* policy patches
@ 2002-08-09 15:30 Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2002-08-09 15:30 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 850 bytes --]

I have attached the most important parts of the diff file between the last 
release SE Linux policy and my policy tree.

I have not included work in progress such as my chroot policy, the patches 
for better handling of "sendmail -t", user_home_dir_t, and other things I 
regard as experimental.  I have left them in the attrib.te file because it 
doesn't do any harm to commit a patch to add an attribute before anything 
uses it.

I've included some new policy files such as tmpreaper and mysqld, but left 
others out (postgresql and Brian's anti-virus policy).

I think that most (if not all) of this patch is suitable for inclusion.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

[-- Attachment #2: selinux-small_2002070313-7.diff.gz --]
[-- Type: application/x-gzip, Size: 26604 bytes --]


* policy patches
@ 2002-09-09 22:59 Russell Coker
  2002-09-21  2:39 ` Stephen Smalley
  0 siblings, 1 reply; 47+ messages in thread
From: Russell Coker @ 2002-09-09 22:59 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 930 bytes --]

initrd.diff is part of the policy needed to get an initrd working properly; it 
doesn't have everything because it's difficult to separate it all.  But it's 
a good improvement and it has most of what you need.

misc.diff is many things that are patches for things that are in my area (i.e. 
dpkg.te), trivial, or patches for things that are not fully working anyway 
(postgresql and fcron), so they can't be broken.  Also it includes part of 
the policy for the chroot setup as described in my paper for Linux Kongress 
(again it's something that's not easy to split so I'll include the rest in 
another patch).

amanda.diff is a patch for amanda to properly support the types for home dirs 
with multiple user roles.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

[-- Attachment #2: amanda.diff --]
[-- Type: text/x-diff, Size: 800 bytes --]

--- /tmp/policy/domains/program/amanda.te	2002-09-09 19:54:10.000000000 +0200
+++ domains/program/amanda.te	2002-09-10 00:37:39.000000000 +0200
@@ -195,8 +195,8 @@
 ########################
 
 # access to user_home_t
-allow amanda_t { user_home_dir_t user_home_t }:dir { search getattr read };
-allow amanda_t user_home_t:file { getattr read };
+allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
+allow amanda_t user_home_type:file { getattr read };
 
 # access to file_t ( /floppy, /cdrom )
 allow amanda_t file_t:dir { getattr };
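Review bot: Switching from the concrete types to the `user_home_dir_type` / `user_home_type` attributes means amanda_t now reads every home directory type carrying those attributes, not just user_home_t. That is the stated purpose (home dirs under multiple user roles) and the permissions stay read-only (`search getattr read`), so the widening is acceptable, but both attributes must already be declared in attrib.te or checkpolicy rejects the rule; the commit message should say which role-specific home types are now covered.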
@@ -204,7 +204,6 @@
 ###########
 # Dontaudit
 ###########
-
 dontaudit amanda_t file_labels_t:dir { getattr read search };
 dontaudit amanda_t file_labels_t:file { getattr read };
 dontaudit amanda_t lost_found_t:dir { getattr read };
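Review bot: This hunk only deletes a blank line after the `# Dontaudit` banner; whitespace-only churn that can be dropped to keep the patch minimal.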

[-- Attachment #3: initrd.diff --]
[-- Type: text/x-diff, Size: 7812 bytes --]

diff -ruN /tmp/policy/Makefile policy/Makefile
--- /tmp/policy/Makefile	2002-09-10 00:01:30.000000000 +0200
+++ policy/Makefile	2002-08-31 17:33:36.000000000 +0200
@@ -23,7 +23,6 @@
 POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
 INSTALLDIR = /etc/security/selinux
 LOADPATH = $(INSTALLDIR)/$(POLICYVER)
-INITRDLOADPATH = $(INSTALLDIR)/initrd-$(POLICYVER)
 SRCINSTALLDIR = $(INSTALLDIR)/src
 POLICYCONF = $(SRCINSTALLDIR)/policy.conf
 
@@ -35,71 +34,68 @@
 POLICYFILES += rbac users constraints
 POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts
 
-INITRDPOLICYFILES = $(subst all.te,initrd_all.te,$(POLICYFILES))
+INITRDPOLICYFILES = $(subst users, initrd-domains/users,$(subst all.te,initrd_all.te,$(POLICYFILES)))
 
 FC = file_contexts/file_contexts
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
 
-
-policy: $(POLICYVER)
-
-$(POLICYVER):  tmp policy.conf $(CHECKPOLICY)
-	$(CHECKPOLICY) -o $@ policy.conf
-
-tmp:
-	mkdir tmp
-
-initrd-$(POLICYVER):  tmp initrd-policy.conf $(CHECKPOLICY)
-	$(CHECKPOLICY) -o tmp/$@ initrd-policy.conf
-	gzip -c tmp/$@ > $@
-
-initrd-policy: initrd-$(POLICYVER)
-
 install: $(LOADPATH)
 
-install-initrd: $(INITRDLOADPATH)
+install-initrd: $(LOADPATH).initrd
 
 $(LOADPATH):  $(POLICYCONF) $(CHECKPOLICY)
 	mkdir -p $(INSTALLDIR)
-	$(CHECKPOLICY) -o $@ $(POLICYCONF)
+	$(CHECKPOLICY) -o tmp/pol $(POLICYCONF)
+	gzip -9 < tmp/pol > $@
+	rm tmp/pol
 # Note: Can't use install, so not sure how to deal with mode, user, and group
 #	other than by default.
 
-$(INITRDLOADPATH): initrd-$(POLICYVER)
+$(LOADPATH).initrd:  $(POLICYCONF).initrd $(CHECKPOLICY)
 	mkdir -p $(INSTALLDIR)
-	install -m 644 -o root -g root initrd-$(POLICYVER) $(INITRDLOADPATH)
+	$(CHECKPOLICY) -o tmp/pol.initrd $(POLICYCONF).initrd
+	gzip -9 < tmp/pol.initrd > $@
+	rm tmp/pol.initrd
+# Note: Can't use install, so not sure how to deal with mode, user, and group
+#	other than by default.
 
 $(POLICYCONF): policy.conf 
 	mkdir -p $(SRCINSTALLDIR)
 	install -m 644 -o root -g root policy.conf $@
 
+$(POLICYCONF).initrd: policy.conf.initrd
+	mkdir -p $(SRCINSTALLDIR)
+	install -m 644 -o root -g root policy.conf.initrd $@
+
 reload tmp/load: $(LOADPATH)
 	$(BINDIR)/load_policy $(LOADPATH)
 	touch tmp/load
 
 load: tmp/load
 
-policy.conf: tmp $(POLICYFILES) 
+policy.conf: $(POLICYFILES) 
+	mkdir -p tmp
 	m4 -Imacros -s $(POLICYFILES) > policy.conf
 
 install-src: 
 	mkdir -p $(SRCINSTALLDIR)/policy
 	cp -R . $(SRCINSTALLDIR)/policy
 
-initrd-policy.conf: $(INITRDPOLICYFILES) 
-	m4 -Imacros -s $(INITRDPOLICYFILES) > initrd-policy.conf
+policy.conf.initrd: $(INITRDPOLICYFILES) 
+	m4 -Imacros -s $(INITRDPOLICYFILES) > $@
 
 ALLTEFILES := attrib.te tmp/program_used_flags.te tmp/all_macros.te tmp/all_types.te tmp/all_domains.te assert.te 
 
 tmp/all.te: $(ALLTEFILES)
 	cat $^ > $@
 
-INITRDALLTEFILES = $(subst all_domains.te,all_initrd_domains.te,$(subst program_used_flags.te,initrd_program_used_flags.te,$(POLICYFILES)))
+INITRD_ALLTEFILES := attrib.te tmp/initrd_program_used_flags.te tmp/all_macros.te tmp/all_types.te tmp/all_initrd_domains.te assert.te 
 
-tmp/initrd_all.te: $(INITRDALLTEFILES)
+tmp/initrd_all.te: $(INITRD_ALLTEFILES)
 	cat $^ > $@
 
 tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
+	mkdir -p tmp
 	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@
 
 tmp/initrd_program_used_flags.te: $(wildcard initrd-domains/*.te) initrd-domains
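Review bot: Three things in this hunk. First, `$(LOADPATH)` now gzips the compiled policy (`gzip -9 < tmp/pol > $@`) while the `reload` rule still runs `$(BINDIR)/load_policy $(LOADPATH)` unchanged, so the non-initrd install path now also depends on load_policy accepting a gzipped policy file; if it does not, `make reload` breaks for everyone, and the commit message should state that requirement. Second, the in-tree `policy`, `$(POLICYVER)` and `initrd-policy` targets are removed, so any script or documentation that runs `make policy` stops working; building now happens only as a side effect of `install`. Third, in `$(subst users, initrd-domains/users,...)` the space after the comma becomes part of the replacement text (harmless in a word list, but tidier as `$(subst users,initrd-domains/users,...)`), and `subst` matches any substring, so it relies on no other entry in `$(POLICYFILES)` containing `users`. On the plus side, `INITRD_ALLTEFILES` fixes a real bug: the old `INITRDALLTEFILES` substituted into `$(POLICYFILES)` rather than `$(ALLTEFILES)`. The `# Note: Can't use install` comment is duplicated verbatim; one copy above both rules would do.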
@@ -130,8 +126,7 @@
 	cat $(FCFILES) > $@
 
 clean:
-	rm -f $(POLICYVER) policy.conf 
-	rm -f initrd-$(POLICYVER) initrd-policy.conf 
+	rm -f policy.conf policy.conf.initrd
 	rm -f tmp/*
 	rm -f $(FC)
  
diff -ruN /tmp/policy/assert.te policy/assert.te
--- /tmp/policy/assert.te	2002-08-23 21:04:27.000000000 +0200
+++ policy/assert.te	2002-08-29 00:32:49.000000000 +0200
@@ -70,7 +70,7 @@
 #
 neverallow ~{ initrc_t admin kernel_t insmod_t } sysctl_t:file { write append };
 neverallow ~{ initrc_t admin } sysctl_fs_t:file { write append };
-neverallow ~{ initrc_t admin kernel_t kmod_t insmod_t } sysctl_kernel_t:file { write append };
+neverallow ~{ init_t initrc_t admin kernel_t kmod_t insmod_t } sysctl_kernel_t:file { write append };
 neverallow ~{ initrc_t admin } sysctl_net_t:file { write append };
 neverallow ~{ initrc_t admin } sysctl_net_unix_t:file { write append };
 neverallow ~{ initrc_t admin } sysctl_vm_t:file { write append };
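Review bot: Adding `init_t` to the exemption list for `sysctl_kernel_t:file { write append }` widens a neverallow that guards writes under /proc/sys/kernel. The exemption on its own grants nothing, and no matching allow rule for init_t appears in the init.te hunks of this patch, so either the allow lives elsewhere or the exemption is premature. A one-line comment naming the kernel sysctl init has to write during the initrd phase would make the assertion auditable.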
@@ -89,8 +89,8 @@
            ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
            `assert_execute($1) assert_execute(shift($@))')')
 
-assert_execute(getty, klogd)
-
+ifdef(`getty.te', `assert_execute(getty)')
+assert_execute(klogd)
 ifdef(`atd.te', `assert_execute(atd)')
 ifdef(`tcpd.te', `assert_execute(tcpd)')
 ifdef(`portmap.te', `assert_execute(portmap)')
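Review bot: `getty` is now guarded by `ifdef(`getty.te', ...)` like the entries below it, but `klogd` stays unconditional. If klogd.te can also be left out of an initrd build (the apparent reason for the guards), it needs the same treatment, otherwise checkpolicy fails on an undefined type.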
@@ -101,8 +101,10 @@
 ifdef(`xfs.te', `assert_execute(xfs)')
 ifdef(`gpm.te', `assert_execute(gpm)')
 
+ifdef(`login.te', `
 neverallow { local_login_t remote_login_t } ~login_exec_t:file entrypoint;
 neverallow { local_login_t remote_login_t } ~ld_so_t:file execute_no_trans;
+')
 
 #
 # Verify that the passwd domain can only be entered by its
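Review bot: Wrapping the login neverallow in `ifdef(`login.te', ...)` means the entrypoint assertion for `local_login_t` / `remote_login_t` silently disappears in builds without login.te. That is the right outcome when those domains are not declared, but an assertion that vanishes is easy to miss, so the commit message should say that the initrd build is the case this serves.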
diff -ruN /tmp/policy/domains/program/init.te policy/domains/program/init.te
--- /tmp/policy/domains/program/init.te	2002-09-09 19:54:11.000000000 +0200
+++ policy/domains/program/init.te	2002-09-10 00:10:38.000000000 +0200
@@ -36,6 +36,11 @@
 # Run init.
 can_exec(init_t, init_exec_t)
 
+# Run chroot from initrd scripts.
+ifdef(`chroot.te', `
+can_exec(init_t, chroot_exec_t)
+')
+
 # Create /dev/initctl.
 file_type_auto_trans(init_t, device_t, initctl_t)
 
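Review bot: `can_exec(init_t, chroot_exec_t)` runs chroot inside `init_t` with no domain transition, which fits the initrd hand-over, but `chroot_exec_t` must be declared by the chroot.te this guard refers to. That file is not in this series (the covering note says the rest of the chroot policy comes in another patch), so the block is inert until it lands; say so in the commit message so nobody wonders why the guard never fires.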
@@ -88,3 +93,6 @@
 # reparented to init, so we need these type transition rules.
 # 
 # These rules have been moved to the individual target domain .te files.
+
+# for initrd pivot_root seems to access this
+dontaudit init_t file_labels_t:dir { search };
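Review bot: `# for initrd pivot_root seems to access this` paired with a dontaudit leaves the question open: if pivot_root actually needs to search `file_labels_t` directories the right rule is an allow, and if the access is incidental the dontaudit is correct, but "seems to" says neither was confirmed. Record the observed denial and whether pivot_root still succeeds with it denied.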
diff -ruN /tmp/policy/genfs_contexts policy/genfs_contexts
--- /tmp/policy/genfs_contexts	2002-09-09 19:54:04.000000000 +0200
+++ policy/genfs_contexts	2002-08-29 00:35:11.000000000 +0200
@@ -88,7 +88,9 @@
 genfscon devfs /ppp			system_u:object_r:ppp_device_t
 genfscon devfs /fb	-c		system_u:object_r:framebuf_device_t
 genfscon devfs /initctl		system_u:object_r:initctl_t
+ifdef(`syslog.te', `
 genfscon devfs /log			system_u:object_r:devlog_t
+')
 genfscon devfs /misc/psaux		system_u:object_r:mouse_device_t
 genfscon devfs /misc/nvram		system_u:object_r:memory_device_t
 genfscon devfs /input/mouse		system_u:object_r:mouse_device_t
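Review bot: Guarding the devfs `/log` label with `ifdef(`syslog.te', ...)` follows the pattern already used in this file (the autofs block below does the same) and keeps `devlog_t` out of builds that omit syslog.te; fine as is.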
@@ -111,4 +113,24 @@
 genfscon autofs /			system_u:object_r:autofs_t
 ')
 
-# FLASK
+# romfs
+genfscon romfs /			system_u:object_r:root_t
+genfscon romfs /bin			system_u:object_r:bin_t
+genfscon romfs /bin/mount		system_u:object_r:mount_exec_t
+genfscon romfs /bin/umount		system_u:object_r:mount_exec_t
+genfscon romfs /bin/ash			system_u:object_r:shell_exec_t
+genfscon romfs /etc			system_u:object_r:etc_t
+genfscon romfs /lib			system_u:object_r:lib_t
+genfscon romfs /lib/ld-linux.so.2	system_u:object_r:ld_so_t
+genfscon romfs /lib/libc.so.6		system_u:object_r:shlib_t
+genfscon romfs /lib/modules		system_u:object_r:modules_object_t
+genfscon romfs /linuxrc			system_u:object_r:init_exec_t
+genfscon romfs /linuxrc.conf		system_u:object_r:etc_t
+genfscon romfs /loadmodules		system_u:object_r:shell_exec_t
+genfscon romfs /sbin			system_u:object_r:sbin_t
+genfscon romfs /sbin/init		system_u:object_r:init_exec_t
+genfscon romfs /sbin/insmod		system_u:object_r:insmod_exec_t
+genfscon romfs /sbin/modprobe		system_u:object_r:insmod_exec_t
+genfscon romfs /scripts			system_u:object_r:sbin_t
+genfscon romfs /tmp			system_u:object_r:tmp_t
+genfscon romfs /usr			system_u:object_r:sbin_t
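Review bot: `# FLASK` was the end-of-file marker; dropping it is harmless but inconsistent with the other policy files. Two things to check in the romfs labels: genfscon matches by path prefix, so everything under `/lib` other than `ld-linux.so.2` and `libc.so.6` gets `lib_t`, not `shlib_t`, and any further shared library on the initrd would be unusable as one; either list each library or confirm the initrd carries no others. Labelling all of `/usr` and `/scripts` as `sbin_t` is coarse (executable by every domain allowed to run sbin_t); if those directories only hold initrd scripts the label is acceptable, but a comment should say so. `/tmp` as `tmp_t` on a read-only romfs is moot but harmless.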

[-- Attachment #4: misc.diff --]
[-- Type: text/x-diff, Size: 35755 bytes --]

diff -ruN /tmp/policy/domains/admin.te policy/domains/admin.te
--- /tmp/policy/domains/admin.te	2002-09-09 19:54:07.000000000 +0200
+++ policy/domains/admin.te	2002-09-08 10:31:05.000000000 +0200
@@ -22,5 +22,6 @@
 auditallow admin kernel_t:system avc_toggle;
 
 
+define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
 
 
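Review bot: `admin_tty_type` is an m4 `define`, not a type attribute, yet the `_type` suffix reads like the attributes this tree uses (`user_home_type`, `user_home_dir_type` in amanda.te). Either rename it or move the define into the macros directory that the Makefile passes to m4 (`-Imacros`) alongside the other helpers. Also, m4 expands in concatenation order, so admin.te must be processed before named.te (which uses the define in this same patch), or the name appears literally in policy.conf and checkpolicy rejects it.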
diff -ruN /tmp/policy/domains/program/backup.te policy/domains/program/backup.te
--- /tmp/policy/domains/program/backup.te	2002-08-23 20:44:18.000000000 +0200
+++ policy/domains/program/backup.te	2002-08-31 15:38:47.000000000 +0200
@@ -16,10 +16,11 @@
 
 domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
 allow backup_t privfd:fd use;
-ifdef(`crond.te',
-`domain_auto_trans(system_crond_t, backup_exec_t, backup_t)
+ifdef(`crond.te', `
+domain_auto_trans(system_crond_t, backup_exec_t, backup_t)
 rw_dir_create_file(system_crond_t, backup_store_t)
-allow backup_t crond_t:fifo_file { read write ioctl };')
+allow backup_t crond_t:fifo_file { read write ioctl };
+')
 
 can_network(backup_t)
 uses_shlib(backup_t)
@@ -37,11 +38,11 @@
 allow backup_t sysctl_kernel_t:file read;
 
 allow backup_t self:fifo_file rw_file_perms;
-allow backup_t self:process { sigchld fork };
+allow backup_t self:process { signal sigchld fork };
 allow backup_t self:capability { dac_override };
 
 rw_dir_file(backup_t, backup_store_t)
-allow backup_t backup_store_t:file create;
+allow backup_t backup_store_t:file { create setattr };
 
 allow backup_t fs_t:filesystem getattr;
 
diff -ruN /tmp/policy/domains/program/courier.te policy/domains/program/courier.te
--- /tmp/policy/domains/program/courier.te	2002-09-09 19:54:10.000000000 +0200
+++ policy/domains/program/courier.te	2002-09-03 02:23:42.000000000 +0200
@@ -113,7 +113,10 @@
 
 # for webmail
 courier_domain(sqwebmail)
-ifdef(`crond.te',
-`domain_auto_trans(system_crond_t, sqwebmail_cron_exec_t, courier_sqwebmail_t)
+ifdef(`crond.te', `
+domain_auto_trans(system_crond_t, sqwebmail_cron_exec_t, courier_sqwebmail_t)
 allow courier_sqwebmail_t crond_t:fd use;
-allow courier_sqwebmail_t crond_t:fifo_file rw_file_perms;')
+allow courier_sqwebmail_t crond_t:fifo_file rw_file_perms;
+')
+allow courier_sqwebmail_t { sysctl_t sysctl_kernel_t }:dir search;
+allow courier_sqwebmail_t sysctl_kernel_t:file { getattr read };
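Review bot: The two new sysctl rules sit after, not inside, the `ifdef(`crond.te', ...)` block, which is right since `courier_sqwebmail_t` is declared unconditionally by `courier_domain(sqwebmail)` above. A comment naming the /proc/sys/kernel entry webmail reads would make the `sysctl_kernel_t:file` read easier to justify later.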
diff -ruN /tmp/policy/domains/program/crack.te policy/domains/program/crack.te
--- /tmp/policy/domains/program/crack.te	2002-08-23 20:44:18.000000000 +0200
+++ policy/domains/program/crack.te	2002-08-29 09:46:02.000000000 +0200
@@ -12,41 +12,26 @@
 domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
 
 type crack_db_t, file_type, sysadmfile;
-
 rw_dir_create_file(crack_t, crack_db_t)
 
 allow crack_t crond_t:fd use;
 allow crack_t crond_t:fifo_file r_file_perms;
+allow crack_t device_t:dir search;
 allow crack_t devtty_t:chr_file rw_file_perms;
-# Use the network.
-#can_network(crack_t)
 allow crack_t self:fifo_file { read write getattr };
-#allow crack_t self:unix_stream_socket create_socket_perms;
-#allow crack_t self:unix_dgram_socket create_socket_perms;
 
 tmp_domain(crack)
 
 can_exec(crack_t, bin_t)
 allow crack_t { bin_t sbin_t }:dir search;
 
-# Use capabilities
-#allow crack_t self:capability { net_raw net_bind_service };
-
 allow crack_t self:process { fork signal_perms };
 
 allow crack_t proc_t:dir { read search };
 allow crack_t proc_t:file { read getattr };
 
-# Allow access to the crack databases
-#allow crack_t crack_db_t:file create_file_perms;
-#allow crack_t crack_db_t:dir create_dir_perms;
-#allow crack_t var_lib_t:dir r_dir_perms;
-
 # read config files
 allow crack_t { etc_t etc_runtime_t }:file { getattr read };
 allow crack_t etc_t:dir r_dir_perms;
 
-#allow crack_t sysctl_kernel_t:dir search;
-#allow crack_t sysctl_kernel_t:file read;
-
 dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
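Review bot: Good cleanup: every removed line was already commented out, so the only behavioural change is the new `allow crack_t device_t:dir search;`, which is the /dev directory search the existing `devtty_t:chr_file` rule below it needs. Saying that in the commit message makes the hunk quicker to review.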
diff -ruN /tmp/policy/domains/program/crond.te policy/domains/program/crond.te
--- /tmp/policy/domains/program/crond.te	2002-08-26 18:50:43.000000000 +0200
+++ policy/domains/program/crond.te	2002-09-03 02:24:32.000000000 +0200
@@ -144,6 +144,9 @@
 # permission check for this purpose.
 #
 allow system_crond_t system_crond_script_t:file entrypoint;
+ifdef(`fcron.te', `
+allow system_crond_t sysadm_cron_spool_t:file entrypoint;
+')
 
 # Run helper programs in the system_crond_t domain.
 can_exec_any(system_crond_t)
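Review bot: `entrypoint` is normally reserved for executable types, and here it is granted on `sysadm_cron_spool_t`, a spool type that the fcron.te hunk in this same patch lets `dpkg_t` create via `file_type_auto_trans(dpkg_t, fcron_spool_t, sysadm_cron_spool_t)`. Anything able to write that spool can then supply the program that enters `system_crond_t`. If fcron really executes the system crontab file directly, say so in the comment above and keep the set of writers of `sysadm_cron_spool_t` as small as possible.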
diff -ruN /tmp/policy/domains/program/dpkg.te policy/domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-09-09 19:54:11.000000000 +0200
+++ policy/domains/program/dpkg.te	2002-09-09 11:15:07.000000000 +0200
@@ -113,6 +113,7 @@
 
 r_dir_file(install_menu_t, var_lib_dpkg_t)
 allow { install_menu_t userdomain system_crond_t } etc_dpkg_t:file r_file_perms;
+can_exec(sysadm_t, etc_dpkg_t)
 
 # Inherit and use descriptors from any domain.
 allow { apt_t dpkg_t } privfd:fd use;
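Review bot: `can_exec(sysadm_t, etc_dpkg_t)` makes every file carrying the dpkg configuration type executable by the administrator, and nothing says which executables this is for. Add a comment, and if it is only one or two scripts a dedicated exec type keeps the rest of `etc_dpkg_t` non-executable.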
@@ -216,7 +217,7 @@
 allow install_menu_t self:process signal;
 allow install_menu_t proc_t:dir search;
 allow install_menu_t proc_t:file r_file_perms;
-can_exec(install_menu_t, { bin_t shell_exec_t install_menu_exec_t dpkg_exec_t install_menu_t })
+can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t install_menu_t })
 allow install_menu_t { bin_t sbin_t }:dir search;
 allow install_menu_t bin_t:lnk_file read;
 
@@ -242,11 +243,7 @@
 ifdef(`crond.te', `
 allow system_crond_t shadow_t:file { read getattr };
 create_dir_file(system_crond_t, tetex_data_t)
-')
-
-ifdef(`fcron.te', `
-domain_auto_trans(dpkg_t, crontab_exec_t, sysadm_crontab_t)
-role system_r types sysadm_crontab_t;
+can_exec(dpkg_t, tetex_data_t)
 ')
 
 role system_r types { dpkg_t apt_t install_menu_t };
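Review bot: `can_exec(dpkg_t, tetex_data_t)` is placed inside `ifdef(`crond.te', ...)`, but nothing about it depends on cron; if dpkg needs it regardless, move it outside the guard so non-cron builds get it too. The removed fcron block (`domain_auto_trans(dpkg_t, crontab_exec_t, sysadm_crontab_t)`) is replaced in fcron.te by a plain `can_exec(dpkg_t, crontab_exec_t)`, so crontab now runs in `dpkg_t` instead of transitioning to `sysadm_crontab_t`; that is a deliberate change and should be spelled out in the commit message.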
diff -ruN /tmp/policy/domains/program/fcron.te policy/domains/program/fcron.te
--- /tmp/policy/domains/program/fcron.te	2002-08-23 20:44:18.000000000 +0200
+++ policy/domains/program/fcron.te	2002-09-09 11:15:31.000000000 +0200
@@ -6,7 +6,8 @@
 #
 # Author: Russell Coker <russell@coker.com.au>
 
-daemon_domain(fcron, `, privuser, privrole, privmail')
+# ideally we would not give it privowner!
+daemon_domain(fcron, `, privuser, privrole, privmail, privfd, privowner')
 
 general_domain_access(fcron_t)
 
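Review bot: `privowner` is a broad attribute and the new comment itself says it should not be needed. The commit should name the operation that fails without it, so a narrower rule can replace it later; the same goes for `privfd`, which is added here without any comment.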
@@ -17,10 +18,12 @@
 file_type_auto_trans(fcron_t, var_log_t, cron_log_t)
 
 ifdef(`mta.te', `
-allow system_mail_t fcron_spool_t:file read;
-dontaudit system_mail_t fcron_spool_t:file write;
+# not sure why we need write access, but Postfix does not work without it
+allow { system_mail_t mta_user_agent } fcron_spool_t:file { read write getattr };
 ')
 
+allow { user_crond_domain system_crond_t sysadm_crond_t } fcron_spool_t:dir getattr;
+
 # Use capabilities.
 allow fcron_t self:capability { dac_override dac_read_search setgid setuid net_bind_service };
 
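Review bot: The previous version read the spool and dontaudit'ed writes; this one grants `write` to both `system_mail_t` and every domain with `mta_user_agent` (which, per the postfix.te hunk in this patch, now includes `postfix_postdrop_t`). A mailer being able to modify cron spool files is more than mail delivery should need, and the comment admits the reason is unknown. Capture the actual avc denial that stops Postfix before locking in the write permission.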
@@ -33,13 +36,13 @@
 rw_dir_create_file(fcron_t, fcron_spool_t)
 
 # Read system crontabs
-r_dir_file(fcron_t, system_crond_script_t)
+allow fcron_t system_crond_script_t:file create_file_perms;
 
 # Read /etc/security/cron_context
 allow fcron_t cron_context_t:file r_file_perms;
 
 allow fcron_t etc_t:lnk_file read;
-allow fcron_t etc_t:file r_file_perms;
+allow fcron_t { etc_t resolv_conf_t }:file { read getattr };
 
 allow fcron_t { sysadm_home_dir_t user_home_dir_type }:dir search;
 
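Review bot: `# Read system crontabs` is now stale: `r_dir_file` (read on dir and file) has become `file create_file_perms`, which includes write and create, so fcron can now modify the very scripts it runs as `system_crond_t`. Update the comment to say why fcron writes them, and note that the directory search/read permissions `r_dir_file` used to give are dropped here and must now come from somewhere else. The change to `{ etc_t resolv_conf_t }:file { read getattr }` is a sensible tightening from `r_file_perms`.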
@@ -50,6 +53,12 @@
 domain_trans(fcron_t, shell_exec_t, system_crond_t)
 allow fcron_t shell_exec_t:file read;
 
+ifdef(`dpkg.te', `
+can_exec(dpkg_t, crontab_exec_t)
+file_type_auto_trans(dpkg_t, fcron_spool_t, sysadm_cron_spool_t)
+')
+allow sysadm_crontab_t system_crond_script_t:file { setattr rw_file_perms };
+
 # Modutils are now combined, so we can no longer distinguish them.
 # Let crond run the insmod executable in the insmod_t domain.
 ifdef(`modutil.te', `
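Review bot: `can_exec(dpkg_t, crontab_exec_t)` plus `file_type_auto_trans(dpkg_t, fcron_spool_t, sysadm_cron_spool_t)` means the package manager, in its own domain, writes files of the type that crond.te in this patch allows as an entrypoint into `system_crond_t`. Together with `allow sysadm_crontab_t system_crond_script_t:file { setattr rw_file_perms };`, the set of domains that can alter what runs as system cron grows by two in one patch; probably acceptable for dpkg and the admin crontab tool, but each rule deserves an explicit comment saying so.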
diff -ruN /tmp/policy/domains/program/fingerd.te policy/domains/program/fingerd.te
--- /tmp/policy/domains/program/fingerd.te	2002-08-23 20:44:18.000000000 +0200
+++ policy/domains/program/fingerd.te	2002-09-07 23:03:06.000000000 +0200
@@ -38,6 +38,8 @@
 can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
 allow fingerd_t devtty_t:chr_file { read write };
 
+allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
+
 # Use the network.
 can_network(fingerd_t)
 
diff -ruN /tmp/policy/domains/program/hotplug.te policy/domains/program/hotplug.te
--- /tmp/policy/domains/program/hotplug.te	2002-08-23 20:44:19.000000000 +0200
+++ policy/domains/program/hotplug.te	2002-09-08 11:06:35.000000000 +0200
@@ -32,6 +32,7 @@
 can_exec(hotplug_t, { bin_t sbin_t ls_exec_t shell_exec_t etc_hotplug_t etc_t })
 
 r_dir_file(hotplug_t, usbdevfs_t)
+allow hotplug_t usbdevfs_device_t:file getattr;
 
 allow hotplug_t fs_t:filesystem getattr;
 
diff -ruN /tmp/policy/domains/program/ircd.te policy/domains/program/ircd.te
--- /tmp/policy/domains/program/ircd.te	2002-08-23 20:44:19.000000000 +0200
+++ policy/domains/program/ircd.te	2002-08-29 00:33:54.000000000 +0200
@@ -18,6 +18,11 @@
 
 log_domain(ircd)
 
+type var_lib_ircd_t, sysadmfile, file_type;
+file_type_auto_trans(ircd_t, var_lib_t, var_lib_ircd_t)
+
+allow ircd_t sysadm_devpts_t:chr_file rw_file_perms;
+
 # Use the network.
 can_network(ircd_t)
 #allow ircd_t self:fifo_file { read write };
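Review bot: `allow ircd_t sysadm_devpts_t:chr_file rw_file_perms;` gives the daemon the full rw set (including ioctl, lock and append) on the administrator's pseudo-terminal; the other daemons touched in this patch (named.te, postfix.te) only get `{ read write }`, and for output that happens only when started from a terminal a dontaudit is usually enough. Narrow this to `{ read write }` at most. The new `var_lib_ircd_t` type with `file_type_auto_trans` from `var_lib_t` is the right way to stop ircd writing generic var_lib_t files.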
@@ -30,8 +35,6 @@
 
 allow ircd_t sbin_t:dir search;
 
-r_dir_file(ircd_t, var_lib_t)
-
 allow ircd_t proc_t:file { getattr read };
 
 # read config files
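Review bot: Dropping `r_dir_file(ircd_t, var_lib_t)` is consistent with the new `var_lib_ircd_t` type, but files ircd created before this change still carry `var_lib_t` until relabelled; the matching ircd.fc entry (its diff header is the last thing in this attachment and its body is cut off here) should label ircd's /var/lib path so setfiles fixes existing installs.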
diff -ruN /tmp/policy/domains/program/kcheckpass.te policy/domains/program/kcheckpass.te
--- /tmp/policy/domains/program/kcheckpass.te	2002-08-26 18:50:43.000000000 +0200
+++ policy/domains/program/kcheckpass.te	2002-09-03 02:28:34.000000000 +0200
@@ -24,6 +24,8 @@
 
 allow kcheckpass_t self:process { fork sigchld };
 
+allow kcheckpass_t devtty_t:chr_file rw_file_perms;
+
 # read config files
 allow kcheckpass_t { etc_t resolv_conf_t }:file { read getattr };
 allow kcheckpass_t etc_t:lnk_file read;
diff -ruN /tmp/policy/domains/program/logrotate.te policy/domains/program/logrotate.te
--- /tmp/policy/domains/program/logrotate.te	2002-08-23 21:04:28.000000000 +0200
+++ policy/domains/program/logrotate.te	2002-08-31 17:58:11.000000000 +0200
@@ -39,6 +39,7 @@
 
 # Modify /var/log and other log dirs.
 allow logrotate_t logfile:dir rw_dir_perms;
+allow logrotate_t logfile:lnk_file read;
 
 # Create, rename, and truncate log files.
 allow logrotate_t logfile:file create_file_perms;
diff -ruN /tmp/policy/domains/program/mount.te policy/domains/program/mount.te
--- /tmp/policy/domains/program/mount.te	2002-09-09 19:54:12.000000000 +0200
+++ policy/domains/program/mount.te	2002-08-29 00:33:54.000000000 +0200
@@ -37,5 +37,6 @@
 ifdef(`devfsd.te', `
 allow mount_t device_t:filesystem unmount;
 ')
+allow mount_t root_t:filesystem unmount;
 
 
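Review bot: `allow mount_t root_t:filesystem unmount;` is added outside the devfsd guard with no comment; unmounting the root filesystem is a strong permission for mount_t and only makes sense for the initrd hand-over described in the covering note. Add a comment saying so, as the devfsd block above does for its case.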
diff -ruN /tmp/policy/domains/program/mrtg.te policy/domains/program/mrtg.te
--- /tmp/policy/domains/program/mrtg.te	2002-09-09 19:54:12.000000000 +0200
+++ policy/domains/program/mrtg.te	2002-08-28 17:20:05.000000000 +0200
@@ -59,4 +59,5 @@
 dontaudit mrtg_t initrc_var_run_t:file { write lock };
 allow mrtg_t etc_runtime_t:file { getattr read };
 
-dontaudit mrtg_t sysadm_home_dir_t:dir { search read };
+# should not need this!
+allow mrtg_t sysadm_home_dir_t:dir { search read getattr };
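Review bot: Turning `dontaudit mrtg_t sysadm_home_dir_t:dir` into an `allow` with `# should not need this!` goes the wrong way: a dontaudit is for denials that do not break the program, an allow is for ones that do. If mrtg really fails without search/read on /root, the comment should record which operation fails (and the usual fix is to point mrtg at its own config/data directory rather than open /root to it); if it does not fail, keep the dontaudit.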
diff -ruN /tmp/policy/domains/program/mta.te policy/domains/program/mta.te
--- /tmp/policy/domains/program/mta.te	2002-09-09 19:54:12.000000000 +0200
+++ policy/domains/program/mta.te	2002-08-24 21:36:08.000000000 +0200
@@ -37,5 +37,3 @@
 
 allow system_mail_t privmail:fd use;
 allow system_mail_t privmail:fifo_file rw_file_perms;
-allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow system_mail_t mqueue_spool_t:{ file lnk_file } create_file_perms;
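Review bot: The two rules giving `system_mail_t` write access to `mqueue_spool_t` are dropped with no replacement anywhere in this patch; that is correct only if no MTA running as `system_mail_t` still needs the sendmail queue. State in the commit message where that access now lives, or that it is intentionally removed, since a sendmail-based system would lose queueing silently.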
diff -ruN /tmp/policy/domains/program/named.te policy/domains/program/named.te
--- /tmp/policy/domains/program/named.te	2002-08-23 20:44:19.000000000 +0200
+++ policy/domains/program/named.te	2002-09-08 10:30:40.000000000 +0200
@@ -16,6 +16,9 @@
 type ndc_t, domain, privlog;
 role sysadm_r types ndc_t;
 
+# named will not start without this!
+allow named_t admin_tty_type:chr_file { read write };
+
 can_exec(named_t, named_exec_t)
 allow named_t sbin_t:dir search;
 
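Review bot: `# named will not start without this!` is surprising: a daemon needing read/write on the administrator's tty is unusual, and the treatment elsewhere in this tree is to silence it (xdm.te: `dontaudit xdm_t sysadm_tty_device_t:chr_file { read write };`). If named truly aborts when the inherited terminal descriptor is unusable, record the denial in the comment so the allow is justified. This hunk also depends on the `admin_tty_type` define added in admin.te, which m4 must process before named.te.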
diff -ruN /tmp/policy/domains/program/postfix.te policy/domains/program/postfix.te
--- /tmp/policy/domains/program/postfix.te	2002-08-26 18:50:43.000000000 +0200
+++ policy/domains/program/postfix.te	2002-09-09 11:15:55.000000000 +0200
@@ -48,6 +48,8 @@
 allow postfix_$1_t resolv_conf_t:file { read getattr };
 allow postfix_$1_t var_t:dir { search getattr };
 
+allow postfix_$1_t tmp_t:dir getattr;
+
 file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t)
 
 ')dnl
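Review bot: Moving `tmp_t:dir getattr` into the `postfix_domain` macro (and deleting the per-domain copies for smtpd, local and cleanup later in this file) is a tidy consolidation; the only behavioural change is that every postfix_$1_t domain now gets the getattr, which is harmless.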
@@ -86,6 +88,7 @@
 allow postfix_master_t privfd:fd use;
 allow postfix_master_t etc_aliases_t:file r_file_perms;
 create_dir_file(postfix_master_t, postfix_spool_flush_t)
+allow postfix_master_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write };
 
 # allow access to deferred queue
 allow postfix_master_t postfix_spool_t:dir create_dir_perms;
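Review bot: `{ sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write }` is exactly the set the new `admin_tty_type` define in admin.te stands for, and named.te in this same patch already uses it; use the define here too so the two stay in step.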
@@ -122,7 +125,6 @@
 allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
 allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
 can_network(postfix_smtpd_t)
-allow postfix_smtpd_t tmp_t:dir getattr;
 
 allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
 
@@ -137,7 +139,6 @@
 allow postfix_local_t postfix_spool_t:dir r_dir_perms;
 allow postfix_local_t postfix_spool_t:file rw_file_perms;
 # for .forward - maybe we need a new type for it?
-allow postfix_local_t tmp_t:dir getattr;
 allow postfix_local_t postfix_private_t:dir search;
 allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
 allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
@@ -155,7 +156,6 @@
 allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
 allow postfix_cleanup_t postfix_private_t:dir search;
 allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_cleanup_t tmp_t:dir getattr;
 allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
 can_network(postfix_cleanup_t)
 allow postfix_cleanup_t { postfix_spool_bounce_t }:dir r_dir_perms;
@@ -165,7 +165,7 @@
 allow user_mail_domain self:capability dac_override;
 
 define(`postfix_user_domain', `
-postfix_domain($1)
+postfix_domain($1, `$2')
 domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
 in_user_role(postfix_$1_t)
 role sysadm_r types postfix_$1_t;
@@ -202,7 +202,7 @@
 allow postfix_showq_t self:tcp_socket create_socket_perms;
 allow postfix_showq_t ptyfile:chr_file { read write };
 
-postfix_user_domain(postdrop)
+postfix_user_domain(postdrop, `, mta_user_agent')
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
 allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
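Review bot: Giving postdrop the `mta_user_agent` attribute is what makes the fcron.te change in this patch (`allow { system_mail_t mta_user_agent } fcron_spool_t:file { read write getattr }`) apply to it, so `postfix_postdrop_t` gains read/write on fcron spool files. That is the access the fcron.te comment says is unexplained; worth tracking down before two hunks lock it in at once.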
diff -ruN /tmp/policy/domains/program/postgresql.te policy/domains/program/postgresql.te
--- /tmp/policy/domains/program/postgresql.te	2002-09-09 19:54:14.000000000 +0200
+++ policy/domains/program/postgresql.te	2002-08-28 18:21:05.000000000 +0200
@@ -15,6 +15,8 @@
 # gross hack
 domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
 ')
+# a grosser hack
+allow postgresql_t etc_t:file setattr;
 
 dontaudit postgresql_t { sysadm_home_dir_t var_spool_t }:dir search;
 
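Review bot: `allow postgresql_t etc_t:file setattr;` lets the database server change attributes (mode, ownership, timestamps) of any file labelled `etc_t`, i.e. most of /etc; the `# a grosser hack` comment concedes that. The type `etc_postgresql_t` already exists two hunks down, so the rule should target that type, or the file in question should be relabelled to it, rather than granting setattr on all of etc_t.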
@@ -22,7 +24,7 @@
 
 type etc_postgresql_t, file_type, sysadmfile;
 type postgresql_db_t, file_type, sysadmfile;
-type postgresql_log_t, file_type, sysadmfile;
+type postgresql_log_t, file_type, sysadmfile, logfile;
 
 file_type_auto_trans(postgresql_t, var_log_t, postgresql_log_t)
 
@@ -52,7 +54,7 @@
 
 # read config files
 allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-r_dir_file(postgresql_t, etc_postgresql_t)
+r_dir_file({ initrc_t postgresql_t }, etc_postgresql_t)
 
 allow postgresql_t etc_t:dir rw_dir_perms;
 allow postgresql_t etc_t:lnk_file create;
@@ -68,7 +70,7 @@
 allow postgresql_t bin_t:lnk_file read;
 allow postgresql_t postgresql_exec_t:lnk_file read;
 
-allow postgresql_t initrc_var_run_t:file { read };
+allow postgresql_t initrc_var_run_t:file { read write lock };
 
 allow postgresql_t self:sem rw_sem_perms;
 
diff -ruN /tmp/policy/domains/program/pppd.te policy/domains/program/pppd.te
--- /tmp/policy/domains/program/pppd.te	2002-09-09 19:54:14.000000000 +0200
+++ policy/domains/program/pppd.te	2002-09-09 22:31:18.000000000 +0200
@@ -41,7 +41,7 @@
 allow postfix_postqueue_t pppd_t:process sigchld;')
 
 # allow running ip-up and ip-down scripts and running chat.
-can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t })
+can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
 allow pppd_t { bin_t sbin_t }:dir search;
 allow pppd_t bin_t:lnk_file read;
 
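Review bot: Adding `ifconfig_exec_t` to `can_exec(pppd_t, ...)` runs ifconfig inside `pppd_t` rather than transitioning to a dedicated ifconfig domain; if an ifconfig domain exists in this tree, a `domain_auto_trans` would keep pppd's own permission set smaller. If the choice is deliberate (the ip-up/ip-down scripts named in the comment call ifconfig), extend the comment to say so.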
diff -ruN /tmp/policy/domains/program/snmpd.te policy/domains/program/snmpd.te
--- /tmp/policy/domains/program/snmpd.te	2002-08-26 18:50:43.000000000 +0200
+++ policy/domains/program/snmpd.te	2002-08-29 00:33:54.000000000 +0200
@@ -24,7 +24,7 @@
 allow snmpd_t etc_snmpd_t:file { getattr read };
 
 type var_lib_snmpd_t, file_type, sysadmfile;
-file_type_auto_trans(snmpd_t, var_lib_t, var_lib_snmpd_t)
+file_type_auto_trans(snmpd_t, { var_lib_t usr_t }, var_lib_snmpd_t)
 
 can_udp_send(sysadm_t, snmpd_t)
 can_udp_send(snmpd_t, sysadm_t)
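Review bot: `file_type_auto_trans(snmpd_t, { var_lib_t usr_t }, var_lib_snmpd_t)` now lets snmpd create `var_lib_snmpd_t` files under `usr_t` directories as well as /var/lib; a daemon creating state files under /usr is unusual enough that the path should be named in a comment, and if it is a single file a file_contexts entry plus the var_lib_t transition alone may suffice.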
@@ -40,5 +40,3 @@
 allow snmpd_t proc_t:file r_file_perms;
 allow snmpd_t fs_t:filesystem getattr;
 allow snmpd_t self:file { getattr read };
-
-allow snmpd_t var_lib_t:dir r_dir_perms;
diff -ruN /tmp/policy/domains/program/sxid.te policy/domains/program/sxid.te
--- /tmp/policy/domains/program/sxid.te	2002-08-23 20:44:20.000000000 +0200
+++ policy/domains/program/sxid.te	2002-09-08 11:03:31.000000000 +0200
@@ -38,6 +38,9 @@
 allow sxid_t self:unix_stream_socket create_socket_perms;
 
 allow sxid_t { proc_t self }:file { read getattr };
+ifdef(`mta.te', `
+allow system_mail_t sxid_t:file { read getattr };
+')
 allow sxid_t { sysctl_kernel_t sysctl_t }:dir search;
 allow sxid_t sysctl_kernel_t:file read;
 allow sxid_t devtty_t:chr_file rw_file_perms;
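Review bot: `sxid_t` is a process domain, so `sxid_t:file` means the /proc/<pid>/ entries of the running sxid process, not any file sxid writes. If the intent is for the mailer to read sxid's report, the target should be the type of that report (a tmp or spool type); if the mailer really reads /proc/<pid> of its parent, a comment saying which entry would help.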
diff -ruN /tmp/policy/domains/program/sysstat.te policy/domains/program/sysstat.te
--- /tmp/policy/domains/program/sysstat.te	2002-09-09 19:54:15.000000000 +0200
+++ policy/domains/program/sysstat.te	2002-09-08 11:31:17.000000000 +0200
@@ -24,7 +24,9 @@
 
 allow sysstat_t devtty_t:chr_file rw_file_perms;
 # for mtab
-allow sysstat_t etc_runtime_t:file r_file_perms;
+allow sysstat_t etc_runtime_t:file { read getattr };
+# for fstab
+allow sysstat_t etc_t:file { read getattr };
 
 dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
 
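Review bot: Good tightening: `r_file_perms` narrowed to `{ read getattr }` for mtab, and the fstab read on `etc_t` gets its own comment; the later hunk in this file applies the same narrowing to the /proc and sysctl file reads.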
@@ -36,11 +38,9 @@
 allow sysstat_t var_log_t:dir r_dir_perms;
 allow sysstat_t var_log_sysstat_t:dir rw_dir_perms;
 allow sysstat_t var_log_sysstat_t:file create_file_perms;
-#allow domain var_log_sysstat_t:dir r_dir_perms;
-#allow domain var_log_sysstat_t:file r_file_perms;
 
 allow sysstat_t etc_t:dir r_dir_perms;
-allow sysstat_t etc_t:lnk_file r_file_perms;
+allow sysstat_t etc_t:lnk_file read;
 
 # Inherit and use descriptors from cron.
 allow sysstat_t crond_t:fd use;
@@ -50,16 +50,12 @@
 
 # get info from /proc
 allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t }:dir r_dir_perms;
-allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t }:file r_file_perms;
-
-# read config files
-#allow sysstat_t { etc_t etc_sysstat_t }:{ file lnk_file } r_file_perms;
+allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t }:file { read getattr };
 
 domain_auto_trans({ system_crond_t initrc_t }, sysstat_exec_t, sysstat_t)
 allow sysstat_t init_t:fd use;
 allow sysstat_t console_device_t:chr_file { read write };
 
-#allow sysstat_t { root_t etc_t }:dir r_dir_perms;
 uses_shlib(sysstat_t)
 
 allow system_crond_t var_log_sysstat_t:dir { write remove_name };
diff -ruN /tmp/policy/domains/program/tftpd.te policy/domains/program/tftpd.te
--- /tmp/policy/domains/program/tftpd.te	2002-09-09 19:54:16.000000000 +0200
+++ policy/domains/program/tftpd.te	2002-08-29 00:33:54.000000000 +0200
@@ -18,6 +18,9 @@
 # Use the network.
 can_network(tftpd_t)
 allow tftpd_t tftp_port_t:udp_socket name_bind;
+ifdef(`inetd.te', `
+allow inetd_t tftp_port_t:udp_socket name_bind;
+')
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 
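Review bot: inetd binds the UDP socket before it spawns tftpd, so `inetd_t` needs `name_bind` on `tftp_port_t`; placing the rule in tftpd.te under `ifdef(`inetd.te', ...)` keeps it next to the port type it depends on. Fine.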
diff -ruN /tmp/policy/domains/program/vmware.te policy/domains/program/vmware.te
--- /tmp/policy/domains/program/vmware.te	2002-08-23 21:04:28.000000000 +0200
+++ policy/domains/program/vmware.te	2002-09-04 13:28:48.000000000 +0200
@@ -83,8 +83,10 @@
 # Rules added to kmod_t domain for VMWare to start up
 #
 # VMWare need access to pcmcia devices for network
+ifdef(`cardmgr.te', `
 allow kmod_t cardmgr_var_lib_t:dir { getattr search };
 allow kmod_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
 
 # Vmware create network devices
 allow kmod_t kmod_t:capability { net_admin };
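Review bot: the ifdef(`cardmgr.te') guard fixes the build when the cardmgr types are absent, but the surrounding rules still widen kmod_t from vmware.te unconditionally (including net_admin on the last line), so any site that includes vmware.te changes kmod_t whether or not VMware's pcmcia networking is in use; consider guarding the whole block on the file that declares kmod_t and commenting why kmod_t, rather than a vmware domain, needs these.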
diff -ruN /tmp/policy/domains/program/xdm.te policy/domains/program/xdm.te
--- /tmp/policy/domains/program/xdm.te	2002-09-09 19:54:16.000000000 +0200
+++ policy/domains/program/xdm.te	2002-08-31 17:49:18.000000000 +0200
@@ -131,7 +131,7 @@
 dontaudit xdm_t sysadm_tty_device_t:chr_file { read write };
 
 # Do not audit access to /root
-dontaudit xdm_t sysadm_home_t:dir search;
+dontaudit xdm_t sysadm_home_dir_t:dir search;
 
 # Do not audit user access to the X log files due to file handle inheritance
 dontaudit unpriv_userdomain xserver_var_log_t:file append;
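Review bot: sysadm_home_dir_t is the right type for /root itself, matching the comment, but if xdm descends into a subdirectory of /root the denial will be on sysadm_home_t:dir search instead; if that was the noise originally being silenced, keep both types in the dontaudit rather than swapping one for the other.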
diff -ruN /tmp/policy/file_contexts/program/fcron.fc policy/file_contexts/program/fcron.fc
--- /tmp/policy/file_contexts/program/fcron.fc	2002-08-23 20:44:20.000000000 +0200
+++ policy/file_contexts/program/fcron.fc	2002-09-03 02:28:59.000000000 +0200
@@ -2,4 +2,4 @@
 /usr/sbin/fcron			system_u:object_r:fcron_exec_t
 /var/spool/fcron		system_u:object_r:fcron_spool_t
 /var/spool/fcron/.*		<<none>>
-/var/spool/fcron/root.orig	system_u:object_r:sysadm_cron_spool_t
+/var/spool/fcron/systab.orig	system_u:object_r:sysadm_cron_spool_t
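Review bot: the rename to systab.orig is fine, but ordering matters: the entry must stay below the `/var/spool/fcron/.*  <<none>>` line, because a later matching specification overrides an earlier one; moving it above the wildcard would leave the file unlabelled.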
diff -ruN /tmp/policy/file_contexts/program/ipsec.fc policy/file_contexts/program/ipsec.fc
--- /tmp/policy/file_contexts/program/ipsec.fc	2002-08-23 21:04:28.000000000 +0200
+++ policy/file_contexts/program/ipsec.fc	2002-08-27 23:17:32.000000000 +0200
@@ -15,4 +15,4 @@
 /usr/local/lib/ipsec/spi	system_u:object_r:ipsec_exec_t
 /usr/sbin/ipsec			system_u:object_r:ipsec_mgmt_exec_t
 /usr/local/sbin/ipsec		system_u:object_r:ipsec_mgmt_exec_t
-/var/run/ipsec.info            system_u:object_r:ipsec_mgmt_var_run_t
+/var/run/ipsec.info		system_u:object_r:ipsec_var_run_t
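Review bot: changing /var/run/ipsec.info from ipsec_mgmt_var_run_t to ipsec_var_run_t is a type change with no matching ipsec.te hunk in this patch; whichever domain writes ipsec.info (the mgmt scripts, going by the old type) now needs create and write on ipsec_var_run_t, and the orphaned ipsec_mgmt_var_run_t declaration and any file_type_auto_trans to it should go in the same change.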
diff -ruN /tmp/policy/file_contexts/program/ircd.fc policy/file_contexts/program/ircd.fc
--- /tmp/policy/file_contexts/program/ircd.fc	2002-08-23 20:44:20.000000000 +0200
+++ policy/file_contexts/program/ircd.fc	2002-08-29 00:34:21.000000000 +0200
@@ -2,3 +2,4 @@
 /usr/sbin/(dancer-)?ircd	system_u:object_r:ircd_exec_t
 /etc/(dancer-)?ircd(/.*)?	system_u:object_r:etc_ircd_t
 /var/log/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_log_t
+/var/lib/dancer-ircd(/.*)?	system_u:object_r:var_lib_ircd_t
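Review bot: the new /var/lib entry hardcodes dancer-ircd while the three lines above use `(dancer-)?ircd`, so plain ircd's /var/lib/ircd stays unlabelled; use `/var/lib/(dancer-)?ircd(/.*)?` for consistency. Also confirm var_lib_ircd_t is declared in ircd.te, as no .te hunk accompanies this.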
diff -ruN /tmp/policy/file_contexts/program/pppd.fc policy/file_contexts/program/pppd.fc
--- /tmp/policy/file_contexts/program/pppd.fc	2002-07-03 22:26:22.000000000 +0200
+++ policy/file_contexts/program/pppd.fc	2002-09-08 19:20:23.000000000 +0200
@@ -1,4 +1,8 @@
 # pppd
 /usr/sbin/pppd			system_u:object_r:pppd_exec_t
+/usr/sbin/ipppd			system_u:object_r:pppd_exec_t
 /dev/ppp			system_u:object_r:ppp_device_t
+/dev/ippp.*			system_u:object_r:ppp_device_t
 /var/run/pppd.tdb		system_u:object_r:var_run_pppd_t
+/etc/ppp/.*secrets		system_u:object_r:pppd_secret_t
+/var/run/ipppd.*pid		system_u:object_r:var_run_pppd_t
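Review bot: labelling /etc/ppp/*secrets as pppd_secret_t (which covers chap-secrets and pap-secrets) is the right separation from etc_t, but pppd_secret_t needs a declaration and a read rule for pppd_t in pppd.te, neither of which is in this patch, and a `--` file-type qualifier would stop a directory named *secrets from picking up the type. The other entries (ipppd, /dev/ippp.*, /var/run/ipppd.*pid) just reuse existing pppd types and look fine.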
diff -ruN /tmp/policy/file_contexts/program/snmpd.fc policy/file_contexts/program/snmpd.fc
--- /tmp/policy/file_contexts/program/snmpd.fc	2002-08-26 18:50:44.000000000 +0200
+++ policy/file_contexts/program/snmpd.fc	2002-08-29 00:34:21.000000000 +0200
@@ -2,3 +2,4 @@
 /usr/sbin/snmp(trap)?d		system_u:object_r:snmpd_exec_t
 /var/lib/snmp(/.*)?		system_u:object_r:var_lib_snmpd_t
 /etc/snmp/snmp(trap)?d.conf	system_u:object_r:etc_snmpd_t
+/usr/share/snmp/mibs/.index	system_u:object_r:var_lib_snmpd_t
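Review bot: /usr/share/snmp/mibs/.index is a file snmpd rewrites at runtime, so giving it var_lib_snmpd_t instead of its parent's type is the only way to permit that, but it leaves a daemon-writable file under /usr/share; if net-snmp can be pointed at a cache under /var/lib/snmp that would be cleaner. Also escape the dot (`\.index`) so the pattern does not match any other single character in that position.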
diff -ruN /tmp/policy/file_contexts/program/vmware.fc policy/file_contexts/program/vmware.fc
--- /tmp/policy/file_contexts/program/vmware.fc	2002-07-12 17:19:44.000000000 +0200
+++ policy/file_contexts/program/vmware.fc	2002-08-24 22:59:34.000000000 +0200
@@ -30,6 +30,7 @@
 /dev/vmnet7                     system_u:object_r:vmware_device_t
 /dev/vmnet8                     system_u:object_r:vmware_device_t
 /dev/vmnet9                     system_u:object_r:vmware_device_t
+/dev/plex86			system_u:object_r:vmware_device_t
 
 /etc/vmware.*(/.*)?             system_u:object_r:vmware_sys_conf_t
 /usr/lib/vmware/config          system_u:object_r:vmware_sys_conf_t
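Review bot: /dev/plex86 belongs to plex86, not VMware, so sharing vmware_device_t means the vmware domains gain access to the plex86 kernel interface and anything later written for plex86 gets the VMware device; a comment, or a separate type if a plex86 policy is planned, would make the intent clear. The new line also uses a tab where the surrounding entries are space-aligned.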
diff -ruN /tmp/policy/macros/admin_macros.te policy/macros/admin_macros.te
--- /tmp/policy/macros/admin_macros.te	2002-09-09 19:54:23.000000000 +0200
+++ policy/macros/admin_macros.te	2002-08-29 00:35:40.000000000 +0200
@@ -17,7 +17,11 @@
 # Inherit rules for ordinary users.
 user_domain($1)
 
+rw_dir_create_file($1_t, policy_config_t)
+
+ifdef(`crond.te', `
 allow $1_crond_t var_log_t:file r_file_perms;
+')
 
 # Allow system log read
 allow $1_t kernel_t:system syslog_read;
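Review bot: `rw_dir_create_file($1_t, policy_config_t)` gives every domain built with this macro write and create access to the policy configuration files, which is a large grant to add without a comment; editing the policy sources is most of the way to changing the enforced policy once the load step runs. If only sysadm_t should have it, this belongs in sysadm-specific policy rather than the generic admin macro, and either way it needs a line saying why. The crond.te guard around the $1_crond_t rule is correct.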
diff -ruN /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2002-09-09 19:54:23.000000000 +0200
+++ policy/macros/global_macros.te	2002-09-10 00:12:18.000000000 +0200
@@ -193,6 +193,11 @@
 allow $1 $2:{ file lnk_file } create_file_perms;
 ')
 
+define(`create_dir_notdevfile', `
+allow $1 $2:dir create_dir_perms;
+allow $1 $2:notdevfile_class_set create_file_perms;
+')
+
 define(`create_append_log_file', `
 allow $1 $2:dir { read getattr access search add_name write };
 allow $1 $2:file { create ioctl getattr access setattr append link };
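Review bot: the neighbouring macros carry no comment either, but create_dir_notdevfile is broader than the plain file macros (notdevfile_class_set covers lnk_file, fifo_file and sock_file as well as file), so a one-line comment stating that, and that it exists for chroot_macros.te, would help readers choose the narrower macro where it suffices.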
@@ -736,7 +741,9 @@
 allow $1 boot_t:dir { search getattr };
 allow $1 boot_t:file getattr;
 allow $1 system_map_t:{ file lnk_file } r_file_perms;
+ifdef(`rpm.te', `
 allow $1 boot_runtime_t:{ file lnk_file } r_file_perms;
+')
 allow $1 boot_t:lnk_file read;
 
 # Read /etc.
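Review bot: wrapping the boot_runtime_t rule in ifdef(`rpm.te') implies boot_runtime_t is declared in rpm.te; if so this is the right fix for non-RPM builds, but it ties a generic boot-read macro to the RPM policy file, and a comment naming that dependency would save the next reader a grep.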
@@ -1016,3 +1023,4 @@
 uses_shlib($1_t)
 allow $1_t etc_t:dir r_dir_perms;
 ')
+
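Review bot: this hunk only appends a blank line at end of file; drop it from the patch.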
diff -ruN /tmp/policy/macros/program/chroot_macros.te policy/macros/program/chroot_macros.te
--- /tmp/policy/macros/program/chroot_macros.te	1970-01-01 01:00:00.000000000 +0100
+++ policy/macros/program/chroot_macros.te	2002-09-10 00:11:51.000000000 +0200
@@ -0,0 +1,129 @@
+
+# macro for chroot environments
+# Author Russell Coker
+
+# chroot(initial_domain, basename, role, tty_device_type)
+define(`chroot', `
+
+ifelse(`$1', `initrc', `
+define(`chroot_role', `system_r')
+define(`chroot_tty_device', `{ sysadm_devpts_t sysadm_tty_device_t }')
+define(`chroot_mount_domain', `mount_t')
+', `
+define(`chroot_role', `$1_r')
+define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
+
+# allow mounting /proc and /dev
+ifdef(`$1_mount_def', `', `
+mount_domain($1, $1_mount)
+role chroot_role types $1_mount_t;
+')
+define(`chroot_mount_domain', `$1_mount_t')
+ifdef(`ssh.te', `
+can_tcp_connect($1_ssh_t, $2_t)
+')dnl end ssh
+')dnl end ifelse initrc
+
+# types for read-only and read-write files in the chroot
+type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
+type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
+# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
+# when you execute it
+type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
+
+allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
+allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
+
+# entry point for $2_super_t
+type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
+# $2_t is the base domain, has full access to $2_rw_t files
+type $2_t, domain, userdomain, unpriv_userdomain;
+# $2_super_t is the super-chroot domain, can also write to $2_ro_t
+# but still can not access outside the chroot
+type $2_super_t, domain, userdomain, unpriv_userdomain;
+allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
+
+ifdef(`$1_chroot_def', `', `
+dnl can not have this defined twice
+define(`$1_chroot_def')
+
+allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
+
+# $1_chroot_t is the domain for /usr/sbin/chroot
+type $1_chroot_t, domain;
+
+# allow $1_chroot_t to write to the tty device
+allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
+allow $1_chroot_t privfd:fd use;
+allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
+
+role chroot_role types $1_chroot_t;
+uses_shlib($1_chroot_t)
+allow $1_chroot_t self:capability sys_chroot;
+allow $1_t $1_chroot_t:dir { search getattr read };
+allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
+domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
+allow $1_chroot_t fs_t:filesystem getattr;
+')dnl End conditional
+
+role chroot_role types { $2_t $2_super_t };
+
+# allow ps to show processes and allow killing them
+allow $1_t { $2_super_t $2_t }:dir { search getattr read };
+allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
+allow $1_t { $2_super_t $2_t }:process signal_perms;
+allow $2_super_t $2_t:dir { search getattr read };
+allow $2_super_t $2_t:{ file lnk_file } { read getattr };
+allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
+allow $1_t $2_super_t:process { signal_perms ptrace };
+allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
+
+allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
+allow { $2_super_t $2_t } device_t:dir { search getattr };
+allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
+allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
+allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
+allow $2_super_t self:capability sys_ptrace;
+
+can_tcp_connect($2_super_t, $2_t)
+allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
+
+allow { $2_super_t $2_t } devpts_t:dir { getattr search read };
+
+# quiet ps and killall
+dontaudit { $2_super_t $2_t } domain:dir { search getattr };
+
+# allow $2_t to write to the owner tty device (should remove this)
+allow $2_t chroot_tty_device:chr_file { read write };
+
+r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
+create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+# $2_super_t transitions to $2_t when it executes
+# any file that $2_t can write
+domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
+allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
+r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
+create_dir_notdevfile($2_t, $2_rw_t)
+allow $2_t $2_rw_t:fifo_file create_file_perms;
+allow $2_t $2_ro_t:fifo_file rw_file_perms;
+allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
+create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
+can_exec($1_t, { $2_ro_t $2_dropdown_t })
+domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
+domain_auto_trans_read($1_chroot_t, $2_super_entry_t, $2_super_t)
+allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
+general_proc_read_access({ $2_t $2_super_t })
+general_domain_access({ $2_t $2_super_t })
+can_create_pty($2)
+can_create_pty($2_super)
+can_network({ $2_t $2_super_t })
+allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
+allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
+allow { $2_t $2_super_t } self:capability { dac_override kill };
+
+undefine(`chroot_role')
+undefine(`chroot_tty_device')
+undefine(`chroot_mount_domain')
+')
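Review bot: ifdef(`$1_mount_def', ...) is tested near the top of the macro but nothing in this file ever defines $1_mount_def, unlike $1_chroot_def, which is defined right after its own test; unless mount_domain() defines it itself, a second chroot() invocation for the same initial domain will call mount_domain($1, $1_mount) again and redeclare $1_mount_t. Add `define(`$1_mount_def')` inside that branch, the way $1_chroot_def is handled. Other points: chroot_mount_domain gets mount and unmount on fs_t as a whole, not just on the chroot's filesystems, which is far wider than the /proc and /dev the comment mentions; both chroot domains get dac_override, chown, fowner, fsetid, setuid and setgid, a lot for a domain meant to be confined; the `should remove this` comment on the $2_t tty rule is a TODO that should be resolved or tracked; and because $2_super_t can both create files of type $2_super_entry_t and relabel among the four chroot types, it can fabricate its own entry points, which is harmless only because $2_t has no transition to $2_super_t, so that invariant deserves a comment.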
diff -ruN /tmp/policy/macros/program/crontab_macros.te policy/macros/program/crontab_macros.te
--- /tmp/policy/macros/program/crontab_macros.te	2002-09-09 19:54:24.000000000 +0200
+++ policy/macros/program/crontab_macros.te	2002-09-09 11:16:26.000000000 +0200
@@ -31,7 +31,7 @@
 every_domain($1_crontab_t)
 
 # Use capabilities
-allow $1_crontab_t $1_crontab_t:capability { setuid chown dac_override net_bind_service };
+allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override net_bind_service };
 
 # Type for temporary files.
 type $1_crontab_tmp_t, file_type, sysadmfile, tmpfile;
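Review bot: setgid is added to the crontab domain's capabilities without a comment; since every_domain($1_crontab_t) on the first context line already makes this a very broad domain, say which operation needs it (dropping to the crontab group on the spool, presumably) so the grant can be revisited later.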
@@ -45,7 +45,14 @@
 ifdef(`fcron.te', `
 file_type_auto_trans($1_crontab_t, fcron_spool_t, $1_cron_spool_t)
 allow fcron_t $1_cron_spool_t:file create_file_perms;
-')
+# fcron wants an instant update of a crontab change for the administrator
+ifelse(`$1', `sysadm', `
+allow $1_crontab_t fcron_t:process signal;
+', `
+dontaudit $1_crontab_t fcron_t:process signal;
+')dnl end ifelse
+')dnl end ifdef fcron
+
 # crontab signals crond by updating the mtime on the spooldir
 allow $1_crontab_t cron_spool_t:dir setattr;
 # Allow crond to read those crontabs in cron spool.
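Review bot: the ifelse compares $1 against the literal sysadm, so any other admin role built via admin_macros.te lands in the dontaudit branch and its crontab changes will not be picked up promptly by fcron; if that is intended, say so in the comment. The grant itself is narrow (process signal only, no sigkill), which is good.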
diff -ruN /tmp/policy/macros/program/mount_macros.te policy/macros/program/mount_macros.te
--- /tmp/policy/macros/program/mount_macros.te	2002-08-23 20:44:20.000000000 +0200
+++ policy/macros/program/mount_macros.te	2002-08-29 00:35:52.000000000 +0200
@@ -36,7 +36,7 @@
 file_type_auto_trans($2_t, etc_t, etc_runtime_t)
 
 # Access the terminal.
-allow $2_t $1_tty_device_t:chr_file { getattr read write };
+allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };
 allow $2_t $1_devpts_t:chr_file { getattr read write };
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 ')
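Review bot: ioctl is added for $1_tty_device_t but not for $1_devpts_t on the next line; a mount run from a pseudo-terminal (xterm, ssh) will hit the same denial, so either add ioctl to both or comment why only real ttys need it.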
diff -ruN /tmp/policy/macros/program/xserver_macros.te policy/macros/program/xserver_macros.te
--- /tmp/policy/macros/program/xserver_macros.te	2002-09-09 19:54:24.000000000 +0200
+++ policy/macros/program/xserver_macros.te	2002-08-31 17:50:44.000000000 +0200
@@ -20,8 +20,8 @@
 # FIXME!  The X server requires far too many privileges.
 #
 undefine(`xserver_domain')
-ifdef(`xserver.te',
-`
+ifdef(`xserver.te', `
+
 define(`xserver_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_xserver_t, domain, privlog, privmem;
@@ -106,8 +106,11 @@
 
 # Communicate via System V shared memory.
 allow $1_xserver_t $1_t:shm rw_shm_perms;
-ifelse($1, xdm, , `
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;')
+allow $1_t $1_xserver_t:shm rw_shm_perms;
+ifelse($1, xdm, `', `
+allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
+allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
+')
 
 # David Wheeler says he needs the following permission
 # for his X server.  Something is wrong here - the shared
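Review bot: the two new $1_t rules make the SysV shm and tmpfs access bidirectional, which is what MIT-SHM clients need, but $1_xserver_tmpfs_t is referenced here without being declared in this hunk; confirm the tmpfs type is created for every non-xdm user X server. The ifelse still passes $1 and xdm unquoted, which works only because neither is a defined macro name; quoting them, as the ifelse in crontab_macros.te does, would be safer.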
@@ -128,7 +131,7 @@
 dontaudit xdm_xserver_t sysadm_home_dir_t:dir { read search };
 ', `
 # Access the home directory.
-allow $1_xserver_t $1_home_dir_t:dir { read search };
+allow $1_xserver_t $1_home_dir_t:dir { getattr read search };
 allow $1_xserver_t $1_home_t:dir r_dir_perms;
 allow $1_xserver_t $1_home_t:file r_file_perms;')
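Review bot: adding getattr on the home directory is harmless, but the xdm branch just above only dontaudits { read search } on sysadm_home_dir_t without getattr, so if the same stat() happens under xdm its denial will now be the one that gets logged; add getattr to that dontaudit for symmetry.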
 
diff -ruN /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2002-09-09 19:54:23.000000000 +0200
+++ policy/macros/user_macros.te	2002-08-31 17:51:17.000000000 +0200
@@ -210,9 +210,11 @@
 allow $1_t xdm_xserver_tmp_t:sock_file { read write };
 allow $1_t xdm_xserver_tmp_t:dir search;
 
+ifelse(`$1', sysadm, `', `
 # gross hack - should not need this
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_home_t, file)
-')
+')dnl end ifelse sysadm
+')dnl end ifdef xdm.te
 
 # Access the sound device.
 allow $1_t sound_device_t:chr_file { getattr read write ioctl };
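Review bot: the ifelse's second argument is unquoted here (sysadm) while the same comparison in crontab_macros.te quotes it; quote it for consistency. More substantively, the `gross hack` of letting xdm_t create files in user home directories is now merely skipped for sysadm rather than fixed; a comment saying why sysadm is exempt (no xdm logins as root, presumably) would make the exemption deliberate rather than accidental.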


* Re: policy patches
  2002-09-09 22:59 Russell Coker
@ 2002-09-21  2:39 ` Stephen Smalley
  0 siblings, 0 replies; 47+ messages in thread
From: Stephen Smalley @ 2002-09-21  2:39 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux


On Tue, 10 Sep 2002, Russell Coker wrote:

> initrd.diff is part of the policy needed to get an initrd working properly, it
> doesn't have everything because it's difficult to separate it all.  But it's
> a good improvement and it has most of what you need.

Merged, except that I retained the policy target (but it is no longer the
default) and I omitted the gzip intermediate stage, as it conflicts with
the Tresys' work, which is trying to establish an assured pipeline for
policy updates.  The preferred solution is to modify checkpolicy to
directly support compressing the binary policy.

> misc.diff is many things that are patches for things that are in my area (IE
> dpkg.te), trivial, or patches for things that are not fully working anyway
> (postgresql and fcron) so which can't be broken.

Mostly merged, with a few changes rejected due to concerns about their
implications.

> amanda.diff is a patch for amanda to properly support the types for home dirs
> with multiple user roles.

Merged.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* policy patches
@ 2002-11-04 12:41 Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2002-11-04 12:41 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 956 bytes --]

I have attached two patches.  Games.diff addresses an unpublished security 
hole that will soon become public, and also a family of other similar 
problems.

The other patch has a bunch of things, a few things related to the 
initrc_devpts_t issue.  A change to the postfix policy which seems to be 
needed (for unknown reasons) on some systems (it's harmless enough that 
there's no reason not to include it in the main policy).  It also has a 
rewrite of xdm.te to use daemon_domain().  I've put in a change to courier.fc 
which allows you to press TAB in bash at the command line as an unpriv user 
without generating AVC messages...

There's a bunch of other things too which aren't very important.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: games.diff --]
[-- Type: text/x-diff, Size: 1856 bytes --]

diff -ru /tmp/policy/domains/program/games.te policy/domains/program/games.te
--- /tmp/policy/domains/program/games.te	2002-10-01 18:40:37.000000000 +0200
+++ policy/domains/program/games.te	2002-11-04 02:25:59.000000000 +0100
@@ -3,8 +3,14 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 
-# Type for the games that use X
-type games_exec_t, file_type, sysadmfile, exec_type;
+# type for shared data from games
+type games_data_t, file_type, sysadmfile;
+
+# domain games_t is for system operation of games, generic games daemons and
+# games recovery scripts, also defines games_exec_t
+daemon_domain(games)
+rw_dir_create_file(games_t, games_data_t)
+r_dir_file(initrc_t, games_data_t)
 
 # Everything else is in the x_client_domain macro in
 # macros/program/x_client_macros.te.
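Review bot: daemon_domain(games) creates a games_t domain in system_r that init scripts enter by executing anything labelled games_exec_t, and the .fc hunk labels all of /usr/games/* and /usr/lib/games/* that way, so every game binary becomes a possible system daemon entry point; if only a few recovery scripts or servers need games_t, give those their own exec type. The comment should also name the programs expected to run as games_t, and r_dir_file(initrc_t, games_data_t) needs its own justification.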
diff -ru /tmp/policy/file_contexts/program/games.fc policy/file_contexts/program/games.fc
--- /tmp/policy/file_contexts/program/games.fc	2002-10-01 18:40:37.000000000 +0200
+++ policy/file_contexts/program/games.fc	2002-11-04 02:26:15.000000000 +0100
@@ -1,2 +1,4 @@
 #  netscape/mozilla
 /usr/games/.*		system_u:object_r:games_exec_t
+/usr/lib/games/.* --	system_u:object_r:games_exec_t
+/var/games(/.*)?	system_u:object_r:games_data_t
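Review bot: the `#  netscape/mozilla` comment at the top of this file is a stale copy-paste and should say games. The new /usr/lib/games line carries a `--` qualifier (regular files only) while the existing /usr/games line labels directories too; pick one. Note also that both patterns give every file under those directories an exec type, including any data files.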
diff -ru /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2002-10-28 22:56:04.000000000 +0100
+++ policy/macros/user_macros.te	2002-11-04 02:26:41.000000000 +0100
@@ -120,7 +120,10 @@
 ifdef(`chkpwd.te', `chkpwd_domain($1)')
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`netscape.te', `netscape_domain($1)')
-ifdef(`games.te', `x_client_domain($1, games)')
+ifdef(`games.te', `
+x_client_domain($1, games)
+rw_dir_create_file($1_games_t, games_data_t)
+')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
 ifdef(`xserver.te', `xserver_domain($1)')
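Review bot: rw_dir_create_file($1_games_t, games_data_t) is the intended fix (score and save files under /var/games get a type only the games domains can write), but games_data_t is shared by games_t and every user's $1_games_t, so one user's game can still tamper with another user's score files; that matches the old setgid-games DAC model, and the comment should state that the type separation is from non-game code, not between users.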

[-- Attachment #3: diff --]
[-- Type: text/x-diff, Size: 10823 bytes --]

Only in /tmp/policy/domains: admin
diff -ru /tmp/policy/domains/program/acct.te policy/domains/program/acct.te
--- /tmp/policy/domains/program/acct.te	2002-09-27 22:27:37.000000000 +0200
+++ policy/domains/program/acct.te	2002-11-02 13:15:30.000000000 +0100
@@ -12,6 +12,13 @@
 daemon_base_domain(acct)
 domain_auto_trans(system_crond_t, acct_exec_t, acct_t)
 
+# for monthly cron job
+file_type_auto_trans(acct_t, var_log_t, wtmp_t)
+
+ifdef(`logrotate.te', `
+allow acct_t logrotate_exec_t:file getattr;
+')
+
 type acct_data_t, file_type, sysadmfile;
 
 allow acct_t self:capability sys_pacct;
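Review bot: file_type_auto_trans(acct_t, var_log_t, wtmp_t) makes every file acct_t creates in a var_log_t directory come out as wtmp_t, not only the rotated wtmp the monthly job writes; if the accounting log (acct_data_t, declared just below) is ever recreated in a var_log_t directory it will get wtmp_t instead, so make sure the directory holding pacct is labelled acct_data_t, or restrict the transition to the file class and name. The logrotate_exec_t getattr is harmless.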
diff -ru /tmp/policy/domains/program/automount.te policy/domains/program/automount.te
--- /tmp/policy/domains/program/automount.te	2002-08-23 21:04:28.000000000 +0200
+++ policy/domains/program/automount.te	2002-11-02 13:15:30.000000000 +0100
@@ -23,6 +23,11 @@
 type automount_var_run_t, file_type, sysadmfile, pidfile;
 file_type_auto_trans(automount_t, var_run_t, automount_var_run_t)
 
+allow automount_t initrc_devpts_t:chr_file rw_file_perms;
+
+# for if the mount point is not labelled
+allow automount_t file_t:dir getattr;
+
 # Create temporary files.
 type automount_tmp_t, file_type, sysadmfile, tmpfile;
 file_type_auto_trans(automount_t, tmp_t, automount_tmp_t)
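Review bot: getattr on file_t:dir is fine for probing an unlabelled mount point, but the comment should explain why the mount point is unlabelled instead of fixing its label; and rw_file_perms on initrc_devpts_t is the usual init-script pty grant, which belongs in the daemon macro rather than in each daemon file if it keeps recurring (this patch adds it again for bootloader_t).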
diff -ru /tmp/policy/domains/program/backup.te policy/domains/program/backup.te
--- /tmp/policy/domains/program/backup.te	2002-09-21 05:01:25.000000000 +0200
+++ policy/domains/program/backup.te	2002-11-01 15:30:00.000000000 +0100
@@ -29,7 +29,7 @@
 
 allow backup_t file_type:dir r_dir_perms;
 allow backup_t file_type:{ file lnk_file } r_file_perms;
-allow backup_t file_type:{ sock_file fifo_file } getattr;
+allow backup_t file_type:{ sock_file fifo_file chr_file blk_file } getattr;
 allow backup_t var_t:file create_file_perms;
 
 allow backup_t proc_t:dir r_dir_perms;
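Review bot: harmless, since getattr on device nodes exposes only metadata; the real exposure in this block is the existing unconditional read of every file_type file and lnk_file on the context lines above, which a backup domain needs but which deserves a comment noting it covers shadow_t and the other secret-bearing types.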
diff -ru /tmp/policy/domains/program/bootloader.te policy/domains/program/bootloader.te
--- /tmp/policy/domains/program/bootloader.te	2002-11-04 13:27:50.000000000 +0100
+++ policy/domains/program/bootloader.te	2002-10-30 22:25:50.000000000 +0100
@@ -20,7 +20,7 @@
 allow bootloader_t var_log_t:file write;
 
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t privfd:fd use;
+allow bootloader_t { initrc_t privfd }:fd use;
 
 file_type_auto_trans(bootloader_t, tmp_t, bootloader_tmp_t)
 allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;
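Review bot: adding initrc_t to the fd-use rule implies bootloader_t is now reached from init scripts, but the only transition in this hunk is domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t); if the path is initrc_t through dpkg_t to bootloader_t (the dpkg.te ifdef in the next hunk mentions making an initrd), the inherited descriptors come from initrc_t via dpkg_t and a comment should say so, otherwise the rule is unexplained.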
@@ -78,7 +78,7 @@
 allow bootloader_t etc_runtime_t:file r_file_perms;
 
 allow bootloader_t devtty_t:chr_file rw_file_perms;
-allow bootloader_t admin_tty_type:chr_file rw_file_perms;
+allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 
 ifdef(`dpkg.te', `
 # for making an initrd
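Review bot: same pattern as the fd rule above: rw_file_perms on initrc_devpts_t lets the bootloader talk to a pty held by an init script; since this patch adds the identical grant to automount_t, put the initrc_devpts_t tty rule in one shared macro instead of repeating it per daemon.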
diff -ru /tmp/policy/domains/program/dpkg.te policy/domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-11-04 13:27:51.000000000 +0100
+++ policy/domains/program/dpkg.te	2002-11-02 23:26:16.000000000 +0100
@@ -32,6 +32,7 @@
 ifdef(`modutil.te', `
 domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
 domain_auto_trans(dpkg_t, insmod_exec_t, insmod_t)
+domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
 ')
 ifdef(`ipsec.te', `
 allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
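Review bot: moving the depmod transition inside ifdef(`modutil.te') is the right fix for builds without modutil.te, and the unconditional copy is removed in a later hunk; no further concerns.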
@@ -123,10 +124,16 @@
 r_dir_file({ apt_t userdomain }, { var_lib_dpkg_t var_lib_apt_t var_cache_apt_t })
 ifdef(`crond.te', `
 r_dir_file(system_crond_t, var_lib_dpkg_t)
+allow system_crond_t etc_dpkg_t:file r_file_perms;
+
+# for Debian cron job
+allow system_crond_t shadow_t:file { read getattr };
+create_dir_file(system_crond_t, tetex_data_t)
+can_exec(dpkg_t, tetex_data_t)
 ')
 
 r_dir_file(install_menu_t, var_lib_dpkg_t)
-allow { apt_t install_menu_t userdomain system_crond_t } etc_dpkg_t:file r_file_perms;
+allow { apt_t install_menu_t userdomain } etc_dpkg_t:file r_file_perms;
 can_exec(sysadm_t, etc_dpkg_t)
 
 # Inherit and use descriptors from any domain.
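Review bot: `allow system_crond_t shadow_t:file { read getattr }` lets every job run from the system crontab read /etc/shadow, not just the Debian job that needs it; that is a significant widening of system_crond_t and deserves a dedicated domain for that job, or at least a comment naming the job and why it needs the hashes. Also, can_exec(dpkg_t, tetex_data_t) has nothing to do with crond and should sit outside the ifdef(`crond.te') block. Giving system_crond_t its own etc_dpkg_t read rule while removing it from the shared allow below is fine.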
@@ -168,7 +175,6 @@
 allow dpkg_t root_dir_type:dir getattr;
 
 allow dpkg_t security_t:security sid_to_context;
-domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
 
 # change to the apt_t domain on exec from dpkg_t (dselect)
 domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
@@ -254,13 +260,6 @@
 
 allow install_menu_t self:process { fork sigchld };
 
-# for Debian cron job
-ifdef(`crond.te', `
-allow system_crond_t shadow_t:file { read getattr };
-create_dir_file(system_crond_t, tetex_data_t)
-can_exec(dpkg_t, tetex_data_t)
-')
-
 role system_r types { dpkg_t apt_t install_menu_t };
 
 #################################
diff -ru /tmp/policy/domains/program/fcron.te policy/domains/program/fcron.te
--- /tmp/policy/domains/program/fcron.te	2002-10-01 19:28:43.000000000 +0200
+++ policy/domains/program/fcron.te	2002-11-02 23:45:13.000000000 +0100
@@ -39,7 +39,7 @@
 allow fcron_t system_crond_script_t:file create_file_perms;
 
 # Read /etc/security/cron_context
-allow fcron_t cron_context_t:file r_file_perms;
+allow fcron_t default_context_t:file r_file_perms;
 
 allow fcron_t etc_t:lnk_file read;
 allow fcron_t { etc_t resolv_conf_t }:file { read getattr };
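Review bot: the comment `# Read /etc/security/cron_context` is now wrong if that file carries default_context_t; update it to the actual path. default_context_t is also wider than cron_context_t (it covers the other context files under /etc/security), which is acceptable for read access but should be stated.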
diff -ru /tmp/policy/domains/program/postfix.te policy/domains/program/postfix.te
--- /tmp/policy/domains/program/postfix.te	2002-11-04 13:27:52.000000000 +0100
+++ policy/domains/program/postfix.te	2002-11-01 12:38:12.000000000 +0100
@@ -177,7 +177,7 @@
 postfix_user_domain(postqueue)
 allow postfix_postqueue_t postfix_public_t:dir search;
 allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
-allow postfix_postqueue_t self:udp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
 allow postfix_master_t postfix_postqueue_exec_t:file getattr;
 
 # to write the mailq output, it really should not need read access!
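Review bot: the covering email says the ioctl on a freshly created udp_socket is needed for unknown reasons; the usual cause is interface enumeration (a UDP socket opened only to issue SIOCGIFCONF), which is benign, but record that in a comment instead of leaving the rule unexplained, and check whether the other postfix user domains need the same.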
@@ -193,6 +193,7 @@
 postfix_user_domain(showq)
 # the following auto_trans is usually in postfix server domain
 domain_auto_trans_read(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+allow postfix_showq_t self:udp_socket { create ioctl };
 allow postfix_showq_t { postfix_spool_t }:dir r_dir_perms;
 r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
 domain_auto_trans_read(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
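Review bot: same udp_socket { create ioctl } grant as for postqueue above, and the same request: a comment on why showq opens a UDP socket at all.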
diff -ru /tmp/policy/domains/program/postgresql.te policy/domains/program/postgresql.te
--- /tmp/policy/domains/program/postgresql.te	2002-10-28 22:55:56.000000000 +0100
+++ policy/domains/program/postgresql.te	2002-11-03 10:33:24.000000000 +0100
@@ -16,7 +16,10 @@
 domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
 ')
 
-dontaudit postgresql_t { sysadm_home_dir_t var_spool_t }:dir search;
+dontaudit postgresql_t sysadm_home_dir_t:dir search;
+
+# for currect directory of scripts
+allow postgresql_t { var_spool_t cron_spool_t }:dir search;
 
 # capability kill is for shutdown script
 allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid };
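Review bot: `currect` in the new comment should be `current`. More to the point, the script-cwd case was previously a dontaudit on var_spool_t; turning it into an allow on var_spool_t and cron_spool_t gives the database daemon search through spool directories it has no business in, when a dontaudit on both would silence the noise without the grant.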
diff -ru /tmp/policy/domains/program/xdm.te policy/domains/program/xdm.te
--- /tmp/policy/domains/program/xdm.te	2002-10-10 17:50:21.000000000 +0200
+++ policy/domains/program/xdm.te	2002-11-02 23:53:31.000000000 +0100
@@ -13,21 +13,13 @@
 # spawned by getty.
 # xdm_exec_t is the type of the [xgk]dm program
 #
-type xdm_t, domain, privuser, privrole, privlog, auth, privowner, privmem;
-role system_r types xdm_t;
-every_domain(xdm_t)
-type xdm_exec_t, file_type, sysadmfile, exec_type;
-type xdm_var_run_t, file_type, sysadmfile, pidfile;
-type xdm_tmp_t, file_type, sysadmfile, tmpfile;
+daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')
+#every_domain(xdm_t)
+tmp_domain(xdm)
 type xsession_exec_t, file_type, sysadmfile, exec_type;
 
-# Run the X Display Manager in its own domain.
-domain_auto_trans({ init_t initrc_t }, xdm_exec_t, xdm_t)
-
 allow xdm_t default_context_t:file { read getattr };
 
-allow xdm_t init_t:fd use;
-
 # for reboot
 allow xdm_t initctl_t:fifo_file write;
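Review bot: the removed type line carried privlog and the new daemon_domain(xdm, `...') attribute list does not; unless daemon_domain supplies privlog itself, xdm_t loses syslog access. The `#every_domain(xdm_t)` line is dead code that should either go or become a note explaining the privilege reduction; and since every_domain is being dropped, the rewrite needs a full login-cycle test, because the denials it used to hide will now surface.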
 
@@ -43,8 +35,6 @@
 domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
 
 # Label pid and temporary files with derived types.
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t)
-file_type_auto_trans(xdm_t, tmp_t, xdm_tmp_t)
 rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
 allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
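Review bot: dropping the two file_type_auto_trans rules assumes daemon_domain(xdm) and tmp_domain(xdm) declare xdm_var_run_t and xdm_tmp_t with their transitions; the remaining references to xdm_tmp_t on the lines above depend on it. Fine if so, but a comment pointing at the macros would help now that the types are no longer visibly declared in this file.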
 
Only in /tmp/policy/domains: system
Only in /tmp/policy/domains: user
diff -ru /tmp/policy/file_contexts/program/courier.fc policy/file_contexts/program/courier.fc
--- /tmp/policy/file_contexts/program/courier.fc	2002-07-12 17:19:44.000000000 +0200
+++ policy/file_contexts/program/courier.fc	2002-10-29 17:23:06.000000000 +0100
@@ -1,9 +1,9 @@
 # courier pop, imap, and webmail
-/usr/lib/courier(/.*)?		system_u:object_r:etc_courier_t
+/usr/lib/courier(/.*)?		system_u:object_r:bin_t
+/usr/lib/courier/rootcerts(/.*)? system_u:object_r:etc_courier_t
 /usr/lib/courier/authlib/.*	system_u:object_r:courier_authdaemon_exec_t
 /usr/lib/courier/courier/.*	system_u:object_r:courier_exec_t
 /usr/lib/courier/courier/courierpop.*	system_u:object_r:courier_pop_exec_t
-/usr/lib/courier/courier/courierpop3.*	system_u:object_r:courier_pop_exec_t
 /usr/lib/courier/courier/imaplogin	system_u:object_r:courier_pop_exec_t
 /usr/lib/courier/courier/pcpd	system_u:object_r:courier_pcp_exec_t
 /usr/lib/courier/imapd		system_u:object_r:courier_pop_exec_t
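Review bot: relabelling all of /usr/lib/courier from etc_courier_t to bin_t to stop AVC noise from bash tab completion changes the exec semantics for every domain allowed to execute bin_t, not just the user's shell, so courier's helper programs become runnable without a transition wherever bin_t is; a dontaudit of the directory read in the user domains would fix the noise without that exposure. Ordering is correct under last-match-wins (the rootcerts and per-program lines follow the catch-all), and removing the courierpop3 line is fine since courierpop.* already matches it.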
diff -ru /tmp/policy/file_contexts/program/fcron.fc policy/file_contexts/program/fcron.fc
--- /tmp/policy/file_contexts/program/fcron.fc	2002-09-21 05:01:29.000000000 +0200
+++ policy/file_contexts/program/fcron.fc	2002-11-02 23:47:22.000000000 +0100
@@ -3,3 +3,4 @@
 /var/spool/fcron		system_u:object_r:fcron_spool_t
 /var/spool/fcron/.*		<<none>>
 /var/spool/fcron/systab.orig	system_u:object_r:sysadm_cron_spool_t
+/var/run/fcron.fifo		system_u:object_r:var_run_fcron_t
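Review bot: var_run_fcron_t follows a different naming convention from the other pid-file types in this patch (automount_var_run_t, xdm_var_run_t); pick one. Since fcron creates the fifo at runtime, this entry only matters for relabelling, so also confirm fcron.te has the matching file_type_auto_trans and fifo_file rules.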
diff -ru /tmp/policy/file_contexts/program/ipsec.fc policy/file_contexts/program/ipsec.fc
--- /tmp/policy/file_contexts/program/ipsec.fc	2002-09-21 05:01:29.000000000 +0200
+++ policy/file_contexts/program/ipsec.fc	2002-11-02 23:47:02.000000000 +0100
@@ -16,3 +16,4 @@
 /usr/sbin/ipsec			system_u:object_r:ipsec_mgmt_exec_t
 /usr/local/sbin/ipsec		system_u:object_r:ipsec_mgmt_exec_t
 /var/run/ipsec.info		system_u:object_r:ipsec_var_run_t
+/var/run/pluto.ctl		system_u:object_r:ipsec_var_run_t
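Review bot: /var/run/pluto.ctl is pluto's control socket, so besides the label, whatever runs `ipsec whack` (ipsec_mgmt_t, going by the entries above) needs write on ipsec_var_run_t:sock_file and connectto on the pluto domain's unix_stream_socket; none of that is in this patch, so the .fc line alone will not make the control path work.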
diff -ru /tmp/policy/macros/program/netscape_macros.te policy/macros/program/netscape_macros.te
--- /tmp/policy/macros/program/netscape_macros.te	2002-10-01 19:28:53.000000000 +0200
+++ policy/macros/program/netscape_macros.te	2002-11-02 13:19:56.000000000 +0100
@@ -27,6 +27,9 @@
 allow httpd_t $1_netscape_t:tcp_socket { recvfrom acceptfrom };
 ')
 
+dontaudit $1_netscape_t $1_home_t:dir rw_dir_perms;
+dontaudit $1_netscape_t $1_home_t:file rw_file_perms;
+
 # Use printer
 ifdef(`lpr.te', `domain_auto_trans($1_netscape_t, lpr_exec_t, $1_lpr_t)')
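Review bot: a dontaudit of rw_dir_perms and rw_file_perms on the user's whole home directory type silences exactly the denials that would reveal the browser writing where it should not, which is the point of giving it its own domain; narrow this to the specific permissions actually being logged and say in a comment what triggers them.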
 


* policy patches
@ 2003-03-22 22:14 Russell Coker
  2003-03-24 17:13 ` Wayne Salamon
  0 siblings, 1 reply; 47+ messages in thread
From: Russell Coker @ 2003-03-22 22:14 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 458 bytes --]

I've attached a patch for the passwd_t policy as previously described.

I've also attached a patch containing some trivial changes, none of which 
should require much consideration before being included.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: passwd --]
[-- Type: text/x-diff, Size: 2633 bytes --]

diff -ru /tmp/policy/assert.te policy/assert.te
--- /tmp/policy/assert.te	2003-01-20 01:03:58.000000000 +0100
+++ policy/assert.te	2003-03-07 10:11:56.000000000 +0100
@@ -113,7 +113,7 @@
 #
 ifdef(`passwd.te',
 `neverallow passwd_t ~{ admin_passwd_exec_t passwd_exec_t }:file entrypoint;
-neverallow passwd_t ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;')
+neverallow passwd_t ~{ bin_t sbin_t shell_exec_t ld_so_t passwd_real_exec_t }:file execute_no_trans;')
 
 #
 # Verify that only the admin domains and initrc_t have avc_toggle.
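Review bot: exempting passwd_real_exec_t from the execute_no_trans assertion is only safe because the type is declared without exec_type (passwd.te hunk in this same patch) and is never an entrypoint; the first neverallow still limits entrypoints to admin_passwd_exec_t and passwd_exec_t. A one-line comment here saying that passwd_real_exec_t is the real /usr/bin/passwd run by the wrapper and is deliberately not an entrypoint would stop the next reader from "fixing" it.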
diff -ru /tmp/policy/domains/program/passwd.te policy/domains/program/passwd.te
--- /tmp/policy/domains/program/passwd.te	2003-03-13 16:14:38.000000000 +0100
+++ policy/domains/program/passwd.te	2003-03-22 22:23:00.000000000 +0100
@@ -18,6 +18,7 @@
 role sysadm_r types passwd_t;
 
 type passwd_exec_t, file_type, sysadmfile, exec_type;
+type passwd_real_exec_t, file_type, sysadmfile;
 type admin_passwd_exec_t, file_type, sysadmfile;
 
 general_domain_access(passwd_t);
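Review bot: passwd_real_exec_t carries file_type and sysadmfile but not exec_type, so any domain that could run /usr/bin/passwd only because it was bin_t or matched exec_type loses that access once the file is relabelled and must go through the spasswd wrapper. That is presumably the intent, but it should be said in a comment next to the type declaration, since omitting exec_type looks like an oversight next to passwd_exec_t on the line above.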
@@ -27,6 +28,9 @@
 domain_auto_trans(userdomain, passwd_exec_t, passwd_t)
 domain_auto_trans(sysadm_t, admin_passwd_exec_t, passwd_t)
 
+# for vipw - vi looks in the root home directory for config
+dontaudit passwd_t sysadm_home_dir_t:dir { getattr search };
+
 # Use capabilities.
 allow passwd_t passwd_t:capability { chown dac_override fsetid setuid sys_resource };
 
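Review bot: the dontaudit on sysadm_home_dir_t is a fine noise reduction, but the comment should say that vi's configuration in root's home is intentionally unreadable from passwd_t (the editor runs with this domain's chown, dac_override and setuid capabilities), so the denial is expected and not something to resolve later with an allow rule.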
@@ -35,7 +39,7 @@
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 allow passwd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(passwd_t, { bin_t sbin_t shell_exec_t })
+can_exec(passwd_t, { bin_t sbin_t shell_exec_t passwd_real_exec_t })
 
 # allow checking if a shell is executable
 allow passwd_t shell_exec_t:file execute;
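Review bot: with can_exec on bin_t, sbin_t and shell_exec_t, the editor that vipw spawns, and any shell escape from it, runs in passwd_t with the chown, dac_override, fsetid and setuid capabilities granted above. Adding passwd_real_exec_t here is correct, but since passwd_t is the same domain that userdomain enters through passwd_exec_t, consider splitting the administrative (svipw) use into its own domain so that the capability set reachable from an ordinary user is only what spasswd needs.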
@@ -72,3 +76,5 @@
 # audit those denials.
 # Access denials to /var aren't audited either.
 dontaudit passwd_t { proc_t device_t var_t }:dir { search read };
+
+allow passwd_t device_t:dir getattr;
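Review bot: the new allow for device_t:dir getattr has no comment, unlike the rest of this file, and it lands directly under a comment explaining that device_t search denials are deliberately left unaudited; say which program stats /dev so the rule is not later folded into the dontaudit above.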
diff -ru /tmp/policy/file_contexts/program/passwd.fc policy/file_contexts/program/passwd.fc
--- /tmp/policy/file_contexts/program/passwd.fc	2002-09-27 22:27:40.000000000 +0200
+++ policy/file_contexts/program/passwd.fc	2003-03-07 10:15:28.000000000 +0100
@@ -5,6 +5,7 @@
 /usr/local/selinux/bin/svipw    system_u:object_r:admin_passwd_exec_t
 /usr/local/selinux/bin/sadminpasswd system_u:object_r:admin_passwd_exec_t
 /usr/bin/spasswd		system_u:object_r:passwd_exec_t
+/usr/bin/passwd			system_u:object_r:passwd_real_exec_t
 /usr/bin/schsh			system_u:object_r:passwd_exec_t
 /usr/bin/schfn			system_u:object_r:passwd_exec_t
 /usr/bin/svipw                 system_u:object_r:admin_passwd_exec_t
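Review bot: only /usr/bin/passwd is relabelled to passwd_real_exec_t while the schsh and schfn wrappers remain for chfn and chsh; if those programs are meant to be reached only through the wrappers, /usr/bin/chfn and /usr/bin/chsh need the same label, otherwise they stay bin_t and remain directly executable from the user domain.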

[-- Attachment #3: trivial --]
[-- Type: text/x-diff, Size: 15631 bytes --]

diff -ru /tmp/policy/domains/program/crond.te policy/domains/program/crond.te
--- /tmp/policy/domains/program/crond.te	2003-01-20 01:04:00.000000000 +0100
+++ policy/domains/program/crond.te	2003-02-24 08:12:09.000000000 +0100
@@ -10,7 +10,7 @@
 #	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
 #
 
-# Domain for crond.  Does it really need auth?
+# Domain for crond.  It needs auth to check for locked accounts.
 daemon_domain(crond, `, privrole, privmail, auth, privfd')
 
 # This domain is granted permissions common to most domains (including can_net)
@@ -157,6 +157,9 @@
 system_crond_entry(insmod_exec_t, insmod_t)
 ')
 
+# for if /var/mail is a symlink
+allow crond_t mail_spool_t:lnk_file read;
+
 # Run logrotate in the logrotate_t domain.
 ifdef(`logrotate.te', `
 system_crond_entry(logrotate_exec_t, logrotate_t)
diff -ru /tmp/policy/domains/program/init.te policy/domains/program/init.te
--- /tmp/policy/domains/program/init.te	2003-03-22 21:52:23.000000000 +0100
+++ policy/domains/program/init.te	2003-03-22 22:07:25.000000000 +0100
@@ -100,7 +100,7 @@
 # get stuck if you don't allow unlabeled policies to signal init
 # If you load an incompatible policy, you should probably reboot,
 # since you may have compromised system security.
-# allow unlabeled_t init_t:process sigchld;
+allow unlabeled_t init_t:process sigchld;
 
 # Read and write the console and ttys.
 allow init_t console_device_t:chr_file rw_file_perms;
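Review bot: turning the commented-out rule into a live allow changes the meaning of the comment block above it, which now reads as an argument against granting it; reword the comment to say the rule is granted so init is not wedged after a policy reload, and that sigchld is deliberately the only process permission unlabeled_t gets on init_t, so nobody later widens it to signal_perms.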
diff -ru /tmp/policy/domains/program/initrc.te policy/domains/program/initrc.te
--- /tmp/policy/domains/program/initrc.te	2003-03-22 21:52:23.000000000 +0100
+++ policy/domains/program/initrc.te	2003-03-22 22:12:15.000000000 +0100
@@ -173,10 +173,12 @@
 allow initrc_t ttyfile:chr_file relabelfrom;
 allow initrc_t tty_device_t:chr_file relabelto;
 
+ifdef(`rpm.te', `
 # Create and read /boot/kernel.h.
 # Redhat systems typically create this file at boot time.
 allow initrc_t boot_t:lnk_file r_file_perms;
 file_type_auto_trans(initrc_t, boot_t, boot_runtime_t)
+')
 
 # Delete and re-create /boot/System.map.
 allow initrc_t boot_t:dir { read getattr write remove_name add_name };
diff -ru /tmp/policy/domains/program/modutil.te policy/domains/program/modutil.te
--- /tmp/policy/domains/program/modutil.te	2003-03-22 21:52:25.000000000 +0100
+++ policy/domains/program/modutil.te	2003-03-22 22:14:03.000000000 +0100
@@ -115,7 +115,7 @@
 allow update_modules_t privfd:fd use;
 allow update_modules_t init_t:fd use;
 
-allow update_modules_t device_t:dir search;
+allow update_modules_t device_t:dir { getattr search };
 allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
 allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 
@@ -127,7 +127,7 @@
 allow update_modules_t modules_dep_t:file rw_file_perms;
 file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t)
 domain_auto_trans_read(update_modules_t, depmod_exec_t, depmod_t)
-can_exec(update_modules_t, { shell_exec_t bin_t update_modules_exec_t })
+can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
 allow update_modules_t bin_t:lnk_file read;
 allow update_modules_t { sbin_t bin_t }:dir search;
 allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
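Review bot: adding etc_t to can_exec lets update_modules_t execute any file labelled etc_t, which is every generic configuration file, not just the scripts under /etc/modutils it presumably wants; a dedicated type for those scripts, or at the very least a comment naming them, keeps the execute permission from covering the whole of /etc.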
diff -ru /tmp/policy/domains/program/newrole.te policy/domains/program/newrole.te
--- /tmp/policy/domains/program/newrole.te	2003-03-22 21:52:25.000000000 +0100
+++ policy/domains/program/newrole.te	2003-03-22 22:21:36.000000000 +0100
@@ -78,8 +78,10 @@
 #
 allow newrole_t security_t:security { sid_to_context context_to_sid change_sid };
 
-# for some PAM modules
-dontaudit newrole_t { home_type }:dir search;
+allow newrole_t fs_t:filesystem getattr;
+
+# for some PAM modules and for cwd
+dontaudit newrole_t { home_root_t home_type }:dir search;
 
 # Failed reads to /proc cause no harm, so don't audit them
 dontaudit newrole_t proc_t:dir search;
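Review bot: the new allow newrole_t fs_t:filesystem getattr is dropped between two commented rules without a comment of its own; record what issues the statfs. Note also that the dontaudit now covers home_root_t as well, so a genuinely misplaced cwd will no longer show up in the logs, which is the trade-off the comment should state.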
diff -ru /tmp/policy/domains/program/setfiles.te policy/domains/program/setfiles.te
--- /tmp/policy/domains/program/setfiles.te	2003-01-20 01:04:01.000000000 +0100
+++ policy/domains/program/setfiles.te	2003-03-18 12:09:56.000000000 +0100
@@ -23,7 +23,7 @@
 allow setfiles_t privfd:fd use;
 
 uses_shlib(setfiles_t)
-allow setfiles_t self:capability dac_override;
+allow setfiles_t self:capability { dac_override dac_read_search };
 
 # for upgrading glibc - without this the glibc upgrade scripts will put things
 # in a state such that setfiles can not be run!
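Review bot: dac_read_search is added without a comment; dac_override is already granted and the kernel checks it before dac_read_search for read and search, so this is normally subsumed. If a denial was actually observed, the comment should say on which path, so the grant can be revisited rather than copied into other domains.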
@@ -44,5 +44,9 @@
 allow setfiles_t fs_t:filesystem getattr;
 allow setfiles_t fs_type:dir r_dir_perms;
 
+allow setfiles_t etc_runtime_t:file read;
+allow setfiles_t etc_t:file read;
+allow setfiles_t proc_t:file { getattr read };
+
 # for config files in a home directory
 allow setfiles_t home_type:file r_file_perms;
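Review bot: the three new allow rules carry no comment while every neighbouring rule in this file explains itself (the home_type rule below is a good model); say what setfiles reads from etc_t, etc_runtime_t and proc_t files (a mount table, presumably) so the permission can later be narrowed to a specific type instead of all of /etc.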
diff -ru /tmp/policy/file_contexts/program/crond.fc policy/file_contexts/program/crond.fc
--- /tmp/policy/file_contexts/program/crond.fc	2003-03-16 12:33:44.000000000 +0100
+++ policy/file_contexts/program/crond.fc	2003-03-17 00:02:51.000000000 +0100
@@ -1,6 +1,6 @@
 # crond
 /etc/crontab			system_u:object_r:system_crond_script_t
-/etc/cron.d(/.*)?		system_u:object_r:system_crond_script_t
+/etc/cron\.d(/.*)?		system_u:object_r:system_crond_script_t
 /usr/sbin/cron(d)?		system_u:object_r:crond_exec_t
 /usr/sbin/anacron		system_u:object_r:anacron_exec_t
 /var/spool/cron			system_u:object_r:cron_spool_t
@@ -9,7 +9,7 @@
 /var/spool/cron/crontabs/root	system_u:object_r:sysadm_cron_spool_t
 /var/log/cron			system_u:object_r:cron_log_t
 /var/log/mrtg(/.*)?		system_u:object_r:cron_log_t
-/var/run/crond.reboot		system_u:object_r:var_run_crond_t
+/var/run/crond\.reboot		system_u:object_r:var_run_crond_t
 /var/run/crond\.pid		system_u:object_r:var_run_crond_t
 # fcron
 /usr/sbin/fcron			system_u:object_r:crond_exec_t
diff -ru /tmp/policy/file_contexts/program/dhcpc.fc policy/file_contexts/program/dhcpc.fc
--- /tmp/policy/file_contexts/program/dhcpc.fc	2003-03-16 12:33:44.000000000 +0100
+++ policy/file_contexts/program/dhcpc.fc	2003-03-16 23:57:14.000000000 +0100
@@ -6,3 +6,4 @@
 /sbin/dhclient.*		system_u:object_r:dhcpc_exec_t
 /var/lib/dhcp(3)?		system_u:object_r:dhcp_state_t
 /var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
+/var/run/dhclient\.pid		system_u:object_r:var_run_dhcpc_t
diff -ru /tmp/policy/file_contexts/program/dpkg.fc policy/file_contexts/program/dpkg.fc
--- /tmp/policy/file_contexts/program/dpkg.fc	2003-03-13 16:14:48.000000000 +0100
+++ policy/file_contexts/program/dpkg.fc	2003-03-18 12:16:55.000000000 +0100
@@ -32,3 +32,5 @@
 /usr/share/console/getkmapchoice\.pl system_u:object_r:bin_t
 /var/run/update-menus\.pid	system_u:object_r:install_menu_var_run_t
 /usr/share/openoffice\.org-debian-files/install-hook system_u:object_r:bin_t
+/usr/share/dlint/digparse	system_u:object_r:bin_t
+/usr/share/gimp/1.2/user_install system_u:object_r:bin_t
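Review bot: the dot in /usr/share/gimp/1.2/user_install is unescaped, unlike the surrounding entries which write \. (and unlike the crond.fc fixes in this same patch); as written the pattern also matches paths such as /usr/share/gimp/1x2/user_install, so write it as /usr/share/gimp/1\.2/user_install.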
diff -ru /tmp/policy/file_contexts/program/gpg.fc policy/file_contexts/program/gpg.fc
--- /tmp/policy/file_contexts/program/gpg.fc	2003-02-13 17:16:50.000000000 +0100
+++ policy/file_contexts/program/gpg.fc	2003-03-12 23:13:38.000000000 +0100
@@ -1,4 +1,4 @@
 # gpg
-/home/[^/]+/\.gnupg(/.+)?		system_u:object_r:user_gpg_secret_t
-/root/[^/]+/\.gnupg(/.+)?		system_u:object_r:sysadm_gpg_secret_t
+/home/[^/]+/\.gnupg(/.+)?	system_u:object_r:user_gpg_secret_t
+/root/\.gnupg(/.+)?		system_u:object_r:sysadm_gpg_secret_t
 /usr/bin/gpg			system_u:object_r:gpg_exec_t
diff -ru /tmp/policy/file_contexts/program/modutil.fc policy/file_contexts/program/modutil.fc
--- /tmp/policy/file_contexts/program/modutil.fc	2003-03-16 12:33:44.000000000 +0100
+++ policy/file_contexts/program/modutil.fc	2003-03-17 00:30:21.000000000 +0100
@@ -2,7 +2,7 @@
 /etc/modules\.conf(.old)?	system_u:object_r:modules_conf_t
 /lib/modules(/.*)?		system_u:object_r:modules_object_t
 /lib/modules/[^/]+/modules\..+ system_u:object_r:modules_dep_t
-/lib/modules/modprobe\.conf	system_u:object_r:modules_conf_t
+/lib/modules/modprobe\.conf.*	system_u:object_r:modules_conf_t
 /sbin/depmod.*			system_u:object_r:depmod_exec_t
 /sbin/modprobe.*		system_u:object_r:insmod_exec_t
 /sbin/insmod.*			system_u:object_r:insmod_exec_t
diff -ru /tmp/policy/file_contexts/program/netutils.fc policy/file_contexts/program/netutils.fc
--- /tmp/policy/file_contexts/program/netutils.fc	2002-07-03 22:26:22.000000000 +0200
+++ policy/file_contexts/program/netutils.fc	2003-02-06 08:58:52.000000000 +0100
@@ -1,5 +1,5 @@
 # network utilities
-/sbin/ip			system_u:object_r:netutils_exec_t
+/(s)?bin/ip			system_u:object_r:netutils_exec_t
 /sbin/arping			system_u:object_r:netutils_exec_t
 /usr/sbin/tcpdump		system_u:object_r:netutils_exec_t
 /etc/network/ifstate		system_u:object_r:etc_runtime_t
diff -ru /tmp/policy/file_contexts/program/ping.fc policy/file_contexts/program/ping.fc
--- /tmp/policy/file_contexts/program/ping.fc	2002-05-03 14:26:41.000000000 +0200
+++ policy/file_contexts/program/ping.fc	2003-03-22 21:02:01.000000000 +0100
@@ -1,2 +1,2 @@
 # ping
-/bin/ping 			system_u:object_r:ping_exec_t
+/bin/ping.* 			system_u:object_r:ping_exec_t
diff -ru /tmp/policy/file_contexts/program/postfix.fc policy/file_contexts/program/postfix.fc
--- /tmp/policy/file_contexts/program/postfix.fc	2003-03-13 16:14:49.000000000 +0100
+++ policy/file_contexts/program/postfix.fc	2003-02-15 19:44:20.000000000 +0100
@@ -12,6 +12,7 @@
 /usr/lib/postfix/smtp		system_u:object_r:postfix_smtp_exec_t
 /usr/lib/postfix/smtpd		system_u:object_r:postfix_smtpd_exec_t
 /usr/lib/postfix/bounce		system_u:object_r:postfix_bounce_exec_t
+/usr/lib/postfix/pipe		system_u:object_r:postfix_pipe_exec_t
 /usr/sbin/postalias		system_u:object_r:postfix_master_exec_t
 /usr/sbin/postcat		system_u:object_r:postfix_master_exec_t
 /usr/sbin/postconf		system_u:object_r:postfix_master_exec_t
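Review bot: labelling /usr/lib/postfix/pipe as postfix_pipe_exec_t only works if postfix.te declares that type and a domain for it; the .fc change stands alone in this "trivial" patch, so confirm the type exists in the tree being patched, otherwise setfiles will report an invalid context for this entry.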
diff -ru /tmp/policy/file_contexts/program/traceroute.fc policy/file_contexts/program/traceroute.fc
--- /tmp/policy/file_contexts/program/traceroute.fc	2003-03-13 16:14:51.000000000 +0100
+++ policy/file_contexts/program/traceroute.fc	2003-03-05 15:20:15.000000000 +0100
@@ -1,3 +1,3 @@
 # traceroute
-/usr/bin/traceroute.*		system_u:object_r:traceroute_exec_t
-/usr/sbin/traceroute		system_u:object_r:traceroute_exec_t
+/usr/(s)?bin/traceroute.*	system_u:object_r:traceroute_exec_t
+/usr/bin/lft			system_u:object_r:traceroute_exec_t
diff -ru /tmp/policy/file_contexts/types.fc policy/file_contexts/types.fc
--- /tmp/policy/file_contexts/types.fc	2003-03-16 12:33:43.000000000 +0100
+++ policy/file_contexts/types.fc	2003-03-22 21:28:34.000000000 +0100
@@ -216,6 +220,7 @@
 /usr/lib/lib.*\.so.*		system_u:object_r:shlib_t
 /usr/lib/python.*\.so		system_u:object_r:shlib_t
 /usr/lib/.*/lib[^/]*\.so.*	system_u:object_r:shlib_t
+/usr/lib/.*/.*\.so		system_u:object_r:shlib_t
 /usr/lib/autofs/.*\.so		system_u:object_r:shlib_t
 /usr/lib/perl5/man(/.*)?	system_u:object_r:man_t
 /usr/lib/perl.*\.so		system_u:object_r:shlib_t
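Review bot: /usr/lib/.*/.*\.so labels every .so in any subdirectory of /usr/lib as shlib_t, including plugin modules loaded by specific daemons; since the last matching entry wins, any more specific entry for such a module must come after this line, so it is worth a comment saying the pattern is intentionally broad.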
diff -ru /tmp/policy/fs_use policy/fs_use
--- /tmp/policy/fs_use	2002-07-03 22:26:19.000000000 +0200
+++ policy/fs_use	2003-03-01 18:54:03.000000000 +0100
@@ -9,6 +9,7 @@
 fs_use_psid ext2;
 fs_use_psid ext3;
 fs_use_psid reiserfs;
+fs_use_psid jfs;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
diff -ru /tmp/policy/macros/admin_macros.te policy/macros/admin_macros.te
--- /tmp/policy/macros/admin_macros.te	2003-02-12 13:36:15.000000000 +0100
+++ policy/macros/admin_macros.te	2003-03-07 10:15:59.000000000 +0100
@@ -54,7 +54,7 @@
 allow $1_t domain:notdevfile_class_set r_file_perms;
 
 # Send signals to all processes.
-allow $1_t domain:process signal_perms;
+allow $1_t { domain unlabeled_t }:process signal_perms;
 
 # Access all user terminals.
 allow $1_t tty_device_t:chr_file rw_file_perms;
diff -ru /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2003-03-22 21:52:43.000000000 +0100
+++ policy/macros/global_macros.te	2003-03-22 22:38:33.000000000 +0100
@@ -109,7 +109,7 @@
 # 
 # Permissions for reading and adding names to directories.
 #
-define(`ra_dir_perms', `{ read getattr lock search add_name write }')
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
 
 
 #
@@ -183,6 +183,11 @@
 allow $1 $2:{ file lnk_file } rw_file_perms;
 ')
 
+define(`ra_dir_file', `
+allow $1 $2:dir ra_dir_perms;
+allow $1 $2:{ file lnk_file } ra_file_perms;
+')
+
 define(`rw_dir_create_file', `
 allow $1 $2:dir rw_dir_perms;
 allow $1 $2:{ file lnk_file } create_file_perms;
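Review bot: ra_dir_file uses ra_file_perms, which is not defined in this hunk; make sure a matching ra_file_perms (read plus append, no write) exists next to the ra_dir_perms definition above, otherwise m4 leaves the name unexpanded and checkpolicy rejects the rule.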
@@ -287,6 +292,16 @@
 
 #################################
 #
+# can_ptrace(domain, domain)
+#
+# Permissions for running ptrace (strace or gdb) on another domain
+#
+define(`can_ptrace',`
+allow $1 $2:process ptrace;
+')
+
+#################################
+#
 # can_exec(domain, type)
 #
 # Permissions for executing programs with
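Review bot: the comment for can_ptrace should warn what it grants: process ptrace on another domain lets $1 read and rewrite $2's memory and registers, which amounts to taking over $2 together with everything it holds (keys, passwords, open descriptors). The macro belongs only in administrative or debugging domains and must never be used where $2 is more privileged than $1.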
@@ -987,12 +1007,11 @@
 
 allow $2_t device_t:dir { getattr search };
 allow $2_t null_device_t:chr_file rw_file_perms;
-allow $2_t console_device_t:chr_file rw_file_perms;
 ')
 
 
 define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, tmpfile;
+type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
 file_type_auto_trans($1_t, tmp_t, $1_tmp_t)
 ')
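Review bot: tmp_domain now takes an optional attribute list as `tmpfile $2', so callers must pass it with a leading comma, the same `, attr' convention daemon_domain uses in crond.te above; document that in the macro's comment. Existing tmp_domain(x) callers still expand correctly since an empty $2 leaves `tmpfile'. The removal of the console_device_t rw rule in the preceding macro is unexplained; say which domains lose console access and why that is safe.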
 
@@ -1006,6 +1025,11 @@
 file_type_auto_trans($1_t, var_log_t, $1_log_t)
 ')
 
+define(`lock_domain', `
+type $1_lock_t, file_type, sysadmfile, lockfile;
+file_type_auto_trans($1_t, var_lock_t, $1_lock_t)
+')
+
 #######################
 # application_domain(domain_prefix)
 #
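Review bot: lock_domain relies on a lockfile attribute and a var_lock_t type, neither of which is declared in this patch; confirm both exist in attrib.te and the types files, and give the macro a header comment in the style of the other *_domain macros describing what $1_lock_t is for.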
diff -ru /tmp/policy/macros/program/gpg_macros.te policy/macros/program/gpg_macros.te
--- /tmp/policy/macros/program/gpg_macros.te	2003-01-20 01:04:03.000000000 +0100
+++ policy/macros/program/gpg_macros.te	2003-03-05 21:03:46.000000000 +0100
@@ -65,9 +65,11 @@
 # so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
 # secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
 # a file and write output to your home directory it will use user_home_t.
-file_type_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t)
-type_transition $1_gpg_t $1_home_dir_t:dir $1_gpg_secret_t;
-rw_dir_create_file($1_gpg_t, $1_home_t)
+file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
+
+file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
+create_dir_file($1_gpg_t, $1_home_t)
 
 # allow the usual access to /tmp
 file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
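Review bot: create_dir_file($1_gpg_t, $1_home_t) replaces rw_dir_create_file and so also lets gpg create and remove directories anywhere in the user's home, which the comment above does not call for (it only describes writing an output file); if gpg only needs to write files, keep rw_dir_create_file on $1_home_t. The class-specific file_type_auto_trans with `dir' also depends on the global_macros change that teaches the macro to emit create_dir_perms for dir; without it the transition grants create_file_perms on a directory.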
diff -ru /tmp/policy/macros/program/su_macros.te policy/macros/program/su_macros.te
--- /tmp/policy/macros/program/su_macros.te	2003-03-13 16:14:56.000000000 +0100
+++ policy/macros/program/su_macros.te	2003-03-10 19:19:31.000000000 +0100
@@ -43,8 +43,10 @@
 
 define(`su_domain', `
 su_mini_domain($1)
+ifdef(`chkpwd.te', `
 # Run chkpwd.
 can_exec($1_su_t, chkpwd_exec_t)
+')
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `
diff -ru /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2003-03-22 21:52:43.000000000 +0100
+++ policy/macros/user_macros.te	2003-03-22 22:43:57.000000000 +0100
@@ -200,6 +207,9 @@
 # do not audit getattr on tmpfile, otherwise ls -l /tmp fills the logs
 dontaudit $1_t tmpfile:dir_file_class_set getattr;
 
+# do not audit getattr on disk devices, otherwise KDE fills the logs
+dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file getattr;
+
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)

^ permalink raw reply	[flat|nested] 47+ messages in thread
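Several of the file_contexts hunks in the "trivial" patch above (crond.fc, dpkg.fc, modutil.fc) turn on whether a dot in a pattern is escaped. The following Python is an added example, not code from the policy tree or from this thread: it parses file_contexts lines the way classic setfiles does (each regex anchored at both ends, the last matching entry wins), labels a path against constructed sample entries modelled on the crond.fc hunk before and after the fix, and lints patterns for bare dots that were meant literally. The sample entries and the helper names are mine.

```python
import re

# Constructed sample, modelled on the crond.fc hunk in this thread: FC_BEFORE has
# the unescaped '.' in /etc/cron.d, FC_AFTER the escaped form from the patch.
FC_BEFORE = """\
# crond
/etc/crontab\t\tsystem_u:object_r:system_crond_script_t
/etc/cron.d(/.*)?\t\tsystem_u:object_r:system_crond_script_t
/usr/sbin/cron(d)?\t\tsystem_u:object_r:crond_exec_t
"""
FC_AFTER = FC_BEFORE.replace("/etc/cron.d", "/etc/cron\\.d")


def parse_file_contexts(text):
    """Parse 'regex [-type] context' lines into (compiled_regex, pattern, context).

    Comments and blank lines are skipped.  Each regex is anchored at both ends,
    as setfiles anchors it, so '/bin/ping' does not match '/bin/ping6'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        pattern, context = fields[0], fields[-1]   # optional -type field ignored
        entries.append((re.compile("^" + pattern + "$"), pattern, context))
    return entries


def label_for(text, path):
    """Return the context setfiles would assign to path, or None.

    Entries are checked in reverse order: the last matching specification
    wins, which is why specific entries are listed after general ones.
    """
    for regex, _pattern, context in reversed(parse_file_contexts(text)):
        if regex.match(path):
            return context
    return None


# A '.' that is neither preceded by a backslash nor followed by a quantifier
# (so not part of '.*', '.+' or '.?') was almost certainly meant literally.
_UNESCAPED_DOT = re.compile(r"(?<!\\)\.(?![*+?])")


def unescaped_dots(pattern):
    """Offsets of suspicious bare dots in one file_contexts regex."""
    return [m.start() for m in _UNESCAPED_DOT.finditer(pattern)]


def lint_file_contexts(text):
    """Return (pattern, offsets) for every entry that has a suspicious bare dot."""
    return [(p, unescaped_dots(p))
            for _r, p, _c in parse_file_contexts(text) if unescaped_dots(p)]


if __name__ == "__main__":
    for fc in (FC_BEFORE, FC_AFTER):
        print(label_for(fc, "/etc/cronXd/foo"), lint_file_contexts(fc))
```

With the unescaped pattern, a path such as /etc/cronXd/foo receives system_crond_script_t, the type whose files crond executes; with the escaped pattern it gets no label. The same lint flags the `1.2` in the dpkg.fc gimp entry and the `(.old)?` in modutil.fc.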

* policy patches
@ 2003-03-22 22:53 Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2003-03-22 22:53 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 773 bytes --]

I've attached a patch to use readable_t for the timezone files.  It's a bit of 
an experimental patch, perhaps we should have a timezone_t instead.

I've attached a patch to make some file_type_auto_trans rules specific to the 
classes that they need to create.  This removes some access that isn't 
needed.  I think that this should be included in the CVS.

The file "general" contains a patch for the global macros, and a patch for the 
X server policy to tighten it down a lot.  This is also good for the CVS 
IMHO.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: readable --]
[-- Type: text/x-diff, Size: 1285 bytes --]

diff -ru /tmp/policy/domains/program/init.te policy/domains/program/init.te
--- /tmp/policy/domains/program/init.te	2003-03-22 21:52:23.000000000 +0100
+++ policy/domains/program/init.te	2003-03-22 22:07:25.000000000 +0100
@@ -119,3 +119,8 @@
 
 # for initrd pivot_root seems to access this
 dontaudit init_t file_labels_t:dir { search };
+
+# Read directories and files with the readable_t type.
+# This type is a general type for "world"-readable files.
+allow domain readable_t:dir r_dir_perms;
+allow domain readable_t:notdevfile_class_set r_file_perms;
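Review bot: a rule for every domain (allow domain readable_t ...) does not belong in init.te, which is the init_t domain file; put it with the other domain-wide rules and declare readable_t there, and add a sentence on what may carry the label, since the rule gives every domain, network-facing daemons included, read access to anything so labelled.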
diff -ru /tmp/policy/file_contexts/types.fc policy/file_contexts/types.fc
--- /tmp/policy/file_contexts/types.fc	2003-03-16 12:33:43.000000000 +0100
+++ policy/file_contexts/types.fc	2003-03-22 21:28:34.000000000 +0100
@@ -170,6 +171,7 @@
 /etc/security/selinux/src(/.*)?	system_u:object_r:policy_src_t
 /etc/security/default_context.*	system_u:object_r:default_context_t
 /etc/services			system_u:object_r:etc_t
+/etc/localtime			system_u:object_r:readable_t
 
 #
 # /lib
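Review bot: /etc/localtime is commonly a symlink into /usr/share/zoneinfo, which works here because notdevfile_class_set includes lnk_file; but moving it off etc_t means whatever writes or replaces it when the timezone is set (initrc or the package tools) now needs write or relabel access to readable_t, which this patch does not grant.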
@@ -197,6 +200,7 @@
 # /usr
 #
 /usr(/.*)?			system_u:object_r:usr_t
+/usr/share/zoneinfo(/.*)?	system_u:object_r:readable_t
 /usr/etc(/.*)?			system_u:object_r:etc_t
 /usr/libexec(/.*)?		system_u:object_r:lib_t
 /usr/src(/.*)?			system_u:object_r:src_t

[-- Attachment #3: file_type --]
[-- Type: text/x-diff, Size: 2961 bytes --]

diff -ru /tmp/policy/domains/program/fsadm.te policy/domains/program/fsadm.te
--- /tmp/policy/domains/program/fsadm.te	2003-02-12 13:36:05.000000000 +0100
+++ policy/domains/program/fsadm.te	2003-03-18 11:57:43.000000000 +0100
@@ -26,11 +26,11 @@
 # remount file system to apply changes
 allow fsadm_t fs_t:filesystem remount;
 
-# Use capabilities.
-allow fsadm_t fsadm_t:capability { sys_admin sys_rawio };
+# Use capabilities.  ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin };
 
 # Write to /etc/mtab.
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t)
+file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
 
 # Inherit and use descriptors from init.
 allow fsadm_t init_t:fd use;
diff -ru /tmp/policy/domains/program/init.te policy/domains/program/init.te
--- /tmp/policy/domains/program/init.te	2003-03-22 21:52:23.000000000 +0100
+++ policy/domains/program/init.te	2003-03-22 22:07:25.000000000 +0100
@@ -43,10 +43,10 @@
 ')
 
 # Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t)
+file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
 
 # Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t)
+file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
 
 # Update /etc/ld.so.cache
 allow init_t ld_so_cache_t:file rw_file_perms;
diff -ru /tmp/policy/domains/program/initrc.te policy/domains/program/initrc.te
--- /tmp/policy/domains/program/initrc.te	2003-03-22 21:52:23.000000000 +0100
+++ policy/domains/program/initrc.te	2003-03-22 22:12:15.000000000 +0100
@@ -102,7 +102,7 @@
 allow initrc_t file_t:dir { read search getattr mounton };
 
 # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t)
+file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
 
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
diff -ru /tmp/policy/domains/program/mount.te policy/domains/program/mount.te
--- /tmp/policy/domains/program/mount.te	2003-01-20 01:04:01.000000000 +0100
+++ policy/domains/program/mount.te	2003-03-18 11:57:37.000000000 +0100
@@ -20,7 +20,7 @@
 allow mount_t self:capability { ipc_lock dac_override };
 
 # Create and modify /etc/mtab.
-file_type_auto_trans(mount_t, etc_t, etc_runtime_t)
+file_type_auto_trans(mount_t, etc_t, etc_runtime_t, file)
 
 allow mount_t file_type:dir search;
 
diff -ru /tmp/policy/macros/program/mount_macros.te policy/macros/program/mount_macros.te
--- /tmp/policy/macros/program/mount_macros.te	2002-09-21 05:01:30.000000000 +0200
+++ policy/macros/program/mount_macros.te	2003-03-18 11:58:42.000000000 +0100
@@ -33,7 +33,7 @@
 allow $2_t self:capability { net_bind_service sys_rawio sys_admin };
 
 # Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t)
+file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
 
 # Access the terminal.
 allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };

[-- Attachment #4: general --]
[-- Type: text/x-diff, Size: 2095 bytes --]

diff -ru /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2003-03-22 21:52:43.000000000 +0100
+++ policy/macros/global_macros.te	2003-03-22 22:38:33.000000000 +0100
@@ -605,6 +620,11 @@
 allow $1 self:msgq rw_msgq_perms;
 allow $1 self:shm  rw_shm_perms;
 
+# Use descriptors created by login, sshd, or newrole.
+allow $1 privfd:fd use;
+
+# Use descriptors created by mount (e.g. NFS).
+allow $1 mount_t:fd use;
 ')
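Review bot: the new mount_t:fd use is granted to every domain expanded by this macro and is not under ifdef(`mount.te'), so a policy built without mount.te no longer compiles; it is also broader than the existing privfd pattern, which keeps the set of descriptor-sharing domains in one attribute. Adding mount_t to privfd is simpler than a second rule here.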
 
 #
diff -ru /tmp/policy/macros/program/xserver_macros.te policy/macros/program/xserver_macros.te
--- /tmp/policy/macros/program/xserver_macros.te	2003-03-17 23:08:46.000000000 +0100
+++ policy/macros/program/xserver_macros.te	2003-03-07 17:53:53.000000000 +0100
@@ -48,10 +48,24 @@
 
 allow $1_xserver_t proc_t:dir search;
 
-# Use capabilities.  Access /dev/mem.  
-allow $1_xserver_t self:capability { setuid setgid sys_rawio sys_nice };
+# Use capabilities.
+# allow setuid/setgid for the wrapper program to change UID
+# sys_rawio is for iopl access - should not be needed for frame-buffer
+# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
+# admin of APM bios?
+# sys_nice is so that the X server can set a negative nice value
+allow $1_xserver_t self:capability { setuid setgid sys_rawio sys_admin sys_nice };
 dontaudit $1_xserver_t self:capability { dac_override dac_read_search };
+
+# memory_device_t access is needed if not using the frame buffer
+dontaudit $1_xserver_t memory_device_t:chr_file read;
 #allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
+# net_bind_service is needed if you want your X server to allow TCP connections
+# from other hosts, EG an XDM serving a network of X terms
+# if you want good security you do not want this
+# not sure why some people want chown, fsetid, and sys_tty_config.
+#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
+dontaudit $1_xserver_t self:capability chown;
 
 allow $1_xserver_t mtrr_device_t:file rw_file_perms;
 allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
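Review bot: sys_admin is added to the X server's capability set on the strength of a comment made of question marks; sys_admin is the broadest capability there is (mounting, many privileged ioctls, quotas) and this is meant to be a tightening patch, so identify the actual denial (for instance which ioctl on mtrr_device_t or apm_bios_t) and either grant something narrower or record the concrete reason before granting it. The memory_device_t read dontaudit also means a non-framebuffer server now fails silently, which the comment should spell out.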

^ permalink raw reply	[flat|nested] 47+ messages in thread

* Re: policy patches
  2003-03-22 22:14 Russell Coker
@ 2003-03-24 17:13 ` Wayne Salamon
  0 siblings, 0 replies; 47+ messages in thread
From: Wayne Salamon @ 2003-03-24 17:13 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Sat, 22 Mar 2003, Russell Coker wrote:

> I've attached a patch for the passwd_t policy as previously described.
>

  Thanks for the patch. One comment:

+++ policy/domains/program/initrc.te    2003-03-22 22:12:15.000000000
+0100
@@ -173,10 +173,12 @@
 allow initrc_t ttyfile:chr_file relabelfrom;
 allow initrc_t tty_device_t:chr_file relabelto;

+ifdef(`rpm.te', `
 # Create and read /boot/kernel.h.
 # RedHat systems typically create this file at boot time.
 allow initrc_t boot_t:lnk_file r_file_perms;
 file_type_auto_trans(initrc_t, boot_t, boot_runtime_t)
+')

 # Delete and re-create /boot/System.map.
 allow initrc_t boot_t:dir { read getattr write remove_name add_name };
diff -ru /tmp/policy/domains/program/modutil.te
policy/domains/program/modutil.te


We can't use the presence of rpm.te to denote a RedHat system, and this
approach won't work for the core policy.

-- 
Wayne Salamon
wsalamon@tislabs.com



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 47+ messages in thread

* RE: policy patches
@ 2003-03-26 17:47 Kelly_Djahandari
  0 siblings, 0 replies; 47+ messages in thread
From: Kelly_Djahandari @ 2003-03-26 17:47 UTC (permalink / raw)
  To: russell, selinux

Russell's policy patches have been applied and the modified files are available on sourceforge. Thanks Russell.

Kelly Djahandari
Network Associates Laboratories

> -----Original Message-----
> From: Russell Coker [mailto:russell@coker.com.au]
> Sent: Saturday, March 22, 2003 5:14 PM
> To: SE Linux
> Subject: policy patches
> 
> 
> I've attached a patch for the passwd_t policy as previously described.
> 
> I've also attached a patch containing some trivial changes, 
> none of which 
> should require much consideration before being included.
> 
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced 
> Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
> 



^ permalink raw reply	[flat|nested] 47+ messages in thread

* RE: policy patches
@ 2003-03-27 18:25 Kelly_Djahandari
  0 siblings, 0 replies; 47+ messages in thread
From: Kelly_Djahandari @ 2003-03-27 18:25 UTC (permalink / raw)
  To: russell, selinux

I've updated the policy files on sourceforge with the "file_type" patch and most of the "general" patch. We are still looking at the "readable" patch. Thanks Russell for the patches.

Kelly Djahandari
Network Associates Laboratories

> -----Original Message-----
> From: Russell Coker [mailto:russell@coker.com.au]
> Sent: Saturday, March 22, 2003 5:53 PM
> To: SE Linux
> Subject: policy patches
> 
> 
> I've attached a patch to use readable_t for the timezone 
> files.  It's a bit of 
> an experimental patch, perhaps we should have a timezone_t instead.
> 
> I've attached a patch to make some file_type_auto_trans rules 
> specific to the 
> classes that they need to create.  This removes some access 
> that isn't 
> needed.  I think that this should be included in the CVS.
> 
> The file "general" contains a patch for the global macros, 
> and a patch for the 
> X server policy to tighten it down a lot.  This is also good 
> for the CVS 
> IMHO.
> 
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced 
> Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
> 



^ permalink raw reply	[flat|nested] 47+ messages in thread

* policy patches
@ 2003-04-26  7:30 Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2003-04-26  7:30 UTC (permalink / raw)
  To: Howard Holm; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1286 bytes --]

makefile.diff is a Makefile patch for jfs and jffs2.  jffs2 is probably 
redundant, but does no harm (and it's good to demonstrate that a large number 
of file systems are supported).

global.diff is a patch to global_macros.te.  This contains some things that 
are relied on by later patches.  It allows can_exec_any() to read symlinks in 
/etc because in Debian /usr/bin has many symlinks to symlinks in /etc for the 
case where several packages can provide the same program.  Also it removes 
every_domain(), which will break some other policy.  I've got patches for all 
the other domains, I'll post them here shortly.

passwd.diff makes two separate domains for changing password, one for the user 
that's just for "spasswd", and the other for the administrator that allows 
everything that's needed for svipw etc.  Also it merges useradd.te and 
groupadd.te into the same file with macros and removes every_domain() from 
chkpwd_macros.te.

simple.diff contains a bunch of small changes that aren't particularly 
noteworthy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: makefile.diff --]
[-- Type: text/x-makefile, Size: 662 bytes --]

diff -ru /tmp/policy/Makefile ./Makefile
--- /tmp/policy/Makefile	2003-04-26 16:11:43.000000000 +1000
+++ ./Makefile	2003-03-28 12:39:33.000000000 +1100
@@ -103,10 +104,10 @@
 	cat domains/*.te domains/misc/*.te domains/program/*.te > $@
 
 relabel:  $(FC) $(SETFILES)
-	$(SETFILES) $(FC) `mount | awk '/(ext[23]|reiserfs)/{print $$3}'`
+	$(SETFILES) $(FC) `mount | awk '/(ext[23]|reiserfs|jfs|jffs2)/{print $$3}'`
 
 reset:  $(FC) $(SETFILES)
-	$(SETFILES) -R $(FC) `mount | awk '/(ext[23]|reiserfs)/{print $$3}'`
+	$(SETFILES) -R $(FC) `mount | awk '/(ext[23]|reiserfs|jfs|jffs2)/{print $$3}'`
 
 $(FC): $(FCFILES) file_contexts/program 
 	cat $(FCFILES) > $@
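Review bot: the awk pattern in both the relabel and reset recipes matches anywhere on the mount line, so a device or mount point whose name happens to contain "jfs" or "ext2" on an unsupported filesystem would be handed to setfiles; matching on the type field of mount's output (usually $$5, i.e. `$$5 ~ /^(ext[23]|reiserfs|jfs|jffs2)$$/`) would be tighter. The hunk header is also offset by one line (-103 vs +104), so this was generated against a tree that carries another Makefile change not included here.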

[-- Attachment #3: global.diff --]
[-- Type: text/x-diff, Size: 6415 bytes --]

diff -ru /tmp/policy/macros/global_macros.te ./macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2003-04-26 16:11:45.000000000 +1000
+++ ./macros/global_macros.te	2003-04-25 13:28:16.000000000 +1000
@@ -319,7 +321,7 @@
 #
 define(`can_exec_any',`
 allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
-allow $1 { bin_t sbin_t }:lnk_file read;
+allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
 uses_shlib($1)
 can_exec($1, etc_t)
 can_exec($1, lib_t)
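Review bot: the added `etc_t:lnk_file { getattr read }` applies to every caller of can_exec_any, and etc_t covers all of /etc, not only /etc/alternatives; since the stated purpose is following /usr/bin symlinks into /etc/alternatives, a dedicated type for that directory would confine the grant to the symlinks that actually need it. A one-line comment in the macro naming the Debian alternatives case would also help the next reader understand why etc_t appears in an exec macro.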
@@ -350,8 +352,12 @@
 allow $1 $3:notdevfile_class_set create_file_perms;
 allow $1 $3:dir create_dir_perms;
 ', `
+ifelse(`$4', `dir', `
+allow $1 $3:$4 create_dir_perms;
+', `
 allow $1 $3:$4 create_file_perms;
-')
+')dnl end if dir
+')dnl end if param 4 specified
 
 ')
 
@@ -525,30 +531,41 @@
 
 ##################################
 #
+# base_pty_perms(domain_prefix)
+#
+# Base permissions used for can_create_pty() and can_create_other_pty()
+#
+define(`base_pty_perms', `
+# Access the pty master multiplexer.
+allow $1_t ptmx_t:chr_file rw_file_perms;
+
+ifdef(`devfsd.te', `
+allow $1_t device_t:filesystem getattr;
+')
+allow $1_t devpts_t:filesystem getattr;
+
+# allow searching /dev/pts
+allow $1_t devpts_t:dir { getattr search };
+')
+
+##################################
+#
 # can_create_pty(domain_prefix, attributes)
 #
 # Permissions for creating ptys.
 #
 define(`can_create_pty',`
-
+base_pty_perms($1)
 type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
 
 # Allow the pty to be associated with the file system.
 allow $1_devpts_t devpts_t:filesystem associate;
 
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
 # Label pty files with a derived type.
 type_transition $1_t devpts_t:chr_file $1_devpts_t;
 
 # Read and write my pty files.
 allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
-
-ifdef(`devfsd.te', `
-allow $1_t device_t:filesystem getattr;
-')
-
 ')
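Review bot: base_pty_perms is not a pure refactor: the `devpts_t:filesystem getattr` and `devpts_t:dir { getattr search }` rules are new for both can_create_pty and can_create_other_pty (the old bodies only had the ptmx_t and devfsd getattr rules), so the macro comment should say these were added and the cover note for global.diff should mention the extra grant rather than presenting it as consolidation only.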
 
 
@@ -559,20 +576,12 @@
 # Permissions for creating ptys for another domain.
 #
 define(`can_create_other_pty',`
-
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
+base_pty_perms($1)
 # Label pty files with a derived type.
 type_transition $1_t devpts_t:chr_file $2_devpts_t;
 
 # Read and write pty files.
 allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
-
-ifdef(`devfsd.te', `
-allow $1_t device_t:filesystem getattr;
-')
-
 ')
 
 
@@ -590,7 +599,9 @@
 # Grant permissions within the domain.
 # This includes permissions to processes, /proc/PID files,
 # file descriptors, pipes, Unix sockets, and System V IPC objects
-# labeled with the domain.
+# labeled with the domain.  It also includes permissions to
+# send SIGCHLD to init and to use descriptors created by certain
+# domains.
 #
 define(`general_domain_access',`
 # Access other processes in the same domain.
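Review bot: the updated comment says general_domain_access now includes permission to send SIGCHLD to init, but no such rule is added in this patch (the following hunk adds only the privfd and mount_t fd use rules); either the rule already exists elsewhere in the macro and the comment is fine, or the comment overstates what is granted. Please check so the macro documentation matches its rules.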
@@ -617,6 +628,11 @@
 allow $1 self:msgq rw_msgq_perms;
 allow $1 self:shm  rw_shm_perms;
 
+# Use descriptors created by login, sshd, or newrole.
+allow $1 privfd:fd use;
+
+# Use descriptors created by mount (e.g. NFS).
+allow $1 mount_t:fd use;
 ')
 
 #
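Review bot: these two rules go into general_domain_access, which every domain calls, so `privfd:fd use` and `mount_t:fd use` become global grants rather than per-domain decisions; passwd.te, crontab_macros.te and run_program_macros.te in this same patch set still carry their own `privfd:fd use` lines, which become redundant. If the global grant is intended, drop the per-domain lines and explain the mount_t case in the comment (which mount-spawned helpers inherit its descriptors); otherwise keep the rules in the domains that need them.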
@@ -815,27 +829,10 @@
 allow $1 usbdevfs_t:dir r_dir_perms;
 allow $1 usbdevfs_t:{ file lnk_file } r_file_perms;
 allow $1 usbdevfs_device_t:file getattr;
-')
 
-#
-# general_file_write_access(domain)
-#
-# Grant write permissions to a small set of system file types, e.g. 
-# /dev/tty, /dev/null, etc.
-#
-# For shared directories like /tmp, each domain should have its own derived
-# type (with a file_type_auto_trans rule) for files created in the shared
-# directory.
-#
-define(`general_file_write_access',`
-errprint(`m4: '__file__:__line__: `Warning:  general_file_write_access is deprecated.
-')
-# Read and write /dev/tty and /dev/null.
-allow $1 devtty_t:chr_file rw_file_perms;
-allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1 ld_so_cache_t:file write;
+# Read PID files in /var/run.  pidfile is a type attribute for 
+# all types used for such files.
+allow $1 pidfile:file r_file_perms;
 ')
 
 #
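Review bot: besides deleting the deprecated general_file_write_access, this hunk moves the closing `')` so that `allow $1 pidfile:file r_file_perms;` lands inside the preceding macro (the one ending with the usbdevfs rules), giving every caller of that macro read access to all pidfile-typed files; that is a new grant hidden inside a removal and deserves its own mention in the description. Also, unlike every_domain below, no errprint stub is kept, so any .te file still calling general_file_write_access fails to build.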
@@ -875,33 +872,6 @@
 
 ')
 
-################################
-#
-# every_domain(domain)
-#
-# Grant permissions common to most domains.
-#
-# This macro replaces the rules formerly located in domains/every.te.
-# An every_domain macro has been inserted into each domain .te file
-# for each domain defined within that file.  If you want a new domain
-# to inherit these rules, then you can likewise use this macro in
-# your new domain .te file.  However, for least privilege purposes, you 
-# may want to consider using macros or individual rules that only include 
-# a subset of these permissions for your new domain.  This macro has already 
-# been partitioned into a few subsets, with corresponding macros defined 
-# above and used in defining this macro.  
-#
-define(`every_domain',`
-errprint(`m4: '__file__:__line__: `Warning:  every_domain is deprecated.
-')
-# Grant the permissions common to the test domains.
-every_test_domain($1)
-
-# Grant permissions needed to create TCP and UDP sockets and 
-# to access the network.
-can_network($1)
-')
-
 #######################
 # daemon_base_domain(domain_prefix, attribs)
 #
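Review bot: removing every_domain outright breaks every domain file that still calls it, as the cover note acknowledges; since the deprecated errprint stub already warns on use, leaving the stub in place until the follow-up domain patches land would keep the policy building across the transition. If the removal is meant to force the conversion, say so in the description.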
@@ -937,12 +907,16 @@
 allow $1_t initrc_devpts_t:chr_file rw_file_perms;
 ')dnl
 
+define(`var_run_domain', `
+type $1_var_run_t alias var_run_$1_t, file_type, sysadmfile, pidfile;
+file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
+')
+
 define(`daemon_domain', `
 daemon_base_domain($1, `$2')
 # Create pid file.
 allow $1_t var_t:dir { getattr search };
-type var_run_$1_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans($1_t, var_run_t, var_run_$1_t)
+var_run_domain($1)
 
 allow $1_t devtty_t:chr_file rw_file_perms;
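Review bot: two behaviour changes in var_run_domain beyond the rename: the `alias var_run_$1_t` keeps old references working (good), but the file_type_auto_trans now passes `file` as the fourth argument where the old daemon_domain call passed none; per the ifelse added earlier in this patch, that narrows the transition from notdevfile_class_set to plain files, so a daemon creating a socket or directory under /var/run now gets var_run_t instead of its derived type. Worth a comment in the macro, or pass the class only for daemons that need it.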
 
@@ -951,6 +925,8 @@
 
 # for df
 allow $1_t fs_type:filesystem getattr;
+
+r_dir_file($1_t, locale_t)
 ')dnl
 
 define(`uses_authbind',
@@ -984,8 +960,7 @@
 allow $2_t { self proc_t }:dir r_dir_perms;
 allow $2_t { self proc_t }:lnk_file read;
 
-allow $2_t device_t:dir { getattr search };
-allow $2_t null_device_t:chr_file rw_file_perms;
+allow $2_t device_t:dir getattr;
 ')
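Review bot: this drops `null_device_t:chr_file rw_file_perms` and `device_t:dir search` for $2_t with no replacement in the hunk, and the macro's name is outside the context shown; if $2_t redirects stdio to /dev/null this is a regression unless the access is now granted by another macro it calls. Please note where /dev/null access for $2_t now comes from, or keep the rule.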
 
 
@@ -995,8 +970,8 @@
 ')
 
 define(`var_lib_domain', `
-type var_lib_$1_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, var_lib_$1_t)
+type $1_var_lib_t, file_type, sysadmfile;
+file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t)
 ')
 
 define(`log_domain', `
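Review bot: var_lib_domain renames var_lib_$1_t to $1_var_lib_t without an alias, whereas var_run_domain above keeps `alias var_run_$1_t`; any file_contexts entry or rule that still references var_lib_$1_t breaks. Add `alias var_lib_$1_t` for the same compatibility.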

[-- Attachment #4: passwd.diff --]
[-- Type: text/x-diff, Size: 11105 bytes --]

diff -ru /tmp/policy/assert.te ./assert.te
--- /tmp/policy/assert.te	2003-03-29 08:38:54.000000000 +1100
+++ ./assert.te	2003-04-23 19:52:12.000000000 +1000
@@ -111,9 +111,11 @@
 # entrypoint type and can only execute the dynamic loader
 # and the ordinary passwd program without a transition to another domain.
 #
-ifdef(`passwd.te',
-`neverallow passwd_t ~{ admin_passwd_exec_t passwd_exec_t }:file entrypoint;
-neverallow passwd_t ~{ bin_t sbin_t shell_exec_t ld_so_t passwd_real_exec_t }:file execute_no_trans;')
+ifdef(`passwd.te', `
+neverallow passwd_t ~{ passwd_exec_t }:file entrypoint;
+neverallow sysadm_passwd_t ~{ admin_passwd_exec_t }:file entrypoint;
+neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t passwd_real_exec_t }:file execute_no_trans;
+')
 
 #
 # Verify that only the admin domains and initrc_t have avc_toggle.
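Review bot: the comment preceding these neverallows ("entrypoint type and can only execute ... the ordinary passwd program") still describes a single passwd_t domain; now that sysadm_passwd_t has its own entrypoint assertion, update the comment to name both domains. The split itself is an improvement, since a user-level passwd_t can no longer be entered via admin_passwd_exec_t.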
diff -ru /tmp/policy/domains/program/groupadd.te ./domains/program/groupadd.te
--- /tmp/policy/domains/program/groupadd.te	2003-04-08 06:25:34.000000000 +1000
+++ ./domains/program/groupadd.te	2003-04-22 19:42:08.000000000 +1000
@@ -1,60 +0,0 @@
-#DESC Groupadd - Manage system groups
-#
-# Authors:  David Caplan, dac@tresys.com
-#	    (Based on useradd.te by Chris Vance <cvance@tislabs.com>)
-#
-
-#################################
-#
-# Rules for the groupadd_t domain.
-#
-# groupadd_t is the domain of the groupadd/mod/del programs when
-# executed through the sgroupadd/mod/del wrapper.
-type groupadd_t, domain, privlog, auth, privowner;
-role sysadm_r types groupadd_t;
-
-general_domain_access(groupadd_t)
-uses_shlib(groupadd_t)
-
-type groupadd_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t )
-
-# Use capabilities.
-# need more if users can run gpasswd
-allow groupadd_t groupadd_t:capability { dac_override };
-
-# Allow access to context for shadow file
-allow groupadd_t security_t:security { context_to_sid };
-
-# Inherit and use descriptors from login.
-allow groupadd_t privfd:fd use;
-
-# Execute /usr/sbin/{groupadd,groupdel,groupmod}, /usr/bin/gpasswd.
-allow groupadd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(groupadd_t, { sbin_t bin_t })
-
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans(groupadd_t, etc_t, shadow_t)
-allow groupadd_t etc_t:file create_file_perms;
-
-allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-# some apps ask for these accesses, but seems to work regardless
-dontaudit groupadd_t initrc_var_run_t:file { write };
-dontaudit groupadd_t { var_run_t device_t var_t }:dir { search };
-
-# Access terminals.
-allow groupadd_t ttyfile:chr_file rw_file_perms;
-allow groupadd_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
-
-
-
-
-
-
-
-
-
-
-
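Review bot: groupadd.te is removed and the cover note says groupadd_t is now produced by macros in useradd.te, but useradd.te itself is not in this patch; the file_contexts added to useradd.fc below still reference groupadd_exec_t, so without the useradd.te change the policy will not build. Please include the useradd.te diff in the same patch so the set applies atomically.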
diff -ru /tmp/policy/domains/program/passwd.te ./domains/program/passwd.te
--- /tmp/policy/domains/program/passwd.te	2003-03-27 23:57:57.000000000 +1100
+++ ./domains/program/passwd.te	2003-04-23 19:50:59.000000000 +1000
@@ -13,68 +13,85 @@
 # This domain and type is also used for wrappers for
 # chfn and chsh.
 #
-type passwd_t, domain, privlog, auth, privowner;
-in_user_role(passwd_t)
-role sysadm_r types passwd_t;
-
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type passwd_real_exec_t, file_type, sysadmfile;
-type admin_passwd_exec_t, file_type, sysadmfile;
-
-general_domain_access(passwd_t);
-
-uses_shlib(passwd_t);
-
-domain_auto_trans(userdomain, passwd_exec_t, passwd_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, passwd_t)
+define(`passwd_domain', `
+type $1_t, domain, privlog, auth, privowner;
 
-# for vipw - vi looks in the root home directory for config
-dontaudit passwd_t sysadm_home_dir_t:dir { getattr search };
-
-# Use capabilities.
-allow passwd_t passwd_t:capability { chown dac_override fsetid setuid sys_resource };
+general_domain_access($1_t);
+uses_shlib($1_t);
 
 # Inherit and use descriptors from login.
-allow passwd_t privfd:fd use;
+allow $1_t privfd:fd use;
+ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-allow passwd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(passwd_t, { bin_t sbin_t shell_exec_t passwd_real_exec_t })
+allow $1_t { bin_t sbin_t }:dir r_dir_perms;
+can_exec($1_t, { bin_t sbin_t shell_exec_t passwd_real_exec_t })
+allow $1_t bin_t:lnk_file read;
+r_dir_file($1_t, locale_t)
+
+allow $1_t fs_t:filesystem getattr;
 
 # allow checking if a shell is executable
-allow passwd_t shell_exec_t:file execute;
+allow $1_t shell_exec_t:file execute;
 
 # Obtain contexts
-allow passwd_t security_t:security { sid_to_context context_to_sid };
+allow $1_t security_t:security { sid_to_context context_to_sid };
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(passwd_t, etc_t, shadow_t)
-allow passwd_t etc_t:file create_file_perms;
-allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
+file_type_auto_trans($1_t, etc_t, shadow_t)
+allow $1_t etc_t:file create_file_perms;
+allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
-# allow vipw to create temporary files under /var/tmp/vi.recover
-tmp_domain(passwd)
+# Use capabilities.
+allow $1_t self:capability { chown dac_override fsetid setuid sys_resource };
 
 # Access terminals.
-allow passwd_t ttyfile:chr_file rw_file_perms;
-allow passwd_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
+allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
+allow $1_t devtty_t:chr_file rw_file_perms;
 
-# for vipw - vi looks in the root home directory for config
-dontaudit passwd_t sysadm_home_dir_t:dir { getattr search };
+dontaudit $1_t devpts_t:dir getattr;
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
-dontaudit passwd_t initrc_var_run_t:file { read write };
+dontaudit $1_t initrc_var_run_t:file { read write };
 
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
+dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
 
 # When the wrong current passwd is entered, passwd, for some reason, 
-# attempts to access /proc and /dev, but fails appropriately. So don't
+# attempts to access /proc and /dev, but fails appropriately. So dont
 # audit those denials.
-# Access denials to /var aren't audited either.
-dontaudit passwd_t { proc_t device_t var_t }:dir { search read };
+dontaudit $1_t { proc_t device_t }:dir { search read };
+
+allow $1_t device_t:dir getattr;
+')
+
+passwd_domain(passwd)
+passwd_domain(sysadm_passwd)
+
+in_user_role(passwd_t)
+role sysadm_r types sysadm_passwd_t;
+
+type admin_passwd_exec_t, file_type, sysadmfile, exec_type;
+type passwd_exec_t, file_type, sysadmfile, exec_type;
+type passwd_real_exec_t, file_type, sysadmfile;
+
+domain_auto_trans(userdomain, passwd_exec_t, passwd_t)
+domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
+
+# for vipw - vi looks in the root home directory for config
+dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
+
+dontaudit passwd_t var_t:dir search;
+
+# allow vipw to create temporary files under /var/tmp/vi.recover
+allow sysadm_passwd_t var_t:dir search;
+tmp_domain(sysadm_passwd)
+
+# for vipw - vi looks in the root home directory for config
+dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
+
+# for /etc/alternatives/vi
+allow sysadm_passwd_t etc_t:lnk_file read;
 
-allow passwd_t device_t:dir getattr;
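Review bot: the `dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };` rule and its "for vipw" comment appear twice in the new tail of the file (once after the domain_auto_trans lines and again after tmp_domain); drop one. The comment edit from "don't" to "dont" also looks accidental. Note that both passwd_t and sysadm_passwd_t still get file_type_auto_trans to shadow_t and relabel rights on etc_t/shadow_t via the macro, so the user-level domain retains full shadow write; that is inherent to passwd, but stating it in the macro comment makes the trust boundary explicit.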
diff -ru /tmp/policy/file_contexts/program/groupadd.fc ./file_contexts/program/groupadd.fc
--- /tmp/policy/file_contexts/program/groupadd.fc	2003-04-08 06:25:35.000000000 +1000
+++ ./file_contexts/program/groupadd.fc	2003-04-22 19:42:25.000000000 +1000
@@ -1,10 +0,0 @@
-# groupadd
-/usr/local/selinux/bin/sgroupadd	system_u:object_r:groupadd_exec_t
-/usr/local/selinux/bin/sgroupdel	system_u:object_r:groupadd_exec_t
-/usr/local/selinux/bin/sgroupmod	system_u:object_r:groupadd_exec_t
-/usr/local/selinux/bin/sgpasswd		system_u:object_r:groupadd_exec_t
-/usr/bin/sgroupmod		system_u:object_r:groupadd_exec_t
-/usr/bin/sgroupadd               system_u:object_r:groupadd_exec_t
-/usr/bin/sgroupdel               system_u:object_r:groupadd_exec_t
-/usr/bin/sgpasswd               system_u:object_r:groupadd_exec_t
-
diff -ru /tmp/policy/file_contexts/program/passwd.fc ./file_contexts/program/passwd.fc
--- /tmp/policy/file_contexts/program/passwd.fc	2003-03-27 23:58:03.000000000 +1100
+++ ./file_contexts/program/passwd.fc	2003-04-02 18:08:36.000000000 +1000
@@ -3,10 +3,12 @@
 /usr/local/selinux/bin/schsh	system_u:object_r:passwd_exec_t
 /usr/local/selinux/bin/schfn	system_u:object_r:passwd_exec_t
 /usr/local/selinux/bin/svipw    system_u:object_r:admin_passwd_exec_t
+/usr/local/selinux/bin/svigr	system_u:object_r:admin_passwd_exec_t
 /usr/local/selinux/bin/sadminpasswd system_u:object_r:admin_passwd_exec_t
 /usr/bin/spasswd		system_u:object_r:passwd_exec_t
 /usr/bin/passwd			system_u:object_r:passwd_real_exec_t
 /usr/bin/schsh			system_u:object_r:passwd_exec_t
 /usr/bin/schfn			system_u:object_r:passwd_exec_t
 /usr/bin/svipw                 system_u:object_r:admin_passwd_exec_t
+/usr/bin/svigr			system_u:object_r:admin_passwd_exec_t
 /usr/bin/sadminpasswd          system_u:object_r:admin_passwd_exec_t
diff -ru /tmp/policy/file_contexts/program/useradd.fc ./file_contexts/program/useradd.fc
--- /tmp/policy/file_contexts/program/useradd.fc	2003-04-11 19:46:03.000000000 +1000
+++ ./file_contexts/program/useradd.fc	2003-03-30 17:07:35.000000000 +1000
@@ -5,3 +5,13 @@
 /usr/bin/susermod		system_u:object_r:useradd_exec_t
 /usr/bin/suseradd               system_u:object_r:useradd_exec_t
 /usr/bin/suserdel               system_u:object_r:useradd_exec_t
+# groupadd
+/usr/local/selinux/bin/sgroupadd	system_u:object_r:groupadd_exec_t
+/usr/local/selinux/bin/sgroupdel	system_u:object_r:groupadd_exec_t
+/usr/local/selinux/bin/sgroupmod	system_u:object_r:groupadd_exec_t
+/usr/local/selinux/bin/sgpasswd		system_u:object_r:groupadd_exec_t
+/usr/bin/sgroupmod		system_u:object_r:groupadd_exec_t
+/usr/bin/sgroupadd               system_u:object_r:groupadd_exec_t
+/usr/bin/sgroupdel               system_u:object_r:groupadd_exec_t
+/usr/bin/sgpasswd               system_u:object_r:groupadd_exec_t
+
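Review bot: the hunk adds a trailing empty line at the end of useradd.fc (the lone `+` at the end); drop it. The entries themselves are the removed groupadd.fc lines verbatim, including the inconsistent tab/space alignment between the /usr/local/selinux/bin and /usr/bin lines; aligning them while moving would be a cheap cleanup.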
diff -ru /tmp/policy/macros/program/chkpwd_macros.te ./macros/program/chkpwd_macros.te
--- /tmp/policy/macros/program/chkpwd_macros.te	2002-10-02 03:28:52.000000000 +1000
+++ ./macros/program/chkpwd_macros.te	2003-04-21 17:47:26.000000000 +1000
@@ -23,8 +23,9 @@
 # The user role is authorized for this domain.
 role $1_r types $1_chkpwd_t;
 
-# This domain is granted permissions common to most domains (includes can_net)
-every_domain($1_chkpwd_t)
+uses_shlib($1_chkpwd_t)
+allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
+r_dir_file($1_chkpwd_t, locale_t)
 
 # Use capabilities.
 allow $1_chkpwd_t self:capability setuid;
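Review bot: the replacement for every_domain here grants uses_shlib, a unix_dgram_socket (presumably for syslog) and locale_t, but not `etc_t:file { getattr read }`, which the equivalent crontab_macros.te hunk in simple.diff does add; unix_chkpwd reads /etc/passwd and /etc/nsswitch.conf, so confirm that access is granted elsewhere in the macro. Dropping can_network also means NIS/LDAP lookups through nsswitch will be denied for this domain; fine if intended, but it should be stated.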

[-- Attachment #5: simple.diff --]
[-- Type: text/x-diff, Size: 12856 bytes --]

diff -ru /tmp/policy/domains/program/klogd.te ./domains/program/klogd.te
--- /tmp/policy/domains/program/klogd.te	2003-04-02 18:06:26.000000000 +1000
+++ ./domains/program/klogd.te	2003-04-25 03:52:17.000000000 +1000
@@ -7,47 +7,35 @@
 #
 # Rules for the klogd_t domain.
 #
-type klogd_t, domain, privlog, privmem;
-role system_r types klogd_t;
-uses_shlib(klogd_t)
-type klogd_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, klogd_exec_t, klogd_t)
-allow klogd_t self:process { fork signal };
-
-type klogd_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(klogd_t, tmp_t, klogd_tmp_t)
-allow klogd_t var_t:dir r_dir_perms;
-type klogd_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans(klogd_t, var_run_t, klogd_var_run_t)
+daemon_domain(klogd, `, privmem')
+
+tmp_domain(klogd)
 allow klogd_t proc_t:dir r_dir_perms;
 allow klogd_t proc_t:lnk_file r_file_perms;
+allow klogd_t proc_t:file { getattr read };
 allow klogd_t self:dir r_dir_perms;
 allow klogd_t self:lnk_file r_file_perms;
 
 # read /etc/nsswitch.conf
+allow klogd_t etc_t:lnk_file read;
 allow klogd_t etc_t:file r_file_perms;
 
 # read localization information
 allow klogd_t locale_t:dir r_dir_perms;
 allow klogd_t locale_t:{file lnk_file} r_file_perms;
 
+allow klogd_t etc_runtime_t:file { getattr read };
+
 # Create unix sockets
 allow klogd_t self:unix_dgram_socket create_socket_perms;
 
 # Use the sys_admin and sys_rawio capabilities.
 allow klogd_t klogd_t:capability { sys_admin sys_rawio };
 
-# Inherit and use descriptors from init.
-allow klogd_t init_t:fd use;
-
 # Read /proc/kmsg and /dev/mem.
-allow klogd_t device_t:dir r_dir_perms;
 allow klogd_t proc_kmsg_t:file r_file_perms;
 allow klogd_t memory_device_t:chr_file r_file_perms;
 
-# Write to the console.
-allow klogd_t { initrc_devpts_t console_device_t }:chr_file rw_file_perms;
-
 # Control syslog and console logging
 allow klogd_t kernel_t:system { syslog_mod syslog_console };
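Review bot: the old declaration gave klogd_t both privlog and privmem, but `daemon_domain(klogd, `, privmem')` only passes privmem, so klogd keeps privlog only if daemon_base_domain adds it; that matters because the removed console write rule is now relied on through the `allow privlog console_device_t:chr_file ...` rule in syslogd.te, and the removed `init_t:fd use` likewise has to come from the macro. Please confirm daemon_base_domain adds privlog, or pass `, privlog, privmem'.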
 
diff -ru /tmp/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /tmp/policy/domains/program/syslogd.te	2003-04-02 18:06:29.000000000 +1000
+++ ./domains/program/syslogd.te	2003-04-25 03:54:06.000000000 +1000
@@ -12,31 +12,22 @@
 # devlog_t is the type of the Unix domain socket created 
 # by syslogd.
 #
-type syslogd_t, domain;
-role system_r types syslogd_t;
-uses_shlib(syslogd_t)
-type syslogd_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, syslogd_exec_t, syslogd_t)
+daemon_domain(syslogd)
+
+# can_network is for the UDP socket
+can_network(syslogd_t)
+
 type devlog_t, file_type, sysadmfile;
-allow syslogd_t self:process { fork signal };
 
 # if something can log to syslog they should be able to log to the console
 allow privlog console_device_t:chr_file { ioctl read write getattr };
 
-type syslogd_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(syslogd_t, tmp_t, syslogd_tmp_t)
-type syslogd_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans(syslogd_t, var_run_t, syslogd_var_run_t, file)
-allow syslogd_t var_t:dir r_dir_perms;
+tmp_domain(syslogd)
 
 # read files in /etc
 allow syslogd_t etc_t:file r_file_perms;
 allow syslogd_t resolv_conf_t:{ file lnk_file } r_file_perms;
 
-# read localization information
-allow syslogd_t locale_t:dir r_dir_perms;
-allow syslogd_t locale_t:{file lnk_file} r_file_perms;
-
 # Use capabilities.
 allow syslogd_t syslogd_t:capability { net_bind_service dac_override };
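Review bot: the comment says can_network is added for the UDP socket, but can_network grants TCP as well as UDP socket creation and network access; for a daemon that only needs to receive and forward over UDP, rules limited to udp_socket plus the netif/node access it needs would be tighter than the whole macro. Also the old `var_t:dir r_dir_perms` is replaced by daemon_domain's `var_t:dir { getattr search }`, which is narrower; fine if syslogd never lists /var, but worth noting as a deliberate tightening.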
 
@@ -65,3 +56,7 @@
 
 # Write to the cron log.
 allow syslogd_t cron_log_t:file rw_file_perms;
+
+ifdef(`logrotate.te', `
+allow logrotate_t syslogd_exec_t:file r_file_perms;
+')
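Review bot: an allow rule for logrotate_t reading syslogd_exec_t is being placed in syslogd.te rather than logrotate.te; the ifdef guard makes it build either way, but the reason (logrotate's postrotate scripts locating the syslogd binary) should be in a comment, and the rule would sit more naturally next to logrotate's other rules.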
diff -ru /tmp/policy/file_contexts/program/fsadm.fc ./file_contexts/program/fsadm.fc
--- /tmp/policy/file_contexts/program/fsadm.fc	2003-02-12 23:36:12.000000000 +1100
+++ ./file_contexts/program/fsadm.fc	2003-04-08 09:06:20.000000000 +1000
@@ -6,6 +6,7 @@
 /sbin/mkreiserfs		system_u:object_r:fsadm_exec_t
 /sbin/resize.*fs		system_u:object_r:fsadm_exec_t
 /sbin/e2label			system_u:object_r:fsadm_exec_t
+/sbin/findfs			system_u:object_r:fsadm_exec_t
 /sbin/mkfs			system_u:object_r:fsadm_exec_t
 /sbin/mke2fs			system_u:object_r:fsadm_exec_t
 /sbin/mkswap			system_u:object_r:fsadm_exec_t
@@ -22,6 +23,7 @@
 /sbin/mkraid			system_u:object_r:fsadm_exec_t
 /sbin/blockdev			system_u:object_r:fsadm_exec_t
 /sbin/losetup			system_u:object_r:fsadm_exec_t
+/sbin/jfs_.*			system_u:object_r:fsadm_exec_t
 /usr/sbin/updfstab		system_u:object_r:fsadm_exec_t
 /usr/sbin/smart(d|ctl)		system_u:object_r:fsadm_exec_t
 /sbin/lvmiopversion		system_u:object_r:fsadm_exec_t
diff -ru /tmp/policy/file_contexts/program/postfix.fc ./file_contexts/program/postfix.fc
--- /tmp/policy/file_contexts/program/postfix.fc	2003-03-27 23:58:04.000000000 +1100
+++ ./file_contexts/program/postfix.fc	2003-04-24 12:51:18.000000000 +1000
@@ -24,7 +24,7 @@
 /usr/sbin/postmap		system_u:object_r:postfix_master_exec_t
 /usr/sbin/postqueue		system_u:object_r:postfix_postqueue_exec_t
 /usr/sbin/postsuper		system_u:object_r:postfix_master_exec_t
-/usr/sbin/rmail			system_u:object_r:postfix_master_exec_t
+/usr/sbin/rmail			system_u:object_r:sendmail_exec_t
 /var/spool/postfix(/[^/]+)?	system_u:object_r:postfix_spool_t
 /var/spool/postfix/active(/.*)?	system_u:object_r:postfix_spool_t
 /var/spool/postfix/hold(/.*)?	system_u:object_r:postfix_spool_t
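Review bot: relabelling /usr/sbin/rmail to sendmail_exec_t in postfix.fc makes the postfix rmail wrapper take the sendmail transition instead of postfix_master; plausible, since rmail is a sendmail-compatible front end, but sendmail_exec_t is defined in a different policy file, so this entry needs the same ifdef protection used for the logrotate rule in syslogd.te, otherwise setfiles rejects the context on a system without sendmail policy.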
diff -ru /tmp/policy/file_contexts/program/syslogd.fc ./file_contexts/program/syslogd.fc
--- /tmp/policy/file_contexts/program/syslogd.fc	2003-03-16 22:33:46.000000000 +1100
+++ ./file_contexts/program/syslogd.fc	2003-04-25 03:54:53.000000000 +1000
@@ -5,5 +5,4 @@
 /sbin/syslog-ng			system_u:object_r:syslogd_exec_t
 /dev/log			system_u:object_r:devlog_t
 /var/run/log			system_u:object_r:devlog_t
-/var/run/klogd\.pid		system_u:object_r:klogd_var_run_t
 /var/run/syslogd\.pid		system_u:object_r:syslogd_var_run_t
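Review bot: removing the /var/run/klogd\.pid entry means setfiles will label an existing pid file var_run_t while the running klogd (now via var_run_domain) creates it as klogd_var_run_t; unless this line moved to a klogd.fc that is not in the diff, keep it here so relabel and runtime agree.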
diff -ru /tmp/policy/macros/program/crontab_macros.te ./macros/program/crontab_macros.te
--- /tmp/policy/macros/program/crontab_macros.te	2003-03-14 02:14:55.000000000 +1100
+++ ./macros/program/crontab_macros.te	2003-04-20 18:20:48.000000000 +1000
@@ -27,8 +27,11 @@
 # The user role is authorized for this domain.
 role $1_r types $1_crontab_t;
 
-# This domain is granted permissions common to most domains (including can_net)
-every_domain($1_crontab_t)
+uses_shlib($1_crontab_t)
+allow $1_crontab_t etc_t:file { getattr read };
+allow $1_crontab_t self:unix_stream_socket create_socket_perms;
+allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
+r_dir_file($1_crontab_t, locale_t)
 
 # Use capabilities
 allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown };
@@ -40,7 +43,9 @@
 type $1_cron_spool_t, file_type, sysadmfile;
 # Use the type when creating files in /var/spool/cron.
 allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
+allow $1_crontab_t var_spool_t:dir search;
 file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t)
+allow $1_crontab_t self:process { fork signal_perms };
 ifdef(`fcron.te', `
 allow crond_t $1_cron_spool_t:file create_file_perms;
 # fcron wants an instant update of a crontab change for the administrator
@@ -57,7 +62,9 @@
 allow crond_t $1_cron_spool_t:file r_file_perms;
 
 # Run helper programs as $1_t
-domain_auto_trans($1_crontab_t, { bin_t sbin_t exec_type }, $1_t)
+allow $1_crontab_t { bin_t sbin_t }:dir search;
+allow $1_crontab_t bin_t:lnk_file read;
+domain_auto_trans_read($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
 
 # Read user crontabs 
 allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
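Review bot: domain_auto_trans_read is not defined anywhere in this patch set; confirm it exists in the tree or the macro fails to expand. Narrowing the transition sources from `exec_type` to `{ bin_t sbin_t shell_exec_t }` is good (crontab no longer transitions on arbitrary exec_type binaries), and the reason for `bin_t:lnk_file read` (symlinked editors) belongs in the comment.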
@@ -69,10 +76,11 @@
 allow $1_crontab_t cron_log_t:file { append };
 
 # Access terminals.
+allow $1_crontab_t device_t:dir search;
 allow $1_crontab_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_crontab_t $1_devpts_t:chr_file rw_file_perms;
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-
+allow $1_crontab_t privfd:fd use;
 ')
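Review bot: `allow $1_crontab_t privfd:fd use;` duplicates what general_domain_access grants to every domain after global.diff, if $1_crontab_t calls that macro; keep one or the other. The new `device_t:dir search` under "Access terminals" is needed to reach /dev/pts and the tty, which the comment should say.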
diff -ru /tmp/policy/macros/program/gpg_macros.te ./macros/program/gpg_macros.te
--- /tmp/policy/macros/program/gpg_macros.te	2003-03-27 23:58:06.000000000 +1100
+++ ./macros/program/gpg_macros.te	2003-04-05 14:18:06.000000000 +1000
@@ -80,6 +80,6 @@
 allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
 allow $1_gpg_t fs_t:filesystem getattr;
 allow $1_gpg_t usr_t:file r_file_perms;
-allow $1_gpg_t etc_t:lnk_file r_file_perms;
+r_dir_file($1_gpg_t, locale_t)
 allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
 ')
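Review bot: this swaps `etc_t:lnk_file r_file_perms` for `r_dir_file($1_gpg_t, locale_t)` rather than adding the locale rule; if $1_gpg_t relied on reading symlinks in /etc (the alternatives case described in the global.diff cover note) and does not go through can_exec_any, this is a regression. The same swap is made in irc_macros.te below.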
diff -ru /tmp/policy/macros/program/gph_macros.te ./macros/program/gph_macros.te
--- /tmp/policy/macros/program/gph_macros.te	2003-01-20 11:04:03.000000000 +1100
+++ ./macros/program/gph_macros.te	2003-04-17 08:43:31.000000000 +1000
@@ -34,7 +34,7 @@
 role $1_r types $1_gph_t;
 
 # This domain is granted permissions common to most domains.
-every_domain($1_gph_t)
+uses_shlib($1_gph_t)
 
 # Use capabilities.
 allow $1_gph_t $1_gph_t:capability { setuid setgid fsetid };
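Review bot: the comment "This domain is granted permissions common to most domains." directly above the change is now false, as the domain only gets uses_shlib; update or drop the comment.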
diff -ru /tmp/policy/macros/program/irc_macros.te ./macros/program/irc_macros.te
--- /tmp/policy/macros/program/irc_macros.te	2003-03-14 02:14:55.000000000 +1100
+++ ./macros/program/irc_macros.te	2003-04-12 10:02:10.000000000 +1000
@@ -36,9 +36,7 @@
 role $1_r types $1_irc_t;
 
 # Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',
-`allow $1_irc_t $1_gph_t:fd use;
-allow $1_t $1_gph_t:fd use;')
+ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
 
 # Inherit and use descriptors from newrole.
 ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
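Review bot: the removed `allow $1_t $1_gph_t:fd use;` is a rule for the user domain $1_t, not for $1_irc_t; dropping it from irc_macros.te is only safe if gph_macros.te or the user domain macro grants it, which this diff does not show. Please state where the user domain now gets that access.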
@@ -53,7 +51,7 @@
 
 uses_shlib($1_irc_t)
 allow $1_irc_t { etc_t resolv_conf_t }:file { read getattr };
-allow $1_irc_t etc_t:lnk_file read;
+r_dir_file($1_irc_t, locale_t)
 allow $1_irc_t fs_t:filesystem getattr;
 allow $1_irc_t var_t:dir search;
 allow $1_irc_t devpts_t:dir { getattr read search };
diff -ru /tmp/policy/macros/program/run_program_macros.te ./macros/program/run_program_macros.te
--- /tmp/policy/macros/program/run_program_macros.te	2002-11-04 23:28:01.000000000 +1100
+++ ./macros/program/run_program_macros.te	2003-04-20 22:13:21.000000000 +1000
@@ -29,6 +29,9 @@
 allow run_$3_t initrc_var_run_t:file rw_file_perms;
 allow run_$3_t admin_tty_type:chr_file rw_file_perms;
 
+dontaudit run_$3_t devpts_t:dir { getattr read };
+dontaudit run_$3_t device_t:dir read;
+
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
 # the failed access to the current directory
@@ -39,6 +42,14 @@
 
 domain_trans(run_$3_t, $4, $5)
 
-# hmm, do we REALLY need this?
-every_domain(run_$3_t)
+allow run_$3_t privfd:fd use;
+uses_shlib(run_$3_t)
+allow run_$3_t security_t:security { sid_to_context context_to_sid };
+allow run_$3_t self:unix_stream_socket create_socket_perms;
+allow run_$3_t self:unix_dgram_socket create_socket_perms;
+allow run_$3_t etc_t:file { getattr read };
+r_dir_file(run_$3_t, locale_t)
+allow run_$3_t fs_t:filesystem getattr;
+allow run_$3_t { bin_t sbin_t }:dir search;
+dontaudit run_$3_t { proc_t device_t }:dir { getattr search };
 ')
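Review bot: the replacement for every_domain answers the old "do we REALLY need this?" only in part: each added rule deserves a short comment like the rules above it, especially `security_t:security { sid_to_context context_to_sid }` and the two socket rules, so a later reader can tell which are needed by the wrapper itself and which by the program it execs. The `{ proc_t device_t }:dir { getattr search }` dontaudit overlaps the `device_t:dir read` dontaudit added in the previous hunk; combining them keeps the macro readable.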
diff -ru /tmp/policy/macros/program/sendmail_macros.te ./macros/program/sendmail_macros.te
--- /tmp/policy/macros/program/sendmail_macros.te	2003-01-20 11:04:03.000000000 +1100
+++ ./macros/program/sendmail_macros.te	2003-03-23 10:08:30.000000000 +1100
@@ -25,9 +25,6 @@
 # Use this type when creating files in /tmp.
 file_type_auto_trans($1_mail_t, tmp_t, $1_mail_tmp_t)
 
-# Update /etc/mail/statistics.
-allow $1_mail_t etc_mail_t:file rw_file_perms;
-
 # Write to /var/spool/mail and /var/spool/mqueue.
 allow $1_mail_t mail_spool_t:dir rw_dir_perms;
 allow $1_mail_t mail_spool_t:file create_file_perms;
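Review bot: dropping `etc_mail_t:file rw_file_perms` removes the only write access user mail domains have under /etc/mail; that is a sound least-privilege change if /etc/mail/statistics is no longer written by the sendmail client, but it is a behaviour change rather than a trivial cleanup and should be called out in the description (and, if denials appear, handled with a dontaudit rather than by restoring rw).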
diff -ru /tmp/policy/macros/program/ssh_macros.te ./macros/program/ssh_macros.te
--- /tmp/policy/macros/program/ssh_macros.te	2003-04-02 18:06:41.000000000 +1000
+++ ./macros/program/ssh_macros.te	2003-04-08 09:07:20.000000000 +1000
@@ -111,6 +111,9 @@
 r_dir_file(sshd_t, $1_home_ssh_t)
 rw_dir_create_file($1_t, $1_home_ssh_t)
 
+# for /bin/sh used to execute xauth
+dontaudit $1_ssh_t proc_t:dir search;
+
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
 
diff -ru /tmp/policy/macros/program/xserver_macros.te ./macros/program/xserver_macros.te
--- /tmp/policy/macros/program/xserver_macros.te	2003-03-28 06:10:03.000000000 +1100
+++ ./macros/program/xserver_macros.te	2003-04-05 14:18:23.000000000 +1000
@@ -128,6 +128,8 @@
 allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
 ')
 
+r_dir_file($1_xserver_t, locale_t)
+
 # David Wheeler says he needs the following permission
 # for his X server.  Something is wrong here - the shared
 # memory pseudo file should be labeled $1_tmpfs_t and handled


* policy patches
@ 2004-08-19 12:57 Russell Coker
  2004-08-20 19:07 ` Stephen Smalley
  0 siblings, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-08-19 12:57 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1502 bytes --]

diff1 makes the Makefile use M4PARAM for the file_contexts.

It makes a trivial change to fsadm_t access which satisfies some of the 
assertions I test with (no difference in production).

Removes devpts access from getty_t (it has no business doing such things, any 
time it tries to do so is a bug somewhere).

Makes a change to initrc_t needed for cryptsetup on Debian (unsure whether 
cryptsetup on Fedora will work the same way, it's quite likely - I think it's 
best if we copy the Debian cryptsetup stuff into Fedora).

Also it removes boot_t:lnk_file access from klogd_t, on Fedora the only 
boot_t:lnk_file is the GRUB menu.lst file (which klogd does not need access 
to), on Debian there are also some sym-links for LILO (which are in the same 
category).


diff makes some minor changes to the passwd policy to work with different 
editors for vipw and different versions of chfn.

Allows acct_t to execute logrotate.

Works with the latest version of amavis. 

Fixes the apmd policy to work with the device_type changes and some 
functionality that is commonly called from apm scripts.

Changes the capabilities in bluetooth.te to be in the same order as the header 
file.

Updates the calamaris policy to work with the latest version.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff1 --]
[-- Type: text/x-diff, Size: 2806 bytes --]

diff -ru /usr/src/se/policy/Makefile ./Makefile
--- /usr/src/se/policy/Makefile	2004-08-02 16:59:45.000000000 +1000
+++ ./Makefile	2004-08-19 21:22:13.000000000 +1000
@@ -140,7 +140,7 @@
 
 $(FC): $(FCFILES) $(ALL_TUNABLES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
 	@echo "Building file_contexts ..."
-	@m4 $(ALL_TUNABLES) $(FCFILES) > $@.tmp
+	@m4 $(M4PARAM) $(ALL_TUNABLES) $(FCFILES) > $@.tmp
 	@grep -v "^/root" $@.tmp > $@.root
 	@/usr/sbin/genhomedircon . $@.root  > $@
 	@grep "^/root" $@.tmp >> $@
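Review bot: $(M4PARAM) is used here but nothing in the hunk sets or documents it, so whatever sets it for the policy.conf build has to set it identically for this rule; a one-line comment above the recipe (or an empty default assignment with that comment) would make the coupling visible. If the two builds ever see different m4 definitions, file_contexts can name types that the compiled policy does not define.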
diff -ru /usr/src/se/policy/domains/program/fsadm.te ./domains/program/fsadm.te
--- /usr/src/se/policy/domains/program/fsadm.te	2004-06-17 15:10:38.000000000 +1000
+++ ./domains/program/fsadm.te	2004-07-04 18:18:07.000000000 +1000
@@ -84,7 +84,8 @@
 
 # Access lost+found.
 allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:notdevfile_class_set create_file_perms;
+allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
+allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
 
 allow fsadm_t file_t:dir { search read getattr rmdir create };
 
diff -ru /usr/src/se/policy/domains/program/getty.te ./domains/program/getty.te
--- /usr/src/se/policy/domains/program/getty.te	2004-08-04 20:26:43.000000000 +1000
+++ ./domains/program/getty.te	2004-08-15 15:53:57.000000000 +1000
@@ -52,8 +52,6 @@
 # Chown, chmod, read and write ttys.
 allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
 allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-allow getty_t initrc_devpts_t:chr_file { setattr rw_file_perms };
-dontaudit getty_t { user_devpts_t sysadm_devpts_t }:chr_file { read write };
 
 # for error condition handling
 allow getty_t fs_t:filesystem getattr;
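Review bot: with both the allow on initrc_devpts_t and the dontaudit on user/sysadm devpts gone, every getty_t access to a pty now produces an AVC denial, which is the stated intent (it is a bug somewhere); add a one-line comment at this spot saying the denial is deliberate, otherwise the next person who sees it in the log will put a dontaudit back. Also check that the surviving "allow getty_t ttyfile:chr_file" line does not reach the devpts types through the ttyfile attribute, or the removal changes nothing.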
diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2004-08-02 16:59:47.000000000 +1000
+++ ./domains/program/initrc.te	2004-08-11 16:58:56.000000000 +1000
@@ -164,7 +164,10 @@
 allow initrc_t pidfile:file { getattr read unlink };
 
 # Write to /dev/urandom.
-allow initrc_t urandom_device_t:chr_file rw_file_perms;
+allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
+
+# for cryptsetup
+allow initrc_t fixed_disk_device_t:blk_file getattr;
 
 # Set device ownerships/modes.
 allow initrc_t framebuf_device_t:lnk_file read;
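Review bot: the "# Write to /dev/urandom." comment above the changed line is now wrong, since the rule also grants rw_file_perms on random_device_t; update it and say why /dev/random needs write as well as read (if the cryptsetup scripts only read entropy, read on random_device_t would do). The getattr on fixed_disk_device_t:blk_file under "# for cryptsetup" is fine as a stat-only grant.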
diff -ru /usr/src/se/policy/domains/program/klogd.te ./domains/program/klogd.te
--- /usr/src/se/policy/domains/program/klogd.te	2004-07-08 13:09:33.000000000 +1000
+++ ./domains/program/klogd.te	2004-06-17 03:07:45.000000000 +1000
@@ -43,5 +43,3 @@
 # Read /boot/System.map*
 allow klogd_t system_map_t:file r_file_perms;
 allow klogd_t boot_t:dir r_dir_perms;
-allow klogd_t boot_t:lnk_file { read };
-
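Review bot: after this removal klogd_t can still search boot_t directories and read system_map_t files, but loses read on any symlink labelled boot_t. The message says Debian has LILO symlinks in /boot; confirm on both distributions that a System.map reached through a symlink (a versioned map linked from /boot/System.map) is itself labelled system_map_t rather than boot_t, or klogd will be denied at startup.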

[-- Attachment #3: diff --]
[-- Type: text/x-diff, Size: 6297 bytes --]

diff -ru /usr/src/se/policy/domains/program/passwd.te ./domains/program/passwd.te
--- /usr/src/se/policy/domains/program/passwd.te	2004-06-17 15:10:38.000000000 +1000
+++ ./domains/program/passwd.te	2004-08-09 00:35:11.000000000 +1000
@@ -35,6 +35,9 @@
 
 allow $1_t etc_t:file create_file_perms;
 
+# read /etc/mtab
+allow $1_t etc_runtime_t:file { getattr read };
+
 # Allow etc_t symlinks for /etc/alternatives on Debian.
 allow $1_t etc_t:lnk_file read;
 
@@ -87,8 +90,8 @@
 dontaudit chfn_t shadow_t:file read;
 allow chfn_t etc_t:dir rw_dir_perms;
 allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { read };
-allow chfn_t chfn_t:file { write };
+allow chfn_t proc_t:file { getattr read };
+allow chfn_t self:file { write };
 
 in_user_role(passwd_t)
 in_user_role(chfn_t)
@@ -118,9 +121,10 @@
 ')
 
 # allow vipw to exec the editor
-allow sysadm_passwd_t { root_t usr_t bin_t }:dir search;
+allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
 allow sysadm_passwd_t { bin_t }:lnk_file read;
 can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
+r_dir_file(sysadm_passwd_t, usr_t)
 
 # allow vipw to create temporary files under /var/tmp/vi.recover
 allow sysadm_passwd_t var_t:dir search;
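Review bot: r_dir_file(sysadm_passwd_t, usr_t) widens the previous usr_t:dir search to reading every usr_t file and directory; that is reasonable for an editor that loads runtime files from /usr, but the "# allow vipw to exec the editor" comment should say so (which editor, what it reads), since the rule is much broader than the exec it sits under. Note also that can_exec(sysadm_passwd_t, { shell_exec_t bin_t }) already lets any bin_t program run in sysadm_passwd_t, so the policy does not constrain which editor vipw invokes.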
@@ -133,6 +137,12 @@
 # for nscd lookups
 dontaudit sysadm_passwd_t var_run_t:dir search;
 
+# for /proc/meminfo
+allow sysadm_passwd_t proc_t:file { getattr read };
+
+dontaudit sysadm_passwd_t selinux_config_t:dir search;
+dontaudit sysadm_passwd_t devpts_t:dir search;
+
 # make sure that getcon succeeds
 allow passwd_t userdomain:dir search;
 allow passwd_t userdomain:file read;
diff -ru /usr/src/se/policy/domains/program/unused/acct.te ./domains/program/unused/acct.te
--- /usr/src/se/policy/domains/program/unused/acct.te	2004-06-17 15:10:39.000000000 +1000
+++ ./domains/program/unused/acct.te	2004-07-23 16:15:35.000000000 +1000
@@ -22,7 +22,7 @@
 allow acct_t urandom_device_t:chr_file read;
 
 ifdef(`logrotate.te', `
-allow acct_t logrotate_exec_t:file getattr;
+can_exec(acct_t, logrotate_exec_t)
 r_dir_file(logrotate_t, acct_data_t)
 ')
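Review bot: can_exec(acct_t, logrotate_exec_t) runs logrotate in the acct_t domain, not in logrotate_t, so the logrotate_t rules (including the r_dir_file(logrotate_t, acct_data_t) on the next line) do not apply to that invocation and acct_t must itself carry whatever logrotate touches. If the intent is for acct's logrotate run to be confined like the cron-driven one, use domain_auto_trans(acct_t, logrotate_exec_t, logrotate_t) and fall back to the exec-in-place only if the transition is known to break.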
 
diff -ru /usr/src/se/policy/domains/program/unused/amavis.te ./domains/program/unused/amavis.te
--- /usr/src/se/policy/domains/program/unused/amavis.te	2004-08-04 20:26:43.000000000 +1000
+++ ./domains/program/unused/amavis.te	2004-08-16 20:24:12.000000000 +1000
@@ -20,8 +20,10 @@
 allow initrc_t amavisd_lib_t:file unlink;
 allow initrc_t amavisd_var_run_t:dir setattr;
 allow amavisd_t self:capability { chown dac_override setgid setuid };
+dontaudit amavisd_t self:capability sys_tty_config;
 
 allow amavisd_t usr_t:{ file lnk_file } { getattr read };
+dontaudit amavisd_t usr_t:file ioctl;
 
 # networking
 can_network(amavisd_t)
diff -ru /usr/src/se/policy/domains/program/unused/apmd.te ./domains/program/unused/apmd.te
--- /usr/src/se/policy/domains/program/unused/apmd.te	2004-08-02 16:59:47.000000000 +1000
+++ ./domains/program/unused/apmd.te	2004-08-03 15:08:13.000000000 +1000
@@ -72,12 +72,13 @@
 # setuid for fuser, dac* for ps
 dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
 dontaudit apmd_t domain:{ socket_class_set } getattr;
-dontaudit apmd_t { file_type fs_type }:dir_file_class_set getattr;
+dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
+dontaudit apmd_t device_type:devfile_class_set getattr;
 dontaudit apmd_t home_type:dir { search getattr };
 dontaudit apmd_t domain:key_socket getattr;
 dontaudit apmd_t domain:dir search;
 
-ifdef(`redhat', `
+ifdef(`redhat', `
 can_exec(apmd_t, apmd_var_run_t)
 # for /var/lock/subsys/network
 rw_dir_create_file(apmd_t, var_lock_t)
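Review bot: the ifdef(`redhat' line is changed with no visible difference, which is almost certainly trailing whitespace; drop that from the patch so the diff records only the real edits. On the substance, dontaudit apmd_t device_type:devfile_class_set getattr silences stat of every device node, which matches the device_type change the message describes and is harmless at getattr scope; keep it getattr only.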
@@ -108,7 +109,16 @@
 
 # Same for apm/acpid scripts
 domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
+ifdef(`consoletype.te', `
+allow consoletype_t apmd_t:fd use;
+allow consoletype_t apmd_t:fifo_file write;
+')
+ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
+ifdef(`crond.te', `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)')
 
 ifdef(`mta.te', `
 domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
 ')
+
+# for a find /dev operation that gets /dev/shm
+dontaudit apmd_t tmpfs_t:dir r_dir_perms;
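Review bot: domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t) makes any anacron run triggered from an apm script execute in system_crond_t, a domain with far more reach than apmd_t; if that mirrors how crond.te already handles anacron, say so in a comment, and keep the rule inside the ifdef(`crond.te' guard as it is so that anacron_exec_t and system_crond_t cannot dangle. The consoletype and mount fd/fifo rules are the usual inherited-descriptor cleanup for helpers the apm scripts call.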
diff -ru /usr/src/se/policy/domains/program/unused/backup.te ./domains/program/unused/backup.te
--- /usr/src/se/policy/domains/program/unused/backup.te	2004-07-13 09:07:59.000000000 +1000
+++ ./domains/program/unused/backup.te	2004-07-19 09:53:38.000000000 +1000
@@ -23,6 +23,9 @@
 rw_dir_create_file(system_crond_t, backup_store_t)
 ')
 
+# for SSP
+allow backup_t urandom_device_t:chr_file read;
+
 can_network(backup_t)
 uses_shlib(backup_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/bluetooth.te ./domains/program/unused/bluetooth.te
--- /usr/src/se/policy/domains/program/unused/bluetooth.te	2004-05-30 16:26:57.000000000 +1000
+++ ./domains/program/unused/bluetooth.te	2004-07-05 00:03:10.000000000 +1000
@@ -15,7 +15,7 @@
 tmp_domain(bluetooth)
 
 # Use capabilities.
-allow bluetooth_t self:capability { net_raw sys_tty_config net_admin };
+allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
 
 rw_dir_create_file(bluetooth_t, var_lock_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/calamaris.te ./domains/program/unused/calamaris.te
--- /usr/src/se/policy/domains/program/unused/calamaris.te	2004-03-27 00:46:44.000000000 +1100
+++ ./domains/program/unused/calamaris.te	2004-08-12 17:11:00.000000000 +1000
@@ -21,6 +21,8 @@
 allow calamaris_t var_log_squid_t:dir search;
 allow calamaris_t var_log_squid_t:file { getattr read };
 allow calamaris_t { usr_t lib_t }:file { getattr read };
+allow calamaris_t usr_t:lnk_file { getattr read };
+dontaudit calamaris_t usr_t:file ioctl;
 
 type calamaris_www_t, file_type, sysadmfile;
 ifdef(`apache.te', `
@@ -36,10 +38,13 @@
 allow calamaris_t device_t:dir search;
 allow calamaris_t devtty_t:chr_file { read write };
 
+allow calamaris_t urandom_device_t:chr_file { getattr read };
+
 allow calamaris_t self:process { fork signal_perms setsched };
 allow calamaris_t { proc_t sysctl_kernel_t }:dir search;
 allow calamaris_t { proc_t sysctl_kernel_t }:file { getattr read };
 allow calamaris_t { proc_t self }:lnk_file read;
+allow calamaris_t self:dir search;
 
 allow calamaris_t { bin_t sbin_t }:dir search;
 allow calamaris_t bin_t:lnk_file read;

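Russell's message above mentions assertions he tests the policy against, and the getty.te hunk is the kind of change such an assertion drives (getty_t must never touch a pseudo-terminal). The following is an added example, not code from the policy tree or from anyone in this thread: a small Python checker that parses allow/dontaudit rules out of a policy fragment and reports the allow rules that would violate a neverallow-style assertion. The permission-macro expansions, the ptyfile attribute membership and the two getty fragments are constructed for the example (the real ones live in macros/core_macros.te and the type declarations), so a run against a real tree would load them from the policy instead of hard-coding them.

```python
"""Neverallow-style checker for SELinux TE policy fragments (added example)."""
import re
from dataclasses import dataclass

# One token of a TE rule: a brace-delimited set or a bare identifier.
_TOK = r"(?:\{[^}]*\}|[^\s:;{}]+)"
_RULE = re.compile(
    rf"^\s*(allow|dontaudit|auditallow)\s+({_TOK})\s+({_TOK})\s*:\s*({_TOK})\s+({_TOK})\s*;"
)

# Assumed expansions of the permission macros used below; the real policy
# defines them in macros/core_macros.te.
PERM_MACROS = {
    "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
    "r_file_perms": {"ioctl", "read", "getattr", "lock"},
}

# Assumed attribute membership, constructed for the example.
ATTRIBUTES = {
    "ptyfile": {"initrc_devpts_t", "user_devpts_t", "sysadm_devpts_t"},
}


def _names(tok):
    tok = tok.strip()
    return set(tok[1:-1].split()) if tok.startswith("{") else {tok}


@dataclass(frozen=True)
class Rule:
    kind: str
    sources: frozenset
    targets: frozenset
    classes: frozenset
    perms: frozenset
    text: str


def parse_rules(policy_text):
    """Parse allow/dontaudit/auditallow rules; comments, ifdefs and macro
    invocations are skipped, permission macros are expanded."""
    rules = []
    for line in policy_text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        kind, src, tgt, cls, perms = m.groups()
        expanded = set()
        for p in _names(perms):
            expanded |= PERM_MACROS.get(p, {p})
        rules.append(Rule(kind, frozenset(_names(src)), frozenset(_names(tgt)),
                          frozenset(_names(cls)), frozenset(expanded), line.strip()))
    return rules


def _expand_types(names):
    out = set()
    for n in names:
        out |= ATTRIBUTES.get(n, {n})
    return out


def neverallow_violations(rules, source, targets, cls, perms):
    """Return the allow rules that violate 'neverallow source targets:cls perms'.
    dontaudit rules grant nothing, so they can never violate an assertion."""
    wanted_targets, wanted_perms = _expand_types(targets), set(perms)
    hits = []
    for r in rules:
        if r.kind != "allow" or source not in _expand_types(r.sources):
            continue
        if not (_expand_types(r.targets) & wanted_targets) or cls not in r.classes:
            continue
        if r.perms & wanted_perms:
            hits.append(r)
    return hits


# Constructed fragment modelled on getty.te before the patch in this message.
GETTY_BEFORE = """
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
allow getty_t initrc_devpts_t:chr_file { setattr rw_file_perms };
dontaudit getty_t { user_devpts_t sysadm_devpts_t }:chr_file { read write };
"""

# The same fragment with the two devpts lines dropped, as the patch does.
GETTY_AFTER = "\n".join(l for l in GETTY_BEFORE.splitlines() if "devpts" not in l)


def getty_devpts_violations(policy_text):
    """Assertion in the spirit of the message: getty_t never reads or writes a pty."""
    return neverallow_violations(parse_rules(policy_text), "getty_t", {"ptyfile"},
                                 "chr_file", {"read", "write"})


if __name__ == "__main__":
    for label, text in (("before", GETTY_BEFORE), ("after", GETTY_AFTER)):
        hits = getty_devpts_violations(text)
        print(f"{label}: {len(hits)} violation(s)")
        for h in hits:
            print("   ", h.text)
```

Running the block reports one violation for the "before" fragment (the initrc_devpts_t allow line) and none for the "after" one; the dontaudit line never counts, because dontaudit grants nothing. checkpolicy enforces neverallow statements in the shipped policy at build time; a standalone checker like this is for assertions too site-specific to ship, which is how the message describes its use.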

* Re: policy patches
  2004-08-19 12:57 policy patches Russell Coker
@ 2004-08-20 19:07 ` Stephen Smalley
  0 siblings, 0 replies; 47+ messages in thread
From: Stephen Smalley @ 2004-08-20 19:07 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Thu, 2004-08-19 at 08:57, Russell Coker wrote:
> diff1 makes the Makefile use M4PARAM for the file_contexts.
> 
> It makes a trivial change to fsadm_t access which satisfies some of the 
> assertions I test with (no difference in production).
> 
> Removes devpts access from getty_t (it has no business doing such things, any 
> time it tries to do so is a bug somewhere).
> 
> Makes a change to initrc_t needed for cryptsetup on Debian (unsure whether 
> cryptsetup on Fedora will work the same way, it's quite likely - I think it's 
> best if we copy the Debian cryptsetup stuff into Fedora).
> 
> Also it removes boot_t:lnk_file access from klogd_t, on Fedora the only 
> boot_t:lnk_file is the GRUB menu.lst file (which klogd does not need access 
> to), on Debian there are also some sym-links for LILO (which are in the same 
> category).
> 
> 
> diff makes some minor changes to the passwd policy to work with different 
> editors for vipw and different versions of chfn.
> 
> Allows acct_t to execute logrotate.
> 
> Works with the latest version of amavis. 
> 
> Fixes the apmd policy to work with the device_type changes and some 
> functionality that is commonly called from apm scripts.
> 
> Changes the capabilities in bluetooth.te to be in the same order as the header 
> file.
> 
> Updates the calamaris policy to work with the latest version.

Merged.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Policy patches
  2004-09-16 14:52 ` James Carter
@ 2004-09-16 21:23   ` Daniel J Walsh
  2004-09-17 12:07     ` Russell Coker
  2004-09-17 20:56     ` James Carter
  0 siblings, 2 replies; 47+ messages in thread
From: Daniel J Walsh @ 2004-09-16 21:23 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, SE Linux

[-- Attachment #1: Type: text/plain, Size: 111 bytes --]

New patches to allow hald to add lines to /etc/fstab with 
fscontext=system_u:object_r:removable_t.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 11307 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/removable_context policy-1.17.17/appconfig/removable_context
--- nsapolicy/appconfig/removable_context	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.17/appconfig/removable_context	2004-09-16 10:54:46.000000000 -0400
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.17/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.17/domains/program/mount.te	2004-09-16 13:50:45.899174425 -0400
@@ -93,7 +93,8 @@
 allow mount_t file_type:filesystem { unmount mount relabelto };
 
 allow mount_t mnt_t:dir { getattr };
-dontaudit mount_t { userdomain kernel_t}:fd use;
+allow mount_t { userdomain }:fd use;
+dontaudit mount_t { kernel_t}:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
 ifdef(`distro_redhat', `
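Review bot: allow mount_t { userdomain }:fd use turns a previously silenced access into a grant for every user domain's descriptors, while the message motivates the patch only by hald and removable media; if what actually needs the inherited descriptors is the per-user mount domain, the rule belongs in the mount_domain macro (the user_macros.te hunk further down already adds xdm_t fd use for $1_mount_t) and the system mount_t line can stay a dontaudit. Either way, note which caller leaks the descriptor.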
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.17/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.17/domains/program/unused/consoletype.te	2004-09-16 16:59:49.161755104 -0400
@@ -52,5 +52,5 @@
 allow consoletype_t pam_var_run_t:file { getattr read };
 ')
 ifdef(`distro_redhat', `
-dontaudit consoletype_t tmpfs_t:chr_file { read write };
+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
 ')
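Review bot: replacing the dontaudit with allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write } lets consoletype read and write any character device that happens to be labelled tmpfs_t, which is what a /dev on tmpfs looks like before its nodes are relabelled. consoletype only has to classify its stdin, so getattr and ioctl should be enough; if read/write really is required, the fix is to get the nodes labelled (Russell's reply proposes the dev_fs attribute for this), not to grant the access on tmpfs_t.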
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.17/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-16 16:57:34.930259111 -0400
+++ policy-1.17.17/domains/program/unused/hald.te	2004-09-16 13:36:57.631159098 -0400
@@ -51,8 +51,14 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
+dontaudit hald_t selinux_config_t:dir { search };
+dontaudit hald_t userdomain:fd { use };
+
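Review bot: the new block is guarded by ifdef(`udev.te' but references hotplug_etc_t, which by its name is declared in hotplug.te; on a build with udev.te present and hotplug.te absent the type is undefined and the policy will not compile. Guard it with ifdef(`hotplug.te' (or nest both). The dontaudit hald_t userdomain:fd { use } is fine as a silence, but it treats the same descriptor leak that mount.te above turns into an allow; pick one treatment for both.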
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.17.17/domains/program/unused/mozilla.te
--- nsapolicy/domains/program/unused/mozilla.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.17/domains/program/unused/mozilla.te	2004-09-16 10:54:46.000000000 -0400
@@ -6,6 +6,7 @@
 
 # Type for the netscape, mozilla or other browser executables.
 type mozilla_exec_t, file_type, sysadmfile, exec_type;
+type mozilla_conf_t, file_type, sysadmfile;
 
 # Allow mozilla to read files in the user home directory
 bool mozilla_readhome false;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.17/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.17/domains/program/unused/nscd.te	2004-09-16 15:02:07.387150095 -0400
@@ -70,4 +70,8 @@
 #
 dontaudit nscd_t var_run_t:sock_file rw_file_perms;
 
+allow nscd_t self:file { getattr read };
+allow nscd_t proc_t:file { getattr read };
+allow nscd_t selinux_config_t:dir { search };
+r_dir_file(nscd_t, default_context_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.17/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.17/domains/program/unused/portmap.te	2004-09-16 11:55:04.363237680 -0400
@@ -54,3 +54,4 @@
 
 # do not log when it tries to bind to a port belonging to another domain
 #dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_t tty_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.17/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.17/domains/program/unused/updfstab.te	2004-09-16 13:36:58.170098295 -0400
@@ -62,3 +62,10 @@
 
 r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
 can_getsecurity(updfstab_t)
+
+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
+dontaudit updfstab_t devtty_t:chr_file { read write };
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.17/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.17/file_contexts/program/mozilla.fc	2004-09-16 10:54:46.000000000 -0400
@@ -17,3 +17,4 @@
 /usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
+/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
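Review bot: the /etc/mozpluggerrc entry omits the "--" file-type field the other lines in this file use and separates path from context with a space instead of a tab; since mozpluggerrc is a regular file, add "--" so the entry cannot match a directory or symlink of that name, and match the column layout above.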
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.17.17/file_contexts/program/rhgb.fc
--- nsapolicy/file_contexts/program/rhgb.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.17/file_contexts/program/rhgb.fc	2004-09-16 17:07:57.275857767 -0400
@@ -1,2 +1,3 @@
 /usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
 #/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
+/etc/rhgb		-d	system_u:object_r:mnt_t
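Review bot: labelling /etc/rhgb as mnt_t announces it as a general mount point, and mnt_t is a type other domains are given access to (the user_macros.te hunk below carries r_dir_file($1_t, mnt_t)); if only rhgb mounts and uses this directory, a dedicated type would be tighter, and either way a comment in the .fc file explaining why a directory under /etc is a mount point would save the next reader a search.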
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.17/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.17/file_contexts/types.fc	2004-09-16 10:54:46.000000000 -0400
@@ -298,6 +298,7 @@
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 
 #
 # /sbin
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.17/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-10 10:17:50.000000000 -0400
+++ policy-1.17.17/macros/base_user_macros.te	2004-09-16 10:54:46.000000000 -0400
@@ -64,6 +64,7 @@
 ')dnl end if nfs_home_dirs
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
+create_dir_file($1_t, removable_t)
 # Write floppies 
 allow $1_t removable_device_t:blk_file rw_file_perms;
 allow $1_t usbtty_device_t:chr_file write;
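Review bot: create_dir_file($1_t, removable_t) sits inside the if (user_rw_noexattrfile) block, so users get write access to removable media only when a boolean named for filesystems without extended attributes is on; removable_t is applied through fscontext= (per the message) whether or not the medium supports xattrs, so the gate is named for a different property than the one it controls. Either add a comment saying the boolean is being reused for removable media or introduce a separate one.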
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.17/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-16 09:48:16.000000000 -0400
+++ policy-1.17.17/macros/program/mozilla_macros.te	2004-09-16 10:54:46.000000000 -0400
@@ -111,6 +111,8 @@
 ')
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+dontaudit $1_mozilla_t bin_t:dir { getattr };
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.17/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-09-14 09:18:11.000000000 -0400
+++ policy-1.17.17/macros/user_macros.te	2004-09-16 13:38:06.207431159 -0400
@@ -230,6 +230,12 @@
 mount_domain($1, $1_mount, `, fs_domain')
 role $1_r types $1_mount_t;
 r_dir_file($1_t, mnt_t)
+allow $1_mount_t removable_device_t:blk_file { read };
+allow $1_mount_t iso9660_t:filesystem { relabelfrom };
+allow $1_mount_t removable_t:filesystem { mount relabelto };
+allow $1_mount_t removable_t:dir { mounton };
+allow $1_mount_t xdm_t:fd { use };
+allow $1_mount_t xdm_t:fifo_file { write };
 ')
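Review bot: allow $1_mount_t xdm_t:fd { use } and xdm_t:fifo_file { write } mean the user's mount domain is being entered with descriptors inherited from the display manager, which points at the desktop automounter invoking mount from xdm_t; that caller is what should be fixed or transitioned, and these two rules need a comment naming it so they are not copied elsewhere. iso9660_t:filesystem { relabelfrom } with removable_t:filesystem { mount relabelto } is the right pair for a fscontext= mount of a CD, and removable_device_t:blk_file { read } is what mount needs to probe the filesystem type.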
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.17/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.17/tunables/distro.tun	2004-09-16 10:54:46.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
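Review bot: enabling define(`distro_redhat') is a local build setting, not a policy change; the upstream file keeps it commented out with dnl so that each distribution turns it on in its own build. Drop this hunk from the patch (the tunable.tun hunk that follows has the same problem).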
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.17/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-15 09:15:39.000000000 -0400
+++ policy-1.17.17/tunables/tunable.tun	2004-09-16 10:54:46.000000000 -0400
@@ -1,51 +1,51 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
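Review bot: this hunk flips eleven tunables on, among them unlimitedRPM, unlimitedUtils and unlimitedRC (rpm, hotplug/insmod and every rc-started daemon without its own domain run unconfined), nfs_export_all_rw (read/write on any NFS filesystem), user_canbe_sysadm and hide_broken_symptoms. None of them is mentioned in the message, and together they materially weaken the reference policy's defaults; this looks like the submitter's local tunable.tun included by accident. Drop the hunk, or split it into its own patch with a justification for each define.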
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.17/types/file.te
--- nsapolicy/types/file.te	2004-09-14 09:18:14.000000000 -0400
+++ policy-1.17.17/types/file.te	2004-09-16 10:54:46.000000000 -0400
@@ -264,6 +264,7 @@
 
 # Allow the pty to be associated with the file system.
 allow devpts_t devpts_t:filesystem associate;
+allow ttyfile tmpfs_t:filesystem { associate };
 
 type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
@@ -298,3 +299,6 @@
 type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
 allow cifs_t cifs_t:filesystem associate;
 typealias cifs_t alias sambafs_t;
+
+# removable_t is the default type of all removable media
+type removable_t, file_type, sysadmfile, usercanread;
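Review bot: type removable_t, file_type, sysadmfile, usercanread; declares the type but, unlike cifs_t two lines above and tmpfs_t in the previous hunk, gives it no "allow removable_t removable_t:filesystem associate" rule; with fscontext=system_u:object_r:removable_t the filesystem itself is removable_t and every file on it is removable_t, so creating files on the medium (which the base_user_macros.te hunk grants) will fail the associate check unless a broader rule elsewhere covers it. Also note that usercanread lets every user domain read any mounted removable medium, not only the user who mounted it; the comment should say that is intended.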


* Re: Policy patches
  2004-09-16 21:23   ` Policy patches Daniel J Walsh
@ 2004-09-17 12:07     ` Russell Coker
  2004-09-20 20:03       ` James Carter
  2004-09-17 20:56     ` James Carter
  1 sibling, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-09-17 12:07 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SE Linux

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]

+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir { search };

Why is fstab-sync trying to access home directories?

+allow ttyfile tmpfs_t:filesystem { associate };

Better to just use the dev_fs attribute.  I have attached a patch to do this 
as well as clean up a few other minor issues with the macros directory.

The patch is against the latest CVS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 5620 bytes --]

diff -ru /usr/src/se/policy/macros/admin_macros.te macros/admin_macros.te
--- /usr/src/se/policy/macros/admin_macros.te	2004-09-09 04:23:06.000000000 +1000
+++ macros/admin_macros.te	2004-09-17 22:01:42.000000000 +1000
@@ -24,7 +24,7 @@
 tmp_domain($1)
 
 # Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, dev_fs;
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
diff -ru /usr/src/se/policy/macros/core_macros.te macros/core_macros.te
--- /usr/src/se/policy/macros/core_macros.te	2004-09-02 23:18:55.000000000 +1000
+++ macros/core_macros.te	2004-09-11 19:48:58.000000000 +1000
@@ -549,9 +549,6 @@
 # Access the pty master multiplexer.
 allow $1_t ptmx_t:chr_file rw_file_perms;
 
-ifdef(`devfsd.te', `
-allow $1_t device_t:filesystem getattr;
-')
 allow $1_t devpts_t:filesystem getattr;
 
 # allow searching /dev/pts
diff -ru /usr/src/se/policy/macros/program/gpg_agent_macros.te macros/program/gpg_agent_macros.te
--- /usr/src/se/policy/macros/program/gpg_agent_macros.te	2004-07-08 06:46:41.000000000 +1000
+++ macros/program/gpg_agent_macros.te	2004-09-12 14:47:09.000000000 +1000
@@ -94,9 +94,6 @@
 # read kde font cache
 allow $1_gpg_pinentry_t usr_t:file { getattr read };
 
-# pinentry-qt needs this (executes a KDE style library)
-allow $1_gpg_pinentry_t lib_t:file { execute };
-
 allow $1_gpg_pinentry_t { proc_t self }:dir { search };
 allow $1_gpg_pinentry_t { proc_t self }:lnk_file { read };
 # read /proc/meminfo
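Review bot: the removed allow $1_gpg_pinentry_t lib_t:file { execute } carried a comment explaining a concrete need (pinentry-qt executing a KDE style library), and the message only says the patch cleans up minor issues; say what changed. If the style library is now labelled shlib_t and covered by the normal shared-library rules, the removal is right and the message should say so; if not, pinentry-qt will start failing with an execute denial on lib_t.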
diff -ru /usr/src/se/policy/macros/program/mozilla_macros.te macros/program/mozilla_macros.te
--- /usr/src/se/policy/macros/program/mozilla_macros.te	2004-09-16 18:07:08.000000000 +1000
+++ macros/program/mozilla_macros.te	2004-09-16 21:47:34.000000000 +1000
@@ -71,8 +71,6 @@
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
 ')
 
-dontaudit $1_mozilla_t tmp_t:lnk_file read;
-
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
@@ -100,7 +99,7 @@
 file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_rw_t)
 allow $1_mozilla_t $1_home_t:dir setattr;
 allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
-} 
+} dnl end if writehome
 
 allow $1_mozilla_t $1_t:unix_stream_socket { connectto };
 allow $1_mozilla_t sysctl_net_t:dir { search };
diff -ru /usr/src/se/policy/macros/program/ssh_macros.te macros/program/ssh_macros.te
--- /usr/src/se/policy/macros/program/ssh_macros.te	2004-08-04 20:26:48.000000000 +1000
+++ macros/program/ssh_macros.te	2004-09-12 17:18:07.000000000 +1000
@@ -32,7 +32,7 @@
 allow $1_ssh_t autofs_t:dir { search getattr };
 ')
 ifdef(`nfs_home_dirs', `
-rw_dir_create_file($1_ssh_t, nfs_t)
+create_dir_file($1_ssh_t, nfs_t)
 ')dnl end if nfs_home_dirs
 
 # Transition from the user domain to the derived domain.
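Review bot: changing rw_dir_create_file($1_ssh_t, nfs_t) to create_dir_file($1_ssh_t, nfs_t) adds directory creation on top of the file create/write already granted, presumably so ssh can make ~/.ssh on first use; on an NFS home every object on the export is nfs_t, so this is a grant over the whole export rather than over the ssh directory. Add a comment with the reason, and consider a dontaudit instead if ssh works without the mkdir.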
diff -ru /usr/src/se/policy/macros/program/userhelper_macros.te macros/program/userhelper_macros.te
--- /usr/src/se/policy/macros/program/userhelper_macros.te	2004-09-11 16:21:48.000000000 +1000
+++ macros/program/userhelper_macros.te	2004-09-11 19:24:48.000000000 +1000
@@ -17,7 +17,7 @@
 ifdef(`single_userdomain', `
 typealias $1_t alias $1_userhelper_t;
 ', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
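Review bot: gating privuser on ifdef(`user_canbe_sysadm' is the right direction; the tunable's own description in tunable.tun says it controls whether user_r can reach sysadm_r via su, sudo or userhelper, so the userhelper domain should not carry privuser when it is off. Check that the su and sudo domains honour the same tunable, and add a trailing comment on the type line, since a conditional spliced into a type's attribute list is easy to misread.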
diff -ru /usr/src/se/policy/macros/program/xserver_macros.te macros/program/xserver_macros.te
--- /usr/src/se/policy/macros/program/xserver_macros.te	2004-09-16 18:07:09.000000000 +1000
+++ macros/program/xserver_macros.te	2004-09-14 01:22:44.000000000 +1000
@@ -132,7 +132,7 @@
 allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
 allow $1_xserver_t device_t:lnk_file { getattr read };
 allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t devtty_t:lnk_file read;
+allow $1_xserver_t zero_device_t:chr_file { read write execute };
 
 # Type for temporary files.
 tmp_domain($1_xserver)
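Review bot: the added allow $1_xserver_t zero_device_t:chr_file { read write execute } is unrelated to the removed devtty_t:lnk_file read, so the message should mention both. execute on /dev/zero is the permission for mapping it PROT_EXEC, which hands the X server writable and executable anonymous memory; if the server really does this, the rule should carry a comment naming which part needs it rather than sitting unexplained beside the framebuffer rule.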
@@ -199,14 +198,11 @@
 allow $1_xserver_t proc_t:dir r_dir_perms;
 
 # Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { setattr rw_dir_perms };
-allow $1_xserver_t dri_device_t:chr_file create_file_perms;
+allow $1_xserver_t device_t:dir create;
+file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
 
 allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
 
-# Do not flood audit logs due to device node creation attempts.
-dontaudit $1_xserver_t device_t:chr_file create;
-
 # Run helper programs in $1_xserver_t.
 allow $1_xserver_t { bin_t sbin_t }:dir search;
 allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
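Review bot: file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file) already grants the directory write permissions on device_t that the old rw_dir_perms line provided, so what the separate allow $1_xserver_t device_t:dir create; adds is mkdir of /dev/dri itself; a comment saying so would help, given that the third hunk of this file removes an identical-looking duplicate of that rule. Two things were dropped without mention: setattr on device_t:dir (a chmod of /dev/dri will now be denied) and the dontaudit of device_t:chr_file create, so a node created outside the transition will now log a denial. Both may be intended; say so in the message.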
@@ -248,8 +242,6 @@
 
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
-dontaudit $1_xserver_t selinux_config_t:dir { search };
-allow $1_xserver_t device_t:dir { create };
 
 # for fonts
 r_dir_file($1_xserver_t, fonts_t)
diff -ru /usr/src/se/policy/macros/user_macros.te macros/user_macros.te
--- /usr/src/se/policy/macros/user_macros.te	2004-09-15 16:31:23.000000000 +1000
+++ macros/user_macros.te	2004-09-17 22:01:51.000000000 +1000
@@ -32,7 +32,7 @@
 can_create_pty($1, `, userpty_type, user_tty_type')
 
 #Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs;
  
 base_user_domain($1)
 


* Re: Policy patches
  2004-09-16 21:23   ` Policy patches Daniel J Walsh
  2004-09-17 12:07     ` Russell Coker
@ 2004-09-17 20:56     ` James Carter
  2004-09-20 12:35       ` Daniel J Walsh
  1 sibling, 1 reply; 47+ messages in thread
From: James Carter @ 2004-09-17 20:56 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, SE Linux

On Thu, 2004-09-16 at 17:23, Daniel J Walsh wrote:
> New patches to allow hald to add lines to /etc/fstab with 
> fscontext=system_u:object_r:removable_t.
> 
> Dan

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.17/domains/program/unused/nscd.te
> --- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
> +++ policy-1.17.17/domains/program/unused/nscd.te	2004-09-16 15:02:07.387150095 -0400
> @@ -70,4 +70,8 @@
>  #
>  dontaudit nscd_t var_run_t:sock_file rw_file_perms;
>  
> +allow nscd_t self:file { getattr read };
> +allow nscd_t proc_t:file { getattr read };
> +allow nscd_t selinux_config_t:dir { search };
> +r_dir_file(nscd_t, default_context_t)
>  

Is this only for the targeted policy?  Maybe userspace_objectmgr.te
should be part of the targeted policy.  I think we would gain most of
these permissions in that case.

When does nscd access a default_context_t?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.17/domains/program/unused/portmap.te
> --- nsapolicy/domains/program/unused/portmap.te	2004-09-16 09:48:15.000000000 -0400
> +++ policy-1.17.17/domains/program/unused/portmap.te	2004-09-16 11:55:04.363237680 -0400
> @@ -54,3 +54,4 @@
>  
>  # do not log when it tries to bind to a port belonging to another domain
>  #dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
> +dontaudit portmap_t tty_device_t:chr_file { read write };
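Review bot: a dontaudit on tty_device_t read/write for a daemon normally means the domain inherited the console fd from the rc script that started it; hiding it is reasonable for the targeted policy, but the line belongs in the shared daemon macro rather than in portmap.te, otherwise every daemon showing the same symptom collects its own copy. Before silencing it, also confirm the rc script is not leaving the console open on purpose, since an inherited tty is the kind of fd leak this rule will make invisible.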

How about this, so it applies to more than just portmap?

diff -u -r1.58 global_macros.te
--- global_macros.te	15 Sep 2004 19:58:14 -0000	1.58
+++ global_macros.te	17 Sep 2004 20:43:47 -0000
@@ -294,6 +294,7 @@
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
 ifdef(`targeted_policy', `
+dontaudit $1_t tty_device_t:chr_file { read write };
 dontaudit $1_t devpts_t:chr_file { read write };
 dontaudit $1_t root_t:file { getattr read };
 ')dnl end if targeted_policy
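Review bot: the new line sits inside ifdef(`targeted_policy'), so it will not silence tty access in the strict policy, which is correct; the thing to watch is that the 1.17.19 patch later in this thread carries the same permission as `dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };`, so only one of the two forms should be merged or the macro ends up granting the same dontaudit twice.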

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.17/domains/program/unused/updfstab.te
> --- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
> +++ policy-1.17.17/domains/program/unused/updfstab.te	2004-09-16 13:36:58.170098295 -0400
> @@ -62,3 +62,10 @@
>  
>  r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>  can_getsecurity(updfstab_t)
> +
> +allow updfstab_t { sbin_t bin_t }:dir { search getattr };
> +dontaudit updfstab_t devtty_t:chr_file { read write };
> +allow updfstab_t self:fifo_file { getattr read write ioctl };
> +can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
> +dontaudit updfstab_t home_root_t:dir { getattr search };
> +dontaudit updfstab_t { home_dir_type home_type }:dir { search };
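Review bot: `can_exec(updfstab_t, { sbin_t bin_t ls_exec_t })` runs every program under /bin and /sbin inside updfstab_t, a domain that already rewrites etc_t (it edits /etc/fstab) and reads the policy context files; if the daemon only needs a couple of helpers, name their executable types, or give the helper scripts a transition into a separate domain, rather than making all of bin_t and sbin_t executable in place. The three dontaudit lines on devtty_t and the home directory types also hide accesses without explaining them; a comment naming the script that triggers each would let the next reader decide whether they are still needed.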

Why can_exec(ls_exec_t)?

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.17/macros/user_macros.te
> --- nsapolicy/macros/user_macros.te	2004-09-14 09:18:11.000000000 -0400
> +++ policy-1.17.17/macros/user_macros.te	2004-09-16 13:38:06.207431159 -0400
> @@ -230,6 +230,12 @@
>  mount_domain($1, $1_mount, `, fs_domain')
>  role $1_r types $1_mount_t;
>  r_dir_file($1_t, mnt_t)
> +allow $1_mount_t removable_device_t:blk_file { read };
> +allow $1_mount_t iso9660_t:filesystem { relabelfrom };
> +allow $1_mount_t removable_t:filesystem { mount relabelto };
> +allow $1_mount_t removable_t:dir { mounton };
> +allow $1_mount_t xdm_t:fd { use };
> +allow $1_mount_t xdm_t:fifo_file { write };
>  ')
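Review bot: relabelfrom on iso9660_t together with relabelto on removable_t is the pair a `mount -o fscontext=` needs, so that part is right; however removable_t is not declared in any hunk shown in this message, and the declaration that appears later in the thread (`type removable_t, file_type, sysadmfile, usercanread;` in types/file.te) has to land first or the build fails on an unknown type. The xdm_t fd and fifo_file lines need an ifdef(`xdm.te') guard for the same reason.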

Shouldn't these rules be in other macros as well?
Also, the xdm_t rules should be in a ifdef.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Policy patches
  2004-09-17 20:56     ` James Carter
@ 2004-09-20 12:35       ` Daniel J Walsh
  2004-09-21 20:55         ` Daniel J Walsh
  0 siblings, 1 reply; 47+ messages in thread
From: Daniel J Walsh @ 2004-09-20 12:35 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, SE Linux

James Carter wrote:

>On Thu, 2004-09-16 at 17:23, Daniel J Walsh wrote:
>  
>
>>New patches to allow hald to add lines to /etc/fstab with 
>>fscontext=system_u:object_r:removable_t.
>>
>>Dan
>>    
>>
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.17/domains/program/unused/nscd.te
>>--- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
>>+++ policy-1.17.17/domains/program/unused/nscd.te	2004-09-16 15:02:07.387150095 -0400
>>@@ -70,4 +70,8 @@
>> #
>> dontaudit nscd_t var_run_t:sock_file rw_file_perms;
>> 
>>+allow nscd_t self:file { getattr read };
>>+allow nscd_t proc_t:file { getattr read };
>>+allow nscd_t selinux_config_t:dir { search };
>>+r_dir_file(nscd_t, default_context_t)
>> 
>>    
>>
>
>Is this only for the targeted policy?  Maybe userspace_objectmgr.te
>  
>
I will look into it.  The problem is every time we add one it seems to 
have expanding consequences.

>should be part of the targeted policy.  I think we would gain most of
>these permissions in that case.
>
>When does nscd access a default_context_t?
>
>  
>
That probably was overzealous. Remove it.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.17/domains/program/unused/portmap.te
>>--- nsapolicy/domains/program/unused/portmap.te	2004-09-16 09:48:15.000000000 -0400
>>+++ policy-1.17.17/domains/program/unused/portmap.te	2004-09-16 11:55:04.363237680 -0400
>>@@ -54,3 +54,4 @@
>> 
>> # do not log when it tries to bind to a port belonging to another domain
>> #dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
>>+dontaudit portmap_t tty_device_t:chr_file { read write };
>>    
>>
>
>How about this, so it applies to more than just portmap?
>
>diff -u -r1.58 global_macros.te
>--- global_macros.te	15 Sep 2004 19:58:14 -0000	1.58
>+++ global_macros.te	17 Sep 2004 20:43:47 -0000
>@@ -294,6 +294,7 @@
> allow $1_t autofs_t:dir { search getattr };
> ')dnl end if automount.te
> ifdef(`targeted_policy', `
>+dontaudit $1_t tty_device_t:chr_file { read write };
> dontaudit $1_t devpts_t:chr_file { read write };
> dontaudit $1_t root_t:file { getattr read };
> ')dnl end if targeted_policy
>
>  
>
Looks good.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.17/domains/program/unused/updfstab.te
>>--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
>>+++ policy-1.17.17/domains/program/unused/updfstab.te	2004-09-16 13:36:58.170098295 -0400
>>@@ -62,3 +62,10 @@
>> 
>> r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
>> can_getsecurity(updfstab_t)
>>+
>>+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
>>+dontaudit updfstab_t devtty_t:chr_file { read write };
>>+allow updfstab_t self:fifo_file { getattr read write ioctl };
>>+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
>>+dontaudit updfstab_t home_root_t:dir { getattr search };
>>+dontaudit updfstab_t { home_dir_type home_type }:dir { search };
>>    
>>
>
>Why can_exec(ls_exec_t)?
>
>  
>
One of the scripts it execs execs ls.  Why does ls have its own domain?

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.17/macros/user_macros.te
>>--- nsapolicy/macros/user_macros.te	2004-09-14 09:18:11.000000000 -0400
>>+++ policy-1.17.17/macros/user_macros.te	2004-09-16 13:38:06.207431159 -0400
>>@@ -230,6 +230,12 @@
>> mount_domain($1, $1_mount, `, fs_domain')
>> role $1_r types $1_mount_t;
>> r_dir_file($1_t, mnt_t)
>>+allow $1_mount_t removable_device_t:blk_file { read };
>>+allow $1_mount_t iso9660_t:filesystem { relabelfrom };
>>+allow $1_mount_t removable_t:filesystem { mount relabelto };
>>+allow $1_mount_t removable_t:dir { mounton };
>>+allow $1_mount_t xdm_t:fd { use };
>>+allow $1_mount_t xdm_t:fifo_file { write };
>> ')
>>    
>>
>
>Shouldn't these rules be in other macros as well?
>Also, the xdm_t rules should be in a ifdef.
>
>  
>
Probably, just began experimenting with the new updatefstab patch that 
adds this, so we should be seeing lots of complaints.

Dan




* Re: Policy patches
  2004-09-17 12:07     ` Russell Coker
@ 2004-09-20 20:03       ` James Carter
  0 siblings, 0 replies; 47+ messages in thread
From: James Carter @ 2004-09-20 20:03 UTC (permalink / raw)
  To: Russell Coker; +Cc: Daniel J Walsh, SE Linux

Merged, except for the userhelper_macros.te chunk.

The attribute privuser is always needed by userhelper since the current code
always switches to "root".

diff -ru /usr/src/se/policy/macros/program/userhelper_macros.te macros/program/userhelper_macros.te
--- /usr/src/se/policy/macros/program/userhelper_macros.te      2004-09-11 16:21:48.000000000 +1000
+++ macros/program/userhelper_macros.te 2004-09-11 19:24:48.000000000 +1000
@@ -17,7 +17,7 @@
 ifdef(`single_userdomain', `
 typealias $1_t alias $1_userhelper_t;
 ', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
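Review bot: the ifdef conditions the privuser attribute, but userhelper switches to root unconditionally, so dropping privuser outside user_canbe_sysadm breaks every consolehelper run for ordinary users, not only those that would reach sysadm_r; if the intent is to keep user_r out of sysadm_r, the line to gate is `role sysadm_r types $1_userhelper_t;`, which is what actually permits the role change, and the attribute list can be left alone.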

On Fri, 2004-09-17 at 08:07, Russell Coker wrote:
> +dontaudit updfstab_t home_root_t:dir { getattr search };
> +dontaudit updfstab_t { home_dir_type home_type }:dir { search };
> 
> Why is fstab-sync trying to access home directories?
> 
> +allow ttyfile tmpfs_t:filesystem { associate };
> 
> Better to just use the dev_fs attribute.  I have attached a patch to do this 
> as well as clean up a few other minor issues with the macros directory.
> 
> The patch is against the latest CVS.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Policy patches
  2004-09-20 12:35       ` Daniel J Walsh
@ 2004-09-21 20:55         ` Daniel J Walsh
  2004-09-22 20:21           ` James Carter
  0 siblings, 1 reply; 47+ messages in thread
From: Daniel J Walsh @ 2004-09-21 20:55 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 57 bytes --]

Policy patches off of latest policy.

nscd fixes mainly.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 14898 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/removable_context policy-1.17.19/appconfig/removable_context
--- nsapolicy/appconfig/removable_context	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.19/appconfig/removable_context	2004-09-21 13:05:04.223318911 -0400
@@ -0,0 +1 @@
+system_u:object_r:removable_t
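Review bot: this one-line file has to be installed where updfstab and hald will look for it and, more importantly, labelled with a type they may read; updfstab_t currently gets r_dir_file on { selinux_config_t file_context_t default_context_t }, so if the install step drops removable_context under the contexts directory with some other label the daemon will be denied and silently fall back. Confirm the install rule and the file_contexts entry that covers this path, neither of which is in the patch.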
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.19/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.19/domains/program/unused/consoletype.te	2004-09-21 13:05:04.224318800 -0400
@@ -52,5 +52,5 @@
 allow consoletype_t pam_var_run_t:file { getattr read };
 ')
 ifdef(`distro_redhat', `
-dontaudit consoletype_t tmpfs_t:chr_file { read write };
+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
 ')
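Review bot: this turns a dontaudit into a full allow on tmpfs_t:chr_file, which on a distro_redhat system with a tmpfs /dev is every character device that has not yet been relabelled; consoletype only needs to classify the terminal on its inherited fd, so try `getattr ioctl` first and add read/write only if the program demonstrably needs them, and put a comment on the line naming the tmpfs device it is for.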
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.19/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.19/domains/program/unused/cups.te	2004-09-21 13:05:04.224318800 -0400
@@ -30,6 +30,7 @@
 allow cupsd_t printer_device_t:chr_file rw_file_perms;
 allow cupsd_t urandom_device_t:chr_file { getattr read };
 dontaudit cupsd_t random_device_t:chr_file ioctl;
+dontaudit cupsd_t device_t:lnk_file { read }; 
 
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
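Review bot: if cupsd ever opens a printer through a symlink in /dev, the dontaudit on device_t:lnk_file hides the reason the job fails; a real backend path should get an allow on lnk_file read, and a spurious one a comment saying where it comes from. Also strip the trailing whitespace after `};` on the added line.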
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.19/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-16 16:57:34.000000000 -0400
+++ policy-1.17.19/domains/program/unused/hald.te	2004-09-21 13:05:04.225318690 -0400
@@ -51,8 +51,14 @@
 allow hald_t udev_tbl_t:file { getattr read };
 ')
 
+ifdef(`udev.te', `
+r_dir_file(hald_t, hotplug_etc_t)
+')
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
+dontaudit hald_t selinux_config_t:dir { search };
+dontaudit hald_t userdomain:fd { use };
+
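Review bot: the new block is guarded by ifdef(`udev.te') but the type it grants, hotplug_etc_t, is declared by the hotplug policy, not by udev.te; a build with udev enabled and hotplug disabled fails on an undeclared type, so guard on ifdef(`hotplug.te') instead. The `dontaudit hald_t userdomain:fd { use }` is acceptable as a symptom hider, and the trailing empty `+` line should be dropped.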
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.17.19/domains/program/unused/mozilla.te
--- nsapolicy/domains/program/unused/mozilla.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.19/domains/program/unused/mozilla.te	2004-09-21 13:05:04.225318690 -0400
@@ -6,6 +6,7 @@
 
 # Type for the netscape, mozilla or other browser executables.
 type mozilla_exec_t, file_type, sysadmfile, exec_type;
+type mozilla_conf_t, file_type, sysadmfile;
 
 # Allow mozilla to read files in the user home directory
 bool mozilla_readhome false;
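Review bot: carving mozilla_conf_t out of etc_t means /etc/mozpluggerrc stops being readable by every domain that can read etc_t; that is the point, but mozplugger launches external helpers based on that file, so check that any process other than $1_mozilla_t which parses it (helpers that end up in the user domain, for instance) still gets read access on the new type, or plugin launches will start failing on a denial that did not exist before.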
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.19/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.19/domains/program/unused/named.te	2004-09-21 13:48:16.136487414 -0400
@@ -31,7 +31,7 @@
 can_exec(named_t, named_exec_t)
 allow named_t sbin_t:dir search;
 
-allow named_t self:process setsched;
+allow named_t self:process { setsched setcap setrlimit };
 
 # A type for configuration files of named.
 type named_conf_t, file_type, sysadmfile;
@@ -96,8 +96,6 @@
 allow named_t self:fifo_file rw_file_perms;
 
 # Set own capabilities.
-allow named_t self:process setcap;
-
 #A type for /usr/sbin/ndc
 type ndc_exec_t, file_type,sysadmfile, exec_type;
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
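Review bot: removing `allow named_t self:process setcap;` leaves the `# Set own capabilities.` comment stranded directly above `#A type for /usr/sbin/ndc`; delete the comment along with the rule, since the permission now lives in the combined `{ setsched setcap setrlimit }` line higher up, and keep that combined line next to the other self:process rules so the file reads in one place.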
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.19/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-09-16 09:48:15.000000000 -0400
+++ policy-1.17.19/domains/program/unused/nscd.te	2004-09-21 16:47:07.510447194 -0400
@@ -55,7 +55,7 @@
 
 allow nscd_t sysctl_kernel_t:dir search;
 allow nscd_t sysctl_kernel_t:file read;
-allow nscd_t self:process setsched;
+allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
 allow nscd_t self:capability { kill setgid setuid };
@@ -70,4 +70,6 @@
 #
 dontaudit nscd_t var_run_t:sock_file rw_file_perms;
 
-
+r_dir_file(nscd_t, selinux_config_t)
+can_getsecurity(nscd_t)
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
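Review bot: readable selinux_config_t, can_getsecurity and a netlink_selinux_socket (the socket on which libselinux learns of policy reloads and enforcing-mode changes) are exactly the bundle a userspace object manager needs, which argues for the shared userspace_objectmgr.te James suggested earlier rather than another hand-copied set in a daemon file; the `getattr` on self:process is harmless, and the default_context_t grant from the 1.17.17 version of this hunk is correctly gone.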
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.19/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-09-09 15:36:13.000000000 -0400
+++ policy-1.17.19/domains/program/unused/rhgb.te	2004-09-21 13:05:04.227318468 -0400
@@ -34,7 +34,7 @@
 allow insmod_t rhgb_t:fd use;
 
 allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t root_t:dir { mounton };
+allow rhgb_t mnt_t:dir { mounton };
 allow rhgb_t rhgb_t:capability { sys_admin };
 dontaudit rhgb_t var_run_t:dir { search };
 
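Review bot: retargeting the mounton from root_t to mnt_t works together with the rhgb.fc change that labels /etc/rhgb as mnt_t, but mnt_t is the generic mount-point type user mount domains already operate on (`r_dir_file($1_t, mnt_t)` in user_macros.te), so the rhgb ramfs now shares a label with /mnt; a dedicated rhgb mount-point type would keep the two apart. The fc entry uses `-d`, so only the directory itself is relabelled, which is what is wanted here.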
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.19/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-10 10:17:49.000000000 -0400
+++ policy-1.17.19/domains/program/unused/updfstab.te	2004-09-21 13:05:04.228318357 -0400
@@ -62,3 +62,10 @@
 
 r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
 can_getsecurity(updfstab_t)
+
+allow updfstab_t { sbin_t bin_t }:dir { search getattr };
+dontaudit updfstab_t devtty_t:chr_file { read write };
+allow updfstab_t self:fifo_file { getattr read write ioctl };
+can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
+dontaudit updfstab_t home_root_t:dir { getattr search };
+dontaudit updfstab_t { home_dir_type home_type }:dir { search };
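Review bot: this is the same chunk James and Russell queried earlier in the thread; neither the `ls_exec_t` entry in the can_exec set nor the home directory dontaudits have changed, so the questions stand. At minimum add a comment naming the script that runs ls, and if fstab-sync has no business in home directories the dontaudit on home_dir_type/home_type hides a bug rather than noise.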
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.19/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.19/file_contexts/program/mozilla.fc	2004-09-21 13:05:04.228318357 -0400
@@ -17,3 +17,4 @@
 /usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
+/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
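Review bot: every other entry in this file carries a `--` file-type flag; add it to the /etc/mozpluggerrc line so the pattern matches only a regular file, consistent with the rest of mozilla.fc.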
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.17.19/file_contexts/program/rhgb.fc
--- nsapolicy/file_contexts/program/rhgb.fc	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.19/file_contexts/program/rhgb.fc	2004-09-21 13:05:04.229318246 -0400
@@ -1,2 +1,3 @@
 /usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
 #/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
+/etc/rhgb		-d	system_u:object_r:mnt_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.19/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-09-21 12:51:05.000000000 -0400
+++ policy-1.17.19/file_contexts/types.fc	2004-09-21 13:05:04.230318136 -0400
@@ -302,6 +302,7 @@
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 
 #
 # /sbin
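Review bot: this is the second /lib/tls subdirectory spelled out by hand (i686/cmov, now i486); a pattern such as `/lib(64)?/tls(/[^/]*)*/[^/]*\.so(\.[^/]*)*` would cover both existing entries and future CPU-specific directories in one line, which is less likely to fall out of date than adding a line per glibc build variant.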
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.19/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-10 10:17:50.000000000 -0400
+++ policy-1.17.19/macros/base_user_macros.te	2004-09-21 13:05:04.230318136 -0400
@@ -64,6 +64,7 @@
 ')dnl end if nfs_home_dirs
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
+create_dir_file($1_t, removable_t)
 # Write floppies 
 allow $1_t removable_device_t:blk_file rw_file_perms;
 allow $1_t usbtty_device_t:chr_file write;
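Review bot: `create_dir_file($1_t, removable_t)` is placed under `if (user_rw_noexattrfile)`, a boolean whose name promises write access to file systems without extended attributes; removable_t is now a distinct type, so either add it to the noexattrfile attribute (so the existing rule covers it and the boolean name stays honest) or give it its own boolean, rather than silently widening what user_rw_noexattrfile means.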
@@ -72,6 +73,10 @@
 allow $1_t removable_device_t:blk_file r_file_perms;
 }
 allow $1_t usbtty_device_t:chr_file read;
+
+# GNOME checks for usb and other devices
+r_dir_file($1_t,usbfs_t)
+
 can_exec($1_t, noexattrfile)
 # Bind to a Unix domain socket in /tmp.
 allow $1_t $1_tmp_t:unix_stream_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.17.19/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.19/macros/core_macros.te	2004-09-21 16:44:32.697773308 -0400
@@ -271,7 +271,7 @@
 define(`can_getsecurity',`
 # Get the selinuxfs mount point via /proc/self/mounts.
 allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
+allow $1 proc_t:{ file lnk_file } { getattr read };
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 # Access selinuxfs.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.19/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-09-16 09:48:16.000000000 -0400
+++ policy-1.17.19/macros/global_macros.te	2004-09-21 16:37:55.572191411 -0400
@@ -294,7 +294,7 @@
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
 ifdef(`targeted_policy', `
-dontaudit $1_t devpts_t:chr_file { read write };
+dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
 dontaudit $1_t root_t:file { getattr read };
 ')dnl end if targeted_policy
  
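Review bot: this folds tty_device_t into the existing devpts_t dontaudit, so it supersedes James's separate `dontaudit $1_t tty_device_t:chr_file { read write };` earlier in the thread; whoever merges should take one form, not both.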
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.19/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.19/macros/program/mozilla_macros.te	2004-09-21 13:05:04.231318025 -0400
@@ -71,6 +71,8 @@
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
 ')
 
+dontaudit $1_mozilla_t tmp_t:lnk_file read;
+
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
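Review bot: a tmp_t:lnk_file that mozilla trips over means something created a symlink in /tmp without the user tmp type transition applying; the dontaudit hides that labelling bug rather than fixing it, and Russell's follow-up removes the line on exactly that ground. Find the creator of the symlink and fix its file type transition instead.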
@@ -109,6 +111,8 @@
 ')
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+dontaudit $1_mozilla_t bin_t:dir { getattr };
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 
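Review bot: `dontaudit $1_mozilla_t bin_t:dir { getattr }` silences a stat() of /usr/bin, which leaks nothing; an allow is the better choice here, since a dontaudit leaves the call failing and sends the next person debugging a plugin-lookup problem after a denial that is not logged.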
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.19/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-09-21 12:51:06.000000000 -0400
+++ policy-1.17.19/macros/user_macros.te	2004-09-21 13:05:04.232317914 -0400
@@ -181,9 +181,6 @@
 allow $1_t man_t:dir r_dir_perms;
 allow $1_t man_t:notdevfile_class_set r_file_perms;
 
-# GNOME checks for usb and other devices
-r_dir_file($1_t,usbfs_t)
-
 # Allow users to rw usb devices
 if (user_rw_usb) {
 rw_dir_create_file($1_t,usbdevfs_t)
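Review bot: moving `r_dir_file($1_t, usbfs_t)` from user_macros.te to base_user_macros.te widens it from the full user domains to every caller of base_user_domain(), not only full_user_role(); if that is intended, say so in the comment, since the GNOME rationale only applies to desktop logins.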
@@ -230,6 +227,12 @@
 mount_domain($1, $1_mount, `, fs_domain')
 role $1_r types $1_mount_t;
 r_dir_file($1_t, mnt_t)
+allow $1_mount_t removable_device_t:blk_file { read };
+allow $1_mount_t iso9660_t:filesystem { relabelfrom };
+allow $1_mount_t removable_t:filesystem { mount relabelto };
+allow $1_mount_t removable_t:dir { mounton };
+allow $1_mount_t xdm_t:fd { use };
+allow $1_mount_t xdm_t:fifo_file { write };
 ')
 
 #
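Review bot: the `allow $1_mount_t xdm_t:fd { use }` and `xdm_t:fifo_file { write }` lines are still unconditional although the earlier reply asked for an ifdef(`xdm.te') guard; without it a policy built without xdm.te fails on an undeclared type. Wrap the two lines and leave the removable_t mount rules outside the guard.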
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.19/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-09-09 15:36:11.000000000 -0400
+++ policy-1.17.19/tunables/distro.tun	2004-09-21 13:05:04.232317914 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
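Review bot: defining distro_redhat by default in the upstream tunables changes the build for every distribution that does not override the file (Russell's Debian tree, for one); distro switches should stay off in the NSA tree and be defined in the packager's copy or via the Makefile, so the upstream default remains distribution-neutral.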
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.19/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-15 09:15:39.000000000 -0400
+++ policy-1.17.19/tunables/tunable.tun	2004-09-21 13:05:04.233317803 -0400
@@ -1,51 +1,51 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
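Review bot: this flips eleven tunables on at once, and several are the ones that matter most for assurance: unlimitedRPM, unlimitedUtils and unlimitedRC each remove confinement from a privileged component, nfs_export_all_rw gives read/write on every NFS file system, and user_canbe_sysadm lets user_r reach sysadm_r. These read as a distribution's shipped defaults rather than upstream ones; keep them in the Fedora package and leave the reference tree conservative, or at least split the security-relevant flips from conveniences like use_games so they can be reviewed separately.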
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.19/types/file.te
--- nsapolicy/types/file.te	2004-09-14 09:18:14.000000000 -0400
+++ policy-1.17.19/types/file.te	2004-09-21 13:06:27.444094270 -0400
@@ -259,7 +259,7 @@
 #
 allow { file_type device_type } fs_t:filesystem associate;
 ifdef(`distro_redhat', `
-allow dev_fs tmpfs_t:filesystem associate;
+allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
 ')
 
 # Allow the pty to be associated with the file system.
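Review bot: adding ttyfile here duplicates what the dev_fs attribute already provides once the tty types carry it (Russell's user_macros change gives $1_tty_device_t dev_fs for exactly this reason), and it is broader, since ttyfile covers every tty type whether or not it lives in /dev; pick the attribute approach and drop ttyfile from this associate rule.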
@@ -298,3 +298,6 @@
 type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
 allow cifs_t cifs_t:filesystem associate;
 typealias cifs_t alias sambafs_t;
+
+# removable_t is the default type of all removable media
+type removable_t, file_type, sysadmfile, usercanread;
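Review bot: usercanread makes removable_t readable by all user domains unconditionally, while write access is conditional on user_rw_noexattrfile in base_user_macros.te; that asymmetry may be intended, but state it in the comment, since a reader seeing only this declaration will assume the same boolean governs both directions.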
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.17.19/types/nfs.te
--- nsapolicy/types/nfs.te	2004-09-09 15:36:12.000000000 -0400
+++ policy-1.17.19/types/nfs.te	2004-09-21 13:05:04.234317692 -0400
@@ -18,4 +18,5 @@
 #
 # Allow NFS files to be associated with an NFS file system.
 #
-allow nfs_t nfs_t:filesystem associate;
+allow nfs_t self:filesystem associate;
+allow file_type nfs_t:filesystem associate;
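Review bot: `allow file_type nfs_t:filesystem associate;` lets an NFS mount with a context option carry any file type at all, including system types that normally never live on NFS; this is presumably what nfs_home_dirs needs so that home directory types can appear on NFS, but a blanket grant is wider than that use. Restrict it to the home directory types (home_dir_type / home_type), or at least comment the reason, so a later reader does not widen or narrow it by accident.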

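Two of the review points that come up against this patch, an allow landing beside a dontaudit for the same permission (the consoletype.te hunk) and the same dontaudit arriving twice in different forms (the tty_device_t line in global_macros.te versus James's one-liner), are mechanical enough to check before posting. The following Python is an added example, not code from this thread or from the SELinux policy tree; it assumes a simplified rule grammar (plain allow/dontaudit statements with { } sets, no m4 macros or conditionals), and the rule text it runs on is constructed here from lines that appear in the thread.

```python
"""Flag allow/dontaudit overlap and duplicated rules in SELinux TE source.

Added example, not code from the thread. It understands only plain
`allow` and `dontaudit` statements with optional { } sets and ignores
m4 macros, ifdef blocks and `if (bool)` blocks, so a pair that is split
across a conditional is a legitimate pattern it cannot see.
"""
import re
from collections import defaultdict

# Constructed sample built from rule lines that appear in the thread:
# consoletype.te before and after the patch, the tty_device_t dontaudit
# from James's one-line patch beside Dan's merged form, and an nscd
# self:process rule repeated in a narrower and a wider form.
SAMPLE_RULES = """
dontaudit consoletype_t tmpfs_t:chr_file { read write };
allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
dontaudit portmap_t tty_device_t:chr_file { read write };
dontaudit portmap_t { tty_device_t devpts_t }:chr_file { read write };
allow nscd_t self:process { getattr setsched };
allow nscd_t self:process setsched;
"""

# A field is either a single identifier or a brace-delimited set.
SET_OR_WORD = r"\{[^}]*\}|[^\s{}:;]+"
RULE_RE = re.compile(
    rf"^\s*(allow|dontaudit)\s+({SET_OR_WORD})\s+({SET_OR_WORD})"
    rf"\s*:\s*({SET_OR_WORD})\s+({SET_OR_WORD})\s*;"
)


def expand(field):
    """Turn `{ a b }` into ['a', 'b'] and a bare word into [word]."""
    if field.startswith("{"):
        return field.strip("{} ").split()
    return [field]


def parse_rules(text):
    """Return (kind, source, target, class, perm) tuples, one per expanded perm.

    `self` is kept literally; in real policy it stands for the source type.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, macro calls and anything not a plain AV rule
        kind, src, tgt, cls, perms = m.groups()
        for s in expand(src):
            for t in expand(tgt):
                for c in expand(cls):
                    for p in expand(perms):
                        rules.append((kind, s, t, c, p))
    return rules


def find_shadowed_dontaudits(text):
    """(source, target, class, perm) keys carried by both an allow and a dontaudit.

    An allowed access never produces a denial, so the dontaudit half of such
    a pair is dead and usually marks a rule that was widened without the old
    suppression being removed.
    """
    kinds_by_key = defaultdict(set)
    for kind, s, t, c, p in parse_rules(text):
        kinds_by_key[(s, t, c, p)].add(kind)
    return sorted(k for k, kinds in kinds_by_key.items()
                  if kinds == {"allow", "dontaudit"})


def find_duplicates(text):
    """(kind, source, target, class, perm) tuples granted more than once."""
    count = defaultdict(int)
    for rule in parse_rules(text):
        count[rule] += 1
    return sorted(rule for rule, n in count.items() if n > 1)


if __name__ == "__main__":
    for key in find_shadowed_dontaudits(SAMPLE_RULES):
        print("dontaudit shadowed by allow:", key)
    for rule in find_duplicates(SAMPLE_RULES):
        print("rule granted twice:", rule)
```

Run it over the .te files of a patched tree (concatenate them, or call the two functions per file) before sending a patch; a pair that is split across ifdef(`targeted_policy') or an `if (bool)` block is legitimate and is reported only because the checker ignores conditionals, so read each hit against the source rather than deleting on sight.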

* Re: Policy patches
  2004-09-21 20:55         ` Daniel J Walsh
@ 2004-09-22 20:21           ` James Carter
  0 siblings, 0 replies; 47+ messages in thread
From: James Carter @ 2004-09-22 20:21 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Merged.

On Tue, 2004-09-21 at 16:55, Daniel J Walsh wrote:
> Policy patches off of latest policy.
> 
> nscd fixes mainly.
> 
> ______________________________________________________________________

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* policy patches
@ 2004-09-29 13:54 Russell Coker
  2004-09-29 17:45 ` Thomas Bleher
  0 siblings, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-09-29 13:54 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 1923 bytes --]

I can't reproduce syslogd_t getting access to a kernel_t fd, so I removed the 
rules relating to that (I think it was a kernel bug that has since been 
fixed).

kudzu needs to execute /sbin/init to enable/disable serial console.

nash needs to read /dev/mapper/control (temporary thing, hopefully udev will 
take care of this soon).

Removed a redundant rule from postfix.te and some redundant rules from 
quota.te .

Added some extra rules to rpm.te for the most strict configuration and added 
sysadmfile to rpmbuild_exec_t.

Allow udev to execute more types to prepare for removing can_exec_any.

Added a new fc entry for cups so that hal can detect a new printer and add it.

kmodule is part of kudzu.

More name change stuff netsaint -> nagios.

Added start_udev to udev.fc.

Fixed home directory labelling for uml.

Added quagga entries to zebra.fc.  Maybe we should rename the policy from 
zebra to quagga too.

Added some ifdef(`targeted_policy' conditionals where needed.

Removed a reference to tmp_t:lnk_file, there should never be a tmp_t:lnk_file 
in the strict policy (and targeted has no mozilla policy).

Updated ssh_agent_macros.te with the latest stuff from Thomas Bleher.  Also 
gave him full credit (I don't recall doing anything significant with that 
file).

Allow ssh client to execute bash.  ssh client can use the shell to launch 
scripts and this can be defined in ~/.ssh/config .

Removed a reference to user_home_dir_t from xserver_macros.te.  Any time a 
policy has a reference to user_t, user_home_dir_t, etc it's a bug.

Removed a line giving xdm access to the NVIDIA device node.  xdm has no 
business with that, it's for the X server.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 12605 bytes --]

diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2004-09-29 00:49:54.000000000 +1000
+++ ./domains/program/initrc.te	2004-09-26 02:48:05.000000000 +1000
@@ -219,7 +219,7 @@
 allow initrc_t var_lib_rpm_t:dir rw_dir_perms;
 allow initrc_t var_lib_rpm_t:file create_file_perms;
 ')
-')
+')dnl end distro_redhat
 
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
 
diff -ru /usr/src/se/policy/domains/program/syslogd.te ./domains/program/syslogd.te
--- /usr/src/se/policy/domains/program/syslogd.te	2004-09-11 16:21:44.000000000 +1000
+++ ./domains/program/syslogd.te	2004-09-10 14:37:28.000000000 +1000
@@ -95,6 +95,3 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
-
-dontaudit syslogd_t kernel_t:fd use;
-dontaudit syslogd_t kernel_t:file read;
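Review bot: removing the two kernel_t dontaudit lines is the right direction, since a kernel_t fd turning up in syslogd_t is an fd leak that should be visible rather than silenced; as the description attributes the original symptom to a since-fixed kernel bug rather than a policy change, confirm on the oldest kernel the policy still targets that the denial does not return.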
diff -ru /usr/src/se/policy/domains/program/unused/kudzu.te ./domains/program/unused/kudzu.te
--- /usr/src/se/policy/domains/program/unused/kudzu.te	2004-09-09 04:22:47.000000000 +1000
+++ ./domains/program/unused/kudzu.te	2004-09-21 17:22:19.000000000 +1000
@@ -50,7 +50,7 @@
 rw_dir_create_file(kudzu_t, etc_t)
 
 rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t })
+can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
 # Read /usr/lib/gconv/gconv-modules.*
 allow kudzu_t lib_t:file { read getattr };
 # Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
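Review bot: can_exec(kudzu_t, init_exec_t) runs /sbin/init in kudzu_t without a domain transition; that is fine for telinit-style use, which only asks the running init to re-read its configuration, but that path also needs write access to init's control fifo, and no such companion rule is in this hunk. Check that kudzu_t already has it before merging, otherwise the serial-console toggle fails quietly.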
diff -ru /usr/src/se/policy/domains/program/unused/lvm.te ./domains/program/unused/lvm.te
--- /usr/src/se/policy/domains/program/unused/lvm.te	2004-09-23 22:31:17.000000000 +1000
+++ ./domains/program/unused/lvm.te	2004-09-24 20:36:26.000000000 +1000
@@ -110,7 +110,7 @@
 allow lvm_t sbin_t:dir search;
 dontaudit lvm_t sbin_t:file getattr;
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
-allow initrc_t lvm_control_t:chr_file { getattr unlink };
+allow initrc_t lvm_control_t:chr_file { getattr read unlink };
 allow initrc_t device_t:chr_file create;
 dontaudit lvm_t var_run_t:dir getattr;
 
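Review bot: this hunk lives in lvm.te but grants rights to initrc_t, which is easy to lose track of; since the description calls the nash read of /dev/mapper/control a temporary measure until udev creates the node, put a comment on the line saying so (and why initrc_t rather than a nash domain is the subject) so it can be dropped when udev takes over.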
diff -ru /usr/src/se/policy/domains/program/unused/postfix.te ./domains/program/unused/postfix.te
--- /usr/src/se/policy/domains/program/unused/postfix.te	2004-09-23 22:31:17.000000000 +1000
+++ ./domains/program/unused/postfix.te	2004-09-23 23:18:20.000000000 +1000
@@ -100,7 +100,6 @@
 ')
 allow postfix_master_t sendmail_exec_t:file r_file_perms;
 allow postfix_master_t sbin_t:lnk_file { getattr read };
-domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
 ifdef(`pppd.te', `
 domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
 ')
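Review bot: dropping `domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)` is only safe if the transition from rc scripts is supplied elsewhere (by the daemon_domain macro, if postfix_master_t is declared with it); the hunk does not show that declaration, so verify that starting postfix from an rc script still enters postfix_master_t on a strict policy box after this change.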
diff -ru /usr/src/se/policy/domains/program/unused/quota.te ./domains/program/unused/quota.te
--- /usr/src/se/policy/domains/program/unused/quota.te	2004-09-23 22:31:17.000000000 +1000
+++ ./domains/program/unused/quota.te	2004-09-23 23:18:49.000000000 +1000
@@ -17,10 +17,6 @@
 role sysadm_r types quota_t;
 allow quota_t admin_tty_type:chr_file { read write };
 
-domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
-role sysadm_r types quota_t;
-allow quota_t admin_tty_type:chr_file { read write };
-
 type quota_flag_t, file_type, sysadmfile;
 type quota_db_t, file_type, sysadmfile;
 
diff -ru /usr/src/se/policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
--- /usr/src/se/policy/domains/program/unused/rpm.te	2004-09-21 14:39:14.000000000 +1000
+++ ./domains/program/unused/rpm.te	2004-09-29 01:05:44.000000000 +1000
@@ -16,9 +16,15 @@
 type rpm_exec_t, file_type, sysadmfile, exec_type;
 
 general_domain_access(rpm_t)
+can_ps(rpm_t, domain)
+allow rpm_t self:process setrlimit;
 system_crond_entry(rpm_exec_t, rpm_t)
 role sysadm_r types rpm_t;
 domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
+ifdef(`unlimitedUsers', `
+role staff_r types rpm_t;
+domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
+')
 
 type rpm_file_t, file_type, sysadmfile;
 
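Review bot: the ifdef(`unlimitedUsers', ...) block is dead code if the unlimitedUsers macro has been removed, as Thomas Bleher notes later in this thread, and even where the macro exists it lets staff_t enter rpm_t, a domain that writes sysadmfile-attributed types, which amounts to giving staff users administrator access; drop the block. can_ps(rpm_t, domain) also lets rpm inspect the process state of every domain on the system; a comment on which rpm operation needs it, and whether a narrower target than "domain" would do, is warranted. setrlimit on self is fine.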
@@ -239,7 +245,7 @@
 allow rpm_t rpc_pipefs_t:dir search;
 allow rpm_script_t init_t:dir search;
 
-type rpmbuild_exec_t, file_type, exec_type;
+type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
 type rpmbuild_t, domain;
 allow rpmbuild_t policy_config_t:dir { search };
 allow rpmbuild_t policy_src_t:dir { search };
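Review bot: adding sysadmfile to rpmbuild_exec_t brings it in line with the rpm_exec_t declaration in the previous hunk ("type rpm_exec_t, file_type, sysadmfile, exec_type;"), so admin domains can manage the rpmbuild binary like the other rpm executables; no concern.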
diff -ru /usr/src/se/policy/domains/program/unused/udev.te ./domains/program/unused/udev.te
--- /usr/src/se/policy/domains/program/unused/udev.te	2004-09-29 00:50:00.000000000 +1000
+++ ./domains/program/unused/udev.te	2004-09-11 17:14:58.000000000 +1000
@@ -42,6 +42,8 @@
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
 allow udev_t { sbin_t bin_t }:lnk_file read;
 allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
+can_exec(udev_t, udev_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 
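Review bot: can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t }) lets udev run any file labelled etc_t in its own domain, which is much wider than the helper scripts need: the udev.fc hunk in this same patch already labels /etc/dev\.d/.+ and /etc/udev/scripts/.+ as udev_helper_exec_t, so etc_t should be dropped from the set (or replaced by that type), keeping only bin_t, sbin_t and shell_exec_t for the rm/udev/shell invocations. Note also that the "+++" timestamp (2004-09-11) is older than the "---" one (2004-09-29); please confirm this hunk was generated from the current tree and is not re-adding rules that were deliberately changed upstream.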
diff -ru /usr/src/se/policy/file_contexts/program/cups.fc ./file_contexts/program/cups.fc
--- /usr/src/se/policy/file_contexts/program/cups.fc	2004-08-19 17:10:38.000000000 +1000
+++ ./file_contexts/program/cups.fc	2004-09-24 01:44:14.000000000 +1000
@@ -18,6 +18,7 @@
 /usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
 /usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
 /usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
+/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_exec_t
 /usr/sbin/printconf-backend --	system_u:object_r:cupsd_exec_t
 /var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
 /var/spool/cups(/.*)?		system_u:object_r:print_spool_t
diff -ru /usr/src/se/policy/file_contexts/program/kudzu.fc ./file_contexts/program/kudzu.fc
--- /usr/src/se/policy/file_contexts/program/kudzu.fc	2003-11-27 05:04:46.000000000 +1100
+++ ./file_contexts/program/kudzu.fc	2004-09-26 05:24:38.000000000 +1000
@@ -1,2 +1,3 @@
 # kudzu
 /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
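Review bot: labelling /sbin/kmodule as kudzu_exec_t makes it run in kudzu_t, and James Carter reports later in this thread that it then fails with "search" denied on a file_t-labelled usr directory and "getattr" denied on modules_object_t:dir. The kudzu.diff attached further down adds exactly those rules (getattr on modules_object_t:dir and a dontaudit for file_t:dir search), so this file_contexts line should be merged together with that policy change rather than on its own.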
diff -ru /usr/src/se/policy/file_contexts/program/nagios.fc ./file_contexts/program/nagios.fc
--- /usr/src/se/policy/file_contexts/program/nagios.fc	2004-06-17 03:38:16.000000000 +1000
+++ ./file_contexts/program/nagios.fc	2004-09-24 20:44:24.000000000 +1000
@@ -1,7 +1,10 @@
-# netsaint - network monitoring server
-/usr/sbin/netsaint		--	system_u:object_r:nagios_exec_t
-#/var/run/netsaint(/.*)?		system_u:object_r:nagios_var_run_t
-/etc/netsaint(/.*)?			system_u:object_r:nagios_etc_t
+# nagios - network monitoring server
 /var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
 /usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
 /usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
+# nagios
+/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
+/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
+/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
+/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
+/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
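Review bot: the netsaint entries are only half removed: /usr/sbin/netsaint and /etc/netsaint are dropped while the netsaint log, plugin and cgi-bin lines stay under the renamed "# nagios - network monitoring server" header, and a second "# nagios" header follows three lines later. Either keep the full netsaint compatibility set or remove all of it, and fold the two headers into one. As Thomas Bleher points out in his reply, Debian installs /usr/sbin/nagios and /usr/lib/cgi-bin/nagios, so those paths need entries too; the revised nagios.fc attached later in the thread handles this with an ifdef(`distro_debian', ...) block.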
diff -ru /usr/src/se/policy/file_contexts/program/udev.fc ./file_contexts/program/udev.fc
--- /usr/src/se/policy/file_contexts/program/udev.fc	2004-09-01 10:52:39.000000000 +1000
+++ ./file_contexts/program/udev.fc	2004-09-24 03:38:36.000000000 +1000
@@ -2,6 +2,7 @@
 /sbin/udevsend	--	system_u:object_r:udev_exec_t
 /sbin/udev	--	system_u:object_r:udev_exec_t
 /sbin/udevd	--	system_u:object_r:udev_exec_t
+/sbin/start_udev --	system_u:object_r:udev_exec_t
 /usr/bin/udevinfo --	system_u:object_r:udev_exec_t
 /etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
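Review bot: labelling /sbin/start_udev as udev_exec_t puts the whole start-up script, and everything it execs, into udev_t; James Carter's denials later in the thread (/bin/rm and /sbin/udev running as udev_t denied unlink and read/write on a tmpfs_t-labelled .udev.tdb) show this only works once /dev has been relabelled with "restorecon -R", which Russell says arrives in initscripts 7.85-1. Record that dependency in the commit message or a comment so the two changes are not merged separately.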
diff -ru /usr/src/se/policy/file_contexts/program/uml.fc ./file_contexts/program/uml.fc
--- /usr/src/se/policy/file_contexts/program/uml.fc	2004-03-04 07:53:52.000000000 +1100
+++ ./file_contexts/program/uml.fc	2004-09-24 20:43:58.000000000 +1000
@@ -1,4 +1,4 @@
 # User Mode Linux
 /usr/bin/uml_switch	--	system_u:object_r:uml_switch_exec_t
 /var/run/uml-utilities(/.*)?	system_u:object_r:uml_switch_var_run_t
-/home/[^/]+/.uml(/.*)?		system_u:object_r:user_uml_rw_t
+HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
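Review bot: good fix. The old pattern /home/[^/]+/.uml(/.*)? had an unescaped ".", so it matched any character before "uml" (a directory named xuml, for instance), and it hard-coded /home and the user role; the new HOME_DIR/\.uml(/.*)? with ROLE_uml_rw_t escapes the dot and lets the home-directory context generator substitute each user's real home path and role. Make sure the line lives in the file that generator templates from, since HOME_DIR and ROLE are not valid in a plain file_contexts file.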
diff -ru /usr/src/se/policy/file_contexts/program/zebra.fc ./file_contexts/program/zebra.fc
--- /usr/src/se/policy/file_contexts/program/zebra.fc	2004-08-19 17:10:45.000000000 +1000
+++ ./file_contexts/program/zebra.fc	2004-09-24 20:43:58.000000000 +1000
@@ -5,3 +5,9 @@
 /etc/zebra(/.*)?		system_u:object_r:zebra_conf_t
 /var/run/.zserv		-s	system_u:object_r:zebra_var_run_t
 /var/run/.zebra		-s	system_u:object_r:zebra_var_run_t
+# Quagga
+/usr/sbin/rip.*  	--	system_u:object_r:zebra_exec_t
+/usr/sbin/ospf.*  	--	system_u:object_r:zebra_exec_t
+/etc/quagga(/.*)?		system_u:object_r:zebra_conf_t
+/var/log/quagga(/.*)?		system_u:object_r:zebra_log_t
+/var/run/quagga(/.*)?		system_u:object_r:zebra_var_run_t
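Review bot: /usr/sbin/rip.* and /usr/sbin/ospf.* are broader than the Quagga daemons they are meant to cover: any future /usr/sbin/rip* or /usr/sbin/ospf* binary would be labelled zebra_exec_t and run in zebra_t. Listing the actual daemon names (ripd, ripngd, ospfd, ospf6d) is safer, and bgpd, which Quagga also ships, is not covered at all. The two lines also have a stray double space before the tab, where the rest of the file uses tabs only.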
diff -ru /usr/src/se/policy/macros/admin_macros.te ./macros/admin_macros.te
--- /usr/src/se/policy/macros/admin_macros.te	2004-09-24 06:31:34.000000000 +1000
+++ ./macros/admin_macros.te	2004-09-24 20:38:03.000000000 +1000
@@ -77,6 +77,10 @@
 allow $1_t sysadmfile:lnk_file create_lnk_perms;
 allow $1_t sysadmfile:dir create_dir_perms;
 
+# for lsof
+allow $1_t mtrr_device_t:file getattr;
+allow $1_t fs_type:dir getattr;
+
 # Set an exec context, e.g. for runcon.
 can_setexec($1_t)
 
diff -ru /usr/src/se/policy/macros/program/chkpwd_macros.te ./macros/program/chkpwd_macros.te
--- /usr/src/se/policy/macros/program/chkpwd_macros.te	2004-09-11 16:21:48.000000000 +1000
+++ ./macros/program/chkpwd_macros.te	2004-09-29 01:15:19.000000000 +1000
@@ -51,7 +51,9 @@
 allow $1_chkpwd_t etc_t:file { getattr read };
 allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
 allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
+ifdef(`targeted_policy', `
 allow $1_chkpwd_t tty_device_t:chr_file { read write };
+')
 read_locale($1_chkpwd_t)
 
 # Use capabilities.
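Review bot: wrapping the tty_device_t read/write in ifdef(`targeted_policy', ...) means strict policy no longer lets the $1_chkpwd_t helper touch the terminal. That is the tighter choice, since the helper receives the password on a pipe from PAM rather than reading the terminal, but a comment saying why targeted policy still needs the rule would stop someone re-adding it for strict the next time a denial shows up.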
diff -ru /usr/src/se/policy/macros/program/mozilla_macros.te ./macros/program/mozilla_macros.te
--- /usr/src/se/policy/macros/program/mozilla_macros.te	2004-09-29 00:50:10.000000000 +1000
+++ ./macros/program/mozilla_macros.te	2004-09-16 21:47:34.000000000 +1000
@@ -71,8 +71,6 @@
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
 ')
 
-dontaudit $1_mozilla_t tmp_t:lnk_file read;
-
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
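Review bot: removing "dontaudit $1_mozilla_t tmp_t:lnk_file read" grants nothing new, it only makes those denials visible in the audit log again; since the "+++" timestamp (2004-09-16) is older than the "---" one (2004-09-29), check that this is a deliberate removal and not the patch restoring the state from before the dontaudit was added upstream.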
diff -ru /usr/src/se/policy/macros/program/ssh_agent_macros.te ./macros/program/ssh_agent_macros.te
--- /usr/src/se/policy/macros/program/ssh_agent_macros.te	2004-09-21 14:39:17.000000000 +1000
+++ ./macros/program/ssh_agent_macros.te	2004-09-12 14:50:44.000000000 +1000
@@ -3,8 +3,7 @@
 #
 
 #
-# Authors:  Russell Coker <russell@coker.com.au>,
-#           Thomas Bleher <ThomasBleher@gmx.de>
+# Author:  Thomas Bleher <ThomasBleher@gmx.de>
 #
 
 # 
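Review bot: this hunk removes Russell Coker from the author list, and the "+++" side (2004-09-12) is older than the "---" side (2004-09-21), so it looks like a diff against a stale copy of the file rather than an intended change; drop the hunk.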
@@ -70,7 +69,10 @@
 can_unix_connect($1_t, $1_ssh_agent_t)
 
 # transition back to normal privs upon exec
-domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t ifdef(`nfs_home_dirs', `nfs_t')}, $1_t)
+domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
+ifdef(`nfs_home_dirs', `
+domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
+')
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
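Review bot: splitting the nfs_t transition into its own ifdef(`nfs_home_dirs', ...) block is semantically the same as the old nested ifdef inside the { ... } set but avoids m4 quoting inside a brace list, which is fragile; fine. The same caveat as the previous hunk applies to the timestamps, though: confirm this is not the reverse of an upstream change.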
diff -ru /usr/src/se/policy/macros/program/ssh_macros.te ./macros/program/ssh_macros.te
--- /usr/src/se/policy/macros/program/ssh_macros.te	2004-09-21 14:39:17.000000000 +1000
+++ ./macros/program/ssh_macros.te	2004-09-12 17:18:07.000000000 +1000
@@ -118,6 +118,7 @@
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:file { getattr read };
+can_exec($1_ssh_t, shell_exec_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
diff -ru /usr/src/se/policy/macros/program/xserver_macros.te ./macros/program/xserver_macros.te
--- /usr/src/se/policy/macros/program/xserver_macros.te	2004-09-21 14:39:17.000000000 +1000
+++ ./macros/program/xserver_macros.te	2004-09-24 01:49:01.000000000 +1000
@@ -64,7 +64,6 @@
 
 allow xdm_xserver_t init_t:fd use;
 
-dontaudit xdm_xserver_t user_home_dir_t:dir { read search };
 dontaudit xdm_xserver_t sysadm_home_dir_t:dir { read search };
 ', `
 # The user role is authorized for this domain.
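Review bot: dropping the dontaudit for user_home_dir_t:dir while keeping the one for sysadm_home_dir_t is asymmetric: it grants nothing, but the X server's probes of ordinary users' home directories will now show up in the audit log. If user_home_dir_t has been superseded by per-role home types, say so in the commit message; otherwise keep both dontaudits.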
@@ -162,7 +161,6 @@
 ifdef(`xdm.te', `
 allow $1_t xdm_tmp_t:sock_file { unlink };
 allow $1_xserver_t xdm_var_run_t:dir { search };
-allow xdm_t xserver_misc_device_t:chr_file { getattr };
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
 ')
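Review bot: the removed "allow xdm_t xserver_misc_device_t:chr_file { getattr }" names xdm_t directly inside the per-user $1 macro, so it was emitted once for every user role; taking it out of the macro is right as long as a single copy now lives in xdm.te, which is not part of this patch, so please confirm.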

^ permalink raw reply	[flat|nested] 47+ messages in thread

* Re: policy patches
  2004-09-29 13:54 policy patches Russell Coker
@ 2004-09-29 17:45 ` Thomas Bleher
  2004-09-29 20:20   ` Russell Coker
  0 siblings, 1 reply; 47+ messages in thread
From: Thomas Bleher @ 2004-09-29 17:45 UTC (permalink / raw)
  To: Russell Coker; +Cc: SELinux

* Russell Coker <russell@coker.com.au> [2004-09-29 18:49]:
> diff -ru /usr/src/se/policy/domains/program/unused/rpm.te ./domains/program/unused/rpm.te
> --- /usr/src/se/policy/domains/program/unused/rpm.te	2004-09-21 14:39:14.000000000 +1000
> +++ ./domains/program/unused/rpm.te	2004-09-29 01:05:44.000000000 +1000
> @@ -16,9 +16,15 @@
>...
> +ifdef(`unlimitedUsers', `
> +role staff_r types rpm_t;
> +domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
> +')

AFAIK unlimitedUsers was removed recently, so this snippet makes no
sense anymore.

> diff -ru /usr/src/se/policy/file_contexts/program/nagios.fc ./file_contexts/program/nagios.fc
> --- /usr/src/se/policy/file_contexts/program/nagios.fc	2004-06-17 03:38:16.000000000 +1000
> +++ ./file_contexts/program/nagios.fc	2004-09-24 20:44:24.000000000 +1000
> @@ -1,7 +1,10 @@
> -# netsaint - network monitoring server
> -/usr/sbin/netsaint		--	system_u:object_r:nagios_exec_t
> -#/var/run/netsaint(/.*)?		system_u:object_r:nagios_var_run_t
> -/etc/netsaint(/.*)?			system_u:object_r:nagios_etc_t
> +# nagios - network monitoring server
>  /var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
>  /usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
>  /usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
> +# nagios
> +/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
> +/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
> +/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
> +/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
> +/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t

On Debian, it's
/usr/sbin/nagios                --      system_u:object_r:nagios_exec_t
and
/usr/lib/cgi-bin/nagios         --      system_u:object_r:nagios_cgi_exec_t

These should be added also.

Everything else looks fine.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: policy patches
  2004-09-29 17:45 ` Thomas Bleher
@ 2004-09-29 20:20   ` Russell Coker
  2004-10-01 16:42     ` James Carter
  0 siblings, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-09-29 20:20 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 866 bytes --]

On Thu, 30 Sep 2004 03:45, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> > +ifdef(`unlimitedUsers', `
> > +role staff_r types rpm_t;
> > +domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
> > +')
>
> AFAIK unlimitedUsers was removed recently, so this snippet makes no
> sense anymore.

Thanks, I've removed that from my tree.

> On Debian, it's
> /usr/sbin/nagios                --      system_u:object_r:nagios_exec_t
> and
> /usr/lib/cgi-bin/nagios         --      system_u:object_r:nagios_cgi_exec_t
>
> These should be added also.

Thanks for that.  I've attached a new nagios.fc with that change.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: nagios.fc --]
[-- Type: text/plain, Size: 675 bytes --]

# nagios - network monitoring server
/var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
/usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
/usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
# nagios
ifdef(`distro_debian', `
/usr/sbin/nagios		--	system_u:object_r:nagios_exec_t
/usr/lib/cgi-bin/nagios/.+	--	system_u:object_r:nagios_cgi_exec_t
', `
/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
')
/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t


* Re: policy patches
  2004-09-29 20:20   ` Russell Coker
@ 2004-10-01 16:42     ` James Carter
  2004-10-01 17:44       ` Russell Coker
  0 siblings, 1 reply; 47+ messages in thread
From: James Carter @ 2004-10-01 16:42 UTC (permalink / raw)
  To: Russell Coker; +Cc: SELinux

Mostly merged with the corrections.

These two lines caused things to break, so I held off merging these for
now.
+/sbin/kmodule  --      system_u:object_r:kudzu_exec_t
+/sbin/start_udev --    system_u:object_r:udev_exec_t

These are the denials I am seeing:
avc:  denied  { unlink } for  pid=705 exe=/bin/rm name=.udev.tdb dev=tmpfs ino=927 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
avc:  denied  { read write } for  pid=707 exe=/sbin/udev name=.udev.tdb dev=tmpfs ino=927 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
avc:  denied  { search } for  pid=856 exe=/sbin/kmodule name=usr dev=hda2 ino=162881 scontext=system_u:system_r:kudzu_t tcontext=user_u:object_r:file_t tclass=dir
avc:  denied  { getattr } for  pid=856 exe=/sbin/kmodule path=/lib/modules/2.6.8-1.541/kernel dev=hda2 ino=930725 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:modules_object_t tclass=dir
avc:  denied  { setattr } for  pid=2402 exe=/usr/X11R6/bin/Xorg name=dri dev=tmpfs ino=7757 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=dir

The udev_t tmpfs_t:file { read write } denial occurs a lot.

The xdm_xserver_t device_t:dir setattr denial is not due to this patch. 
It is the only denial that I have been seeing lately; I just haven't had
an opportunity to look into it more.  It doesn't appear to cause any
problems though.

On Wed, 2004-09-29 at 16:20, Russell Coker wrote:
> On Thu, 30 Sep 2004 03:45, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > > +ifdef(`unlimitedUsers', `
> > > +role staff_r types rpm_t;
> > > +domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
> > > +')
> >
> > AFAIK unlimitedUsers was removed recently, so this snippet makes no
> > sense anymore.
> 
> Thanks, I've removed that from my tree.
> 
> > On Debian, it's
> > /usr/sbin/nagios                --      system_u:object_r:nagios_exec_t
> > and
> > /usr/lib/cgi-bin/nagios         --      system_u:object_r:nagios_cgi_exec_t
> >
> > These should be added also.
> 
> Thanks for that.  I've attached a new nagios.fc with that change.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: policy patches
  2004-10-01 16:42     ` James Carter
@ 2004-10-01 17:44       ` Russell Coker
  2004-10-01 20:45         ` Daniel J Walsh
  2004-10-04 20:12         ` James Carter
  0 siblings, 2 replies; 47+ messages in thread
From: Russell Coker @ 2004-10-01 17:44 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 2652 bytes --]

On Sat, 2 Oct 2004 02:42, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> Mostly merged with the corrections.
>
> These two lines caused things to break, so I held off merging these for
> now.
> +/sbin/kmodule  --      system_u:object_r:kudzu_exec_t
> +/sbin/start_udev --    system_u:object_r:udev_exec_t
>
> These are the denials I am seeing:
> avc:  denied  { unlink } for  pid=705 exe=/bin/rm name=.udev.tdb dev=tmpfs
> ino=927 scontext=system_u:system_r:udev_t

Version 7.85-1 of the initscripts package fixes the restorecon command to use 
the -R option to label all of /dev.  If you upgrade to the latest rawhide 
then the start_udev labelling should work.  NB: I sent the patch to you 
before rawhide was fixed; this was intentional, as neither patch worked well 
without the other, so there was no benefit in delaying.

> avc:  denied  { search } for  pid=856 exe=/sbin/kmodule
> name=usr dev=hda2 ino=162881 scontext=system_u:system_r:kudzu_t
> tcontext=user_u:object_r:file_t tclass=dir

Looks like either mis-labelling or you have /usr on a different file system.  
I guess we have to add a dontaudit rule for that, for when /usr (or /var, or 
whatever else it may access) isn't on the root fs.

> avc:  denied  { getattr } for  
> pid=856 exe=/sbin/kmodule path=/lib/modules/2.6.8-1.541/kernel dev=hda2
> ino=930725 scontext=system_u:system_r:kudzu_t
> tcontext=system_u:object_r:modules_object_t tclass=dir

I've attached kudzu.diff to deal with this issue and the above.  Please try 
including those file contexts changes, with kudzu.diff and the latest 
initscripts it should be fine.

> avc:  denied  { 
> setattr } for  pid=2402 exe=/usr/X11R6/bin/Xorg name=dri dev=tmpfs ino=7757
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:object_r:device_t tclass=dir

I think that Dan's latest patch allowed that one.

> The xdm_xserver_t device_t:dir setattr denial is not due to this patch.
> It is the only denial that I have been seeing lately; I just haven't had
> an opportunity to look into it more.  It doesn't appear to cause any
> problems though.

Long term udev has to deal with that too.  The X server should not be creating 
device nodes.  Quite a bit of work has recently gone into reducing /dev/mem 
access but allowing arbitrary device node creation wastes that.  It'll be 
fixed eventually (but at the moment we are already busy enough with udev 
issues).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: kudzu.diff --]
[-- Type: text/x-diff, Size: 879 bytes --]

--- /usr/src/se/policy/domains/program/unused/kudzu.te	2004-10-02 03:36:11.000000000 +1000
+++ domains/program/unused/kudzu.te	2004-10-02 03:40:37.000000000 +1000
@@ -15,7 +15,7 @@
 allow kudzu_t etc_t:file { getattr read };
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config };
 allow kudzu_t modules_conf_t:file { getattr read };
-allow kudzu_t modules_object_t:dir { search };
+allow kudzu_t modules_object_t:dir { getattr search };
 allow kudzu_t modules_dep_t:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
 allow kudzu_t proc_t:file { getattr read };
@@ -81,3 +81,6 @@
 file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
 allow kudzu_t tape_device_t:chr_file r_file_perms;
 allow kudzu_t tmp_t:dir { search };
+
+# for file systems that are not yet mounted
+dontaudit kudzu_t file_t:dir search;
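Review bot: "dontaudit kudzu_t file_t:dir search" silences the denial James reported, but that denial was on name=usr with tcontext file_t, which for a mounted /usr means the filesystem was never labelled rather than "not yet mounted" as the comment says. The dontaudit is fine for genuinely unmounted mount points, but it will equally hide a mislabelled /usr, so the comment should say both; the getattr on modules_object_t:dir in the first hunk is the real fix for the second denial.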


* Re: policy patches
  2004-10-01 17:44       ` Russell Coker
@ 2004-10-01 20:45         ` Daniel J Walsh
  2004-10-02  0:42           ` Russell Coker
  2004-10-02  0:43           ` Russell Coker
  2004-10-04 20:12         ` James Carter
  1 sibling, 2 replies; 47+ messages in thread
From: Daniel J Walsh @ 2004-10-01 20:45 UTC (permalink / raw)
  To: russell; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 120 bytes --]

Cleaned up patch with some of Russell's changes.

chage has been updated to do a checkPasswdAccess(PASSWD__ROOTOK) now.


[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 27996 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.17.26/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2004-08-20 13:57:27.000000000 -0400
+++ policy-1.17.26/domains/program/getty.te	2004-10-01 16:40:12.320803326 -0400
@@ -58,3 +58,4 @@
 
 rw_dir_create_file(getty_t, var_lock_t)
 r_dir_file(getty_t, sysfs_t)
+allow getty_t initrc_devpts_t:chr_file { read write };
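Review bot: "allow getty_t initrc_devpts_t:chr_file { read write }" gives getty read/write on pseudo-terminals allocated by init scripts with no comment on which setup needs it (a getty spawned from an initrc script on a pty, presumably); the rule should carry either that explanation or the denial that prompted it.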
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.17.26/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.26/domains/program/passwd.te	2004-10-01 16:40:12.321803216 -0400
@@ -42,7 +42,7 @@
 allow $1_t etc_t:lnk_file read;
 
 # Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid sys_resource };
+allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
 
 # Access terminals.
 allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
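Review bot: setgid is added to the capability set without a comment; with chage now labelled passwd_exec_t (last hunk of this patch) the domain covers more than passwd, so say which operation changes group id, since every program entering the domain gets the capability.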
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.17.26/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.26/domains/program/unused/amanda.te	2004-10-01 16:40:12.322803106 -0400
@@ -33,7 +33,6 @@
 
 type amanda_t, domain, privlog;
 role system_r types amanda_t;
-type amandaidx_port_t, port_type;
 
 # type for the amanda executables
 type amanda_exec_t, file_type, sysadmfile, exec_type;
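Review bot: removing "type amandaidx_port_t, port_type;" is part of the port-type cleanup in this patch (comsat, dbskkd, ktalkd, rsync, swat and inetd get the same treatment), but an undefined type is a policy compile error, so every remaining reference to these *_port_t types, in net_contexts and in any name_bind rules, has to go in the same commit; the inetd.te hunks below remove amidxtape_port_t and inetd_port_t together with their bind rules, while amandaidx_port_t is removed only here.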
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.26/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.26/domains/program/unused/comsat.te	2004-10-01 16:40:12.322803106 -0400
@@ -11,7 +11,10 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-type comsat_port_t, port_type;
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file { read lock };
+inetd_child_domain(comsat,udp)
+allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
+allow comsat_t mail_spool_t:dir r_dir_perms;
+allow comsat_t mail_spool_t:lnk_file { read };
+allow comsat_t var_spool_t:dir { search };
+dontaudit comsat_t sysadm_tty_device_t:chr_file { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.26/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.26/domains/program/unused/cups.te	2004-10-01 16:40:12.323802996 -0400
@@ -45,6 +45,7 @@
 ')
 
 ifdef(`inetd.te', `
+allow inetd_t printer_port_t:tcp_socket { name_bind };
 domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.26/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-09-27 15:04:34.000000000 -0400
+++ policy-1.17.26/domains/program/unused/dbskkd.te	2004-10-01 16:40:12.324802886 -0400
@@ -10,5 +10,4 @@
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
 
-type dbskkd_port_t, port_type;
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.26/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.26/domains/program/unused/hald.te	2004-10-01 16:40:12.324802886 -0400
@@ -61,4 +61,3 @@
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 dontaudit hald_t selinux_config_t:dir { search };
-dontaudit hald_t userdomain:fd { use };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.26/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.26/domains/program/unused/inetd.te	2004-10-01 16:40:12.325802776 -0400
@@ -12,13 +12,11 @@
 #
 type telnet_port_t, port_type;
 type biff_port_t, port_type;
-type amidxtape_port_t, port_type;
 
 #################################
 #
 # Rules for the inetd_t domain.
 #
-type inetd_port_t, port_type;
 
 daemon_domain(inetd, `, nscd_client_domain ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
@@ -50,26 +48,16 @@
 ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
 ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;')
 ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`amanda.te', `allow inetd_t amanda_port_t:tcp_socket name_bind;')
-ifdef(`swat.te', `allow inetd_t swat_port_t:tcp_socket name_bind;')
-ifdef(`amanda.te', `
-allow inetd_t biff_port_t:tcp_socket name_bind;
-allow inetd_t biff_port_t:udp_socket name_bind;
-allow inetd_t amidxtape_port_t:tcp_socket name_bind;
-')
 ifdef(`talk.te', `
 allow inetd_t talk_port_t:tcp_socket name_bind;
 allow inetd_t ntalk_port_t:tcp_socket name_bind;
 ')
 
-# allow to bind to chargen, echo, etc
-allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind;
-
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 
 
-inetd_child_domain(inetd_child)
+inetd_child_domain(inetd_child,udp)
 
 ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
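Review bot: this hunk removes inetd's name_bind on the amanda, swat, biff, amidxtape and inetd (chargen/echo) ports along with the type declarations, so any of those services still enabled in inetd.conf will fail to bind unless inetd_child_domain(inetd_child,udp) or the per-service macros now grant the bind; "type biff_port_t, port_type;" also stays declared in the first hunk although nothing binds to it any more, so either remove it as well or keep its bind rule.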
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.26/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.26/domains/program/unused/ktalkd.te	2004-10-01 16:40:12.325802776 -0400
@@ -10,6 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-type ktalkd_port_t, port_type;
-inetd_child_domain(ktalkd, udp)
-allow inetd_t ktalkd_port_t:udp_socket name_bind;
+inetd_child_domain(ktalkd,udp)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.26/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.26/domains/program/unused/rhgb.te	2004-10-01 16:40:12.326802666 -0400
@@ -29,7 +29,7 @@
 # for ramfs file systems
 allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
 allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:file unlink;
+allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
 allow insmod_t ramfs_t:file write;
 allow insmod_t rhgb_t:fd use;
 
@@ -84,4 +84,9 @@
 ifdef(`firstboot.te', `
 allow rhgb_t firstboot_rw_t:file r_file_perms;
 ')
-
+dontaudit rhgb_t tmp_t:dir { search };
+allow rhgb_t xdm_xserver_t:process { sigkill };
+allow domain rhgb_devpts_t:chr_file { read write };
+ifdef(`fsadm.te', `
+dontaudit fsadm_t ramfs_t:fifo_file { write };
+')
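Review bot: "allow domain rhgb_devpts_t:chr_file { read write }" grants every domain in the policy read/write on the rhgb pseudo-terminal, the opposite of the per-domain pty rules used elsewhere (compare the getty hunk above, which names getty_t and initrc_devpts_t); restrict it to the domains that actually inherit the rhgb pty as their console, or at least comment why a blanket rule is needed. sigkill on xdm_xserver_t is a big hammer for a boot splash; a comment on when rhgb kills the X server would help.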
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.26/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-09-27 15:04:35.000000000 -0400
+++ policy-1.17.26/domains/program/unused/rsync.te	2004-10-01 16:40:12.326802666 -0400
@@ -10,5 +10,4 @@
 # rsync_exec_t is the type of the rsync executable.
 #
 
-type rsync_port_t, port_type;
 inetd_child_domain(rsync)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.26/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.26/domains/program/unused/sendmail.te	2004-10-01 16:40:12.327802556 -0400
@@ -65,10 +65,8 @@
 # Read /usr/lib/sasl2/.*
 allow sendmail_t lib_t:file { getattr read };
 
-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
+# /usr/sbin/sendmail asks for w access to utmp
+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
 
 # When sendmail runs as user_mail_domain, it needs some extra permissions
 # to update /etc/mail/statistics.
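Review bot: the old rules were the least-privilege form, read on utmp plus a dontaudit for the write/lock attempts, with a comment noting sendmail works correctly without them. The new rule grants lock and write on initrc_var_run_t, which covers more than utmp, without saying what changed; unless a sendmail operation now genuinely fails without write access, keep the dontaudit.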
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slrnpull.te policy-1.17.26/domains/program/unused/slrnpull.te
--- nsapolicy/domains/program/unused/slrnpull.te	2004-03-31 12:59:08.000000000 -0500
+++ policy-1.17.26/domains/program/unused/slrnpull.te	2004-10-01 16:40:12.328802447 -0400
@@ -19,3 +19,5 @@
 ')
 system_crond_entry(slrnpull_exec_t, slrnpull_t)
 allow userdomain slrnpull_spool_t:dir { search };
+rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
+allow slrnpull_t var_spool_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.26/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.26/domains/program/unused/snmpd.te	2004-10-01 16:40:12.328802447 -0400
@@ -24,6 +24,7 @@
 
 # for the .index file
 var_lib_domain(snmpd)
+file_type_auto_trans(snmpd_t, { var_t }, snmpd_var_lib_t, dir)
 file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
 typealias snmpd_var_lib_t alias snmpd_var_rw_t;
 
@@ -70,3 +71,5 @@
 allow snmpd_t var_lib_nfs_t:dir search;
 
 dontaudit snmpd_t domain:dir { getattr search };
+
+dontaudit snmpd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.26/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-09-27 15:04:35.000000000 -0400
+++ policy-1.17.26/domains/program/unused/swat.te	2004-10-01 16:40:12.329802337 -0400
@@ -10,5 +10,4 @@
 # swat_exec_t is the type of the swat executable.
 #
 
-type swat_port_t, port_type;
 inetd_child_domain(swat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tvtime.te policy-1.17.26/domains/program/unused/tvtime.te
--- nsapolicy/domains/program/unused/tvtime.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.26/domains/program/unused/tvtime.te	2004-10-01 16:40:12.329802337 -0400
@@ -0,0 +1,12 @@
+#DESC tvtime - a high quality television application
+#
+# Domains for the tvtime program.
+# Author     :  Dan Walsh <dwalsh@redhat.com>
+#
+# tvtime_exec_t is the type of the tvtime executable.
+#
+type tvtime_exec_t, file_type, sysadmfile, exec_type;
+type tvtime_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the tvtime_domain macro in
+# macros/program/tvtime_macros.te.
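Review bot: the new tvtime.te only declares tvtime_exec_t and tvtime_dir_t and points at macros/program/tvtime_macros.te for everything else, but that macro file is not in this patch, and no file_contexts entry labels the tvtime binary or its directory either. tvtime_dir_t also carries the pidfile attribute, which is meant for run-time state under /var/run, so either say where that directory lives or drop the attribute.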
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.26/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-01 15:05:31.000000000 -0400
+++ policy-1.17.26/domains/program/unused/udev.te	2004-10-01 16:40:12.330802227 -0400
@@ -107,3 +107,4 @@
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
+dontaudit  udev_t domain:dir r_dir_perms;
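Review bot: "dontaudit  udev_t domain:dir r_dir_perms;" has a doubled space after dontaudit. Silencing udev's reads of every domain's /proc directory is reasonable for a device manager that scans processes, and the xdm.te hunk below adds the same rule under a "# Do not audit denied probes of /proc." comment, so add that comment here too.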
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.17.26/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.26/domains/program/unused/vpnc.te	2004-10-01 16:40:12.330802227 -0400
@@ -0,0 +1,30 @@
+#DESC vpnc
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the vpnc_t domain, et al.
+#
+# vpnc_t is the domain for the vpnc program.
+# vpnc_exec_t is the type of the vpnc executable.
+#
+daemon_domain(vpnc)
+
+allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+
+# Use the network.
+can_network(vpnc_t)
+can_ypbind(vpnc_t)
+
+# Use capabilities.
+allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
+
+allow vpnc_t devpts_t:dir search;
+allow vpnc_t etc_t:file { getattr read };
+allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
+allow vpnc_t vpnc_t:rawip_socket create_socket_perms;
+allow vpnc_t vpnc_t:unix_dgram_socket create_socket_perms;
+allow vpnc_t vpnc_t:unix_stream_socket create_socket_perms;
+allow vpnc_t admin_tty_type:chr_file rw_file_perms;
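Review bot: `allow vpnc_t vpnc_t:rawip_socket ...` and the two unix socket rules should use `self`, matching the `allow vpnc_t self:capability ...` line above them. More important is the last rule, `allow vpnc_t admin_tty_type:chr_file rw_file_perms;`: it hands a network daemon read/write on administrator terminals. If it exists only because vpnc is started by hand from a sysadm shell and writes its prompt there, say so in a comment and consider whether a dontaudit, or access only to the inherited descriptor, is enough. The `#DESC vpnc` header also lacks the one-line description the other new files have.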
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.26/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.26/domains/program/unused/xdm.te	2004-10-01 16:40:12.331802117 -0400
@@ -215,6 +215,7 @@
 dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir { search };
 
 # Do not audit denied probes of /proc.
 dontaudit xdm_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/passwd.fc policy-1.17.26/file_contexts/program/passwd.fc
--- nsapolicy/file_contexts/program/passwd.fc	2004-03-03 15:53:52.000000000 -0500
+++ policy-1.17.26/file_contexts/program/passwd.fc	2004-10-01 16:40:12.332802007 -0400
@@ -1,5 +1,6 @@
 # spasswd
 /usr/bin/passwd		--	system_u:object_r:passwd_exec_t
+/usr/bin/chage		--	system_u:object_r:passwd_exec_t
 /usr/bin/chsh		--	system_u:object_r:chfn_exec_t
 /usr/bin/chfn		--	system_u:object_r:chfn_exec_t
 /usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t
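Review bot: labelling /usr/bin/chage as passwd_exec_t runs it in the passwd domain with the full capability set passwd.te grants (`chown dac_override fsetid setuid sys_resource`, plus `setgid` once the later passwd.te hunk is in). The thread says chage now calls checkPasswdAccess(PASSWD__ROOTOK); record here or in passwd.te that chage deliberately shares passwd's domain, and why, so the next reviewer does not have to ask.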
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/tvtime.fc policy-1.17.26/file_contexts/program/tvtime.fc
--- nsapolicy/file_contexts/program/tvtime.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.26/file_contexts/program/tvtime.fc	2004-10-01 16:40:12.332802007 -0400
@@ -0,0 +1,3 @@
+# tvtime
+/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
+
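Review bot: the new file ends with an added empty line (a bare `+`); trim it. Note also that tvtime.te declares `tvtime_dir_t` but this file labels only the executable, so no path on the system ever carries that type.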
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.17.26/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.26/file_contexts/program/vpnc.fc	2004-10-01 16:40:12.333801897 -0400
@@ -0,0 +1,2 @@
+# vpnc
+/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.26/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.26/macros/base_user_macros.te	2004-10-01 16:40:12.333801897 -0400
@@ -152,6 +152,7 @@
 ifdef(`crontab.te', `crontab_domain($1)')
 
 ifdef(`screen.te', `screen_domain($1)')
+ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
 ifdef(`use_games', `ifdef(`games.te', `games_domain($1)')')
 ifdef(`gpg.te', `gpg_domain($1)')
@@ -287,6 +288,7 @@
 #
 allow $1_t rpc_pipefs_t:dir { getattr };
 allow $1_t nfsd_fs_t:dir { getattr };
+allow $1_t binfmt_misc_fs_t:dir { getattr };
 
 # /initrd is left mounted, various programs try to look at it
 dontaudit $1_t ramfs_t:dir { getattr };
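Review bot: `binfmt_misc_fs_t` is not declared anywhere in this patch, and there is no fs_use or genfscon line for it here either; if the type does not already exist in the tree the policy will not compile. The neighbouring `dontaudit $1_t ramfs_t:dir { getattr };` has a comment explaining which program triggers it (`/initrd is left mounted ...`); add the same for whatever calls getattr on the binfmt_misc mount, so it is clear why every user domain needs it.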
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.26/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.17.26/macros/global_macros.te	2004-10-01 16:40:12.334801787 -0400
@@ -287,6 +287,7 @@
 allow $1_t device_t:dir { getattr search };
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
 
 r_dir_file($1_t, sysfs_t) 
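Review bot: this line sits in a macro that is expanded for every domain using it, so `dontaudit $1_t unpriv_userdomain:fd use;` silences, in all of those domains at once, the denial that shows an unprivileged user's file descriptor leaking into a privileged process. That is one of the more useful denials to keep visible, since it is how a leaked descriptor into a daemon gets noticed. Prefer a per-domain dontaudit where the leak is known and harmless (hald.te has exactly such a line), or at least a comment naming the case that prompted this.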
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.26/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.26/macros/program/inetd_macros.te	2004-10-01 16:40:12.335801677 -0400
@@ -52,4 +52,9 @@
 allow $1_t krb5_conf_t:file r_file_perms;
 dontaudit $1_t krb5_conf_t:file write;
 allow $1_t urandom_device_t:chr_file { getattr read };
+type $1_port_t, port_type;
+allow inetd_t $1_port_t:tcp_socket { name_bind };
+ifelse($2, udp, `
+allow inetd_t $1_port_t:udp_socket { name_bind };
+')
 ')
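Review bot: `ifelse($2, udp, ...)` leaves both operands unquoted; the sendmail_macros.te hunk in this same patch writes the equivalent test as `ifelse(`$1', `sysadm', ...)`, and that quoting is the safe form if $2 is empty or ever collides with a macro name. Also, now that the macro declares `$1_port_t`, any caller that still has its own `type X_port_t, port_type;` produces a duplicate declaration: swat.te is fixed in this patch, dbskkd.te and comsat.te only in the follow-up, so the two should be merged together. A comment that the name_bind grant to inetd_t is intentionally unconditional for every child port would also help.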
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.26/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.26/macros/program/mozilla_macros.te	2004-10-01 16:40:12.336801567 -0400
@@ -69,8 +69,12 @@
 domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
 # $1_lpr_t should only need read access to the tmp files
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
 ')
 
+dontaudit $1_mozilla_t tmp_t:lnk_file read;
+
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
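Review bot: the two new `dontaudit $1_lpr_t $1_mozilla_t:...socket { read write };` rules paper over descriptors mozilla leaks into the lpr child across the domain_auto_trans; silencing is acceptable, but say so in a comment, as the line above does for the tmp files (`$1_lpr_t should only need read access ...`). `dontaudit $1_mozilla_t tmp_t:lnk_file read;` is questioned later in this thread: under strict policy a symlink of type tmp_t should not exist, so this rule should stay out until the lnk_file that triggers it has been identified.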
@@ -107,6 +111,7 @@
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file { unlink };
+dontaudit $1_mozilla_t tmpfile:file getattr;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sendmail_macros.te policy-1.17.26/macros/program/sendmail_macros.te
--- nsapolicy/macros/program/sendmail_macros.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.26/macros/program/sendmail_macros.te	2004-10-01 16:40:12.336801567 -0400
@@ -44,7 +44,7 @@
 
 ifelse(`$1', `sysadm', `
 allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:file { getattr read };
+allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
 allow $1_mail_t sysctl_kernel_t:file { getattr read };
 allow $1_mail_t etc_runtime_t:file { getattr read };
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.17.26/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.26/macros/program/tvtime_macros.te	2004-10-01 16:40:12.337801457 -0400
@@ -0,0 +1,45 @@
+#
+# Macros for tvtime domains.
+#
+
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#
+# tvtime_domain(domain_prefix)
+#
+# Define a derived domain for the tvtime program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/tvtime.te. 
+#
+undefine(`tvtime_domain')
+ifdef(`tvtime.te', `
+define(`tvtime_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+
+x_client_domain($1, tvtime)
+
+allow $1_tvtime_t urandom_device_t:chr_file read;
+allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
+allow $1_tvtime_t kernel_t:system { ipc_info };
+allow $1_tvtime_t sound_device_t:chr_file { read };
+allow $1_tvtime_t $1_home_t:dir { getattr read search };
+allow $1_tvtime_t $1_home_t:file { getattr read };
+tmp_domain($1_tvtime)
+allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+allow $1_tvtime_t self:process { setsched };
+allow $1_tvtime_t usr_t:file { getattr read };
+allow $1_tvtime_t xdm_tmp_t:dir { search };
+
+')dnl end tvtime_domain
+
+', `
+
+define(`tvtime_domain',`')
+
+')
+
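Review bot: `$1_home_tvtime_t` is declared at the top of the macro but no rule references it; there is no file_type_auto_trans from `$1_home_t` into it and `$1_tvtime_t` only gets read access to `$1_home_t`. Either add the transition and access rules for the program's home-directory files or drop the type. `allow $1_tvtime_t xdm_tmp_t:dir { search };` uses xdm_tmp_t without an `ifdef(`xdm.te', ...)` guard, unlike the mozilla macro in this same patch, so it breaks a build without xdm.te. The capability set `{ setuid sys_nice sys_resource }` together with `self:process { setsched }` is presumably for raising scheduling priority and dropping privileges; a comment stating that would justify the grants.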
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.26/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.26/macros/program/xserver_macros.te	2004-10-01 16:40:12.337801457 -0400
@@ -198,7 +198,10 @@
 
 # Create and access /dev/dri devices.
 allow $1_xserver_t device_t:dir create;
+allow $1_xserver_t device_t:dir { setattr };
 file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
+# brought on by rhgb
+allow $1_xserver_t mnt_t:dir { search };
 
 allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
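Review bot: merge the new `allow $1_xserver_t device_t:dir { setattr };` into the line above it as `allow $1_xserver_t device_t:dir { create setattr };`, as suggested later in the thread. The `mnt_t:dir { search }` rule is explained only by `# brought on by rhgb`; state what rhgb looks for under the mount point, and if it is merely a probe, a dontaudit is the lower-privilege option. The thread also notes that device node creation by the X server is something udev should eventually take over, so this grant deserves a TODO.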
 
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.26/Makefile
--- nsapolicy/Makefile	2004-09-13 15:58:17.000000000 -0400
+++ policy-1.17.26/Makefile	2004-10-01 16:40:12.338801347 -0400
@@ -52,7 +52,7 @@
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context) $(CONTEXTPATH)/files/media
 
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
@@ -68,6 +68,10 @@
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
+$(APPDIR)/removable_context: appconfig/removable_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
 $(APPDIR)/default_type: appconfig/default_type
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
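Review bot: the new install rule names `appconfig/removable_context` as its prerequisite and the first hunk adds the target to APPFILES, but no `appconfig/removable_context` appears in this part of the diff (it is generated with -N, so a new file would show up). Without the file, `make install` fails on the missing prerequisite; include it with the patch.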
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.26/net_contexts
--- nsapolicy/net_contexts	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.26/net_contexts	2004-10-01 16:40:12.339801238 -0400
@@ -18,22 +18,25 @@
 # protocol low-high context
 #
 ifdef(`inetd.te', `
-portcon tcp 7 system_u:object_r:inetd_port_t
-portcon udp 7 system_u:object_r:inetd_port_t
-portcon tcp 9 system_u:object_r:inetd_port_t
-portcon udp 9 system_u:object_r:inetd_port_t
-portcon tcp 13 system_u:object_r:inetd_port_t
-portcon udp 13 system_u:object_r:inetd_port_t
-portcon tcp 19 system_u:object_r:inetd_port_t
-portcon udp 19 system_u:object_r:inetd_port_t
-portcon tcp 37 system_u:object_r:inetd_port_t
-portcon udp 37 system_u:object_r:inetd_port_t
-portcon tcp 113 system_u:object_r:inetd_port_t
-portcon udp 512 system_u:object_r:biff_port_t
-portcon tcp 891 system_u:object_r:inetd_port_t
-portcon udp 891 system_u:object_r:inetd_port_t
-portcon tcp 892 system_u:object_r:inetd_port_t
-portcon udp 892 system_u:object_r:inetd_port_t
+portcon tcp 7 system_u:object_r:inetd_child_port_t
+portcon udp 7 system_u:object_r:inetd_child_port_t
+portcon tcp 9 system_u:object_r:inetd_child_port_t
+portcon udp 9 system_u:object_r:inetd_child_port_t
+portcon tcp 13 system_u:object_r:inetd_child_port_t
+portcon udp 13 system_u:object_r:inetd_child_port_t
+portcon tcp 19 system_u:object_r:inetd_child_port_t
+portcon udp 19 system_u:object_r:inetd_child_port_t
+portcon tcp 37 system_u:object_r:inetd_child_port_t
+portcon udp 37 system_u:object_r:inetd_child_port_t
+portcon tcp 113 system_u:object_r:inetd_child_port_t
+portcon tcp 512 system_u:object_r:inetd_child_port_t
+portcon tcp 543 system_u:object_r:inetd_child_port_t
+portcon tcp 544 system_u:object_r:inetd_child_port_t
+portcon tcp 891 system_u:object_r:inetd_child_port_t
+portcon udp 891 system_u:object_r:inetd_child_port_t
+portcon tcp 892 system_u:object_r:inetd_child_port_t
+portcon udp 892 system_u:object_r:inetd_child_port_t
+portcon tcp 2105 system_u:object_r:inetd_child_port_t
 ')
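Review bot: this hunk retypes the generic inetd ports to `inetd_child_port_t`, but nothing in the patch declares that type: inetd_child_domain() declares `$1_port_t`, so `inetd_child_port_t` only exists if the macro is called with `inetd_child` as its argument somewhere not shown here. `portcon udp 512 system_u:object_r:biff_port_t` is removed and udp 512 reappears only under `ifdef(`comsat.te', ...)` in the next hunk, so a build without comsat.te now leaves that port unlabelled; say whether that is intended. The new tcp 512/543/544/2105 entries get the same generic type as echo and chargen; a comment naming the service on each would help anyone who later wants to give them their own type.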
 ifdef(`ftpd.te', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
@@ -87,6 +90,9 @@
 portcon udp 162 system_u:object_r:snmp_port_t
 portcon tcp 199 system_u:object_r:snmp_port_t
 ')
+ifdef(`comsat.te', `
+portcon udp 512 system_u:object_r:comsat_port_t
+')
 ifdef(`slapd.te', `portcon tcp 389 system_u:object_r:ldap_port_t')
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
@@ -102,7 +108,17 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
+ifdef(`kerberos.te', `
+portcon tcp 88 system_u:object_r:kerberos_port_t
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t
+portcon tcp 750 system_u:object_r:kerberos_port_t
+portcon tcp 4444 system_u:object_r:kerberos_master_port_t
+')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`rsync.te', `
+portcon tcp 873 system_u:object_r:rsync_port_t
+portcon udp 873 system_u:object_r:rsync_port_t
+')
 ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
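Review bot: the kerberos block labels 88 and 750 for tcp only, while rsync below it gets both tcp and udp; Kerberos clients commonly reach the KDC over udp, so if the kerberos.te domains bind or connect on udp those ports fall under whatever the default port type is. None of `kerberos_port_t`, `kerberos_admin_port_t` or `kerberos_master_port_t` is declared in this diff, so confirm the type declarations exist in kerberos.te before merging.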
@@ -112,10 +128,13 @@
 ')
 ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
 ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-ifdef(`radius.te', `portcon udp 1645 system_u:object_r:radius_port_t
+ifdef(`radius.te', `
+portcon udp 1645 system_u:object_r:radius_port_t
 portcon udp 1646 system_u:object_r:radacct_port_t
 portcon udp 1812 system_u:object_r:radius_port_t
-portcon udp 1813 system_u:object_r:radacct_port_t')
+portcon udp 1813 system_u:object_r:radacct_port_t
+')
+ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
 ifdef(`gatekeeper.te', `
 portcon udp 1718 system_u:object_r:gatekeeper_port_t
 portcon udp 1719 system_u:object_r:gatekeeper_port_t
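Review bot: the new `dbskkd.te` entry for tcp 1178 is placed after the radius block (1645 to 1813), but this file is kept roughly in port order, so it belongs up with the 1234/1241 lines (which are themselves swapped: nessusd 1241 precedes monopd 1234). The radius block reformat to one portcon per line is fine.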
@@ -146,7 +165,7 @@
 portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
 ')
 ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
-ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_port_t')
+ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
 ifdef(`xdm.te', `
 portcon tcp 5900  system_u:object_r:vnc_port_t 
 ')
@@ -190,8 +209,8 @@
 portcon tcp 10080 system_u:object_r:amanda_port_t
 portcon udp 10081 system_u:object_r:amanda_port_t
 portcon tcp 10081 system_u:object_r:amanda_port_t
-portcon tcp 10082 system_u:object_r:amandaidx_port_t
-portcon tcp 10083 system_u:object_r:amidxtape_port_t
+portcon tcp 10082 system_u:object_r:amanda_port_t
+portcon tcp 10083 system_u:object_r:amanda_port_t
 ')
 ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
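Review bot: folding 10082 and 10083 into `amanda_port_t` drops the distinction between the amanda server ports and the index/tape ports that `amandaidx_port_t` and `amidxtape_port_t` provided; the corresponding type removals come only in the follow-up patch (amanda.te and inetd.te), so between the two patches the types exist but label nothing. Anything that was bound to those ports now gets whatever is granted on the broader amanda_port_t; a sentence in the description justifying the merge would help.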
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.26/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.26/tunables/distro.tun	2004-10-01 16:40:12.340801128 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
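Review bot: this enables `distro_redhat` in the upstream tunables file, which makes the Red Hat conditional blocks the default for every tree that ships this file. Distribution selection belongs in the distribution's own copy of distro.tun, not in the reference tree's default; if this is a local build setting, drop the hunk before submitting.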
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.26/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.26/tunables/tunable.tun	2004-10-01 16:40:12.340801128 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
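Review bot: this hunk turns on, by default, `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `user_canbe_sysadm`, `hide_broken_symptoms`, `nfs_home_dirs`, `use_games`, `allow_ypbind`, `user_can_mount` and `nscd_all_connect`. By the file's own comments the first three run rpm, hotplug/insmod and every rc-started daemon without an explicit transition unconfined, `user_canbe_sysadm` lets user_r reach sysadm_r, and `hide_broken_symptoms` suppresses denials; together they are close to the most permissive configuration the tunables allow. These are deployment choices, so the reference default should stay the commented-out `dnl define(...)` form, with distributions enabling what they need in their own tunable.tun.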


* Re: policy patches
  2004-10-01 20:45         ` Daniel J Walsh
@ 2004-10-02  0:42           ` Russell Coker
  2004-10-02 10:16             ` Daniel J Walsh
  2004-10-02  0:43           ` Russell Coker
  1 sibling, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-10-02  0:42 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

On Sat, 2 Oct 2004 06:45, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Cleaned up patch with some of Russell's changes.
>
> chage has been updated to do a checkPasswdAccess(PASSWD__ROOTOK) now.

+allow getty_t initrc_devpts_t:chr_file { read write };

What is this for?

-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
+# /usr/sbin/sendmail asks for w access to utmp
+allow sendmail_t initrc_var_run_t:file { getattr read lock write };

You missed my fix for this problem.

 allow $1_xserver_t device_t:dir create;
+allow $1_xserver_t device_t:dir { setattr };

Probably best to just merge the above two lines with { create setattr }.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: policy patches
  2004-10-01 20:45         ` Daniel J Walsh
  2004-10-02  0:42           ` Russell Coker
@ 2004-10-02  0:43           ` Russell Coker
  2004-10-02 10:18             ` Daniel J Walsh
  1 sibling, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-10-02  0:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

+dontaudit $1_mozilla_t tmp_t:lnk_file read;

This should not be possible.  If tmp_t:lnk_file gets generated with strict 
policy then we have a bug somewhere else.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: policy patches
  2004-10-02  0:42           ` Russell Coker
@ 2004-10-02 10:16             ` Daniel J Walsh
  2004-10-02 20:14               ` Russell Coker
  0 siblings, 1 reply; 47+ messages in thread
From: Daniel J Walsh @ 2004-10-02 10:16 UTC (permalink / raw)
  To: russell; +Cc: jwcart2, SELinux

Russell Coker wrote:

>On Sat, 2 Oct 2004 06:45, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>>Cleaned up patch with some of Russell's changes.
>>
>>chage has been updated to do a checkPasswdAccess(PASSWD__ROOTOK) now.
>
>+allow getty_t initrc_devpts_t:chr_file { read write };
>
>What is this for?
>
I have been getting AVC messages for it.

>-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
>-# correctly without it.  Do not audit write and lock denials to utmp.
>-allow sendmail_t initrc_var_run_t:file { getattr read };
>-dontaudit sendmail_t initrc_var_run_t:file { lock write };
>+# /usr/sbin/sendmail asks for w access to utmp
>+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
>
>You missed my fix for this problem.
>
No, I know about it but need to wait for sendmail to be fixed to revert 
this change.

> allow $1_xserver_t device_t:dir create;
>+allow $1_xserver_t device_t:dir { setattr };
>
>Probably best to just merge the above two lines with { create setattr }.
>
Sounds good.




* Re: policy patches
  2004-10-02  0:43           ` Russell Coker
@ 2004-10-02 10:18             ` Daniel J Walsh
  2004-10-02 20:15               ` Russell Coker
  0 siblings, 1 reply; 47+ messages in thread
From: Daniel J Walsh @ 2004-10-02 10:18 UTC (permalink / raw)
  To: russell; +Cc: jwcart2, SELinux

Russell Coker wrote:

>+dontaudit $1_mozilla_t tmp_t:lnk_file read;
>
>This should not be possible.  If tmp_t:lnk_file gets generated with strict 
>policy then we have a bug somewhere else.
>
Something seems to generate it regularly, probably when setenforce 0 is in 
effect.  I have had to do this a lot because of broken kernel(s).



* Re: policy patches
  2004-10-02 10:16             ` Daniel J Walsh
@ 2004-10-02 20:14               ` Russell Coker
  2004-10-06 15:28                 ` Daniel J Walsh
  0 siblings, 1 reply; 47+ messages in thread
From: Russell Coker @ 2004-10-02 20:14 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

On Sat, 2 Oct 2004 20:16, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Russell Coker wrote:
> >On Sat, 2 Oct 2004 06:45, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>Cleaned up patch with some of Russell's changes.
> >>
> >>chage has been updated to do a checkPasswdAccess(PASSWD__ROOTOK) now.
> >
> >+allow getty_t initrc_devpts_t:chr_file { read write };
> >
> >What is this for?
>
> I have been getting AVC messages for it.

Please show me the AVC messages.

> >-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
> >-# correctly without it.  Do not audit write and lock denials to utmp.
> >-allow sendmail_t initrc_var_run_t:file { getattr read };
> >-dontaudit sendmail_t initrc_var_run_t:file { lock write };
> >+# /usr/sbin/sendmail asks for w access to utmp
> >+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
> >
> >You missed my fix for this problem.
>
> No, I know about it but need to wait for sendmail to be fixed to revert
> this change.

The patch I sent needs no changes to sendmail.  Please apply it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: policy patches
  2004-10-02 10:18             ` Daniel J Walsh
@ 2004-10-02 20:15               ` Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2004-10-02 20:15 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

On Sat, 2 Oct 2004 20:18, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Russell Coker wrote:
> >+dontaudit $1_mozilla_t tmp_t:lnk_file read;
> >
> >This should not be possible.  If tmp_t:lnk_file gets generated with strict
> >policy then we have a bug somewhere else.
>
> Something seems to generate it regularly, probably when setenforce 0 is in
> effect.  I have had to do this a lot because of broken kernel(s).

What is the name of the lnk_file in question?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: policy patches
  2004-10-01 17:44       ` Russell Coker
  2004-10-01 20:45         ` Daniel J Walsh
@ 2004-10-04 20:12         ` James Carter
  2004-10-05 15:41           ` Daniel J Walsh
  1 sibling, 1 reply; 47+ messages in thread
From: James Carter @ 2004-10-04 20:12 UTC (permalink / raw)
  To: Russell Coker; +Cc: SELinux

Merged the start_udev line and the kudzu patch.

On Fri, 2004-10-01 at 13:44, Russell Coker wrote:
> On Sat, 2 Oct 2004 02:42, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> > Mostly merged with the corrections.
> >
> > These two lines caused things to break, so I held off merging these for
> > now.
> > +/sbin/kmodule  --      system_u:object_r:kudzu_exec_t
> > +/sbin/start_udev --    system_u:object_r:udev_exec_t
> >
> > These are the denials I am seeing:
> > avc:  denied  { unlink } for  pid=705 exe=/bin/rm name=.udev.tdb dev=tmpfs
> > ino=927 scontext=system_u:system_r:udev_t
> 
> Version 7.85-1 of the initscripts package fixes the restorecon command to use 
> the -R option to label all of /dev.  If you upgrade to the latest rawhide 
> then the start_udev labelling should work.  NB  I sent the patch to you 
> before rawhide was fixed, this was intentional as neither patch worked well 
> without the other so there was no benefit in delaying.

> > avc:  denied  { search } for  pid=856 exe=/sbin/kmodule
> > name=usr dev=hda2 ino=162881 scontext=system_u:system_r:kudzu_t
> > tcontext=user_u:object_r:file_t tclass=dir
> 
> Looks like either mis-labelling or you have /usr on a different file system.  
> I guess we have to add a dontaudit rule for that for when /usr (or /var or 
> whatever else it may access that isn't on the root fs).
> 

I do have /usr on a different file system.

> > avc:  denied  { getattr } for  
> > pid=856 exe=/sbin/kmodule path=/lib/modules/2.6.8-1.541/kernel dev=hda2
> > ino=930725 scontext=system_u:system_r:kudzu_t
> > tcontext=system_u:object_r:modules_object_t tclass=dir
> 
> I've attached kudzu.diff to deal with this issue and the above.  Please try 
> including those file contexts changes, with kudzu.diff and the latest 
> initscripts it should be fine.
> 
> > avc:  denied  { 
> > setattr } for  pid=2402 exe=/usr/X11R6/bin/Xorg name=dri dev=tmpfs ino=7757
> > scontext=system_u:system_r:xdm_xserver_t
> > tcontext=system_u:object_r:device_t tclass=dir
> 
> I think that Dan's latest patch allowed that one.
> 
> > The xdm_xserver_t device_t:dir setattr denial is not due to this patch.
> > It is the only denial that I have been seeing lately; I just haven't had
> > an opportunity to look into it more.  It doesn't appear to cause any
> > problems though.
> 
> Long term udev has to deal with that too.  The X server should not be creating 
> device nodes.  Quite a bit of work has recently gone into reducing /dev/mem 
> access but allowing arbitrary device node creation wastes that.  It'll be 
> fixed eventually (but at the moment we are already busy enough with udev 
> issues).
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: policy patches
  2004-10-04 20:12         ` James Carter
@ 2004-10-05 15:41           ` Daniel J Walsh
  2004-10-05 17:35             ` James Carter
  2004-10-05 19:06             ` James Carter
  0 siblings, 2 replies; 47+ messages in thread
From: Daniel J Walsh @ 2004-10-05 15:41 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, SELinux

[-- Attachment #1: Type: text/plain, Size: 53 bytes --]

Submitting patches against latest policy again.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 30535 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.17.27/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.27/domains/program/passwd.te	2004-10-05 11:36:08.000000000 -0400
@@ -42,7 +42,7 @@
 allow $1_t etc_t:lnk_file read;
 
 # Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid sys_resource };
+allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
 
 # Access terminals.
 allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
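Review bot: this rule is inside a macro (`$1_t`), so `setgid` is added to every domain the macro generates (passwd.fc shows at least passwd_exec_t and admin_passwd_exec_t as entry points), not only the one that needed it. If the trigger was chage now being labelled passwd_exec_t, say so in a comment; if a single domain needs setgid, grant it to that domain outside the macro rather than widening all of them.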
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.17.27/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.27/domains/program/unused/amanda.te	2004-10-05 11:36:08.000000000 -0400
@@ -33,7 +33,6 @@
 
 type amanda_t, domain, privlog;
 role system_r types amanda_t;
-type amandaidx_port_t, port_type;
 
 # type for the amanda executables
 type amanda_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.27/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.27/domains/program/unused/comsat.te	2004-10-05 11:36:08.000000000 -0400
@@ -11,7 +11,10 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-type comsat_port_t, port_type;
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file { read lock };
+inetd_child_domain(comsat,udp)
+allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
+allow comsat_t mail_spool_t:dir r_dir_perms;
+allow comsat_t mail_spool_t:lnk_file { read };
+allow comsat_t var_spool_t:dir { search };
+dontaudit comsat_t sysadm_tty_device_t:chr_file { getattr };
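Review bot: `allow comsat_t initrc_var_run_t:file r_file_perms;` widens the previous `{ read lock }` to the full read permission set on utmp; fine if comsat stats the file, but worth a line in the description given that utmp access is exactly what the thread is arguing about for sendmail. The change from `inetd_child_domain(comsat, udp)` to `(comsat,udp)` is whitespace only; m4 strips leading blanks from arguments, so either spelling satisfies the macro's `ifelse($2, udp, ...)`. The new `mail_spool_t:lnk_file { read }` grant implies the spool is reached through a symlink on the test system; a comment saying which one would help.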
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.27/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.27/domains/program/unused/cups.te	2004-10-05 11:36:08.000000000 -0400
@@ -45,6 +45,7 @@
 ')
 
 ifdef(`inetd.te', `
+allow inetd_t printer_port_t:tcp_socket { name_bind };
 domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.27/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-09-27 15:04:34.000000000 -0400
+++ policy-1.17.27/domains/program/unused/dbskkd.te	2004-10-05 11:36:08.000000000 -0400
@@ -10,5 +10,4 @@
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
 
-type dbskkd_port_t, port_type;
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.27/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.27/domains/program/unused/hald.te	2004-10-05 11:36:08.000000000 -0400
@@ -61,4 +61,3 @@
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 dontaudit hald_t selinux_config_t:dir { search };
-dontaudit hald_t userdomain:fd { use };
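Review bot: the removed `dontaudit hald_t userdomain:fd { use };` is replaced by `dontaudit $1_t unpriv_userdomain:fd use;` in global_macros.te, which is narrower: fd-use denials against domains that are in userdomain but not in unpriv_userdomain (sysadm_t, if it is not a member) will be audited again for hald_t. If that is intended, fine; otherwise keep this line or widen the macro rule to userdomain.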
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.27/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.27/domains/program/unused/inetd.te	2004-10-05 11:36:08.000000000 -0400
@@ -12,13 +12,11 @@
 #
 type telnet_port_t, port_type;
 type biff_port_t, port_type;
-type amidxtape_port_t, port_type;
 
 #################################
 #
 # Rules for the inetd_t domain.
 #
-type inetd_port_t, port_type;
 
 daemon_domain(inetd, `, nscd_client_domain ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
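Review bot: `type biff_port_t, port_type;` (kept above) becomes an orphan: its only portcon (`udp 512`) moves to comsat_port_t in net_contexts and the biff name_bind rules are deleted in the next hunk, so nothing references it any more; remove it along with amidxtape_port_t and inetd_port_t. Also net_contexts now labels ports 7/9/13/19/37/113/512/543/544/891/892/2105 and nrpe's 5666 as inetd_child_port_t, but no declaration of that type appears anywhere in this patch; please point at where it is declared, since inetd_port_t is being removed here.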
 
@@ -50,21 +48,11 @@
 ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
 ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;')
 ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`amanda.te', `allow inetd_t amanda_port_t:tcp_socket name_bind;')
-ifdef(`swat.te', `allow inetd_t swat_port_t:tcp_socket name_bind;')
-ifdef(`amanda.te', `
-allow inetd_t biff_port_t:tcp_socket name_bind;
-allow inetd_t biff_port_t:udp_socket name_bind;
-allow inetd_t amidxtape_port_t:tcp_socket name_bind;
-')
 ifdef(`talk.te', `
 allow inetd_t talk_port_t:tcp_socket name_bind;
 allow inetd_t ntalk_port_t:tcp_socket name_bind;
 ')
 
-# allow to bind to chargen, echo, etc
-allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind;
-
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
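Review bot: removing `allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind;` deletes the only visible rule that lets inetd_t bind echo, discard, daytime, chargen, time and ident now that those ports are relabelled inetd_child_port_t. Unless an `inetd_child_domain(inetd_child ...)` invocation elsewhere (not in this patch) generates `allow inetd_t inetd_child_port_t:... name_bind`, the built-in services stop binding; the commit text should say where that allow now comes from.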
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.27/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.27/domains/program/unused/ktalkd.te	2004-10-05 11:36:08.000000000 -0400
@@ -10,6 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-type ktalkd_port_t, port_type;
-inetd_child_domain(ktalkd, udp)
-allow inetd_t ktalkd_port_t:udp_socket name_bind;
+inetd_child_domain(ktalkd,udp)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.27/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.27/domains/program/unused/rhgb.te	2004-10-05 11:36:08.000000000 -0400
@@ -29,7 +29,7 @@
 # for ramfs file systems
 allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
 allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:file unlink;
+allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
 allow insmod_t ramfs_t:file write;
 allow insmod_t rhgb_t:fd use;
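Review bot: `ramfs_t:file unlink` becomes `{ file fifo_file } create_file_perms`, a large widening (create, write, rename, link and more on every ramfs_t file) with no comment on which rhgb operation needed it. A comment in the style of `# for ramfs file systems` above, naming the fifo rhgb creates, would let the next reader decide whether create_file_perms is warranted or `{ create write unlink }` suffices.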
 
@@ -84,4 +84,9 @@
 ifdef(`firstboot.te', `
 allow rhgb_t firstboot_rw_t:file r_file_perms;
 ')
-
+dontaudit rhgb_t tmp_t:dir { search };
+allow rhgb_t xdm_xserver_t:process { sigkill };
+allow domain rhgb_devpts_t:chr_file { read write };
+ifdef(`fsadm.te', `
+dontaudit fsadm_t ramfs_t:fifo_file { write };
+')
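Review bot: `allow domain rhgb_devpts_t:chr_file { read write };` grants every domain in the policy read and write on rhgb's pty, the widest possible source; any confined domain that can reach the device can then read from it and inject into it. Restrict this to the domains actually started under rhgb during boot (initrc_t and what it spawns, via an attribute) or at minimum add a comment explaining why `domain` is required. The `allow rhgb_t xdm_xserver_t:process { sigkill };` line should likewise say why rhgb needs SIGKILL on the X server rather than an ordinary termination signal, and both single-permission braces can go.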
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.27/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-10-01 15:05:31.000000000 -0400
+++ policy-1.17.27/domains/program/unused/rpm.te	2004-10-05 11:36:08.000000000 -0400
@@ -152,7 +152,7 @@
 can_exec_any(rpm_script_t)
 
 # Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot mknod };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod };
 
 # ideally we would not need this
 allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
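Review bot: `sys_nice` joins an already broad capability set for rpm_script_t with nothing saying which scriptlet needs it; given `can_exec_any(rpm_script_t)` and `{ file_type - shadow_t }:dir create_dir_perms` right below, the domain is near unconfined, so a per-capability comment is the only thing keeping the list from growing by accretion.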
@@ -172,7 +172,7 @@
 allow crond_t rpm_t:fifo_file r_file_perms;
 ')
 
-allow rpm_script_t proc_t:dir { search getattr };
+allow rpm_script_t proc_t:dir { search getattr read };
 allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
 
 allow rpm_script_t devtty_t:chr_file rw_file_perms;
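Review bot: `proc_t:dir { search getattr read }` is what the r_dir_perms macro covers; use it here as the udev.te and xdm.te hunks in this same patch do, rather than listing the permissions by hand.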
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.27/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-09-27 15:04:35.000000000 -0400
+++ policy-1.17.27/domains/program/unused/rsync.te	2004-10-05 11:36:08.000000000 -0400
@@ -10,5 +10,4 @@
 # rsync_exec_t is the type of the rsync executable.
 #
 
-type rsync_port_t, port_type;
 inetd_child_domain(rsync)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.27/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.27/domains/program/unused/sendmail.te	2004-10-05 11:36:08.000000000 -0400
@@ -65,11 +65,6 @@
 # Read /usr/lib/sasl2/.*
 allow sendmail_t lib_t:file { getattr read };
 
-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
 # When sendmail runs as user_mail_domain, it needs some extra permissions
 # to update /etc/mail/statistics.
 allow user_mail_domain etc_mail_t:file rw_file_perms;
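Review bot: this removes both `allow sendmail_t initrc_var_run_t:file { getattr read }` and the `dontaudit ... { lock write }` for utmp, together with the comment that explained them, and nothing in the patch replaces them. If sendmail_t still opens /var/run/utmp (the deleted comment says it asks for write access), reads will now be denied and the write/lock attempts audited. If the rules moved into a macro, name it in the commit text; otherwise keep them.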
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slrnpull.te policy-1.17.27/domains/program/unused/slrnpull.te
--- nsapolicy/domains/program/unused/slrnpull.te	2004-03-31 12:59:08.000000000 -0500
+++ policy-1.17.27/domains/program/unused/slrnpull.te	2004-10-05 11:36:08.000000000 -0400
@@ -19,3 +19,5 @@
 ')
 system_crond_entry(slrnpull_exec_t, slrnpull_t)
 allow userdomain slrnpull_spool_t:dir { search };
+rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
+allow slrnpull_t var_spool_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.27/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.27/domains/program/unused/snmpd.te	2004-10-05 11:36:08.000000000 -0400
@@ -24,6 +24,7 @@
 
 # for the .index file
 var_lib_domain(snmpd)
+file_type_auto_trans(snmpd_t, { var_t }, snmpd_var_lib_t, dir)
 file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
 typealias snmpd_var_lib_t alias snmpd_var_rw_t;
 
@@ -70,3 +71,5 @@
 allow snmpd_t var_lib_nfs_t:dir search;
 
 dontaudit snmpd_t domain:dir { getattr search };
+
+dontaudit snmpd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.27/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-09-27 15:04:35.000000000 -0400
+++ policy-1.17.27/domains/program/unused/swat.te	2004-10-05 11:36:08.000000000 -0400
@@ -10,5 +10,4 @@
 # swat_exec_t is the type of the swat executable.
 #
 
-type swat_port_t, port_type;
 inetd_child_domain(swat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tvtime.te policy-1.17.27/domains/program/unused/tvtime.te
--- nsapolicy/domains/program/unused/tvtime.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.27/domains/program/unused/tvtime.te	2004-10-05 11:36:08.000000000 -0400
@@ -0,0 +1,12 @@
+#DESC tvtime - a high quality television application
+#
+# Domains for the tvtime program.
+# Author     :  Dan Walsh <dwalsh@redhat.com>
+#
+# tvtime_exec_t is the type of the tvtime executable.
+#
+type tvtime_exec_t, file_type, sysadmfile, exec_type;
+type tvtime_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the tvtime_domain macro in
+# macros/program/tvtime_macros.te.
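Review bot: `tvtime_dir_t` is declared with `pidfile` but nothing in this patch uses it: tvtime_macros.te never references it and tvtime.fc labels only /usr/bin/tvtime. Either add the rules and file_contexts entry it is meant for or drop the declaration, so the policy does not carry a type with no rules and no files.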
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.27/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-01 15:05:31.000000000 -0400
+++ policy-1.17.27/domains/program/unused/udev.te	2004-10-05 11:36:08.000000000 -0400
@@ -107,3 +107,4 @@
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
+dontaudit  udev_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.17.27/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.27/domains/program/unused/vpnc.te	2004-10-05 11:36:08.000000000 -0400
@@ -0,0 +1,30 @@
+#DESC vpnc
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the vpnc_t domain, et al.
+#
+# vpnc_t is the domain for the vpnc program.
+# vpnc_exec_t is the type of the vpnc executable.
+#
+daemon_domain(vpnc)
+
+allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+
+# Use the network.
+can_network(vpnc_t)
+can_ypbind(vpnc_t)
+
+# Use capabilities.
+allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
+
+allow vpnc_t devpts_t:dir search;
+allow vpnc_t etc_t:file { getattr read };
+allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
+allow vpnc_t vpnc_t:rawip_socket create_socket_perms;
+allow vpnc_t vpnc_t:unix_dgram_socket create_socket_perms;
+allow vpnc_t vpnc_t:unix_stream_socket create_socket_perms;
+allow vpnc_t admin_tty_type:chr_file rw_file_perms;
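Review bot: `allow vpnc_t admin_tty_type:chr_file rw_file_perms;` gives a daemon_domain read and write on every admin tty type. If this is only so output reaches the terminal when sysadm starts vpnc by hand, the usual pattern is a `dontaudit` or relying on the fd inherited via the direct_sysadm_daemon path, not a standing allow. `allow vpnc_t etc_t:file { getattr read }` covers everything labelled etc_t; if vpnc's own configuration under /etc holds the tunnel credentials, a dedicated vpnc_etc_t (as other daemons use for secrets) keeps that file away from every other domain that reads etc_t. Minor: `vpnc_t vpnc_t:` can be written `self:` as on the capability line.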
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.27/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.27/domains/program/unused/xdm.te	2004-10-05 11:36:08.000000000 -0400
@@ -215,6 +215,7 @@
 dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir { search };
 
 # Do not audit denied probes of /proc.
 dontaudit xdm_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.27/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.27/file_contexts/program/mozilla.fc	2004-10-05 11:37:05.225353688 -0400
@@ -5,6 +5,7 @@
 HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_rw_t
+HOME_DIR/My Downloads(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
 /usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
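Review bot: `HOME_DIR/My Downloads(/.*)?` will not parse: file_contexts entries are whitespace-separated fields, so the space splits the regex after `My` and `Downloads(/.*)?` is read as the next field. Use `HOME_DIR/My.Downloads(/.*)?` (one unescaped `.` matching the space) as the merged version does.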
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/passwd.fc policy-1.17.27/file_contexts/program/passwd.fc
--- nsapolicy/file_contexts/program/passwd.fc	2004-03-03 15:53:52.000000000 -0500
+++ policy-1.17.27/file_contexts/program/passwd.fc	2004-10-05 11:36:08.000000000 -0400
@@ -1,5 +1,6 @@
 # spasswd
 /usr/bin/passwd		--	system_u:object_r:passwd_exec_t
+/usr/bin/chage		--	system_u:object_r:passwd_exec_t
 /usr/bin/chsh		--	system_u:object_r:chfn_exec_t
 /usr/bin/chfn		--	system_u:object_r:chfn_exec_t
 /usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.17.27/file_contexts/program/sendmail.fc
--- nsapolicy/file_contexts/program/sendmail.fc	2004-02-05 15:17:07.000000000 -0500
+++ policy-1.17.27/file_contexts/program/sendmail.fc	2004-10-05 11:36:08.000000000 -0400
@@ -3,3 +3,5 @@
 /var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
 /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
+/var/run/sendmail.pid		--	system_u:object_r:sendmail_var_run_t
+/var/run/sm-client.pid		--	system_u:object_r:sendmail_var_run_t
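Review bot: the `.` in `/var/run/sendmail.pid` and `/var/run/sm-client.pid` is unescaped, unlike `sendmail\.st` two lines above; as written it matches any single character in that position. Write `sendmail\.pid` and `sm-client\.pid`.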
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/tvtime.fc policy-1.17.27/file_contexts/program/tvtime.fc
--- nsapolicy/file_contexts/program/tvtime.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.27/file_contexts/program/tvtime.fc	2004-10-05 11:36:08.000000000 -0400
@@ -0,0 +1,3 @@
+# tvtime
+/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
+
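Review bot: the new file ends with an added empty line (the bare `+`); drop it so the file ends after the /usr/bin/tvtime entry.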
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.17.27/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.27/file_contexts/program/vpnc.fc	2004-10-05 11:36:08.000000000 -0400
@@ -0,0 +1,2 @@
+# vpnc
+/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.27/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.27/macros/base_user_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -152,6 +152,7 @@
 ifdef(`crontab.te', `crontab_domain($1)')
 
 ifdef(`screen.te', `screen_domain($1)')
+ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
 ifdef(`use_games', `ifdef(`games.te', `games_domain($1)')')
 ifdef(`gpg.te', `gpg_domain($1)')
@@ -287,6 +288,7 @@
 #
 allow $1_t rpc_pipefs_t:dir { getattr };
 allow $1_t nfsd_fs_t:dir { getattr };
+allow $1_t binfmt_misc_fs_t:dir { getattr };
 
 # /initrd is left mounted, various programs try to look at it
 dontaudit $1_t ramfs_t:dir { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.27/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.17.27/macros/global_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -287,6 +287,7 @@
 allow $1_t device_t:dir { getattr search };
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
 
 r_dir_file($1_t, sysfs_t) 
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.27/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.27/macros/program/inetd_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -37,12 +37,6 @@
 allow $1_t var_t:dir search;
 var_run_domain($1)
 
-# Use sockets inherited from inetd.
-ifelse($2, udp, `
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-', `
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
 # for identd
 allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow $1_t self:capability { setuid setgid };
@@ -52,4 +46,20 @@
 allow $1_t krb5_conf_t:file r_file_perms;
 dontaudit $1_t krb5_conf_t:file write;
 allow $1_t urandom_device_t:chr_file { getattr read };
+type $1_port_t, port_type;
+# Use sockets inherited from inetd.
+ifelse($2, `', `
+allow inetd_t $1_port_t:udp_socket { name_bind };
+allow $1_t inetd_t:udp_socket rw_socket_perms;
+allow inetd_t $1_port_t:tcp_socket { name_bind };
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
+ifelse($2, tcp, `
+allow inetd_t $1_port_t:tcp_socket { name_bind };
+allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
+ifelse($2, udp, `
+allow inetd_t $1_port_t:udp_socket { name_bind };
+allow $1_t inetd_t:udp_socket rw_socket_perms;
+')
 ')
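Review bot: the three `ifelse` blocks silently grant nothing when `$2` is anything other than empty, `tcp` or `udp`, so a typo in a caller produces a service that cannot bind and no build error. Fold them into one chained `ifelse($2, `tcp', `...', `udp', `...', `', `...', `errprint(...)')` so an unknown protocol is reported. With `$2` empty the default is the broadest option (both protocols); consider making callers state the protocol. Also `type $1_port_t, port_type;` is now unconditional, so any .te that still declares its own `foo_port_t` next to `inetd_child_domain(foo)` fails with a duplicate type; this patch fixes comsat, dbskkd, ktalkd, rsync and swat, and the commit text should confirm no other callers remain.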
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.27/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.27/macros/program/mozilla_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -69,8 +69,12 @@
 domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
 # $1_lpr_t should only need read access to the tmp files
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
 ')
 
+dontaudit $1_mozilla_t tmp_t:lnk_file read;
+
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
@@ -107,6 +111,7 @@
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file { unlink };
+dontaudit $1_mozilla_t tmpfile:file getattr;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sendmail_macros.te policy-1.17.27/macros/program/sendmail_macros.te
--- nsapolicy/macros/program/sendmail_macros.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.27/macros/program/sendmail_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -44,7 +44,7 @@
 
 ifelse(`$1', `sysadm', `
 allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:file { getattr read };
+allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
 allow $1_mail_t sysctl_kernel_t:file { getattr read };
 allow $1_mail_t etc_runtime_t:file { getattr read };
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.17.27/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.27/macros/program/tvtime_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -0,0 +1,45 @@
+#
+# Macros for tvtime domains.
+#
+
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#
+# tvtime_domain(domain_prefix)
+#
+# Define a derived domain for the tvtime program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/tvtime.te. 
+#
+undefine(`tvtime_domain')
+ifdef(`tvtime.te', `
+define(`tvtime_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+
+x_client_domain($1, tvtime)
+
+allow $1_tvtime_t urandom_device_t:chr_file read;
+allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
+allow $1_tvtime_t kernel_t:system { ipc_info };
+allow $1_tvtime_t sound_device_t:chr_file { read };
+allow $1_tvtime_t $1_home_t:dir { getattr read search };
+allow $1_tvtime_t $1_home_t:file { getattr read };
+tmp_domain($1_tvtime)
+allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+allow $1_tvtime_t self:process { setsched };
+allow $1_tvtime_t usr_t:file { getattr read };
+allow $1_tvtime_t xdm_tmp_t:dir { search };
+
+')dnl end tvtime_domain
+
+', `
+
+define(`tvtime_domain',`')
+
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.27/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.27/macros/program/xserver_macros.te	2004-10-05 11:36:08.000000000 -0400
@@ -198,7 +198,10 @@
 
 # Create and access /dev/dri devices.
 allow $1_xserver_t device_t:dir create;
+allow $1_xserver_t device_t:dir { setattr };
 file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
+# brought on by rhgb
+allow $1_xserver_t mnt_t:dir { search };
 
 allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
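Review bot: `allow $1_xserver_t device_t:dir { setattr };` duplicates the source and target of the `create` rule on the line above it; merge them into `allow $1_xserver_t device_t:dir { create setattr };`. The `# brought on by rhgb` comment on `mnt_t:dir search` should say what under /mnt the X server searches for, and since the rule is unconditional it applies even when rhgb.te is not in the policy; wrap it in `ifdef(`rhgb.te', ...)` if it exists only for rhgb.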
 
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.27/Makefile
--- nsapolicy/Makefile	2004-09-13 15:58:17.000000000 -0400
+++ policy-1.17.27/Makefile	2004-10-05 11:36:08.000000000 -0400
@@ -52,7 +52,7 @@
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context) $(CONTEXTPATH)/files/media
 
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
@@ -68,6 +68,10 @@
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
+$(APPDIR)/removable_context: appconfig/removable_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
 $(APPDIR)/default_type: appconfig/default_type
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
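Review bot: the new `$(APPDIR)/removable_context` rule depends on `appconfig/removable_context`, which this patch does not add; unless that file already exists in the tree, `make install` now fails on the new APPFILES entry. Add the file, with its default context, in the same patch.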
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.27/net_contexts
--- nsapolicy/net_contexts	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.27/net_contexts	2004-10-05 11:36:08.000000000 -0400
@@ -18,22 +18,25 @@
 # protocol low-high context
 #
 ifdef(`inetd.te', `
-portcon tcp 7 system_u:object_r:inetd_port_t
-portcon udp 7 system_u:object_r:inetd_port_t
-portcon tcp 9 system_u:object_r:inetd_port_t
-portcon udp 9 system_u:object_r:inetd_port_t
-portcon tcp 13 system_u:object_r:inetd_port_t
-portcon udp 13 system_u:object_r:inetd_port_t
-portcon tcp 19 system_u:object_r:inetd_port_t
-portcon udp 19 system_u:object_r:inetd_port_t
-portcon tcp 37 system_u:object_r:inetd_port_t
-portcon udp 37 system_u:object_r:inetd_port_t
-portcon tcp 113 system_u:object_r:inetd_port_t
-portcon udp 512 system_u:object_r:biff_port_t
-portcon tcp 891 system_u:object_r:inetd_port_t
-portcon udp 891 system_u:object_r:inetd_port_t
-portcon tcp 892 system_u:object_r:inetd_port_t
-portcon udp 892 system_u:object_r:inetd_port_t
+portcon tcp 7 system_u:object_r:inetd_child_port_t
+portcon udp 7 system_u:object_r:inetd_child_port_t
+portcon tcp 9 system_u:object_r:inetd_child_port_t
+portcon udp 9 system_u:object_r:inetd_child_port_t
+portcon tcp 13 system_u:object_r:inetd_child_port_t
+portcon udp 13 system_u:object_r:inetd_child_port_t
+portcon tcp 19 system_u:object_r:inetd_child_port_t
+portcon udp 19 system_u:object_r:inetd_child_port_t
+portcon tcp 37 system_u:object_r:inetd_child_port_t
+portcon udp 37 system_u:object_r:inetd_child_port_t
+portcon tcp 113 system_u:object_r:inetd_child_port_t
+portcon tcp 512 system_u:object_r:inetd_child_port_t
+portcon tcp 543 system_u:object_r:inetd_child_port_t
+portcon tcp 544 system_u:object_r:inetd_child_port_t
+portcon tcp 891 system_u:object_r:inetd_child_port_t
+portcon udp 891 system_u:object_r:inetd_child_port_t
+portcon tcp 892 system_u:object_r:inetd_child_port_t
+portcon udp 892 system_u:object_r:inetd_child_port_t
+portcon tcp 2105 system_u:object_r:inetd_child_port_t
 ')
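Review bot: the added `tcp 512` (exec), `tcp 543`/`544` (klogin/kshell) and `tcp 2105` (eklogin) are lumped under inetd_child_port_t, while the kerberos.te hunk further down gives Kerberos its own kerberos_port_t types. If these are the kerberized r-services, label them with a dedicated type in the same way so that only the kerberized daemons' inetd entries can bind them, rather than every inetd child.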
 ifdef(`ftpd.te', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
@@ -87,6 +90,9 @@
 portcon udp 162 system_u:object_r:snmp_port_t
 portcon tcp 199 system_u:object_r:snmp_port_t
 ')
+ifdef(`comsat.te', `
+portcon udp 512 system_u:object_r:comsat_port_t
+')
 ifdef(`slapd.te', `portcon tcp 389 system_u:object_r:ldap_port_t')
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
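Review bot: this file is kept in port order (389, 513, 514 follow), so the new comsat `udp 512` block belongs between the slapd and rlogind lines, not before ldap's 389.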
@@ -102,7 +108,17 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
+ifdef(`kerberos.te', `
+portcon tcp 88 system_u:object_r:kerberos_port_t
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t
+portcon tcp 750 system_u:object_r:kerberos_port_t
+portcon tcp 4444 system_u:object_r:kerberos_master_port_t
+')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`rsync.te', `
+portcon tcp 873 system_u:object_r:rsync_port_t
+portcon udp 873 system_u:object_r:rsync_port_t
+')
 ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
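Review bot: the kerberos block (88, 749, 750, 4444) is inserted after the 631 ipp block although 88 is one of the lowest ports in this sorted file, and 4444 lands far from its neighbours; split it (88 near the top, 749/750 after 631, 4444 after the 1813 radius entry) to keep the numeric order. kerberos_port_t, kerberos_admin_port_t and kerberos_master_port_t must be declared in kerberos.te, which this patch does not touch; please confirm they exist. The rsync block labels `udp 873` as well, which matches the macro granting both protocols, but if rsyncd listens only on tcp a tcp-only entry documents that.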
@@ -112,10 +128,13 @@
 ')
 ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
 ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-ifdef(`radius.te', `portcon udp 1645 system_u:object_r:radius_port_t
+ifdef(`radius.te', `
+portcon udp 1645 system_u:object_r:radius_port_t
 portcon udp 1646 system_u:object_r:radacct_port_t
 portcon udp 1812 system_u:object_r:radius_port_t
-portcon udp 1813 system_u:object_r:radacct_port_t')
+portcon udp 1813 system_u:object_r:radacct_port_t
+')
+ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
 ifdef(`gatekeeper.te', `
 portcon udp 1718 system_u:object_r:gatekeeper_port_t
 portcon udp 1719 system_u:object_r:gatekeeper_port_t
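Review bot: the dbskkd `tcp 1178` entry is appended after the radius 1812/1813 block; in port order it belongs before monopd's 1234 (nessusd's 1241 is already ahead of 1234, but don't add to the disorder). The radius reformat into one entry per line is fine.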
@@ -146,7 +165,7 @@
 portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
 ')
 ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
-ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_port_t')
+ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
 ifdef(`xdm.te', `
 portcon tcp 5900  system_u:object_r:vnc_port_t 
 ')
@@ -190,8 +209,8 @@
 portcon tcp 10080 system_u:object_r:amanda_port_t
 portcon udp 10081 system_u:object_r:amanda_port_t
 portcon tcp 10081 system_u:object_r:amanda_port_t
-portcon tcp 10082 system_u:object_r:amandaidx_port_t
-portcon tcp 10083 system_u:object_r:amidxtape_port_t
+portcon tcp 10082 system_u:object_r:amanda_port_t
+portcon tcp 10083 system_u:object_r:amanda_port_t
 ')
 ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.27/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.27/tunables/distro.tun	2004-10-05 11:36:08.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
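Review bot: enabling `define(`distro_redhat')` changes the default for every build from this tree; distro.tun exists to be set per distribution, so this belongs in Fedora's packaging of the policy, not in the upstream default. Leave it `dnl`'d here.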
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.27/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.27/tunables/tunable.tun	2004-10-05 11:36:08.000000000 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
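Review bot: this turns on nscd_all_connect, user_can_mount, unlimitedRPM, unlimitedUtils, nfs_home_dirs, use_games, allow_ypbind, unlimitedRC, hide_broken_symptoms and user_canbe_sysadm as the shipped defaults. The three `unlimited*` tunables run rpm, hotplug/insmod and every rc-started daemon without its own transition unconfined, and hide_broken_symptoms suppresses audit messages, so the upstream default moves from confined to mostly unconfined in one hunk. Like distro.tun, these are distribution choices and should stay commented out here, with Fedora enabling them in its own build.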


* Re: policy patches
  2004-10-05 15:41           ` Daniel J Walsh
@ 2004-10-05 17:35             ` James Carter
       [not found]               ` <4162DEC3.4050306@redhat.com>
  2004-10-05 19:06             ` James Carter
  1 sibling, 1 reply; 47+ messages in thread
From: James Carter @ 2004-10-05 17:35 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, SELinux

On Tue, 2004-10-05 at 11:41, Daniel J Walsh wrote:
> Submitting patches against latest policy again.
> 
> Dan
> 
> ______________________________________________________________________

> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.27/file_contexts/program/mozilla.fc
> --- nsapolicy/file_contexts/program/mozilla.fc	2004-09-30 20:48:49.000000000 -0400
> +++ policy-1.17.27/file_contexts/program/mozilla.fc	2004-10-05 11:37:05.225353688 -0400
> @@ -5,6 +5,7 @@
>  HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
>  HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
>  HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_rw_t
> +HOME_DIR/My Downloads(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
>  /usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
>  /usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
>  /usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t

Shouldn't this have an ifdef(`windows') around it? :)

Is this going to be some sort of default download area for Mozilla?
Is this Fedora specific?

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: policy patches
       [not found]               ` <4162DEC3.4050306@redhat.com>
@ 2004-10-05 18:22                 ` James Carter
  0 siblings, 0 replies; 47+ messages in thread
From: James Carter @ 2004-10-05 18:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Tue, 2004-10-05 at 13:49, Daniel J Walsh wrote:
> James Carter wrote:
> 
> >On Tue, 2004-10-05 at 11:41, Daniel J Walsh wrote:
> >  
> >
> >>Submitting patches against latest policy again.
> >>
> >>Dan
> >>
> >>______________________________________________________________________
> >>    
> >>
> >
> >  
> >
> >>diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.17.27/file_contexts/program/mozilla.fc
> >>--- nsapolicy/file_contexts/program/mozilla.fc	2004-09-30 20:48:49.000000000 -0400
> >>+++ policy-1.17.27/file_contexts/program/mozilla.fc	2004-10-05 11:37:05.225353688 -0400
> >>@@ -5,6 +5,7 @@
> >> HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
> >> HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_mozilla_rw_t
> >> HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_rw_t
> >>+HOME_DIR/My Downloads(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
> >> /usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
> >> /usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
> >> /usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
> >>    
> >>
> >
> >Shouldn't this have an ifdef(`windows') around it? :)
> >
> >Is this going to be some sort of default download area for Mozilla?
> >Is this Fedora specific?
> >
> >  
> >
> Default download for Firefox.

This won't work with the space; I used this instead:

HOME_DIR/My.Downloads(/.*)?	system_u:object_r:ROLE_mozilla_rw_t

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: policy patches
  2004-10-05 15:41           ` Daniel J Walsh
  2004-10-05 17:35             ` James Carter
@ 2004-10-05 19:06             ` James Carter
  2004-10-06 10:10               ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 47+ messages in thread
From: James Carter @ 2004-10-05 19:06 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, SELinux

Merged.  

There are some minor changes such as My.Downloads instead of My
Downloads and not having {} around a single item.

On Tue, 2004-10-05 at 11:41, Daniel J Walsh wrote:
> Submitting patches against latest policy again.
> 
> Dan
> 
> ______________________________________________________________________
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: policy patches
  2004-10-05 19:06             ` James Carter
@ 2004-10-06 10:10               ` Luke Kenneth Casson Leighton
  2004-10-06 11:40                 ` Erich Schubert
                                   ` (2 more replies)
  0 siblings, 3 replies; 47+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-06 10:10 UTC (permalink / raw)
  To: James Carter; +Cc: Daniel J Walsh, Russell Coker, SELinux

james, i didn't see a reply to your question about whether
it was mozilla that defined the "~/My Downloads" directory:
did i miss something?

i appreciate the issues of needing, ultimately, some helper-program
intervention which determines (saaay... by asking for the user's
password) whether a file should be saved with a file context of
user_mozilla_t or user_home_t.

and that there needs to be a sandbox area in which files should be
saved.

... but does it _have_ to be in ~/My windows style downloads???


On Tue, Oct 05, 2004 at 03:06:42PM -0400, James Carter wrote:
> Merged.  
> 
> There are some minor changes such as My.Downloads instead of My
> Downloads and not having {} around a single item.
> 



* Re: policy patches
  2004-10-06 10:10               ` Luke Kenneth Casson Leighton
@ 2004-10-06 11:40                 ` Erich Schubert
  2004-10-06 12:32                 ` James Carter
  2004-10-06 13:13                 ` Daniel J Walsh
  2 siblings, 0 replies; 47+ messages in thread
From: Erich Schubert @ 2004-10-06 11:40 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton
  Cc: James Carter, Daniel J Walsh, Russell Coker, SELinux

Hi,

> james, i didn't see a reply to your question about whether
> it was mozilla that defined the "~/My Downloads" directory:
> did i miss something?

> ... but does it _have_ to be in ~/My windows style downloads???

In the default configuration Epiphany saves to ~/Desktop/Downloads i
think. IMHO Distributions should configure Mozilla to use this
directory, too, by default.
When i first saw this i was a bit annoyed, that it didn't ask me where
to save the downloads. But when i had my file managers open, i found it
even easier to just move the downloaded files to their destinations than
having the file selector pop up.

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.       //\
               For every problem there is a solution               V_/_
                 that is simple, clear and wrong.




* Re: policy patches
  2004-10-06 10:10               ` Luke Kenneth Casson Leighton
  2004-10-06 11:40                 ` Erich Schubert
@ 2004-10-06 12:32                 ` James Carter
  2004-10-06 13:13                 ` Daniel J Walsh
  2 siblings, 0 replies; 47+ messages in thread
From: James Carter @ 2004-10-06 12:32 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Daniel J Walsh, Russell Coker, SELinux

Dan replied to me that it was the default download place for Firefox.

On Wed, 2004-10-06 at 06:10, Luke Kenneth Casson Leighton wrote:
> james, i didn't see a reply to your question about whether
> it was mozilla that defined the "~/My Downloads" directory:
> did i miss something?
> 
> i appreciate the issues of needing, ultimately, some helper-program
> intervention which determines (saaay... by asking for the user's
> password) whether a file should be saved with a file context of
> user_mozilla_t or user_home_t.
> 
> and that there needs to be a sandbox area in which files should be
> saved.
> 
> ... but does it _have_ to be in ~/My windows style downloads???
> 
> 
> On Tue, Oct 05, 2004 at 03:06:42PM -0400, James Carter wrote:
> > Merged.  
> > 
> > There are some minor changes such as My.Downloads instead of My
> > Downloads and not having {} around a single item.
> > 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: policy patches
  2004-10-06 10:10               ` Luke Kenneth Casson Leighton
  2004-10-06 11:40                 ` Erich Schubert
  2004-10-06 12:32                 ` James Carter
@ 2004-10-06 13:13                 ` Daniel J Walsh
  2004-10-06 13:50                   ` Luke Kenneth Casson Leighton
  2 siblings, 1 reply; 47+ messages in thread
From: Daniel J Walsh @ 2004-10-06 13:13 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: James Carter, Russell Coker, SELinux

Luke Kenneth Casson Leighton wrote:

>james, i didn't see a reply to your question about whether
>it was mozilla that defined the "~/My Downloads" directory:
>did i miss something?
>
>i appreciate the issues of needing, ultimately, some helper-program
>intervention which determines (saaay... by asking for the user's
>password) whether a file should be saved with a file context of
>user_mozilla_t or user_home_t.
>
>and that there needs to be a sandbox area in which files should be
>saved.
>
>... but does it _have_ to be in ~/My windows style downloads???
>
>
>On Tue, Oct 05, 2004 at 03:06:42PM -0400, James Carter wrote:
>>Merged.  
>>
>>There are some minor changes such as My.Downloads instead of My
>>Downloads and not having {} around a single item.
>>
"My Downloads" is a default of firefox.  Don't shoot the messenger.
http://www.mozilla.org/projects/firefox/ue/downloads/
Dan


* Re: policy patches
  2004-10-06 13:13                 ` Daniel J Walsh
@ 2004-10-06 13:50                   ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 47+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-06 13:50 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: James Carter, Russell Coker, SELinux

On Wed, Oct 06, 2004 at 09:13:16AM -0400, Daniel J Walsh wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> "My Downloads" is a default of firefox.  Don't shoot the messenger.

 ah ha, that's the bit of info i was missing.

 ta,

 l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />



* Re: policy patches
  2004-10-02 20:14               ` Russell Coker
@ 2004-10-06 15:28                 ` Daniel J Walsh
  2004-10-10 17:37                   ` Russell Coker
  0 siblings, 1 reply; 47+ messages in thread
From: Daniel J Walsh @ 2004-10-06 15:28 UTC (permalink / raw)
  To: russell; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 560 bytes --]

Russell Coker wrote:

>On Sat, 2 Oct 2004 20:16, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>Russell Coker wrote:
>>>On Sat, 2 Oct 2004 06:45, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>>Cleaned up patch with some of russells changes.
>>>>
>>>>chage has been updated to do a checkPasswdAccess(PASSWD__ROOTOK) now.
>>>+allow getty_t initrc_devpts_t:chr_file { read write };
>>>
>>>What is this for?
>>I have been getting AVC messages for it.
>
>Please show me the AVC messages.


[-- Attachment #2: getty --]
[-- Type: text/plain, Size: 2952 bytes --]

Oct  6 07:31:21 dhcppc0 kernel: audit(1097062281.872:0): avc:  denied  { read write } for  pid=3884 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062281.909:0): avc:  denied  { read write } for  pid=3885 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062281.910:0): avc:  denied  { read write } for  pid=3885 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062281.910:0): avc:  denied  { read write } for  pid=3885 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.034:0): avc:  denied  { read write } for  pid=3930 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.157:0): avc:  denied  { read write } for  pid=3975 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.157:0): avc:  denied  { read write } for  pid=3975 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.158:0): avc:  denied  { read write } for  pid=3975 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.279:0): avc:  denied  { read write } for  pid=4020 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.280:0): avc:  denied  { read write } for  pid=4020 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.280:0): avc:  denied  { read write } for  pid=4020 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 dhcppc0 kernel: audit(1097062282.580:0): avc:  denied  { read write } for  pid=4065 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
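
Added example, not part of the thread: a Python aggregator that parses AVC denials in the kernel-log format shown above, groups them by source type, target type and object class, and prints the allow rule each group would need together with the executables and paths seen, so the rule can be reviewed against the policy rather than pasted in. The log lines inside the block are constructed for the example (hostname, pids and the quotacheck line are made up), and the script assumes the pre-auditd `audit(...)` line format used in this thread.

```python
import re

# Constructed sample log lines (hostname, pids and the quotacheck entry are
# made up) in the pre-auditd kernel "audit(...)" format seen in this thread.
SAMPLE_LOG = """\
Oct  6 07:31:21 host kernel: audit(1097062281.872:0): avc:  denied  { read write } for  pid=3884 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 host kernel: audit(1097062281.909:0): avc:  denied  { read write } for  pid=3885 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:31:22 host kernel: audit(1097062282.034:0): avc:  denied  { read } for  pid=3930 exe=/sbin/mingetty path=/dev/pts/0 dev=devpts ino=2 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
Oct  6 07:40:02 host kernel: audit(1097062802.500:0): avc:  denied  { getattr } for  pid=4210 exe=/sbin/quotacheck path=/dev/hda1 dev=tmpfs ino=1042 scontext=system_u:system_r:quota_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Oct  6 07:40:03 host kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for an AVC line (action, perms and the key=value fields)
    or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"action": m.group("action"),
           "perms": frozenset(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def type_of(context):
    """user:role:type -> type"""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class); union the
    permissions and record the executables and paths seen, so a reviewer can
    judge whether the access is legitimate before writing a rule."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        entry = summary.setdefault(
            key, {"count": 0, "perms": set(), "exes": set(), "paths": set()})
        entry["count"] += 1
        entry["perms"] |= rec["perms"]
        if "exe" in rec:
            entry["exes"].add(rec["exe"])
        if "path" in rec:
            entry["paths"].add(rec["path"])
    return summary


def format_rule(key, perms):
    """Render an allow rule in the policy's style: braces only around more
    than one permission."""
    stype, ttype, tclass = key
    names = sorted(perms)
    perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


def suggest_rules(summary):
    """One candidate rule per (source, target, class) group, sorted."""
    return sorted(format_rule(key, entry["perms"]) for key, entry in summary.items())


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for key, entry in sorted(summary.items()):
        print(f"# {entry['count']} denial(s); exe={sorted(entry['exes'])} "
              f"path={sorted(entry['paths'])}")
        print(format_rule(key, entry["perms"]))
```

The quotacheck group shows the single-permission form without braces, the convention James mentions earlier in the thread, and the getty group reports the same exe and path for every denial, which is the kind of detail Russell asks for when deciding whether a rule belongs in the policy proper or under a conditional such as `hide_broken_symptoms`.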


* Re: policy patches
  2004-10-06 15:28                 ` Daniel J Walsh
@ 2004-10-10 17:37                   ` Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2004-10-10 17:37 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

On Thu, 7 Oct 2004 01:28, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Russell Coker wrote:
> >On Sat, 2 Oct 2004 20:16, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>Russell Coker wrote:
> >>>On Sat, 2 Oct 2004 06:45, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>>>Cleaned up patch with some of russells changes.
> >>>>
> >>>>chage has been updated to do a checkPasswdAccess(PASSWD__ROOTOK) now.
> >>>
> >>>+allow getty_t initrc_devpts_t:chr_file { read write };
> >>>
> >>>What is this for?
> >>
> >>I have been getting AVC messages for it.
> >
> >Please show me the AVC messages.

That's strange.  How do you reproduce this?

initrc_devpts_t can only be created by initrc_t, and getty_t can only be 
entered from init_t.  Somehow getty or init must be trying to open /dev/pts/0 
for some reason.

Something must have a bug, it would be good if we could track it down.

In the mean time if this entry is to be included in the policy it should have 
ifdef(`distro_redhat' or ifdef(`hide_broken_symptoms' around it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* policy patches
@ 2005-01-02 12:03 Russell Coker
  2005-01-04 19:33 ` James Carter
  2005-01-05 16:45 ` James Carter
  0 siblings, 2 replies; 47+ messages in thread
From: Russell Coker @ 2005-01-02 12:03 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 709 bytes --]

network_macros.diff makes a cosmetic change to the network macros.

quota.diff enables converting quota files from old format to new format and 
adds access to raw disk devices which seems to be needed by the newer 
versions of the quota utilities.

screen.diff allows screen access to proc files so that it can display the 
uptime and other trivial stuff.  Screen can work without this, but it's handy 
to have it and proc_t is hardly restricted anyway.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: quota.diff --]
[-- Type: text/x-diff, Size: 1349 bytes --]

--- /usr/src/se/policy/file_contexts/program/quota.fc	2004-11-20 01:18:22.000000000 +1100
+++ file_contexts/program/quota.fc	2005-01-02 22:52:18.000000000 +1100
@@ -1,5 +1,10 @@
 # quota system
 /var/lib/quota(/.*)?		system_u:object_r:quota_flag_t
 /sbin/quota(check|on)	--	system_u:object_r:quota_exec_t
+ifdef(`distro_redhat', `
+/usr/sbin/convertquota	--	system_u:object_r:quota_exec_t
+', `
+/sbin/convertquota	--	system_u:object_r:quota_exec_t
+')
 HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
 /var/a?quota\.(user|group) -- system_u:object_r:quota_db_t
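Review bot: the `ifdef(`distro_redhat', ...)` around the two `convertquota` entries is not needed: a file_contexts entry whose path does not exist on a system simply never matches, so listing both `/usr/sbin/convertquota` and `/sbin/convertquota` unconditionally labels the binary on either layout and avoids one more distro-specific branch to keep in sync.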
--- /usr/src/se/policy/domains/program/unused/quota.te	2004-11-13 03:56:03.000000000 +1100
+++ domains/program/unused/quota.te	2005-01-02 22:53:20.000000000 +1100
@@ -10,7 +10,7 @@
 #
 # needs auth attribute because it has read access to shadow_t because checkquota
 # is buggy
-daemon_base_domain(quota, `, auth')
+daemon_base_domain(quota, `, auth, fs_domain')
 
 # so the administrator can run quotacheck
 domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
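Review bot: the comment above `daemon_base_domain(quota, `, auth, fs_domain')` explains why `auth` is there but says nothing about the new `fs_domain` attribute. Add a line naming the quota utility and operation that needs it (the cover letter only says it "seems to be needed"), since an attribute grants a whole set of rules at once and a later reader cannot tell from this hunk which of them quota actually uses.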
@@ -39,6 +39,8 @@
 allow quota_t file_type:lnk_file { read getattr };
 allow quota_t device_type:{ chr_file blk_file } getattr;
 
+allow quota_t fixed_disk_device_t:blk_file { getattr read };
+
 # for /quota.*
 allow quota_t quota_db_t:file { read write };
 dontaudit unpriv_userdomain quota_db_t:file getattr;
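Review bot: in `allow quota_t fixed_disk_device_t:blk_file { getattr read };` the `getattr` is already covered by the `allow quota_t device_type:{ chr_file blk_file } getattr;` line two lines above, provided fixed_disk_device_t carries the device_type attribute as the device types in this policy normally do, so the only new permission is `read`. Reduce the rule to `read` and add a comment naming the utility that triggered it: reading raw fixed-disk devices lets the domain read every on-disk file regardless of its label, so the reason should be recorded next to the rule.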

[-- Attachment #3: network_macros.diff --]
[-- Type: text/x-diff, Size: 542 bytes --]

--- /usr/src/se/policy/macros/network_macros.te	2004-11-25 06:44:37.000000000 +1100
+++ macros/network_macros.te	2004-12-25 12:26:30.000000000 +1100
@@ -79,11 +79,12 @@
 # Permissions for accessing the network.
 # See types/network.te for the network types.
 # See net_contexts for security contexts for network entities.
+# Combination of can_network_client_tcp() and can_network_server_tcp()
 #
 define(`can_network_tcp',`
 
 can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
+allow $1 self:tcp_socket { connect };
 
 ')
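Review bot: the new comment `# Combination of can_network_client_tcp() and can_network_server_tcp()` describes what the macro used to do; after this hunk the body calls only `can_network_server_tcp($1, `$2')` plus a bare `allow $1 self:tcp_socket { connect };`, so the comment no longer matches the code. Either keep the explicit `can_network_client_tcp($1, `$2')` call (the policy compiler collapses the duplicate rules) or rewrite the comment to say that the client side is reduced to `connect` because the server macro already grants the shared socket permissions; as written, a future change to can_network_client_tcp would silently not apply here.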
 

[-- Attachment #4: screen.diff --]
[-- Type: text/x-diff, Size: 430 bytes --]

--- /usr/src/se/policy/macros/program/screen_macros.te	2004-12-13 09:55:31.000000000 +1100
+++ macros/program/screen_macros.te	2004-12-31 10:34:39.000000000 +1100
@@ -87,6 +87,7 @@
 
 # get stats
 allow $1_screen_t proc_t:dir search;
+allow $1_screen_t proc_t:file { getattr read };
 allow $1_screen_t proc_t:lnk_file read;
 allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
 allow $1_screen_t self:dir { search read };
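Review bot: `allow $1_screen_t proc_t:file { getattr read };` grants read on every file labelled proc_t, not just the uptime and load statistics the cover letter mentions. Extend the `# get stats` comment to name the files screen actually reads (the AVC denials that prompted the rule would show the path), so the rule can be tightened if those files are ever given their own type.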


* Re: policy patches
  2005-01-02 12:03 Russell Coker
@ 2005-01-04 19:33 ` James Carter
  2005-01-05 16:45 ` James Carter
  1 sibling, 0 replies; 47+ messages in thread
From: James Carter @ 2005-01-04 19:33 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE-Linux

On Sun, 2005-01-02 at 07:03, Russell Coker wrote:
> network_macros.diff makes a cosmetic change to the network macros.

I don't see the benefit of this, the compiler will take care of the
duplicate rules, and it is easier to maintain as is.  

If this were the only thing producing duplicate rules, then it might be
worthwhile.  

If we were going to change it, wouldn't this be better anyway?

define(`can_network_tcp',`
base_can_network($1, tcp, `$2')
allow $1 self:tcp_socket { listen accept connect };
')

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: policy patches
  2005-01-02 12:03 Russell Coker
  2005-01-04 19:33 ` James Carter
@ 2005-01-05 16:45 ` James Carter
  1 sibling, 0 replies; 47+ messages in thread
From: James Carter @ 2005-01-05 16:45 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE-Linux

Merged quota and screen patches.

On Sun, 2005-01-02 at 07:03, Russell Coker wrote:
> network_macros.diff makes a cosmetic change to the network macros.
> 
> quota.diff enables converting quota files from old format to new format and 
> adds access to raw disk devices which seems to be needed by the newer 
> versions of the quota utilities.
> 
> screen.diff allows screen access to proc files so that it can display the 
> uptime and other trivial stuff.  Screen can work without this, but it's handy 
> to have it and proc_t is hardly restricted anyway.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* policy patches
@ 2005-09-19  5:13 Russell Coker
  0 siblings, 0 replies; 47+ messages in thread
From: Russell Coker @ 2005-09-19  5:13 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 582 bytes --]

app.diff changes the application_domain() macro to work on the targeted 
policy.  This is needed for running the Postfix "postmap" program on the 
targeted policy among other things.

games.diff adds correct labelling for FreeCiv on Red Hat, adds an ifdef to 
reduce redundant rules, and removes an unnecessary lib64 reference.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: app.diff --]
[-- Type: text/x-diff, Size: 390 bytes --]

--- macros/global_macros.te.orig	2005-09-19 14:24:32.000000000 +1000
+++ macros/global_macros.te	2005-09-19 14:25:03.000000000 +1000
@@ -518,6 +518,9 @@
 type $1_t, domain, privlog $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
 role sysadm_r types $1_t;
+ifdef(`targeted_policy', `
+role system_r types $1_t;
+')
 domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
 uses_shlib($1_t)
 ')
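Review bot: the new `ifdef(`targeted_policy', `` block adding `role system_r types $1_t;` carries no comment explaining why application domains must be reachable from system_r on the targeted policy; the cover letter gives the reason (running the Postfix postmap program on the targeted policy) but the macro does not. Put that reason in global_macros.te next to the unconditional `role sysadm_r types $1_t;`, since the macro is read far more often than this mail.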

[-- Attachment #3: games.diff --]
[-- Type: text/x-diff, Size: 1096 bytes --]

--- file_contexts/program/games.fc.orig	2005-09-17 01:59:39.000000000 +1000
+++ file_contexts/program/games.fc	2005-09-19 15:04:30.000000000 +1000
@@ -1,8 +1,10 @@
 #  games
-/usr/lib(64)?/games/.* 	--	system_u:object_r:games_exec_t:s0
-/var/games(/.*)?		system_u:object_r:games_data_t:s0
-/usr/games/.*		--	system_u:object_r:games_exec_t:s0
+/usr/lib/games/.* 	--	system_u:object_r:games_exec_t:s0
 /var/lib/games(/.*)? 		system_u:object_r:games_data_t:s0
+ifdef(`distro_debian', `
+/usr/games/.*		--	system_u:object_r:games_exec_t:s0
+/var/games(/.*)?		system_u:object_r:games_data_t:s0
+', `
 /usr/bin/micq		--	system_u:object_r:games_exec_t:s0
 /usr/bin/blackjack	--	system_u:object_r:games_exec_t:s0
 /usr/bin/gataxx		--	system_u:object_r:games_exec_t:s0
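Review bot: the `ifdef(`distro_debian', `` opened at the end of this hunk is closed only by the `')dnl end non-Debian section` in the next hunk, some fifty lines further down, so every `/usr/bin/...` game entry in between silently becomes non-Debian-only. Mark the start of the conditional with a matching comment (for example `dnl start non-Debian section`) so a reader of this part of the file can see where the branch begins, and confirm that none of the entries in the wrapped range are wanted on Debian as well.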
@@ -53,4 +55,6 @@
 /usr/bin/lskat		--	system_u:object_r:games_exec_t:s0
 /usr/bin/lskatproc	--	system_u:object_r:games_exec_t:s0
 /usr/bin/Maelstrom	--	system_u:object_r:games_exec_t:s0
-
+/usr/bin/civclient.*	--	system_u:object_r:games_exec_t:s0
+/usr/bin/civserver.*	--	system_u:object_r:games_exec_t:s0
+')dnl end non-Debian section
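Review bot: `/usr/bin/civclient.*` and `/usr/bin/civserver.*` are unanchored at the end, so they also match any unrelated name that merely starts with those strings. If the `.*` is there to cover versioned binary names, say so in a comment; otherwise use exact paths as the surrounding entries do.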



Thread overview: 47+ messages
2004-09-29 13:54 policy patches Russell Coker
2004-09-29 17:45 ` Thomas Bleher
2004-09-29 20:20   ` Russell Coker
2004-10-01 16:42     ` James Carter
2004-10-01 17:44       ` Russell Coker
2004-10-01 20:45         ` Daniel J Walsh
2004-10-02  0:42           ` Russell Coker
2004-10-02 10:16             ` Daniel J Walsh
2004-10-02 20:14               ` Russell Coker
2004-10-06 15:28                 ` Daniel J Walsh
2004-10-10 17:37                   ` Russell Coker
2004-10-02  0:43           ` Russell Coker
2004-10-02 10:18             ` Daniel J Walsh
2004-10-02 20:15               ` Russell Coker
2004-10-04 20:12         ` James Carter
2004-10-05 15:41           ` Daniel J Walsh
2004-10-05 17:35             ` James Carter
     [not found]               ` <4162DEC3.4050306@redhat.com>
2004-10-05 18:22                 ` James Carter
2004-10-05 19:06             ` James Carter
2004-10-06 10:10               ` Luke Kenneth Casson Leighton
2004-10-06 11:40                 ` Erich Schubert
2004-10-06 12:32                 ` James Carter
2004-10-06 13:13                 ` Daniel J Walsh
2004-10-06 13:50                   ` Luke Kenneth Casson Leighton
  -- strict thread matches above, loose matches on Subject: below --
2005-09-19  5:13 Russell Coker
2005-01-02 12:03 Russell Coker
2005-01-04 19:33 ` James Carter
2005-01-05 16:45 ` James Carter
2004-09-16 11:51 hald fix Russell Coker
2004-09-16 14:52 ` James Carter
2004-09-16 21:23   ` Policy patches Daniel J Walsh
2004-09-17 12:07     ` Russell Coker
2004-09-20 20:03       ` James Carter
2004-09-17 20:56     ` James Carter
2004-09-20 12:35       ` Daniel J Walsh
2004-09-21 20:55         ` Daniel J Walsh
2004-09-22 20:21           ` James Carter
2004-08-19 12:57 policy patches Russell Coker
2004-08-20 19:07 ` Stephen Smalley
2003-04-26  7:30 Russell Coker
2003-03-27 18:25 Kelly_Djahandari
2003-03-26 17:47 Kelly_Djahandari
2003-03-22 22:53 Russell Coker
2003-03-22 22:14 Russell Coker
2003-03-24 17:13 ` Wayne Salamon
2002-11-04 12:41 Russell Coker
2002-09-09 22:59 Russell Coker
2002-09-21  2:39 ` Stephen Smalley
2002-08-09 15:30 Russell Coker
