From: Daniel J Walsh <dwalsh@redhat.com>
To: SELinux <SELinux@tycho.nsa.gov>
Subject: More SELinux fixes.
Date: Thu, 07 Oct 2004 17:48:26 -0400	[thread overview]
Message-ID: <4165B9AA.8090803@redhat.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 456 bytes --]

Major fixup/cleanup of rpcd for nfs.

Fixes for ypbind.

Please eliminate space before "udp" in inetd_child calls.  This will not 
work correctly with the space.

Added a reserved_port_type attribute for all ports less than 1024.  NIS is 
causing problems by generating avc messages on these ports for random 
name_bind attempts.  We want to be able to tell the system not to audit 
these.   We might want to add a boolean to specify whether NIS is in use 
or not.

misc fixes.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 30897 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.29/attrib.te
--- nsapolicy/attrib.te	2004-09-15 15:59:54.000000000 -0400
+++ policy-1.17.29/attrib.te	2004-10-07 17:41:56.845879967 -0400
@@ -296,6 +296,9 @@
 # Identifies all types assigned to port numbers to control binding.
 attribute port_type;
 
+# Identifies all types assigned to reserved port (<1024) numbers to control binding.
+attribute reserved_port_type;
+
 # Identifies all types assigned to network interfaces to control
 # operations on the interface (XXX obsolete, not supported via LSM) 
 # and to control traffic sent or received on the interface.
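Review bot: The new `reserved_port_type` attribute documents a convention (ports below 1024) that nothing in attrib.te can enforce; which port types actually carry it is decided by hand in each program's `type ..., reserved_port_type;` line, and the only consumers in this patch are dontaudit name_bind rules. The comment should say both things so the next person keeps it in sync, e.g. `# Identifies port types for reserved (<1024) ports. Assigned by hand in each program .te; used as the target of dontaudit name_bind rules for daemons that probe random reserved ports, so keep it consistent with the real port assignments.`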
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.29/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.29/domains/program/mount.te	2004-10-07 17:40:00.785076302 -0400
@@ -72,7 +72,7 @@
 can_udp_send(portmap_t, mount_t)
 allow mount_t rpc_pipefs_t:dir search;
 ')
-dontaudit mount_t port_type:{tcp_socket udp_socket} name_bind;
+dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
 
 #
 # required for mount.smbfs
@@ -93,7 +93,8 @@
 allow mount_t file_type:filesystem { unmount mount relabelto };
 
 allow mount_t mnt_t:dir { getattr };
-dontaudit mount_t { userdomain kernel_t}:fd use;
+dontaudit mount_t kernel_t:fd use;
+allow mount_t userdomain:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
 ifdef(`distro_redhat', `
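Review bot: `allow mount_t userdomain:fd use` turns what was a dontaudit into an unconditional grant for every user domain, and the commit message ("misc fixes") does not say which user-driven mount needs the inherited descriptor. Descriptor use is a modest permission, but if the only legitimate path is users running mount, the rule belongs under the tunable that enables that (`user_can_mount` in tunables/tunable.tun), e.g. `ifdef(`user_can_mount', `allow mount_t userdomain:fd use;', `dontaudit mount_t userdomain:fd use;')`. A one-line comment naming the caller that hands over the descriptor would help either way. The mount_t rules continue beyond this hunk.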
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.29/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.29/domains/program/ssh.te	2004-10-07 17:40:06.769393525 -0400
@@ -19,7 +19,7 @@
 type sshd_exec_t, file_type, exec_type, sysadmfile;
 type sshd_key_t, file_type, sysadmfile;
 
-type ssh_port_t, port_type;
+type ssh_port_t, port_type, reserved_port_type;
 
 define(`sshd_program_domain', `
 # privowner is for changing the identity on the terminal device
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.29/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/syslogd.te	2004-10-07 17:40:10.781935798 -0400
@@ -88,7 +88,7 @@
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
 
 # Allow name_bind for remote logging
-type syslogd_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
 allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 # /initrd is not umounted before minilog starts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.29/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/apache.te	2004-10-07 17:29:53.660573397 -0400
@@ -19,7 +19,7 @@
 #  the user CGI scripts, then relabel rule for user_r should be removed.
 #
 ###############################################################################
-type http_port_t, port_type;
+type http_port_t, port_type, reserved_port_type;
 
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
@@ -234,6 +234,8 @@
 can_unix_connect(httpd_php_t, mysqld_t)
 allow httpd_php_t mysqld_var_run_t:dir { search };
 allow httpd_php_t mysqld_var_run_t:sock_file { write };
+allow httpd_t mysqld_db_t:dir { search };
+allow httpd_t mysqld_db_t:sock_file rw_file_perms;
 ')
 allow httpd_t bin_t:dir { search };
 allow httpd_t sbin_t:dir { search };
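Review bot: `allow httpd_t mysqld_db_t:sock_file rw_file_perms` grants more than the `{ write }` that `httpd_php_t` gets on the equivalent socket file three lines up; connecting to a unix-domain socket needs `write` on the sock_file, so `{ getattr write }` would keep the two consistent and closer to least privilege. The rules also move out of their own `ifdef(`mysql.te', ...)` block (deleted in the next hunk) into an enclosing block whose condition starts above this hunk — the neighbouring `mysqld_t`/`mysqld_var_run_t` rules suggest it is already mysql-conditional, but that is worth confirming, because an unconditional reference to `mysqld_db_t` breaks the build when mysql.te is not installed.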
@@ -253,11 +255,6 @@
 }
 ')dnl end if nfs_home_dirs
 
-ifdef(`mysql.te', `
-allow httpd_t mysqld_db_t:dir { search };
-allow httpd_t mysqld_db_t:sock_file rw_socket_perms;
-')
-
 #
 # Allow users to mount additional directories as http_source
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.17.29/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-08-27 16:51:30.000000000 -0400
+++ policy-1.17.29/domains/program/unused/bootloader.te	2004-10-07 17:24:28.485441537 -0400
@@ -121,6 +121,7 @@
 allow bootloader_t proc_t:dir { getattr search };
 allow bootloader_t proc_t:file r_file_perms;
 allow bootloader_t proc_t:lnk_file { getattr read };
+allow bootloader_t proc_mdstat_t:file r_file_perms;
 allow bootloader_t self:dir { getattr search read };
 allow bootloader_t sysctl_kernel_t:dir search;
 allow bootloader_t sysctl_kernel_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.29/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/comsat.te	2004-10-07 17:24:28.486441423 -0400
@@ -11,7 +11,7 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-inetd_child_domain(comsat, udp)
+inetd_child_domain(comsat,udp)
 allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
 allow comsat_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.29/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/cups.te	2004-10-07 17:30:34.084011000 -0400
@@ -11,7 +11,7 @@
 # cupsd_t is the domain of cupsd.
 # cupsd_exec_t is the type of the cupsd executable.
 #
-type ipp_port_t, port_type;
+type ipp_port_t, port_type, reserved_port_type;
 daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
 etcdir_domain(cupsd)
 typealias cupsd_etc_t alias etc_cupsd_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.29/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-09-29 07:36:46.000000000 -0400
+++ policy-1.17.29/domains/program/unused/dhcpc.te	2004-10-07 17:31:07.542237378 -0400
@@ -15,7 +15,7 @@
 # dhcpc_exec_t is the type of the dhcpcd executable.
 # The dhcpc_t can be used for other DHCPC related files as well.
 #
-type dhcpc_port_t, port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
 
 daemon_domain(dhcpc)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fingerd.te policy-1.17.29/domains/program/unused/fingerd.te
--- nsapolicy/domains/program/unused/fingerd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/fingerd.te	2004-10-07 17:32:03.462935221 -0400
@@ -12,7 +12,7 @@
 #
 daemon_domain(fingerd)
 
-type fingerd_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
 etcdir_domain(fingerd)
 typealias fingerd_etc_t alias etc_fingerd_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.29/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ftpd.te	2004-10-07 17:32:31.063826755 -0400
@@ -9,8 +9,8 @@
 #
 # Rules for the ftpd_t domain 
 #
-type ftp_port_t, port_type;
-type ftp_data_port_t, port_type;
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
 daemon_domain(ftpd, `, auth_chkpwd')
 etc_domain(ftpd)
 typealias ftpd_etc_t alias etc_ftpd_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.29/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/i18n_input.te	2004-10-07 17:24:28.486441423 -0400
@@ -32,3 +32,4 @@
 allow i18n_input_t etc_t:file r_file_perms;
 allow i18n_input_t self:unix_dgram_socket create_socket_perms;
 allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.29/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/inetd.te	2004-10-07 17:33:13.884006794 -0400
@@ -10,8 +10,8 @@
 # Rules for the inetd_t domain and
 # the inetd_child_t domain.
 #
-type telnet_port_t, port_type;
-type biff_port_t, port_type;
+type telnet_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.29/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/innd.te	2004-10-07 17:33:29.488251060 -0400
@@ -7,7 +7,7 @@
 
 # Types for the server port and news spool.
 #
-type innd_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
 type news_spool_t, file_type, sysadmfile;
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.17.29/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/kerberos.te	2004-10-07 17:34:13.697278778 -0400
@@ -16,8 +16,8 @@
 #
 # Rules for the krb5kdc_t,kadmind_t domains.
 #
-type kerberos_port_t, port_type;
-type kerberos_admin_port_t, port_type;
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
 type kerberos_master_port_t, port_type;
 
 daemon_domain(krb5kdc)
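Review bot: `kerberos_master_port_t` is the one port type in this file left without `reserved_port_type`, and nothing records whether that is deliberate, so a later editor will either add it by reflex or wonder whether it was missed. A short comment on that line, e.g. `# kerberos_master_port_t is not a reserved (<1024) port, so no reserved_port_type`, captures the decision — assuming the port really is above 1023, which this hunk does not show.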
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.29/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ktalkd.te	2004-10-07 17:24:28.487441309 -0400
@@ -10,4 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-inetd_child_domain(ktalkd, udp)
+inetd_child_domain(ktalkd,udp)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.17.29/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/lpd.te	2004-10-07 17:34:33.679032292 -0400
@@ -15,7 +15,7 @@
 # printer_t is the type of the Unix domain socket created
 # by lpd.
 #
-type printer_port_t, port_type;
+type printer_port_t, port_type, reserved_port_type;
 daemon_domain(lpd)
 
 allow lpd_t lpd_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.17.29/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/mta.te	2004-10-07 17:35:10.387906603 -0400
@@ -13,7 +13,7 @@
 ifdef(`sendmail.te', `', `
 type sendmail_exec_t, file_type, exec_type, sysadmfile;
 ')
-type smtp_port_t, port_type;
+type smtp_port_t, port_type, reserved_port_type;
 
 
 # create a system_mail_t domain for daemons, init scripts, etc when they run
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.29/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/named.te	2004-10-07 17:35:25.596197849 -0400
@@ -10,7 +10,7 @@
 #
 # Rules for the named_t domain.
 #
-type rndc_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
 
 daemon_domain(named, `, nscd_client_domain')
 tmp_domain(named)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.29/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/nscd.te	2004-10-07 17:26:44.804943879 -0400
@@ -73,3 +73,6 @@
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
+
+dontaudit nscd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+
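Review bot: `dontaudit nscd_t reserved_port_type:{ tcp_socket udp_socket } name_bind` hides denials for every reserved-port type this patch tags — `ssh_port_t`, `http_port_t`, `smtp_port_t`, `ldap_port_t` and the rest — so an nscd that is compromised and tries to take over one of those ports is still denied but leaves no AVC record. The commit message attributes the noise to NIS, and the policy already has an `allow_ypbind` tunable (tunables/tunable.tun), so the suppression could be limited to builds that use NIS: `ifdef(`allow_ypbind', `dontaudit nscd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;')`. A comment naming the source of the expected denials would help either way, and the blank line added at the end of the file is a stray.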
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.29/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ntpd.te	2004-10-07 17:35:49.503512261 -0400
@@ -10,7 +10,7 @@
 #
 daemon_domain(ntpd, `, nscd_client_domain')
 type ntp_drift_t, file_type, sysadmfile;
-type ntp_port_t, port_type;
+type ntp_port_t, port_type, reserved_port_type;
 
 logdir_domain(ntpd)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.29/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.29/domains/program/unused/portmap.te	2004-10-07 17:36:17.399379454 -0400
@@ -18,7 +18,7 @@
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 
-type portmap_port_t, port_type;
+type portmap_port_t, port_type, reserved_port_type;
 
 tmp_domain(portmap)
 
@@ -52,5 +52,3 @@
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
 
-# do not log when it tries to bind to a port belonging to another domain
-#dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.29/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rhgb.te	2004-10-07 17:24:28.488441195 -0400
@@ -22,6 +22,7 @@
 allow rhgb_t proc_t:file { getattr read };
 
 allow rhgb_t devtty_t:chr_file { read write };
+allow rhgb_t tty_device_t:chr_file { ioctl read write };
 
 read_locale(rhgb_t)
 allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
@@ -35,7 +36,7 @@
 
 allow rhgb_t ramfs_t:filesystem { mount unmount };
 allow rhgb_t mnt_t:dir { search mounton };
-allow rhgb_t rhgb_t:capability { sys_admin };
+allow rhgb_t self:capability { sys_admin sys_tty_config };
 dontaudit rhgb_t var_run_t:dir { search };
 
 can_network(rhgb_t)
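Review bot: `sys_tty_config`, together with the `tty_device_t:chr_file { ioctl read write }` rule in the previous hunk, lets rhgb reconfigure and write to every device labeled `tty_device_t`, not just the console it draws on, and neither rule says which operation needs it. If this is for switching virtual terminals during boot (plausible for a splash screen, but not shown here), record it: `# VT switching for the boot splash needs sys_tty_config and ioctl on the console`. The rewrite of `rhgb_t rhgb_t:capability` to `self:capability` is a welcome style fix.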
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.17.29/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.17.29/domains/program/unused/rlogind.te	2004-10-07 17:37:07.537750836 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the rlogind_t domain.
 #
-type rlogin_port_t, port_type;
+type rlogin_port_t, port_type, reserved_port_type;
 type rlogind_t, domain, privlog, auth_chkpwd, privfd;
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.29/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-01 15:05:31.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rpcd.te	2004-10-07 17:39:24.209252642 -0400
@@ -8,11 +8,12 @@
 
 #################################
 #
-# Rules for the rpcd_t domain.
+# Rules for the rpcd_t and nfsd_t domain.
 #
 define(`rpc_domain', `
 daemon_base_domain($1)
 can_network($1_t)
+can_ypbind($1_t)
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
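Review bot: `can_ypbind($1_t)` inside `rpc_domain` makes every domain built with this macro an NIS client unconditionally, while the rest of the policy exposes NIS through the `allow_ypbind` tunable (tunables/tunable.tun); unless `can_ypbind` is itself gated on that tunable (its definition is not in this patch), this should read `ifdef(`allow_ypbind', `can_ypbind($1_t)')`. The updated header should also be `# Rules for the rpcd_t and nfsd_t domains.` The `rpc_domain` define continues past the end of this hunk.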
@@ -21,6 +22,15 @@
 allow $1_t var_lib_t:dir { search };
 allow $1_t var_lib_nfs_t:dir create_dir_perms;
 allow $1_t var_lib_nfs_t:file create_file_perms;
+# do not log when it tries to bind to a port belonging to another domain
+dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+# bind to arbitary unused ports
+allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
+allow $1_t sysctl_rpc_t:dir search;
+allow $1_t sysctl_rpc_t:file rw_file_perms;
 ')
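Review bot: `dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind` in the macro silences, for every rpc domain, attempts to bind any reserved port type defined elsewhere in this patch (ssh, http, smtp, ldap, ...); the denial is still enforced, but a compromised RPC daemon probing those ports leaves no audit trail, which is a blind spot worth stating explicitly. Since the same hunk grants `allow $1_t port_t:{ tcp_socket udp_socket } name_bind` for genuinely unassigned ports, the comment should spell out which failures are the expected noise, e.g. `# RPC daemons try random reserved ports until one binds; denials on ports owned by other daemons are expected, so do not audit them`. Also `arbitary` should be `arbitrary`. The `rpc_domain` define starts before this hunk.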
 
 type exports_t, file_type, sysadmfile;
@@ -31,34 +41,20 @@
 #
 rpc_domain(rpcd)
 var_run_domain(rpcd)
+allow rpcd_t rpcd_var_run_t:dir setattr;
 
 # for rpc.rquotad
 allow rpcd_t sysctl_t:dir r_dir_perms;
-
-allow rpcd_t self:unix_dgram_socket create_socket_perms;
-allow rpcd_t self:unix_stream_socket create_socket_perms;
 allow rpcd_t self:fifo_file rw_file_perms;
-allow rpcd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # rpcd_t needs to talk to the portmap_t domain
 can_udp_send(rpcd_t, portmap_t)
 
-# bind to arbitary unused ports
-allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind;
-
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit rpcd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# for /var/run/rpc.statd/ directory
-allow rpcd_t rpcd_var_run_t:dir { setattr rw_dir_perms };
-r_dir_file(rpcd_t, var_yp_t);
-
+allow initrc_t exports_t:file r_file_perms;
 ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
+allow rpcd_t self:capability { chown dac_override setgid setuid net_admin };
 # for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file rw_file_perms;
-', `
-allow initrc_t exports_t:file r_file_perms;
+allow initrc_t exports_t:file write;
 ')
 
 allow rpcd_t self:file { getattr read };
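Review bot: `net_admin` is added to rpcd_t's capabilities under `distro_redhat` with no comment, and the commit message does not mention it; `net_admin` covers interface, routing and firewall changes plus privileged socket options, far beyond what a user-space RPC daemon should need. If it stems from a setsockopt() probe that fails harmlessly (this hunk cannot tell), `dontaudit rpcd_t self:capability net_admin;` is the safer fix; if it is genuinely required, name the operation on the line, e.g. `# net_admin: needed for <operation>`. Separately, `r_dir_file(rpcd_t, var_yp_t)` and the `rw_dir_perms` on `rpcd_var_run_t` are dropped here — presumably now covered by `can_ypbind` in the macro and by `var_run_domain(rpcd)`, which is worth confirming since neither macro body is visible.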
@@ -75,19 +71,13 @@
 
 # for /proc/fs/nfs/exports - should we have a new type?
 allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t self:unix_dgram_socket create_socket_perms;
-allow nfsd_t self:unix_stream_socket create_stream_socket_perms;
 allow nfsd_t exports_t:file { getattr read };
 
 allow nfsd_t nfsd_fs_t:filesystem mount;
 allow nfsd_t nfsd_fs_t:dir search;
 allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow nfsd_t sysctl_rpc_t:dir search;
-allow nfsd_t sysctl_rpc_t:file rw_file_perms;
 allow initrc_t sysctl_rpc_t:dir search;
 allow initrc_t sysctl_rpc_t:file rw_file_perms;
-allow rpcd_t sysctl_rpc_t:dir search;
-allow rpcd_t sysctl_rpc_t:file rw_file_perms;
 
 type nfsd_rw_t, file_type, sysadmfile, usercanread;
 type nfsd_ro_t, file_type, sysadmfile, usercanread;
@@ -99,11 +89,14 @@
 create_dir_file(kernel_t,{ file_type -shadow_t })
 }
 
+dontaudit kernel_t shadow_t:file { getattr };
+
 bool nfs_export_all_ro false;
 
 if(nfs_export_all_ro) {
 allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
 r_dir_file(kernel_t,{ file_type -shadow_t })
+
 }
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
 create_dir_file(kernel_t, nfsd_rw_t);
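Review bot: `dontaudit kernel_t shadow_t:file { getattr }` sits outside both the preceding `if` block (its head is above this hunk) and `if(nfs_export_all_ro)`, so it applies even when nothing under /etc is exported — and a kernel thread touching /etc/shadow is exactly the denial an operator wants to see in that case. Moving the line inside each `if` block, next to the `{ file_type -shadow_t }` rules it compensates for, keeps the suppression tied to the configuration that generates the noise. The extra blank line added inside the `nfs_export_all_ro` block is a stray.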
@@ -116,15 +109,17 @@
 # does not really need this, but it is easier to just allow it
 allow nfsd_t var_run_t:dir search;
 
-allow nfsd_t self:capability { sys_admin sys_resource };
+allow nfsd_t self:capability { sys_admin sys_resource net_admin };
 allow nfsd_t fs_t:filesystem getattr;
 
 can_udp_send(nfsd_t, portmap_t)
 can_udp_send(portmap_t, nfsd_t)
 
 can_tcp_connect(nfsd_t, portmap_t)
-allow nfsd_t port_t:{ udp_socket tcp_socket } name_bind;
 
 # for exportfs and rpc.mountd
 allow nfsd_t tmp_t:dir getattr;
+
 r_dir_file(rpcd_t, rpc_pipefs_t)
+allow rpcd_t rpc_pipefs_t:sock_file { read write };
+
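Review bot: `net_admin` joins nfsd_t's capabilities without a comment or a mention in the commit message, and the same addition appears for rpcd_t and ypbind_t elsewhere in this patch; for a domain that already holds `sys_admin` and mounts `nfsd_fs_t`, this leaves little of the network stack it cannot reconfigure. Please either document the concrete operation (`# net_admin: needed for <operation>`) or, if it is only a failed setsockopt() probe, use `dontaudit nfsd_t self:capability net_admin;` instead. The new `allow rpcd_t rpc_pipefs_t:sock_file { read write }` also deserves a one-line comment naming the upcall channel it talks to, and the two blank lines added at the end of the file are strays.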
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.17.29/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rshd.te	2004-10-07 17:37:16.155783617 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the rshd_t domain.
 #
-type rsh_port_t, port_type;
+type rsh_port_t, port_type, reserved_port_type;
 daemon_sub_domain(inetd_t, rshd)
 
 ifdef(`tcpd.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.17.29/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-08-18 08:42:50.000000000 -0400
+++ policy-1.17.29/domains/program/unused/samba.te	2004-10-07 17:37:36.879458053 -0400
@@ -41,7 +41,7 @@
 general_domain_access(smbd_t)
 general_proc_read_access(smbd_t)
 
-type smbd_port_t, port_type;
+type smbd_port_t, port_type, reserved_port_type;
 allow smbd_t smbd_port_t:tcp_socket name_bind;
 
 # Use capabilities.
@@ -90,7 +90,7 @@
 general_domain_access(nmbd_t)
 general_proc_read_access(nmbd_t)
 
-type nmbd_port_t, port_type;
+type nmbd_port_t, port_type, reserved_port_type;
 allow nmbd_t nmbd_port_t:udp_socket name_bind;
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.29/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/sendmail.te	2004-10-07 17:24:28.489441081 -0400
@@ -99,3 +99,5 @@
 allow system_mail_t sysctl_kernel_t:file read;
 dontaudit system_mail_t system_crond_tmp_t:file { append };
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+allow sendmail_t initrc_var_run_t:file { getattr read };
+dontaudit sendmail_t initrc_var_run_t:file { lock write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.17.29/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/slapd.te	2004-10-07 17:37:46.329397736 -0400
@@ -12,7 +12,7 @@
 #
 daemon_domain(slapd)
 
-type ldap_port_t, port_type;
+type ldap_port_t, port_type, reserved_port_type;
 allow slapd_t ldap_port_t:tcp_socket name_bind;
 
 etc_domain(slapd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.29/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/snmpd.te	2004-10-07 17:37:50.655912312 -0400
@@ -16,7 +16,7 @@
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
 
-type snmp_port_t, port_type;
+type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
 
 etc_domain(snmpd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.17.29/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-08-18 08:42:50.000000000 -0400
+++ policy-1.17.29/domains/program/unused/spamd.te	2004-10-07 17:38:12.609445542 -0400
@@ -9,7 +9,7 @@
 
 tmp_domain(spamd)
 
-type spamd_port_t, port_type;
+type spamd_port_t, port_type, reserved_port_type;
 allow spamd_t spamd_port_t:tcp_socket name_bind;
 
 general_domain_access(spamd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tftpd.te policy-1.17.29/domains/program/unused/tftpd.te
--- nsapolicy/domains/program/unused/tftpd.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.17.29/domains/program/unused/tftpd.te	2004-10-07 17:38:27.479741975 -0400
@@ -13,10 +13,10 @@
 #
 daemon_domain(tftpd)
 
-type tftp_port_t, port_type;
+type tftp_port_t, port_type, reserved_port_type;
 
 # tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
+type tftpdir_t, file_type, root_dir_type, sysadmfile;
 r_dir_file(tftpd_t, tftpdir_t)
 
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
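Review bot: `root_dir_type` on `tftpdir_t` changes how other domains may treat /tftpboot (whatever `root_dir_type` grants is defined outside this patch), and there is no comment on why a plain data directory now needs it. If this is because tftpd runs with its chroot option so /tftpboot becomes its root directory (likely, but not shown here), say so on the line: `# tftpd -s chroots into /tftpboot, so it must be usable as a root directory`.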
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.29/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/udev.te	2004-10-07 17:24:28.490440967 -0400
@@ -105,6 +105,8 @@
 dbusd_client(system, udev_t)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_dev_t:dir { search };
+allow udev_t sysctl_dev_t:file { getattr read };
 allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
 dontaudit  udev_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.17.29/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-07-30 14:39:45.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ypbind.te	2004-10-07 17:24:28.491440853 -0400
@@ -15,7 +15,7 @@
 tmp_domain(ypbind)
 
 # Use capabilities.
-allow ypbind_t ypbind_t:capability net_bind_service;
+allow ypbind_t self:capability { net_admin net_bind_service };
 
 # Use the network.
 can_network(ypbind_t)
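Review bot: `net_admin` is added to ypbind_t's capabilities with no explanation; a NIS client that can also change interfaces, routes and privileged socket options is a much larger target than before, and the commit message only says "Fixes for ypbind". A common cause is a setsockopt() that fails harmlessly without the capability; if that is what produced the AVC (not visible here), `dontaudit ypbind_t self:capability net_admin;` keeps the log quiet without the grant. Otherwise a comment naming the operation should accompany the rule.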
@@ -35,4 +35,7 @@
 allow ypbind_t var_yp_t:file create_file_perms;
 allow initrc_t var_yp_t:dir { getattr read };
 allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:unix_stream_socket create_socket_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t reserved_port_t:tcp_socket { name_bind };
+allow ypbind_t reserved_port_t:udp_socket { name_bind };
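Review bot: The two `reserved_port_t` name_bind lines can be one rule in the form the rest of the patch uses, `allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;`. The reader also has to keep two similar names apart: `reserved_port_t` (presumably the type for reserved ports not claimed by another daemon; it is not declared in this patch) is allowed here, while the new `reserved_port_type` attribute (every tagged daemon port) is what nscd and the rpc domains dontaudit — a comment such as `# bind random reserved ports that no other daemon owns` would make the choice explicit. If ypbind is the process generating the random-port denials the commit message describes, it may also want the matching `dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;`.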
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.17.29/genfs_contexts
--- nsapolicy/genfs_contexts	2004-10-07 08:02:00.000000000 -0400
+++ policy-1.17.29/genfs_contexts	2004-10-07 17:24:28.491440853 -0400
@@ -87,6 +87,7 @@
 
 # nfs
 genfscon nfs /				system_u:object_r:nfs_t
+genfscon nfs4 /				system_u:object_r:nfs_t
 
 # reiserfs - until xattr security support works properly
 genfscon reiserfs /			system_u:object_r:nfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.29/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/base_user_macros.te	2004-10-07 17:24:28.492440739 -0400
@@ -45,6 +45,8 @@
 
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
+# Do not flood message log, if the user does ls /dev 
+dontaudit $1_t dev_fs:dir_file_class_set getattr;
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
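Review bot: `dontaudit $1_t dev_fs:dir_file_class_set getattr` applies to every user domain built from this macro and every object type under `dev_fs`, so a user who cannot stat a device they are supposed to reach will get no AVC to diagnose it with. The trade-off (a quiet `ls /dev`) is reasonable but should be recorded next to the rule, e.g. `# users may not stat most of /dev; suppress the noise from ls /dev, at the cost of losing getattr denials when debugging device access`. The enclosing macro begins and ends outside this hunk.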
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.17.29/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.29/macros/program/chkpwd_macros.te	2004-10-07 17:24:28.492440739 -0400
@@ -27,6 +27,7 @@
 role system_r types system_chkpwd_t;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
+dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
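Review bot: The new `dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms` lands in only one branch of the `ifelse` (the one that declares `system_chkpwd_t`; the condition itself is above this hunk), while the `targeted_policy` `allow ... tty_device_t:chr_file { read write }` removed in the next hunk was in the common section and covered every `$1`. Dropping the allow is the right call — a password checker has no business talking to the terminal — but if the tty access is equally spurious for the per-user chkpwd domains they will now start auditing under targeted policy; moving the dontaudit into the common rules after the `unix_stream_socket` line would treat all of them the same.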
@@ -51,9 +52,6 @@
 allow $1_chkpwd_t etc_t:file { getattr read };
 allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
 allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-ifdef(`targeted_policy', `
-allow $1_chkpwd_t tty_device_t:chr_file { read write };
-')
 read_locale($1_chkpwd_t)
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.29/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/program/inetd_macros.te	2004-10-07 17:28:18.332348120 -0400
@@ -46,7 +46,7 @@
 allow $1_t krb5_conf_t:file r_file_perms;
 dontaudit $1_t krb5_conf_t:file write;
 allow $1_t urandom_device_t:chr_file { getattr read };
-type $1_port_t, port_type;
+type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
 ifelse($2, `', `
 allow inetd_t $1_port_t:udp_socket { name_bind };
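Review bot: Every inetd child port now carries `reserved_port_type` via the macro, whether or not the service's port is actually below 1024, which widens the dontaudit rules that target the attribute in mount, nscd and the rpc domains, and the per-service callers cannot opt out. Also, `$2` is compared literally in `ifelse($2, `', ...)`, which is why the commit message asks callers to drop the space before `udp`; a comment on the macro would keep that from recurring: `# NOTE: $2 is matched literally by ifelse; call as inetd_child_domain(name,udp) with no space before udp`. The macro body starts before this hunk.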
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.29/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/program/ssh_macros.te	2004-10-07 17:24:28.493440625 -0400
@@ -117,7 +117,7 @@
 
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
-dontaudit $1_ssh_t proc_t:file { getattr read };
+dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
 can_exec($1_ssh_t, shell_exec_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.29/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/program/xserver_macros.te	2004-10-07 17:24:28.494440511 -0400
@@ -64,7 +64,7 @@
 
 allow xdm_xserver_t init_t:fd use;
 
-dontaudit xdm_xserver_t sysadm_home_dir_t:dir { read search };
+dontaudit xdm_xserver_t homedirfile:dir { read search };
 ', `
 # The user role is authorized for this domain.
 role $1_r types $1_xserver_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.29/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.29/tunables/distro.tun	2004-10-07 17:24:28.494440511 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
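Review bot: `define(`distro_redhat')` is now active in the shared tunables file, which turns on every `ifdef(`distro_redhat', ...)` block in the policy (several in this very patch) for all builders, not just Red Hat. Unless the upstream default is meant to change, this looks like a local build setting that leaked into the diff and should stay `dnl define(`distro_redhat')`.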
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.29/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.29/tunables/tunable.tun	2004-10-07 17:24:28.495440398 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
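Review bot: Nine tunables are flipped to enabled here, including `unlimitedRPM`, `unlimitedUtils` and `unlimitedRC` (rpm, hotplug/insmod and every daemon started from an rc script without its own domain run unconfined), `user_canbe_sysadm` (user_r can reach sysadm_r) and `hide_broken_symptoms`, each of which removes confinement or audit visibility that the reference policy ships off by default. None of this is mentioned in the commit message, and together with the `distro_redhat` change in distro.tun it has the look of the author's local build configuration rather than an intended upstream change. Please drop these hunks from the patch or split them into a separate change whose description justifies each tunable; if any are genuinely meant to become upstream defaults, extend the `# Allow ...` comment above each with the reason and the security consequence.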
