bool httpd_unified false;
@@ -262,9 +269,10 @@
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
-r_dir_file(httpd_t, nfs_t)
-r_dir_file(httpd_suexec_t, nfs_t)
-can_exec(httpd_suexec_t, nfs_t)
+httpd_home_dirs(nfs_t)
+}
+if (use_samba_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(cifs_t)
 }
 r_dir_file(httpd_t, fonts_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-01-12 08:14:47.490642507 -0500
+++ policy-1.21.1/domains/program/unused/cups.te	2005-01-12 09:18:27.146389270 -0500
@@ -248,3 +248,6 @@
 allow cupsd_t initrc_t:dbus send_msg;
 ')
 
+ifdef(`targeted_policy', `
+allow cupsd_t unconfined_t:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.21.1/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.21.1/domains/program/unused/firstboot.te	2005-01-12 09:18:27.147389158 -0500
@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/ftpd.te	2005-01-12 09:18:27.148389046 -0500
@@ -100,14 +100,15 @@
 # allow access to /home
 allow ftpd_t home_root_t:dir { getattr search };
 }
-
-if (ftp_home_dir && use_nfs_home_dirs) {
-allow ftpd_t nfs_t:dir r_dir_perms;
-allow ftpd_t nfs_t:file r_file_perms;
+if (use_nfs_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, nfs_t)
+}
+if (use_samba_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, cifs_t)
 }
 dontaudit ftpd_t selinux_config_t:dir search;
 #
 # Type for access to anon ftp
 #
-type ftpd_anon_t, file_type, sysadmfile;
+type ftpd_anon_t, file_type, sysadmfile, customizable;
 r_dir_file(ftpd_t,ftpd_anon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.21.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/hotplug.te	2005-01-12 09:18:27.149388933 -0500
@@ -11,7 +11,7 @@
 # hotplug_exec_t is the type of the hotplug executable.
 #
 ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
 ', `
 daemon_domain(hotplug, `, privmodule')
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.21.1/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2005-01-12 08:14:47.700618675 -0500
+++ policy-1.21.1/domains/program/unused/inetd.te	2005-01-12 09:18:27.150388821 -0500
@@ -18,7 +18,7 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
 allow inetd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.21.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.21.1/domains/program/unused/pamconsole.te	2005-01-12 09:18:27.150388821 -0500
@@ -41,3 +41,4 @@
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
 allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.21.1/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-01-12 08:14:47.980586899 -0500
+++ policy-1.21.1/domains/program/unused/postgresql.te	2005-01-12 09:18:27.151388709 -0500
@@ -53,6 +53,7 @@
 
 # Use the network.
 can_network_server(postgresql_t)
+can_ypbind(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(postgresql_t, self)
@@ -84,6 +85,7 @@
 
 # Allow access to the postgresql databases
 create_dir_file(postgresql_t, postgresql_db_t)
+file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
 allow postgresql_t var_lib_t:dir { getattr search };
 
 # because postgresql start scripts are broken and put the pid file in the DB
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.21.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/rpcd.te	2005-01-12 09:18:27.152388597 -0500
@@ -126,3 +126,15 @@
 allow rpcd_t rpc_pipefs_t:sock_file { read write };
 dontaudit rpcd_t selinux_config_t:dir { search };
 allow rpcd_t proc_net_t:dir search;
+
+
+rpc_domain(gssd)
+can_kerberos(gssd_t)
+allow gssd_t krb5_keytab_t:file r_file_perms;
+allow gssd_t urandom_device_t:chr_file { getattr read };
+r_dir_file(gssd_t, tmp_t)
+tmp_domain(gssd)
+allow gssd_t self:fifo_file { read write };
+r_dir_file(gssd_t, proc_net_t)
+allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+allow gssd_t rpc_pipefs_t:sock_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.21.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-01-12 08:14:48.024581906 -0500
+++ policy-1.21.1/domains/program/unused/rpm.te	2005-01-12 09:18:27.153388484 -0500
@@ -10,7 +10,7 @@
 # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
 # var_lib_rpm_t is the type for rpm files in /var/lib
 #
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
 role system_r types rpm_t;
 uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -115,7 +115,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@@ -249,7 +249,9 @@
 allow initrc_t rpm_var_lib_t:file create_file_perms;
 
 ifdef(`unlimitedRPM', `
+typeattribute rpm_t auth_write;
 unconfined_domain(rpm_t)
+typeattribute rpm_script_t auth_write;
 unconfined_domain(rpm_script_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.21.1/domains/program/unused/samba.te	2005-01-12 09:18:27.154388372 -0500
@@ -7,14 +7,14 @@
 #################################
 #
 # Declarations for Samba
-#
+#n
 
 daemon_domain(smbd, `, privhome, auth_chkpwd')
 daemon_domain(nmbd)
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile;
+type samba_share_t, file_type, sysadmfile, customizable;
 type samba_secrets_t, file_type, sysadmfile;
 typealias samba_var_t alias samba_spool_t;
 
@@ -73,8 +73,7 @@
 allow smbd_t usr_t:file { getattr read };
 
 # Access Samba shares.
-allow smbd_t samba_share_t:dir create_dir_perms;
-allow smbd_t samba_share_t:file create_file_perms;
+create_dir_file(smbd_t, samba_share_t)
 
 ifdef(`logrotate.te', `
 # the application should be changed
@@ -117,3 +116,14 @@
 ')
 # Needed for winbindd
 allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
+
+# Support Samba sharing of home directories
+bool samba_enable_home_dirs false;
+
+if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir { getattr search };
+allow smbd_t home_dir_type:dir { getattr search };
+allow smbd_t home_type:dir create_dir_perms;
+dontaudit smbd_t home_type:{ sock_file fifo_file chr_file blk_file } r_file_perms;
+}
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.21.1/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/domains/program/unused/spamd.te	2005-01-12 09:18:27.155388260 -0500
@@ -64,5 +64,10 @@
 allow spamd_t nfs_t:file create_file_perms;
 }
 
+if (use_samba_home_dirs) {
+allow spamd_t cifs_t:dir rw_dir_perms;
+allow spamd_t cifs_t:file create_file_perms;
+}
+
 allow spamd_t home_root_t:dir getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.21.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/xdm.te	2005-01-12 09:18:27.156388147 -0500
@@ -290,6 +290,12 @@
 can_exec(xdm_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
 # for .dmrc
 allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.21.1/domains/user.te
--- nsapolicy/domains/user.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.21.1/domains/user.te	2005-01-12 09:18:27.156388147 -0500
@@ -10,6 +10,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.21.1/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.21.1/file_contexts/program/innd.fc	2005-01-12 09:18:27.157388035 -0500
@@ -1,5 +1,7 @@
 # innd
 /usr/sbin/innd.*	--	system_u:object_r:innd_exec_t
+/usr/bin/rpost          --      system_u:object_r:innd_exec_t
+/usr/bin/suck           --      system_u:object_r:innd_exec_t
 /var/run/innd(/.*)?		system_u:object_r:innd_var_run_t
 /etc/news(/.*)?			system_u:object_r:innd_etc_t
 /etc/news/boot		--	system_u:object_r:innd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mysqld.fc policy-1.21.1/file_contexts/program/mysqld.fc
--- nsapolicy/file_contexts/program/mysqld.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/mysqld.fc	2005-01-12 09:18:27.158387923 -0500
@@ -1,5 +1,5 @@
 # mysql database server
-/usr/sbin/mysqld	--	system_u:object_r:mysqld_exec_t
+/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t
 /usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
 /var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
 /var/log/mysql.*	--	system_u:object_r:mysqld_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.21.1/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2005-01-12 08:14:48.738500877 -0500
+++ policy-1.21.1/file_contexts/program/postgresql.fc	2005-01-12 09:18:27.159387811 -0500
@@ -13,8 +13,8 @@
 /usr/bin/pg_id		--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_restore	--	system_u:object_r:postgresql_exec_t
 
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t
-/var/lib/pgsql(/.*)?		system_u:object_r:postgresql_db_t
+/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t
+/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t
 /var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t
 /etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t
 /var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.21.1/file_contexts/program/rpcd.fc
--- nsapolicy/file_contexts/program/rpcd.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/rpcd.fc	2005-01-12 09:18:27.159387811 -0500
@@ -3,6 +3,8 @@
 /usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
 /usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
 /usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
+/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
+/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t
 /usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t
 /var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
 /var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.1/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2005-01-12 08:14:48.813492366 -0500
+++ policy-1.21.1/file_contexts/program/udev.fc	2005-01-12 09:18:27.204382758 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb	--	system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-12-09 10:26:10.000000000 -0500
+++ policy-1.21.1/macros/base_user_macros.te	2005-01-12 09:18:27.205382646 -0500
@@ -2,6 +2,12 @@
 # Macros for all user login domains.
 #
 
+define(`network_home_dir', `
+create_dir_file($1, $2)
+can_exec($1, $2)
+allow $1 $2:{ sock_file fifo_file } create_file_perms;
+')
+
 #
 # base_user_domain(domain_prefix)
 #
@@ -38,6 +44,7 @@
 
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t shlib_t:file execmod;
+allow $1_t ld_so_t:file execmod;
 
 #
 # kdeinit wants this access
@@ -70,11 +77,15 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
+
 if (use_nfs_home_dirs) {
-create_dir_file($1_t, nfs_t)
-can_exec($1_t, nfs_t)
-allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
+network_home_dir($1_t, nfs_t)
 }
+
+if (use_samba_home_dirs) {
+network_home_dir($1_t, cifs_t)
+}
+
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
 create_dir_file($1_t, removable_t)
@@ -167,6 +178,7 @@
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`samba.te', `samba_domain($1)')
 ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-01-12 08:14:48.985472846 -0500
+++ policy-1.21.1/macros/global_macros.te	2005-01-12 09:18:27.206382534 -0500
@@ -504,6 +504,8 @@
 #
 define(`unconfined_domain', `
 
+typeattribute $1 unrestricted;
+
 # Mount/unmount any filesystem. 
 allow $1 fs_type:filesystem *;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-01-12 08:14:49.097460136 -0500
+++ policy-1.21.1/macros/program/apache_macros.te	2005-01-12 09:18:27.207382421 -0500
@@ -3,7 +3,7 @@
 
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile;
+type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
@@ -14,7 +14,7 @@
 
 # This type is used for executable scripts files
 #
-type httpd_$1_script_exec_t, file_type, sysadmfile;
+type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail, nscd_client_domain;
@@ -41,6 +41,7 @@
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
+allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
 
 allow httpd_$1_script_t { self proc_t }:file { getattr read };
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
@@ -57,9 +58,9 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
 ifdef(`slocate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.21.1/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2004-12-21 10:59:58.000000000 -0500
+++ policy-1.21.1/macros/program/cdrecord_macros.te	2005-01-12 09:18:27.208382309 -0500
@@ -35,6 +35,9 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_cdrecord_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+r_dir_file($1_cdrecord_t, cifs_t)
+}
 allow $1_cdrecord_t etc_t:file { getattr read };
 
 # allow searching for cdrom-drive
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.21.1/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_agent_macros.te	2005-01-12 09:18:27.209382197 -0500
@@ -51,6 +51,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_agent_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_agent_t, cifs_t)
+}
 
 allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -111,6 +114,12 @@
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
 }
+if (use_samba_home_dirs) {
+allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t cifs_t:file write;
+}
 
 # read /etc/X11/qtrc
 allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.1/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-12-16 11:38:03.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_macros.te	2005-01-12 09:18:27.210382085 -0500
@@ -79,6 +79,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_t, cifs_t)
+}
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
@@ -111,6 +114,9 @@
 if (use_nfs_home_dirs) {
 dontaudit $1_gpg_helper_t nfs_t:file { read write };
 }
+if (use_samba_home_dirs) {
+dontaudit $1_gpg_helper_t cifs_t:file { read write };
+}
 
 # communicate with the user 
 allow $1_gpg_helper_t $1_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.21.1/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/lpr_macros.te	2005-01-12 09:18:27.210382085 -0500
@@ -81,6 +81,10 @@
 r_dir_file($1_lpr_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+r_dir_file($1_lpr_t, cifs_t)
+}
+
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-12-21 10:59:59.000000000 -0500
+++ policy-1.21.1/macros/program/mozilla_macros.te	2005-01-12 09:18:27.211381972 -0500
@@ -25,7 +25,7 @@
 allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
@@ -40,6 +40,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_mozilla_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_mozilla_t, cifs_t)
+}
 ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
 ')dnl end if automount
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.21.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/mta_macros.te	2005-01-12 09:18:27.212381860 -0500
@@ -99,8 +99,8 @@
 # Create dead.letter in user home directories.
 file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-if (use_nfs_home_dirs) {
-rw_dir_create_file($1_mail_t, nfs_t)
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
 }
 
 # if you do not want to allow dead.letter then use the following instead
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.1/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.1/macros/program/samba_macros.te	2005-01-12 09:18:27.213381748 -0500
@@ -0,0 +1,28 @@
+#
+# Macros for samba domains.
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+
+# 
+# samba_domain(domain_prefix)
+#
+# Define a derived domain for the samba program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/samba.te. 
+#
+undefine(`samba_domain')
+ifdef(`samba.te', `
+define(`samba_domain',`
+if ( samba_enable_home_dirs ) {
+file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+}
+')
+', `
+define(`samba_domain',`')
+
+')dnl end if samba.te
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.21.1/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2005-01-05 14:37:27.000000000 -0500
+++ policy-1.21.1/macros/program/screen_macros.te	2005-01-12 09:18:27.214381636 -0500
@@ -43,6 +43,9 @@
 if (use_nfs_home_dirs) {
 domain_auto_trans($1_screen_t, nfs_t, $1_t)
 }
+if (use_samba_home_dirs) {
+domain_auto_trans($1_screen_t, cifs_t, $1_t)
+}
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
@@ -53,6 +56,9 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_screen_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+r_dir_file($1_screen_t, cifs_t)
+}
 
 allow $1_screen_t privfd:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.1/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_agent_macros.te	2005-01-12 09:18:27.215381523 -0500
@@ -43,6 +43,9 @@
 ')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_ssh_agent_t, cifs_t)
+}
 
 uses_shlib($1_ssh_agent_t)
 read_locale($1_ssh_agent_t)
@@ -73,6 +76,9 @@
 if (use_nfs_home_dirs) {
 domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
 }
+if (use_samba_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
+}
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.1/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_macros.te	2005-01-12 09:18:27.216381411 -0500
@@ -30,6 +30,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_ssh_t, cifs_t)
+}
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.21.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.21.1/macros/program/su_macros.te	2005-01-12 09:18:27.216381411 -0500
@@ -139,6 +139,9 @@
 if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
 }
+if (use_samba_home_dirs) {
+allow $1_su_t cifs_t:dir search;
+}
 
 # Modify .Xauthority file (via xauth program).
 ifdef(`xauth.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.21.1/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/xauth_macros.te	2005-01-12 09:18:27.217381299 -0500
@@ -86,6 +86,12 @@
 ')
 rw_dir_create_file($1_xauth_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
 ')dnl end xauth_domain macro
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.1/Makefile
--- nsapolicy/Makefile	2005-01-12 08:14:46.613742034 -0500
+++ policy-1.21.1/Makefile	2005-01-12 09:18:27.218381186 -0500
@@ -53,7 +53,7 @@
 FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 
 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
@@ -75,6 +75,7 @@
 tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+	@touch tmp/valid_fc
 
 install: tmp/valid_fc
 
@@ -90,6 +91,11 @@
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
+$(APPDIR)/customizable_types: policy.conf
+	mkdir -p $(APPDIR)
+	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	install -m 644 tmp/customizable_types $@ 
+
 $(APPDIR)/default_type: appconfig/default_type
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-01-12 08:14:49.606402372 -0500
+++ policy-1.21.1/targeted/domains/unconfined.te	2005-01-12 09:18:27.219381074 -0500
@@ -4,7 +4,7 @@
 # is not explicitly confined.  It has no restrictions.
 # It needs to be carefully protected from the confined domains.
 
-type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem, unrestricted;
+type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
 role system_r types unconfined_t;
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
@@ -20,8 +20,8 @@
 type system_dbusd_var_run_t, file_type, sysadmfile;
 
 # User home directory type.
-type user_home_t, file_type, sysadmfile;
-type user_home_dir_t, file_type, sysadmfile;
+type user_home_t, file_type, sysadmfile, home_type;
+type user_home_dir_t, file_type, sysadmfile, home_dir_type;
 file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
 file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
 
@@ -43,6 +43,11 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
+ifdef(`samba.te', `samba_domain(user)')
+
 # Allow system to run with NIS
 bool allow_ypbind false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/types/apache.te policy-1.21.1/targeted/types/apache.te
--- nsapolicy/targeted/types/apache.te	2004-05-27 14:52:37.000000000 -0400
+++ policy-1.21.1/targeted/types/apache.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-#
-# Rules required by apache for targeted policy
-#
-define(`admin_tty_type', `{ tty_device_t devpts_t }')
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.1/tunables/distro.tun	2005-01-12 09:18:27.220380962 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-12-11 06:31:22.000000000 -0500
+++ policy-1.21.1/tunables/tunable.tun	2005-01-12 09:18:27.221380850 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2004-10-13  5:55 Russell Coker
  2004-10-13 20:17 ` James Carter
  0 siblings, 1 reply; 27+ messages in thread
From: Russell Coker @ 2004-10-13  5:55 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 1477 bytes --]

Allow checkpolicy to access /dev/tty.

Change var_lib_rpm_t to rpm_var_lib_t.

Allow load_policy to access /dev/tty.

Removed a dontaudit from login.te that was only needed if you had both a buggy 
init and booted in permissive mode.

Allow setfiles to access /dev/tty, create unix datagram sockets, and read 
locale data.

syslogd should not be running before /dev is labelled so it has no need to 
access tmpfs_t.

Make useradd and groupadd run in the correct domain when run from firstboot to 
give the files the right context.

Allow fsdaemon_t to access etc_runtime_t for /etc/smartd.conf.

Make kmodule run in kudzu_t (it's from the same code base).

Some minor improvements to mailman policy.

Fix a Red Hat Postfix problem and the postconf problem.

Removed some typealias rules that aren't needed any more.

tftpdir_t generally is not the root of a file system and should not have 
attribute root_dir_type.

Added support for the new master socket support in ssh.

xdm_t should not even get access to most types that are labeled as 
homedirfile, so changed the rule to use the attribute home_dir_type.

Fixed howl_t port assignments.  Either howl code has changed recently or the 
current policy was merged wrong.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 18484 bytes --]

diff -ru /usr/src/se/policy/domains/program/checkpolicy.te ./domains/program/checkpolicy.te
--- /usr/src/se/policy/domains/program/checkpolicy.te	2004-09-16 18:06:45.000000000 +1000
+++ ./domains/program/checkpolicy.te	2004-10-04 05:46:14.000000000 +1000
@@ -46,7 +46,7 @@
 `allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
 # Other access
-allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
+allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
 uses_shlib(checkpolicy_t)
 allow checkpolicy_t self:capability dac_override;
 
diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2004-10-02 03:36:10.000000000 +1000
+++ ./domains/program/initrc.te	2004-10-11 03:45:20.000000000 +1000
@@ -216,8 +216,8 @@
 
 ifdef(`rpm.te', `
 # Access /var/lib/rpm.
-allow initrc_t var_lib_rpm_t:dir rw_dir_perms;
-allow initrc_t var_lib_rpm_t:file create_file_perms;
+allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
+allow initrc_t rpm_var_lib_t:file create_file_perms;
 ')
 ')dnl end distro_redhat
 
diff -ru /usr/src/se/policy/domains/program/load_policy.te ./domains/program/load_policy.te
--- /usr/src/se/policy/domains/program/load_policy.te	2004-08-08 22:16:26.000000000 +1000
+++ ./domains/program/load_policy.te	2004-10-04 05:45:00.000000000 +1000
@@ -48,7 +48,7 @@
 allow load_policy_t devpts_t:dir r_dir_perms;
 
 # Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t }:chr_file { read write ioctl getattr };
+allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
 uses_shlib(load_policy_t)
 allow load_policy_t self:capability dac_override;
 
diff -ru /usr/src/se/policy/domains/program/login.te ./domains/program/login.te
--- /usr/src/se/policy/domains/program/login.te	2004-09-11 16:21:43.000000000 +1000
+++ ./domains/program/login.te	2004-09-07 22:37:55.000000000 +1000
@@ -130,7 +130,6 @@
 can_ypbind($1_login_t)
 
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
-dontaudit $1_login_t init_t:fd { use };
 ')dnl end login_domain macro
 #################################
 #
diff -ru /usr/src/se/policy/domains/program/setfiles.te ./domains/program/setfiles.te
--- /usr/src/se/policy/domains/program/setfiles.te	2004-09-03 14:10:30.000000000 +1000
+++ ./domains/program/setfiles.te	2004-10-04 06:11:39.000000000 +1000
@@ -19,7 +19,9 @@
 role sysadm_r types setfiles_t;
 
 allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
+
+allow setfiles_t self:unix_dgram_socket create_socket_perms;
 
 domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
 allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
@@ -46,6 +48,8 @@
 allow setfiles_t fs_t:filesystem getattr;
 allow setfiles_t fs_type:dir r_dir_perms;
 
+read_locale(setfiles_t)
+
 allow setfiles_t etc_runtime_t:file read;
 allow setfiles_t etc_t:file read;
 allow setfiles_t proc_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/sulogin.te ./domains/program/sulogin.te
--- /usr/src/se/policy/domains/program/sulogin.te	2004-10-02 03:36:11.000000000 +1000
+++ ./domains/program/sulogin.te	2004-10-11 04:37:17.000000000 +1000
@@ -38,6 +38,10 @@
 
 allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir { search };
+allow sulogin_t default_context_t:dir search;
 allow sulogin_t default_context_t:file { getattr read };
 
 r_dir_file(sulogin_t, selinux_config_t)
+
+# because file systems are not mounted
+dontaudit sulogin_t file_t:dir search;
diff -ru /usr/src/se/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /usr/src/se/policy/domains/program/syslogd.te	2004-10-11 03:50:36.000000000 +1000
+++ ./domains/program/syslogd.te	2004-10-11 04:37:44.000000000 +1000
@@ -94,5 +94,4 @@
 # /initrd is not umounted before minilog starts
 #
 dontaudit syslogd_t file_t:dir search;
-allow syslogd_t { tmpfs_t devpts_t }:dir { search };
-dontaudit syslogd_t unlabeled_t:file read;
+allow syslogd_t devpts_t:dir { search };
diff -ru /usr/src/se/policy/domains/program/unused/anaconda.te ./domains/program/unused/anaconda.te
--- /usr/src/se/policy/domains/program/unused/anaconda.te	2004-09-11 16:21:44.000000000 +1000
+++ ./domains/program/unused/anaconda.te	2004-10-11 03:44:38.000000000 +1000
@@ -187,8 +187,8 @@
 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
 # Access /var/lib/rpm.
-allow anaconda_t var_lib_rpm_t:dir rw_dir_perms;
-allow anaconda_t var_lib_rpm_t:file create_file_perms;
+allow anaconda_t rpm_var_lib_t:dir rw_dir_perms;
+allow anaconda_t rpm_var_lib_t:file create_file_perms;
 domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
 ')
 ')
Only in ./domains/program/unused: bindgraph.te
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2004-10-11 03:50:36.000000000 +1000
+++ ./domains/program/unused/bootloader.te	2004-10-11 04:38:52.000000000 +1000
@@ -121,7 +121,7 @@
 allow bootloader_t proc_t:dir { getattr search };
 allow bootloader_t proc_t:file r_file_perms;
 allow bootloader_t proc_t:lnk_file { getattr read };
-allow bootloader_t proc_mdstat_t:file r_file_perms;
+allow bootloader_t proc_mdstat_t:file { getattr read };
 allow bootloader_t self:dir { getattr search read };
 allow bootloader_t sysctl_kernel_t:dir search;
 allow bootloader_t sysctl_kernel_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/firstboot.te ./domains/program/unused/firstboot.te
--- /usr/src/se/policy/domains/program/unused/firstboot.te	2004-09-24 06:31:21.000000000 +1000
+++ ./domains/program/unused/firstboot.te	2004-10-01 06:19:47.000000000 +1000
@@ -19,7 +19,6 @@
 ')
 
 etc_domain(firstboot)
-typealias firstboot_etc_t alias etc_firstboot_t;
 
 allow firstboot_t proc_t:file r_file_perms;
 
@@ -30,6 +29,8 @@
 file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
 
 can_exec_any(firstboot_t)
+domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
+domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
 allow firstboot_t etc_runtime_t:file { getattr read };
 
 r_dir_file(firstboot_t, etc_t)
diff -ru /usr/src/se/policy/domains/program/unused/fs_daemon.te ./domains/program/unused/fs_daemon.te
--- /usr/src/se/policy/domains/program/unused/fs_daemon.te	2004-02-03 02:17:22.000000000 +1100
+++ ./domains/program/unused/fs_daemon.te	2004-10-04 06:05:27.000000000 +1000
@@ -12,3 +12,4 @@
 allow fsdaemon_t device_t:dir read;
 allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
 allow fsdaemon_t self:capability { sys_rawio sys_admin };
+allow fsdaemon_t etc_runtime_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/i18n_input.te ./domains/program/unused/i18n_input.te
--- /usr/src/se/policy/domains/program/unused/i18n_input.te	2004-10-11 03:50:37.000000000 +1000
+++ ./domains/program/unused/i18n_input.te	2004-10-11 04:42:15.000000000 +1000
@@ -12,13 +12,6 @@
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
 
-## No Unix Socket Connection at the moment
-##
-# can_unix_send( { i18n_input_t sysadm_t }, { i18n_input_t sysadm_t } )
-# allow i18n_input_t self:unix_dgram_socket create_socket_perms;
-# allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
-# can_unix_connect(i18n_input_t, self)
-
 can_tcp_connect(userdomain, i18n_input_t)
 
 allow i18n_input_t self:fifo_file rw_file_perms;
diff -ru /usr/src/se/policy/domains/program/unused/kudzu.te ./domains/program/unused/kudzu.te
--- /usr/src/se/policy/domains/program/unused/kudzu.te	2004-10-07 16:14:46.000000000 +1000
+++ ./domains/program/unused/kudzu.te	2004-10-04 05:54:24.000000000 +1000
@@ -15,8 +15,8 @@
 allow kudzu_t etc_t:file { getattr read };
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config };
 allow kudzu_t modules_conf_t:file { getattr read };
-allow kudzu_t modules_object_t:dir { getattr search };
-allow kudzu_t modules_dep_t:file { getattr read };
+allow kudzu_t modules_object_t:dir r_dir_perms;
+allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
 allow kudzu_t proc_t:file { getattr read };
 allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
diff -ru /usr/src/se/policy/domains/program/unused/mailman.te ./domains/program/unused/mailman.te
--- /usr/src/se/policy/domains/program/unused/mailman.te	2004-08-28 12:05:03.000000000 +1000
+++ ./domains/program/unused/mailman.te	2004-10-08 06:06:06.000000000 +1000
@@ -87,7 +87,10 @@
 
 allow mta_delivery_agent mailman_data_t:dir search;
 allow mta_delivery_agent mailman_data_t:lnk_file read;
-domain_auto_trans(mta_delivery_agent, mailman_mail_exec_t, mailman_mail_t)
+domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
+ifdef(`direct_sysadm_daemon', `
+domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
+')
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
diff -ru /usr/src/se/policy/domains/program/unused/mdadm.te ./domains/program/unused/mdadm.te
--- /usr/src/se/policy/domains/program/unused/mdadm.te	2004-09-11 16:21:44.000000000 +1000
+++ ./domains/program/unused/mdadm.te	2004-10-04 02:53:30.000000000 +1000
@@ -6,6 +6,8 @@
 daemon_base_domain(mdadm, `, fs_domain')
 role sysadm_r types mdadm_t;
 
+allow initrc_t mdadm_var_run_t:file create_file_perms;
+
 # Kernel filesystem permissions
 r_dir_file(mdadm_t, proc_t)
 allow mdadm_t proc_mdstat_t:file rw_file_perms;
diff -ru /usr/src/se/policy/domains/program/unused/postfix.te ./domains/program/unused/postfix.te
--- /usr/src/se/policy/domains/program/unused/postfix.te	2004-10-02 03:36:11.000000000 +1000
+++ ./domains/program/unused/postfix.te	2004-10-11 15:36:41.000000000 +1000
@@ -94,7 +94,7 @@
 dontaudit postfix_master_t selinux_config_t:dir search;
 can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
 ifdef(`distro_redhat', `
-file_type_auto_trans({ sysadm_mail_t system_mail_t }, postfix_etc_t, etc_aliases_t)
+file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
 ', `
 file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
 ')
@@ -103,7 +103,7 @@
 ifdef(`pppd.te', `
 domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
 ')
-can_exec(postfix_master_t, ls_exec_t)
+can_exec(postfix_master_t, { ls_exec_t sbin_t })
 allow postfix_master_t sysctl_kernel_t:dir r_dir_perms;
 allow postfix_master_t sysctl_kernel_t:file r_file_perms;
 allow postfix_master_t self:fifo_file rw_file_perms;
diff -ru /usr/src/se/policy/domains/program/unused/procmail.te ./domains/program/unused/procmail.te
--- /usr/src/se/policy/domains/program/unused/procmail.te	2004-08-28 12:05:04.000000000 +1000
+++ ./domains/program/unused/procmail.te	2004-10-10 17:32:31.000000000 +1000
@@ -70,4 +70,7 @@
 
 ifdef(`sendmail.te', `
 r_dir_file(procmail_t, etc_mail_t)
+ifdef(`hide_broken_symptoms', `
+dontaudit procmail_t mqueue_spool_t:file { getattr read };
+')
 ')
diff -ru /usr/src/se/policy/domains/program/unused/radvd.te ./domains/program/unused/radvd.te
--- /usr/src/se/policy/domains/program/unused/radvd.te	2004-03-18 15:36:09.000000000 +1100
+++ ./domains/program/unused/radvd.te	2004-10-07 14:26:35.000000000 +1000
@@ -11,7 +11,7 @@
 daemon_domain(radvd)
 
 etc_domain(radvd)
-typealias radvd_etc_t alias etc_radvd_t;
+allow radvd_t etc_t:file { getattr read };
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
diff -ru /usr/src/se/policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
--- /usr/src/se/policy/domains/program/unused/rpm.te	2004-10-07 16:14:46.000000000 +1000
+++ ./domains/program/unused/rpm.te	2004-10-11 04:51:43.000000000 +1000
@@ -172,7 +172,7 @@
 allow crond_t rpm_t:fifo_file r_file_perms;
 ')
 
-allow rpm_script_t proc_t:dir { search getattr read };
+allow rpm_script_t proc_t:dir r_dir_perms;
 allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
 
 allow rpm_script_t devtty_t:chr_file rw_file_perms;
diff -ru /usr/src/se/policy/domains/program/unused/squid.te ./domains/program/unused/squid.te
--- /usr/src/se/policy/domains/program/unused/squid.te	2004-09-16 18:06:56.000000000 +1000
+++ ./domains/program/unused/squid.te	2004-09-29 21:57:20.000000000 +1000
@@ -66,4 +66,6 @@
 allow squid_t { bin_t sbin_t }:dir search;
 
 dontaudit squid_t { home_root_t security_t devpts_t }:dir getattr;
+ifdef(`targeted_policy', `
 dontaudit squid_t tty_device_t:chr_file { read write };
+')
diff -ru /usr/src/se/policy/domains/program/unused/tftpd.te ./domains/program/unused/tftpd.te
--- /usr/src/se/policy/domains/program/unused/tftpd.te	2004-10-11 03:50:38.000000000 +1000
+++ ./domains/program/unused/tftpd.te	2004-10-11 04:54:30.000000000 +1000
@@ -16,7 +16,7 @@
 type tftp_port_t, port_type, reserved_port_type;
 
 # tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, root_dir_type, sysadmfile;
+type tftpdir_t, file_type, sysadmfile;
 r_dir_file(tftpd_t, tftpdir_t)
 
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
diff -ru /usr/src/se/policy/file_contexts/program/fs_daemon.fc ./file_contexts/program/fs_daemon.fc
--- /usr/src/se/policy/file_contexts/program/fs_daemon.fc	2004-02-03 02:17:23.000000000 +1100
+++ ./file_contexts/program/fs_daemon.fc	2004-10-04 06:04:44.000000000 +1000
@@ -1,3 +1,4 @@
 # fs admin daemons
 /usr/sbin/smartd	--	system_u:object_r:fsdaemon_exec_t
 /var/run/smartd.pid	--	system_u:object_r:fsdaemon_var_run_t
+/etc/smartd.conf	--	system_u:object_r:etc_runtime_t
diff -ru /usr/src/se/policy/file_contexts/program/kudzu.fc ./file_contexts/program/kudzu.fc
--- /usr/src/se/policy/file_contexts/program/kudzu.fc	2003-11-27 05:04:46.000000000 +1100
+++ ./file_contexts/program/kudzu.fc	2004-09-26 05:24:38.000000000 +1000
@@ -1,2 +1,3 @@
 # kudzu
 /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/mailman.fc ./file_contexts/program/mailman.fc
--- /usr/src/se/policy/file_contexts/program/mailman.fc	2004-10-02 03:36:12.000000000 +1000
+++ ./file_contexts/program/mailman.fc	2004-10-12 17:32:59.000000000 +1000
@@ -14,10 +14,12 @@
 ')
 
 ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t
+/usr/lib/mailman/cgi-bin/.*	-- system_u:object_r:mailman_cgi_exec_t
 /var/mailman(/.*)?		   system_u:object_r:mailman_data_t
 /var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
 /var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
 /usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/qrunner     -- system_u:object_r:mailman_queue_exec_t
+/usr/lib/mailman/bin/qrunner  	-- system_u:object_r:mailman_queue_exec_t
+/var/mailman/lists(/.*)?	system_u:object_r:mailman_data_t
+/var/mailman/logs(/.*)?		   system_u:object_r:mailman_log_t
 ')
diff -ru /usr/src/se/policy/file_contexts/program/postfix.fc ./file_contexts/program/postfix.fc
--- /usr/src/se/policy/file_contexts/program/postfix.fc	2004-09-23 22:31:22.000000000 +1000
+++ ./file_contexts/program/postfix.fc	2004-10-11 15:35:56.000000000 +1000
@@ -18,7 +18,6 @@
 /usr/lib(exec)?/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
 /usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t
 /usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postconf	--	system_u:object_r:postfix_master_exec_t
 /usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t
 /usr/sbin/postfix	--	system_u:object_r:postfix_master_exec_t
 /usr/sbin/postkick	--	system_u:object_r:postfix_master_exec_t
diff -ru /usr/src/se/policy/macros/global_macros.te ./macros/global_macros.te
--- /usr/src/se/policy/macros/global_macros.te	2004-10-07 16:14:50.000000000 +1000
+++ ./macros/global_macros.te	2004-09-29 01:13:57.000000000 +1000
@@ -373,7 +372,6 @@
 # classes to use; default is file.
 define(`var_run_domain', `
 type $1_var_run_t, file_type, sysadmfile, pidfile;
-typealias $1_var_run_t alias var_run_$1_t;
 
 ifelse(`$2', `', `
 file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
diff -ru /usr/src/se/policy/macros/program/ssh_macros.te ./macros/program/ssh_macros.te
--- /usr/src/se/policy/macros/program/ssh_macros.te	2004-10-11 03:50:41.000000000 +1000
+++ ./macros/program/ssh_macros.te	2004-09-30 07:08:07.000000000 +1000
@@ -104,6 +104,8 @@
 
 # Access the users .ssh directory.
 file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
+file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
+allow $1_t $1_home_ssh_t:sock_file create_file_perms;
 allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
 allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
 dontaudit $1_ssh_t $1_home_t:dir { getattr search };
diff -ru /usr/src/se/policy/macros/program/xserver_macros.te ./macros/program/xserver_macros.te
--- /usr/src/se/policy/macros/program/xserver_macros.te	2004-10-11 03:50:41.000000000 +1000
+++ ./macros/program/xserver_macros.te	2004-10-11 14:34:17.000000000 +1000
@@ -64,7 +64,7 @@
 
 allow xdm_xserver_t init_t:fd use;
 
-dontaudit xdm_xserver_t homedirfile:dir { read search };
+dontaudit xdm_xserver_t home_dir_type:dir { read search };
 ', `
 # The user role is authorized for this domain.
 role $1_r types $1_xserver_t;
diff -ru /usr/src/se/policy/net_contexts ./net_contexts
--- /usr/src/se/policy/net_contexts	2004-10-07 16:14:35.000000000 +1000
+++ ./net_contexts	2004-10-07 18:39:54.000000000 +1000
@@ -158,7 +158,10 @@
 portcon tcp 5323 system_u:object_r:imaze_port_t
 portcon udp 5323 system_u:object_r:imaze_port_t
 ')
-ifdef(`howl.te', `portcon tcp 5353 system_u:object_r:howl_port_t')
+ifdef(`howl.te', `
+portcon tcp 5335 system_u:object_r:howl_port_t
+portcon udp 5353 system_u:object_r:howl_port_t
+')
 ifdef(`jabberd.te', `
 portcon tcp 5222 system_u:object_r:jabber_client_port_t
 portcon tcp 5223 system_u:object_r:jabber_client_port_t

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2004-08-24  8:18 Russell Coker
  2004-08-24 12:23 ` Stephen Smalley
  2004-08-27 20:58 ` James Carter
  0 siblings, 2 replies; 27+ messages in thread
From: Russell Coker @ 2004-08-24  8:18 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1898 bytes --]

diff1 removes some unnecessary dontaudit lines from syslogd.te, if there is to 
be one single domain accessing devpts_t:chr_file then syslogd_t is not it, 
and if a log file gets type unlabeled_t then it's something we want audited.

httpd_t does not need search access to devpts_t (it is not granted access to 
any device node under /dev/pts).  httpd_suexec_t does not need 
net_bind_service (all it does it call setuid() and execute a script), it's 
access attempts of /var/run are the usual nscd stuff that gets a dontaudit 
rule.

It seems that only Red Hat has bootloader_t needing access to 
modules_object_t:lnk_file.

cpucontrol_t sometimes needs getattr access to a sym-link in /dev, no harm in 
granting it.

There should never be a printer_device_t:fifo_file object, there is no 
file_contexts entry assigning printer_device_t to a fifo_file object, so I 
remove the access to this invalid combination.

dovecot_cert_t is used for SSL certificates.  If there are any certificates 
labeled as usr_t then that's a bug in the file_contexts file.  I'll change 
the contexts of the files to use bin_t for sub-binaries on Debian as well as 
Red Hat (as well as putting some conditionals into the .fc file).

I changed ftpd.te to have the domain_auto_trans(inetd, part inside 
if(!ftpd_is_daemon).

Change hald.te to work with the latest version in Fedora.  I didn't want to 
give it read access to hard disks, but it seems that's he way things are 
going.

Changed hotplug.te to allow it to run arping on Red Hat, and to be a hald 
client (maybe we need a hald_client_domain attribute).

Allows lvm_t to create unix_dgram_socket objects.


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff1 --]
[-- Type: text/x-diff, Size: 11250 bytes --]

diff -ru /usr/src/se/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /usr/src/se/policy/domains/program/syslogd.te	2004-08-24 16:01:13.000000000 +1000
+++ ./domains/program/syslogd.te	2004-07-08 21:30:48.000000000 +1000
@@ -94,6 +94,3 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
-dontaudit syslogd_t devpts_t:chr_file { read write };
-
-dontaudit syslogd_t unlabeled_t:file { read };
diff -ru /usr/src/se/policy/domains/program/unused/apache.te ./domains/program/unused/apache.te
--- /usr/src/se/policy/domains/program/unused/apache.te	2004-08-15 15:45:15.000000000 +1000
+++ ./domains/program/unused/apache.te	2004-08-24 16:07:09.000000000 +1000
@@ -68,7 +69,6 @@
 
 allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
 
-allow httpd_t devpts_t:dir { search };
 allow httpd_t sysctl_kernel_t:dir search;
 allow httpd_t sysctl_kernel_t:file read;
 
@@ -88,11 +88,10 @@
 # Permissions for running child processes and scripts
 ##########################################################
 
-allow httpd_suexec_t self:capability { setuid setgid net_bind_service };
+allow httpd_suexec_t self:capability { setuid setgid };
 
-allow httpd_suexec_t var_run_t:dir { search };
-allow httpd_suexec_t var_t:dir { search };
-allow httpd_suexec_t var_log_t:dir search;
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
 allow httpd_suexec_t home_root_t:dir search;
 
 allow httpd_suexec_t httpd_log_t:dir search;
@@ -122,7 +121,10 @@
 
 uses_shlib(httpd_t)
 allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file read;
+allow httpd_t usr_t:lnk_file { getattr read };
+
+# for apache2 memory mapped files
+var_lib_domain(httpd)
 
 # for tomcat
 r_dir_file(httpd_t, var_lib_t)
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2004-08-24 16:01:17.000000000 +1000
+++ ./domains/program/unused/bootloader.te	2004-08-24 16:07:33.000000000 +1000
@@ -65,7 +65,9 @@
 
 allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
 allow bootloader_t modules_object_t:dir r_dir_perms;
+ifdef(`distro_redhat', `
 allow bootloader_t modules_object_t:lnk_file { getattr read };
+')
 
 # for ldd
 ifdef(`fsadm.te', `
diff -ru /usr/src/se/policy/domains/program/unused/cpucontrol.te ./domains/program/unused/cpucontrol.te
--- /usr/src/se/policy/domains/program/unused/cpucontrol.te	2004-08-24 16:01:19.000000000 +1000
+++ ./domains/program/unused/cpucontrol.te	2004-08-22 19:08:10.000000000 +1000
@@ -9,8 +9,8 @@
 
 # Access cpu devices.
 allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
+allow cpucontrol_t device_t:lnk_file { getattr read };
 allow initrc_t cpu_device_t:chr_file getattr;
-allow cpucontrol_t device_t:lnk_file { read };
 
 allow cpucontrol_t self:capability sys_rawio;
 
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2004-08-02 16:59:48.000000000 +1000
+++ ./domains/program/unused/cups.te	2004-08-24 16:10:02.000000000 +1000
@@ -152,11 +152,10 @@
 allow ptal_t printer_device_t:chr_file { ioctl read write };
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr } ;
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket { connectto };
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
-allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/dovecot.te ./domains/program/unused/dovecot.te
--- /usr/src/se/policy/domains/program/unused/dovecot.te	2004-06-30 13:03:13.000000000 +1000
+++ ./domains/program/unused/dovecot.te	2004-08-24 16:19:10.000000000 +1000
@@ -11,20 +11,15 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
+allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
 
-# For SSL certificates
-allow dovecot_t usr_t:file { getattr read };
-
 allow dovecot_t etc_t:file { getattr read };
 allow dovecot_t initrc_var_run_t:file { getattr };
-# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
-allow dovecot_t lib_t:file { execute execute_no_trans };
 allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/ftpd.te ./domains/program/unused/ftpd.te
--- /usr/src/se/policy/domains/program/unused/ftpd.te	2004-08-08 22:16:26.000000000 +1000
+++ ./domains/program/unused/ftpd.te	2004-08-24 16:32:22.000000000 +1000
@@ -24,6 +24,7 @@
 
 allow ftpd_t bin_t:dir search;
 can_exec(ftpd_t, bin_t)
+allow ftpd_t bin_t:lnk_file read;
 allow ftpd_t { sysctl_t sysctl_kernel_t }:dir search;
 allow ftpd_t sysctl_kernel_t:file { getattr read };
 
@@ -32,14 +33,11 @@
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
 can_exec(ftpd_t, { sbin_t shell_exec_t })
+allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-')
-
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
 if (ftpd_is_daemon) {
@@ -47,10 +45,10 @@
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 }
-
 ifdef(`inetd.te', `
 if (!ftpd_is_daemon) {
 ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
 
 # Use sockets inherited from inetd.
 allow ftpd_t inetd_t:fd use;
@@ -87,11 +85,12 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t krb5_conf_t:file { write };
+dontaudit ftpd_t selinux_config_t:dir search;
 allow ftpd_t krb5_conf_t:file { getattr read };
 ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir { search };
 ')
-allow ftpd_t self:file { read };
+allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
 # Allow ftp to read/write files in the user home directories.
@@ -101,4 +100,4 @@
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
 }
-')
+')dnl end if nfs_home_dirs
diff -ru /usr/src/se/policy/domains/program/unused/hald.te ./domains/program/unused/hald.te
--- /usr/src/se/policy/domains/program/unused/hald.te	2004-08-18 22:42:50.000000000 +1000
+++ ./domains/program/unused/hald.te	2004-08-23 20:35:07.000000000 +1000
@@ -10,14 +10,15 @@
 #
 # hald_exec_t is the type of the hald executable.
 #
-daemon_domain(hald, `, dbus_client_domain')
+daemon_domain(hald, `, dbus_client_domain, fs_domain')
 
-allow hald_t etc_t:file { getattr read };
+allow hald_t { etc_t etc_runtime_t }:file { getattr read };
 allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_dgram_socket create_socket_perms;
 
 allow hald_t dbusd_t:dbus { acquire_svc };
 
-allow hald_t self:file { getattr read };
+allow hald_t { self proc_t }:file { getattr read };
 
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t hald_t:fifo_file rw_file_perms;
@@ -28,8 +29,14 @@
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
 
+allow hald_t fixed_disk_device_t:blk_file { getattr read };
+allow hald_t event_device_t:chr_file { getattr read };
+
 ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
-ifdef(`udev.te', `domain_auto_trans(hald_t, udev_exec_t, udev_t)')
+ifdef(`udev.te', `
+domain_auto_trans(hald_t, udev_exec_t, udev_t)
+allow udev_t hald_t:unix_dgram_socket sendto;
+')
 
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/hotplug.te ./domains/program/unused/hotplug.te
--- /usr/src/se/policy/domains/program/unused/hotplug.te	2004-08-21 13:19:07.000000000 +1000
+++ ./domains/program/unused/hotplug.te	2004-08-23 16:37:52.000000000 +1000
@@ -17,14 +17,13 @@
 ')
 
 etcdir_domain(hotplug)
-typealias hotplug_etc_t alias etc_hotplug_t;
 
 allow hotplug_t self:fifo_file { read write getattr ioctl };
 allow hotplug_t self:unix_dgram_socket create_socket_perms;
 allow hotplug_t self:unix_stream_socket create_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
 
-allow hotplug_t sysctl_net_t:dir search;
+allow hotplug_t sysctl_net_t:dir r_dir_perms;
 allow hotplug_t sysctl_net_t:file { getattr read };
 
 # get info from /proc
@@ -43,12 +42,16 @@
 allow hotplug_t { bin_t sbin_t }:dir search;
 allow hotplug_t { bin_t sbin_t }:lnk_file read;
 can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-')
+ifdef(`hostname.te', `can_exec(hotplug_t, hostname_exec_t)')
+ifdef(`netutils.te', `
+ifdef(`distro_redhat', `
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+')dnl end if distro_redhat
+')dnl end if netutils.te
 
 allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read };
+allow initrc_t modules_dep_t:file { getattr read ioctl };
 r_dir_file(hotplug_t, usbdevfs_t)
 allow hotplug_t usbfs_t:dir r_dir_perms;
 allow hotplug_t usbfs_t:file { getattr read };
@@ -64,6 +67,10 @@
 allow hotplug_t var_lock_t:file getattr;
 ')
 
+ifdef(`hald.te', `
+allow hotplug_t hald_t:unix_dgram_socket sendto;
+')
+
 # for killall
 allow hotplug_t self:process { getsession getattr };
 allow hotplug_t self:file getattr;
@@ -129,8 +136,7 @@
 allow hotplug_t sound_device_t:chr_file { setattr };
 
 ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, udev_exec_t, udev_t)
-domain_auto_trans(hotplug_t, udev_helper_exec_t, udev_t)
+domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
 ')
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
@@ -143,7 +149,7 @@
 domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
 ')
 
-allow restorecon_t hotplug_t:fd { use };
+allow restorecon_t hotplug_t:fd use;
 
 ifdef(`unlimitedUtils', `
 unconfined_domain(hotplug_t) 
diff -ru /usr/src/se/policy/domains/program/unused/lvm.te ./domains/program/unused/lvm.te
--- /usr/src/se/policy/domains/program/unused/lvm.te	2004-08-19 17:10:36.000000000 +1000
+++ ./domains/program/unused/lvm.te	2004-08-18 19:00:03.000000000 +1000
@@ -32,6 +32,7 @@
 allow lvm_t self:process { setsched };
 
 allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:unix_dgram_socket create_socket_perms;
 
 r_dir_file(lvm_t, proc_t)
 allow lvm_t self:file r_file_perms;

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2004-07-12 14:12 Russell Coker
  2004-07-12 19:46 ` Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 27+ messages in thread
From: Russell Coker @ 2004-07-12 14:12 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 924 bytes --]

We don't have any sym-link under /boot for klogd to read.

Added some use of create_lnk_perms.

Allow load_policy_t to run in system_r for scripts to load policy.

var_log_t:chr_file is wrong.  syslogd_t can already write to terminal devices.

More cleaning up device_type stuff.

Fixed a couple of minor bugs in cpucontrol and lvm policy.

allow mdadm_t proc_t:file rw_file_perms;
I believe that the above is bogus.  The file can't be opened for write access 
on any system I have running regardless of what SE Linux does.

Fixed some mistakes in .fc files.

Made mysql work properly.

A few other small things.


Steve, I believe that this is worthy of CVS inclusion.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 24174 bytes --]

diff -ru /usr/src/se/policy/domains/program/klogd.te ./domains/program/klogd.te
--- /usr/src/se/policy/domains/program/klogd.te	2004-07-08 13:09:33.000000000 +1000
+++ ./domains/program/klogd.te	2004-06-17 03:07:45.000000000 +1000
@@ -43,5 +43,3 @@
 # Read /boot/System.map*
 allow klogd_t system_map_t:file r_file_perms;
 allow klogd_t boot_t:dir r_dir_perms;
-allow klogd_t boot_t:lnk_file { read };
-
diff -ru /usr/src/se/policy/domains/program/ldconfig.te ./domains/program/ldconfig.te
--- /usr/src/se/policy/domains/program/ldconfig.te	2004-05-12 05:10:34.000000000 +1000
+++ ./domains/program/ldconfig.te	2004-07-08 23:42:59.000000000 +1000
@@ -23,7 +23,7 @@
 
 file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
 allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file create_file_perms;
+allow ldconfig_t lib_t:lnk_file create_lnk_perms;
 
 allow ldconfig_t userdomain:fd use;
 allow ldconfig_t etc_t:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/load_policy.te ./domains/program/load_policy.te
--- /usr/src/se/policy/domains/program/load_policy.te	2004-06-17 15:10:38.000000000 +1000
+++ ./domains/program/load_policy.te	2004-07-04 18:19:12.000000000 +1000
@@ -11,6 +11,7 @@
 
 type load_policy_t, domain;
 role sysadm_r types load_policy_t;
+role system_r types load_policy_t;
 
 type load_policy_exec_t, file_type, exec_type, sysadmfile;
 
diff -ru /usr/src/se/policy/domains/program/modutil.te ./domains/program/modutil.te
--- /usr/src/se/policy/domains/program/modutil.te	2004-05-12 05:10:34.000000000 +1000
+++ ./domains/program/modutil.te	2004-07-04 23:42:54.000000000 +1000
@@ -81,6 +81,9 @@
 in_user_role(insmod_t)
 uses_shlib(insmod_t)
 read_locale(insmod_t)
+
+# for SSP
+allow insmod_t urandom_device_t:chr_file read;
 allow insmod_t lib_t:file { getattr read };
 
 allow insmod_t { bin_t sbin_t }:dir search;
diff -ru /usr/src/se/policy/domains/program/netutils.te ./domains/program/netutils.te
--- /usr/src/se/policy/domains/program/netutils.te	2004-06-18 10:47:55.000000000 +1000
+++ ./domains/program/netutils.te	2004-07-04 23:43:46.000000000 +1000
@@ -55,3 +55,6 @@
 allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
 allow netutils_t proc_t:dir { search };
+
+# for nscd
+dontaudit netutils_t var_t:dir search;
diff -ru /usr/src/se/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /usr/src/se/policy/domains/program/syslogd.te	2004-07-08 13:09:33.000000000 +1000
+++ ./domains/program/syslogd.te	2004-07-08 21:30:48.000000000 +1000
@@ -39,10 +39,6 @@
 
 # Modify/create log files.
 create_append_log_file(syslogd_t, var_log_t)
-#
-# This allows someone to set the context of a terminal for syslog output
-#
-allow syslogd_t var_log_t:chr_file { append };
 
 # Create and bind to /dev/log or /var/run/log.
 file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
diff -ru /usr/src/se/policy/domains/program/tmpreaper.te ./domains/program/tmpreaper.te
--- /usr/src/se/policy/domains/program/tmpreaper.te	2004-04-07 13:32:14.000000000 +1000
+++ ./domains/program/tmpreaper.te	2004-07-08 23:42:30.000000000 +1000
@@ -17,7 +17,7 @@
 uses_shlib(tmpreaper_t)
 # why does it need setattr?
 allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t tmpfile:file_class_set { getattr unlink };
+allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
diff -ru /usr/src/se/policy/domains/program/unused/apmd.te ./domains/program/unused/apmd.te
--- /usr/src/se/policy/domains/program/unused/apmd.te	2004-06-17 15:10:39.000000000 +1000
+++ ./domains/program/unused/apmd.te	2004-07-05 00:02:14.000000000 +1000
@@ -75,7 +75,7 @@
 dontaudit apmd_t { file_type fs_type }:dir_file_class_set getattr;
 dontaudit apmd_t home_type:dir { search getattr };
 dontaudit apmd_t domain:key_socket getattr;
-
+dontaudit apmd_t domain:dir search;
 
 ifdef(`rpm.te', `
 can_exec(apmd_t, apmd_var_run_t)
diff -ru /usr/src/se/policy/domains/program/unused/backup.te ./domains/program/unused/backup.te
--- /usr/src/se/policy/domains/program/unused/backup.te	2004-03-18 15:36:08.000000000 +1100
+++ ./domains/program/unused/backup.te	2004-07-05 00:02:53.000000000 +1000
@@ -30,7 +30,9 @@
 
 allow backup_t { file_type fs_type }:dir r_dir_perms;
 allow backup_t file_type:{ file lnk_file } r_file_perms;
-allow backup_t file_type:{ sock_file fifo_file chr_file blk_file } getattr;
+allow backup_t file_type:{ sock_file fifo_file } getattr;
+allow backup_t { device_t device_type ttyfile }:chr_file getattr;
+allow backup_t { device_t device_type }:blk_file getattr;
 allow backup_t var_t:file create_file_perms;
 
 allow backup_t proc_t:dir r_dir_perms;
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2004-06-30 13:03:13.000000000 +1000
+++ ./domains/program/unused/bootloader.te	2004-07-05 00:10:20.000000000 +1000
@@ -28,7 +28,7 @@
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t { initrc_t privfd }:fd use;
 
-tmp_domain(bootloader)
+tmp_domain(bootloader, `, device_type')
 allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;
 
 read_locale(bootloader_t)
@@ -78,7 +78,8 @@
 dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
 
 allow bootloader_t boot_t:dir { create rw_dir_perms };
-allow bootloader_t boot_t:{ file lnk_file } create_file_perms;
+allow bootloader_t boot_t:file create_file_perms;
+allow bootloader_t boot_t:lnk_file create_lnk_perms;
 
 allow bootloader_t load_policy_exec_t:file { getattr read };
 
@@ -91,7 +92,8 @@
 
 # new file system defaults to file_t, granting file_t access is still bad.
 allow bootloader_t file_t:dir create_dir_perms;
-allow bootloader_t file_t:{ file lnk_file blk_file chr_file } create_file_perms;
+allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
+allow bootloader_t file_t:lnk_file create_lnk_perms;
 allow bootloader_t self:unix_stream_socket create_socket_perms;
 allow bootloader_t boot_runtime_t:file { read getattr unlink };
 
@@ -102,7 +104,8 @@
 
 allow bootloader_t self:capability { fsetid sys_rawio sys_admin mknod chown };
 # allow bootloader to get attributes of any device node
-allow bootloader_t file_type:dir_file_class_set getattr;
+allow bootloader_t { device_type ttyfile }:chr_file getattr;
+allow bootloader_t device_type:blk_file getattr;
 dontaudit bootloader_t devpts_t:dir create_dir_perms;
 
 allow bootloader_t self:process { fork signal_perms };
@@ -144,5 +147,5 @@
 allow bootloader_t urandom_device_t:chr_file read;
 allow bootloader_t { usr_t var_t }:file { getattr read };
 r_dir_file(bootloader_t, src_t)
-dontaudit bootloader_t selinux_config_t:dir { search };
-dontaudit bootloader_t sysctl_t:dir { search };
+dontaudit bootloader_t selinux_config_t:dir search;
+dontaudit bootloader_t sysctl_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/cardmgr.te ./domains/program/unused/cardmgr.te
--- /usr/src/se/policy/domains/program/unused/cardmgr.te	2004-07-08 13:09:33.000000000 +1000
+++ ./domains/program/unused/cardmgr.te	2004-07-05 00:35:05.000000000 +1000
@@ -35,27 +35,29 @@
 allow cardmgr_t self:unix_stream_socket create_socket_perms;
 allow cardmgr_t self:fifo_file rw_file_perms;
 
-file_type_auto_trans(cardmgr_t, { var_run_t device_t }, cardmgr_var_run_t, { blk_file chr_file file })
+file_type_auto_trans(cardmgr_t, { var_run_t device_t }, cardmgr_dev_t, { blk_file chr_file })
 
 # Create stab file and device nodes.
-type cardmgr_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans(cardmgr_t, var_lib_t, cardmgr_var_lib_t, { blk_file chr_file file })
+file_type_auto_trans(cardmgr_t, var_lib_t, cardmgr_dev_t, { blk_file chr_file })
+var_lib_domain(cardmgr)
 
 # for /var/lib/misc/pcmcia-scheme
 # would be better to have it in a different type if I knew how it was created..
 allow cardmgr_t var_lib_t:file { getattr read };
 
 # Create device files in /tmp.
-type cardmgr_dev_t, file_type, sysadmfile, tmpfile;
-allow cardmgr_t tmp_t:dir { search };
+type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type;
 type_transition cardmgr_t tmp_t:chr_file cardmgr_dev_t;
 allow cardmgr_t cardmgr_dev_t:chr_file create_file_perms;
+ifdef(`tmpreaper.te', `
+allow tmpreaper_t cardmgr_dev_t:chr_file { getattr unlink };
+')
 
 # Create symbolic links in /dev.
 type cardmgr_lnk_t, file_type, sysadmfile;
 type_transition cardmgr_t device_t:lnk_file cardmgr_lnk_t;
 allow cardmgr_t device_t:dir rw_dir_perms;
-allow cardmgr_t cardmgr_lnk_t:lnk_file create_file_perms;
+allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
 
 # Run a shell, normal commands, /etc/pcmcia scripts. 
 can_exec_any(cardmgr_t)
@@ -83,6 +85,6 @@
 ')
 
 ifdef(`hide_broken_symptoms', `', `
-dontaudit insmod_t cardmgr_var_run_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_var_run_t:chr_file { read write };
+dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
+dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
diff -ru /usr/src/se/policy/domains/program/unused/cpucontrol.te ./domains/program/unused/cpucontrol.te
--- /usr/src/se/policy/domains/program/unused/cpucontrol.te	2003-10-02 23:40:03.000000000 +1000
+++ ./domains/program/unused/cpucontrol.te	2004-07-11 17:25:01.000000000 +1000
@@ -9,6 +9,7 @@
 
 # Access cpu devices.
 allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
+allow initrc_t cpu_device_t:chr_file getattr;
 
 allow cpucontrol_t self:capability sys_rawio;
 
diff -ru /usr/src/se/policy/domains/program/unused/dpkg.te ./domains/program/unused/dpkg.te
--- /usr/src/se/policy/domains/program/unused/dpkg.te	2004-06-17 15:10:39.000000000 +1000
+++ ./domains/program/unused/dpkg.te	2004-07-11 19:27:39.000000000 +1000
@@ -155,6 +155,9 @@
 domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
 role system_r types { useradd_t groupadd_t };
 ')
+ifdef(`passwd.te', `
+domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
+')
 ifdef(`ldconfig.te', `
 domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
 ')
@@ -285,10 +288,11 @@
 
 # read/write/create any files in the system
 allow dpkg_t sysadmfile:dir create_dir_perms;
-allow dpkg_t sysadmfile:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow dpkg_t file_type:{ chr_file blk_file } getattr;
+allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
+allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
+allow dpkg_t device_type:{ chr_file blk_file } getattr;
 ifdef(`devfsd.te', `', `
-allow dpkg_t file_type:{ chr_file blk_file } { create setattr rename };
+allow dpkg_t device_type:{ chr_file blk_file } { create setattr rename };
 ')
 dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
 allow dpkg_t proc_kmsg_t:file getattr;
@@ -308,7 +312,7 @@
 rw_dir_create_file(apt_t, lib_t)
 
 # for apt-listbugs
-allow apt_t usr_t:file { getattr read };
+allow apt_t usr_t:file { getattr read ioctl };
 allow apt_t usr_t:lnk_file read;
 
 # allow /var/cache/apt/archives to be owned by non-root
@@ -359,8 +363,7 @@
 
 r_dir_file(userdomain, debian_menu_t)
 dontaudit install_menu_t sysadm_home_dir_t:dir search;
-allow install_menu_t debian_menu_t:dir create_dir_perms;
-allow install_menu_t debian_menu_t:{ file lnk_file } create_file_perms;
+create_dir_file(install_menu_t, debian_menu_t)
 allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
 allow install_menu_t self:process signal;
 allow install_menu_t proc_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/lvm.te ./domains/program/unused/lvm.te
--- /usr/src/se/policy/domains/program/unused/lvm.te	2004-07-08 13:09:34.000000000 +1000
+++ ./domains/program/unused/lvm.te	2004-07-11 17:21:36.000000000 +1000
@@ -52,7 +52,7 @@
 # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
 # and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
 allow lvm_t device_t:dir create_dir_perms;
-allow lvm_t device_t:lnk_file create_file_perms;
+allow lvm_t device_t:lnk_file create_lnk_perms;
 
 # /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
 allow lvm_t lvm_exec_t:dir search;
@@ -104,7 +104,7 @@
 dontaudit lvm_t initctl_t:fifo_file getattr;
 dontaudit lvm_t sbin_t:file getattr;
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
-allow initrc_t lvm_control_t:chr_file unlink;
+allow initrc_t lvm_control_t:chr_file { getattr unlink };
 allow initrc_t device_t:chr_file create;
 dontaudit lvm_t var_run_t:dir getattr;
 
diff -ru /usr/src/se/policy/domains/program/unused/mdadm.te ./domains/program/unused/mdadm.te
--- /usr/src/se/policy/domains/program/unused/mdadm.te	2004-06-18 10:47:56.000000000 +1000
+++ ./domains/program/unused/mdadm.te	2004-07-06 08:29:36.000000000 +1000
@@ -11,8 +11,6 @@
 allow mdadm_t sysctl_kernel_t:file r_file_perms;
 allow mdadm_t sysctl_kernel_t:dir r_dir_perms;
 r_dir_file(mdadm_t, sysfs_t) 
-# Allow writes to /proc/mdstat - TODO: specific type for that file
-allow mdadm_t proc_t:file rw_file_perms;
 
 # Configuration
 allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/mysqld.te ./domains/program/unused/mysqld.te
--- /usr/src/se/policy/domains/program/unused/mysqld.te	2004-04-03 21:37:22.000000000 +1000
+++ ./domains/program/unused/mysqld.te	2004-07-05 22:52:04.000000000 +1000
@@ -12,6 +12,9 @@
 #
 daemon_domain(mysqld)
 
+type mysqld_port_t, port_type;
+allow mysqld_t mysqld_port_t:tcp_socket name_bind;
+
 allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
 
 etcdir_domain(mysqld)
@@ -65,3 +68,14 @@
 can_unix_connect(logrotate_t, mysqld_t)
 ')
 
+ifdef(`user_db_connect', `
+allow userdomain mysqld_var_run_t:dir search;
+allow userdomain mysqld_var_run_t:sock_file write;
+')
+
+ifdef(`rpm.te', `
+allow initrc_t mysqld_db_t:dir create_dir_perms;
+
+# because Fedora has the sock_file in the database directory
+file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+')
diff -ru /usr/src/se/policy/file_contexts/program/bootloader.fc ./file_contexts/program/bootloader.fc
--- /usr/src/se/policy/file_contexts/program/bootloader.fc	2004-03-18 15:36:09.000000000 +1100
+++ ./file_contexts/program/bootloader.fc	2004-07-07 21:11:42.000000000 +1000
@@ -9,4 +9,4 @@
 /etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t
 /sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
 /etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
-/boot/grub/.*		--	system_u:object_r:boot_runtime_t
+/boot/grub/menu.lst	--	system_u:object_r:boot_runtime_t
diff -ru /usr/src/se/policy/file_contexts/program/courier.fc ./file_contexts/program/courier.fc
--- /usr/src/se/policy/file_contexts/program/courier.fc	2004-03-18 15:36:09.000000000 +1100
+++ ./file_contexts/program/courier.fc	2004-07-05 23:05:08.000000000 +1000
@@ -13,5 +13,5 @@
 /usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
 /usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
 /usr/sbin/couriertcpd		--	system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(.*)?			system_u:object_r:courier_var_run_t
+/var/run/courier(/.*)?			system_u:object_r:courier_var_run_t
 /etc/courier(/.*)?			system_u:object_r:courier_etc_t
diff -ru /usr/src/se/policy/file_contexts/program/cyrus.fc ./file_contexts/program/cyrus.fc
--- /usr/src/se/policy/file_contexts/program/cyrus.fc	2004-06-17 15:10:42.000000000 +1000
+++ ./file_contexts/program/cyrus.fc	2004-07-05 23:06:05.000000000 +1000
@@ -1,4 +1,4 @@
 # cyrus
 /var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t
-/usr/lib(64)?/cyrus-imapd/(.*)?		 	--	system_u:object_r:bin_t
+/usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t
 /usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t	
diff -ru /usr/src/se/policy/file_contexts/program/dovecot.fc ./file_contexts/program/dovecot.fc
--- /usr/src/se/policy/file_contexts/program/dovecot.fc	2004-04-06 03:48:16.000000000 +1000
+++ ./file_contexts/program/dovecot.fc	2004-07-05 22:45:46.000000000 +1000
@@ -4,3 +4,4 @@
 /usr/share/ssl/certs/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
+/usr/lib/dovecot/.+	--		system_u:object_r:bin_t
diff -ru /usr/src/se/policy/file_contexts/program/dpkg.fc ./file_contexts/program/dpkg.fc
--- /usr/src/se/policy/file_contexts/program/dpkg.fc	2004-06-17 15:10:42.000000000 +1000
+++ ./file_contexts/program/dpkg.fc	2004-07-08 13:50:06.000000000 +1000
@@ -39,10 +39,12 @@
 /usr/share/dlint/digparse --	system_u:object_r:bin_t
 /usr/share/gimp/1.2/user_install -- system_u:object_r:bin_t
 /usr/share/openoffice.org-debian-files/install-hook -- system_u:object_r:bin_t
-/var/lib/defoma(/.*)?		system_u:object_r:readable_t
+/var/lib/defoma(/.*)?		system_u:object_r:fonts_t
 /usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
 /usr/share/intltool-debian/.* -- system_u:object_r:bin_t
 /usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
 /usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
 /usr/share/shorewall/.*	--	system_u:object_r:bin_t
 /usr/share/reportbug/.*	--	system_u:object_r:bin_t
+/etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
+/usr/lib/gconf2/gconfd-2 --	system_u:object_r:bin_t
diff -ru /usr/src/se/policy/file_contexts/program/lrrd.fc ./file_contexts/program/lrrd.fc
--- /usr/src/se/policy/file_contexts/program/lrrd.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/lrrd.fc	2004-07-05 23:07:55.000000000 +1000
@@ -6,5 +6,5 @@
 /var/run/lrrd(/.*)?			system_u:object_r:lrrd_var_run_t
 /var/log/lrrd.*			--	system_u:object_r:lrrd_log_t
 /var/lib/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(.*)?			system_u:object_r:lrrd_var_lib_t
+/var/www/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
 /etc/lrrd(/.*)?				system_u:object_r:lrrd_etc_t
diff -ru /usr/src/se/policy/file_contexts/program/lvm.fc ./file_contexts/program/lvm.fc
--- /usr/src/se/policy/file_contexts/program/lvm.fc	2004-05-12 05:10:48.000000000 +1000
+++ ./file_contexts/program/lvm.fc	2004-07-07 22:20:31.000000000 +1000
@@ -14,9 +14,8 @@
 /dev/lvm		-c	system_u:object_r:fixed_disk_device_t
 /dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
 /dev/mapper/control	-c	system_u:object_r:lvm_control_t
-/lib(64)?/lvm-10(/.*)		system_u:object_r:lvm_exec_t
-/lib(64)?/lvm-200(/.*)		system_u:object_r:lvm_exec_t
-/lib(64)?/lvm-default		system_u:object_r:bin_t
+/lib/lvm-10(/.*)	--	system_u:object_r:lvm_exec_t
+/lib/lvm-200(/.*)	--	system_u:object_r:lvm_exec_t
 /sbin/e2fsadm		--	system_u:object_r:lvm_exec_t
 /sbin/lvchange		--	system_u:object_r:lvm_exec_t
 /sbin/lvcreate		--	system_u:object_r:lvm_exec_t
@@ -55,10 +54,12 @@
 /sbin/vgscan.static	--	system_u:object_r:lvm_exec_t
 /sbin/vgsplit		--	system_u:object_r:lvm_exec_t
 /sbin/vgwrapper		--	system_u:object_r:lvm_exec_t
+/usr/bin/cryptsetup	--	system_u:object_r:lvm_exec_t
 /sbin/dmsetup      --      system_u:object_r:lvm_exec_t
 /sbin/dmsetup.static --    system_u:object_r:lvm_exec_t
 /sbin/lvm          --      system_u:object_r:lvm_exec_t
 /sbin/lvm.static   --      system_u:object_r:lvm_exec_t
+/usr/sbin/lvm		--	system_u:object_r:lvm_exec_t
 /sbin/lvresize     --      system_u:object_r:lvm_exec_t
 /sbin/lvs          --      system_u:object_r:lvm_exec_t
 /sbin/pvremove     --      system_u:object_r:lvm_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/mozilla.fc ./file_contexts/program/mozilla.fc
--- /usr/src/se/policy/file_contexts/program/mozilla.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/mozilla.fc	2004-07-05 23:11:37.000000000 +1000
@@ -2,6 +2,8 @@
 HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
+HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
+HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_rw_t
 /usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
diff -ru /usr/src/se/policy/file_contexts/program/mysqld.fc ./file_contexts/program/mysqld.fc
--- /usr/src/se/policy/file_contexts/program/mysqld.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/mysqld.fc	2004-07-05 23:12:05.000000000 +1000
@@ -1,7 +1,9 @@
 # mysql database server
 /usr/sbin/mysqld	--	system_u:object_r:mysqld_exec_t
+/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
 /var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
 /var/log/mysql.*	--	system_u:object_r:mysqld_log_t
 /var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
+/var/lib/mysql/mysql.sock -s	system_u:object_r:mysqld_var_run_t
 /etc/my\.cnf		--	system_u:object_r:mysqld_etc_t
 /etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t
diff -ru /usr/src/se/policy/file_contexts/program/postfix.fc ./file_contexts/program/postfix.fc
--- /usr/src/se/policy/file_contexts/program/postfix.fc	2004-06-18 10:47:58.000000000 +1000
+++ ./file_contexts/program/postfix.fc	2004-07-05 23:12:53.000000000 +1000
@@ -30,6 +30,7 @@
 /var/spool/postfix/active(/.*)?	system_u:object_r:postfix_spool_t
 /var/spool/postfix/hold(/.*)?	system_u:object_r:postfix_spool_t
 /var/spool/postfix/incoming(/.*)? system_u:object_r:postfix_spool_t
+/var/spool/postfix/corrupt(/.*)? system_u:object_r:postfix_spool_t
 /var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t
 /var/spool/postfix/pid	-d	system_u:object_r:var_run_t
 /var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t
diff -ru /usr/src/se/policy/file_contexts/program/pppd.fc ./file_contexts/program/pppd.fc
--- /usr/src/se/policy/file_contexts/program/pppd.fc	2004-06-17 15:10:43.000000000 +1000
+++ ./file_contexts/program/pppd.fc	2004-07-05 23:13:17.000000000 +1000
@@ -10,6 +10,7 @@
 /etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t
 /var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t
 /var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
+/var/log/ppp(/.*)?	--	system_u:object_r:pppd_log_t
 /etc/ppp/ip-down.*	--	system_u:object_r:bin_t
 /etc/ppp/ip-up.*	--	system_u:object_r:bin_t
 /etc/ppp/ipv6-up	--	system_u:object_r:bin_t
diff -ru /usr/src/se/policy/file_contexts/program/udev.fc ./file_contexts/program/udev.fc
--- /usr/src/se/policy/file_contexts/program/udev.fc	2004-05-12 05:10:51.000000000 +1000
+++ ./file_contexts/program/udev.fc	2004-07-05 23:14:35.000000000 +1000
@@ -4,3 +4,4 @@
 /sbin/udevd	--	system_u:object_r:udev_exec_t
 /etc/dev.d(/.*)? 	system_u:object_r:udev_helper_exec_t
 /etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t
+/dev/udev.tbl	--	system_u:object_r:udev_tbl_t
diff -ru /usr/src/se/policy/file_contexts/types.fc ./file_contexts/types.fc
--- /usr/src/se/policy/file_contexts/types.fc	2004-06-30 13:03:16.000000000 +1000
+++ ./file_contexts/types.fc	2004-07-08 21:20:32.000000000 +1000
@@ -227,6 +227,8 @@
 #
 /etc(/.*)?			system_u:object_r:etc_t
 /etc/\.pwd\.lock	--	system_u:object_r:shadow_t
+/etc/passwd\.lock	--	system_u:object_r:shadow_t
+/etc/group\.lock	--	system_u:object_r:shadow_t
 /etc/shadow.*		--	system_u:object_r:shadow_t
 /etc/gshadow.*		--	system_u:object_r:shadow_t
 /etc/blkid.tab		--	system_u:object_r:etc_runtime_t
@@ -267,7 +269,6 @@
 /lib(64)?/tls/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
 /lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/lib(64)?/devfsd/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2004-07-11  7:59 Russell Coker
  2004-07-12 13:30 ` Stephen Smalley
  0 siblings, 1 reply; 27+ messages in thread
From: Russell Coker @ 2004-07-11  7:59 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 857 bytes --]

file_type_auto_trans(sysadm_t, user_home_dir_t, user_home_t)

I remove the above from domains/admin.te because it's granted to privhome by 
macros/user_macros.te and sysadm_t has the privhome attribute.

checkpolicy_t should not be creating lnk_file, sock_file, or fifo_file objects 
of type policy_config_t, and if there are sock_file or fifo_file objects of 
type policy_src_t then it should not be reading them.

system_crond_t should not be trying to access device nodes of types that are 
for files.

I still don't think that dmesg_t is appropriate for running dmesg from the 
administrator shell.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 2754 bytes --]

diff -ru /usr/src/se/policy/domains/admin.te ./domains/admin.te
--- /usr/src/se/policy/domains/admin.te	2004-05-30 16:26:57.000000000 +1000
+++ ./domains/admin.te	2004-07-08 19:20:25.000000000 +1000
@@ -31,4 +31,3 @@
 
 # Add/remove user home directories
 file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(sysadm_t, user_home_dir_t, user_home_t)
diff -ru /usr/src/se/policy/domains/program/checkpolicy.te ./domains/program/checkpolicy.te
--- /usr/src/se/policy/domains/program/checkpolicy.te	2004-06-03 14:11:05.000000000 +1000
+++ ./domains/program/checkpolicy.te	2004-07-09 11:17:36.000000000 +1000
@@ -23,7 +23,7 @@
 
 # able to create and modify binary policy files
 allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:notdevfile_class_set create_file_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
 
 ###########################
 # constrain what checkpolicy can use as source files
@@ -31,7 +31,7 @@
 
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:notdevfile_class_set r_file_perms;
+allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
 
 # allow test policies to be created in src directories
 file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
diff -ru /usr/src/se/policy/domains/program/crond.te ./domains/program/crond.te
--- /usr/src/se/policy/domains/program/crond.te	2004-07-11 17:37:09.000000000 +1000
+++ ./domains/program/crond.te	2004-07-09 07:17:19.000000000 +1000
@@ -61,7 +61,7 @@
 allow crond_t cron_spool_t:file r_file_perms;
 
 # Read /etc/security/default_contexts.
-r_dir_file( crond_t, default_context_t)
+r_dir_file(crond_t, default_context_t)
 
 allow crond_t etc_t:file { getattr read };
 allow crond_t etc_t:lnk_file read;
@@ -147,7 +147,8 @@
 ')
 
 # Stat any file and search any directory for find.
-allow system_crond_t file_type:file_class_set getattr;
+allow system_crond_t file_type:notdevfile_class_set getattr;
+allow system_crond_t device_type:{ chr_file blk_file } getattr;
 allow system_crond_t file_type:dir { read search getattr };
 
 # Create temporary files.
diff -ru /usr/src/se/policy/domains/program/dmesg.te ./domains/program/dmesg.te
--- /usr/src/se/policy/domains/program/dmesg.te	2004-06-17 15:10:38.000000000 +1000
+++ ./domains/program/dmesg.te	2004-07-04 18:17:42.000000000 +1000
@@ -9,7 +9,10 @@
 #
 # dmesg_exec_t is the type of the dmesg executable.
 #
-daemon_base_domain(dmesg)
+# while sysadm_t has the sys_admin capability there is no point in using
+# dmesg_t when run from sysadm_t, so we use nosysadm.
+#
+daemon_base_domain(dmesg, , `nosysadm')
 
 #
 # Rules used for dmesg

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2004-07-04  5:04 Russell Coker
  2004-07-07 20:47 ` Stephen Smalley
  0 siblings, 1 reply; 27+ messages in thread
From: Russell Coker @ 2004-07-04  5:04 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 587 bytes --]

The attached patch fixes a problem with LVM on Fedora, some annoying audit 
messages from rpm, and has some of the stuff that's needed for Postgresql (NB 
it's not enough to make Postgresql fully functional but it's a definite 
improvement over what's currently there so it's worth having).

Steve, please put this into Sourceforge.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 2546 bytes --]

diff -ru policy-1.14/domains/program/unused/lvm.te selinux-policy-default-1.14/domains/program/unused/lvm.te
--- policy-1.14/domains/program/unused/lvm.te	2004-06-24 22:48:00.000000000 +1000
+++ selinux-policy-default-1.14/domains/program/unused/lvm.te	2004-07-02 12:59:06.000000000 +1000
@@ -93,6 +93,7 @@
 dontaudit lvm_t initctl_t:fifo_file getattr;
 dontaudit lvm_t sbin_t:file getattr;
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
+allow initrc_t lvm_control_t:chr_file unlink;
 dontaudit lvm_t var_run_t:dir getattr;
 
 allow lvm_t tmpfs_t:dir getattr;
diff -ru policy-1.14/domains/program/unused/rpm.te selinux-policy-default-1.14/domains/program/unused/rpm.te
--- policy-1.14/domains/program/unused/rpm.te	2004-06-17 23:33:14.000000000 +1000
+++ selinux-policy-default-1.14/domains/program/unused/rpm.te	2004-07-02 00:50:38.000000000 +1000
@@ -93,6 +93,8 @@
 allow rpm_t sysfs_t:filesystem getattr;
 allow rpm_t tmpfs_t:filesystem getattr;
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
+allow rpm_t fs_type:dir getattr;
+allow rpm_t fs_type:filesystem getattr;
 
 # allow compiling and loading new policy
 create_dir_file(rpm_t, { policy_src_t policy_config_t })
diff -ru policy-1.14/file_contexts/program/postgresql.fc selinux-policy-default-1.14/file_contexts/program/postgresql.fc
--- policy-1.14/file_contexts/program/postgresql.fc	2004-06-24 22:48:00.000000000 +1000
+++ selinux-policy-default-1.14/file_contexts/program/postgresql.fc	2004-07-03 00:18:45.000000000 +1000
@@ -1,5 +1,18 @@
 # postgresql - ldap server
 /usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t
+/usr/bin/postgres	--	system_u:object_r:postgresql_exec_t
+/usr/bin/pg_dump	--	system_u:object_r:postgresql_exec_t
+/usr/bin/pg_dumpall	--	system_u:object_r:postgresql_exec_t
+/usr/bin/pg_resetxlog	--	system_u:object_r:postgresql_exec_t
+/etc/rc.d/init.d/postgresql --	system_u:object_r:postgresql_exec_t
+
+# not sure whether the following binaries need labelling
+/usr/bin/createlang	--	system_u:object_r:postgresql_exec_t
+/usr/bin/droplang	--	system_u:object_r:postgresql_exec_t
+/usr/bin/pg_encoding	--	system_u:object_r:postgresql_exec_t
+/usr/bin/pg_id		--	system_u:object_r:postgresql_exec_t
+/usr/bin/pg_restore	--	system_u:object_r:postgresql_exec_t
+
 /var/lib/postgres(/.*)?		system_u:object_r:postgresql_db_t
 /var/lib/pgsql(/.*)?		system_u:object_r:postgresql_db_t
 /var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t

^ permalink raw reply	[flat|nested] 27+ messages in thread
* Re: policy patch
@ 2002-12-03 14:47 Stephen D. Smalley
  0 siblings, 0 replies; 27+ messages in thread
From: Stephen D. Smalley @ 2002-12-03 14:47 UTC (permalink / raw)
  To: selinux, russell


> I've attached my latest patch.  Please read the following before applying.

Thanks, mostly merged.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2002-11-29 11:45 Russell Coker
  0 siblings, 0 replies; 27+ messages in thread
From: Russell Coker @ 2002-11-29 11:45 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 2256 bytes --]

I've attached my latest patch.  Please read the following before applying.

Steve, apart from a few exceptions I think it's all good for the CVS.

Adds support for flag defines for domains/misc.

Finishes off the changes for the new fcron policy, and uses the 
system_crond_entry() macro more.

Allows automount_t to get the attributes of any fs_type directory because it 
appears to need it.

Puts the "allow daemon fs_t:filesystem getattr;" into the daemon_domain macro 
and removes it from numerous daemons.

Adds the following for devfsd, not sure if it should be needed in an ideal 
situation, but it seems to be needed on some of my systems now for the 
initial boot phase.
allow kernel_t device_t:filesystem mount;

Allow lsof as sysadm_t to see stats on ipsec_t:key_socket.

The latest version of mrtg seems to do some spurious ioctls, that we don't 
want to audit.

ping_t needs to be able to receive from itself for pinging 127.0.0.1.

Finished the changes to xdm that I started some time ago.  Now it's fully 
functional again.

Put in some changes to user.te and rbac.  They make things a bit easier when 
adding multiple user roles (I think).  Steve, let me know if you don't like 
them and I'll re-arrange them a bit.

Fixed fsadm.fc to correctly label all the fsck/mkfs type programs.

Correctly label all the .tdb files for Samba.

Changes to xdm.fc and xserver.fc.  Steve you will want to carefully consider 
my changes to /tmp.  I have been considering the matter for some time (I made 
the change in my tree months ago).  The xdm.fc stuff that isn't related to 
/tmp is all good and should go in however.

Also made some changes to types.fc, Steve, you may not like the /tmp and 
/var/tmp changes.

For the global_macros.te file I added ioctl to rw_dir_perms as previously 
discussed.  Also I gave all daemons access to devtty_t:chr_file and added a 
new macro var_lib_domain().

I made some minor changes to x_client_macros for ssh tunnels and for some 
other types of file access.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 32939 bytes --]

diff -ruN /tmp/policy/Makefile policy/Makefile
--- /tmp/policy/Makefile	2002-09-27 22:27:36.000000000 +0200
+++ policy/Makefile	2002-11-08 10:31:17.000000000 +0100
@@ -77,6 +79,7 @@
 tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
 	mkdir -p tmp
 	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@
+	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@
 
 tmp/all_macros.te:  macros $(wildcard macros/*.te) tmp/all_program_macros.te
 	cat $(wildcard macros/*.te) tmp/all_program_macros.te > $@
diff -ruN /tmp/policy/domains/program/acct.te policy/domains/program/acct.te
--- /tmp/policy/domains/program/acct.te	2002-11-29 12:19:33.000000000 +0100
+++ policy/domains/program/acct.te	2002-11-14 23:11:04.000000000 +0100
@@ -10,10 +10,12 @@
 # acct_exec_t is the type of the acct executable.
 #
 daemon_base_domain(acct)
-domain_auto_trans(system_crond_t, acct_exec_t, acct_t)
+ifdef(`crond.te', `
+system_crond_entry(acct_exec_t, acct_t)
 
 # for monthly cron job
 file_type_auto_trans(acct_t, var_log_t, wtmp_t)
+')
 
 ifdef(`logrotate.te', `
 allow acct_t logrotate_exec_t:file getattr;
diff -ruN /tmp/policy/domains/program/automount.te policy/domains/program/automount.te
--- /tmp/policy/domains/program/automount.te	2002-11-29 12:19:34.000000000 +0100
+++ policy/domains/program/automount.te	2002-11-24 10:16:54.000000000 +0100
@@ -33,6 +33,7 @@
 file_type_auto_trans(automount_t, tmp_t, automount_tmp_t)
 
 allow automount_t autofs_t:dir { create_dir_perms ioctl };
+allow automount_t fs_type:dir getattr;
 allow autofs_t self:filesystem associate;
 
 domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
diff -ruN /tmp/policy/domains/program/crack.te policy/domains/program/crack.te
--- /tmp/policy/domains/program/crack.te	2002-09-27 22:27:37.000000000 +0200
+++ policy/domains/program/crack.te	2002-11-08 10:32:25.000000000 +0100
@@ -9,18 +9,14 @@
 # crack_exec_t is the type of the crack executable.
 #
 system_domain(crack)
-domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
+ifdef(`crond.te', `
+system_crond_entry(crack_exec_t, crack_t)
+')
 
 type crack_db_t, file_type, sysadmfile;
 allow crack_t var_t:dir search;
 rw_dir_create_file(crack_t, crack_db_t)
 
-allow crack_t crond_t:fd use;
-allow crack_t crond_t:fifo_file r_file_perms;
-ifdef(`fcron.te', `
-allow crack_t fcron_t:fd use;
-allow crack_t fcron_t:fifo_file r_file_perms;
-')
 allow crack_t device_t:dir search;
 allow crack_t devtty_t:chr_file rw_file_perms;
 allow crack_t self:fifo_file { read write getattr };
diff -ruN /tmp/policy/domains/program/crond.te policy/domains/program/crond.te
--- /tmp/policy/domains/program/crond.te	2002-11-29 12:19:34.000000000 +0100
+++ policy/domains/program/crond.te	2002-11-20 14:24:13.000000000 +0100
@@ -71,8 +71,6 @@
 # Run a shell.
 can_exec(crond_t, shell_exec_t)
 
-allow crond_t fs_t:filesystem getattr;
-
 ifdef(`rpm.te',
 `# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
diff -ruN /tmp/policy/domains/program/ddt-client.te policy/domains/program/ddt-client.te
--- /tmp/policy/domains/program/ddt-client.te	2002-08-23 21:04:28.000000000 +0200
+++ policy/domains/program/ddt-client.te	2002-11-20 14:27:02.000000000 +0100
@@ -27,7 +27,6 @@
 
 # Use capabilities
 allow ddt_client_t self:capability { setuid setgid dac_override chown };
-allow ddt_client_t fs_t:filesystem getattr;
 
 allow ddt_client_t etc_t:dir search;
 allow ddt_client_t etc_t:lnk_file read;
diff -ruN /tmp/policy/domains/program/devfsd.te policy/domains/program/devfsd.te
--- /tmp/policy/domains/program/devfsd.te	2002-10-28 22:55:52.000000000 +0100
+++ policy/domains/program/devfsd.te	2002-11-20 14:24:32.000000000 +0100
@@ -27,6 +27,9 @@
 ifdef(`dpkg.te', `
 # for the makedev script - this may be a bad idea
 domain_auto_trans_read(dpkg_t, devfsd_exec_t, devfsd_t)
+
+# for package upgrade
+allow devfsd_t lib_t:file execute;
 ')
 
 # mknod capability is for the startup scripts
@@ -49,8 +52,6 @@
 # allow all devices to be under device_t
 allow file_type device_t:filesystem associate;
 
-allow devfsd_t fs_t:filesystem getattr;
-
 # allow context lookups
 allow devfsd_t security_t:security { context_to_sid sid_to_context };
 
@@ -80,6 +81,8 @@
 
 allow devfsd_t privfd:fd use;
 
+allow kernel_t device_t:filesystem mount;
+
 # for nss-ldap etc
 can_network(devfsd_t)
 allow devfsd_t self:tcp_socket create_socket_perms;
diff -ruN /tmp/policy/domains/program/dpkg.te policy/domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-11-29 12:19:34.000000000 +0100
+++ policy/domains/program/dpkg.te	2002-11-19 13:57:32.000000000 +0100
@@ -18,6 +18,10 @@
 allow dpkg_t security_t:security load_policy;
 
 can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t tmp_dpkg_t ls_exec_t var_lib_dpkg_t etc_dpkg_t sbin_t })
+ifdef(`rlogind.te', `
+# for ssh
+can_exec(dpkg_t, rlogind_exec_t)
+')
 can_exec(dpkg_t, init_exec_t)
 file_type_auto_trans(dpkg_t, tmp_t, tmp_dpkg_t)
 ifdef(`mta.te', `
@@ -136,8 +140,9 @@
 allow { apt_t install_menu_t userdomain } etc_dpkg_t:file r_file_perms;
 can_exec(sysadm_t, etc_dpkg_t)
 
-# Inherit and use descriptors from any domain.
+# Inherit and use descriptors from open_init_pty
 allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
+dontaudit dpkg_t privfd:fd use;
 allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
 allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
 
diff -ruN /tmp/policy/domains/program/hotplug.te policy/domains/program/hotplug.te
--- /tmp/policy/domains/program/hotplug.te	2002-09-21 05:01:26.000000000 +0200
+++ policy/domains/program/hotplug.te	2002-11-20 14:24:53.000000000 +0100
@@ -34,8 +34,6 @@
 r_dir_file(hotplug_t, usbdevfs_t)
 allow hotplug_t usbdevfs_device_t:file getattr;
 
-allow hotplug_t fs_t:filesystem getattr;
-
 # read config files
 allow hotplug_t etc_t:dir r_dir_perms;
 allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
diff -ruN /tmp/policy/domains/program/ipsec.te policy/domains/program/ipsec.te
--- /tmp/policy/domains/program/ipsec.te	2002-11-04 13:27:51.000000000 +0100
+++ policy/domains/program/ipsec.te	2002-11-17 03:11:03.000000000 +0100
@@ -56,6 +56,9 @@
 
 allow ipsec_t self:key_socket { create write read };
 
+# for lsof
+allow sysadm_t ipsec_t:key_socket getattr;
+
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 can_exec(ipsec_mgmt_t, bin_t)
diff -ruN /tmp/policy/domains/program/ircd.te policy/domains/program/ircd.te
--- /tmp/policy/domains/program/ircd.te	2002-10-28 22:55:53.000000000 +0100
+++ policy/domains/program/ircd.te	2002-11-20 14:25:02.000000000 +0100
@@ -29,8 +29,6 @@
 
 allow ircd_t devtty_t:chr_file rw_file_perms;
 
-allow ircd_t fs_t:filesystem getattr;
-
 allow ircd_t sbin_t:dir search;
 
 allow ircd_t proc_t:file { getattr read };
diff -ruN /tmp/policy/domains/program/kcheckpass.te policy/domains/program/kcheckpass.te
--- /tmp/policy/domains/program/kcheckpass.te	2002-10-01 19:28:43.000000000 +0200
+++ policy/domains/program/kcheckpass.te	2002-11-20 01:12:49.000000000 +0100
@@ -34,6 +34,8 @@
 
 dontaudit kcheckpass_t { home_root_t user_home_dir_type }:dir search;
 dontaudit kcheckpass_t user_home_type:dir read;
+ifdef(`xdm.te', `
 dontaudit kcheckpass_t xdm_t:fd use;
+')
 dontaudit kcheckpass_t user_tmpfile:file read;
 dontaudit kcheckpass_t device_t:dir search;
diff -ruN /tmp/policy/domains/program/load_policy.te policy/domains/program/load_policy.te
--- /tmp/policy/domains/program/load_policy.te	2002-11-04 13:27:51.000000000 +0100
+++ policy/domains/program/load_policy.te	2002-11-20 01:02:54.000000000 +0100
@@ -49,3 +49,4 @@
 
 allow load_policy_t { initrc_t privfd }:fd use;
 
+allow load_policy_t fs_t:filesystem getattr;
diff -ruN /tmp/policy/domains/program/lpd.te policy/domains/program/lpd.te
--- /tmp/policy/domains/program/lpd.te	2002-10-17 00:01:10.000000000 +0200
+++ policy/domains/program/lpd.te	2002-11-09 14:53:02.000000000 +0100
@@ -54,7 +54,7 @@
 type lpd_var_run_t, file_type, sysadmfile, pidfile;
 file_type_auto_trans(lpd_t, var_run_t, lpd_var_run_t)
 
-allow checkpc_t lpd_var_run_t:dir getattr;
+allow checkpc_t lpd_var_run_t:dir { search getattr };
 
 
 # This is needed to permit chown to read /var/spool/lpd/lp.
diff -ruN /tmp/policy/domains/program/mailman.te policy/domains/program/mailman.te
--- /tmp/policy/domains/program/mailman.te	2002-10-01 18:40:37.000000000 +0200
+++ policy/domains/program/mailman.te	2002-11-08 10:32:25.000000000 +0100
@@ -86,10 +86,6 @@
 domain_auto_trans(system_crond_t, mailman_queue_exec_t, mailman_queue_t)
 allow mailman_queue_t crond_t:fd use;
 allow mailman_queue_t crond_t:fifo_file { ioctl read write };
-ifdef(`fcron.te', `
-allow mailman_queue_t fcron_t:fd use;
-allow mailman_queue_t fcron_t:fifo_file { ioctl read write };
-')
 allow mailman_queue_t devtty_t:chr_file { read write };
 allow mailman_queue_t self:process { fork signal sigchld };
 
diff -ruN /tmp/policy/domains/program/mrtg.te policy/domains/program/mrtg.te
--- /tmp/policy/domains/program/mrtg.te	2002-10-23 21:38:18.000000000 +0200
+++ policy/domains/program/mrtg.te	2002-11-29 09:35:14.000000000 +0100
@@ -12,10 +12,8 @@
 daemon_base_domain(mrtg)
 
 ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, mrtg_exec_t, mrtg_t)
-allow mrtg_t crond_t:fifo_file { ioctl read write };
+system_crond_entry(mrtg_exec_t, mrtg_t)
 allow mrtg_t cron_log_t:file rw_file_perms;
-allow mrtg_t crond_t:process sigchld;
 ')
 
 type etc_mrtg_t, file_type, sysadmfile;
@@ -44,6 +42,7 @@
 ')
 
 allow mrtg_t proc_t:file { read getattr };
+dontaudit mrtg_t proc_t:file ioctl;
 
 allow mrtg_t { var_lock_t var_lib_t }:dir search;
 rw_dir_create_file(mrtg_t, var_lib_mrtg_t)
@@ -51,6 +50,7 @@
 
 # read config files
 allow mrtg_t { etc_t etc_mrtg_t resolv_conf_t }:file { read getattr };
+dontaudit mrtg_t etc_mrtg_t:file ioctl;
 allow mrtg_t etc_mrtg_t:dir { read search getattr };
 dontaudit mrtg_t etc_mrtg_t:dir write;
 allow mrtg_t etc_t:lnk_file read;
diff -ruN /tmp/policy/domains/program/named.te policy/domains/program/named.te
--- /tmp/policy/domains/program/named.te	2002-11-04 13:27:52.000000000 +0100
+++ policy/domains/program/named.te	2002-11-20 14:25:36.000000000 +0100
@@ -63,8 +63,6 @@
 allow named_t self:unix_stream_socket create_stream_socket_perms;
 allow named_t self:unix_dgram_socket create_socket_perms;
 
-allow named_t fs_t:filesystem getattr;
-
 # Read sysctl kernel variables.
 allow named_t sysctl_t:dir r_dir_perms;
 allow named_t sysctl_kernel_t:dir r_dir_perms;
@@ -112,6 +110,9 @@
 allow ndc_t self:fifo_file { read write getattr ioctl };
 allow ndc_t named_zone_t:dir search;
 
+# for chmod in start script
+dontaudit initrc_t var_run_named_t:dir setattr;
+
 # for ndc_t to be used for restart shell scripts
 ifdef(`ndc_shell_script', `
 allow ndc_t crond_t:fd use;
diff -ruN /tmp/policy/domains/program/ntpd.te policy/domains/program/ntpd.te
--- /tmp/policy/domains/program/ntpd.te	2002-09-27 22:27:38.000000000 +0200
+++ policy/domains/program/ntpd.te	2002-11-20 14:25:48.000000000 +0100
@@ -63,8 +63,6 @@
 
 allow ntpd_t devtty_t:chr_file rw_file_perms;
 
-allow ntpd_t fs_t:filesystem getattr;
-
 can_udp_send(ntpd_t, sysadm_t)
 can_udp_send(sysadm_t, ntpd_t)
 can_udp_send(ntpd_t, ntpd_t)
diff -ruN /tmp/policy/domains/program/ping.te policy/domains/program/ping.te
--- /tmp/policy/domains/program/ping.te	2002-11-04 13:27:52.000000000 +0100
+++ policy/domains/program/ping.te	2002-11-13 19:04:17.000000000 +0100
@@ -24,7 +24,7 @@
 allow ping_t any_socket_t:rawip_socket sendto;
 
 # Let ping receive ICMP replies.
-allow ping_t icmp_socket_t:rawip_socket recvfrom;
+allow ping_t { self icmp_socket_t }:rawip_socket recvfrom;
 
 # Use capabilities.
 allow ping_t ping_t:capability { net_raw setuid };
diff -ruN /tmp/policy/domains/program/postfix.te policy/domains/program/postfix.te
--- /tmp/policy/domains/program/postfix.te	2002-11-29 12:19:35.000000000 +0100
+++ policy/domains/program/postfix.te	2002-11-09 16:27:44.000000000 +0100
@@ -131,6 +131,7 @@
 postfix_server_domain(local, `, mta_delivery_agent')
 ifdef(`procmail.te', `
 domain_auto_trans_read(postfix_local_t, procmail_exec_t, procmail_t)
+# for a bug in the postfix local program
 dontaudit procmail_t postfix_local_t:tcp_socket { read write };
 ')
 allow postfix_local_t { etc_aliases_t }:file r_file_perms;
diff -ruN /tmp/policy/domains/program/postgresql.te policy/domains/program/postgresql.te
--- /tmp/policy/domains/program/postgresql.te	2002-11-29 12:19:35.000000000 +0100
+++ policy/domains/program/postgresql.te	2002-11-20 14:25:55.000000000 +0100
@@ -18,6 +18,9 @@
 
 dontaudit postgresql_t sysadm_home_dir_t:dir search;
 
+# quiet ps
+dontaudit postgresql_t domain:dir getattr;
+
 # for currect directory of scripts
 allow postgresql_t { var_spool_t cron_spool_t }:dir search;
 
@@ -57,7 +60,6 @@
 can_tcp_connect(userdomain, postgresql_t)
 
 allow postgresql_t { proc_t self }:file { getattr read };
-allow postgresql_t fs_t:filesystem getattr;
 
 # Allow access to the postgresql databases
 create_dir_file(postgresql_t, postgresql_db_t)
diff -ruN /tmp/policy/domains/program/pppd.te policy/domains/program/pppd.te
--- /tmp/policy/domains/program/pppd.te	2002-10-01 19:28:45.000000000 +0200
+++ policy/domains/program/pppd.te	2002-11-20 14:26:05.000000000 +0100
@@ -10,11 +10,11 @@
 # pppd_t is the domain for the pppd program.
 # pppd_exec_t is the type of the pppd executable.
 # pppd_secret_t is the type of the pap and chap password files
-# pppd_log_t is the type of the ppp log files
 #
 daemon_domain(pppd, `, privmail')
 type pppd_secret_t, file_type, sysadmfile;
-type pppd_log_t, file_type, sysadmfile, logfile;
+
+log_domain(pppd)
 
 # Use the network.
 can_network(pppd_t)
@@ -22,14 +22,9 @@
 # Use capabilities.
 allow pppd_t self:capability { net_admin setuid setgid fsetid };
 
-allow pppd_t fs_t:filesystem getattr;
-
 allow pppd_t var_lock_t:dir rw_dir_perms;
 allow pppd_t var_lock_t:file create_file_perms;
 
-# allow writing log files
-file_type_auto_trans(pppd_t, var_log_t, pppd_log_t)
-
 # Access secret files
 allow pppd_t pppd_secret_t:file r_file_perms;
 
diff -ruN /tmp/policy/domains/program/procmail.te policy/domains/program/procmail.te
--- /tmp/policy/domains/program/procmail.te	2002-10-10 17:50:17.000000000 +0200
+++ policy/domains/program/procmail.te	2002-11-20 01:07:27.000000000 +0100
@@ -39,6 +39,8 @@
 allow procmail_t var_spool_t:dir r_dir_perms;
 
 allow procmail_t fs_t:filesystem getattr;
+allow procmail_t proc_t:dir search;
+allow procmail_t proc_t:file { getattr read };
 
 # for if /var/mail is a symlink to /var/spool/mail
 #allow procmail_t mail_spool_t:lnk_file r_file_perms;
diff -ruN /tmp/policy/domains/program/qmail.te policy/domains/program/qmail.te
--- /tmp/policy/domains/program/qmail.te	2002-10-17 00:01:13.000000000 +0200
+++ policy/domains/program/qmail.te	2002-11-07 12:38:13.000000000 +0100
@@ -55,6 +55,7 @@
 allow qmail_lspawn_t qmail_spool_t:dir search;
 allow qmail_lspawn_t qmail_spool_t:file { read getattr };
 allow qmail_lspawn_t etc_t:file { getattr read };
+allow qmail_lspawn_t tmp_t:dir getattr;
 dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
 
 qmail_daemon_domain(send)
diff -ruN /tmp/policy/domains/program/snmpd.te policy/domains/program/snmpd.te
--- /tmp/policy/domains/program/snmpd.te	2002-11-04 13:27:54.000000000 +0100
+++ policy/domains/program/snmpd.te	2002-11-20 14:26:16.000000000 +0100
@@ -35,5 +35,4 @@
 
 allow snmpd_t proc_t:dir search;
 allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t fs_t:filesystem getattr;
 allow snmpd_t self:file { getattr read };
diff -ruN /tmp/policy/domains/program/squid.te policy/domains/program/squid.te
--- /tmp/policy/domains/program/squid.te	2002-10-28 21:31:50.000000000 +0100
+++ policy/domains/program/squid.te	2002-11-20 14:26:24.000000000 +0100
@@ -39,8 +39,6 @@
 
 allow squid_t devtty_t:chr_file rw_file_perms;
 
-allow squid_t fs_t:filesystem getattr;
-
 allow squid_t { self proc_t }:file { read getattr };
 
 # for when we use /var/spool/cache
diff -ruN /tmp/policy/domains/program/ssh.te policy/domains/program/ssh.te
--- /tmp/policy/domains/program/ssh.te	2002-10-28 22:55:57.000000000 +0100
+++ policy/domains/program/ssh.te	2002-11-05 18:37:02.000000000 +0100
@@ -48,6 +48,7 @@
 # sshd_key_t is the type of the ssh private key files
 #
 sshd_program_domain(sshd_t)
+allow sshd_t initrc_devpts_t:chr_file rw_file_perms;
 allow sshd_t ssh_port_t:tcp_socket name_bind;
 sshd_program_domain(sshd_login_t)
 undefine(`sshd_program_domain')
diff -ruN /tmp/policy/domains/program/sxid.te policy/domains/program/sxid.te
--- /tmp/policy/domains/program/sxid.te	2002-09-27 22:27:38.000000000 +0200
+++ policy/domains/program/sxid.te	2002-11-08 10:32:25.000000000 +0100
@@ -13,10 +13,10 @@
 
 allow sxid_t fs_t:filesystem getattr;
 
-domain_auto_trans(system_crond_t, sxid_exec_t, sxid_t)
-allow sxid_t crond_t:fd use;
-allow sxid_t crond_t:fifo_file { read ioctl };
-allow system_crond_t var_log_sxid_t:file create_file_perms;
+ifdef(`crond.te', `
+system_crond_entry(sxid_exec_t, sxid_t)
+')
+#allow system_crond_t var_log_sxid_t:file create_file_perms;
 
 allow sxid_t etc_t:lnk_file read;
 
diff -ruN /tmp/policy/domains/program/tftpd.te policy/domains/program/tftpd.te
--- /tmp/policy/domains/program/tftpd.te	2002-09-21 05:01:28.000000000 +0200
+++ policy/domains/program/tftpd.te	2002-11-20 14:26:35.000000000 +0100
@@ -35,6 +35,3 @@
 
 allow tftpd_t var_t:dir r_dir_perms;
 allow tftpd_t var_t:{ file lnk_file } r_file_perms;
-
-allow tftpd_t fs_t:filesystem getattr;
-
diff -ruN /tmp/policy/domains/program/tmpreaper.te policy/domains/program/tmpreaper.te
--- /tmp/policy/domains/program/tmpreaper.te	2002-10-23 21:38:19.000000000 +0200
+++ policy/domains/program/tmpreaper.te	2002-11-08 10:32:25.000000000 +0100
@@ -15,10 +15,6 @@
 uses_shlib(tmpreaper_t)
 allow tmpreaper_t crond_t:fd use;
 allow tmpreaper_t crond_t:fifo_file { read write };
-ifdef(`fcron.te', `
-allow tmpreaper_t fcron_t:fd use;
-allow tmpreaper_t fcron_t:fifo_file { read write };
-')
 allow tmpreaper_t tmpfile:dir { rw_dir_perms rmdir };
 allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
 allow tmpreaper_t home_type:notdevfile_class_set { getattr unlink };
diff -ruN /tmp/policy/domains/program/xdm.te policy/domains/program/xdm.te
--- /tmp/policy/domains/program/xdm.te	2002-11-29 12:19:36.000000000 +0100
+++ policy/domains/program/xdm.te	2002-11-09 16:13:05.000000000 +0100
@@ -14,12 +14,20 @@
 # xdm_exec_t is the type of the [xgk]dm program
 #
 daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')
-#every_domain(xdm_t)
 tmp_domain(xdm)
+var_lib_domain(xdm)
+# NB we do NOT allow xdm_xserver_t var_lib_xdm_t:dir!!!
+allow xdm_xserver_t var_lib_xdm_t:file { getattr read };
+dontaudit xdm_xserver_t var_lib_xdm_t:dir search;
 type xsession_exec_t, file_type, sysadmfile, exec_type;
 
 allow xdm_t default_context_t:file { read getattr };
 
+can_network(xdm_t)
+allow xdm_t self:unix_stream_socket create_stream_socket_perms;
+allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:fifo_file rw_file_perms;
+
 # for reboot
 allow xdm_t initctl_t:fifo_file write;
 
@@ -31,6 +39,8 @@
 # Commented out by default.
 #allow xdm_t memory_device_t:chr_file { execute read write };
 
+allow xdm_t random_device_t:chr_file { getattr read };
+
 # Transition to user domains for user sessions.
 domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
 
@@ -67,14 +77,14 @@
 allow xdm_t gpmctl_t:sock_file { getattr setattr };')
 
 # Update utmp and wtmp.
-allow xdm_t initrc_var_run_t: file { read write };
+allow xdm_t initrc_var_run_t: file { read write lock };
 allow xdm_t wtmp_t:file { append };
 
 # Update lastlog.
 allow xdm_t lastlog_t:file rw_file_perms;
 
 # Ask the security server for SIDs for user sessions.
-allow xdm_t security_t:security { get_user_sids };
+allow xdm_t security_t:security { get_user_sids context_to_sid };
 
 # Access the shared memory pseudo file system.
 # Should really define a derived type for this.
@@ -93,9 +103,15 @@
 allow xdm_t xfs_tmp_t:sock_file { write };
 can_unix_connect(xdm_t, xfs_t)')
 
+allow xdm_t self:process { setpgid setsched };
+allow xdm_t etc_t:lnk_file read;
+allow xdm_t etc_runtime_t:file { getattr read };
+
 # Signal any user domain.
 allow xdm_t userdomain:process signal_perms;
 
+allow xdm_t proc_t:file { getattr read };
+
 # Search /proc for any user domain processes.
 allow xdm_t userdomain:dir r_dir_perms;
 allow xdm_t userdomain:{ file lnk_file } r_file_perms;
diff -ruN /tmp/policy/domains/user.te policy/domains/user.te
--- /tmp/policy/domains/user.te	2002-10-17 00:01:05.000000000 +0200
+++ policy/domains/user.te	2002-10-23 20:14:43.000000000 +0200
@@ -5,16 +5,26 @@
 full_user_role(user)
 #full_user_role(second_user)
 
-# Add role allow rules in policy/rbac as desired to 
-# support transitions among the user roles, and to permit
-# system_r to transition to user_r.  
+allow system_r user_r;
+#allow system_r second_user_r;
 
-# system_r is authorized for user_t as a fallback for unmodified daemons.
-role system_r types user_t;
+#
+# Allow the user roles to transition
+# into each other.
+#
+allow user_r sysadm_r;
+allow sysadm_r user_r;
+#allow sysadm_r second_user_r;
+
+# if adding new user roles make sure you edit the in_user_role macro in
+# macros/user_macros.te to match
 
 # lots of user programs accidentally search /root, and also the admin often
 # logs in as UID=0 domain=user_t...
 dontaudit unpriv_userdomain sysadm_home_dir_t:dir { getattr search };
 
+# system_r is authorized for user_t as a fallback for unmodified daemons.
+role system_r types user_t;
+
 # "ps aux" and "ls -l /dev/pts" make too much noise without this
 dontaudit unpriv_userdomain ptyfile:chr_file getattr;
diff -ruN /tmp/policy/file_contexts/program/fsadm.fc policy/file_contexts/program/fsadm.fc
--- /tmp/policy/file_contexts/program/fsadm.fc	2002-09-09 19:54:20.000000000 +0200
+++ policy/file_contexts/program/fsadm.fc	2002-11-08 10:33:05.000000000 +0100
@@ -1,12 +1,12 @@
 # fs admin utilities
-/sbin/fsck			system_u:object_r:fsadm_exec_t
-/sbin/fsck\.ext2		system_u:object_r:fsadm_exec_t
-/sbin/fsck\.ext3		system_u:object_r:fsadm_exec_t
+/sbin/fsck.*			system_u:object_r:fsadm_exec_t
+/sbin/mkfs.*			system_u:object_r:fsadm_exec_t
 /sbin/e2fsck			system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune)		system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs		system_u:object_r:fsadm_exec_t
 /sbin/e2label			system_u:object_r:fsadm_exec_t
 /sbin/mkfs			system_u:object_r:fsadm_exec_t
 /sbin/mke2fs			system_u:object_r:fsadm_exec_t
-/sbin/mkfs.ext2			system_u:object_r:fsadm_exec_t
 /sbin/mkswap			system_u:object_r:fsadm_exec_t
 /sbin/scsi_info			system_u:object_r:fsadm_exec_t
 /sbin/sfdisk			system_u:object_r:fsadm_exec_t
diff -ruN /tmp/policy/file_contexts/program/named.fc policy/file_contexts/program/named.fc
--- /tmp/policy/file_contexts/program/named.fc	2002-10-01 19:28:51.000000000 +0200
+++ policy/file_contexts/program/named.fc	2002-11-18 20:37:48.000000000 +0100
@@ -8,4 +8,5 @@
 /usr/sbin/r?ndc			system_u:object_r:ndc_exec_t
 /var/cache/bind(/.*)?		system_u:object_r:named_cache_t
 /var/run/ndc			system_u:object_r:var_run_named_t
+/var/run/bind(/.*)?		system_u:object_r:var_run_named_t
 /usr/sbin/lwresd		system_u:object_r:named_exec_t
diff -ruN /tmp/policy/file_contexts/program/pppd.fc policy/file_contexts/program/pppd.fc
--- /tmp/policy/file_contexts/program/pppd.fc	2002-09-21 05:01:29.000000000 +0200
+++ policy/file_contexts/program/pppd.fc	2002-11-09 14:36:12.000000000 +0100
@@ -6,3 +6,4 @@
 /var/run/pppd.tdb		system_u:object_r:var_run_pppd_t
 /etc/ppp/.*secrets		system_u:object_r:pppd_secret_t
 /var/run/ipppd.*pid		system_u:object_r:var_run_pppd_t
+/var/log/ppp-connect-errors.*	system_u:object_r:pppd_log_t
diff -ruN /tmp/policy/file_contexts/program/samba.fc policy/file_contexts/program/samba.fc
--- /tmp/policy/file_contexts/program/samba.fc	2002-10-28 21:32:43.000000000 +0100
+++ policy/file_contexts/program/samba.fc	2002-11-22 22:40:06.000000000 +0100
@@ -7,3 +7,12 @@
 /var/lib/samba(/.*)?		system_u:object_r:samba_var_t
 /etc/samba/secrets.tdb		system_u:object_r:samba_secrets_t
 /etc/samba/MACHINE.SID		system_u:object_r:samba_secrets_t
+/var/run/samba/locking.tdb	system_u:object_r:var_run_smbd_t
+/var/run/samba/connections.tdb	system_u:object_r:var_run_smbd_t
+/var/run/samba/sessionid.tdb	system_u:object_r:var_run_smbd_t
+/var/run/samba/brlock.tdb	system_u:object_r:var_run_smbd_t
+/var/run/samba/namelist.debug	system_u:object_r:var_run_nmbd_t
+/var/run/samba/messages.tdb	system_u:object_r:var_run_nmbd_t
+/var/run/samba/unexpected.tdb	system_u:object_r:var_run_nmbd_t
+/var/run/samba/smbd.pid		system_u:object_r:var_run_smbd_t
+/var/run/samba/nmbd.pid		system_u:object_r:var_run_nmbd_t
diff -ruN /tmp/policy/file_contexts/program/xdm.fc policy/file_contexts/program/xdm.fc
--- /tmp/policy/file_contexts/program/xdm.fc	2002-08-23 21:04:28.000000000 +0200
+++ policy/file_contexts/program/xdm.fc	2002-11-05 01:01:51.000000000 +0100
@@ -3,7 +3,8 @@
 /var/[xgk]dm(/.*)?              system_u:object_r:xserver_var_log_t
 /usr/var/[xgk]dm(/.*)?          system_u:object_r:xserver_var_log_t
 /var/log/kdm.log		system_u:object_r:xserver_var_log_t
-#/tmp/.X11-unix(/.*)?           system_u:object_r:xdm_tmp_t
-#/tmp/.X0-lock                  system_u:object_r:xdm_tmp_t
-/etc/X11/Xsession[^/]* --	system_u:object_r:xsession_exec_t
-
+/tmp/.X11-unix(/.*)?            system_u:object_r:xdm_tmp_t
+/tmp/.X0-lock                   system_u:object_r:xdm_tmp_t
+/etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
+/var/run/xdmctl			system_u:object_r:var_run_xdm_t
+/var/lib/kdm/authfiles(/.*)?	system_u:object_r:var_lib_xdm_t
diff -ruN /tmp/policy/file_contexts/program/xserver.fc policy/file_contexts/program/xserver.fc
--- /tmp/policy/file_contexts/program/xserver.fc	2002-08-23 21:04:28.000000000 +0200
+++ policy/file_contexts/program/xserver.fc	2002-10-23 20:12:44.000000000 +0200
@@ -1,8 +1,6 @@
 # X server
 /dev/agpgart			system_u:object_r:agp_device_t
 /dev/dri(/.*)?			system_u:object_r:dri_device_t
-/tmp/.X11-unix(/.*)?		system_u:object_r:user_xserver_tmp_t
-/tmp/.X0-lock			system_u:object_r:user_xserver_tmp_t
 /usr/X11R6/bin/Xwrapper		system_u:object_r:xserver_exec_t
 /usr/X11R6/bin/X		system_u:object_r:xserver_exec_t
 /usr/X11R6/bin/XFree86		system_u:object_r:xserver_exec_t
diff -ruN /tmp/policy/file_contexts/types.fc policy/file_contexts/types.fc
--- /tmp/policy/file_contexts/types.fc	2002-10-23 21:38:20.000000000 +0200
+++ policy/file_contexts/types.fc	2002-11-20 18:18:57.000000000 +0100
@@ -58,8 +58,10 @@
 /var/lib(/.*)?			system_u:object_r:var_lib_t
 /var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
 /var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t
+/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t
 /var/lock(/.*)?			system_u:object_r:var_lock_t
-/var/tmp(/.*)?			system_u:object_r:tmp_t
+/var/tmp			system_u:object_r:tmp_t
+/var/tmp/.*			<<none>>
 /var/tmp/vi.recover		system_u:object_r:tmp_t
 
 #
@@ -136,12 +138,13 @@
 /dev/psaux			system_u:object_r:mouse_device_t
 /dev/.*mouse.*	-c		system_u:object_r:mouse_device_t
 /dev/input/.*mouse.*		system_u:object_r:mouse_device_t
+/dev/input/mice			system_u:object_r:mouse_device_t
 /dev/ptmx			system_u:object_r:ptmx_t
 /dev/sequencer			system_u:object_r:misc_device_t
 /dev/fb[0-9]*			system_u:object_r:framebuf_device_t
 /dev/apm_bios			system_u:object_r:apm_bios_t
 /dev/cpu/mtrr			system_u:object_r:mtrr_device_t
-/dev/(radio|video|vbi|vtx).*	system_u:object_r:v4l_device_t
+/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
 
 /proc(/.*)?			<<none>>
 
@@ -187,7 +190,8 @@
 #
 # /tmp
 #
-/tmp(/.*)?			system_u:object_r:tmp_t
+/tmp				system_u:object_r:tmp_t
+/tmp/.*				<<none>>
 /tmp/orbit.*			system_u:object_r:user_tmp_t
 /tmp/.ICE-unix(/.*)?		system_u:object_r:user_tmp_t
 
diff -ruN /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2002-10-28 22:56:04.000000000 +0100
+++ policy/macros/global_macros.te	2002-11-29 10:17:35.000000000 +0100
@@ -104,7 +104,7 @@
 # 
 # Permissions for reading and writing directories and their attributes.
 #
-define(`rw_dir_perms', `{ read getattr lock search add_name remove_name write }')
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
 
 # 
 # Permissions for reading and adding names to directories.
@@ -950,8 +950,13 @@
 type var_run_$1_t, file_type, sysadmfile, pidfile;
 file_type_auto_trans($1_t, var_run_t, var_run_$1_t)
 
+allow $1_t devtty_t:chr_file rw_file_perms;
+
 # for daemons that look at /root on startup
 dontaudit $1_t sysadm_home_dir_t:dir search;
+
+# for df
+allow $1_t fs_type:filesystem getattr;
 ')dnl
 
 define(`uses_authbind',
@@ -996,6 +1001,11 @@
 file_type_auto_trans($1_t, tmp_t, $1_tmp_t)
 ')
 
+define(`var_lib_domain', `
+type var_lib_$1_t, file_type, sysadmfile;
+file_type_auto_trans($1_t, var_lib_t, var_lib_$1_t)
+')
+
 define(`log_domain', `
 type $1_log_t, file_type, sysadmfile, logfile;
 file_type_auto_trans($1_t, var_log_t, $1_log_t)
diff -ruN /tmp/policy/macros/program/crond_macros.te policy/macros/program/crond_macros.te
--- /tmp/policy/macros/program/crond_macros.te	2002-09-27 22:27:44.000000000 +0200
+++ policy/macros/program/crond_macros.te	2002-11-08 10:33:44.000000000 +0100
@@ -29,11 +29,6 @@
 # via execve_secure.  There is no way to set up an automatic
 # transition, since crontabs are configuration files, not executables.
 domain_trans(crond_t, shell_exec_t, $1_crond_t)
-ifdef(`fcron.te', `
-domain_trans(fcron_t, shell_exec_t, $1_crond_t)
-# should get the spool file created under a different type or use a fifo
-allow $1_crond_t fcron_spool_t:file rw_file_perms;
-')
 
 ifdef(`mta.te', `
 domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
diff -ruN /tmp/policy/macros/program/crontab_macros.te policy/macros/program/crontab_macros.te
--- /tmp/policy/macros/program/crontab_macros.te	2002-10-28 21:33:15.000000000 +0100
+++ policy/macros/program/crontab_macros.te	2002-11-08 10:33:44.000000000 +0100
@@ -44,13 +44,12 @@
 allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
 file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t)
 ifdef(`fcron.te', `
-file_type_auto_trans($1_crontab_t, fcron_spool_t, $1_cron_spool_t)
-allow fcron_t $1_cron_spool_t:file create_file_perms;
+allow crond_t $1_cron_spool_t:file create_file_perms;
 # fcron wants an instant update of a crontab change for the administrator
 ifelse(`$1', `sysadm', `
-allow $1_crontab_t fcron_t:process signal;
+allow $1_crontab_t crond_t:process signal;
 ', `
-dontaudit $1_crontab_t fcron_t:process signal;
+dontaudit $1_crontab_t crond_t:process signal;
 ')dnl end ifelse
 ')dnl end ifdef fcron
 
diff -ruN /tmp/policy/macros/program/x_client_macros.te policy/macros/program/x_client_macros.te
--- /tmp/policy/macros/program/x_client_macros.te	2002-10-10 17:50:31.000000000 +0200
+++ policy/macros/program/x_client_macros.te	2002-11-27 19:04:03.000000000 +0100
@@ -52,7 +52,9 @@
 # Type for files that are read-only for this domain
 type $1_$2_ro_t, file_type, sysadmfile;
 r_dir_file($1_$2_t, $1_$2_ro_t)
-rw_dir_create_file($1_t, $1_$2_ro_t)
+allow $1_$2_t $1_$2_ro_t:fifo_file { read write };
+create_dir_file($1_t, $1_$2_ro_t)
+allow $1_t $1_$2_ro_t:fifo_file create_file_perms;
 allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom };
 
 # Allow the user domain to send any signal to the $2 process.
@@ -91,6 +93,10 @@
 allow $1_$2_t xdm_xserver_tmp_t:sock_file { read write };
 allow $1_$2_t xdm_t:fd use;
 dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+# for X over a ssh tunnel
+ifdef(`ssh.te', `
+can_tcp_connect($1_$2_t, sshd_t)
+')
 
 # for .xsession-errors
 dontaudit $1_$2_t $1_home_t:file write;
diff -ruN /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2002-11-29 12:19:38.000000000 +0100
+++ policy/macros/user_macros.te	2002-11-29 12:30:08.000000000 +0100
@@ -270,6 +270,8 @@
 dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
 ')
 
+# stop warnings about "ls -l" on directories with unlabelled files
+dontaudit $1_t file_t:{ dir file lnk_file } getattr;
 ')
 
 undefine(`in_user_role')
diff -ruN /tmp/policy/rbac policy/rbac
--- /tmp/policy/rbac	2002-07-03 22:26:19.000000000 +0200
+++ policy/rbac	2002-10-23 20:18:03.000000000 +0200
@@ -31,19 +31,11 @@
 
 #
 # Allow the system_r role to transition 
-# into any of the user roles.
+# into the sysadm_r role.
 #
-allow system_r user_r;
 allow system_r sysadm_r;
 
 #
-# Allow the user roles to transition
-# into each other.
-#
-allow user_r sysadm_r;
-allow sysadm_r user_r;
-
-#
 # Allow the user and admin role to transition to httpd_admin_r
 #
 ifdef(`apache.te',

^ permalink raw reply	[flat|nested] 27+ messages in thread
* policy patch
@ 2002-09-21  4:39 Russell Coker
  0 siblings, 0 replies; 27+ messages in thread
From: Russell Coker @ 2002-09-21  4:39 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 654 bytes --]

This one should be mostly self-explanatory, a few notes:

dontaudit ldconfig_t device_t:dir search;
It doesn't really need search access, so I removed the allow rule.

dontaudit ntpd_t var_t:dir getattr;
My var.diff patch allows this...

can_udp_send(init_t, portmap_t)
For NFS...

I solved the Postgresql problems that needed the gross hacks so I removed 
them.

-- 
There is no point PGP/GPG signing an email unless the signature can be
verified.  If you post to a list then don't sign the message unless your
key is available on public key servers and has been signed by someone
who is in the web of trust, otherwise you just waste bandwidth and CPU.

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 7448 bytes --]

diff -ru /tmp/policy/domains/program/dpkg.te policy/domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-09-21 06:04:23.000000000 +0200
+++ policy/domains/program/dpkg.te	2002-09-21 05:19:00.000000000 +0200
@@ -115,7 +115,7 @@
 ')
 
 r_dir_file(install_menu_t, var_lib_dpkg_t)
-allow { install_menu_t userdomain system_crond_t } etc_dpkg_t:file r_file_perms;
+allow { apt_t install_menu_t userdomain system_crond_t } etc_dpkg_t:file r_file_perms;
 can_exec(sysadm_t, etc_dpkg_t)
 
 # Inherit and use descriptors from any domain.
@@ -237,7 +238,7 @@
 domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
 allow dpkg_t install_menu_t:process signal_perms;
 
-allow install_menu_t newrole_t:fd use;
+allow install_menu_t privfd:fd use;
 uses_shlib(install_menu_t)
 
 allow install_menu_t self:process { fork sigchld };
diff -ru /tmp/policy/domains/program/fcron.te policy/domains/program/fcron.te
--- /tmp/policy/domains/program/fcron.te	2002-09-21 05:01:26.000000000 +0200
+++ policy/domains/program/fcron.te	2002-09-10 22:35:26.000000000 +0200
@@ -6,8 +6,8 @@
 #
 # Author: Russell Coker <russell@coker.com.au>
 
-# ideally we would not give it privowner!
-daemon_domain(fcron, `, privuser, privrole, privmail, privfd, privowner')
+# ideally we would not give it privowner or auth!
+daemon_domain(fcron, `, privuser, privrole, privmail, privfd, privowner, auth')
 
 general_domain_access(fcron_t)
 
diff -ru /tmp/policy/domains/program/ldconfig.te policy/domains/program/ldconfig.te
--- /tmp/policy/domains/program/ldconfig.te	2002-09-21 05:01:27.000000000 +0200
+++ policy/domains/program/ldconfig.te	2002-09-15 19:23:39.000000000 +0200
@@ -13,8 +13,8 @@
 role system_r types ldconfig_t;
 
 domain_auto_trans({ sysadm_t initrc_t ifdef(`dpkg.te', `dpkg_t') }, ldconfig_exec_t, ldconfig_t)
-allow ldconfig_t device_t:dir search;
-allow ldconfig_t { sysadm_devpts_t sysadm_tty_device_t }:chr_file rw_file_perms;
+dontaudit ldconfig_t device_t:dir search;
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
 allow ldconfig_t privfd:fd use;
 
 uses_shlib(ldconfig_t)
diff -ru /tmp/policy/domains/program/named.te policy/domains/program/named.te
--- /tmp/policy/domains/program/named.te	2002-09-21 06:08:50.000000000 +0200
+++ policy/domains/program/named.te	2002-09-21 05:23:54.000000000 +0200
@@ -100,6 +100,9 @@
 allow ndc_t self:capability dac_override;
 allow ndc_t var_run_named_t:sock_file rw_file_perms;
 allow ndc_t named_t:unix_stream_socket connectto;
+allow ndc_t privfd:fd use;
+# seems to need read as well for some reason
+allow ndc_t admin_tty_type:chr_file { getattr read write };
 
 # for ndc_t to be used for restart shell scripts
 ifdef(`ndc_shell_script', `
diff -ru /tmp/policy/domains/program/ntpd.te policy/domains/program/ntpd.te
--- /tmp/policy/domains/program/ntpd.te	2002-09-09 19:54:13.000000000 +0200
+++ policy/domains/program/ntpd.te	2002-09-13 23:24:30.000000000 +0200
@@ -24,11 +24,13 @@
 dontaudit ntpd_t self:capability fsetid;
 dontaudit ntpd_t domain:lnk_file read;
 
+# for some reason it creates a file in /tmp
+tmp_domain(ntpd)
+
 allow ntpd_t etc_t:dir r_dir_perms;
 allow ntpd_t etc_t:lnk_file r_file_perms;
 allow ntpd_t resolv_conf_t:file { read getattr };
 allow ntpd_t etc_ntp_t:file rw_file_perms;
-dontaudit ntpd_t var_t:dir getattr;
 
 # Use the network.
 can_network(ntpd_t)
diff -ru /tmp/policy/domains/program/portmap.te policy/domains/program/portmap.te
--- /tmp/policy/domains/program/portmap.te	2002-09-09 19:54:14.000000000 +0200
+++ policy/domains/program/portmap.te	2002-09-17 14:44:29.000000000 +0200
@@ -31,6 +31,7 @@
 ifdef(`ypbind.te',
 `can_udp_send(portmap_t, ypbind_t)')
 can_udp_send(portmap_t, initrc_t)
+can_udp_send(init_t, portmap_t)
 ifdef(`rpcd.te',
 `can_udp_send(portmap_t, rpcd_t)')
 ifdef(`inetd.te',
diff -ru /tmp/policy/domains/program/portslave.te policy/domains/program/portslave.te
--- /tmp/policy/domains/program/portslave.te	2002-08-23 20:44:19.000000000 +0200
+++ policy/domains/program/portslave.te	2002-09-20 05:19:59.000000000 +0200
@@ -13,6 +13,7 @@
 
 allow portslave_t shadow_t:file { read getattr };
 general_domain_access(portslave_t)
+domain_auto_trans(init_t, portslave_exec_t, portslave_t)
 ifdef(`rlogind.te', `
 domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
 ')
@@ -23,10 +24,12 @@
 
 allow portslave_t proc_t:file { getattr read };
 
-allow portslave_t { var_log_t devpts_t }:dir r_dir_perms;
+allow portslave_t { var_t var_log_t devpts_t }:dir search;
 
 allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
 
+allow portslave_t pppd_secret_t:file r_file_perms;
+
 can_network(portslave_t)
 allow portslave_t fs_t:filesystem getattr;
 ifdef(`radius.te', `
@@ -61,7 +64,7 @@
 allow portslave_t wtmp_t:file rw_file_perms;
 
 # Read and write ttys.
-allow portslave_t tty_device_t:chr_file rw_file_perms;
+allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
 allow portslave_t ttyfile:chr_file rw_file_perms;
 
 
diff -ru /tmp/policy/domains/program/postgresql.te policy/domains/program/postgresql.te
--- /tmp/policy/domains/program/postgresql.te	2002-09-21 05:01:28.000000000 +0200
+++ policy/domains/program/postgresql.te	2002-09-21 05:32:02.000000000 +0200
@@ -15,8 +15,6 @@
 # gross hack
 domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
 ')
-# a grosser hack, and not a good idea
-#allow postgresql_t etc_t:file setattr;
 
 dontaudit postgresql_t { sysadm_home_dir_t var_spool_t }:dir search;
 
@@ -70,10 +68,6 @@
 allow postgresql_t bin_t:lnk_file read;
 allow postgresql_t postgresql_exec_t:lnk_file read;
 
-# Not a good idea.
-#allow postgresql_t initrc_var_run_t:file { read write lock };
-allow postgresql_t initrc_var_run_t:file { read };
-
 allow postgresql_t self:sem rw_sem_perms;
 
 allow postgresql_t self:udp_socket recvfrom;
diff -ru /tmp/policy/domains/program/tmpreaper.te policy/domains/program/tmpreaper.te
--- /tmp/policy/domains/program/tmpreaper.te	2002-09-09 19:54:16.000000000 +0200
+++ policy/domains/program/tmpreaper.te	2002-09-21 05:37:06.000000000 +0200
@@ -15,6 +15,10 @@
 uses_shlib(tmpreaper_t)
 allow tmpreaper_t crond_t:fd use;
 allow tmpreaper_t crond_t:fifo_file { read write };
+ifdef(`fcron.te', `
+allow tmpreaper_t fcron_t:fd use;
+allow tmpreaper_t fcron_t:fifo_file { read write };
+')
 create_dir_file(tmpreaper_t, tmpfile)
 allow tmpreaper_t tmpfile:dir { rw_dir_perms rmdir };
 allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
diff -ru /tmp/policy/file_contexts/program/portslave.fc policy/file_contexts/program/portslave.fc
--- /tmp/policy/file_contexts/program/portslave.fc	2002-07-12 17:19:44.000000000 +0200
+++ policy/file_contexts/program/portslave.fc	2002-09-20 05:22:13.000000000 +0200
@@ -1,3 +1,4 @@
 # portslave
 /usr/sbin/portslave		system_u:object_r:portslave_exec_t
 /etc/portslave(/.*)?		system_u:object_r:portslave_etc_t
+/var/run/radius.(id)|(seq)	system_u:object_r:var_run_pppd_t
diff -ru /tmp/policy/genfs_contexts policy/genfs_contexts
--- /tmp/policy/genfs_contexts	2002-09-21 05:01:24.000000000 +0200
+++ policy/genfs_contexts	2002-09-15 19:17:05.000000000 +0200
@@ -84,6 +84,8 @@
 ')
 ifdef(`lpd.te', `
 genfscon devfs /printers	-c	system_u:object_r:printer_t
+genfscon devfs /lp		-c	system_u:object_r:printer_t
+genfscon devfs /usb/lp		-c	system_u:object_r:printer_t
 ')
 genfscon devfs /ppp			system_u:object_r:ppp_device_t
 genfscon devfs /fb	-c		system_u:object_r:framebuf_device_t

^ permalink raw reply	[flat|nested] 27+ messages in thread
end of thread, other threads:[~2005-08-18  7:41 UTC | newest]

Thread overview: 27+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-25 13:27 policy patch Russell Coker
2004-11-25 16:32 ` Luke Kenneth Casson Leighton
2004-11-25 19:05   ` Russell Coker
2004-11-25 20:34     ` Luke Kenneth Casson Leighton
2004-11-29 19:23 ` James Carter
2004-11-29 21:47 ` Daniel J Walsh
2004-11-30 16:42 ` Daniel J Walsh
  -- strict thread matches above, loose matches on Subject: below --
2005-08-18  7:31 Russell Coker
2005-01-12 18:46 [Fwd: New policy patch] Daniel J Walsh
2005-01-21 20:36 ` James Carter
2005-03-29 16:47   ` Policy Patch Daniel J Walsh
2005-04-01 20:28     ` James Carter
2004-10-13  5:55 policy patch Russell Coker
2004-10-13 20:17 ` James Carter
2004-08-24  8:18 Russell Coker
2004-08-24 12:23 ` Stephen Smalley
2004-08-24 16:54   ` Russell Coker
2004-08-27 20:58 ` James Carter
2004-08-28 13:46   ` Russell Coker
2004-08-30 20:24     ` James Carter
2004-07-12 14:12 Russell Coker
2004-07-12 19:46 ` Luke Kenneth Casson Leighton
2004-07-11  7:59 Russell Coker
2004-07-12 13:30 ` Stephen Smalley
2004-07-04  5:04 Russell Coker
2004-07-07 20:47 ` Stephen Smalley
2002-12-03 14:47 Stephen D. Smalley
2002-11-29 11:45 Russell Coker
2002-09-21  4:39 Russell Coker

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.