* policy
From: Hugo F. Martinez @ 2001-05-22 23:28 UTC (permalink / raw)
To: selinux
Hi:
I'm trying to relabel my file system but I'm getting this kind of error:
....
./set files: invalid context system_u:object_r:cron_log_ti on line
number 368
make: *** [relabel] Error 1
I checked file_contexts but I can't see any clue to where the problem is.
Thanks in advance.
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policy
From: Jon Crowley @ 2001-05-23 14:57 UTC (permalink / raw)
To: Hugo F. Martinez; +Cc: selinux
Did you modify file_contexts? It appears that is simply a typo... try
changing that line in file_contexts to the following, note the lack of
"i" on the end:
system_u:object_r:cron_log_t
Jon Crowley
"Hugo F. Martinez" wrote:
>
> Hi:
> I'm trying to relabel my file system but I'm getting this kind of error:
>
> ....
> ./set files: invalid context system_u:object_r:cron_log_ti on line
> number 368
> make: *** [relabel] Error 1
>
> I checked file_contexts but I can't see any clue to where the problem is.
>
> Thanks in advance.
>
* Re: policy
From: Rajan Ravindran @ 2001-06-01 14:22 UTC (permalink / raw)
To: selinux
Hi,
While I relabel my file system, I'm getting errors such as
invalid context system_u:object_r:sysadm_netscape_rw_ti on line number 65
and similar errors (with an 'i' appended to the end of the type field in the context)
at different line numbers.
Some days ago Hugo F. Martinez reported the same kind of error, and Jon
Crowley replied that it could be a simple typo. I checked
file_contexts at the specified line numbers, and I don't see any 'i' at the
end.
Any idea what the problem could be?
Thanks,
Rajan.
* Re: policy
From: Stephen Smalley @ 2001-06-06 17:47 UTC (permalink / raw)
To: Rajan Ravindran; +Cc: selinux
On Fri, 1 Jun 2001, Rajan Ravindran wrote:
> While I do relabel my file system, I'm getting some errors as
>
> invalid context system_u:object_r:sysadm_netscape_rw_ti on line number 65
>
> similar errors (by appending 'i' at the end of type field in the context)
> at different line numbers.
I haven't seen this error, and nothing springs to mind as a
possible cause. Try using gdb on the setfiles program,
setting a breakpoint immediately after the sscanf call (line 458),
and a breakpoint before the security_context_to_sid call (line 553).
Examine context at each breakpoint.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
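As an added example (not the setfiles source and not from the thread), here is a small checker that does what `setfiles -c` does for the two reports above: it parses a file_contexts listing, validates each context's type against the types declared in a .te fragment, and reports the offending line number with a closest-match hint. The `SAMPLE_TE` and `SAMPLE_FC` inputs are constructed; the entry grammar (regexp, optional `--` style file-type field, context) follows the file_contexts lines quoted on this page.

```python
"""Validate a file_contexts listing the way `setfiles -c` does, reporting the
line number of any entry whose security context is not valid.

Added example for this thread; it is not the setfiles source. The type set
and the file_contexts text below are constructed for illustration.
"""
import difflib
import re

# A security context is user:role:type; the type must be declared in the policy.
CONTEXT_RE = re.compile(r"^([a-z_][a-z0-9_]*):([a-z_][a-z0-9_]*):([a-z_][a-z0-9_]*)$")

# One file_contexts entry: regexp [file-type flag] context.  The flag is the
# optional single field such as "--" (regular file) or "-d" (directory).
ENTRY_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")


def declared_types(te_source):
    """Collect type names from `type foo_t, attr...;` declarations in .te text."""
    return set(re.findall(r"^\s*type\s+([a-z_][a-z0-9_]*)", te_source, re.MULTILINE))


def parse_context(context, types):
    """Return (user, role, type), or None if the string is not a valid context
    for this policy (wrong shape, or a type that is not declared)."""
    m = CONTEXT_RE.match(context)
    if m is None or m.group(3) not in types:
        return None
    return m.groups()


def check_file_contexts(fc_text, types):
    """Return [(line_number, offending_text)] for every invalid entry.

    Line numbers are 1-based and count blank and comment lines, so they match
    the "on line number N" the setfiles error message reports."""
    errors = []
    for lineno, raw in enumerate(fc_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:                       # malformed entry, not regexp [flag] context
            errors.append((lineno, line))
            continue
        context = m.group(3)
        if context != "<<none>>" and parse_context(context, types) is None:
            errors.append((lineno, context))
    return errors


def suggest(type_name, types):
    """Closest declared type, for a 'did you mean' hint (cron_log_ti -> cron_log_t)."""
    matches = difflib.get_close_matches(type_name, sorted(types), n=1, cutoff=0.8)
    return matches[0] if matches else None


# Constructed policy fragment: the declarations the checker learns types from.
SAMPLE_TE = """\
type cron_log_t, file_type, sysadmfile, logfile;
type etc_runtime_t, file_type, sysadmfile;
type portmap_exec_t, file_type, sysadmfile, exec_type;
"""

# Constructed file_contexts: line 4 carries the stray "i" from the thread.
SAMPLE_FC = """\
# cron
/var/log/cron.*            system_u:object_r:cron_log_t
/etc/nologin.*             system_u:object_r:etc_runtime_t
/var/log/cron\\.old        system_u:object_r:cron_log_ti
/sbin/portmap          --  system_u:object_r:portmap_exec_t
/etc/nohotplug             system_u:object_r:etc_runtime_t
"""


def report(fc_text=SAMPLE_FC, te_source=SAMPLE_TE):
    """Print setfiles-style messages (plus a hint) and return the error list."""
    types = declared_types(te_source)
    errors = check_file_contexts(fc_text, types)
    for lineno, context in errors:
        msg = f"invalid context {context} on line number {lineno}"
        m = CONTEXT_RE.match(context)
        hint = suggest(m.group(3), types) if m else None
        if hint:
            msg += f" (did you mean {hint}?)"
        print(msg)
    return errors


if __name__ == "__main__":
    report()
```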
* Policy
From: Westerman, Mark @ 2002-04-03 19:38 UTC (permalink / raw)
To: 'Howard Holm', Russell Coker, SeLinux; +Cc: sds, pal
I guess the first step is to standardize the location
of the policy files.
How about:
The current install of selinux programs, libs and information:
/usr/local/selinux/
    bin
    etc
    flask
    include
    info
    libexec
    man
    sbin
    share
    var
    X11R6
Policy additions:
    policy
    setfiles
    share/doc/examples/
        policy
        setfiles
When performing a make quickinstall the make will not overwrite
/usr/local/selinux/policy
/usr/local/selinux/setfiles
if those directories exist. If the directories do not exist,
create them and then populate them with the example policy.
The make will overwrite the example policy files:
/usr/share/doc/examples/policy
/usr/share/doc/examples/setfiles
Mark Westerman
* Re: Policy
From: Russell Coker @ 2002-04-03 20:11 UTC (permalink / raw)
To: Westerman, Mark, 'Howard Holm', SeLinux; +Cc: sds, pal
On Wed, 3 Apr 2002 21:38, Westerman, Mark wrote:
> I guess the first step is to standardize the location
> of the policy files.
>
> How about
>
> The Current install of selinux program,lib and information
>
> /usr/local/selinux/
> bin
> etc
> flask
> include
> info
> libexec
> man
> sbin
> share
> var
> X11R6
> Policy additions
> policy
> setfiles
> share/doc/examples/
> policy
> setfiles
>
How about the following for distributions other than Slackware:
/usr/bin
/usr/sbin
/usr/include/selinux
/usr/lib
/usr/share/man
/etc/policy
> When performing a make quickinstall the make will not overwrite
> /usr/local/selinux/policy
> /usr/local/selinux/setfiles
> if those directories exist. If the directories do not exist
> create them and then populate them with the example policy.
>
> The make will overwrite the example policy files.
> /usr/share/doc/examples/policy
> /usr/share/doc/examples/setfiles
s/doc/doc\/selinux/ for non-Slackware.
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
* RE: Policy
From: Westerman, Mark @ 2002-04-03 20:43 UTC (permalink / raw)
To: 'Russell Coker', 'Howard Holm', SeLinux; +Cc: sds, pal
On Wednesday, April 03, 2002 2:12 PM, Russell wrote:
> How about the following for distributions other than Slackware:
> /usr/bin
> /usr/sbin
> /usr/include/selinux
> /usr/lib
> /usr/share/man
> /etc/policy
The reason I was putting everything under /usr/local/selinux
was to get away from any distribution quirks. I really
have no argument about where to put the files; I would
like a consensus. Also we have to get the folks at the NSA
to agree.
I want to start building packages for selinux, I just don't
want to do a lot of rework when the location changes. I do think
we should find some place besides the source tree location. If I
build a binary package (rpm .....) for installation, a standard location
for the policy files would be nice.
I do like Russell's idea about two separate locations for the
policy files.
>
> > When performing a make quickinstall the make will not overwrite
> > /usr/local/selinux/policy
> > /usr/local/selinux/setfiles
> > if those directories exist. If the directories do not exist
> > create them and then populate them with the example policy.
> >
> > The make will overwrite the example policy files.
> > /usr/share/doc/examples/policy
> > /usr/share/doc/examples/setfiles
>
> s/doc/doc\/selinux/ for non-Slackware.
>
* Re: Policy
From: Russell Coker @ 2002-04-03 21:06 UTC (permalink / raw)
To: Westerman, Mark, 'Howard Holm', SeLinux; +Cc: sds, pal
On Wed, 3 Apr 2002 22:43, Westerman, Mark wrote:
> On Wednesday, April 03, 2002 2:12 PM, Russell wrote:
> > How about the following for distributions other than Slackware:
> > /usr/bin
> > /usr/sbin
> > /usr/include/selinux
> > /usr/lib
> > /usr/share/man
> > /etc/policy
>
> The reason I was putting every thing under /usr/local/selinux
> was to get away from any distributions quirks. I really
The FHS is there to get away from quirks of distributions. The locations I
suggested comply with the FHS.
> have no argument about where to put the files, I would
> like a consciences. Also we have to get the folks at the NSA
> to agree.
Last time this issue was discussed here most people seemed to disagree with
me (but the NSA people weren't saying much).
As with all Debian packages, my packages will comply with the FHS regardless
of what happens in the upstream distribution.
> I want to start building packages for selinux, I just don't
> want to do a lot of rework when the location changes. I do think
It shouldn't be that difficult to change location.
> I do like Russell's Idea about two separate locations for the
> policy files.
Standard procedure for Unix software distribution in my experience...
* Re: Policy
From: Howard Holm @ 2002-04-03 22:04 UTC (permalink / raw)
To: Russell Coker; +Cc: Westerman, Mark, SeLinux, sds, pal
On Wed, Apr 03, 2002 at 11:06:19PM +0200, Russell Coker wrote:
> On Wed, 3 Apr 2002 22:43, Westerman, Mark wrote:
> > On Wednesday, April 03, 2002 2:12 PM, Russell wrote:
> > > How about the following for distributions other than Slackware:
> > > /usr/bin
> > > /usr/sbin
> > > /usr/include/selinux
> > > /usr/lib
> > > /usr/share/man
> > > /etc/policy
> >
> > The reason I was putting every thing under /usr/local/selinux
> > was to get away from any distributions quirks. I really
>
> The FHS is there to get away from quirks of distributions. The locations I
> suggested comply with the FHS.
I am a strong proponent of FHS compliance, particularly for SELinux, where we
would like to be relatively distribution neutral. My reading of the FHS (2.2)
is that the choice is really between /usr/{bin,sbin,include,lib,share} and
/usr/local/{bin,sbin,include,lib,share} and /opt/selinux. I think I could
make sensible arguments for any of the three and maybe even /usr/local/selinux,
although the FHS seems pretty much silent on the organization of /usr/local
after installation.
The most compelling argument for me, though, is that I believe the SELinux
utilities are being installed to "replace or upgrade software in /usr" as
described in section 4.9.1. We have often said that we would like the
changes in the utilities to be transparent on a non-SELinux system and
carried by the upstream packages. From that perspective, the utilities are
direct replacements and I would argue that binary packages should replace
the equivalent non-SELinux packages on an SELinux system. (I suspect
several people will strongly disagree with me on that point.) For people
building it from source, I think they must have the option to install in
/usr/local/{bin,sbin,include,lib,share} because I think that makes it far
more clearly "locally maintained" software. That may be an inconsistent
view of the world, but that's the way I see it.
> > have no argument about where to put the files, I would
> > like a consciences. Also we have to get the folks at the NSA
> > to agree.
>
> Last time this issue was discussed here most people seemed to disagree with
> me (but the NSA people weren't saying much).
>
> As with all Debian packages, my packages will comply with the FHS regardless
> of what happens in the upstream distribution.
>
> > I want to start building packages for selinux, I just don't
> > want to do a lot of rework when the location changes. I do think
>
> It shouldn't be that difficult to change location.
>
> > I do like Russell's Idea about two separate locations for the
> > policy files.
>
> Standard proceedure for Unix software distribution in my experience...
The policy has its own unique complications. I think it would be great
to allow packages to modify the default polic(ies) when they are installed
so that the default polic(ies) include(s) the statements from all installed
packages. Then there are the issues of the serious nature of overwriting a
local custom policy (very bad) and the potential to share policies. They
are, after all, architecture neutral and likely to be the same for large
collections of hosts. Considering all that and the FHS, my current thinking
is that /usr/share/selinux/{setfiles,policy}/current should contain the
"live" policy and initial file labels. It should be legal for those to be
symlinks to /usr/share/selinux/{setfiles,policy}/{server,client,firewall}
or other example policies. (Think of the current example policy as living
in /usr/share/selinux/{setfiles,policy}/server.) New packages should then
be able to add policy and files to whatever common broadly supported policies
they know about and rebuild and reinstall "current" which will rebuild the
site specific policy or whichever one of the common policies it points to.
But that's just me talking, not an NSA position or even my personal "final
answer." I think this needs some more discussion.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Policy
From: Dale Amon @ 2002-04-03 22:30 UTC (permalink / raw)
To: Russell Coker; +Cc: Westerman, Mark, 'Howard Holm', SeLinux, sds, pal
On Wed, Apr 03, 2002 at 11:06:19PM +0200, Russell Coker wrote:
> On Wed, 3 Apr 2002 22:43, Westerman, Mark wrote:
> > On Wednesday, April 03, 2002 2:12 PM, Russell wrote:
> > > How about the following for distributions other than Slackware:
> > > /usr/bin
> > > /usr/sbin
> > > /usr/include/selinux
> > > /usr/lib
> > > /usr/share/man
> > > /etc/policy
> >
> > The reason I was putting every thing under /usr/local/selinux
> > was to get away from any distributions quirks. I really
>
> The FHS is there to get away from quirks of distributions. The locations I
> suggested comply with the FHS.
This is what I was running up against around Christmas when I was trying
to get the build process to work with a supplied build root.
The build process should put everything into the FHS-defined locations
by default but allow a build to a specified root, i.e. /usr/local.
I want Debian packages to load into / directories and things I download
and build manually (that are not under the package manager) to go into
/usr/local.
So I'd want Russ's selinux Debian package to go to the above locations, but I'd
prefer a tarball from NSA to build by default into /usr/local/.
* Re: Policy
From: Russell Coker @ 2002-04-03 22:57 UTC (permalink / raw)
To: Dale Amon; +Cc: Westerman, Mark, 'Howard Holm', SeLinux, sds, pal
On Thu, 4 Apr 2002 00:30, Dale Amon wrote:
> > The FHS is there to get away from quirks of distributions. The locations
> > I suggested comply with the FHS.
>
> This is what I was running up against around Christmas when I was trying
> to get the build process to work with a supplied build root.
>
> The build process should put everything into the FHS defined locations
> by default but allow a build to a specified root, i.e. /usr/local.
I agree. But a default of /usr/local and an easy option to use FHS locations
would also be OK.
All we need is a few changes to #include directives and makefiles to achieve
this, and preferably a ./configure script too (I'd be happy to write it).
> I want debian packages to load into / directories and things I download
> and build manually (that are not under the package manager) to go into
> /usr/local
>
> So I'd want Russ's selinux debian to go to the above locations, but I'd
> prefer a tarball from NSA to build by default into /usr/local/
Yep, that's fine. A Slackware-style "make install" should default to
/usr/local.
* policy
From: Russell Coker @ 2003-04-03 19:49 UTC (permalink / raw)
To: SE Linux
can_exec(crond_t, sbin_t);
Why was the above rule added to crond.te?
allow $1_t sshd_tmp_t:file create_file_perms;
The above rule from macros/user_macros.te looks dangerous. We have the type
sshd_tmp_t being used for all user domains.
Could the following please be added to initrc.fc:
/etc/nologin.* system_u:object_r:etc_runtime_t
/etc/nohotplug system_u:object_r:etc_runtime_t
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policy
From: Stephen D. Smalley @ 2003-04-03 22:01 UTC (permalink / raw)
To: selinux, russell
> can_exec(crond_t, sbin_t);
> Why was the above rule added to crond.te?
Good question. Looks like a mistake when they removed can_exec_any
from system_crond_t and were adding individual can_exec rules.
> allow $1_t sshd_tmp_t:file create_file_perms;
> The above rule from macros/user_macros.te looks dangerous. We have the type
> sshd_tmp_t being used for all user domains.
Agreed, I've removed this from our internal tree. It appears that this
is also granted to some program domains, e.g. the su domains and the
ssh client domains.
> Could the following please be added to initrc.fc:
> /etc/nologin.* system_u:object_r:etc_runtime_t
> /etc/nohotplug system_u:object_r:etc_runtime_t
Yes, I've made this change to our internal tree.
--
Stephen Smalley, NSA
* Re: policy
From: Russell Coker @ 2003-04-03 21:58 UTC (permalink / raw)
To: Stephen D. Smalley, selinux
On Fri, 4 Apr 2003 08:01, Stephen D. Smalley wrote:
> > allow $1_t sshd_tmp_t:file create_file_perms;
> > The above rule from macros/user_macros.te looks dangerous. We have the
> > type sshd_tmp_t being used for all user domains.
>
> Agreed, I've removed this from our internal tree. It appears that this
> is also granted to some program domains, e.g. the su domains and the
> ssh client domains.
That will probably break a few things, but that's fine. When we break things
we will then be able to fix them properly, just as long as it doesn't get
released in the broken version.
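To make the concern about `allow $1_t sshd_tmp_t:file create_file_perms;` concrete, here is an added example (not code from the policy tree) that expands a few permission macros approximately, instantiates `$1` for each user domain as the user_macros.te macro would, and lists every type that more than one domain may write. The rules in `SAMPLE_TE`, the domain list and the macro expansions are constructed approximations of the old policy.

```python
"""Find policy types that several domains may write, like the sshd_tmp_t rule
from macros/user_macros.te discussed above.

Added example for this thread, not code from the policy tree: it expands the
old policy's permission macros approximately and instantiates $1 for each
user domain the way the user_domain macro would. All rules are constructed.
"""
import re
from collections import defaultdict

# Approximate expansions of the legacy core_macros.te permission macros.
PERM_MACROS = {
    "create_file_perms": {"create", "ioctl", "read", "getattr", "lock", "write",
                          "setattr", "append", "link", "unlink", "rename"},
    "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
}
# Permissions that let a domain alter the content or existence of a file.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link"}

# allow <source> <target>:<class> <perms>;  each field may be a { brace set }.
FIELD = r"(\{[^}]*\}|\S+?)"
ALLOW_RE = re.compile(
    r"^\s*allow\s+" + FIELD + r"\s+" + FIELD + r":" + FIELD + r"\s+" + FIELD + r"\s*;",
    re.MULTILINE,
)


def names(field):
    """Split a field such as '{ bin_t sbin_t }' or 'etc_t' into its names."""
    return field.strip("{} ").split()


def expand_perms(field):
    """Expand permission macros into the individual permissions they grant."""
    perms = set()
    for name in names(field):
        perms |= PERM_MACROS.get(name, {name})
    return perms


def allow_rules(te_source, user_domains):
    """Yield (source, target, class, perms), one per concrete source/target
    pair, with $1 instantiated for every user domain prefix."""
    for src, tgt, cls, perms in ALLOW_RE.findall(te_source):
        pset = expand_perms(perms)
        for s in names(src):
            for t in names(tgt):
                for c in names(cls):
                    if "$1" in s or "$1" in t:
                        for d in user_domains:
                            yield s.replace("$1", d), t.replace("$1", d), c, pset
                    else:
                        yield s, t, c, pset


def shared_types(te_source, user_domains, min_writers=2):
    """Return {(type, class): sorted writer domains} for every type that at
    least min_writers distinct domains may write.  A type written by many
    domains is a channel between them: whatever one writes, the others can
    read or replace, which is why a single tmp type for all users is risky."""
    writers = defaultdict(set)
    for s, t, c, perms in allow_rules(te_source, user_domains):
        if perms & WRITE_PERMS:
            writers[(t, c)].add(s)
    return {key: sorted(doms) for key, doms in writers.items() if len(doms) >= min_writers}


# Constructed fragment: the user_macros.te rule from the thread next to the
# per-user tmp rule it should have resembled, plus sshd's own access.
SAMPLE_TE = """\
allow $1_t sshd_tmp_t:file create_file_perms;
allow $1_t $1_tmp_t:file create_file_perms;
allow sshd_t sshd_tmp_t:file create_file_perms;
allow sshd_t { etc_t etc_runtime_t }:file r_file_perms;
"""
USER_DOMAINS = ["user", "staff", "sysadm"]   # constructed user domain prefixes

if __name__ == "__main__":
    for (t, c), doms in shared_types(SAMPLE_TE, USER_DOMAINS).items():
        print(f"{t}:{c} writable by {len(doms)} domains: {' '.join(doms)}")
```

With the first rule removed, as Stephen did in the internal tree, the per-user `$1_tmp_t` types each have a single writer and nothing is flagged.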
* policy
From: Russell Coker @ 2005-01-02 15:01 UTC (permalink / raw)
To: SE-Linux
udev.diff just combines a couple of lines into a single line.
diff changes the Makefile to have it not run setfiles -q needlessly (good for
when a script runs "make install" a few hundred times).
Adds a couple of lines to assert.te.
Adds hide_broken_symptoms to ldconfig.te (there is no good cause for
ldconfig_t to access a TCP socket).
Changes ftpd.te to allow access to home_root_t for the case of NFS root. This
means that if you have home directories individually mounted on /home/user
then things will still work (and there's no harm in granting such access).
Added some extra access that seems to be needed by the latest version of howl.
Removed the memory_device_t comment from xdm.te - we should not need to
re-enable that.
Removed redundant entries from types.fc relating to the old locations
before /etc/selinux was used.
Add support for the Debian locations for pmap_dump and pmap_set. I wonder
whether those files will have to change locations in other distributions for
the case of /usr on NFS...
[-- Attachment #2: udev.diff --]
[-- Type: text/x-diff, Size: 687 bytes --]
--- udev.te 2004-12-03 19:49:24.000000000 +1100
+++ udev.te.new 2005-01-02 23:23:30.000000000 +1100
@@ -44,7 +44,7 @@
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
')
-allow udev_t etc_t:file { getattr read };
+allow udev_t etc_t:file { getattr read ioctl };
allow udev_t { bin_t sbin_t }:dir r_dir_perms;
allow udev_t { sbin_t bin_t }:lnk_file read;
allow udev_t bin_t:lnk_file read;
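Review bot: the new `+allow udev_t etc_t:file { getattr read ioctl };` is close to what the policy's `r_file_perms` macro grants (used elsewhere in this series, e.g. `allow ftpd_t nfs_t:file r_file_perms;`), and the very next line already uses `r_dir_perms` for the directory rule; writing the file rule with the macro would keep the two consistent and avoid spelling the set out by hand.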
@@ -80,7 +80,6 @@
')
allow udev_t devpts_t:dir { getattr search };
allow udev_t etc_runtime_t:file { getattr read };
-allow udev_t etc_t:file ioctl;
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
')
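Review bot: the deletion of `-allow udev_t etc_t:file ioctl;` is only correct together with the first hunk, which folds `ioctl` into the `{ getattr read ioctl }` rule at line 44; if the two hunks were ever split, udev_t would lose ioctl on etc_t files. Keeping both in one commit, as here, is right, and the description should say the change is a consolidation rather than a removal.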
[-- Attachment #3: diff --]
[-- Type: text/x-diff, Size: 5220 bytes --]
--- /usr/src/se/policy/Makefile 2004-12-23 19:14:12.000000000 +1100
+++ Makefile.new 2005-01-02 23:05:18.000000000 +1100
@@ -72,10 +72,12 @@
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
+tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+install: tmp/valid_fc
+
$(CONTEXTPATH)/files/media: appconfig/media
mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@
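Review bot: the new `tmp/valid_fc` target never creates its output file, so make still considers it out of date and runs `$(SETFILES) -q -c $(LOADPATH) $(FCPATH)` on every `make install`, which is exactly what the change sets out to avoid. Add `@touch $@` after the setfiles line (and make sure the `tmp/` directory exists, e.g. `@mkdir -p tmp` first) so the validation is skipped until a prerequisite changes.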
--- /usr/src/se/policy/assert.te 2004-12-13 09:55:20.000000000 +1100
+++ assert.te 2004-12-25 04:35:51.000000000 +1100
@@ -124,6 +124,8 @@
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
+ifdef(`ifconfig.te', `assert_execute(ifconfig)')
+ifdef(`iptables.te', `assert_execute(iptables)')
ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
--- /usr/src/se/policy/domains/program/ldconfig.te 2004-12-13 09:55:21.000000000 +1100
+++ domains/program/ldconfig.te 2004-12-23 19:24:00.000000000 +1100
@@ -44,6 +44,8 @@
')
allow ldconfig_t proc_t:file read;
+ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
+')
+')dnl end hide_broken_symptoms
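Review bot: besides wrapping the dontaudit in `hide_broken_symptoms`, this hunk silently fixes the stray semicolon in `-');` to `+')`; that is a separate correction (m4 would have emitted the `;` into the generated policy) and deserves a mention in the description so it is not lost if the hide_broken_symptoms part is ever reverted.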
--- /usr/src/se/policy/domains/program/unused/ftpd.te 2004-11-21 21:51:13.000000000 +1100
+++ ./domains/program/unused/ftpd.te 2004-12-01 14:35:19.000000000 +1100
@@ -96,16 +99,14 @@
# Allow ftp to read/write files in the user home directories.
bool ftp_home_dir false;
+if (ftp_home_dir) {
+# allow access to /home
+allow ftpd_t home_root_t:dir { getattr search };
+}
+
if (ftp_home_dir && use_nfs_home_dirs) {
allow ftpd_t nfs_t:dir r_dir_perms;
allow ftpd_t nfs_t:file r_file_perms;
-# dont allow access to /home
-dontaudit ftpd_t home_root_t:dir { getattr search };
-}
-else
-{
-# allow access to /home
-allow ftpd_t home_root_t:dir { getattr search };
}
dontaudit ftpd_t selinux_config_t:dir search;
#
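Review bot: besides granting home_root_t search for the NFS case, this hunk also changes the ftp_home_dir=false case: the old `else` branch granted `allow ftpd_t home_root_t:dir { getattr search };` whenever the boolean was off or use_nfs_home_dirs was off, while the new `if (ftp_home_dir) {` block grants it only when ftp_home_dir is on. That tightening looks correct, but it is not what the description says, so confirm it is intended and mention it.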
--- /usr/src/se/policy/domains/program/unused/howl.te 2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/howl.te 2004-12-25 04:01:00.000000000 +1100
@@ -4,8 +4,8 @@
#
daemon_domain(howl)
-allow howl_t proc_net_t:dir search;
-allow howl_t proc_net_t:file {getattr read };
+allow howl_t proc_net_t:dir r_dir_perms;
+allow howl_t proc_net_t:file { getattr read };
can_network_server(howl_t)
can_ypbind(howl_t)
allow howl_t self:capability { kill net_admin };
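Review bot: of the two changed lines, only `+allow howl_t proc_net_t:dir r_dir_perms;` changes behaviour (search widened to the full read set, so howl can list /proc/net); the `proc_net_t:file` line differs only in whitespace. The cover letter says "extra access that seems to be needed", so the denial that motivated the wider directory access should be named, as the other rules' comments do.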
@@ -15,6 +15,8 @@
type howl_port_t, port_type;
allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
+allow howl_t self:unix_dgram_socket create_socket_perms;
+
allow howl_t etc_t:file { getattr read };
allow howl_t initrc_var_run_t:file rw_file_perms;
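Review bot: `+allow howl_t self:unix_dgram_socket create_socket_perms;` is the usual grant for a daemon that calls syslog() over /dev/log; if that is the motivation, a one-line comment above it, in the style of the surrounding rules, would save the next reader from guessing.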
--- /usr/src/se/policy/domains/program/unused/rpm.te 2004-11-21 21:51:14.000000000 +1100
+++ ./domains/program/unused/rpm.te 2004-11-22 03:14:43.000000000 +1100
@@ -66,6 +66,11 @@
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
')
+ifdef(`gpg.te', `
+# gpg wants this so it does not dump core on errors
+allow rpm_t self:process { setrlimit };
+')
+
# for a bug in rm
dontaudit initrc_t pidfile:file write;
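Review bot: the `ifdef(`gpg.te', ...)` guard around `+allow rpm_t self:process { setrlimit };` buys nothing, since the rule references only rpm_t and self and compiles whether or not gpg.te is present; either drop the guard or explain why the grant should depend on gpg policy. Also check for an identical rule earlier in rpm.te before adding this one (the maintainer's reply in this thread says one already exists).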
--- /usr/src/se/policy/domains/program/unused/xdm.te 2004-12-13 09:55:25.000000000 +1100
+++ domains/program/unused/xdm.te 2005-01-02 23:29:29.000000000 +1100
@@ -70,10 +70,6 @@
# Use capabilities.
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
-# Use /dev/mem.
-# Commented out by default.
-#allow xdm_t memory_device_t:chr_file { execute read write };
-
allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
# Transition to user domains for user sessions.
--- /usr/src/se/policy/file_contexts/types.fc 2004-12-13 09:55:26.000000000 +1100
+++ file_contexts/types.fc 2005-01-02 23:38:16.000000000 +1100
@@ -302,11 +299,6 @@
/etc/resolv\.conf.* -- system_u:object_r:net_conf_t
/etc/selinux(/.*)? system_u:object_r:selinux_config_t
-/etc/security/selinux(/.*)? system_u:object_r:policy_config_t
-/etc/security/selinux/src(/.*)? system_u:object_r:policy_src_t
-/etc/security/default_contexts.* system_u:object_r:default_context_t
-/etc/services -- system_u:object_r:etc_t
-
/etc/selinux/[^/]*/policy(/.*)? system_u:object_r:policy_config_t
/etc/selinux/[^/]*/src(/.*)? system_u:object_r:policy_src_t
/etc/selinux/[^/]*/contexts(/.*)? system_u:object_r:default_context_t
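Review bot: this hunk also drops `-/etc/services -- system_u:object_r:etc_t`, which is not one of the pre-/etc/selinux location entries the description mentions; if /etc/services is meant to fall back to the generic /etc rule, say so in the description, otherwise keep the line.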
--- /usr/src/se/policy/file_contexts/program/portmap.fc 2004-12-13 09:55:29.000000000 +1100
+++ file_contexts/program/portmap.fc 2005-01-02 23:46:07.000000000 +1100
@@ -1,4 +1,9 @@
# portmap
/sbin/portmap -- system_u:object_r:portmap_exec_t
+ifdef(`distro_debian', `
+/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
+/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
+', `
/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
+')
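Review bot: rather than a `distro_debian` conditional that duplicates the two helper entries, a single regexp per helper, such as `/(usr/)?sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t`, labels both locations on every distribution and keeps the file free of m4 conditionals; the cover letter itself expects other distributions to move these files for the /usr-on-NFS case.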
* Re: policy
From: James Carter @ 2005-01-05 16:48 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
Merged.
This chunk is not needed because this rule occurs earlier in rpm's
policy.
--- /usr/src/se/policy/domains/program/unused/rpm.te 2004-11-21 21:51:14.000000000 +1100
+++ ./domains/program/unused/rpm.te 2004-11-22 03:14:43.000000000 +1100
@@ -66,6 +66,11 @@
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
')
+ifdef(`gpg.te', `
+# gpg wants this so it does not dump core on errors
+allow rpm_t self:process { setrlimit };
+')
+
# for a bug in rm
dontaudit initrc_t pidfile:file write;
On Sun, 2005-01-02 at 10:01, Russell Coker wrote:
> udev.diff just combines a couple of lines into a single line.
>
> diff changes the Makefile to have it not run setfiles -q needlessly (good for
> when a script runs "make install" a few hundred times).
>
> Adds a couple of lines to assert.te.
>
> Adds hide_broken_symptoms to ldconfig.te (there is no good cause for
> ldconfig_t to access a TCP socket).
>
> Changes ftpd.te to allow access to home_root_t for the case of NFS root. This
> means that if you have home directories individually mounted on /home/user
> then things will still work (and there's no harm in granting such access).
>
> Added some extra access that seems to be needed by the latest version of howl.
>
> Removed the memory_device_t comment from xdm.te - we should not need to
> re-enable that.
>
> Removed redundant entries from types.fc relating to the old locations
> before /etc/selinux was used.
>
> Add support for the Debian locations for pmap_dump and pmap_set. I wonder
> whether those files will have to change locations in other distributions for
> the case of /usr on NFS...
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency