* gentoo policy for dante
@ 2004-11-15 17:37 petre rodan
       [not found] ` <20041116082954.GC2546@jmh.mhn.de>
  2004-11-18 20:07 ` James Carter
  0 siblings, 2 replies; 12+ messages in thread
From: petre rodan @ 2004-11-15 17:37 UTC (permalink / raw)
  To: selinux



Hi,

this must be gentoo-day :)

policy for dante [1], attached

[1] http://www.inet.no/dante/

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: dante.fc --]
[-- Type: text/plain, Size: 164 bytes --]

# dante
/usr/sbin/sockd		--	system_u:object_r:dante_exec_t
/etc/socks(/.*)?		system_u:object_r:dante_conf_t
/var/run/sockd.pid	--	system_u:object_r:dante_var_run_t

[-- Attachment #1.3: dante.te --]
[-- Type: text/plain, Size: 615 bytes --]

#DESC dante - socks daemon
#
# Author: petre rodan <kaiowas@gentoo.org>
#

# configuration under /etc/socks, and the port type the daemon binds to
type dante_conf_t, file_type, sysadmfile;
type socks_port_t, port_type;

# daemon_domain() declares dante_t, dante_exec_t and dante_var_run_t and the
# transition from the init scripts; can_network() gives it socket access
daemon_domain(dante)
can_network(dante_t)

allow dante_t self:fifo_file { read write };
# setuid: the daemon switches to an unprivileged uid after startup
allow dante_t self:capability { setuid };
allow dante_t self:unix_dgram_socket { connect create write };
allow dante_t self:unix_stream_socket { connect create read setopt write };

# listen on the socks port
allow dante_t socks_port_t:tcp_socket name_bind;

# read its configuration
allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
r_dir_file(dante_t, dante_conf_t)

# pid file created under the init scripts' /var/run type
allow dante_t initrc_var_run_t:file { getattr write };



* Re: gentoo policy for dante
       [not found] ` <20041116082954.GC2546@jmh.mhn.de>
@ 2004-11-16  9:13   ` petre rodan
  0 siblings, 0 replies; 12+ messages in thread
From: petre rodan @ 2004-11-16  9:13 UTC (permalink / raw)
  To: Thomas Bleher, selinux



Hi Thomas,

Thomas Bleher wrote:
> * petre rodan <kaiowas@gentoo.org> [2004-11-15 19:35]:
> 
>>policy for dante [1], attached
>>
>>
>>type socks_port_t, port_type;
> 
> 
> The net_contexts part is missing.
> 
> Apart from the issues mentioned in my mails, all policies look very
> fine.
> 
> Thomas

the port the daemon binds to is configurable, but according to RFC 1700, socks should go to 1080.

so we have in the net_contexts:
ifdef(`dante.te', `portcon tcp 1080 system_u:object_r:socks_port_t')

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
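An added check for the net_contexts point raised above (example code written for this thread, not from the policy tree or its authors): it cross-references the port types a .te file declares with the portcon lines that label ports, and verifies that the ifdef guard on the portcon names the same .te file. The dante.te excerpt and net_contexts lines embedded below are constructed from what was posted in this thread.

```python
"""Cross-check port_type declarations in an SELinux example-policy .te file
against the portcon lines in net_contexts (policy 1.x, m4-based syntax)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Inputs constructed for this example from the dante.te and net_contexts
# line posted in the thread (trimmed to the rules the check looks at).
DANTE_TE = """\
type dante_conf_t, file_type, sysadmfile;
type socks_port_t, port_type;

daemon_domain(dante)
can_network(dante_t)

allow dante_t socks_port_t:tcp_socket name_bind;
allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
r_dir_file(dante_t, dante_conf_t)
"""
NET_CONTEXTS_OK = "ifdef(`dante.te', `portcon tcp 1080 system_u:object_r:socks_port_t')\n"
# A net_contexts with no entry for socks_port_t at all (constructed).
NET_CONTEXTS_MISSING = "ifdef(`other.te', `portcon udp 6000 system_u:object_r:other_port_t')\n"

TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)\s*,([^;]*);", re.M)
NAME_BIND_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(tcp|udp)_socket\s+(\{[^}]*\}|\w+)\s*;", re.M)
PORTCON_RE = re.compile(r"portcon\s+(tcp|udp)\s+(\d+(?:-\d+)?)\s+\w+:object_r:(\w+)")
# ifdef(`foo.te', `...') on one line: the body only takes effect when foo.te is built.
IFDEF_RE = re.compile(r"ifdef\(`([^']*)'\s*,\s*`(.*)'\)\s*$")


@dataclass
class Portcon:
    proto: str
    port: str
    guard: Optional[str]  # name of the .te file the ifdef ties this entry to


def declared_port_types(te_text: str) -> Set[str]:
    """Types declared with the port_type attribute."""
    found = set()
    for name, attrs in TYPE_DECL_RE.findall(te_text):
        if "port_type" in [a.strip() for a in attrs.split(",")]:
            found.add(name)
    return found


def name_bind_rules(te_text: str) -> List[Tuple[str, str, str]]:
    """(domain, port type, protocol) for each allow rule granting name_bind."""
    rules = []
    for domain, obj, proto, perms in NAME_BIND_RE.findall(te_text):
        if "name_bind" in perms.strip("{} ").split():
            rules.append((domain, obj, proto))
    return rules


def parse_net_contexts(text: str) -> Dict[str, List[Portcon]]:
    """Map each port type to the portcon entries that label ports with it."""
    table: Dict[str, List[Portcon]] = {}
    for line in text.splitlines():
        guard, body = None, line
        m = IFDEF_RE.match(line.strip())
        if m:
            guard, body = m.group(1), m.group(2)
        for proto, port, ptype in PORTCON_RE.findall(body):
            table.setdefault(ptype, []).append(Portcon(proto, port, guard))
    return table


def lint(te_name: str, te_text: str, net_contexts: str) -> List[str]:
    """Findings for te_name; an empty list means the two files agree."""
    findings = []
    portcons = parse_net_contexts(net_contexts)
    for ptype in sorted(declared_port_types(te_text)):
        if ptype not in portcons:
            findings.append(f"{ptype}: declared with port_type in {te_name} "
                            "but no portcon labels any port with it")
            continue
        for pc in portcons[ptype]:
            if pc.guard is not None and pc.guard != te_name:
                findings.append(f"{ptype}: portcon {pc.proto} {pc.port} is guarded by "
                                f"ifdef(`{pc.guard}') but the type lives in {te_name}")
    # A name_bind rule on a protocol no portcon labels grants nothing usable.
    for domain, ptype, proto in name_bind_rules(te_text):
        labelled = {pc.proto for pc in portcons.get(ptype, [])}
        if labelled and proto not in labelled:
            findings.append(f"{domain} may name_bind {ptype} over {proto}, but "
                            f"net_contexts labels only {'/'.join(sorted(labelled))} ports with it")
    return findings


if __name__ == "__main__":
    for label, nc in (("ok", NET_CONTEXTS_OK), ("missing", NET_CONTEXTS_MISSING)):
        print(label, lint("dante.te", DANTE_TE, nc) or ["no findings"])
```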



* Re: gentoo policy for dante
  2004-11-15 17:37 gentoo policy for dante petre rodan
       [not found] ` <20041116082954.GC2546@jmh.mhn.de>
@ 2004-11-18 20:07 ` James Carter
  2004-11-18 21:57   ` petre rodan
  1 sibling, 1 reply; 12+ messages in thread
From: James Carter @ 2004-11-18 20:07 UTC (permalink / raw)
  To: petre rodan; +Cc: SELinux

allow dante_t initrc_var_run_t:file { getattr write };

Why does dante need this?

On Mon, 2004-11-15 at 12:37, petre rodan wrote:
> Hi,
> 
> this must be gentoo-day :)
> 
> policy for dante [1], attached
> 
> [1] http://www.inet.no/dante/
> 
> bye,
> peter
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: gentoo policy for dante
  2004-11-18 20:07 ` James Carter
@ 2004-11-18 21:57   ` petre rodan
  2004-11-19 19:51     ` James Carter
  0 siblings, 1 reply; 12+ messages in thread
From: petre rodan @ 2004-11-18 21:57 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux



Hi James,

James Carter wrote:
> allow dante_t initrc_var_run_t:file { getattr write };
> 
> Why does dante need this?

The current gentoo init scripts create the pid file for the daemon. This will be fixed soon.
Please drop that particular rule from the policy.

thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux



* Re: gentoo policy for dante
  2004-11-18 21:57   ` petre rodan
@ 2004-11-19 19:51     ` James Carter
  2004-11-21  5:13       ` Daniel J Walsh
  2004-11-21  5:18       ` Daniel J Walsh
  0 siblings, 2 replies; 12+ messages in thread
From: James Carter @ 2004-11-19 19:51 UTC (permalink / raw)
  To: petre rodan; +Cc: SELinux

Merged the dante.te and dante.fc files after removing the
initrc_var_run_t rule.


On Thu, 2004-11-18 at 16:57, petre rodan wrote:
> Hi James,
> 
> James Carter wrote:
> > allow dante_t initrc_var_run_t:file { getattr write };
> > 
> > Why does dante need this?
> 
> The current gentoo init scripts create the pid file for the daemon. This will be fixed soon.
> Please drop that particular rule from the policy.
> 
> thanks,
> peter
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: gentoo policy for dante
  2004-11-19 19:51     ` James Carter
@ 2004-11-21  5:13       ` Daniel J Walsh
  2004-11-21  5:18       ` Daniel J Walsh
  1 sibling, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2004-11-21  5:13 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux


More policy changes.

[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 13649 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.4/domains/program/unused/apache.te	2004-11-20 23:55:38.629090793 -0500
@@ -264,7 +264,7 @@
 r_dir_file(httpd_suexec_t, nfs_t)
 can_exec(httpd_suexec_t, nfs_t)
 }
-
+r_dir_file(httpd_t, fonts_t)
 
 #
 # Allow users to mount additional directories as http_source
@@ -289,10 +289,6 @@
 allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
 allow httpd_t user_home_dir_t:dir { getattr search };
 }
-# 
-# Allow httpd to work with postgresql
-#
-allow httpd_t tmp_t:sock_file rw_file_perms;
 ') dnl targeted policy
 
 ifdef(`distro_redhat', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.19.4/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.4/domains/program/unused/hald.te	2004-11-20 23:55:38.633090342 -0500
@@ -21,6 +21,7 @@
 ifdef(`dbusd.te', `
 allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
 dbusd_client(system, hald)
+allow hald_t self:dbus send_msg;
 ')
 
 allow hald_t { self proc_t }:file { getattr read };
@@ -69,3 +70,4 @@
 allow hald_t device_t:dir create_dir_perms;
 allow hald_t device_t:chr_file create_file_perms;
 tmp_domain(hald)
+allow hald_t mnt_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.4/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.4/domains/program/unused/kerberos.te	2004-11-20 23:55:38.633090342 -0500
@@ -50,26 +50,31 @@
 # Bind to the kerberos, kerberos-adm ports.
 allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
 allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
-allow kadmind_t kerberos_admin_port_t:tcp_socket name_bind;
+allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
+allow kadmind_t reserved_port_t:tcp_socket name_bind;
 
 #
 # Rules for Kerberos5 KDC daemon
 allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
 allow krb5kdc_t self:unix_stream_socket create_socket_perms;
+allow kadmind_t  self:unix_stream_socket create_socket_perms;
 allow krb5kdc_t krb5kdc_conf_t:dir search;
 allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
 allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
 dontaudit krb5kdc_t krb5kdc_principal_t:file write;
 allow krb5kdc_t locale_t:file { getattr read };
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t etc_t:dir { getattr search };
-allow krb5kdc_t etc_t:file { getattr read };
-allow krb5kdc_t krb5_conf_t:file r_file_perms;
-dontaudit krb5kdc_t krb5_conf_t:file write;
+allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
+allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
+allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
+dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
 tmp_domain(krb5kdc)
 log_domain(krb5kdc)
-allow krb5kdc_t urandom_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_socket { create bind getattr read write };
+allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
+allow kadmind_t random_device_t:chr_file { getattr read };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t proc_t:dir r_dir_perms;
 allow krb5kdc_t proc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.4/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/domains/program/unused/postgresql.te	2004-11-20 23:55:38.634090229 -0500
@@ -110,6 +110,14 @@
 dontaudit postgresql_t selinux_config_t:dir { search };
 allow postgresql_t mail_spool_t:dir { search };
 rw_dir_create_file(postgresql_t, var_lock_t)
+can_exec(postgresql_t, { shell_exec_t bin_t } )
+ifdef(`httpd.te', `
+# 
+# Allow httpd to work with postgresql
+#
+allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
+can_unix_connect(httpd_t, posgresql_t)
+')
 
 ifdef(`distro_gentoo', `
 # "su - postgres ..." is called from initrc_t
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.19.4/domains/program/unused/stunnel.te
--- nsapolicy/domains/program/unused/stunnel.te	2004-11-18 14:44:59.000000000 -0500
+++ policy-1.19.4/domains/program/unused/stunnel.te	2004-11-20 23:55:38.635090116 -0500
@@ -2,21 +2,10 @@
 #
 # Author:   petre rodan <kaiowas@gentoo.org>
 #
+inetd_child_domain(stunnel, tcp)
 
-type stunnel_port_t, port_type;
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-
-type stunnel_etc_t, file_type, sysadmfile;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
+allow stunnel_t self:capability sys_chroot;
 allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
 
+type stunnel_etc_t, file_type, sysadmfile;
 r_dir_file(stunnel_t, stunnel_etc_t)
-r_dir_file(stunnel_t, etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.4/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/file_contexts/program/cups.fc	2004-11-20 23:55:38.635090116 -0500
@@ -1,7 +1,7 @@
 # cups printing
 /etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
 /usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf/(/.*)? system_u:object_r:cupsd_rw_etc_t
+/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
 /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
 /etc/cups/client\.conf	--	system_u:object_r:etc_t
 /etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.19.4/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.4/file_contexts/program/dovecot.fc	2004-11-20 23:55:38.636090003 -0500
@@ -9,4 +9,4 @@
 /usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
-/usr/lib/dovecot/.+	--		system_u:object_r:bin_t
+/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dpkg.fc policy-1.19.4/file_contexts/program/dpkg.fc
--- nsapolicy/file_contexts/program/dpkg.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.4/file_contexts/program/dpkg.fc	2004-11-20 23:55:38.636090003 -0500
@@ -47,5 +47,5 @@
 /usr/share/shorewall/.*	--	system_u:object_r:bin_t
 /usr/share/reportbug/.*	--	system_u:object_r:bin_t
 /etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
-/usr/lib/gconf2/gconfd-2 --	system_u:object_r:bin_t
+/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
 /bin/mountpoint		--	system_u:object_r:fsadm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hotplug.fc policy-1.19.4/file_contexts/program/hotplug.fc
--- nsapolicy/file_contexts/program/hotplug.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.4/file_contexts/program/hotplug.fc	2004-11-20 23:55:38.637089890 -0500
@@ -1,10 +1,10 @@
 # hotplug
 /etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t
 /sbin/hotplug		--	system_u:object_r:hotplug_exec_t
-/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t
 /sbin/netplugd		--	system_u:object_r:hotplug_exec_t
-/etc/hotplug.d/default/default.* system_u:object_r:sbin_t
-/etc/netplug.d(/.*)? 	 	system_u:object_r:sbin_t
+/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t
+/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t
+/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t
 /etc/hotplug/.*agent	--	system_u:object_r:sbin_t
 /etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t
 /etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nrpe.fc policy-1.19.4/file_contexts/program/nrpe.fc
--- nsapolicy/file_contexts/program/nrpe.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.4/file_contexts/program/nrpe.fc	2004-11-20 23:55:38.637089890 -0500
@@ -1,5 +1,5 @@
 # nrpe
 /usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
 /etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
-/usr/lib/netsaint/plugins(/.*)?	--	system_u:object_r:bin_t
-/usr/lib/nagios/plugins(/.*)?	--	system_u:object_r:bin_t
+/usr/lib(64)?/netsaint/plugins(/.*)?	--	system_u:object_r:bin_t
+/usr/lib(64)?/nagios/plugins(/.*)?	--	system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.19.4/file_contexts/program/xdm.fc
--- nsapolicy/file_contexts/program/xdm.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.4/file_contexts/program/xdm.fc	2004-11-20 23:55:38.638089778 -0500
@@ -21,7 +21,6 @@
 ifdef(`distro_suse', `
 /var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t
 ')
-/usr/lib/qt-3.3/etc/settings/qtrc(/.*)? system_u:object_r:xdm_var_lib_t
 
 #
 # Additional Xsession scripts
@@ -37,4 +36,4 @@
 /etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
 /etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
 /etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
-/usr/lib(64)?/qt-3.2/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.4/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/file_contexts/types.fc	2004-11-20 23:55:38.639089665 -0500
@@ -458,3 +458,11 @@
 #  we defined a type to dontaudit
 #
 /etc/krb5\.conf		--	system_u:object_r:krb5_conf_t
+
+#
+# Thunderbird
+#
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.4/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/macros/base_user_macros.te	2004-11-20 23:55:38.640089552 -0500
@@ -82,7 +82,7 @@
 allow $1_t usbtty_device_t:chr_file read;
 
 # GNOME checks for usb and other devices
-r_dir_file($1_t,usbfs_t)
+rw_dir_file($1_t,usbfs_t)
 
 can_exec($1_t, noexattrfile)
 # Bind to a Unix domain socket in /tmp.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.4/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/macros/core_macros.te	2004-11-20 23:55:38.640089552 -0500
@@ -152,12 +152,12 @@
 #
 # Permissions for creating and using sockets.
 # 
-define(`connected_socket_perms', `{ create_socket_perms -connect }')
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`connected_stream_socket_perms', `{ create_stream_socket_perms -connect }')
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
 
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.19.4/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.4/macros/program/mount_macros.te	2004-11-20 23:55:38.641089439 -0500
@@ -21,7 +21,7 @@
 # macro if $2_def is defined
 define(`$2_def', `')
 #
-type $2_t, domain, privlog $3;
+type $2_t, domain, privlog $3, nscd_client_domain;
 
 allow $2_t sysfs_t:dir search;
 
@@ -65,6 +65,8 @@
 allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };
 allow $2_t $1_devpts_t:chr_file { getattr read write };
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
+allow $2_t var_t:dir search;
+allow $2_t var_run_t:dir search;
 
 ifdef(`distro_redhat',`
 ifdef(`pamconsole.te',`
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.4/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/macros/program/mozilla_macros.te	2004-11-21 00:00:58.136040632 -0500
@@ -22,6 +22,7 @@
 
 # Unrestricted inheritance from the caller.
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
+allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
 allow $1_mozilla_t self:process { setrlimit setsched };
@@ -116,6 +117,11 @@
 dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
 
+ifdef(`userhelper.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
+dontaudit $1_mozilla_t selinux_config_t:dir search;
+
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
 allow $1_mozilla_t xdm_tmp_t:dir search;
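Review bot: `domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)` under ifdef(`userhelper.te') lets the browser domain enter the userhelper domain whenever it executes a consolehelper-wrapped tool, which is a transition into a privilege-gaining helper and deserves a comment naming the use case that needs it; it also requires $1_userhelper_t to exist for every $1 this macro is instantiated with, or the build fails. The `dontaudit $1_mozilla_t selinux_config_t:dir search;` line is fine on its own.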


* Re: gentoo policy for dante
  2004-11-19 19:51     ` James Carter
  2004-11-21  5:13       ` Daniel J Walsh
@ 2004-11-21  5:18       ` Daniel J Walsh
  2004-11-21  9:14         ` petre rodan
                           ` (2 more replies)
  1 sibling, 3 replies; 12+ messages in thread
From: Daniel J Walsh @ 2004-11-21  5:18 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux


Small change on previous patch.

Please ignore previous patch and use this one.

[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 14067 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.4/domains/program/unused/apache.te	2004-11-21 00:17:07.931618015 -0500
@@ -264,7 +264,7 @@
 r_dir_file(httpd_suexec_t, nfs_t)
 can_exec(httpd_suexec_t, nfs_t)
 }
-
+r_dir_file(httpd_t, fonts_t)
 
 #
 # Allow users to mount additional directories as http_source
@@ -289,10 +289,6 @@
 allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
 allow httpd_t user_home_dir_t:dir { getattr search };
 }
-# 
-# Allow httpd to work with postgresql
-#
-allow httpd_t tmp_t:sock_file rw_file_perms;
 ') dnl targeted policy
 
 ifdef(`distro_redhat', `
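Review bot: the removed `allow httpd_t tmp_t:sock_file rw_file_perms;` sat inside the targeted-policy block (it immediately precedes `') dnl targeted policy`), while its replacement in postgresql.te is guarded only by ifdef(`httpd.te'), so the strict policy now gains an httpd-to-postgresql socket rule it did not have before; if that is intended, the postgresql.te comment should say so. The replacement itself is narrower (postgresql_tmp_t instead of every socket under tmp_t), which is the right direction.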
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.19.4/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.4/domains/program/unused/hald.te	2004-11-21 00:17:07.932617902 -0500
@@ -21,6 +21,7 @@
 ifdef(`dbusd.te', `
 allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
 dbusd_client(system, hald)
+allow hald_t self:dbus send_msg;
 ')
 
 allow hald_t { self proc_t }:file { getattr read };
@@ -69,3 +70,4 @@
 allow hald_t device_t:dir create_dir_perms;
 allow hald_t device_t:chr_file create_file_perms;
 tmp_domain(hald)
+allow hald_t mnt_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.4/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.4/domains/program/unused/kerberos.te	2004-11-21 00:17:07.932617902 -0500
@@ -50,26 +50,31 @@
 # Bind to the kerberos, kerberos-adm ports.
 allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
 allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
-allow kadmind_t kerberos_admin_port_t:tcp_socket name_bind;
+allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
+allow kadmind_t reserved_port_t:tcp_socket name_bind;
 
 #
 # Rules for Kerberos5 KDC daemon
 allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
 allow krb5kdc_t self:unix_stream_socket create_socket_perms;
+allow kadmind_t  self:unix_stream_socket create_socket_perms;
 allow krb5kdc_t krb5kdc_conf_t:dir search;
 allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
 allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
 dontaudit krb5kdc_t krb5kdc_principal_t:file write;
 allow krb5kdc_t locale_t:file { getattr read };
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t etc_t:dir { getattr search };
-allow krb5kdc_t etc_t:file { getattr read };
-allow krb5kdc_t krb5_conf_t:file r_file_perms;
-dontaudit krb5kdc_t krb5_conf_t:file write;
+allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
+allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
+allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
+dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
 tmp_domain(krb5kdc)
 log_domain(krb5kdc)
-allow krb5kdc_t urandom_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_socket { create bind getattr read write };
+allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
+allow kadmind_t random_device_t:chr_file { getattr read };
+allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t proc_t:dir r_dir_perms;
 allow krb5kdc_t proc_t:file { getattr read };
 
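Review bot: `allow kadmind_t reserved_port_t:tcp_socket name_bind;` together with `dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;` lets kadmind bind any unlabelled reserved port and silences the denial for every other reserved port type, so an unexpected bind leaves no audit trail; if kadmind only needs one extra port, declare a dedicated port type with a portcon for it and leave the dontaudit out. The new kadmind rules are also inserted under the `# Rules for Kerberos5 KDC daemon` comment, and `allow kadmind_t  self:unix_stream_socket` has a double space; a separate kadmind comment block would keep the file readable.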
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.4/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/domains/program/unused/postgresql.te	2004-11-21 00:17:07.933617789 -0500
@@ -110,6 +110,14 @@
 dontaudit postgresql_t selinux_config_t:dir { search };
 allow postgresql_t mail_spool_t:dir { search };
 rw_dir_create_file(postgresql_t, var_lock_t)
+can_exec(postgresql_t, { shell_exec_t bin_t } )
+ifdef(`httpd.te', `
+# 
+# Allow httpd to work with postgresql
+#
+allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
+can_unix_connect(httpd_t, posgresql_t)
+')
 
 ifdef(`distro_gentoo', `
 # "su - postgres ..." is called from initrc_t
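Review bot: `can_unix_connect(httpd_t, posgresql_t)` misspells the domain (posgresql_t for postgresql_t); no type of that name is declared, so checkpolicy will reject the build, and if it somehow did not, httpd would silently never get connectto on the postgresql socket, making the new `allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;` line useless. `can_exec(postgresql_t, { shell_exec_t bin_t } )` also lets the database server run any shell or bin_t binary; a comment stating which PostgreSQL feature needs that would help later audits.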
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.19.4/domains/program/unused/stunnel.te
--- nsapolicy/domains/program/unused/stunnel.te	2004-11-18 14:44:59.000000000 -0500
+++ policy-1.19.4/domains/program/unused/stunnel.te	2004-11-21 00:17:07.934617676 -0500
@@ -2,21 +2,10 @@
 #
 # Author:   petre rodan <kaiowas@gentoo.org>
 #
+inetd_child_domain(stunnel, tcp)
 
-type stunnel_port_t, port_type;
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-
-type stunnel_etc_t, file_type, sysadmfile;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
+allow stunnel_t self:capability sys_chroot;
 allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
 
+type stunnel_etc_t, file_type, sysadmfile;
 r_dir_file(stunnel_t, stunnel_etc_t)
-r_dir_file(stunnel_t, etc_t)
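Review bot: this hunk removes `type stunnel_port_t, port_type;` but keeps `allow stunnel_t stunnel_port_t:tcp_socket { name_bind };`, so the build now depends on inetd_child_domain (or net_contexts) declaring stunnel_port_t; if nothing does, the policy stops compiling, and if stunnel now only runs from inetd on an already-accepted socket, the name_bind rule is dead and could be dropped with the type. Dropping `r_dir_file(stunnel_t, etc_t)` likewise assumes inetd_child_domain grants the /etc reads stunnel needs for its configuration; a run in permissive mode against the audit log would confirm both.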
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.4/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/file_contexts/program/cups.fc	2004-11-21 00:17:07.934617676 -0500
@@ -1,7 +1,7 @@
 # cups printing
 /etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
 /usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf/(/.*)? system_u:object_r:cupsd_rw_etc_t
+/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
 /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
 /etc/cups/client\.conf	--	system_u:object_r:etc_t
 /etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.19.4/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.4/file_contexts/program/dovecot.fc	2004-11-21 00:17:07.935617563 -0500
@@ -9,4 +9,4 @@
 /usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
-/usr/lib/dovecot/.+	--		system_u:object_r:bin_t
+/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dpkg.fc policy-1.19.4/file_contexts/program/dpkg.fc
--- nsapolicy/file_contexts/program/dpkg.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.4/file_contexts/program/dpkg.fc	2004-11-21 00:17:07.935617563 -0500
@@ -47,5 +47,5 @@
 /usr/share/shorewall/.*	--	system_u:object_r:bin_t
 /usr/share/reportbug/.*	--	system_u:object_r:bin_t
 /etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
-/usr/lib/gconf2/gconfd-2 --	system_u:object_r:bin_t
+/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
 /bin/mountpoint		--	system_u:object_r:fsadm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hotplug.fc policy-1.19.4/file_contexts/program/hotplug.fc
--- nsapolicy/file_contexts/program/hotplug.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.4/file_contexts/program/hotplug.fc	2004-11-21 00:17:07.936617451 -0500
@@ -1,10 +1,10 @@
 # hotplug
 /etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t
 /sbin/hotplug		--	system_u:object_r:hotplug_exec_t
-/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t
 /sbin/netplugd		--	system_u:object_r:hotplug_exec_t
-/etc/hotplug.d/default/default.* system_u:object_r:sbin_t
-/etc/netplug.d(/.*)? 	 	system_u:object_r:sbin_t
+/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t
+/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t
+/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t
 /etc/hotplug/.*agent	--	system_u:object_r:sbin_t
 /etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t
 /etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t
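Review bot: escaping the dots in `/etc/hotplug\.d/` and `/etc/netplug\.d` is correct, since the unescaped forms matched any character in that position. The moved `/etc/hotplug\.d/.*` entry now sits directly before the more specific `/etc/hotplug\.d/default/default.*` line, which is the ordering file_contexts needs because the last matching entry wins; a one-line comment saying so would stop a future reorder from silently relabelling the default scripts as hotplug_exec_t.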
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nrpe.fc policy-1.19.4/file_contexts/program/nrpe.fc
--- nsapolicy/file_contexts/program/nrpe.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.4/file_contexts/program/nrpe.fc	2004-11-21 00:17:07.936617451 -0500
@@ -1,5 +1,5 @@
 # nrpe
 /usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
 /etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
-/usr/lib/netsaint/plugins(/.*)?	--	system_u:object_r:bin_t
-/usr/lib/nagios/plugins(/.*)?	--	system_u:object_r:bin_t
+/usr/lib(64)?/netsaint/plugins(/.*)?	--	system_u:object_r:bin_t
+/usr/lib(64)?/nagios/plugins(/.*)?	--	system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.19.4/file_contexts/program/xdm.fc
--- nsapolicy/file_contexts/program/xdm.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.4/file_contexts/program/xdm.fc	2004-11-21 00:17:07.937617338 -0500
@@ -21,7 +21,6 @@
 ifdef(`distro_suse', `
 /var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t
 ')
-/usr/lib/qt-3.3/etc/settings/qtrc(/.*)? system_u:object_r:xdm_var_lib_t
 
 #
 # Additional Xsession scripts
@@ -37,4 +36,4 @@
 /etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
 /etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
 /etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
-/usr/lib(64)?/qt-3.2/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
+/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.4/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/file_contexts/types.fc	2004-11-21 00:17:07.938617225 -0500
@@ -458,3 +458,11 @@
 #  we defined a type to dontaudit
 #
 /etc/krb5\.conf		--	system_u:object_r:krb5_conf_t
+
+#
+# Thunderbird
+#
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.4/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/macros/base_user_macros.te	2004-11-21 00:17:07.939617112 -0500
@@ -82,7 +82,7 @@
 allow $1_t usbtty_device_t:chr_file read;
 
 # GNOME checks for usb and other devices
-r_dir_file($1_t,usbfs_t)
+rw_dir_file($1_t,usbfs_t)
 
 can_exec($1_t, noexattrfile)
 # Bind to a Unix domain socket in /tmp.
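Review bot: changing `r_dir_file($1_t,usbfs_t)` to `rw_dir_file($1_t,usbfs_t)` gives every user domain write access to usbfs, which is what userspace needs to submit requests to USB devices directly, so the grant is much broader than the device enumeration the comment `# GNOME checks for usb and other devices` describes. If GNOME really issues writes, name the component in the comment and consider granting the write to that helper's domain rather than to all of $1_t.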
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.4/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/macros/core_macros.te	2004-11-21 00:17:07.940616999 -0500
@@ -152,12 +152,12 @@
 #
 # Permissions for creating and using sockets.
 # 
-define(`connected_socket_perms', `{ create_socket_perms -connect }')
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`connected_stream_socket_perms', `{ create_stream_socket_perms -connect }')
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
 
 
 #
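Review bot: both replacement definitions are now explicit permission lists instead of `create_socket_perms -connect` and `create_stream_socket_perms -connect`, so they will silently drift the next time `create_socket_perms` gains a permission; check the expanded list against `create_socket_perms` as defined earlier in this file (it should be that set minus `connect` and nothing else), and fix the comment over each macro, which still reads "Permissions for creating and using sockets." and no longer says these variants deliberately omit `connect`. A one-line comment on why the set-subtraction form was dropped would also stop the next person from reverting it.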
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.19.4/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.4/macros/program/mount_macros.te	2004-11-21 00:17:07.940616999 -0500
@@ -21,7 +21,7 @@
 # macro if $2_def is defined
 define(`$2_def', `')
 #
-type $2_t, domain, privlog $3;
+type $2_t, domain, privlog $3, nscd_client_domain;
 
 allow $2_t sysfs_t:dir search;
 
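Review bot: adding `nscd_client_domain` to `$2_t` unconditionally makes the mount macro depend on that attribute being declared even on a policy built without nscd; if the attribute lives in attrib.te this is fine, but if it is only declared alongside nscd.te, wrap it in `ifdef(`nscd.te', ...)` (the macro already uses that pattern for gnome-pty-helper.te and pamconsole.te further down) so the mount domains still build on systems that do not ship nscd.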
@@ -65,6 +65,8 @@
 allow $2_t $1_tty_device_t:chr_file { getattr read write ioctl };
 allow $2_t $1_devpts_t:chr_file { getattr read write };
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
+allow $2_t var_t:dir search;
+allow $2_t var_run_t:dir search;
 
 ifdef(`distro_redhat',`
 ifdef(`pamconsole.te',`
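Review bot: the two new `search` rules on `var_t` and `var_run_t` carry no comment saying what in the mount helper walks into /var/run; they sit directly above the `distro_redhat`/`pamconsole.te` block that grants `pam_var_console_t` access, so if they exist to reach the console lock files under /var/run they should move inside that ifdef, and if they are needed generally (a lock or pid file, say) a comment like the ones on the neighbouring lines should say so.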
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.4/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.4/macros/program/mozilla_macros.te	2004-11-21 00:17:33.188768235 -0500
@@ -22,6 +22,7 @@
 
 # Unrestricted inheritance from the caller.
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
+allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
 allow $1_mozilla_t self:process { setrlimit setsched };
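Review bot: `signull` lets `$1_mozilla_t` test whether the caller's processes exist (`kill -0` style checks) without being able to deliver a signal to them, which is harmless, but every surrounding rule carries a comment and this one does not; add one naming what mozilla does that needs it (a check for an already-running instance, for example) so it is not mistaken for a leftover when the macro is next trimmed.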
@@ -116,6 +117,8 @@
 dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
 
+dontaudit $1_mozilla_t selinux_config_t:dir search;
+
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
 allow $1_mozilla_t xdm_tmp_t:dir search;
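Review bot: the `dontaudit $1_mozilla_t selinux_config_t:dir search` is the usual libselinux probe of /etc/selinux and matches what postgresql.te already does, so the rule itself is fine; it would read better grouped with the other `dontaudit` on `file_type:dir getattr` a few lines up rather than wedged between the semaphore rule and the xdm block.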
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.4/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.4/macros/program/userhelper_macros.te	2004-11-21 00:17:24.007804129 -0500
@@ -143,4 +143,8 @@
 allow $1_userhelper_t pam_var_console_t:dir { search };
 ')
 
+ifdef(`mozilla.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
+
 ')dnl end userhelper macro
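Review bot: `domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)` lets the browser domain execute userhelper and land in `$1_userhelper_t`, the same PAM-authenticated path the user's shell uses to reach privileged tools, so a compromised mozilla process gains a route to prompt for and use the user's or root's password; if the intent is only to let the browser launch consolehelper-wrapped programs, say so in a comment and consider making the transition opt-in rather than enabled whenever mozilla.te is present. Also check that `$1_mozilla_t` is declared for every user role that expands the userhelper macro: `ifdef(`mozilla.te')` only proves the file is in the build, not that the mozilla macro was expanded for `$1`, and an undeclared type is a build failure.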

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: gentoo policy for dante
  2004-11-21  5:18       ` Daniel J Walsh
@ 2004-11-21  9:14         ` petre rodan
  2004-11-23 21:07         ` James Carter
  2004-11-28  9:51         ` petre rodan
  2 siblings, 0 replies; 12+ messages in thread
From: petre rodan @ 2004-11-21  9:14 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux, Chris PeBenito

[-- Attachment #1: Type: text/plain, Size: 1192 bytes --]


Hi Daniel,

Daniel J Walsh wrote:
> Small change on previous patch.
> 
> Please ignore previous patch and use this one.
> 
[..]
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.19.4/domains/program/unused/stunnel.te
> --- nsapolicy/domains/program/unused/stunnel.te	2004-11-18 14:44:59.000000000 -0500
> +++ policy-1.19.4/domains/program/unused/stunnel.te	2004-11-21 00:17:07.934617676 -0500
> @@ -2,21 +2,10 @@
>  #
>  # Author:   petre rodan <kaiowas@gentoo.org>
>  #
> +inetd_child_domain(stunnel, tcp)
>  
> -type stunnel_port_t, port_type;
> -
> -daemon_domain(stunnel)
> -
> -can_network(stunnel_t)
> -
> -type stunnel_etc_t, file_type, sysadmfile;
> -
> -allow stunnel_t self:capability { setgid setuid sys_chroot };
> -allow stunnel_t self:fifo_file { read write };
> -allow stunnel_t self:tcp_socket { read write };
> -allow stunnel_t self:unix_stream_socket { connect create };
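Review bot: beyond the inetd dependency raised in the reply, this hunk deletes `stunnel_port_t` and `stunnel_etc_t` together with the `setgid setuid sys_chroot` capability rules, so any file_contexts or net_contexts entries that still reference those types will fail at policy load, and a standalone stunnel configured to chroot will be denied `sys_chroot`; if `inetd_child_domain(stunnel, tcp)` stays, the matching context entries need to be removed in the same patch, and the standalone-daemon rules belong under the non-inetd branch of whatever ifdef is chosen.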

please put this in a distro or an inetd ifdef.
stunnel is in no way dependent on inetd, and gentoo has dropped inetd support (so we don't even have that macro you're using).

thanks,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]


* Re: gentoo policy for dante
  2004-11-21  5:18       ` Daniel J Walsh
  2004-11-21  9:14         ` petre rodan
@ 2004-11-23 21:07         ` James Carter
  2004-11-28  9:51         ` petre rodan
  2 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2004-11-23 21:07 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged, except for the stunnel.te part.

On Sun, 2004-11-21 at 00:18, Daniel J Walsh wrote:
> Small change on previous patch.
> 
> Please ignore previous patch and use this one.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: gentoo policy for dante
  2004-11-21  5:18       ` Daniel J Walsh
  2004-11-21  9:14         ` petre rodan
  2004-11-23 21:07         ` James Carter
@ 2004-11-28  9:51         ` petre rodan
  2004-11-29 15:23           ` Daniel J Walsh
  2 siblings, 1 reply; 12+ messages in thread
From: petre rodan @ 2004-11-28  9:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 865 bytes --]


Hi Daniel,

Daniel J Walsh wrote:
> Small change on previous patch.
> 
> Please ignore previous patch and use this one.
>
> --- nsapolicy/domains/program/unused/postgresql.te	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.4/domains/program/unused/postgresql.te	2004-11-21 00:17:07.933617789 -0500
> @@ -110,6 +110,14 @@
>  dontaudit postgresql_t selinux_config_t:dir { search };
>  allow postgresql_t mail_spool_t:dir { search };
>  rw_dir_create_file(postgresql_t, var_lock_t)
> +can_exec(postgresql_t, { shell_exec_t bin_t } )
> +ifdef(`httpd.te', `
> +# 
> +# Allow httpd to work with postgresql
> +#
> +allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
> +can_unix_connect(httpd_t, posgresql_t)
> +')
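Review bot: `can_unix_connect(httpd_t, posgresql_t)` misspells the type as `posgresql_t`, which is an undeclared type and will break the build whenever the `httpd.te` branch is taken; fix it to `postgresql_t` at the same time as the `apache.te` ifdef question raised below. Separately, `can_exec(postgresql_t, { shell_exec_t bin_t })` lets the database server execute any shell or bin_t program; if this is for a specific helper (pg_ctl or the init script, say), a comment naming it would justify the widening and let it be narrowed later.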

shouldn't this be an ifdef on apache.te instead of httpd.te?

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]


* Re: gentoo policy for dante
  2004-11-28  9:51         ` petre rodan
@ 2004-11-29 15:23           ` Daniel J Walsh
  2004-11-29 19:24             ` James Carter
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2004-11-29 15:23 UTC (permalink / raw)
  To: petre rodan; +Cc: jwcart2, SELinux

petre rodan wrote:

>
> Hi Daniel,
>
> Daniel J Walsh wrote:
>
>> Small change on previous patch.
>>
>> Please ignore previous patch and use this one.
>
> >
>
>> --- nsapolicy/domains/program/unused/postgresql.te    2004-11-20 
>> 22:29:09.000000000 -0500
>> +++ policy-1.19.4/domains/program/unused/postgresql.te    2004-11-21 
>> 00:17:07.933617789 -0500
>> @@ -110,6 +110,14 @@
>>  dontaudit postgresql_t selinux_config_t:dir { search };
>>  allow postgresql_t mail_spool_t:dir { search };
>>  rw_dir_create_file(postgresql_t, var_lock_t)
>> +can_exec(postgresql_t, { shell_exec_t bin_t } )
>> +ifdef(`httpd.te', `
>> +# +# Allow httpd to work with postgresql
>> +#
>> +allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
>> +can_unix_connect(httpd_t, posgresql_t)
>> +')
>
>
> shouldn't this be an ifdef on apache.te instead of httpd.te?
>
> bye,
> peter
>
Yes.



* Re: gentoo policy for dante
  2004-11-29 15:23           ` Daniel J Walsh
@ 2004-11-29 19:24             ` James Carter
  0 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2004-11-29 19:24 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: petre rodan, SELinux

Fixed in CVS.

On Mon, 2004-11-29 at 10:23, Daniel J Walsh wrote:
> petre rodan wrote:
> 
> >
> > Hi Daniel,
> >
> > Daniel J Walsh wrote:
> >
> >> Small change on previous patch.
> >>
> >> Please ignore previous patch and use this one.
> >
> > >
> >
> >> --- nsapolicy/domains/program/unused/postgresql.te    2004-11-20 
> >> 22:29:09.000000000 -0500
> >> +++ policy-1.19.4/domains/program/unused/postgresql.te    2004-11-21 
> >> 00:17:07.933617789 -0500
> >> @@ -110,6 +110,14 @@
> >>  dontaudit postgresql_t selinux_config_t:dir { search };
> >>  allow postgresql_t mail_spool_t:dir { search };
> >>  rw_dir_create_file(postgresql_t, var_lock_t)
> >> +can_exec(postgresql_t, { shell_exec_t bin_t } )
> >> +ifdef(`httpd.te', `
> >> +# +# Allow httpd to work with postgresql
> >> +#
> >> +allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
> >> +can_unix_connect(httpd_t, posgresql_t)
> >> +')
> >
> >
> > shouldn't this be an ifdef on apache.te instead of httpd.te?
> >
> > bye,
> > peter
> >
> Yes.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



end of thread

Thread overview: 12+ messages
2004-11-15 17:37 gentoo policy for dante petre rodan
     [not found] ` <20041116082954.GC2546@jmh.mhn.de>
2004-11-16  9:13   ` petre rodan
2004-11-18 20:07 ` James Carter
2004-11-18 21:57   ` petre rodan
2004-11-19 19:51     ` James Carter
2004-11-21  5:13       ` Daniel J Walsh
2004-11-21  5:18       ` Daniel J Walsh
2004-11-21  9:14         ` petre rodan
2004-11-23 21:07         ` James Carter
2004-11-28  9:51         ` petre rodan
2004-11-29 15:23           ` Daniel J Walsh
2004-11-29 19:24             ` James Carter
