From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: jwcart2@epoch.ncsc.mil, SELinux <selinux@tycho.nsa.gov>
Subject: Re: More SELinux fixes.
Date: Sat, 09 Oct 2004 21:26:07 -0400	[thread overview]
Message-ID: <41688FAF.5010601@redhat.com> (raw)
In-Reply-To: <200410091622.08531.russell@coker.com.au>

[-- Attachment #1: Type: text/plain, Size: 921 bytes --]

Includes Collin's new cups patch.

I turned on every service in an everything install and came up with many 
fixes for all the AVC messages.

Added arpwatch policy.

Changed allow_ypbind to a boolean, so policy can be turned on/off by 
sysadmin.

Working with ipsec team to get program cleaned up so we can write better 
policy.

Temporarily added a rule to allow apache to talk to tmp_t:sock_file in
targeted policy.  This allows it to work with postgresql.  Not sure of a
good way to fix this.  One: we could add postgresql policy to targeted,
but I am afraid this is a slippery slope.  Colin suggested that we add
a new policy postgresql_unconfined.te for targeted that basically runs
postgres unconfined but creates /tmp files with an appropriate security
context.  What do you guys think?  Lastly we could tell any users who
want to use apache with postgres to turn off the transition of apache
to its context.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 32446 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.29/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-10-09 21:06:13.967473559 -0400
+++ policy-1.17.29/domains/program/mount.te	2004-10-08 10:47:33.000000000 -0400
@@ -72,7 +72,6 @@
 can_udp_send(portmap_t, mount_t)
 allow mount_t rpc_pipefs_t:dir search;
 ')
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
 
 #
 # required for mount.smbfs
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.29/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-08-20 13:57:28.000000000 -0400
+++ policy-1.17.29/domains/program/unused/acct.te	2004-10-09 10:46:43.000000000 -0400
@@ -65,3 +65,7 @@
 allow acct_t devtty_t:chr_file { read write };
 
 allow acct_t { etc_t etc_runtime_t }:file { read getattr };
+
+ifdef(`logrotate.te', `
+allow logrotate_t acct_data_t:file create_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.29/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-09 21:06:14.078460984 -0400
+++ policy-1.17.29/domains/program/unused/apache.te	2004-10-08 13:44:21.000000000 -0400
@@ -279,6 +279,10 @@
 allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
 allow httpd_t user_home_dir_t:dir { getattr search };
 }
+# 
+# Allow httpd to work with postgresql
+#
+allow httpd_t tmp_t:sock_file rw_file_perms;
 ') dnl targeted policy
 
 #
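Review bot: The new rule on L75 grants httpd_t read and write on every tmp_t socket file in /tmp, not only the postgresql one, so any service that drops a unix socket under the generic tmp type becomes reachable from the web server. Since the description calls this temporary, the comment should say so and name the intended fix, e.g. `# TEMPORARY: httpd_t needs the postgresql socket in /tmp; replace with a dedicated socket type rather than all of tmp_t`. Narrowing it means labelling the socket with its own type on the postgres side, which is what the postgresql_unconfined.te idea in the description amounts to. The enclosing targeted_policy ifdef opens before this hunk and closes on L76.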
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.17.29/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.29/domains/program/unused/arpwatch.te	2004-10-09 14:36:10.000000000 -0400
@@ -0,0 +1,22 @@
+#DESC arpwatch -  keep track of ethernet/ip address pairings
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the arpwatch_t domain.
+#
+# arpwatch_exec_t is the type of the arpwatch executable.
+#
+daemon_domain(arpwatch, `, privmail')
+type arpwatch_data_t, file_type, sysadmfile;
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:capability { net_admin net_raw };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t arpwatch_t:capability { setgid setuid };
+allow arpwatch_t arpwatch_t:packet_socket create_socket_perms;
+allow arpwatch_t arpwatch_t:unix_stream_socket create_stream_socket_perms;
+create_dir_file(arpwatch_t,arpwatch_data_t)
+allow arpwatch_t tmp_t:dir { search };
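Review bot: L100–L102 spell the target as `arpwatch_t arpwatch_t:` while L96–L99 use `self:`; the two forms are equivalent, so the capability line should be folded into the existing one, `allow arpwatch_t self:capability { net_admin net_raw setgid setuid };`, and the socket lines written with `self` too. The header comment documents arpwatch_exec_t but not arpwatch_data_t; a line such as `# arpwatch_data_t is the type of the arp database under /var/arpwatch (see arpwatch.fc)` would complete it. A why-comment on setuid/setgid (presumably the daemon's privilege drop — confirm against the binary) and on net_raw/packet_socket would make the capability set auditable later.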
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.29/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-09 21:06:14.140453960 -0400
+++ policy-1.17.29/domains/program/unused/cups.te	2004-10-09 21:08:35.809404520 -0400
@@ -52,8 +52,6 @@
 # write to spool
 allow cupsd_t var_spool_t:dir search;
 
-rw_dir_create_file(cupsd_t, printconf_t)
-
 # this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
 file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
@@ -165,11 +163,50 @@
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
 
+allow cupsd_t printconf_t:file { getattr read };
+
 ifdef(`hald.te', `
-allow cupsd_t hald_t:dbus { send_msg };
-allow hald_t cupsd_t:dbus { send_msg };
-allow hald_t cupsd_etc_t:dir search;
-allow hald_t printconf_t:file { getattr read };
-domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)
+
+# CUPS configuration daemon
+daemon_domain(cupsd_config)
+
+allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
+allow cupsd_config_t self:file { getattr read };
+
+allow cupsd_config_t proc_t:file { getattr read };
+allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+allow cupsd_config_t cupsd_t:process { signal };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+allow cupsd_config_t cupsd_t:dir { search };
+
+allow cupsd_config_t self:capability { chown };
+
+rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+
+can_network(cupsd_config_t)
+can_tcp_connect(cupsd_config_t, cupsd_t)
+allow cupsd_config_t self:fifo_file rw_file_perms;
+
+dbusd_client(system, cupsd_config_t)
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t userdomain:dbus { send_msg };
+allow userdomain cupsd_config_t:dbus { send_msg };
+allow cupsd_config_t hald_t:dbus { send_msg };
+allow hald_t cupsd_config_t:dbus { send_msg };
+
+
+can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
+allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
+allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
+
+allow cupsd_config_t usr_t:file { getattr read };
+allow cupsd_config_t var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+allow cupsd_config_t printconf_t:file { getattr read };
+
+allow cupsd_config_t urandom_device_t:chr_file { getattr read };
+
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+
 ')
-allow cupsd_t userdomain:dbus { send_msg };
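Review bot: The whole cupsd_config_t domain, starting at `daemon_domain(cupsd_config)` on L131, sits inside the `ifdef(`hald.te', `` block that opens on L123 and closes on L172, so a policy built without hald.te defines neither cupsd_config_t nor cupsd_config_exec_t, while cups.fc in this patch labels /usr/bin/cups-config-daemon and /usr/sbin/hal_lpadmin with cupsd_config_exec_t unconditionally and would then reference an undefined type. Only L155–L156 and L170 actually depend on hald_t; the domain definition and its other rules should be moved outside the ifdef and the three hald rules left inside it. Separately, L153–L154 let every userdomain exchange D-Bus messages with a daemon that can rewrite cupsd_etc_t (L144) and execute shell_exec_t (L159); that is presumably gated by the D-Bus system policy, but a comment naming the expected callers would make the trust boundary explicit.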
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.29/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-10-09 21:06:14.172450335 -0400
+++ policy-1.17.29/domains/program/unused/dhcpc.te	2004-10-08 13:30:19.000000000 -0400
@@ -36,7 +36,9 @@
 ifdef(`consoletype.te', `
 domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
 ')
-
+ifdef(`nscd.te', `
+domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
+')
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
@@ -132,3 +134,4 @@
 allow dhcpc_t home_root_t:dir { search };
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir { search };
+dontaudit dhcpc_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.29/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.29/domains/program/unused/dovecot.te	2004-10-09 14:36:10.000000000 -0400
@@ -44,3 +44,6 @@
 allow dovecot_auth_t etc_t:file { getattr read };
 allow dovecot_auth_t { self proc_t }:file { getattr read };
 read_locale(dovecot_auth_t)
+allow dovecot_auth_t sysctl_kernel_t:dir search;
+allow dovecot_auth_t sysctl_kernel_t:file read;
+allow dovecot_auth_t sysctl_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.29/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/hald.te	2004-10-09 11:22:40.000000000 -0400
@@ -61,3 +61,5 @@
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 dontaudit hald_t selinux_config_t:dir { search };
+allow hald_t initrc_t:dbus { send_msg };
+allow initrc_t hald_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.17.29/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/howl.te	2004-10-09 20:49:54.576412905 -0400
@@ -2,7 +2,7 @@
 allow howl_t proc_t:file { getattr read };
 can_network(howl_t)
 can_ypbind(howl_t)
-allow howl_t self:capability net_admin;
+allow howl_t self:capability { kill net_admin };
 
 allow howl_t self:fifo_file rw_file_perms;
 
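Review bot: L220 adds CAP_KILL to howl_t without recording why, whereas similar grants elsewhere in this tree carry a reason (postgresql.te in this patch has `# capability kill is for shutdown script`). A one-line comment above the rule naming the operation behind the denial, e.g. `# kill: <reason from the AVC>`, lets a later audit decide whether the capability is still needed. The denial itself is not visible here, so the reason cannot be filled in from this hunk.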
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.29/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-10-09 21:06:14.281437986 -0400
+++ policy-1.17.29/domains/program/unused/innd.te	2004-10-09 10:44:22.000000000 -0400
@@ -69,3 +69,8 @@
 allow syslogd_t innd_log_t:dir search;
 allow syslogd_t innd_log_t:file create_file_perms;
 ')
+allow innd_t self:file { getattr read };
+dontaudit innd_t selinux_config_t:dir { search };
+allow system_crond_t innd_etc_t:file { getattr read };
+allow innd_t bin_t:lnk_file { read };
+allow innd_t sbin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.29/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ipsec.te	2004-10-09 14:36:11.000000000 -0400
@@ -30,6 +30,7 @@
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
 file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
+file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
 
 allow ipsec_mgmt_t modules_object_t:dir search;
 allow ipsec_mgmt_t modules_object_t:file getattr;
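Review bot: The transition on L243 types every file ipsec_mgmt_t creates under an etc_t directory as ipsec_key_file_t, and the macro also gives ipsec_mgmt_t write access to etc_t directories to do so. If the management scripts ever rewrite ipsec.conf, it would come out as ipsec_key_file_t instead of the ipsec_conf_file_t that ipsec.fc assigns, and the key-file type would spread to non-secret files until a restorecon. A comment naming the file this is for (presumably ipsec.secrets generation — confirm) would let a reader judge whether the rule can be scoped more tightly.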
@@ -74,8 +75,6 @@
 can_exec(ipsec_t, shell_exec_t)
 can_exec(ipsec_t, bin_t)
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
-can_exec(ipsec_mgmt_t, ifconfig_exec_t)
-
 # now for a icky part...
 # pluto runs an updown script (by calling popen()!); as this is by default
 # a shell script, we need to find a way to make things work without
@@ -125,6 +124,7 @@
 
 # from initrc.te
 domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
 
 
 ########## The following rules were added by cvance@tislabs.com ##########
@@ -224,3 +228,8 @@
 dontaudit ipsec_t ttyfile:chr_file { read write };
 allow ipsec_t self:capability { dac_override dac_read_search };
 allow ipsec_t reserved_port_t:udp_socket { name_bind };
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+dontaudit ipsec_mgmt_t device_t:lnk_file read;
+allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
+allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
+rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
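Review bot: L268 grants getattr on `dev_fs:file_class_set`, that is on every device type for every object class, which is far broader than any single denial would justify; the AVC that produced it would have named one type and one class, and the rule should be that pair. The remaining additions (L269–L272) are specific by comparison. If the intent is a directory listing of /dev by the management scripts, a comment saying so would at least justify keeping the wide form.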
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.17.29/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.29/domains/program/unused/iptables.te	2004-10-08 13:30:41.000000000 -0400
@@ -37,10 +37,11 @@
 # for iptables -L
 allow iptables_t self:unix_stream_socket create_socket_perms;
 can_network(iptables_t)
+can_ypbind(iptables_t)
 
 allow iptables_t bin_t:file { execute execute_no_trans };
 allow iptables_t iptables_exec_t:file { execute_no_trans };
-allow iptables_t iptables_t:capability { net_admin net_raw };
+allow iptables_t iptables_t:capability { net_admin net_raw net_bind_service };
 allow iptables_t iptables_t:rawip_socket create_socket_perms;
 
 allow iptables_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.17.29/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-09-10 10:45:48.000000000 -0400
+++ policy-1.17.29/domains/program/unused/mdadm.te	2004-10-09 14:36:11.000000000 -0400
@@ -18,7 +18,7 @@
 read_locale(mdadm_t)
 
 # Linux capabilities
-allow mdadm_t self:capability { dac_override sys_admin };
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
 
 # Helper program access
 can_exec(mdadm_t, { bin_t sbin_t })
@@ -38,3 +38,4 @@
 dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 dontaudit mdadm_t initctl_t:fifo_file { getattr };
 var_run_domain(mdadm)
+allow mdadm_t var_t:dir { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.29/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-09 21:06:14.466417028 -0400
+++ policy-1.17.29/domains/program/unused/nscd.te	2004-10-08 13:30:51.000000000 -0400
@@ -58,7 +58,7 @@
 allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid net_bind_service };
 
 # for when /etc/passwd has just been updated and has the wrong type
 allow nscd_t shadow_t:file getattr;
@@ -74,5 +74,4 @@
 can_getsecurity(nscd_t)
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
 
-dontaudit nscd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.17.29/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.29/domains/program/unused/postgresql.te	2004-10-09 16:11:06.000000000 -0400
@@ -32,7 +32,8 @@
 allow postgresql_t { var_spool_t cron_spool_t }:dir search;
 
 # capability kill is for shutdown script
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_tty_config };
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
+dontaudit postgresql_t postgresql_t:capability { sys_admin };
 
 etcdir_domain(postgresql)
 typealias postgresql_etc_t alias etc_postgresql_t;
@@ -93,7 +94,7 @@
 allow postgresql_t devtty_t:chr_file { read write };
 allow postgresql_t devpts_t:dir search;
 
-can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t shell_exec_t etc_t })
+can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t shell_exec_t etc_t hostname_exec_t })
 allow postgresql_t { bin_t sbin_t }:dir search;
 allow postgresql_t { bin_t sbin_t }:lnk_file read;
 allow postgresql_t postgresql_exec_t:lnk_file read;
@@ -101,3 +102,6 @@
 allow postgresql_t self:sem create_sem_perms;
 
 allow postgresql_t initrc_var_run_t:file { getattr read lock };
+dontaudit postgresql_t selinux_config_t:dir { search };
+allow postgresql_t mail_spool_t:dir { search };
+rw_dir_create_file(postgresql_t, var_lock_t)
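Review bot: L352 lets postgresql_t create and modify arbitrary files of the generic var_lock_t type, so it can overwrite other services' lock files in /var/lock. The pattern used elsewhere in this patch — var_run_domain(mdadm), var_lib_domain(snmpd) — is a private type derived from the generic one through a file_type_auto_trans, so the daemon owns only its own lock file. If no lock-domain macro exists in this tree, a comment explaining why the generic type is acceptable here would do.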
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.17.29/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2004-08-27 16:51:30.000000000 -0400
+++ policy-1.17.29/domains/program/unused/procmail.te	2004-10-08 10:47:33.000000000 -0400
@@ -71,3 +71,4 @@
 ifdef(`sendmail.te', `
 r_dir_file(procmail_t, etc_mail_t)
 ')
+allow procmail_t mqueue_spool_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.29/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-09 21:06:14.975359364 -0400
+++ policy-1.17.29/domains/program/unused/rpcd.te	2004-10-08 14:27:20.000000000 -0400
@@ -122,4 +122,4 @@
 
 r_dir_file(rpcd_t, rpc_pipefs_t)
 allow rpcd_t rpc_pipefs_t:sock_file { read write };
-
+dontaudit rpcd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.29/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rpm.te	2004-10-08 12:44:01.000000000 -0400
@@ -216,6 +216,7 @@
 allow rpm_script_t fs_t:filesystem { getattr mount unmount };
 allow rpm_script_t rpm_script_tmp_t:dir { mounton };
 can_exec(rpm_script_t, usr_t)
+can_exec(rpm_script_t, sbin_t)
 
 allow rpm_t mount_t:tcp_socket { write };
 create_dir_file(rpm_t, nfs_t)
@@ -248,7 +249,7 @@
 allow rpmbuild_t policy_src_t:file { getattr read };
 can_getsecurity(rpmbuild_t)
 
-allow rpm_script_t userdomain:process { signal };
+allow rpm_script_t domain:process { signal signull };
 
 ifdef(`unlimitedRPM', `
 unconfined_domain(rpm_t)
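Review bot: L386 widens rpm_script_t's signal target from userdomain to the `domain` attribute, so scriptlets may now signal every process in the system, including init and the kernel domain; signull is harmless, but `signal` over all domains is a noticeably larger grant than the line it replaces. If this is for service restarts in %post scriptlets, a comment saying so would help, and limiting the target to the daemon domains actually restarted (or an attribute grouping them) would be tighter than `domain`.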
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.29/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rsync.te	2004-10-08 11:01:29.000000000 -0400
@@ -11,3 +11,5 @@
 #
 
 inetd_child_domain(rsync)
+type rsync_data_t, file_type, sysadmfile;
+r_dir_file(rsync_t, rsync_data_t)
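Review bot: L397 declares rsync_data_t and L398 grants rsync_t read access to it, but the patch adds no file_contexts entry for the type (compare arpwatch.fc, which labels /var/arpwatch), so nothing on disk receives it until an administrator labels a directory by hand. If that is the intent — an admin-assignable type for exported trees — a comment such as `# rsync_data_t: label directories exported by rsyncd with this type` should record it; otherwise the matching .fc line is missing.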
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.17.29/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-10-09 21:06:15.009355512 -0400
+++ policy-1.17.29/domains/program/unused/samba.te	2004-10-09 14:36:09.000000000 -0400
@@ -113,4 +113,6 @@
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
 allow nmbd_t samba_log_t:dir ra_dir_perms;
-
+ifdef(`cups.te', `
+allow smbd_t cupsd_rw_etc_t:file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.29/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/sendmail.te	2004-10-08 10:47:33.000000000 -0400
@@ -99,3 +99,5 @@
 allow system_mail_t sysctl_kernel_t:file read;
 dontaudit system_mail_t system_crond_tmp_t:file { append };
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+allow sendmail_t initrc_var_run_t:file { getattr read };
+dontaudit sendmail_t initrc_var_run_t:file { lock write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slrnpull.te policy-1.17.29/domains/program/unused/slrnpull.te
--- nsapolicy/domains/program/unused/slrnpull.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/slrnpull.te	2004-10-08 10:47:33.000000000 -0400
@@ -21,3 +21,4 @@
 allow userdomain slrnpull_spool_t:dir { search };
 rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
 allow slrnpull_t var_spool_t:dir { search };
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.29/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-09 21:06:15.044351547 -0400
+++ policy-1.17.29/domains/program/unused/snmpd.te	2004-10-09 14:36:09.000000000 -0400
@@ -25,7 +25,8 @@
 # for the .index file
 var_lib_domain(snmpd)
 file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
+file_type_auto_trans(snmpd_t, usr_t, snmpd_var_lib_t, file)
+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, file)
 typealias snmpd_var_lib_t alias snmpd_var_rw_t;
 
 log_domain(snmpd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.29/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-09 21:06:15.309321525 -0400
+++ policy-1.17.29/domains/program/unused/udev.te	2004-10-08 13:29:55.000000000 -0400
@@ -106,7 +106,8 @@
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_dev_t:dir { search };
-allow udev_t sysctl_dev_t:file { getattr read };
-allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
 dontaudit  udev_t domain:dir r_dir_perms;
+allow udev_t mnt_t:dir { search };
+allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
+allow udev_t dev_fs:{ chr_file blk_file } { relabelfrom relabelto };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.29/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/updfstab.te	2004-10-08 14:29:32.000000000 -0400
@@ -69,3 +69,4 @@
 can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
 dontaudit updfstab_t home_root_t:dir { getattr search };
 dontaudit updfstab_t { home_dir_type home_type }:dir { search };
+allow updfstab_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.17.29/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-10-09 21:06:15.335318580 -0400
+++ policy-1.17.29/domains/program/unused/ypbind.te	2004-10-08 10:47:33.000000000 -0400
@@ -12,6 +12,8 @@
 #
 daemon_domain(ypbind)
 
+bool allow_ypbind true;
+
 tmp_domain(ypbind)
 
 # Use capabilities.
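Review bot: The boolean on L469 defaults to true, which flips the previous behaviour: the allow_ypbind tunable that tunable.tun removes in this patch was `dnl`-disabled by default, so can_ypbind expanded to nothing unless the builder opted in. With `bool allow_ypbind true;` every can_ypbind caller (httpd CGI scripts, spamassassin, iptables, and so on) receives network access plus reserved-port name_bind on systems that do not use NIS at all. Declaring it `bool allow_ypbind false;` keeps the opt-in default while still letting the sysadmin enable it at runtime, which is the aim the description states.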
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.17.29/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.29/domains/program/unused/ypserv.te	2004-10-09 11:22:39.000000000 -0400
@@ -13,7 +13,7 @@
 tmp_domain(ypserv)
 
 # Use capabilities.
-allow ypserv_t self:capability net_bind_service;
+allow ypserv_t self:capability { net_admin net_bind_service };
 
 # Use the network.
 can_network(ypserv_t)
@@ -35,3 +35,8 @@
 allow ypserv_t var_yp_t:file create_file_perms;
 allow ypserv_t ypserv_conf_t:file { getattr read };
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`rpcd.te', `
+allow rpcd_t ypserv_conf_t:file { getattr read };
+')
+allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/arpwatch.fc policy-1.17.29/file_contexts/program/arpwatch.fc
--- nsapolicy/file_contexts/program/arpwatch.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.29/file_contexts/program/arpwatch.fc	2004-10-09 11:24:04.000000000 -0400
@@ -0,0 +1,3 @@
+# arpwatch - keep track of ethernet/ip address pairings
+/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t
+/var/arpwatch(/.*)?	system_u:object_r:arpwatch_data_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.17.29/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.29/file_contexts/program/cups.fc	2004-10-09 21:08:49.289877534 -0400
@@ -18,8 +18,9 @@
 /usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
 /usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
 /usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
-/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_exec_t
-/usr/sbin/printconf-backend --	system_u:object_r:cupsd_exec_t
+/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t
+/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t
+/usr/sbin/printconf-backend --	system_u:object_r:sbin_t
 /var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
 /var/spool/cups(/.*)?		system_u:object_r:print_spool_t
 /var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.17.29/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc	2004-09-02 14:45:46.000000000 -0400
+++ policy-1.17.29/file_contexts/program/ipsec.fc	2004-10-08 16:45:52.000000000 -0400
@@ -3,8 +3,10 @@
 /etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t
 /etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t
 /etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
-/usr/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
+/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
+/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t
+/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t
+/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
 /usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
@@ -17,10 +19,7 @@
 /usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
-/usr/sbin/ipsec		--	system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/sbin/ipsec	--	system_u:object_r:ipsec_mgmt_exec_t
-/var/run/ipsec\.info		system_u:object_r:ipsec_var_run_t
-/var/run/pluto\.ctl		system_u:object_r:ipsec_var_run_t
+/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
 
 # Kame
 /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
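Review bot: Dropping the /usr/sbin/ipsec and /usr/local/sbin/ipsec entries (L537–L538) leaves the wrapper with the generic label for /usr/sbin, so `ipsec setup` now runs in the caller's domain (initrc_t or sysadm_t) and only _plutoload and _plutorun, labelled in the first hunk of this file, enter ipsec_mgmt_t. That appears intended given the description's note about cleaning up the program, but any reads of ipsec_key_file_t or ipsec_conf_file_t the wrapper itself performs would then happen in initrc_t. A comment above the entries, e.g. `# only _plutoload/_plutorun are confinement entry points; /usr/sbin/ipsec runs in the caller's domain`, would keep the next reader from restoring the line.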
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.29/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-10-09 21:06:15.394311896 -0400
+++ policy-1.17.29/macros/base_user_macros.te	2004-10-08 16:27:42.000000000 -0400
@@ -43,6 +43,8 @@
 # for eject
 allow $1_t fixed_disk_device_t:blk_file { getattr };
 
+allow $1_t root_dir_type:dir { getattr };
+
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
 # Do not flood message log, if the user does ls /dev 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.29/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/global_macros.te	2004-10-08 10:47:33.000000000 -0400
@@ -396,6 +396,7 @@
 
 # for df
 allow $1_t fs_type:filesystem getattr;
+allow $1_t removable_t:filesystem getattr;
 
 read_locale($1_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.17.29/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-09-02 14:45:47.000000000 -0400
+++ policy-1.17.29/macros/program/apache_macros.te	2004-10-08 10:47:33.000000000 -0400
@@ -45,7 +45,6 @@
 
 uses_shlib(httpd_$1_script_t)
 can_network(httpd_$1_script_t)
-can_ypbind(httpd_$1_script_t)
 allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_$1_script_t usr_t:lnk_file { getattr read };
 
@@ -65,7 +64,9 @@
 allow httpd_$1_script_t device_t:dir { getattr search };
 allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
 }
-
+if (httpd_enable_cgi && allow_ypbind) {
+uncond_can_ypbind(httpd_$1_script_t)
+}
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.17.29/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.29/macros/program/spamassassin_macros.te	2004-10-08 10:57:36.000000000 -0400
@@ -90,9 +90,10 @@
 # set tunable if you have spamassassin do DNS lookups
 if (spamassasin_can_network) {
 can_network($1_spamassassin_t)
-can_ypbind($1_spamassassin_t)
 }
-
+if (spamassasin_can_network && allow_ypbind) {
+uncond_can_ypbind($1_spamassassin_t)
+}
 ###
 # Define the domain for /usr/bin/spamc
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.29/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-09-09 16:22:13.000000000 -0400
+++ policy-1.17.29/macros/program/userhelper_macros.te	2004-10-08 14:14:26.000000000 -0400
@@ -142,6 +142,7 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+allow $1_userhelper_t pam_var_console_t:dir { search };
 
 ')dnl end ifdef single_userdomain
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.29/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-09 21:06:15.724274511 -0400
+++ policy-1.17.29/macros/program/xserver_macros.te	2004-10-09 11:23:24.000000000 -0400
@@ -64,7 +64,7 @@
 
 allow xdm_xserver_t init_t:fd use;
 
-dontaudit xdm_xserver_t homedirfile:dir { read search };
+dontaudit xdm_xserver_t home_dir_type:dir { read search };
 ', `
 # The user role is authorized for this domain.
 role $1_r types $1_xserver_t;
@@ -110,7 +110,7 @@
 # sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
 # admin of APM bios?
 # sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod };
+allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 allow $1_xserver_t nfs_t:dir { getattr search };
 
 # memory_device_t access is needed if not using the frame buffer
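Review bot: The comment block above L634 explains each capability the X server holds (sys_nice, sys_admin, …), but the newly appended net_bind_service is not explained. Add a line such as `# net_bind_service: <reason from the denial>`; if the denial came from binding a reserved TCP or UDP port, record which one, since a name_bind rule on the corresponding port type is needed alongside the capability and is the more informative of the two.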
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.17.29/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te	2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.29/macros/program/ypbind_macros.te	2004-10-08 13:31:20.000000000 -0400
@@ -1,21 +1,13 @@
-define(`can_ypbind',`')
 
-ifdef(`targeted_policy', `
-pushdef(`ypbind.te')
+define(`uncond_can_ypbind', `
+dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_network($1)
+r_dir_file($1,var_yp_t)
+allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
 ')
 
-ifdef(`ypbind.te', `
-ifdef(`allow_ypbind', `
-undefine(`can_ypbind')
 define(`can_ypbind', `
-r_dir_file($1,var_yp_t)
-can_network($1)
-dontaudit $1 reserved_port_t:{ tcp_socket udp_socket } name_bind;
-allow $1 port_t:{ tcp_socket udp_socket } name_bind;
+if (allow_ypbind) {
+uncond_can_ypbind($1)
+}
 ') dnl can_ypbind
-') dnl allow_ypbind
-') dnl ypbind.te
-
-ifdef(`targeted_policy', `
-popdef(`ypbind.te')
-')
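Review bot: The new can_ypbind on L656–L664 references the allow_ypbind boolean unconditionally, but the boolean is declared in ypbind.te under domains/program/unused and the `ifdef(`ypbind.te'` guard the old macro had (L653) is gone, so a build without ypbind.te fails at checkpolicy on the first can_ypbind caller with an undeclared boolean; the direct `allow_ypbind` uses in apache_macros.te and spamassassin_macros.te have the same dependency. Either wrap the body of can_ypbind (and uncond_can_ypbind) in an ifdef on ypbind.te again, or declare the bool in a file that is always compiled. Also, L650 grants `{ reserved_port_t port_t }` name_bind where the old macro (L660) granted only port_t, so every NIS-using domain may now bind any reserved port once the boolean is on; a comment explaining why the RPC client needs a reserved port would help.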
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.29/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.29/tunables/distro.tun	2004-10-08 10:47:33.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.29/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.29/tunables/tunable.tun	2004-10-08 10:47:33.000000000 -0400
@@ -1,42 +1,39 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
-
-# Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`use_games')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
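Review bot: This hunk changes the shipped defaults of the base tunables file rather than a distribution overlay: unlimitedRPM, unlimitedUtils and unlimitedRC (L700, L704, L721) make rpm, hotplug/insmod and every rc-started daemon without a transition run unconfined, user_canbe_sysadm (L734) lets user_r reach sysadm_r, and hide_broken_symptoms (L729) stops auditing of known-broken behaviour; none of this is mentioned in the description. Since distro.tun in this patch enables distro_redhat, these could be conditioned on it or kept `dnl`-disabled in nsapolicy and enabled in the distribution build, so the upstream tree does not quietly loosen its defaults for everyone. The removed `allow_ypbind` tunable (L713–L714) is what the new boolean in ypbind.te replaces, and its old default was off, so that change of default also deserves a sentence in the description.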
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.17.29/types/network.te
--- nsapolicy/types/network.te	2004-08-23 14:54:51.000000000 -0400
+++ policy-1.17.29/types/network.te	2004-10-08 14:26:29.000000000 -0400
@@ -42,7 +42,7 @@
 ifdef(`dovecot.te', `define(`use_pop')')
 ifdef(`uwimapd.te', `define(`use_pop')')
 ifdef(`use_pop', `
-type pop_port_t, port_type;
+type pop_port_t, port_type, reserved_port_type;
 ')
 ifdef(`apache.te', `define(`use_http_cache')')
 ifdef(`squid.te', `define(`use_http_cache')')
