patch for firefox

All of lore.kernel.org
 help / color / mirror / Atom feed

* patch for firefox
@ 2004-08-23 21:56 Luke Kenneth Casson Leighton
  2004-08-24 11:47 ` Russell Coker
  0 siblings, 1 reply; 7+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-23 21:56 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 850 bytes --]

the attached patch is required for firefox 0.9.3 to run under debian
(and other oses?)

the reason for the patch is because someone decided to write a
script around firefox called firefox-bin that does some LD_LIBRARY_PATH
messing to keep /usr/lib/mozilla/blah separate.

that this [script] messes up kde from being able to re-run firefox-bin
for session management because the real binary is fired up without the
correct LD_LIBRARY_PATH doesn't seem to have occurred to anyone, but
that's another story...

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


[-- Attachment #2: firefox --]
[-- Type: text/plain, Size: 700 bytes --]

diff -Naur 
--- default.1.14/file_contexts/program/mozilla.fc	2004-08-02 08:28:37.000000000 +0100
+++ current/file_contexts/program/mozilla.fc	2004-08-14 21:34:18.000000000 +0100
@@ -10,6 +10,7 @@
 /usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
 /usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/firefox/firefox-bin	--	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/mozilla-firefox/firefox-bin	--	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/netscape/.+/communicator/communicator-smotif.real -- system_u:object_r:mozilla_exec_t

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: patch for firefox
  2004-08-23 21:56 patch for firefox Luke Kenneth Casson Leighton
@ 2004-08-24 11:47 ` Russell Coker
  2004-08-27 21:09   ` James Carter
  0 siblings, 1 reply; 7+ messages in thread
From: Russell Coker @ 2004-08-24 11:47 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 977 bytes --]

On Tue, 24 Aug 2004 07:56, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> the attached patch is required for firefox 0.9.3 to run under debian
> (and other oses?)
>
> the reason for the patch is because someone decided to write a
> script around firefox called firefox-bin that does some LD_LIBRARY_PATH
> messing to keep /usr/lib/mozilla/blah separate.
>
> that this [script] messes up kde from being able to re-run firefox-bin
> for session management because the real binary is fired up without the
> correct LD_LIBRARY_PATH doesn't seem to have occurred to anyone, but
> that's another story...

Try the attached mozilla.fc.  It's got the latest stuff from the CVS plus a 
change equivalent to the one you made.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: mozilla.fc --]
[-- Type: text/plain, Size: 1220 bytes --]

#  netscape/mozilla
HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_rw_t
/usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
/usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
/usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
/usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
/usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
/usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
/usr/lib(64)?/netscape/.+/communicator/communicator-smotif.real -- system_u:object_r:mozilla_exec_t
/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
/usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
/usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
/usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: patch for firefox
  2004-08-24 11:47 ` Russell Coker
@ 2004-08-27 21:09   ` James Carter
  2004-08-30 18:49     ` Latest diffs from our pool Daniel J Walsh
  2004-08-30 18:59     ` Previous patch broken Daniel J Walsh
  0 siblings, 2 replies; 7+ messages in thread
From: James Carter @ 2004-08-27 21:09 UTC (permalink / raw)
  To: russell; +Cc: SELinux

Merged changes.

On Tue, 2004-08-24 at 07:47, Russell Coker wrote:
> On Tue, 24 Aug 2004 07:56, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > the attached patch is required for firefox 0.9.3 to run under debian
> > (and other oses?)
> >
> > the reason for the patch is because someone decided to write a
> > script around firefox called firefox-bin that does some LD_LIBRARY_PATH
> > messing to keep /usr/lib/mozilla/blah separate.
> >
> > that this [script] messes up kde from being able to re-run firefox-bin
> > for session management because the real binary is fired up without the
> > correct LD_LIBRARY_PATH doesn't seem to have occurred to anyone, but
> > that's another story...
> 
> Try the attached mozilla.fc.  It's got the latest stuff from the CVS plus a 
> change equivalent to the one you made.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Latest diffs from our pool
  2004-08-27 21:09   ` James Carter
@ 2004-08-30 18:49     ` Daniel J Walsh
  2004-08-30 18:59     ` Previous patch broken Daniel J Walsh
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2004-08-30 18:49 UTC (permalink / raw)
  To: jwcart2; +Cc: russell, SELinux

[-- Attachment #1: Type: text/plain, Size: 45 bytes --]


Some of Russells changes are included.

Dan

[-- Attachment #2: policy-20040830.patch --]
[-- Type: text/plain, Size: 27283 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.6/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/crond.te	2004-08-30 11:28:18.000000000 -0400
@@ -81,11 +81,13 @@
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
+ifdef(`rpm.te', `
 allow crond_t rpm_log_t: file create_file_perms;
 
 system_crond_entry(rpm_exec_t, rpm_t)
 allow system_crond_t rpm_log_t:file create_file_perms;
 ')
+')
 
 allow system_crond_t var_log_t:file r_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.6/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/initrc.te	2004-08-30 11:28:18.000000000 -0400
@@ -12,12 +12,14 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
 ifdef(`sendmail.te', `
+# do not use privmail for sendmail as it creates a type transition conflict
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 allow system_mail_t initrc_t:fd use;
 allow system_mail_t initrc_t:fifo_file write;
+', `
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
 ')
-
 role system_r types initrc_t;
 uses_shlib(initrc_t);
 can_ypbind(initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.6/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/ssh.te	2004-08-30 11:28:18.000000000 -0400
@@ -232,6 +232,7 @@
 
 # Type for the ssh executable.
 type ssh_exec_t, file_type, exec_type, sysadmfile;
+can_exec(sshd_t, ssh_exec_t)
 
 # Everything else is in the ssh_domain macro in
 # macros/program/ssh_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.6/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/syslogd.te	2004-08-30 11:28:18.000000000 -0400
@@ -95,3 +95,6 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
+# For tageted policy tries to read /init
+dontaudit syslogd_t root_t:file { getattr read };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.6/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/apache.te	2004-08-30 11:28:18.000000000 -0400
@@ -41,6 +41,7 @@
 append_logdir_domain(httpd)
 #can read /etc/httpd/logs
 allow httpd_t httpd_log_t:lnk_file { read };
+allow httpd_t httpd_log_t:dir { remove_name };
 
 # For /etc/init.d/apache2 reload
 can_tcp_connect(httpd_t, httpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.17.6/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/canna.te	2004-08-30 11:28:18.000000000 -0400
@@ -40,4 +40,3 @@
 can_unix_connect(i18n_input_t, canna_t)
 ')
 
-allow canna_t tmp_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.6/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/cups.te	2004-08-30 11:28:18.000000000 -0400
@@ -157,5 +157,6 @@
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
+allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.6/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/dbusd.te	2004-08-30 14:08:00.408575062 -0400
@@ -32,3 +32,4 @@
 
 # SE-DBus specific permissions
 allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
+domain_auto_trans(userdomain, dbus_exec_t, dbus_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.6/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/dovecot.te	2004-08-30 11:28:18.000000000 -0400
@@ -11,7 +11,7 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
@@ -19,8 +19,13 @@
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
 
+# For SSL certificates
+allow dovecot_t usr_t:file { getattr read };
+
 allow dovecot_t etc_t:file { getattr read };
 allow dovecot_t initrc_var_run_t:file { getattr };
+# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
+allow dovecot_t lib_t:file { execute execute_no_trans };
 allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.6/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/ftpd.te	2004-08-30 11:28:18.000000000 -0400
@@ -101,3 +101,4 @@
 allow ftpd_t nfs_t:file r_file_perms;
 }
 ')dnl end if nfs_home_dirs
+dontaudit ftpd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.6/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/hald.te	2004-08-30 14:00:48.923231385 -0400
@@ -33,7 +33,10 @@
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
 allow hald_t event_device_t:chr_file { getattr read };
 
-ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
+ifdef(`updfstab.te', `
+domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
+allow updfstab_t hald_t:dbus { send_msg };
+')
 ifdef(`udev.te', `
 domain_auto_trans(hald_t, udev_exec_t, udev_t)
 allow udev_t hald_t:unix_dgram_socket sendto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.6/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/hotplug.te	2004-08-30 11:28:18.000000000 -0400
@@ -137,7 +137,6 @@
 
 ifdef(`udev.te', `
 domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-allow hotplug_t udev_helper_exec_t:lnk_file read;
 ')
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.17.6/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/iptables.te	2004-08-30 11:28:18.000000000 -0400
@@ -23,10 +23,9 @@
 # to allow rules to be saved on reboot
 allow iptables_t initrc_tmp_t:file rw_file_perms;
 
-type iptables_var_run_t, file_type, sysadmfile, pidfile;
-
 domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, file)
+allow iptables_t var_t:dir search;
+var_run_domain(iptables)
 
 allow iptables_t self:process { fork signal_perms };
 
@@ -57,4 +56,3 @@
 
 # system-config-network appends to /var/log
 allow iptables_t var_log_t:file { append };
-allow iptables_t var_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.17.6/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/mdadm.te	2004-08-30 11:28:18.000000000 -0400
@@ -28,7 +28,6 @@
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
 dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-dontaudit mdadm_t device_t:dir r_dir_perms;
 dontaudit mdadm_t devpts_t:dir r_dir_perms;
 
 # Ignore attempts to read/write sysadmin tty
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openca-ca.te policy-1.17.6/domains/program/unused/openca-ca.te
--- nsapolicy/domains/program/unused/openca-ca.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/openca-ca.te	2004-08-30 11:28:18.000000000 -0400
@@ -39,11 +39,6 @@
 allow httpd_t openca_ca_t:process {transition};
 allow httpd_t openca_ca_exec_t:dir r_dir_perms;
 
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
 ##################################################################
 # Allow the script to get the file descriptor from the http deamon
 # and send sigchild to http deamon
@@ -52,6 +47,16 @@
 allow openca_ca_t httpd_t:fd use;
 allow openca_ca_t httpd_t:fifo_file {getattr write};
 
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow openca_ca_t httpd_log_t:file { append getattr };
+
+#############################################################
+# Allow the script access to the library files so it can run
+#############################################################
+can_exec(openca_ca_t, lib_t)
+
 ########################################################################
 # The script needs to inherit the file descriptor and find the script it
 # needs to run
@@ -79,11 +84,6 @@
 ##############################################################################
 allow openca_ca_t openca_ca_exec_t:dir search;
 
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
 #
 # Allow access to writeable files under /etc/openca
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.6/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/portmap.te	2004-08-30 11:28:18.000000000 -0400
@@ -26,6 +26,7 @@
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
 
 allow portmap_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.6/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/rpm.te	2004-08-30 11:28:18.000000000 -0400
@@ -10,7 +10,7 @@
 # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
 # var_lib_rpm_t is the type for rpm files in /var/lib
 #
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `,auth_write, unrestricted');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
 role system_r types rpm_t;
 uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -60,7 +60,6 @@
 allow rpm_t devtty_t:chr_file rw_file_perms;
 
 domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
 
 ifdef(`cups.te', `
 r_dir_file(cupsd_t, rpm_var_lib_t)
@@ -116,7 +115,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `,auth_write, unrestricted');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.6/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/udev.te	2004-08-30 14:13:22.725611783 -0400
@@ -16,7 +16,6 @@
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-r_dir_file(udev_t, udev_helper_exec_t)
 can_exec(udev_t, udev_helper_exec_t)
 
 #
@@ -32,19 +31,20 @@
 allow udev_t device_t:blk_file create_file_perms;
 allow udev_t device_t:chr_file create_file_perms;
 allow udev_t device_t:sock_file create_file_perms;
-allow udev_t etc_t:file { getattr read execute };
+allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
 allow udev_t { sbin_t bin_t }:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t } )
+allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
-can_exec(udev_t, hostname_exec_t)
-can_exec(udev_t, iptables_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
 	
-# to read the file_contexts file?
-r_dir_file(udev_t, policy_config_t)
+# to read the file_contexts file
+allow udev_t { selinux_config_t default_context_t }:dir search;
+allow udev_t default_context_t:file { getattr read };
 
 allow udev_t policy_config_t:dir { search };
 allow udev_t proc_t:file { read };
@@ -52,6 +52,9 @@
 # Get security policy decisions.
 can_getsecurity(udev_t)
 
+# set file system create context
+can_setfscreate(udev_t)
+
 allow udev_t kernel_t:fd { use };
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
@@ -61,7 +64,9 @@
 domain_auto_trans(initrc_t, udev_exec_t, udev_t)
 domain_auto_trans(kernel_t, udev_exec_t, udev_t)
 domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-allow restorecon_t udev_t:unix_dgram_socket { read write };
+ifdef(`hide_broken_symptoms', `
+dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
+')
 allow udev_t devpts_t:dir { search };
 allow udev_t etc_runtime_t:file { getattr read };
 allow udev_t etc_t:file { ioctl };
@@ -79,12 +84,11 @@
 can_exec(udev_t, consoletype_exec_t)
 ')
 domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-allow ifconfig_t udev_t:unix_dgram_socket { read write };
+ifdef(`hide_broken_symptoms', `
+dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
+')
 
 dontaudit udev_t file_t:dir search;
-allow udev_t device_t:lnk_file create_file_perms;
-allow udev_t var_lock_t:dir { search };
-allow udev_t var_lock_t:file { getattr read };
 ifdef(`dhcpc.te', `
 domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.6/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/domains/program/unused/xdm.te	2004-08-30 11:28:19.000000000 -0400
@@ -28,7 +28,7 @@
 # for xdmctl
 allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
 allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, { fifo_file dir })
 
 tmp_domain(xdm)
 var_lib_domain(xdm)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.17.6/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/domains/program/unused/xfs.te	2004-08-30 11:28:19.000000000 -0400
@@ -40,4 +40,3 @@
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
 allow xfs_t fonts_t:file { getattr read };
-allow xfs_t tmpfs_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.17.6/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/file_contexts/program/dovecot.fc	2004-08-30 11:28:19.000000000 -0400
@@ -1,6 +1,12 @@
 # for Dovecot POP and IMAP server
 /usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
+ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
+')
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t
+/usr/lib/dovecot/.+		--	system_u:object_r:bin_t
+')
 /usr/share/ssl/certs/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.17.6/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.6/file_contexts/program/initrc.fc	2004-08-30 11:28:19.000000000 -0400
@@ -13,7 +13,9 @@
 /var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t
 # run_init
 /usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
+ifdef(`distro_debian', `
 /usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
+')
 /etc/nologin.*		--	system_u:object_r:etc_runtime_t
 /etc/nohotplug		--	system_u:object_r:etc_runtime_t
 /halt                   --      system_u:object_r:etc_runtime_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.6/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.6/file_contexts/program/mailman.fc	2004-08-30 11:28:19.000000000 -0400
@@ -4,7 +4,6 @@
 /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
 /var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
@@ -14,8 +13,6 @@
 ifdef(`distro_redhat', `
 /var/mailman/cgi-bin/.*		-- system_u:object_r:mailman_cgi_exec_t
 /var/mailman/data(/.*)?		   system_u:object_r:mailman_data_t
-/var/mailman/pythonlib(/.*)?	   system_u:object_r:mailman_data_t
-/var/mailman/Mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
 /var/mailman/cron		-d system_u:object_r:bin_t
 /var/mailman/cron/.+		-- system_u:object_r:mailman_queue_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.17.6/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.6/file_contexts/program/udev.fc	2004-08-30 14:13:36.136146006 -0400
@@ -3,7 +3,8 @@
 /sbin/udev	--	system_u:object_r:udev_exec_t
 /sbin/udevd	--	system_u:object_r:udev_exec_t
 /usr/bin/udevinfo --	system_u:object_r:udev_exec_t
-/etc/dev\.d(/.*)? 	system_u:object_r:udev_helper_exec_t
-/etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t
+/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
+/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
+/etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
 /dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xfs.fc policy-1.17.6/file_contexts/program/xfs.fc
--- nsapolicy/file_contexts/program/xfs.fc	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/file_contexts/program/xfs.fc	2004-08-30 11:28:19.000000000 -0400
@@ -1,3 +1,4 @@
 # xfs
 /tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
 /usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
+/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.6/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.6/file_contexts/types.fc	2004-08-30 11:28:19.000000000 -0400
@@ -217,7 +217,7 @@
 /u?dev/amixer.*		-c	system_u:object_r:sound_device_t
 /u?dev/snd/.*		-c	system_u:object_r:sound_device_t
 /u?dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
-/u?dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
+/u?dev/(n?raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
 /u?dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
 /u?dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
 /u?dev/ht[0-1]		-b	system_u:object_r:tape_device_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.17.6/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/macros/core_macros.te	2004-08-30 11:28:19.000000000 -0400
@@ -590,7 +590,7 @@
 #
 define(`can_create_pty',`
 base_pty_perms($1)
-pty_slave_label($1, `$2')
+pty_slave_label($1, $2)
 ')
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.6/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/macros/global_macros.te	2004-08-30 11:28:19.000000000 -0400
@@ -598,7 +598,6 @@
 
 # Set user information and skip authentication.
 allow $1 self:passwd *;
-
 allow $1 self:dbus *;
 allow $1 self:nscd *;
-')
+')dnl end unconfined_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.17.6/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/macros/program/screen_macros.te	2004-08-30 11:28:19.000000000 -0400
@@ -48,9 +48,8 @@
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
 
 allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
-allow $1_t $1_home_screen_t:{ file lnk_file } create_file_perms;
-allow $1_t $1_home_screen_t:{ file lnk_file } { relabelfrom relabelto };
-
+allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
+allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
 ifdef(`nfs_home_dirs', `
 r_dir_file($1_screen_t, nfs_t)
 ')dnl end if nfs_home_dirs
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.6/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/macros/program/xserver_macros.te	2004-08-30 11:28:19.000000000 -0400
@@ -241,6 +241,7 @@
 
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
+dontaudit $1_xserver_t selinux_config_t:dir { search };
 
 # for fonts
 r_dir_file($1_xserver_t, fonts_t)
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.6/Makefile
--- nsapolicy/Makefile	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/Makefile	2004-08-30 11:28:19.000000000 -0400
@@ -146,6 +146,7 @@
 	@grep -v "^/root" $@.tmp > $@.root
 	@/usr/sbin/genhomedircon . $@.root  > $@
 	@grep "^/root" $@.tmp >> $@
+	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
 	@-rm $@.tmp $@.root
 
 clean:
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.6/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/tunables/distro.tun	2004-08-30 11:28:19.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.6/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.6/tunables/tunable.tun	2004-08-30 11:28:19.000000000 -0400
@@ -5,40 +5,40 @@
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow users to unrestricted access
 dnl define(`unlimitedUsers')
@@ -48,9 +48,11 @@
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
 dnl define(`unlimitedInetd')
 
+# Allow spamassasin to do DNS lookups
+dnl define(`spamassasin_can_network')

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Previous patch broken.
  2004-08-27 21:09   ` James Carter
  2004-08-30 18:49     ` Latest diffs from our pool Daniel J Walsh
@ 2004-08-30 18:59     ` Daniel J Walsh
  2004-09-01 15:25       ` James Carter
  1 sibling, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2004-08-30 18:59 UTC (permalink / raw)
  To: jwcart2; +Cc: russell, SELinux

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: policy-20040830.patch --]
[-- Type: text/plain, Size: 27285 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.7/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/crond.te	2004-08-30 14:54:52.328858521 -0400
@@ -81,11 +81,13 @@
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
+ifdef(`rpm.te', `
 allow crond_t rpm_log_t: file create_file_perms;
 
 system_crond_entry(rpm_exec_t, rpm_t)
 allow system_crond_t rpm_log_t:file create_file_perms;
 ')
+')
 
 allow system_crond_t var_log_t:file r_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.7/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/initrc.te	2004-08-30 14:54:52.329858406 -0400
@@ -12,12 +12,14 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
 ifdef(`sendmail.te', `
+# do not use privmail for sendmail as it creates a type transition conflict
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 allow system_mail_t initrc_t:fd use;
 allow system_mail_t initrc_t:fifo_file write;
+', `
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
 ')
-
 role system_r types initrc_t;
 uses_shlib(initrc_t);
 can_ypbind(initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.7/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/ssh.te	2004-08-30 14:54:52.330858292 -0400
@@ -232,6 +232,7 @@
 
 # Type for the ssh executable.
 type ssh_exec_t, file_type, exec_type, sysadmfile;
+can_exec(sshd_t, ssh_exec_t)
 
 # Everything else is in the ssh_domain macro in
 # macros/program/ssh_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.7/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/syslogd.te	2004-08-30 14:54:52.331858177 -0400
@@ -95,3 +95,6 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
+# For tageted policy tries to read /init
+dontaudit syslogd_t root_t:file { getattr read };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.7/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/apache.te	2004-08-30 14:54:52.331858177 -0400
@@ -41,6 +41,7 @@
 append_logdir_domain(httpd)
 #can read /etc/httpd/logs
 allow httpd_t httpd_log_t:lnk_file { read };
+allow httpd_t httpd_log_t:dir { remove_name };
 
 # For /etc/init.d/apache2 reload
 can_tcp_connect(httpd_t, httpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.17.7/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/canna.te	2004-08-30 14:54:52.332858063 -0400
@@ -40,4 +40,3 @@
 can_unix_connect(i18n_input_t, canna_t)
 ')
 
-allow canna_t tmp_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.7/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/cups.te	2004-08-30 14:54:52.332858063 -0400
@@ -157,5 +157,6 @@
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
+allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.7/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/dbusd.te	2004-08-30 14:55:40.446348342 -0400
@@ -32,3 +32,4 @@
 
 # SE-DBus specific permissions
 allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
+domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.7/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/dovecot.te	2004-08-30 14:54:52.334857834 -0400
@@ -11,7 +11,7 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
@@ -19,8 +19,13 @@
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
 
+# For SSL certificates
+allow dovecot_t usr_t:file { getattr read };
+
 allow dovecot_t etc_t:file { getattr read };
 allow dovecot_t initrc_var_run_t:file { getattr };
+# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
+allow dovecot_t lib_t:file { execute execute_no_trans };
 allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.7/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/ftpd.te	2004-08-30 14:54:52.334857834 -0400
@@ -101,3 +101,4 @@
 allow ftpd_t nfs_t:file r_file_perms;
 }
 ')dnl end if nfs_home_dirs
+dontaudit ftpd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.7/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/hald.te	2004-08-30 14:54:52.335857719 -0400
@@ -33,7 +33,10 @@
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
 allow hald_t event_device_t:chr_file { getattr read };
 
-ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
+ifdef(`updfstab.te', `
+domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
+allow updfstab_t hald_t:dbus { send_msg };
+')
 ifdef(`udev.te', `
 domain_auto_trans(hald_t, udev_exec_t, udev_t)
 allow udev_t hald_t:unix_dgram_socket sendto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.7/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/hotplug.te	2004-08-30 14:54:52.335857719 -0400
@@ -137,7 +137,6 @@
 
 ifdef(`udev.te', `
 domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-allow hotplug_t udev_helper_exec_t:lnk_file read;
 ')
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.17.7/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/iptables.te	2004-08-30 14:54:52.336857605 -0400
@@ -23,10 +23,9 @@
 # to allow rules to be saved on reboot
 allow iptables_t initrc_tmp_t:file rw_file_perms;
 
-type iptables_var_run_t, file_type, sysadmfile, pidfile;
-
 domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, file)
+allow iptables_t var_t:dir search;
+var_run_domain(iptables)
 
 allow iptables_t self:process { fork signal_perms };
 
@@ -57,4 +56,3 @@
 
 # system-config-network appends to /var/log
 allow iptables_t var_log_t:file { append };
-allow iptables_t var_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.17.7/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/mdadm.te	2004-08-30 14:54:52.337857491 -0400
@@ -28,7 +28,6 @@
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
 dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-dontaudit mdadm_t device_t:dir r_dir_perms;
 dontaudit mdadm_t devpts_t:dir r_dir_perms;
 
 # Ignore attempts to read/write sysadmin tty
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openca-ca.te policy-1.17.7/domains/program/unused/openca-ca.te
--- nsapolicy/domains/program/unused/openca-ca.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/openca-ca.te	2004-08-30 14:54:52.337857491 -0400
@@ -39,11 +39,6 @@
 allow httpd_t openca_ca_t:process {transition};
 allow httpd_t openca_ca_exec_t:dir r_dir_perms;
 
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
 ##################################################################
 # Allow the script to get the file descriptor from the http deamon
 # and send sigchild to http deamon
@@ -52,6 +47,16 @@
 allow openca_ca_t httpd_t:fd use;
 allow openca_ca_t httpd_t:fifo_file {getattr write};
 
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow openca_ca_t httpd_log_t:file { append getattr };
+
+#############################################################
+# Allow the script access to the library files so it can run
+#############################################################
+can_exec(openca_ca_t, lib_t)
+
 ########################################################################
 # The script needs to inherit the file descriptor and find the script it
 # needs to run
@@ -79,11 +84,6 @@
 ##############################################################################
 allow openca_ca_t openca_ca_exec_t:dir search;
 
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
 #
 # Allow access to writeable files under /etc/openca
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.7/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/portmap.te	2004-08-30 14:54:52.338857376 -0400
@@ -26,6 +26,7 @@
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
 
 allow portmap_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.7/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/rpm.te	2004-08-30 14:54:52.339857262 -0400
@@ -10,7 +10,7 @@
 # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
 # var_lib_rpm_t is the type for rpm files in /var/lib
 #
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `,auth_write, unrestricted');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
 role system_r types rpm_t;
 uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -60,7 +60,6 @@
 allow rpm_t devtty_t:chr_file rw_file_perms;
 
 domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
 
 ifdef(`cups.te', `
 r_dir_file(cupsd_t, rpm_var_lib_t)
@@ -116,7 +115,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `,auth_write, unrestricted');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.7/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/udev.te	2004-08-30 14:54:52.340857147 -0400
@@ -16,7 +16,6 @@
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-r_dir_file(udev_t, udev_helper_exec_t)
 can_exec(udev_t, udev_helper_exec_t)
 
 #
@@ -32,19 +31,20 @@
 allow udev_t device_t:blk_file create_file_perms;
 allow udev_t device_t:chr_file create_file_perms;
 allow udev_t device_t:sock_file create_file_perms;
-allow udev_t etc_t:file { getattr read execute };
+allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
 allow udev_t { sbin_t bin_t }:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t } )
+allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
-can_exec(udev_t, hostname_exec_t)
-can_exec(udev_t, iptables_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
 	
-# to read the file_contexts file?
-r_dir_file(udev_t, policy_config_t)
+# to read the file_contexts file
+allow udev_t { selinux_config_t default_context_t }:dir search;
+allow udev_t default_context_t:file { getattr read };
 
 allow udev_t policy_config_t:dir { search };
 allow udev_t proc_t:file { read };
@@ -52,6 +52,9 @@
 # Get security policy decisions.
 can_getsecurity(udev_t)
 
+# set file system create context
+can_setfscreate(udev_t)
+
 allow udev_t kernel_t:fd { use };
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
@@ -61,7 +64,9 @@
 domain_auto_trans(initrc_t, udev_exec_t, udev_t)
 domain_auto_trans(kernel_t, udev_exec_t, udev_t)
 domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-allow restorecon_t udev_t:unix_dgram_socket { read write };
+ifdef(`hide_broken_symptoms', `
+dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
+')
 allow udev_t devpts_t:dir { search };
 allow udev_t etc_runtime_t:file { getattr read };
 allow udev_t etc_t:file { ioctl };
@@ -79,12 +84,11 @@
 can_exec(udev_t, consoletype_exec_t)
 ')
 domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-allow ifconfig_t udev_t:unix_dgram_socket { read write };
+ifdef(`hide_broken_symptoms', `
+dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
+')
 
 dontaudit udev_t file_t:dir search;
-allow udev_t device_t:lnk_file create_file_perms;
-allow udev_t var_lock_t:dir { search };
-allow udev_t var_lock_t:file { getattr read };
 ifdef(`dhcpc.te', `
 domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.7/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/domains/program/unused/xdm.te	2004-08-30 14:54:52.341857033 -0400
@@ -28,7 +28,7 @@
 # for xdmctl
 allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
 allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, { fifo_file dir })
 
 tmp_domain(xdm)
 var_lib_domain(xdm)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.17.7/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/domains/program/unused/xfs.te	2004-08-30 14:54:52.341857033 -0400
@@ -40,4 +40,3 @@
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
 allow xfs_t fonts_t:file { getattr read };
-allow xfs_t tmpfs_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.17.7/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/file_contexts/program/dovecot.fc	2004-08-30 14:54:52.342856918 -0400
@@ -1,6 +1,12 @@
 # for Dovecot POP and IMAP server
 /usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
+ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
+')
+ifdef(`distro_debian', `
+/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t
+/usr/lib/dovecot/.+		--	system_u:object_r:bin_t
+')
 /usr/share/ssl/certs/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.17.7/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.7/file_contexts/program/initrc.fc	2004-08-30 14:54:52.342856918 -0400
@@ -13,7 +13,9 @@
 /var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t
 # run_init
 /usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
+ifdef(`distro_debian', `
 /usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
+')
 /etc/nologin.*		--	system_u:object_r:etc_runtime_t
 /etc/nohotplug		--	system_u:object_r:etc_runtime_t
 /halt                   --      system_u:object_r:etc_runtime_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.7/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.7/file_contexts/program/mailman.fc	2004-08-30 14:54:52.343856804 -0400
@@ -4,7 +4,6 @@
 /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
 /var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
@@ -14,8 +13,6 @@
 ifdef(`distro_redhat', `
 /var/mailman/cgi-bin/.*		-- system_u:object_r:mailman_cgi_exec_t
 /var/mailman/data(/.*)?		   system_u:object_r:mailman_data_t
-/var/mailman/pythonlib(/.*)?	   system_u:object_r:mailman_data_t
-/var/mailman/Mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
 /var/mailman/cron		-d system_u:object_r:bin_t
 /var/mailman/cron/.+		-- system_u:object_r:mailman_queue_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.17.7/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.7/file_contexts/program/udev.fc	2004-08-30 14:54:52.343856804 -0400
@@ -3,7 +3,8 @@
 /sbin/udev	--	system_u:object_r:udev_exec_t
 /sbin/udevd	--	system_u:object_r:udev_exec_t
 /usr/bin/udevinfo --	system_u:object_r:udev_exec_t
-/etc/dev\.d(/.*)? 	system_u:object_r:udev_helper_exec_t
-/etc/hotplug.d/default/udev.* system_u:object_r:udev_helper_exec_t
+/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
+/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
+/etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
 /dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xfs.fc policy-1.17.7/file_contexts/program/xfs.fc
--- nsapolicy/file_contexts/program/xfs.fc	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/file_contexts/program/xfs.fc	2004-08-30 14:54:52.344856689 -0400
@@ -1,3 +1,4 @@
 # xfs
 /tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
 /usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
+/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.7/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.7/file_contexts/types.fc	2004-08-30 14:54:52.345856575 -0400
@@ -217,7 +217,7 @@
 /u?dev/amixer.*		-c	system_u:object_r:sound_device_t
 /u?dev/snd/.*		-c	system_u:object_r:sound_device_t
 /u?dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
-/u?dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
+/u?dev/(n?raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
 /u?dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
 /u?dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
 /u?dev/ht[0-1]		-b	system_u:object_r:tape_device_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.17.7/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/macros/core_macros.te	2004-08-30 14:54:52.346856460 -0400
@@ -590,7 +590,7 @@
 #
 define(`can_create_pty',`
 base_pty_perms($1)
-pty_slave_label($1, `$2')
+pty_slave_label($1, $2)
 ')
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.7/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/macros/global_macros.te	2004-08-30 14:54:52.347856346 -0400
@@ -598,7 +598,6 @@
 
 # Set user information and skip authentication.
 allow $1 self:passwd *;
-
 allow $1 self:dbus *;
 allow $1 self:nscd *;
-')
+')dnl end unconfined_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.17.7/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/macros/program/screen_macros.te	2004-08-30 14:54:52.348856232 -0400
@@ -48,9 +48,8 @@
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
 
 allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
-allow $1_t $1_home_screen_t:{ file lnk_file } create_file_perms;
-allow $1_t $1_home_screen_t:{ file lnk_file } { relabelfrom relabelto };
-
+allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
+allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
 ifdef(`nfs_home_dirs', `
 r_dir_file($1_screen_t, nfs_t)
 ')dnl end if nfs_home_dirs
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.7/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/macros/program/xserver_macros.te	2004-08-30 14:54:52.348856232 -0400
@@ -241,6 +241,7 @@
 
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
+dontaudit $1_xserver_t selinux_config_t:dir { search };
 
 # for fonts
 r_dir_file($1_xserver_t, fonts_t)
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.7/Makefile
--- nsapolicy/Makefile	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/Makefile	2004-08-30 14:54:52.349856117 -0400
@@ -146,6 +146,7 @@
 	@grep -v "^/root" $@.tmp > $@.root
 	@/usr/sbin/genhomedircon . $@.root  > $@
 	@grep "^/root" $@.tmp >> $@
+	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
 	@-rm $@.tmp $@.root
 
 clean:
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.7/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/tunables/distro.tun	2004-08-30 14:54:52.349856117 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.7/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.7/tunables/tunable.tun	2004-08-30 14:54:52.350856003 -0400
@@ -5,40 +5,40 @@
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow users to unrestricted access
 dnl define(`unlimitedUsers')
@@ -48,9 +48,11 @@
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
 dnl define(`unlimitedInetd')
 
+# Allow spamassasin to do DNS lookups
+dnl define(`spamassasin_can_network')

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Previous patch broken.
  2004-08-30 18:59     ` Previous patch broken Daniel J Walsh
@ 2004-09-01 15:25       ` James Carter
  2004-09-01 17:59         ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: James Carter @ 2004-09-01 15:25 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: russell, SELinux

[-- Attachment #1: Type: text/plain, Size: 3000 bytes --]

Mostly Merged.  I removed the stuff reverting recent patches from
Russell that I just merged.

Below is some comments, and attached is the diff that I merged.
 
On Mon, 2004-08-30 at 14:59, Daniel J Walsh wrote:

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.7/domains/program/ssh.te
> --- nsapolicy/domains/program/ssh.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.7/domains/program/ssh.te	2004-08-30 14:54:52.330858292 -0400
> @@ -232,6 +232,7 @@
>  
>  # Type for the ssh executable.
>  type ssh_exec_t, file_type, exec_type, sysadmfile;
> +can_exec(sshd_t, ssh_exec_t)
>  
>  # Everything else is in the ssh_domain macro in
>  # macros/program/ssh_macros.te.

Also added r_dir_file(sshd_t, self) further up in ssh.te to allow sshd
to access /proc/pid/fd. (Why does it want to?)

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.7/domains/program/syslogd.te
> --- nsapolicy/domains/program/syslogd.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.7/domains/program/syslogd.te	2004-08-30 14:54:52.331858177 -0400
> @@ -95,3 +95,6 @@
>  #
>  dontaudit syslogd_t file_t:dir search;
>  allow syslogd_t devpts_t:dir { search };
> +# For tageted policy tries to read /init
> +dontaudit syslogd_t root_t:file { getattr read };
> +

Instead I did:
diff -u -r1.55 global_macros.te
--- macros/global_macros.te	1 Sep 2004 12:59:59 -0000	1.55
+++ macros/global_macros.te	1 Sep 2004 14:56:38 -0000
@@ -295,7 +295,7 @@
 ')dnl end if automount.te
 ifdef(`targeted_policy', `
 dontaudit $1_t devpts_t:chr_file { read write };
-dontaudit $1_t unlabeled_t:file read;
+dontaudit $1_t root_t:file { getattr read };
 ')dnl end if targeted_policy
  
 ')dnl end macro daemon_core_rules

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.7/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.7/domains/program/unused/apache.te	2004-08-30 14:54:52.331858177 -0400
> @@ -41,6 +41,7 @@
>  append_logdir_domain(httpd)
>  #can read /etc/httpd/logs
>  allow httpd_t httpd_log_t:lnk_file { read };
> +allow httpd_t httpd_log_t:dir { remove_name };
>  
>  # For /etc/init.d/apache2 reload
>  can_tcp_connect(httpd_t, httpd_t)

Do we really want to do this?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.7/domains/program/unused/dbusd.te
> --- nsapolicy/domains/program/unused/dbusd.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.7/domains/program/unused/dbusd.te	2004-08-30 14:55:40.446348342 -0400
> @@ -32,3 +32,4 @@
>  
>  # SE-DBus specific permissions
>  allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
> +domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)

Steve posted on the list earlier today about this not being desired for
the longterm.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: dan_20040830_mod.diff --]
[-- Type: text/x-patch, Size: 16272 bytes --]

Index: domains/program/crond.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/crond.te,v
retrieving revision 1.33
diff -u -r1.33 crond.te
--- domains/program/crond.te	20 Aug 2004 17:53:50 -0000	1.33
+++ domains/program/crond.te	31 Aug 2004 15:08:51 -0000
@@ -81,11 +81,13 @@
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 # via redirection of standard out.
+ifdef(`rpm.te', `
 allow crond_t rpm_log_t: file create_file_perms;
 
 system_crond_entry(rpm_exec_t, rpm_t)
 allow system_crond_t rpm_log_t:file create_file_perms;
 ')
+')
 
 allow system_crond_t var_log_t:file r_file_perms;
 
Index: domains/program/ssh.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/ssh.te,v
retrieving revision 1.36
diff -u -r1.36 ssh.te
--- domains/program/ssh.te	1 Sep 2004 12:58:21 -0000	1.36
+++ domains/program/ssh.te	1 Sep 2004 14:16:20 -0000
@@ -147,6 +147,7 @@
 # sshd_extern_t is the domain for ssh from outside our network
 #
 sshd_program_domain(sshd)
+r_dir_file(sshd_t, self)
 if (ssh_sysadm_login) {
 sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
 } else {
@@ -232,6 +233,7 @@
 
 # Type for the ssh executable.
 type ssh_exec_t, file_type, exec_type, sysadmfile;
+can_exec(sshd_t, ssh_exec_t)
 
 # Everything else is in the ssh_domain macro in
 # macros/program/ssh_macros.te.
Index: domains/program/unused/canna.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/canna.te,v
retrieving revision 1.7
diff -u -r1.7 canna.te
--- domains/program/unused/canna.te	30 Jul 2004 19:57:15 -0000	1.7
+++ domains/program/unused/canna.te	31 Aug 2004 15:08:51 -0000
@@ -40,4 +40,3 @@
 can_unix_connect(i18n_input_t, canna_t)
 ')
 
-allow canna_t tmp_t:dir search;
Index: domains/program/unused/dbusd.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/dbusd.te,v
retrieving revision 1.9
diff -u -r1.9 dbusd.te
--- domains/program/unused/dbusd.te	23 Aug 2004 14:56:57 -0000	1.9
+++ domains/program/unused/dbusd.te	1 Sep 2004 14:48:53 -0000
@@ -32,3 +32,4 @@
 
 # SE-DBus specific permissions
 allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
+domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)
Index: domains/program/unused/dovecot.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/dovecot.te,v
retrieving revision 1.4
diff -u -r1.4 dovecot.te
--- domains/program/unused/dovecot.te	30 Aug 2004 12:29:19 -0000	1.4
+++ domains/program/unused/dovecot.te	31 Aug 2004 15:08:51 -0000
@@ -19,8 +19,13 @@
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
 
+# For SSL certificates
+allow dovecot_t usr_t:file { getattr read };
+
 allow dovecot_t etc_t:file { getattr read };
 allow dovecot_t initrc_var_run_t:file { getattr };
+# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
+allow dovecot_t lib_t:file { execute execute_no_trans };
 allow dovecot_t bin_t:dir { getattr search };
 can_exec(dovecot_t, bin_t)
 
Index: domains/program/unused/ftpd.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/ftpd.te,v
retrieving revision 1.22
diff -u -r1.22 ftpd.te
--- domains/program/unused/ftpd.te	30 Aug 2004 12:29:19 -0000	1.22
+++ domains/program/unused/ftpd.te	31 Aug 2004 15:08:51 -0000
@@ -101,3 +101,4 @@
 allow ftpd_t nfs_t:file r_file_perms;
 }
 ')dnl end if nfs_home_dirs
+dontaudit ftpd_t selinux_config_t:dir { search };
Index: domains/program/unused/hald.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/hald.te,v
retrieving revision 1.4
diff -u -r1.4 hald.te
--- domains/program/unused/hald.te	30 Aug 2004 12:29:20 -0000	1.4
+++ domains/program/unused/hald.te	31 Aug 2004 15:08:51 -0000
@@ -33,7 +33,10 @@
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
 allow hald_t event_device_t:chr_file { getattr read };
 
-ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
+ifdef(`updfstab.te', `
+domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
+allow updfstab_t hald_t:dbus { send_msg };
+')
 ifdef(`udev.te', `
 domain_auto_trans(hald_t, udev_exec_t, udev_t)
 allow udev_t hald_t:unix_dgram_socket sendto;
Index: domains/program/unused/hotplug.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/hotplug.te,v
retrieving revision 1.27
diff -u -r1.27 hotplug.te
--- domains/program/unused/hotplug.te	30 Aug 2004 12:29:20 -0000	1.27
+++ domains/program/unused/hotplug.te	31 Aug 2004 15:08:51 -0000
@@ -137,7 +137,6 @@
 
 ifdef(`udev.te', `
 domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-allow hotplug_t udev_helper_exec_t:lnk_file read;
 ')
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
Index: domains/program/unused/iptables.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/iptables.te,v
retrieving revision 1.6
diff -u -r1.6 iptables.te
--- domains/program/unused/iptables.te	30 Jul 2004 19:57:15 -0000	1.6
+++ domains/program/unused/iptables.te	31 Aug 2004 15:08:51 -0000
@@ -23,10 +23,9 @@
 # to allow rules to be saved on reboot
 allow iptables_t initrc_tmp_t:file rw_file_perms;
 
-type iptables_var_run_t, file_type, sysadmfile, pidfile;
-
 domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, file)
+allow iptables_t var_t:dir search;
+var_run_domain(iptables)
 
 allow iptables_t self:process { fork signal_perms };
 
@@ -57,4 +56,3 @@
 
 # system-config-network appends to /var/log
 allow iptables_t var_log_t:file { append };
-allow iptables_t var_t:dir { search };
Index: domains/program/unused/mdadm.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/mdadm.te,v
retrieving revision 1.7
diff -u -r1.7 mdadm.te
--- domains/program/unused/mdadm.te	12 Aug 2004 17:19:52 -0000	1.7
+++ domains/program/unused/mdadm.te	31 Aug 2004 15:08:51 -0000
@@ -28,7 +28,6 @@
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
 dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-dontaudit mdadm_t device_t:dir r_dir_perms;
 dontaudit mdadm_t devpts_t:dir r_dir_perms;
 
 # Ignore attempts to read/write sysadmin tty
Index: domains/program/unused/openca-ca.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/openca-ca.te,v
retrieving revision 1.8
diff -u -r1.8 openca-ca.te
--- domains/program/unused/openca-ca.te	8 Mar 2004 13:48:21 -0000	1.8
+++ domains/program/unused/openca-ca.te	31 Aug 2004 15:08:51 -0000
@@ -39,11 +39,6 @@
 allow httpd_t openca_ca_t:process {transition};
 allow httpd_t openca_ca_exec_t:dir r_dir_perms;
 
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
 ##################################################################
 # Allow the script to get the file descriptor from the http deamon
 # and send sigchild to http deamon
@@ -52,6 +47,16 @@
 allow openca_ca_t httpd_t:fd use;
 allow openca_ca_t httpd_t:fifo_file {getattr write};
 
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow openca_ca_t httpd_log_t:file { append getattr };
+
+#############################################################
+# Allow the script access to the library files so it can run
+#############################################################
+can_exec(openca_ca_t, lib_t)
+
 ########################################################################
 # The script needs to inherit the file descriptor and find the script it
 # needs to run
@@ -79,11 +84,6 @@
 ##############################################################################
 allow openca_ca_t openca_ca_exec_t:dir search;
 
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
 #
 # Allow access to writeable files under /etc/openca
 #
Index: domains/program/unused/portmap.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/portmap.te,v
retrieving revision 1.7
diff -u -r1.7 portmap.te
--- domains/program/unused/portmap.te	30 Aug 2004 12:29:20 -0000	1.7
+++ domains/program/unused/portmap.te	31 Aug 2004 15:08:51 -0000
@@ -26,6 +26,7 @@
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
 
 allow portmap_t etc_t:file { getattr read };
 
Index: domains/program/unused/rpm.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/rpm.te,v
retrieving revision 1.30
diff -u -r1.30 rpm.te
--- domains/program/unused/rpm.te	30 Aug 2004 19:58:53 -0000	1.30
+++ domains/program/unused/rpm.te	1 Sep 2004 14:36:01 -0000
@@ -10,7 +10,7 @@
 # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
 # var_lib_rpm_t is the type for rpm files in /var/lib
 #
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `,auth_write, unrestricted');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
 role system_r types rpm_t;
 uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -117,7 +117,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `,auth_write, unrestricted');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
Index: domains/program/unused/xdm.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/xdm.te,v
retrieving revision 1.29
diff -u -r1.29 xdm.te
--- domains/program/unused/xdm.te	30 Aug 2004 12:29:20 -0000	1.29
+++ domains/program/unused/xdm.te	31 Aug 2004 15:08:51 -0000
@@ -29,6 +29,7 @@
 allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
 allow initrc_t xdm_var_run_t:fifo_file unlink;
 file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
 
 tmp_domain(xdm)
 var_lib_domain(xdm)
Index: domains/program/unused/xfs.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/xfs.te,v
retrieving revision 1.10
diff -u -r1.10 xfs.te
--- domains/program/unused/xfs.te	20 Aug 2004 17:53:53 -0000	1.10
+++ domains/program/unused/xfs.te	31 Aug 2004 15:08:51 -0000
@@ -40,4 +40,3 @@
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
 allow xfs_t fonts_t:file { getattr read };
-allow xfs_t tmpfs_t:dir { search };
Index: file_contexts/program/mailman.fc
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/file_contexts/program/mailman.fc,v
retrieving revision 1.10
diff -u -r1.10 mailman.fc
--- file_contexts/program/mailman.fc	30 Aug 2004 12:29:21 -0000	1.10
+++ file_contexts/program/mailman.fc	31 Aug 2004 15:08:51 -0000
@@ -4,7 +4,6 @@
 /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
 /var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
@@ -14,8 +13,6 @@
 ifdef(`distro_redhat', `
 /var/mailman/cgi-bin/.*		-- system_u:object_r:mailman_cgi_exec_t
 /var/mailman/data(/.*)?		   system_u:object_r:mailman_data_t
-/var/mailman/pythonlib(/.*)?	   system_u:object_r:mailman_data_t
-/var/mailman/Mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
 /var/mailman/cron		-d system_u:object_r:bin_t
 /var/mailman/cron/.+		-- system_u:object_r:mailman_queue_exec_t
Index: macros/global_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/global_macros.te,v
retrieving revision 1.55
diff -u -r1.55 global_macros.te
--- macros/global_macros.te	1 Sep 2004 12:59:59 -0000	1.55
+++ macros/global_macros.te	1 Sep 2004 14:56:38 -0000
@@ -295,7 +295,7 @@
 ')dnl end if automount.te
 ifdef(`targeted_policy', `
 dontaudit $1_t devpts_t:chr_file { read write };
-dontaudit $1_t unlabeled_t:file read;
+dontaudit $1_t root_t:file { getattr read };
 ')dnl end if targeted_policy
  
 ')dnl end macro daemon_core_rules
@@ -599,7 +599,6 @@
 
 # Set user information and skip authentication.
 allow $1 self:passwd *;
-
 allow $1 self:dbus *;
 allow $1 self:nscd *;
-')
+')dnl end unconfined_domain
Index: macros/program/screen_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/screen_macros.te,v
retrieving revision 1.10
diff -u -r1.10 screen_macros.te
--- macros/program/screen_macros.te	26 Jul 2004 19:45:05 -0000	1.10
+++ macros/program/screen_macros.te	31 Aug 2004 15:08:51 -0000
@@ -48,9 +48,8 @@
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
 
 allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
-allow $1_t $1_home_screen_t:{ file lnk_file } create_file_perms;
-allow $1_t $1_home_screen_t:{ file lnk_file } { relabelfrom relabelto };
-
+allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
+allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
 ifdef(`nfs_home_dirs', `
 r_dir_file($1_screen_t, nfs_t)
 ')dnl end if nfs_home_dirs
Index: macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.25
diff -u -r1.25 xserver_macros.te
--- macros/program/xserver_macros.te	23 Aug 2004 14:52:40 -0000	1.25
+++ macros/program/xserver_macros.te	31 Aug 2004 15:08:51 -0000
@@ -241,6 +241,7 @@
 
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
+dontaudit $1_xserver_t selinux_config_t:dir { search };
 
 # for fonts
 r_dir_file($1_xserver_t, fonts_t)

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Previous patch broken.
  2004-09-01 15:25       ` James Carter
@ 2004-09-01 17:59         ` Daniel J Walsh
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2004-09-01 17:59 UTC (permalink / raw)
  To: jwcart2; +Cc: russell, SELinux

James Carter wrote:

>Mostly Merged.  I removed the stuff reverting recent patches from
>Russell that I just merged.
>
>Below is some comments, and attached is the diff that I merged.
> 
>On Mon, 2004-08-30 at 14:59, Daniel J Walsh wrote:
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.7/domains/program/ssh.te
>>--- nsapolicy/domains/program/ssh.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.7/domains/program/ssh.te	2004-08-30 14:54:52.330858292 -0400
>>@@ -232,6 +232,7 @@
>> 
>> # Type for the ssh executable.
>> type ssh_exec_t, file_type, exec_type, sysadmfile;
>>+can_exec(sshd_t, ssh_exec_t)
>> 
>> # Everything else is in the ssh_domain macro in
>> # macros/program/ssh_macros.te.
>>    
>>
>
>Also added r_dir_file(sshd_t, self) further up in ssh.te to allow sshd
>to access /proc/pid/fd. (Why does it want to?)
>
>  
>
ssh now reexecs it self in order to increase it's security.  Not sure 
why it wants to access /proc/pid/fd.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.7/domains/program/syslogd.te
>>--- nsapolicy/domains/program/syslogd.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.7/domains/program/syslogd.te	2004-08-30 14:54:52.331858177 -0400
>>@@ -95,3 +95,6 @@
>> #
>> dontaudit syslogd_t file_t:dir search;
>> allow syslogd_t devpts_t:dir { search };
>>+# For tageted policy tries to read /init
>>+dontaudit syslogd_t root_t:file { getattr read };
>>+
>>    
>>
>
>Instead I did:
>diff -u -r1.55 global_macros.te
>--- macros/global_macros.te	1 Sep 2004 12:59:59 -0000	1.55
>+++ macros/global_macros.te	1 Sep 2004 14:56:38 -0000
>@@ -295,7 +295,7 @@
> ')dnl end if automount.te
> ifdef(`targeted_policy', `
> dontaudit $1_t devpts_t:chr_file { read write };
>-dontaudit $1_t unlabeled_t:file read;
>+dontaudit $1_t root_t:file { getattr read };
> ')dnl end if targeted_policy
>  
> ')dnl end macro daemon_core_rules
>
>  
>
Ok

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.7/domains/program/unused/apache.te
>>--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.7/domains/program/unused/apache.te	2004-08-30 14:54:52.331858177 -0400
>>@@ -41,6 +41,7 @@
>> append_logdir_domain(httpd)
>> #can read /etc/httpd/logs
>> allow httpd_t httpd_log_t:lnk_file { read };
>>+allow httpd_t httpd_log_t:dir { remove_name };
>> 
>> # For /etc/init.d/apache2 reload
>> can_tcp_connect(httpd_t, httpd_t)
>>    
>>
>
>Do we really want to do this?
>
>  
>
Russell?

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.7/domains/program/unused/dbusd.te
>>--- nsapolicy/domains/program/unused/dbusd.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.7/domains/program/unused/dbusd.te	2004-08-30 14:55:40.446348342 -0400
>>@@ -32,3 +32,4 @@
>> 
>> # SE-DBus specific permissions
>> allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
>>+domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)
>>    
>>
>
>Steve posted on the list earlier today about this not being desired for
>the longterm.
>
>  
>
Colin is doing a rewrite as we speak.

>------------------------------------------------------------------------
>
>Index: domains/program/crond.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/crond.te,v
>retrieving revision 1.33
>diff -u -r1.33 crond.te
>--- domains/program/crond.te	20 Aug 2004 17:53:50 -0000	1.33
>+++ domains/program/crond.te	31 Aug 2004 15:08:51 -0000
>@@ -81,11 +81,13 @@
> ifdef(`distro_redhat', `
> # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
> # via redirection of standard out.
>+ifdef(`rpm.te', `
> allow crond_t rpm_log_t: file create_file_perms;
> 
> system_crond_entry(rpm_exec_t, rpm_t)
> allow system_crond_t rpm_log_t:file create_file_perms;
> ')
>+')
> 
> allow system_crond_t var_log_t:file r_file_perms;
> 
>Index: domains/program/ssh.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/ssh.te,v
>retrieving revision 1.36
>diff -u -r1.36 ssh.te
>--- domains/program/ssh.te	1 Sep 2004 12:58:21 -0000	1.36
>+++ domains/program/ssh.te	1 Sep 2004 14:16:20 -0000
>@@ -147,6 +147,7 @@
> # sshd_extern_t is the domain for ssh from outside our network
> #
> sshd_program_domain(sshd)
>+r_dir_file(sshd_t, self)
> if (ssh_sysadm_login) {
> sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
> } else {
>@@ -232,6 +233,7 @@
> 
> # Type for the ssh executable.
> type ssh_exec_t, file_type, exec_type, sysadmfile;
>+can_exec(sshd_t, ssh_exec_t)
> 
> # Everything else is in the ssh_domain macro in
> # macros/program/ssh_macros.te.
>Index: domains/program/unused/canna.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/canna.te,v
>retrieving revision 1.7
>diff -u -r1.7 canna.te
>--- domains/program/unused/canna.te	30 Jul 2004 19:57:15 -0000	1.7
>+++ domains/program/unused/canna.te	31 Aug 2004 15:08:51 -0000
>@@ -40,4 +40,3 @@
> can_unix_connect(i18n_input_t, canna_t)
> ')
> 
>-allow canna_t tmp_t:dir search;
>Index: domains/program/unused/dbusd.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/dbusd.te,v
>retrieving revision 1.9
>diff -u -r1.9 dbusd.te
>--- domains/program/unused/dbusd.te	23 Aug 2004 14:56:57 -0000	1.9
>+++ domains/program/unused/dbusd.te	1 Sep 2004 14:48:53 -0000
>@@ -32,3 +32,4 @@
> 
> # SE-DBus specific permissions
> allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
>+domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)
>Index: domains/program/unused/dovecot.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/dovecot.te,v
>retrieving revision 1.4
>diff -u -r1.4 dovecot.te
>--- domains/program/unused/dovecot.te	30 Aug 2004 12:29:19 -0000	1.4
>+++ domains/program/unused/dovecot.te	31 Aug 2004 15:08:51 -0000
>@@ -19,8 +19,13 @@
> allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
> can_unix_connect(dovecot_t, self)
> 
>+# For SSL certificates
>+allow dovecot_t usr_t:file { getattr read };
>+
> allow dovecot_t etc_t:file { getattr read };
> allow dovecot_t initrc_var_run_t:file { getattr };
>+# Dovecot sub-binaries are lib_t on Debian and bin_t on Fedora
>+allow dovecot_t lib_t:file { execute execute_no_trans };
> allow dovecot_t bin_t:dir { getattr search };
> can_exec(dovecot_t, bin_t)
> 
>Index: domains/program/unused/ftpd.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/ftpd.te,v
>retrieving revision 1.22
>diff -u -r1.22 ftpd.te
>--- domains/program/unused/ftpd.te	30 Aug 2004 12:29:19 -0000	1.22
>+++ domains/program/unused/ftpd.te	31 Aug 2004 15:08:51 -0000
>@@ -101,3 +101,4 @@
> allow ftpd_t nfs_t:file r_file_perms;
> }
> ')dnl end if nfs_home_dirs
>+dontaudit ftpd_t selinux_config_t:dir { search };
>Index: domains/program/unused/hald.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/hald.te,v
>retrieving revision 1.4
>diff -u -r1.4 hald.te
>--- domains/program/unused/hald.te	30 Aug 2004 12:29:20 -0000	1.4
>+++ domains/program/unused/hald.te	31 Aug 2004 15:08:51 -0000
>@@ -33,7 +33,10 @@
> allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
> allow hald_t event_device_t:chr_file { getattr read };
> 
>-ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
>+ifdef(`updfstab.te', `
>+domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
>+allow updfstab_t hald_t:dbus { send_msg };
>+')
> ifdef(`udev.te', `
> domain_auto_trans(hald_t, udev_exec_t, udev_t)
> allow udev_t hald_t:unix_dgram_socket sendto;
>Index: domains/program/unused/hotplug.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/hotplug.te,v
>retrieving revision 1.27
>diff -u -r1.27 hotplug.te
>--- domains/program/unused/hotplug.te	30 Aug 2004 12:29:20 -0000	1.27
>+++ domains/program/unused/hotplug.te	31 Aug 2004 15:08:51 -0000
>@@ -137,7 +137,6 @@
> 
> ifdef(`udev.te', `
> domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
>-allow hotplug_t udev_helper_exec_t:lnk_file read;
> ')
> 
> file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
>Index: domains/program/unused/iptables.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/iptables.te,v
>retrieving revision 1.6
>diff -u -r1.6 iptables.te
>--- domains/program/unused/iptables.te	30 Jul 2004 19:57:15 -0000	1.6
>+++ domains/program/unused/iptables.te	31 Aug 2004 15:08:51 -0000
>@@ -23,10 +23,9 @@
> # to allow rules to be saved on reboot
> allow iptables_t initrc_tmp_t:file rw_file_perms;
> 
>-type iptables_var_run_t, file_type, sysadmfile, pidfile;
>-
> domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
>-file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, file)
>+allow iptables_t var_t:dir search;
>+var_run_domain(iptables)
> 
> allow iptables_t self:process { fork signal_perms };
> 
>@@ -57,4 +56,3 @@
> 
> # system-config-network appends to /var/log
> allow iptables_t var_log_t:file { append };
>-allow iptables_t var_t:dir { search };
>Index: domains/program/unused/mdadm.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/mdadm.te,v
>retrieving revision 1.7
>diff -u -r1.7 mdadm.te
>--- domains/program/unused/mdadm.te	12 Aug 2004 17:19:52 -0000	1.7
>+++ domains/program/unused/mdadm.te	31 Aug 2004 15:08:51 -0000
>@@ -28,7 +28,6 @@
> # Ignore attempts to read every device file
> dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
> dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
>-dontaudit mdadm_t device_t:dir r_dir_perms;
> dontaudit mdadm_t devpts_t:dir r_dir_perms;
> 
> # Ignore attempts to read/write sysadmin tty
>Index: domains/program/unused/openca-ca.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/openca-ca.te,v
>retrieving revision 1.8
>diff -u -r1.8 openca-ca.te
>--- domains/program/unused/openca-ca.te	8 Mar 2004 13:48:21 -0000	1.8
>+++ domains/program/unused/openca-ca.te	31 Aug 2004 15:08:51 -0000
>@@ -39,11 +39,6 @@
> allow httpd_t openca_ca_t:process {transition};
> allow httpd_t openca_ca_exec_t:dir r_dir_perms;
> 
>-#############################################################
>-# Allow the script access to the library files so it can run
>-#############################################################
>-can_exec(openca_ca_t, lib_t)
>-
> ##################################################################
> # Allow the script to get the file descriptor from the http deamon
> # and send sigchild to http deamon
>@@ -52,6 +47,16 @@
> allow openca_ca_t httpd_t:fd use;
> allow openca_ca_t httpd_t:fifo_file {getattr write};
> 
>+############################################
>+# Allow scripts to append to http logs
>+#########################################
>+allow openca_ca_t httpd_log_t:file { append getattr };
>+
>+#############################################################
>+# Allow the script access to the library files so it can run
>+#############################################################
>+can_exec(openca_ca_t, lib_t)
>+
> ########################################################################
> # The script needs to inherit the file descriptor and find the script it
> # needs to run
>@@ -79,11 +84,6 @@
> ##############################################################################
> allow openca_ca_t openca_ca_exec_t:dir search;
> 
>-############################################
>-# Allow scripts to append to http logs
>-#########################################
>-allow openca_ca_t httpd_log_t:file { append getattr };
>-
> #
> # Allow access to writeable files under /etc/openca
> #
>Index: domains/program/unused/portmap.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/portmap.te,v
>retrieving revision 1.7
>diff -u -r1.7 portmap.te
>--- domains/program/unused/portmap.te	30 Aug 2004 12:29:20 -0000	1.7
>+++ domains/program/unused/portmap.te	31 Aug 2004 15:08:51 -0000
>@@ -26,6 +26,7 @@
> 
> # portmap binds to arbitary ports
> allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
>+allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
> 
> allow portmap_t etc_t:file { getattr read };
> 
>Index: domains/program/unused/rpm.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/rpm.te,v
>retrieving revision 1.30
>diff -u -r1.30 rpm.te
>--- domains/program/unused/rpm.te	30 Aug 2004 19:58:53 -0000	1.30
>+++ domains/program/unused/rpm.te	1 Sep 2004 14:36:01 -0000
>@@ -10,7 +10,7 @@
> # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
> # var_lib_rpm_t is the type for rpm files in /var/lib
> #
>-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `,auth_write, unrestricted');
>+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
> role system_r types rpm_t;
> uses_shlib(rpm_t)
> type rpm_exec_t, file_type, sysadmfile, exec_type;
>@@ -117,7 +117,7 @@
> 
> allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
> 
>-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `,auth_write, unrestricted');
>+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
> # policy for rpm scriptlet
> role system_r types rpm_script_t;
> uses_shlib(rpm_script_t)
>Index: domains/program/unused/xdm.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/xdm.te,v
>retrieving revision 1.29
>diff -u -r1.29 xdm.te
>--- domains/program/unused/xdm.te	30 Aug 2004 12:29:20 -0000	1.29
>+++ domains/program/unused/xdm.te	31 Aug 2004 15:08:51 -0000
>@@ -29,6 +29,7 @@
> allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
> allow initrc_t xdm_var_run_t:fifo_file unlink;
> file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
>+file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
> 
> tmp_domain(xdm)
> var_lib_domain(xdm)
>Index: domains/program/unused/xfs.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/xfs.te,v
>retrieving revision 1.10
>diff -u -r1.10 xfs.te
>--- domains/program/unused/xfs.te	20 Aug 2004 17:53:53 -0000	1.10
>+++ domains/program/unused/xfs.te	31 Aug 2004 15:08:51 -0000
>@@ -40,4 +40,3 @@
> # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
> allow xfs_t fonts_t:dir search;
> allow xfs_t fonts_t:file { getattr read };
>-allow xfs_t tmpfs_t:dir { search };
>Index: file_contexts/program/mailman.fc
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/file_contexts/program/mailman.fc,v
>retrieving revision 1.10
>diff -u -r1.10 mailman.fc
>--- file_contexts/program/mailman.fc	30 Aug 2004 12:29:21 -0000	1.10
>+++ file_contexts/program/mailman.fc	31 Aug 2004 15:08:51 -0000
>@@ -4,7 +4,6 @@
> /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
> /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
> /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
>-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
> /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
> /var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
> /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
>@@ -14,8 +13,6 @@
> ifdef(`distro_redhat', `
> /var/mailman/cgi-bin/.*		-- system_u:object_r:mailman_cgi_exec_t
> /var/mailman/data(/.*)?		   system_u:object_r:mailman_data_t
>-/var/mailman/pythonlib(/.*)?	   system_u:object_r:mailman_data_t
>-/var/mailman/Mailman(/.*)?	   system_u:object_r:mailman_data_t
> /var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
> /var/mailman/cron		-d system_u:object_r:bin_t
> /var/mailman/cron/.+		-- system_u:object_r:mailman_queue_exec_t
>Index: macros/global_macros.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/global_macros.te,v
>retrieving revision 1.55
>diff -u -r1.55 global_macros.te
>--- macros/global_macros.te	1 Sep 2004 12:59:59 -0000	1.55
>+++ macros/global_macros.te	1 Sep 2004 14:56:38 -0000
>@@ -295,7 +295,7 @@
> ')dnl end if automount.te
> ifdef(`targeted_policy', `
> dontaudit $1_t devpts_t:chr_file { read write };
>-dontaudit $1_t unlabeled_t:file read;
>+dontaudit $1_t root_t:file { getattr read };
> ')dnl end if targeted_policy
>  
> ')dnl end macro daemon_core_rules
>@@ -599,7 +599,6 @@
> 
> # Set user information and skip authentication.
> allow $1 self:passwd *;
>-
> allow $1 self:dbus *;
> allow $1 self:nscd *;
>-')
>+')dnl end unconfined_domain
>Index: macros/program/screen_macros.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/screen_macros.te,v
>retrieving revision 1.10
>diff -u -r1.10 screen_macros.te
>--- macros/program/screen_macros.te	26 Jul 2004 19:45:05 -0000	1.10
>+++ macros/program/screen_macros.te	31 Aug 2004 15:08:51 -0000
>@@ -48,9 +48,8 @@
> ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
> 
> allow $1_screen_t $1_home_screen_t:{ file lnk_file } r_file_perms;
>-allow $1_t $1_home_screen_t:{ file lnk_file } create_file_perms;
>-allow $1_t $1_home_screen_t:{ file lnk_file } { relabelfrom relabelto };
>-
>+allow $1_t $1_home_screen_t:file { create_file_perms relabelfrom relabelto };
>+allow $1_t $1_home_screen_t:lnk_file { create_lnk_perms relabelfrom relabelto };
> ifdef(`nfs_home_dirs', `
> r_dir_file($1_screen_t, nfs_t)
> ')dnl end if nfs_home_dirs
>Index: macros/program/xserver_macros.te
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
>retrieving revision 1.25
>diff -u -r1.25 xserver_macros.te
>--- macros/program/xserver_macros.te	23 Aug 2004 14:52:40 -0000	1.25
>+++ macros/program/xserver_macros.te	31 Aug 2004 15:08:51 -0000
>@@ -241,6 +241,7 @@
> 
> allow $1_xserver_t var_lib_t:dir search;
> rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
>+dontaudit $1_xserver_t selinux_config_t:dir { search };
> 
> # for fonts
> r_dir_file($1_xserver_t, fonts_t)
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2004-09-01 17:59 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-08-23 21:56 patch for firefox Luke Kenneth Casson Leighton
2004-08-24 11:47 ` Russell Coker
2004-08-27 21:09   ` James Carter
2004-08-30 18:49     ` Latest diffs from our pool Daniel J Walsh
2004-08-30 18:59     ` Previous patch broken Daniel J Walsh
2004-09-01 15:25       ` James Carter
2004-09-01 17:59         ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.