Today's Diffs.

All of lore.kernel.org
 help / color / mirror / Atom feed

* Today's Diffs.
@ 2004-10-06 17:54 Daniel J Walsh
  2004-10-06 20:24 ` James Carter
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2004-10-06 17:54 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 379 bytes --]

I added a rpm.te for targeted policy.  This will allow snmpd to work 
correctly and read the /var/lib/rpm files.  Doing this required me
to break out the distro specific files at the bottom of the rpm.fc file 
into a distro.fc file.

Added reiserfs changes

Added getty access to initrc_devpts_t.

Some fixes for i18n.

Minor fixes for inetd_child stuff.

Fixes for rpm_script.


[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 23036 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.28/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-09-29 07:36:46.000000000 -0400
+++ policy-1.17.28/domains/program/crond.te	2004-10-06 10:34:25.000000000 -0400
@@ -46,7 +46,7 @@
 log_domain(crond)
 
 # Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
 dontaudit crond_t self:capability sys_resource;
 
 # Get security policy decisions.
@@ -138,7 +138,7 @@
 lock_domain(system_crond)
 
 # for if /var/mail is a symlink
-allow crond_t mail_spool_t:lnk_file read;
+allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
 allow crond_t mail_spool_t:dir search;
 
 ifdef(`mta.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.17.28/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2004-08-20 13:57:27.000000000 -0400
+++ policy-1.17.28/domains/program/getty.te	2004-10-06 13:52:23.427887318 -0400
@@ -58,3 +58,4 @@
 
 rw_dir_create_file(getty_t, var_lock_t)
 r_dir_file(getty_t, sysfs_t)
+allow getty_t initrc_devpts_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.28/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-01 15:05:30.000000000 -0400
+++ policy-1.17.28/domains/program/syslogd.te	2004-10-06 13:46:58.106176081 -0400
@@ -94,5 +94,5 @@
 # /initrd is not umounted before minilog starts
 #
 dontaudit syslogd_t file_t:dir search;
-allow syslogd_t devpts_t:dir { search };
+allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.17.28/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.28/domains/program/unused/amanda.te	2004-10-06 10:34:25.000000000 -0400
@@ -302,5 +302,5 @@
 #  Rules to allow amanda to be run as a service in xinetd
 #
 type amanda_port_t, port_type;
-allow inetd_t amanda_port_t:udp_socket { name_bind };
+allow inetd_t amanda_port_t:{ tcp_socket udp_socket } { name_bind };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.28/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.28/domains/program/unused/comsat.te	2004-10-06 10:34:25.000000000 -0400
@@ -11,7 +11,7 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-inetd_child_domain(comsat, udp)
+inetd_child_domain(comsat,udp)
 allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
 allow comsat_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.28/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.28/domains/program/unused/hald.te	2004-10-06 10:34:25.000000000 -0400
@@ -31,7 +31,7 @@
 
 allow hald_t bin_t:file { getattr };
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
 can_network(hald_t)
 can_ypbind(hald_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.28/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.28/domains/program/unused/i18n_input.te	2004-10-06 10:34:25.000000000 -0400
@@ -25,7 +25,10 @@
 allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
 
 allow i18n_input_t self:capability { kill setgid setuid };
-allow i18n_input_t self:process setsched;
+allow i18n_input_t self:process { setsched setpgid };
 
 allow i18n_input_t { bin_t sbin_t }:dir search;
 
+allow i18n_input_t etc_t:file r_file_perms;
+allow i18n_input_t self:unix_dgram_socket create_socket_perms;
+allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/jabberd.te policy-1.17.28/domains/program/unused/jabberd.te
--- nsapolicy/domains/program/unused/jabberd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.28/domains/program/unused/jabberd.te	2004-10-06 10:34:25.000000000 -0400
@@ -4,7 +4,7 @@
 # X-Debian-Packages: jabber
 
 daemon_domain(jabberd)
-log_domain(jabberd)
+logdir_domain(jabberd)
 var_lib_domain(jabberd)
 
 type jabber_client_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.28/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.28/domains/program/unused/ktalkd.te	2004-10-06 10:34:25.000000000 -0400
@@ -10,4 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-inetd_child_domain(ktalkd, udp)
+inetd_child_domain(ktalkd,udp)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.28/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.28/domains/program/unused/rpm.te	2004-10-06 10:34:25.000000000 -0400
@@ -152,7 +152,7 @@
 can_exec_any(rpm_script_t)
 
 # Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 
 # ideally we would not need this
 allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
@@ -219,7 +219,7 @@
 
 allow rpm_t mount_t:tcp_socket { write };
 create_dir_file(rpm_t, nfs_t)
-allow rpm_t nfs_t:filesystem getattr;
+allow rpm_t { removable_t nfs_t }:filesystem getattr;
 
 allow rpm_script_t userdomain:fd use;
 
@@ -248,6 +248,8 @@
 allow rpmbuild_t policy_src_t:file { getattr read };
 can_getsecurity(rpmbuild_t)
 
+allow rpm_script_t userdomain:process { signal };
+
 ifdef(`unlimitedRPM', `
 unconfined_domain(rpm_t)
 unconfined_domain(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.28/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.28/domains/program/unused/sendmail.te	2004-10-06 10:34:25.000000000 -0400
@@ -65,11 +65,6 @@
 # Read /usr/lib/sasl2/.*
 allow sendmail_t lib_t:file { getattr read };
 
-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
 # When sendmail runs as user_mail_domain, it needs some extra permissions
 # to update /etc/mail/statistics.
 allow user_mail_domain etc_mail_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.17.28/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.28/file_contexts/distros.fc	2004-10-06 10:34:25.000000000 -0400
@@ -0,0 +1,34 @@
+ifdef(`distro_redhat', `
+/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
+/etc/sysconfig/networking/profiles/.*/resolv.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/.*resolv.conf -- system_u:object_r:net_conf_t
+/usr/share/rhn/rhn_applet/applet.py -- system_u:object_r:bin_t
+/usr/share/rhn/rhn_applet/eggtrayiconmodule.so -- system_u:object_r:shlib_t
+/usr/share/rhn/rhn_applet/needed-packages.py	--	system_u:object_r:bin_t
+/usr/share/authconfig/authconfig-gtk.py -- system_u:object_r:bin_t
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
+/usr/share/system-logviewer/system-logviewer.py -- system_u:object_r:bin_t
+/usr/share/system-config-date/system-config-date.py -- system_u:object_r:bin_t
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/system-config-netboot.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeos.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeboot.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/system-config-nfs.py -- system_u:object_r:bin_t
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
+/usr/share/system-config-samba/system-config-samba.py -- system_u:object_r:bin_t
+/usr/share/system-config-securitylevel/system-config-securitylevel.py -- system_u:object_r:bin_t
+/usr/share/system-config-services/serviceconf.py -- system_u:object_r:bin_t
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
+/usr/share/switchdesk/switchdesk-gui.py	--	system_u:object_r:bin_t
+/usr/share/system-config-network/neat-control.py	--	system_u:object_r:bin_t
+/usr/share/system-config-nfs/nfs-export.py	--	system_u:object_r:bin_t
+/usr/share/pydict/pydict.py	--	system_u:object_r:bin_t
+/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.17.28/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc	2004-06-22 15:14:34.000000000 -0400
+++ policy-1.17.28/file_contexts/program/i18n_input.fc	2004-10-06 10:34:25.000000000 -0400
@@ -4,3 +4,4 @@
 /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
 /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
 /usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
+/var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpm.fc policy-1.17.28/file_contexts/program/rpm.fc
--- nsapolicy/file_contexts/program/rpm.fc	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.28/file_contexts/program/rpm.fc	2004-10-06 10:34:25.000000000 -0400
@@ -3,8 +3,6 @@
 /var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t
 /bin/rpm 		--	system_u:object_r:rpm_exec_t
 /usr/bin/yum 		--	system_u:object_r:rpm_exec_t
-/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t
-/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t
 /usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t
 /usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t
 /usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t 
@@ -15,37 +13,8 @@
 /var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t
 /var/log/yum.log	--	system_u:object_r:rpm_log_t
 ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
-/etc/sysconfig/networking/profiles/.*/resolv.conf -- system_u:object_r:net_conf_t
-/etc/sysconfig/network-scripts/.*resolv.conf -- system_u:object_r:net_conf_t
-/usr/share/rhn/rhn_applet/applet.py -- system_u:object_r:bin_t
-/usr/share/rhn/rhn_applet/eggtrayiconmodule.so -- system_u:object_r:shlib_t
-/usr/share/rhn/rhn_applet/needed-packages.py	--	system_u:object_r:bin_t
-/usr/share/authconfig/authconfig-gtk.py -- system_u:object_r:bin_t
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
-/usr/share/system-logviewer/system-logviewer.py -- system_u:object_r:bin_t
-/usr/share/system-config-date/system-config-date.py -- system_u:object_r:bin_t
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/system-config-netboot.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeos.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeboot.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/system-config-nfs.py -- system_u:object_r:bin_t
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
-/usr/share/system-config-samba/system-config-samba.py -- system_u:object_r:bin_t
-/usr/share/system-config-securitylevel/system-config-securitylevel.py -- system_u:object_r:bin_t
-/usr/share/system-config-services/serviceconf.py -- system_u:object_r:bin_t
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
-/usr/share/switchdesk/switchdesk-gui.py	--	system_u:object_r:bin_t
-/usr/share/system-config-network/neat-control.py	--	system_u:object_r:bin_t
-/usr/share/system-config-nfs/nfs-export.py	--	system_u:object_r:bin_t
-/usr/share/pydict/pydict.py	--	system_u:object_r:bin_t
-/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
+/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t
+/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t
 ')
 # SuSE
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.17.28/file_contexts/program/sendmail.fc
--- nsapolicy/file_contexts/program/sendmail.fc	2004-02-05 15:17:07.000000000 -0500
+++ policy-1.17.28/file_contexts/program/sendmail.fc	2004-10-06 10:34:25.000000000 -0400
@@ -3,3 +3,5 @@
 /var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
 /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
+/var/run/sendmail.pid		--	system_u:object_r:sendmail_var_run_t
+/var/run/sm-client.pid		--	system_u:object_r:sendmail_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.28/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-09-29 07:36:46.000000000 -0400
+++ policy-1.17.28/file_contexts/types.fc	2004-10-06 10:34:25.000000000 -0400
@@ -401,7 +401,7 @@
 # /usr/local/bin
 #
 /usr/local/bin(/.*)?		system_u:object_r:bin_t
-
+/usr/local/Acrobat.*/bin/ 	system_u:object_r:bin_t
 #
 # /usr/local/lib(64)?
 #
@@ -517,10 +517,10 @@
 #
 # The Sun Java development kit, RPM install
 #
-/usr/java/j2.*/bin(/.*)?		system_u:object_r:bin_t
-/usr/java/j2.*/jre/lib(64)?/i386(/.*)?	system_u:object_r:lib_t
-/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/usr/java/(.*/)?bin(/.*)?		system_u:object_r:bin_t
+/usr/java/(.*/)?jre/lib(64)?/i386(/.*)?	system_u:object_r:lib_t
+/usr/java/(.*/)?plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/usr/java/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 
 #
 #  The krb5.conf file is always being tested for writability, so
diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.28/fs_use
--- nsapolicy/fs_use	2004-06-17 09:39:42.000000000 -0400
+++ policy-1.17.28/fs_use	2004-10-06 13:48:47.153347360 -0400
@@ -7,7 +7,6 @@
 fs_use_xattr ext2 system_u:object_r:fs_t;
 fs_use_xattr ext3 system_u:object_r:fs_t;
 fs_use_xattr xfs system_u:object_r:fs_t;
-fs_use_xattr reiserfs system_u:object_r:fs_t;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.17.28/genfs_contexts
--- nsapolicy/genfs_contexts	2004-09-10 10:45:46.000000000 -0400
+++ policy-1.17.28/genfs_contexts	2004-10-06 13:49:17.074101753 -0400
@@ -88,6 +88,8 @@
 # nfs
 genfscon nfs /				system_u:object_r:nfs_t
 
+# reiserfs - until xattr security support works properly
+genfscon reiserfs /			system_u:object_r:nfs_t
 
 # needs more work
 genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.28/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-09-13 15:58:20.000000000 -0400
+++ policy-1.17.28/macros/program/dbusd_macros.te	2004-10-06 10:34:25.000000000 -0400
@@ -23,6 +23,7 @@
 role $1_r types $1_dbusd_t;
 domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
 read_locale($1_dbusd_t)
+allow $1_t $1_dbusd_t:process { sigkill signal };
 dontaudit $1_dbusd_t var_t:dir { getattr search };
 ')dnl end ifdef single_userdomain
 ')dnl end ifelse system
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.28/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.28/macros/program/mozilla_macros.te	2004-10-06 10:34:25.000000000 -0400
@@ -73,6 +73,8 @@
 dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
 ')
 
+dontaudit $1_mozilla_t tmp_t:lnk_file read;
+
 #
 # This is another place where I sould like to allow system customization.
 # We need to allow the admin to select whether then want to allow mozilla
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.17.28/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.28/macros/program/ssh_agent_macros.te	2004-10-06 10:34:25.000000000 -0400
@@ -104,6 +104,9 @@
 allow $1_ssh_agent_t etc_t:file { getattr read };
 allow $1_ssh_agent_t lib_t:file { getattr read };
 
+allow $1_ssh_agent_t self:dir { search };
+allow $1_ssh_agent_t self:file { getattr read };
+
 # Allow the ssh program to communicate with ssh-agent.
 allow $1_ssh_t $1_tmp_t:sock_file write;
 allow $1_ssh_t $1_t:unix_stream_socket connectto;
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.28/Makefile
--- nsapolicy/Makefile	2004-10-06 09:18:31.000000000 -0400
+++ policy-1.17.28/Makefile	2004-10-06 10:34:25.000000000 -0400
@@ -49,7 +49,7 @@
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 
 FC = file_contexts/file_contexts
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
+FCFILES=file_contexts/types.fc file_contexts/distros.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context) $(CONTEXTPATH)/files/media
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/rpm.te policy-1.17.28/targeted/domains/program/rpm.te
--- nsapolicy/targeted/domains/program/rpm.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.28/targeted/domains/program/rpm.te	2004-10-06 10:34:25.000000000 -0400
@@ -0,0 +1,15 @@
+#DESC rpm - Linux configurable dynamic device naming support
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the rpm domain.
+#
+# rpm_exec_t is the type of the /bin/rpm and other programs.
+# This domain is defined just for targeted policy to labeld /var/lib/rpm
+#
+type rpm_exec_t, file_type, sysadmfile, exec_type;
+type rpm_var_lib_t, file_type, sysadmfile;
+typealias var_log_t alias rpm_log_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.28/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.28/targeted/domains/unconfined.te	2004-10-06 10:34:25.000000000 -0400
@@ -14,7 +14,6 @@
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
 typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
-typealias var_lib_t alias { rpm_var_lib_t };
 type mount_t, domain;
 type initrc_devpts_t, ptyfile;
 define(`admin_tty_type', `{ tty_device_t devpts_t }')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.28/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.28/tunables/distro.tun	2004-10-06 10:34:25.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.28/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.28/tunables/tunable.tun	2004-10-06 10:34:25.000000000 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Today's Diffs.
  2004-10-06 17:54 Today's Diffs Daniel J Walsh
@ 2004-10-06 20:24 ` James Carter
  0 siblings, 0 replies; 7+ messages in thread
From: James Carter @ 2004-10-06 20:24 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged.

On Wed, 2004-10-06 at 13:54, Daniel J Walsh wrote:
> I added a rpm.te for targeted policy.  This will allow snmpd to work 
> correctly and read the /var/lib/rpm files.  Doing this required me
> to break out the distro specific files at the bottom of the rpm.fc file 
> into a distro.fc file.
> 
> Added reiserfs changes
> 
> Added getty access to initrc_devpts_t.
> 
> Some fixes for i18n.
> 
> Minor fixes for inetd_child stuff.
> 
> Fixes for rpm_script.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Today's diffs
@ 2004-10-01  1:15 Daniel J Walsh
  2004-10-01 15:25 ` Russell Coker
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2004-10-01  1:15 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 56 bytes --]

New tvtime and vpnc
Fixes for mozilla and inetd daemons

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 25122 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.17.25/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2004-08-20 13:57:27.000000000 -0400
+++ policy-1.17.25/domains/program/getty.te	2004-09-30 20:59:57.301490136 -0400
@@ -58,3 +58,4 @@
 
 rw_dir_create_file(getty_t, var_lock_t)
 r_dir_file(getty_t, sysfs_t)
+allow getty_t initrc_devpts_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.17.25/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2004-09-23 15:08:59.000000000 -0400
+++ policy-1.17.25/domains/program/passwd.te	2004-09-30 20:59:57.302490017 -0400
@@ -42,7 +42,7 @@
 allow $1_t etc_t:lnk_file read;
 
 # Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid sys_resource };
+allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
 
 # Access terminals.
 allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.17.25/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.25/domains/program/unused/amanda.te	2004-09-30 20:59:57.302490017 -0400
@@ -304,4 +304,5 @@
 #
 type amanda_port_t, port_type;
 allow inetd_t amanda_port_t:udp_socket { name_bind };
+allow inetd_t amandaidx_port_t:tcp_socket { name_bind };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.25/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	2004-09-30 20:48:48.545161402 -0400
+++ policy-1.17.25/domains/program/unused/comsat.te	2004-09-30 21:03:45.725401225 -0400
@@ -11,7 +11,10 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-type comsat_port_t, port_type;
 inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file { read lock };
+allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
+allow comsat_t mail_spool_t:dir r_dir_perms;
+allow comsat_t mail_spool_t:lnk_file { read };
+allow comsat_t var_spool_t:dir { search };
+dontaudit comsat_t sysadm_tty_device_t:chr_file { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.25/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/cups.te	2004-09-30 20:59:57.304489781 -0400
@@ -45,6 +45,7 @@
 ')
 
 ifdef(`inetd.te', `
+allow inetd_t printer_port_t:tcp_socket { name_bind };
 domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.17.25/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-09-27 15:04:34.000000000 -0400
+++ policy-1.17.25/domains/program/unused/dbskkd.te	2004-09-30 20:59:57.304489781 -0400
@@ -10,5 +10,4 @@
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
 
-type dbskkd_port_t, port_type;
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.25/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/hald.te	2004-09-30 20:59:57.305489662 -0400
@@ -61,4 +61,3 @@
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 dontaudit hald_t selinux_config_t:dir { search };
-dontaudit hald_t userdomain:fd { use };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.25/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/inetd.te	2004-09-30 21:01:13.139507178 -0400
@@ -51,7 +51,6 @@
 ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;')
 ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
 ifdef(`amanda.te', `allow inetd_t amanda_port_t:tcp_socket name_bind;')
-ifdef(`swat.te', `allow inetd_t swat_port_t:tcp_socket name_bind;')
 ifdef(`amanda.te', `
 allow inetd_t biff_port_t:tcp_socket name_bind;
 allow inetd_t biff_port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.25/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-09-30 20:48:48.662147759 -0400
+++ policy-1.17.25/domains/program/unused/ktalkd.te	2004-09-30 20:59:57.305489662 -0400
@@ -10,6 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-type ktalkd_port_t, port_type;
 inetd_child_domain(ktalkd, udp)
-allow inetd_t ktalkd_port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.25/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/rhgb.te	2004-09-30 20:59:57.306489544 -0400
@@ -29,7 +29,7 @@
 # for ramfs file systems
 allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
 allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:file unlink;
+allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
 allow insmod_t ramfs_t:file write;
 allow insmod_t rhgb_t:fd use;
 
@@ -84,4 +84,9 @@
 ifdef(`firstboot.te', `
 allow rhgb_t firstboot_rw_t:file r_file_perms;
 ')
-
+dontaudit rhgb_t tmp_t:dir { search };
+allow rhgb_t xdm_xserver_t:process { sigkill };
+allow domain rhgb_devpts_t:chr_file { read write };
+ifdef(`fsadm.te', `
+dontaudit fsadm_t ramfs_t:fifo_file { write };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.25/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-09-20 15:40:59.000000000 -0400
+++ policy-1.17.25/domains/program/unused/rpm.te	2004-09-30 20:59:57.306489544 -0400
@@ -251,3 +251,4 @@
 unconfined_domain(rpm_script_t)
 ')
 
+allow rpm_t removable_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.25/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-09-27 15:04:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/rsync.te	2004-09-30 20:59:57.307489425 -0400
@@ -10,5 +10,4 @@
 # rsync_exec_t is the type of the rsync executable.
 #
 
-type rsync_port_t, port_type;
 inetd_child_domain(rsync)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.25/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.25/domains/program/unused/sendmail.te	2004-09-30 20:59:57.307489425 -0400
@@ -65,10 +65,8 @@
 # Read /usr/lib/sasl2/.*
 allow sendmail_t lib_t:file { getattr read };
 
-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
+# /usr/sbin/sendmail asks for w access to utmp
+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
 
 # When sendmail runs as user_mail_domain, it needs some extra permissions
 # to update /etc/mail/statistics.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slrnpull.te policy-1.17.25/domains/program/unused/slrnpull.te
--- nsapolicy/domains/program/unused/slrnpull.te	2004-03-31 12:59:08.000000000 -0500
+++ policy-1.17.25/domains/program/unused/slrnpull.te	2004-09-30 20:59:57.308489307 -0400
@@ -19,3 +19,5 @@
 ')
 system_crond_entry(slrnpull_exec_t, slrnpull_t)
 allow userdomain slrnpull_spool_t:dir { search };
+rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
+allow slrnpull_t var_spool_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.25/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.25/domains/program/unused/snmpd.te	2004-09-30 20:59:57.308489307 -0400
@@ -24,6 +24,7 @@
 
 # for the .index file
 var_lib_domain(snmpd)
+file_type_auto_trans(snmpd_t, { var_t }, snmpd_var_lib_t, dir)
 file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
 typealias snmpd_var_lib_t alias snmpd_var_rw_t;
 
@@ -70,3 +71,5 @@
 allow snmpd_t var_lib_nfs_t:dir search;
 
 dontaudit snmpd_t domain:dir { getattr search };
+
+dontaudit snmpd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.17.25/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-09-27 15:04:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/swat.te	2004-09-30 20:59:57.309489189 -0400
@@ -10,5 +10,4 @@
 # swat_exec_t is the type of the swat executable.
 #
 
-type swat_port_t, port_type;
 inetd_child_domain(swat)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tvtime.te policy-1.17.25/domains/program/unused/tvtime.te
--- nsapolicy/domains/program/unused/tvtime.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.25/domains/program/unused/tvtime.te	2004-09-30 20:59:57.309489189 -0400
@@ -0,0 +1,13 @@
+#DESC tvtime - a high quality television application
+#
+# Domains for the tvtime program.
+# Author     :  Dan Walsh <dwalsh@redhat.com>
+#
+# tvtime_exec_t is the type of the tvtime executable.
+#
+type tvtime_exec_t, file_type, sysadmfile, exec_type;
+type tvtime_dir_t, file_type, sysadmfile, pidfile;
+
+# Everything else is in the tvtime_domain macro in
+# macros/program/tvtime_macros.te.
+allow user_tvtime_t xdm_tmp_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.25/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.25/domains/program/unused/udev.te	2004-09-30 20:59:57.310489070 -0400
@@ -105,3 +105,4 @@
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
+allow udev_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.17.25/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.25/domains/program/unused/vpnc.te	2004-09-30 20:59:57.311488952 -0400
@@ -0,0 +1,31 @@
+#DESC vpnc
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the vpnc_t domain, et al.
+#
+# vpnc_t is the domain for the vpnc program.
+# vpnc_exec_t is the type of the vpnc executable.
+#
+daemon_domain(vpnc)
+
+# for SSP
+allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+
+# Use the network.
+can_network(vpnc_t)
+can_ypbind(vpnc_t)
+
+# Use capabilities.
+allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
+
+allow vpnc_t devpts_t:dir search;
+allow vpnc_t etc_t:file { getattr read };
+allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
+allow vpnc_t vpnc_t:rawip_socket create_socket_perms;
+allow vpnc_t vpnc_t:unix_dgram_socket create_socket_perms;
+allow vpnc_t vpnc_t:unix_stream_socket create_socket_perms;
+allow vpnc_t admin_tty_type:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.25/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.25/domains/program/unused/xdm.te	2004-09-30 20:59:57.311488952 -0400
@@ -215,6 +215,7 @@
 dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
 dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
+dontaudit xdm_t devpts_t:dir { search };
 
 # Do not audit denied probes of /proc.
 dontaudit xdm_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/passwd.fc policy-1.17.25/file_contexts/program/passwd.fc
--- nsapolicy/file_contexts/program/passwd.fc	2004-03-03 15:53:52.000000000 -0500
+++ policy-1.17.25/file_contexts/program/passwd.fc	2004-09-30 20:59:57.312488834 -0400
@@ -1,5 +1,6 @@
 # spasswd
 /usr/bin/passwd		--	system_u:object_r:passwd_exec_t
+/usr/bin/chage		--	system_u:object_r:passwd_exec_t
 /usr/bin/chsh		--	system_u:object_r:chfn_exec_t
 /usr/bin/chfn		--	system_u:object_r:chfn_exec_t
 /usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/tvtime.fc policy-1.17.25/file_contexts/program/tvtime.fc
--- nsapolicy/file_contexts/program/tvtime.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.25/file_contexts/program/tvtime.fc	2004-09-30 20:59:57.312488834 -0400
@@ -0,0 +1,3 @@
+# tvtime
+/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.17.25/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.25/file_contexts/program/vpnc.fc	2004-09-30 20:59:57.313488715 -0400
@@ -0,0 +1,2 @@
+# vpnc
+/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.25/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.25/macros/base_user_macros.te	2004-09-30 20:59:57.314488597 -0400
@@ -152,6 +152,7 @@
 ifdef(`crontab.te', `crontab_domain($1)')
 
 ifdef(`screen.te', `screen_domain($1)')
+ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
 ifdef(`use_games', `ifdef(`games.te', `games_domain($1)')')
 ifdef(`gpg.te', `gpg_domain($1)')
@@ -287,6 +288,7 @@
 #
 allow $1_t rpc_pipefs_t:dir { getattr };
 allow $1_t nfsd_fs_t:dir { getattr };
+allow $1_t binfmt_misc_fs_t:dir { getattr };
 
 # /initrd is left mounted, various programs try to look at it
 dontaudit $1_t ramfs_t:dir { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.25/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.17.25/macros/global_macros.te	2004-09-30 20:59:57.315488479 -0400
@@ -287,6 +287,7 @@
 allow $1_t device_t:dir { getattr search };
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;
 
 r_dir_file($1_t, sysfs_t) 
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.25/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-09-30 20:48:49.333069517 -0400
+++ policy-1.17.25/macros/program/inetd_macros.te	2004-09-30 21:08:13.662518668 -0400
@@ -52,4 +52,9 @@
 allow $1_t krb5_conf_t:file r_file_perms;
 dontaudit $1_t krb5_conf_t:file write;
 allow $1_t urandom_device_t:chr_file { getattr read };
+type $1_port_t, port_type;
+allow inetd_t $1_port_t:tcp_socket { name_bind };
+ifelse($2, udp, `
+allow inetd_t $1_port_t:udp_socket { name_bind };
+')
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.25/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-09-30 20:48:49.335069283 -0400
+++ policy-1.17.25/macros/program/mozilla_macros.te	2004-09-30 20:59:57.315488479 -0400
@@ -69,6 +69,8 @@
 domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
 # $1_lpr_t should only need read access to the tmp files
 allow $1_lpr_t $1_mozilla_rw_t:file rw_file_perms;
+allow $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+allow $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
 ')
 
 dontaudit $1_mozilla_t tmp_t:lnk_file read;
@@ -109,6 +111,7 @@
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file { unlink };
+dontaudit $1_mozilla_t tmpfile:file getattr;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sendmail_macros.te policy-1.17.25/macros/program/sendmail_macros.te
--- nsapolicy/macros/program/sendmail_macros.te	2004-09-30 20:48:49.338068933 -0400
+++ policy-1.17.25/macros/program/sendmail_macros.te	2004-09-30 20:59:57.316488360 -0400
@@ -44,7 +44,7 @@
 
 ifelse(`$1', `sysadm', `
 allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:file { getattr read };
+allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
 allow $1_mail_t sysctl_kernel_t:file { getattr read };
 allow $1_mail_t etc_runtime_t:file { getattr read };
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.17.25/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.25/macros/program/tvtime_macros.te	2004-09-30 20:59:57.316488360 -0400
@@ -0,0 +1,46 @@
+#
+# Macros for tvtime domains.
+#
+
+#
+# Author: Dan Walsh <dwalsh@redhat.com>
+#
+
+#
+# tvtime_domain(domain_prefix)
+#
+# Define a derived domain for the tvtime program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/tvtime.te. 
+#
+undefine(`tvtime_domain')
+ifdef(`tvtime.te', `
+define(`tvtime_domain',`
+# Derived domain based on the calling user domain and the program.
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+
+x_client_domain($1, tvtime)
+
+# for SSP
+allow $1_tvtime_t urandom_device_t:chr_file read;
+allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
+allow $1_tvtime_t kernel_t:system { ipc_info };
+allow $1_tvtime_t sound_device_t:chr_file { read };
+allow $1_tvtime_t $1_home_t:dir { getattr read search };
+allow $1_tvtime_t $1_home_t:file { getattr read };
+tmp_domain($1_tvtime)
+allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
+allow $1_tvtime_t self:process { setsched };
+allow $1_tvtime_t usr_t:file { getattr read };
+allow $1_tvtime_t xdm_tmp_t:dir { search };
+
+')dnl end tvtime_domain
+
+', `
+
+define(`tvtime_domain',`')
+
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.25/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.17.25/macros/program/xserver_macros.te	2004-09-30 20:59:57.317488242 -0400
@@ -200,7 +200,10 @@
 
 # Create and access /dev/dri devices.
 allow $1_xserver_t device_t:dir create;
+allow $1_xserver_t device_t:dir { setattr };
 file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
+# brought on by rhgb
+allow $1_xserver_t mnt_t:dir { search };
 
 allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
 
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.25/Makefile
--- nsapolicy/Makefile	2004-09-13 15:58:17.000000000 -0400
+++ policy-1.17.25/Makefile	2004-09-30 20:59:57.318488123 -0400
@@ -52,7 +52,7 @@
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context) $(CONTEXTPATH)/files/media
 
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
@@ -68,6 +68,10 @@
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
+$(APPDIR)/removable_context: appconfig/removable_context
+	mkdir -p $(APPDIR)
+	install -m 644 $< $@
+
 $(APPDIR)/default_type: appconfig/default_type
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.17.25/net_contexts
--- nsapolicy/net_contexts	2004-09-30 20:48:48.065217372 -0400
+++ policy-1.17.25/net_contexts	2004-09-30 20:59:57.319488005 -0400
@@ -29,11 +29,14 @@
 portcon tcp 37 system_u:object_r:inetd_port_t
 portcon udp 37 system_u:object_r:inetd_port_t
 portcon tcp 113 system_u:object_r:inetd_port_t
-portcon udp 512 system_u:object_r:biff_port_t
+portcon tcp 512 system_u:object_r:inetd_port_t
+portcon tcp 543 system_u:object_r:inetd_port_t
+portcon tcp 544 system_u:object_r:inetd_port_t
 portcon tcp 891 system_u:object_r:inetd_port_t
 portcon udp 891 system_u:object_r:inetd_port_t
 portcon tcp 892 system_u:object_r:inetd_port_t
 portcon udp 892 system_u:object_r:inetd_port_t
+portcon tcp 2105 system_u:object_r:inetd_port_t
 ')
 ifdef(`ftpd.te', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
@@ -87,6 +90,9 @@
 portcon udp 162 system_u:object_r:snmp_port_t
 portcon tcp 199 system_u:object_r:snmp_port_t
 ')
+ifdef(`comsat.te', `
+portcon udp 512 system_u:object_r:comsat_port_t
+')
 ifdef(`slapd.te', `portcon tcp 389 system_u:object_r:ldap_port_t')
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
@@ -102,7 +108,17 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
+ifdef(`kerberos.te', `
+portcon tcp 88 system_u:object_r:kerberos_port_t
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t
+portcon tcp 750 system_u:object_r:kerberos_port_t
+portcon tcp 4444 system_u:object_r:kerberos_master_port_t
+')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`rsync.te', `
+portcon tcp 873 system_u:object_r:rsync_port_t
+portcon udp 873 system_u:object_r:rsync_port_t
+')
 ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
@@ -112,10 +128,13 @@
 ')
 ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
 ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-ifdef(`radius.te', `portcon udp 1645 system_u:object_r:radius_port_t
+ifdef(`radius.te', `
+portcon udp 1645 system_u:object_r:radius_port_t
 portcon udp 1646 system_u:object_r:radacct_port_t
 portcon udp 1812 system_u:object_r:radius_port_t
-portcon udp 1813 system_u:object_r:radacct_port_t')
+portcon udp 1813 system_u:object_r:radacct_port_t
+')
+ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
 ifdef(`gatekeeper.te', `
 portcon udp 1718 system_u:object_r:gatekeeper_port_t
 portcon udp 1719 system_u:object_r:gatekeeper_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.25/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.25/tunables/distro.tun	2004-09-30 20:59:57.319488005 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.25/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.25/tunables/tunable.tun	2004-09-30 20:59:57.320487887 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Today's diffs
  2004-10-01  1:15 Today's diffs Daniel J Walsh
@ 2004-10-01 15:25 ` Russell Coker
  2004-10-01 15:36   ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Russell Coker @ 2004-10-01 15:25 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Fri, 1 Oct 2004 11:15, Daniel J Walsh <dwalsh@redhat.com> wrote:
> New tvtime and vpnc
> Fixes for mozilla and inetd daemons

allow getty_t initrc_devpts_t:chr_file { read write };

How do you trigger this?  There doesn't seem to be a good reason for getty to 
have such access.  Bug in init?

-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
+# /usr/sbin/sendmail asks for w access to utmp
+allow sendmail_t initrc_var_run_t:file { getattr read lock write };

Why does sendmail need lock and write access to initrc_var_run_t?

+allow user_tvtime_t xdm_tmp_t:dir { search };

The above rule is redundant, you also have it in 
macros/program/tvtime_macros.te.

Also you have put in comments indicating that several programs have been 
compiled with SSP (Stack Smashing Protection).  If the Fedora GCC packages 
support SSP then we should enable it for newrole etc.

+allow udev_t domain:dir r_dir_perms;

Why does udev need this?  Why would it need read access to the directory but 
not to files inside it?

+/usr/bin/chage         --      system_u:object_r:passwd_exec_t

This is wrong.  It should be admin_passwd_exec_t.  A regular user should not 
execute this.

--- nsapolicy/macros/global_macros.te   2004-09-22 16:19:13.000000000 -0400
+++ policy-1.17.25/macros/global_macros.te      2004-09-30 20:59:57.315488479 
-0400
@@ -287,6 +287,7 @@
 allow $1_t device_t:dir { getattr search };
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
+dontaudit $1_t unpriv_userdomain:fd use;

 r_dir_file($1_t, sysfs_t) 

How do you trigger this?  Is it related to the bug in su where su does not 
re-open the terminal when changing role?  I expect that fixing su will fix 
this.

+allow $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+allow $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };

Looks like mozilla is too buggy to close it's file handles before spawning 
lpr.  There's no reason for lpr to access a tcp or unix socket that mozilla 
has created, they should be dontaudit rules.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Today's diffs
  2004-10-01 15:25 ` Russell Coker
@ 2004-10-01 15:36   ` Daniel J Walsh
  2004-10-01 16:36     ` Russell Coker
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2004-10-01 15:36 UTC (permalink / raw)
  To: russell, SELinux

Russell Coker wrote:

>On Fri, 1 Oct 2004 11:15, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  
>
>>New tvtime and vpnc
>>Fixes for mozilla and inetd daemons
>>    
>>
>
>allow getty_t initrc_devpts_t:chr_file { read write };
>
>How do you trigger this?  There doesn't seem to be a good reason for getty to 
>have such access.  Bug in init?
>
>-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
>-# correctly without it.  Do not audit write and lock denials to utmp.
>-allow sendmail_t initrc_var_run_t:file { getattr read };
>-dontaudit sendmail_t initrc_var_run_t:file { lock write };
>+# /usr/sbin/sendmail asks for w access to utmp
>+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
>
>Why does sendmail need lock and write access to initrc_var_run_t?
>
>  
>
sm-client will not work without this.

>+allow user_tvtime_t xdm_tmp_t:dir { search };
>
>The above rule is redundant, you also have it in 
>macros/program/tvtime_macros.te.
>
>  
>
Ok remove it.

>Also you have put in comments indicating that several programs have been 
>compiled with SSP (Stack Smashing Protection).  If the Fedora GCC packages 
>support SSP then we should enable it for newrole etc.
>
>+allow udev_t domain:dir r_dir_perms;
>
>Why does udev need this?  Why would it need read access to the directory but 
>not to files inside it?
>
>  
>
It is running killall.

>+/usr/bin/chage         --      system_u:object_r:passwd_exec_t
>
>This is wrong.  It should be admin_passwd_exec_t.  A regular user should not 
>execute this.
>
>  
>
chage -l dwalsh is available.

>--- nsapolicy/macros/global_macros.te   2004-09-22 16:19:13.000000000 -0400
>+++ policy-1.17.25/macros/global_macros.te      2004-09-30 20:59:57.315488479 
>-0400
>@@ -287,6 +287,7 @@
> allow $1_t device_t:dir { getattr search };
> allow $1_t null_device_t:chr_file rw_file_perms;
> dontaudit $1_t console_device_t:chr_file rw_file_perms;
>+dontaudit $1_t unpriv_userdomain:fd use;
> 
> r_dir_file($1_t, sysfs_t) 
>
>How do you trigger this?  Is it related to the bug in su where su does not 
>re-open the terminal when changing role?  I expect that fixing su will fix 
>this.
>
>  
>
Maybe, it happens when you do a service daemon restart.  Not sure we can 
easily fix the su bug.

>+allow $1_lpr_t $1_mozilla_t:tcp_socket { read write };
>+allow $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
>
>Looks like mozilla is too buggy to close it's file handles before spawning 
>lpr.  There's no reason for lpr to access a tcp or unix socket that mozilla 
>has created, they should be dontaudit rules.
>
>  
>
Happens when printing from pdf files.  Could they be opening  a pipe to 
the lpr command?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Today's diffs
  2004-10-01 15:36   ` Daniel J Walsh
@ 2004-10-01 16:36     ` Russell Coker
  2004-10-01 17:57       ` Russell Coker
  0 siblings, 1 reply; 7+ messages in thread
From: Russell Coker @ 2004-10-01 16:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 3023 bytes --]

On Sat, 2 Oct 2004 01:36, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >+# /usr/sbin/sendmail asks for w access to utmp
> >+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
> >
> >Why does sendmail need lock and write access to initrc_var_run_t?
>
> sm-client will not work without this.

That turned out to be a bug in sendmail.fc.  I have attached a patch which 
fixes sendmail.fc and also removes the unnecessary rules from sendmail.te.

> >Also you have put in comments indicating that several programs have been
> >compiled with SSP (Stack Smashing Protection).  If the Fedora GCC packages
> >support SSP then we should enable it for newrole etc.

You missed the bit about SSP.

> >+allow udev_t domain:dir r_dir_perms;
> >
> >Why does udev need this?  Why would it need read access to the directory
> > but not to files inside it?
>
> It is running killall.

OK, then probably we want a dontaudit rule.

> >+/usr/bin/chage         --      system_u:object_r:passwd_exec_t
> >
> >This is wrong.  It should be admin_passwd_exec_t.  A regular user should
> > not execute this.
>
> chage -l dwalsh is available.

OK, we need to patch chage in the same way as passwd then.  We don't want to 
permit root:user_r:user_t to invalidate accounts.

> >--- nsapolicy/macros/global_macros.te   2004-09-22 16:19:13.000000000
> > -0400 +++ policy-1.17.25/macros/global_macros.te      2004-09-30
> > 20:59:57.315488479 -0400
> >@@ -287,6 +287,7 @@
> > allow $1_t device_t:dir { getattr search };
> > allow $1_t null_device_t:chr_file rw_file_perms;
> > dontaudit $1_t console_device_t:chr_file rw_file_perms;
> >+dontaudit $1_t unpriv_userdomain:fd use;
> >
> > r_dir_file($1_t, sysfs_t)
> >
> >How do you trigger this?  Is it related to the bug in su where su does not
> >re-open the terminal when changing role?  I expect that fixing su will fix
> >this.
>
> Maybe, it happens when you do a service daemon restart.  Not sure we can
> easily fix the su bug.

Please give an example of a command that triggers this.

> >+allow $1_lpr_t $1_mozilla_t:tcp_socket { read write };
> >+allow $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
> >
> >Looks like mozilla is too buggy to close it's file handles before spawning
> >lpr.  There's no reason for lpr to access a tcp or unix socket that
> > mozilla has created, they should be dontaudit rules.
>
> Happens when printing from pdf files.  Could they be opening  a pipe to
> the lpr command?

I can't believe that mozilla would use a TCP socket to send data to lpr.  
Creating a unix domain socket for it also seems to be a very odd way of doing 
things that is likely to cause breakage.  It would either be a fifo or a 
temporary file.

Does it work if you replace those allow rules with dontaudit rules?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 1166 bytes --]

--- /usr/src/se/policy/file_contexts/program/sendmail.fc	2004-02-25 17:05:05.000000000 +1100
+++ /tmp/sendmail.fc	2004-10-02 02:28:23.000000000 +1000
@@ -3,3 +3,5 @@
 /var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
 /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
+/var/run/sendmail.pid		--	system_u:object_r:sendmail_var_run_t
+/var/run/sm-client.pid		--	system_u:object_r:sendmail_var_run_t
--- /usr/src/se/policy/domains/program/unused/sendmail.te	2004-09-11 16:21:45.000000000 +1000
+++ domains/program/unused/sendmail.te	2004-10-02 02:31:38.000000000 +1000
@@ -65,11 +65,6 @@
 # Read /usr/lib/sasl2/.*
 allow sendmail_t lib_t:file { getattr read };
 
-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
 # When sendmail runs as user_mail_domain, it needs some extra permissions
 # to update /etc/mail/statistics.
 allow user_mail_domain etc_mail_t:file rw_file_perms;

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Today's diffs
  2004-10-01 16:36     ` Russell Coker
@ 2004-10-01 17:57       ` Russell Coker
  0 siblings, 0 replies; 7+ messages in thread
From: Russell Coker @ 2004-10-01 17:57 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Sat, 2 Oct 2004 02:36, Russell Coker <russell@coker.com.au> wrote:
> On Sat, 2 Oct 2004 01:36, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >+# /usr/sbin/sendmail asks for w access to utmp
> > >+allow sendmail_t initrc_var_run_t:file { getattr read lock write };
> > >
> > >Why does sendmail need lock and write access to initrc_var_run_t?
> >
> > sm-client will not work without this.
>
> That turned out to be a bug in sendmail.fc.  I have attached a patch which
> fixes sendmail.fc and also removes the unnecessary rules from sendmail.te.

After further consideration I think that the correct solution is to have those 
files created under /var/run/sendmail/ .

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134363

I have created a bugzilla entry about this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2004-10-06 20:25 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-10-06 17:54 Today's Diffs Daniel J Walsh
2004-10-06 20:24 ` James Carter
  -- strict thread matches above, loose matches on Subject: below --
2004-10-01  1:15 Today's diffs Daniel J Walsh
2004-10-01 15:25 ` Russell Coker
2004-10-01 15:36   ` Daniel J Walsh
2004-10-01 16:36     ` Russell Coker
2004-10-01 17:57       ` Russell Coker

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.