hald fix

hald fix

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 358 bytes --]

The attached patch fixes a typo to make hald work with dbus and removes an 
unnecessary can_exec_any().

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: hald.diff --]
[-- Type: text/x-diff, Size: 610 bytes --]

--- /usr/src/se/policy/domains/program/unused/hald.te	2004-09-16 18:06:49.000000000 +1000
+++ domains/program/unused/hald.te	2004-09-16 21:50:28.000000000 +1000
@@ -12,13 +12,13 @@
 #
 daemon_domain(hald, `, fs_domain, nscd_client_domain')
 
-can_exec_any(hald_t)
+can_exec(hald_t, hald_exec_t)
 
 allow hald_t { etc_t etc_runtime_t }:file { getattr read };
 allow hald_t self:unix_stream_socket create_stream_socket_perms;
 allow hald_t self:unix_dgram_socket create_socket_perms;
 
-ifdef(`dbus.te', `
+ifdef(`dbusd.te', `
 allow hald_t system_dbusd_t:dbus { acquire_svc };
 dbusd_client(system, hald_t)
 ')

Re: hald fix

[Stephen Smalley]

On Thu, 2004-09-16 at 07:51, Russell Coker wrote:
> The attached patch fixes a typo to make hald work with dbus and removes an 
> unnecessary can_exec_any().

Are all helpers executed by hald now labeled with hald_exec_t?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: hald fix

[James Carter]

Thanks.  In CVS now.

On Thu, 2004-09-16 at 07:51, Russell Coker wrote:
> The attached patch fixes a typo to make hald work with dbus and removes an 
> unnecessary can_exec_any().
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: hald fix

[Daniel J Walsh]

Stephen Smalley wrote:

>On Thu, 2004-09-16 at 07:51, Russell Coker wrote:
>  
>
>>The attached patch fixes a typo to make hald work with dbus and removes an 
>>unnecessary can_exec_any().
>>    
>>
>
>Are all helpers executed by hald now labeled with hald_exec_t?
>
>  
>
I don't think so.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: hald fix

[Stephen Smalley]

On Thu, 2004-09-16 at 12:52, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> >Are all helpers executed by hald now labeled with hald_exec_t?
> >
> I don't think so.

Then that diff shouldn't be merged without corresponding updates to
hald.fc for all helpers.  What about the other programs under
/usr/libexec that are in the hal package (e.g. hal.dev, hal.hotplug)? 
Are there likely to be other helpers added in the future under
/usr/libexec or under /etc/hal?  

BTW, as a reminder, using the entrypoint type on helper programs means
that any of the helpers can be used to directly enter the domain without
going through the daemon itself (only from domains that are allowed to
transition to the domain, of course).  Not necessarily a vulnerability,
but something to consider.  Stronger model is to use a separate type on
helpers and only apply the entrypoint type to the actual entrypoint
program.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: hald fix

[James Carter]

Since all of the helpers executed by hald haven't been identified, I've
reverted back to the can_exec_any() for now.

On Thu, 2004-09-16 at 10:52, James Carter wrote:
> Thanks.  In CVS now.
> 
> On Thu, 2004-09-16 at 07:51, Russell Coker wrote:
> > The attached patch fixes a typo to make hald work with dbus and removes an 
> > unnecessary can_exec_any().
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Policy patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 111 bytes --]

New patches to allow hald to add a lines to the /etc/fstab with 
fscontext=system_u:object_r:removable_t.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 11307 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/removable_context policy-1.17.17/appconfig/removable_context
--- nsapolicy/appconfig/removable_context	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.17/appconfig/removable_context	2004-09-16 10:54:46.000000000 -0400
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.17/domains/program/mount.te	2004-09-16 13:50:45.899174425 -0400
@@ -93,7 +93,8 @@
 allow mount_t file_type:filesystem { unmount mount relabelto };
 
 allow mount_t mnt_t:dir { getattr };
-dontaudit mount_t { userdomain kernel_t}:fd use;
+allow mount_t { userdomain }:fd use;
+dontaudit mount_t { kernel_t}:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
 ifdef(`distro_redhat', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.17/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.17/domains/program/unused/consoletype.te	2004-09-16 16:59:49.161755104 -0400
@@ -52,5 +52,5 @@
 allow consoletype_t pam_var_run_t:file { getattr read };
 ')
 ifdef(`distro_redhat', `
-dontaudit consoletype_t tmpfs_t:chr_file { read write };
+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.17/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-16 16:57:34.930259111 -0400
+++ policy-1.17.17/domains/program/unused/hald.te	2004-09-16 13:36:57.631159098 -0400
@@ -51,8 +51,14 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
+dontaudit hald_t selinux_config_t:dir { search };
+dontaudit hald_t userdomain:fd { use };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.17.17/domains/program/unused/mozilla.te
--- nsapolicy/domains/program/unused/mozilla.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.17/domains/program/unused/mozilla.te	2004-09-16 10:54:46.000000000 -0400
@@ -6,6 +6,7 @@
 
 # Type for the netscape, mozilla or other browser executables.
 type mozilla_exec_t, file_type, sysadmfile, exec_type;
+type mozilla_conf_t, file_type, sysadmfile;
 
 # Allow mozilla to read files in the user home directory
 bool mozilla_readhome false;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.17/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.17/domains/program/unused/nscd.te	2004-09-16 15:02:07.387150095 -0400
@@ -70,4 +70,8 @@
 #
 dontaudit nscd_t var_run_t:sock_file rw_file_perms;
 
+allow nscd_t self:file { getattr read };
+allow nscd_t proc_t:file { getattr read };
+allow nscd_t selinux_config_t:dir { search };
+r_dir_file(nscd_t, default_context_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.17/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.17/domains/program/unused/portmap.te	2004-09-16 11:55:04.363237680 -0400
@@ -54,3 +54,4 @@
 
 # do not log when it tries to bind to a port belonging to another domain
 #dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_t tty_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.17/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.17/domains/program/unused/updfstab.te	2004-09-16 13:36:58.170098295 -0400
@@ -62,3 +62,10 @@
 
 r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
 can_getsecurity(updfstab_t)
+
+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
+dontaudit updfstab_t devtty_t:chr_file { read write };
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.17/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.17/file_contexts/program/mozilla.fc	2004-09-16 10:54:46.000000000 -0400
@@ -17,3 +17,4 @@
 /usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
+/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.17.17/file_contexts/program/rhgb.fc
--- nsapolicy/file_contexts/program/rhgb.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.17/file_contexts/program/rhgb.fc	2004-09-16 17:07:57.275857767 -0400
@@ -1,2 +1,3 @@
 /usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
 #/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
+/etc/rhgb		-d	system_u:object_r:mnt_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.17/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.17/file_contexts/types.fc	2004-09-16 10:54:46.000000000 -0400
@@ -298,6 +298,7 @@
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 
 #
 # /sbin
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.17/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-10 10:17:50.000000000 -0400
+++ policy-1.17.17/macros/base_user_macros.te	2004-09-16 10:54:46.000000000 -0400
@@ -64,6 +64,7 @@
 ')dnl end if nfs_home_dirs
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
+create_dir_file($1_t, removable_t)
 # Write floppies 
 allow $1_t removable_device_t:blk_file rw_file_perms;
 allow $1_t usbtty_device_t:chr_file write;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.17/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-16 09:48:16.000000000 -0400
+++ policy-1.17.17/macros/program/mozilla_macros.te	2004-09-16 10:54:46.000000000 -0400
@@ -111,6 +111,8 @@
 ')
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+dontaudit $1_mozilla_t bin_t:dir { getattr };
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.17/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-09-14 09:18:11.000000000 -0400
+++ policy-1.17.17/macros/user_macros.te	2004-09-16 13:38:06.207431159 -0400
@@ -230,6 +230,12 @@
 mount_domain($1, $1_mount, `, fs_domain')
 role $1_r types $1_mount_t;
 r_dir_file($1_t, mnt_t)
+allow $1_mount_t removable_device_t:blk_file { read };
+allow $1_mount_t iso9660_t:filesystem { relabelfrom };
+allow $1_mount_t removable_t:filesystem { mount relabelto };
+allow $1_mount_t removable_t:dir { mounton };
+allow $1_mount_t xdm_t:fd { use };
+allow $1_mount_t xdm_t:fifo_file { write };
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.17/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.17/tunables/distro.tun	2004-09-16 10:54:46.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.17/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-15 09:15:39.000000000 -0400
+++ policy-1.17.17/tunables/tunable.tun	2004-09-16 10:54:46.000000000 -0400
@@ -1,51 +1,51 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.17/types/file.te
--- nsapolicy/types/file.te	2004-09-14 09:18:14.000000000 -0400
+++ policy-1.17.17/types/file.te	2004-09-16 10:54:46.000000000 -0400
@@ -264,6 +264,7 @@
 
 # Allow the pty to be associated with the file system.
 allow devpts_t devpts_t:filesystem associate;
+allow ttyfile tmpfs_t:filesystem { associate };
 
 type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
@@ -298,3 +299,6 @@
 type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
 allow cifs_t cifs_t:filesystem associate;
 typealias cifs_t alias sambafs_t;
+
+# removable_t is the default type of all removable media
+type removable_t, file_type, sysadmfile, usercanread;

Re: Policy patches

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]

+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir { search };

Why is fstab-sync trying to access home directories?

+allow ttyfile tmpfs_t:filesystem { associate };

Better to just use the dev_fs attribute.  I have attached a patch to do this 
as well as clean up a few other minor issues with the macros directory.

The patch is against the latest CVS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 5620 bytes --]

diff -ru /usr/src/se/policy/macros/admin_macros.te macros/admin_macros.te
--- /usr/src/se/policy/macros/admin_macros.te	2004-09-09 04:23:06.000000000 +1000
+++ macros/admin_macros.te	2004-09-17 22:01:42.000000000 +1000
@@ -24,7 +24,7 @@
 tmp_domain($1)
 
 # Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, dev_fs;
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
diff -ru /usr/src/se/policy/macros/core_macros.te macros/core_macros.te
--- /usr/src/se/policy/macros/core_macros.te	2004-09-02 23:18:55.000000000 +1000
+++ macros/core_macros.te	2004-09-11 19:48:58.000000000 +1000
@@ -549,9 +549,6 @@
 # Access the pty master multiplexer.
 allow $1_t ptmx_t:chr_file rw_file_perms;
 
-ifdef(`devfsd.te', `
-allow $1_t device_t:filesystem getattr;
-')
 allow $1_t devpts_t:filesystem getattr;
 
 # allow searching /dev/pts
diff -ru /usr/src/se/policy/macros/program/gpg_agent_macros.te macros/program/gpg_agent_macros.te
--- /usr/src/se/policy/macros/program/gpg_agent_macros.te	2004-07-08 06:46:41.000000000 +1000
+++ macros/program/gpg_agent_macros.te	2004-09-12 14:47:09.000000000 +1000
@@ -94,9 +94,6 @@
 # read kde font cache
 allow $1_gpg_pinentry_t usr_t:file { getattr read };
 
-# pinentry-qt needs this (executes a KDE style library)
-allow $1_gpg_pinentry_t lib_t:file { execute };
-
 allow $1_gpg_pinentry_t { proc_t self }:dir { search };
 allow $1_gpg_pinentry_t { proc_t self }:lnk_file { read };
 # read /proc/meminfo
diff -ru /usr/src/se/policy/macros/program/mozilla_macros.te macros/program/mozilla_macros.te
--- /usr/src/se/policy/macros/program/mozilla_macros.te	2004-09-16 18:07:08.000000000 +1000
+++ macros/program/mozilla_macros.te	2004-09-16 21:47:34.000000000 +1000
@@ -71,8 +71,6 @@
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
 ')
 
-dontaudit $1_mozilla_t tmp_t:lnk_file read;
-
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
@@ -100,7 +99,7 @@
 file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_rw_t)
 allow $1_mozilla_t $1_home_t:dir setattr;
 allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
-} 
+} dnl end if writehome
 
 allow $1_mozilla_t $1_t:unix_stream_socket { connectto };
 allow $1_mozilla_t sysctl_net_t:dir { search };
diff -ru /usr/src/se/policy/macros/program/ssh_macros.te macros/program/ssh_macros.te
--- /usr/src/se/policy/macros/program/ssh_macros.te	2004-08-04 20:26:48.000000000 +1000
+++ macros/program/ssh_macros.te	2004-09-12 17:18:07.000000000 +1000
@@ -32,7 +32,7 @@
 allow $1_ssh_t autofs_t:dir { search getattr };
 ')
 ifdef(`nfs_home_dirs', `
-rw_dir_create_file($1_ssh_t, nfs_t)
+create_dir_file($1_ssh_t, nfs_t)
 ')dnl end if nfs_home_dirs
 
 # Transition from the user domain to the derived domain.
diff -ru /usr/src/se/policy/macros/program/userhelper_macros.te macros/program/userhelper_macros.te
--- /usr/src/se/policy/macros/program/userhelper_macros.te	2004-09-11 16:21:48.000000000 +1000
+++ macros/program/userhelper_macros.te	2004-09-11 19:24:48.000000000 +1000
@@ -17,7 +17,7 @@
 ifdef(`single_userdomain', `
 typealias $1_t alias $1_userhelper_t;
 ', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
diff -ru /usr/src/se/policy/macros/program/xserver_macros.te macros/program/xserver_macros.te
--- /usr/src/se/policy/macros/program/xserver_macros.te	2004-09-16 18:07:09.000000000 +1000
+++ macros/program/xserver_macros.te	2004-09-14 01:22:44.000000000 +1000
@@ -132,7 +132,7 @@
 allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
 allow $1_xserver_t device_t:lnk_file { getattr read };
 allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t devtty_t:lnk_file read;
+allow $1_xserver_t zero_device_t:chr_file { read write execute };
 
 # Type for temporary files.
 tmp_domain($1_xserver)
@@ -199,14 +198,11 @@
 allow $1_xserver_t proc_t:dir r_dir_perms;
 
 # Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
-allow $1_xserver_t dri_device_t:chr_file create_file_perms;
+allow $1_xserver_t device_t:dir create;
+file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
 
 allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
 
-# Do not flood audit logs due to device node creation attempts.
-dontaudit $1_xserver_t device_t:chr_file create;
-
 # Run helper programs in $1_xserver_t.
 allow $1_xserver_t { bin_t sbin_t }:dir search;
 allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
@@ -248,8 +242,6 @@
 
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
-dontaudit $1_xserver_t selinux_config_t:dir { search };
-allow $1_xserver_t device_t:dir { create };
 
 # for fonts
 r_dir_file($1_xserver_t, fonts_t)
diff -ru /usr/src/se/policy/macros/user_macros.te macros/user_macros.te
--- /usr/src/se/policy/macros/user_macros.te	2004-09-15 16:31:23.000000000 +1000
+++ macros/user_macros.te	2004-09-17 22:01:51.000000000 +1000
@@ -32,7 +32,7 @@
 can_create_pty($1, `, userpty_type, user_tty_type')
 
 #Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs;
  
 base_user_domain($1)
 

Important fix for targeted policy

[Daniel J Walsh]

diff --exclude-from=exclude -N -u -r 
nsapolicy/targeted/domains/program/init.te 
policy-1.17.18/targeted/domains/program/init.te
--- nsapolicy/targeted/domains/program/init.te  2004-09-09 
15:36:12.000000000 -0400
+++ policy-1.17.18/targeted/domains/program/init.te     2004-09-17 
10:22:33.591562641 -0400
@@ -15,4 +15,4 @@
 # strict policy.  /sbin/init will get this policy.
 #
 type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile;
+type initctl_t, file_type, sysadmfile, dev_fs;
diff --exclude-from=exclude -N -u -r 
nsapolicy/targeted/domains/program/udev.te 
policy-1.17.18/targeted/domains/program/udev.te
--- nsapolicy/targeted/domains/program/udev.te  2004-09-09 
15:36:12.000000000 -0400
+++ policy-1.17.18/targeted/domains/program/udev.te     2004-09-17 
10:22:22.119860649 -0400
@@ -13,4 +13,4 @@
 #
 type udev_exec_t, file_type, sysadmfile, exec_type;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-type udev_tbl_t, file_type, sysadmfile;
+type udev_tbl_t, file_type, sysadmfile, dev_fs;


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Policy patches

[James Carter]

On Thu, 2004-09-16 at 17:23, Daniel J Walsh wrote:
> New patches to allow hald to add a lines to the /etc/fstab with 
> fscontext=system_u:object_r:removable_t.
> 
> Dan

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.17/domains/program/unused/nscd.te
> --- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
> +++ policy-1.17.17/domains/program/unused/nscd.te	2004-09-16 15:02:07.387150095 -0400
> @@ -70,4 +70,8 @@
>  #
>  dontaudit nscd_t var_run_t:sock_file rw_file_perms;
>  
> +allow nscd_t self:file { getattr read };
> +allow nscd_t proc_t:file { getattr read };
> +allow nscd_t selinux_config_t:dir { search };
> +r_dir_file(nscd_t, default_context_t)
>  

Is this only for the targeted policy?  Maybe userspace_objectmgr.te
should be part of the targeted policy.  I think we would gain most of
these permissions in that case.

When does nscd access a default_context_t?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.17/domains/program/unused/portmap.te
> --- nsapolicy/domains/program/unused/portmap.te	2004-09-16 09:48:15.000000000 -0400
> +++ policy-1.17.17/domains/program/unused/portmap.te	2004-09-16 11:55:04.363237680 -0400
> @@ -54,3 +54,4 @@
>  
>  # do not log when it tries to bind to a port belonging to another domain
>  #dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
> +dontaudit portmap_t tty_device_t:chr_file { read write };

How about this, so it applies to more then just portmap?

diff -u -r1.58 global_macros.te
--- global_macros.te	15 Sep 2004 19:58:14 -0000	1.58
+++ global_macros.te	17 Sep 2004 20:43:47 -0000
@@ -294,6 +294,7 @@
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
 ifdef(`targeted_policy', `
+dontaudit $1_t tty_device_t:chr_file { read write };
 dontaudit $1_t devpts_t:chr_file { read write };
 dontaudit $1_t root_t:file { getattr read };
 ')dnl end if targeted_policy

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.17/domains/program/unused/updfstab.te
> --- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
> +++ policy-1.17.17/domains/program/unused/updfstab.te	2004-09-16 13:36:58.170098295 -0400
> @@ -62,3 +62,10 @@
>  
>  r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>  can_getsecurity(updfstab_t)
> +
> +allow updfstab_t { sbin_t bin_t }:dir { search getattr };
> +dontaudit updfstab_t devtty_t:chr_file { read write };
> +allow updfstab_t self:fifo_file { getattr read write ioctl };
> +can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
> +dontaudit updfstab_t home_root_t:dir { getattr search };
> +dontaudit updfstab_t { home_dir_type home_type }:dir { search };

Why can_exec(ls_exec_t)?

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.17/macros/user_macros.te
> --- nsapolicy/macros/user_macros.te	2004-09-14 09:18:11.000000000 -0400
> +++ policy-1.17.17/macros/user_macros.te	2004-09-16 13:38:06.207431159 -0400
> @@ -230,6 +230,12 @@
>  mount_domain($1, $1_mount, `, fs_domain')
>  role $1_r types $1_mount_t;
>  r_dir_file($1_t, mnt_t)
> +allow $1_mount_t removable_device_t:blk_file { read };
> +allow $1_mount_t iso9660_t:filesystem { relabelfrom };
> +allow $1_mount_t removable_t:filesystem { mount relabelto };
> +allow $1_mount_t removable_t:dir { mounton };
> +allow $1_mount_t xdm_t:fd { use };
> +allow $1_mount_t xdm_t:fifo_file { write };
>  ')

Shouldn't these rules need to be in other macros as well?
Also, the xdm_t rules should be in a ifdef.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Policy patches

[Daniel J Walsh]

James Carter wrote:

>On Thu, 2004-09-16 at 17:23, Daniel J Walsh wrote:
>  
>
>>New patches to allow hald to add a lines to the /etc/fstab with 
>>fscontext=system_u:object_r:removable_t.
>>
>>Dan
>>    
>>
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.17/domains/program/unused/nscd.te
>>--- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
>>+++ policy-1.17.17/domains/program/unused/nscd.te	2004-09-16 15:02:07.387150095 -0400
>>@@ -70,4 +70,8 @@
>> #
>> dontaudit nscd_t var_run_t:sock_file rw_file_perms;
>> 
>>+allow nscd_t self:file { getattr read };
>>+allow nscd_t proc_t:file { getattr read };
>>+allow nscd_t selinux_config_t:dir { search };
>>+r_dir_file(nscd_t, default_context_t)
>> 
>>    
>>
>
>Is this only for the targeted policy?  Maybe userspace_objectmgr.te
>  
>
I will look into it.  The problem is everytime we add one it seems to 
have expanding
concequences.

>should be part of the targeted policy.  I think we would gain most of
>these permissions in that case.
>
>When does nscd access a default_context_t?
>
>  
>
That probably was overzealous. Remove it.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.17/domains/program/unused/portmap.te
>>--- nsapolicy/domains/program/unused/portmap.te	2004-09-16 09:48:15.000000000 -0400
>>+++ policy-1.17.17/domains/program/unused/portmap.te	2004-09-16 11:55:04.363237680 -0400
>>@@ -54,3 +54,4 @@
>> 
>> # do not log when it tries to bind to a port belonging to another domain
>> #dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
>>+dontaudit portmap_t tty_device_t:chr_file { read write };
>>    
>>
>
>How about this, so it applies to more then just portmap?
>
>diff -u -r1.58 global_macros.te
>--- global_macros.te	15 Sep 2004 19:58:14 -0000	1.58
>+++ global_macros.te	17 Sep 2004 20:43:47 -0000
>@@ -294,6 +294,7 @@
> allow $1_t autofs_t:dir { search getattr };
> ')dnl end if automount.te
> ifdef(`targeted_policy', `
>+dontaudit $1_t tty_device_t:chr_file { read write };
> dontaudit $1_t devpts_t:chr_file { read write };
> dontaudit $1_t root_t:file { getattr read };
> ')dnl end if targeted_policy
>
>  
>
Looks good.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.17/domains/program/unused/updfstab.te
>>--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
>>+++ policy-1.17.17/domains/program/unused/updfstab.te	2004-09-16 13:36:58.170098295 -0400
>>@@ -62,3 +62,10 @@
>> 
>> r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>> can_getsecurity(updfstab_t)
>>+
>>+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
>>+dontaudit updfstab_t devtty_t:chr_file { read write };
>>+allow updfstab_t self:fifo_file { getattr read write ioctl };
>>+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
>>+dontaudit updfstab_t home_root_t:dir { getattr search };
>>+dontaudit updfstab_t { home_dir_type home_type }:dir { search };
>>    
>>
>
>Why can_exec(ls_exec_t)?
>
>  
>
One of the scripts it execs execs ls.  Why does ls have it's own domain?

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.17/macros/user_macros.te
>>--- nsapolicy/macros/user_macros.te	2004-09-14 09:18:11.000000000 -0400
>>+++ policy-1.17.17/macros/user_macros.te	2004-09-16 13:38:06.207431159 -0400
>>@@ -230,6 +230,12 @@
>> mount_domain($1, $1_mount, `, fs_domain')
>> role $1_r types $1_mount_t;
>> r_dir_file($1_t, mnt_t)
>>+allow $1_mount_t removable_device_t:blk_file { read };
>>+allow $1_mount_t iso9660_t:filesystem { relabelfrom };
>>+allow $1_mount_t removable_t:filesystem { mount relabelto };
>>+allow $1_mount_t removable_t:dir { mounton };
>>+allow $1_mount_t xdm_t:fd { use };
>>+allow $1_mount_t xdm_t:fifo_file { write };
>> ')
>>    
>>
>
>Shouldn't these rules need to be in other macros as well?
>Also, the xdm_t rules should be in a ifdef.
>
>  
>
Probably, just began experimenting with the new updatefstab patch that 
adds this, so we
should be seeing lots of complaints.

Dan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Important fix for targeted policy

[James Carter]

Merged.

On Fri, 2004-09-17 at 11:31, Daniel J Walsh wrote:
> diff --exclude-from=exclude -N -u -r 
> nsapolicy/targeted/domains/program/init.te 
> policy-1.17.18/targeted/domains/program/init.te
> --- nsapolicy/targeted/domains/program/init.te  2004-09-09 
> 15:36:12.000000000 -0400
> +++ policy-1.17.18/targeted/domains/program/init.te     2004-09-17 
> 10:22:33.591562641 -0400
> @@ -15,4 +15,4 @@
>  # strict policy.  /sbin/init will get this policy.
>  #
>  type init_exec_t, file_type, sysadmfile, exec_type;
> -type initctl_t, file_type, sysadmfile;
> +type initctl_t, file_type, sysadmfile, dev_fs;
> diff --exclude-from=exclude -N -u -r 
> nsapolicy/targeted/domains/program/udev.te 
> policy-1.17.18/targeted/domains/program/udev.te
> --- nsapolicy/targeted/domains/program/udev.te  2004-09-09 
> 15:36:12.000000000 -0400
> +++ policy-1.17.18/targeted/domains/program/udev.te     2004-09-17 
> 10:22:22.119860649 -0400
> @@ -13,4 +13,4 @@
>  #
>  type udev_exec_t, file_type, sysadmfile, exec_type;
>  type udev_helper_exec_t, file_type, sysadmfile, exec_type;
> -type udev_tbl_t, file_type, sysadmfile;
> +type udev_tbl_t, file_type, sysadmfile, dev_fs;
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Policy patches

[James Carter]

Merged, except for the userhelper_macros.te chunk.

The attribute privuser is always needed by userhelper since the current code always switches to
"root".

diff -ru /usr/src/se/policy/macros/program/userhelper_macros.te macros/program/userhelper_macros.te
--- /usr/src/se/policy/macros/program/userhelper_macros.te      2004-09-11 16:21:48.000000000 +1000
+++ macros/program/userhelper_macros.te 2004-09-11 19:24:48.000000000 +1000
@@ -17,7 +17,7 @@
 ifdef(`single_userdomain', `
 typealias $1_t alias $1_userhelper_t;
 ', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;

On Fri, 2004-09-17 at 08:07, Russell Coker wrote:
> +dontaudit updfstab_t home_root_t:dir { getattr search };
> +dontaudit updfstab_t { home_dir_type home_type }:dir { search };
> 
> Why is fstab-sync trying to access home directories?
> 
> +allow ttyfile tmpfs_t:filesystem { associate };
> 
> Better to just use the dev_fs attribute.  I have attached a patch to do this 
> as well as clean up a few other minor issues with the macros directory.
> 
> The patch is against the latest CVS.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Policy patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 57 bytes --]

Policy patches off of latest policy.

nscd fixes mainly.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 14898 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/removable_context policy-1.17.19/appconfig/removable_context
--- nsapolicy/appconfig/removable_context	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.19/appconfig/removable_context	2004-09-21 13:05:04.223318911 -0400
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.19/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.19/domains/program/unused/consoletype.te	2004-09-21 13:05:04.224318800 -0400
@@ -52,5 +52,5 @@
 allow consoletype_t pam_var_run_t:file { getattr read };
 ')
 ifdef(`distro_redhat', `
-dontaudit consoletype_t tmpfs_t:chr_file { read write };
+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.19/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.19/domains/program/unused/cups.te	2004-09-21 13:05:04.224318800 -0400
@@ -30,6 +30,7 @@
 allow cupsd_t printer_device_t:chr_file rw_file_perms;
 allow cupsd_t urandom_device_t:chr_file { getattr read };
 dontaudit cupsd_t random_device_t:chr_file ioctl;
+dontaudit cupsd_t device_t:lnk_file { read }; 
 
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.19/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-16 16:57:34.000000000 -0400
+++ policy-1.17.19/domains/program/unused/hald.te	2004-09-21 13:05:04.225318690 -0400
@@ -51,8 +51,14 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
+dontaudit hald_t selinux_config_t:dir { search };
+dontaudit hald_t userdomain:fd { use };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.17.19/domains/program/unused/mozilla.te
--- nsapolicy/domains/program/unused/mozilla.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.19/domains/program/unused/mozilla.te	2004-09-21 13:05:04.225318690 -0400
@@ -6,6 +6,7 @@
 
 # Type for the netscape, mozilla or other browser executables.
 type mozilla_exec_t, file_type, sysadmfile, exec_type;
+type mozilla_conf_t, file_type, sysadmfile;
 
 # Allow mozilla to read files in the user home directory
 bool mozilla_readhome false;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.19/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.19/domains/program/unused/named.te	2004-09-21 13:48:16.136487414 -0400
@@ -31,7 +31,7 @@
 can_exec(named_t, named_exec_t)
 allow named_t sbin_t:dir search;
 
-allow named_t self:process setsched;
+allow named_t self:process { setsched setcap setrlimit };
 
 # A type for configuration files of named.
 type named_conf_t, file_type, sysadmfile;
@@ -96,8 +96,6 @@
 allow named_t self:fifo_file rw_file_perms;
 
 # Set own capabilities.
-allow named_t self:process setcap;
-
 #A type for /usr/sbin/ndc
 type ndc_exec_t, file_type,sysadmfile, exec_type;
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.19/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.19/domains/program/unused/nscd.te	2004-09-21 16:47:07.510447194 -0400
@@ -55,7 +55,7 @@
 
 allow nscd_t sysctl_kernel_t:dir search;
 allow nscd_t sysctl_kernel_t:file read;
-allow nscd_t self:process setsched;
+allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
 allow nscd_t self:capability { kill setgid setuid };
@@ -70,4 +70,6 @@
 #
 dontaudit nscd_t var_run_t:sock_file rw_file_perms;
 
-
+r_dir_file(nscd_t, selinux_config_t)
+can_getsecurity(nscd_t)
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.19/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.19/domains/program/unused/rhgb.te	2004-09-21 13:05:04.227318468 -0400
@@ -34,7 +34,7 @@
 allow insmod_t rhgb_t:fd use;
 
 allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t root_t:dir { mounton };
+allow rhgb_t mnt_t:dir { mounton };
 allow rhgb_t rhgb_t:capability { sys_admin };
 dontaudit rhgb_t var_run_t:dir { search };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.19/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.19/domains/program/unused/updfstab.te	2004-09-21 13:05:04.228318357 -0400
@@ -62,3 +62,10 @@
 
 r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
 can_getsecurity(updfstab_t)
+
+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
+dontaudit updfstab_t devtty_t:chr_file { read write };
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.19/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.19/file_contexts/program/mozilla.fc	2004-09-21 13:05:04.228318357 -0400
@@ -17,3 +17,4 @@
 /usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
+/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.17.19/file_contexts/program/rhgb.fc
--- nsapolicy/file_contexts/program/rhgb.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.19/file_contexts/program/rhgb.fc	2004-09-21 13:05:04.229318246 -0400
@@ -1,2 +1,3 @@
 /usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
 #/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
+/etc/rhgb		-d	system_u:object_r:mnt_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.19/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-09-21 12:51:05.000000000 -0400
+++ policy-1.17.19/file_contexts/types.fc	2004-09-21 13:05:04.230318136 -0400
@@ -302,6 +302,7 @@
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 
 #
 # /sbin
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.19/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-10 10:17:50.000000000 -0400
+++ policy-1.17.19/macros/base_user_macros.te	2004-09-21 13:05:04.230318136 -0400
@@ -64,6 +64,7 @@
 ')dnl end if nfs_home_dirs
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
+create_dir_file($1_t, removable_t)
 # Write floppies 
 allow $1_t removable_device_t:blk_file rw_file_perms;
 allow $1_t usbtty_device_t:chr_file write;
@@ -72,6 +73,10 @@
 allow $1_t removable_device_t:blk_file r_file_perms;
 }
 allow $1_t usbtty_device_t:chr_file read;
+
+# GNOME checks for usb and other devices
+r_dir_file($1_t,usbfs_t)
+
 can_exec($1_t, noexattrfile)
 # Bind to a Unix domain socket in /tmp.
 allow $1_t $1_tmp_t:unix_stream_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.17.19/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.19/macros/core_macros.te	2004-09-21 16:44:32.697773308 -0400
@@ -271,7 +271,7 @@
 define(`can_getsecurity',`
 # Get the selinuxfs mount point via /proc/self/mounts.
 allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
+allow $1 proc_t:{ file lnk_file } { getattr read };
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 # Access selinuxfs.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.19/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-09-16 09:48:16.000000000 -0400
+++ policy-1.17.19/macros/global_macros.te	2004-09-21 16:37:55.572191411 -0400
@@ -294,7 +294,7 @@
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
 ifdef(`targeted_policy', `
-dontaudit $1_t devpts_t:chr_file { read write };
+dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
 dontaudit $1_t root_t:file { getattr read };
 ')dnl end if targeted_policy
  
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.19/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.19/macros/program/mozilla_macros.te	2004-09-21 13:05:04.231318025 -0400
@@ -71,6 +71,8 @@
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
 ')
 
+dontaudit $1_mozilla_t tmp_t:lnk_file read;
+
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
@@ -109,6 +111,8 @@
 ')
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+dontaudit $1_mozilla_t bin_t:dir { getattr };
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.19/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.19/macros/user_macros.te	2004-09-21 13:05:04.232317914 -0400
@@ -181,9 +181,6 @@
 allow $1_t man_t:dir r_dir_perms;
 allow $1_t man_t:notdevfile_class_set r_file_perms;
 
-# GNOME checks for usb and other devices
-r_dir_file($1_t,usbfs_t)
-
 # Allow users to rw usb devices
 if (user_rw_usb) {
 rw_dir_create_file($1_t,usbdevfs_t)
@@ -230,6 +227,12 @@
 mount_domain($1, $1_mount, `, fs_domain')
 role $1_r types $1_mount_t;
 r_dir_file($1_t, mnt_t)
+allow $1_mount_t removable_device_t:blk_file { read };
+allow $1_mount_t iso9660_t:filesystem { relabelfrom };
+allow $1_mount_t removable_t:filesystem { mount relabelto };
+allow $1_mount_t removable_t:dir { mounton };
+allow $1_mount_t xdm_t:fd { use };
+allow $1_mount_t xdm_t:fifo_file { write };
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.19/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.19/tunables/distro.tun	2004-09-21 13:05:04.232317914 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.19/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-15 09:15:39.000000000 -0400
+++ policy-1.17.19/tunables/tunable.tun	2004-09-21 13:05:04.233317803 -0400
@@ -1,51 +1,51 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.19/types/file.te
--- nsapolicy/types/file.te	2004-09-14 09:18:14.000000000 -0400
+++ policy-1.17.19/types/file.te	2004-09-21 13:06:27.444094270 -0400
@@ -259,7 +259,7 @@
 #
 allow { file_type device_type } fs_t:filesystem associate;
 ifdef(`distro_redhat', `
-allow dev_fs tmpfs_t:filesystem associate;
+allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
 ')
 
 # Allow the pty to be associated with the file system.
@@ -298,3 +298,6 @@
 type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
 allow cifs_t cifs_t:filesystem associate;
 typealias cifs_t alias sambafs_t;
+
+# removable_t is the default type of all removable media
+type removable_t, file_type, sysadmfile, usercanread;
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.17.19/types/nfs.te
--- nsapolicy/types/nfs.te	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.19/types/nfs.te	2004-09-21 13:05:04.234317692 -0400
@@ -18,4 +18,5 @@
 #
 # Allow NFS files to be associated with an NFS file system.
 #
-allow nfs_t nfs_t:filesystem associate;
+allow nfs_t self:filesystem associate;
+allow file_type nfs_t:filesystem associate;

Re: Policy patches

[James Carter]

Merged.

On Tue, 2004-09-21 at 16:55, Daniel J Walsh wrote:
> Policy patches off of latest policy.
> 
> nscd fixes mainly.
> 
> ______________________________________________________________________

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.