Latest patch

Latest patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 398 bytes --]

Allow booloader to run exec_type, so it can pick up consoletype.

Allow initrc to cleanup ptal runtime files in init scripts

Add file contexts for bin_t files in the /usr partition.

Fix policy so htdig will work

Make changes so ipx_interface and friends will run( ALthough I need help 
on this stuff since I don't have access to IPX network, nor do
I want too :*)

Fix console and jave labeling

[-- Attachment #2: policy-20041202.patch --]
[-- Type: text/x-patch, Size: 7488 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-29 10:24:17.000000000 -0500
+++ policy-1.19.8/domains/program/unused/apache.te	2004-11-30 16:54:39.000000000 -0500
@@ -332,3 +332,6 @@
 ')
 allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
 }
+
+read_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_lib_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.8/domains/program/unused/bootloader.te	2004-12-01 10:54:10.000000000 -0500
@@ -58,7 +58,7 @@
 # uncomment the following line if you use "lilo -p"
 #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
 
-can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
+can_exec_any(bootloader_t)
 allow bootloader_t shell_exec_t:lnk_file read;
 allow bootloader_t { bin_t sbin_t }:dir search;
 allow bootloader_t { bin_t sbin_t }:lnk_file read;
@@ -131,14 +131,6 @@
 allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 allow bootloader_t initrc_t:fifo_file { read write };
 
-ifdef(`distro_debian', `
-# for making an initrd
-can_exec(bootloader_t, mount_exec_t)
-ifdef(`chroot.te', `
-can_exec(bootloader_t, chroot_exec_t)
-')dnl end chroot.te
-')dnl end distro_debian
-
 # for reading BIOS data
 allow bootloader_t memory_device_t:chr_file r_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-12-02 14:11:41.692784006 -0500
+++ policy-1.19.8/domains/program/unused/cups.te	2004-12-02 13:44:06.204217215 -0500
@@ -157,6 +157,9 @@
 allow cupsd_t ptal_var_run_t:dir search;
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
+allow initrc_t ptal_var_run_t:dir rmdir;
+allow initrc_t ptal_var_run_t:fifo_file unlink;
+
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.8/file_contexts/distros.fc	2004-12-01 16:26:58.000000000 -0500
@@ -31,6 +31,9 @@
 /usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
 /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
 /usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
 ')
 
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.8/file_contexts/program/apache.fc	2004-11-30 16:49:58.000000000 -0500
@@ -40,3 +40,6 @@
 ')
 /var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
 /usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
+/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc
--- nsapolicy/file_contexts/program/ifconfig.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.8/file_contexts/program/ifconfig.fc	2004-12-01 09:01:45.000000000 -0500
@@ -7,3 +7,6 @@
 /bin/ip			--	system_u:object_r:ifconfig_exec_t
 /sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
 /sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-12-02 14:11:43.377594270 -0500
+++ policy-1.19.8/file_contexts/types.fc	2004-12-02 13:27:20.530471384 -0500
@@ -139,6 +139,9 @@
 /u?dev/cu.*		-c	system_u:object_r:tty_device_t
 /u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
 /u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
+/u?dev/hvc.*		-c	system_u:object_r:tty_device_t
+/u?dev/hvsi.*		-c	system_u:object_r:tty_device_t
+/u?dev/ttySG.*		-c	system_u:object_r:tty_device_t
 /u?dev/tty		-c	system_u:object_r:devtty_t
 /dev/lp.*		-c	system_u:object_r:printer_device_t
 /dev/par.*		-c	system_u:object_r:printer_device_t
@@ -334,6 +337,9 @@
 /usr(/.*)?			system_u:object_r:usr_t
 /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
 /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-12-02 14:11:43.625566345 -0500
+++ policy-1.19.8/macros/program/mozilla_macros.te	2004-12-02 13:39:30.762236174 -0500
@@ -98,6 +98,7 @@
 dontaudit $1_mozilla_t boot_t:dir getattr;
 ifdef(`cups.te', `
 allow $1_mozilla_t cupsd_etc_t:dir search;
+allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
 ')
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.8/tunables/distro.tun	2004-11-30 16:17:10.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.8/tunables/tunable.tun	2004-11-30 16:17:10.000000000 -0500
@@ -2,10 +2,10 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
@@ -17,11 +17,11 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: Latest patch

[James Carter]

Merged.

On Thu, 2004-12-02 at 14:27, Daniel J Walsh wrote:
> Allow booloader to run exec_type, so it can pick up consoletype.
> 
> Allow initrc to cleanup ptal runtime files in init scripts
> 
> Add file contexts for bin_t files in the /usr partition.
> 
> Fix policy so htdig will work
> 
> Make changes so ipx_interface and friends will run( ALthough I need help 
> on this stuff since I don't have access to IPX network, nor do
> I want too :*)
> 
> Fix console and jave labeling
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-11-29 10:24:17.000000000 -0500
> +++ policy-1.19.8/domains/program/unused/apache.te	2004-11-30 16:54:39.000000000 -0500
> @@ -332,3 +332,6 @@
>  ')
>  allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
>  }
> +
> +read_sysctl(httpd_sys_script_t)
> +allow httpd_sys_script_t var_lib_t:dir search;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te
> --- nsapolicy/domains/program/unused/bootloader.te	2004-11-05 23:24:16.000000000 -0500
> +++ policy-1.19.8/domains/program/unused/bootloader.te	2004-12-01 10:54:10.000000000 -0500
> @@ -58,7 +58,7 @@
>  # uncomment the following line if you use "lilo -p"
>  #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
>  
> -can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
> +can_exec_any(bootloader_t)
>  allow bootloader_t shell_exec_t:lnk_file read;
>  allow bootloader_t { bin_t sbin_t }:dir search;
>  allow bootloader_t { bin_t sbin_t }:lnk_file read;
> @@ -131,14 +131,6 @@
>  allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
>  allow bootloader_t initrc_t:fifo_file { read write };
>  
> -ifdef(`distro_debian', `
> -# for making an initrd
> -can_exec(bootloader_t, mount_exec_t)
> -ifdef(`chroot.te', `
> -can_exec(bootloader_t, chroot_exec_t)
> -')dnl end chroot.te
> -')dnl end distro_debian
> -
>  # for reading BIOS data
>  allow bootloader_t memory_device_t:chr_file r_file_perms;
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-12-02 14:11:41.692784006 -0500
> +++ policy-1.19.8/domains/program/unused/cups.te	2004-12-02 13:44:06.204217215 -0500
> @@ -157,6 +157,9 @@
>  allow cupsd_t ptal_var_run_t:dir search;
>  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>  
> +allow initrc_t ptal_var_run_t:dir rmdir;
> +allow initrc_t ptal_var_run_t:fifo_file unlink;
> +
>  dontaudit cupsd_t selinux_config_t:dir search;
>  dontaudit cupsd_t selinux_config_t:file { getattr read };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc
> --- nsapolicy/file_contexts/distros.fc	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.8/file_contexts/distros.fc	2004-12-01 16:26:58.000000000 -0500
> @@ -31,6 +31,9 @@
>  /usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
>  /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
>  /usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
>  ')
>  
>  ifdef(`distro_suse', `
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc
> --- nsapolicy/file_contexts/program/apache.fc	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.8/file_contexts/program/apache.fc	2004-11-30 16:49:58.000000000 -0500
> @@ -40,3 +40,6 @@
>  ')
>  /var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
>  /usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
> +/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> +/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> +/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc
> --- nsapolicy/file_contexts/program/ifconfig.fc	2004-11-19 11:20:43.000000000 -0500
> +++ policy-1.19.8/file_contexts/program/ifconfig.fc	2004-12-01 09:01:45.000000000 -0500
> @@ -7,3 +7,6 @@
>  /bin/ip			--	system_u:object_r:ifconfig_exec_t
>  /sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
>  /sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc
> --- nsapolicy/file_contexts/types.fc	2004-12-02 14:11:43.377594270 -0500
> +++ policy-1.19.8/file_contexts/types.fc	2004-12-02 13:27:20.530471384 -0500
> @@ -139,6 +139,9 @@
>  /u?dev/cu.*		-c	system_u:object_r:tty_device_t
>  /u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
>  /u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
> +/u?dev/hvc.*		-c	system_u:object_r:tty_device_t
> +/u?dev/hvsi.*		-c	system_u:object_r:tty_device_t
> +/u?dev/ttySG.*		-c	system_u:object_r:tty_device_t
>  /u?dev/tty		-c	system_u:object_r:devtty_t
>  /dev/lp.*		-c	system_u:object_r:printer_device_t
>  /dev/par.*		-c	system_u:object_r:printer_device_t
> @@ -334,6 +337,9 @@
>  /usr(/.*)?			system_u:object_r:usr_t
>  /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
>  /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
>  /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
>  /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
>  /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2004-12-02 14:11:43.625566345 -0500
> +++ policy-1.19.8/macros/program/mozilla_macros.te	2004-12-02 13:39:30.762236174 -0500
> @@ -98,6 +98,7 @@
>  dontaudit $1_mozilla_t boot_t:dir getattr;
>  ifdef(`cups.te', `
>  allow $1_mozilla_t cupsd_etc_t:dir search;
> +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
>  ')
>  allow $1_mozilla_t $1_t:tcp_socket { read write };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun
> --- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
> +++ policy-1.19.8/tunables/distro.tun	2004-11-30 16:17:10.000000000 -0500
> @@ -5,7 +5,7 @@
>  # appropriate ifdefs.
>  
> 
> -dnl define(`distro_redhat')
> +define(`distro_redhat')
>  
>  dnl define(`distro_suse')
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.8/tunables/tunable.tun	2004-11-30 16:17:10.000000000 -0500
> @@ -2,10 +2,10 @@
>  dnl define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
> @@ -17,11 +17,11 @@
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

patch: add policy for gpg helpers

[Thomas Bleher]

[-- Attachment #1.1: Type: text/plain, Size: 455 bytes --]

This patch adds support for gpg-helpers. These can be used to
automatically fetch gpg keys over the network. Properly configured,
$1_gpg_t doesn't need network access anymore. Unfortunately, eg Debian
doesn't yet include all the necessary helpers, so I left the
can_network() for $1_gpg_t in for now.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: gpg_helper.patch --]
[-- Type: text/plain, Size: 2875 bytes --]

diff -urN orig/domains/program/unused/gpg.te mod/domains/program/unused/gpg.te
--- orig/domains/program/unused/gpg.te	2003-08-14 14:37:36.000000000 +0200
+++ mod/domains/program/unused/gpg.te	2004-12-09 18:38:03.000000000 +0100
@@ -6,6 +6,7 @@
 
 # Type for gpg or pgp executables.
 type gpg_exec_t, file_type, sysadmfile, exec_type;
+type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
 
 allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
 allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
diff -urN orig/file_contexts/program/gpg.fc mod/file_contexts/program/gpg.fc
--- orig/file_contexts/program/gpg.fc	2004-03-09 16:31:36.000000000 +0100
+++ mod/file_contexts/program/gpg.fc	2004-12-09 18:38:03.000000000 +0100
@@ -1,3 +1,4 @@
 # gpg
 HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
 /usr/bin/gpg		--	system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.*	--	system_u:object_r:gpg_helper_exec_t
diff -urN orig/macros/program/gpg_macros.te mod/macros/program/gpg_macros.te
--- orig/macros/program/gpg_macros.te	2004-11-30 16:19:26.000000000 +0100
+++ mod/macros/program/gpg_macros.te	2004-12-09 18:38:54.000000000 +0100
@@ -19,7 +19,7 @@
 define(`gpg_domain', `
 # Derived domain based on the calling user domain and the program.
 type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile, $1_file_type;
+type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
@@ -94,4 +94,38 @@
 
 ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
 
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the 
+# mail interface you will likely need additional permissions.
+type $1_gpg_helper_t, domain;
+role $1_r types $1_gpg_helper_t;
+
+domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
+uses_shlib($1_gpg_helper_t)
+
+# allow gpg to fork so it can call the helpers
+allow $1_gpg_t self:process { fork sigchld };
+allow $1_gpg_t self:fifo_file { getattr read write };
+
+dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+if (use_nfs_home_dirs) {
+dontaudit $1_gpg_helper_t nfs_t:file { read write };
+}
+
+# communicate with the user 
+allow $1_gpg_helper_t $1_t:fd use;
+allow $1_gpg_helper_t $1_t:fifo_file write;
+# get keys from the network
+can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t etc_t:file { getattr read };
+allow $1_gpg_helper_t urandom_device_t:chr_file read;
+allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+# for nscd
+dontaudit $1_gpg_helper_t var_t:dir search;
+
+ifdef(`xdm.te', `
+dontaudit $1_gpg_t xdm_t:fd use;
+dontaudit $1_gpg_t xdm_t:fifo_file read;
+')
+
 ')dnl end gpg_domain definition

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: patch: add policy for gpg helpers

[James Carter]

Merged.

On Thu, 2004-12-09 at 12:46, Thomas Bleher wrote:
> This patch adds support for gpg-helpers. These can be used to
> automatically fetch gpg keys over the network. Properly configured,
> $1_gpg_t doesn't need network access anymore. Unfortunately, eg Debian
> doesn't yet include all the necessary helpers, so I left the
> can_network() for $1_gpg_t in for now.
> 
> Thomas
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Latest patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 447 bytes --]

Add winbind policy

Add transitionbool attribute. to indicate whether a domain should have a 
disable_trans boolean created for that domain.
(Mozilla and games in strict policy,  All network domains in targeted)

Added can_secsecparam

Fix httpd_sys_script_t to allow access to mysql sock file.

Began adding user configuration changes, to allow adding users in 
different roles without policy sources installed.

Remove user_can_mount tunable.



[-- Attachment #2: policy-20041216.patch --]
[-- Type: text/x-patch, Size: 20202 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.19.14/attrib.te
--- nsapolicy/attrib.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.14/attrib.te	2004-12-16 11:48:36.939342542 -0500
@@ -390,3 +390,6 @@
 # For labeling of content for httpd
 attribute httpdcontent;
 
+# For labeling of domains whos transition can be disabled
+attribute transitionbool;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.19.14/domains/admin.te
--- nsapolicy/domains/admin.te	2004-09-23 15:08:58.000000000 -0400
+++ policy-1.19.14/domains/admin.te	2004-12-16 11:48:36.940342432 -0500
@@ -23,6 +23,9 @@
 # Allow administrator domains to set policy booleans.
 can_setbool(sysadm_t)
 
+# Allow administrator domains to set security parameters
+can_setsecparam(sysadm_t)
+
 # for su
 allow sysadm_t userdomain:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.14/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.14/domains/program/initrc.te	2004-12-16 11:48:36.941342321 -0500
@@ -137,11 +137,6 @@
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
 
-ifdef(`sendmail.te', `
-# Update /etc/mail.
-allow initrc_t etc_mail_t:file { setattr rw_file_perms };
-')
-
 ifdef(`xfs.te', `
 # Unlink the xfs socket.
 allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.14/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.14/domains/program/unused/apache.te	2004-12-16 11:48:36.941342321 -0500
@@ -243,11 +243,12 @@
 ifdef(`mysqld.te', `
 can_unix_connect(httpd_php_t, mysqld_t)
 can_unix_connect(httpd_t, mysqld_t)
+can_unix_connect(httpd_sys_script_t, mysqld_t)
 allow httpd_php_t mysqld_var_run_t:dir search;
 allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow httpd_t mysqld_db_t:dir search;
-allow httpd_t mysqld_db_t:sock_file rw_file_perms;
-allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
+allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
+allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
 ')
 allow httpd_t bin_t:dir search;
 allow httpd_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.14/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.14/domains/program/unused/nscd.te	2004-12-16 11:48:36.942342210 -0500
@@ -59,7 +59,10 @@
 #
 # Handle winbind for samba, Might only be needed for targeted policy
 #
-dontaudit nscd_t var_run_t:sock_file rw_file_perms;
+allow nscd_t winbind_var_run_t:sock_file { read write getattr };
+can_unix_connect(nscd_t, winbind_t)
+allow nscd_t samba_var_t:dir search;
+allow nscd_t winbind_var_run_t:dir { getattr search };
 
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openvpn.te policy-1.19.14/domains/program/unused/openvpn.te
--- nsapolicy/domains/program/unused/openvpn.te	2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.14/domains/program/unused/openvpn.te	2004-12-16 11:48:36.943342100 -0500
@@ -21,7 +21,7 @@
 allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
 allow openvpn_t self:unix_dgram_socket sendto;
 allow openvpn_t self:unix_stream_socket connectto;
-allow openvpn_t self:capability net_admin;
+allow openvpn_t self:capability { net_admin setgid setuid };
 r_dir_file(openvpn_t, sysctl_net_t)
 
 can_network_server(openvpn_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.14/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.14/domains/program/unused/sendmail.te	2004-12-16 11:48:36.943342100 -0500
@@ -14,7 +14,7 @@
 #
 
 # etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile;
+type etc_mail_t, file_type, sysadmfile, usercanread;
 
 daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.14/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.14/domains/program/unused/winbind.te	2004-12-16 11:48:36.944341989 -0500
@@ -0,0 +1,34 @@
+#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for winbind
+#
+
+daemon_domain(winbind, `, privhome, auth_chkpwd')
+allow winbind_t self:capability net_admin;
+log_domain(winbind)
+allow winbind_t etc_t:file r_file_perms;
+allow winbind_t etc_t:lnk_file read;
+can_network(winbind_t)
+ifdef(`samba.te', `', `
+type samba_etc_t, file_type, sysadmfile, usercanread;
+type samba_log_t, file_type, sysadmfile, logfile;
+type samba_var_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
+')
+rw_dir_file(winbind_t, samba_etc_t)
+rw_dir_file(winbind_t, samba_log_t)
+allow winbind_t samba_secrets_t:file rw_file_perms;
+allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_t urandom_device_t:chr_file { getattr read };
+allow winbind_t self:fifo_file { read write };
+rw_dir_file(winbind_t, samba_var_t)
+allow winbind_t krb5_conf_t:file { getattr read };
+dontaudit winbind_t krb5_conf_t:file { write };
+allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
+allow winbind_t winbind_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.14/domains/user.te
--- nsapolicy/domains/user.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.14/domains/user.te	2004-12-16 11:48:36.944341989 -0500
@@ -27,9 +27,6 @@
 # Allow users to control network interfaces (also needs USERCTL=true)
 bool user_net_control false;
 
-# Disable games transitions
-bool disable_games false;
-
 # Allow regular users direct mouse access 
 bool user_direct_mouse false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.14/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.19.14/file_contexts/distros.fc	2004-12-16 11:48:36.945341878 -0500
@@ -34,6 +34,7 @@
 /usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
+/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
 ')
 
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.19.14/file_contexts/program/samba.fc
--- nsapolicy/file_contexts/program/samba.fc	2004-12-11 06:31:20.000000000 -0500
+++ policy-1.19.14/file_contexts/program/samba.fc	2004-12-16 11:48:36.945341878 -0500
@@ -19,5 +19,3 @@
 /var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t
 /var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t
 /var/spool/samba(/.*)?		system_u:object_r:samba_var_t
-/usr/sbin/winbindd		--	system_u:object_r:smbd_exec_t
-/var/run/winbindd(/.*)?		system_u:object_r:smbd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.19.14/file_contexts/program/winbind.fc
--- nsapolicy/file_contexts/program/winbind.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.14/file_contexts/program/winbind.fc	2004-12-16 11:48:36.946341768 -0500
@@ -0,0 +1,10 @@
+/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t
+/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t
+ifdef(`samba.te', `', `
+/var/log/samba(/.*)?		system_u:object_r:samba_log_t
+/etc/samba(/.*)?		system_u:object_r:samba_etc_t
+/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t
+/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t
+/var/cache/samba(/.*)?		system_u:object_r:samba_var_t
+')
+/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.14/local.users
--- nsapolicy/local.users	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.14/local.users	2004-12-16 11:48:36.946341768 -0500
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the users.system file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ ranges MLS_range_set ];
+#
+# The MLS range set should only be specified if MLS was enabled
+# for the module and checkpolicy.
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
+
+# sample for regular user
+#user jdoe roles { user_r }; 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.14/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-12-09 10:26:10.000000000 -0500
+++ policy-1.19.14/macros/core_macros.te	2004-12-16 11:48:36.947341657 -0500
@@ -332,6 +332,26 @@
 
 ##################################
 #
+# can_setsecparam(domain)
+#
+# Authorize a domain to set security parameters.
+# Due to its sensitivity, always audit this permission.
+#
+define(`can_setsecparam',`
+# Get the selinuxfs mount point via /proc/self/mounts.
+allow $1 proc_t:dir search;
+allow $1 proc_t:lnk_file read;
+allow $1 self:dir search;
+allow $1 self:file { getattr read };
+# Access selinuxfs.
+allow $1 security_t:dir { read search getattr };
+allow $1 security_t:file { getattr read write };
+allow $1 security_t:security setsecparam;
+auditallow $1 security_t:security setsecparam;
+')
+
+##################################
+#
 # can_loadpol(domain)
 #
 # Authorize a domain to load a policy configuration.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.14/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/global_macros.te	2004-12-16 11:48:36.948341546 -0500
@@ -296,13 +296,13 @@
 #
 # Allows user to define a tunable to disable domain transition
 #
-ifdef(`targeted_policy', `
+ifelse(index(`$2',`transitionbool'), -1, `', `
 bool $1_disable_trans false;
 if ($1_disable_trans) {
 can_exec(initrc_t, $1_exec_t)
 can_exec(sysadm_t, $1_exec_t)
 } else {
-') dnl targeted_policy
+') dnl transitionbool
 domain_auto_trans(initrc_t, $1_exec_t, $1_t)
 allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
 ifdef(`direct_sysadm_daemon', `
@@ -311,10 +311,9 @@
 allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
 ')dnl end direct_sysadm_daemon
 ')dnl end nosysadm
-ifdef(`targeted_policy', `
+ifelse(index(`$2', `transitionbool'), -1, `', `
 }
-') dnl targeted_policy
-
+') dnl end transitionbool
 ifdef(`direct_sysadm_daemon', `
 ifelse(`$3', `nosysadm', `', `
 role_transition sysadm_r $1_exec_t system_r;
@@ -340,9 +339,12 @@
 allow $1_t var_t:dir search;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
 ')
-
 define(`daemon_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `$2, transitionbool', $3)
+', `
 daemon_base_domain($1, `$2', $3)
+')
 # Create pid file.
 allow $1_t var_t:dir { getattr search };
 var_run_domain($1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.19.14/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/program/cdrecord_macros.te	2004-12-16 11:48:36.949341436 -0500
@@ -35,6 +35,7 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_cdrecord_t, nfs_t)
 }
+allow $1_cdrecord_t etc_t:file { getattr read };
 
 # allow searching for cdrom-drive
 allow $1_cdrecord_t device_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.19.14/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.19.14/macros/program/games_domain.te	2004-12-16 11:48:36.949341436 -0500
@@ -10,7 +10,7 @@
 #
 #
 define(`games_domain', `
-x_client_domain($1, `games')
+x_client_domain($1, `games', `, transitionbool')
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
 allow $1_games_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.14/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/program/mozilla_macros.te	2004-12-16 11:48:36.950341325 -0500
@@ -16,7 +16,7 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-x_client_domain($1, mozilla, `, web_client_domain, privlog')
+x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.19.14/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.14/macros/program/x_client_macros.te	2004-12-16 11:48:36.951341214 -0500
@@ -29,15 +29,19 @@
 # Type for files that are read-only for this domain
 type $1_$2_ro_t, file_type, $1_file_type, sysadmfile;
 
-# Transition from the user domain to the derived domain.
-ifelse($2, games, `
-if (! disable_games) {
+ifelse(index(`$3', `transitionbool'), -1, `
 domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
 can_exec($1_$2_t, $2_exec_t)
-}
 ', `
+# Only do it once
+ifelse($1, user, `
+bool disable_$2 false;
+')
+# Transition from the user domain to the derived domain.
+if (! disable_$2) {
 domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
 can_exec($1_$2_t, $2_exec_t)
+}
 ')
 
 # The user role is authorized for this domain.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.14/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/program/xserver_macros.te	2004-12-16 11:48:36.951341214 -0500
@@ -247,6 +247,10 @@
 # Allow xserver to read events - the synaptics touchpad
 # driver reads raw events
 allow $1_xserver_t event_device_t:chr_file rw_file_perms;
+ifdef(`pamconsole.te', `
+allow $1_xserver_t pam_var_console_t:dir search;
+')
+dontaudit $1_xserver_t selinux_config_t:dir search;
 
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.19.14/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.19.14/macros/user_macros.te	2004-12-16 11:49:34.659954788 -0500
@@ -218,22 +218,6 @@
 dontaudit $1_t init_t:fd use;
 dontaudit $1_t initrc_t:fd use;
 allow $1_t initrc_t:fifo_file write;
-ifdef(`user_can_mount', `
-#
-#  Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.14/Makefile
--- nsapolicy/Makefile	2004-12-11 06:31:17.000000000 -0500
+++ policy-1.19.14/Makefile	2004-12-16 11:48:36.953340993 -0500
@@ -26,6 +26,7 @@
 INSTALLDIR = $(DESTDIR)/etc/selinux/strict
 POLICYPATH = $(INSTALLDIR)/policy
 SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 LOADPATH = $(POLICYPATH)/$(POLICYVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
@@ -37,13 +38,13 @@
 ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
 TE_RBAC_FILES := $(ALLTEFILES) rbac
 ALL_TUNABLES := $(wildcard tunables/*.tun )
-
+USER_FILES := users serviceusers
 POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
 ifeq ($(MLS),y)
 POLICYFILES += mls
 endif
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += users serviceusers
+POLICYFILES += $(USER_FILES)
 POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts
 
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
@@ -54,9 +55,24 @@
 APPDIR=$(CONTEXTPATH)
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
 
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+	@mkdir -p $(USERPATH)
+	@echo "# " > tmp/system.users
+	@echo "# Do not edit this file. " >> tmp/system.users
+	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+	@echo "# Please edit local.users to make local changes." >> tmp/system.users
+	@echo "#" >> tmp/system.users
+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+	@mkdir -p $(USERPATH)
+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USERPATH)/local.users | sed 's/^user/#user/g' >> tmp/local.users
+	install -m 644 tmp/local.users $@
+
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
-install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
+install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.14/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.14/tunables/distro.tun	2004-12-16 11:48:36.953340993 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.14/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-12-11 06:31:22.000000000 -0500
+++ policy-1.19.14/tunables/tunable.tun	2004-12-16 11:48:36.954340882 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: Latest patch

[James Carter]

Merged, except for the removal of the user_can_mount tunable.

Others are still using that tunable, and since it is a tunable it won't
effect those that don't want to use it.

On Thu, 2004-12-16 at 11:50, Daniel J Walsh wrote:
> Add winbind policy
> 
> Add transitionbool attribute. to indicate whether a domain should have a 
> disable_trans boolean created for that domain.
> (Mozilla and games in strict policy,  All network domains in targeted)
> 
> Added can_secsecparam
> 
> Fix httpd_sys_script_t to allow access to mysql sock file.
> 
> Began adding user configuration changes, to allow adding users in 
> different roles without policy sources installed.
> 
> Remove user_can_mount tunable.
> 

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Latest patch

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]

This patch supersedes the last one.

Basically this patch is for targeted policy.  With this policy initrc 
runs starts all daemons.  If you start a daemon without
using the service script the daemon will run in unconfined_t. 

sendmail, crond, xdm and ssh have targeted policies that allow them to 
run as unconfined_t.

Dan

[-- Attachment #2: policy-20041221.patch --]
[-- Type: text/x-patch, Size: 54402 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.19.15/assert.te
--- nsapolicy/assert.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/assert.te	2004-12-28 12:09:14.000000000 -0500
@@ -30,7 +30,7 @@
 # Verify that only the insmod_t and kernel_t domains 
 # have the sys_module capability.
 #
-neverallow {domain -unrestricted -insmod_t -kernel_t } self:capability sys_module;
+neverallow {domain -unrestricted -insmod_t -kernel_t -howl_t } self:capability sys_module;
 
 #
 # Verify that executable types, the system dynamic loaders, and the
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.15/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/crond.te	2004-12-28 12:09:14.000000000 -0500
@@ -160,6 +160,7 @@
 # /sbin/runlevel needs lock access however
 dontaudit system_crond_t initrc_var_run_t:file write;
 allow system_crond_t initrc_var_run_t:file { getattr read lock };
+allow initrc_t system_cron_spool_t:file { getattr read };
 
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.15/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/initrc.te	2004-12-28 12:09:14.000000000 -0500
@@ -13,10 +13,6 @@
 #
 # do not use privmail for sendmail as it creates a type transition conflict
 type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
-ifdef(`sendmail.te', `
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-')
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
@@ -115,14 +111,6 @@
 # Communicate with the init process.
 allow initrc_t initctl_t:fifo_file rw_file_perms;
 
-# Send messages to portmap and ypbind.
-ifdef(`portmap.te', `
-can_udp_send(initrc_t, portmap_t)
-')
-ifdef(`ypbind.te', `
-can_udp_send(initrc_t, ypbind_t)
-')
-
 # Read /proc/PID directories for all domains.
 r_dir_file(initrc_t, domain)
 allow initrc_t domain:process { getattr getsession };
@@ -137,15 +125,6 @@
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
 
-ifdef(`xfs.te', `
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-')
-
 # Update /var/log/wtmp and /var/log/dmesg.
 allow initrc_t wtmp_t:file { setattr rw_file_perms };
 allow initrc_t var_log_t:dir rw_dir_perms;
@@ -222,38 +201,14 @@
 # readahead asks for these
 #
 allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t system_cron_spool_t:file { getattr read };
 allow initrc_t var_lib_nfs_t:file { getattr read };
 
 # for /halt /.autofsck and other flag files
 file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
 
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-')
 ')dnl end distro_redhat
 
-ifdef(`distro_gentoo', `
-ifdef(`arpwatch.te', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')
-')dnl end distro_gentoo
-
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-
-ifdef(`rhgb.te', `
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-')
-
-ifdef(`gpm.te', `
-allow initrc_t gpmctl_t:sock_file setattr;
-')
-
 allow initrc_t var_spool_t:file rw_file_perms;
 
 # Allow access to the sysadm TTYs. Note that this will give access to the 
@@ -263,20 +218,6 @@
 
 # Access sound device and files.
 allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-ifdef(`sound.te', `
-allow initrc_t sound_file_t:file { setattr write };
-')
-
-ifdef(`apmd.te',
-`# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-')
-
-ifdef(`lpd.te',
-`# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-')
 
 # Read user home directories.
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
@@ -299,7 +240,14 @@
 #
 # Rules for the run_init_t domain.
 #
+ifdef(`targeted_policy', `
+type run_init_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus send_msg;
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
+')
 allow initrc_t privfd:fd use;
 
 # Transition to system_r:initrc_t upon executing init scripts.
@@ -323,10 +271,6 @@
 allow initrc_t device_type:chr_file setattr;
 allow initrc_t binfmt_misc_fs_t:dir { getattr search };
 allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-ifdef(`pam.te', `
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-')
 
 # for lsof in shutdown scripts
 can_kerberos(initrc_t)
@@ -351,9 +295,6 @@
 #
 allow initrc_t security_t:dir { getattr search };
 allow initrc_t security_t:file { getattr read };
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-')
 
 # init script state
 type initrc_state_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.19.15/domains/program/init.te
--- nsapolicy/domains/program/init.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/domains/program/init.te	2004-12-28 12:09:14.000000000 -0500
@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted');
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.15/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.15/domains/program/ldconfig.te	2004-12-28 12:09:14.000000000 -0500
@@ -24,6 +24,7 @@
 file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
 allow ldconfig_t lib_t:dir rw_dir_perms;
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
+allow ldconfig_t lib_t:file r_file_perms;
 
 allow ldconfig_t userdomain:fd use;
 # unlink for when /etc/ld.so.cache is mislabeled
@@ -38,11 +39,7 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
-ifdef(`distro_suse', `
-# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
-')
-
 allow ldconfig_t proc_t:file read;
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.19.15/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/modutil.te	2004-12-28 12:09:14.000000000 -0500
@@ -69,7 +69,7 @@
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, unrestricted' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' )
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
@@ -99,7 +99,9 @@
 
 allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
 
-allow insmod_t sound_device_t:chr_file { ioctl write };
+allow insmod_t sound_device_t:chr_file { read ioctl write };
+allow insmod_t zero_device_t:chr_file read;
+allow insmod_t memory_device_t:chr_file rw_file_perms;
 
 # Read module config and dependency information
 allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
@@ -149,7 +151,6 @@
 
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
-dontaudit insmod_t sound_device_t:chr_file read;
 
 type insmod_exec_t, file_type, exec_type, sysadmfile;
 domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
@@ -159,9 +160,10 @@
 allow insmod_t privmodule:process sigchld;
 dontaudit sysadm_t self:capability sys_module;
 
+ifdef(`mount.te', `
 # Run mount in the mount_t domain.
 domain_auto_trans(insmod_t, mount_exec_t, mount_t)
-
+')
 # for when /var is not mounted early in the boot
 dontaudit insmod_t file_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.19.15/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.15/domains/program/ssh.te	2004-12-28 12:09:14.000000000 -0500
@@ -228,5 +228,4 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-dontaudit sshd_t local_login_t:fd { use };
 dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.19.15/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/unused/amanda.te	2004-12-28 12:09:14.000000000 -0500
@@ -241,8 +241,6 @@
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
-allow amanda_recover_t local_login_t:fd use;
-
 
 # amrecover network and process communication
 #############################################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.15/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/apache.te	2004-12-28 12:09:14.000000000 -0500
@@ -156,6 +156,7 @@
 # Allow the httpd_t to read the web servers config files
 ###################################################
 r_dir_file(httpd_t, httpd_config_t)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.15/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/domains/program/unused/apmd.te	2004-12-28 12:09:14.000000000 -0500
@@ -131,3 +131,5 @@
 dontaudit apmd_t tmpfs_t:dir r_dir_perms;
 dontaudit apmd_t selinux_config_t:dir search;
 allow apmd_t user_tty_type:chr_file rw_file_perms;
+# Access /dev/apm_bios.
+allow initrc_t apm_bios_t:chr_file { setattr getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.15/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/unused/arpwatch.te	2004-12-28 12:09:14.000000000 -0500
@@ -35,3 +35,8 @@
 allow arpwatch_t bin_t:dir search;
 ')
 
+ifdef(`distro_gentoo', `
+allow initrc_t arpwatch_data_t:dir { add_name write };
+allow initrc_t arpwatch_data_t:file create;
+')dnl end distro_gentoo
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.15/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-12-03 14:42:06.000000000 -0500
+++ policy-1.19.15/domains/program/unused/bootloader.te	2004-12-28 12:09:14.000000000 -0500
@@ -29,7 +29,7 @@
 allow bootloader_t { initrc_t privfd }:fd use;
 
 tmp_domain(bootloader, `, device_type')
-allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;
+allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;
 
 read_locale(bootloader_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.15/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/cups.te	2004-12-28 12:09:14.000000000 -0500
@@ -33,10 +33,8 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
 
-ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
-')
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
@@ -166,6 +164,8 @@
 
 allow cupsd_t printconf_t:file { getattr read };
 
+dbusd_client(system, cupsd)
+
 ifdef(`hald.te', `
 
 # CUPS configuration daemon
@@ -195,13 +195,12 @@
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
 
-can_network_server_tcp(cupsd_config_t)
+can_network_tcp(cupsd_config_t)
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
 allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
@@ -243,3 +242,8 @@
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
 ') dnl end if hald.te
+ifdef(`targeted_policy', `
+can_unix_connect(cupsd_t, initrc_t)
+allow cupsd_t initrc_t:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.19.15/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.15/domains/program/unused/dbusd.te	2004-12-28 12:09:14.000000000 -0500
@@ -16,3 +16,5 @@
 
 # I expect we need more than this
 
+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpm.te policy-1.19.15/domains/program/unused/gpm.te
--- nsapolicy/domains/program/unused/gpm.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.15/domains/program/unused/gpm.te	2004-12-28 12:09:14.000000000 -0500
@@ -40,3 +40,6 @@
 allow gpm_t device_t:lnk_file { getattr read };
 
 read_locale(gpm_t)
+
+allow initrc_t gpmctl_t:sock_file setattr;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.15/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te	2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/howl.te	2004-12-28 12:09:14.000000000 -0500
@@ -4,17 +4,19 @@
 #
 
 daemon_domain(howl)
-allow howl_t proc_net_t:dir search;
-allow howl_t proc_net_t:file {getattr read };
+r_dir_file(howl_t, proc_net_t)
 can_network_server(howl_t)
 can_ypbind(howl_t)
-allow howl_t self:capability { kill net_admin };
+allow howl_t self:unix_dgram_socket create_socket_perms;
+allow howl_t self:capability { kill net_admin sys_module };
 
 allow howl_t self:fifo_file rw_file_perms;
 
 type howl_port_t, port_type;
 allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
 
+allow howl_t self:unix_dgram_socket create_socket_perms;
+
 allow howl_t etc_t:file { getattr read };
 allow howl_t initrc_var_run_t:file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.19.15/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.15/domains/program/unused/inetd.te	2004-12-28 12:09:14.000000000 -0500
@@ -18,7 +18,7 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
 
 can_network(inetd_t)
 allow inetd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.15/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.15/domains/program/unused/innd.te	2004-12-28 12:09:14.000000000 -0500
@@ -76,6 +76,5 @@
 
 allow innd_t self:file { getattr read };
 dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
 allow innd_t bin_t:lnk_file { read };
 allow innd_t sbin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.15/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/kerberos.te	2004-12-28 12:09:14.000000000 -0500
@@ -44,11 +44,10 @@
 can_tcp_connect(kerberos_admin_port_t, kadmind_t)
 
 # Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
-allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
+allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
 allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
 allow kadmind_t reserved_port_t:tcp_socket name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
 
 #
 # Rules for Kerberos5 KDC daemon
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.19.15/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/lpd.te	2004-12-28 12:09:14.000000000 -0500
@@ -154,3 +154,8 @@
 # checkpc needs similar permissions.
 allow checkpc_t printconf_t:file getattr;
 allow checkpc_t printconf_t:dir { getattr search read };
+
+# Read printconf files.
+allow initrc_t printconf_t:dir r_dir_perms;
+allow initrc_t printconf_t:file r_file_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.15/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/mta.te	2004-12-28 12:09:14.000000000 -0500
@@ -76,3 +76,4 @@
 create_dir_file( system_mail_t, mqueue_spool_t)
 ')
 allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t urandom_device_t:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.15/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/nscd.te	2004-12-28 12:09:14.000000000 -0500
@@ -70,4 +70,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.15/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/ntpd.te	2004-12-28 12:09:14.000000000 -0500
@@ -80,3 +80,8 @@
 ifdef(`firstboot.te', `
 dontaudit ntpd_t firstboot_t:fd use;
 ')
+ifdef(`winbind.te', `
+allow ntpd_t winbind_var_run_t:dir r_dir_perms;
+allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.19.15/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.19.15/domains/program/unused/pam.te	2004-12-28 12:09:14.000000000 -0500
@@ -34,3 +34,6 @@
 
 allow pam_t local_login_t:fd use;
 dontaudit pam_t self:capability sys_tty_config;
+
+allow initrc_t pam_var_run_t:dir rw_dir_perms;
+allow initrc_t pam_var_run_t:file { getattr read unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.15/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/portmap.te	2004-12-28 12:09:14.000000000 -0500
@@ -23,7 +23,7 @@
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
+dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
@@ -55,8 +55,10 @@
 allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
 
 application_domain(portmap_helper)
+role system_r types portmap_helper_t;
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
+allow portmap_helper_t self:capability { net_bind_service };
 allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
@@ -64,4 +66,5 @@
 dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
 allow portmap_helper_t etc_t:file { getattr read };
 dontaudit portmap_helper_t userdomain:fd use;
-allow portmap_helper_t reserved_port_t:udp_socket name_bind;
+allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.19.15/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/postfix.te	2004-12-28 12:09:14.000000000 -0500
@@ -50,6 +50,8 @@
 allow postfix_$1_t etc_runtime_t:file r_file_perms;
 allow postfix_$1_t proc_t:dir r_dir_perms;
 allow postfix_$1_t proc_t:file r_file_perms;
+allow postfix_$1_t proc_net_t:dir search;
+allow postfix_$1_t proc_net_t:file { getattr read };
 allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
 allow postfix_$1_t fs_t:filesystem getattr;
 can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -158,8 +160,6 @@
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network_client(postfix_$1_t)
 can_ypbind(postfix_$1_t)
-allow postfix_$1_t proc_net_t:dir search;
-allow postfix_$1_t proc_net_t:file { getattr read };
 ')
 
 postfix_server_domain(smtp, `, mail_server_sender')
@@ -274,8 +274,6 @@
 allow postfix_showq_t self:tcp_socket create_socket_perms;
 allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
 dontaudit postfix_showq_t net_conf_t:file r_file_perms;
-allow postfix_showq_t proc_net_t:dir search;
-allow postfix_showq_t proc_net_t:file { getattr read };
 
 postfix_user_domain(postdrop, `, mta_user_agent')
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.15/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/postgresql.te	2004-12-28 12:09:14.000000000 -0500
@@ -112,7 +112,7 @@
 dontaudit postgresql_t selinux_config_t:dir { search };
 allow postgresql_t mail_spool_t:dir { search };
 rw_dir_create_file(postgresql_t, var_lock_t)
-can_exec(postgresql_t, { shell_exec_t bin_t } )
+can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
 ifdef(`apache.te', `
 # 
 # Allow httpd to work with postgresql
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.15/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/rhgb.te	2004-12-28 12:09:14.000000000 -0500
@@ -93,3 +93,8 @@
 ')
 allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
 dontaudit rhgb_t default_t:file read;
+
+allow initrc_t ramfs_t:dir search;
+allow initrc_t ramfs_t:sock_file write;
+allow initrc_t rhgb_t:unix_stream_socket { read write };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.19.15/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.15/domains/program/unused/rpm.te	2004-12-28 12:09:14.000000000 -0500
@@ -244,6 +244,10 @@
 
 allow rpm_script_t domain:process { signal signull };
 
+# Access /var/lib/rpm.
+allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
+allow initrc_t rpm_var_lib_t:file create_file_perms;
+
 ifdef(`unlimitedRPM', `
 unconfined_domain(rpm_t)
 unconfined_domain(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.15/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/sendmail.te	2004-12-28 12:09:14.000000000 -0500
@@ -53,6 +53,8 @@
 # for the start script to run make -C /etc/mail
 allow initrc_t etc_mail_t:dir rw_dir_perms;
 allow initrc_t etc_mail_t:file create_file_perms;
+allow system_mail_t initrc_t:fd use;
+allow system_mail_t initrc_t:fifo_file write;
 
 # Write to /var/spool/mail and /var/spool/mqueue.
 allow sendmail_t var_spool_t:dir { getattr search };
@@ -84,6 +86,7 @@
 allow system_mail_t proc_t:dir search;
 allow system_mail_t proc_t:file { getattr read };
 allow system_mail_t proc_t:lnk_file read;
+dontaudit system_mail_t proc_net_t:dir search;
 allow sendmail_t sysctl_kernel_t:dir search;
 allow sendmail_t sysctl_kernel_t:file { getattr read };
 allow system_mail_t fs_t:filesystem getattr;
@@ -97,9 +100,12 @@
 allow system_mail_t mqueue_spool_t:file create_file_perms;
 
 allow system_mail_t sysctl_kernel_t:file read;
+ifdef(`crond.te', `
 dontaudit system_mail_t system_crond_tmp_t:file append;
+')
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 allow sendmail_t initrc_var_run_t:file { getattr read };
 dontaudit sendmail_t initrc_var_run_t:file { lock write };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound.te policy-1.19.15/domains/program/unused/sound.te
--- nsapolicy/domains/program/unused/sound.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.19.15/domains/program/unused/sound.te	2004-12-28 12:09:14.000000000 -0500
@@ -23,3 +23,4 @@
 # Read and write ttys.
 allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
 read_locale(sound_t)
+allow initrc_t sound_file_t:file { setattr write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.15/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/squid.te	2004-12-28 12:09:14.000000000 -0500
@@ -15,7 +15,7 @@
 
 daemon_domain(squid, `, web_client_domain, nscd_client_domain')
 type squid_conf_t, file_type, sysadmfile;
-
+general_domain_access(squid_t)
 allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
 allow squid_t squid_conf_t:dir r_dir_perms;
 allow squid_t squid_conf_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.19.15/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-12-01 16:51:43.000000000 -0500
+++ policy-1.19.15/domains/program/unused/udev.te	2004-12-28 12:09:14.000000000 -0500
@@ -24,8 +24,9 @@
 #
 # Rules used for udev
 #
-type udev_tbl_t, file_type, sysadmfile, dev_fs;
-file_type_auto_trans(udev_t, device_t, udev_tbl_t, file)
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
+file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
@@ -97,6 +98,7 @@
 ifdef(`pamconsole.te', `
 allow udev_t pam_var_console_t:dir search;
 allow udev_t pam_var_console_t:file { getattr read };
+domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
 ')
 allow udev_t var_lock_t:dir search;
 allow udev_t var_lock_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.15/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2004-12-20 16:27:44.000000000 -0500
+++ policy-1.19.15/domains/program/unused/winbind.te	2004-12-28 12:09:14.000000000 -0500
@@ -21,13 +21,13 @@
 type samba_secrets_t, file_type, sysadmfile;
 ')
 rw_dir_file(winbind_t, samba_etc_t)
-rw_dir_file(winbind_t, samba_log_t)
+rw_dir_create_file(winbind_t, samba_log_t)
 allow winbind_t samba_secrets_t:file rw_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
 allow winbind_t urandom_device_t:chr_file { getattr read };
 allow winbind_t self:fifo_file { read write };
-rw_dir_file(winbind_t, samba_var_t)
+rw_dir_create_file(winbind_t, samba_var_t)
 allow winbind_t krb5_conf_t:file { getattr read };
 dontaudit winbind_t krb5_conf_t:file { write };
 allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.19.15/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/xfs.te	2004-12-28 12:09:14.000000000 -0500
@@ -40,3 +40,11 @@
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
 allow xfs_t fonts_t:file { getattr read };
+
+# Unlink the xfs socket.
+allow initrc_t xfs_tmp_t:dir rw_dir_perms;
+allow initrc_t xfs_tmp_t:dir rmdir;
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
+allow initrc_t fonts_t:dir create_dir_perms;
+allow initrc_t fonts_t:file create_file_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.15/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/ypbind.te	2004-12-28 12:09:14.000000000 -0500
@@ -37,6 +37,7 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket name_bind;
-allow ypbind_t reserved_port_t:udp_socket name_bind;
-dontaudit ypbind_t reserved_port_type:udp_socket name_bind;
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_udp_send(initrc_t, ypbind_t)
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.15/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/file_contexts/distros.fc	2004-12-28 14:01:00.477435032 -0500
@@ -35,6 +35,32 @@
 /usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
 /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
+#
+# /emul/ia32-linux/usr
+#
+/emul(/.*)?				system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t
+# /emul/ia32-linux/lib
+/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
+# /emul/ia32-linux/bin
+/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t
+# /emul/ia32-linux/sbin
+/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t
+
+ifdef(`dbusd.te', `', `
+/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
+')
 ')
 
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.15/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.15/file_contexts/program/cups.fc	2004-12-28 12:09:14.000000000 -0500
@@ -29,9 +29,6 @@
 /var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
 /usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t
 /usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t
-/usr/bin/lpr\.cups	--	system_u:object_r:lpr_exec_t
-/usr/bin/lpq\.cups	--	system_u:object_r:lpr_exec_t
-/usr/bin/lprm\.cups	--	system_u:object_r:lpr_exec_t
 /usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t
 /usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
 /var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.19.15/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.15/file_contexts/program/initrc.fc	2004-12-28 12:09:14.000000000 -0500
@@ -1,5 +1,9 @@
 # init rc scripts
-/etc/X11/prefdm		--	system_u:object_r:initrc_exec_t
+ifdef(`targeted_policy', `
+/etc/X11/prefdm              --      system_u:object_r:bin_t
+', `
+/etc/X11/prefdm              --      system_u:object_r:initrc_exec_t
+')
 /etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t
 /etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t
 /etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kerberos.fc policy-1.19.15/file_contexts/program/kerberos.fc
--- nsapolicy/file_contexts/program/kerberos.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.15/file_contexts/program/kerberos.fc	2004-12-28 12:09:14.000000000 -0500
@@ -9,4 +9,3 @@
 /var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t
 /var/log/kadmind\.log			system_u:object_r:kadmind_log_t
 /usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
-/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/login.fc policy-1.19.15/file_contexts/program/login.fc
--- nsapolicy/file_contexts/program/login.fc	2003-11-26 13:01:07.000000000 -0500
+++ policy-1.19.15/file_contexts/program/login.fc	2004-12-28 12:09:14.000000000 -0500
@@ -1,2 +1,3 @@
 # login
 /bin/login		--	system_u:object_r:login_exec_t
+/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lpr.fc policy-1.19.15/file_contexts/program/lpr.fc
--- nsapolicy/file_contexts/program/lpr.fc	2003-11-26 13:01:07.000000000 -0500
+++ policy-1.19.15/file_contexts/program/lpr.fc	2004-12-28 12:09:14.000000000 -0500
@@ -1,4 +1,4 @@
 # lp utilities.
-/usr/bin/lpr		--	system_u:object_r:lpr_exec_t
-/usr/bin/lpq		--	system_u:object_r:lpr_exec_t
-/usr/bin/lprm		--	system_u:object_r:lpr_exec_t
+/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t
+/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t
+/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.19.15/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/postgresql.fc	2004-12-28 12:09:14.000000000 -0500
@@ -4,6 +4,7 @@
 /usr/bin/pg_dump	--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_dumpall	--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_resetxlog	--	system_u:object_r:postgresql_exec_t
+/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t
 
 # not sure whether the following binaries need labelling
 /usr/bin/createlang	--	system_u:object_r:postgresql_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ssh.fc policy-1.19.15/file_contexts/program/ssh.fc
--- nsapolicy/file_contexts/program/ssh.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/ssh.fc	2004-12-28 13:28:11.432062741 -0500
@@ -7,7 +7,6 @@
 /etc/ssh/ssh_host_dsa_key --	system_u:object_r:sshd_key_t
 /etc/ssh/ssh_host_rsa_key --	system_u:object_r:sshd_key_t
 /usr/sbin/sshd	        --	system_u:object_r:sshd_exec_t
-HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t
 /var/run/sshd\.init\.pid	--	system_u:object_r:sshd_var_run_t
 # subsystems
 /usr/lib(64)?/misc/sftp-server --	system_u:object_r:bin_t
@@ -16,3 +15,6 @@
 ifdef(`distro_suse', `
 /usr/lib(64)?/ssh/.*	--	system_u:object_r:bin_t
 ')
+ifdef(`targeted_policy', `', `
+HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.19.15/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/udev.fc	2004-12-28 12:09:14.000000000 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
+/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.15/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-12-21 10:59:58.000000000 -0500
+++ policy-1.19.15/macros/global_macros.te	2004-12-28 12:09:14.000000000 -0500
@@ -242,7 +242,8 @@
 allow $1_t { self proc_t }:dir r_dir_perms;
 allow $1_t { self proc_t }:lnk_file read;
 
-allow $1_t device_t:dir { getattr search };
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t udev_tdb_t:file r_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
 dontaudit $1_t unpriv_userdomain:fd use;
@@ -512,6 +513,8 @@
 allow $1 sysctl_t:{ dir file } *;
 allow $1 device_type:devfile_class_set *;
 allow $1 mtrr_device_t:file *;
+allow domain $1:fd use;
+allow domain $1:process sigchld;
 
 # Create/access other files.  fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.15/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	2004-11-24 14:44:37.000000000 -0500
+++ policy-1.19.15/macros/network_macros.te	2004-12-28 12:09:14.000000000 -0500
@@ -83,7 +83,7 @@
 define(`can_network_tcp',`
 
 can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
+allow $1 self:tcp_socket { connect };
 
 ')
 
@@ -144,11 +144,13 @@
 can_network_tcp($1, `$2')
 can_network_udp($1, `$2')
 
+ifdef(`mount.te', `
 #
 # Allow the domain to send NFS client requests via the socket
 # created by mount.
 #
 allow $1 mount_t:udp_socket rw_socket_perms;
+')
 
 ')dnl end can_network definition
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.19.15/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.15/macros/program/dbusd_macros.te	2004-12-28 12:09:14.000000000 -0500
@@ -54,25 +54,25 @@
 #
 # Define a new derived domain for connecting to dbus_type
 # from domain_prefix_t. 
-define(`dbusd_client',`')
-ifdef(`dbusd.te',`
 undefine(`dbusd_client')
 define(`dbusd_client',`
 
+ifdef(`dbusd.te',`
 # Derived type used for connection
 type $2_dbusd_$1_t;
 type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
 
+# SE-DBus specific permissions
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+
 # For connecting to the bus
 allow $2_t $1_dbusd_t:unix_stream_socket connectto;
+
+') dnl endif dbusd.te
 ifelse(`system', `$1', `
 allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
 allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`
-') dnl endif system
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-') dnl endif dbusd.te
+',`') dnl endif system
 ')
 
 # can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sendmail_macros.te policy-1.19.15/macros/program/sendmail_macros.te
--- nsapolicy/macros/program/sendmail_macros.te	2004-10-06 09:18:33.000000000 -0400
+++ policy-1.19.15/macros/program/sendmail_macros.te	2004-12-28 12:09:14.000000000 -0500
@@ -45,6 +45,7 @@
 ifelse(`$1', `sysadm', `
 allow $1_mail_t proc_t:dir { getattr search };
 allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
+dontaudit $1_mail_t proc_net_t:dir search;
 allow $1_mail_t sysctl_kernel_t:file { getattr read };
 allow $1_mail_t etc_runtime_t:file { getattr read };
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.15/Makefile
--- nsapolicy/Makefile	2004-12-21 10:59:56.000000000 -0500
+++ policy-1.19.15/Makefile	2004-12-28 12:09:14.000000000 -0500
@@ -50,7 +50,7 @@
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 
 FC = file_contexts/file_contexts
-FCFILES=tmp/program_used_flags.te file_contexts/types.fc file_contexts/distros.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
+FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.19.15/targeted/appconfig/default_contexts
--- nsapolicy/targeted/appconfig/default_contexts	2004-05-12 08:56:51.000000000 -0400
+++ policy-1.19.15/targeted/appconfig/default_contexts	2004-12-28 12:09:38.000000000 -0500
@@ -1 +1,2 @@
 system_r:unconfined_t	system_r:unconfined_t
+system_r:initrc_t	system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.19.15/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts	2004-05-12 08:56:51.000000000 -0400
+++ policy-1.19.15/targeted/appconfig/root_default_contexts	2004-12-28 12:09:42.000000000 -0500
@@ -1 +1,2 @@
 system_r:unconfined_t	system_r:unconfined_t
+system_r:initrc_t	system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.19.15/targeted/assert.te
--- nsapolicy/targeted/assert.te	2004-11-30 16:05:23.000000000 -0500
+++ policy-1.19.15/targeted/assert.te	2004-12-28 12:09:14.000000000 -0500
@@ -22,10 +22,10 @@
 
 # Confined domains must never touch an unconfined domain except to
 # send SIGCHLD for child termination notifications.
-neverallow { domain - unconfined_t } unconfined_t:process ~sigchld;
+neverallow { domain -unconfined_t -unrestricted } unconfined_t:process ~sigchld;
 
 # Confined domains must never see unconfined domain's /proc/pid entries.
-neverallow { domain - unconfined_t } unconfined_t:dir { getattr search };
+neverallow { domain -unconfined_t -unrestricted } unconfined_t:dir { getattr search };
 
 #
 # Verify that every type that can be entered by
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.19.15/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/crond.te	2004-12-28 13:53:28.152958431 -0500
@@ -0,0 +1,21 @@
+#DESC crond 
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the crond domain.
+#
+# crond_exec_t is the type of the /usr/sbin/crond and other programs.
+# This domain is defined just for targeted policy.
+#
+type crond_exec_t, file_type, sysadmfile, exec_type;
+type anacron_exec_t, file_type, sysadmfile, exec_type;
+type system_crond_tmp_t, file_type, sysadmfile;
+type system_cron_spool_t, file_type, sysadmfile;
+type sysadm_cron_spool_t, file_type, sysadmfile;
+type crond_log_t, file_type, sysadmfile;
+type crond_var_run_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, crond_exec_t, crond_t)
+domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/initrc.te policy-1.19.15/targeted/domains/program/initrc.te
--- nsapolicy/targeted/domains/program/initrc.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/initrc.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,16 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_exec_t is the type of the rc.sysinit and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.  
-#
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-typealias var_run_t alias initrc_var_run_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/init.te policy-1.19.15/targeted/domains/program/init.te
--- nsapolicy/targeted/domains/program/init.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/init.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,18 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created 
-# by init during initialization.  This pipe is used
-# to communicate with init.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.  /sbin/init will get this policy.
-#
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/rpm.te policy-1.19.15/targeted/domains/program/rpm.te
--- nsapolicy/targeted/domains/program/rpm.te	2004-10-06 16:21:30.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/rpm.te	2004-12-28 12:09:14.000000000 -0500
@@ -13,3 +13,4 @@
 type rpm_exec_t, file_type, sysadmfile, exec_type;
 type rpm_var_lib_t, file_type, sysadmfile;
 typealias var_log_t alias rpm_log_t;
+type rpm_tmpfs_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.19.15/targeted/domains/program/sendmail.te
--- nsapolicy/targeted/domains/program/sendmail.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/sendmail.te	2004-12-28 14:03:00.726360626 -0500
@@ -0,0 +1,17 @@
+#DESC sendmail 
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the sendmaild domain.
+#
+# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs.
+# This domain is defined just for targeted policy. 
+#
+type sendmail_exec_t, file_type, sysadmfile, exec_type;
+type sendmail_log_t, file_type, sysadmfile;
+type sendmail_var_run_t, file_type, sysadmfile;
+type etc_mail_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.19.15/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/ssh.te	2004-12-28 13:53:28.683899180 -0500
@@ -0,0 +1,19 @@
+#DESC sshd 
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the sshd domain.
+#
+# sshd_exec_t is the type of the /bin/sshd and other programs.
+# This domain is defined just for targeted policy. 
+#
+type sshd_exec_t, file_type, sysadmfile, exec_type;
+type ssh_exec_t, file_type, sysadmfile, exec_type;
+type ssh_keygen_exec_t, file_type, sysadmfile, exec_type;
+type sshd_key_t, file_type, sysadmfile;
+type sshd_var_run_t, file_type, sysadmfile;
+type ssh_port_t, port_type;
+domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.19.15/targeted/domains/program/udev.te
--- nsapolicy/targeted/domains/program/udev.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/udev.te	2004-12-28 12:09:14.000000000 -0500
@@ -13,4 +13,5 @@
 #
 type udev_exec_t, file_type, sysadmfile, exec_type;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-type udev_tbl_t, file_type, sysadmfile, dev_fs;
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.19.15/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/xdm.te	2004-12-28 13:53:29.134848854 -0500
@@ -0,0 +1,21 @@
+#DESC xdm - Linux configurable dynamic device naming support
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the xdm domain.
+#
+# xdm_exec_t is the type of the /usr/bin/gdm and other programs.
+# This domain is defined just for targeted policy.
+#
+type xdm_exec_t, file_type, sysadmfile, exec_type;
+type xsession_exec_t, file_type, sysadmfile, exec_type;
+type vnc_port_t, port_type;
+type xserver_log_t, file_type, sysadmfile;
+type xdm_xserver_tmp_t, file_type, sysadmfile;
+type xdm_rw_etc_t, file_type, sysadmfile;
+type xdm_var_run_t, file_type, sysadmfile;
+type xdm_var_lib_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.15/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-11-20 22:29:10.000000000 -0500
+++ policy-1.19.15/targeted/domains/unconfined.te	2004-12-28 13:58:06.169458436 -0500
@@ -13,11 +13,12 @@
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
-typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
-type mount_t, domain;
-type initrc_devpts_t, ptyfile;
+typealias unconfined_t alias { crond_t kernel_t logrotate_t sendmail_t sshd_t sysadm_t system_crond_t rpm_t rpm_script_t xdm_t };
 define(`admin_tty_type', `{ tty_device_t devpts_t }')
 
+#type of rundir to communicate with dbus
+type system_dbusd_var_run_t, file_type, sysadmfile;
+
 # User home directory type.
 type user_home_t, file_type, sysadmfile;
 type user_home_dir_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.15/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.15/tunables/distro.tun	2004-12-28 12:09:14.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.15/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-12-11 06:31:22.000000000 -0500
+++ policy-1.19.15/tunables/tunable.tun	2004-12-28 12:09:14.000000000 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: Latest Patch

[James Carter]

Merged.

You didn't actually add anything to tunables.tun, so I added:
+# Do not allow sysadm_t to be in the security manager domain
+dnl define(`separate_secadm')
Feel free to change.

When I tested the policy, I couldn't newrole to secadm_r.  Steve found
that there was a bug in the newrole policy.  It needed the fowner
capability, so that was added.

Other then that, it seems to work as advertised.

On Fri, 2005-04-08 at 14:50 -0400, Daniel J Walsh wrote:
> This one needs to be reviewed.   I have added secadm_r:secadm_t
> 
> Basically I have created a new macro
> 
> security_manager_domain($1)
> 
> Which is called by sysadm and secadm
> 
> This domain has all the rules necessary for manipulating policy and 
> selinux objects.
> 
> It also adds an attribute secadmin, which is the only attribute allowed 
> to transition to checkpolicy_t, setfiles_t, load_policy_t
> 
> A tunable is built around allowing sysadm_t in this domain.   (Defaults 
> to sysadmin in this domain).
> 
> Also created a limited_user_role domain that is called by 
> full_user_role.  With all the allow rules required to get secadm_r to work.
> 
> I had to put the role secadm_r types XYZ types all over the place.  I 
> would be nice if the language made this easier.
> Right now we have role sysadm_r there also, so even if the transition is 
> not allowed the role rule is still there.  
> 
> A few strange rules allowing checkpolicy and load_policy to read 
> sysadm_tmp_t files has been removed.
> 
> I treated restorecon differently from the other policy files since I 
> could see where a sysadm might need access to this while
> setfiles is less likely.  We can argue this point.
> 
> Added a privsysmod attribute for any domain needing sys_module.  
> (kernel, howl, insmod and NetworkManager)
> 
> Changed admin_tty_type from a define to an attribute.  Made it easier to 
> add additional admin ttys in the future.
> 
> Some changes from Ivan are also here.
> 
> mudutil.te removed from targeted directory, since we are now using the 
> full modutil.te from strict.
> 
> I think we can tighten up the differentiation between sysadm_t and 
> secadm_t by removing sysadmfile from all of the policy files.
> 
> The rules in security_manager_domain add those rules back in.   
> limited_user_domain could also be a little tighter. 
> 
> Steve Grubb mentioned to me there is also a need, request for and 
> "auditadmin" role, so with some of these changes that would
> be pretty easy to implement.   Now just need to get libsepol_usermod 
> stuff done.
> 
> 
> Dan

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.