* [patch 00/35] Second round of Fedora/RedHat SELinux changes
From: david @ 2008-08-04 12:34 UTC (permalink / raw)
  To: selinux


Here's a second round of 35 hand-picked patches from the Fedora/RedHat
SELinux refpolicy megapatch. About 8 - 9 of the patches were also
in the first patchset I sent to the list but got either no comments
or were the subject of discussions for which no consensus was reached.

Please let me know if this is helpful so that I know if I should 
continue generating these patches.

Also, please don't CC me when discussing any of the patches, I am
subscribed to the list.

-- 
David Härdeman

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [patch 01/35] anaconda policy update
From: david @ 2008-08-04 12:34 UTC (permalink / raw)
  To: selinux


Anaconda is an RH installation program; RH should know their own program, and
the changes are quite trivial.

Previously submitted Jul 19, refreshed to apply to current SVN

Index: refpolicy/policy/modules/admin/anaconda.te
===================================================================
--- refpolicy.orig/policy/modules/admin/anaconda.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/anaconda.te	2008-08-03 16:52:56.000000000 +0200
@@ -31,14 +31,9 @@
 modutils_domtrans_insmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
-unconfined_domain(anaconda_t)
-
-unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-
-optional_policy(`
-	dmesg_domtrans(anaconda_t)
-')
+unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	kudzu_domtrans(anaconda_t)
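Review bot: the `optional_policy(` dmesg_domtrans(anaconda_t) ')` block is dropped with no replacement, which is a behaviour change the description ("quite trivial") does not mention; keep the block or say in the commit text why anaconda no longer needs to run dmesg. The rewritten `unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir ...})` line only removes the space after the comma, which is whitespace churn against refpolicy style; leave that line untouched.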
@@ -58,5 +53,9 @@
 ')
 
 optional_policy(`
+	unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
 	usermanage_domtrans_admin_passwd(anaconda_t)
 ')
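Review bot: with unconfined_domain(anaconda_t) now inside an optional_policy block, anaconda_t becomes a confined domain for the first time on builds without the unconfined module; the commit text should say whether such a build was tested or whether the remaining rules (seutil_domtrans_setsebool, usermanage_domtrans_admin_passwd and the rest of the file) are known to be sufficient. A one-line comment above the block noting that anaconda is effectively unconfined when the module is present would help readers of the .te file.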

-- 
David Härdeman


* [patch 02/35] kudzu policy update
From: david @ 2008-08-04 12:34 UTC (permalink / raw)
  To: selinux


kudzu is RedHat's hw management app; none of the changes seem
controversial.

Previously sent Jul 19, no comments so far

Index: refpolicy/policy/modules/admin/kudzu.te
===================================================================
--- refpolicy.orig/policy/modules/admin/kudzu.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/kudzu.te	2008-08-03 16:54:21.000000000 +0200
@@ -21,8 +21,8 @@
 # Local policy
 #
 
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
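Review bot: sys_ptrace moves from the dontaudit line to the allow line here, so kudzu_t gains CAP_SYS_PTRACE; that is a real privilege increase for a hardware-probing tool and sits oddly with "none of the changes seem controversial". Please add the denial or use case it fixes (it appears tied to the init_ptrace_init_domain call later in this patch); if the access is only needed to read init's state, init_read_init_state alone may cover it and the dontaudit can stay as it was.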
@@ -68,6 +68,7 @@
 modutils_read_module_deps(kudzu_t)
 modutils_read_module_config(kudzu_t)
 modutils_rename_module_config(kudzu_t)
+modutils_unlink_module_config(kudzu_t)
 
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
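Review bot: modutils_unlink_module_config(kudzu_t) is the interface form of the `allow kudzu_t modules_conf_t:file unlink;` rule that the last hunk of this patch deletes from the ifdef(`TODO') block; say so in the commit text so the deletion below reads as a move rather than a drop.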
@@ -103,6 +104,8 @@
 init_use_fds(kudzu_t)
 init_use_script_ptys(kudzu_t)
 init_stream_connect_script(kudzu_t)
+init_read_init_state(kudzu_t)
+init_ptrace_init_domain(kudzu_t)
 # kudzu will telinit to make init re-read
 # the inittab after configuring serial consoles
 init_telinit(kudzu_t)
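Review bot: init_ptrace_init_domain(kudzu_t) lets kudzu ptrace init_t, which is far broader than the surrounding rules (telinit, script ptys, fd use) suggest kudzu needs; if the motivation is reading /proc/1 state, init_read_init_state alone should suffice and the ptrace line should be dropped, or justified with the denial that prompted it.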
@@ -143,28 +146,6 @@
 ')
 
 optional_policy(`
-	# cjp: this was originally in the else block
-	# of ifdef userhelper.te, but it seems to
-	# make more sense here.  also, require
-	# blocks curently do not work in the
-	# else block of optionals
+	unconfined_domtrans(kudzu_t)
 	unconfined_domain(kudzu_t)
 ')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
-	allow kudzu_t printconf_t:file { getattr read };
-')
-optional_policy(`
-	allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
-	allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
-	role system_r types sysadm_userhelper_t;
-	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
-')
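Review bot: the explanatory comment (`# cjp: this was originally in the else block ... require blocks curently do not work in the else block of optionals`) is removed while the rule it explains stays, so the reason unconfined_domain(kudzu_t) sits in this optional block is lost; keep the comment or replace it with a one-liner. Deleting the dead ifdef(`TODO') block is fine, but the commit text should note that the sysadm_userhelper_t transition inside it is dropped deliberately rather than merged.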

-- 
David Härdeman


* [patch 03/35] logrotate policy update
From: david @ 2008-08-04 12:34 UTC (permalink / raw)
  To: selinux


Perhaps controversial changes

First sent on Jul 19, dwalsh described the need for the patch here:
http://marc.info/?l=selinux&m=121726318902852&w=2

Refreshed to apply cleanly to SVN repo

Index: refpolicy/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy.orig/policy/modules/admin/logrotate.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/logrotate.te	2008-08-03 16:59:10.000000000 +0200
@@ -97,6 +97,7 @@
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
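Review bot: files_search_all(logrotate_t) grants search on every directory type in the policy; since the linked rationale explains why logrotate must reach arbitrary log locations, put a one-line comment above the call (as the slrnpull spool line just below it has) so the breadth is visibly intentional rather than a quick fix for a denial.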
@@ -142,9 +143,8 @@
 ')
 
 optional_policy(`
-	apache_read_config(logrotate_t)
-	apache_domtrans(logrotate_t)
 	apache_signull(logrotate_t)
+	apache_manage_all_content(logrotate_t)
 ')
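Review bot: replacing apache_read_config and apache_domtrans with apache_manage_all_content gives logrotate_t write access to every httpd content type, far more than rotating logs in an Apache content directory requires, and it removes the only path by which a postrotate script could run Apache binaries in the apache domain, leaving just signull. Please state in the commit text which Apache log layout and postrotate idiom this targets, and consider a narrower interface (manage of the log type only) instead of all content.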
 
 optional_policy(`
@@ -186,6 +186,5 @@
 ')
 
 optional_policy(`
-	# cjp: why?
-	squid_domtrans(logrotate_t)
+	squid_signal(logrotate_t)
 ')
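Review bot: swapping squid_domtrans for squid_signal assumes a postrotate that signals the running squid_t process directly (kill on the pidfile) rather than invoking the squid binary, which would now run in logrotate_t; spell that assumption out in the commit text, since it is the answer to the `# cjp: why?` comment being removed here.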

-- 
David Härdeman


* [patch 04/35] corenetwork policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


This patch should be a no-brainer, additional network port names only...

Originally sent on Jul 19, changed to comment out auditd port per
comments on the list.

Index: refpolicy/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy.orig/policy/modules/kernel/corenetwork.te.in	2008-08-03 13:09:47.000000000 +0200
+++ refpolicy/policy/modules/kernel/corenetwork.te.in	2008-08-03 17:04:05.000000000 +0200
@@ -75,6 +75,7 @@
 network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+#network_port(audit, tcp,60,s0) - not a registered port (yet?)
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
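Review bot: a commented-out `#network_port(audit, tcp,60,s0) - not a registered port (yet?)` line is dead text in a generated .te.in; since the list discussion already concluded the port should not be added, drop the line entirely and record the decision in the commit text rather than in the policy source.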
@@ -82,6 +83,7 @@
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
 network_port(comsat, udp,512,s0)
+network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dbskkd, tcp,1178,s0)
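Review bot: the new cyphesis line breaks the alphabetical ordering of this block (cvs sorts before cyphesis); move it below `network_port(cvs, ...)`. Also udp/32771 lies inside the default Linux ephemeral port range, so labelling it cyphesis_port_t changes the label of ordinary outgoing sockets that happen to bind that port; confirm the service really listens there before adding it.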
@@ -91,6 +93,7 @@
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,1935,s0, udp,1935,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -109,11 +112,13 @@
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -122,6 +127,8 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
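Review bot: mythtv sorts after mysqld (and after its trailing portcon line), so `network_port(mythtv, ...)` should go below `portcon tcp 63132-63163 ...` to keep the block ordered; munin is placed correctly.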
@@ -133,10 +140,13 @@
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(postfix_policyd, tcp,10031,s0)
+network_port(pulseaudio, tcp,4713,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
 network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pxe, udp,4011,s0)
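Review bot: ordering and whitespace: pgpkeyserver belongs between pegasus_https and pop, pulseaudio between ptal and pxe, and `network_port(pgpkeyserver, udp, 11371,s0, ...)` has a stray space after `udp,` that no other line in the file has; prelude is placed correctly.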
@@ -148,11 +158,11 @@
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0)
+network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(rwho, udp,513,s0)
-network_port(smbd, tcp,139,s0, tcp,445,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
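Review bot: widening smbd_port_t from tcp/139 to tcp/137-139 adds the NetBIOS name and datagram service ports, which are normally UDP services handled by nmbd rather than ports smbd itself binds; state which denial required TCP 137/138, or keep the original 139 and 445. The router change (RIP on 520 plus RIPng on 521 udp/tcp) reads fine.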
@@ -170,7 +180,12 @@
 network_port(transproxy, tcp,8081,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+
 network_port(vnc, tcp,5900,s0)
+# Reserve 100 ports for vnc/virt machines
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
 network_port(wccp, udp,2048,s0)
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
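Review bot: the comment says "Reserve 100 ports for vnc/virt machines" but `portcon tcp 5901-5999` covers 99; also whois sorts after wccp, so the whois line should move one line down, and the stray blank line added after `network_port(virt, ...)` should go, since the rest of the block has none.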

-- 
David Härdeman


* [patch 05/35] courier policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Adds a separate context for courier spooling dirs/files and a few
new interfaces.

Originally sent on Jul 19, received no comments, refreshed patch only

Index: refpolicy/policy/modules/services/courier.fc
===================================================================
--- refpolicy.orig/policy/modules/services/courier.fc	2008-08-03 13:09:39.000000000 +0200
+++ refpolicy/policy/modules/services/courier.fc	2008-08-03 17:04:59.000000000 +0200
@@ -19,3 +19,5 @@
 /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
 
 /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/courier(/.*)?		gen_context(system_u:object_r:courier_spool_t,s0)
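Review bot: the new `/var/spool/courier(/.*)?` entry correctly omits the `--` file-type field so directories get courier_spool_t; note that the neighbouring `/var/lib/courier(/.*)?` and `/var/run/courier(/.*)?` context lines carry `--`, which restricts them to regular files and leaves their directories unlabelled, and is worth fixing in the same patch while the file is touched.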
Index: refpolicy/policy/modules/services/courier.if
===================================================================
--- refpolicy.orig/policy/modules/services/courier.if	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/courier.if	2008-08-03 17:05:41.000000000 +0200
@@ -123,3 +123,77 @@
 
 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
+
+
+########################################
+## <summary>
+##	Allow domain to read courier config files
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_read_config',`
+	gen_require(`
+		type courier_etc_t;
+	')
+
+	read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage courier spool directories
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage courier spool files
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+##	Allow attempts to read and write to
+##	courier unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`courier_rw_pipes',`
+	gen_require(`
+		type courier_spool_t;
+	')
+
+	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
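Review bot: the `<param name="prefix">` tags on courier_read_config, courier_manage_spool_dirs and courier_manage_spool_files should be `<param name="domain">`, since the parameter is a domain and the generated interface documentation would otherwise show a parameter called prefix; courier_rw_pipes documents its parameter as "Domain to not audit" although the body is an allow rule; and courier_read_config should include files_search_etc($1) as other *_read_config interfaces do. Also drop one of the two blank lines added after the existing domtrans interface.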
Index: refpolicy/policy/modules/services/courier.te
===================================================================
--- refpolicy.orig/policy/modules/services/courier.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/courier.te	2008-08-03 17:04:59.000000000 +0200
@@ -9,7 +9,10 @@
 courier_domain_template(authdaemon)
 
 type courier_etc_t;
-files_type(courier_etc_t)
+files_config_file(courier_etc_t)
+
+type courier_spool_t;
+files_type(courier_spool_t)
 
 courier_domain_template(pcp)
 
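Review bot: courier_spool_t is declared and labelled on /var/spool/courier, but no hunk in this patch grants any courier_* domain access to it, so once the directory is relabelled the daemons' own spooling will be denied unless such rules exist elsewhere; add the manage rules (or calls to the new courier_manage_spool_* interfaces) in the same patch. The switch of courier_etc_t to files_config_file is fine.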
@@ -25,6 +28,7 @@
 
 type courier_exec_t;
 files_type(courier_exec_t)
+mta_mailclient(courier_exec_t)
 
 courier_domain_template(sqwebmail)
 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
@@ -97,12 +101,12 @@
 courier_domtrans_authdaemon(courier_pop_t)
 
 # do the actual work (read the Maildir)
-userdom_manage_unpriv_users_home_content_files(courier_pop_t)
+unprivuser_manage_home_content_files(courier_pop_t)
 # cjp: the fact that this is different for pop vs imap means that
 # there should probably be a courier_pop_t and courier_imap_t
 # this should also probably be a separate type too instead of
 # the regular home dir
-userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+unprivuser_manage_home_content_dirs(courier_pop_t)
 
 ########################################
 #
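Review bot: the rename from userdom_manage_unpriv_users_home_content_* to unprivuser_manage_home_content_* is an interface-API change not covered by the commit text ("separate context ... and a few new interfaces"); call it out, and confirm the unprivuser interfaces exist in the refpolicy revision the patch targets rather than only in the Fedora tree.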

-- 
David Härdeman


* [patch 06/35] soundserver policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


This policy was written by Ken Yang and reviewed by Dan Walsh:
http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
and here:
https://bugzilla.redhat.com/show_bug.cgi?id=250453

I updated the .fc changes to also work with Debian paths.

Originally submitted Jul 19, refreshed to apply cleanly

Index: refpolicy/policy/modules/services/soundserver.fc
===================================================================
--- refpolicy.orig/policy/modules/services/soundserver.fc	2008-08-03 13:09:39.000000000 +0200
+++ refpolicy/policy/modules/services/soundserver.fc	2008-08-03 17:07:46.000000000 +0200
@@ -7,4 +7,8 @@
 /usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
 
 /var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/nasd(/.*)?  	gen_context(system_u:object_r:soundd_var_run_t,s0)
+
 /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
+
+/etc/(rc.d/)?init.d/nas(d)?	--	gen_context(system_u:object_r:soundd_script_exec_t,s0)
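Review bot: `/etc/(rc.d/)?init.d/nas(d)?` leaves the dots unescaped, so `.` matches any character; write it `/etc/(rc\.d/)?init\.d/nas(d)?` as the rest of refpolicy does. The `/var/run/nasd(/.*)?` line also mixes two spaces and a tab before gen_context where the file uses tabs.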
Index: refpolicy/policy/modules/services/soundserver.if
===================================================================
--- refpolicy.orig/policy/modules/services/soundserver.if	2008-08-03 13:09:39.000000000 +0200
+++ refpolicy/policy/modules/services/soundserver.if	2008-08-03 17:13:28.000000000 +0200
@@ -13,3 +13,74 @@
 interface(`soundserver_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	Execute soundd server in the soundd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`soundserver_script_domtrans',`
+	gen_require(`
+		type soundd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,soundd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an soundd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the soundd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`soundserver_admin',`
+	gen_require(`
+		type soundd_t;
+		type soundd_script_exec_t;
+		type soundd_etc_t;
+		type soundd_tmp_t;
+		type soundd_var_run_t;
+	')
+
+	allow $1 soundd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, soundd_t, soundd_t)
+
+	# Allow soundd_t to restart the apache service
+	soundserver_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 soundd_script_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+        manage_all_pattern($1,soundd_tmp_t)
+
+	files_list_etc($1)
+        manage_all_pattern($1,soundd_etc_t)
+
+	files_list_pids($1)
+        manage_all_pattern($1,soundd_var_run_t)
+')
+
+
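Review bot: `# Allow soundd_t to restart the apache service` is a copy-paste leftover from apache_admin and misdescribes the soundserver_script_domtrans($1) call that follows; fix it to refer to the soundd service. Also: the three manage_all_pattern lines are indented with spaces where the file uses tabs, "an soundd environment" should read "a soundd environment", the doubled `#` line above soundserver_script_domtrans should be a single `#`, and the admin interface omits soundd_state_t and soundd_tmpfs_t (both visible in the .te), so an admin role could not clean up those files.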
Index: refpolicy/policy/modules/services/soundserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/soundserver.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/soundserver.te	2008-08-03 17:11:27.000000000 +0200
@@ -10,9 +10,6 @@
 type soundd_exec_t;
 init_daemon_domain(soundd_t, soundd_exec_t)
 
-type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
-
 type soundd_state_t;
 files_type(soundd_state_t)
 
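Review bot: removing `type soundd_etc_t alias etc_soundd_t;` drops the etc_soundd_t alias, and the redeclaration in the next hunk does not carry it, so any file contexts or modules still using the old name will fail to load; keep the alias on the new declaration unless it is known to be unused.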
@@ -26,21 +23,30 @@
 type soundd_var_run_t;
 files_pid_file(soundd_var_run_t)
 
+type soundd_etc_t;
+files_config_file(soundd_etc_t)
+
+type soundd_script_exec_t;
+init_script_type(soundd_script_exec_t)
+
 ########################################
 #
-# Declarations
+# sound server local policy
 #
 
+allow soundd_t self:capability dac_override;
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+fs_getattr_all_fs(soundd_t)
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;
 
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
+read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
 
 manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
 manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
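Review bot: `allow soundd_t self:capability dac_override;` lets the sound server bypass file permission checks, which the commit text does not justify; the denial it fixes is usually a mis-owned socket or config file and should be fixed there. Separately, the replaced lines granted list_dir_perms on the config directory and `soundd_etc_t:lnk_file { getattr read }`, but `read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)` covers only dir search and file read, so add read_lnk_files_pattern for the same types or config symlinks will break; and the new calls lack the spaces after commas used elsewhere in the file.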
@@ -55,8 +61,10 @@
 manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
 manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
-files_pid_filetrans(soundd_t, soundd_var_run_t, file)
+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
 
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
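Review bot: manage_sock_files_pattern is added for soundd_var_run_t, but `files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })` lists only file and dir, so a socket created directly under /var/run would keep the generic type; add sock_file to the class list if the daemon does that, or note that sockets live under /var/run/nasd/ (labelled by the .fc change) and need no filetrans. Spacing after commas again differs from the surrounding lines.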
@@ -96,10 +104,13 @@
 sysnet_read_config(soundd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-
 sysadm_dontaudit_search_home_dirs(soundd_t)
 
 optional_policy(`
+	alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(soundd_t)
 ')
 
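Review bot: alsa_domtrans(soundd_t) is a new domain transition into the alsa domain with no explanation in the commit text; say which helper soundd executes that needs it. The blank line removed between userdom_dontaudit_use_unpriv_user_fds and sysadm_dontaudit_search_home_dirs is unrelated whitespace churn.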

-- 
David Härdeman


* [patch 07/35] w3c policy addition
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


This is a new module not present upstream; it contains nothing that
looks controversial.

I've added one Debian path (/usr/lib/cgi-bin/check); perhaps it should be
in a conditional block.

Originally submitted Jul 19, no comments so far

Index: refpolicy/policy/modules/services/w3c.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/services/w3c.fc	2008-08-03 17:13:33.000000000 +0200
@@ -0,0 +1,3 @@
+/usr/share/w3c-markup-validator(/.*)?		gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/lib/cgi-bin/check				gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
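Review bot: `/usr/lib/cgi-bin/check` is a generic Debian CGI path whose basename could belong to any package on other distributions, so the author's own instinct is right: wrap it in `ifdef(`distro_debian',` ... `')` as refpolicy does for other distro-specific paths. The two w3c-markup-validator patterns overlap, which is fine since the longer cgi-bin match takes precedence.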
Index: refpolicy/policy/modules/services/w3c.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/services/w3c.if	2008-08-03 17:13:33.000000000 +0200
@@ -0,0 +1,20 @@
+## <summary>W3C</summary>
+
+########################################
+## <summary>
+##	Execute w3c server in the w3c domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`w3c_script_domtrans',`
+	gen_require(`
+		type w3c_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,w3c_script_exec_t)
+')
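Review bot: w3c_script_domtrans requires a type w3c_script_exec_t that the .te never declares (the module only calls apache_content_template(w3c_validator)), so any caller would fail at link time; the interface is a copy of the soundserver init-script template and does not fit a CGI running under httpd. Drop it, or declare an init script type if one really exists. Also the doubled `#` before the interface should be a single `#`.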
Index: refpolicy/policy/modules/services/w3c.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/services/w3c.te	2008-08-03 17:13:33.000000000 +0200
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
+apache_content_template(w3c_validator)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
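Review bot: a new module should start at policy_module(w3c,1.0.0) rather than inheriting 1.2.1 from the Fedora tree. The ftp/http/http_cache connects are granted unconditionally, whereas other httpd script domains get outbound network access through the httpd_can_network_connect tunable; either wrap these in that tunable or explain in the commit text why the validator must always be able to fetch remote documents. Also check that the generic interface/node sendrecv rules and the self:tcp_socket permissions come from apache_content_template, since none appear in this file.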

-- 
David Härdeman


* [patch 08/35] logging policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Most changes here seem uncontroversial. Note that the logging_admin_audit
and logging_admin_syslog interfaces are not currently used in the
refpolicy so changing their signature shouldn't be a problem.

Originally submitted Jul 19, no comments so far

Index: refpolicy/policy/modules/system/logging.fc
===================================================================
--- refpolicy.orig/policy/modules/system/logging.fc	2008-08-03 13:09:37.000000000 +0200
+++ refpolicy/policy/modules/system/logging.fc	2008-08-03 17:14:08.000000000 +0200
@@ -4,6 +4,8 @@
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 
+/sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
+/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
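Review bot: audisp_exec_t and audisp_remote_exec_t are referenced here but none of the hunks in this message declare them (the logging.te part of the patch is not shown), so make sure the type declarations, the audisp domains and the logging_stream_connect_audisp interface used further down land in the same patch, otherwise the file contexts will not compile.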
@@ -20,6 +22,7 @@
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 
 ifdef(`distro_suse', `
@@ -37,7 +40,7 @@
 /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
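Review bot: dropping `--` so `/var/log/syslog-ng(/.*)?` labels directories is right, but the type stays syslogd_var_run_t, a pid-file type, for what is a log directory; every other /var/log entry in this hunk uses var_log_t or a logfile type, and logrotate and log readers key on those, so consider relabelling it to a log type while fixing the line.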
@@ -48,7 +51,7 @@
 ')
 
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
@@ -59,3 +62,8 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/etc/rc\.d/init\.d/rsyslog	--	gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
+
+/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
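Review bot: the init script entries use `/etc/rc\.d/init\.d/...` only, so they will not match on distributions without rc.d; use `/etc/(rc\.d/)?init\.d/...` as the soundserver patch in this series does. Also `/var/cfengine/outputs(/.*)?` is a cfengine path with no connection to the logging module; it belongs in a cfengine module or at least in its own commit.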
Index: refpolicy/policy/modules/system/logging.if
===================================================================
--- refpolicy.orig/policy/modules/system/logging.if	2008-08-03 13:09:37.000000000 +0200
+++ refpolicy/policy/modules/system/logging.if	2008-08-03 17:14:08.000000000 +0200
@@ -213,12 +213,7 @@
 ## </param>
 #
 interface(`logging_stream_connect_auditd',`
-	gen_require(`
-		type auditd_t, auditd_var_run_t;
-	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+	logging_stream_connect_audisp($1)
 ')
 
 ########################################
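Review bot: reducing logging_stream_connect_auditd() to a call to logging_stream_connect_audisp() removes the connect permission to auditd_t's sockets in auditd_var_run_t (auditd_sock, audit_events in logging.fc) for every existing caller. If those callers only ever needed the dispatcher socket, say so in the commit message and mark the interface as deprecated in its summary; otherwise keep the original files_search_pids()/stream_connect_pattern() lines and add the audisp call next to them.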
@@ -530,8 +525,27 @@
 	')
 
 	files_search_var($1)
-	allow $1 var_log_t:dir list_dir_perms;
-	allow $1 logfile:file { getattr append };
+	append_files_pattern($1, var_log_t, logfile)
+')
+
+########################################
+## <summary>
+##	read/write to all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_rw_all_logs',`
+	gen_require(`
+		attribute logfile;
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	rw_files_pattern($1, var_log_t, logfile)
 ')
 
 ########################################
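Review bot: logging_rw_all_logs() grants read and write on every file carrying the logfile attribute, which includes auditd_log_t (mls_systemhigh), so a domain given this interface can alter the audit trail; the summary should say so and the interface should not be handed to ordinary daemons. In logging_append_all_logs(), swapping `allow $1 var_log_t:dir list_dir_perms;` and `{ getattr append }` for append_files_pattern() changes the granted permissions (search rather than list on the directory, the full append_file_perms set on the files), which is fine but should be described as a behaviour change rather than a cleanup. Also the new summary `read/write to all log files.` should match the surrounding style: "Read and write all log files."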
@@ -596,6 +610,8 @@
 	files_search_var($1)
 	manage_files_pattern($1,logfile,logfile)
 	read_lnk_files_pattern($1,logfile,logfile)
+	allow $1 logfile:dir  { relabelfrom relabelto };
+	allow $1 logfile:file  { relabelfrom relabelto };
 ')
 
 ########################################
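Review bot: `allow $1 logfile:dir { relabelfrom relabelto };` and the file line let a caller of logging_manage_all_logs() relabel between any two logfile types, for instance moving a file from auditd_log_t to var_log_t, which undoes the separation between audit logs and generic logs. If this is for logrotate, a narrower form (relabelfrom on all logfile types, relabelto only on var_log_t or the original type) would keep that separation. Both lines also have a doubled space before the brace.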
@@ -641,6 +657,25 @@
 
 ########################################
 ## <summary>
+##	Dontaudit Write generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dontaudit_write_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	dontaudit $1 var_log_t:file write;
+')
+
+########################################
+## <summary>
 ##	Read and write generic log files.
 ## </summary>
 ## <param name="domain">
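Review bot: logging_dontaudit_write_generic_logs() contains files_search_var($1), which is an allow rule; a dontaudit interface should not grant anything. Drop the line, or use files_dontaudit_search_var() if that is what the caller needs. The summary also capitalises "Write" mid-sentence ("Do not audit attempts to write generic log files." would match the rest of the file).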
@@ -695,6 +730,7 @@
 interface(`logging_admin_audit',`
 	gen_require(`
 		type auditd_t, auditd_etc_t, auditd_log_t;
+		type auditd_script_exec_t;
 		type auditd_var_run_t;
 	')
 
@@ -709,6 +745,15 @@
 
 	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
 	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+	logging_run_auditctl($1, $2, $3)
+
+	# Allow $1 to restart the audit service
+	logging_audit_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 auditd_script_exec_t system_r;
+	allow $2 system_r;
+
 ')
 
 ########################################
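Review bot: logging_admin_audit() now uses $2 and $3, but the interface's doc block (above this hunk, not touched here) still documents a single parameter and existing single-argument callers will expand to `role_transition  auditd_script_exec_t system_r;` and fail to build. The role and terminal parameters need documenting and the callers need updating in the same patch. There is also a stray blank line before the closing `')`.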
@@ -729,6 +774,7 @@
 		type syslogd_tmp_t, syslogd_var_lib_t;
 		type syslogd_var_run_t, klogd_var_run_t;
 		type klogd_tmp_t, var_log_t;
+		type syslogd_script_exec_t;
 	')
 
 	allow $1 syslogd_t:process { ptrace signal_perms };
@@ -756,6 +802,12 @@
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
+
+	# Allow $1 to restart the syslog service
+	logging_syslog_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 syslogd_script_exec_t system_r;
+	allow $2 system_r;
 ')
 
 ########################################
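Review bot: same problem as in logging_admin_audit(): $2 and $3 are new parameters with neither the doc block nor the callers updated. Note as well that syslogd_script_exec_t is only assigned to /etc/rc.d/init.d/rsyslog in logging.fc, so on syslog-ng or sysklogd systems the role_transition here never fires.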
@@ -771,6 +823,132 @@
 ## <rolecap/>
 #
 interface(`logging_admin',`
-	logging_admin_audit($1)
-	logging_admin_syslog($1)
+	logging_admin_audit($1, $2, $3)
+	logging_admin_syslog($1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Execute syslog server in the syslogd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`logging_syslog_script_domtrans',`
+	gen_require(`
+		type syslogd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,syslogd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute audit server in the auditd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`logging_audit_script_domtrans',`
+	gen_require(`
+		type auditd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_audisp',`
+	gen_require(`
+		type audisp_t;
+                type audisp_exec_t;
+	')
+
+	domtrans_pattern($1,audisp_exec_t,audisp_t)
+')
+
+########################################
+## <summary>
+##	Signal the audisp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_audisp_signal',`
+	gen_require(`
+		type audisp_t;
+	')
+
+	allow $1 audisp_t:process signal;
+')
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by the system audisp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`logging_audisp_system_domain',`
+	gen_require(`
+		type audisp_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domtrans_pattern(audisp_t,$2,$1)
+	allow $1 audisp_t:process signal;
+
+	allow audisp_t $2:file getattr;
+	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Connect to auditdstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_stream_connect_audisp',`
+	gen_require(`
+		type audisp_t, audisp_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
 ')
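Review bot: several doc blocks in this hunk are copy-and-paste leftovers: logging_audisp_signal() describes its parameter as "Domain allowed to transition", logging_stream_connect_audisp() says "Connect to auditdstored over an unix stream socket", and logging_admin() gains $2/$3 without documenting them. In logging_domtrans_audisp() the `type audisp_exec_t;` line is indented with spaces instead of a tab. In logging_audisp_system_domain(), `allow $1 audisp_t:process signal;` lets every plugin domain signal the dispatcher; domtrans_pattern() already grants the sigchld the dispatcher needs from its children, so if signal is really required say which plugin needs it.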
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- refpolicy.orig/policy/modules/system/logging.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/system/logging.te	2008-08-03 17:14:41.000000000 +0200
@@ -61,10 +61,29 @@
 logging_log_file(var_log_t)
 files_mountpoint(var_log_t)
 
+type auditd_script_exec_t;
+init_script_type(auditd_script_exec_t)
+
+type syslogd_script_exec_t;
+init_script_type(syslogd_script_exec_t)
+
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+	init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)
 ')
 
+type audisp_t;
+type audisp_exec_t;
+init_system_domain(audisp_t, audisp_exec_t)
+
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
+type audisp_remote_t;
+type audisp_remote_exec_t;
+domain_type(audisp_remote_t)
+domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
+
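Review bot: audisp_remote_t receives domain_type() and domain_entry_file() here and again through logging_audisp_system_domain() in the audisp_remote section below (where that interface is even called twice); declare only the two types here and let the interface do the rest. init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) also moves syslogd to system high on MLS builds, which is a real change in the trust placed in syslogd and deserves its own sentence in the commit message.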
 ########################################
 #
 # Auditctl local policy
@@ -84,6 +103,7 @@
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 
+
 domain_read_all_domains_state(auditctl_t)
 domain_use_interactive_fds(auditctl_t)
 
@@ -158,11 +178,13 @@
 
 mls_file_read_all_levels(auditd_t)
 mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+mls_fd_use_all_levels(auditd_t)
 
 seutil_dontaudit_read_config(auditd_t)
 
-userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+sysnet_dns_name_resolve(auditd_t)
 
+userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 sysadm_dontaudit_search_home_dirs(auditd_t)
 
 ifdef(`distro_ubuntu',`
@@ -172,6 +194,10 @@
 ')
 
 optional_policy(`
+	mta_send_mail(auditd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
 ')
 
@@ -209,6 +235,7 @@
 
 fs_getattr_all_fs(klogd_t)
 fs_search_auto_mountpoints(klogd_t)
+fs_search_tmpfs(klogd_t)
 
 domain_use_interactive_fds(klogd_t)
 
@@ -253,7 +280,6 @@
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 allow syslogd_t self:process { signal_perms setpgid };
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
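Review bot: removing the netlink_route_socket rule for syslogd_t is only correct because auth_use_nsswitch(syslogd_t), added further down in this patch, supplies the same permission; keep the two in one patch (as here) and note the dependency in the commit message so this hunk is not cherry-picked on its own.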
@@ -275,6 +301,9 @@
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+mls_fd_use_all_levels(syslogd_t)
+
 # manage temporary files
 manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
 manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
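Review bot: mls_file_write_all_levels(syslogd_t) is a broad MLS exemption for a daemon that accepts input from every local process; the comment only says it is for the /var/run and /var/log directories. With syslogd now ranged at mls_systemhigh, mls_file_write_to_clearance() or a directory-specific exemption would be narrower, and the comment should state which file types at lower levels syslogd actually has to write.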
@@ -290,12 +319,14 @@
 manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 
+kernel_read_system_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
 kernel_read_messages(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+files_read_kernel_symbol_table(syslogd_t)
 
 dev_filetrans(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
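Review bot: files_read_kernel_symbol_table(syslogd_t) gives syslogd read access to System.map; that is what rsyslog's imklog needs for symbol resolution, but it should be explained, and it could be made conditional since syslog-ng and sysklogd do not need it.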
@@ -328,6 +359,8 @@
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
 corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
 
 # syslog-ng can send or receive logs
 corenet_sendrecv_syslogd_client_packets(syslogd_t)
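Review bot: connecting to the PostgreSQL and MySQL ports is only needed for the database output modules of rsyslog/syslog-ng; unconditional client access from syslogd to database servers is not something every site wants. Wrap these two lines (and the postgresql_stream_connect() block below) in a tunable such as syslogd_use_db, defaulting to false.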
@@ -340,23 +373,23 @@
 domain_use_interactive_fds(syslogd_t)
 
 files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 
+auth_use_nsswitch(syslogd_t)
+
 libs_use_ld_so(syslogd_t)
 libs_use_shared_libs(syslogd_t)
 
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
 
-sysnet_read_config(syslogd_t)
-
 miscfiles_read_localization(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-
 sysadm_dontaudit_search_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
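Review bot: sysnet_read_config(syslogd_t) is subsumed by the new auth_use_nsswitch(syslogd_t), which is fine, but the removal of the blank line between the userdom_ and sysadm_ dontaudit lines is unrelated whitespace churn; keep it out of a functional patch.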
@@ -382,15 +415,11 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(syslogd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(syslogd_t)
+	seutil_sigchld_newrole(syslogd_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(syslogd_t)
+	postgresql_stream_connect(syslogd_t)
 ')
 
 optional_policy(`
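Review bot: optional_policy blocks are kept in module-alphabetical order, so the new postgresql_stream_connect(syslogd_t) block should come before the seutil_sigchld_newrole block, not after it. The nis_use_ypbind and nscd_socket_use blocks are dropped because auth_use_nsswitch() covers them; say so in the commit message.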
@@ -401,3 +430,67 @@
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
+
+########################################
+#
+# audisp local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(audisp_t)
+
+allow audisp_t self:capability sys_nice;
+allow audisp_t self:process setsched;
+
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+
+files_read_etc_files(audisp_t)
+
+libs_use_ld_so(audisp_t)
+libs_use_shared_libs(audisp_t)
+
+logging_send_syslog_msg(audisp_t)
+
+miscfiles_read_localization(audisp_t)
+
+mls_file_write_all_levels(audisp_t)
+
+corecmd_search_bin(audisp_t)
+allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+logging_domtrans_audisp(auditd_t)
+logging_audisp_signal(auditd_t)
+
+########################################
+#
+# audisp_remote local policy
+#
+
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
+
+allow audisp_remote_t self:tcp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
+corenet_all_recvfrom_netlabel(audisp_remote_t)
+corenet_tcp_sendrecv_all_if(audisp_remote_t)
+corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+corenet_tcp_connect_audit_port(audisp_remote_t)
+
+files_read_etc_files(audisp_remote_t)
+
+libs_use_ld_so(audisp_remote_t)
+libs_use_shared_libs(audisp_remote_t)
+
+logging_send_syslog_msg(audisp_remote_t)
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
+
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
+
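Review bot: logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t) is called twice in the audisp_remote section (at its top and again after logging_send_syslog_msg); remove one. `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` uses a file permission set on a socket class; rw_socket_perms is the right set. mls_file_write_all_levels(audisp_t) is not justified by anything in this section (audisp only creates sock files under /var/run). The audisp rules are also not grouped by module (corecmd_search_bin and the self:unix_dgram_socket allow sit after mls_), and logging_domtrans_audisp(auditd_t)/logging_audisp_signal(auditd_t) belong in the auditd section, not under the audisp header.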

-- 
David Härdeman


* [patch 09/35] xen policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Mostly uncontroversial fixes and cleanups, also adds the xen_rw_image_files
interface which is needed for the qemu patch.

Submitted Jul 19, no comments, refreshed to apply cleanly

Index: refpolicy/policy/modules/system/xen.fc
===================================================================
--- refpolicy.orig/policy/modules/system/xen.fc	2008-08-03 13:09:36.000000000 +0200
+++ refpolicy/policy/modules/system/xen.fc	2008-08-03 17:16:57.000000000 +0200
@@ -20,6 +20,7 @@
 /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
 /var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 
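Review bot: /var/run/xenner(/.*)? is given xend_var_run_t, so a separate program's runtime directory shares xend's pid type; a short comment on why xenner does not get its own type (or why that is acceptable) would help, especially since xend_var_run_t also becomes a mountpoint in xen.te.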
Index: refpolicy/policy/modules/system/xen.if
===================================================================
--- refpolicy.orig/policy/modules/system/xen.if	2008-08-03 13:09:36.000000000 +0200
+++ refpolicy/policy/modules/system/xen.if	2008-08-03 17:16:57.000000000 +0200
@@ -167,11 +167,14 @@
 #
 interface(`xen_stream_connect',`
 	gen_require(`
-		type xend_t, xend_var_run_t;
+		type xend_t, xend_var_run_t,  xend_var_lib_t;
 	')
 
 	files_search_pids($1)
 	stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t)
+
+	files_search_var_lib($1)
+	stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t)
 ')
 
 ########################################
@@ -191,3 +194,24 @@
 
 	domtrans_pattern($1,xm_exec_t,xm_t)
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	xend image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+	gen_require(`
+		type xen_image_t, xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	allow $1 xend_var_lib_t:dir search_dir_perms;
+	rw_files_pattern($1,xen_image_t,xen_image_t)
+')
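Review bot: the parameter of xen_rw_image_files() is documented as "Domain allowed to transition" although no transition happens; it should read "Domain allowed access." The interface only covers regular files, whereas xend itself uses rw_blk_files_pattern() on xen_image_t as well, so if qemu is meant to open block-device backed images this needs rw_blk_files_pattern($1,xen_image_t,xen_image_t) too.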
Index: refpolicy/policy/modules/system/xen.te
===================================================================
--- refpolicy.orig/policy/modules/system/xen.te	2008-08-03 13:09:36.000000000 +0200
+++ refpolicy/policy/modules/system/xen.te	2008-08-03 17:16:57.000000000 +0200
@@ -6,6 +6,13 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow xen to manage nfs files
+## </p>
+## </desc>
+gen_tunable(xen_use_nfs,false)
+
 # console ptys
 type xen_devpts_t;
 term_pty(xen_devpts_t);
@@ -42,25 +49,31 @@
 # pid files
 type xend_var_run_t;
 files_pid_file(xend_var_run_t)
+files_mountpoint(xend_var_run_t)
 
 type xenstored_t;
 type xenstored_exec_t;
-domain_type(xenstored_t)
-domain_entry_file(xenstored_t,xenstored_exec_t)
-role system_r types xenstored_t;
+init_daemon_domain(xenstored_t,xenstored_exec_t)
+
+# tmp files
+type xenstored_tmp_t;
+files_tmp_file(xenstored_tmp_t)
 
 # var/lib files
 type xenstored_var_lib_t;
 files_type(xenstored_var_lib_t)
 
+# log files
+type xenstored_var_log_t;
+logging_log_file(xenstored_var_log_t)
+
 # pid files
 type xenstored_var_run_t;
 files_pid_file(xenstored_var_run_t)
 
 type xenconsoled_t;
 type xenconsoled_exec_t;
-domain_type(xenconsoled_t)
-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)
 role system_r types xenconsoled_t;
 
 # pid files
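Review bot: `role system_r types xenconsoled_t;` after init_daemon_domain(xenconsoled_t,xenconsoled_exec_t) is redundant, since init_daemon_domain() already adds the domain to system_r; remove it, as the xenstored block does. files_mountpoint(xend_var_run_t) also deserves a line in the commit message saying what gets mounted under /var/run/xend.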
@@ -95,7 +108,7 @@
 read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
 rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
 
-allow xend_t xenctl_t:fifo_file manage_file_perms;
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(xend_t, xenctl_t, fifo_file)
 
 manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
@@ -103,14 +116,14 @@
 files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
 
 # pid file
-allow xend_t xend_var_run_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir })
 
 # log files
-allow xend_t xend_var_log_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t)
 manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
 manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
 logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
@@ -122,15 +135,13 @@
 manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
 files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
 
+init_stream_connect_script(xend_t)
+
 # transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
 
 # transition to console
-domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-allow xenconsoled_t xend_t:fd use;
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
 
 kernel_read_kernel_sysctls(xend_t)
 kernel_read_system_state(xend_t)
@@ -176,6 +187,7 @@
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
 files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 storage_raw_write_fixed_disk(xend_t)
@@ -207,11 +219,15 @@
 sysnet_read_dhcpc_pid(xend_t)
 sysnet_rw_dhcp_config(xend_t)
 
+sysadm_dontaudit_search_home_dirs(xend_t)
+
 xen_stream_connect_xenstore(xend_t)
 
 netutils_domtrans(xend_t)
 
-sysadm_dontaudit_search_home_dirs(xend_t)
+optional_policy(`
+	brctl_domtrans(xend_t)
+')
 
 optional_policy(`
 	consoletype_exec(xend_t)
@@ -224,7 +240,7 @@
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file  rw_fifo_file_perms;
 
 allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
 
@@ -245,6 +261,8 @@
 
 files_read_usr_files(xenconsoled_t)
 
+fs_list_tmpfs(xenconsoled_t)
+
 term_create_pty(xenconsoled_t,xen_devpts_t);
 term_use_generic_ptys(xenconsoled_t)
 term_use_console(xenconsoled_t)
@@ -257,7 +275,7 @@
 
 miscfiles_read_localization(xenconsoled_t)
 
-xen_append_log(xenconsoled_t)
+xen_manage_log(xenconsoled_t)
 xen_stream_connect_xenstore(xenconsoled_t)
 
 ########################################
@@ -265,15 +283,25 @@
 # Xen store local policy
 #
 
-allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
+manage_files_pattern(xenstored_t,xenstored_tmp_t,xenstored_tmp_t)
+manage_dirs_pattern(xenstored_t,xenstored_tmp_t,xenstored_tmp_t)
+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+
 # pid file
 manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
 manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
 files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
 
+# log files
+manage_dirs_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t)
+manage_files_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t)
+manage_sock_files_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t)
+logging_log_filetrans(xenstored_t,xenstored_var_log_t,{ sock_file file dir })
+
 # var/lib files for xenstored
 manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
 manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
@@ -318,12 +346,13 @@
 allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
 
 # internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file  rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xm_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
 manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
+manage_sock_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
 files_search_var_lib(xm_t)
 
 allow xm_t xen_image_t:dir rw_dir_perms;
@@ -336,6 +365,7 @@
 kernel_write_xen_state(xm_t)
 
 corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
 
 corenet_tcp_sendrecv_generic_if(xm_t)
 corenet_tcp_sendrecv_all_nodes(xm_t)
@@ -351,8 +381,11 @@
 
 storage_raw_read_fixed_disk(xm_t)
 
+fs_getattr_all_fs(xm_t)
+
 term_use_all_terms(xm_t)
 
+init_stream_connect_script(xm_t)
 init_rw_script_stream_sockets(xm_t)
 init_use_fds(xm_t)
 
@@ -363,6 +396,23 @@
 
 sysnet_read_config(xm_t)
 
+sysadm_dontaudit_search_home_dirs(xm_t)
+
 xen_append_log(xm_t)
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
+
+tunable_policy(`xen_use_nfs',`
+	fs_manage_nfs_files(xend_t)
+	fs_read_nfs_symlinks(xend_t)
+')
+
+optional_policy(`
+	unconfined_domain(xend_t)
+')
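Review bot: the `optional_policy(\` unconfined_domain(xend_t) ')` block makes xend unconfined whenever the unconfined module is loaded, which is the normal case for targeted policy, and silently turns every xend rule above into dead weight. If xend cannot yet run confined, this should be a tunable (like xen_use_nfs) or a clearly documented distro-specific choice, not an unconditional optional_policy. The "#Should have a boolean wrapping these" block also belongs in the xend section rather than after the xm_t rules, and the xend_t tunable_policy block should sit next to it.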

-- 
David Härdeman


* [patch 10/35] qemu policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


None of these changes seem controversial, mostly a couple of new
interfaces, note that this patch relies on the xen patch.

Originally submitted Jul 19

Index: refpolicy/policy/modules/apps/qemu.if
===================================================================
--- refpolicy.orig/policy/modules/apps/qemu.if	2008-08-03 13:09:35.000000000 +0200
+++ refpolicy/policy/modules/apps/qemu.if	2008-08-03 17:17:33.000000000 +0200
@@ -104,7 +104,71 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run qemu unconfined.
+##	Execute qemu programs in the qemu domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the PAM domain to use.
+##	</summary>
+## </param>
+#
+interface(`qemu_runas',`
+	gen_require(`
+		type qemu_t;
+	')
+
+	qemu_domtrans($1)
+	allow qemu_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute qemu programs in the role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+#
+interface(`qemu_role',`
+	gen_require(`
+		type qemu_t;
+	')
+	role $1 types qemu_t;
+')
+
+########################################
+## <summary>
+##	Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+#
+interface(`qemu_unconfined_role',`
+	gen_require(`
+		type qemu_unconfined_t;
+	')
+	role $1 types qemu_unconfined_t;
+')
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run qemu.
 ## </summary>
 ## <param name="domain">
 ## <summary>
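Review bot: qemu_runas() takes a role parameter ($2) that is never used; a transition from a user domain will fail at the role check unless the role also gets qemu_t, so either call qemu_role($2) inside the interface or drop the parameter. The parameter docs are copied from a PAM interface ("The role to allow the PAM domain") and should describe qemu. There are also two consecutive blank lines after qemu_unconfined_role().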
@@ -122,6 +186,36 @@
 
 ########################################
 ## <summary>
+##	Execute qemu programs in the qemu unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the PAM domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the PAM domain to use.
+##	</summary>
+## </param>
+#
+interface(`qemu_runas_unconfined',`
+	gen_require(`
+		type qemu_unconfined_t;
+	')
+
+	qemu_domtrans_unconfined($1)
+	allow qemu_unconfined_t $3:chr_file rw_file_perms;
+')
+
+
+########################################
+## <summary>
 ##	Creates types and rules for a basic
 ##	qemu process domain.
 ## </summary>
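Review bot: qemu_runas_unconfined() has the same unused $2 and the same PAM doc text as qemu_runas(); add `role $2 types qemu_unconfined_t;` (or a qemu_unconfined_role($2) call) and fix the docs. Extra blank line before the separator.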
@@ -133,24 +227,23 @@
 #
 template(`qemu_domain_template',`
 
-	##############################
-	#
-	# Local Policy
-	#
-
 	type $1_t;
 	domain_type($1_t)
 
 	type $1_tmp_t;
 	files_tmp_file($1_tmp_t)
 
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
 	##############################
 	#
 	# Local Policy
 	#
 
 	allow $1_t self:capability { dac_read_search dac_override };
-	allow $1_t self:process { execstack execmem signal getsched };
+	allow $1_t self:process { execstack execmem signal getsched signull };
+
 	allow $1_t self:fifo_file rw_file_perms;
 	allow $1_t self:shm create_shm_perms;
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -160,6 +253,11 @@
 	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
 	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
 
+	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
 	kernel_read_system_state($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
@@ -171,7 +269,10 @@
 	corenet_tcp_bind_vnc_port($1_t)
 	corenet_rw_tun_tap_dev($1_t)
 
-#	dev_rw_kvm($1_t)
+	dev_read_sound($1_t)
+	dev_write_sound($1_t)
+	dev_rw_kvm($1_t)
+	dev_rw_qemu($1_t)
 
 	domain_use_interactive_fds($1_t)
 
@@ -191,6 +292,8 @@
 	term_getattr_pty_fs($1_t)
 	term_use_generic_ptys($1_t)
 
+	auth_use_nsswitch($1_t)
+
 	libs_use_ld_so($1_t)
 	libs_use_shared_libs($1_t)
 
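Review bot: with auth_use_nsswitch($1_t) added, the sysnet_read_config($1_t) call that follows (context in the next hunk) is redundant, since auth_use_nsswitch() already pulls in sysnet_dns_name_resolve() and with it the config read; remove it as was done for syslogd in the logging patch.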
@@ -198,9 +301,9 @@
 
 	sysnet_read_config($1_t)
 
-#	optional_policy(`
-#		samba_domtrans_smb($1_t)
-#	')
+	optional_policy(`
+		samba_domtrans_smb($1_t)
+	')
 
 	optional_policy(`
 		virt_manage_images($1_t)
@@ -212,6 +315,24 @@
 		xserver_stream_connect_xdm_xserver($1_t)
 		xserver_read_xdm_tmp_files($1_t)
 		xserver_read_xdm_pid($1_t)
-#		xserver_xdm_rw_shm($1_t)
+		xserver_xdm_rw_shm($1_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_setsched',`
+	gen_require(`
+		type qemu_t;
+	')
+
+	allow $1 qemu_t:process setsched;
+')
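Review bot: qemu_setsched() only covers qemu_t, not the $1_t domains created by qemu_domain_template(); if the caller (presumably a management daemon) needs to renice any qemu instance, the template domains need a shared attribute. Uncommenting xserver_xdm_rw_shm($1_t) is also unexplained in the commit message.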
Index: refpolicy/policy/modules/apps/qemu.te
===================================================================
--- refpolicy.orig/policy/modules/apps/qemu.te	2008-08-03 13:09:35.000000000 +0200
+++ refpolicy/policy/modules/apps/qemu.te	2008-08-03 17:17:33.000000000 +0200
@@ -13,6 +13,20 @@
 ## </desc>
 gen_tunable(qemu_full_network, false)
 
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
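Review bot: qemu_use_nfs and qemu_use_cifs default to true; refpolicy tunables that widen access default to false (xen_use_nfs in the previous patch does), so both defaults should be false.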
 type qemu_exec_t;
 qemu_domain_template(qemu)
 application_domain(qemu_t, qemu_exec_t)
@@ -35,6 +49,22 @@
 	corenet_tcp_connect_all_ports(qemu_t)
 ')
 
+tunable_policy(`qemu_use_nfs',`
+	fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+	fs_manage_cifs_dirs(qemu_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
 ########################################
 #
 # qemu_unconfined local policy
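Review bot: the optional_policy block calling xen_rw_image_files(qemu_t) appears twice; keep one. The two tunables are also asymmetric: qemu_use_nfs grants fs_manage_nfs_files while qemu_use_cifs grants only fs_manage_cifs_dirs, so a CIFS-hosted image cannot be opened; each should grant both dirs and files. As written these rules apply only to qemu_t, not to the template domains.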

-- 
David Härdeman


* [patch 11/35] hotplug policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Should all be trivial changes

Index: refpolicy/policy/modules/system/hotplug.te
===================================================================
--- refpolicy.orig/policy/modules/system/hotplug.te	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/hotplug.te	2008-08-03 17:52:58.000000000 +0200
@@ -121,6 +121,7 @@
 	optional_policy(`
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_domtrans(hotplug_t)
+		netutils_signal(hotplug_t)
 		fs_rw_tmpfs_chr_files(hotplug_t)
 	')
 	files_getattr_generic_locks(hotplug_t)

-- 
David Härdeman


* [patch 12/35] getty policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Hopefully trivial changes
Index: refpolicy/policy/modules/system/getty.fc
===================================================================
--- refpolicy.orig/policy/modules/system/getty.fc	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/getty.fc	2008-08-03 18:01:20.000000000 +0200
@@ -8,5 +8,5 @@
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
-/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
-/var/spool/voice	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
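Review bot: the two /var/spool entries change from matching a single regular file (`--`) to matching the whole directory tree with no class restriction, yet keep getty_var_run_t, which is a pid-file type; labelling spool data under /var/spool with a /var/run type blurs the two, so a dedicated spool type (or an existing getty data type) would be cleaner, and relabeling will now touch everything below those directories.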
Index: refpolicy/policy/modules/system/getty.te
===================================================================
--- refpolicy.orig/policy/modules/system/getty.te	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/getty.te	2008-08-03 18:01:20.000000000 +0200
@@ -9,6 +9,7 @@
 type getty_t;
 type getty_exec_t;
 init_domain(getty_t,getty_exec_t)
+init_system_domain(getty_t,getty_exec_t)
 domain_interactive_fd(getty_t)
 
 type getty_etc_t;
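Review bot: init_system_domain(getty_t,getty_exec_t) is added directly below init_domain(getty_t,getty_exec_t); if init_system_domain() already calls init_domain() internally (as refpolicy's does), the existing init_domain line becomes redundant and should be replaced rather than kept alongside the new call.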

-- 
David Härdeman

* [patch 13/35] ricci policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


One trivial change
Index: refpolicy/policy/modules/services/ricci.te
===================================================================
--- refpolicy.orig/policy/modules/services/ricci.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/ricci.te	2008-08-03 18:01:32.000000000 +0200
@@ -443,6 +443,7 @@
 create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
 files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
 
+corecmd_exec_shell(ricci_modstorage_t)
 corecmd_exec_bin(ricci_modstorage_t)
 
 dev_read_sysfs(ricci_modstorage_t)
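Review bot: corecmd_exec_shell(ricci_modstorage_t) lets the storage module domain run any shell in its own domain, which is broader than "one trivial change" suggests; add a comment naming the script or helper that needs it, and confirm the shell is meant to run without a domain transition.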

-- 
David Härdeman

* [patch 14/35] remotelogin policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Additional user homedir permissions
Index: refpolicy/policy/modules/services/remotelogin.te
===================================================================
--- refpolicy.orig/policy/modules/services/remotelogin.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/remotelogin.te	2008-08-03 18:01:36.000000000 +0200
@@ -85,6 +85,7 @@
 
 miscfiles_read_localization(remote_login_t)
 
+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
 userdom_use_unpriv_users_fds(remote_login_t)
 userdom_search_all_users_home_content(remote_login_t)
 # Only permit unprivileged user domains to be entered via rlogin,
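Review bot: userdom_read_all_users_home_dirs_symlinks(remote_login_t) arrives with no comment and the message only says "additional user homedir permissions"; note the denial it fixes next to the rule (the neighbouring userdom_ block documents its purpose), so a later cleanup does not drop it.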

-- 
David Härdeman

* [patch 15/35] kernel terminal policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Additional permissions for server ptynodes
Index: refpolicy/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/terminal.if	2008-08-03 16:46:56.000000000 +0200
+++ refpolicy/policy/modules/kernel/terminal.if	2008-08-03 18:01:38.000000000 +0200
@@ -525,11 +525,13 @@
 interface(`term_use_generic_ptys',`
 	gen_require(`
 		type devpts_t;
+		attribute server_ptynode;
 	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
+	allow $1 server_ptynode:chr_file { getattr read write ioctl };
 ')
 
 ########################################
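Review bot: the new server_ptynode rule grants a hand-picked set `{ getattr read write ioctl }` while the devpts_t rule on the line above grants `{ rw_term_perms lock append }`; either use rw_term_perms for both so the two pty classes stay in step, or comment why server ptys deliberately get the narrower set. The interface summary above the hunk should also say that server ptys are now covered by term_use_generic_ptys.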
@@ -547,9 +549,11 @@
 interface(`term_dontaudit_use_generic_ptys',`
 	gen_require(`
 		type devpts_t;
+		attribute server_ptynode;
 	')
 
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+	dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
 ')
 
 ########################################

-- 
David Härdeman

* [patch 16/35] usernet policy updates
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Only minor changes
Index: refpolicy/policy/modules/apps/usernetctl.if
===================================================================
--- refpolicy.orig/policy/modules/apps/usernetctl.if	2008-08-03 16:46:56.000000000 +0200
+++ refpolicy/policy/modules/apps/usernetctl.if	2008-08-03 18:01:40.000000000 +0200
@@ -63,4 +63,9 @@
 	optional_policy(`
 		modutils_run_insmod(usernetctl_t, $2, $3)
 	')
+
+
+	optional_policy(`
+		ppp_run(usernetctl_t,$2,$3)
+	')
 ')
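Review bot: style only, but two blank lines are inserted between the optional_policy blocks where the file uses one, and ppp_run(usernetctl_t,$2,$3) lacks the spaces after commas that modutils_run_insmod(usernetctl_t, $2, $3) three lines above uses; drop one blank line and write ppp_run(usernetctl_t, $2, $3).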
Index: refpolicy/policy/modules/apps/usernetctl.te
===================================================================
--- refpolicy.orig/policy/modules/apps/usernetctl.te	2008-08-03 16:46:56.000000000 +0200
+++ refpolicy/policy/modules/apps/usernetctl.te	2008-08-03 18:01:40.000000000 +0200
@@ -49,15 +49,21 @@
 
 fs_search_auto_mountpoints(usernetctl_t)
 
+auth_use_nsswitch(usernetctl_t)
+
 libs_use_ld_so(usernetctl_t)
 libs_use_shared_libs(usernetctl_t)
 
+logging_send_syslog_msg(usernetctl_t)
+
 miscfiles_read_localization(usernetctl_t)
 
 seutil_read_config(usernetctl_t)
 
 sysnet_read_config(usernetctl_t)
 
+term_search_ptys(usernetctl_t)
+
 optional_policy(`
 	hostname_exec(usernetctl_t)
 ')

-- 
David Härdeman

* [patch 17/35] brctl policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


One minor change
Index: refpolicy/policy/modules/admin/brctl.te
===================================================================
--- refpolicy.orig/policy/modules/admin/brctl.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/brctl.te	2008-08-03 18:01:42.000000000 +0200
@@ -33,6 +33,8 @@
 
 files_read_etc_files(brctl_t)
 
+term_use_console(brctl_t)
+
 libs_use_ld_so(brctl_t)
 libs_use_shared_libs(brctl_t)
 
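Review bot: term_use_console(brctl_t) is inserted between files_read_etc_files and libs_use_ld_so, breaking the alphabetical-by-module ordering the surrounding lines follow; move it below the libs_ calls. Also worth a comment on why a bridge control tool needs the console itself rather than the terminal passed to its run interface.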

-- 
David Härdeman

* [patch 18/35] fsadm policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Mostly to allow xen/cifs/nfs file management
Index: refpolicy/policy/modules/system/fstools.if
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.if	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/fstools.if	2008-08-03 18:06:57.000000000 +0200
@@ -142,3 +142,21 @@
 
 	allow $1 swapfile_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Send signal to fsadm process
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_signal',`
+	gen_require(`
+		type fsadm_t;
+	')
+
+	allow $1 fsadm_t:process signal;
+')
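Review bot: nothing in this patch calls the new fstools_signal interface; say in the message which later patch uses it so the interface is not merged dead. The summary would read better as "Send a generic signal to fsadm."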
Index: refpolicy/policy/modules/system/fstools.te
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.te	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/fstools.te	2008-08-03 18:06:57.000000000 +0200
@@ -97,6 +97,10 @@
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
 
+fs_manage_nfs_files(fsadm_t)
+
+fs_manage_cifs_files(fsadm_t)
+
 mls_file_read_all_levels(fsadm_t)
 mls_file_write_all_levels(fsadm_t)
 
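Review bot: fs_manage_nfs_files(fsadm_t) and fs_manage_cifs_files(fsadm_t) are unconditional and grant create/delete, not just read/write, on remote shares; the message says "xen/cifs/nfs file management" but does not say which fsadm tool needs to manage files there. If it is about image files on NFS/CIFS, consider gating the rules with the use_nfs_home_dirs / use_samba_home_dirs tunables as other modules do, and add a comment naming the use case.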
@@ -184,4 +188,9 @@
 
 optional_policy(`
 	xen_append_log(fsadm_t)
+	xen_rw_image_files(fsadm_t)
+')
+
+optional_policy(`
+	unconfined_domain(fsadm_t)
 ')
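Review bot: optional_policy(` unconfined_domain(fsadm_t) ') makes fsadm_t fully unconfined whenever the unconfined module is loaded, which renders every other rule in this file moot on such systems; this does not belong at the tail of a patch described as file-management tweaks and needs either a distro_redhat guard with a rationale or a separate patch of its own.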

-- 
David Härdeman

* [patch 19/35] kernel storage module policy updates
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


A few new paths and a new interface which is used by later patches
Index: refpolicy/policy/modules/kernel/storage.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/storage.fc	2008-07-19 19:15:34.000000000 +0200
+++ refpolicy/policy/modules/kernel/storage.fc	2008-08-03 18:09:53.000000000 +0200
@@ -13,6 +13,7 @@
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
@@ -48,6 +49,7 @@
 /dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
 /dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
Index: refpolicy/policy/modules/kernel/storage.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/storage.if	2008-08-03 16:46:56.000000000 +0200
+++ refpolicy/policy/modules/kernel/storage.if	2008-08-03 18:09:53.000000000 +0200
@@ -81,6 +81,26 @@
 
 ########################################
 ## <summary>
+##	dontaudit the caller attempts to read from a fixed disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type fixed_disk_device_t;
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the caller to directly read from a fixed disk.
 ##	This is extremly dangerous as it can bypass the
 ##	SELinux protections for filesystem objects, and
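Review bot: the gen_require block declares `attribute fixed_disk_raw_read;` but the interface body only references fixed_disk_device_t, so that require is dead and should be dropped. The summary "dontaudit the caller attempts to read from a fixed disk." would read better as "Do not audit attempts by the caller to read from a fixed disk."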

-- 
David Härdeman

* [patch 20/35] rpc policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Partial merge of RedHat rpc changes (mostly a few read permissions and
a couple of dontaudit rules).

Depends on policy_modules_kernel_storage.patch

Index: refpolicy/policy/modules/services/rpc.te
===================================================================
--- refpolicy.orig/policy/modules/services/rpc.te	2008-08-03 18:18:31.000000000 +0200
+++ refpolicy/policy/modules/services/rpc.te	2008-08-04 13:18:47.000000000 +0200
@@ -62,10 +62,10 @@
 
 # rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
-corecmd_search_bin(rpcd_t)
+corecmd_exec_bin(rpcd_t)
 
 kernel_read_system_state(rpcd_t) 
-kernel_search_network_state(rpcd_t) 
+kernel_read_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
 kernel_rw_fs_sysctls(rpcd_t)
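Review bot: corecmd_search_bin -> corecmd_exec_bin lets rpcd_t execute every bin_t program, which is more than the "few read permissions" the message describes; sm-notify is already covered by can_exec(rpcd_t, rpcd_exec_t) on the line above, so name the other binary rpc.statd or rquotad runs, or keep the narrower rule. The kernel_search -> kernel_read_network_state change is fine.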
@@ -82,6 +82,7 @@
 miscfiles_read_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
 
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
@@ -97,6 +98,12 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
+dev_rw_lvm_control(nfsd_t)
+storage_dontaudit_raw_read_fixed_disk(nfsd_t)
+
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
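Review bot: dev_rw_lvm_control(nfsd_t) is a read/write grant on the device-mapper control node sitting among dontaudit rules, and the message lists only reads and dontaudits; explain why the nfs daemon needs /dev/mapper/control or drop it. The two getattr dontaudits and storage_dontaudit_raw_read_fixed_disk(nfsd_t) look like reasonable noise suppression, but the latter depends on patch 19 as the message says, so ordering of the series matters.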
@@ -107,6 +114,7 @@
 fs_mount_nfsd_fs(nfsd_t) 
 fs_search_nfsd_fs(nfsd_t) 
 fs_getattr_all_fs(nfsd_t) 
+fs_getattr_all_dirs(nfsd_t)
 fs_rw_nfsd_fs(nfsd_t) 
 
 term_use_controlling_term(nfsd_t) 
@@ -149,6 +157,7 @@
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
@@ -162,6 +171,9 @@
 files_list_tmp(gssd_t) 
 files_read_usr_symlinks(gssd_t) 
 
+auth_use_nsswitch(gssd_t)
+auth_manage_cache(gssd_t)
+
 miscfiles_read_certs(gssd_t)
 
 tunable_policy(`allow_gssd_read_tmp',`
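Review bot: auth_manage_cache(gssd_t) grants create/delete on the auth cache type, while credential-cache access for gssd is otherwise handled by the allow_gssd_read_tmp tunable visible just below; say which cache directory this is for, and whether read access would do.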

-- 
David Härdeman

* [patch 21/35] kismet policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


kismet is a network sniffer so net_raw seems quite reasonable...

Index: refpolicy/policy/modules/admin/kismet.te
===================================================================
--- refpolicy.orig/policy/modules/admin/kismet.te	2008-08-03 18:30:11.000000000 +0200
+++ refpolicy/policy/modules/admin/kismet.te	2008-08-03 18:30:32.000000000 +0200
@@ -25,7 +25,7 @@
 # kismet local policy
 #
 
-allow kismet_t self:capability { net_admin setuid setgid };
+allow kismet_t self:capability { net_admin net_raw setuid setgid };
 allow kismet_t self:packet_socket create_socket_perms;
 
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)

-- 
David Härdeman

* [patch 22/35] oav policy updates
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Trivial changes...

Index: refpolicy/policy/modules/services/oav.te
===================================================================
--- refpolicy.orig/policy/modules/services/oav.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/oav.te	2008-08-03 20:34:32.000000000 +0200
@@ -12,7 +12,7 @@
 
 # cjp: may be collapsable to etc_t
 type oav_update_etc_t;
-files_type(oav_update_etc_t)
+files_config_file(oav_update_etc_t)
 
 type oav_update_var_lib_t;
 files_type(oav_update_var_lib_t)
@@ -22,7 +22,7 @@
 init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
 
 type scannerdaemon_etc_t;
-files_type(scannerdaemon_etc_t)
+files_config_file(scannerdaemon_etc_t)
 
 type scannerdaemon_log_t;
 logging_log_file(scannerdaemon_log_t)

-- 
David Härdeman

* [patch 23/35] iptables policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Trivial changes from the RH patchset to the iptables module...
Index: refpolicy/policy/modules/system/iptables.te
===================================================================
--- refpolicy.orig/policy/modules/system/iptables.te	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/iptables.te	2008-08-03 20:38:53.000000000 +0200
@@ -48,6 +48,7 @@
 
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
+fs_list_inotifyfs(iptables_t)
 
 mls_file_read_all_levels(iptables_t)
 
@@ -70,8 +71,6 @@
 libs_use_shared_libs(iptables_t)
 
 logging_send_syslog_msg(iptables_t)
-# system-config-network appends to /var/log
-#logging_append_system_logs(iptables_t)
 
 miscfiles_read_localization(iptables_t)
 

-- 
David Härdeman

* [patch 24/35] bootloader policy updates
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Most of the changes here are in a distro_redhat block and shouldn't be
controversial...

Index: refpolicy/policy/modules/admin/bootloader.if
===================================================================
--- refpolicy.orig/policy/modules/admin/bootloader.if	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/bootloader.if	2008-08-03 21:09:17.000000000 +0200
@@ -49,6 +49,11 @@
 
 	role $2 types bootloader_t;
 	allow bootloader_t $3:chr_file rw_term_perms;
+
+	ifdef(`distro_redhat',`
+		# for mke2fs
+		mount_run(bootloader_t, $2, $3)
+	')
 ')
 
 ########################################
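Review bot: the comment "# for mke2fs" does not match the call beneath it: mount_run(bootloader_t, $2, $3) transitions into the mount domain, whereas mke2fs is an fstools program; either the comment or the interface is wrong. mount_run also comes from the mount module, so unless mount is guaranteed present the call should sit inside optional_policy.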
Index: refpolicy/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy.orig/policy/modules/admin/bootloader.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/bootloader.te	2008-08-03 21:09:17.000000000 +0200
@@ -218,3 +218,7 @@
 optional_policy(`
 	sysadm_dontaudit_search_home_dirs(bootloader_t)
 ')
+
+optional_policy(`
+	unconfined_domain(bootloader_t)
+')
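Review bot: unconfined_domain(bootloader_t) under optional_policy makes the bootloader domain unconfined on every system that loads the unconfined module, which defeats the rest of bootloader.te there; the message calls the changes uncontroversial, but this one is not in a distro_redhat block and needs its own justification or guard.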

-- 
David Härdeman

* [patch 25/35] rdisc policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Minor changes to the rdisc module, the interface that is added is used
in later RH patches (not part of the current patchset)...
Index: refpolicy/policy/modules/services/rdisc.if
===================================================================
--- refpolicy.orig/policy/modules/services/rdisc.if	2008-07-19 19:15:41.000000000 +0200
+++ refpolicy/policy/modules/services/rdisc.if	2008-08-03 21:17:42.000000000 +0200
@@ -1 +1,20 @@
 ## <summary>Network router discovery daemon</summary>
+
+########################################
+## <summary>
+##	Execute rdisc server in the rdisc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+#
+interface(`rdisc_script_domtrans',`
+	gen_require(`
+		type rdisc_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,rdisc_script_exec_t)
+')
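Review bot: the summary "Execute rdisc server in the rdisc domain" is inaccurate: init_script_domtrans_spec($1,rdisc_script_exec_t) runs the rdisc init script in the init script domain, it does not enter rdisc_t; reword to "Execute the rdisc init script in the init script domain." Also there is a doubled `#` line before interface(`rdisc_script_domtrans'), the argument list lacks a space after the comma, and rdisc_script_exec_t must be declared in rdisc.te/.fc, which this patch does not show.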
Index: refpolicy/policy/modules/services/rdisc.te
===================================================================
--- refpolicy.orig/policy/modules/services/rdisc.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/rdisc.te	2008-08-03 21:17:42.000000000 +0200
@@ -45,6 +45,8 @@
 libs_use_ld_so(rdisc_t)
 libs_use_shared_libs(rdisc_t)
 
+miscfiles_read_localization(rdisc_t)
+
 logging_send_syslog_msg(rdisc_t)
 
 sysnet_read_config(rdisc_t)
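Review bot: miscfiles_read_localization(rdisc_t) is inserted above logging_send_syslog_msg(rdisc_t); keep the alphabetical module ordering and place it after the logging_ call.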

-- 
David Härdeman

* [patch 26/35] stunnel policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Changes to the stunnel module which shouldn't be controversial, the interface
is used by later RH patches to the inetd module.
Index: refpolicy/policy/modules/services/stunnel.if
===================================================================
--- refpolicy.orig/policy/modules/services/stunnel.if	2008-07-19 19:15:41.000000000 +0200
+++ refpolicy/policy/modules/services/stunnel.if	2008-08-03 21:21:31.000000000 +0200
@@ -1 +1,25 @@
 ## <summary>SSL Tunneling Proxy</summary>
+
+########################################
+## <summary>
+##	Define the specified domain as a stunnel inetd service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type associated with the stunnel inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`stunnel_service_domain',`
+	gen_require(`
+		type stunnel_t;
+	')
+
+	domtrans_pattern(stunnel_t,$2,$1)
+	allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
Index: refpolicy/policy/modules/services/stunnel.te
===================================================================
--- refpolicy.orig/policy/modules/services/stunnel.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/stunnel.te	2008-08-03 21:21:31.000000000 +0200
@@ -20,7 +20,7 @@
 ')
 
 type stunnel_etc_t;
-files_type(stunnel_etc_t)
+files_config_file(stunnel_etc_t)
 
 type stunnel_tmp_t;
 files_tmp_file(stunnel_tmp_t)

-- 
David Härdeman

* [patch 27/35] inetd policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


RH changes to the inetd module, most of these are related to the MLS/MCS
override which is already present in the module...
Index: refpolicy/policy/modules/services/inetd.if
===================================================================
--- refpolicy.orig/policy/modules/services/inetd.if	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/inetd.if	2008-08-03 21:25:12.000000000 +0200
@@ -115,6 +115,10 @@
 
 	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
 	allow $1 inetd_t:udp_socket rw_socket_perms;
+
+	optional_policy(`
+		stunnel_service_domain($1,$2)
+	')
 ')
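Review bot: nesting `stunnel_service_domain($1,$2)` inside this interface (inetd_service_domain, judging by its use later in the patch) means every caller now also gets a stunnel_t transition to its domain on $2, not only the inetd_t one; the interface's XML summary should say that stunnel may spawn the service as well, and the commit message should mention the widened scope rather than leaving it to the diff. Style: `stunnel_service_domain($1, $2)`.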
 
 ########################################
Index: refpolicy/policy/modules/services/inetd.te
===================================================================
--- refpolicy.orig/policy/modules/services/inetd.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/inetd.te	2008-08-03 21:25:12.000000000 +0200
@@ -30,6 +30,10 @@
 type inetd_child_var_run_t;
 files_pid_file(inetd_child_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Local policy
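Review bot: the ranged transition is only added under `enable_mcs`, so an `enable_mls` build gets no range transition for inetd_t even though the comment later in this file says xinetd needs MLS override privileges; the commit message should state whether that is intended or whether an `enable_mls` branch using `mls_systemhigh` is also needed. Style: spaces after the commas in `init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh)`.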
@@ -84,6 +88,7 @@
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
 corenet_udp_bind_rlogind_port(inetd_t)
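Review bot: `corenet_tcp_bind_ircd_port(inetd_t)` needs a justification in the commit message; the surrounding binds are the classic inetd-launched services, and letting inetd bind the IRC port on every installation for one site's configuration widens the port set for everyone. If a deployment really starts ircd from inetd, a tunable or a site-local module is the usual home for that rule.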
@@ -137,6 +142,7 @@
 miscfiles_read_localization(inetd_t)
 
 # xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
 mls_socket_write_to_clearance(inetd_t)
@@ -165,6 +171,7 @@
 ')
 
 optional_policy(`
+	unconfined_domain(inetd_t)
 	unconfined_domtrans(inetd_t)
 ')
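Review bot: `unconfined_domain(inetd_t)` makes inetd_t unconfined whenever the unconfined module is loaded, which renders the MLS, port and socket rules above meaningless on those systems and hides any denial in a child service's setup. Drop it, or document the exact access it was added to work around so a targeted rule can replace it; `unconfined_domtrans(inetd_t)` on the next line already lets inetd start unconfined services.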
 
@@ -181,6 +188,9 @@
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+
 files_search_home(inetd_child_t)
 
 manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)
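Review bot: `allow inetd_child_t self:dir search;` and `allow inetd_child_t self:{ lnk_file file } { getattr read };` are the /proc/self accesses that the domain module already grants to every domain in refpolicy; confirm with `sesearch` against the target tree before adding them here, and if they really are missing, give them their own comment saying what reads /proc/self instead of leaving them under the `# for identd` block with the capability rules.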
@@ -227,3 +237,7 @@
 optional_policy(`
 	unconfined_domain(inetd_child_t)
 ')
+
+optional_policy(`
+	inetd_service_domain(inetd_child_t,bin_t)
+')
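Review bot: `inetd_service_domain(inetd_child_t,bin_t)` references the corecmd type bin_t directly, which modules outside corecommands must not do, and it makes inetd_child_t the destination for every bin_t executable inetd launches, so any service without its own module lands in the catch-all child domain. If that is wanted, go through the corecmd interface (`corecmd_bin_domtrans(inetd_t, inetd_child_t)`) and say so in the commit message; also drop the `optional_policy` wrapper, since the interface comes from this very module and the stunnel dependency inside it is already optional.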

-- 
David Härdeman


* [patch 28/35] iscsi policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


RH updates to the iscsi module, none of which seem controversial...

Index: refpolicy/policy/modules/system/iscsi.fc
===================================================================
--- refpolicy.orig/policy/modules/system/iscsi.fc	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/iscsi.fc	2008-08-03 21:29:52.000000000 +0200
@@ -1,5 +1,5 @@
 /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 
-/var/lib/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-/var/lock/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_lock_t,s0)
+/var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
 /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
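Review bot: the commit message should say what dropping the `--` qualifier changes: with `--` the two patterns matched regular files only, so the `/var/lib/iscsi` and `/var/lock/iscsi` directories themselves kept the label of their parent; without it the directories and everything below them are labeled iscsi_var_lib_t and iscsi_lock_t. As written the hunk reads like a whitespace change.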
Index: refpolicy/policy/modules/system/iscsi.te
===================================================================
--- refpolicy.orig/policy/modules/system/iscsi.te	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/iscsi.te	2008-08-03 21:29:52.000000000 +0200
@@ -29,7 +29,7 @@
 #
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process { setrlimit setsched };
+allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
@@ -63,6 +63,7 @@
 corenet_tcp_sendrecv_all_ports(iscsid_t)
 corenet_tcp_connect_http_port(iscsid_t)
 corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
 
 dev_rw_sysfs(iscsid_t)
 
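Review bot: `corenet_tcp_connect_isns_port(iscsid_t)` depends on an `isns` port being declared in corenetwork; if the target tree has no such network_port, the module will not build, so either add the port definition in this series or state which upstream revision already carries it.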

-- 
David Härdeman


* [patch 29/35] ipsec policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


ipsec changes including a new interface which is used by the sysnetwork
module...

Index: refpolicy/policy/modules/system/ipsec.if
===================================================================
--- refpolicy.orig/policy/modules/system/ipsec.if	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/ipsec.if	2008-08-03 21:32:40.000000000 +0200
@@ -150,6 +150,26 @@
 	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
 
+
+########################################
+## <summary>
+##	write the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ipsec_write_pid',`
+	gen_require(`
+		type ipsec_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute racoon in the racoon domain.
Index: refpolicy/policy/modules/system/ipsec.te
===================================================================
--- refpolicy.orig/policy/modules/system/ipsec.te	2008-07-19 19:15:43.000000000 +0200
+++ refpolicy/policy/modules/system/ipsec.te	2008-08-03 21:33:27.000000000 +0200
@@ -69,8 +69,8 @@
 read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
+manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
 
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
Index: refpolicy/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.te	2008-08-03 21:37:35.000000000 +0200
+++ refpolicy/policy/modules/system/sysnetwork.te	2008-08-03 21:38:27.000000000 +0200
@@ -332,6 +332,10 @@
 ')
 
 optional_policy(`
+	ipsec_write_pid(ifconfig_t)
+')
+
+optional_policy(`
 	kernel_read_xen_state(ifconfig_t)
 	kernel_write_xen_state(ifconfig_t)
 	xen_append_log(ifconfig_t)
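Review bot: `ipsec_write_pid(ifconfig_t)` needs a reason in the commit message; ifconfig_t writing into the ipsec PID directory is surprising, and if the denial actually comes from an inherited file descriptor rather than from ifconfig opening the files itself, an `fd use` rule would be the narrower fix. If ifconfig does write there, say which file.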

-- 
David Härdeman


* [patch 30/35] fetchmail policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Trivial change to the fetchmail module...

Index: refpolicy/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy.orig/policy/modules/services/fetchmail.te	2008-08-03 21:45:04.000000000 +0200
+++ refpolicy/policy/modules/services/fetchmail.te	2008-08-03 21:45:45.000000000 +0200
@@ -14,7 +14,7 @@
 files_pid_file(fetchmail_var_run_t)
 
 type fetchmail_etc_t;
-files_type(fetchmail_etc_t)
+files_config_file(fetchmail_etc_t)
 
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)

-- 
David Härdeman


* [patch 31/35] amanda policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


RH policy updates to the amanda module; none of these look controversial.

Index: refpolicy/policy/modules/admin/amanda.fc
===================================================================
--- refpolicy.orig/policy/modules/admin/amanda.fc	2008-07-19 19:15:44.000000000 +0200
+++ refpolicy/policy/modules/admin/amanda.fc	2008-08-03 21:51:13.000000000 +0200
@@ -3,6 +3,7 @@
 /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+/etc/amanda/.*/index(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 
 /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
 
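Review bot: the new `/etc/amanda/.*/index(/.*)?` entry is appended after `/etc/dumpdates`; keep the file grouped by path and place it next to the `/etc/amanda/.*/tapelist(/.*)?` entry above so related patterns stay together.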
Index: refpolicy/policy/modules/admin/amanda.te
===================================================================
--- refpolicy.orig/policy/modules/admin/amanda.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/admin/amanda.te	2008-08-03 21:51:13.000000000 +0200
@@ -82,8 +82,9 @@
 allow amanda_t amanda_config_t:file { getattr read };
 
 # access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file manage_file_perms;
+manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 # access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
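Review bot: `filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })` is new behaviour, not a conversion of the two removed allow rules: files and directories amanda_t creates inside amanda_config_t directories will now be labeled amanda_data_t. That matches the `index` and `tapelist` paths under /etc/amanda in the .fc change, but the commit message should say so, because the diff alone reads as a rule refactor.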
@@ -146,6 +147,8 @@
 fs_list_all(amanda_t)
 
 storage_raw_read_fixed_disk(amanda_t)
+storage_read_tape(amanda_t)
+storage_write_tape(amanda_t)
 
 # Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
@@ -220,6 +223,7 @@
 auth_use_nsswitch(amanda_recover_t)
 
 fstools_domtrans(amanda_t)
+fstools_signal(amanda_t)
 
 libs_use_ld_so(amanda_recover_t)
 libs_use_shared_libs(amanda_recover_t)

-- 
David Härdeman


* [patch 32/35] rsync policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


rsync module policy changes, mostly related to a new type for rsync log
files.

Index: refpolicy/policy/modules/services/rsync.fc
===================================================================
--- refpolicy.orig/policy/modules/services/rsync.fc	2008-07-19 19:15:41.000000000 +0200
+++ refpolicy/policy/modules/services/rsync.fc	2008-08-03 21:58:33.000000000 +0200
@@ -1,2 +1,6 @@
 
 /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_log_t,s0)
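Review bot: `/var/run/rsyncd\.lock` is given rsync_log_t, a logging type; a lock file under /var/run should carry a PID/lock type, and nothing in the .te change creates such a file in /var/run at runtime (only `logging_log_filetrans` for /var/log is added), so a lock created by the daemon would not get this label anyway. Either add an rsync_var_run_t with `files_pid_filetrans`, or drop this line. The two new lines also separate the path from `--` with spaces where the existing line uses tabs.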
Index: refpolicy/policy/modules/services/rsync.te
===================================================================
--- refpolicy.orig/policy/modules/services/rsync.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/rsync.te	2008-08-03 21:58:33.000000000 +0200
@@ -31,6 +31,9 @@
 type rsync_data_t;
 files_type(rsync_data_t)
 
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
 
@@ -42,7 +45,7 @@
 # Local policy
 #
 
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
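Review bot: `dac_read_search` is new in this set and `dac_override` moves out of the `rsync_export_all_ro` tunable removed later in this patch, while `setuid setgid` only relocate from the identd block below; the commit message should justify the two DAC capabilities separately from the tidy-up, since after this hunk rsync_t bypasses file ownership checks in every configuration.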
@@ -52,7 +55,6 @@
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
 #end for identd
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@
 libs_use_shared_libs(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
 
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
@@ -117,7 +120,6 @@
 ')
 
 tunable_policy(`rsync_export_all_ro',`
-	allow rsync_t self:capability dac_override;
 	fs_read_noxattr_fs_files(rsync_t) 
 	auth_read_all_files_except_shadow(rsync_t)
 ')
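Review bot: removing `allow rsync_t self:capability dac_override;` from the `rsync_export_all_ro` block is not a cleanup: the tunable was the only thing gating DAC bypass, and `fs_read_noxattr_fs_files` and `auth_read_all_files_except_shadow` stay opt-in while the capability that lets root-owned, mode 0600 files actually be read becomes unconditional. Keep the capability inside the tunable unless the default policy is meant to allow it.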

-- 
David Härdeman


* [patch 33/35] mailscanner policy addition
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Adds a new mailscanner module from the RH patchset

Index: refpolicy/policy/modules/services/mailscanner.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/services/mailscanner.fc	2008-08-03 22:09:51.000000000 +0200
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
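Review bot: the new .fc ends with an added empty line; drop it so the file has no trailing blank.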
Index: refpolicy/policy/modules/services/mailscanner.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/services/mailscanner.if	2008-08-03 22:09:51.000000000 +0200
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
+########################################
+## <summary>
+##	Search mailscanner spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_search_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mailscanner_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	read mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_read_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_manage_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
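Review bot: `mailscanner_manage_spool` manages files only, so a caller that has to create or remove per-message directories under /var/spool/MailScanner will still be denied; add `manage_dirs_pattern($1, mailscanner_spool_t, mailscanner_spool_t)` if that is the intended use, or name the interface so it says files only. Also capitalize the summary `read mailscanner spool files.` like the other two, and put spaces after the commas in the pattern calls.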
Index: refpolicy/policy/modules/services/mailscanner.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/services/mailscanner.te	2008-08-03 22:09:51.000000000 +0200
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
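Review bot: the module declares a single type and no domain, so the `Anti-Virus and Anti-Spam Filter` summary in the .if overstates what it confines; the commit message should name the domain (presumably an MTA or scanner module patched elsewhere in the Fedora tree) that calls these interfaces, since a type nothing reaches is dead policy. Also remove the leading blank line before `policy_module(mailscanner,1.0.0)` and add a space after the comma.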

-- 
David Härdeman


* [patch 34/35] qmail policy update
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


Parts of the RH changes to the qmail module, mostly related to script
execution and logging...

Index: refpolicy/policy/modules/services/qmail.te
===================================================================
--- refpolicy.orig/policy/modules/services/qmail.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/qmail.te	2008-08-03 22:57:55.000000000 +0200
@@ -14,7 +14,7 @@
 qmail_child_domain_template(qmail_clean, qmail_start_t)
 
 type qmail_etc_t;
-files_type(qmail_etc_t)
+files_config_file(qmail_etc_t)
 
 type qmail_exec_t;
 files_type(qmail_exec_t)
@@ -85,6 +85,8 @@
 libs_use_ld_so(qmail_inject_t)
 libs_use_shared_libs(qmail_inject_t)
 
+miscfiles_read_localization(qmail_inject_t)
+
 qmail_read_config(qmail_inject_t)
 
 ########################################
@@ -106,11 +108,17 @@
 
 kernel_read_system_state(qmail_local_t)
 
+corecmd_exec_bin(qmail_local_t)
 corecmd_exec_shell(qmail_local_t)
+can_exec(qmail_local_t, qmail_local_exec_t)
 
 files_read_etc_files(qmail_local_t)
 files_read_etc_runtime_files(qmail_local_t)
 
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
+
 mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
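Review bot: `corecmd_exec_bin(qmail_local_t)` together with `can_exec(qmail_local_t, qmail_local_exec_t)` lets local delivery run any bin_t program, and re-exec its own entrypoint, without a domain transition; that is how user-controlled .qmail delivery instructions end up executing programs inside qmail_local_t. It is a real widening of the domain and should be spelled out in the commit message (the description says only `script execution`); if it is only needed where per-user delivery programs are in use, a tunable would let administrators keep the default tighter.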
@@ -155,6 +163,10 @@
 manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
 
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
+
 optional_policy(`
 	daemontools_ipc_domain(qmail_queue_t)
 ')

-- 
David Härdeman


* [patch 35/35] livecd policy addition
From: david @ 2008-08-04 12:35 UTC (permalink / raw)
  To: selinux


New policy module for livecd from the RH patchset.

Index: refpolicy/policy/modules/apps/livecd.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/apps/livecd.fc	2008-08-03 23:42:07.000000000 +0200
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
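Review bot: the new .fc begins with an empty line; drop it.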
Index: refpolicy/policy/modules/apps/livecd.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/apps/livecd.if	2008-08-03 23:42:52.000000000 +0200
@@ -0,0 +1,56 @@
+
+## <summary>policy for livecd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+	gen_require(`
+		type livecd_t;
+                type livecd_exec_t;
+	')
+
+	domtrans_pattern($1,livecd_exec_t,livecd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute livecd in the livecd domain, and
+##	allow the specified role the livecd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the livecd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`livecd_run',`
+	gen_require(`
+		type livecd_t;
+	')
+
+	livecd_domtrans($1)
+	role $2 types livecd_t;
+	allow livecd_t $3:chr_file rw_term_perms;
+
+	seutil_run_setfiles_mac(livecd_t, $2, $3)
+')
+
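Review bot: whitespace and documentation fixes are needed: `type livecd_exec_t;` in the `gen_require` of `livecd_domtrans` is indented with spaces instead of a tab, the `<summary>` block of the `domain` parameter in `livecd_domtrans` is not indented like the same block in `livecd_run`, the file both starts and ends with an empty line, and there are two blank lines between the two interfaces. Also `domtrans_pattern($1, livecd_exec_t, livecd_t)` with spaces after the commas.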
Index: refpolicy/policy/modules/apps/livecd.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/apps/livecd.te	2008-08-03 23:42:07.000000000 +0200
@@ -0,0 +1,26 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+########################################
+#
+# livecd local policy
+#
+dontaudit livecd_t self:capability2 mac_admin;
+
+unconfined_domain_noaudit(livecd_t)
+domain_ptrace_all_domains(livecd_t)
+
+optional_policy(`
+	hal_dbus_chat(livecd_t)
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
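Review bot: `unconfined_domain_noaudit(livecd_t)` plus `domain_ptrace_all_domains(livecd_t)` make this an unconfined domain that can also ptrace every process on the system, so the module adds a type but no confinement; the commit message should say why livecd-creator needs a distinct domain at all (the `seutil_domtrans_setfiles_mac` transition is the obvious candidate) and whether the ptrace-all rule is really exercised. `unconfined_domain_noaudit` comes from the unconfined module and must sit inside `optional_policy`, as `hal_dbus_chat` does.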

-- 
David Härdeman


* Re: [patch 06/35] soundserver policy update
From: Christopher J. PeBenito @ 2008-08-07 13:33 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment
> (policy_modules_services_soundserver.patch)
> This policy was written by Ken Yang and reviewed by Dan Walsh:
> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
> and here:
> https://bugzilla.redhat.com/show_bug.cgi?id=250453
> 
> I updated the .fc changes to also work with Debian paths.
> 
> Originally submitted Jul 19, refreshed to apply cleanly

Comments inline

> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an soundd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be allowed to manage the soundd domain.
> +##	</summary>
> +## </param>
> +## <param name="terminal">
> +##	<summary>
> +##	The type of the user terminal.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`soundserver_admin',`
> +	gen_require(`
> +		type soundd_t;
> +		type soundd_script_exec_t;
> +		type soundd_etc_t;
> +		type soundd_tmp_t;
> +		type soundd_var_run_t;
> +	')
> +
> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
> +	read_files_pattern($1, soundd_t, soundd_t)
> +
> +	# Allow soundd_t to restart the apache service
> +	soundserver_script_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 soundd_script_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_list_tmp($1)
> +        manage_all_pattern($1,soundd_tmp_t)
> +
> +	files_list_etc($1)
> +        manage_all_pattern($1,soundd_etc_t)
> +
> +	files_list_pids($1)
> +        manage_all_pattern($1,soundd_var_run_t)
> +')
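Review bot: beyond the fixes asked for in the reply, the comment `# Allow soundd_t to restart the apache service` is a leftover from the apache admin interface this block was copied from; it should describe the soundd init script transition, and it is the admin domain ($1), not soundd_t, that is being allowed to restart the service.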

This interface needs several fixes.  The XML does not match.  There are
whitespace issues (there should be tabs, not 8 spaces).  Also spaces
after commas (other places in the patch too).  Manage_all_pattern
doesn't exist upstream, and I don't plan on ever adding it.

> Index: refpolicy/policy/modules/services/soundserver.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/soundserver.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/soundserver.te	2008-08-03 17:11:27.000000000 +0200
> @@ -10,9 +10,6 @@
>  type soundd_exec_t;
>  init_daemon_domain(soundd_t, soundd_exec_t)
>  
> -type soundd_etc_t alias etc_soundd_t;
> -files_type(soundd_etc_t)
> -
>  type soundd_state_t;
>  files_type(soundd_state_t)
>  
> @@ -26,21 +23,30 @@
>  type soundd_var_run_t;
>  files_pid_file(soundd_var_run_t)
>  
> +type soundd_etc_t;
> +files_config_file(soundd_etc_t)

This type declaration shouldn't be moved

> +type soundd_script_exec_t;
> +init_script_type(soundd_script_exec_t)
> +
>  ########################################
>  #
> -# Declarations
> +# sound server local policy
>  #
>  
> +allow soundd_t self:capability dac_override;
>  dontaudit soundd_t self:capability sys_tty_config;
>  allow soundd_t self:process { setpgid signal_perms };
>  allow soundd_t self:tcp_socket create_stream_socket_perms;
>  allow soundd_t self:udp_socket create_socket_perms;
> +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
> +
> +fs_getattr_all_fs(soundd_t)
> +
>  # for yiff
>  allow soundd_t self:shm create_shm_perms;
>  
> -allow soundd_t soundd_etc_t:dir list_dir_perms;
> -allow soundd_t soundd_etc_t:file read_file_perms;
> -allow soundd_t soundd_etc_t:lnk_file { getattr read };
> +read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
>  
>  manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
>  manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
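Review bot: `allow soundd_t self:capability dac_override;` and `fs_getattr_all_fs(soundd_t)` need a justification; for a sound daemon, dac_override usually points at a file whose ownership or mode is wrong (a config file or socket it should already own) rather than a genuine policy need, and the commit message gives no denial to check. The banner change from `# Declarations` to `# sound server local policy` is correct, since the rules that follow are local policy.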
> @@ -55,8 +61,10 @@
>  manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
>  fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>  
> +manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
>  manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
> -files_pid_filetrans(soundd_t, soundd_var_run_t, file)
> +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> +files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
>  
>  kernel_read_kernel_sysctls(soundd_t)
>  kernel_list_proc(soundd_t)
> @@ -96,10 +104,13 @@
>  sysnet_read_config(soundd_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(soundd_t)
> -
>  sysadm_dontaudit_search_home_dirs(soundd_t)
>  
>  optional_policy(`
> +	alsa_domtrans(soundd_t)
> +')
> +
> +optional_policy(`
>  	seutil_sigchld_newrole(soundd_t)
>  ')
>  
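Review bot: the removal of the blank line between `userdom_dontaudit_use_unpriv_user_fds(soundd_t)` and `sysadm_dontaudit_search_home_dirs(soundd_t)` is an unrelated whitespace change and should be dropped from the patch; the `alsa_domtrans(soundd_t)` optional_policy block is fine where it is.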
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 15/35] kernel terminal policy update
From: Christopher J. PeBenito @ 2008-08-07 13:46 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_kernel_terminal.patch)
> Additional permissions for server ptynodes

I have to reject this.  server_ptynode is not a generic pty.

> Index: refpolicy/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy.orig/policy/modules/kernel/terminal.if	2008-08-03 16:46:56.000000000 +0200
> +++ refpolicy/policy/modules/kernel/terminal.if	2008-08-03 18:01:38.000000000 +0200
> @@ -525,11 +525,13 @@
>  interface(`term_use_generic_ptys',`
>  	gen_require(`
>  		type devpts_t;
> +		attribute server_ptynode;
>  	')
>  
>  	dev_list_all_dev_nodes($1)
>  	allow $1 devpts_t:dir list_dir_perms;
>  	allow $1 devpts_t:chr_file { rw_term_perms lock append };
> +	allow $1 server_ptynode:chr_file { getattr read write ioctl };
>  ')
>  
>  ########################################
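Review bot: in addition to the rejection above, note the scope: `term_use_generic_ptys` is called from many domains, so adding `allow $1 server_ptynode:chr_file { getattr read write ioctl };` here would let all of them read and write ptys allocated by server daemons (that is, other users' remote login sessions), not only the unallocated devpts_t nodes. A domain that genuinely needs a server pty should get a targeted rule in its own module with the reason recorded.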
> @@ -547,9 +549,11 @@
>  interface(`term_dontaudit_use_generic_ptys',`
>  	gen_require(`
>  		type devpts_t;
> +		attribute server_ptynode;
>  	')
>  
>  	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
> +	dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
>  ')
>  
>  ########################################
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 17/35] brctl policy update
From: Christopher J. PeBenito @ 2008-08-07 13:47 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_brctl.patch)
> One minor change

I need justification for this change.

> Index: refpolicy/policy/modules/admin/brctl.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/brctl.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/brctl.te	2008-08-03 18:01:42.000000000 +0200
> @@ -33,6 +33,8 @@
>  
>  files_read_etc_files(brctl_t)
>  
> +term_use_console(brctl_t)
> +
>  libs_use_ld_so(brctl_t)
>  libs_use_shared_libs(brctl_t)
>  
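Review bot: `term_use_console(brctl_t)` needs the denial that motivated it. brctl is a short-lived bridge utility; read/write on the console normally reaches it as an inherited descriptor from the domain that runs it (an init script or an admin session), so a blanket console rule in the local policy looks like it is papering over an inherited fd. If the only symptom is audit noise at boot, a dontaudit is the smaller and safer change.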
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 18/35] fsadm policy update
From: Christopher J. PeBenito @ 2008-08-07 13:49 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_fstools.patch)
> Mostly to allow xen/cifs/nfs file management

Comments inline

> Index: refpolicy/policy/modules/system/fstools.if
> ===================================================================
> --- refpolicy.orig/policy/modules/system/fstools.if	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/fstools.if	2008-08-03 18:06:57.000000000 +0200
> @@ -142,3 +142,21 @@
>  
>  	allow $1 swapfile_t:file getattr;
>  ')
> +
> +########################################
> +## <summary>
> +##	Send signal to fsadm process
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fstools_signal',`
> +	gen_require(`
> +		type fsadm_t;
> +	')
> +
> +	allow $1 fsadm_t:process signal;
> +')
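Review bot: placement and wording of the new `fstools_signal` interface. Interfaces in this file keep a fixed order (the maintainer wants it after fstools_exec()), so appending it after the swapfile getattr interface leaves it out of sequence. The `<summary>` should also say what is granted, e.g. "Send generic signals to fsadm processes", since the rule is `allow $1 fsadm_t:process signal;` only (no sigkill, sigstop or sigchld), which a caller that forks fsadm tools will want to know before relying on it.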

This needs to be moved after fstools_exec()

> Index: refpolicy/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/fstools.te	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/fstools.te	2008-08-03 18:06:57.000000000 +0200
> @@ -97,6 +97,10 @@
>  fs_getattr_tmpfs_dirs(fsadm_t)
>  fs_read_tmpfs_symlinks(fsadm_t)
>  
> +fs_manage_nfs_files(fsadm_t)
> +
> +fs_manage_cifs_files(fsadm_t)

I need justification for these.

>  mls_file_read_all_levels(fsadm_t)
>  mls_file_write_all_levels(fsadm_t)
>  
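Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` grant create, write and delete on every file on NFS and CIFS mounts unconditionally, in a domain that already has mls_file_read_all_levels and mls_file_write_all_levels (context lines below). Elsewhere in refpolicy, access from local domains to network filesystems is gated on the use_nfs_home_dirs and use_samba_home_dirs tunables. The description says "xen/cifs/nfs file management", but fsck/mkfs work on block devices, not files; if this is about disk images stored on a network mount, say so and wrap the two rules in the matching tunable_policy block.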
> @@ -184,4 +188,9 @@
>  
>  optional_policy(`
>  	xen_append_log(fsadm_t)
> +	xen_rw_image_files(fsadm_t)
> +')
> +
> +optional_policy(`
> +	unconfined_domain(fsadm_t)
>  ')
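Review bot: the `optional_policy(` ... `unconfined_domain(fsadm_t)` ... `')` block makes fsadm_t fully unconfined whenever the unconfined module is present, which is the default on the targeted configurations this patch comes from. That silently cancels every rule in the file, including the NFS/CIFS and `xen_rw_image_files(fsadm_t)` additions, and gives tools that already read raw disks a way around the remaining checks. If a distribution wants fsadm_t unconfined, that is a distro policy decision to state in the changelog, not a side effect of module presence. The xen_rw_image_files line itself matches the stated xen purpose and is fine.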
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Problem with MLS because /dev is labeled tmpfs_t
From: Dennis Wronka @ 2008-08-07 14:10 UTC (permalink / raw)
  To: SELinux Mailing List


After already receiving some help with my newrole problem I have run into the 
next problem.
It does not appear when I compile the policy as a standard policy, but I run 
into it when I build an MLS policy.

The problem I have is that device-mapper throws some security transition error 
(which, btw., does not appear in audit2allow, but only shows during boot and in 
dmesg). The reason for that is, as I believe, that my /dev is labeled as 
tmpfs_t, which is not the right label.

Manually relabeling it doesn't help; on the next reboot, when udev starts its 
magic, it gets turned into tmpfs_t again.

This problem of course prevents me from booting into enforcing mode when using MLS.

Does anybody know where this problem is? Is it udev? I already compiled it 
with SELinux support, but /dev is always tmpfs_t.
As said, I suspect udev here, but of course I might be wrong.


* Re: [patch 01/35] anaconda policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:34 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_anaconda.patch)
> Anaconda is a RH installation program, RH should know their own program and
> the changes are quite trivial
> 
> Previously submitted Jul 19, refreshed to apply to current SVN

Merged except for the setsebool part which doesn't exist upstream at the
moment.

> Index: refpolicy/policy/modules/admin/anaconda.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/anaconda.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/anaconda.te	2008-08-03 16:52:56.000000000 +0200
> @@ -31,14 +31,9 @@
>  modutils_domtrans_insmod(anaconda_t)
>  
>  seutil_domtrans_semanage(anaconda_t)
> +seutil_domtrans_setsebool(anaconda_t)
>  
> -unconfined_domain(anaconda_t)
> -
> -unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
> -
> -optional_policy(`
> -	dmesg_domtrans(anaconda_t)
> -')
> +unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
>  
>  optional_policy(`
>  	kudzu_domtrans(anaconda_t)
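Review bot: three unrelated things in one hunk. `seutil_domtrans_setsebool(anaconda_t)` calls an interface that does not exist in this tree (the maintainer notes it is not upstream), so the module does not build as submitted; the `dmesg_domtrans` optional block is dropped without a word in the description; and the `unprivuser_home_dir_filetrans_home_content` line is deleted and re-added only to remove the space after the comma, which is a style regression (refpolicy puts a space after commas in argument lists) and adds noise to the diff. Split the setsebool part out until that interface lands, mention the dmesg removal, and leave untouched lines untouched.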
> @@ -58,5 +53,9 @@
>  ')
>  
>  optional_policy(`
> +	unconfined_domain(anaconda_t)
> +')
> +
> +optional_policy(`
>  	usermanage_domtrans_admin_passwd(anaconda_t)
>  ')
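Review bot: wrapping `unconfined_domain(anaconda_t)` in `optional_policy` makes the installer's confinement depend on whether the unconfined module is loaded: with it, anaconda is unconfined as before; without it, anaconda runs on the handful of rules left in this file, which the description does not claim has been tested. Either the installer has a complete confined policy, in which case say so and drop unconfined_domain, or it does not, in which case the call should stay unconditional.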
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 32/35] rsync policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_rsync.patch)
> rsync module policy changes, mostly related to a new type for rsync log
> files.

Merged.

> Index: refpolicy/policy/modules/services/rsync.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/services/rsync.fc	2008-07-19 19:15:41.000000000 +0200
> +++ refpolicy/policy/modules/services/rsync.fc	2008-08-03 21:58:33.000000000 +0200
> @@ -1,2 +1,6 @@
>  
>  /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
> +
> +/var/log/rsync\.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
> +
> +/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_log_t,s0)
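Review bot: `/var/run/rsyncd\.lock` is given `rsync_log_t`, a logging type, although it is a lock file under /var/run; it should get the module's pid/run type (or a dedicated lock type) so that the log-file attribute and the logging interfaces do not quietly cover a file in /var/run. The two new entries also pad the type column with spaces where the existing `/usr/bin/rsync` line uses tabs, and one blank line between entries is enough.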
> Index: refpolicy/policy/modules/services/rsync.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/rsync.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/rsync.te	2008-08-03 21:58:33.000000000 +0200
> @@ -31,6 +31,9 @@
>  type rsync_data_t;
>  files_type(rsync_data_t)
>  
> +type rsync_log_t;
> +logging_log_file(rsync_log_t)
> +
>  type rsync_tmp_t;
>  files_tmp_file(rsync_tmp_t)
>  
> @@ -42,7 +45,7 @@
>  # Local policy
>  #
>  
> -allow rsync_t self:capability sys_chroot;
> +allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
>  allow rsync_t self:process signal_perms;
>  allow rsync_t self:fifo_file rw_fifo_file_perms;
>  allow rsync_t self:tcp_socket create_stream_socket_perms;
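Review bot: the rewritten capability line grants `dac_override` and `dac_read_search` to rsync_t unconditionally; further down in this patch `dac_override` is removed from the `rsync_export_all_ro` tunable block, so what used to be opt-in DAC bypass for the export-everything case becomes the default for every rsync daemon. dac_override lets the daemon read and write any file its SELinux rules otherwise reach regardless of mode bits, so keep it (and dac_read_search) inside the tunable and consolidate only setuid/setgid/sys_chroot here.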
> @@ -52,7 +55,6 @@
>  # cjp: this should probably only be inetd_child_t rules?
>  # search home and kerberos also.
>  allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
> -allow rsync_t self:capability { setuid setgid };
>  #end for identd
>  
>  allow rsync_t rsync_data_t:dir list_dir_perms;
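Review bot: with `allow rsync_t self:capability { setuid setgid };` removed, the comment block closed by `#end for identd` (context lines) now wraps only the netlink_tcpdiag_socket rule; either move the setuid/setgid note next to the consolidated capability line or update the comment so it still says what the remaining rule is for.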
> @@ -95,7 +97,8 @@
>  libs_use_shared_libs(rsync_t)
>  
>  logging_send_syslog_msg(rsync_t)
> -logging_dontaudit_search_logs(rsync_t)
> +manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
> +logging_log_filetrans(rsync_t,rsync_log_t,file)
>  
>  miscfiles_read_localization(rsync_t)
>  miscfiles_read_public_files(rsync_t)
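Review bot: `manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` gives the daemon create, write, unlink and rename on its own log files, so a compromised rsync process can remove or truncate the record of what it transferred. If rsync only appends to rsync.log, a create-plus-append rule set keeps the log tamper-evident from the daemon's side (the directory access comes from `logging_log_filetrans` either way). Also add spaces after the commas to match the rest of the file.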
> @@ -117,7 +120,6 @@
>  ')
>  
>  tunable_policy(`rsync_export_all_ro',`
> -	allow rsync_t self:capability dac_override;
>  	fs_read_noxattr_fs_files(rsync_t) 
>  	auth_read_all_files_except_shadow(rsync_t)
>  ')
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 31/35] amanda policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_amanda.patch)
> RH policy updates to the amanda module, none of these look controversial

Merged.

> Index: refpolicy/policy/modules/admin/amanda.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/amanda.fc	2008-07-19 19:15:44.000000000 +0200
> +++ refpolicy/policy/modules/admin/amanda.fc	2008-08-03 21:51:13.000000000 +0200
> @@ -3,6 +3,7 @@
>  /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
>  /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
>  /etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
> +/etc/amanda/.*/index(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
>  
>  /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
>  
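Review bot: the new `/etc/amanda/.*/index(/.*)?` entry is placed after the `/etc/dumpdates` line rather than next to the other `/etc/amanda/...` entries directly above it; keep the /etc/amanda patterns together so the next person adding one finds them in one place.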
> Index: refpolicy/policy/modules/admin/amanda.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/amanda.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/amanda.te	2008-08-03 21:51:13.000000000 +0200
> @@ -82,8 +82,9 @@
>  allow amanda_t amanda_config_t:file { getattr read };
>  
>  # access to amandas data structure
> -allow amanda_t amanda_data_t:dir { read search write };
> -allow amanda_t amanda_data_t:file manage_file_perms;
> +manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
> +manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
> +filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
>  
>  # access to amanda_dumpdates_t
>  allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
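Review bot: `filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })` does more than set a type transition: the pattern also grants amanda_t write and add_name on amanda_config_t directories, whereas `allow amanda_t amanda_config_t:file { getattr read };` at the top of the hunk deliberately keeps the daemon read-only on its configuration. The transition is needed because the index and tapelist data live under /etc/amanda (see the .fc), but the net effect is that the backup daemon can now create files inside its config tree; say so in the description, and consider whether packaging could create the index directories with the right label instead.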
> @@ -146,6 +147,8 @@
>  fs_list_all(amanda_t)
>  
>  storage_raw_read_fixed_disk(amanda_t)
> +storage_read_tape(amanda_t)
> +storage_write_tape(amanda_t)
>  
>  # Added for targeted policy
>  term_use_unallocated_ttys(amanda_t)
> @@ -220,6 +223,7 @@
>  auth_use_nsswitch(amanda_recover_t)
>  
>  fstools_domtrans(amanda_t)
> +fstools_signal(amanda_t)
>  
>  libs_use_ld_so(amanda_recover_t)
>  libs_use_shared_libs(amanda_recover_t)
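Review bot: `fstools_signal(amanda_t)` lands in a block whose surrounding rules are all for amanda_recover_t (auth_use_nsswitch, libs_use_ld_so, libs_use_shared_libs), next to an existing `fstools_domtrans(amanda_t)` that looks equally out of place; check which domain actually forks and signals the fsadm tools and put both lines in that domain's section. The call also depends on the `fstools_signal` interface introduced by a separate patch in this series, so this module fails to build if the two are applied out of order.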
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 30/35] fetchmail policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment
> (policy_modules_services_fetchmail.patch)
> Trivial change to the fetchmail module...

Merged.

> Index: refpolicy/policy/modules/services/fetchmail.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/fetchmail.te	2008-08-03 21:45:04.000000000 +0200
> +++ refpolicy/policy/modules/services/fetchmail.te	2008-08-03 21:45:45.000000000 +0200
> @@ -14,7 +14,7 @@
>  files_pid_file(fetchmail_var_run_t)
>  
>  type fetchmail_etc_t;
> -files_type(fetchmail_etc_t)
> +files_config_file(fetchmail_etc_t)
>  
>  type fetchmail_uidl_cache_t;
>  files_type(fetchmail_uidl_cache_t)
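Review bot: `files_config_file(fetchmail_etc_t)` is the right marker for a configuration type, but it also puts the type under the configfile attribute, so every domain using the generic config-file interfaces (files_read_config_files and friends) now reaches it. fetchmail's rc file carries the mail-server credentials, so it is worth checking which generic config readers exist in the build before switching; if that was considered, fine as merged.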
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 26/35] stunnel policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_stunnel.patch)
> Changes to the stunnel module which shouldn't be controversial, the interface
> is used by later RH patches to the inetd module.

Merged.

> Index: refpolicy/policy/modules/services/stunnel.if
> ===================================================================
> --- refpolicy.orig/policy/modules/services/stunnel.if	2008-07-19 19:15:41.000000000 +0200
> +++ refpolicy/policy/modules/services/stunnel.if	2008-08-03 21:21:31.000000000 +0200
> @@ -1 +1,25 @@
>  ## <summary>SSL Tunneling Proxy</summary>
> +
> +########################################
> +## <summary>
> +##	Define the specified domain as a stunnel inetd service.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type associated with the stunnel inetd service process.
> +##	</summary>
> +## </param>
> +## <param name="entrypoint">
> +##	<summary>
> +##	The type associated with the process program.
> +##	</summary>
> +## </param>
> +#
> +interface(`stunnel_service_domain',`
> +	gen_require(`
> +		type stunnel_t;
> +	')
> +
> +	domtrans_pattern(stunnel_t,$2,$1)
> +	allow $1 stunnel_t:tcp_socket rw_socket_perms;
> +')
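Review bot: in the new `stunnel_service_domain` interface the second `<param>` is named entrypoint but its summary ("The type associated with the process program.") does not say that it is the entry point executable type for the service; spell that out. `domtrans_pattern(stunnel_t,$2,$1)` should have spaces after the commas like the rest of the tree. The `allow $1 stunnel_t:tcp_socket rw_socket_perms;` line is what lets the spawned service talk on the tunnel socket it inherits, which is the whole point of the interface; a one-line comment there would save the next reader a lookup.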
> Index: refpolicy/policy/modules/services/stunnel.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/stunnel.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/stunnel.te	2008-08-03 21:21:31.000000000 +0200
> @@ -20,7 +20,7 @@
>  ')
>  
>  type stunnel_etc_t;
> -files_type(stunnel_etc_t)
> +files_config_file(stunnel_etc_t)
>  
>  type stunnel_tmp_t;
>  files_tmp_file(stunnel_tmp_t)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 22/35] oav policy updates
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_oav.patch)
> Trivial changes...

Merged.

> Index: refpolicy/policy/modules/services/oav.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/oav.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/oav.te	2008-08-03 20:34:32.000000000 +0200
> @@ -12,7 +12,7 @@
>  
>  # cjp: may be collapsable to etc_t
>  type oav_update_etc_t;
> -files_type(oav_update_etc_t)
> +files_config_file(oav_update_etc_t)
>  
>  type oav_update_var_lib_t;
>  files_type(oav_update_var_lib_t)
> @@ -22,7 +22,7 @@
>  init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t)
>  
>  type scannerdaemon_etc_t;
> -files_type(scannerdaemon_etc_t)
> +files_config_file(scannerdaemon_etc_t)
>  
>  type scannerdaemon_log_t;
>  logging_log_file(scannerdaemon_log_t)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 19/35] kernel storage module policy updates
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_kernel_storage.patch)
> A few new paths and a new interface which is used by later patches

Merged.  In the future, when a new interface is created and then called,
both changes should be in the same patch.

> Index: refpolicy/policy/modules/kernel/storage.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/kernel/storage.fc	2008-07-19 19:15:34.000000000 +0200
> +++ refpolicy/policy/modules/kernel/storage.fc	2008-08-03 18:09:53.000000000 +0200
> @@ -13,6 +13,7 @@
>  /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
>  /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/drbd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
>  /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
> @@ -48,6 +49,7 @@
>  /dev/tw[a-z][^/]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
>  /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  
>  /dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> Index: refpolicy/policy/modules/kernel/storage.if
> ===================================================================
> --- refpolicy.orig/policy/modules/kernel/storage.if	2008-08-03 16:46:56.000000000 +0200
> +++ refpolicy/policy/modules/kernel/storage.if	2008-08-03 18:09:53.000000000 +0200
> @@ -81,6 +81,26 @@
>  
>  ########################################
>  ## <summary>
> +##	dontaudit the caller attempts to read from a fixed disk.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_dontaudit_raw_read_fixed_disk',`
> +	gen_require(`
> +		attribute fixed_disk_raw_read;
> +		type fixed_disk_device_t;
> +	')
> +
> +	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
> +	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Allow the caller to directly read from a fixed disk.
>  ##	This is extremly dangerous as it can bypass the
>  ##	SELinux protections for filesystem objects, and
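Review bot: `storage_dontaudit_raw_read_fixed_disk` requires `attribute fixed_disk_raw_read;` but never uses it (both dontaudit rules are on fixed_disk_device_t); drop the unused require so the interface carries no needless dependency and does not suggest it marks the caller as a raw reader. The summary line also needs a verb form: "Do not audit attempts by the caller to read from a fixed disk."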
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 21/35] kismet policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_kismet.patch)
> kismet is a network sniffer so net_raw seems quite reasonable...

Merged.

> Index: refpolicy/policy/modules/admin/kismet.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/kismet.te	2008-08-03 18:30:11.000000000 +0200
> +++ refpolicy/policy/modules/admin/kismet.te	2008-08-03 18:30:32.000000000 +0200
> @@ -25,7 +25,7 @@
>  # kismet local policy
>  #
>  
> -allow kismet_t self:capability { net_admin setuid setgid };
> +allow kismet_t self:capability { net_admin net_raw setuid setgid };
>  allow kismet_t self:packet_socket create_socket_perms;
>  
>  manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 16/35] usernet policy updates
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_apps_usernetctl.patch)
> Only minor changes

Merged.

> Index: refpolicy/policy/modules/apps/usernetctl.if
> ===================================================================
> --- refpolicy.orig/policy/modules/apps/usernetctl.if	2008-08-03 16:46:56.000000000 +0200
> +++ refpolicy/policy/modules/apps/usernetctl.if	2008-08-03 18:01:40.000000000 +0200
> @@ -63,4 +63,9 @@
>  	optional_policy(`
>  		modutils_run_insmod(usernetctl_t, $2, $3)
>  	')
> +
> +
> +	optional_policy(`
> +		ppp_run(usernetctl_t,$2,$3)
> +	')
>  ')
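Review bot: the new `ppp_run(usernetctl_t,$2,$3)` block is preceded by two blank lines where one is the convention in this file, and the call lacks the spaces after commas that the `modutils_run_insmod(usernetctl_t, $2, $3)` line directly above it uses. Functionally it is right: ppp_run is the correct interface for an optional dependency, since it also handles the role and terminal arguments.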
> Index: refpolicy/policy/modules/apps/usernetctl.te
> ===================================================================
> --- refpolicy.orig/policy/modules/apps/usernetctl.te	2008-08-03 16:46:56.000000000 +0200
> +++ refpolicy/policy/modules/apps/usernetctl.te	2008-08-03 18:01:40.000000000 +0200
> @@ -49,15 +49,21 @@
>  
>  fs_search_auto_mountpoints(usernetctl_t)
>  
> +auth_use_nsswitch(usernetctl_t)
> +
>  libs_use_ld_so(usernetctl_t)
>  libs_use_shared_libs(usernetctl_t)
>  
> +logging_send_syslog_msg(usernetctl_t)
> +
>  miscfiles_read_localization(usernetctl_t)
>  
>  seutil_read_config(usernetctl_t)
>  
>  sysnet_read_config(usernetctl_t)
>  
> +term_search_ptys(usernetctl_t)
> +
>  optional_policy(`
>  	hostname_exec(usernetctl_t)
>  ')
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 13/35] ricci policy update
From: Christopher J. PeBenito @ 2008-08-07 14:22 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_ricci.patch)
> One trivial change

Merged.

> Index: refpolicy/policy/modules/services/ricci.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/ricci.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/ricci.te	2008-08-03 18:01:32.000000000 +0200
> @@ -443,6 +443,7 @@
>  create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
>  files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
>  
> +corecmd_exec_shell(ricci_modstorage_t)
>  corecmd_exec_bin(ricci_modstorage_t)
>  
>  dev_read_sysfs(ricci_modstorage_t)
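Review bot: `corecmd_exec_shell(ricci_modstorage_t)` lets the storage module run a shell in its own domain, so everything a shell script does inherits ricci_modstorage_t's permissions (the context shows it already has exec_bin and sysfs read). That is normal for a helper that drives scripts, but the description "One trivial change" should name the script that needs it so the rule can be revisited if that script goes away.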
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 11/35] hotplug policy update
From: Christopher J. PeBenito @ 2008-08-07 14:23 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_hotplug.patch)
> Should all be trivial changes

Merged.

> Index: refpolicy/policy/modules/system/hotplug.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/hotplug.te	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/hotplug.te	2008-08-03 17:52:58.000000000 +0200
> @@ -121,6 +121,7 @@
>  	optional_policy(`
>  		# for arping used for static IP addresses on PCMCIA ethernet
>  		netutils_domtrans(hotplug_t)
> +		netutils_signal(hotplug_t)
>  		fs_rw_tmpfs_chr_files(hotplug_t)
>  	')
>  	files_getattr_generic_locks(hotplug_t)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 06/35] soundserver policy update
From: Daniel J Walsh @ 2008-08-07 15:09 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: david, selinux

Christopher J. PeBenito wrote:
> On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
>> plain text document attachment
>> (policy_modules_services_soundserver.patch)
>> This policy was written by Ken Yang and reviewed by Dan Walsh:
>> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
>> and here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=250453
>>
>> I updated the .fc changes to also work with Debian paths.
>>
>> Originally submitted Jul 19, refreshed to apply cleanly
> 
> Comments inline
> 
>> +########################################
>> +## <summary>
>> +##	All of the rules required to administrate
>> +##	an soundd environment
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <param name="role">
>> +##	<summary>
>> +##	The role to be allowed to manage the soundd domain.
>> +##	</summary>
>> +## </param>
>> +## <param name="terminal">
>> +##	<summary>
>> +##	The type of the user terminal.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`soundserver_admin',`
>> +	gen_require(`
>> +		type soundd_t;
>> +		type soundd_script_exec_t;
>> +		type soundd_etc_t;
>> +		type soundd_tmp_t;
>> +		type soundd_var_run_t;
>> +	')
>> +
>> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
>> +	read_files_pattern($1, soundd_t, soundd_t)
>> +
>> +	# Allow soundd_t to restart the apache service
>> +	soundserver_script_domtrans($1)
>> +	domain_system_change_exemption($1)
>> +	role_transition $2 soundd_script_exec_t system_r;
>> +	allow $2 system_r;
>> +
>> +	files_list_tmp($1)
>> +        manage_all_pattern($1,soundd_tmp_t)
>> +
>> +	files_list_etc($1)
>> +        manage_all_pattern($1,soundd_etc_t)
>> +
>> +	files_list_pids($1)
>> +        manage_all_pattern($1,soundd_var_run_t)
>> +')
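Review bot: beyond the XML mismatch, the 8-space indentation and the non-existent manage_all_pattern, the comment `# Allow soundd_t to restart the apache service` is a leftover from the template this interface was copied from and should refer to soundd; and `allow $1 soundd_t:process { ptrace signal_perms getattr };` gives the admin role ptrace on the daemon, which the other admin interfaces in the tree also grant but which deserves a sentence here because it lets the admin read the memory of a network-facing service.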
> 
> This interface need several fixes.  The XML does not match.  There are
> whitespace issues (there should be tabs, not 8 spaces).  Also spaces
> after commas (other places in the patch too).  Manage_all_pattern
> doesn't exist upstream, and I don't plan on ever adding it.
> 
Why not?  If I am an admin of a domain, I should be able to modify the
labeling on all types that are in that domain, on the entire class of
objects in that domain. Making me add all of the rules for each type is
just prone to errors.

Without this rule you need to add
        manage_dirs_pattern($1,$2,$2)
        manage_files_pattern($1,$2,$2)
        manage_lnk_files_pattern($1,$2,$2)
        manage_fifo_files_pattern($1,$2,$2)
        manage_sock_files_pattern($1,$2,$2)

        relabelto_dirs_pattern($1,$2,$2)
        relabelto_files_pattern($1,$2,$2)
        relabelto_lnk_files_pattern($1,$2,$2)
        relabelto_fifo_files_pattern($1,$2,$2)
        relabelto_sock_files_pattern($1,$2,$2)

        relabelfrom_dirs_pattern($1,$2,$2)
        relabelfrom_files_pattern($1,$2,$2)
        relabelfrom_lnk_files_pattern($1,$2,$2)
        relabelfrom_fifo_files_pattern($1,$2,$2)
        relabelfrom_sock_files_pattern($1,$2,$2)

For every type, which is nuts.

I am the admin of the httpd_sys_content_t.  I would figure I should be
able to do anything with this type.

>> Index: refpolicy/policy/modules/services/soundserver.te
>> ===================================================================
>> --- refpolicy.orig/policy/modules/services/soundserver.te	2008-08-03 16:47:00.000000000 +0200
>> +++ refpolicy/policy/modules/services/soundserver.te	2008-08-03 17:11:27.000000000 +0200
>> @@ -10,9 +10,6 @@
>>  type soundd_exec_t;
>>  init_daemon_domain(soundd_t, soundd_exec_t)
>>  
>> -type soundd_etc_t alias etc_soundd_t;
>> -files_type(soundd_etc_t)
>> -
>>  type soundd_state_t;
>>  files_type(soundd_state_t)
>>  
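Review bot: removing `type soundd_etc_t alias etc_soundd_t;` here and re-declaring the type later without the alias drops etc_soundd_t: any file still labeled with the old name and any local policy referencing it stops resolving. If the intent is only to switch to files_config_file, change the attribute call in place and keep the alias; the declaration itself should not move.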
>> @@ -26,21 +23,30 @@
>>  type soundd_var_run_t;
>>  files_pid_file(soundd_var_run_t)
>>  
>> +type soundd_etc_t;
>> +files_config_file(soundd_etc_t)
> 
> This type declaration shouldn't be moved
> 
>> +type soundd_script_exec_t;
>> +init_script_type(soundd_script_exec_t)
>> +
>>  ########################################
>>  #
>> -# Declarations
>> +# sound server local policy
>>  #
>>  
>> +allow soundd_t self:capability dac_override;
>>  dontaudit soundd_t self:capability sys_tty_config;
>>  allow soundd_t self:process { setpgid signal_perms };
>>  allow soundd_t self:tcp_socket create_stream_socket_perms;
>>  allow soundd_t self:udp_socket create_socket_perms;
>> +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
>> +
>> +fs_getattr_all_fs(soundd_t)
>> +
>>  # for yiff
>>  allow soundd_t self:shm create_shm_perms;
>>  
>> -allow soundd_t soundd_etc_t:dir list_dir_perms;
>> -allow soundd_t soundd_etc_t:file read_file_perms;
>> -allow soundd_t soundd_etc_t:lnk_file { getattr read };
>> +read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
>>  
>>  manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
>>  manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
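Review bot: two grants in this hunk need justification and one shrinks access, probably unintentionally. "allow soundd_t self:capability dac_override;" lets the daemon ignore DAC permission bits on everything it touches, and fs_getattr_all_fs() is likewise uncommented; add a line saying what triggers each. Replacing the three explicit soundd_etc_t rules with read_files_pattern() keeps file read and directory search only: the lnk_file { getattr read } rule is gone and list_dir_perms becomes search, so if the config directory contains symlinks or is listed, add read_lnk_files_pattern() and list_dirs_pattern() next to it. The added lines also omit the space after commas that the surrounding lines use.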
>> @@ -55,8 +61,10 @@
>>  manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
>>  fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>>  
>> +manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
>>  manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
>> -files_pid_filetrans(soundd_t, soundd_var_run_t, file)
>> +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
>> +files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
>>  
>>  kernel_read_kernel_sysctls(soundd_t)
>>  kernel_list_proc(soundd_t)
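Review bot: sock_file is managed in soundd_var_run_t from this hunk on, but files_pid_filetrans() is only widened to { file dir }; a socket created directly in /var/run would get the default pid-file type instead of soundd_var_run_t. Add sock_file to the transition set if the socket lives directly under /var/run, or a comment saying it is created inside the daemon's own directory, where it inherits the parent's type. The three new lines also lack the space after commas used on the line between them.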
>> @@ -96,10 +104,13 @@
>>  sysnet_read_config(soundd_t)
>>  
>>  userdom_dontaudit_use_unpriv_user_fds(soundd_t)
>> -
>>  sysadm_dontaudit_search_home_dirs(soundd_t)
>>  
>>  optional_policy(`
>> +	alsa_domtrans(soundd_t)
>> +')
>> +
>> +optional_policy(`
>>  	seutil_sigchld_newrole(soundd_t)
>>  ')
>>  
>>
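Review bot: the removed blank line between userdom_dontaudit_use_unpriv_user_fds() and sysadm_dontaudit_search_home_dirs() is unrelated whitespace churn and should come out of the patch. alsa_domtrans(soundd_t) is a domain transition, not just an exec, and nothing in the message says which alsa program the sound server runs; a comment above the optional_policy block would let the grant be checked later.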



* Re: [patch 17/35] brctl policy update
  2008-08-07 13:47   ` Christopher J. PeBenito
@ 2008-08-07 15:11     ` Daniel J Walsh
  2008-08-11 13:20       ` Christopher J. PeBenito
  0 siblings, 1 reply; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-07 15:11 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: david, selinux

Christopher J. PeBenito wrote:
> On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
>> plain text document attachment (policy_modules_admin_brctl.patch)
>> One minor change
> 
> I need justification for this change.
> 
>> Index: refpolicy/policy/modules/admin/brctl.te
>> ===================================================================
>> --- refpolicy.orig/policy/modules/admin/brctl.te	2008-08-03 16:47:00.000000000 +0200
>> +++ refpolicy/policy/modules/admin/brctl.te	2008-08-03 18:01:42.000000000 +0200
>> @@ -33,6 +33,8 @@
>>  
>>  files_read_etc_files(brctl_t)
>>  
>> +term_use_console(brctl_t)
>> +
>>  libs_use_ld_so(brctl_t)
>>  libs_use_shared_libs(brctl_t)
>>  
>>
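Review bot: term_use_console(brctl_t) adds read/write on the console device and the message says only "One minor change". If the denial shows up because brctl inherits an open console descriptor from its caller rather than opening the console itself, the dontaudit form of the interface (term_dontaudit_use_console()) is the usual refpolicy answer; either way a comment above the call naming the caller is needed.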
I believe this comes from libvirt or qemu interacting with the console.


* Re: Problem with MLS because /dev is labeled tmpfs_t
  2008-08-07 14:10     ` Problem with MLS because /dev is labeled tmpfs_t Dennis Wronka
@ 2008-08-08  2:00       ` Russell Coker
  2008-08-09  8:49         ` Dennis Wronka
  0 siblings, 1 reply; 89+ messages in thread
From: Russell Coker @ 2008-08-08  2:00 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux Mailing List

On Friday 08 August 2008 00:10, Dennis Wronka <linuxweb@gmx.net> wrote:
> Does anybody know where this problem is? Is it udev? I already compiled it
> with SELinux-support, but /dev is always tmpfs_t.
> As said, I suspect udev here, but of course I might be wrong.

Your udev script which mounts the tmpfs (which might be /etc/init.d/udev or a 
script called by it) needs to call restorecon.

See the scripts in Debian and Fedora for examples of how it's done.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development


* Re: Problem with MLS because /dev is labeled tmpfs_t
  2008-08-08  2:00       ` Russell Coker
@ 2008-08-09  8:49         ` Dennis Wronka
  0 siblings, 0 replies; 89+ messages in thread
From: Dennis Wronka @ 2008-08-09  8:49 UTC (permalink / raw)
  To: SELinux Mailing List


On Friday 08 August 2008 10:00:39 Russell Coker wrote:
> On Friday 08 August 2008 00:10, Dennis Wronka <linuxweb@gmx.net> wrote:
> > Does anybody know where this problem is? Is it udev? I already compiled
> > it with SELinux-support, but /dev is always tmpfs_t.
> > As said, I suspect udev here, but of course I might be wrong.
>
> Your udev script which mounts the tmpfs (which might be /etc/init.d/udev or
> a script called by it) needs to call restorecon.
>
> See the scripts in Debian and Fedora for examples of how it's done.

Thanks, this already helped with the wrongly labeled /dev, but not with the 
error, which I believe will still stop the boot if I switch to enforcing.

Here's the message:
type=1401 audit(1218261917.800:3): security_validate_transition: denied for 
oldcontext=system_u:object_r:fixed_disk_device_t:s0 
newconext=system_u:object_r:fixed_disk_device_t:s15:c0.c255 
taskcontext=system_u:system_r:lvm_t:s0-s15:c0.c255 tclass=blk_file

As the message doesn't show anything, I do not know for sure exactly which file it 
is. As this message is caused by the call of dmsetup mknodes (I use 
an encrypted root-partition in this setup), it must be either /dev/hdaX (all 
three hda-partitions have this context, hda3 is the actual root-fs) 
or /dev/mapper/cryptroot, which also has that context and is the file that's 
actually supposed to be created by dmsetup.

I had a look around in the policy but couldn't find a way to get around this. 
Also Google wasn't very helpful as it points to patches and sources of the 
SELinux-libraries.

Just for testing I removed the call of dmsetup mknodes, but the error still 
happens, as lvm vgmknodes still is called and it causes the same problem.
I also switched (disabled the lvm-call and re-enabled the dmsetup-call) and I 
get the error. So, both calls give this error, as they both run in the same 
domain lvm_t and want to do the same stuff with my files.

Now the problem is, how do I get rid of this problem? Both LVM and DevMapper 
are compiled with SELinux-support, but somehow MLS doesn't allow them to 
perform this transition.

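The audit record quoted above, parsed by an added example (this is not code from the thread or from refpolicy). It splits each of the three contexts into user, role, type and MLS range, shows that the relabel attempted by lvm_t changes only the range of the blk_file (the type stays fixed_disk_device_t), and checks whether the requested level lies within the task's own clearance. A security_validate_transition denial is the kernel rejecting an old-to-new relabel under a validatetrans or mlsvalidatetrans constraint for that class, not a missing allow rule, so establishing which component of the context moved is the first triage step. The only real data is the record itself, copied from the message; the helper names and the tolerant handling of the "newconext" spelling are this example's own.

```python
import re

# Audit record copied from Dennis Wronka's message in this thread (the mail's
# line breaks re-joined; the "newconext" spelling is as it appears there).
SAMPLE_RECORD = (
    "type=1401 audit(1218261917.800:3): security_validate_transition: denied for "
    "oldcontext=system_u:object_r:fixed_disk_device_t:s0 "
    "newconext=system_u:object_r:fixed_disk_device_t:s15:c0.c255 "
    "taskcontext=system_u:system_r:lvm_t:s0-s15:c0.c255 tclass=blk_file"
)

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_context(ctx):
    """Split user:role:type[:range]; the range may itself contain ':' (s15:c0.c255)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) == 4 else None,
    }


def parse_level(level):
    """'s15:c0.c255' -> (15, {0..255}); 's0' -> (0, set()). Accepts c0.c5,c7 lists."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity: %r" % sens)
    catset = set()
    for piece in filter(None, cats.split(",")):
        lo, _, hi = piece.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        catset.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), catset


def parse_range(mls_range):
    """'s0-s15:c0.c255' -> (low, high); a single level is its own low and high."""
    low, _, high = mls_range.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS dominance: a >= b when a's sensitivity and category set both cover b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_validate_transition(record):
    """Parse a security_validate_transition denial into old/new/task contexts."""
    if "security_validate_transition" not in record:
        raise ValueError("not a security_validate_transition record")
    kv = dict(_KV_RE.findall(record))
    # The kernel prints "newcontext="; the copy quoted in the thread has "newconext=".
    if "newcontext" not in kv and "newconext" in kv:
        kv["newcontext"] = kv.pop("newconext")
    return {
        "old": parse_context(kv["oldcontext"]),
        "new": parse_context(kv["newcontext"]),
        "task": parse_context(kv["taskcontext"]),
        "tclass": kv["tclass"],
    }


def triage(record):
    """Report what the relabel changed and whether it stays within the task's clearance."""
    p = parse_validate_transition(record)
    old, new, task = p["old"], p["new"], p["task"]
    _, task_high = parse_range(task["range"])
    _, new_high = parse_range(new["range"])
    return {
        "tclass": p["tclass"],
        "task_type": task["type"],
        "type_changed": old["type"] != new["type"],
        "range_changed": old["range"] != new["range"],
        "old_range": old["range"],
        "new_range": new["range"],
        # True when the requested level is covered by the task's clearance (the high
        # end of its range); the denial then comes from a validatetrans constraint
        # on this object class rather than from the task's own MLS clearance.
        "within_clearance": dominates(task_high, new_high),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORD).items():
        print("%-17s %s" % (key, value))
```

Run it directly to print the triage of the posted record; the same functions take any security_validate_transition record pulled from an audit log, one record per call.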

* Re: [patch 06/35] soundserver policy update
  2008-08-07 15:09     ` Daniel J Walsh
@ 2008-08-11 13:18       ` Christopher J. PeBenito
  2008-08-11 14:15         ` Daniel J Walsh
                           ` (2 more replies)
  0 siblings, 3 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-11 13:18 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: david, selinux

On Thu, 2008-08-07 at 11:09 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> >> plain text document attachment
> >> (policy_modules_services_soundserver.patch)
> >> This policy was written by Ken Yang and reviewed by Dan Walsh:
> >> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
> >> and here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=250453
> >>
> >> I updated the .fc changes to also work with Debian paths.
> >>
> >> Originally submitted Jul 19, refreshed to apply cleanly
> > 
> > Comments inline
> > 
> >> +########################################
> >> +## <summary>
> >> +##	All of the rules required to administrate
> >> +##	an soundd environment
> >> +## </summary>
> >> +## <param name="domain">
> >> +##	<summary>
> >> +##	Domain allowed access.
> >> +##	</summary>
> >> +## </param>
> >> +## <param name="role">
> >> +##	<summary>
> >> +##	The role to be allowed to manage the soundd domain.
> >> +##	</summary>
> >> +## </param>
> >> +## <param name="terminal">
> >> +##	<summary>
> >> +##	The type of the user terminal.
> >> +##	</summary>
> >> +## </param>
> >> +## <rolecap/>
> >> +#
> >> +interface(`soundserver_admin',`
> >> +	gen_require(`
> >> +		type soundd_t;
> >> +		type soundd_script_exec_t;
> >> +		type soundd_etc_t;
> >> +		type soundd_tmp_t;
> >> +		type soundd_var_run_t;
> >> +	')
> >> +
> >> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
> >> +	read_files_pattern($1, soundd_t, soundd_t)
> >> +
> >> +	# Allow soundd_t to restart the apache service
> >> +	soundserver_script_domtrans($1)
> >> +	domain_system_change_exemption($1)
> >> +	role_transition $2 soundd_script_exec_t system_r;
> >> +	allow $2 system_r;
> >> +
> >> +	files_list_tmp($1)
> >> +        manage_all_pattern($1,soundd_tmp_t)
> >> +
> >> +	files_list_etc($1)
> >> +        manage_all_pattern($1,soundd_etc_t)
> >> +
> >> +	files_list_pids($1)
> >> +        manage_all_pattern($1,soundd_var_run_t)
> >> +')
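Review bot: the <param name="terminal"> block documents a $3 that the interface body never uses, which is why the XML and the body disagree; drop the block or use the parameter. The comment "# Allow soundd_t to restart the apache service" is copied from an apache interface and is wrong on both counts: the rule below lets the admin domain ($1), not soundd_t, run the soundd init script, and the comment should say so. "an soundd environment" in the summary should read "a soundd environment".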
> > 
> > This interface needs several fixes.  The XML does not match.  There are
> > whitespace issues (there should be tabs, not 8 spaces).  Also spaces
> > after commas (other places in the patch too).  Manage_all_pattern
> > doesn't exist upstream, and I don't plan on ever adding it.
> > 
> Why not?  If I am an admin of a domain, I should be able to modify the
> labeling on all types that are in that domain, on the entire class of
> objects in that domain. Making me add all of the rules for each type is
> just prone to errors.
> 
> Without this rule you need to add
>         manage_dirs_pattern($1,$2,$2)
>         manage_files_pattern($1,$2,$2)
>         manage_lnk_files_pattern($1,$2,$2)
>         manage_fifo_files_pattern($1,$2,$2)
>         manage_sock_files_pattern($1,$2,$2)
> 
>         relabelto_dirs_pattern($1,$2,$2)
>         relabelto_files_pattern($1,$2,$2)
>         relabelto_lnk_files_pattern($1,$2,$2)
>         relabelto_fifo_files_pattern($1,$2,$2)
>         relabelto_sock_files_pattern($1,$2,$2)
> 
>         relabelfrom_dirs_pattern($1,$2,$2)
>         relabelfrom_files_pattern($1,$2,$2)
>         relabelfrom_lnk_files_pattern($1,$2,$2)
>         relabelfrom_fifo_files_pattern($1,$2,$2)
>         relabelfrom_sock_files_pattern($1,$2,$2)
> 
> For every type, which is nuts.

It is nuts because I don't think all that access should be provided.
Neglecting that, "manage" in refpolicy does not imply any relabeling
permissions.  Also the second and third blocks could be merged with
relabel_*_pattern().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 17/35] brctl policy update
  2008-08-07 15:11     ` Daniel J Walsh
@ 2008-08-11 13:20       ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-11 13:20 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: david, selinux

On Thu, 2008-08-07 at 11:11 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> >> plain text document attachment (policy_modules_admin_brctl.patch)
> >> One minor change
> > 
> > I need justification for this change.
> > 
> >> Index: refpolicy/policy/modules/admin/brctl.te
> >> ===================================================================
> >> --- refpolicy.orig/policy/modules/admin/brctl.te	2008-08-03 16:47:00.000000000 +0200
> >> +++ refpolicy/policy/modules/admin/brctl.te	2008-08-03 18:01:42.000000000 +0200
> >> @@ -33,6 +33,8 @@
> >>  
> >>  files_read_etc_files(brctl_t)
> >>  
> >> +term_use_console(brctl_t)
> >> +
> >>  libs_use_ld_so(brctl_t)
> >>  libs_use_shared_libs(brctl_t)
> >>  
> >>
> I believe this comes from libvirt or qemu interacting with the console.

Sounds like this should be dontaudited instead.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 27/35] inetd policy update
  2008-08-04 12:35 ` [patch 27/35] inetd " david
@ 2008-08-11 13:50   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-11 13:50 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_inetd.patch)
> RH changes to the inetd module, most of these are related to the MLS/MCS
> override which is already present in the module...

Comments inline

> Index: refpolicy/policy/modules/services/inetd.if
> ===================================================================
> --- refpolicy.orig/policy/modules/services/inetd.if	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/inetd.if	2008-08-03 21:25:12.000000000 +0200
> @@ -115,6 +115,10 @@
>  
>  	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
>  	allow $1 inetd_t:udp_socket rw_socket_perms;
> +
> +	optional_policy(`
> +		stunnel_service_domain($1,$2)
> +	')
>  ')
>
>  ########################################
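Review bot: calling stunnel_service_domain($1,$2) inside this interface changes what callers get (their domain becomes a stunnel service domain as well), but the interface's documentation block is not touched by the patch; update its <summary> so the extra grant is visible to anyone reading the .if, and write the call as "($1, $2)" to match the space-after-comma style upstream asks for elsewhere in this series.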
> Index: refpolicy/policy/modules/services/inetd.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/inetd.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/inetd.te	2008-08-03 21:25:12.000000000 +0200
> @@ -30,6 +30,10 @@
>  type inetd_child_var_run_t;
>  files_pid_file(inetd_child_var_run_t)
>  
> +ifdef(`enable_mcs',`
> +	init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
> +')
> +
>  ########################################
>  #
>  # Local policy
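Review bot: the ranged daemon declaration is guarded only by ifdef(`enable_mcs'), yet the message says these changes are about MLS/MCS and the module already carries MLS override interfaces further down; an MLS build gets no range here and inetd_t will start at a single level. Add the matching ifdef(`enable_mls') branch using s0 - mls_systemhigh, or say why MCS alone needs the range.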
> @@ -84,6 +88,7 @@
>  corenet_udp_bind_ftp_port(inetd_t)
>  corenet_tcp_bind_inetd_child_port(inetd_t)
>  corenet_udp_bind_inetd_child_port(inetd_t)
> +corenet_tcp_bind_ircd_port(inetd_t)
>  corenet_udp_bind_ktalkd_port(inetd_t)
>  corenet_tcp_bind_printer_port(inetd_t)
>  corenet_udp_bind_rlogind_port(inetd_t)
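Review bot: corenet_tcp_bind_ircd_port(inetd_t) is a new listening port for the super-server, and neither the message nor a comment says which inetd-spawned service needs it; add that so the bind can be removed again when the service goes.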
> @@ -137,6 +142,7 @@
>  miscfiles_read_localization(inetd_t)
>  
>  # xinetd needs MLS override privileges to work
> +mls_fd_use_all_levels(inetd_t)
>  mls_fd_share_all_levels(inetd_t)
>  mls_socket_read_to_clearance(inetd_t)
>  mls_socket_write_to_clearance(inetd_t)
> @@ -165,6 +171,7 @@
>  ')
>  
>  optional_policy(`
> +	unconfined_domain(inetd_t)
>  	unconfined_domtrans(inetd_t)
>  ')
>  
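Review bot: unconfined_domain(inetd_t) makes inetd itself unconfined whenever the unconfined module is loaded, which overrides every rule in this file and goes far beyond the MLS/MCS overrides the message describes. It also makes the existing unconfined_domtrans(inetd_t) pointless, since that line exists so inetd can hand children to the unconfined domain while staying confined itself. Drop it, or submit it separately with a justification.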
> @@ -181,6 +188,9 @@
>  # for identd
>  allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
>  allow inetd_child_t self:capability { setuid setgid };
> +allow inetd_child_t self:dir search;
> +allow inetd_child_t self:{ lnk_file file } { getattr read };
> +
>  files_search_home(inetd_child_t)
>  
>  manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t)

Reverses an upstream change; these rules are redundant.

> @@ -227,3 +237,7 @@
>  optional_policy(`
>  	unconfined_domain(inetd_child_t)
>  ')
> +
> +optional_policy(`
> +	inetd_service_domain(inetd_child_t,bin_t)
> +')

Not acceptable, as bin_t doesn't belong to this module.  Probably want
corecmd_bin_domtrans() and corecmd_bin_entry_type().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 34/35] qmail policy update
  2008-08-04 12:35 ` [patch 34/35] qmail policy update david
@ 2008-08-11 14:08   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-11 14:08 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_qmail.patch)
> Parts of the RH changes to the qmail module, mostly related to script
> execution and logging...

Merged.

> Index: refpolicy/policy/modules/services/qmail.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/qmail.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/qmail.te	2008-08-03 22:57:55.000000000 +0200
> @@ -14,7 +14,7 @@
>  qmail_child_domain_template(qmail_clean, qmail_start_t)
>  
>  type qmail_etc_t;
> -files_type(qmail_etc_t)
> +files_config_file(qmail_etc_t)
>  
>  type qmail_exec_t;
>  files_type(qmail_exec_t)
> @@ -85,6 +85,8 @@
>  libs_use_ld_so(qmail_inject_t)
>  libs_use_shared_libs(qmail_inject_t)
>  
> +miscfiles_read_localization(qmail_inject_t)
> +
>  qmail_read_config(qmail_inject_t)
>  
>  ########################################
> @@ -106,11 +108,17 @@
>  
>  kernel_read_system_state(qmail_local_t)
>  
> +corecmd_exec_bin(qmail_local_t)
>  corecmd_exec_shell(qmail_local_t)
> +can_exec(qmail_local_t, qmail_local_exec_t)
>  
>  files_read_etc_files(qmail_local_t)
>  files_read_etc_runtime_files(qmail_local_t)
>  
> +auth_use_nsswitch(qmail_local_t)
> +
> +logging_send_syslog_msg(qmail_local_t)
> +
>  mta_append_spool(qmail_local_t)
>  
>  qmail_domtrans_queue(qmail_local_t)
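Review bot: can_exec(qmail_local_t, qmail_local_exec_t) lets the domain re-execute its own entrypoint without a transition, and corecmd_exec_bin() next to the existing corecmd_exec_shell() lets qmail-local run any system binary; neither is explained by "script execution and logging" in the message. A comment on each saying which delivery step needs it would make the widening reviewable; the auth_use_nsswitch() and logging_send_syslog_msg() additions are self-explanatory.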
> @@ -155,6 +163,10 @@
>  manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
>  rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
>  
> +corecmd_exec_bin(qmail_queue_t)
> +
> +logging_send_syslog_msg(qmail_queue_t)
> +
>  optional_policy(`
>  	daemontools_ipc_domain(qmail_queue_t)
>  ')
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 29/35] ipsec policy update
  2008-08-04 12:35 ` [patch 29/35] ipsec " david
@ 2008-08-11 14:08   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-11 14:08 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_ipsec.patch)
> ipsec changes including a new interface which is used by the sysnetwork
> module...

Merged.

> Index: refpolicy/policy/modules/system/ipsec.if
> ===================================================================
> --- refpolicy.orig/policy/modules/system/ipsec.if	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/ipsec.if	2008-08-03 21:32:40.000000000 +0200
> @@ -150,6 +150,26 @@
>  	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
>  ')
>  
> +
> +########################################
> +## <summary>
> +##	write the ipsec_var_run_t files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`ipsec_write_pid',`
> +	gen_require(`
> +		type ipsec_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	write_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Execute racoon in the racoon domain.
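Review bot: the new interface starts with an extra blank line after the preceding "')", so the file ends up with two blank lines between interfaces where the neighbours use one. The summary "write the ipsec_var_run_t files." should be capitalised like "Execute racoon in the racoon domain." below it. write_files_pattern() grants write without read; if the caller has to read the pid file back, which is the usual reason a tool touches another daemon's pid file, rw_files_pattern() is what is wanted and the interface name should then say rw.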
> Index: refpolicy/policy/modules/system/ipsec.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/ipsec.te	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/ipsec.te	2008-08-03 21:33:27.000000000 +0200
> @@ -69,8 +69,8 @@
>  read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
>  read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
>  
> -allow ipsec_t ipsec_var_run_t:file manage_file_perms;
> -allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
> +manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
> +manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
>  files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
>  
>  can_exec(ipsec_t, ipsec_mgmt_exec_t)
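Review bot: moving from the two allow rules to manage_files_pattern()/manage_sock_files_pattern() also grants rw_dir_perms on ipsec_var_run_t directories, which the old rules did not; correct if ipsec creates entries in its own pid directory, but it is a behaviour change and the message presents this patch as an interface addition. The two new lines use ", " while the rest of this file uses no space; pick one style per file.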
> Index: refpolicy/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/sysnetwork.te	2008-08-03 21:37:35.000000000 +0200
> +++ refpolicy/policy/modules/system/sysnetwork.te	2008-08-03 21:38:27.000000000 +0200
> @@ -332,6 +332,10 @@
>  ')
>  
>  optional_policy(`
> +	ipsec_write_pid(ifconfig_t)
> +')
> +
> +optional_policy(`
>  	kernel_read_xen_state(ifconfig_t)
>  	kernel_write_xen_state(ifconfig_t)
>  	xen_append_log(ifconfig_t)
> 
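Review bot: ifconfig_t writing pid files owned by ipsec is surprising for an interface-configuration tool, and the message only says the new interface "is used by the sysnetwork module". Add a comment at the call site naming the ipsec helper that runs ifconfig and the file it expects written; otherwise nobody can later tell a real requirement from a descriptor leaked by the caller.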
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 28/35] iscsi policy update
  2008-08-04 12:35 ` [patch 28/35] iscsi " david
@ 2008-08-11 14:09   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-11 14:09 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_iscsi.patch)
> RH updates to the iscsi module, none of which seem controversial...

Merged.

> Index: refpolicy/policy/modules/system/iscsi.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/iscsi.fc	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/iscsi.fc	2008-08-03 21:29:52.000000000 +0200
> @@ -1,5 +1,5 @@
>  /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
>  
> -/var/lib/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_var_lib_t,s0)
> -/var/lock/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_lock_t,s0)
> +/var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
> +/var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
>  /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
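Review bot: worth a sentence in the message: with the "--" file-type field the (/.*)? patterns applied to regular files only, so the /var/lib/iscsi and /var/lock/iscsi directories themselves, and any sockets or symlinks beneath them, never received iscsi_var_lib_t or iscsi_lock_t on restorecon. Removing the field makes the context apply to every object the regex matches, which is what an entry covering a directory tree wants.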
> Index: refpolicy/policy/modules/system/iscsi.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/iscsi.te	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/iscsi.te	2008-08-03 21:29:52.000000000 +0200
> @@ -29,7 +29,7 @@
>  #
>  
>  allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
> -allow iscsid_t self:process { setrlimit setsched };
> +allow iscsid_t self:process { setrlimit setsched signal };
>  allow iscsid_t self:fifo_file { read write };
>  allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
>  allow iscsid_t self:unix_dgram_socket create_socket_perms;
> @@ -63,6 +63,7 @@
>  corenet_tcp_sendrecv_all_ports(iscsid_t)
>  corenet_tcp_connect_http_port(iscsid_t)
>  corenet_tcp_connect_iscsi_port(iscsid_t)
> +corenet_tcp_connect_isns_port(iscsid_t)
>  
>  dev_rw_sysfs(iscsid_t)
>  
> 
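Review bot: corenet_tcp_connect_isns_port(iscsid_t) only builds if corenetwork defines the isns port; if upstream corenetwork does not yet have it, the port definition needs to go in with this hunk, or the message should say it is already upstream. A short comment that this is for iSNS discovery would also help, since the rest of the block is about iscsi proper.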
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 06/35] soundserver policy update
  2008-08-11 13:18       ` Christopher J. PeBenito
@ 2008-08-11 14:15         ` Daniel J Walsh
  2008-08-11 14:19         ` Daniel J Walsh
  2008-08-11 14:22         ` Daniel J Walsh
  2 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-11 14:15 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: david, selinux

Christopher J. PeBenito wrote:
> On Thu, 2008-08-07 at 11:09 -0400, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
>>>> plain text document attachment
>>>> (policy_modules_services_soundserver.patch)
>>>> This policy was written by Ken Yang and reviewed by Dan Walsh:
>>>> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
>>>> and here:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=250453
>>>>
>>>> I updated the .fc changes to also work with Debian paths.
>>>>
>>>> Originally submitted Jul 19, refreshed to apply cleanly
>>> Comments inline
>>>
>>>> +########################################
>>>> +## <summary>
>>>> +##	All of the rules required to administrate
>>>> +##	an soundd environment
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <param name="role">
>>>> +##	<summary>
>>>> +##	The role to be allowed to manage the soundd domain.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <param name="terminal">
>>>> +##	<summary>
>>>> +##	The type of the user terminal.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <rolecap/>
>>>> +#
>>>> +interface(`soundserver_admin',`
>>>> +	gen_require(`
>>>> +		type soundd_t;
>>>> +		type soundd_script_exec_t;
>>>> +		type soundd_etc_t;
>>>> +		type soundd_tmp_t;
>>>> +		type soundd_var_run_t;
>>>> +	')
>>>> +
>>>> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
>>>> +	read_files_pattern($1, soundd_t, soundd_t)
>>>> +
>>>> +	# Allow soundd_t to restart the apache service
>>>> +	soundserver_script_domtrans($1)
>>>> +	domain_system_change_exemption($1)
>>>> +	role_transition $2 soundd_script_exec_t system_r;
>>>> +	allow $2 system_r;
>>>> +
>>>> +	files_list_tmp($1)
>>>> +        manage_all_pattern($1,soundd_tmp_t)
>>>> +
>>>> +	files_list_etc($1)
>>>> +        manage_all_pattern($1,soundd_etc_t)
>>>> +
>>>> +	files_list_pids($1)
>>>> +        manage_all_pattern($1,soundd_var_run_t)
>>>> +')
>>> This interface needs several fixes.  The XML does not match.  There are
>>> whitespace issues (there should be tabs, not 8 spaces).  Also spaces
>>> after commas (other places in the patch too).  Manage_all_pattern
>>> doesn't exist upstream, and I don't plan on ever adding it.
>>>
>> Why not?  If I am an admin of a domain, I should be able to modify the
>> labeling on all types that are in that domain, on the entire class of
>> objects in that domain. Making me add all of the rules for each type is
>> just prone to errors.
>>
>> Without this rule you need to add
>>         manage_dirs_pattern($1,$2,$2)
>>         manage_files_pattern($1,$2,$2)
>>         manage_lnk_files_pattern($1,$2,$2)
>>         manage_fifo_files_pattern($1,$2,$2)
>>         manage_sock_files_pattern($1,$2,$2)
>>
>>         relabelto_dirs_pattern($1,$2,$2)
>>         relabelto_files_pattern($1,$2,$2)
>>         relabelto_lnk_files_pattern($1,$2,$2)
>>         relabelto_fifo_files_pattern($1,$2,$2)
>>         relabelto_sock_files_pattern($1,$2,$2)
>>
>>         relabelfrom_dirs_pattern($1,$2,$2)
>>         relabelfrom_files_pattern($1,$2,$2)
>>         relabelfrom_lnk_files_pattern($1,$2,$2)
>>         relabelfrom_fifo_files_pattern($1,$2,$2)
>>         relabelfrom_sock_files_pattern($1,$2,$2)
>>
>> For every type, which is nuts.
> 
> It is nuts because I don't think all that access should be provided.
> Neglecting that, "manage" in refpolicy does not imply any relabeling
> permissions.  Also the second and third blocks could be merged with
> relabel_*_pattern().
> 
If I am the admin of the httpd domain, I should be able to change the
context of any file I control to any label that I control.  I need to be
able to change httpd_sys_content_t to httpd_sys_script_exec_t for example.

Without the relabel, there is no way for the admin to even create a lot
of the files with the correct context in the first place unless there is
a directory with that context.




* Re: [patch 06/35] soundserver policy update
  2008-08-11 13:18       ` Christopher J. PeBenito
  2008-08-11 14:15         ` Daniel J Walsh
@ 2008-08-11 14:19         ` Daniel J Walsh
  2008-08-11 14:22         ` Daniel J Walsh
  2 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-11 14:19 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: david, selinux

Christopher J. PeBenito wrote:
> On Thu, 2008-08-07 at 11:09 -0400, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
>>>> plain text document attachment
>>>> (policy_modules_services_soundserver.patch)
>>>> This policy was written by Ken Yang and reviewed by Dan Walsh:
>>>> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
>>>> and here:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=250453
>>>>
>>>> I updated the .fc changes to also work with Debian paths.
>>>>
>>>> Originally submitted Jul 19, refreshed to apply cleanly
>>> Comments inline
>>>
>>>> +########################################
>>>> +## <summary>
>>>> +##	All of the rules required to administrate
>>>> +##	an soundd environment
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <param name="role">
>>>> +##	<summary>
>>>> +##	The role to be allowed to manage the soundd domain.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <param name="terminal">
>>>> +##	<summary>
>>>> +##	The type of the user terminal.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <rolecap/>
>>>> +#
>>>> +interface(`soundserver_admin',`
>>>> +	gen_require(`
>>>> +		type soundd_t;
>>>> +		type soundd_script_exec_t;
>>>> +		type soundd_etc_t;
>>>> +		type soundd_tmp_t;
>>>> +		type soundd_var_run_t;
>>>> +	')
>>>> +
>>>> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
>>>> +	read_files_pattern($1, soundd_t, soundd_t)
>>>> +
>>>> +	# Allow soundd_t to restart the apache service
>>>> +	soundserver_script_domtrans($1)
>>>> +	domain_system_change_exemption($1)
>>>> +	role_transition $2 soundd_script_exec_t system_r;
>>>> +	allow $2 system_r;
>>>> +
>>>> +	files_list_tmp($1)
>>>> +        manage_all_pattern($1,soundd_tmp_t)
>>>> +
>>>> +	files_list_etc($1)
>>>> +        manage_all_pattern($1,soundd_etc_t)
>>>> +
>>>> +	files_list_pids($1)
>>>> +        manage_all_pattern($1,soundd_var_run_t)
>>>> +')
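Review bot: the comment '# Allow soundd_t to restart the apache service' above soundserver_script_domtrans($1) is apparently copied from another admin interface; the rule lets the admin domain $1 run the soundd init script, so the comment should say that. The XML header also declares a 'terminal' parameter that the body never uses (no $3 appears), so either drop that <param> block or use it; and the three manage_all_pattern lines are indented with spaces where the rest of the interface uses tabs.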
>>> This interface needs several fixes.  The XML does not match.  There are
>>> whitespace issues (there should be tabs, not 8 spaces).  Also spaces
>>> after commas (other places in the patch too).  Manage_all_pattern
>>> doesn't exist upstream, and I don't plan on ever adding it.
>>>
>> Why not?  If I am an admin of a domain, I should be able to modify the
>> labeling on all types that are in that domain, on the entire class of
>> objects in that domain. Making me add all of the rules for each type is
>> just prone to errors.
>>
>> Without this rule you need to add
>>         manage_dirs_pattern($1,$2,$2)
>>         manage_files_pattern($1,$2,$2)
>>         manage_lnk_files_pattern($1,$2,$2)
>>         manage_fifo_files_pattern($1,$2,$2)
>>         manage_sock_files_pattern($1,$2,$2)
>>
>>         relabelto_dirs_pattern($1,$2,$2)
>>         relabelto_files_pattern($1,$2,$2)
>>         relabelto_lnk_files_pattern($1,$2,$2)
>>         relabelto_fifo_files_pattern($1,$2,$2)
>>         relabelto_sock_files_pattern($1,$2,$2)
>>
>>         relabelfrom_dirs_pattern($1,$2,$2)
>>         relabelfrom_files_pattern($1,$2,$2)
>>         relabelfrom_lnk_files_pattern($1,$2,$2)
>>         relabelfrom_fifo_files_pattern($1,$2,$2)
>>         relabelfrom_sock_files_pattern($1,$2,$2)
>>
>> For every type, which is nuts.
> 
> It is nuts because I don't think all that access should be provided.
Then fine, pick another name. The idea is an admin controls this type
label.  admin_pattern($1, http_sys_content_t)

> Neglecting that, "manage" in refpolicy does not imply any relabeling
> permissions.  Also the second and third blocks could be merged with
> relabel_*_pattern().
> 



* Re: [patch 06/35] soundserver policy update
  2008-08-11 13:18       ` Christopher J. PeBenito
  2008-08-11 14:15         ` Daniel J Walsh
  2008-08-11 14:19         ` Daniel J Walsh
@ 2008-08-11 14:22         ` Daniel J Walsh
  2 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-11 14:22 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: david, selinux

Christopher J. PeBenito wrote:
> On Thu, 2008-08-07 at 11:09 -0400, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
>>>> plain text document attachment
>>>> (policy_modules_services_soundserver.patch)
>>>> This policy was written by Ken Yang and reviewed by Dan Walsh:
>>>> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
>>>> and here:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=250453
>>>>
>>>> I updated the .fc changes to also work with Debian paths.
>>>>
>>>> Originally submitted Jul 19, refreshed to apply cleanly
>>> Comments inline
>>>
>>>> +########################################
>>>> +## <summary>
>>>> +##	All of the rules required to administrate
>>>> +##	an soundd environment
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <param name="role">
>>>> +##	<summary>
>>>> +##	The role to be allowed to manage the soundd domain.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <param name="terminal">
>>>> +##	<summary>
>>>> +##	The type of the user terminal.
>>>> +##	</summary>
>>>> +## </param>
>>>> +## <rolecap/>
>>>> +#
>>>> +interface(`soundserver_admin',`
>>>> +	gen_require(`
>>>> +		type soundd_t;
>>>> +		type soundd_script_exec_t;
>>>> +		type soundd_etc_t;
>>>> +		type soundd_tmp_t;
>>>> +		type soundd_var_run_t;
>>>> +	')
>>>> +
>>>> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
>>>> +	read_files_pattern($1, soundd_t, soundd_t)
>>>> +
>>>> +	# Allow soundd_t to restart the apache service
>>>> +	soundserver_script_domtrans($1)
>>>> +	domain_system_change_exemption($1)
>>>> +	role_transition $2 soundd_script_exec_t system_r;
>>>> +	allow $2 system_r;
>>>> +
>>>> +	files_list_tmp($1)
>>>> +        manage_all_pattern($1,soundd_tmp_t)
>>>> +
>>>> +	files_list_etc($1)
>>>> +        manage_all_pattern($1,soundd_etc_t)
>>>> +
>>>> +	files_list_pids($1)
>>>> +        manage_all_pattern($1,soundd_var_run_t)
>>>> +')
>>> This interface needs several fixes.  The XML does not match.  There are
>>> whitespace issues (there should be tabs, not 8 spaces).  Also spaces
>>> after commas (other places in the patch too).  Manage_all_pattern
>>> doesn't exist upstream, and I don't plan on ever adding it.
>>>
>> Why not?  If I am an admin of a domain, I should be able to modify the
>> labeling on all types that are in that domain, on the entire class of
>> objects in that domain. Making me add all of the rules for each type is
>> just prone to errors.
>>
>> Without this rule you need to add
>>         manage_dirs_pattern($1,$2,$2)
>>         manage_files_pattern($1,$2,$2)
>>         manage_lnk_files_pattern($1,$2,$2)
>>         manage_fifo_files_pattern($1,$2,$2)
>>         manage_sock_files_pattern($1,$2,$2)
>>
>>         relabelto_dirs_pattern($1,$2,$2)
>>         relabelto_files_pattern($1,$2,$2)
>>         relabelto_lnk_files_pattern($1,$2,$2)
>>         relabelto_fifo_files_pattern($1,$2,$2)
>>         relabelto_sock_files_pattern($1,$2,$2)
>>
>>         relabelfrom_dirs_pattern($1,$2,$2)
>>         relabelfrom_files_pattern($1,$2,$2)
>>         relabelfrom_lnk_files_pattern($1,$2,$2)
>>         relabelfrom_fifo_files_pattern($1,$2,$2)
>>         relabelfrom_sock_files_pattern($1,$2,$2)
>>
>> For every type, which is nuts.
> 
> It is nuts because I don't think all that access should be provided.
> Neglecting that, "manage" in refpolicy does not imply any relabeling
> permissions.  Also the second and third blocks could be merged with
> relabel_*_pattern().
> 

define(`admin_pattern',`
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	manage_lnk_files_pattern($1, $2, $2)
	manage_fifo_files_pattern($1, $2, $2)
	manage_sock_files_pattern($1, $2, $2)

	relabel_dirs_pattern($1, $2, $2)
	relabel_files_pattern($1, $2, $2)
	relabel_lnk_files_pattern($1, $2, $2)
	relabel_fifo_files_pattern($1, $2, $2)
	relabel_sock_files_pattern($1, $2, $2)
')


* Re: [patch 23/35] iptables policy update
  2008-08-04 12:35 ` [patch 23/35] iptables policy update david
@ 2008-08-12 19:57   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-12 19:57 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_iptables.patch)
> Trivial changes from the RH patchset to the iptables module...

Merged.

> Index: refpolicy/policy/modules/system/iptables.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/iptables.te	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/iptables.te	2008-08-03 20:38:53.000000000 +0200
> @@ -48,6 +48,7 @@
>  
>  fs_getattr_xattr_fs(iptables_t)
>  fs_search_auto_mountpoints(iptables_t)
> +fs_list_inotifyfs(iptables_t)
>  
>  mls_file_read_all_levels(iptables_t)
>  
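Review bot: the new fs_list_inotifyfs(iptables_t) line carries no comment saying which iptables operation ends up listing inotifyfs, while the second hunk of this same patch removes the one comment in the file that explained an access; add a one-line comment above the rule so the access can be re-evaluated later instead of becoming another unexplained line.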
> @@ -70,8 +71,6 @@
>  libs_use_shared_libs(iptables_t)
>  
>  logging_send_syslog_msg(iptables_t)
> -# system-config-network appends to /var/log
> -#logging_append_system_logs(iptables_t)
>  
>  miscfiles_read_localization(iptables_t)
>  
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 03/35] logrotate policy update
  2008-08-04 12:34 ` [patch 03/35] logrotate " david
@ 2008-08-14 13:26   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 13:26 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:34 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_logrotate.patch)
> Perhaps controversial changes
> 
> First sent on Jul 19, dwalsh described the need for the patch here:
> http://marc.info/?l=selinux&m=121726318902852&w=2
> 
> Refreshed to apply cleanly to SVN repo
> 
> Index: refpolicy/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/logrotate.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/logrotate.te	2008-08-03 16:59:10.000000000 +0200
> @@ -97,6 +97,7 @@
>  files_read_etc_files(logrotate_t)
>  files_read_etc_runtime_files(logrotate_t)
>  files_read_all_pids(logrotate_t)
> +files_search_all(logrotate_t)
>  # Write to /var/spool/slrnpull - should be moved into its own type.
>  files_manage_generic_spool(logrotate_t)
>  files_manage_generic_spool_dirs(logrotate_t)
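Review bot: files_search_all(logrotate_t) grants search on the directories of every file type in the policy, far more than traversing the configured log locations needs; the description points at a list thread for the rationale, but that reasoning belongs in a comment above the rule, and a narrower interface covering only the directories logrotate actually has to pass through would be the better fix.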

Still don't like this.

> @@ -142,9 +143,8 @@
>  ')
>  
>  optional_policy(`
> -	apache_read_config(logrotate_t)
> -	apache_domtrans(logrotate_t)
>  	apache_signull(logrotate_t)
> +	apache_manage_all_content(logrotate_t)
>  ')
>  
>  optional_policy(`
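Review bot: replacing apache_read_config and apache_domtrans with apache_manage_all_content takes logrotate from reading httpd configuration and running httpd to creating, writing and deleting every apache content type, none of which are log files; if the goal is rotating httpd logs, an apache log interface is the right scope, and the description should say why the domain transition is no longer needed.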

Definitely need justification for this; these aren't even logs.

> @@ -186,6 +186,5 @@
>  ')
>  
>  optional_policy(`
> -	# cjp: why?
> -	squid_domtrans(logrotate_t)
> +	squid_signal(logrotate_t)
>  ')
> 
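Review bot: swapping squid_domtrans(logrotate_t) for squid_signal(logrotate_t) answers the removed '# cjp: why?' by narrowing a full domain transition down to sending a signal, which is the right direction; keep a one-line comment in place of the deleted one saying which post-rotation step signals squid, so the reason does not get lost a second time.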
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 14/35] remotelogin policy update
  2008-08-04 12:35 ` [patch 14/35] remotelogin " david
@ 2008-08-14 13:44   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 13:44 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment
> (policy_modules_services_remotelogin.patch)
> Additional user homedir permissions
> Index: refpolicy/policy/modules/services/remotelogin.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/remotelogin.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/remotelogin.te	2008-08-03 18:01:36.000000000 +0200
> @@ -85,6 +85,7 @@
>  
>  miscfiles_read_localization(remote_login_t)
>  
> +userdom_read_all_users_home_dirs_symlinks(remote_login_t)
>  userdom_use_unpriv_users_fds(remote_login_t)
>  userdom_search_all_users_home_content(remote_login_t)
>  # Only permit unprivileged user domains to be entered via rlogin,
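Review bot: userdom_read_all_users_home_dirs_symlinks is not an interface that exists upstream (the reply says as much), so the hunk does not build against current refpolicy, and the description ('Additional user homedir permissions') does not say what remote_login_t does with symlinks in home directories; either add the interface in this series with a justification, or use an existing userdom home-directory interface that provides the symlink read.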

Interface does not exist.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 25/35] rdisc policy update
  2008-08-04 12:35 ` [patch 25/35] rdisc policy update david
@ 2008-08-14 14:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 14:25 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_rdisc.patch)
> Minor changes to the rdisc module, the interface that is added is used
> in later RH patches (not part of the current patchset)...

Merged the .te change, drop the .if change since the type doesn't exist.

> Index: refpolicy/policy/modules/services/rdisc.if
> ===================================================================
> --- refpolicy.orig/policy/modules/services/rdisc.if	2008-07-19 19:15:41.000000000 +0200
> +++ refpolicy/policy/modules/services/rdisc.if	2008-08-03 21:17:42.000000000 +0200
> @@ -1 +1,20 @@
>  ## <summary>Network router discovery daemon</summary>
> +
> +########################################
> +## <summary>
> +##	Execute rdisc server in the rdisc domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +#
> +interface(`rdisc_script_domtrans',`
> +	gen_require(`
> +		type rdisc_script_exec_t;
> +	')
> +
> +	init_script_domtrans_spec($1,rdisc_script_exec_t)
> +')
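Review bot: rdisc_script_domtrans requires type rdisc_script_exec_t, but the rdisc.te hunk in this same patch declares no such type and no .fc entry is added for an init script, so the gen_require fails as soon as anything calls the interface; add the init script type and file context, or drop the interface as the reply does. Minor: the comment header has a doubled '#' terminator line, and refpolicy style wants a space after the comma in init_script_domtrans_spec($1,rdisc_script_exec_t).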
> Index: refpolicy/policy/modules/services/rdisc.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/rdisc.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/rdisc.te	2008-08-03 21:17:42.000000000 +0200
> @@ -45,6 +45,8 @@
>  libs_use_ld_so(rdisc_t)
>  libs_use_shared_libs(rdisc_t)
>  
> +miscfiles_read_localization(rdisc_t)
> +
>  logging_send_syslog_msg(rdisc_t)
>  
>  sysnet_read_config(rdisc_t)
> 
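Review bot: miscfiles_read_localization(rdisc_t) is inserted between the libs_* and logging_* calls, but refpolicy keeps interface calls in alphabetical order by module prefix (compare the iptables hunk earlier in this thread, where logging_send_syslog_msg precedes miscfiles_read_localization); move it below logging_send_syslog_msg(rdisc_t).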
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 24/35] bootloader policy updates
  2008-08-04 12:35 ` [patch 24/35] bootloader policy updates david
@ 2008-08-14 14:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 14:25 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_bootloader.patch)
> Most of the changes here are in a distro_redhat block and shouldn't be
> controversial...

Merged.  I moved the unconfined into the distro_redhat.

> Index: refpolicy/policy/modules/admin/bootloader.if
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/bootloader.if	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/bootloader.if	2008-08-03 21:09:17.000000000 +0200
> @@ -49,6 +49,11 @@
>  
>  	role $2 types bootloader_t;
>  	allow bootloader_t $3:chr_file rw_term_perms;
> +
> +	ifdef(`distro_redhat',`
> +		# for mke2fs
> +		mount_run(bootloader_t, $2, $3)
> +	')
>  ')
>  
>  ########################################
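Review bot: mount_run(bootloader_t, $2, $3) inside bootloader_run means every role allowed to run the bootloader also receives the mount domain on Red Hat builds, and the only explanation is '# for mke2fs'; expand the comment to say which bootloader step runs mke2fs and why that needs a transition into the mount domain, so the extra role grant can be reconsidered when the underlying need changes.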
> Index: refpolicy/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/bootloader.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/bootloader.te	2008-08-03 21:09:17.000000000 +0200
> @@ -218,3 +218,7 @@
>  optional_policy(`
>  	sysadm_dontaudit_search_home_dirs(bootloader_t)
>  ')
> +
> +optional_policy(`
> +	unconfined_domain(bootloader_t)
> +')
> 
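Review bot: unconfined_domain(bootloader_t) in a plain optional_policy block removes the bootloader's confinement on every distribution whenever the unconfined module is loaded, while the description presents the changes as Red Hat specific; wrap it in ifdef(`distro_redhat') like the .if hunk above, which is what the reply says was done on merge.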
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 20/35] rpc policy update
  2008-08-04 12:35 ` [patch 20/35] rpc policy update david
@ 2008-08-14 14:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 14:25 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_rpc.patch)
> Partial merge of RedHat rpc changes (mostly a few read permissions and
> a couple of dontaudit rules).

Comments inline

> Depends on policy_modules_kernel_storage.patch
> 
> Index: refpolicy/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/rpc.te	2008-08-03 18:18:31.000000000 +0200
> +++ refpolicy/policy/modules/services/rpc.te	2008-08-04 13:18:47.000000000 +0200
> @@ -62,10 +62,10 @@
>  
>  # rpc.statd executes sm-notify
>  can_exec(rpcd_t, rpcd_exec_t)
> -corecmd_search_bin(rpcd_t)
> +corecmd_exec_bin(rpcd_t)
>  
>  kernel_read_system_state(rpcd_t) 
> -kernel_search_network_state(rpcd_t) 
> +kernel_read_network_state(rpcd_t)
>  # for rpc.rquotad
>  kernel_read_sysctl(rpcd_t)  
>  kernel_rw_fs_sysctls(rpcd_t)
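Review bot: corecmd_exec_bin(rpcd_t) in place of corecmd_search_bin lets rpcd execute any bin_t program, which is not among the 'few read permissions' the description mentions; the comment above says rpc.statd executes sm-notify, and that is already covered by can_exec(rpcd_t, rpcd_exec_t), so state which other program in the bin directories rpcd runs or narrow the rule. The kernel_search_network_state to kernel_read_network_state change is a plain widening to all of /proc/net and deserves a word too.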
> @@ -82,6 +82,7 @@
>  miscfiles_read_certs(rpcd_t)
>  
>  seutil_dontaudit_search_config(rpcd_t)
> +selinux_dontaudit_read_fs(rpcd_t)
>  
>  optional_policy(`
>  	nis_read_ypserv_config(rpcd_t)
> @@ -97,6 +98,12 @@
>  allow nfsd_t exports_t:file { getattr read };
>  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
>  
> +dev_dontaudit_getattr_all_blk_files(nfsd_t)
> +dev_dontaudit_getattr_all_chr_files(nfsd_t)
> +
> +dev_rw_lvm_control(nfsd_t)
> +storage_dontaudit_raw_read_fixed_disk(nfsd_t)
> +
>  # for /proc/fs/nfs/exports - should we have a new type?
>  kernel_read_system_state(nfsd_t) 
>  kernel_read_network_state(nfsd_t) 
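Review bot: dev_rw_lvm_control(nfsd_t) is an allow rule sitting between dontaudit rules, and nothing says why the NFS server needs read/write on the LVM control device; the neighbouring storage_dontaudit_raw_read_fixed_disk and the two dev_dontaudit_getattr_* lines suggest the device access is incidental probing, in which case this should be a dontaudit as well. Add a comment giving the real need, or convert it.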
> @@ -107,6 +114,7 @@
>  fs_mount_nfsd_fs(nfsd_t) 
>  fs_search_nfsd_fs(nfsd_t) 
>  fs_getattr_all_fs(nfsd_t) 
> +fs_getattr_all_dirs(nfsd_t)
>  fs_rw_nfsd_fs(nfsd_t) 
>  
>  term_use_controlling_term(nfsd_t) 
> @@ -149,6 +157,7 @@
>  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
>  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
>  
> +kernel_read_system_state(gssd_t)
>  kernel_read_network_state(gssd_t)
>  kernel_read_network_state_symlinks(gssd_t)	
>  kernel_search_network_sysctl(gssd_t)	
> @@ -162,6 +171,9 @@
>  files_list_tmp(gssd_t) 
>  files_read_usr_symlinks(gssd_t) 
>  
> +auth_use_nsswitch(gssd_t)


> +auth_manage_cache(gssd_t)

Interface does not exist.

>  miscfiles_read_certs(gssd_t)
>  
>  tunable_policy(`allow_gssd_read_tmp',`
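Review bot: auth_manage_cache(gssd_t) is not an upstream interface, as the reply notes, so the hunk does not build as posted; either add the interface in this series, naming the cache type it manages and saying what gssd writes there, or drop the line.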

The remainder is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 12/35] getty policy update
  2008-08-04 12:35 ` [patch 12/35] getty " david
@ 2008-08-14 14:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 14:25 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_getty.patch)
> Hopefully trivial changes

Merged.

> Index: refpolicy/policy/modules/system/getty.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/getty.fc	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/getty.fc	2008-08-03 18:01:20.000000000 +0200
> @@ -8,5 +8,5 @@
>  
>  /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
>  
> -/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
> -/var/spool/voice	--	gen_context(system_u:object_r:getty_var_run_t,s0)
> +/var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
> +/var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
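Review bot: the two new patterns correctly drop the '--' file-only qualifier and cover the whole /var/spool/fax and /var/spool/voice trees, but they label spool data with getty_var_run_t, the pid-file type; spool contents and runtime pid files have different lifetimes and access patterns, so a dedicated spool type for getty (or the generic spool type) would be the more precise label.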
> Index: refpolicy/policy/modules/system/getty.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/getty.te	2008-07-19 19:15:43.000000000 +0200
> +++ refpolicy/policy/modules/system/getty.te	2008-08-03 18:01:20.000000000 +0200
> @@ -9,6 +9,7 @@
>  type getty_t;
>  type getty_exec_t;
>  init_domain(getty_t,getty_exec_t)
> +init_system_domain(getty_t,getty_exec_t)
>  domain_interactive_fd(getty_t)
>  
>  type getty_etc_t;
> 
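Review bot: init_system_domain(getty_t,getty_exec_t) is added directly under init_domain(getty_t,getty_exec_t) for the same pair of types; if the system-domain interface already establishes the init domain (check init.if), the older line becomes redundant and should be replaced rather than stacked. Also add a space after the comma, the style point raised elsewhere in this thread.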
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 05/35] courier policy update
  2008-08-04 12:35 ` [patch 05/35] courier " david
@ 2008-08-14 14:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 14:25 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_courier.patch)
> Adds a separate context for courier spooling dirs/files and a few
> new interfaces.

Comments inline

> Originally sent on Jul 19, received no comments, refreshed patch only
> 
> Index: refpolicy/policy/modules/services/courier.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/services/courier.fc	2008-08-03 13:09:39.000000000 +0200
> +++ refpolicy/policy/modules/services/courier.fc	2008-08-03 17:04:59.000000000 +0200
> @@ -19,3 +19,5 @@
>  /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
>  
>  /var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
> +
> +/var/spool/courier(/.*)?		gen_context(system_u:object_r:courier_spool_t,s0)
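Review bot: the new /var/spool/courier(/.*)? entry correctly omits the '--' qualifier, but the two existing context lines shown just above it (/var/lib/courier(/.*)? and /var/run/courier(/.*)?) combine a recursive pattern with '--', which restricts them to regular files and leaves the directories themselves unlabelled; fix those two the same way while this file is being touched.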
> Index: refpolicy/policy/modules/services/courier.if
> ===================================================================
> --- refpolicy.orig/policy/modules/services/courier.if	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/courier.if	2008-08-03 17:05:41.000000000 +0200
> @@ -123,3 +123,77 @@
>  
>  	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
>  ')
> +
> +
> +########################################
> +## <summary>
> +##	Allow domain to read courier config files
> +## </summary>
> +## <param name="prefix">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`courier_read_config',`
> +	gen_require(`
> +		type courier_etc_t;
> +	')
> +
> +	read_files_pattern($1, courier_etc_t, courier_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow domain to manage courier spool directories
> +## </summary>
> +## <param name="prefix">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`courier_manage_spool_dirs',`
> +	gen_require(`
> +		type courier_spool_t;
> +	')
> +
> +	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow domain to manage courier spool files
> +## </summary>
> +## <param name="prefix">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`courier_manage_spool_files',`
> +	gen_require(`
> +		type courier_spool_t;
> +	')
> +
> +	manage_files_pattern($1, courier_spool_t, courier_spool_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow attempts to read and write to
> +##	courier unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`courier_rw_pipes',`
> +	gen_require(`
> +		type courier_spool_t;
> +	')
> +
> +	allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
> +')
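Review bot: the three read/manage interfaces document their argument as <param name="prefix"> while the summary says 'Domain allowed access' and the body uses it as a domain, so the name should be 'domain'. In courier_rw_pipes the summary ('Allow attempts to read and write') and the parameter text ('Domain to not audit') are dontaudit wording, but the body is an allow rule; and since the fifo files it covers are courier_spool_t, the summary should say spool pipes. Minor: doubled blank line before the first new comment block.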
> Index: refpolicy/policy/modules/services/courier.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/courier.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/courier.te	2008-08-03 17:04:59.000000000 +0200
> @@ -9,7 +9,10 @@
>  courier_domain_template(authdaemon)
>  
>  type courier_etc_t;
> -files_type(courier_etc_t)
> +files_config_file(courier_etc_t)
> +
> +type courier_spool_t;
> +files_type(courier_spool_t)
>  
>  courier_domain_template(pcp)
>  
> @@ -25,6 +28,7 @@
>  
>  type courier_exec_t;
>  files_type(courier_exec_t)
> +mta_mailclient(courier_exec_t)

Interface does not exist.

>  courier_domain_template(sqwebmail)
>  typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
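Review bot: mta_mailclient(courier_exec_t) is not an upstream interface (see the reply), so this line breaks the build; if the intent is to mark courier_exec_t as a mail client executable for the mta module, add that interface with its XML documentation in the same series, otherwise drop the line.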
> @@ -97,12 +101,12 @@
>  courier_domtrans_authdaemon(courier_pop_t)
>  
>  # do the actual work (read the Maildir)
> -userdom_manage_unpriv_users_home_content_files(courier_pop_t)
> +unprivuser_manage_home_content_files(courier_pop_t)
>  # cjp: the fact that this is different for pop vs imap means that
>  # there should probably be a courier_pop_t and courier_imap_t
>  # this should also probably be a separate type too instead of
>  # the regular home dir
> -userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
> +unprivuser_manage_home_content_dirs(courier_pop_t)
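Review bot: unprivuser_manage_home_content_files/dirs presume a single collapsed unprivileged-user home type, which upstream does not have, so the rename is not a drop-in replacement for the userdom_manage_unpriv_users_home_content_* calls; the existing '# cjp:' comment in this very block already says the Maildir should get its own type rather than the regular home directory type, and that is the change that would remove the dependency on either interface family.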

User home dirs aren't collapsed upstream, so this doesn't make sense.


Merged the remainder.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [patch 02/35] kudzu policy update
  2008-08-04 12:34 ` [patch 02/35] kudzu " david
@ 2008-08-14 14:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-14 14:25 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:34 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_kudzu.patch)
> kudzu is RedHat's hw management app, none of the changes seem
> controversial.

Missing interfaces:

+init_read_init_state(kudzu_t)
+init_ptrace_init_domain(kudzu_t)

I suspect that the ptrace is still related to the /proc/pid entry that
triggers a ptrace check.  That was only fixed recently, I think.

+modutils_unlink_module_config(kudzu_t)


Merged the other parts.

> Previously sent Jul 19, no comments so far
> 
> Index: refpolicy/policy/modules/admin/kudzu.te
> ===================================================================
> --- refpolicy.orig/policy/modules/admin/kudzu.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/admin/kudzu.te	2008-08-03 16:54:21.000000000 +0200
> @@ -21,8 +21,8 @@
>  # Local policy
>  #
>  
> -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
> -dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
> +allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
> +dontaudit kudzu_t self:capability sys_tty_config;
>  allow kudzu_t self:process { signal_perms execmem };
>  allow kudzu_t self:fifo_file rw_fifo_file_perms;
>  allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
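Review bot: moving sys_ptrace from the dontaudit line into the allow line is a real capability grant, not the non-controversial change the description suggests; as the reply above says, the denial is most likely the /proc/<pid> access that triggers a ptrace check rather than kudzu tracing anything, so keep the dontaudit until a genuine need is shown, and if there is one, document it in a comment above the rule.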
> @@ -68,6 +68,7 @@
>  modutils_read_module_deps(kudzu_t)
>  modutils_read_module_config(kudzu_t)
>  modutils_rename_module_config(kudzu_t)
> +modutils_unlink_module_config(kudzu_t)
>  
>  storage_read_scsi_generic(kudzu_t)
>  storage_read_tape(kudzu_t)
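Review bot: modutils_unlink_module_config(kudzu_t) is not defined upstream; it stands in for the raw `allow kudzu_t modules_conf_t:file unlink;` that the removed ifdef(`TODO') block further down carried, so add the interface to modutils.if in this series (with the usual XML header) rather than leaving a call to a missing interface.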
> @@ -103,6 +104,8 @@
>  init_use_fds(kudzu_t)
>  init_use_script_ptys(kudzu_t)
>  init_stream_connect_script(kudzu_t)
> +init_read_init_state(kudzu_t)
> +init_ptrace_init_domain(kudzu_t)
>  # kudzu will telinit to make init re-read
>  # the inittab after configuring serial consoles
>  init_telinit(kudzu_t)
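Review bot: init_read_init_state and init_ptrace_init_domain are both missing upstream. Beyond adding them, say which kudzu operation needs to ptrace init; if kudzu only reads /proc/1 state, the read interface is enough, and both the ptrace interface here and the sys_ptrace capability from the first hunk can be dropped.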
> @@ -143,28 +146,6 @@
>  ')
>  
>  optional_policy(`
> -	# cjp: this was originally in the else block
> -	# of ifdef userhelper.te, but it seems to
> -	# make more sense here.  also, require
> -	# blocks curently do not work in the
> -	# else block of optionals
> +	unconfined_domtrans(kudzu_t)
>  	unconfined_domain(kudzu_t)
>  ')
> -
> -ifdef(`TODO',`
> -allow kudzu_t modules_conf_t:file unlink;
> -optional_policy(`
> -	allow kudzu_t printconf_t:file { getattr read };
> -')
> -optional_policy(`
> -	allow kudzu_t xserver_exec_t:file getattr;
> -')
> -optional_policy(`
> -	allow kudzu_t rhgb_t:unix_stream_socket connectto;
> -')
> -optional_policy(`
> -	role system_r types sysadm_userhelper_t;
> -	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
> -')
> -allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
> -')
> 
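Review bot: the ifdef(`TODO') block is deleted without being converted; the printconf_t read, xserver_exec_t getattr, rhgb_t socket connect, userhelper transition and cupsd_rw_etc_t listing simply disappear, and only the modules_conf_t unlink is accounted for by the new modutils call above. If those accesses are still needed they should become optional_policy blocks using the respective module interfaces; if not, the description should say they are obsolete. Also say why unconfined_domtrans(kudzu_t) is needed on top of unconfined_domain(kudzu_t).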
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* [refpolicy] [patch 07/35] w3c policy addition
  2008-08-04 12:35 ` [patch 07/35] w3c policy addition david
@ 2008-08-21 14:00   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-21 14:00 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> plain text document attachment (policy_modules_services_w3c.patch)
> This is a new module not present upstream, contains nothing that
> looks controversial.
> 
> I've added one Debian path, perhaps it should be in a
> conditional block...(/usr/lib/cgi-bin/check)

Merged.

> Index: refpolicy/policy/modules/services/w3c.fc
> ===================================================================
> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/w3c.fc	2008-08-03 17:13:33.000000000 +0200
> @@ -0,0 +1,3 @@
> +/usr/share/w3c-markup-validator(/.*)?		gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
> +/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
> +/usr/lib/cgi-bin/check				gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
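Review bot: /usr/lib/cgi-bin/check is a Debian-specific path added unconditionally (the submitter raises this in the description); wrap it in ifdef(`distro_debian') so other distributions do not carry the entry. Note that the bare path matches only that exact file, which is fine if the Debian package ships a single CGI.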
> Index: refpolicy/policy/modules/services/w3c.if
> ===================================================================
> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/w3c.if	2008-08-03 17:13:33.000000000 +0200
> @@ -0,0 +1,20 @@
> +## <summary>W3C</summary>
> +
> +########################################
> +## <summary>
> +##	Execute w3c server in the w3c domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +#
> +interface(`w3c_script_domtrans',`
> +	gen_require(`
> +		type w3c_script_exec_t;
> +	')
> +
> +	init_script_domtrans_spec($1,w3c_script_exec_t)
> +')
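Review bot: w3c_script_domtrans requires type w3c_script_exec_t, but the w3c.te hunk below only calls apache_content_template(w3c_validator), which yields the httpd_w3c_validator_* types, and w3c.fc declares no init script context; nothing in this module defines w3c_script_exec_t, so any caller of the interface fails at build time. Drop the interface (the validator is apache content, not a daemon with an init script) or add the type. Minor: doubled '#' terminator line in the comment header and no space after the comma in init_script_domtrans_spec($1,w3c_script_exec_t).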
> Index: refpolicy/policy/modules/services/w3c.te
> ===================================================================
> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/w3c.te	2008-08-03 17:13:33.000000000 +0200
> @@ -0,0 +1,14 @@
> +policy_module(w3c,1.2.1)
> +
> +apache_content_template(w3c_validator)
> +
> +sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
> +
> +corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
> +corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
> +corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
> +corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
> +corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
> +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
> +
> +miscfiles_read_certs(httpd_w3c_validator_script_t)
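
Review bot: a brand-new module should start at `policy_module(w3c,1.0.0)`, as the mailscanner module in this series does, rather than inheriting 1.2.1 from the distribution tree. The module also grants the validator script unconditional outbound connects to the ftp, http and http_cache ports plus DNS and certificate access; that matches what a URL validator does, but since it lets any CGI running in this domain reach arbitrary remote hosts, consider putting the network rules under a tunable so administrators who only validate uploaded documents can switch them off.
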
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* [refpolicy] [patch 33/35] mailscanner policy addition
  2008-08-04 12:35 ` [patch 33/35] mailscanner policy addition david
@ 2008-08-21 14:06   ` Christopher J. PeBenito
  2008-08-25 17:18     ` Daniel J Walsh
  0 siblings, 1 reply; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-21 14:06 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> plain text document attachment
> (policy_modules_services_mailscanner.patch)
> Adds a new mailscanner module from the RH patchset

This seems like an incomplete module, since it only has one file type
and no domain.

> Index: refpolicy/policy/modules/services/mailscanner.fc
> ===================================================================
> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/mailscanner.fc	2008-08-03 22:09:51.000000000 +0200
> @@ -0,0 +1,2 @@
> +/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
> +
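
Review bot: the second `+` line adds a trailing empty line to the new .fc file; drop it so the file ends at the `/var/spool/MailScanner(/.*)?` entry. The single entry labels the spool with a type that, per the .te in this patch, no domain ever writes, so the label only takes effect through the interfaces in mailscanner.if.
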
> Index: refpolicy/policy/modules/services/mailscanner.if
> ===================================================================
> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/mailscanner.if	2008-08-03 22:09:51.000000000 +0200
> @@ -0,0 +1,59 @@
> +## <summary>Anti-Virus and Anti-Spam Filter</summary>
> +
> +########################################
> +## <summary>
> +##	Search mailscanner spool directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailscanner_search_spool',`
> +	gen_require(`
> +		type mailscanner_spool_t;
> +	')
> +
> +	files_search_spool($1)
> +	allow $1 mailscanner_spool_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	read mailscanner spool files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailscanner_read_spool',`
> +	gen_require(`
> +		type mailscanner_spool_t;
> +	')
> +
> +	files_search_spool($1)
> +	read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	mailscanner spool files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailscanner_manage_spool',`
> +	gen_require(`
> +		type mailscanner_spool_t;
> +	')
> +
> +	files_search_spool($1)
> +	manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
> +')
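
Review bot: the summary of `mailscanner_read_spool` ("read mailscanner spool files.") is lower-case while the other two summaries are capitalized; make them consistent. Otherwise the three interfaces follow the usual search/read/manage pattern correctly, each calling `files_search_spool($1)` before granting access to `mailscanner_spool_t`; note that `mailscanner_manage_spool` covers files only, so if MailScanner creates subdirectories under its spool a `manage_dirs_pattern` call will be needed as well.
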
> Index: refpolicy/policy/modules/services/mailscanner.te
> ===================================================================
> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> +++ refpolicy/policy/modules/services/mailscanner.te	2008-08-03 22:09:51.000000000 +0200
> @@ -0,0 +1,5 @@
> +
> +policy_module(mailscanner,1.0.0)
> +
> +type mailscanner_spool_t;
> +files_type(mailscanner_spool_t)
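
Review bot: the hunk starts with a stray `+` empty line before `policy_module(mailscanner,1.0.0)`; remove it. More importantly, as noted above, the module declares only `mailscanner_spool_t` with `files_type` and no domain, so the MailScanner process itself runs in whatever domain launches it and nothing confines its access to the spool; either add a `mailscanner_t` domain with the spool rules here, or carry the type in the module whose domain actually uses it.
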
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* Re: [patch 04/35] corenetwork policy update
  2008-08-04 12:35 ` [patch 04/35] corenetwork " david
@ 2008-08-21 14:40   ` Christopher J. PeBenito
  2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
  1 sibling, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-21 14:40 UTC (permalink / raw)
  To: david; +Cc: selinux

On Mon, 2008-08-04 at 14:35 +0200, david@hardeman.nu wrote:
> plain text document attachment
> (policy_modules_kernel_corenetwork.te.in.patch)
> This patch should be a no-brainer, additional network port names only...

I'd prefer to add the ports as needed, as part of the appropriate
services' patch.

> Index: refpolicy/policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- refpolicy.orig/policy/modules/kernel/corenetwork.te.in	2008-08-03 13:09:47.000000000 +0200
> +++ refpolicy/policy/modules/kernel/corenetwork.te.in	2008-08-03 17:04:05.000000000 +0200
> @@ -75,6 +75,7 @@
>  network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
>  network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
>  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
> +#network_port(audit, tcp,60,s0) - not a registered port (yet?)
>  network_port(auth, tcp,113,s0)
>  network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
>  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
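
Review bot: the commented-out `#network_port(audit, tcp,60,s0)` line leaves `audit_port_t` undefined, yet the logging patch later in this series calls `corenet_tcp_connect_audit_port(audisp_remote_t)`, which will not build without it. Either declare the port (the "not a registered port" remark can live in a real comment above a live declaration) or drop the call from logging.te; a dead line with a trailing free-text comment in corenetwork.te.in helps neither.
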
> @@ -82,6 +83,7 @@
>  network_port(clockspeed, udp,4041,s0)
>  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
>  network_port(comsat, udp,512,s0)
> +network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
>  network_port(cvs, tcp,2401,s0, udp,2401,s0)
>  network_port(dcc, udp,6276,s0, udp,6277,s0)
>  network_port(dbskkd, tcp,1178,s0)
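
Review bot: `cyphesis` is inserted before `cvs`, but this block is kept in (largely) alphabetical order and "cvs" sorts before "cyphesis"; move the line down one position. The mix of one high udp port (32771) and two low tcp ports in a single declaration is syntactically fine but deserves a short comment on what each is used for.
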
> @@ -91,6 +93,7 @@
>  network_port(distccd, tcp,3632,s0)
>  network_port(dns, udp,53,s0, tcp,53,s0)
>  network_port(fingerd, tcp,79,s0)
> +network_port(flash, tcp,1935,s0, udp,1935,s0)
>  network_port(ftp_data, tcp,20,s0)
>  network_port(ftp, tcp,21,s0)
>  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
> @@ -109,11 +112,13 @@
>  network_port(ircd, tcp,6667,s0)
>  network_port(isakmp, udp,500,s0)
>  network_port(iscsi, tcp,3260,s0)
> +network_port(isns, tcp,3205,s0, udp,3205,s0)
>  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
>  network_port(jabber_interserver, tcp,5269,s0)
>  network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
>  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
>  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
> +network_port(kprop, tcp,754,s0)
>  network_port(ktalkd, udp,517,s0, udp,518,s0)
>  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
>  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
> @@ -122,6 +127,8 @@
>  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
>  network_port(monopd, tcp,1234,s0)
>  network_port(msnp, tcp,1863,s0, udp,1863,s0)
> +network_port(munin, tcp,4949,s0, udp,4949,s0)
> +network_port(mythtv, tcp,6543,s0, udp,6543,s0)
>  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
>  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
>  network_port(nessus, tcp,1241,s0)
> @@ -133,10 +140,13 @@
>  network_port(pegasus_http, tcp,5988,s0)
>  network_port(pegasus_https, tcp,5989,s0)
>  network_port(postfix_policyd, tcp,10031,s0)
> +network_port(pulseaudio, tcp,4713,s0)
> +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
>  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
>  network_port(portmap, udp,111,s0, tcp,111,s0)
>  network_port(postgresql, tcp,5432,s0)
>  network_port(postgrey, tcp,60000,s0)
> +network_port(prelude, tcp,4690,s0, udp,4690,s0)
>  network_port(printer, tcp,515,s0)
>  network_port(ptal, tcp,5703,s0)
>  network_port(pxe, udp,4011,s0)
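
Review bot: `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` has a stray space after `udp,` that no other entry has; write `udp,11371,s0`. Both new lines are also out of order: `pgpkeyserver` belongs before `pop`, and `pulseaudio` belongs after `ptal`; `prelude` is placed correctly.
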
> @@ -148,11 +158,11 @@
>  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
>  network_port(rlogind, tcp,513,s0)
>  network_port(rndc, tcp,953,s0)
> -network_port(router, udp,520,s0)
> +network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
>  network_port(rsh, tcp,514,s0)
>  network_port(rsync, tcp,873,s0, udp,873,s0)
>  network_port(rwho, udp,513,s0)
> -network_port(smbd, tcp,139,s0, tcp,445,s0)
> +network_port(smbd, tcp,137-139,s0, tcp,445,s0)
>  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
>  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
>  network_port(spamd, tcp,783,s0)
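
Review bot: widening `smbd` from `tcp,139` to `tcp,137-139` changes the extent of an existing port type rather than adding a name, which is more than the cover note ("additional network port names only") promises; the same applies to extending `router` to udp/tcp 521. Split these into their own change with a note on which domain needs tcp 137/138 and port 521, so they can be reviewed on their merits.
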
> @@ -170,7 +180,12 @@
>  network_port(transproxy, tcp,8081,s0)
>  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
>  network_port(uucpd, tcp,540,s0)
> +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
> +
>  network_port(vnc, tcp,5900,s0)
> +# Reserve 100 ports for vnc/virt machines
> +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0)
> +network_port(whois, tcp,43,s0, udp,43,s0)
>  network_port(wccp, udp,2048,s0)
>  network_port(xdmcp, udp,177,s0, tcp,177,s0)
>  network_port(xen, tcp,8002,s0)
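
Review bot: the `+` empty line after the `virt` declaration is a stray whitespace change; drop it. `whois` is inserted between `vnc` and `wccp` although it sorts after `wccp`. The comment "Reserve 100 ports for vnc/virt machines" over `portcon tcp 5901-5999` counts 99 ports (100 only if 5900 from the `network_port(vnc, ...)` line above is included); say "5901-5999" or "ports 5900-5999" so the comment matches the range.
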
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] [patch 04/35] corenetwork policy update
  2008-08-04 12:35 ` [patch 04/35] corenetwork " david
  2008-08-21 14:40   ` Christopher J. PeBenito
@ 2008-08-21 14:41   ` Christopher J. PeBenito
  2008-08-25 17:25     ` [refpolicy] cyphesis policy Daniel J Walsh
                       ` (4 more replies)
  1 sibling, 5 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-21 14:41 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> plain text document attachment
> (policy_modules_kernel_corenetwork.te.in.patch)
> This patch should be a no-brainer, additional network port names only...

I'd prefer to add the ports as needed, as part of the appropriate
services' patch.

(resend to refpolicy list)

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* [refpolicy] [patch 08/35] logging policy update
  2008-08-04 12:35 ` [patch 08/35] logging policy update david
@ 2008-08-22 15:25   ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-08-22 15:25 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> plain text document attachment (policy_modules_system_logging.patch)
> Most changes here seem uncontroversial. Note that the logging_admin_audit
> and logging_admin_syslog interfaces are not currently used in the
> refpolicy so changing their signature shouldn't be a problem.

Merged almost everything, with a bunch of reorganization.

> Index: refpolicy/policy/modules/system/logging.fc
> ===================================================================
> --- refpolicy.orig/policy/modules/system/logging.fc	2008-08-03 13:09:37.000000000 +0200
> +++ refpolicy/policy/modules/system/logging.fc	2008-08-03 17:14:08.000000000 +0200
> @@ -4,6 +4,8 @@
>  /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
>  /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
>  
> +/sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
> +/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
>  /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
>  /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
>  /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
> @@ -20,6 +22,7 @@
>  /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
>  /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
>  
> +/var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
>  /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
>  
>  ifdef(`distro_suse', `
> @@ -37,7 +40,7 @@
>  /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
>  /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
>  /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
> -/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)
> +/var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,s0)
>  
>  ifndef(`distro_gentoo',`
>  /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
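
Review bot: dropping `--` on `/var/log/syslog-ng(/.*)?` is right, since the pattern must match the directory as well as the files in it, but the context stays `syslogd_var_run_t`, which is the pid/run type: everything else under `/var/log` in this file is labeled `var_log_t` or `auditd_log_t`. If syslog-ng writes logs there, a log type is the correct label; if it really is runtime state, it does not belong under `/var/log`.
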
> @@ -48,7 +51,7 @@
>  ')
>  
>  /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
> -/var/run/audispd_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
> +/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
>  /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
>  /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
>  /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
> @@ -59,3 +62,8 @@
>  /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
>  
>  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
> +
> +/etc/rc\.d/init\.d/rsyslog	--	gen_context(system_u:object_r:syslogd_script_exec_t,s0)
> +/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
> +
> +/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
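
Review bot: `/var/cfengine/outputs(/.*)?` is a cfengine path and does not belong in logging.fc; it should be labeled from a cfengine module's own .fc rather than as `var_log_t` from here. The two `/etc/rc\.d/init\.d/` entries are appended at the end of the file although the rest of the file is ordered by path; move them up to the `/etc` block.
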
> Index: refpolicy/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy.orig/policy/modules/system/logging.if	2008-08-03 13:09:37.000000000 +0200
> +++ refpolicy/policy/modules/system/logging.if	2008-08-03 17:14:08.000000000 +0200
> @@ -213,12 +213,7 @@
>  ## </param>
>  #
>  interface(`logging_stream_connect_auditd',`
> -	gen_require(`
> -		type auditd_t, auditd_var_run_t;
> -	')
> -
> -	files_search_pids($1)
> -	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
> +	logging_stream_connect_audisp($1)
>  ')
>  
>  ########################################
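
Review bot: making `logging_stream_connect_auditd` a plain alias for `logging_stream_connect_audisp` removes the `stream_connect_pattern` on `auditd_var_run_t`/`auditd_t` that existing callers relied on, while `/var/run/audit_events` and `/var/run/auditd_sock` in this same patch remain labeled `auditd_var_run_t`. Callers that connect to the auditd sockets (not the audispd one) will lose that access; keep the auditd rules in this interface and add the audisp call alongside them, or mark the interface deprecated and point callers to the new one.
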
> @@ -530,8 +525,27 @@
>  	')
>  
>  	files_search_var($1)
> -	allow $1 var_log_t:dir list_dir_perms;
> -	allow $1 logfile:file { getattr append };
> +	append_files_pattern($1, var_log_t, logfile)
> +')
> +
> +########################################
> +## <summary>
> +##	read/write to all log files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_rw_all_logs',`
> +	gen_require(`
> +		attribute logfile;
> +		type var_log_t;
> +	')
> +
> +	files_search_var($1)
> +	rw_files_pattern($1, var_log_t, logfile)
>  ')
>  
>  ########################################
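
Review bot: replacing `allow $1 var_log_t:dir list_dir_perms;` with `append_files_pattern($1, var_log_t, logfile)` narrows the directory access from list to search, so domains that list `/var/log` through this interface will start producing denials; keep the `list_dir_perms` line unless the narrowing is intended. In the new `logging_rw_all_logs`, the summary "read/write to all log files." should be capitalized like the surrounding summaries.
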
> @@ -596,6 +610,8 @@
>  	files_search_var($1)
>  	manage_files_pattern($1,logfile,logfile)
>  	read_lnk_files_pattern($1,logfile,logfile)
> +	allow $1 logfile:dir  { relabelfrom relabelto };
> +	allow $1 logfile:file  { relabelfrom relabelto };
>  ')
>  
>  ########################################
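
Review bot: adding `relabelfrom relabelto` on `logfile` dirs and files to the manage interface silently widens every existing caller of it to a relabel capability; relabel belongs in its own `logging_relabel_all_logs` interface so callers opt in explicitly. Also the double space in `logfile:dir  {` and `logfile:file  {` differs from the rest of the file.
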
> @@ -641,6 +657,25 @@
>  
>  ########################################
>  ## <summary>
> +##	Dontaudit Write generic log files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_dontaudit_write_generic_logs',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	files_search_var($1)
> +	dontaudit $1 var_log_t:file write;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read and write generic log files.
>  ## </summary>
>  ## <param name="domain">
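
Review bot: `logging_dontaudit_write_generic_logs` calls `files_search_var($1)`, which is an allow rule; a dontaudit interface must not grant anything, so keep only the `dontaudit $1 var_log_t:file write;` line. The summary "Dontaudit Write generic log files." should read "Do not audit attempts to write generic log files."
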
> @@ -695,6 +730,7 @@
>  interface(`logging_admin_audit',`
>  	gen_require(`
>  		type auditd_t, auditd_etc_t, auditd_log_t;
> +		type auditd_script_exec_t;
>  		type auditd_var_run_t;
>  	')
>  
> @@ -709,6 +745,15 @@
>  
>  	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
>  	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
> +
> +	logging_run_auditctl($1, $2, $3)
> +
> +	# Allow $1 to restart the audit service
> +	logging_audit_script_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 auditd_script_exec_t system_r;
> +	allow $2 system_r;
> +
>  ')
>  
>  ########################################
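
Review bot: this hunk introduces `$2` and `$3` into `logging_admin_audit` (via `logging_run_auditctl($1, $2, $3)` and the `role_transition`/`allow $2 system_r` lines), so the interface's `<param>` documentation must gain entries for the role and terminal parameters, and the cover note's claim that the signature change is safe should be checked against every caller; `logging_admin` below is updated, which is good. The added empty line just before `')` is a stray blank; drop it.
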
> @@ -729,6 +774,7 @@
>  		type syslogd_tmp_t, syslogd_var_lib_t;
>  		type syslogd_var_run_t, klogd_var_run_t;
>  		type klogd_tmp_t, var_log_t;
> +		type syslogd_script_exec_t;
>  	')
>  
>  	allow $1 syslogd_t:process { ptrace signal_perms };
> @@ -756,6 +802,12 @@
>  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
>  
>  	logging_manage_all_logs($1)
> +
> +	# Allow $1 to restart the syslog service
> +	logging_syslog_script_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 syslogd_script_exec_t system_r;
> +	allow $2 system_r;
>  ')
>  
>  ########################################
> @@ -771,6 +823,132 @@
>  ## <rolecap/>
>  #
>  interface(`logging_admin',`
> -	logging_admin_audit($1)
> -	logging_admin_syslog($1)
> +	logging_admin_audit($1, $2, $3)
> +	logging_admin_syslog($1, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute syslog server in the syslogd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_syslog_script_domtrans',`
> +	gen_require(`
> +		type syslogd_script_exec_t;
> +	')
> +
> +	init_script_domtrans_spec($1,syslogd_script_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute audit server in the auditd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_audit_script_domtrans',`
> +	gen_require(`
> +		type auditd_script_exec_t;
> +	')
> +
> +	init_script_domtrans_spec($1,auditd_script_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute a domain transition to run audisp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_domtrans_audisp',`
> +	gen_require(`
> +		type audisp_t;
> +                type audisp_exec_t;
> +	')
> +
> +	domtrans_pattern($1,audisp_exec_t,audisp_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Signal the audisp domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_audisp_signal',`
> +	gen_require(`
> +		type audisp_t;
> +	')
> +
> +	allow $1 audisp_t:process signal;
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain for processes
> +##	which can be started by the system audisp
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_audisp_system_domain',`
> +	gen_require(`
> +		type audisp_t;
> +		role system_r;
> +	')
> +
> +	domain_type($1)
> +	domain_entry_file($1,$2)
> +
> +	role system_r types $1;
> +
> +	domtrans_pattern(audisp_t,$2,$1)
> +	allow $1 audisp_t:process signal;
> +
> +	allow audisp_t $2:file getattr;
> +	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Connect to auditdstored over an unix stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_stream_connect_audisp',`
> +	gen_require(`
> +		type audisp_t, audisp_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
>  ')
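
Review bot: several of the new doc blocks misdescribe their interface: `logging_syslog_script_domtrans` and `logging_audit_script_domtrans` run the init scripts (`init_script_domtrans_spec`), not the servers, so "Execute syslog server in the syslogd domain" is wrong; the parameter of `logging_audisp_signal` is described as "Domain allowed to transition" although it only grants `signal`; and `logging_stream_connect_audisp` has the typo "auditdstored". In `logging_domtrans_audisp` the line `type audisp_exec_t;` is indented with spaces instead of the tabs used everywhere else, and the two `type` lines can be merged into `type audisp_t, audisp_exec_t;` as the other gen_require blocks do.
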
> Index: refpolicy/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy.orig/policy/modules/system/logging.te	2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/system/logging.te	2008-08-03 17:14:41.000000000 +0200
> @@ -61,10 +61,29 @@
>  logging_log_file(var_log_t)
>  files_mountpoint(var_log_t)
>  
> +type auditd_script_exec_t;
> +init_script_type(auditd_script_exec_t)
> +
> +type syslogd_script_exec_t;
> +init_script_type(syslogd_script_exec_t)
> +
>  ifdef(`enable_mls',`
>  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
> +	init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)
>  ')
>  
> +type audisp_t;
> +type audisp_exec_t;
> +init_system_domain(audisp_t, audisp_exec_t)
> +
> +type audisp_var_run_t;
> +files_pid_file(audisp_var_run_t)
> +
> +type audisp_remote_t;
> +type audisp_remote_exec_t;
> +domain_type(audisp_remote_t)
> +domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
> +
>  ########################################
>  #
>  # Auditctl local policy
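
Review bot: `audisp_remote_t` is declared here with `domain_type`/`domain_entry_file`, and the last hunk of this file then calls `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)`, which performs the same `domain_type` and `domain_entry_file` calls again (and is itself called twice). Declare the types here and leave the domain setup to a single `logging_audisp_system_domain` call in the audisp_remote section.
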
> @@ -84,6 +103,7 @@
>  kernel_read_kernel_sysctls(auditctl_t)
>  kernel_read_proc_symlinks(auditctl_t)
>  
> +
>  domain_read_all_domains_state(auditctl_t)
>  domain_use_interactive_fds(auditctl_t)
>  
> @@ -158,11 +178,13 @@
>  
>  mls_file_read_all_levels(auditd_t)
>  mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
> +mls_fd_use_all_levels(auditd_t)
>  
>  seutil_dontaudit_read_config(auditd_t)
>  
> -userdom_dontaudit_use_unpriv_user_fds(auditd_t)
> +sysnet_dns_name_resolve(auditd_t)
>  
> +userdom_dontaudit_use_unpriv_user_fds(auditd_t)
>  sysadm_dontaudit_search_home_dirs(auditd_t)
>  
>  ifdef(`distro_ubuntu',`
> @@ -172,6 +194,10 @@
>  ')
>  
>  optional_policy(`
> +	mta_send_mail(auditd_t)
> +')
> +
> +optional_policy(`
>  	seutil_sigchld_newrole(auditd_t)
>  ')
>  
> @@ -209,6 +235,7 @@
>  
>  fs_getattr_all_fs(klogd_t)
>  fs_search_auto_mountpoints(klogd_t)
> +fs_search_tmpfs(klogd_t)
>  
>  domain_use_interactive_fds(klogd_t)
>  
> @@ -253,7 +280,6 @@
>  dontaudit syslogd_t self:capability sys_tty_config;
>  # setpgid for metalog
>  allow syslogd_t self:process { signal_perms setpgid };
> -allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
>  # receive messages to be logged
>  allow syslogd_t self:unix_dgram_socket create_socket_perms;
>  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
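
Review bot: removing `allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;` is only safe together with the `auth_use_nsswitch(syslogd_t)` added in the -340 hunk, which supplies the name-service rules (including the route socket) that also let the later hunks drop `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use`. A one-line note in the commit message tying these removals to the nsswitch call would save the next reader from checking each one.
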
> @@ -275,6 +301,9 @@
>  # Allow access for syslog-ng
>  allow syslogd_t var_log_t:dir { create setattr };
>  
> +mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
> +mls_fd_use_all_levels(syslogd_t)
> +
>  # manage temporary files
>  manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
>  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
> @@ -290,12 +319,14 @@
>  manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
>  files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
>  
> +kernel_read_system_state(syslogd_t)
>  kernel_read_kernel_sysctls(syslogd_t)
>  kernel_read_proc_symlinks(syslogd_t)
>  # Allow access to /proc/kmsg for syslog-ng
>  kernel_read_messages(syslogd_t)
>  kernel_clear_ring_buffer(syslogd_t)
>  kernel_change_ring_buffer_level(syslogd_t)
> +files_read_kernel_symbol_table(syslogd_t)
>  
>  dev_filetrans(syslogd_t,devlog_t,sock_file)
>  dev_read_sysfs(syslogd_t)
> @@ -328,6 +359,8 @@
>  # Allow users to define additional syslog ports to connect to
>  corenet_tcp_bind_syslogd_port(syslogd_t)
>  corenet_tcp_connect_syslogd_port(syslogd_t)
> +corenet_tcp_connect_postgresql_port(syslogd_t)
> +corenet_tcp_connect_mysqld_port(syslogd_t)
>  
>  # syslog-ng can send or receive logs
>  corenet_sendrecv_syslogd_client_packets(syslogd_t)
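
Review bot: `corenet_tcp_connect_postgresql_port(syslogd_t)` and `corenet_tcp_connect_mysqld_port(syslogd_t)` are granted unconditionally, so every syslogd installation may open connections to database servers even though only deployments that log to a database need it. Gate them (and the `postgresql_stream_connect` added further down) behind a tunable or an `optional_policy` block tied to the database module so the default policy stays as narrow as the existing syslogd port rules.
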
> @@ -340,23 +373,23 @@
>  domain_use_interactive_fds(syslogd_t)
>  
>  files_read_etc_files(syslogd_t)
> +files_read_usr_files(syslogd_t)
>  files_read_var_files(syslogd_t)
>  files_read_etc_runtime_files(syslogd_t)
>  # /initrd is not umounted before minilog starts
>  files_dontaudit_search_isid_type_dirs(syslogd_t)
>  
> +auth_use_nsswitch(syslogd_t)
> +
>  libs_use_ld_so(syslogd_t)
>  libs_use_shared_libs(syslogd_t)
>  
>  # cjp: this doesnt make sense
>  logging_send_syslog_msg(syslogd_t)
>  
> -sysnet_read_config(syslogd_t)
> -
>  miscfiles_read_localization(syslogd_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
> -
>  sysadm_dontaudit_search_home_dirs(syslogd_t)
>  
>  ifdef(`distro_gentoo',`
> @@ -382,15 +415,11 @@
>  ')
>  
>  optional_policy(`
> -	nis_use_ypbind(syslogd_t)
> -')
> -
> -optional_policy(`
> -	nscd_socket_use(syslogd_t)
> +	seutil_sigchld_newrole(syslogd_t)
>  ')
>  
>  optional_policy(`
> -	seutil_sigchld_newrole(syslogd_t)
> +	postgresql_stream_connect(syslogd_t)
>  ')
>  
>  optional_policy(`
> @@ -401,3 +430,67 @@
>  	# log to the xconsole
>  	xserver_rw_console(syslogd_t)
>  ')
> +
> +########################################
> +#
> +# audisp local policy
> +#
> +
> +# Init script handling
> +domain_use_interactive_fds(audisp_t)
> +
> +allow audisp_t self:capability sys_nice;
> +allow audisp_t self:process setsched;
> +
> +## internal communication is often done using fifo and unix sockets.
> +allow audisp_t self:fifo_file rw_file_perms;
> +allow audisp_t self:unix_stream_socket create_stream_socket_perms;
> +allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
> +
> +manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
> +files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
> +
> +files_read_etc_files(audisp_t)
> +
> +libs_use_ld_so(audisp_t)
> +libs_use_shared_libs(audisp_t)
> +
> +logging_send_syslog_msg(audisp_t)
> +
> +miscfiles_read_localization(audisp_t)
> +
> +mls_file_write_all_levels(audisp_t)
> +
> +corecmd_search_bin(audisp_t)
> +allow audisp_t self:unix_dgram_socket create_socket_perms;
> +
> +logging_domtrans_audisp(auditd_t)
> +logging_audisp_signal(auditd_t)
> +
> +########################################
> +#
> +# audisp_remote local policy
> +#
> +
> +logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
> +
> +allow audisp_remote_t self:tcp_socket create_socket_perms;
> +
> +corenet_all_recvfrom_unlabeled(audisp_remote_t)
> +corenet_all_recvfrom_netlabel(audisp_remote_t)
> +corenet_tcp_sendrecv_all_if(audisp_remote_t)
> +corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
> +corenet_tcp_connect_audit_port(audisp_remote_t)
> +
> +files_read_etc_files(audisp_remote_t)
> +
> +libs_use_ld_so(audisp_remote_t)
> +libs_use_shared_libs(audisp_remote_t)
> +
> +logging_send_syslog_msg(audisp_remote_t)
> +logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
> +
> +miscfiles_read_localization(audisp_remote_t)
> +
> +sysnet_dns_name_resolve(audisp_remote_t)
> +
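
Review bot: `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` applies a file permission set to a socket class; use `rw_socket_perms`, as `logging_audisp_system_domain` does for the audisp socket in the .if hunk above. `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)` is called twice in the audisp_remote section (once at its top and again after `logging_send_syslog_msg`); keep one. `corenet_tcp_connect_audit_port(audisp_remote_t)` requires `audit_port_t`, which the corenetwork patch in this series leaves commented out, so this module will not build against that tree. Finally, the `##` prefix on the "internal communication" comment is the XML doc-comment marker and should be a plain `#` in a .te file, and the trailing `+` empty line at the end of the file should be dropped.
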
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

* [refpolicy] [patch 33/35] mailscanner policy addition
  2008-08-21 14:06   ` [refpolicy] " Christopher J. PeBenito
@ 2008-08-25 17:18     ` Daniel J Walsh
  2008-09-05 12:54       ` Christopher J. PeBenito
  0 siblings, 1 reply; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-25 17:18 UTC (permalink / raw)
  To: refpolicy

Christopher J. PeBenito wrote:
> On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
>> plain text document attachment
>> (policy_modules_services_mailscanner.patch)
>> Adds a new mailscanner module from the RH patchset
> 
> This seems like an incomplete module, since it only has one file type
> and no domain.
> 
>> Index: refpolicy/policy/modules/services/mailscanner.fc
>> ===================================================================
>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.fc	2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,2 @@
>> +/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
>> +
>> Index: refpolicy/policy/modules/services/mailscanner.if
>> ===================================================================
>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.if	2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,59 @@
>> +## <summary>Anti-Virus and Anti-Spam Filter</summary>
>> +
>> +########################################
>> +## <summary>
>> +##	Search mailscanner spool directories.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_search_spool',`
>> +	gen_require(`
>> +		type mailscanner_spool_t;
>> +	')
>> +
>> +	files_search_spool($1)
>> +	allow $1 mailscanner_spool_t:dir search_dir_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	read mailscanner spool files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_read_spool',`
>> +	gen_require(`
>> +		type mailscanner_spool_t;
>> +	')
>> +
>> +	files_search_spool($1)
>> +	read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Create, read, write, and delete
>> +##	mailscanner spool files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`mailscanner_manage_spool',`
>> +	gen_require(`
>> +		type mailscanner_spool_t;
>> +	')
>> +
>> +	files_search_spool($1)
>> +	manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
>> +')
>> Index: refpolicy/policy/modules/services/mailscanner.te
>> ===================================================================
>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>> +++ refpolicy/policy/modules/services/mailscanner.te	2008-08-03 22:09:51.000000000 +0200
>> @@ -0,0 +1,5 @@
>> +
>> +policy_module(mailscanner,1.0.0)
>> +
>> +type mailscanner_spool_t;
>> +files_type(mailscanner_spool_t)
>>
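Review bot: with no domain, no `_exec_t` type and a single .fc entry, nothing in this module confines MailScanner itself; the label on /var/spool/MailScanner is only reachable through the three interfaces, so the module is a type-declaration shim and should say so in a comment naming its callers (procmail_t and clamscan_t, per the follow-up below) if it stays a separate module. Also drop the stray blank line before `policy_module(mailscanner,1.0.0)`.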
This domain was added to just define a context and interfaces for
mailscanner_spool_t so other domains could use it. I have never used
mailscanner and have no idea how to set this up.  I guess we could label
/var/spool/MailScanner with a clamscan_spool_t and add the interfaces to
there.  The only domain that uses mailscan_spool is

	mailscanner_read_spool(procmail_t)
	mailscanner_manage_spool(clamscan_t)


* [refpolicy] cyphesis policy
  2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
@ 2008-08-25 17:25     ` Daniel J Walsh
  2008-09-03 14:44       ` Christopher J. PeBenito
  2008-08-25 17:29     ` [refpolicy] nsplugin policy Daniel J Walsh
                       ` (3 subsequent siblings)
  4 siblings, 1 reply; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-25 17:25 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/Policy/services_cyphesis.patch


* [refpolicy] nsplugin policy
  2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
  2008-08-25 17:25     ` [refpolicy] cyphesis policy Daniel J Walsh
@ 2008-08-25 17:29     ` Daniel J Walsh
  2008-08-25 17:40     ` [refpolicy] Updated kerberos patch to add kprop port definition Daniel J Walsh
                       ` (2 subsequent siblings)
  4 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-25 17:29 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/Policy/apps_nsplugin.patch


* [refpolicy] Updated kerberos patch to add kprop port definition.
  2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
  2008-08-25 17:25     ` [refpolicy] cyphesis policy Daniel J Walsh
  2008-08-25 17:29     ` [refpolicy] nsplugin policy Daniel J Walsh
@ 2008-08-25 17:40     ` Daniel J Walsh
  2008-08-25 17:44     ` [refpolicy] Updated munin support Daniel J Walsh
  2008-08-25 17:52     ` [refpolicy] [patch 04/35] corenetwork policy update Daniel J Walsh
  4 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-25 17:40 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/Policy/services_kerberos.patch


This is a major update to kerberos policy adding in kprop support


* [refpolicy] Updated munin support
  2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
                       ` (2 preceding siblings ...)
  2008-08-25 17:40     ` [refpolicy] Updated kerberos patch to add kprop port definition Daniel J Walsh
@ 2008-08-25 17:44     ` Daniel J Walsh
  2008-08-25 17:52     ` [refpolicy] [patch 04/35] corenetwork policy update Daniel J Walsh
  4 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-25 17:44 UTC (permalink / raw)
  To: refpolicy


http://people.fedoraproject.org/~dwalsh/SELinux/Policy/services_munin.patch

Add munin port definition

Add http scripts

munin needs chown dac_override and sys_rawio capabilities

Uses fifo_file to communicate with itself.

Execs itself.

Manages its own log files in a log directory

Fixes for file context

Reads all sysctls and network state

Can exec shell

communicates with the munin port

Uses getpw

execs ps

Communicates with mysql


* [refpolicy] [patch 04/35] corenetwork policy update
  2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
                       ` (3 preceding siblings ...)
  2008-08-25 17:44     ` [refpolicy] Updated munin support Daniel J Walsh
@ 2008-08-25 17:52     ` Daniel J Walsh
  2008-09-03 14:44       ` Christopher J. PeBenito
  4 siblings, 1 reply; 89+ messages in thread
From: Daniel J Walsh @ 2008-08-25 17:52 UTC (permalink / raw)
  To: refpolicy

Ok this is just adding additional ports to existing definitions.


--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in
2008-08-11 11:23:34.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/kernel/corenetwork.te.in
2008-08-25 13:35:01.000000000 -0400
@@ -149,11 +157,11 @@
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0)
+network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(rwho, udp,513,s0)
-network_port(smbd, tcp,139,s0, tcp,445,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
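Review bot: the hunk header `@@ -149,11 +157,11 @@` carries an eight-line offset with no earlier hunk in the mail, so this fragment was cut from a larger diff and will need the offset tolerated (or manual application) against the stated base; worth a sentence in the message. On the content: `tcp,137-139` labels the NetBIOS name and datagram ports (137/138, which are UDP services for the nmbd case) as smbd_port_t for TCP only, which is fine as long as no existing udp declaration for those ports is duplicated; and 521 for router is RIPng next to RIPv1/v2 on 520, so a short comment beside `network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)` would save the next reader a lookup.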

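Port additions like the ones in the patch above are the kind of change that silently collides with an existing `network_port` line for the same protocol, which the policy compiler then rejects (or which leaves one of the two labels unreachable). The checker below is an added example for this thread, not refpolicy code: it parses `network_port(name, proto,port[-port],level, ...)` declarations and reports every pair of ranges that intersect on the same protocol. The `SAMPLE` text is constructed: its first ten lines mirror the hunk after the patch is applied (the `nmbd` line is assumed, not shown in the hunk), and the final `bogus_conflict` line is invented to exercise the check.

```python
"""Detect overlapping network_port() declarations in a refpolicy corenetwork.te.in.

Added example for this thread, not refpolicy code. SAMPLE is constructed: the
first ten lines mirror the hunk above after the patch (the nmbd line is assumed),
and the last line is an invented conflict so the check has something to find.
"""
import re
import sys
from typing import List, Tuple

SAMPLE = """\
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(bogus_conflict, tcp,138,s0)
"""

# One declaration per line: network_port(name, proto,port[-port],level[, ...])
DECL_RE = re.compile(r"^\s*network_port\(\s*(\w+)\s*,(.*)\)\s*$")
# Each (proto, port or port range, level) triple inside the argument list.
TRIPLE_RE = re.compile(r"(tcp|udp)\s*,\s*(\d+)(?:-(\d+))?\s*,\s*(\w+)")

PortRange = Tuple[str, str, int, int]  # (type name, proto, low, high)


def parse_network_ports(text: str) -> List[PortRange]:
    """Return every (name, proto, low, high) range declared in text."""
    ranges: List[PortRange] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DECL_RE.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        triples = TRIPLE_RE.findall(args)
        if not triples:
            raise ValueError(f"line {lineno}: no proto,port,level triple in {line!r}")
        for proto, low, high, _level in triples:
            lo, hi = int(low), int(high) if high else int(low)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"line {lineno}: bad port range {lo}-{hi} for {name}")
            ranges.append((name, proto, lo, hi))
    return ranges


def find_overlaps(ranges: List[PortRange]) -> List[Tuple[PortRange, PortRange]]:
    """Pairs of ranges on the same protocol whose port intervals intersect.

    Same-name overlaps are reported as well: an exact duplicate is still a
    problem for the policy build.
    """
    hits = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a[1] == b[1] and a[2] <= b[3] and b[2] <= a[3]:
                hits.append((a, b))
    return hits


def format_hit(hit: Tuple[PortRange, PortRange]) -> str:
    a, b = hit
    return f"{a[1]} {a[2]}-{a[3]} ({a[0]}) overlaps {b[1]} {b[2]}-{b[3]} ({b[0]})"


if __name__ == "__main__":
    # Usage: portcheck.py policy/modules/kernel/corenetwork.te.in  (falls back to SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_overlaps(parse_network_ports(text)):
        print(format_hit(hit))
```

Run against the real corenetwork.te.in before building; the tcp 137-139 range in the patch passes because the assumed nmbd entries are udp, and only the invented tcp 138 line is flagged.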

* [refpolicy] [patch 04/35] corenetwork policy update
  2008-08-25 17:52     ` [refpolicy] [patch 04/35] corenetwork policy update Daniel J Walsh
@ 2008-09-03 14:44       ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-09-03 14:44 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-25 at 13:52 -0400, Daniel J Walsh wrote:
> Ok this is just adding additional ports to existing definitions.

Merged.

> --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in
> 2008-08-11 11:23:34.000000000 -0400
> +++ serefpolicy-3.5.5/policy/modules/kernel/corenetwork.te.in
> 2008-08-25 13:35:01.000000000 -0400
> @@ -149,11 +157,11 @@
>  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
>  network_port(rlogind, tcp,513,s0)
>  network_port(rndc, tcp,953,s0)
> -network_port(router, udp,520,s0)
> +network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
>  network_port(rsh, tcp,514,s0)
>  network_port(rsync, tcp,873,s0, udp,873,s0)
>  network_port(rwho, udp,513,s0)
> -network_port(smbd, tcp,139,s0, tcp,445,s0)
> +network_port(smbd, tcp,137-139,s0, tcp,445,s0)
>  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
>  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
>  network_port(spamd, tcp,783,s0)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] cyphesis policy
  2008-08-25 17:25     ` [refpolicy] cyphesis policy Daniel J Walsh
@ 2008-09-03 14:44       ` Christopher J. PeBenito
  0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-09-03 14:44 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-25 at 13:25 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/Policy/services_cyphesis.patch

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] [patch 33/35] mailscanner policy addition
  2008-08-25 17:18     ` Daniel J Walsh
@ 2008-09-05 12:54       ` Christopher J. PeBenito
  2008-09-05 13:57         ` Daniel J Walsh
  0 siblings, 1 reply; 89+ messages in thread
From: Christopher J. PeBenito @ 2008-09-05 12:54 UTC (permalink / raw)
  To: refpolicy

On Mon, 2008-08-25 at 13:18 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
> >> plain text document attachment
> >> (policy_modules_services_mailscanner.patch)
> >> Adds a new mailscanner module from the RH patchset
> >
> > This seems like an incomplete module, since it only has one file type
> > and no domain.
>  
> >> Index: refpolicy/policy/modules/services/mailscanner.fc
> >> ===================================================================
> >> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
> >> +++ refpolicy/policy/modules/services/mailscanner.fc	2008-08-03 22:09:51.000000000 +0200
> >> @@ -0,0 +1,2 @@
> >> +/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
[...]
> >> @@ -0,0 +1,5 @@
> >> +
> >> +policy_module(mailscanner,1.0.0)
> >> +
> >> +type mailscanner_spool_t;
> >> +files_type(mailscanner_spool_t)
> >>
> This domain was added to just define a context and interfaces for
> mailscanner_spool_t so other domains could use it. I have never used
> mailscanner and have no idea how to set this up.  I guess we could
> label
> /var/spool/MailScanner with a clamscan_spool_t and add the interfaces
> to
> there.

From what I can figure out from the "What Is MailScanner?" web page,
that seems like the better way.  But one thought I also had based on
this:

>   The only domain that uses mailscan_spool is
> 
> 	mailscanner_read_spool(procmail_t)
> 	mailscanner_manage_spool(clamscan_t)

Are we sure it's not just mail_spool_t?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] [patch 33/35] mailscanner policy addition
  2008-09-05 12:54       ` Christopher J. PeBenito
@ 2008-09-05 13:57         ` Daniel J Walsh
  0 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2008-09-05 13:57 UTC (permalink / raw)
  To: refpolicy

Christopher J. PeBenito wrote:
> On Mon, 2008-08-25 at 13:18 -0400, Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-08-04 at 14:35 +0200, david at hardeman.nu wrote:
>>>> plain text document attachment
>>>> (policy_modules_services_mailscanner.patch)
>>>> Adds a new mailscanner module from the RH patchset
>>> This seems like an incomplete module, since it only has one file type
>>> and no domain.
>>  
>>>> Index: refpolicy/policy/modules/services/mailscanner.fc
>>>> ===================================================================
>>>> --- /dev/null	1970-01-01 00:00:00.000000000 +0000
>>>> +++ refpolicy/policy/modules/services/mailscanner.fc	2008-08-03 22:09:51.000000000 +0200
>>>> @@ -0,0 +1,2 @@
>>>> +/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
> [...]
>>>> @@ -0,0 +1,5 @@
>>>> +
>>>> +policy_module(mailscanner,1.0.0)
>>>> +
>>>> +type mailscanner_spool_t;
>>>> +files_type(mailscanner_spool_t)
>>>>
>> This domain was added to just define a context and interfaces for
>> mailscanner_spool_t so other domains could use it. I have never used
>> mailscanner and have no idea how to set this up.  I guess we could
>> label
>> /var/spool/MailScanner with a clamscan_spool_t and add the interfaces
>> to
>> there.
> 
> From what I can figure out from the "What Is MailScanner?" web page,
> that seems like the better way.  But one thought I also had based on
> this:
> 
>>   The only domain that uses mailscan_spool is
>>
>> 	mailscanner_read_spool(procmail_t)
>> 	mailscanner_manage_spool(clamscan_t)
> 
> Are we sure it's not just mail_spool_t?
> 
I am fine with mail_spool.


end of thread, other threads:[~2008-09-05 13:57 UTC | newest]

Thread overview: 89+ messages
2008-08-04 12:34 [patch 00/35] Second round of Fedora/RedHat SELinux changes david
2008-08-04 12:34 ` [patch 01/35] anaconda policy update david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:34 ` [patch 02/35] kudzu " david
2008-08-14 14:25   ` Christopher J. PeBenito
2008-08-04 12:34 ` [patch 03/35] logrotate " david
2008-08-14 13:26   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 04/35] corenetwork " david
2008-08-21 14:40   ` Christopher J. PeBenito
2008-08-21 14:41   ` [refpolicy] " Christopher J. PeBenito
2008-08-25 17:25     ` [refpolicy] cyphesis policy Daniel J Walsh
2008-09-03 14:44       ` Christopher J. PeBenito
2008-08-25 17:29     ` [refpolicy] nsplugin policy Daniel J Walsh
2008-08-25 17:40     ` [refpolicy] Updated kerberos patch to add kprop port definition Daniel J Walsh
2008-08-25 17:44     ` [refpolicy] Updated munin support Daniel J Walsh
2008-08-25 17:52     ` [refpolicy] [patch 04/35] corenetwork policy update Daniel J Walsh
2008-09-03 14:44       ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 05/35] courier " david
2008-08-14 14:25   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 06/35] soundserver " david
2008-08-07 13:33   ` Christopher J. PeBenito
2008-08-07 15:09     ` Daniel J Walsh
2008-08-11 13:18       ` Christopher J. PeBenito
2008-08-11 14:15         ` Daniel J Walsh
2008-08-11 14:19         ` Daniel J Walsh
2008-08-11 14:22         ` Daniel J Walsh
2008-08-04 12:35 ` [patch 07/35] w3c policy addition david
2008-08-21 14:00   ` [refpolicy] " Christopher J. PeBenito
2008-08-04 12:35 ` [patch 08/35] logging policy update david
2008-08-22 15:25   ` [refpolicy] " Christopher J. PeBenito
2008-08-04 12:35 ` [patch 09/35] xen " david
2008-08-04 12:35 ` [patch 10/35] qemu " david
2008-08-04 12:35 ` [patch 11/35] hotplug " david
2008-08-07 14:23   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 12/35] getty " david
2008-08-14 14:25   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 13/35] ricci " david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 14/35] remotelogin " david
2008-08-14 13:44   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 15/35] kernel terminal " david
2008-08-07 13:46   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 16/35] usernet policy updates david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 17/35] brctl policy update david
2008-08-07 13:47   ` Christopher J. PeBenito
2008-08-07 15:11     ` Daniel J Walsh
2008-08-11 13:20       ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 18/35] fsadm " david
2008-08-07 13:49   ` Christopher J. PeBenito
2008-08-07 14:10     ` Problem with MLS because /dev is labeled tmpfs_t Dennis Wronka
2008-08-08  2:00       ` Russell Coker
2008-08-09  8:49         ` Dennis Wronka
2008-08-04 12:35 ` [patch 19/35] kernel storage module policy updates david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 20/35] rpc policy update david
2008-08-14 14:25   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 21/35] kismet " david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 22/35] oav policy updates david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 23/35] iptables policy update david
2008-08-12 19:57   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 24/35] bootloader policy updates david
2008-08-14 14:25   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 25/35] rdisc policy update david
2008-08-14 14:25   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 26/35] stunnel " david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 27/35] inetd " david
2008-08-11 13:50   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 28/35] iscsi " david
2008-08-11 14:09   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 29/35] ipsec " david
2008-08-11 14:08   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 30/35] fetchmail " david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 31/35] amanda " david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 32/35] rsync " david
2008-08-07 14:22   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 33/35] mailscanner policy addition david
2008-08-21 14:06   ` [refpolicy] " Christopher J. PeBenito
2008-08-25 17:18     ` Daniel J Walsh
2008-09-05 12:54       ` Christopher J. PeBenito
2008-09-05 13:57         ` Daniel J Walsh
2008-08-04 12:35 ` [patch 34/35] qmail policy update david
2008-08-11 14:08   ` Christopher J. PeBenito
2008-08-04 12:35 ` [patch 35/35] livecd policy addition david
