* Patch for strict policy
@ 2004-09-24 14:32 Daniel J Walsh
  2004-09-25 16:57 ` Russell Coker
  2004-09-27 16:43 ` James Carter
  0 siblings, 2 replies; 7+ messages in thread
From: Daniel J Walsh @ 2004-09-24 14:32 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 156 bytes --]

Added policy templates for swat, ktalkd, in.comsat, and rsync daemons to 
be run by xinetd.
Separated out inetd_child_t context into a macro.
Mailman fixes

[-- Attachment #2: policy-20040924.patch --]
[-- Type: text/plain, Size: 20463 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.20/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-09-21 12:51:05.000000000 -0400
+++ policy-1.17.20/domains/program/initrc.te	2004-09-23 13:57:50.000000000 -0400
@@ -48,6 +48,8 @@
 allow initrc_t usbdevfs_t:dir r_dir_perms;
 allow initrc_t usbdevfs_t:lnk_file r_file_perms;
 allow initrc_t usbdevfs_t:file getattr;
+allow initrc_t usbfs_t:dir r_dir_perms;
+allow initrc_t usbfs_t:file getattr;
 
 # allow initrc to fork and renice itself
 allow initrc_t self:process { fork sigchld setsched setpgid setrlimit };
@@ -199,6 +201,9 @@
 allow initrc_t boot_t:lnk_file rw_file_perms;
 file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
 
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
 #
 # readahead asks for these
 #
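Review bot: The two added `tmpfs_t` rules after the boot_t lines are unconditional and carry no comment, while the matching grants in mount.te and hotplug.te in this patch sit inside the distro_redhat ifdef. `allow initrc_t tmpfs_t:chr_file rw_file_perms;` lets initrc_t read and write any character device node that still has the generic tmpfs_t label, so it needs a comment saying which nodes are meant (presumably device nodes on a tmpfs-backed /dev before they are relabeled; the patch does not say) and the same distro guard. The same missing rationale applies to the dontaudit-to-allow change in mount.te and to the hotplug_t rules in hotplug.te.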
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.20/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.20/domains/program/mount.te	2004-09-23 13:57:50.000000000 -0400
@@ -97,6 +97,6 @@
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
 ifdef(`distro_redhat', `
-dontaudit mount_t tmpfs_t:chr_file { read write };
+allow mount_t tmpfs_t:chr_file { read write };
 allow mount_t tmpfs_t:dir { mounton };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.17.20/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.20/domains/program/unused/cardmgr.te	2004-09-24 10:01:56.156856947 -0400
@@ -23,7 +23,7 @@
 allow cardmgr_t home_root_t:dir search;
 
 # Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
 
 # for /etc/resolv.conf
 file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
@@ -78,7 +78,7 @@
 domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
 ')
 
-ifdef(`hide_broken_symptoms', `', `
+ifdef(`hide_broken_symptoms', `
 dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
 dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.20/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/domains/program/unused/comsat.te	2004-09-24 10:02:23.453775339 -0400
@@ -0,0 +1,14 @@
+#DESC comsat - biff server
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the comsat_t domain.
+#
+# comsat_exec_t is the type of the comsat executable.
+#
+
+type comsat_port_t, port_type;
+inetd_child_domain(comsat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.20/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-23 09:01:00.000000000 -0400
+++ policy-1.17.20/domains/program/unused/cups.te	2004-09-24 10:01:49.701585696 -0400
@@ -168,3 +168,4 @@
 allow cupsd_t hald_t:dbus { send_msg };
 allow hald_t cupsd_t:dbus { send_msg };
 ')
+allow cupsd_t userdomain:dbus { send_msg };
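Review bot: The added `allow cupsd_t userdomain:dbus { send_msg };` sits after the closing `')` of the hald.te block, so it is unconditional, and it names the whole `userdomain` attribute with no comment on which client needs it. The neighbouring hald rules grant send_msg in both directions, whereas here only cupsd_t to user domains is allowed, so if a reply path is expected it is not in this hunk. A one-line comment naming the D-Bus consumer would let a later reviewer narrow the target from the attribute to the domains that actually need it.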
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.20/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/domains/program/unused/dbskkd.te	2004-09-24 10:02:33.858600716 -0400
@@ -0,0 +1,14 @@
+#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the dbskkd_t domain.
+#
+# dbskkd_exec_t is the type of the dbskkd executable.
+#
+
+type dbskkd_port_t, port_type;
+inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.20/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-24 10:06:08.297392263 -0400
+++ policy-1.17.20/domains/program/unused/hald.te	2004-09-23 09:01:17.000000000 -0400
@@ -50,6 +50,9 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
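Review bot: The new block is guarded on udev.te but the type it references is `hotplug_etc_t`, which by its name belongs to hotplug.te (its declaration is not visible in this patch). If udev.te is built without hotplug.te the policy would fail on an undeclared type; guarding the `r_dir_file(hald_t, hotplug_etc_t)` line on hotplug.te instead avoids that. The later revision of this patch has the same pattern in consoletype.te, where `allow consoletype_t firstboot_t:fifo_file { write };` is added outside any guard on firstboot.te.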
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.20/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-23 09:01:00.000000000 -0400
+++ policy-1.17.20/domains/program/unused/hotplug.te	2004-09-23 13:57:50.000000000 -0400
@@ -47,6 +47,9 @@
 ifdef(`distro_redhat', `
 # for arping used for static IP addresses on PCMCIA ethernet
 domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+
+allow hotplug_t tmpfs_t:dir search;
+allow hotplug_t tmpfs_t:chr_file rw_file_perms;
 ')dnl end if distro_redhat
 ')dnl end if netutils.te
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.20/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-09-10 16:10:36.000000000 -0400
+++ policy-1.17.20/domains/program/unused/inetd.te	2004-09-24 10:01:29.025919816 -0400
@@ -44,8 +44,6 @@
 # Run other daemons in the inetd_child_t domain.
 allow inetd_t { bin_t sbin_t }:dir search;
 allow inetd_t sbin_t:lnk_file read;
-domain_auto_trans(inetd_t, inetd_child_exec_t, inetd_child_t)
-allow inetd_t inetd_child_t:process sigkill;
 
 # Bind to the telnet, ftp, rlogin and rsh ports.
 allow inetd_t telnet_port_t:tcp_socket name_bind;
@@ -71,53 +69,7 @@
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 
 
-#################################
-#
-# Rules for the inetd_child_t domain.
-#
-# inetd_child_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# inetd_child_exec_t is the type of the corresponding
-# programs.
-#
-type inetd_child_t, domain, privlog;
-role system_r types inetd_child_t;
-
-can_network(inetd_child_t)
-can_ypbind(inetd_child_t)
-uses_shlib(inetd_child_t)
-allow inetd_child_t self:unix_dgram_socket create_socket_perms;
-allow inetd_child_t self:unix_stream_socket create_socket_perms;
-allow inetd_child_t self:fifo_file rw_file_perms;
-type inetd_child_exec_t, file_type, sysadmfile, exec_type;
-read_locale(inetd_child_t)
-allow inetd_child_t device_t:dir search;
-allow inetd_child_t proc_t:dir search;
-allow inetd_child_t proc_t:{ file lnk_file } { getattr read };
-allow inetd_child_t self:process { fork signal_perms };
-allow inetd_child_t fs_t:filesystem getattr;
-
-allow inetd_child_t sysctl_kernel_t:dir search;
-allow inetd_child_t sysctl_kernel_t:file { getattr read };
-
-allow inetd_child_t etc_t:file { getattr read };
-
-tmp_domain(inetd_child)
-allow inetd_child_t var_t:dir search;
-var_run_domain(inetd_child)
-
-# Use sockets inherited from inetd.
-allow inetd_child_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# for identd
-allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow inetd_child_t self:capability { setuid setgid };
-allow inetd_child_t home_root_t:dir { search };
-allow inetd_child_t self:dir { search };
-allow inetd_child_t self:file { getattr read };
-allow inetd_child_t krb5_conf_t:file r_file_perms;
-dontaudit inetd_child_t krb5_conf_t:file write;
-allow inetd_child_t urandom_device_t:chr_file { getattr read };
+inetd_child_domain(inetd_child)
 
 ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.20/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.20/domains/program/unused/rpcd.te	2004-09-23 12:21:36.000000000 -0400
@@ -91,14 +91,19 @@
 type nfsd_rw_t, file_type, sysadmfile, usercanread;
 type nfsd_ro_t, file_type, sysadmfile, usercanread;
 
-ifdef(`nfs_export_all_rw', `
+bool nfs_export_all_rw false;
+
+if(nfs_export_all_rw) {
 allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
 create_dir_file(kernel_t,{ file_type -shadow_t })
-')
-ifdef(`nfs_export_all_ro', `
+}
+
+bool nfs_export_all_ro false;
+
+if(nfs_export_all_ro) {
 allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
 r_dir_file(kernel_t,{ file_type -shadow_t })
-')
+}
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
 create_dir_file(kernel_t, nfsd_rw_t);
 r_dir_file(kernel_t, nfsd_ro_t);
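Review bot: The two new `bool` declarations have no comment, and the only description of these switches is deleted from tunables/tunable.tun in the same patch. Carry the text over, e.g. `# Allow the read/write/create on any NFS file system` above `bool nfs_export_all_rw false;` and `# Allow the reading on any NFS file system` above `bool nfs_export_all_ro false;`. Because a boolean can be flipped on a running system, the comment on the rw one should also say that enabling it gives kernel_t create access to every file_type except shadow_t, as the `create_dir_file(kernel_t,{ file_type -shadow_t })` line shows.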
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.20/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/domains/program/unused/rsync.te	2004-09-24 10:02:54.773239618 -0400
@@ -0,0 +1,14 @@
+#DESC rsync - flexible replacement for rcp
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the rsync_t domain.
+#
+# rsync_exec_t is the type of the rsync executable.
+#
+
+type rsync_port_t, port_type;
+inetd_child_domain(rsync)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.20/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/domains/program/unused/swat.te	2004-09-24 10:02:28.230236114 -0400
@@ -0,0 +1,14 @@
+#DESC swat - Samba Web Administration Tool
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the swat_t domain.
+#
+# swat_exec_t is the type of the swat executable.
+#
+
+type swat_port_t, port_type;
+inetd_child_domain(swat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.20/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.20/domains/program/unused/udev.te	2004-09-24 10:00:38.925575751 -0400
@@ -23,7 +23,7 @@
 #
 type udev_tbl_t, file_type, sysadmfile, dev_fs;
 file_type_auto_trans(udev_t, device_t, udev_tbl_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
@@ -103,3 +103,5 @@
 dbusd_client(system, udev_t)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_modprobe_t:file { getattr read };
+allow udev_t udev_t:rawip_socket create_socket_perms;
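Review bot: The added rawip_socket rule spells its target as `udev_t` where the other self-rules in this file use `self` (see the `allow udev_t self:unix_dgram_socket create_socket_perms;` context line in the previous hunk); write it as `allow udev_t self:rawip_socket create_socket_perms;`. Both added lines also lack a comment saying which udev helper reads the modprobe sysctl and which one opens a raw IP socket, and without that the grants cannot be checked against need.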
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/comsat.fc policy-1.17.20/file_contexts/program/comsat.fc
--- nsapolicy/file_contexts/program/comsat.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/file_contexts/program/comsat.fc	2004-09-24 10:05:50.835363588 -0400
@@ -0,0 +1,2 @@
+# biff server
+/usr/sbin/in.comsat	--	system_u:object_r:comsat_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dbskkd.fc policy-1.17.20/file_contexts/program/dbskkd.fc
--- nsapolicy/file_contexts/program/dbskkd.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/file_contexts/program/dbskkd.fc	2004-09-24 10:05:50.837363363 -0400
@@ -0,0 +1,2 @@
+# A dictionary server for the SKK Japanese input method system.
+/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.20/file_contexts/program/ktalkd.fc
--- nsapolicy/file_contexts/program/ktalkd.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/file_contexts/program/ktalkd.fc	2004-09-24 10:05:50.845362460 -0400
@@ -0,0 +1,2 @@
+# kde talk daemon 
+/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.20/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.20/file_contexts/program/mailman.fc	2004-09-24 10:05:50.847362234 -0400
@@ -7,6 +7,7 @@
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
 /var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
 /etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
 /etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
 ')
@@ -19,5 +20,8 @@
 /var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
 /var/mailman/scripts/mailman 	-- system_u:object_r:mailman_mail_exec_t
 /var/mailman/bin/qrunner     	-- system_u:object_r:mailman_queue_exec_t
+/var/mailman/bin/mailmanctl     -- system_u:object_r:mailman_mail_exec_t
 /var/mailman/mail/mailman 	-- system_u:object_r:mailman_mail_exec_t
+/var/mailman/Mailman(/.*?)	   system_u:object_r:lib_t
+/var/mailman/pythonlib(/.*?)	   system_u:object_r:lib_t
 ')
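Review bot: The two added lib_t entries use `(/.*?)` where the rest of the file uses `(/.*)?`, so the group is no longer optional. As written the pattern requires a slash after the directory name and will not match the `/var/mailman/Mailman` and `/var/mailman/pythonlib` directories themselves, and `*?` is not a portable construct in POSIX regular expressions. They should read `/var/mailman/Mailman(/.*)?	   system_u:object_r:lib_t` and `/var/mailman/pythonlib(/.*)?	   system_u:object_r:lib_t`.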
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.17.20/file_contexts/program/rsync.fc
--- nsapolicy/file_contexts/program/rsync.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/file_contexts/program/rsync.fc	2004-09-24 10:05:50.854361444 -0400
@@ -0,0 +1,2 @@
+# rsync program
+/usr/bin/rsync	--	system_u:object_r:rsync_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/swat.fc policy-1.17.20/file_contexts/program/swat.fc
--- nsapolicy/file_contexts/program/swat.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/file_contexts/program/swat.fc	2004-09-24 10:05:50.859360879 -0400
@@ -0,0 +1,2 @@
+# samba management tool
+/usr/sbin/swat	--	system_u:object_r:swat_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.20/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-23 09:01:00.000000000 -0400
+++ policy-1.17.20/macros/base_user_macros.te	2004-09-24 10:04:26.394896253 -0400
@@ -291,6 +291,7 @@
 #
 allow $1_t rpc_pipefs_t:dir { getattr };
 allow $1_t nfsd_fs_t:dir { getattr };
+allow $1_t binfmt_misc_fs_t:dir { getattr };
 
 # /initrd is left mounted, various programs try to look at it
 dontaudit $1_t ramfs_t:dir { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.20/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.20/macros/program/inetd_macros.te	2004-09-24 10:06:57.702814779 -0400
@@ -0,0 +1,52 @@
+#################################
+#
+# Rules for the $1_t domain.
+#
+# $1_t is a general domain for daemons started
+# by inetd that do not have their own individual domains yet.
+# $1_exec_t is the type of the corresponding
+# programs.
+#
+define(`inetd_child_domain', `
+type $1_t, domain, privlog;
+role system_r types $1_t;
+
+domain_auto_trans(inetd_t, $1_exec_t, $1_t)
+allow inetd_t $1_t:process sigkill;
+
+can_network($1_t)
+can_ypbind($1_t)
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+read_locale($1_t)
+allow $1_t device_t:dir search;
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:{ file lnk_file } { getattr read };
+allow $1_t self:process { fork signal_perms };
+allow $1_t fs_t:filesystem getattr;
+
+allow $1_t sysctl_kernel_t:dir search;
+allow $1_t sysctl_kernel_t:file { getattr read };
+
+allow $1_t etc_t:file { getattr read };
+
+tmp_domain($1)
+allow $1_t var_t:dir search;
+var_run_domain($1)
+
+# Use sockets inherited from inetd.
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# for identd
+allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow $1_t self:capability { setuid setgid };
+allow $1_t home_root_t:dir { search };
+allow $1_t self:dir { search };
+allow $1_t self:file { getattr read };
+allow $1_t krb5_conf_t:file r_file_perms;
+dontaudit $1_t krb5_conf_t:file write;
+allow $1_t urandom_device_t:chr_file { getattr read };
+')
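Review bot: The template copies the rules under `# for identd` into every domain it instantiates, so comsat_t, dbskkd_t, rsync_t and swat_t all receive `self:capability { setuid setgid }` and the netlink_tcpdiag_socket access that the comment attributes to identd alone. Those rules should stay in inetd.te after `inetd_child_domain(inetd_child)`, written against inetd_child_t, with each new daemon adding only what it needs. The header comment still describes `$1_t` as the general domain for daemons that have no domain of their own, which no longer fits a template; it should say that the macro defines a domain and an entry-point type for one inetd-started service. The only inherited-socket rule is for `inetd_t:tcp_socket`, so a datagram service would need more than this macro grants; whether any of the new services is one is not stated in the patch.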
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.20/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-23 09:01:00.000000000 -0400
+++ policy-1.17.20/macros/program/mozilla_macros.te	2004-09-24 10:04:03.854440893 -0400
@@ -115,6 +115,8 @@
 dontaudit $1_mozilla_t bin_t:dir { getattr };
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+# Mozilla tries to delete .fonts.cache-1
+dontaudit $1_mozilla_t $1_home_t:file { unlink };
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
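Review bot: The added `dontaudit $1_mozilla_t $1_home_t:file { unlink };` silences every denied unlink of a `$1_home_t` file by the browser domain, not just the `.fonts.cache-1` case the comment gives as the reason. That removes the audit record an administrator would use to notice a browser process trying to delete user files. If the font cache is the only known source, giving that file its own type and putting the dontaudit on that type keeps the log quiet without hiding the rest; at minimum the comment should state that the rule covers all files of that type.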
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.20/net_contexts
--- nsapolicy/net_contexts	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.20/net_contexts	2004-09-24 10:03:30.156245155 -0400
@@ -35,7 +35,6 @@
 portcon udp 891 system_u:object_r:inetd_port_t
 portcon tcp 892 system_u:object_r:inetd_port_t
 portcon udp 892 system_u:object_r:inetd_port_t
-portcon tcp 901 system_u:object_r:biff_port_t
 ')
 ifdef(`ftpd.te', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
@@ -105,6 +104,7 @@
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
 portcon tcp 993 system_u:object_r:pop_port_t
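Review bot: Port 901 is relabeled to `swat_port_t` here, but no hunk in this patch lets inetd_t bind it: the inetd.te context shows per-port rules such as `allow inetd_t telnet_port_t:tcp_socket name_bind;`, and neither the inetd.te hunks nor inetd_child_domain add one for the new type. Unless that rule lives in a file outside this patch, a line like `allow inetd_t swat_port_t:tcp_socket name_bind;` is needed in swat.te. comsat.te, dbskkd.te and rsync.te also declare `comsat_port_t`, `dbskkd_port_t` and `rsync_port_t`, yet net_contexts gains no portcon entry for any of them, so those types label nothing.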
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.20/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.20/tunables/distro.tun	2004-09-23 09:26:44.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.20/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-24 10:06:25.077497921 -0400
+++ policy-1.17.20/tunables/tunable.tun	2004-09-23 12:22:29.000000000 -0400
@@ -1,48 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
-
-# Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow the reading on any NFS file system
-dnl define(`nfs_export_all_ro')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
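Review bot: This hunk turns on `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `user_canbe_sysadm`, `user_can_mount` and several other tunables by removing the `dnl` prefix, and the distro.tun hunk above does the same for `distro_redhat`. Going by the file's own comments, that makes rpm, hotplug and insmod, and rc scripts with the daemons they start run unconfined, and lets user_r reach sysadm_r, which changes the defaults for everyone building the strict policy and is unrelated to the xinetd and mailman work described. It reads like a local build configuration captured by the recursive diff; the old-side timestamp being newer than the new-side one points the same way. These defines should keep their `dnl` prefix in the submitted patch, leaving only the removal of the two nfs_export_all entries that rpcd.te replaces with booleans.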


* Re: Patch for strict policy
  2004-09-24 14:32 Patch for strict policy Daniel J Walsh
@ 2004-09-25 16:57 ` Russell Coker
  2004-09-27 16:43 ` James Carter
  1 sibling, 0 replies; 7+ messages in thread
From: Russell Coker @ 2004-09-25 16:57 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Sat, 25 Sep 2004 00:32, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Added policy templates for swat, ktalkd, in.comcast, and rsyn daemons to
> be run by xinetd.
> Separated out inetd_child_t context into a macro.
> Mailman fixes

-allow udev_t self:capability { chown dac_override dac_read_search fowner 
fsetid sys_admin mknod };
+allow udev_t self:capability { chown dac_override dac_read_search fowner 
fsetid sys_admin mknod net_raw net_admin };

What is udev doing that requires net_raw and net_admin?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: Patch for strict policy
  2004-09-24 14:32 Patch for strict policy Daniel J Walsh
  2004-09-25 16:57 ` Russell Coker
@ 2004-09-27 16:43 ` James Carter
  2004-09-27 17:26   ` Daniel J Walsh
  1 sibling, 1 reply; 7+ messages in thread
From: James Carter @ 2004-09-27 16:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Shouldn't there be a ktalkd.te?  I don't think ktalkd_exec_t is defined
anywhere.

On Fri, 2004-09-24 at 10:32, Daniel J Walsh wrote:
> Added policy templates for swat, ktalkd, in.comcast, and rsyn daemons to 
> be run by xinetd.
> Separated out inetd_child_t context into a macro.
> Mailman fixes
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.20/file_contexts/program/ktalkd.fc
> --- nsapolicy/file_contexts/program/ktalkd.fc	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.17.20/file_contexts/program/ktalkd.fc	2004-09-24 10:05:50.845362460 -0400
> @@ -0,0 +1,2 @@
> +# kde talk daemon 
> +/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: Patch for strict policy
  2004-09-27 16:43 ` James Carter
@ 2004-09-27 17:26   ` Daniel J Walsh
  2004-09-27 19:24     ` James Carter
  2004-09-27 20:55     ` Thomas Bleher
  0 siblings, 2 replies; 7+ messages in thread
From: Daniel J Walsh @ 2004-09-27 17:26 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 890 bytes --]

James Carter wrote:

>Shouldn't there be a ktalkd.te?  I don't think ktalkd_exec_t is defined
>anywhere.
>
>On Fri, 2004-09-24 at 10:32, Daniel J Walsh wrote:
>  
>
>>Added policy templates for swat, ktalkd, in.comcast, and rsyn daemons to 
>>be run by xinetd.
>>Separated out inetd_child_t context into a macro.
>>Mailman fixes
>>
>>______________________________________________________________________
>>diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.20/file_contexts/program/ktalkd.fc
>>--- nsapolicy/file_contexts/program/ktalkd.fc	1969-12-31 19:00:00.000000000 -0500
>>+++ policy-1.17.20/file_contexts/program/ktalkd.fc	2004-09-24 10:05:50.845362460 -0400
>>@@ -0,0 +1,2 @@
>>+# kde talk daemon 
>>+/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t
>>    
>>
>
>  
>
Oops, yes. Here is a new patch including ktalkd and some of Russell's fixes.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 30850 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/screensaver.te policy-1.17.22/domains/misc/screensaver.te
--- nsapolicy/domains/misc/screensaver.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/misc/screensaver.te	2004-09-27 10:19:13.000000000 -0400
@@ -0,0 +1,18 @@
+#
+# Alias file to stop blow up during policy upgrade, since 
+# screensaver policy is being removed.
+#
+typealias bin_t alias screensaver_exec_t;
+typealias sysadm_home_t alias sysadm_screensaver_t;
+typealias sysadm_home_t alias sysadm_screensaver_rw_t;
+typealias sysadm_home_t alias sysadm_screensaver_ro_t;
+typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
+typealias user_home_t alias user_screensaver_t;
+typealias user_home_t alias user_screensaver_rw_t;
+typealias user_home_t alias user_screensaver_ro_t;
+typealias user_home_t alias user_screensaver_tmpfs_t;
+typealias staff_home_t alias staff_screensaver_t;
+typealias staff_home_t alias staff_screensaver_rw_t;
+typealias staff_home_t alias staff_screensaver_ro_t;
+typealias staff_home_t alias staff_screensaver_tmpfs_t;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.22/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-09-20 15:40:58.000000000 -0400
+++ policy-1.17.22/domains/program/initrc.te	2004-09-27 10:16:53.000000000 -0400
@@ -48,6 +48,8 @@
 allow initrc_t usbdevfs_t:dir r_dir_perms;
 allow initrc_t usbdevfs_t:lnk_file r_file_perms;
 allow initrc_t usbdevfs_t:file getattr;
+allow initrc_t usbfs_t:dir r_dir_perms;
+allow initrc_t usbfs_t:file getattr;
 
 # allow initrc to fork and renice itself
 allow initrc_t self:process { fork sigchld setsched setpgid setrlimit };
@@ -199,6 +201,9 @@
 allow initrc_t boot_t:lnk_file rw_file_perms;
 file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
 
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
 #
 # readahead asks for these
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.22/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.22/domains/program/mount.te	2004-09-27 10:16:53.000000000 -0400
@@ -97,6 +97,6 @@
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
 ifdef(`distro_redhat', `
-dontaudit mount_t tmpfs_t:chr_file { read write };
+allow mount_t tmpfs_t:chr_file { read write };
 allow mount_t tmpfs_t:dir { mounton };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.17.22/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.22/domains/program/unused/cardmgr.te	2004-09-27 10:16:53.000000000 -0400
@@ -23,7 +23,7 @@
 allow cardmgr_t home_root_t:dir search;
 
 # Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
 
 # for /etc/resolv.conf
 file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
@@ -78,7 +78,7 @@
 domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
 ')
 
-ifdef(`hide_broken_symptoms', `', `
+ifdef(`hide_broken_symptoms', `
 dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
 dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.22/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/comsat.te	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC comsat - biff server
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the comsat_t domain.
+#
+# comsat_exec_t is the type of the comsat executable.
+#
+
+type comsat_port_t, port_type;
+inetd_child_domain(comsat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.22/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/consoletype.te	2004-09-27 10:16:53.000000000 -0400
@@ -54,3 +54,6 @@
 ifdef(`distro_redhat', `
 allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
 ')
+allow consoletype_t firstboot_t:fifo_file { write };
+dontaudit consoletype_t proc_t:file { read };
+dontaudit consoletype_t root_t:file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.22/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/cups.te	2004-09-27 11:04:53.179361344 -0400
@@ -31,7 +31,6 @@
 allow cupsd_t printer_device_t:chr_file rw_file_perms;
 allow cupsd_t urandom_device_t:chr_file { getattr read };
 dontaudit cupsd_t random_device_t:chr_file ioctl;
-dontaudit cupsd_t device_t:lnk_file { read }; 
 
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
@@ -156,6 +155,7 @@
 allow ptal_t printer_device_t:chr_file { ioctl read write };
 allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
 r_dir_file(ptal_t, usbdevfs_t)
+r_dir_file(ptal_t, usbfs_t)
 allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket { connectto };
 allow cupsd_t ptal_var_run_t:dir { search };
@@ -167,4 +167,8 @@
 ifdef(`hald.te', `
 allow cupsd_t hald_t:dbus { send_msg };
 allow hald_t cupsd_t:dbus { send_msg };
+allow hald_t cupsd_etc_t:dir search;
+allow hald_t printconf_t:file { getattr read };
+domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)
 ')
+allow cupsd_t userdomain:dbus { send_msg };
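Review bot: The added `domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)` lets anything hald_t executes with the cupsd_exec_t label enter the cupsd_t domain, and the hunk carries no comment on which program hald is expected to start. A comment naming that helper, and the reason hald_t reads `printconf_t` files and searches `cupsd_etc_t`, would let a reviewer judge whether a full transition into cupsd_t is needed or a smaller helper domain would do.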
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.22/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/dbskkd.te	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the dbskkd_t domain.
+#
+# dbskkd_exec_t is the type of the dbskkd executable.
+#
+
+type dbskkd_port_t, port_type;
+inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.22/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.22/domains/program/unused/hald.te	2004-09-27 11:02:13.033982220 -0400
@@ -38,6 +38,8 @@
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
 allow hald_t event_device_t:chr_file { getattr read ioctl };
+allow hald_t printer_device_t:chr_file rw_file_perms;
+allow hald_t urandom_device_t:chr_file { read };
 
 ifdef(`updfstab.te', `
 domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
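Review bot: `allow hald_t printer_device_t:chr_file rw_file_perms;` gives hald write access to printer devices, whereas the device rules just above it stop at `{ getattr read ioctl }`. If hald only probes the device, the same read-only set would do: `allow hald_t printer_device_t:chr_file { getattr read ioctl };`. If write access really is required (not evident from the diff), a one-line comment saying what needs it would help the next reviewer.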
@@ -50,6 +52,9 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
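Review bot: The new block is guarded by udev.te but the type it references is `hotplug_etc_t`, which by its name is presumably declared in hotplug.te (not shown in this hunk). A policy built with udev.te but without hotplug.te would then fail on an undeclared type. If that is right, the guard should test for hotplug.te instead, or for both files.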
@@ -57,4 +62,3 @@
 allow hald_t bin_t:lnk_file read;
 dontaudit hald_t selinux_config_t:dir { search };
 dontaudit hald_t userdomain:fd { use };
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.22/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/hotplug.te	2004-09-27 10:16:53.000000000 -0400
@@ -47,6 +47,9 @@
 ifdef(`distro_redhat', `
 # for arping used for static IP addresses on PCMCIA ethernet
 domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
+
+allow hotplug_t tmpfs_t:dir search;
+allow hotplug_t tmpfs_t:chr_file rw_file_perms;
 ')dnl end if distro_redhat
 ')dnl end if netutils.te
 
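Review bot: The two added `tmpfs_t` rules sit inside the netutils.te ifdef as well as the distro_redhat one, directly under a comment about arping, so hotplug only receives them when netutils.te is part of the policy. Nothing in the rules depends on netutils. If they are meant for a tmpfs-backed /dev on Red Hat (inferred from the similar initrc and mount rules elsewhere in this patch), they belong in their own distro_redhat block with a comment such as `# /dev may live on tmpfs on Red Hat systems`. The netutils.te ifdef opens above the hunk, so its exact condition is not visible here.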
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.22/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.22/domains/program/unused/inetd.te	2004-09-27 10:16:53.000000000 -0400
@@ -44,8 +44,6 @@
 # Run other daemons in the inetd_child_t domain.
 allow inetd_t { bin_t sbin_t }:dir search;
 allow inetd_t sbin_t:lnk_file read;
-domain_auto_trans(inetd_t, inetd_child_exec_t, inetd_child_t)
-allow inetd_t inetd_child_t:process sigkill;
 
 # Bind to the telnet, ftp, rlogin and rsh ports.
 allow inetd_t telnet_port_t:tcp_socket name_bind;
@@ -71,53 +69,7 @@
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 
 
-#################################
-#
-# Rules for the inetd_child_t domain.
-#
-# inetd_child_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# inetd_child_exec_t is the type of the corresponding
-# programs.
-#
-type inetd_child_t, domain, privlog;
-role system_r types inetd_child_t;
-
-can_network(inetd_child_t)
-can_ypbind(inetd_child_t)
-uses_shlib(inetd_child_t)
-allow inetd_child_t self:unix_dgram_socket create_socket_perms;
-allow inetd_child_t self:unix_stream_socket create_socket_perms;
-allow inetd_child_t self:fifo_file rw_file_perms;
-type inetd_child_exec_t, file_type, sysadmfile, exec_type;
-read_locale(inetd_child_t)
-allow inetd_child_t device_t:dir search;
-allow inetd_child_t proc_t:dir search;
-allow inetd_child_t proc_t:{ file lnk_file } { getattr read };
-allow inetd_child_t self:process { fork signal_perms };
-allow inetd_child_t fs_t:filesystem getattr;
-
-allow inetd_child_t sysctl_kernel_t:dir search;
-allow inetd_child_t sysctl_kernel_t:file { getattr read };
-
-allow inetd_child_t etc_t:file { getattr read };
-
-tmp_domain(inetd_child)
-allow inetd_child_t var_t:dir search;
-var_run_domain(inetd_child)
-
-# Use sockets inherited from inetd.
-allow inetd_child_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# for identd
-allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow inetd_child_t self:capability { setuid setgid };
-allow inetd_child_t home_root_t:dir { search };
-allow inetd_child_t self:dir { search };
-allow inetd_child_t self:file { getattr read };
-allow inetd_child_t krb5_conf_t:file r_file_perms;
-dontaudit inetd_child_t krb5_conf_t:file write;
-allow inetd_child_t urandom_device_t:chr_file { getattr read };
+inetd_child_domain(inetd_child)
 
 ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.17.22/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/iptables.te	2004-09-27 10:16:53.000000000 -0400
@@ -56,3 +56,6 @@
 
 # system-config-network appends to /var/log
 allow iptables_t var_log_t:file { append };
+ifdef(`firstboot.te', `
+allow iptables_t firstboot_t:fifo_file { write };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.22/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/ktalkd.te	2004-09-27 13:24:01.429584334 -0400
@@ -0,0 +1,14 @@
+#DESC ktalkd -  KDE version of the talk server 
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the ktalkd_t domain.
+#
+# ktalkd_exec_t is the type of the ktalkd executable.
+#
+
+type ktalkd_port_t, port_type;
+inetd_child_domain(ktalkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.22/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.22/domains/program/unused/ntpd.te	2004-09-27 10:16:53.000000000 -0400
@@ -66,3 +66,6 @@
 can_udp_send(ntpd_t, sysadm_t)
 can_udp_send(sysadm_t, ntpd_t)
 can_udp_send(ntpd_t, ntpd_t)
+ifdef(`firstboot.te', `
+dontaudit ntpd_t firstboot_t:fd { use };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.22/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.22/domains/program/unused/rhgb.te	2004-09-27 10:16:53.000000000 -0400
@@ -34,7 +34,7 @@
 allow insmod_t rhgb_t:fd use;
 
 allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t mnt_t:dir { mounton };
+allow rhgb_t mnt_t:dir { search mounton };
 allow rhgb_t rhgb_t:capability { sys_admin };
 dontaudit rhgb_t var_run_t:dir { search };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.22/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-08-27 16:51:30.000000000 -0400
+++ policy-1.17.22/domains/program/unused/rpcd.te	2004-09-27 10:16:53.000000000 -0400
@@ -91,14 +91,19 @@
 type nfsd_rw_t, file_type, sysadmfile, usercanread;
 type nfsd_ro_t, file_type, sysadmfile, usercanread;
 
-ifdef(`nfs_export_all_rw', `
+bool nfs_export_all_rw false;
+
+if(nfs_export_all_rw) {
 allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
 create_dir_file(kernel_t,{ file_type -shadow_t })
-')
-ifdef(`nfs_export_all_ro', `
+}
+
+bool nfs_export_all_ro false;
+
+if(nfs_export_all_ro) {
 allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
 r_dir_file(kernel_t,{ file_type -shadow_t })
-')
+}
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
 create_dir_file(kernel_t, nfsd_rw_t);
 r_dir_file(kernel_t, nfsd_ro_t);
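Review bot: The two new `bool` declarations carry no description, and this patch deletes the only one there was: the `# Allow the read/write/create on any NFS file system` and `# Allow the reading on any NFS file system` comments in tunables/tunable.tun. As booleans these can now be toggled on a running system, and each one opens every file type except `shadow_t` to `kernel_t`, so the comments should move onto the `bool nfs_export_all_rw false;` and `bool nfs_export_all_ro false;` lines. Both conditional blocks also repeat the same `allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;` rule, which is worth a word on why it is needed in each.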
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.22/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/rsync.te	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC rsync - flexible replacement for rcp
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the rsync_t domain.
+#
+# rsync_exec_t is the type of the rsync executable.
+#
+
+type rsync_port_t, port_type;
+inetd_child_domain(rsync)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/screensaver.te policy-1.17.22/domains/program/unused/screensaver.te
--- nsapolicy/domains/program/unused/screensaver.te	2004-03-31 12:59:08.000000000 -0500
+++ policy-1.17.22/domains/program/unused/screensaver.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,15 +0,0 @@
-#DESC screensaver - X Windows screensaver needs access to password
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-
-#################################
-# 
-# Rules for the screensaver_t domain
-#
-
-type screensaver_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the screensaver_domain macro in
-# macros/program/screensaver_macros.te.
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.22/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/domains/program/unused/swat.te	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,14 @@
+#DESC swat - Samba Web Administration Tool
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the swat_t domain.
+#
+# swat_exec_t is the type of the swat executable.
+#
+
+type swat_port_t, port_type;
+inetd_child_domain(swat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.22/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.22/domains/program/unused/udev.te	2004-09-27 10:16:53.000000000 -0400
@@ -23,7 +23,7 @@
 #
 type udev_tbl_t, file_type, sysadmfile, dev_fs;
 file_type_auto_trans(udev_t, device_t, udev_tbl_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
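Review bot: `net_raw` and `net_admin` are added to `udev_t` with no comment saying what needs them, and the second hunk of this file adds the matching `allow udev_t udev_t:rawip_socket create_socket_perms;`. udev_t already holds `sys_admin`, `mknod` and `dac_override`, so raw-socket and network-administration rights on top of that deserve a stated reason, for example a comment naming the helper that udev runs in its own domain (not visible in this diff). If a separate program needs them, a domain transition would keep them out of udev_t. For consistency with the `self:` rules on the following lines, the socket rule would read `allow udev_t self:rawip_socket create_socket_perms;`.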
@@ -103,3 +103,5 @@
 dbusd_client(system, udev_t)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_modprobe_t:file { getattr read };
+allow udev_t udev_t:rawip_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/comsat.fc policy-1.17.22/file_contexts/program/comsat.fc
--- nsapolicy/file_contexts/program/comsat.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/comsat.fc	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# biff server
+/usr/sbin/in.comsat	--	system_u:object_r:comsat_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dbskkd.fc policy-1.17.22/file_contexts/program/dbskkd.fc
--- nsapolicy/file_contexts/program/dbskkd.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/dbskkd.fc	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# A dictionary server for the SKK Japanese input method system.
+/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.22/file_contexts/program/ktalkd.fc
--- nsapolicy/file_contexts/program/ktalkd.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/ktalkd.fc	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# kde talk daemon 
+/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.17.22/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-09-01 11:17:49.000000000 -0400
+++ policy-1.17.22/file_contexts/program/mailman.fc	2004-09-27 10:16:53.000000000 -0400
@@ -7,6 +7,7 @@
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
 /var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
 /var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
+/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
 /etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
 /etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
 ')
@@ -19,5 +20,8 @@
 /var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
 /var/mailman/scripts/mailman 	-- system_u:object_r:mailman_mail_exec_t
 /var/mailman/bin/qrunner     	-- system_u:object_r:mailman_queue_exec_t
+/var/mailman/bin/mailmanctl     -- system_u:object_r:mailman_mail_exec_t
 /var/mailman/mail/mailman 	-- system_u:object_r:mailman_mail_exec_t
+/var/mailman/Mailman(/.*?)	   system_u:object_r:lib_t
+/var/mailman/pythonlib(/.*?)	   system_u:object_r:lib_t
 ')
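Review bot: The two added `lib_t` entries use `(/.*?)` where the neighbouring entries use `(/.*)?`, so the `?` ends up inside the group instead of making the group optional. As written the pattern requires a `/` after the directory name, which leaves `/var/mailman/Mailman` and `/var/mailman/pythonlib` themselves without the `lib_t` label. They should read `/var/mailman/Mailman(/.*)?` and `/var/mailman/pythonlib(/.*)?`.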
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.17.22/file_contexts/program/rsync.fc
--- nsapolicy/file_contexts/program/rsync.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/rsync.fc	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# rsync program
+/usr/bin/rsync	--	system_u:object_r:rsync_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/screensaver.fc policy-1.17.22/file_contexts/program/screensaver.fc
--- nsapolicy/file_contexts/program/screensaver.fc	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.22/file_contexts/program/screensaver.fc	1969-12-31 19:00:00.000000000 -0500
@@ -1,7 +0,0 @@
-# screensaver
-/usr/X11R6/bin/xscreensaver		--	system_u:object_r:screensaver_exec_t
-/usr/X11R6/bin/xscreensaver-demo	--      system_u:object_r:screensaver_exec_t
-/opt/kde3/bin/kdesktop_lock		--	system_u:object_r:screensaver_exec_t
-/usr/bin/kdesktop_lock			--	system_u:object_r:screensaver_exec_t
-/usr/X11R6/lib(64)?/xscreensaver(.*)?	system_u:object_r:bin_t
-HOME_DIR/\.xscreensaver	system_u:object_r:ROLE_screensaver_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/swat.fc policy-1.17.22/file_contexts/program/swat.fc
--- nsapolicy/file_contexts/program/swat.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/file_contexts/program/swat.fc	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,2 @@
+# samba management tool
+/usr/sbin/swat	--	system_u:object_r:swat_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.22/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.22/file_contexts/types.fc	2004-09-27 10:56:34.336171167 -0400
@@ -144,6 +144,9 @@
 /dev/par.*		-c	system_u:object_r:printer_device_t
 /dev/usb/lp.*		-c	system_u:object_r:printer_device_t
 /dev/usblp.*		-c	system_u:object_r:printer_device_t
+ifdef(`distro_redhat', `
+/dev/root		-b	system_u:object_r:fixed_disk_device_t
+')
 /u?dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
 /u?dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
 /u?dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.22/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-24 11:42:14.000000000 -0400
+++ policy-1.17.22/macros/base_user_macros.te	2004-09-27 10:17:09.000000000 -0400
@@ -153,7 +153,6 @@
 
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`screensaver.te', `screensaver_domain($1)')
 ifdef(`use_games', `ifdef(`games.te', `games_domain($1)')')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.22/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.22/macros/program/inetd_macros.te	2004-09-27 10:16:53.000000000 -0400
@@ -0,0 +1,52 @@
+#################################
+#
+# Rules for the $1_t domain.
+#
+# $1_t is a general domain for daemons started
+# by inetd that do not have their own individual domains yet.
+# $1_exec_t is the type of the corresponding
+# programs.
+#
+define(`inetd_child_domain', `
+type $1_t, domain, privlog;
+role system_r types $1_t;
+
+domain_auto_trans(inetd_t, $1_exec_t, $1_t)
+allow inetd_t $1_t:process sigkill;
+
+can_network($1_t)
+can_ypbind($1_t)
+uses_shlib($1_t)
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t self:fifo_file rw_file_perms;
+type $1_exec_t, file_type, sysadmfile, exec_type;
+read_locale($1_t)
+allow $1_t device_t:dir search;
+allow $1_t proc_t:dir search;
+allow $1_t proc_t:{ file lnk_file } { getattr read };
+allow $1_t self:process { fork signal_perms };
+allow $1_t fs_t:filesystem getattr;
+
+allow $1_t sysctl_kernel_t:dir search;
+allow $1_t sysctl_kernel_t:file { getattr read };
+
+allow $1_t etc_t:file { getattr read };
+
+tmp_domain($1)
+allow $1_t var_t:dir search;
+var_run_domain($1)
+
+# Use sockets inherited from inetd.
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+
+# for identd
+allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow $1_t self:capability { setuid setgid };
+allow $1_t home_root_t:dir { search };
+allow $1_t self:dir { search };
+allow $1_t self:file { getattr read };
+allow $1_t krb5_conf_t:file r_file_perms;
+dontaudit $1_t krb5_conf_t:file write;
+allow $1_t urandom_device_t:chr_file { getattr read };
+')
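Review bot: Every domain built from `inetd_child_domain` inherits the block commented `# for identd`, including `allow $1_t self:capability { setuid setgid };` and the `netlink_tcpdiag_socket` access, so swat, rsync, ktalkd and dbskkd all receive privileges that the comment attributes to one daemon. In the old inetd.te these rules applied to a single catch-all domain, but as a template the grant is repeated for each new service. Consider keeping only the common rules in the macro and placing the identd block after the `inetd_child_domain(inetd_child)` call in inetd.te, written for `inetd_child_t`. The template also passes on only `inetd_t:tcp_socket`, which would not cover a service that inetd hands a UDP socket, if any of the new ones is started that way.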
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.22/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-22 16:19:14.000000000 -0400
+++ policy-1.17.22/macros/program/mozilla_macros.te	2004-09-27 10:16:53.000000000 -0400
@@ -115,6 +115,8 @@
 dontaudit $1_mozilla_t bin_t:dir { getattr };
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+# Mozilla tries to delete .fonts.cache-1
+dontaudit $1_mozilla_t $1_home_t:file { unlink };
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
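Review bot: The added `dontaudit $1_mozilla_t $1_home_t:file { unlink };` silences every denied unlink on a home-directory file, not only the `.fonts.cache-1` case the comment names. The denial itself stays in force, but a browser process trying to delete user files would no longer leave an AVC record, which is exactly the signal one wants from that domain. Consider leaving this audited, or giving the font cache its own type so the `dontaudit` can name just that file. At minimum the comment should say `# Mozilla tries to delete .fonts.cache-1; this hides all unlink denials on $1_home_t`. The macro this rule belongs to starts outside the hunk.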
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screensaver_macros.te policy-1.17.22/macros/program/screensaver_macros.te
--- nsapolicy/macros/program/screensaver_macros.te	2004-08-12 13:21:12.000000000 -0400
+++ policy-1.17.22/macros/program/screensaver_macros.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,83 +0,0 @@
-#DESC screensaver - X Windows screensaver needs access to password
-#
-# Macros for xscreensaver 
-#
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-
-#
-# screensaver_domain(domain_prefix)
-#
-# Define a derived domain for the xscreensaver program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/screensaver.te. 
-#
-define(`screensaver_domain',`
-x_client_domain($1, screensaver, `, auth_chkpwd');
-dontaudit $1_screensaver_t shadow_t:file { getattr read };
-allow $1_screensaver_t krb5_conf_t:file { getattr read };
-dontaudit $1_screensaver_t krb5_conf_t:file { write };
-
-# Read system information files in /proc.
-dontaudit $1_screensaver_t proc_t:dir r_dir_perms;
-allow $1_screensaver_t proc_t:file  r_file_perms;
-
-allow $1_screensaver_t devpts_t:dir r_dir_perms;
-base_file_read_access($1_screensaver_t)
-
-dontaudit $1_screensaver_t port_type:tcp_socket name_bind;
-
-allow $1_screensaver_t etc_t:file { getattr read };
-allow $1_screensaver_t self:unix_stream_socket create_socket_perms;
-
-domain_trans($1_screensaver_t, shell_exec_t, $1_t)
-domain_trans($1_screensaver_t, bin_t, $1_t)
-
-allow $1_screensaver_t initrc_var_run_t:file { lock read };
-# 
-# Looking for icons
-dontaudit $1_screensaver_t $1_home_t:dir r_dir_perms;
-dontaudit $1_screensaver_t $1_home_t:file r_file_perms;
-
-# Fortune data
-ifdef(`games.te',`
-dontaudit $1_screensaver_t games_data_t:dir { getattr search };
-')
-
-allow $1_screensaver_t initrc_var_run_t:file { lock read };
-
-#
-# Need to fix the starwars not to read /usr/src dir
-#
-dontaudit $1_screensaver_t src_t:dir { search };
-dontaudit $1_screensaver_t src_t:file { getattr read };
-
-#
-# Worse performance but safer
-#
-dontaudit $1_screensaver_t device_t:dir rw_dir_perms;
-dontaudit $1_screensaver_t dri_device_t:chr_file rw_file_perms;
-allow $1_screensaver_t self:file { getattr read };
-allow $1_screensaver_t self:process { setsched };
-allow $1_screensaver_t urandom_device_t:chr_file { getattr ioctl read };
-
-# Screen savers request the following
-dontaudit $1_screensaver_t $1_t:rawip_socket { create };
-
-ifdef(`xdm.te', `
-allow $1_screensaver_t xdm_tmp_t:dir { search };
-allow $1_screensaver_t xdm_tmp_t:file { getattr read };
-allow $1_screensaver_t xdm_xserver_t:unix_stream_socket { connectto };
-')
-dontaudit $1_screensaver_t var_t:dir { search };
-
-ifdef(`nfs_home_dirs', `
-create_dir_file($1_screensaver_t, nfs_t)
-')dnl end if nfs_home_dirs
-dontaudit $1_screensaver_t $1_screensaver_t:rawip_socket { create };
-
-') dnl screesaver_domain
-
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.22/net_contexts
--- nsapolicy/net_contexts	2004-08-23 14:54:50.000000000 -0400
+++ policy-1.17.22/net_contexts	2004-09-27 10:16:53.000000000 -0400
@@ -35,7 +35,6 @@
 portcon udp 891 system_u:object_r:inetd_port_t
 portcon tcp 892 system_u:object_r:inetd_port_t
 portcon udp 892 system_u:object_r:inetd_port_t
-portcon tcp 901 system_u:object_r:biff_port_t
 ')
 ifdef(`ftpd.te', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
@@ -105,6 +104,7 @@
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
 portcon tcp 993 system_u:object_r:pop_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.22/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.22/tunables/distro.tun	2004-09-27 10:16:53.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.22/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-23 15:09:01.000000000 -0400
+++ policy-1.17.22/tunables/tunable.tun	2004-09-27 10:16:53.000000000 -0400
@@ -1,48 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
-
-# Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow the reading on any NFS file system
-dnl define(`nfs_export_all_ro')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
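Review bot: This hunk switches on, by default, nearly every relaxation the file offers — `unlimitedRC`, `unlimitedRPM`, `unlimitedUtils`, `user_canbe_sysadm`, `user_can_mount`, `nscd_all_connect` and `hide_broken_symptoms` — by dropping the `dnl` in front of each define. The file's own comments describe several of these as letting rc scripts, rpm and privileged utilities run unconfined, which is at odds with a patch submitted for the strict policy, and the description quoted in the thread does not mention the change. It looks like a local build configuration captured by the recursive diff (an inference; the distro_redhat define enabled in tunables/distro.tun has the same shape). Unless the new defaults are intended, these lines should stay commented out, keeping only the removal of the two `nfs_export_all_*` tunables that became booleans in rpcd.te.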


* Re: Patch for strict policy
  2004-09-27 17:26   ` Daniel J Walsh
@ 2004-09-27 19:24     ` James Carter
  2004-09-27 20:55     ` Thomas Bleher
  1 sibling, 0 replies; 7+ messages in thread
From: James Carter @ 2004-09-27 19:24 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged -- I think.  

There were an awful lot of cvs adds and removes, I believe I got them
all, but... :)

On Mon, 2004-09-27 at 13:26, Daniel J Walsh wrote:
> James Carter wrote:
> 
> >Shouldn't there be a ktalkd.te?  I don't think ktalkd_exec_t is defined
> >anywhere.
> >
> >On Fri, 2004-09-24 at 10:32, Daniel J Walsh wrote:
> >  
> >
> >>Added policy templates for swat, ktalkd, in.comcast, and rsyn daemons to 
> >>be run by xinetd.
> >>Separated out inetd_child_t context into a macro.
> >>Mailman fixes
> >>
> >>______________________________________________________________________
> >>diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ktalkd.fc policy-1.17.20/file_contexts/program/ktalkd.fc
> >>--- nsapolicy/file_contexts/program/ktalkd.fc	1969-12-31 19:00:00.000000000 -0500
> >>+++ policy-1.17.20/file_contexts/program/ktalkd.fc	2004-09-24 10:05:50.845362460 -0400
> >>@@ -0,0 +1,2 @@
> >>+# kde talk daemon 
> >>+/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t
> >>    
> >>
> >
> >  
> >
> Oops, yes here is a new patch including ktalkd, some of russells fixes.
> 
> ______________________________________________________________________
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: Patch for strict policy
  2004-09-27 17:26   ` Daniel J Walsh
  2004-09-27 19:24     ` James Carter
@ 2004-09-27 20:55     ` Thomas Bleher
  2004-09-29 11:28       ` Russell Coker
  1 sibling, 1 reply; 7+ messages in thread
From: Thomas Bleher @ 2004-09-27 20:55 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 849 bytes --]

* Daniel J Walsh <dwalsh@redhat.com> [2004-09-27 21:12]:
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/screensaver.te policy-1.17.22/domains/misc/screensaver.te
> --- nsapolicy/domains/misc/screensaver.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.17.22/domains/misc/screensaver.te	2004-09-27 10:19:13.000000000 -0400
> @@ -0,0 +1,18 @@
> +#
> +# Alias file to stop blow up during policy upgrade, since 
> +# screensaver policy is being removed.

How will screensavers be able to authenticate users (think screen lock)
if this policy is removed? screensavers had the auth_chkpwd attribute to
do this; I do not think that we should grant this capability to user_t.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: Patch for strict policy
  2004-09-27 20:55     ` Thomas Bleher
@ 2004-09-29 11:28       ` Russell Coker
  0 siblings, 0 replies; 7+ messages in thread
From: Russell Coker @ 2004-09-29 11:28 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: Daniel J Walsh, jwcart2, SELinux

On Tue, 28 Sep 2004 06:55, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> * Daniel J Walsh <dwalsh@redhat.com> [2004-09-27 21:12]:
> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/domains/misc/screensaver.te
> > policy-1.17.22/domains/misc/screensaver.te ---
> > nsapolicy/domains/misc/screensaver.te 1969-12-31 19:00:00.000000000 -0500
> > +++ policy-1.17.22/domains/misc/screensaver.te 2004-09-27
> > 10:19:13.000000000 -0400 @@ -0,0 +1,18 @@
> > +#
> > +# Alias file to stop blow up during policy upgrade, since
> > +# screensaver policy is being removed.
>
> How will screensavers be able to authenticate users (think screen lock)
> if this policy is removed? screensavers had the auth_chkpwd attribute to
> do this; I do not think that we should grant this capability to user_t.

In macros/base_user_macros.te:
ifdef(`chkpwd.te', `chkpwd_domain($1)')

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
