From: Daniel J Walsh <dwalsh@redhat.com>
To: jwcart2@epoch.ncsc.mil
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: Patch for strict policy
Date: Mon, 27 Sep 2004 13:26:07 -0400
Message-ID: <41584D2F.5020902@redhat.com>
In-Reply-To: <1096303384.3234.7.camel@moss-lions.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 890 bytes --]
James Carter wrote:
>Shouldn't there be a ktalkd.te? I don't think ktalkd_exec_t is defined
>anywhere.
>
>On Fri, 2004-09-24 at 10:32, Daniel J Walsh wrote:
>
>
>>Added policy templates for swat, ktalkd, in.comcast, and rsyn daemons to
>>be run by xinetd.
>>Separated out inetd_child_t context into a macro.
>>Mailman fixes
>>
>>______________________________________________________________________
>>diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.20/file_contexts/program/ktalkd.fc
>>--- nsapolicy/file_contexts/program/ktalkd.fc 1969-12-31 19:00:00.000000000 -0500
>>+++ policy-1.17.20/file_contexts/program/ktalkd.fc 2004-09-24 10:05:50.845362460 -0400
>>@@ -0,0 +1,2 @@
>>+# kde talk daemon
>>+/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t
>>
>>
>
>
>
Oops, yes, here is a new patch including ktalkd and some of Russell's fixes.
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 30850 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/screensaver.te policy-1.17.22/domains/misc/screensaver.te
--- nsapolicy/domains/misc/screensaver.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/misc/screensaver.te 2004-09-27 10:19:13.000000000 -0400
@@ -0,0 +1,18 @@
+#
+# Alias file to stop blow up during policy upgrade, since
+# screensaver policy is being removed.
+#
+typealias bin_t alias screensaver_exec_t;
+typealias sysadm_home_t alias sysadm_screensaver_t;
+typealias sysadm_home_t alias sysadm_screensaver_rw_t;
+typealias sysadm_home_t alias sysadm_screensaver_ro_t;
+typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
+typealias user_home_t alias user_screensaver_t;
+typealias user_home_t alias user_screensaver_rw_t;
+typealias user_home_t alias user_screensaver_ro_t;
+typealias user_home_t alias user_screensaver_tmpfs_t;
+typealias staff_home_t alias staff_screensaver_t;
+typealias staff_home_t alias staff_screensaver_rw_t;
+typealias staff_home_t alias staff_screensaver_ro_t;
+typealias staff_home_t alias staff_screensaver_tmpfs_t;
+
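Review bot: the header comment should say when these aliases can be dropped and why the screensaver domain is going away; nothing in this thread's patch description mentions the removal, and with domains/program/unused/screensaver.te and macros/program/screensaver_macros.te deleted further down, xscreensaver now runs in the plain user domain with no confinement of its own. Aliasing the old *_screensaver_tmpfs_t types onto the home types also means any leftover object carrying those labels gets home-directory permissions; acceptable for a one-off upgrade path, but it deserves a line of explanation. The trailing blank "+" line at the end of the new file can go.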
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.22/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2004-09-20 15:40:58.000000000 -0400
+++ policy-1.17.22/domains/program/initrc.te 2004-09-27 10:16:53.000000000 -0400
@@ -48,6 +48,8 @@
allow initrc_t usbdevfs_t:dir r_dir_perms;
allow initrc_t usbdevfs_t:lnk_file r_file_perms;
allow initrc_t usbdevfs_t:file getattr;
+allow initrc_t usbfs_t:dir r_dir_perms;
+allow initrc_t usbfs_t:file getattr;
# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld setsched setpgid setrlimit };
@@ -199,6 +201,9 @@
allow initrc_t boot_t:lnk_file rw_file_perms;
file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
#
# readahead asks for these
#
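Review bot: allow initrc_t tmpfs_t:chr_file rw_file_perms; grants read and write on every character device node that still carries the tmpfs_t label, that is anything created in a tmpfs-backed /dev before udev relabels it, not just the console or null device this is presumably for. The equivalent rule in mount.te in this same patch is wrapped in ifdef(`distro_redhat'); at minimum this one should be too, and the comment above it should name the denial that prompted it so the rule can be narrowed later.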
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.22/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.22/domains/program/mount.te 2004-09-27 10:16:53.000000000 -0400
@@ -97,6 +97,6 @@
can_exec(mount_t, { sbin_t bin_t })
allow mount_t device_t:dir r_dir_perms;
ifdef(`distro_redhat', `
-dontaudit mount_t tmpfs_t:chr_file { read write };
+allow mount_t tmpfs_t:chr_file { read write };
allow mount_t tmpfs_t:dir { mounton };
')
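Review bot: changing this line from dontaudit to allow turns a silenced denial into real access: mount_t can now read and write any chr_file labeled tmpfs_t. If the need is /dev/null or /dev/console before the tmpfs /dev is relabeled, say so in a comment; if the relabel can instead happen earlier in the boot sequence, the dontaudit was the safer choice.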
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.17.22/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te 2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.22/domains/program/unused/cardmgr.te 2004-09-27 10:16:53.000000000 -0400
@@ -23,7 +23,7 @@
allow cardmgr_t home_root_t:dir search;
# Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
@@ -78,7 +78,7 @@
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')
-ifdef(`hide_broken_symptoms', `', `
+ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
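Review bot: good catch on the inverted condition. The old form ifdef(`hide_broken_symptoms', `', `...') placed the two dontaudit rules in the else branch, so they were active only when the tunable was not defined, the opposite of what the tunable's description promises. The new form matches the tunable; a one-line comment above the block would stop the next reader from "fixing" it back.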
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.22/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/comsat.te 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC comsat - biff server
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the comsat_t domain.
+#
+# comsat_exec_t is the type of the comsat executable.
+#
+
+type comsat_port_t, port_type;
+inetd_child_domain(comsat)
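Review bot: comsat_port_t is declared here but nothing uses it: the only portcon change in this patch is swat's tcp 901, and no rule in the inetd_child_domain template refers to $1_port_t, which is expected since inetd hands the child an already-bound socket. The same applies to dbskkd_port_t, ktalkd_port_t and rsync_port_t below. Either drop the unused port types or add matching portcon lines in net_contexts so the declarations mean something.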
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.22/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te 2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/consoletype.te 2004-09-27 10:16:53.000000000 -0400
@@ -54,3 +54,6 @@
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
')
+allow consoletype_t firstboot_t:fifo_file { write };
+dontaudit consoletype_t proc_t:file { read };
+dontaudit consoletype_t root_t:file { read };
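Review bot: allow consoletype_t firstboot_t:fifo_file { write }; references firstboot_t without an ifdef(`firstboot.te') guard, so the policy fails to build when firstboot.te is not selected. The iptables.te and ntpd.te hunks in this same patch wrap the same kind of rule correctly; do the same here. The two dontaudit lines would also benefit from a comment saying which consoletype invocation tries to read /proc and /.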
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.22/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/cups.te 2004-09-27 11:04:53.179361344 -0400
@@ -31,7 +31,6 @@
allow cupsd_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t urandom_device_t:chr_file { getattr read };
dontaudit cupsd_t random_device_t:chr_file ioctl;
-dontaudit cupsd_t device_t:lnk_file { read };
# temporary solution, we need something better
allow cupsd_t serial_device:chr_file rw_file_perms;
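Review bot: dropping dontaudit cupsd_t device_t:lnk_file { read }; without an accompanying allow means those denials will start appearing in the audit log again. If cupsd no longer follows symlinks in /dev, a note saying so would help; if it still does, this should become an allow rather than simply disappear.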
@@ -156,6 +155,7 @@
allow ptal_t printer_device_t:chr_file { ioctl read write };
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
+r_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket { connectto };
allow cupsd_t ptal_var_run_t:dir { search };
@@ -167,4 +167,8 @@
ifdef(`hald.te', `
allow cupsd_t hald_t:dbus { send_msg };
allow hald_t cupsd_t:dbus { send_msg };
+allow hald_t cupsd_etc_t:dir search;
+allow hald_t printconf_t:file { getattr read };
+domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)
')
+allow cupsd_t userdomain:dbus { send_msg };
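Review bot: domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t) lets the hardware daemon start the print server, and together with the new cupsd_etc_t search and printconf_t read it gives hald visibility into printer configuration; a comment stating the use case (presumably adding a newly detected printer) is needed here. Also, allow cupsd_t userdomain:dbus { send_msg }; sits outside the ifdef(`hald.te') block and so applies unconditionally; if it is meant to depend on dbus support being in the policy, wrap it accordingly.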
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.22/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/dbskkd.te 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the dbskkd_t domain.
+#
+# dbskkd_exec_t is the type of the dbskkd executable.
+#
+
+type dbskkd_port_t, port_type;
+inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.22/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.22/domains/program/unused/hald.te 2004-09-27 11:02:13.033982220 -0400
@@ -38,6 +38,8 @@
allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t event_device_t:chr_file { getattr read ioctl };
+allow hald_t printer_device_t:chr_file rw_file_perms;
+allow hald_t urandom_device_t:chr_file { read };
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
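Review bot: allow hald_t printer_device_t:chr_file rw_file_perms; gives hald full read/write on printer devices. Probing a printer for its device ID needs ioctl and read, not write; if that is what this is for, { getattr read ioctl } as used for event_device_t two lines above is enough and keeps hald from being able to send data to the printer.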
@@ -50,6 +52,9 @@
allow hald_t udev_tbl_t:file { getattr read };
')
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
allow hald_t usbfs_t:dir search;
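Review bot: the guard on r_dir_file(hald_t, hotplug_etc_t) tests udev.te, but hotplug_etc_t is declared in hotplug.te, not udev.te, so a build with udev.te selected and hotplug.te not selected fails. Change the condition to ifdef(`hotplug.te').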
@@ -57,4 +62,3 @@
allow hald_t bin_t:lnk_file read;
dontaudit hald_t selinux_config_t:dir { search };
dontaudit hald_t userdomain:fd { use };
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.22/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/hotplug.te 2004-09-27 10:16:53.000000000 -0400
@@ -47,6 +47,9 @@
ifdef(`distro_redhat', `
# for arping used for static IP addresses on PCMCIA ethernet
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+
+allow hotplug_t tmpfs_t:dir search;
+allow hotplug_t tmpfs_t:chr_file rw_file_perms;
')dnl end if distro_redhat
')dnl end if netutils.te
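Review bot: allow hotplug_t tmpfs_t:chr_file rw_file_perms; has the same breadth problem as the initrc_t and mount_t tmpfs rules in this patch: it covers every not-yet-relabeled device node on a tmpfs /dev. It is at least inside the distro_redhat block, but a comment naming the device hotplug actually needs would make later narrowing possible.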
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.22/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te 2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.22/domains/program/unused/inetd.te 2004-09-27 10:16:53.000000000 -0400
@@ -44,8 +44,6 @@
# Run other daemons in the inetd_child_t domain.
allow inetd_t { bin_t sbin_t }:dir search;
allow inetd_t sbin_t:lnk_file read;
-domain_auto_trans(inetd_t, inetd_child_exec_t, inetd_child_t)
-allow inetd_t inetd_child_t:process sigkill;
# Bind to the telnet, ftp, rlogin and rsh ports.
allow inetd_t telnet_port_t:tcp_socket name_bind;
@@ -71,53 +69,7 @@
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-#################################
-#
-# Rules for the inetd_child_t domain.
-#
-# inetd_child_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# inetd_child_exec_t is the type of the corresponding
-# programs.
-#
-type inetd_child_t, domain, privlog;
-role system_r types inetd_child_t;
-
-can_network(inetd_child_t)
-can_ypbind(inetd_child_t)
-uses_shlib(inetd_child_t)
-allow inetd_child_t self:unix_dgram_socket create_socket_perms;
-allow inetd_child_t self:unix_stream_socket create_socket_perms;
-allow inetd_child_t self:fifo_file rw_file_perms;
-type inetd_child_exec_t, file_type, sysadmfile, exec_type;
-read_locale(inetd_child_t)
-allow inetd_child_t device_t:dir search;
-allow inetd_child_t proc_t:dir search;
-allow inetd_child_t proc_t:{ file lnk_file } { getattr read };
-allow inetd_child_t self:process { fork signal_perms };
-allow inetd_child_t fs_t:filesystem getattr;
-
-allow inetd_child_t sysctl_kernel_t:dir search;
-allow inetd_child_t sysctl_kernel_t:file { getattr read };
-
-allow inetd_child_t etc_t:file { getattr read };
-
-tmp_domain(inetd_child)
-allow inetd_child_t var_t:dir search;
-var_run_domain(inetd_child)
-
-# Use sockets inherited from inetd.
-allow inetd_child_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# for identd
-allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow inetd_child_t self:capability { setuid setgid };
-allow inetd_child_t home_root_t:dir { search };
-allow inetd_child_t self:dir { search };
-allow inetd_child_t self:file { getattr read };
-allow inetd_child_t krb5_conf_t:file r_file_perms;
-dontaudit inetd_child_t krb5_conf_t:file write;
-allow inetd_child_t urandom_device_t:chr_file { getattr read };
+inetd_child_domain(inetd_child)
ifdef(`unconfined.te', `
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.17.22/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te 2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/iptables.te 2004-09-27 10:16:53.000000000 -0400
@@ -56,3 +56,6 @@
# system-config-network appends to /var/log
allow iptables_t var_log_t:file { append };
+ifdef(`firstboot.te', `
+allow iptables_t firstboot_t:fifo_file { write };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.22/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/ktalkd.te 2004-09-27 13:24:01.429584334 -0400
@@ -0,0 +1,14 @@
+#DESC ktalkd - KDE version of the talk server
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the ktalkd_t domain.
+#
+# ktalkd_exec_t is the type of the ktalkd executable.
+#
+
+type ktalkd_port_t, port_type;
+inetd_child_domain(ktalkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.22/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.22/domains/program/unused/ntpd.te 2004-09-27 10:16:53.000000000 -0400
@@ -66,3 +66,6 @@
can_udp_send(ntpd_t, sysadm_t)
can_udp_send(sysadm_t, ntpd_t)
can_udp_send(ntpd_t, ntpd_t)
+ifdef(`firstboot.te', `
+dontaudit ntpd_t firstboot_t:fd { use };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.22/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te 2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/rhgb.te 2004-09-27 10:16:53.000000000 -0400
@@ -34,7 +34,7 @@
allow insmod_t rhgb_t:fd use;
allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t mnt_t:dir { mounton };
+allow rhgb_t mnt_t:dir { search mounton };
allow rhgb_t rhgb_t:capability { sys_admin };
dontaudit rhgb_t var_run_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.22/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2004-08-27 16:51:30.000000000 -0400
+++ policy-1.17.22/domains/program/unused/rpcd.te 2004-09-27 10:16:53.000000000 -0400
@@ -91,14 +91,19 @@
type nfsd_rw_t, file_type, sysadmfile, usercanread;
type nfsd_ro_t, file_type, sysadmfile, usercanread;
-ifdef(`nfs_export_all_rw', `
+bool nfs_export_all_rw false;
+
+if(nfs_export_all_rw) {
allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
create_dir_file(kernel_t,{ file_type -shadow_t })
-')
-ifdef(`nfs_export_all_ro', `
+}
+
+bool nfs_export_all_ro false;
+
+if(nfs_export_all_ro) {
allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
r_dir_file(kernel_t,{ file_type -shadow_t })
-')
+}
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
create_dir_file(kernel_t, nfsd_rw_t);
r_dir_file(kernel_t, nfsd_ro_t);
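Review bot: converting nfs_export_all_rw and nfs_export_all_ro from build-time ifdefs to booleans is a good move, but their descriptive comments are deleted from tunables/tunable.tun further down and not carried here, so nothing in the tree now says what the two booleans do or warns that enabling them exports every file type except shadow_t. Put the old "Allow the read/write/create on any NFS file system" and "Allow the reading on any NFS file system" text above the respective bool declarations.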
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.22/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/rsync.te 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC rsync - flexible replacement for rcp
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the rsync_t domain.
+#
+# rsync_exec_t is the type of the rsync executable.
+#
+
+type rsync_port_t, port_type;
+inetd_child_domain(rsync)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/screensaver.te policy-1.17.22/domains/program/unused/screensaver.te
--- nsapolicy/domains/program/unused/screensaver.te 2004-03-31 12:59:08.000000000 -0500
+++ policy-1.17.22/domains/program/unused/screensaver.te 1969-12-31 19:00:00.000000000 -0500
@@ -1,15 +0,0 @@
-#DESC screensaver - X Windows screensaver needs access to password
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the screensaver_t domain
-#
-
-type screensaver_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the screensaver_domain macro in
-# macros/program/screensaver_macros.te.
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.22/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/swat.te 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC swat - Samba Web Administration Tool
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the swat_t domain.
+#
+# swat_exec_t is the type of the swat executable.
+#
+
+type swat_port_t, port_type;
+inetd_child_domain(swat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.22/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.22/domains/program/unused/udev.te 2004-09-27 10:16:53.000000000 -0400
@@ -23,7 +23,7 @@
#
type udev_tbl_t, file_type, sysadmfile, dev_fs;
file_type_auto_trans(udev_t, device_t, udev_tbl_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
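Review bot: adding net_raw and net_admin to udev_t's capability set, together with the rawip_socket rule in the next hunk, is a significant widening for a daemon that already holds sys_admin and mknod: net_admin alone allows reconfiguring interfaces, routes and firewall state. If this is for a udev helper that renames network interfaces, say so in a comment and consider giving that helper its own domain instead of growing udev_t.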
@@ -103,3 +103,5 @@
dbusd_client(system, udev_t)
allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_modprobe_t:file { getattr read };
+allow udev_t udev_t:rawip_socket create_socket_perms;
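Review bot: allow udev_t udev_t:rawip_socket create_socket_perms; should use self as the target, as the other self rules in this file do. The sysctl_modprobe_t read is unrelated to the raw-socket change and each of the two lines should get its own comment explaining what needs it.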
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/comsat.fc policy-1.17.22/file_contexts/program/comsat.fc
--- nsapolicy/file_contexts/program/comsat.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/comsat.fc 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# biff server
+/usr/sbin/in.comsat -- system_u:object_r:comsat_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dbskkd.fc policy-1.17.22/file_contexts/program/dbskkd.fc
--- nsapolicy/file_contexts/program/dbskkd.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/dbskkd.fc 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# A dictionary server for the SKK Japanese input method system.
+/usr/sbin/dbskkd-cdb -- system_u:object_r:dbskkd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.22/file_contexts/program/ktalkd.fc
--- nsapolicy/file_contexts/program/ktalkd.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/ktalkd.fc 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# kde talk daemon
+/usr/bin/ktalkd -- system_u:object_r:ktalkd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.22/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc 2004-09-01 11:17:49.000000000 -0400
+++ policy-1.17.22/file_contexts/program/mailman.fc 2004-09-27 10:16:53.000000000 -0400
@@ -7,6 +7,7 @@
/usr/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t
/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
/etc/cron\.daily/mailman -- system_u:object_r:mailman_queue_exec_t
/etc/cron\.monthly/mailman -- system_u:object_r:mailman_queue_exec_t
')
@@ -19,5 +20,8 @@
/var/mailman/archives(/.*)? system_u:object_r:mailman_archive_t
/var/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
/var/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t
+/var/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
/var/mailman/mail/mailman -- system_u:object_r:mailman_mail_exec_t
+/var/mailman/Mailman(/.*?) system_u:object_r:lib_t
+/var/mailman/pythonlib(/.*?) system_u:object_r:lib_t
')
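Review bot: /var/mailman/Mailman(/.*?) and /var/mailman/pythonlib(/.*?) look like typos for (/.*)?: as written the group is mandatory, so the directories themselves never match, and the adjacent quantifiers in .*? are undefined in POSIX ERE. The /var/lib/mailman entries above use the (/.*)? form correctly.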
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.17.22/file_contexts/program/rsync.fc
--- nsapolicy/file_contexts/program/rsync.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/rsync.fc 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# rsync program
+/usr/bin/rsync -- system_u:object_r:rsync_exec_t
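Review bot: labeling /usr/bin/rsync as rsync_exec_t relabels the client binary as well as the inetd-started daemon, since they are the same file. User and admin domains that could previously run rsync as bin_t now need execute permission on rsync_exec_t, and a remote rsync over ssh executes it in the user's login domain, so check that nothing relies on the bin_t label before shipping this, or keep the binary as bin_t and start the daemon through a wrapper carrying the new label.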
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/screensaver.fc policy-1.17.22/file_contexts/program/screensaver.fc
--- nsapolicy/file_contexts/program/screensaver.fc 2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.22/file_contexts/program/screensaver.fc 1969-12-31 19:00:00.000000000 -0500
@@ -1,7 +0,0 @@
-# screensaver
-/usr/X11R6/bin/xscreensaver -- system_u:object_r:screensaver_exec_t
-/usr/X11R6/bin/xscreensaver-demo -- system_u:object_r:screensaver_exec_t
-/opt/kde3/bin/kdesktop_lock -- system_u:object_r:screensaver_exec_t
-/usr/bin/kdesktop_lock -- system_u:object_r:screensaver_exec_t
-/usr/X11R6/lib(64)?/xscreensaver(.*)? system_u:object_r:bin_t
-HOME_DIR/\.xscreensaver system_u:object_r:ROLE_screensaver_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/swat.fc policy-1.17.22/file_contexts/program/swat.fc
--- nsapolicy/file_contexts/program/swat.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/swat.fc 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# samba management tool
+/usr/sbin/swat -- system_u:object_r:swat_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.22/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.22/file_contexts/types.fc 2004-09-27 10:56:34.336171167 -0400
@@ -144,6 +144,9 @@
/dev/par.* -c system_u:object_r:printer_device_t
/dev/usb/lp.* -c system_u:object_r:printer_device_t
/dev/usblp.* -c system_u:object_r:printer_device_t
+ifdef(`distro_redhat', `
+/dev/root -b system_u:object_r:fixed_disk_device_t
+')
/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t
/u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.22/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2004-09-24 11:42:14.000000000 -0400
+++ policy-1.17.22/macros/base_user_macros.te 2004-09-27 10:17:09.000000000 -0400
@@ -153,7 +153,6 @@
ifdef(`screen.te', `screen_domain($1)')
ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`screensaver.te', `screensaver_domain($1)')
ifdef(`use_games', `ifdef(`games.te', `games_domain($1)')')
ifdef(`gpg.te', `gpg_domain($1)')
ifdef(`xauth.te', `xauth_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.22/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/macros/program/inetd_macros.te 2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,52 @@
+#################################
+#
+# Rules for the $1_t domain.
+#
+# $1_t is a general domain for daemons started
+# by inetd that do not have their own individual domains yet.
+# $1_exec_t is the type of the corresponding
+# programs.
+#
+define(`inetd_child_domain', `
+type $1_t, domain, privlog;
+role system_r types $1_t;
+
+domain_auto_trans(inetd_t, $1_exec_t, $1_t)
+allow inetd_t $1_t:process sigkill;
+
+can_network($1_t)
+can_ypbind($1_t)
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+read_locale($1_t)
+allow $1_t device_t:dir search;
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:{ file lnk_file } { getattr read };
+allow $1_t self:process { fork signal_perms };
+allow $1_t fs_t:filesystem getattr;
+
+allow $1_t sysctl_kernel_t:dir search;
+allow $1_t sysctl_kernel_t:file { getattr read };
+
+allow $1_t etc_t:file { getattr read };
+
+tmp_domain($1)
+allow $1_t var_t:dir search;
+var_run_domain($1)
+
+# Use sockets inherited from inetd.
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# for identd
+allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow $1_t self:capability { setuid setgid };
+allow $1_t home_root_t:dir { search };
+allow $1_t self:dir { search };
+allow $1_t self:file { getattr read };
+allow $1_t krb5_conf_t:file r_file_perms;
+dontaudit $1_t krb5_conf_t:file write;
+allow $1_t urandom_device_t:chr_file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.22/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2004-09-22 16:19:14.000000000 -0400
+++ policy-1.17.22/macros/program/mozilla_macros.te 2004-09-27 10:16:53.000000000 -0400
@@ -115,6 +115,8 @@
dontaudit $1_mozilla_t bin_t:dir { getattr };
dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+# Mozilla tries to delete .fonts.cache-1
+dontaudit $1_mozilla_t $1_home_t:file { unlink };
ifdef(`xdm.te', `
allow $1_mozilla_t xdm_t:fifo_file { write read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screensaver_macros.te policy-1.17.22/macros/program/screensaver_macros.te
--- nsapolicy/macros/program/screensaver_macros.te 2004-08-12 13:21:12.000000000 -0400
+++ policy-1.17.22/macros/program/screensaver_macros.te 1969-12-31 19:00:00.000000000 -0500
@@ -1,83 +0,0 @@
-#DESC screensaver - X Windows screensaver needs access to password
-#
-# Macros for xscreensaver
-#
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# screensaver_domain(domain_prefix)
-#
-# Define a derived domain for the xscreensaver program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/screensaver.te.
-#
-define(`screensaver_domain',`
-x_client_domain($1, screensaver, `, auth_chkpwd');
-dontaudit $1_screensaver_t shadow_t:file { getattr read };
-allow $1_screensaver_t krb5_conf_t:file { getattr read };
-dontaudit $1_screensaver_t krb5_conf_t:file { write };
-
-# Read system information files in /proc.
-dontaudit $1_screensaver_t proc_t:dir r_dir_perms;
-allow $1_screensaver_t proc_t:file r_file_perms;
-
-allow $1_screensaver_t devpts_t:dir r_dir_perms;
-base_file_read_access($1_screensaver_t)
-
-dontaudit $1_screensaver_t port_type:tcp_socket name_bind;
-
-allow $1_screensaver_t etc_t:file { getattr read };
-allow $1_screensaver_t self:unix_stream_socket create_socket_perms;
-
-domain_trans($1_screensaver_t, shell_exec_t, $1_t)
-domain_trans($1_screensaver_t, bin_t, $1_t)
-
-allow $1_screensaver_t initrc_var_run_t:file { lock read };
-#
-# Looking for icons
-dontaudit $1_screensaver_t $1_home_t:dir r_dir_perms;
-dontaudit $1_screensaver_t $1_home_t:file r_file_perms;
-
-# Fortune data
-ifdef(`games.te',`
-dontaudit $1_screensaver_t games_data_t:dir { getattr search };
-')
-
-allow $1_screensaver_t initrc_var_run_t:file { lock read };
-
-#
-# Need to fix the starwars not to read /usr/src dir
-#
-dontaudit $1_screensaver_t src_t:dir { search };
-dontaudit $1_screensaver_t src_t:file { getattr read };
-
-#
-# Worse performance but safer
-#
-dontaudit $1_screensaver_t device_t:dir rw_dir_perms;
-dontaudit $1_screensaver_t dri_device_t:chr_file rw_file_perms;
-allow $1_screensaver_t self:file { getattr read };
-allow $1_screensaver_t self:process { setsched };
-allow $1_screensaver_t urandom_device_t:chr_file { getattr ioctl read };
-
-# Screen savers request the following
-dontaudit $1_screensaver_t $1_t:rawip_socket { create };
-
-ifdef(`xdm.te', `
-allow $1_screensaver_t xdm_tmp_t:dir { search };
-allow $1_screensaver_t xdm_tmp_t:file { getattr read };
-allow $1_screensaver_t xdm_xserver_t:unix_stream_socket { connectto };
-')
-dontaudit $1_screensaver_t var_t:dir { search };
-
-ifdef(`nfs_home_dirs', `
-create_dir_file($1_screensaver_t, nfs_t)
-')dnl end if nfs_home_dirs
-dontaudit $1_screensaver_t $1_screensaver_t:rawip_socket { create };
-
-') dnl screesaver_domain
-
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.22/net_contexts
--- nsapolicy/net_contexts 2004-08-23 14:54:50.000000000 -0400
+++ policy-1.17.22/net_contexts 2004-09-27 10:16:53.000000000 -0400
@@ -35,7 +35,6 @@
portcon udp 891 system_u:object_r:inetd_port_t
portcon tcp 892 system_u:object_r:inetd_port_t
portcon udp 892 system_u:object_r:inetd_port_t
-portcon tcp 901 system_u:object_r:biff_port_t
')
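Review bot: removing portcon tcp 901 system_u:object_r:biff_port_t is right, since 901 is swat's port rather than biff's, but check that the biff_port_t type declaration and any rule using it are removed as well, otherwise it becomes an orphan type. Note also that the new comsat domain in this patch declares comsat_port_t without getting a portcon of its own.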
ifdef(`ftpd.te', `
portcon tcp 20 system_u:object_r:ftp_data_port_t
@@ -105,6 +104,7 @@
portcon udp 631 system_u:object_r:ipp_port_t
')
ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
ifdef(`use_pop', `
portcon tcp 993 system_u:object_r:pop_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.22/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.22/tunables/distro.tun 2004-09-27 10:16:53.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
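Review bot: this flips the upstream default to define(`distro_redhat'), which switches on every distro_redhat ifdef in the tree for everyone building from this source. A distribution setting belongs in the distribution's build or a local tunables override, not in the shipped default; please drop this hunk or keep the dnl.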
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.22/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-09-23 15:09:01.000000000 -0400
+++ policy-1.17.22/tunables/tunable.tun 2004-09-27 10:16:53.000000000 -0400
@@ -1,48 +1,42 @@
# Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
# Allow users to control network interfaces (also needs USERCTL=true)
dnl define(`user_net_control')
# Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
# Allow users to run games
-dnl define(`use_games')
+define(`use_games')
# Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
-
-# Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow the reading on any NFS file system
-dnl define(`nfs_export_all_ro')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
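Review bot: this hunk enables nscd_all_connect, user_can_mount, unlimitedRPM, unlimitedUtils, nfs_home_dirs, use_games, allow_ypbind, unlimitedRC, hide_broken_symptoms and user_canbe_sysadm by default. Several of these (unlimitedRPM, unlimitedUtils, unlimitedRC, user_canbe_sysadm) run privileged programs unconfined or let user_r reach sysadm_r, which undoes much of what the strict policy is for; like the distro_redhat change, these are distribution defaults and should stay dnl'd upstream. The comments for nfs_export_all_rw and nfs_export_all_ro are deleted here without being moved to rpcd.te where the booleans now live, so that text should be carried over.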