* More SELinux fixes.
@ 2004-10-07 21:48 Daniel J Walsh
  2004-10-08 13:41 ` Russell Coker
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Daniel J Walsh @ 2004-10-07 21:48 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 456 bytes --]

Major fixup/cleanup of rpcd for nfs.

Fixes for ypbind.

Please eliminate space before "udp" in inetd_child calls.  This will not 
work correctly with the space.

Added reserved_port_type attribute for all ports less than 1024.  NIS is 
causing problems generating avc messages
on these ports for random name_bind.  Want to be able to tell the system 
not to audit these.   Might want to add a boolean
to specify whether NIS is in use or not.

misc fixes.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 30897 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.29/attrib.te
--- nsapolicy/attrib.te	2004-09-15 15:59:54.000000000 -0400
+++ policy-1.17.29/attrib.te	2004-10-07 17:41:56.845879967 -0400
@@ -296,6 +296,9 @@
 # Identifies all types assigned to port numbers to control binding.
 attribute port_type;
 
+# Identifies all types assigned to reserved port (<1024) numbers to control binding.
+attribute reserved_port_type;
+
 # Identifies all types assigned to network interfaces to control
 # operations on the interface (XXX obsolete, not supported via LSM) 
 # and to control traffic sent or received on the interface.
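Review bot: Nothing in this patch attaches the new attribute to the type that labels the otherwise-unassigned ports below 1024, so the dontaudit rules written against reserved_port_type in nscd.te and rpcd.te would not cover denials on those ports if that type lives outside the attribute. The ypbind.te hunk in this same patch refers to `reserved_port_t`, which suggests such a catch-all type exists in a file not shown here; if so it should carry `reserved_port_type` too. The comment could also state what the attribute does and does not do: `# Membership is by port number only; the attribute grants nothing by itself and exists so rules can refer to all reserved ports at once.`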
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.29/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.29/domains/program/mount.te	2004-10-07 17:40:00.785076302 -0400
@@ -72,7 +72,7 @@
 can_udp_send(portmap_t, mount_t)
 allow mount_t rpc_pipefs_t:dir search;
 ')
-dontaudit mount_t port_type:{tcp_socket udp_socket} name_bind;
+dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
 
 #
 # required for mount.smbfs
@@ -93,7 +93,8 @@
 allow mount_t file_type:filesystem { unmount mount relabelto };
 
 allow mount_t mnt_t:dir { getattr };
-dontaudit mount_t { userdomain kernel_t}:fd use;
+dontaudit mount_t kernel_t:fd use;
+allow mount_t userdomain:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
 ifdef(`distro_redhat', `
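Review bot: The second added line turns what was a dontaudit on userdomain descriptors into an allow, a widening with no comment on why mount_t needs to use user file descriptors, while kernel_t stays at dontaudit on the line above, so the two cases are now treated differently without a stated reason. A one-line rationale above the allow would help, e.g. `# mount is run from user shells and inherits their open descriptors`, worded from the actual denial that motivated it. If the aim was only to stop AVC noise, the previous dontaudit form is the narrower change.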
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.29/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.29/domains/program/ssh.te	2004-10-07 17:40:06.769393525 -0400
@@ -19,7 +19,7 @@
 type sshd_exec_t, file_type, exec_type, sysadmfile;
 type sshd_key_t, file_type, sysadmfile;
 
-type ssh_port_t, port_type;
+type ssh_port_t, port_type, reserved_port_type;
 
 define(`sshd_program_domain', `
 # privowner is for changing the identity on the terminal device
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.29/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/syslogd.te	2004-10-07 17:40:10.781935798 -0400
@@ -88,7 +88,7 @@
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
 
 # Allow name_bind for remote logging
-type syslogd_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
 allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 # /initrd is not umounted before minilog starts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.29/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/apache.te	2004-10-07 17:29:53.660573397 -0400
@@ -19,7 +19,7 @@
 #  the user CGI scripts, then relabel rule for user_r should be removed.
 #
 ###############################################################################
-type http_port_t, port_type;
+type http_port_t, port_type, reserved_port_type;
 
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
@@ -234,6 +234,8 @@
 can_unix_connect(httpd_php_t, mysqld_t)
 allow httpd_php_t mysqld_var_run_t:dir { search };
 allow httpd_php_t mysqld_var_run_t:sock_file { write };
+allow httpd_t mysqld_db_t:dir { search };
+allow httpd_t mysqld_db_t:sock_file rw_file_perms;
 ')
 allow httpd_t bin_t:dir { search };
 allow httpd_t sbin_t:dir { search };
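Review bot: The two httpd_t rules on mysqld_db_t are moved into a block whose opening condition is outside this hunk (it closes at the `')` right after them), replacing the stand-alone `ifdef(`mysql.te', ...)` block removed in the next hunk of this file. If the enclosing block is conditioned on anything beyond mysql.te being present, for example a PHP-specific ifdef, httpd_t loses its mysql socket access in configurations that previously had it; worth confirming the enclosing condition or keeping the rules in their own `ifdef(`mysql.te', ...)` block. Changing rw_socket_perms to rw_file_perms on a sock_file object looks correct, since sock_file takes file permissions.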
@@ -253,11 +255,6 @@
 }
 ')dnl end if nfs_home_dirs
 
-ifdef(`mysql.te', `
-allow httpd_t mysqld_db_t:dir { search };
-allow httpd_t mysqld_db_t:sock_file rw_socket_perms;
-')
-
 #
 # Allow users to mount additional directories as http_source
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.17.29/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-08-27 16:51:30.000000000 -0400
+++ policy-1.17.29/domains/program/unused/bootloader.te	2004-10-07 17:24:28.485441537 -0400
@@ -121,6 +121,7 @@
 allow bootloader_t proc_t:dir { getattr search };
 allow bootloader_t proc_t:file r_file_perms;
 allow bootloader_t proc_t:lnk_file { getattr read };
+allow bootloader_t proc_mdstat_t:file r_file_perms;
 allow bootloader_t self:dir { getattr search read };
 allow bootloader_t sysctl_kernel_t:dir search;
 allow bootloader_t sysctl_kernel_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.29/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/comsat.te	2004-10-07 17:24:28.486441423 -0400
@@ -11,7 +11,7 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-inetd_child_domain(comsat, udp)
+inetd_child_domain(comsat,udp)
 allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
 allow comsat_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.29/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/cups.te	2004-10-07 17:30:34.084011000 -0400
@@ -11,7 +11,7 @@
 # cupsd_t is the domain of cupsd.
 # cupsd_exec_t is the type of the cupsd executable.
 #
-type ipp_port_t, port_type;
+type ipp_port_t, port_type, reserved_port_type;
 daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
 etcdir_domain(cupsd)
 typealias cupsd_etc_t alias etc_cupsd_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.29/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-09-29 07:36:46.000000000 -0400
+++ policy-1.17.29/domains/program/unused/dhcpc.te	2004-10-07 17:31:07.542237378 -0400
@@ -15,7 +15,7 @@
 # dhcpc_exec_t is the type of the dhcpcd executable.
 # The dhcpc_t can be used for other DHCPC related files as well.
 #
-type dhcpc_port_t, port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
 
 daemon_domain(dhcpc)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fingerd.te policy-1.17.29/domains/program/unused/fingerd.te
--- nsapolicy/domains/program/unused/fingerd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/fingerd.te	2004-10-07 17:32:03.462935221 -0400
@@ -12,7 +12,7 @@
 #
 daemon_domain(fingerd)
 
-type fingerd_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
 etcdir_domain(fingerd)
 typealias fingerd_etc_t alias etc_fingerd_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.29/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-09-30 20:48:48.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ftpd.te	2004-10-07 17:32:31.063826755 -0400
@@ -9,8 +9,8 @@
 #
 # Rules for the ftpd_t domain 
 #
-type ftp_port_t, port_type;
-type ftp_data_port_t, port_type;
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
 daemon_domain(ftpd, `, auth_chkpwd')
 etc_domain(ftpd)
 typealias ftpd_etc_t alias etc_ftpd_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.29/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/i18n_input.te	2004-10-07 17:24:28.486441423 -0400
@@ -32,3 +32,4 @@
 allow i18n_input_t etc_t:file r_file_perms;
 allow i18n_input_t self:unix_dgram_socket create_socket_perms;
 allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.17.29/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/inetd.te	2004-10-07 17:33:13.884006794 -0400
@@ -10,8 +10,8 @@
 # Rules for the inetd_t domain and
 # the inetd_child_t domain.
 #
-type telnet_port_t, port_type;
-type biff_port_t, port_type;
+type telnet_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.29/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/innd.te	2004-10-07 17:33:29.488251060 -0400
@@ -7,7 +7,7 @@
 
 # Types for the server port and news spool.
 #
-type innd_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
 type news_spool_t, file_type, sysadmfile;
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.17.29/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/kerberos.te	2004-10-07 17:34:13.697278778 -0400
@@ -16,8 +16,8 @@
 #
 # Rules for the krb5kdc_t,kadmind_t domains.
 #
-type kerberos_port_t, port_type;
-type kerberos_admin_port_t, port_type;
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
 type kerberos_master_port_t, port_type;
 
 daemon_domain(krb5kdc)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.17.29/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ktalkd.te	2004-10-07 17:24:28.487441309 -0400
@@ -10,4 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-inetd_child_domain(ktalkd, udp)
+inetd_child_domain(ktalkd,udp)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.17.29/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/lpd.te	2004-10-07 17:34:33.679032292 -0400
@@ -15,7 +15,7 @@
 # printer_t is the type of the Unix domain socket created
 # by lpd.
 #
-type printer_port_t, port_type;
+type printer_port_t, port_type, reserved_port_type;
 daemon_domain(lpd)
 
 allow lpd_t lpd_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.17.29/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/mta.te	2004-10-07 17:35:10.387906603 -0400
@@ -13,7 +13,7 @@
 ifdef(`sendmail.te', `', `
 type sendmail_exec_t, file_type, exec_type, sysadmfile;
 ')
-type smtp_port_t, port_type;
+type smtp_port_t, port_type, reserved_port_type;
 
 
 # create a system_mail_t domain for daemons, init scripts, etc when they run
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.29/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/named.te	2004-10-07 17:35:25.596197849 -0400
@@ -10,7 +10,7 @@
 #
 # Rules for the named_t domain.
 #
-type rndc_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
 
 daemon_domain(named, `, nscd_client_domain')
 tmp_domain(named)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.29/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/nscd.te	2004-10-07 17:26:44.804943879 -0400
@@ -73,3 +73,6 @@
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
+
+dontaudit nscd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.29/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ntpd.te	2004-10-07 17:35:49.503512261 -0400
@@ -10,7 +10,7 @@
 #
 daemon_domain(ntpd, `, nscd_client_domain')
 type ntp_drift_t, file_type, sysadmfile;
-type ntp_port_t, port_type;
+type ntp_port_t, port_type, reserved_port_type;
 
 logdir_domain(ntpd)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.17.29/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.29/domains/program/unused/portmap.te	2004-10-07 17:36:17.399379454 -0400
@@ -18,7 +18,7 @@
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 
-type portmap_port_t, port_type;
+type portmap_port_t, port_type, reserved_port_type;
 
 tmp_domain(portmap)
 
@@ -52,5 +52,3 @@
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
 
-# do not log when it tries to bind to a port belonging to another domain
-#dontaudit portmap_t port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.29/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rhgb.te	2004-10-07 17:24:28.488441195 -0400
@@ -22,6 +22,7 @@
 allow rhgb_t proc_t:file { getattr read };
 
 allow rhgb_t devtty_t:chr_file { read write };
+allow rhgb_t tty_device_t:chr_file { ioctl read write };
 
 read_locale(rhgb_t)
 allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
@@ -35,7 +36,7 @@
 
 allow rhgb_t ramfs_t:filesystem { mount unmount };
 allow rhgb_t mnt_t:dir { search mounton };
-allow rhgb_t rhgb_t:capability { sys_admin };
+allow rhgb_t self:capability { sys_admin sys_tty_config };
 dontaudit rhgb_t var_run_t:dir { search };
 
 can_network(rhgb_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.17.29/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.17.29/domains/program/unused/rlogind.te	2004-10-07 17:37:07.537750836 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the rlogind_t domain.
 #
-type rlogin_port_t, port_type;
+type rlogin_port_t, port_type, reserved_port_type;
 type rlogind_t, domain, privlog, auth_chkpwd, privfd;
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.29/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-01 15:05:31.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rpcd.te	2004-10-07 17:39:24.209252642 -0400
@@ -8,11 +8,12 @@
 
 #################################
 #
-# Rules for the rpcd_t domain.
+# Rules for the rpcd_t and nfsd_t domain.
 #
 define(`rpc_domain', `
 daemon_base_domain($1)
 can_network($1_t)
+can_ypbind($1_t)
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
@@ -21,6 +22,15 @@
 allow $1_t var_lib_t:dir { search };
 allow $1_t var_lib_nfs_t:dir create_dir_perms;
 allow $1_t var_lib_nfs_t:file create_file_perms;
+# do not log when it tries to bind to a port belonging to another domain
+dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+# bind to arbitary unused ports
+allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
+allow $1_t sysctl_rpc_t:dir search;
+allow $1_t sysctl_rpc_t:file rw_file_perms;
 ')
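Review bot: The new comment line reads `# bind to arbitary unused ports`; it should be `arbitrary`, and the header rewritten in the previous hunk, `# Rules for the rpcd_t and nfsd_t domain.`, should say `domains`. Since these rules now apply to every caller of rpc_domain rather than to rpcd_t alone, the macro definition would benefit from a header stating that, e.g. `# rpc_domain($1): common rules for RPC daemons; grants name_bind on any unassigned port (port_t) and silences binds to other reserved ports.` The define opens in the previous hunk; its body ends at the `')` shown here.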
 
 type exports_t, file_type, sysadmfile;
@@ -31,34 +41,20 @@
 #
 rpc_domain(rpcd)
 var_run_domain(rpcd)
+allow rpcd_t rpcd_var_run_t:dir setattr;
 
 # for rpc.rquotad
 allow rpcd_t sysctl_t:dir r_dir_perms;
-
-allow rpcd_t self:unix_dgram_socket create_socket_perms;
-allow rpcd_t self:unix_stream_socket create_socket_perms;
 allow rpcd_t self:fifo_file rw_file_perms;
-allow rpcd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # rpcd_t needs to talk to the portmap_t domain
 can_udp_send(rpcd_t, portmap_t)
 
-# bind to arbitary unused ports
-allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind;
-
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit rpcd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# for /var/run/rpc.statd/ directory
-allow rpcd_t rpcd_var_run_t:dir { setattr rw_dir_perms };
-r_dir_file(rpcd_t, var_yp_t);
-
+allow initrc_t exports_t:file r_file_perms;
 ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
+allow rpcd_t self:capability { chown dac_override setgid setuid net_admin };
 # for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file rw_file_perms;
-', `
-allow initrc_t exports_t:file r_file_perms;
+allow initrc_t exports_t:file write;
 ')
 
 allow rpcd_t self:file { getattr read };
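Review bot: net_admin is added to rpcd_t's capability set here with no comment on what needs it; the same addition appears for nfsd_t in the later rpcd.te hunk and for ypbind_t in ypbind.te, also without rationale. net_admin is a broad capability, so a one-line note on the operation that required it, and whether a dontaudit would have sufficed, would help future readers, e.g. `# net_admin: required for <operation taken from the denial>`. Separately, the initrc_t exports_t rule on the distro_redhat branch changes from rw_file_perms to r_file_perms plus write, which drops append; probably harmless but worth a glance. The rw_dir_perms on rpcd_var_run_t and the var_yp_t read access removed here are presumably supplied by var_run_domain and the new can_ypbind in the macro; confirm.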
@@ -75,19 +71,13 @@
 
 # for /proc/fs/nfs/exports - should we have a new type?
 allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t self:unix_dgram_socket create_socket_perms;
-allow nfsd_t self:unix_stream_socket create_stream_socket_perms;
 allow nfsd_t exports_t:file { getattr read };
 
 allow nfsd_t nfsd_fs_t:filesystem mount;
 allow nfsd_t nfsd_fs_t:dir search;
 allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow nfsd_t sysctl_rpc_t:dir search;
-allow nfsd_t sysctl_rpc_t:file rw_file_perms;
 allow initrc_t sysctl_rpc_t:dir search;
 allow initrc_t sysctl_rpc_t:file rw_file_perms;
-allow rpcd_t sysctl_rpc_t:dir search;
-allow rpcd_t sysctl_rpc_t:file rw_file_perms;
 
 type nfsd_rw_t, file_type, sysadmfile, usercanread;
 type nfsd_ro_t, file_type, sysadmfile, usercanread;
@@ -99,11 +89,14 @@
 create_dir_file(kernel_t,{ file_type -shadow_t })
 }
 
+dontaudit kernel_t shadow_t:file { getattr };
+
 bool nfs_export_all_ro false;
 
 if(nfs_export_all_ro) {
 allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
 r_dir_file(kernel_t,{ file_type -shadow_t })
+
 }
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
 create_dir_file(kernel_t, nfsd_rw_t);
@@ -116,15 +109,17 @@
 # does not really need this, but it is easier to just allow it
 allow nfsd_t var_run_t:dir search;
 
-allow nfsd_t self:capability { sys_admin sys_resource };
+allow nfsd_t self:capability { sys_admin sys_resource net_admin };
 allow nfsd_t fs_t:filesystem getattr;
 
 can_udp_send(nfsd_t, portmap_t)
 can_udp_send(portmap_t, nfsd_t)
 
 can_tcp_connect(nfsd_t, portmap_t)
-allow nfsd_t port_t:{ udp_socket tcp_socket } name_bind;
 
 # for exportfs and rpc.mountd
 allow nfsd_t tmp_t:dir getattr;
+
 r_dir_file(rpcd_t, rpc_pipefs_t)
+allow rpcd_t rpc_pipefs_t:sock_file { read write };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.17.29/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rshd.te	2004-10-07 17:37:16.155783617 -0400
@@ -9,7 +9,7 @@
 #
 # Rules for the rshd_t domain.
 #
-type rsh_port_t, port_type;
+type rsh_port_t, port_type, reserved_port_type;
 daemon_sub_domain(inetd_t, rshd)
 
 ifdef(`tcpd.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.17.29/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-08-18 08:42:50.000000000 -0400
+++ policy-1.17.29/domains/program/unused/samba.te	2004-10-07 17:37:36.879458053 -0400
@@ -41,7 +41,7 @@
 general_domain_access(smbd_t)
 general_proc_read_access(smbd_t)
 
-type smbd_port_t, port_type;
+type smbd_port_t, port_type, reserved_port_type;
 allow smbd_t smbd_port_t:tcp_socket name_bind;
 
 # Use capabilities.
@@ -90,7 +90,7 @@
 general_domain_access(nmbd_t)
 general_proc_read_access(nmbd_t)
 
-type nmbd_port_t, port_type;
+type nmbd_port_t, port_type, reserved_port_type;
 allow nmbd_t nmbd_port_t:udp_socket name_bind;
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.29/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/sendmail.te	2004-10-07 17:24:28.489441081 -0400
@@ -99,3 +99,5 @@
 allow system_mail_t sysctl_kernel_t:file read;
 dontaudit system_mail_t system_crond_tmp_t:file { append };
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+allow sendmail_t initrc_var_run_t:file { getattr read };
+dontaudit sendmail_t initrc_var_run_t:file { lock write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.17.29/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/slapd.te	2004-10-07 17:37:46.329397736 -0400
@@ -12,7 +12,7 @@
 #
 daemon_domain(slapd)
 
-type ldap_port_t, port_type;
+type ldap_port_t, port_type, reserved_port_type;
 allow slapd_t ldap_port_t:tcp_socket name_bind;
 
 etc_domain(slapd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.29/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/snmpd.te	2004-10-07 17:37:50.655912312 -0400
@@ -16,7 +16,7 @@
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
 
-type snmp_port_t, port_type;
+type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
 
 etc_domain(snmpd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.17.29/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-08-18 08:42:50.000000000 -0400
+++ policy-1.17.29/domains/program/unused/spamd.te	2004-10-07 17:38:12.609445542 -0400
@@ -9,7 +9,7 @@
 
 tmp_domain(spamd)
 
-type spamd_port_t, port_type;
+type spamd_port_t, port_type, reserved_port_type;
 allow spamd_t spamd_port_t:tcp_socket name_bind;
 
 general_domain_access(spamd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tftpd.te policy-1.17.29/domains/program/unused/tftpd.te
--- nsapolicy/domains/program/unused/tftpd.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.17.29/domains/program/unused/tftpd.te	2004-10-07 17:38:27.479741975 -0400
@@ -13,10 +13,10 @@
 #
 daemon_domain(tftpd)
 
-type tftp_port_t, port_type;
+type tftp_port_t, port_type, reserved_port_type;
 
 # tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
+type tftpdir_t, file_type, root_dir_type, sysadmfile;
 r_dir_file(tftpd_t, tftpdir_t)
 
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.29/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/udev.te	2004-10-07 17:24:28.490440967 -0400
@@ -105,6 +105,8 @@
 dbusd_client(system, udev_t)
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
+allow udev_t sysctl_dev_t:dir { search };
+allow udev_t sysctl_dev_t:file { getattr read };
 allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
 dontaudit  udev_t domain:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.17.29/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-07-30 14:39:45.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ypbind.te	2004-10-07 17:24:28.491440853 -0400
@@ -15,7 +15,7 @@
 tmp_domain(ypbind)
 
 # Use capabilities.
-allow ypbind_t ypbind_t:capability net_bind_service;
+allow ypbind_t self:capability { net_admin net_bind_service };
 
 # Use the network.
 can_network(ypbind_t)
@@ -35,4 +35,7 @@
 allow ypbind_t var_yp_t:file create_file_perms;
 allow initrc_t var_yp_t:dir { getattr read };
 allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:unix_stream_socket create_socket_perms;
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow ypbind_t reserved_port_t:tcp_socket { name_bind };
+allow ypbind_t reserved_port_t:udp_socket { name_bind };
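Review bot: The two new name_bind rules let ypbind_t bind any unassigned reserved port, but unlike nscd.te and the rpc_domain macro in this same patch no dontaudit is added for reserved_port_type, so when the random reserved-port choice lands on a port owned by another domain the denial described in the cover letter is still logged. If that is the NIS case being addressed, `dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;` would match the other domains. As a style point the two rules can be one line, `allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;`, and the braces around a single permission are unnecessary. reserved_port_t is not defined in this diff; presumably it is an existing type in the base policy.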
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.17.29/genfs_contexts
--- nsapolicy/genfs_contexts	2004-10-07 08:02:00.000000000 -0400
+++ policy-1.17.29/genfs_contexts	2004-10-07 17:24:28.491440853 -0400
@@ -87,6 +87,7 @@
 
 # nfs
 genfscon nfs /				system_u:object_r:nfs_t
+genfscon nfs4 /				system_u:object_r:nfs_t
 
 # reiserfs - until xattr security support works properly
 genfscon reiserfs /			system_u:object_r:nfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.29/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/base_user_macros.te	2004-10-07 17:24:28.492440739 -0400
@@ -45,6 +45,8 @@
 
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
+# Do not flood message log, if the user does ls /dev 
+dontaudit $1_t dev_fs:dir_file_class_set getattr;
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.17.29/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.29/macros/program/chkpwd_macros.te	2004-10-07 17:24:28.492440739 -0400
@@ -27,6 +27,7 @@
 role system_r types system_chkpwd_t;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
+dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
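Review bot: The added dontaudit on tty_device_t for `$1_chkpwd_t` sits in the first branch of an ifdef whose condition is outside this hunk, while the second hunk of this file removes the `ifdef(`targeted_policy'` allow of `{ read write }` on the same object. If the first branch is the targeted_policy one, this converts an allow into a dontaudit, which changes behaviour for any chkpwd helper that actually read or wrote the tty rather than merely probing it; if it is the other branch, targeted policy loses the access entirely. A short comment on the new line stating which case applies would make the intent checkable, e.g. `# PAM helpers probe the controlling tty; the access is not needed, so silence it`.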
@@ -51,9 +52,6 @@
 allow $1_chkpwd_t etc_t:file { getattr read };
 allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
 allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-ifdef(`targeted_policy', `
-allow $1_chkpwd_t tty_device_t:chr_file { read write };
-')
 read_locale($1_chkpwd_t)
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.17.29/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/program/inetd_macros.te	2004-10-07 17:28:18.332348120 -0400
@@ -46,7 +46,7 @@
 allow $1_t krb5_conf_t:file r_file_perms;
 dontaudit $1_t krb5_conf_t:file write;
 allow $1_t urandom_device_t:chr_file { getattr read };
-type $1_port_t, port_type;
+type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
 ifelse($2, `', `
 allow inetd_t $1_port_t:udp_socket { name_bind };
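Review bot: Marking every `$1_port_t` created by this macro as reserved_port_type applies the attribute regardless of the service's actual port number, whereas the cover letter defines the attribute as ports below 1024 and the per-file changes elsewhere in the patch leave higher ports (kerberos_master_port_t) out. An inetd service on a port above 1023 would then be covered by the new dontaudit rules in nscd.te and rpcd.te. If that is acceptable, a comment saying so would help, e.g. `# inetd services are assumed to listen below port 1024 (reserved_port_type)`; otherwise consider a macro argument or leaving the attribute to the per-service files.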
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.29/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/program/ssh_macros.te	2004-10-07 17:24:28.493440625 -0400
@@ -117,7 +117,7 @@
 
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
-dontaudit $1_ssh_t proc_t:file { getattr read };
+dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
 can_exec($1_ssh_t, shell_exec_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.29/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/program/xserver_macros.te	2004-10-07 17:24:28.494440511 -0400
@@ -64,7 +64,7 @@
 
 allow xdm_xserver_t init_t:fd use;
 
-dontaudit xdm_xserver_t sysadm_home_dir_t:dir { read search };
+dontaudit xdm_xserver_t homedirfile:dir { read search };
 ', `
 # The user role is authorized for this domain.
 role $1_r types $1_xserver_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.29/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.29/tunables/distro.tun	2004-10-07 17:24:28.494440511 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
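Review bot: Enabling `define(`distro_redhat')` in the shared tunables file, together with the tunable.tun hunk that switches on nscd_all_connect, user_can_mount, unlimitedRPM, unlimitedUtils, nfs_home_dirs, use_games, allow_ypbind, unlimitedRC, hide_broken_symptoms and user_canbe_sysadm, changes the defaults of the reference policy rather than of one build; several of those tunables run domains unconfined, so the upstream defaults should stay commented out unless the change is deliberate. These two hunks look like a local build configuration swept into the diff by `diff -r`; if so they should be dropped from the submission or listed in the exclude file. The cover letter does not mention the tunables.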
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.29/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.29/tunables/tunable.tun	2004-10-07 17:24:28.495440398 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.


* Re: More SELinux fixes.
  2004-10-07 21:48 More SELinux fixes Daniel J Walsh
@ 2004-10-08 13:41 ` Russell Coker
  2004-10-08 19:11   ` James Carter
  2004-10-08 18:06 ` James Carter
  2004-10-09  3:10 ` Russell Coker
  2 siblings, 1 reply; 13+ messages in thread
From: Russell Coker @ 2004-10-08 13:41 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Fri, 8 Oct 2004 07:48, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Please eliminate space before "udp" in inetd_child calls.  This will not
> work correctly with the space.

In what way doesn't it work correctly?

I just did a quick test and diff didn't report any difference in the result 
when I added a space.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-07 21:48 More SELinux fixes Daniel J Walsh
  2004-10-08 13:41 ` Russell Coker
@ 2004-10-08 18:06 ` James Carter
  2004-10-08 20:04   ` Daniel J Walsh
  2004-10-09  6:22   ` Russell Coker
  2004-10-09  3:10 ` Russell Coker
  2 siblings, 2 replies; 13+ messages in thread
From: James Carter @ 2004-10-08 18:06 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Russell Coker

Merged, with the exception of the sendmail part.

The sendmail.te part is a revision of Russell's patch from Oct 1st, is
this intentional?  Should these rules be added back?

On Thu, 2004-10-07 at 17:48, Daniel J Walsh wrote:
> Major fixup/cleanup of rpcd for nfs.
> 
> Fixes for ypbind.
> 
> Please eliminate space before "udp" in inetd_child calls.  This will not 
> work correctly with the space.
> 
> Added reserved_port_type attribute for all ports less than 1024.  NIS is 
> causing problems generating avc messages
> on these ports for random name_bind.  Want to be able to tell system to 
> don't audit these.   Might want to add a boolean
> to specifiy whether using NIS or not.
> 
> misc fixes.
> 
> Dan
> 
> ______________________________________________________________________

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.29/domains/program/unused/sendmail.te
> --- nsapolicy/domains/program/unused/sendmail.te	2004-10-07 08:02:01.000000000 -0400
> +++ policy-1.17.29/domains/program/unused/sendmail.te	2004-10-07 17:24:28.489441081 -0400
> @@ -99,3 +99,5 @@
>  allow system_mail_t sysctl_kernel_t:file read;
>  dontaudit system_mail_t system_crond_tmp_t:file { append };
>  dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
> +allow sendmail_t initrc_var_run_t:file { getattr read };
> +dontaudit sendmail_t initrc_var_run_t:file { lock write };

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-08 13:41 ` Russell Coker
@ 2004-10-08 19:11   ` James Carter
  0 siblings, 0 replies; 13+ messages in thread
From: James Carter @ 2004-10-08 19:11 UTC (permalink / raw)
  To: Russell Coker; +Cc: Daniel J Walsh, SELinux, Steve Smalley

[-- Attachment #1: Type: text/plain, Size: 835 bytes --]

For now, I have removed the spaces, but it seems awfully brittle if
there are problems depending on the presence or lack of spaces.

I tried it with the quotes around the udp in the inetd_child calls and
in inetd_macros.te and there was no difference between the two
policy.conf files.  Attached is the patch to add quotes.

Should we go with the quotes?  Or is there a reason not to?

On Fri, 2004-10-08 at 09:41, Russell Coker wrote:
> On Fri, 8 Oct 2004 07:48, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > Please eliminate space before "udp" in inetd_child calls.  This will not
> > work correctly with the space.
> 
> In what way doesn't it work correctly?
> 
> I just did a quick test and diff didn't report any difference in the result 
> when I added a space.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: inetd_child.diff --]
[-- Type: text/x-patch, Size: 2009 bytes --]

Index: domains/program/unused/comsat.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/comsat.te,v
retrieving revision 1.4
diff -u -r1.4 comsat.te
--- domains/program/unused/comsat.te	8 Oct 2004 17:56:44 -0000	1.4
+++ domains/program/unused/comsat.te	8 Oct 2004 18:14:55 -0000
@@ -11,7 +11,7 @@
 # comsat_exec_t is the type of the comsat executable.
 #
 
-inetd_child_domain(comsat,udp)
+inetd_child_domain(comsat, `udp')
 allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
 allow comsat_t mail_spool_t:dir r_dir_perms;
Index: domains/program/unused/ktalkd.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/ktalkd.te,v
retrieving revision 1.4
diff -u -r1.4 ktalkd.te
--- domains/program/unused/ktalkd.te	8 Oct 2004 17:56:45 -0000	1.4
+++ domains/program/unused/ktalkd.te	8 Oct 2004 18:15:36 -0000
@@ -10,4 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable.
 #
 
-inetd_child_domain(ktalkd,udp)
+inetd_child_domain(ktalkd, `udp')
Index: macros/program/inetd_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/inetd_macros.te,v
retrieving revision 1.4
diff -u -r1.4 inetd_macros.te
--- macros/program/inetd_macros.te	8 Oct 2004 17:56:46 -0000	1.4
+++ macros/program/inetd_macros.te	8 Oct 2004 18:47:45 -0000
@@ -54,11 +54,11 @@
 allow inetd_t $1_port_t:tcp_socket { name_bind };
 allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
 ')
-ifelse($2, tcp, `
+ifelse($2, `tcp', `
 allow inetd_t $1_port_t:tcp_socket { name_bind };
 allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
 ')
-ifelse($2, udp, `
+ifelse($2, `udp', `
 allow inetd_t $1_port_t:udp_socket { name_bind };
 allow $1_t inetd_t:udp_socket rw_socket_perms;
 ')
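Review bot: The reason for the new quotes is not recorded in inetd_macros.te, so the next person to add an inetd_child_domain call cannot see that the second argument is compared textually against `tcp'/`udp' and is expected quoted, as the comsat.te and ktalkd.te hunks in this patch now pass it. A comment above the ifelse chain, such as `# $2 selects the protocol and is compared literally: pass `tcp' or `udp' (quoted)`, would make the convention visible and address the brittleness discussed in the thread. The first ifelse of the chain starts above this hunk, so what an empty second argument selects is not visible here and the comment should cover that case too.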


* Re: More SELinux fixes.
  2004-10-08 18:06 ` James Carter
@ 2004-10-08 20:04   ` Daniel J Walsh
  2004-10-09  6:22   ` Russell Coker
  1 sibling, 0 replies; 13+ messages in thread
From: Daniel J Walsh @ 2004-10-08 20:04 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux, Russell Coker

James Carter wrote:

>Merged, with the exception of the sendmail part.
>
>The sendmail.te part is a revision of Russell's patch from Oct 1st, is
>this intentional?  Should these rules be added back?
>
>On Thu, 2004-10-07 at 17:48, Daniel J Walsh wrote:
>  
>
>>Major fixup/cleanup of rpcd for nfs.
>>
>>Fixes for ypbind.
>>
>>Please eliminate space before "udp" in inetd_child calls.  This will not 
>>work correctly with the space.
>>
>>Added reserved_port_type attribute for all ports less than 1024.  NIS is 
>>causing problems generating avc messages
>>on these ports for random name_bind.  Want to be able to tell system to 
>>don't audit these.   Might want to add a boolean
>>to specifiy whether using NIS or not.
>>
>>misc fixes.
>>
>>Dan
>>
>>______________________________________________________________________
>>    
>>
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.29/domains/program/unused/sendmail.te
>>--- nsapolicy/domains/program/unused/sendmail.te	2004-10-07 08:02:01.000000000 -0400
>>+++ policy-1.17.29/domains/program/unused/sendmail.te	2004-10-07 17:24:28.489441081 -0400
>>@@ -99,3 +99,5 @@
>> allow system_mail_t sysctl_kernel_t:file read;
>> dontaudit system_mail_t system_crond_tmp_t:file { append };
>> dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
>>+allow sendmail_t initrc_var_run_t:file { getattr read };
>>+dontaudit sendmail_t initrc_var_run_t:file { lock write };
>>    
>>
>
>  
>
No that is a mistake.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-07 21:48 More SELinux fixes Daniel J Walsh
  2004-10-08 13:41 ` Russell Coker
  2004-10-08 18:06 ` James Carter
@ 2004-10-09  3:10 ` Russell Coker
  2 siblings, 0 replies; 13+ messages in thread
From: Russell Coker @ 2004-10-09  3:10 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Fri, 8 Oct 2004 07:48, Daniel J Walsh <dwalsh@redhat.com> wrote:
policy-1.17.29/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te   2004-10-01 15:05:32.000000000 
-0400
+++ policy-1.17.29/macros/program/chkpwd_macros.te      2004-10-07 
17:24:28.492440739 -0400
@@ -27,6 +27,7 @@
 role system_r types system_chkpwd_t;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
+dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
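Review bot: The new `dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;` is placed in the first branch of the ifelse (before the `', `` that ends this hunk), whereas the `allow $1_chkpwd_t tty_device_t:chr_file { read write };` it replaces in the second hunk below was inside `ifdef(`targeted_policy', ...)`; unless that first branch is the targeted case, strict policy now also stops logging the tty access, and rw_file_perms is a wider set than the read/write that was previously allowed. Guarding the dontaudit the same way as the rule it replaces and narrowing it to `{ read write }` would keep the change a pure tightening that is easy to verify. A short comment on the line recording why the access is denied silently rather than granted would also help, since the enclosing macro definition starts above this hunk.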
@@ -51,9 +52,6 @@
 allow $1_chkpwd_t etc_t:file { getattr read };
 allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
 allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-ifdef(`targeted_policy', `
-allow $1_chkpwd_t tty_device_t:chr_file { read write };
-')
 read_locale($1_chkpwd_t)
 
 # Use capabilities.

Do we have a bug in the PAM code?  If the PAM code is working as designed then 
the terminal will be closed before unix_chkpwd is executed.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-08 18:06 ` James Carter
  2004-10-08 20:04   ` Daniel J Walsh
@ 2004-10-09  6:22   ` Russell Coker
  2004-10-10  1:26     ` Daniel J Walsh
  1 sibling, 1 reply; 13+ messages in thread
From: Russell Coker @ 2004-10-09  6:22 UTC (permalink / raw)
  To: jwcart2; +Cc: Daniel J Walsh, SELinux

On Sat, 9 Oct 2004 04:06, James Carter <jwcart2@epoch.ncsc.mil> wrote:
> Merged, with the exception of the sendmail part.
>
> The sendmail.te part is a revision of Russell's patch from Oct 1st, is
> this intentional?  Should these rules be added back?

If sendmail is started with file handle 0 being /dev/console then it wants to 
access /var/run/utmp.  If file handle 0 refers to /dev/null then it doesn't.

I'm currently looking into this; I suspect that a minor change to sendmail or 
its startup scripts might be the most appropriate thing.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-09  6:22   ` Russell Coker
@ 2004-10-10  1:26     ` Daniel J Walsh
  2004-10-10  7:36       ` Russell Coker
  2004-10-13 18:36       ` James Carter
  0 siblings, 2 replies; 13+ messages in thread
From: Daniel J Walsh @ 2004-10-10  1:26 UTC (permalink / raw)
  To: russell; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 921 bytes --]

Includes Collin's new cups patch.

I turned on every service in an everything install and came up with many 
fixes for all the AVC messages.

Added arpwatch policy.

Changed allow_ypbind to a boolean, so policy can be turned on/off by 
sysadmin.

Working with ipsec team to get program cleaned up so we can write better 
policy.

Temporarily added a rule to allow apache to talk to tmp_t:sock_file in 
targeted policy.  This allows
it to work with postgresql.  Not sure of a good way to fix this.  One option: we 
could add postgresql policy to targeted,
but I am afraid this is a slippery slope.  Colin suggested that we add 
a new policy postgresql_unconfined.te for
targeted that basically runs postgres unconfined but creates /tmp files 
with an appropriate security context. 
What do you guys think?  Lastly we could tell any users who want to use 
apache with postgres to turn off the
transition of apache to context.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 32446 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.29/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-10-09 21:06:13.967473559 -0400
+++ policy-1.17.29/domains/program/mount.te	2004-10-08 10:47:33.000000000 -0400
@@ -72,7 +72,6 @@
 can_udp_send(portmap_t, mount_t)
 allow mount_t rpc_pipefs_t:dir search;
 ')
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
 
 #
 # required for mount.smbfs
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.29/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-08-20 13:57:28.000000000 -0400
+++ policy-1.17.29/domains/program/unused/acct.te	2004-10-09 10:46:43.000000000 -0400
@@ -65,3 +65,7 @@
 allow acct_t devtty_t:chr_file { read write };
 
 allow acct_t { etc_t etc_runtime_t }:file { read getattr };
+
+ifdef(`logrotate.te', `
+allow logrotate_t acct_data_t:file create_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.29/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-10-09 21:06:14.078460984 -0400
+++ policy-1.17.29/domains/program/unused/apache.te	2004-10-08 13:44:21.000000000 -0400
@@ -279,6 +279,10 @@
 allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
 allow httpd_t user_home_dir_t:dir { getattr search };
 }
+# 
+# Allow httpd to work with postgresql
+#
+allow httpd_t tmp_t:sock_file rw_file_perms;
 ') dnl targeted policy
 
 #
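Review bot: `allow httpd_t tmp_t:sock_file rw_file_perms;` lets httpd read and write every unix socket of type tmp_t in the targeted policy, not only postgresql's, and the comment above it does not say that it is the stopgap the cover letter describes. At minimum the comment should record that, e.g. `# TEMPORARY: postgresql creates its socket in /tmp as tmp_t; replace with a postgresql socket type or a boolean`, and putting the rule behind a boolean would let administrators who do not run postgresql keep it off. The enclosing targeted-policy ifdef starts above this hunk.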
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.17.29/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.29/domains/program/unused/arpwatch.te	2004-10-09 14:36:10.000000000 -0400
@@ -0,0 +1,22 @@
+#DESC arpwatch -  keep track of ethernet/ip address pairings
+#
+# Author:  Dan Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the arpwatch_t domain.
+#
+# arpwatch_exec_t is the type of the arpwatch executable.
+#
+daemon_domain(arpwatch, `, privmail')
+type arpwatch_data_t, file_type, sysadmfile;
+allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+allow arpwatch_t self:capability { net_admin net_raw };
+allow arpwatch_t self:udp_socket create_socket_perms;
+allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+allow arpwatch_t arpwatch_t:capability { setgid setuid };
+allow arpwatch_t arpwatch_t:packet_socket create_socket_perms;
+allow arpwatch_t arpwatch_t:unix_stream_socket create_stream_socket_perms;
+create_dir_file(arpwatch_t,arpwatch_data_t)
+allow arpwatch_t tmp_t:dir { search };
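Review bot: The capability rules are split over two lines that differ only in spelling the subject as `self` versus `arpwatch_t`, and the socket rules mix the two spellings the same way; `allow arpwatch_t self:capability { net_admin net_raw setgid setuid };` is the same policy and reads as one grant. Nothing in this patch labels the executable or the data directory: unless file_contexts entries for arpwatch_exec_t and arpwatch_data_t are elsewhere in the series, the daemon will never enter arpwatch_t (the same question applies to rsync_data_t added in the rsync.te hunk). The header block could also say what arpwatch_data_t holds, e.g. `# arpwatch_data_t: the database of address pairings arpwatch writes`.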
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.29/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-09 21:06:14.140453960 -0400
+++ policy-1.17.29/domains/program/unused/cups.te	2004-10-09 21:08:35.809404520 -0400
@@ -52,8 +52,6 @@
 # write to spool
 allow cupsd_t var_spool_t:dir search;
 
-rw_dir_create_file(cupsd_t, printconf_t)
-
 # this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
 file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
@@ -165,11 +163,50 @@
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
 
+allow cupsd_t printconf_t:file { getattr read };
+
 ifdef(`hald.te', `
-allow cupsd_t hald_t:dbus { send_msg };
-allow hald_t cupsd_t:dbus { send_msg };
-allow hald_t cupsd_etc_t:dir search;
-allow hald_t printconf_t:file { getattr read };
-domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)
+
+# CUPS configuration daemon
+daemon_domain(cupsd_config)
+
+allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
+allow cupsd_config_t self:file { getattr read };
+
+allow cupsd_config_t proc_t:file { getattr read };
+allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+allow cupsd_config_t cupsd_t:process { signal };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+allow cupsd_config_t cupsd_t:dir { search };
+
+allow cupsd_config_t self:capability { chown };
+
+rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+
+can_network(cupsd_config_t)
+can_tcp_connect(cupsd_config_t, cupsd_t)
+allow cupsd_config_t self:fifo_file rw_file_perms;
+
+dbusd_client(system, cupsd_config_t)
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t userdomain:dbus { send_msg };
+allow userdomain cupsd_config_t:dbus { send_msg };
+allow cupsd_config_t hald_t:dbus { send_msg };
+allow hald_t cupsd_config_t:dbus { send_msg };
+
+
+can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
+allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
+allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
+
+allow cupsd_config_t usr_t:file { getattr read };
+allow cupsd_config_t var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+allow cupsd_config_t printconf_t:file { getattr read };
+
+allow cupsd_config_t urandom_device_t:chr_file { getattr read };
+
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+
 ')
-allow cupsd_t userdomain:dbus { send_msg };
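Review bot: The whole cupsd_config_t domain, including its `daemon_domain(cupsd_config)` declaration, is added inside the existing `ifdef(`hald.te', ...)` that this hunk only extends, so on a system whose policy does not include hald.te the type cupsd_config_exec_t is never declared and the configuration daemon runs in whatever domain started it. Only the three rules that mention hald_t (the two dbus send_msg rules and the domain_auto_trans at the end) depend on hald; moving the ifdef to wrap just those keeps the daemon confined everywhere. The dbusd_client call and the userdomain dbus rules may similarly need to be conditional on the dbus policy being present, which is not visible here.
```m4
allow cupsd_t printconf_t:file { getattr read };

# CUPS configuration daemon; confined whether or not hald is present
daemon_domain(cupsd_config)
# … unchanged: cupsd_config_t file, process, network, exec and dbus rules …
ifdef(`hald.te', `
allow cupsd_config_t hald_t:dbus { send_msg };
allow hald_t cupsd_config_t:dbus { send_msg };
domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
')
```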
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.29/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-10-09 21:06:14.172450335 -0400
+++ policy-1.17.29/domains/program/unused/dhcpc.te	2004-10-08 13:30:19.000000000 -0400
@@ -36,7 +36,9 @@
 ifdef(`consoletype.te', `
 domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
 ')
-
+ifdef(`nscd.te', `
+domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
+')
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
@@ -132,3 +134,4 @@
 allow dhcpc_t home_root_t:dir { search };
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir { search };
+dontaudit dhcpc_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.29/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.29/domains/program/unused/dovecot.te	2004-10-09 14:36:10.000000000 -0400
@@ -44,3 +44,6 @@
 allow dovecot_auth_t etc_t:file { getattr read };
 allow dovecot_auth_t { self proc_t }:file { getattr read };
 read_locale(dovecot_auth_t)
+allow dovecot_auth_t sysctl_kernel_t:dir search;
+allow dovecot_auth_t sysctl_kernel_t:file read;
+allow dovecot_auth_t sysctl_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.29/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/hald.te	2004-10-09 11:22:40.000000000 -0400
@@ -61,3 +61,5 @@
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
 dontaudit hald_t selinux_config_t:dir { search };
+allow hald_t initrc_t:dbus { send_msg };
+allow initrc_t hald_t:dbus { send_msg };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.17.29/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.17.29/domains/program/unused/howl.te	2004-10-09 20:49:54.576412905 -0400
@@ -2,7 +2,7 @@
 allow howl_t proc_t:file { getattr read };
 can_network(howl_t)
 can_ypbind(howl_t)
-allow howl_t self:capability net_admin;
+allow howl_t self:capability { kill net_admin };
 
 allow howl_t self:fifo_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.17.29/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-10-09 21:06:14.281437986 -0400
+++ policy-1.17.29/domains/program/unused/innd.te	2004-10-09 10:44:22.000000000 -0400
@@ -69,3 +69,8 @@
 allow syslogd_t innd_log_t:dir search;
 allow syslogd_t innd_log_t:file create_file_perms;
 ')
+allow innd_t self:file { getattr read };
+dontaudit innd_t selinux_config_t:dir { search };
+allow system_crond_t innd_etc_t:file { getattr read };
+allow innd_t bin_t:lnk_file { read };
+allow innd_t sbin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.29/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.29/domains/program/unused/ipsec.te	2004-10-09 14:36:11.000000000 -0400
@@ -30,6 +30,7 @@
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
 file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
+file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
 
 allow ipsec_mgmt_t modules_object_t:dir search;
 allow ipsec_mgmt_t modules_object_t:file getattr;
@@ -74,8 +75,6 @@
 can_exec(ipsec_t, shell_exec_t)
 can_exec(ipsec_t, bin_t)
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
-can_exec(ipsec_mgmt_t, ifconfig_exec_t)
-
 # now for a icky part...
 # pluto runs an updown script (by calling popen()!); as this is by default
 # a shell script, we need to find a way to make things work without
@@ -125,6 +124,7 @@
 
 # from initrc.te
 domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
 
 
 ########## The following rules were added by cvance@tislabs.com ##########
@@ -224,3 +228,8 @@
 dontaudit ipsec_t ttyfile:chr_file { read write };
 allow ipsec_t self:capability { dac_override dac_read_search };
 allow ipsec_t reserved_port_t:udp_socket { name_bind };
+allow ipsec_mgmt_t dev_fs:file_class_set getattr;
+dontaudit ipsec_mgmt_t device_t:lnk_file read;
+allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
+allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
+rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.17.29/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.17.29/domains/program/unused/iptables.te	2004-10-08 13:30:41.000000000 -0400
@@ -37,10 +37,11 @@
 # for iptables -L
 allow iptables_t self:unix_stream_socket create_socket_perms;
 can_network(iptables_t)
+can_ypbind(iptables_t)
 
 allow iptables_t bin_t:file { execute execute_no_trans };
 allow iptables_t iptables_exec_t:file { execute_no_trans };
-allow iptables_t iptables_t:capability { net_admin net_raw };
+allow iptables_t iptables_t:capability { net_admin net_raw net_bind_service };
 allow iptables_t iptables_t:rawip_socket create_socket_perms;
 
 allow iptables_t etc_t:file { getattr read };
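Review bot: `net_bind_service` is added to iptables_t unconditionally, while the only visible reason for it appears to be the NIS lookups that the new `can_ypbind(iptables_t)` enables (a NIS client binds a reserved port, which is the problem the cover letter describes), and the same cover letter says allow_ypbind has become a boolean. If can_ypbind expands to a boolean-guarded block, the capability belongs inside the same guard; otherwise every iptables invocation may bind privileged ports whether or not NIS is in use. The nscd.te hunk makes the same unconditional addition, and a comment on each line such as `# NIS client lookups bind a reserved port` would at least record the dependency.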
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.17.29/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-09-10 10:45:48.000000000 -0400
+++ policy-1.17.29/domains/program/unused/mdadm.te	2004-10-09 14:36:11.000000000 -0400
@@ -18,7 +18,7 @@
 read_locale(mdadm_t)
 
 # Linux capabilities
-allow mdadm_t self:capability { dac_override sys_admin };
+allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
 
 # Helper program access
 can_exec(mdadm_t, { bin_t sbin_t })
@@ -38,3 +38,4 @@
 dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 dontaudit mdadm_t initctl_t:fifo_file { getattr };
 var_run_domain(mdadm)
+allow mdadm_t var_t:dir { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.29/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-09 21:06:14.466417028 -0400
+++ policy-1.17.29/domains/program/unused/nscd.te	2004-10-08 13:30:51.000000000 -0400
@@ -58,7 +58,7 @@
 allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid net_bind_service };
 
 # for when /etc/passwd has just been updated and has the wrong type
 allow nscd_t shadow_t:file getattr;
@@ -74,5 +74,4 @@
 can_getsecurity(nscd_t)
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
 
-dontaudit nscd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.17.29/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-09-13 15:58:18.000000000 -0400
+++ policy-1.17.29/domains/program/unused/postgresql.te	2004-10-09 16:11:06.000000000 -0400
@@ -32,7 +32,8 @@
 allow postgresql_t { var_spool_t cron_spool_t }:dir search;
 
 # capability kill is for shutdown script
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_tty_config };
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
+dontaudit postgresql_t postgresql_t:capability { sys_admin };
 
 etcdir_domain(postgresql)
 typealias postgresql_etc_t alias etc_postgresql_t;
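Review bot: `dontaudit postgresql_t postgresql_t:capability { sys_admin };` spells the subject out where the line above uses `self`, and it silences a denial of the broadest capability without recording which operation trips it, so a later reader cannot judge whether the suppressed request is harmless. `dontaudit postgresql_t self:capability sys_admin;` with a comment such as `# sys_admin: requested by <operation that produced the AVC>, works without it` would keep that knowledge with the rule.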
@@ -93,7 +94,7 @@
 allow postgresql_t devtty_t:chr_file { read write };
 allow postgresql_t devpts_t:dir search;
 
-can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t shell_exec_t etc_t })
+can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t shell_exec_t etc_t hostname_exec_t })
 allow postgresql_t { bin_t sbin_t }:dir search;
 allow postgresql_t { bin_t sbin_t }:lnk_file read;
 allow postgresql_t postgresql_exec_t:lnk_file read;
@@ -101,3 +102,6 @@
 allow postgresql_t self:sem create_sem_perms;
 
 allow postgresql_t initrc_var_run_t:file { getattr read lock };
+dontaudit postgresql_t selinux_config_t:dir { search };
+allow postgresql_t mail_spool_t:dir { search };
+rw_dir_create_file(postgresql_t, var_lock_t)
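Review bot: `rw_dir_create_file(postgresql_t, var_lock_t)` lets postgresql create and modify files of the generic var_lock_t type, i.e. every lock file it shares /var/lock with, rather than only its own. Giving postgresql a lock type of its own with a file transition from var_lock_t, the way `var_run_domain(mdadm)` in the mdadm.te hunk does for /var/run, would confine the writes to its own files; at minimum a comment naming the lock file it creates would document the need.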
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.17.29/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2004-08-27 16:51:30.000000000 -0400
+++ policy-1.17.29/domains/program/unused/procmail.te	2004-10-08 10:47:33.000000000 -0400
@@ -71,3 +71,4 @@
 ifdef(`sendmail.te', `
 r_dir_file(procmail_t, etc_mail_t)
 ')
+allow procmail_t mqueue_spool_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.17.29/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-10-09 21:06:14.975359364 -0400
+++ policy-1.17.29/domains/program/unused/rpcd.te	2004-10-08 14:27:20.000000000 -0400
@@ -122,4 +122,4 @@
 
 r_dir_file(rpcd_t, rpc_pipefs_t)
 allow rpcd_t rpc_pipefs_t:sock_file { read write };
-
+dontaudit rpcd_t selinux_config_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.29/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rpm.te	2004-10-08 12:44:01.000000000 -0400
@@ -216,6 +216,7 @@
 allow rpm_script_t fs_t:filesystem { getattr mount unmount };
 allow rpm_script_t rpm_script_tmp_t:dir { mounton };
 can_exec(rpm_script_t, usr_t)
+can_exec(rpm_script_t, sbin_t)
 
 allow rpm_t mount_t:tcp_socket { write };
 create_dir_file(rpm_t, nfs_t)
@@ -248,7 +249,7 @@
 allow rpmbuild_t policy_src_t:file { getattr read };
 can_getsecurity(rpmbuild_t)
 
-allow rpm_script_t userdomain:process { signal };
+allow rpm_script_t domain:process { signal signull };
 
 ifdef(`unlimitedRPM', `
 unconfined_domain(rpm_t)
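Review bot: Widening the target from userdomain to `domain` lets rpm scriptlets send signals (everything but kill and stop, which are separate permissions) to every confined process on the system, and the line carries no comment saying which scriptlet pattern needed it. If the denials came from service restarts, those normally go through initrc_t and a transition would be the narrower fix; if scriptlets really signal running daemons directly, a comment such as `# scriptlets signal running daemons directly (reload after upgrade)` would let reviewers judge the grant. Under unlimitedRPM, which the ifdef at the end of this hunk shows, the rule makes no difference.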
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.29/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/rsync.te	2004-10-08 11:01:29.000000000 -0400
@@ -11,3 +11,5 @@
 #
 
 inetd_child_domain(rsync)
+type rsync_data_t, file_type, sysadmfile;
+r_dir_file(rsync_t, rsync_data_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.17.29/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-10-09 21:06:15.009355512 -0400
+++ policy-1.17.29/domains/program/unused/samba.te	2004-10-09 14:36:09.000000000 -0400
@@ -113,4 +113,6 @@
 allow nmbd_t samba_log_t:file { create ra_file_perms };
 allow nmbd_t var_log_t:dir search;
 allow nmbd_t samba_log_t:dir ra_dir_perms;
-
+ifdef(`cups.te', `
+allow smbd_t cupsd_rw_etc_t:file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.29/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.29/domains/program/unused/sendmail.te	2004-10-08 10:47:33.000000000 -0400
@@ -99,3 +99,5 @@
 allow system_mail_t sysctl_kernel_t:file read;
 dontaudit system_mail_t system_crond_tmp_t:file { append };
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+allow sendmail_t initrc_var_run_t:file { getattr read };
+dontaudit sendmail_t initrc_var_run_t:file { lock write };
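Review bot: These two sendmail_t rules on initrc_var_run_t are the same lines that were held back from the previous merge earlier in this thread, yet they are present unchanged in this revision of the patch; if they are not meant to be resubmitted they should be dropped here. If they are intended, a one-line comment above them recording why sendmail needs read access to the file and why lock/write are silenced rather than granted would prevent the question from recurring.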
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slrnpull.te policy-1.17.29/domains/program/unused/slrnpull.te
--- nsapolicy/domains/program/unused/slrnpull.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.17.29/domains/program/unused/slrnpull.te	2004-10-08 10:47:33.000000000 -0400
@@ -21,3 +21,4 @@
 allow userdomain slrnpull_spool_t:dir { search };
 rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
 allow slrnpull_t var_spool_t:dir { search };
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.29/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-10-09 21:06:15.044351547 -0400
+++ policy-1.17.29/domains/program/unused/snmpd.te	2004-10-09 14:36:09.000000000 -0400
@@ -25,7 +25,8 @@
 # for the .index file
 var_lib_domain(snmpd)
 file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
+file_type_auto_trans(snmpd_t, usr_t, snmpd_var_lib_t, file)
+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, file)
 typealias snmpd_var_lib_t alias snmpd_var_rw_t;
 
 log_domain(snmpd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.29/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-09 21:06:15.309321525 -0400
+++ policy-1.17.29/domains/program/unused/udev.te	2004-10-08 13:29:55.000000000 -0400
@@ -106,7 +106,8 @@
 
 allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
 allow udev_t sysctl_dev_t:dir { search };
-allow udev_t sysctl_dev_t:file { getattr read };
-allow udev_t sysctl_modprobe_t:file { getattr read };
 allow udev_t udev_t:rawip_socket create_socket_perms;
 dontaudit  udev_t domain:dir r_dir_perms;
+allow udev_t mnt_t:dir { search };
+allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
+allow udev_t dev_fs:{ chr_file blk_file } { relabelfrom relabelto };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.29/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-22 16:19:12.000000000 -0400
+++ policy-1.17.29/domains/program/unused/updfstab.te	2004-10-08 14:29:32.000000000 -0400
@@ -69,3 +69,4 @@
 can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
 dontaudit updfstab_t home_root_t:dir { getattr search };
 dontaudit updfstab_t { home_dir_type home_type }:dir { search };
+allow updfstab_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.17.29/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-10-09 21:06:15.335318580 -0400
+++ policy-1.17.29/domains/program/unused/ypbind.te	2004-10-08 10:47:33.000000000 -0400
@@ -12,6 +12,8 @@
 #
 daemon_domain(ypbind)
 
+bool allow_ypbind true;
+
 tmp_domain(ypbind)
 
 # Use capabilities.
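Review bot: `bool allow_ypbind true;` silently flips the default: the tunable it replaces was shipped commented out (`dnl define(`allow_ypbind')` is removed from tunable.tun in this same patch), so hosts that never used NIS now get the NIS client rules for every can_ypbind caller until an administrator turns the boolean off. A comment on the declaration should say what it gates and why it defaults on, for instance `# allow_ypbind: let domains that use can_ypbind() reach NIS; default on — set to false on hosts without NIS`. If the intent was to keep the old opt-in behaviour, the declaration should read `bool allow_ypbind false;`.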
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.17.29/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.17.29/domains/program/unused/ypserv.te	2004-10-09 11:22:39.000000000 -0400
@@ -13,7 +13,7 @@
 tmp_domain(ypserv)
 
 # Use capabilities.
-allow ypserv_t self:capability net_bind_service;
+allow ypserv_t self:capability { net_admin net_bind_service };
 
 # Use the network.
 can_network(ypserv_t)
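Review bot: `allow ypserv_t self:capability { net_admin net_bind_service };` adds CAP_NET_ADMIN with no explanation, and that capability covers interface and routing configuration — far wider than anything else ypserv is given in this file. If it was added because of the `self:netlink_route_socket r_netlink_socket_perms` rule in the next hunk, note that read-only route queries do not need net_admin, so the denial may have come from a speculative kernel capability check that is better handled with a dontaudit. Either way, record the reason next to the rule, e.g. `# net_admin: <reason — TODO confirm from the AVC>`.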
@@ -35,3 +35,8 @@
 allow ypserv_t var_yp_t:file create_file_perms;
 allow ypserv_t ypserv_conf_t:file { getattr read };
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
+allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`rpcd.te', `
+allow rpcd_t ypserv_conf_t:file { getattr read };
+')
+allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/arpwatch.fc policy-1.17.29/file_contexts/program/arpwatch.fc
--- nsapolicy/file_contexts/program/arpwatch.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.29/file_contexts/program/arpwatch.fc	2004-10-09 11:24:04.000000000 -0400
@@ -0,0 +1,3 @@
+# arpwatch - keep track of ethernet/ip address pairings
+/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t
+/var/arpwatch(/.*)?	system_u:object_r:arpwatch_data_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.17.29/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.17.29/file_contexts/program/cups.fc	2004-10-09 21:08:49.289877534 -0400
@@ -18,8 +18,9 @@
 /usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
 /usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
 /usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
-/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_exec_t
-/usr/sbin/printconf-backend --	system_u:object_r:cupsd_exec_t
+/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t
+/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t
+/usr/sbin/printconf-backend --	system_u:object_r:sbin_t
 /var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
 /var/spool/cups(/.*)?		system_u:object_r:print_spool_t
 /var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
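Review bot: `/usr/sbin/printconf-backend --	system_u:object_r:sbin_t` quietly demotes a binary that used to carry cupsd_exec_t to the generic sbin_t label, so executing it no longer enters the cups domain, while hal_lpadmin and cups-config-daemon move to the new cupsd_config_exec_t. Nothing in the hunk says why printconf-backend is treated differently from the other two; a short comment above the entry (or in cups.te where cupsd_config_exec_t is declared) explaining which domain is expected to run it would keep the next person from "fixing" it back.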
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.17.29/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc	2004-09-02 14:45:46.000000000 -0400
+++ policy-1.17.29/file_contexts/program/ipsec.fc	2004-10-08 16:45:52.000000000 -0400
@@ -3,8 +3,10 @@
 /etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t
 /etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t
 /etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
-/usr/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
+/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
+/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t
+/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t
+/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
 /usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
@@ -17,10 +19,7 @@
 /usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
-/usr/sbin/ipsec		--	system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/sbin/ipsec	--	system_u:object_r:ipsec_mgmt_exec_t
-/var/run/ipsec\.info		system_u:object_r:ipsec_var_run_t
-/var/run/pluto\.ctl		system_u:object_r:ipsec_var_run_t
+/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
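Review bot: Removing the `/usr/sbin/ipsec` and `/usr/local/sbin/ipsec` entries leaves the management front end with no file_contexts entry at all, so it falls back to whatever the parent directory's specification gives and the transition into ipsec_mgmt_t is lost; only `_plutoload` and `_plutorun` in the first hunk keep ipsec_mgmt_exec_t. If that is deliberate while the ipsec policy is being reworked, say so in a comment, e.g. `# /usr/sbin/ipsec intentionally unlabeled until the ipsec policy rework lands`. In the first hunk, `/usr/lib(64)?/ipsec/_plutoload -- 	` has a stray space before the tab, unlike every other line in the file.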
 
 # Kame
 /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.29/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-10-09 21:06:15.394311896 -0400
+++ policy-1.17.29/macros/base_user_macros.te	2004-10-08 16:27:42.000000000 -0400
@@ -43,6 +43,8 @@
 # for eject
 allow $1_t fixed_disk_device_t:blk_file { getattr };
 
+allow $1_t root_dir_type:dir { getattr };
+
 # open office is looking for the following
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
 # Do not flood message log, if the user does ls /dev 
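Review bot: `allow $1_t root_dir_type:dir { getattr };` is the only rule in this stretch without a why-comment, whereas its neighbours carry `# for eject` and `# open office is looking for the following`. Add one naming the program whose AVC prompted it, in the same one-line style as the surrounding rules, so the rule can later be narrowed or dropped when that program changes.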
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.29/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.17.29/macros/global_macros.te	2004-10-08 10:47:33.000000000 -0400
@@ -396,6 +396,7 @@
 
 # for df
 allow $1_t fs_type:filesystem getattr;
+allow $1_t removable_t:filesystem getattr;
 
 read_locale($1_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.17.29/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-09-02 14:45:47.000000000 -0400
+++ policy-1.17.29/macros/program/apache_macros.te	2004-10-08 10:47:33.000000000 -0400
@@ -45,7 +45,6 @@
 
 uses_shlib(httpd_$1_script_t)
 can_network(httpd_$1_script_t)
-can_ypbind(httpd_$1_script_t)
 allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_$1_script_t usr_t:lnk_file { getattr read };
 
@@ -65,7 +64,9 @@
 allow httpd_$1_script_t device_t:dir { getattr search };
 allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
 }
-
+if (httpd_enable_cgi && allow_ypbind) {
+uncond_can_ypbind(httpd_$1_script_t)
+}
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
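Review bot: `if (httpd_enable_cgi && allow_ypbind) {` references the allow_ypbind boolean directly, but the boolean is declared inside ypbind.te (this patch's ypbind.te hunk), so a policy built without ypbind.te will fail in checkpolicy on an undeclared boolean; the same applies to `if (spamassasin_can_network && allow_ypbind) {` in the spamassassin_macros.te hunk. Wrap the three-line conditional in ifdef(`ypbind.te', ` ... ') in both places, as the ypserv.te hunk in this same patch does for rpcd.te, or keep calling the guarded can_ypbind macro instead of uncond_can_ypbind. The `}` at the start of this hunk closes an `if (httpd_enable_cgi)` block that begins outside the hunk.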
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.17.29/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2004-09-30 20:48:49.000000000 -0400
+++ policy-1.17.29/macros/program/spamassassin_macros.te	2004-10-08 10:57:36.000000000 -0400
@@ -90,9 +90,10 @@
 # set tunable if you have spamassassin do DNS lookups
 if (spamassasin_can_network) {
 can_network($1_spamassassin_t)
-can_ypbind($1_spamassassin_t)
 }
-
+if (spamassasin_can_network && allow_ypbind) {
+uncond_can_ypbind($1_spamassassin_t)
+}
 ###
 # Define the domain for /usr/bin/spamc
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.29/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-09-09 16:22:13.000000000 -0400
+++ policy-1.17.29/macros/program/userhelper_macros.te	2004-10-08 14:14:26.000000000 -0400
@@ -142,6 +142,7 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+allow $1_userhelper_t pam_var_console_t:dir { search };
 
 ')dnl end ifdef single_userdomain
 ')dnl end userhelper macro
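Review bot: `allow $1_userhelper_t pam_var_console_t:dir { search };` is placed outside any ifdef(`pamconsole.te', ...) guard, yet pam_var_console_t is a type declared by pamconsole.te — the udev.te patch later in this thread wraps its own pam_var_console_t rules in exactly that guard. Without it, a build that omits pamconsole.te fails on an undeclared type. The userhelper macro this rule belongs to begins outside the hunk.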
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.29/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-10-09 21:06:15.724274511 -0400
+++ policy-1.17.29/macros/program/xserver_macros.te	2004-10-09 11:23:24.000000000 -0400
@@ -64,7 +64,7 @@
 
 allow xdm_xserver_t init_t:fd use;
 
-dontaudit xdm_xserver_t homedirfile:dir { read search };
+dontaudit xdm_xserver_t home_dir_type:dir { read search };
 ', `
 # The user role is authorized for this domain.
 role $1_r types $1_xserver_t;
@@ -110,7 +110,7 @@
 # sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
 # admin of APM bios?
 # sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod };
+allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 allow $1_xserver_t nfs_t:dir { getattr search };
 
 # memory_device_t access is needed if not using the frame buffer
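Review bot: `net_bind_service` is appended to the X server's capability set without a comment, whereas the preceding lines document each of the other capabilities (`# sys_nice is so that the X server can set a negative nice value`, and so on). Add a line in the same style saying which listener needs a port below 1024, e.g. `# net_bind_service: <listener — TODO confirm from the AVC>`; if the denial came from a speculative capability check rather than a real bind, a dontaudit would be the narrower fix.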
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.17.29/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te	2004-09-15 15:59:55.000000000 -0400
+++ policy-1.17.29/macros/program/ypbind_macros.te	2004-10-08 13:31:20.000000000 -0400
@@ -1,21 +1,13 @@
-define(`can_ypbind',`')
 
-ifdef(`targeted_policy', `
-pushdef(`ypbind.te')
+define(`uncond_can_ypbind', `
+dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_network($1)
+r_dir_file($1,var_yp_t)
+allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
 ')
 
-ifdef(`ypbind.te', `
-ifdef(`allow_ypbind', `
-undefine(`can_ypbind')
 define(`can_ypbind', `
-r_dir_file($1,var_yp_t)
-can_network($1)
-dontaudit $1 reserved_port_t:{ tcp_socket udp_socket } name_bind;
-allow $1 port_t:{ tcp_socket udp_socket } name_bind;
+if (allow_ypbind) {
+uncond_can_ypbind($1)
+}
 ') dnl can_ypbind
-') dnl allow_ypbind
-') dnl ypbind.te
-
-ifdef(`targeted_policy', `
-popdef(`ypbind.te')
-')
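Review bot: `allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;` in uncond_can_ypbind widens the old macro, which only dontaudited reserved_port_t and allowed name_bind on port_t; every domain that calls can_ypbind can now bind ports below 1024. If the NIS client library genuinely needs a reserved source port, say so in a comment above the rule; otherwise keep the original split (`allow $1 port_t:{ tcp_socket udp_socket } name_bind;` plus the dontaudit). Note also that the `dontaudit $1 reserved_port_type:...` line two lines above becomes redundant for reserved_port_t itself once the allow is in place, and only still matters for the other members of the attribute.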
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.29/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.29/tunables/distro.tun	2004-10-08 10:47:33.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.29/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-09-27 20:48:36.000000000 -0400
+++ policy-1.17.29/tunables/tunable.tun	2004-10-08 10:47:33.000000000 -0400
@@ -1,42 +1,39 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
-
-# Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`use_games')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
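Review bot: This hunk, together with the distro.tun hunk before it, turns on build-time defaults in the shared tunables files rather than in a distribution-local copy: `define(`distro_redhat')`, and here `unlimitedRPM`, `unlimitedUtils` and `unlimitedRC` — whose own comments describe them as running rpm, hotplug/insmod and any daemon started from an rc script unconfined — plus `user_canbe_sysadm`, `nscd_all_connect` and `hide_broken_symptoms`. Anyone building from this tree inherits a markedly less confining policy, and nothing in the hunk explains the change. If these are one distribution's defaults they belong in that distribution's package patch or behind ifdef(`distro_redhat', ...), leaving the upstream lines as `dnl define(...)`.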
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.17.29/types/network.te
--- nsapolicy/types/network.te	2004-08-23 14:54:51.000000000 -0400
+++ policy-1.17.29/types/network.te	2004-10-08 14:26:29.000000000 -0400
@@ -42,7 +42,7 @@
 ifdef(`dovecot.te', `define(`use_pop')')
 ifdef(`uwimapd.te', `define(`use_pop')')
 ifdef(`use_pop', `
-type pop_port_t, port_type;
+type pop_port_t, port_type, reserved_port_type;
 ')
 ifdef(`apache.te', `define(`use_http_cache')')
 ifdef(`squid.te', `define(`use_http_cache')')
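Review bot: Only pop_port_t receives the new reserved_port_type attribute in this hunk, `type pop_port_t, port_type, reserved_port_type;`. Any other port types for numbers below 1024 declared elsewhere in network.te (not visible here) need the same attribute, or the dontaudit rules written against reserved_port_type in this patch's macros will not suppress the binds they are meant to cover; a comment on the attribute's first use here, e.g. `# reserved_port_type must be added to every port type below 1024`, would make the rule explicit for future additions.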


* Re: More SELinux fixes.
  2004-10-10  1:26     ` Daniel J Walsh
@ 2004-10-10  7:36       ` Russell Coker
  2004-10-12 18:55         ` Daniel J Walsh
  2004-10-13 18:36       ` James Carter
  1 sibling, 1 reply; 13+ messages in thread
From: Russell Coker @ 2004-10-10  7:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

On Sun, 10 Oct 2004 11:26, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Temporarily added a rule to allow apache to talk to tmp_t:sock_file in
> targeted policy.  This allows
> it to work with postgresql.  Not sure of a good way to fix this.  One we

I don't think that there is any other option.  As long as apache has to talk 
to programs in unconfined_t via unix domain sockets such access is required.

> could add postgresql policy to targeted
> but I am afraid this is a slipperly slope,  Colin suggested that we add
> a new policy postgresql_unconfined.te for
> targeted that basically runs postgres unconfined but creates /tmp files
> with an appropriate security context.

Might as well go the whole hog and make Postgresql use its regular policy.
Postgresql isn't THAT difficult to do.

dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;

Why remove all the rules of that form?  Has something equivalent been added to 
a macro?

+can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t 
shell_exec_t etc_t hostname_exec_t })

The above really needs to become:
ifdef(`hostname.te', `
can_exec(postgresql_t, hostname_exec_t)
')

+allow procmail_t mqueue_spool_t:file { getattr read };

I believe that this is a bug in sendmail.  Put in the following instead:
ifdef(`hide_broken_symptoms', `
dontaudit procmail_t mqueue_spool_t:file { getattr read };
')

Also put it inside ifdef(`sendmail.te', only sendmail.te uses mqueue_spool_t, 
so we should move the type declaration into sendmail.te.

-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
+file_type_auto_trans(snmpd_t, usr_t, snmpd_var_lib_t, file)
+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, file)

What is the point of this change?

+allow udev_t dev_fs:{ chr_file blk_file } { relabelfrom relabelto };

The above is redundant, the below line covers it.

allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom 
relabelto create_file_perms };

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-10  7:36       ` Russell Coker
@ 2004-10-12 18:55         ` Daniel J Walsh
  2004-10-13 10:43           ` Russell Coker
  0 siblings, 1 reply; 13+ messages in thread
From: Daniel J Walsh @ 2004-10-12 18:55 UTC (permalink / raw)
  To: russell; +Cc: jwcart2, SELinux

Russell Coker wrote:

>On Sun, 10 Oct 2004 11:26, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  
>
>>Temporarily added a rule to allow apache to talk to tmp_t:sock_file in
>>targeted policy.  This allows
>>it to work with postgresql.  Not sure of a good way to fix this.  One we
>>    
>>
>
>I don't think that there is any other option.  As long as apache has to talk 
>to programs in unconfined_t via unix domain sockets such access is required.
>
>  
>
Ok.  It is in there.

>>could add postgresql policy to targeted
>>but I am afraid this is a slipperly slope,  Colin suggested that we add
>>a new policy postgresql_unconfined.te for
>>targeted that basically runs postgres unconfined but creates /tmp files
>>with an appropriate security context.
>>    
>>
>
>Might as well go the whole hog and make Postgresql use it's regular policy.  
>Postgresql isn't THAT difficult to do.
>
>dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
>
>Why remove all the rules of that form?  Has something equivalent been added to 
>a macro?
>
>  
>
This is now defined in can_ypbind, but I guess for mount_t it should 
remain.  Some of these
rules were proliferating because of yp.  If the app uses portmap, it 
will need this rule otherwise it
can rely on the rule in can_ypbind.

>+can_exec(postgresql_t, { postgresql_exec_t bin_t sbin_t ls_exec_t su_exec_t 
>shell_exec_t etc_t hostname_exec_t })
>
>The above really needs to become:
>ifdef(`hostname.te', `
>can_exec(postgresql_t, hostname_exec_t)
>')
>  
>
Done

>+allow procmail_t mqueue_spool_t:file { getattr read };
>
>I believe that this is a bug in sendmail.  Put in the following instead:
>ifdef(`hide_broken_symptoms', `
>dontaudit procmail_t mqueue_spool_t:file { getattr read };
>')
>  
>
Ok I changed it.

>Also put it inside ifdef(`sendmail.te', only sendmail.te uses mqueue_spool_t, 
>so we should move the type declaration into sendmail.te.
>
>-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
>+file_type_auto_trans(snmpd_t, usr_t, snmpd_var_lib_t, file)
>+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, file)
>
>What is the point of this change?
>  
>
I thought combining these caused problems.  I saw some avc messages with 
snmpd trying to write to var_t, which
I thought might have been caused by a macro expansion problem.  When I 
changed to the above, the problem
went away, could have been a red herring.

>+allow udev_t dev_fs:{ chr_file blk_file } { relabelfrom relabelto };
>
>The above is redundant, the below line covers it.
>
>allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom 
>relabelto create_file_perms };
>
>  
>
I think the problem came in because these files are not covered by the 
above command
type sysadm_tty_device_t, file_type, sysadmfile, ttyfile, dev_fs;
type user_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, 
dev_fs;
type staff_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, 
dev_fs;

If you stop and restart udev, you get lots of AVC's from these.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-12 18:55         ` Daniel J Walsh
@ 2004-10-13 10:43           ` Russell Coker
  2004-10-13 20:28             ` James Carter
  0 siblings, 1 reply; 13+ messages in thread
From: Russell Coker @ 2004-10-13 10:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 2378 bytes --]

On Wed, 13 Oct 2004 04:55, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
> >
> >Why remove all the rules of that form?  Has something equivalent been
> > added to a macro?
>
> This is now defined in can_ypbind, but I guess for mount_t it should
> remain.  Some of these
> rules were proliferating because of yp.  If the app uses portmap, it
> will need this rule otherwise it
> can rely in the rule in can_ypbind.

Yes, I think that mount does some port access in the case of NFS mounts.

> >Also put it inside ifdef(`sendmail.te', only sendmail.te uses
> > mqueue_spool_t, so we should move the type declaration into sendmail.te.
> >
> >-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
> >+file_type_auto_trans(snmpd_t, usr_t, snmpd_var_lib_t, file)
> >+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, file)
> >
> >What is the point of this change?
>
> I thought combining these caused problems.  I saw some avc messages with
> snmpd trying to write to var_t, which
> I thought might have been caused by a macro expansion problem.  When I
> changed to the above, the problem
> went away, could have been a red herring.

It's a red herring, please revert it.

> >+allow udev_t dev_fs:{ chr_file blk_file } { relabelfrom relabelto };
> >
> >The above is redundant, the below line covers it.
> >
> >allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom
> >relabelto create_file_perms };
>
> I think the problem came in because these files are not covered by the
> above command
> type sysadm_tty_device_t, file_type, sysadmfile, ttyfile, dev_fs;
> type user_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type,
> dev_fs;
> type staff_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type,
> dev_fs;
>
> If you stop and restart udev, you get lots of AVC's from these.

I've attached a patch to deal with this.  udev_t needs privowner if it's to 
work after being restarted.  Also it's not desirable for terminals with 
active sessions to be relabeled, so I've put in a dontaudit rule for that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: udev.diff --]
[-- Type: text/x-diff, Size: 2440 bytes --]

--- /usr/src/se/policy/domains/program/unused/udev.te	2004-10-11 03:50:38.000000000 +1000
+++ domains/program/unused/udev.te	2004-10-13 20:39:06.000000000 +1000
@@ -9,14 +9,14 @@
 #
 # udev_exec_t is the type of the udev executable.
 #
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd')
+daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner')
 
 general_domain_access(udev_t)
 
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-can_exec_any(udev_t)
+can_exec_any(udev_t)
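Review bot: Adding `privowner` to udev's daemon_domain attributes is a broad grant and the hunk does not say why; the covering message explains it is needed for udev to work after a restart, and that reasoning should live next to the line, e.g. `# privowner: udev must re-create device nodes whose owning user is not system_u after a restart — TODO confirm`. The `can_exec_any(udev_t)` line is changed only in whitespace and could be dropped from the patch.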
 
 #
 # Rules used for udev
@@ -37,6 +37,9 @@
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
 allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
 allow udev_t tmpfs_t:dir search;
+
+# for arping used for static IP addresses on PCMCIA ethernet
+domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
 ')
 allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
@@ -51,7 +54,8 @@
 r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
 
 allow udev_t policy_config_t:dir { search };
-allow udev_t proc_t:file { read };
+allow udev_t proc_t:file { getattr read };
+allow udev_t proc_kcore_t:file getattr;
 
 # Get security policy decisions.
 can_getsecurity(udev_t)
@@ -71,10 +75,9 @@
 ifdef(`hide_broken_symptoms', `
 dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
 ')
-allow udev_t devpts_t:dir { search };
+allow udev_t devpts_t:dir { getattr search };
 allow udev_t etc_runtime_t:file { getattr read };
 allow udev_t etc_t:file { ioctl };
-allow udev_t proc_t:file { getattr };
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
@@ -84,6 +87,9 @@
 ')
 allow udev_t var_log_t:dir { search };
 
+ifdef(`consoletype.te', `
+can_exec(udev_t, consoletype_exec_t)
+')
 ifdef(`pamconsole.te', `
 allow udev_t pam_var_console_t:dir search;
 allow udev_t pam_var_console_t:file { getattr read };
@@ -108,5 +114,6 @@
 allow udev_t sysctl_dev_t:dir { search };
 allow udev_t sysctl_dev_t:file { getattr read };
 allow udev_t sysctl_modprobe_t:file { getattr read };
-allow udev_t udev_t:rawip_socket create_socket_perms;
-dontaudit  udev_t domain:dir r_dir_perms;
+allow udev_t self:rawip_socket create_socket_perms;
+dontaudit udev_t domain:dir r_dir_perms;
+dontaudit udev_t ttyfile:chr_file unlink;
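Review bot: `dontaudit udev_t ttyfile:chr_file unlink;` silences the denial but carries no comment, and the covering message describes its purpose in terms of relabeling while the rule is about unlink, so the connection will not be obvious to a later reader. Add the rationale inline, e.g. `# udev tries to unlink (and re-create) ttys that have active sessions on restart; deny quietly rather than relabel them`. The `self:rawip_socket` change on the line above is a pure style rewrite of the old `udev_t udev_t` form.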


* Re: More SELinux fixes.
  2004-10-10  1:26     ` Daniel J Walsh
  2004-10-10  7:36       ` Russell Coker
@ 2004-10-13 18:36       ` James Carter
  1 sibling, 0 replies; 13+ messages in thread
From: James Carter @ 2004-10-13 18:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, SELinux

Merged with changes.

I added the space back before the udp in the inet_child_domain macros.

I did not remove the ifdef(`ypbind.te', ' ... ') from ypbind_macros.te,
since the allow_ypbind bool is declared in ypbind.te.

I think I got all of Russell's suggested changes made, except for the
udev patch.

On Sat, 2004-10-09 at 21:26, Daniel J Walsh wrote:
> Includes Collin's new cups patch.
> 
> I turned on every service in an everything install and came up with many 
> fixes for all the AVC messages.
> 
> Added arpwatch policy.
> 
> Changed allow_ypbind to a boolean, so policy can be turned on/off by 
> sysadmin.
> 
> Working with ipsec team to get program cleaned up so we can write better 
> policy.
> 
> Temporarily added a rule to allow apache to talk to tmp_t:sock_file in 
> targeted policy.  This allows
> it to work with postgresql.  Not sure of a good way to fix this.  One we 
> could add postgresql policy to targeted
> but I am afraid this is a slipperly slope,  Colin suggested that we add 
> a new policy postgresql_unconfined.te for
> targeted that basically runs postgres unconfined but creates /tmp files 
> with an appropriate security context. 
> What do you guys think?  Lastly we could tell any users who want to use 
> apache with postgres to turn off the
> transition of apache to context.
> 
> Dan

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: More SELinux fixes.
  2004-10-13 10:43           ` Russell Coker
@ 2004-10-13 20:28             ` James Carter
  0 siblings, 0 replies; 13+ messages in thread
From: James Carter @ 2004-10-13 20:28 UTC (permalink / raw)
  To: Russell Coker, Daniel J Walsh; +Cc: SELinux

Merged udev patch.

There were a few lines from Dan's patch that are not in Russell's
patch.  I am not sure if they are needed.  They are in CVS for now.
allow udev_t mnt_t:dir { search };
allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t
sysctl_hotplug_t }:file { getattr read };

On Wed, 2004-10-13 at 06:43, Russell Coker wrote:
> On Wed, 13 Oct 2004 04:55, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
> > >
> > >Why remove all the rules of that form?  Has something equivalent been
> > > added to a macro?
> >
> > This is now defined in can_ypbind, but I guess for mount_t it should
> > remain.  Some of these
> > rules were proliferating because of yp.  If the app uses portmap, it
> > will need this rule otherwise it
> > can rely in the rule in can_ypbind.
> 
> Yes, I think that mount does some port access in the case of NFS mounts.
> 
> > >Also put it inside ifdef(`sendmail.te', only sendmail.te uses
> > > mqueue_spool_t, so we should move the type declaration into sendmail.te.
> > >
> > >-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
> > >+file_type_auto_trans(snmpd_t, usr_t, snmpd_var_lib_t, file)
> > >+file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, file)
> > >
> > >What is the point of this change?
> >
> > I thought combining these caused problems.  I saw some avc messages with
> > snmpd trying to write to var_t, which
> > I thought might have been caused by a macro expansion problem.  When I
> > changed to the above, the problem
> > went away, could have been a red herring.
> 
> It's a red herring, please revert it.
> 
> > >+allow udev_t dev_fs:{ chr_file blk_file } { relabelfrom relabelto };
> > >
> > >The above is redundant, the below line covers it.
> > >
> > >allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom
> > >relabelto create_file_perms };
> >
> > I think the problem came in because these files are not covered by the
> > above command
> > type sysadm_tty_device_t, file_type, sysadmfile, ttyfile, dev_fs;
> > type user_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type,
> > dev_fs;
> > type staff_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type,
> > dev_fs;
> >
> > If you stop and restart udev, you get lots of AVC's from these.
> 
> I've attached a patch to deal with this.  udev_t needs privowner if it's to 
> work after being restarted.  Also it's not desirable for terminals with 
> active sessions to be relabeled, so I've put in a dontaudit rule for that.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

