* More patches for policy.
@ 2004-10-18 19:45 Daniel J Walsh
  2004-10-18 21:04 ` Thomas Bleher
  2004-10-19 16:44 ` James Carter
  0 siblings, 2 replies; 4+ messages in thread
From: Daniel J Walsh @ 2004-10-18 19:45 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 72 bytes --]

Some of these are repeats of the previously supplied patch; this one supersedes it.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 31428 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.32/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-10-07 08:02:01.000000000 -0400
+++ policy-1.17.32/domains/program/crond.te	2004-10-18 13:37:22.000000000 -0400
@@ -203,3 +203,11 @@
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
+allow system_crond_t removable_t:filesystem { getattr };
+#
+# Required for webalizer
+#
+ifdef(`apache.te', `
+allow system_crond_t httpd_log_t:file { getattr read };
+')
+dontaudit crond_t self:capability { sys_tty_config };
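Review bot: `allow system_crond_t httpd_log_t:file { getattr read };` gives every system cron job, not just webalizer, read access to the web server logs, which typically carry client addresses and request URLs. If the log directory itself is labelled httpd_log_t, webalizer will also need directory search, so the rule is likely incomplete as well as broad; `r_dir_file(system_crond_t, httpd_log_t)` would cover that, but a dedicated cron-job domain for webalizer would keep the read off the generic system_crond_t altogether. The comment should at least name the denial it resolves, e.g. `# webalizer (run from cron) reads the apache access/error logs`.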
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.32/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-10-14 23:25:17.000000000 -0400
+++ policy-1.17.32/domains/program/initrc.te	2004-10-18 13:37:22.000000000 -0400
@@ -52,7 +52,7 @@
 allow initrc_t usbfs_t:file getattr;
 
 # allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld setsched setpgid setrlimit };
+allow initrc_t self:process { fork sigchld setsched setpgid setrlimit getsched };
 
 # Can create ptys for open_init_pty
 can_create_pty(initrc)
@@ -143,6 +143,7 @@
 allow initrc_t var_log_t:dir rw_dir_perms;
 allow initrc_t var_log_t:file { setattr rw_file_perms };
 allow initrc_t lastlog_t:file { setattr rw_file_perms };
+allow initrc_t logfile:file { read append };
 
 # remove old locks
 allow initrc_t lockfile:dir rw_dir_perms;
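Review bot: `allow initrc_t logfile:file { read append };` grants read on every type carrying the logfile attribute (xferlog_t is declared with it in the ftpd.te hunk of this same patch, and the wtmp_t/lastlog_t rules sit directly above), which is far wider than the per-type setattr/rw rules around it. Read access to all logs from init scripts is hard to justify from this diff alone; if one script needs one log, name that type instead and record the trigger, e.g. `# <script> appends to <log> at boot`. With unlimitedRC defined (as tunable.tun does in this series) initrc_t is unconfined anyway, so this rule only takes effect on the confined build, which is exactly where precision matters.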
@@ -309,10 +310,11 @@
 #
 allow initrc_t device_t:dir rw_dir_perms;
 allow initrc_t device_t:lnk_file { unlink };
-allow initrc_t self:process { getsched };
 
 r_dir_file(initrc_t,selinux_config_t)
 
+allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+
 ifdef(`unlimitedRC', `
 unconfined_domain(initrc_t) 
 ')
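Review bot: `allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;` lets init scripts stat every labelled file, directory and socket on the system, presumably including types such as shadow_t that are otherwise kept away from initrc_t. getattr exposes only metadata, so the risk is modest, but an uncommented blanket rule makes later tightening impossible; at minimum record which script needs it (`# <script> stats ... during startup`) and consider `dontaudit` if the failed stat is harmless. Since unlimitedRC is being defined in tunable.tun in the same series, initrc_t is unconfined on that configuration and this rule only matters for the confined build.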
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.32/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.32/domains/program/login.te	2004-10-18 13:37:22.000000000 -0400
@@ -130,6 +130,7 @@
 can_ypbind($1_login_t)
 
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
+dontaudit $1_login_t init_t:fd { use };
 ')dnl end login_domain macro
 #################################
 #
@@ -206,5 +207,5 @@
 # Relabel ptys created by rlogind.
 allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
 ')
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto };
-
+allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
+allow remote_login_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.17.32/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-10-09 21:06:13.000000000 -0400
+++ policy-1.17.32/domains/program/ssh.te	2004-10-18 13:37:22.000000000 -0400
@@ -241,3 +241,5 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+dontaudit sshd_t local_login_t:fd { use };
+dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };
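Review bot: `dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };` silences any attempt by the network-facing sshd_t to read or write the administrator's terminal, which is exactly the kind of denial an operator would want to see if sshd were compromised. If the trigger is sshd being started by hand from a sysadm tty (direct_sysadm_daemon is enabled in tunable.tun), the inherited descriptor is the real cause and the rule should say so, e.g. `# sshd started from a sysadm terminal inherits its tty fd`. Both new lines also belong with the sshd_t rules rather than appended after the ssh_keygen_t block where the hunk places them.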
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.32/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.32/domains/program/syslogd.te	2004-10-18 13:37:22.000000000 -0400
@@ -94,4 +94,5 @@
 # /initrd is not umounted before minilog starts
 #
 dontaudit syslogd_t file_t:dir search;
-allow syslogd_t devpts_t:dir { search };
+allow syslogd_t { tmpfs_t devpts_t }:dir { search };
+dontaudit syslogd_t unlabeled_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.32/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.32/domains/program/unused/acct.te	2004-10-18 13:37:22.000000000 -0400
@@ -21,11 +21,6 @@
 # for SSP
 allow acct_t urandom_device_t:chr_file read;
 
-ifdef(`logrotate.te', `
-can_exec(acct_t, logrotate_exec_t)
-r_dir_file(logrotate_t, acct_data_t)
-')
-
 type acct_data_t, file_type, sysadmfile;
 
 allow acct_t self:capability sys_pacct;
@@ -67,5 +62,7 @@
 allow acct_t { etc_t etc_runtime_t }:file { read getattr };
 
 ifdef(`logrotate.te', `
-allow logrotate_t acct_data_t:file create_file_perms;
+domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+allow logrotate_t acct_data_t:file { create_file_perms };
 ')
+
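Review bot: The removed `r_dir_file(logrotate_t, acct_data_t)` was the only rule in view giving logrotate_t directory access on acct_data_t, and its replacement `allow logrotate_t acct_data_t:file { create_file_perms };` covers the file class only. If the accounting directory is itself labelled acct_data_t, logrotate cannot search it or add/remove the rotated names, so rotation fails unless logrotate_t has a broader directory rule elsewhere; `create_dir_file(logrotate_t, acct_data_t)` would cover both classes. The `domain_auto_trans(logrotate_t, acct_exec_t, acct_t)` transition is the right direction, since acct_t holds sys_pacct and logrotate should not. The trailing blank line added at the end of the file can be dropped.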
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.17.32/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-10-13 14:26:54.000000000 -0400
+++ policy-1.17.32/domains/program/unused/arpwatch.te	2004-10-18 13:37:22.000000000 -0400
@@ -20,3 +20,15 @@
 allow arpwatch_t arpwatch_t:unix_stream_socket create_stream_socket_perms;
 create_dir_file(arpwatch_t,arpwatch_data_t)
 allow arpwatch_t tmp_t:dir { search };
+tmp_domain(arpwatch)
+allow arpwatch_t net_conf_t:file { getattr read };
+allow arpwatch_t netif_lo_t:netif { udp_send };
+allow arpwatch_t sbin_t:dir { search };
+allow arpwatch_t sbin_t:lnk_file { read };
+can_network(arpwatch_t)
+can_ypbind(arpwatch_t)
+allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
+ifdef(`postfix.te', `
+allow postfix_local_t arpwatch_data_t:dir { search };
+')
+
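Review bot: `allow system_mail_t arpwatch_tmp_t:file rw_file_perms;` lets the mail domain modify arpwatch's temporary files; if sendmail only reads the report handed to it, `r_file_perms` is enough and avoids a writable file shared between the two domains. `can_network(arpwatch_t)` also opens TCP/UDP use to a daemon that mainly listens at the link layer; the `netif_lo_t udp_send` line suggests resolver traffic is the actual need, so a comment such as `# DNS lookups for hostnames in reports` would justify it. The blank line added at the end of the file is noise.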
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.32/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.17.32/domains/program/unused/bluetooth.te	2004-10-18 13:37:22.000000000 -0400
@@ -35,3 +35,5 @@
 # Read /etc/bluetooth
 allow bluetooth_t bluetooth_conf_t:dir search;
 allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+#/usr/sbin/hid2hci causes the following
+allow initrc_t usbfs_t:file { read };
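Review bot: `allow initrc_t usbfs_t:file { read };` is an initrc_t rule placed in bluetooth.te, while initrc.te already carries `allow initrc_t usbfs_t:file getattr;` in this same series. Keeping the two together in initrc.te (gated with `ifdef(`bluetooth.te', ...)` if it must stay conditional) avoids an initrc_t permission that appears or disappears depending on an unrelated module being built. The comment should describe the action rather than just the path, e.g. `# hid2hci (bluetooth init script) reads usbfs entries`.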
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.17.32/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.32/domains/program/unused/bootloader.te	2004-10-18 13:37:22.000000000 -0400
@@ -121,7 +121,7 @@
 allow bootloader_t proc_t:dir { getattr search };
 allow bootloader_t proc_t:file r_file_perms;
 allow bootloader_t proc_t:lnk_file { getattr read };
-allow bootloader_t proc_mdstat_t:file { getattr read };
+allow bootloader_t proc_mdstat_t:file r_file_perms;
 allow bootloader_t self:dir { getattr search read };
 allow bootloader_t sysctl_kernel_t:dir search;
 allow bootloader_t sysctl_kernel_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.17.32/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-09-01 11:17:48.000000000 -0400
+++ policy-1.17.32/domains/program/unused/canna.te	2004-10-18 13:37:22.000000000 -0400
@@ -15,7 +15,8 @@
 logdir_domain(canna)
 var_lib_domain(canna)
 
-allow canna_t self:capability { setgid setuid };
+allow canna_t self:capability { setgid setuid net_bind_service };
+allow canna_t tmp_t:dir { search };
 allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
 allow canna_t self:unix_dgram_socket create_stream_socket_perms;
 allow canna_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.32/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.32/domains/program/unused/cups.te	2004-10-18 13:37:22.000000000 -0400
@@ -20,7 +20,6 @@
 
 can_network(cupsd_t)
 can_ypbind(cupsd_t)
-dbusd_client(system, cupsd_t)
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
@@ -170,6 +169,8 @@
 # CUPS configuration daemon
 daemon_domain(cupsd_config)
 
+allow cupsd_config_t devpts_t:dir search;
+
 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
 allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
@@ -196,13 +197,18 @@
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
-dbusd_client(system, cupsd_config_t)
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+ifdef(`dbusd.te', `
+dbusd_client(system, cupsd_t)
+dbusd_client(system, cupsd_config_t)
 allow cupsd_config_t userdomain:dbus { send_msg };
 allow userdomain cupsd_config_t:dbus { send_msg };
 allow cupsd_config_t hald_t:dbus { send_msg };
 allow hald_t cupsd_config_t:dbus { send_msg };
-
+allow cupsd_t userdomain:dbus { send_msg };
+allow cupsd_t hald_t:dbus { send_msg };
+allow hald_t cupsd_t:dbus { send_msg };
+')
 
 can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
 allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
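Review bot: `allow cupsd_t userdomain:dbus { send_msg };` has no matching `allow userdomain cupsd_t:dbus { send_msg };`, unlike the cupsd_config_t pair a few lines above it. D-Bus method calls need send_msg in both directions (request one way, reply the other), so if user domains are meant to talk to cupsd_t this is half a rule; if cupsd_t only emits signals, a comment saying so would stop the next reader from "fixing" it. The hald_t/cupsd_t pair is symmetric, which makes the userdomain asymmetry look accidental.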
@@ -218,3 +224,5 @@
 domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
 
 ')
+# Alternatives asks for this
+allow cupsd_config_t initrc_exec_t:file { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.17.32/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.32/domains/program/unused/ftpd.te	2004-10-18 13:37:22.000000000 -0400
@@ -69,9 +69,8 @@
 
 # Append to /var/log/wtmp.
 allow ftpd_t wtmp_t:file { getattr append };
-
-# allow access to /home
-allow ftpd_t home_root_t:dir { getattr search };
+#kerberized ftp requires the following
+allow ftpd_t wtmp_t:file { write lock };
 
 # Create and modify /var/log/xferlog.
 type xferlog_t, file_type, sysadmfile, logfile;
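Review bot: `allow ftpd_t wtmp_t:file { write lock };` together with the existing `{ getattr append }` gives ftpd full write on the login accounting file, so a compromised ftpd could overwrite or truncate wtmp rather than only append to it. If kerberized ftpd only needs to lock the record before appending, `allow ftpd_t wtmp_t:file { lock };` is sufficient; grant `write` only if a denial remains, and name the call in the comment. rlogind_t already has rw_file_perms on wtmp_t in this tree, so the looser form has precedent, but it is worth not repeating.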
@@ -97,10 +96,22 @@
 
 # Allow ftp to read/write files in the user home directories.
 bool ftp_home_dir false;
-ifdef(`nfs_home_dirs', `
 if (ftp_home_dir) {
+ifdef(`nfs_home_dirs', `
 allow ftpd_t nfs_t:dir r_dir_perms;
 allow ftpd_t nfs_t:file r_file_perms;
-}
+# dont allow access to /home
+dontaudit ftpd_t home_root_t:dir { getattr search };
 ')dnl end if nfs_home_dirs
+} 
+else 
+{
+# allow access to /home
+allow ftpd_t home_root_t:dir { getattr search };
+}
 dontaudit ftpd_t selinux_config_t:dir { search };
+#
+# Type for access to anon ftp
+#
+type ftpd_anon_t, file_type, sysadmfile;
+r_dir_file(ftpd_t,ftpd_anon_t)
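Review bot: With ftp_home_dir enabled but nfs_home_dirs undefined, the `if (ftp_home_dir) { ... }` branch is empty and the `else` branch that grants `home_root_t:dir { getattr search }` no longer applies, so ftpd loses the ability to traverse /home precisely when home-directory access is switched on (unless a rule outside this hunk grants it). Supplying the local-homes case in the ifdef's else clause keeps the NFS behaviour and closes the gap. The `}` / `else` / `{` spread over three lines (with a trailing space after `}`) should be `} else {` like the rest of the policy. The new ftpd_anon_t type with only r_dir_file is correctly read-only for anonymous FTP.
```selinux
if (ftp_home_dir) {
ifdef(`nfs_home_dirs', `
allow ftpd_t nfs_t:dir r_dir_perms;
allow ftpd_t nfs_t:file r_file_perms;
# dont allow access to /home
dontaudit ftpd_t home_root_t:dir { getattr search };
', `
# local home directories: ftpd still has to traverse /home
allow ftpd_t home_root_t:dir { getattr search };
')dnl end if nfs_home_dirs
} else {
# allow access to /home
allow ftpd_t home_root_t:dir { getattr search };
}
```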
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.32/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.32/domains/program/unused/hald.te	2004-10-18 13:37:22.000000000 -0400
@@ -63,3 +63,4 @@
 dontaudit hald_t selinux_config_t:dir { search };
 allow hald_t initrc_t:dbus { send_msg };
 allow initrc_t hald_t:dbus { send_msg };
+allow hald_t etc_runtime_t:file rw_file_perms;
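Review bot: `allow hald_t etc_runtime_t:file rw_file_perms;` gives the hardware daemon read/write on every runtime-generated file under /etc carrying that type, not just the one it presumably touches. If the trigger is /etc/mtab being rewritten when hald mounts media, that file deserves its own type or the mount should go through a mount domain, rather than widening hald onto the whole etc_runtime_t set; at least name the file in a comment, `# hald rewrites /etc/mtab when mounting media -- confirm`.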
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.32/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.32/domains/program/unused/named.te	2004-10-18 13:37:22.000000000 -0400
@@ -151,3 +151,6 @@
 dontaudit ndc_t sysadm_home_t:dir { getattr search read };
 ')
 allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
+# Allow init script to cp localtime to named_conf_t
+allow initrc_t named_conf_t:file { write };
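Review bot: `allow initrc_t named_conf_t:file { write };` lets the init script write to every named_conf_t file, including named.conf itself, when the stated need is only to copy localtime into the chroot. A distinct type for the chroot's /etc copy (or a separate .fc entry for the chroot's localtime) would keep init scripts from being able to alter the name server's configuration; `write` without `create` also means the copy only works when the target already exists, which the comment should state. With unlimitedRC defined, initrc_t is unconfined and this rule is moot, so it only matters for the confined build.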
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.32/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.32/domains/program/unused/nscd.te	2004-10-18 13:37:22.000000000 -0400
@@ -58,7 +58,7 @@
 allow nscd_t self:process { getattr setsched };
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
+allow nscd_t self:capability { kill setgid setuid net_bind_service net_admin };
 
 # for when /etc/passwd has just been updated and has the wrong type
 allow nscd_t shadow_t:file getattr;
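Review bot: Adding `net_admin` to nscd_t's capabilities hands a network-facing cache daemon CAP_NET_ADMIN (interface, routing and firewall control), a large step up from net_bind_service. The following hunk adds a read-only netlink route socket, and merely listening for route changes should not require CAP_NET_ADMIN, so the denial is more likely a setsockopt or bind probe that can be silenced: try `dontaudit nscd_t self:capability net_admin;` first and only allow it if nscd actually stops working. Record the triggering call in a comment either way.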
@@ -73,5 +73,8 @@
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t tmp_t:dir { search getattr };
+allow nscd_t tmp_t:lnk_file { read };
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.32/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.32/domains/program/unused/ntpd.te	2004-10-18 13:37:22.000000000 -0400
@@ -50,7 +50,7 @@
 can_exec(ntpd_t, initrc_exec_t)
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
 allow ntpd_t { sbin_t bin_t }:dir search;
 allow ntpd_t bin_t:lnk_file read;
 allow ntpd_t sysctl_kernel_t:dir search;
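Review bot: Adding logrotate_exec_t to `can_exec(ntpd_t, ...)` runs logrotate inside ntpd_t with no domain transition, so it executes with ntpd's capabilities and would need ntpd's permissions on every log it rotates. The acct.te hunk in this same series shows the pattern to use instead: `ifdef(`logrotate.te', `domain_auto_trans(ntpd_t, logrotate_exec_t, logrotate_t)')`. If the exec comes from the ntpd init script (which already runs in ntpd_t via `can_exec(ntpd_t, initrc_exec_t)`), say so in a comment next to the rule.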
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.17.32/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.17.32/domains/program/unused/pamconsole.te	2004-10-18 13:37:22.000000000 -0400
@@ -40,3 +40,4 @@
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
+allow initrc_t pam_var_console_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.17.32/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.32/domains/program/unused/postfix.te	2004-10-18 13:37:22.000000000 -0400
@@ -124,7 +124,7 @@
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
 allow postfix_master_t postfix_prng_t:file getattr;
 allow postfix_master_t privfd:fd use;
-allow postfix_master_t etc_aliases_t:file r_file_perms;
+allow postfix_master_t etc_aliases_t:file rw_file_perms;
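Review bot: Raising `etc_aliases_t:file` from r_file_perms to rw_file_perms gives the long-running postfix master process write access to the alias map, so a compromised master could redirect mail (root's, for instance) by rewriting it. Alias rebuilding belongs to the newaliases/postalias tooling, and this file already has a separate postfix_map_t domain for map handling; if master only needs to lock or open the database without modifying it, grant `{ lock }` or the specific permission from the denial rather than the full rw set. A comment naming the file and call would help, e.g. `# master opens aliases.db read-write for locking -- confirm`.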
 
 ifdef(`saslauthd.te',`
 allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
@@ -347,3 +347,5 @@
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 dontaudit postfix_map_t var_t:dir search;
 can_network(postfix_map_t)
+allow postfix_local_t mail_spool_t:dir { remove_name };
+allow postfix_local_t mail_spool_t:file { unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.17.32/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.17.32/domains/program/unused/rlogind.te	2004-10-18 13:37:22.000000000 -0400
@@ -14,6 +14,7 @@
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
 can_network(rlogind_t)
+can_ypbind(rlogind_t)
 type rlogind_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t)
 ifdef(`tcpd.te', `
@@ -32,7 +33,7 @@
 allow rlogind_t inetd_t:tcp_socket rw_stream_socket_perms;
 
 # Use capabilities.
-allow rlogind_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override };
+allow rlogind_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override sys_tty_config };
 
 # so telnetd can start a child process for the login
 allow rlogind_t self:process { fork signal_perms };
@@ -74,3 +75,12 @@
 # Modify /var/log/wtmp.
 allow rlogind_t var_log_t:dir search;
 allow rlogind_t wtmp_t:file rw_file_perms;
+allow rlogind_t krb5_conf_t:file { getattr read };
+dontaudit rlogind_t krb5_conf_t:file write;
+allow rlogind_t urandom_device_t:chr_file { getattr read };
+dontaudit rlogind_t selinux_config_t:dir search;
+allow rlogind_t staff_home_dir_t:dir search;
+allow rlogind_t proc_t:file read;
+allow rlogind_t self:file { getattr read };
+allow rlogind_t self:fifo_file rw_file_perms;
+allow rlogind_t fs_t:filesystem { getattr };
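Review bot: `allow rlogind_t staff_home_dir_t:dir search;` covers only staff home directories, whereas the rshd.te hunk in the same series uses `{ home_root_t home_dir_type }`, so rlogin for ordinary users will hit the same denial this rule fixed for staff. Use the attribute here as well: `allow rlogind_t home_dir_type:dir search;`. The krb5_conf_t read plus `dontaudit ... write` pairing matches rshd and is fine, but a one-line comment that kerberized rlogind is the reason for the krb5/urandom lines would help the next reader.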
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.17.32/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.17.32/domains/program/unused/rshd.te	2004-10-18 13:37:22.000000000 -0400
@@ -26,3 +26,13 @@
 can_network(rshd_t)
 can_ypbind(rshd_t)
 
+allow rshd_t etc_t:file { getattr read };
+read_locale(rshd_t)
+allow rshd_t self:unix_dgram_socket create_socket_perms;
+allow rshd_t self:unix_stream_socket create_stream_socket_perms;
+allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
+allow rshd_t krb5_conf_t:file { getattr read };
+dontaudit rshd_t krb5_conf_t:file write;
+allow rshd_t tmp_t:dir { search };
+allow rshd_t rlogind_tmp_t:file rw_file_perms;
+allow rshd_t urandom_device_t:chr_file { getattr read };
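Review bot: `allow rshd_t rlogind_tmp_t:file rw_file_perms;` makes rshd read and write another daemon's temporary files instead of having its own, and rshd_t gets no create permission on that type. If kerberized rshd needs a scratch file (a credential cache, presumably), give it `tmp_domain(rshd)` as the arpwatch hunk does for arpwatch, so the two services cannot read each other's temporary state; if it genuinely shares a file created by rlogind, add a comment naming it. The home-directory rule correctly uses `home_dir_type`, which the rlogind hunk should mirror.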
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.17.32/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.17.32/domains/program/unused/rsync.te	2004-10-18 13:37:22.000000000 -0400
@@ -13,3 +13,6 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
+ifdef(`ftpd.te', `
+r_dir_file(rsync_t, ftpd_anon_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.17.32/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.17.32/domains/program/unused/slapd.te	2004-10-18 13:37:22.000000000 -0400
@@ -39,6 +39,7 @@
 
 # Allow access to the slapd databases
 create_dir_file(slapd_t, slapd_db_t)
+allow initrc_t slapd_db_t:dir r_dir_perms;
 allow slapd_t var_lib_t:dir r_dir_perms;
 
 # Allow access to write the replication log (should tighten this)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tftpd.te policy-1.17.32/domains/program/unused/tftpd.te
--- nsapolicy/domains/program/unused/tftpd.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.32/domains/program/unused/tftpd.te	2004-10-18 13:37:22.000000000 -0400
@@ -16,7 +16,7 @@
 type tftp_port_t, port_type, reserved_port_type;
 
 # tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
+type tftpdir_t, file_type, root_dir_type, sysadmfile;
 r_dir_file(tftpd_t, tftpdir_t)
 
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.32/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.32/domains/program/unused/udev.te	2004-10-18 13:37:22.000000000 -0400
@@ -54,7 +54,7 @@
 r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
 
 allow udev_t policy_config_t:dir { search };
-allow udev_t proc_t:file { getattr read };
+allow udev_t proc_t:file { getattr read ioctl };
 allow udev_t proc_kcore_t:file getattr;
 
 # Get security policy decisions.
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.17.32/file_contexts/program/ftpd.fc
--- nsapolicy/file_contexts/program/ftpd.fc	2004-03-17 13:26:06.000000000 -0500
+++ policy-1.17.32/file_contexts/program/ftpd.fc	2004-10-18 13:37:22.000000000 -0400
@@ -12,3 +12,4 @@
 /var/log/xferlog.*	--	system_u:object_r:xferlog_t
 /var/log/xferreport.*	--	system_u:object_r:xferlog_t
 /etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t
+/var/ftp(/.*)?			system_u:object_r:ftpd_anon_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hotplug.fc policy-1.17.32/file_contexts/program/hotplug.fc
--- nsapolicy/file_contexts/program/hotplug.fc	2004-07-26 16:16:11.000000000 -0400
+++ policy-1.17.32/file_contexts/program/hotplug.fc	2004-10-18 13:37:22.000000000 -0400
@@ -1,7 +1,9 @@
 # hotplug
 /etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t
 /sbin/hotplug		--	system_u:object_r:hotplug_exec_t
+/sbin/netplugd		--	system_u:object_r:hotplug_exec_t
 /etc/hotplug.d/default/default.* system_u:object_r:sbin_t
+/etc/netplug.d(/.*)? 	 	system_u:object_r:sbin_t
 /etc/hotplug/.*agent	--	system_u:object_r:sbin_t
 /etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t
 /etc/hotplug/hotplug.functions --	system_u:object_r:sbin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.17.32/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc	2004-06-16 13:33:37.000000000 -0400
+++ policy-1.17.32/file_contexts/program/innd.fc	2004-10-18 13:37:22.000000000 -0400
@@ -8,8 +8,41 @@
 /var/lib/news(/.*)?		system_u:object_r:innd_var_lib_t
 /var/run/news(/.*)?	 	system_u:object_r:innd_var_run_t
 /usr/sbin/in.nnrpd	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/.*	--	system_u:object_r:innd_exec_t
 /usr/bin/inews		--	system_u:object_r:innd_exec_t
 /usr/bin/rnews		--	system_u:object_r:innd_exec_t
-/usr/lib/news/bin/innd 	--	system_u:object_r:innd_exec_t
-
+/usr/lib(64)?/news/bin(/.*)?		system_u:object_r:bin_t
+/usr/lib(64)?/news/bin/innd 	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/actsync	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/buffchan	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/convdate	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/ctlinnd	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/cvtbatch	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/expire	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/expireover	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/fastrm	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/filechan	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/getlist	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/grephistory	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innconfval	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innd	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/inndstart	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innxbatch	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/innxmit	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/makedbz	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/makehistory	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/newsrequeue	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/nnrpd	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/nntpget	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/overchan	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/prunehistory	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/rnews	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/shlock	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/shrinkfile	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/sm	--	system_u:object_r:innd_exec_t
+/usr/lib(64)?/news/bin/startinnfeed	--	system_u:object_r:innd_exec_t
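Review bot: `/usr/lib(64)?/news/bin/innd` is listed twice, once directly after the bin_t catch-all and again in the alphabetical run, and the duplicate should go. Replacing the old `news/bin/.*` rule with a bin_t default plus an explicit list means any helper not named here runs in the caller's domain rather than innd_t; that is a reasonable tightening, but it should be stated above the list so the next binary added to the package is not silently left without a transition, e.g. `# helpers not listed below stay bin_t and do not transition to innd_t`.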
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kerberos.fc policy-1.17.32/file_contexts/program/kerberos.fc
--- nsapolicy/file_contexts/program/kerberos.fc	2004-08-30 16:13:29.000000000 -0400
+++ policy-1.17.32/file_contexts/program/kerberos.fc	2004-10-18 13:37:22.000000000 -0400
@@ -9,3 +9,4 @@
 /var/log/krb5kdc.log			system_u:object_r:krb5kdc_log_t
 /var/log/kadmind.log			system_u:object_r:kadmind_log_t
 /usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
+/usr/kerberos/sbin/login.krb5	--	system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.17.32/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2004-07-07 16:46:41.000000000 -0400
+++ policy-1.17.32/file_contexts/program/postgresql.fc	2004-10-18 13:37:22.000000000 -0400
@@ -4,7 +4,6 @@
 /usr/bin/pg_dump	--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_dumpall	--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_resetxlog	--	system_u:object_r:postgresql_exec_t
-/etc/rc.d/init.d/postgresql --	system_u:object_r:postgresql_exec_t
 
 # not sure whether the following binaries need labelling
 /usr/bin/createlang	--	system_u:object_r:postgresql_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/snmpd.fc policy-1.17.32/file_contexts/program/snmpd.fc
--- nsapolicy/file_contexts/program/snmpd.fc	2004-06-16 13:33:37.000000000 -0400
+++ policy-1.17.32/file_contexts/program/snmpd.fc	2004-10-18 13:37:22.000000000 -0400
@@ -5,4 +5,5 @@
 /usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
 /var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t
 /var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t
-/var/log/snmbd.log	--	system_u:object_r:snmpd_log_t
+/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t
+/var/log/snmpd.log	--	system_u:object_r:snmpd_log_t
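Review bot: `/var/net-snmp(/.*)` lacks the trailing `?`, so the directory /var/net-snmp itself never matches and keeps its parent's default type while only its contents become snmpd_var_lib_t; snmpd will then be unable to search or create files in it. Every other directory pattern in this patch uses the `(/.*)?` form; change it to `/var/net-snmp(/.*)?		system_u:object_r:snmpd_var_lib_t`. The snmbd-to-snmpd log-name fix is correct.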
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/squid.fc policy-1.17.32/file_contexts/program/squid.fc
--- nsapolicy/file_contexts/program/squid.fc	2004-06-16 13:33:37.000000000 -0400
+++ policy-1.17.32/file_contexts/program/squid.fc	2004-10-18 13:37:22.000000000 -0400
@@ -3,6 +3,6 @@
 /var/cache/squid(/.*)?		system_u:object_r:squid_cache_t
 /var/spool/squid(/.*)?		system_u:object_r:squid_cache_t
 /var/log/squid(/.*)?		system_u:object_r:squid_log_t
-/etc/squid\.conf	--	system_u:object_r:squid_conf_t
+/etc/squid(/.*)?		system_u:object_r:squid_conf_t
 /var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
 /usr/share/squid(/.*)?		system_u:object_r:squid_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.32/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.17.32/macros/base_user_macros.te	2004-10-18 13:37:22.000000000 -0400
@@ -281,6 +281,7 @@
 
 # Get attributes of file systems.
 allow $1_t fs_type:filesystem getattr;
+allow $1_t removable_t:filesystem getattr;
 
 # Read and write /dev/tty and /dev/null.
 allow $1_t devtty_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.17.32/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-05-21 16:12:23.000000000 -0400
+++ policy-1.17.32/macros/program/mount_macros.te	2004-10-18 15:38:13.742555070 -0400
@@ -56,6 +56,8 @@
 allow $2_t home_root_t:dir { search };
 allow $2_t $1_home_dir_t:dir { search };
 allow $2_t noexattrfile:filesystem { mount unmount };
+allow $2_t fs_t:filesystem { getattr };
+allow $2_t removable_t:filesystem { mount unmount };
 allow $2_t mnt_t:dir { mounton search };
 allow $2_t sbin_t:dir { search };
 
@@ -63,7 +65,13 @@
 allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };
 allow $2_t $1_devpts_t:chr_file { getattr read write };
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-')
+
+ifdef(`distro_redhat',`
+r_dir_file($2_t,pam_var_console_t)
+# mount config by default sets fscontext=removable_t
+allow $2_t dosfs_t:filesystem { relabelfrom };
+') dnl end distro_redhat
+') dnl end mount_domain
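Review bot: `allow $2_t dosfs_t:filesystem { relabelfrom };` is only half of what a mount with `fscontext=removable_t` needs: the relabel check also requires `relabelto` on the target filesystem type, and no `removable_t:filesystem relabelto` is granted in this hunk or the one above it, so the mount is still denied unless that rule exists elsewhere. Add `allow $2_t removable_t:filesystem { relabelto };` beside it. The same mount configuration would presumably apply to other removable filesystem types (iso9660 and the like), so either list them alongside dosfs_t or say in the comment why only VFAT is covered. The `mount_domain` macro this hunk closes begins outside the visible range.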
 
 # mount_loopback_privs(domain_prefix,dst_domain_prefix)
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.32/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-10-07 08:02:02.000000000 -0400
+++ policy-1.17.32/macros/program/mozilla_macros.te	2004-10-18 13:37:22.000000000 -0400
@@ -112,6 +112,10 @@
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file { unlink };
 dontaudit $1_mozilla_t tmpfile:file getattr;
+#
+# Eliminate errors from scanning with the 
+#
+dontaudit $1_mozilla_t file_type:dir getattr;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
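Review bot: The comment above `dontaudit $1_mozilla_t file_type:dir getattr;` is cut off mid-sentence (`Eliminate errors from scanning with the`), leaving the rule unexplained. The user_macros.te hunk in the same series attributes the identical denials to gam_server walking directories while browsing, so reuse that here: `# gam_server walks directory trees while browsing from mozilla; silence the dir getattr denials`. Because a dontaudit over all of file_type also hides genuine probing of directories the browser should not see, consider gating it under `ifdef(`hide_broken_symptoms', ...)`, the tunable this tree provides for exactly that purpose.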
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.32/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-10-14 23:25:20.000000000 -0400
+++ policy-1.17.32/macros/user_macros.te	2004-10-18 13:37:22.000000000 -0400
@@ -205,6 +205,8 @@
 
 dontaudit $1_t sysadm_home_t:dir { read search getattr };
 dontaudit $1_t sysadm_home_t:file { read getattr append };
+# gam_server fires off these when exploring with mozilla/nautilous
+dontaudit $1_t file_type:dir getattr;
 
 ifdef(`syslogd.te', `
 # Some programs that are left in $1_t will try to connect
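Review bot: `dontaudit $1_t file_type:dir getattr;` hides directory stat denials for every user domain on every labelled directory, including admin and security-sensitive trees, so attempts to enumerate what a user cannot see no longer reach the audit log. This is what `hide_broken_symptoms` exists for; wrap the rule in `ifdef(`hide_broken_symptoms', ...)` rather than making it unconditional. Also fix the typo in the comment: `nautilous` should be `nautilus`.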
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.32/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.17.32/tunables/distro.tun	2004-10-18 13:37:22.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
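Review bot: Defining `distro_redhat` in the reference tree's distro.tun turns every `ifdef(`distro_redhat', ...)` block (for example the dosfs_t relabel rule added to mount_macros.te in this series) on for all consumers of nsapolicy, not just Red Hat builds. A distribution define belongs in that distribution's packaging overlay or build configuration; the upstream entry should stay `dnl define(`distro_redhat')` like the distro_suse line below it.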
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.32/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-14 23:25:21.000000000 -0400
+++ policy-1.17.32/tunables/tunable.tun	2004-10-18 13:37:22.000000000 -0400
@@ -1,39 +1,39 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 
 # Allow users to control network interfaces (also needs USERCTL=true)
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
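Review bot: Every tunable flipped here loosens confinement, several of them substantially: `unlimitedRC` makes initrc_t an unconfined domain (see the initrc.te hunk) and leaves any daemon without an explicit transition unconfined, `unlimitedRPM` and `unlimitedUtils` do the same for rpm and for hotplug/insmod, `user_canbe_sysadm` lets user_r reach sysadm_r through su/sudo, and `hide_broken_symptoms` suppresses audit messages. Turning all of these on in the shared reference tree changes the default security posture for anyone building from nsapolicy; they should be enabled in the distribution's build overrides, leaving the upstream defaults as `dnl define(...)`. If the intent is a targeted-style configuration, say so in a comment at the top of the file so the trade-off is explicit.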
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.32/types/file.te
--- nsapolicy/types/file.te	2004-10-14 23:25:21.000000000 -0400
+++ policy-1.17.32/types/file.te	2004-10-18 13:37:22.000000000 -0400
@@ -301,3 +301,4 @@
 
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
+allow removable_t self:filesystem associate;

