* patch: add policy for gpg helpers
@ 2004-12-09 17:46 Thomas Bleher
2004-12-15 20:43 ` James Carter
0 siblings, 1 reply; 8+ messages in thread
From: Thomas Bleher @ 2004-12-09 17:46 UTC (permalink / raw)
To: SELinux ML
[-- Attachment #1.1: Type: text/plain, Size: 455 bytes --]
This patch adds support for gpg-helpers. These can be used to
automatically fetch gpg keys over the network. Properly configured,
$1_gpg_t doesn't need network access anymore. Unfortunately, eg Debian
doesn't yet include all the necessary helpers, so I left the
can_network() for $1_gpg_t in for now.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
[-- Attachment #1.2: gpg_helper.patch --]
[-- Type: text/plain, Size: 2875 bytes --]
diff -urN orig/domains/program/unused/gpg.te mod/domains/program/unused/gpg.te
--- orig/domains/program/unused/gpg.te 2003-08-14 14:37:36.000000000 +0200
+++ mod/domains/program/unused/gpg.te 2004-12-09 18:38:03.000000000 +0100
@@ -6,6 +6,7 @@
# Type for gpg or pgp executables.
type gpg_exec_t, file_type, sysadmfile, exec_type;
+type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
diff -urN orig/file_contexts/program/gpg.fc mod/file_contexts/program/gpg.fc
--- orig/file_contexts/program/gpg.fc 2004-03-09 16:31:36.000000000 +0100
+++ mod/file_contexts/program/gpg.fc 2004-12-09 18:38:03.000000000 +0100
@@ -1,3 +1,4 @@
# gpg
HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
/usr/bin/gpg -- system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
diff -urN orig/macros/program/gpg_macros.te mod/macros/program/gpg_macros.te
--- orig/macros/program/gpg_macros.te 2004-11-30 16:19:26.000000000 +0100
+++ mod/macros/program/gpg_macros.te 2004-12-09 18:38:54.000000000 +0100
@@ -19,7 +19,7 @@
define(`gpg_domain', `
# Derived domain based on the calling user domain and the program.
type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile, $1_file_type;
+type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
@@ -94,4 +94,38 @@
ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+type $1_gpg_helper_t, domain;
+role $1_r types $1_gpg_helper_t;
+
+domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
+uses_shlib($1_gpg_helper_t)
+
+# allow gpg to fork so it can call the helpers
+allow $1_gpg_t self:process { fork sigchld };
+allow $1_gpg_t self:fifo_file { getattr read write };
+
+dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+if (use_nfs_home_dirs) {
+dontaudit $1_gpg_helper_t nfs_t:file { read write };
+}
+
+# communicate with the user
+allow $1_gpg_helper_t $1_t:fd use;
+allow $1_gpg_helper_t $1_t:fifo_file write;
+# get keys from the network
+can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t etc_t:file { getattr read };
+allow $1_gpg_helper_t urandom_device_t:chr_file read;
+allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+# for nscd
+dontaudit $1_gpg_helper_t var_t:dir search;
+
+ifdef(`xdm.te', `
+dontaudit $1_gpg_t xdm_t:fd use;
+dontaudit $1_gpg_t xdm_t:fifo_file read;
+')
+
')dnl end gpg_domain definition
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: patch: add policy for gpg helpers 2004-12-09 17:46 patch: add policy for gpg helpers Thomas Bleher @ 2004-12-15 20:43 ` James Carter 2004-12-16 16:50 ` Latest patch Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-12-15 20:43 UTC (permalink / raw) To: Thomas Bleher; +Cc: SELinux ML Merged. On Thu, 2004-12-09 at 12:46, Thomas Bleher wrote: > This patch adds support for gpg-helpers. These can be used to > automatically fetch gpg keys over the network. Properly configured, > $1_gpg_t doesn't need network access anymore. Unfortunately, eg Debian > doesn't yet include all the necessary helpers, so I left the > can_network() for $1_gpg_t in for now. > > Thomas -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Latest patch 2004-12-15 20:43 ` James Carter @ 2004-12-16 16:50 ` Daniel J Walsh 2004-12-20 21:43 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-12-16 16:50 UTC (permalink / raw) To: jwcart2; +Cc: SELinux ML [-- Attachment #1: Type: text/plain, Size: 447 bytes --] Add winbind policy Add transitionbool attribute. to indicate whether a domain should have a disable_trans boolean created for that domain. (Mozilla and games in strict policy, All network domains in targeted) Added can_secsecparam Fix httpd_sys_script_t to allow access to mysql sock file. Began adding user configuration changes, to allow adding users in different roles without policy sources installed. Remove user_can_mount tunable. [-- Attachment #2: policy-20041216.patch --] [-- Type: text/x-patch, Size: 20202 bytes --] diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.19.14/attrib.te --- nsapolicy/attrib.te 2004-12-02 14:11:41.000000000 -0500 +++ policy-1.19.14/attrib.te 2004-12-16 11:48:36.939342542 -0500 @@ -390,3 +390,6 @@ # For labeling of content for httpd attribute httpdcontent; +# For labeling of domains whos transition can be disabled +attribute transitionbool; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.19.14/domains/admin.te --- nsapolicy/domains/admin.te 2004-09-23 15:08:58.000000000 -0400 +++ policy-1.19.14/domains/admin.te 2004-12-16 11:48:36.940342432 -0500 @@ -23,6 +23,9 @@ # Allow administrator domains to set policy booleans. can_setbool(sysadm_t) +# Allow administrator domains to set security parameters +can_setsecparam(sysadm_t) + # for su allow sysadm_t userdomain:fd use; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.14/domains/program/initrc.te --- nsapolicy/domains/program/initrc.te 2004-12-11 06:31:18.000000000 -0500 +++ policy-1.19.14/domains/program/initrc.te 2004-12-16 11:48:36.941342321 -0500 @@ -137,11 +137,6 @@ # Update /etc/ld.so.cache. allow initrc_t ld_so_cache_t:file rw_file_perms; -ifdef(`sendmail.te', ` -# Update /etc/mail. -allow initrc_t etc_mail_t:file { setattr rw_file_perms }; -') - ifdef(`xfs.te', ` # Unlink the xfs socket. allow initrc_t xfs_tmp_t:dir rw_dir_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.14/domains/program/unused/apache.te --- nsapolicy/domains/program/unused/apache.te 2004-12-11 06:31:18.000000000 -0500 +++ policy-1.19.14/domains/program/unused/apache.te 2004-12-16 11:48:36.941342321 -0500 @@ -243,11 +243,12 @@ ifdef(`mysqld.te', ` can_unix_connect(httpd_php_t, mysqld_t) can_unix_connect(httpd_t, mysqld_t) +can_unix_connect(httpd_sys_script_t, mysqld_t) allow httpd_php_t mysqld_var_run_t:dir search; allow httpd_php_t mysqld_var_run_t:sock_file write; -allow httpd_t mysqld_db_t:dir search; -allow httpd_t mysqld_db_t:sock_file rw_file_perms; -allow httpd_t mysqld_var_run_t:sock_file rw_file_perms; +allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search; +allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms; +allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms; ') allow httpd_t bin_t:dir search; allow httpd_t sbin_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.14/domains/program/unused/nscd.te --- nsapolicy/domains/program/unused/nscd.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.14/domains/program/unused/nscd.te 2004-12-16 11:48:36.942342210 -0500 @@ -59,7 +59,10 @@ # # Handle winbind for samba, Might only be needed for targeted policy # -dontaudit nscd_t var_run_t:sock_file rw_file_perms; +allow nscd_t winbind_var_run_t:sock_file { read write getattr }; +can_unix_connect(nscd_t, winbind_t) +allow nscd_t samba_var_t:dir search; +allow nscd_t winbind_var_run_t:dir { getattr search }; r_dir_file(nscd_t, selinux_config_t) can_getsecurity(nscd_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openvpn.te policy-1.19.14/domains/program/unused/openvpn.te --- nsapolicy/domains/program/unused/openvpn.te 2004-12-02 14:11:42.000000000 -0500 +++ policy-1.19.14/domains/program/unused/openvpn.te 2004-12-16 11:48:36.943342100 -0500 @@ -21,7 +21,7 @@ allow openvpn_t self:unix_stream_socket create_stream_socket_perms; allow openvpn_t self:unix_dgram_socket sendto; allow openvpn_t self:unix_stream_socket connectto; -allow openvpn_t self:capability net_admin; +allow openvpn_t self:capability { net_admin setgid setuid }; r_dir_file(openvpn_t, sysctl_net_t) can_network_server(openvpn_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.14/domains/program/unused/sendmail.te --- nsapolicy/domains/program/unused/sendmail.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.14/domains/program/unused/sendmail.te 2004-12-16 11:48:36.943342100 -0500 @@ -14,7 +14,7 @@ # # etc_mail_t is the type of /etc/mail. -type etc_mail_t, file_type, sysadmfile; +type etc_mail_t, file_type, sysadmfile, usercanread; daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.14/domains/program/unused/winbind.te --- nsapolicy/domains/program/unused/winbind.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.14/domains/program/unused/winbind.te 2004-12-16 11:48:36.944341989 -0500 @@ -0,0 +1,34 @@ +#DESC winbind - Name Service Switch daemon for resolving names from NT servers +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for winbind +# + +daemon_domain(winbind, `, privhome, auth_chkpwd') +allow winbind_t self:capability net_admin; +log_domain(winbind) +allow winbind_t etc_t:file r_file_perms; +allow winbind_t etc_t:lnk_file read; +can_network(winbind_t) +ifdef(`samba.te', `', ` +type samba_etc_t, file_type, sysadmfile, usercanread; +type samba_log_t, file_type, sysadmfile, logfile; +type samba_var_t, file_type, sysadmfile; +type samba_secrets_t, file_type, sysadmfile; +') +rw_dir_file(winbind_t, samba_etc_t) +rw_dir_file(winbind_t, samba_log_t) +allow winbind_t samba_secrets_t:file rw_file_perms; +allow winbind_t self:unix_dgram_socket create_socket_perms; +allow winbind_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_t urandom_device_t:chr_file { getattr read }; +allow winbind_t self:fifo_file { read write }; +rw_dir_file(winbind_t, samba_var_t) +allow winbind_t krb5_conf_t:file { getattr read }; +dontaudit winbind_t krb5_conf_t:file { write }; +allow winbind_t self:netlink_route_socket r_netlink_socket_perms; +allow winbind_t winbind_var_run_t:sock_file create_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.14/domains/user.te --- nsapolicy/domains/user.te 2004-12-02 14:11:41.000000000 -0500 +++ policy-1.19.14/domains/user.te 2004-12-16 11:48:36.944341989 -0500 @@ -27,9 +27,6 @@ # Allow users to control network interfaces (also needs USERCTL=true) bool user_net_control false; -# Disable games transitions -bool disable_games false; - # Allow regular users direct mouse access bool user_direct_mouse false; diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.14/file_contexts/distros.fc --- nsapolicy/file_contexts/distros.fc 2004-12-09 10:26:09.000000000 -0500 +++ policy-1.19.14/file_contexts/distros.fc 2004-12-16 11:48:36.945341878 -0500 @@ -34,6 +34,7 @@ /usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t /usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t /usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t +/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t ') ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.19.14/file_contexts/program/samba.fc --- nsapolicy/file_contexts/program/samba.fc 2004-12-11 06:31:20.000000000 -0500 +++ policy-1.19.14/file_contexts/program/samba.fc 2004-12-16 11:48:36.945341878 -0500 @@ -19,5 +19,3 @@ /var/run/samba/smbd\.pid -- system_u:object_r:smbd_var_run_t /var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t /var/spool/samba(/.*)? system_u:object_r:samba_var_t -/usr/sbin/winbindd -- system_u:object_r:smbd_exec_t -/var/run/winbindd(/.*)? system_u:object_r:smbd_var_run_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.19.14/file_contexts/program/winbind.fc --- nsapolicy/file_contexts/program/winbind.fc 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.14/file_contexts/program/winbind.fc 2004-12-16 11:48:36.946341768 -0500 @@ -0,0 +1,10 @@ +/usr/sbin/winbindd -- system_u:object_r:winbind_exec_t +/var/run/winbindd(/.*)? system_u:object_r:winbind_var_run_t +ifdef(`samba.te', `', ` +/var/log/samba(/.*)? system_u:object_r:samba_log_t +/etc/samba(/.*)? system_u:object_r:samba_etc_t +/etc/samba/secrets\.tdb -- system_u:object_r:samba_secrets_t +/etc/samba/MACHINE\.SID -- system_u:object_r:samba_secrets_t +/var/cache/samba(/.*)? system_u:object_r:samba_var_t +') +/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.14/local.users --- nsapolicy/local.users 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.14/local.users 2004-12-16 11:48:36.946341768 -0500 @@ -0,0 +1,21 @@ +################################## +# +# User configuration. +# +# This file defines additional users recognized by the system security policy. +# Only the user identities defined in this file and the users.system file +# may be used as the user attribute in a security context. +# +# Each user has a set of roles that may be entered by processes +# with the users identity. The syntax of a user declaration is: +# +# user username roles role_set [ ranges MLS_range_set ]; +# +# The MLS range set should only be specified if MLS was enabled +# for the module and checkpolicy. + +# sample for administrative user +user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') }; + +# sample for regular user +#user jdoe roles { user_r }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.14/macros/core_macros.te --- nsapolicy/macros/core_macros.te 2004-12-09 10:26:10.000000000 -0500 +++ policy-1.19.14/macros/core_macros.te 2004-12-16 11:48:36.947341657 -0500 @@ -332,6 +332,26 @@ ################################## # +# can_setsecparam(domain) +# +# Authorize a domain to set security parameters. +# Due to its sensitivity, always audit this permission. +# +define(`can_setsecparam',` +# Get the selinuxfs mount point via /proc/self/mounts. +allow $1 proc_t:dir search; +allow $1 proc_t:lnk_file read; +allow $1 self:dir search; +allow $1 self:file { getattr read }; +# Access selinuxfs. +allow $1 security_t:dir { read search getattr }; +allow $1 security_t:file { getattr read write }; +allow $1 security_t:security setsecparam; +auditallow $1 security_t:security setsecparam; +') + +################################## +# # can_loadpol(domain) # # Authorize a domain to load a policy configuration. diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.14/macros/global_macros.te --- nsapolicy/macros/global_macros.te 2004-12-11 06:31:21.000000000 -0500 +++ policy-1.19.14/macros/global_macros.te 2004-12-16 11:48:36.948341546 -0500 @@ -296,13 +296,13 @@ # # Allows user to define a tunable to disable domain transition # -ifdef(`targeted_policy', ` +ifelse(index(`$2',`transitionbool'), -1, `', ` bool $1_disable_trans false; if ($1_disable_trans) { can_exec(initrc_t, $1_exec_t) can_exec(sysadm_t, $1_exec_t) } else { -') dnl targeted_policy +') dnl transitionbool domain_auto_trans(initrc_t, $1_exec_t, $1_t) allow initrc_t $1_t:process { noatsecure siginh rlimitinh }; ifdef(`direct_sysadm_daemon', ` @@ -311,10 +311,9 @@ allow sysadm_t $1_t:process { noatsecure siginh rlimitinh }; ')dnl end direct_sysadm_daemon ')dnl end nosysadm -ifdef(`targeted_policy', ` +ifelse(index(`$2', `transitionbool'), -1, `', ` } -') dnl targeted_policy - +') dnl end transitionbool ifdef(`direct_sysadm_daemon', ` ifelse(`$3', `nosysadm', `', ` role_transition sysadm_r $1_exec_t system_r; @@ -340,9 +339,12 @@ allow $1_t var_t:dir search; allow $1_t $1_var_run_t:dir rw_dir_perms; ') - define(`daemon_domain', ` +ifdef(`targeted_policy', ` +daemon_base_domain($1, `$2, transitionbool', $3) +', ` daemon_base_domain($1, `$2', $3) +') # Create pid file. allow $1_t var_t:dir { getattr search }; var_run_domain($1) diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.19.14/macros/program/cdrecord_macros.te --- nsapolicy/macros/program/cdrecord_macros.te 2004-12-11 06:31:21.000000000 -0500 +++ policy-1.19.14/macros/program/cdrecord_macros.te 2004-12-16 11:48:36.949341436 -0500 @@ -35,6 +35,7 @@ if (use_nfs_home_dirs) { r_dir_file($1_cdrecord_t, nfs_t) } +allow $1_cdrecord_t etc_t:file { getattr read }; # allow searching for cdrom-drive allow $1_cdrecord_t device_t:dir { getattr search }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.19.14/macros/program/games_domain.te --- nsapolicy/macros/program/games_domain.te 2004-12-02 14:11:43.000000000 -0500 +++ policy-1.19.14/macros/program/games_domain.te 2004-12-16 11:48:36.949341436 -0500 @@ -10,7 +10,7 @@ # # define(`games_domain', ` -x_client_domain($1, `games') +x_client_domain($1, `games', `, transitionbool') allow $1_games_t var_t:dir { search getattr }; rw_dir_create_file($1_games_t, games_data_t) allow $1_games_t sound_device_t:chr_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.14/macros/program/mozilla_macros.te --- nsapolicy/macros/program/mozilla_macros.te 2004-12-11 06:31:21.000000000 -0500 +++ policy-1.19.14/macros/program/mozilla_macros.te 2004-12-16 11:48:36.950341325 -0500 @@ -16,7 +16,7 @@ # provided separately in domains/program/mozilla.te. # define(`mozilla_domain',` -x_client_domain($1, mozilla, `, web_client_domain, privlog') +x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool') allow $1_mozilla_t sound_device_t:chr_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.19.14/macros/program/x_client_macros.te --- nsapolicy/macros/program/x_client_macros.te 2004-11-30 05:59:40.000000000 -0500 +++ policy-1.19.14/macros/program/x_client_macros.te 2004-12-16 11:48:36.951341214 -0500 @@ -29,15 +29,19 @@ # Type for files that are read-only for this domain type $1_$2_ro_t, file_type, $1_file_type, sysadmfile; -# Transition from the user domain to the derived domain. -ifelse($2, games, ` -if (! disable_games) { +ifelse(index(`$3', `transitionbool'), -1, ` domain_auto_trans($1_t, $2_exec_t, $1_$2_t) can_exec($1_$2_t, $2_exec_t) -} ', ` +# Only do it once +ifelse($1, user, ` +bool disable_$2 false; +') +# Transition from the user domain to the derived domain. +if (! disable_$2) { domain_auto_trans($1_t, $2_exec_t, $1_$2_t) can_exec($1_$2_t, $2_exec_t) +} ') # The user role is authorized for this domain. diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.14/macros/program/xserver_macros.te --- nsapolicy/macros/program/xserver_macros.te 2004-12-11 06:31:21.000000000 -0500 +++ policy-1.19.14/macros/program/xserver_macros.te 2004-12-16 11:48:36.951341214 -0500 @@ -247,6 +247,10 @@ # Allow xserver to read events - the synaptics touchpad # driver reads raw events allow $1_xserver_t event_device_t:chr_file rw_file_perms; +ifdef(`pamconsole.te', ` +allow $1_xserver_t pam_var_console_t:dir search; +') +dontaudit $1_xserver_t selinux_config_t:dir search; allow $1_xserver_t var_lib_t:dir search; rw_dir_create_file($1_xserver_t, var_lib_xkb_t) diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.19.14/macros/user_macros.te --- nsapolicy/macros/user_macros.te 2004-12-11 06:31:21.000000000 -0500 +++ policy-1.19.14/macros/user_macros.te 2004-12-16 11:49:34.659954788 -0500 @@ -218,22 +218,6 @@ dontaudit $1_t init_t:fd use; dontaudit $1_t initrc_t:fd use; allow $1_t initrc_t:fifo_file write; -ifdef(`user_can_mount', ` -# -# Allow users to mount file systems like floppies and cdrom -# -mount_domain($1, $1_mount, `, fs_domain') -r_dir_file($1_t, mnt_t) -allow $1_mount_t device_t:lnk_file read; -allow $1_mount_t removable_device_t:blk_file read; -allow $1_mount_t iso9660_t:filesystem relabelfrom; -allow $1_mount_t removable_t:filesystem { mount relabelto }; -allow $1_mount_t removable_t:dir mounton; -ifdef(`xdm.te', ` -allow $1_mount_t xdm_t:fd use; -allow $1_mount_t xdm_t:fifo_file { read write }; -') -') # # Rules used to associate a homedir as a mountpoint diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.14/Makefile --- nsapolicy/Makefile 2004-12-11 06:31:17.000000000 -0500 +++ policy-1.19.14/Makefile 2004-12-16 11:48:36.953340993 -0500 @@ -26,6 +26,7 @@ INSTALLDIR = $(DESTDIR)/etc/selinux/strict POLICYPATH = $(INSTALLDIR)/policy SRCPATH = $(INSTALLDIR)/src +USERPATH = $(INSTALLDIR)/users CONTEXTPATH = $(INSTALLDIR)/contexts LOADPATH = $(POLICYPATH)/$(POLICYVER) FCPATH = $(CONTEXTPATH)/files/file_contexts @@ -37,13 +38,13 @@ ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te TE_RBAC_FILES := $(ALLTEFILES) rbac ALL_TUNABLES := $(wildcard tunables/*.tun ) - +USER_FILES := users serviceusers POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) ifeq ($(MLS),y) POLICYFILES += mls endif POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) -POLICYFILES += users serviceusers +POLICYFILES += $(USER_FILES) POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) @@ -54,9 +55,24 @@ APPDIR=$(CONTEXTPATH) APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media +$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf + @mkdir -p $(USERPATH) + @echo "# " > tmp/system.users + @echo "# Do not edit this file. " >> tmp/system.users + @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users + @echo "# Please edit local.users to make local changes." >> tmp/system.users + @echo "#" >> tmp/system.users + m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users + install -m 644 tmp/system.users $@ + +$(USERPATH)/local.users: local.users + @mkdir -p $(USERPATH) + m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USERPATH)/local.users | sed 's/^user/#user/g' >> tmp/local.users + install -m 644 tmp/local.users $@ + ROOTFILES = $(addprefix $(APPDIR)/users/,root) -install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) +install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users @echo "Validating file_contexts ..." $(SETFILES) -q -c $(LOADPATH) $(FCPATH) diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.14/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400 +++ policy-1.19.14/tunables/distro.tun 2004-12-16 11:48:36.953340993 -0500 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.14/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2004-12-11 06:31:22.000000000 -0500 +++ policy-1.19.14/tunables/tunable.tun 2004-12-16 11:48:36.954340882 -0500 @@ -1,27 +1,24 @@ -# Allow users to execute the mount command -dnl define(`user_can_mount') - # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -dnl define(`unlimitedUtils') +define(`unlimitedUtils') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined. -dnl define(`unlimitedRC') +define(`unlimitedRC') # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon') # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -dnl define(`user_canbe_sysadm') +define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Latest patch 2004-12-16 16:50 ` Latest patch Daniel J Walsh @ 2004-12-20 21:43 ` James Carter 0 siblings, 0 replies; 8+ messages in thread From: James Carter @ 2004-12-20 21:43 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SELinux ML Merged, except for the removal of the user_can_mount tunable. Others are still using that tunable, and since it is a tunable it won't effect those that don't want to use it. On Thu, 2004-12-16 at 11:50, Daniel J Walsh wrote: > Add winbind policy > > Add transitionbool attribute. to indicate whether a domain should have a > disable_trans boolean created for that domain. > (Mozilla and games in strict policy, All network domains in targeted) > > Added can_secsecparam > > Fix httpd_sys_script_t to allow access to mysql sock file. > > Began adding user configuration changes, to allow adding users in > different roles without policy sources installed. > > Remove user_can_mount tunable. > -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <4256D267.7050403@comcast.net>]
* Re: Latest Patch [not found] <4256D267.7050403@comcast.net> @ 2005-04-14 14:04 ` James Carter 0 siblings, 0 replies; 8+ messages in thread From: James Carter @ 2005-04-14 14:04 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SELinux, Steve Smalley Merged. You didn't actually add anything to tunables.tun, so I added: +# Do not allow sysadm_t to be in the security manager domain +dnl define(`separate_secadm') Feel free to change. When I tested the policy, I couldn't newrole to secadm_r. Steve found that there was a bug in the newrole policy. It needed the fowner capability, so that was added. Other then that, it seems to work as advertised. On Fri, 2005-04-08 at 14:50 -0400, Daniel J Walsh wrote: > This one needs to be reviewed. I have added secadm_r:secadm_t > > Basically I have created a new macro > > security_manager_domain($1) > > Which is called by sysadm and secadm > > This domain has all the rules necessary for manipulating policy and > selinux objects. > > It also adds an attribute secadmin, which is the only attribute allowed > to transition to checkpolicy_t, setfiles_t, load_policy_t > > A tunable is built around allowing sysadm_t in this domain. (Defaults > to sysadmin in this domain). > > Also created a limited_user_role domain that is called by > full_user_role. With all the allow rules required to get secadm_r to work. > > I had to put the role secadm_r types XYZ types all over the place. I > would be nice if the language made this easier. > Right now we have role sysadm_r there also, so even if the transition is > not allowed the role rule is still there. > > A few strange rules allowing checkpolicy and load_policy to read > sysadm_tmp_t files has been removed. > > I treated restorecon differently from the other policy files since I > could see where a sysadm might need access to this while > setfiles is less likely. We can argue this point. > > Added a privsysmod attribute for any domain needing sys_module. > (kernel, howl, insmod and NetworkManager) > > Changed admin_tty_type from a define to an attribute. Made it easier to > add additional admin ttys in the future. > > Some changes from Ivan are also here. > > mudutil.te removed from targeted directory, since we are now using the > full modutil.te from strict. > > I think we can tighten up the differentiation between sysadm_t and > secadm_t by removing sysadmfile from all of the policy files. > > The rules in security_manager_domain add those rules back in. > limited_user_domain could also be a little tighter. > > Steve Grubb mentioned to me there is also a need, request for and > "auditadmin" role, so with some of these changes that would > be pretty easy to implement. Now just need to get libsepol_usermod > stuff done. > > > Dan -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [patch] misc. policy updates
@ 2004-12-17 1:22 Greg Norris
2004-12-20 1:01 ` Russell Coker
0 siblings, 1 reply; 8+ messages in thread
From: Greg Norris @ 2004-12-17 1:22 UTC (permalink / raw)
To: SELinux
[-- Attachment #1.1: Type: text/plain, Size: 275 bytes --]
The attached diff against ddclient.te is necessary in order for it to
work properly with the new networking macros. Also, it updates my email
address in the policy header. The other two simply perform the latter
update for the other policies I've submitted.
Please apply.
[-- Attachment #1.2: ddclient.te.diff --]
[-- Type: text/plain, Size: 1224 bytes --]
--- ddclient.te.orig 2004-12-16 19:03:49.000000000 -0600
+++ ddclient.te 2004-12-16 19:04:50.000000000 -0600
@@ -1,6 +1,6 @@
#DESC ddclient - Update dynamic IP address at DynDNS.org
#
-# Author: Greg Norris <adric@debian.org>
+# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: ddclient
#
@@ -20,17 +20,18 @@
# misc. requirements
allow ddclient_t self:fifo_file rw_file_perms;
-allow ddclient_t self:unix_stream_socket create_socket_perms;
+allow ddclient_t self:socket create_socket_perms;
allow ddclient_t etc_t:file { getattr read };
allow ddclient_t etc_runtime_t:file r_file_perms;
allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
allow ddclient_t urandom_device_t:chr_file { read };
-allow ddclient_t proc_t:file r_file_perms;
+general_proc_read_access(ddclient_t)
allow ddclient_t sysctl_net_t:dir { search };
# network-related goodies
-can_network_server(ddclient_t)
+can_network_udp(ddclient_t)
allow ddclient_t self:unix_dgram_socket create_socket_perms;
+allow ddclient_t self:unix_stream_socket create_socket_perms;
# allow access to ddclient.conf and ddclient.cache
allow ddclient_t ddclient_etc_t:file r_file_perms;
[-- Attachment #1.3: dnsmasq.te.diff --]
[-- Type: text/plain, Size: 305 bytes --]
--- dnsmasq.te.orig 2004-12-16 19:08:32.000000000 -0600
+++ dnsmasq.te 2004-12-16 19:09:34.000000000 -0600
@@ -1,6 +1,6 @@
#DESC dnsmasq - DNS forwarder and DHCP server
#
-# Author: Greg Norris <adric@debian.org>
+# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: dnsmasq
#
[-- Attachment #1.4: fetchmail.te.diff --]
[-- Type: text/plain, Size: 378 bytes --]
--- fetchmail.te.orig 2004-12-16 19:08:37.000000000 -0600
+++ fetchmail.te 2004-12-16 19:09:42.000000000 -0600
@@ -1,6 +1,6 @@
#DESC fetchmail - remote-mail retrieval utility
#
-# Author: Greg Norris <adric@debian.org>
+# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: fetchmail
#
# Note: This policy is only required when running fetchmail in daemon mode.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [patch] misc. policy updates 2004-12-17 1:22 [patch] misc. policy updates Greg Norris @ 2004-12-20 1:01 ` Russell Coker 2004-12-20 21:54 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Russell Coker @ 2004-12-20 1:01 UTC (permalink / raw) To: Greg Norris; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 928 bytes --] On Friday 17 December 2004 12:22, Greg Norris <haphazard@kc.rr.com> wrote: > The attached diff against ddclient.te is necessary in order for it to > work properly with the new networking macros. Also, it updates my email > address in the policy header. The other two simply perform the latter > update for the other policies I've submitted. I've added them to my tree. I also added "log_domain(ddclient)" at the end of the file (no patch attached as a patch for a patch is painful) and added the attached patch to the file_contexts. This means that ddclient takes over the policy of ddt-client. Please delete ddt-client.te and ddt-client.fc from the policy source. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page [-- Attachment #2: diff --] [-- Type: text/x-diff, Size: 690 bytes --] --- /usr/src/se/policy/file_contexts/program/ddclient.fc 2004-11-20 01:18:19.000000000 +1100 +++ file_contexts/program/ddclient.fc 2004-12-20 11:56:53.000000000 +1100 @@ -3,3 +3,9 @@ /usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t /var/cache/ddclient(/.*)? -- system_u:object_r:ddclient_var_t /var/run/ddclient\.pid -- system_u:object_r:ddclient_var_run_t +# ddt - Dynamic DNS client +/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t +/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t +/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t +/var/lib/ddt-client(/.*)? system_u:object_r:var_lib_ddclient_t +/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] misc. policy updates 2004-12-20 1:01 ` Russell Coker @ 2004-12-20 21:54 ` James Carter 2004-12-28 22:29 ` Latest patch Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-12-20 21:54 UTC (permalink / raw) To: Russell Coker; +Cc: Greg Norris, SELinux Merged both Greg's and Russell's patches. Russell, I added "log_domain(ddclient)" as you mention below. I also added "var_lib_domain(ddclient)" since your patch assigns a var_lib_ddclient_t. Or did you do something different there? I've removed ddt-client.te and ddt-client.fc from CVS. On Sun, 2004-12-19 at 20:01, Russell Coker wrote: > On Friday 17 December 2004 12:22, Greg Norris <haphazard@kc.rr.com> wrote: > > The attached diff against ddclient.te is necessary in order for it to > > work properly with the new networking macros. Also, it updates my email > > address in the policy header. The other two simply perform the latter > > update for the other policies I've submitted. > > I've added them to my tree. I also added "log_domain(ddclient)" at the end of > the file (no patch attached as a patch for a patch is painful) and added the > attached patch to the file_contexts. > > This means that ddclient takes over the policy of ddt-client. Please delete > ddt-client.te and ddt-client.fc from the policy source. -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Latest patch 2004-12-20 21:54 ` James Carter @ 2004-12-28 22:29 ` Daniel J Walsh 0 siblings, 0 replies; 8+ messages in thread From: Daniel J Walsh @ 2004-12-28 22:29 UTC (permalink / raw) To: jwcart2; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 326 bytes --] This patch supersedes the last one. Basically this patch is for targeted policy. With this policy initrc runs starts all daemons. If you start a daemon without using the service script the daemon will run in unconfined_t. sendmail, crond, xdm and ssh have targeted policies that allow them to run as unconfined_t. Dan [-- Attachment #2: policy-20041221.patch --] [-- Type: text/x-patch, Size: 54402 bytes --] diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.19.15/assert.te --- nsapolicy/assert.te 2004-12-09 10:26:08.000000000 -0500 +++ policy-1.19.15/assert.te 2004-12-28 12:09:14.000000000 -0500 @@ -30,7 +30,7 @@ # Verify that only the insmod_t and kernel_t domains # have the sys_module capability. # -neverallow {domain -unrestricted -insmod_t -kernel_t } self:capability sys_module; +neverallow {domain -unrestricted -insmod_t -kernel_t -howl_t } self:capability sys_module; # # Verify that executable types, the system dynamic loaders, and the diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.15/domains/program/crond.te --- nsapolicy/domains/program/crond.te 2004-12-02 14:11:41.000000000 -0500 +++ policy-1.19.15/domains/program/crond.te 2004-12-28 12:09:14.000000000 -0500 @@ -160,6 +160,7 @@ # /sbin/runlevel needs lock access however dontaudit system_crond_t initrc_var_run_t:file write; allow system_crond_t initrc_var_run_t:file { getattr read lock }; +allow initrc_t system_cron_spool_t:file { getattr read }; # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.15/domains/program/initrc.te --- nsapolicy/domains/program/initrc.te 2004-12-21 10:59:57.000000000 -0500 +++ policy-1.19.15/domains/program/initrc.te 2004-12-28 12:09:14.000000000 -0500 @@ -13,10 +13,6 @@ # # do not use privmail for sendmail as it creates a type transition conflict type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain; -ifdef(`sendmail.te', ` -allow system_mail_t initrc_t:fd use; -allow system_mail_t initrc_t:fifo_file write; -') role system_r types initrc_t; uses_shlib(initrc_t); @@ -115,14 +111,6 @@ # Communicate with the init process. allow initrc_t initctl_t:fifo_file rw_file_perms; -# Send messages to portmap and ypbind. -ifdef(`portmap.te', ` -can_udp_send(initrc_t, portmap_t) -') -ifdef(`ypbind.te', ` -can_udp_send(initrc_t, ypbind_t) -') - # Read /proc/PID directories for all domains. r_dir_file(initrc_t, domain) allow initrc_t domain:process { getattr getsession }; @@ -137,15 +125,6 @@ # Update /etc/ld.so.cache. allow initrc_t ld_so_cache_t:file rw_file_perms; -ifdef(`xfs.te', ` -# Unlink the xfs socket. -allow initrc_t xfs_tmp_t:dir rw_dir_perms; -allow initrc_t xfs_tmp_t:dir rmdir; -allow initrc_t xfs_tmp_t:sock_file { read getattr unlink }; -allow initrc_t fonts_t:dir create_dir_perms; -allow initrc_t fonts_t:file create_file_perms; -') - # Update /var/log/wtmp and /var/log/dmesg. allow initrc_t wtmp_t:file { setattr rw_file_perms }; allow initrc_t var_log_t:dir rw_dir_perms; @@ -222,38 +201,14 @@ # readahead asks for these # allow initrc_t etc_aliases_t:file { getattr read }; -allow initrc_t system_cron_spool_t:file { getattr read }; allow initrc_t var_lib_nfs_t:file { getattr read }; # for /halt /.autofsck and other flag files file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file) -ifdef(`rpm.te', ` -# Access /var/lib/rpm. -allow initrc_t rpm_var_lib_t:dir rw_dir_perms; -allow initrc_t rpm_var_lib_t:file create_file_perms; -') ')dnl end distro_redhat -ifdef(`distro_gentoo', ` -ifdef(`arpwatch.te', ` -allow initrc_t arpwatch_data_t:dir { add_name write }; -allow initrc_t arpwatch_data_t:file create; -') -')dnl end distro_gentoo - allow initrc_t system_map_t:{ file lnk_file } r_file_perms; - -ifdef(`rhgb.te', ` -allow initrc_t ramfs_t:dir search; -allow initrc_t ramfs_t:sock_file write; -allow initrc_t rhgb_t:unix_stream_socket { read write }; -') - -ifdef(`gpm.te', ` -allow initrc_t gpmctl_t:sock_file setattr; -') - allow initrc_t var_spool_t:file rw_file_perms; # Allow access to the sysadm TTYs. Note that this will give access to the @@ -263,20 +218,6 @@ # Access sound device and files. allow initrc_t sound_device_t:chr_file { setattr ioctl read write }; -ifdef(`sound.te', ` -allow initrc_t sound_file_t:file { setattr write }; -') - -ifdef(`apmd.te', -`# Access /dev/apm_bios. -allow initrc_t apm_bios_t:chr_file { setattr getattr read }; -') - -ifdef(`lpd.te', -`# Read printconf files. -allow initrc_t printconf_t:dir r_dir_perms; -allow initrc_t printconf_t:file r_file_perms; -') # Read user home directories. allow initrc_t { home_root_t home_type }:dir r_dir_perms; @@ -299,7 +240,14 @@ # # Rules for the run_init_t domain. # +ifdef(`targeted_policy', ` +type run_init_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t) +allow unconfined_t initrc_t:dbus send_msg; +domain_trans(initrc_t, shell_exec_t, unconfined_t) +', ` run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t) +') allow initrc_t privfd:fd use; # Transition to system_r:initrc_t upon executing init scripts. @@ -323,10 +271,6 @@ allow initrc_t device_type:chr_file setattr; allow initrc_t binfmt_misc_fs_t:dir { getattr search }; allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write }; -ifdef(`pam.te', ` -allow initrc_t pam_var_run_t:dir rw_dir_perms; -allow initrc_t pam_var_run_t:file { getattr read unlink }; -') # for lsof in shutdown scripts can_kerberos(initrc_t) @@ -351,9 +295,6 @@ # allow initrc_t security_t:dir { getattr search }; allow initrc_t security_t:file { getattr read }; -ifdef(`dbusd.te', ` -allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; -') # init script state type initrc_state_t, file_type, sysadmfile; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.19.15/domains/program/init.te --- nsapolicy/domains/program/init.te 2004-12-09 10:26:08.000000000 -0500 +++ policy-1.19.15/domains/program/init.te 2004-12-28 12:09:14.000000000 -0500 @@ -14,7 +14,7 @@ # by init during initialization. This pipe is used # to communicate with init. # -type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain; +type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted'); role system_r types init_t; uses_shlib(init_t); type init_exec_t, file_type, sysadmfile, exec_type; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.15/domains/program/ldconfig.te --- nsapolicy/domains/program/ldconfig.te 2004-12-11 06:31:18.000000000 -0500 +++ policy-1.19.15/domains/program/ldconfig.te 2004-12-28 12:09:14.000000000 -0500 @@ -24,6 +24,7 @@ file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file) allow ldconfig_t lib_t:dir rw_dir_perms; allow ldconfig_t lib_t:lnk_file create_lnk_perms; +allow ldconfig_t lib_t:file r_file_perms; allow ldconfig_t userdomain:fd use; # unlink for when /etc/ld.so.cache is mislabeled @@ -38,11 +39,7 @@ dontaudit ldconfig_t httpd_modules_t:dir search; ') -ifdef(`distro_suse', ` -# because of libraries in /var/lib/samba/bin allow ldconfig_t { var_t var_lib_t }:dir search; -') - allow ldconfig_t proc_t:file read; ifdef(`unconfined.te',` dontaudit ldconfig_t unconfined_t:tcp_socket { read write }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.19.15/domains/program/modutil.te --- nsapolicy/domains/program/modutil.te 2004-12-02 14:11:41.000000000 -0500 +++ policy-1.19.15/domains/program/modutil.te 2004-12-28 12:09:14.000000000 -0500 @@ -69,7 +69,7 @@ # Rules for the insmod_t domain. # -type insmod_t, domain, privlog, sysctl_kernel_writer ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, unrestricted' ) +type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' ) ; role system_r types insmod_t; role sysadm_r types insmod_t; @@ -99,7 +99,9 @@ allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write }; -allow insmod_t sound_device_t:chr_file { ioctl write }; +allow insmod_t sound_device_t:chr_file { read ioctl write }; +allow insmod_t zero_device_t:chr_file read; +allow insmod_t memory_device_t:chr_file rw_file_perms; # Read module config and dependency information allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read }; @@ -149,7 +151,6 @@ allow insmod_t device_t:dir read; allow insmod_t devpts_t:dir { getattr search }; -dontaudit insmod_t sound_device_t:chr_file read; type insmod_exec_t, file_type, exec_type, sysadmfile; domain_auto_trans(privmodule, insmod_exec_t, insmod_t) @@ -159,9 +160,10 @@ allow insmod_t privmodule:process sigchld; dontaudit sysadm_t self:capability sys_module; +ifdef(`mount.te', ` # Run mount in the mount_t domain. domain_auto_trans(insmod_t, mount_exec_t, mount_t) - +') # for when /var is not mounted early in the boot dontaudit insmod_t file_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.19.15/domains/program/ssh.te --- nsapolicy/domains/program/ssh.te 2004-12-11 06:31:18.000000000 -0500 +++ policy-1.19.15/domains/program/ssh.te 2004-12-28 12:09:14.000000000 -0500 @@ -228,5 +228,4 @@ allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write }; allow ssh_keygen_t urandom_device_t:chr_file { getattr read }; -dontaudit sshd_t local_login_t:fd { use }; dontaudit sshd_t sysadm_tty_device_t:chr_file { read write }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.19.15/domains/program/unused/amanda.te --- nsapolicy/domains/program/unused/amanda.te 2004-12-02 14:11:41.000000000 -0500 +++ policy-1.19.15/domains/program/unused/amanda.te 2004-12-28 12:09:14.000000000 -0500 @@ -241,8 +241,6 @@ allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal }; allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service }; allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read }; -allow amanda_recover_t local_login_t:fd use; - # amrecover network and process communication ############################################# diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.15/domains/program/unused/apache.te --- nsapolicy/domains/program/unused/apache.te 2004-12-21 10:59:57.000000000 -0500 +++ policy-1.19.15/domains/program/unused/apache.te 2004-12-28 12:09:14.000000000 -0500 @@ -156,6 +156,7 @@ # Allow the httpd_t to read the web servers config files ################################################### r_dir_file(httpd_t, httpd_config_t) +dontaudit httpd_sys_script_t httpd_config_t:dir search; # allow logrotate to read the config files for restart ifdef(`logrotate.te', ` r_dir_file(logrotate_t, httpd_config_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.15/domains/program/unused/apmd.te --- nsapolicy/domains/program/unused/apmd.te 2004-12-09 10:26:08.000000000 -0500 +++ policy-1.19.15/domains/program/unused/apmd.te 2004-12-28 12:09:14.000000000 -0500 @@ -131,3 +131,5 @@ dontaudit apmd_t tmpfs_t:dir r_dir_perms; dontaudit apmd_t selinux_config_t:dir search; allow apmd_t user_tty_type:chr_file rw_file_perms; +# Access /dev/apm_bios. +allow initrc_t apm_bios_t:chr_file { setattr getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.15/domains/program/unused/arpwatch.te --- nsapolicy/domains/program/unused/arpwatch.te 2004-12-02 14:11:41.000000000 -0500 +++ policy-1.19.15/domains/program/unused/arpwatch.te 2004-12-28 12:09:14.000000000 -0500 @@ -35,3 +35,8 @@ allow arpwatch_t bin_t:dir search; ') +ifdef(`distro_gentoo', ` +allow initrc_t arpwatch_data_t:dir { add_name write }; +allow initrc_t arpwatch_data_t:file create; +')dnl end distro_gentoo + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.15/domains/program/unused/bootloader.te --- nsapolicy/domains/program/unused/bootloader.te 2004-12-03 14:42:06.000000000 -0500 +++ policy-1.19.15/domains/program/unused/bootloader.te 2004-12-28 12:09:14.000000000 -0500 @@ -29,7 +29,7 @@ allow bootloader_t { initrc_t privfd }:fd use; tmp_domain(bootloader, `, device_type') -allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms; +allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms; read_locale(bootloader_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.15/domains/program/unused/cups.te --- nsapolicy/domains/program/unused/cups.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/cups.te 2004-12-28 12:09:14.000000000 -0500 @@ -33,10 +33,8 @@ # temporary solution, we need something better allow cupsd_t serial_device:chr_file rw_file_perms; -ifdef(`usbmodules.te', ` r_dir_file(cupsd_t, usbdevfs_t) r_dir_file(cupsd_t, usbfs_t) -') ifdef(`logrotate.te', ` domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t) @@ -166,6 +164,8 @@ allow cupsd_t printconf_t:file { getattr read }; +dbusd_client(system, cupsd) + ifdef(`hald.te', ` # CUPS configuration daemon @@ -195,13 +195,12 @@ rw_dir_create_file(cupsd_config_t, cupsd_etc_t) rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) -can_network_server_tcp(cupsd_config_t) +can_network_tcp(cupsd_config_t) can_tcp_connect(cupsd_config_t, cupsd_t) allow cupsd_config_t self:fifo_file rw_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; ifdef(`dbusd.te', ` -dbusd_client(system, cupsd) dbusd_client(system, cupsd_config) allow cupsd_config_t userdomain:dbus send_msg; allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc }; @@ -243,3 +242,8 @@ # Alternatives asks for this allow cupsd_config_t initrc_exec_t:file getattr; ') dnl end if hald.te +ifdef(`targeted_policy', ` +can_unix_connect(cupsd_t, initrc_t) +allow cupsd_t initrc_t:dbus send_msg; +') + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.19.15/domains/program/unused/dbusd.te --- nsapolicy/domains/program/unused/dbusd.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.15/domains/program/unused/dbusd.te 2004-12-28 12:09:14.000000000 -0500 @@ -16,3 +16,5 @@ # I expect we need more than this +allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc }; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpm.te policy-1.19.15/domains/program/unused/gpm.te --- nsapolicy/domains/program/unused/gpm.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.15/domains/program/unused/gpm.te 2004-12-28 12:09:14.000000000 -0500 @@ -40,3 +40,6 @@ allow gpm_t device_t:lnk_file { getattr read }; read_locale(gpm_t) + +allow initrc_t gpmctl_t:sock_file setattr; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.15/domains/program/unused/howl.te --- nsapolicy/domains/program/unused/howl.te 2004-12-02 14:11:42.000000000 -0500 +++ policy-1.19.15/domains/program/unused/howl.te 2004-12-28 12:09:14.000000000 -0500 @@ -4,17 +4,19 @@ # daemon_domain(howl) -allow howl_t proc_net_t:dir search; -allow howl_t proc_net_t:file {getattr read }; +r_dir_file(howl_t, proc_net_t) can_network_server(howl_t) can_ypbind(howl_t) -allow howl_t self:capability { kill net_admin }; +allow howl_t self:unix_dgram_socket create_socket_perms; +allow howl_t self:capability { kill net_admin sys_module }; allow howl_t self:fifo_file rw_file_perms; type howl_port_t, port_type; allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind; +allow howl_t self:unix_dgram_socket create_socket_perms; + allow howl_t etc_t:file { getattr read }; allow howl_t initrc_var_run_t:file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.19.15/domains/program/unused/inetd.te --- nsapolicy/domains/program/unused/inetd.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.15/domains/program/unused/inetd.te 2004-12-28 12:09:14.000000000 -0500 @@ -18,7 +18,7 @@ # Rules for the inetd_t domain. # -daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' ) +daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' ) can_network(inetd_t) allow inetd_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.15/domains/program/unused/innd.te --- nsapolicy/domains/program/unused/innd.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.15/domains/program/unused/innd.te 2004-12-28 12:09:14.000000000 -0500 @@ -76,6 +76,5 @@ allow innd_t self:file { getattr read }; dontaudit innd_t selinux_config_t:dir { search }; -allow system_crond_t innd_etc_t:file { getattr read }; allow innd_t bin_t:lnk_file { read }; allow innd_t sbin_t:lnk_file { read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.15/domains/program/unused/kerberos.te --- nsapolicy/domains/program/unused/kerberos.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/kerberos.te 2004-12-28 12:09:14.000000000 -0500 @@ -44,11 +44,10 @@ can_tcp_connect(kerberos_admin_port_t, kadmind_t) # Bind to the kerberos, kerberos-adm ports. -allow krb5kdc_t kerberos_port_t:udp_socket name_bind; -allow krb5kdc_t kerberos_port_t:tcp_socket name_bind; +allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind; allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind; -dontaudit kadmind_t reserved_port_type:tcp_socket name_bind; allow kadmind_t reserved_port_t:tcp_socket name_bind; +dontaudit kadmind_t reserved_port_type:tcp_socket name_bind; # # Rules for Kerberos5 KDC daemon diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.19.15/domains/program/unused/lpd.te --- nsapolicy/domains/program/unused/lpd.te 2004-12-02 14:11:42.000000000 -0500 +++ policy-1.19.15/domains/program/unused/lpd.te 2004-12-28 12:09:14.000000000 -0500 @@ -154,3 +154,8 @@ # checkpc needs similar permissions. allow checkpc_t printconf_t:file getattr; allow checkpc_t printconf_t:dir { getattr search read }; + +# Read printconf files. +allow initrc_t printconf_t:dir r_dir_perms; +allow initrc_t printconf_t:file r_file_perms; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.15/domains/program/unused/mta.te --- nsapolicy/domains/program/unused/mta.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/mta.te 2004-12-28 12:09:14.000000000 -0500 @@ -76,3 +76,4 @@ create_dir_file( system_mail_t, mqueue_spool_t) ') allow system_mail_t etc_runtime_t:file { getattr read }; +allow system_mail_t urandom_device_t:chr_file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.15/domains/program/unused/nscd.te --- nsapolicy/domains/program/unused/nscd.te 2004-12-21 10:59:57.000000000 -0500 +++ policy-1.19.15/domains/program/unused/nscd.te 2004-12-28 12:09:14.000000000 -0500 @@ -70,4 +70,4 @@ allow nscd_t self:netlink_route_socket r_netlink_socket_perms; allow nscd_t tmp_t:dir { search getattr }; allow nscd_t tmp_t:lnk_file read; -allow nscd_t urandom_device_t:chr_file { getattr read }; +allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.15/domains/program/unused/ntpd.te --- nsapolicy/domains/program/unused/ntpd.te 2004-12-02 14:11:42.000000000 -0500 +++ policy-1.19.15/domains/program/unused/ntpd.te 2004-12-28 12:09:14.000000000 -0500 @@ -80,3 +80,8 @@ ifdef(`firstboot.te', ` dontaudit ntpd_t firstboot_t:fd use; ') +ifdef(`winbind.te', ` +allow ntpd_t winbind_var_run_t:dir r_dir_perms; +allow ntpd_t winbind_var_run_t:sock_file rw_file_perms; +') + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.19.15/domains/program/unused/pam.te --- nsapolicy/domains/program/unused/pam.te 2004-09-10 11:01:02.000000000 -0400 +++ policy-1.19.15/domains/program/unused/pam.te 2004-12-28 12:09:14.000000000 -0500 @@ -34,3 +34,6 @@ allow pam_t local_login_t:fd use; dontaudit pam_t self:capability sys_tty_config; + +allow initrc_t pam_var_run_t:dir rw_dir_perms; +allow initrc_t pam_var_run_t:file { getattr read unlink }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.15/domains/program/unused/portmap.te --- nsapolicy/domains/program/unused/portmap.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/portmap.te 2004-12-28 12:09:14.000000000 -0500 @@ -23,7 +23,7 @@ tmp_domain(portmap) allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind; -dontaudit portmap_t reserved_port_type:tcp_socket name_bind; +dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind; # portmap binds to arbitary ports allow portmap_t port_t:{ udp_socket tcp_socket } name_bind; @@ -55,8 +55,10 @@ allow portmap_t self:netlink_route_socket r_netlink_socket_perms; application_domain(portmap_helper) +role system_r types portmap_helper_t; domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t) dontaudit portmap_helper_t self:capability { net_admin }; +allow portmap_helper_t self:capability { net_bind_service }; allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms; allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; can_network(portmap_helper_t) @@ -64,4 +66,5 @@ dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms; allow portmap_helper_t etc_t:file { getattr read }; dontaudit portmap_helper_t userdomain:fd use; -allow portmap_helper_t reserved_port_t:udp_socket name_bind; +allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.19.15/domains/program/unused/postfix.te --- nsapolicy/domains/program/unused/postfix.te 2004-12-02 14:11:42.000000000 -0500 +++ policy-1.19.15/domains/program/unused/postfix.te 2004-12-28 12:09:14.000000000 -0500 @@ -50,6 +50,8 @@ allow postfix_$1_t etc_runtime_t:file r_file_perms; allow postfix_$1_t proc_t:dir r_dir_perms; allow postfix_$1_t proc_t:file r_file_perms; +allow postfix_$1_t proc_net_t:dir search; +allow postfix_$1_t proc_net_t:file { getattr read }; allow postfix_$1_t postfix_exec_t:dir r_dir_perms; allow postfix_$1_t fs_t:filesystem getattr; can_exec(postfix_$1_t, postfix_$1_exec_t) @@ -158,8 +160,6 @@ allow postfix_$1_t self:capability { setuid setgid dac_override }; can_network_client(postfix_$1_t) can_ypbind(postfix_$1_t) -allow postfix_$1_t proc_net_t:dir search; -allow postfix_$1_t proc_net_t:file { getattr read }; ') postfix_server_domain(smtp, `, mail_server_sender') @@ -274,8 +274,6 @@ allow postfix_showq_t self:tcp_socket create_socket_perms; allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write }; dontaudit postfix_showq_t net_conf_t:file r_file_perms; -allow postfix_showq_t proc_net_t:dir search; -allow postfix_showq_t proc_net_t:file { getattr read }; postfix_user_domain(postdrop, `, mta_user_agent') allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.15/domains/program/unused/postgresql.te --- nsapolicy/domains/program/unused/postgresql.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/postgresql.te 2004-12-28 12:09:14.000000000 -0500 @@ -112,7 +112,7 @@ dontaudit postgresql_t selinux_config_t:dir { search }; allow postgresql_t mail_spool_t:dir { search }; rw_dir_create_file(postgresql_t, var_lock_t) -can_exec(postgresql_t, { shell_exec_t bin_t } ) +can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } ) ifdef(`apache.te', ` # # Allow httpd to work with postgresql diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.15/domains/program/unused/rhgb.te --- nsapolicy/domains/program/unused/rhgb.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/rhgb.te 2004-12-28 12:09:14.000000000 -0500 @@ -93,3 +93,8 @@ ') allow rhgb_t xdm_xserver_tmp_t:file { getattr read }; dontaudit rhgb_t default_t:file read; + +allow initrc_t ramfs_t:dir search; +allow initrc_t ramfs_t:sock_file write; +allow initrc_t rhgb_t:unix_stream_socket { read write }; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.19.15/domains/program/unused/rpm.te --- nsapolicy/domains/program/unused/rpm.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.15/domains/program/unused/rpm.te 2004-12-28 12:09:14.000000000 -0500 @@ -244,6 +244,10 @@ allow rpm_script_t domain:process { signal signull }; +# Access /var/lib/rpm. +allow initrc_t rpm_var_lib_t:dir rw_dir_perms; +allow initrc_t rpm_var_lib_t:file create_file_perms; + ifdef(`unlimitedRPM', ` unconfined_domain(rpm_t) unconfined_domain(rpm_script_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.15/domains/program/unused/sendmail.te --- nsapolicy/domains/program/unused/sendmail.te 2004-12-21 10:59:57.000000000 -0500 +++ policy-1.19.15/domains/program/unused/sendmail.te 2004-12-28 12:09:14.000000000 -0500 @@ -53,6 +53,8 @@ # for the start script to run make -C /etc/mail allow initrc_t etc_mail_t:dir rw_dir_perms; allow initrc_t etc_mail_t:file create_file_perms; +allow system_mail_t initrc_t:fd use; +allow system_mail_t initrc_t:fifo_file write; # Write to /var/spool/mail and /var/spool/mqueue. allow sendmail_t var_spool_t:dir { getattr search }; @@ -84,6 +86,7 @@ allow system_mail_t proc_t:dir search; allow system_mail_t proc_t:file { getattr read }; allow system_mail_t proc_t:lnk_file read; +dontaudit system_mail_t proc_net_t:dir search; allow sendmail_t sysctl_kernel_t:dir search; allow sendmail_t sysctl_kernel_t:file { getattr read }; allow system_mail_t fs_t:filesystem getattr; @@ -97,9 +100,12 @@ allow system_mail_t mqueue_spool_t:file create_file_perms; allow system_mail_t sysctl_kernel_t:file read; +ifdef(`crond.te', ` dontaudit system_mail_t system_crond_tmp_t:file append; +') dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console allow sendmail_t initrc_var_run_t:file { getattr read }; dontaudit sendmail_t initrc_var_run_t:file { lock write }; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound.te policy-1.19.15/domains/program/unused/sound.te --- nsapolicy/domains/program/unused/sound.te 2004-03-23 15:58:08.000000000 -0500 +++ policy-1.19.15/domains/program/unused/sound.te 2004-12-28 12:09:14.000000000 -0500 @@ -23,3 +23,4 @@ # Read and write ttys. allow sound_t sysadm_tty_device_t:chr_file rw_file_perms; read_locale(sound_t) +allow initrc_t sound_file_t:file { setattr write }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.15/domains/program/unused/squid.te --- nsapolicy/domains/program/unused/squid.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/squid.te 2004-12-28 12:09:14.000000000 -0500 @@ -15,7 +15,7 @@ daemon_domain(squid, `, web_client_domain, nscd_client_domain') type squid_conf_t, file_type, sysadmfile; - +general_domain_access(squid_t) allow { squid_t initrc_t } squid_conf_t:file r_file_perms; allow squid_t squid_conf_t:dir r_dir_perms; allow squid_t squid_conf_t:lnk_file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.19.15/domains/program/unused/udev.te --- nsapolicy/domains/program/unused/udev.te 2004-12-01 16:51:43.000000000 -0500 +++ policy-1.19.15/domains/program/unused/udev.te 2004-12-28 12:09:14.000000000 -0500 @@ -24,8 +24,9 @@ # # Rules used for udev # -type udev_tbl_t, file_type, sysadmfile, dev_fs; -file_type_auto_trans(udev_t, device_t, udev_tbl_t, file) +type udev_tdb_t, file_type, sysadmfile, dev_fs; +typealias udev_tdb_t alias udev_tbl_t; +file_type_auto_trans(udev_t, device_t, udev_tdb_t, file) allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin }; allow udev_t self:file { getattr read }; allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; @@ -97,6 +98,7 @@ ifdef(`pamconsole.te', ` allow udev_t pam_var_console_t:dir search; allow udev_t pam_var_console_t:file { getattr read }; +domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t) ') allow udev_t var_lock_t:dir search; allow udev_t var_lock_t:file getattr; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.15/domains/program/unused/winbind.te --- nsapolicy/domains/program/unused/winbind.te 2004-12-20 16:27:44.000000000 -0500 +++ policy-1.19.15/domains/program/unused/winbind.te 2004-12-28 12:09:14.000000000 -0500 @@ -21,13 +21,13 @@ type samba_secrets_t, file_type, sysadmfile; ') rw_dir_file(winbind_t, samba_etc_t) -rw_dir_file(winbind_t, samba_log_t) +rw_dir_create_file(winbind_t, samba_log_t) allow winbind_t samba_secrets_t:file rw_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; allow winbind_t urandom_device_t:chr_file { getattr read }; allow winbind_t self:fifo_file { read write }; -rw_dir_file(winbind_t, samba_var_t) +rw_dir_create_file(winbind_t, samba_var_t) allow winbind_t krb5_conf_t:file { getattr read }; dontaudit winbind_t krb5_conf_t:file { write }; allow winbind_t self:netlink_route_socket r_netlink_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.19.15/domains/program/unused/xfs.te --- nsapolicy/domains/program/unused/xfs.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/xfs.te 2004-12-28 12:09:14.000000000 -0500 @@ -40,3 +40,11 @@ # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.* allow xfs_t fonts_t:dir search; allow xfs_t fonts_t:file { getattr read }; + +# Unlink the xfs socket. +allow initrc_t xfs_tmp_t:dir rw_dir_perms; +allow initrc_t xfs_tmp_t:dir rmdir; +allow initrc_t xfs_tmp_t:sock_file { read getattr unlink }; +allow initrc_t fonts_t:dir create_dir_perms; +allow initrc_t fonts_t:file create_file_perms; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.15/domains/program/unused/ypbind.te --- nsapolicy/domains/program/unused/ypbind.te 2004-12-11 06:31:19.000000000 -0500 +++ policy-1.19.15/domains/program/unused/ypbind.te 2004-12-28 12:09:14.000000000 -0500 @@ -37,6 +37,7 @@ allow ypbind_t etc_t:file { getattr read }; allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; -allow ypbind_t reserved_port_t:tcp_socket name_bind; -allow ypbind_t reserved_port_t:udp_socket name_bind; -dontaudit ypbind_t reserved_port_type:udp_socket name_bind; +allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind; +dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind; +can_udp_send(initrc_t, ypbind_t) + diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.15/file_contexts/distros.fc --- nsapolicy/file_contexts/distros.fc 2004-12-21 10:59:57.000000000 -0500 +++ policy-1.19.15/file_contexts/distros.fc 2004-12-28 14:01:00.477435032 -0500 @@ -35,6 +35,32 @@ /usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t /usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t /usr/share/ssl/misc(/.*)? system_u:object_r:bin_t +# +# /emul/ia32-linux/usr +# +/emul(/.*)? system_u:object_r:usr_t +/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t +/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t +/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t +/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t +/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t +/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t +# /emul/ia32-linux/lib +/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t +/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +# /emul/ia32-linux/bin +/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t +# /emul/ia32-linux/sbin +/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t + +ifdef(`dbusd.te', `', ` +/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t +') ') ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.15/file_contexts/program/cups.fc --- nsapolicy/file_contexts/program/cups.fc 2004-11-24 07:00:50.000000000 -0500 +++ policy-1.19.15/file_contexts/program/cups.fc 2004-12-28 12:09:14.000000000 -0500 @@ -29,9 +29,6 @@ /var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t /usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t /usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t -/usr/bin/lpr\.cups -- system_u:object_r:lpr_exec_t -/usr/bin/lpq\.cups -- system_u:object_r:lpr_exec_t -/usr/bin/lprm\.cups -- system_u:object_r:lpr_exec_t /usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t /usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t /var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.19.15/file_contexts/program/initrc.fc --- nsapolicy/file_contexts/program/initrc.fc 2004-11-19 11:20:43.000000000 -0500 +++ policy-1.19.15/file_contexts/program/initrc.fc 2004-12-28 12:09:14.000000000 -0500 @@ -1,5 +1,9 @@ # init rc scripts -/etc/X11/prefdm -- system_u:object_r:initrc_exec_t +ifdef(`targeted_policy', ` +/etc/X11/prefdm -- system_u:object_r:bin_t +', ` +/etc/X11/prefdm -- system_u:object_r:initrc_exec_t +') /etc/rc\.d/rc -- system_u:object_r:initrc_exec_t /etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t /etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kerberos.fc policy-1.19.15/file_contexts/program/kerberos.fc --- nsapolicy/file_contexts/program/kerberos.fc 2004-11-19 11:20:43.000000000 -0500 +++ policy-1.19.15/file_contexts/program/kerberos.fc 2004-12-28 12:09:14.000000000 -0500 @@ -9,4 +9,3 @@ /var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t /var/log/kadmind\.log system_u:object_r:kadmind_log_t /usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t -/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/login.fc policy-1.19.15/file_contexts/program/login.fc --- nsapolicy/file_contexts/program/login.fc 2003-11-26 13:01:07.000000000 -0500 +++ policy-1.19.15/file_contexts/program/login.fc 2004-12-28 12:09:14.000000000 -0500 @@ -1,2 +1,3 @@ # login /bin/login -- system_u:object_r:login_exec_t +/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lpr.fc policy-1.19.15/file_contexts/program/lpr.fc --- nsapolicy/file_contexts/program/lpr.fc 2003-11-26 13:01:07.000000000 -0500 +++ policy-1.19.15/file_contexts/program/lpr.fc 2004-12-28 12:09:14.000000000 -0500 @@ -1,4 +1,4 @@ # lp utilities. -/usr/bin/lpr -- system_u:object_r:lpr_exec_t -/usr/bin/lpq -- system_u:object_r:lpr_exec_t -/usr/bin/lprm -- system_u:object_r:lpr_exec_t +/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t +/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t +/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.19.15/file_contexts/program/postgresql.fc --- nsapolicy/file_contexts/program/postgresql.fc 2004-11-19 11:20:44.000000000 -0500 +++ policy-1.19.15/file_contexts/program/postgresql.fc 2004-12-28 12:09:14.000000000 -0500 @@ -4,6 +4,7 @@ /usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t /usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t /usr/bin/pg_resetxlog -- system_u:object_r:postgresql_exec_t +/usr/bin/initdb -- system_u:object_r:postgresql_exec_t # not sure whether the following binaries need labelling /usr/bin/createlang -- system_u:object_r:postgresql_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ssh.fc policy-1.19.15/file_contexts/program/ssh.fc --- nsapolicy/file_contexts/program/ssh.fc 2004-11-19 11:20:44.000000000 -0500 +++ policy-1.19.15/file_contexts/program/ssh.fc 2004-12-28 13:28:11.432062741 -0500 @@ -7,7 +7,6 @@ /etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t /etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t /usr/sbin/sshd -- system_u:object_r:sshd_exec_t -HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t /var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t # subsystems /usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t @@ -16,3 +15,6 @@ ifdef(`distro_suse', ` /usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t ') +ifdef(`targeted_policy', `', ` +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t +') diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.19.15/file_contexts/program/udev.fc --- nsapolicy/file_contexts/program/udev.fc 2004-11-19 11:20:44.000000000 -0500 +++ policy-1.19.15/file_contexts/program/udev.fc 2004-12-28 12:09:14.000000000 -0500 @@ -8,5 +8,5 @@ /etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t /dev/udev\.tbl -- system_u:object_r:udev_tbl_t -/dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t +/dev/\.udev\.tdb/.* -- system_u:object_r:udev_tdb_t /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.15/macros/global_macros.te --- nsapolicy/macros/global_macros.te 2004-12-21 10:59:58.000000000 -0500 +++ policy-1.19.15/macros/global_macros.te 2004-12-28 12:09:14.000000000 -0500 @@ -242,7 +242,8 @@ allow $1_t { self proc_t }:dir r_dir_perms; allow $1_t { self proc_t }:lnk_file read; -allow $1_t device_t:dir { getattr search }; +allow $1_t device_t:dir r_dir_perms; +allow $1_t udev_tdb_t:file r_file_perms; allow $1_t null_device_t:chr_file rw_file_perms; dontaudit $1_t console_device_t:chr_file rw_file_perms; dontaudit $1_t unpriv_userdomain:fd use; @@ -512,6 +513,8 @@ allow $1 sysctl_t:{ dir file } *; allow $1 device_type:devfile_class_set *; allow $1 mtrr_device_t:file *; +allow domain $1:fd use; +allow domain $1:process sigchld; # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.15/macros/network_macros.te --- nsapolicy/macros/network_macros.te 2004-11-24 14:44:37.000000000 -0500 +++ policy-1.19.15/macros/network_macros.te 2004-12-28 12:09:14.000000000 -0500 @@ -83,7 +83,7 @@ define(`can_network_tcp',` can_network_server_tcp($1, `$2') -can_network_client_tcp($1, `$2') +allow $1 self:tcp_socket { connect }; ') @@ -144,11 +144,13 @@ can_network_tcp($1, `$2') can_network_udp($1, `$2') +ifdef(`mount.te', ` # # Allow the domain to send NFS client requests via the socket # created by mount. # allow $1 mount_t:udp_socket rw_socket_perms; +') ')dnl end can_network definition diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.19.15/macros/program/dbusd_macros.te --- nsapolicy/macros/program/dbusd_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.15/macros/program/dbusd_macros.te 2004-12-28 12:09:14.000000000 -0500 @@ -54,25 +54,25 @@ # # Define a new derived domain for connecting to dbus_type # from domain_prefix_t. -define(`dbusd_client',`') -ifdef(`dbusd.te',` undefine(`dbusd_client') define(`dbusd_client',` +ifdef(`dbusd.te',` # Derived type used for connection type $2_dbusd_$1_t; type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t; +# SE-DBus specific permissions +allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; + # For connecting to the bus allow $2_t $1_dbusd_t:unix_stream_socket connectto; + +') dnl endif dbusd.te ifelse(`system', `$1', ` allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search; allow { $2_t } system_dbusd_var_run_t:sock_file write; -',` -') dnl endif system -# SE-DBus specific permissions -allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; -') dnl endif dbusd.te +',`') dnl endif system ') # can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b) diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sendmail_macros.te policy-1.19.15/macros/program/sendmail_macros.te --- nsapolicy/macros/program/sendmail_macros.te 2004-10-06 09:18:33.000000000 -0400 +++ policy-1.19.15/macros/program/sendmail_macros.te 2004-12-28 12:09:14.000000000 -0500 @@ -45,6 +45,7 @@ ifelse(`$1', `sysadm', ` allow $1_mail_t proc_t:dir { getattr search }; allow $1_mail_t proc_t:{ lnk_file file } { getattr read }; +dontaudit $1_mail_t proc_net_t:dir search; allow $1_mail_t sysctl_kernel_t:file { getattr read }; allow $1_mail_t etc_runtime_t:file { getattr read }; ', ` diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.15/Makefile --- nsapolicy/Makefile 2004-12-21 10:59:56.000000000 -0500 +++ policy-1.19.15/Makefile 2004-12-28 12:09:14.000000000 -0500 @@ -50,7 +50,7 @@ UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) FC = file_contexts/file_contexts -FCFILES=tmp/program_used_flags.te file_contexts/types.fc file_contexts/distros.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc) +FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc) APPDIR=$(CONTEXTPATH) APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.19.15/targeted/appconfig/default_contexts --- nsapolicy/targeted/appconfig/default_contexts 2004-05-12 08:56:51.000000000 -0400 +++ policy-1.19.15/targeted/appconfig/default_contexts 2004-12-28 12:09:38.000000000 -0500 @@ -1 +1,2 @@ system_r:unconfined_t system_r:unconfined_t +system_r:initrc_t system_r:unconfined_t diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.19.15/targeted/appconfig/root_default_contexts --- nsapolicy/targeted/appconfig/root_default_contexts 2004-05-12 08:56:51.000000000 -0400 +++ policy-1.19.15/targeted/appconfig/root_default_contexts 2004-12-28 12:09:42.000000000 -0500 @@ -1 +1,2 @@ system_r:unconfined_t system_r:unconfined_t +system_r:initrc_t system_r:unconfined_t diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.19.15/targeted/assert.te --- nsapolicy/targeted/assert.te 2004-11-30 16:05:23.000000000 -0500 +++ policy-1.19.15/targeted/assert.te 2004-12-28 12:09:14.000000000 -0500 @@ -22,10 +22,10 @@ # Confined domains must never touch an unconfined domain except to # send SIGCHLD for child termination notifications. -neverallow { domain - unconfined_t } unconfined_t:process ~sigchld; +neverallow { domain -unconfined_t -unrestricted } unconfined_t:process ~sigchld; # Confined domains must never see unconfined domain's /proc/pid entries. -neverallow { domain - unconfined_t } unconfined_t:dir { getattr search }; +neverallow { domain -unconfined_t -unrestricted } unconfined_t:dir { getattr search }; # # Verify that every type that can be entered by diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.19.15/targeted/domains/program/crond.te --- nsapolicy/targeted/domains/program/crond.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.15/targeted/domains/program/crond.te 2004-12-28 13:53:28.152958431 -0500 @@ -0,0 +1,21 @@ +#DESC crond +# +# Authors: Daniel Walsh <dwalsh@redhat.com> +# + +################################# +# +# Rules for the crond domain. +# +# crond_exec_t is the type of the /usr/sbin/crond and other programs. +# This domain is defined just for targeted policy. +# +type crond_exec_t, file_type, sysadmfile, exec_type; +type anacron_exec_t, file_type, sysadmfile, exec_type; +type system_crond_tmp_t, file_type, sysadmfile; +type system_cron_spool_t, file_type, sysadmfile; +type sysadm_cron_spool_t, file_type, sysadmfile; +type crond_log_t, file_type, sysadmfile; +type crond_var_run_t, file_type, sysadmfile; +domain_auto_trans(initrc_t, crond_exec_t, crond_t) +domain_auto_trans(initrc_t, anacron_exec_t, crond_t) diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/initrc.te policy-1.19.15/targeted/domains/program/initrc.te --- nsapolicy/targeted/domains/program/initrc.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.15/targeted/domains/program/initrc.te 1969-12-31 19:00:00.000000000 -0500 @@ -1,16 +0,0 @@ -#DESC Initrc - System initialization scripts -# -# Authors: Daniel Walsh <dwalsh@redhat.com> -# - -################################# -# -# Rules for the initrc_t domain. -# -# initrc_exec_t is the type of the rc.sysinit and other programs. -# This domain is defined just for targeted policy to allow easy conversion to -# strict policy. -# -type initrc_exec_t, file_type, sysadmfile, exec_type; -type run_init_exec_t, file_type, sysadmfile, exec_type; -typealias var_run_t alias initrc_var_run_t; diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/init.te policy-1.19.15/targeted/domains/program/init.te --- nsapolicy/targeted/domains/program/init.te 2004-09-20 15:41:01.000000000 -0400 +++ policy-1.19.15/targeted/domains/program/init.te 1969-12-31 19:00:00.000000000 -0500 @@ -1,18 +0,0 @@ -#DESC Init - Process initialization -# -# Authors: Daniel Walsh <dwalsh@redhat.com> -# - -################################# -# -# Rules for the init_t domain. -# -# init_exec_t is the type of the init program. -# initctl_t is the type of the named pipe created -# by init during initialization. This pipe is used -# to communicate with init. -# This domain is defined just for targeted policy to allow easy conversion to -# strict policy. /sbin/init will get this policy. -# -type init_exec_t, file_type, sysadmfile, exec_type; -type initctl_t, file_type, sysadmfile, dev_fs; diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/rpm.te policy-1.19.15/targeted/domains/program/rpm.te --- nsapolicy/targeted/domains/program/rpm.te 2004-10-06 16:21:30.000000000 -0400 +++ policy-1.19.15/targeted/domains/program/rpm.te 2004-12-28 12:09:14.000000000 -0500 @@ -13,3 +13,4 @@ type rpm_exec_t, file_type, sysadmfile, exec_type; type rpm_var_lib_t, file_type, sysadmfile; typealias var_log_t alias rpm_log_t; +type rpm_tmpfs_t, file_type, sysadmfile; diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.19.15/targeted/domains/program/sendmail.te --- nsapolicy/targeted/domains/program/sendmail.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.15/targeted/domains/program/sendmail.te 2004-12-28 14:03:00.726360626 -0500 @@ -0,0 +1,17 @@ +#DESC sendmail +# +# Authors: Daniel Walsh <dwalsh@redhat.com> +# + +################################# +# +# Rules for the sendmaild domain. +# +# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs. +# This domain is defined just for targeted policy. +# +type sendmail_exec_t, file_type, sysadmfile, exec_type; +type sendmail_log_t, file_type, sysadmfile; +type sendmail_var_run_t, file_type, sysadmfile; +type etc_mail_t, file_type, sysadmfile; +domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t) diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.19.15/targeted/domains/program/ssh.te --- nsapolicy/targeted/domains/program/ssh.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.15/targeted/domains/program/ssh.te 2004-12-28 13:53:28.683899180 -0500 @@ -0,0 +1,19 @@ +#DESC sshd +# +# Authors: Daniel Walsh <dwalsh@redhat.com> +# + +################################# +# +# Rules for the sshd domain. +# +# sshd_exec_t is the type of the /bin/sshd and other programs. +# This domain is defined just for targeted policy. +# +type sshd_exec_t, file_type, sysadmfile, exec_type; +type ssh_exec_t, file_type, sysadmfile, exec_type; +type ssh_keygen_exec_t, file_type, sysadmfile, exec_type; +type sshd_key_t, file_type, sysadmfile; +type sshd_var_run_t, file_type, sysadmfile; +type ssh_port_t, port_type; +domain_auto_trans(initrc_t, sshd_exec_t, sshd_t) diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.19.15/targeted/domains/program/udev.te --- nsapolicy/targeted/domains/program/udev.te 2004-09-20 15:41:01.000000000 -0400 +++ policy-1.19.15/targeted/domains/program/udev.te 2004-12-28 12:09:14.000000000 -0500 @@ -13,4 +13,5 @@ # type udev_exec_t, file_type, sysadmfile, exec_type; type udev_helper_exec_t, file_type, sysadmfile, exec_type; -type udev_tbl_t, file_type, sysadmfile, dev_fs; +type udev_tdb_t, file_type, sysadmfile, dev_fs; +typealias udev_tdb_t alias udev_tbl_t; diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.19.15/targeted/domains/program/xdm.te --- nsapolicy/targeted/domains/program/xdm.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.15/targeted/domains/program/xdm.te 2004-12-28 13:53:29.134848854 -0500 @@ -0,0 +1,21 @@ +#DESC xdm - Linux configurable dynamic device naming support +# +# Authors: Daniel Walsh <dwalsh@redhat.com> +# + +################################# +# +# Rules for the xdm domain. +# +# xdm_exec_t is the type of the /usr/bin/gdm and other programs. +# This domain is defined just for targeted policy. +# +type xdm_exec_t, file_type, sysadmfile, exec_type; +type xsession_exec_t, file_type, sysadmfile, exec_type; +type vnc_port_t, port_type; +type xserver_log_t, file_type, sysadmfile; +type xdm_xserver_tmp_t, file_type, sysadmfile; +type xdm_rw_etc_t, file_type, sysadmfile; +type xdm_var_run_t, file_type, sysadmfile; +type xdm_var_lib_t, file_type, sysadmfile; +domain_auto_trans(initrc_t, xdm_exec_t, xdm_t) diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.15/targeted/domains/unconfined.te --- nsapolicy/targeted/domains/unconfined.te 2004-11-20 22:29:10.000000000 -0500 +++ policy-1.19.15/targeted/domains/unconfined.te 2004-12-28 13:58:06.169458436 -0500 @@ -13,11 +13,12 @@ # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. typealias bin_t alias su_exec_t; -typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t }; -type mount_t, domain; -type initrc_devpts_t, ptyfile; +typealias unconfined_t alias { crond_t kernel_t logrotate_t sendmail_t sshd_t sysadm_t system_crond_t rpm_t rpm_script_t xdm_t }; define(`admin_tty_type', `{ tty_device_t devpts_t }') +#type of rundir to communicate with dbus +type system_dbusd_var_run_t, file_type, sysadmfile; + # User home directory type. type user_home_t, file_type, sysadmfile; type user_home_dir_t, file_type, sysadmfile; diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.15/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400 +++ policy-1.19.15/tunables/distro.tun 2004-12-28 12:09:14.000000000 -0500 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.15/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2004-12-11 06:31:22.000000000 -0500 +++ policy-1.19.15/tunables/tunable.tun 2004-12-28 12:09:14.000000000 -0500 @@ -1,27 +1,24 @@ -# Allow users to execute the mount command -dnl define(`user_can_mount') - # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -dnl define(`unlimitedUtils') +define(`unlimitedUtils') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined. -dnl define(`unlimitedRC') +define(`unlimitedRC') # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon') # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -dnl define(`user_canbe_sysadm') +define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Adding alternate root patch to restorecon (setfiles?) @ 2004-10-18 19:31 Daniel J Walsh 2004-10-25 15:38 ` Russell Coker 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-10-18 19:31 UTC (permalink / raw) To: Stephen Smalley, SELinux We are beginning to look into how we could support clusters with SELinux. Usually in clusters you move your configuration off on to some shared storage. So you might do a cp -a /var/named /shared/var/named We need some way of relabeling these directories with file context. My idea is to add an alternate root qualifier to restorecon So in the above example you would do a restorecon -R -p /shared /shared/var/named I think this would work fairly well for chroot environments also. Ideas? Dan -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Adding alternate root patch to restorecon (setfiles?) @ 2004-10-25 15:38 ` Russell Coker 2004-10-25 21:31 ` Thomas Bleher 0 siblings, 1 reply; 8+ messages in thread From: Russell Coker @ 2004-10-25 15:38 UTC (permalink / raw) To: Thomas Bleher; +Cc: SELinux On Tue, 19 Oct 2004 06:51, Thomas Bleher <bleher@informatik.uni-muenchen.de> wrote: > One thing to note here is that restorecon becomes more dangerous with > your changes. Right now restorecon is relatively safe in that you can > only change file labels to their system default. It would probably be > acceptable in most environments to give users access to restorecon so > they could properly set labels for files in their home dir. > > With your changes and this scenario, users could do something like > restorecon -p /home/foo /home/foo/sbin/unix_chkpwd If the user is to run restorecon then they must run it in their own domain. There is no harm in allowing a user to run restorecon as user_t. They can only relabel files that have their own identity and a certain set of types. Maybe we should even have a script to run restorecon -R on the user's home directory that they can run at any time if SE Linux stops them doing what they want? If user_t can run restorecon as restorecon_t then you will lose even if there is no -p option. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Adding alternate root patch to restorecon (setfiles?) 2004-10-25 15:38 ` Russell Coker @ 2004-10-25 21:31 ` Thomas Bleher 2004-10-26 14:36 ` Russell Coker 0 siblings, 1 reply; 8+ messages in thread From: Thomas Bleher @ 2004-10-25 21:31 UTC (permalink / raw) To: Russell Coker; +Cc: SELinux [-- Attachment #1.1: Type: text/plain, Size: 1801 bytes --] * Russell Coker <russell@coker.com.au> [2004-10-25 19:09]: > On Tue, 19 Oct 2004 06:51, Thomas Bleher <bleher@informatik.uni-muenchen.de> > wrote: > > One thing to note here is that restorecon becomes more dangerous with > > your changes. Right now restorecon is relatively safe in that you can > > only change file labels to their system default. It would probably be > > acceptable in most environments to give users access to restorecon so > > they could properly set labels for files in their home dir. > > > > With your changes and this scenario, users could do something like > > restorecon -p /home/foo /home/foo/sbin/unix_chkpwd > > If the user is to run restorecon then they must run it in their own domain. > There is no harm in allowing a user to run restorecon as user_t. They can > only relabel files that have their own identity and a certain set of types. > > Maybe we should even have a script to run restorecon -R on the user's home > directory that they can run at any time if SE Linux stops them doing what > they want? OK, what do you guys think about the following patch: It adds an attribute $1_domain_file_type, so all file types from derived user domains can be grouped together. It also adds a restorecon_domain() macro, so users can call restorecon to reset the labels on their files. It is very lightly tested and probably missing a few permissions but should give a good overview of the general idea. Is such a thing safe? Thomas PS: It may be good to add a password check before restorecon (like newrole does) so we are sure that it's the user who wants to relabel his files. -- http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7 [-- Attachment #1.2: restorecon.patch --] [-- Type: text/plain, Size: 16345 bytes --] diff -urN orig/macros/admin_macros.te mod/macros/admin_macros.te --- orig/macros/admin_macros.te 2004-10-11 10:03:26.000000000 +0200 +++ mod/macros/admin_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -14,9 +14,12 @@ # undefine(`admin_domain') define(`admin_domain',` +# define an attribute for all files created by this role +attribute $1_domain_file_type; + # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; -type $1_home_t, file_type, sysadmfile, home_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type; +type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type; # Type and access for pty devices. can_create_pty($1) diff -urN orig/macros/program/apache_macros.te mod/macros/program/apache_macros.te --- orig/macros/program/apache_macros.te 2004-10-17 13:07:14.000000000 +0200 +++ mod/macros/program/apache_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -18,18 +18,23 @@ file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t) ', ` +ifelse($1, sys, ` #This type is for webpages # type httpd_$1_content_t, file_type, homedirfile, sysadmfile; -ifelse($1, sys, ` typealias httpd_sys_content_t alias httpd_sysadm_content_t; -') # This type is used for .htaccess files # type httpd_$1_htaccess_t, file_type, sysadmfile; type httpd_$1_script_exec_t, file_type, sysadmfile; +', ` +# same as above, add $1_domain_file_type attribute +type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; +type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type; +') # Type that CGI scripts run as type httpd_$1_script_t, domain, privmail; @@ -69,13 +74,20 @@ uncond_can_ypbind(httpd_$1_script_t) } ') + +ifelse($1, `sys', ` # The following are the only areas that # scripts can read, read/write, or append to # type httpd_$1_script_ro_t, file_type, sysadmfile; type httpd_$1_script_rw_t, file_type, sysadmfile; -file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) type httpd_$1_script_ra_t, file_type, sysadmfile; +', ` +type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type; +') +file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) ifdef(`slocate.te', ` ifelse($1, `sys', `', ` diff -urN orig/macros/program/crond_macros.te mod/macros/program/crond_macros.te --- orig/macros/program/crond_macros.te 2004-09-11 14:31:47.000000000 +0200 +++ mod/macros/program/crond_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -36,7 +36,7 @@ r_dir_file($1_crond_t, selinux_config_t) # Type of user crontabs once moved to cron spool. -type $1_cron_spool_t, file_type, sysadmfile; +type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type'); ifdef(`fcron.te', ` allow crond_t $1_cron_spool_t:file create_file_perms; diff -urN orig/macros/program/fingerd_macros.te mod/macros/program/fingerd_macros.te --- orig/macros/program/fingerd_macros.te 2003-08-14 14:37:36.000000000 +0200 +++ mod/macros/program/fingerd_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -10,6 +10,6 @@ # allow fingerd to create a fingerlog file in the user home dir # define(`fingerd_macro', ` -type $1_home_fingerlog_t, file_type, sysadmfile; +type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type; file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) ') diff -urN orig/macros/program/gpg_agent_macros.te mod/macros/program/gpg_agent_macros.te --- orig/macros/program/gpg_agent_macros.te 2004-09-21 22:24:44.000000000 +0200 +++ mod/macros/program/gpg_agent_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -58,7 +58,7 @@ allow $1_gpg_agent_t self:fifo_file { getattr read write }; # create /tmp files -tmp_domain($1_gpg_agent) +tmp_domain($1_gpg_agent, `, $1_domain_file_type') # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search }; diff -urN orig/macros/program/gpg_macros.te mod/macros/program/gpg_macros.te --- orig/macros/program/gpg_macros.te 2004-09-11 14:31:47.000000000 +0200 +++ mod/macros/program/gpg_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -25,7 +25,7 @@ allow $1_t self:capability { setuid }; ', ` type $1_gpg_t, domain, privlog; -type $1_gpg_secret_t, file_type, homedirfile, sysadmfile; +type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ')dnl end ifdef single_userdomain # Transition from the user domain to the derived domain. diff -urN orig/macros/program/irc_macros.te mod/macros/program/irc_macros.te --- orig/macros/program/irc_macros.te 2004-03-23 21:58:10.000000000 +0100 +++ mod/macros/program/irc_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -24,8 +24,8 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_irc_t, domain; -type $1_home_irc_t, file_type, homedirfile, sysadmfile; -type $1_irc_exec_t, file_type, sysadmfile; +type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; +type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type; ifdef(`slocate.te', ` allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search }; diff -urN orig/macros/program/lpr_macros.te mod/macros/program/lpr_macros.te --- orig/macros/program/lpr_macros.te 2004-09-11 14:31:47.000000000 +0200 +++ mod/macros/program/lpr_macros.te 2004-10-25 23:28:02.000000000 +0200 @@ -54,11 +54,11 @@ r_dir_file($1_lpr_t, printconf_t) ') -tmp_domain($1_lpr) +tmp_domain($1_lpr, `, $1_domain_file_type') r_dir_file($1_lpr_t, $1_tmp_t) # Type for spool files. -type $1_print_spool_t, file_type, sysadmfile; +type $1_print_spool_t, file_type, sysadmfile, $1_domain_file_type; # Use this type when creating files in /var/spool/lpd and /var/spool/cups. file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file) allow $1_lpr_t var_spool_t:dir { search }; diff -urN orig/macros/program/restorecon_macros.te mod/macros/program/restorecon_macros.te --- orig/macros/program/restorecon_macros.te 1970-01-01 01:00:00.000000000 +0100 +++ mod/macros/program/restorecon_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -0,0 +1,34 @@ +# Macro for the user restorecon domain +# +# Allow the user to call restorecon and to relabel all his files +# +# Author: Thomas Bleher <ThomasBleher@gmx.de> +# + +define(`restorecon_domain', ` + +type $1_restorecon_t, domain; +role $1_r types $1_restorecon_t; + +domain_auto_trans($1_t, restorecon_exec_t, $1_restorecon_t) + +base_file_read_access($1_restorecon_t) +uses_shlib($1_restorecon_t) + +allow $1_restorecon_t $1_devpts_t:chr_file { read write }; + +allow $1_restorecon_t privfd:fd use; + +r_dir_file($1_restorecon_t, selinux_config_t) +r_dir_file($1_restorecon_t, default_context_t) +r_dir_file($1_restorecon_t, file_context_t) +r_dir_file($1_restorecon_t, policy_config_t) + +allow $1_restorecon_t proc_t:dir search; +allow $1_restorecon_t proc_t:file { getattr read }; +dontaudit $1_restorecon_t proc_t:lnk_file { getattr read }; + +allow $1_restorecon_t { tmp_t $1_domain_file_type }:dir { getattr search }; +allow $1_restorecon_t $1_domain_file_type:{ notdevfile_class_set dir } { getattr relabelfrom relabelto }; + +') diff -urN orig/macros/program/rssh_macros.te mod/macros/program/rssh_macros.te --- orig/macros/program/rssh_macros.te 2004-09-23 11:38:30.000000000 +0200 +++ mod/macros/program/rssh_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -19,8 +19,8 @@ role rssh_$1_r types rssh_$1_t; allow system_r rssh_$1_r; -type rssh_$1_rw_t, file_type, sysadmfile; -type rssh_$1_ro_t, file_type, sysadmfile; +type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type; +type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type; general_domain_access(rssh_$1_t); uses_shlib(rssh_$1_t); diff -urN orig/macros/program/screen_macros.te mod/macros/program/screen_macros.te --- orig/macros/program/screen_macros.te 2004-10-11 10:03:26.000000000 +0200 +++ mod/macros/program/screen_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -26,12 +26,12 @@ typealias $1_home_t alias $1_home_screen_t; ', ` type $1_screen_t, domain, privlog, privfd; -type $1_home_screen_t, file_type, homedirfile, sysadmfile; +type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; # Transition from the user domain to this domain. domain_auto_trans($1_t, screen_exec_t, $1_screen_t) -tmp_domain($1_screen) +tmp_domain($1_screen, `, $1_domain_file_type') base_file_read_access($1_screen_t) # The user role is authorized for this domain. role $1_r types $1_screen_t; @@ -72,7 +72,7 @@ # Create fifo allow $1_screen_t var_t:dir search; file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir) -type $1_screen_var_run_t, file_type, sysadmfile, pidfile; +type $1_screen_var_run_t, file_type, sysadmfile, pidfile, $1_domain_file_type; file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) allow $1_screen_t self:process { fork signal_perms }; diff -urN orig/macros/program/spamassassin_macros.te mod/macros/program/spamassassin_macros.te --- orig/macros/program/spamassassin_macros.te 2004-10-14 13:09:56.000000000 +0200 +++ mod/macros/program/spamassassin_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -80,7 +80,7 @@ dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; # The type of ~/.spamassassin -type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile; +type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; create_dir_file($1_t, $1_home_spamassassin_t) allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto }; allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto }; diff -urN orig/macros/program/ssh_macros.te mod/macros/program/ssh_macros.te --- orig/macros/program/ssh_macros.te 2004-10-17 13:07:15.000000000 +0200 +++ mod/macros/program/ssh_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -26,7 +26,7 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_ssh_t, domain, privlog; -type $1_home_ssh_t, file_type, homedirfile, sysadmfile; +type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ifdef(`automount.te', ` allow $1_ssh_t autofs_t:dir { search getattr }; diff -urN orig/macros/program/tvtime_macros.te mod/macros/program/tvtime_macros.te --- orig/macros/program/tvtime_macros.te 2004-10-05 20:52:36.000000000 +0200 +++ mod/macros/program/tvtime_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -19,7 +19,7 @@ ifdef(`tvtime.te', ` define(`tvtime_domain',` # Derived domain based on the calling user domain and the program. -type $1_home_tvtime_t, file_type, homedirfile, sysadmfile; +type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; x_client_domain($1, tvtime) diff -urN orig/macros/program/uml_macros.te mod/macros/program/uml_macros.te --- orig/macros/program/uml_macros.te 2004-07-12 23:41:25.000000000 +0200 +++ mod/macros/program/uml_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -25,9 +25,9 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_uml_t, domain; -type $1_uml_exec_t, file_type, sysadmfile; -type $1_uml_ro_t, file_type, sysadmfile; -type $1_uml_rw_t, file_type, sysadmfile; +type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type; +type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type; +type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type; ifdef(`slocate.te', ` allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search }; diff -urN orig/macros/program/vmware_macros.te mod/macros/program/vmware_macros.te --- orig/macros/program/vmware_macros.te 2004-09-24 17:42:14.000000000 +0200 +++ mod/macros/program/vmware_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -23,10 +23,10 @@ role $1_r types $1_vmware_t; # The user file type is for files created when the user is running VMWare -type $1_vmware_file_t, homedirfile, file_type, sysadmfile; +type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type; # The user file type for the VMWare configuration files -type $1_vmware_conf_t, homedirfile, file_type, sysadmfile; +type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type; # for compatibility with older policy versions typealias $1_vmware_t alias vmware_$1_t; diff -urN orig/macros/program/xauth_macros.te mod/macros/program/xauth_macros.te --- orig/macros/program/xauth_macros.te 2004-06-19 10:31:44.000000000 +0200 +++ mod/macros/program/xauth_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -24,7 +24,7 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_xauth_t, domain; -type $1_home_xauth_t, file_type, homedirfile, sysadmfile; +type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ifdef(`slocate.te', ` allow $1_locate_t $1_home_xauth_t:file { getattr read }; @@ -84,7 +84,7 @@ allow $1_xauth_t home_root_t:dir search; file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file) -tmp_domain($1_xauth) +tmp_domain($1_xauth, `, $1_domain_file_type') allow $1_xauth_t $1_tmp_t:file { getattr ioctl read }; ifdef(`nfs_home_dirs', ` diff -urN orig/macros/program/x_client_macros.te mod/macros/program/x_client_macros.te --- orig/macros/program/x_client_macros.te 2004-09-11 14:31:47.000000000 +0200 +++ mod/macros/program/x_client_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -30,9 +30,9 @@ ', ` type $1_$2_t, domain $3; # Type for files that are writeable by this domain. -type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile; +type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type; # Type for files that are read-only for this domain -type $1_$2_ro_t, file_type, homedirfile, sysadmfile; +type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ') # Transition from the user domain to the derived domain. diff -urN orig/macros/user_macros.te mod/macros/user_macros.te --- orig/macros/user_macros.te 2004-10-19 21:15:26.000000000 +0200 +++ mod/macros/user_macros.te 2004-10-25 23:26:44.000000000 +0200 @@ -23,16 +23,16 @@ ')dnl end single_userdomain # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type; -type $1_home_t, file_type, sysadmfile, home_type, user_home_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type; +type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type; -tmp_domain($1, `, user_tmpfile') +tmp_domain($1, `, user_tmpfile, $1_domain_file_type') # Type and access for pty devices. -can_create_pty($1, `, userpty_type, user_tty_type') +can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type') #Type for tty devices. -type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs; +type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type; base_user_domain($1) @@ -61,6 +61,7 @@ # user domains. ifdef(`apache.te', `apache_domain($1)') ifdef(`slocate.te', `locate_domain($1)') +ifdef(`restorecon.te', `restorecon_domain($1)') allow $1_t krb5_conf_t:file { getattr read }; # allow port_t name binding for UDP because it is not very usable otherwise @@ -135,6 +136,9 @@ # user_t/$1_t is an unprivileged users domain. type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; +# define an attribute for all files created by this role +attribute $1_domain_file_type; + # Grant read/search permissions to some of /proc. allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:{ file lnk_file } r_file_perms; [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Adding alternate root patch to restorecon (setfiles?) 2004-10-25 21:31 ` Thomas Bleher @ 2004-10-26 14:36 ` Russell Coker 2004-11-05 21:39 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Russell Coker @ 2004-10-26 14:36 UTC (permalink / raw) To: Thomas Bleher; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 1377 bytes --] On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> wrote: > OK, what do you guys think about the following patch: > It adds an attribute $1_domain_file_type, so all file types from derived > user domains can be grouped together. It also adds a restorecon_domain() > macro, so users can call restorecon to reset the labels on their files. I've attached a patch named "tom.diff" which applies after your patch to tweak a few things. The new attribute allows a better way of dealing with the locate policy so I changed it appropriately. I added some use of sysadm_domain_file_type. Some of the types you had given the attribute $1_domain_file_type seemed inappropriate, this includes the print spool type, some temporary files, and files under /var/run. Whether we have the user_restorecon_t domain etc is something that needs more consideration. The attached patch named "diff" has the user_domain_file_type stuff from your patch with my amendments but none of the restorecon changes. I think that "diff" is worthy of being included in CVS regardless of what we do with restorecon. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page [-- Attachment #2: tom.diff --] [-- Type: text/x-diff, Size: 8609 bytes --] diff -ru policy.tom/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te --- policy.tom/macros/program/apache_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/apache_macros.te 2004-10-26 23:19:27.000000000 +1000 @@ -21,7 +21,7 @@ ifelse($1, sys, ` #This type is for webpages # -type httpd_$1_content_t, file_type, homedirfile, sysadmfile; +type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type; typealias httpd_sys_content_t alias httpd_sysadm_content_t; # This type is used for .htaccess files @@ -79,9 +79,9 @@ # The following are the only areas that # scripts can read, read/write, or append to # -type httpd_$1_script_ro_t, file_type, sysadmfile; -type httpd_$1_script_rw_t, file_type, sysadmfile; -type httpd_$1_script_ra_t, file_type, sysadmfile; +type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type; +type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type; +type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type; ', ` type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type; type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type; @@ -89,13 +89,6 @@ ') file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) -ifdef(`slocate.te', ` -ifelse($1, `sys', `', ` -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search }; -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read }; -')dnl end ifelse -')dnl end slocate.te - ######################################################### # Permissions for running child processes and scripts ########################################################## diff -ru policy.tom/macros/program/crond_macros.te policy.new/macros/program/crond_macros.te --- policy.tom/macros/program/crond_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/crond_macros.te 2004-10-27 00:18:59.000000000 +1000 @@ -36,7 +36,7 @@ r_dir_file($1_crond_t, selinux_config_t) # Type of user crontabs once moved to cron spool. -type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type'); +type $1_cron_spool_t, file_type, sysadmfile; ifdef(`fcron.te', ` allow crond_t $1_cron_spool_t:file create_file_perms; diff -ru policy.tom/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te --- policy.tom/macros/program/irc_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/irc_macros.te 2004-10-26 23:46:34.000000000 +1000 @@ -27,11 +27,6 @@ type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type; -ifdef(`slocate.te', ` -allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search }; -allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read }; -') - allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms }; # Transition from the user domain to this domain. diff -ru policy.tom/macros/program/lpr_macros.te policy.new/macros/program/lpr_macros.te --- policy.tom/macros/program/lpr_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/lpr_macros.te 2004-10-26 23:21:33.000000000 +1000 @@ -54,11 +54,11 @@ r_dir_file($1_lpr_t, printconf_t) ') -tmp_domain($1_lpr, `, $1_domain_file_type') +tmp_domain($1_lpr) r_dir_file($1_lpr_t, $1_tmp_t) # Type for spool files. -type $1_print_spool_t, file_type, sysadmfile, $1_domain_file_type; +type $1_print_spool_t, file_type, sysadmfile; # Use this type when creating files in /var/spool/lpd and /var/spool/cups. file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file) allow $1_lpr_t var_spool_t:dir { search }; diff -ru policy.tom/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te --- policy.tom/macros/program/screen_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/screen_macros.te 2004-10-26 23:22:33.000000000 +1000 @@ -31,7 +31,7 @@ # Transition from the user domain to this domain. domain_auto_trans($1_t, screen_exec_t, $1_screen_t) -tmp_domain($1_screen, `, $1_domain_file_type') +tmp_domain($1_screen) base_file_read_access($1_screen_t) # The user role is authorized for this domain. role $1_r types $1_screen_t; @@ -72,7 +72,7 @@ # Create fifo allow $1_screen_t var_t:dir search; file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir) -type $1_screen_var_run_t, file_type, sysadmfile, pidfile, $1_domain_file_type; +type $1_screen_var_run_t, file_type, sysadmfile, pidfile; file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) allow $1_screen_t self:process { fork signal_perms }; diff -ru policy.tom/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te --- policy.tom/macros/program/slocate_macros.te 2004-09-03 14:10:35.000000000 +1000 +++ policy.new/macros/program/slocate_macros.te 2004-10-26 23:33:57.000000000 +1000 @@ -52,8 +52,8 @@ allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms; allow $1_locate_t $1_devpts_t:chr_file rw_file_perms; -allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search }; -allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read }; +allow $1_locate_t $1_domain_file_type:dir { getattr search }; +allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read }; base_file_read_access($1_locate_t) r_dir_file($1_locate_t, { etc_t lib_t var_t }) diff -ru policy.tom/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te --- policy.tom/macros/program/ssh_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/ssh_macros.te 2004-10-26 23:46:14.000000000 +1000 @@ -115,11 +115,6 @@ r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) rw_dir_create_file($1_t, $1_home_ssh_t) -ifdef(`slocate.te', ` -allow $1_locate_t $1_home_ssh_t:dir { getattr search }; -allow $1_locate_t $1_home_ssh_t:file { getattr read }; -') - # for /bin/sh used to execute xauth dontaudit $1_ssh_t proc_t:dir search; dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; diff -ru policy.tom/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te --- policy.tom/macros/program/uml_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/uml_macros.te 2004-10-26 23:46:42.000000000 +1000 @@ -29,11 +29,6 @@ type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type; type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type; -ifdef(`slocate.te', ` -allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search }; -allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read }; -') - can_ptrace($1_t, $1_uml_t) # for X diff -ru policy.tom/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te --- policy.tom/macros/program/x_client_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/x_client_macros.te 2004-10-26 23:46:20.000000000 +1000 @@ -81,11 +81,6 @@ allow $1_t $1_$2_ro_t:fifo_file create_file_perms; allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom }; -ifdef(`slocate.te', ` -allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search }; -allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read }; -') - # Allow the user domain to send any signal to the $2 process. allow $1_t $1_$2_t:process signal_perms; diff -ru policy.tom/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te --- policy.tom/macros/program/xauth_macros.te 2004-10-26 23:20:42.000000000 +1000 +++ policy.new/macros/program/xauth_macros.te 2004-10-26 23:46:26.000000000 +1000 @@ -26,10 +26,6 @@ type $1_xauth_t, domain; type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; -ifdef(`slocate.te', ` -allow $1_locate_t $1_home_xauth_t:file { getattr read }; -') - allow $1_xauth_t self:process signal; allow $1_t $1_home_xauth_t:file { relabelfrom relabelto create_file_perms }; @@ -84,7 +80,7 @@ allow $1_xauth_t home_root_t:dir search; file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file) -tmp_domain($1_xauth, `, $1_domain_file_type') +tmp_domain($1_xauth) allow $1_xauth_t $1_tmp_t:file { getattr ioctl read }; ifdef(`nfs_home_dirs', ` [-- Attachment #3: diff --] [-- Type: text/x-diff, Size: 15166 bytes --] diff -ru policy/macros/admin_macros.te policy.new/macros/admin_macros.te --- policy/macros/admin_macros.te 2004-10-02 03:36:13.000000000 +1000 +++ policy.new/macros/admin_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -14,9 +14,12 @@ # undefine(`admin_domain') define(`admin_domain',` +# define an attribute for all files created by this role +attribute $1_domain_file_type; + # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; -type $1_home_t, file_type, sysadmfile, home_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type; +type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type; # Type and access for pty devices. can_create_pty($1) diff -ru policy/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te --- policy/macros/program/apache_macros.te 2004-10-15 14:57:20.000000000 +1000 +++ policy.new/macros/program/apache_macros.te 2004-10-26 23:19:27.000000000 +1000 @@ -18,18 +18,23 @@ file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t) ', ` +ifelse($1, sys, ` #This type is for webpages # -type httpd_$1_content_t, file_type, homedirfile, sysadmfile; -ifelse($1, sys, ` +type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type; typealias httpd_sys_content_t alias httpd_sysadm_content_t; -') # This type is used for .htaccess files # type httpd_$1_htaccess_t, file_type, sysadmfile; type httpd_$1_script_exec_t, file_type, sysadmfile; +', ` +# same as above, add $1_domain_file_type attribute +type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; +type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type; +') # Type that CGI scripts run as type httpd_$1_script_t, domain, privmail; @@ -69,20 +74,20 @@ uncond_can_ypbind(httpd_$1_script_t) } ') + +ifelse($1, `sys', ` # The following are the only areas that # scripts can read, read/write, or append to # -type httpd_$1_script_ro_t, file_type, sysadmfile; -type httpd_$1_script_rw_t, file_type, sysadmfile; +type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type; +type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type; +type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type; +', ` +type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type; +') file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) -type httpd_$1_script_ra_t, file_type, sysadmfile; - -ifdef(`slocate.te', ` -ifelse($1, `sys', `', ` -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search }; -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read }; -')dnl end ifelse -')dnl end slocate.te ######################################################### # Permissions for running child processes and scripts diff -ru policy/macros/program/fingerd_macros.te policy.new/macros/program/fingerd_macros.te --- policy/macros/program/fingerd_macros.te 2003-08-14 22:37:36.000000000 +1000 +++ policy.new/macros/program/fingerd_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -10,6 +10,6 @@ # allow fingerd to create a fingerlog file in the user home dir # define(`fingerd_macro', ` -type $1_home_fingerlog_t, file_type, sysadmfile; +type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type; file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) ') diff -ru policy/macros/program/gpg_agent_macros.te policy.new/macros/program/gpg_agent_macros.te --- policy/macros/program/gpg_agent_macros.te 2004-09-21 14:39:17.000000000 +1000 +++ policy.new/macros/program/gpg_agent_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -58,7 +58,7 @@ allow $1_gpg_agent_t self:fifo_file { getattr read write }; # create /tmp files -tmp_domain($1_gpg_agent) +tmp_domain($1_gpg_agent, `, $1_domain_file_type') # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search }; diff -ru policy/macros/program/gpg_macros.te policy.new/macros/program/gpg_macros.te --- policy/macros/program/gpg_macros.te 2004-08-28 12:05:12.000000000 +1000 +++ policy.new/macros/program/gpg_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -25,7 +25,7 @@ allow $1_t self:capability { setuid }; ', ` type $1_gpg_t, domain, privlog; -type $1_gpg_secret_t, file_type, homedirfile, sysadmfile; +type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ')dnl end ifdef single_userdomain # Transition from the user domain to the derived domain. diff -ru policy/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te --- policy/macros/program/irc_macros.te 2004-03-27 00:46:45.000000000 +1100 +++ policy.new/macros/program/irc_macros.te 2004-10-26 23:46:34.000000000 +1000 @@ -24,13 +24,8 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_irc_t, domain; -type $1_home_irc_t, file_type, homedirfile, sysadmfile; -type $1_irc_exec_t, file_type, sysadmfile; - -ifdef(`slocate.te', ` -allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search }; -allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read }; -') +type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; +type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type; allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms }; diff -ru policy/macros/program/rssh_macros.te policy.new/macros/program/rssh_macros.te --- policy/macros/program/rssh_macros.te 2004-09-23 22:31:25.000000000 +1000 +++ policy.new/macros/program/rssh_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -19,8 +19,8 @@ role rssh_$1_r types rssh_$1_t; allow system_r rssh_$1_r; -type rssh_$1_rw_t, file_type, sysadmfile; -type rssh_$1_ro_t, file_type, sysadmfile; +type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type; +type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type; general_domain_access(rssh_$1_t); uses_shlib(rssh_$1_t); diff -ru policy/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te --- policy/macros/program/screen_macros.te 2004-10-02 03:36:13.000000000 +1000 +++ policy.new/macros/program/screen_macros.te 2004-10-26 23:22:33.000000000 +1000 @@ -26,7 +26,7 @@ typealias $1_home_t alias $1_home_screen_t; ', ` type $1_screen_t, domain, privlog, privfd; -type $1_home_screen_t, file_type, homedirfile, sysadmfile; +type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; # Transition from the user domain to this domain. domain_auto_trans($1_t, screen_exec_t, $1_screen_t) diff -ru policy/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te --- policy/macros/program/slocate_macros.te 2004-09-03 14:10:35.000000000 +1000 +++ policy.new/macros/program/slocate_macros.te 2004-10-26 23:33:57.000000000 +1000 @@ -52,8 +52,8 @@ allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms; allow $1_locate_t $1_devpts_t:chr_file rw_file_perms; -allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search }; -allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read }; +allow $1_locate_t $1_domain_file_type:dir { getattr search }; +allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read }; base_file_read_access($1_locate_t) r_dir_file($1_locate_t, { etc_t lib_t var_t }) diff -ru policy/macros/program/spamassassin_macros.te policy.new/macros/program/spamassassin_macros.te --- policy/macros/program/spamassassin_macros.te 2004-10-14 10:10:03.000000000 +1000 +++ policy.new/macros/program/spamassassin_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -80,7 +80,7 @@ dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; # The type of ~/.spamassassin -type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile; +type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; create_dir_file($1_t, $1_home_spamassassin_t) allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto }; allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto }; diff -ru policy/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te --- policy/macros/program/ssh_macros.te 2004-10-15 14:57:20.000000000 +1000 +++ policy.new/macros/program/ssh_macros.te 2004-10-26 23:46:14.000000000 +1000 @@ -26,7 +26,7 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_ssh_t, domain, privlog; -type $1_home_ssh_t, file_type, homedirfile, sysadmfile; +type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ifdef(`automount.te', ` allow $1_ssh_t autofs_t:dir { search getattr }; @@ -115,11 +115,6 @@ r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) rw_dir_create_file($1_t, $1_home_ssh_t) -ifdef(`slocate.te', ` -allow $1_locate_t $1_home_ssh_t:dir { getattr search }; -allow $1_locate_t $1_home_ssh_t:file { getattr read }; -') - # for /bin/sh used to execute xauth dontaudit $1_ssh_t proc_t:dir search; dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; diff -ru policy/macros/program/tvtime_macros.te policy.new/macros/program/tvtime_macros.te --- policy/macros/program/tvtime_macros.te 2004-10-06 04:52:36.000000000 +1000 +++ policy.new/macros/program/tvtime_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -19,7 +19,7 @@ ifdef(`tvtime.te', ` define(`tvtime_domain',` # Derived domain based on the calling user domain and the program. -type $1_home_tvtime_t, file_type, homedirfile, sysadmfile; +type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; x_client_domain($1, tvtime) diff -ru policy/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te --- policy/macros/program/uml_macros.te 2004-07-13 09:08:07.000000000 +1000 +++ policy.new/macros/program/uml_macros.te 2004-10-26 23:46:42.000000000 +1000 @@ -25,14 +25,9 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_uml_t, domain; -type $1_uml_exec_t, file_type, sysadmfile; -type $1_uml_ro_t, file_type, sysadmfile; -type $1_uml_rw_t, file_type, sysadmfile; - -ifdef(`slocate.te', ` -allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search }; -allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read }; -') +type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type; +type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type; +type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type; can_ptrace($1_t, $1_uml_t) diff -ru policy/macros/program/vmware_macros.te policy.new/macros/program/vmware_macros.te --- policy/macros/program/vmware_macros.te 2004-09-25 01:42:14.000000000 +1000 +++ policy.new/macros/program/vmware_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -23,10 +23,10 @@ role $1_r types $1_vmware_t; # The user file type is for files created when the user is running VMWare -type $1_vmware_file_t, homedirfile, file_type, sysadmfile; +type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type; # The user file type for the VMWare configuration files -type $1_vmware_conf_t, homedirfile, file_type, sysadmfile; +type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type; # for compatibility with older policy versions typealias $1_vmware_t alias vmware_$1_t; diff -ru policy/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te --- policy/macros/program/x_client_macros.te 2004-09-11 16:21:48.000000000 +1000 +++ policy.new/macros/program/x_client_macros.te 2004-10-26 23:46:20.000000000 +1000 @@ -30,9 +30,9 @@ ', ` type $1_$2_t, domain $3; # Type for files that are writeable by this domain. -type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile; +type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type; # Type for files that are read-only for this domain -type $1_$2_ro_t, file_type, homedirfile, sysadmfile; +type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ') # Transition from the user domain to the derived domain. @@ -81,11 +81,6 @@ allow $1_t $1_$2_ro_t:fifo_file create_file_perms; allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom }; -ifdef(`slocate.te', ` -allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search }; -allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read }; -') - # Allow the user domain to send any signal to the $2 process. allow $1_t $1_$2_t:process signal_perms; diff -ru policy/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te --- policy/macros/program/xauth_macros.te 2004-06-17 15:10:45.000000000 +1000 +++ policy.new/macros/program/xauth_macros.te 2004-10-26 23:46:26.000000000 +1000 @@ -24,11 +24,7 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_xauth_t, domain; -type $1_home_xauth_t, file_type, homedirfile, sysadmfile; - -ifdef(`slocate.te', ` -allow $1_locate_t $1_home_xauth_t:file { getattr read }; -') +type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; allow $1_xauth_t self:process signal; diff -ru policy/macros/user_macros.te policy.new/macros/user_macros.te --- policy/macros/user_macros.te 2004-10-20 09:31:18.000000000 +1000 +++ policy.new/macros/user_macros.te 2004-10-27 00:20:47.000000000 +1000 @@ -23,16 +23,16 @@ ')dnl end single_userdomain # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type; -type $1_home_t, file_type, sysadmfile, home_type, user_home_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type; +type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type; -tmp_domain($1, `, user_tmpfile') +tmp_domain($1, `, user_tmpfile, $1_domain_file_type') # Type and access for pty devices. -can_create_pty($1, `, userpty_type, user_tty_type') +can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type') #Type for tty devices. -type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs; +type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type; base_user_domain($1) @@ -135,6 +135,9 @@ # user_t/$1_t is an unprivileged users domain. type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; +# define an attribute for all files created by this role +attribute $1_domain_file_type; + # Grant read/search permissions to some of /proc. allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:{ file lnk_file } r_file_perms; ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Adding alternate root patch to restorecon (setfiles?) 2004-10-26 14:36 ` Russell Coker @ 2004-11-05 21:39 ` James Carter 2004-11-10 23:11 ` Patches without the can_network patch Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-11-05 21:39 UTC (permalink / raw) To: Russell Coker; +Cc: Thomas Bleher, SELinux I haven't forgotten about this patch. I will probably be working on merging it Monday, without the restorecon stuff at first. The $1_domain_file_type attribute is an interesting idea, although the name is rather long. This patch came just before I merged Dan's patch that added a httpdcontent attribute, so some changes will be needed to this patch. On Tue, 2004-10-26 at 10:36, Russell Coker wrote: > On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> > wrote: > > OK, what do you guys think about the following patch: > > It adds an attribute $1_domain_file_type, so all file types from derived > > user domains can be grouped together. It also adds a restorecon_domain() > > macro, so users can call restorecon to reset the labels on their files. > > I've attached a patch named "tom.diff" which applies after your patch to tweak > a few things. The new attribute allows a better way of dealing with the > locate policy so I changed it appropriately. I added some use of > sysadm_domain_file_type. Some of the types you had given the attribute > $1_domain_file_type seemed inappropriate, this includes the print spool type, > some temporary files, and files under /var/run. > > Whether we have the user_restorecon_t domain etc is something that needs more > consideration. The attached patch named "diff" has the user_domain_file_type > stuff from your patch with my amendments but none of the restorecon changes. > I think that "diff" is worthy of being included in CVS regardless of what we > do with restorecon. -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Patches without the can_network patch. 2004-11-05 21:39 ` James Carter @ 2004-11-10 23:11 ` Daniel J Walsh 2004-11-17 20:15 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-11-10 23:11 UTC (permalink / raw) To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux [-- Attachment #1: Type: text/plain, Size: 394 bytes --] Removal of alot of kerberos and can_ypbind calls. (Centralized under the auth call). Several apache fixes to make squirrelmail work as well as mod_perl and mod_python. Fixes to dovecot to get it to work with squirrelmail Fixes to hal to allow it to create a chr_file device for pcmcia card communication. Added lockdev policy Fixes for mailman policy A few more nscd_client_domains [-- Attachment #2: policy-small.patch --] [-- Type: text/x-patch, Size: 48748 bytes --] diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.1/domains/program/crond.te --- nsapolicy/domains/program/crond.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/crond.te 2004-11-10 17:30:03.409889426 -0500 @@ -23,7 +23,6 @@ # Type for temporary files. tmp_domain(crond) -can_ypbind(crond_t) crond_domain(system) @@ -114,6 +113,8 @@ # Use capabilities. allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid }; +allow crond_t urandom_device_t:chr_file { getattr read }; + # Read the system crontabs. allow system_crond_t system_cron_spool_t:file r_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.1/domains/program/initrc.te --- nsapolicy/domains/program/initrc.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/initrc.te 2004-11-10 17:30:03.410889314 -0500 @@ -303,8 +303,8 @@ ') # for lsof in shutdown scripts -allow initrc_t krb5_conf_t:file read; -dontaudit initrc_t krb5_conf_t:file write; +can_kerberos(initrc_t) + # # Wants to remove udev.tbl # diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.1/domains/program/login.te --- nsapolicy/domains/program/login.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/login.te 2004-11-10 17:30:03.411889201 -0500 @@ -117,8 +117,6 @@ allow $1_login_t mail_spool_t:file getattr; allow $1_login_t mail_spool_t:lnk_file read; -dontaudit $1_login_t krb5_conf_t:file write; -allow $1_login_t krb5_conf_t:file { getattr read }; # Get security policy decisions. can_getsecurity($1_login_t) @@ -127,8 +125,6 @@ allow $1_login_t default_context_t:dir search; r_dir_file($1_login_t, selinux_config_t) -can_ypbind($1_login_t) - allow $1_login_t mouse_device_t:chr_file { getattr setattr }; dontaudit $1_login_t init_t:fd use; ')dnl end login_domain macro diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.19.1/domains/program/ssh.te --- nsapolicy/domains/program/ssh.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/ssh.te 2004-11-10 17:34:01.995972995 -0500 @@ -70,9 +70,8 @@ can_network($1_t) -allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; +allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow $1_t { home_root_t home_dir_type }:dir { search getattr }; -can_ypbind($1_t) if (use_nfs_home_dirs) { ifdef(`automount.te', ` allow $1_t autofs_t:dir { search getattr }; @@ -213,8 +212,6 @@ ifdef(`automount.te', ` allow sshd_t autofs_t:dir search; ') -dontaudit sshd_t krb5_conf_t:file write; -allow sshd_t krb5_conf_t:file { getattr read }; # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.19.1/domains/program/syslogd.te --- nsapolicy/domains/program/syslogd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/syslogd.te 2004-11-10 17:34:55.342954578 -0500 @@ -96,4 +96,4 @@ dontaudit syslogd_t file_t:dir search; allow syslogd_t { tmpfs_t devpts_t }:dir search; dontaudit syslogd_t unlabeled_t:file read; -dontaudit syslogd_t devpts_t:chr_file getattr; +dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.19.1/domains/program/unused/anaconda.te --- nsapolicy/domains/program/unused/anaconda.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/anaconda.te 2004-11-10 17:30:03.411889201 -0500 @@ -242,8 +242,7 @@ ifdef(`udev.te', ` domain_auto_trans(anaconda_t, udev_exec_t, udev_t) ') -allow anaconda_t krb5_conf_t:file read; -dontaudit anaconda_t krb5_conf_t:file write; +can_kerberos(anaconda_t) ifdef(`ssh-agent.te', ` role system_r types sysadm_ssh_agent_t; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.1/domains/program/unused/apache.te --- nsapolicy/domains/program/unused/apache.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/apache.te 2004-11-10 17:56:47.888877824 -0500 @@ -133,6 +133,7 @@ # execute perl allow httpd_t { bin_t sbin_t }:dir r_dir_perms; can_exec(httpd_t, { bin_t sbin_t }) +allow httpd_t bin_t:lnk_file read; can_network(httpd_t) can_ypbind(httpd_t) @@ -201,6 +202,10 @@ if (httpd_ssi_exec) { domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t) } +r_dir_file(httpd_t, httpd_sys_script_ro_t) +create_dir_file(httpd_t, httpd_sys_script_rw_t) +ra_dir_file(httpd_t, httpd_sys_script_ra_t) +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; ################################################## # @@ -269,8 +274,7 @@ ################################################## dontaudit httpd_t admin_tty_type:chr_file rw_file_perms; -allow httpd_t krb5_conf_t:file { getattr read }; -dontaudit httpd_t krb5_conf_t:file write; +can_kerberos(httpd_t) ifdef(`targeted_policy', ` typealias httpd_sys_content_t alias httpd_user_content_t; @@ -298,5 +302,13 @@ # Customer reported the following # ifdef(`snmpd.te', ` +dontaudit httpd_t snmpd_var_lib_t:dir search; dontaudit httpd_t snmpd_var_lib_t:file { getattr write read }; ') + +# Running squirrelmail requires this permissions +ifdef(`mta.te', ` +allow system_mail_t httpd_log_t:file { append getattr }; +allow system_mail_t httpd_sys_script_rw_t:file { append read }; +allow system_mail_t httpd_t:tcp_socket { read write }; +') diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.1/domains/program/unused/arpwatch.te --- nsapolicy/domains/program/unused/arpwatch.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.1/domains/program/unused/arpwatch.te 2004-11-10 17:30:03.412889088 -0500 @@ -27,6 +27,7 @@ allow arpwatch_t sbin_t:dir search; allow arpwatch_t sbin_t:lnk_file read; +r_dir_file(arpwatch_t, etc_t) can_ypbind(arpwatch_t) allow system_mail_t arpwatch_tmp_t:file rw_file_perms; ifdef(`postfix.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.19.1/domains/program/unused/bluetooth.te --- nsapolicy/domains/program/unused/bluetooth.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.1/domains/program/unused/bluetooth.te 2004-11-10 17:30:03.412889088 -0500 @@ -22,7 +22,10 @@ # Use the network. can_network(bluetooth_t) can_ypbind(bluetooth_t) +ifdef(`dbusd.te', ` dbusd_client(system, bluetooth) +allow bluetooth_t system_dbusd_t:dbus send_msg; +') allow bluetooth_t self:socket { create setopt ioctl bind listen }; allow bluetooth_t self:unix_dgram_socket create_socket_perms; allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.19.1/domains/program/unused/courier.te --- nsapolicy/domains/program/unused/courier.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.1/domains/program/unused/courier.te 2004-11-10 17:30:03.413888975 -0500 @@ -47,7 +47,6 @@ # Use the network. can_network(courier_$1_t) -can_ypbind(courier_$1_t) allow courier_$1_t self:fifo_file { read write getattr }; allow courier_$1_t self:unix_stream_socket create_stream_socket_perms; allow courier_$1_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.1/domains/program/unused/cups.te --- nsapolicy/domains/program/unused/cups.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/cups.te 2004-11-10 17:36:49.019130037 -0500 @@ -19,7 +19,6 @@ typealias cupsd_rw_etc_t alias etc_cupsd_rw_t; can_network(cupsd_t) -can_ypbind(cupsd_t) logdir_domain(cupsd) tmp_domain(cupsd) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.19.1/domains/program/unused/dovecot.te --- nsapolicy/domains/program/unused/dovecot.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/dovecot.te 2004-11-10 17:38:35.374131445 -0500 @@ -31,10 +31,14 @@ allow dovecot_t { self proc_t }:file { getattr read }; allow dovecot_t self:fifo_file rw_file_perms; -dontaudit dovecot_t krb5_conf_t:file write; -allow dovecot_t krb5_conf_t:file { getattr read }; +can_kerberos(dovecot_t) -daemon_sub_domain(dovecot_t, dovecot_auth, `, auth') +allow dovecot_t tmp_t:dir search; +rw_dir_file(dovecot_t, mail_spool_t) +allow dovecot_t mail_spool_t:lnk_file read; +allow dovecot_t var_spool_t:dir { search }; + +daemon_sub_domain(dovecot_t, dovecot_auth, `, auth, auth_chkpwd') allow dovecot_auth_t self:process { fork signal_perms }; allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; @@ -47,3 +51,5 @@ allow dovecot_auth_t sysctl_kernel_t:dir search; allow dovecot_auth_t sysctl_kernel_t:file read; allow dovecot_auth_t sysctl_t:dir search; +dontaudit dovecot_auth_t selinux_config_t:dir search; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.19.1/domains/program/unused/ftpd.te --- nsapolicy/domains/program/unused/ftpd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/ftpd.te 2004-11-10 17:39:19.706130067 -0500 @@ -16,7 +16,6 @@ typealias ftpd_etc_t alias etc_ftpd_t; can_network(ftpd_t) -can_ypbind(ftpd_t) allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_socket_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; @@ -85,9 +84,7 @@ allow ftpd_t proc_t:file { getattr read }; dontaudit ftpd_t sysadm_home_dir_t:dir getattr; -dontaudit ftpd_t krb5_conf_t:file write; dontaudit ftpd_t selinux_config_t:dir search; -allow ftpd_t krb5_conf_t:file { getattr read }; ifdef(`automount.te', ` allow ftpd_t autofs_t:dir search; ') diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.19.1/domains/program/unused/hald.te --- nsapolicy/domains/program/unused/hald.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/hald.te 2004-11-10 17:40:15.314856488 -0500 @@ -31,12 +31,13 @@ allow hald_t bin_t:file getattr; allow hald_t self:netlink_route_socket r_netlink_socket_perms; -allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search }; +allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; can_network(hald_t) can_ypbind(hald_t) allow hald_t device_t:lnk_file read; allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl }; +allow hald_t removable_device_t:blk_file write; allow hald_t event_device_t:chr_file { getattr read ioctl }; allow hald_t printer_device_t:chr_file rw_file_perms; allow hald_t urandom_device_t:chr_file read; @@ -64,3 +65,7 @@ allow hald_t initrc_t:dbus send_msg; allow initrc_t hald_t:dbus send_msg; allow hald_t etc_runtime_t:file rw_file_perms; +allow hald_t var_lib_t:dir search; +allow hald_t device_t:dir create_dir_perms; +allow hald_t device_t:chr_file create_file_perms; +tmp_domain(hald) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lockdev.te policy-1.19.1/domains/program/unused/lockdev.te --- nsapolicy/domains/program/unused/lockdev.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.1/domains/program/unused/lockdev.te 2004-11-10 17:59:50.581267119 -0500 @@ -0,0 +1,11 @@ +#DESC Lockdev - libblockdev helper application +# +# Authors: Daniel Walsh <dwalsh@redhat.com> +# + + +# Type for the lockdev +type lockdev_exec_t, file_type, sysadmfile, exec_type; + +# Everything else is in the lockdev_domain macro in +# macros/program/lockdev_macros.te. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.19.1/domains/program/unused/mailman.te --- nsapolicy/domains/program/unused/mailman.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/mailman.te 2004-11-10 17:44:21.526079815 -0500 @@ -20,7 +20,7 @@ can_exec_any(mailman_$1_t) allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search; allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr }; -allow mailman_$1_t var_lib_t:dir { getattr search }; +allow mailman_$1_t var_lib_t:dir { getattr search read }; allow mailman_$1_t var_lib_t:lnk_file read; allow mailman_$1_t device_t:dir search; allow mailman_$1_t etc_runtime_t:file { read getattr }; @@ -29,7 +29,6 @@ allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; allow mailman_$1_t fs_t:filesystem getattr; can_network(mailman_$1_t) -can_ypbind(mailman_$1_t) allow mailman_$1_t self:unix_stream_socket create_socket_perms; allow mailman_$1_t var_t:dir r_dir_perms; ') @@ -72,8 +71,9 @@ domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t) # should have separate types for public and private archives r_dir_file(httpd_t, mailman_archive_t) -allow httpd_t mailman_data_t:dir search; -r_dir_file(mailman_cgi_t, mailman_archive_t) +rw_dir_file(mailman_cgi_t, mailman_archive_t) +allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms; +allow httpd_t mailman_data_t:dir { getattr search }; dontaudit mailman_cgi_t httpd_log_t:file append; allow httpd_t mailman_cgi_t:process signal; @@ -83,6 +83,8 @@ allow mailman_cgi_t httpd_sys_script_t:dir search; allow mailman_cgi_t devtty_t:chr_file { read write }; allow mailman_cgi_t self:process { fork sigchld }; +allow mailman_cgi_t var_spool_t:dir search; +dontaudit mailman_cgi_t src_t:dir search; ') allow mta_delivery_agent mailman_data_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.1/domains/program/unused/ntpd.te --- nsapolicy/domains/program/unused/ntpd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/ntpd.te 2004-11-10 17:45:02.917410193 -0500 @@ -12,7 +12,10 @@ type ntp_drift_t, file_type, sysadmfile; type ntp_port_t, port_type, reserved_port_type; +type ntpdate_exec_t, file_type, sysadmfile, exec_type; +domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t) + logdir_domain(ntpd) allow ntpd_t var_lib_t:dir r_dir_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.19.1/domains/program/unused/ping.te --- nsapolicy/domains/program/unused/ping.te 2004-06-16 13:33:36.000000000 -0400 +++ policy-1.19.1/domains/program/unused/ping.te 2004-11-10 17:45:38.999339558 -0500 @@ -54,4 +54,6 @@ # it tries to access /var/run dontaudit ping_t var_t:dir search; +dontaudit ping_t devtty_t:chr_file { read write }; +dontaudit ping_t ping_t:capability sys_tty_config; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.1/domains/program/unused/postgresql.te --- nsapolicy/domains/program/unused/postgresql.te 2004-10-13 22:41:57.000000000 -0400 +++ policy-1.19.1/domains/program/unused/postgresql.te 2004-11-10 17:46:14.180370560 -0500 @@ -13,6 +13,7 @@ type postgresql_port_t, port_type; daemon_domain(postgresql) allow initrc_t postgresql_exec_t:lnk_file read; +allow postgresql_t usr_t:file { getattr read }; allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.19.1/domains/program/unused/procmail.te --- nsapolicy/domains/program/unused/procmail.te 2004-10-13 22:41:57.000000000 -0400 +++ policy-1.19.1/domains/program/unused/procmail.te 2004-11-10 17:30:03.458883899 -0500 @@ -11,7 +11,7 @@ # procmail_exec_t is the type of the procmail executable. # # privhome only works until we define a different type for maildir -type procmail_t, domain, privlog, privhome; +type procmail_t, domain, privlog, privhome, nscd_client_domain; type procmail_exec_t, file_type, sysadmfile, exec_type; role system_r types procmail_t; @@ -70,8 +70,9 @@ ifdef(`sendmail.te', ` r_dir_file(procmail_t, etc_mail_t) +allow procmail_t sendmail_t:tcp_socket { read write }; ') ifdef(`hide_broken_symptoms', ` -dontaudit procmail_t mqueue_spool_t:file { getattr read }; +dontaudit procmail_t mqueue_spool_t:file { getattr read write }; ') diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.19.1/domains/program/unused/rlogind.te --- nsapolicy/domains/program/unused/rlogind.te 2004-10-19 16:03:06.000000000 -0400 +++ policy-1.19.1/domains/program/unused/rlogind.te 2004-11-10 17:30:03.459883786 -0500 @@ -14,7 +14,6 @@ role system_r types rlogind_t; uses_shlib(rlogind_t) can_network(rlogind_t) -can_ypbind(rlogind_t) type rlogind_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t) ifdef(`tcpd.te', ` @@ -75,8 +74,6 @@ # Modify /var/log/wtmp. allow rlogind_t var_log_t:dir search; allow rlogind_t wtmp_t:file rw_file_perms; -allow rlogind_t krb5_conf_t:file { getattr read }; -dontaudit rlogind_t krb5_conf_t:file write; allow rlogind_t urandom_device_t:chr_file { getattr read }; dontaudit rlogind_t selinux_config_t:dir search; allow rlogind_t staff_home_dir_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.19.1/domains/program/unused/rshd.te --- nsapolicy/domains/program/unused/rshd.te 2004-10-19 16:03:06.000000000 -0400 +++ policy-1.19.1/domains/program/unused/rshd.te 2004-11-10 17:30:03.459883786 -0500 @@ -31,8 +31,9 @@ allow rshd_t self:unix_dgram_socket create_socket_perms; allow rshd_t self:unix_stream_socket create_stream_socket_perms; allow rshd_t { home_root_t home_dir_type }:dir { search getattr }; -allow rshd_t krb5_conf_t:file { getattr read }; -dontaudit rshd_t krb5_conf_t:file write; +can_kerberos(rshd_t) allow rshd_t tmp_t:dir { search }; +ifdef(`rlogind.te', ` allow rshd_t rlogind_tmp_t:file rw_file_perms; +') allow rshd_t urandom_device_t:chr_file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.19.1/domains/program/unused/samba.te --- nsapolicy/domains/program/unused/samba.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.1/domains/program/unused/samba.te 2004-11-10 17:30:03.460883673 -0500 @@ -49,7 +49,6 @@ # Use the network. can_network(smbd_t) -can_ypbind(smbd_t) allow smbd_t urandom_device_t:chr_file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.19.1/domains/program/unused/swat.te --- nsapolicy/domains/program/unused/swat.te 2004-10-06 09:18:32.000000000 -0400 +++ policy-1.19.1/domains/program/unused/swat.te 2004-11-10 17:30:03.460883673 -0500 @@ -2,6 +2,7 @@ # # Author: Dan Walsh <dwalsh@redhat.com> # +# Depends: inetd.te ################################# # diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.19.1/domains/program/unused/uwimapd.te --- nsapolicy/domains/program/unused/uwimapd.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/domains/program/unused/uwimapd.te 2004-11-10 17:30:03.461883561 -0500 @@ -9,7 +9,6 @@ tmp_domain(imapd) can_network(imapd_t) -can_ypbind(imapd_t) #declare our own services allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.19.1/domains/program/unused/xdm.te --- nsapolicy/domains/program/unused/xdm.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/domains/program/unused/xdm.te 2004-11-10 17:47:38.531854326 -0500 @@ -46,7 +46,6 @@ allow xdm_t default_context_t:file { read getattr }; can_network(xdm_t) -can_ypbind(xdm_t) allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xdm_t self:unix_dgram_socket create_socket_perms; allow xdm_t self:fifo_file rw_file_perms; @@ -287,7 +286,7 @@ } # for .dmrc -allow xdm_t user_home_dir_type:dir search; +allow xdm_t user_home_dir_type:dir { getattr search }; allow xdm_t user_home_type:file { getattr read }; allow xdm_t mnt_t:dir { getattr read search }; @@ -309,8 +308,6 @@ ') allow xdm_t var_log_t:file read; -dontaudit xdm_t krb5_conf_t:file write; -allow xdm_t krb5_conf_t:file { getattr read }; allow xdm_t self:capability { sys_nice sys_rawio net_bind_service }; allow xdm_t self:process setrlimit; allow xdm_t wtmp_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.1/domains/program/unused/ypbind.te --- nsapolicy/domains/program/unused/ypbind.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/domains/program/unused/ypbind.te 2004-11-10 17:47:51.590381109 -0500 @@ -12,8 +12,6 @@ # daemon_domain(ypbind) -bool allow_ypbind true; - tmp_domain(ypbind) # Use capabilities. diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.1/domains/user.te --- nsapolicy/domains/user.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.1/domains/user.te 2004-11-10 17:30:03.462883448 -0500 @@ -15,6 +15,9 @@ # and may change other protocols bool user_tcp_server false; +# Allow system to run with NIS +bool allow_ypbind false; + # Allow users to rw usb devices bool user_rw_usb false; diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.1/file_contexts/program/apache.fc --- nsapolicy/file_contexts/program/apache.fc 2004-10-14 23:25:19.000000000 -0400 +++ policy-1.19.1/file_contexts/program/apache.fc 2004-11-10 17:30:03.463883335 -0500 @@ -37,3 +37,4 @@ # suse puts shell scripts there :-( /usr/share/apache2/.* -- system_u:object_r:bin_t ') +/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_sys_script_rw_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bootloader.fc policy-1.19.1/file_contexts/program/bootloader.fc --- nsapolicy/file_contexts/program/bootloader.fc 2004-08-18 08:42:50.000000000 -0400 +++ policy-1.19.1/file_contexts/program/bootloader.fc 2004-11-10 17:30:03.463883335 -0500 @@ -9,4 +9,3 @@ /etc/mkinitrd/scripts/.* -- system_u:object_r:bootloader_exec_t /sbin/ybin.* -- system_u:object_r:bootloader_exec_t /etc/yaboot\.conf.* -- system_u:object_r:bootloader_etc_t -/boot/grub/menu.lst -- system_u:object_r:boot_runtime_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lockdev.fc policy-1.19.1/file_contexts/program/lockdev.fc --- nsapolicy/file_contexts/program/lockdev.fc 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.1/file_contexts/program/lockdev.fc 2004-11-10 17:30:03.464883222 -0500 @@ -0,0 +1,2 @@ +# lockdev +/usr/sbin/lockdev -- system_u:object_r:lockdev_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.19.1/file_contexts/program/ntpd.fc --- nsapolicy/file_contexts/program/ntpd.fc 2004-10-09 21:06:15.000000000 -0400 +++ policy-1.19.1/file_contexts/program/ntpd.fc 2004-11-10 17:30:03.464883222 -0500 @@ -3,7 +3,7 @@ /etc/ntp(d)?\.conf -- system_u:object_r:net_conf_t /etc/ntp/step-tickers -- system_u:object_r:net_conf_t /usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t -/usr/sbin/ntpdate -- system_u:object_r:ntpd_exec_t +/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t /var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t /var/log/ntpd.* -- system_u:object_r:ntpd_log_t /var/log/xntpd.* -- system_u:object_r:ntpd_log_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.1/file_contexts/types.fc --- nsapolicy/file_contexts/types.fc 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/file_contexts/types.fc 2004-11-10 17:30:03.465883109 -0500 @@ -111,7 +111,6 @@ # /boot(/.*)? system_u:object_r:boot_t /boot/System\.map-.* -- system_u:object_r:system_map_t -/boot/kernel\.h.* -- system_u:object_r:boot_runtime_t # # /dev diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.1/macros/admin_macros.te --- nsapolicy/macros/admin_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/admin_macros.te 2004-11-10 17:30:03.466882997 -0500 @@ -17,6 +17,7 @@ # Type for home directory. type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; type $1_home_t, file_type, sysadmfile, home_type; +attribute $1_homedirfile; # Type and access for pty devices. can_create_pty($1) @@ -106,6 +107,7 @@ allow $1_t tty_device_t:chr_file rw_file_perms; allow $1_t ttyfile:chr_file rw_file_perms; allow $1_t ptyfile:chr_file rw_file_perms; +allow $1_t serial_device:chr_file setattr; # allow setting up tunnels allow $1_t tun_tap_device_t:chr_file rw_file_perms; @@ -155,6 +157,7 @@ allow xdm_t $1_home_t:lnk_file read; allow xdm_t $1_home_t:dir search; } +allow $1_t xdm_t:fifo_file rw_file_perms; ')dnl end ifdef xauth.te ')dnl end ifdef xdm.te diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.1/macros/base_user_macros.te --- nsapolicy/macros/base_user_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/base_user_macros.te 2004-11-10 17:48:49.047898957 -0500 @@ -197,6 +197,12 @@ can_network($1_t) can_ypbind($1_t) +ifdef(`pamconsole.te', ` +allow $1_t pam_var_console_t:dir search; +') + +allow $1_t var_lock_t:dir search; + # Grant permissions to access the system DBus ifdef(`dbusd.te', ` dbusd_client(system, $1) @@ -269,7 +275,8 @@ allow $1_t xdm_xserver_tmp_t:sock_file { read write }; allow $1_t xdm_xserver_tmp_t:dir search; allow $1_t xdm_xserver_t:unix_stream_socket connectto; -allow $1_t xdm_var_run_t:dir search; +# certain apps want to read xdm.pid file +r_dir_file($1_t, xdm_var_run_t) allow $1_t xdm_var_lib_t:file { getattr read }; allow xdm_t $1_home_dir_t:dir getattr; ifdef(`xauth.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.1/macros/global_macros.te --- nsapolicy/macros/global_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/global_macros.te 2004-11-10 17:49:34.622757364 -0500 @@ -271,6 +271,7 @@ define(`daemon_core_rules', ` type $1_t, domain, privlog, daemon $2; type $1_exec_t, file_type, sysadmfile, exec_type; +dontaudit $1_t self:capability sys_tty_config; role system_r types $1_t; diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.1/macros/network_macros.te --- nsapolicy/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.1/macros/network_macros.te 2004-11-10 17:50:28.419688186 -0500 @@ -0,0 +1,5 @@ +define(`can_kerberos',` +can_network($1) +dontaudit $1 krb5_conf_t:file write; +allow $1 krb5_conf_t:file { getattr read }; +') diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.1/macros/program/apache_macros.te --- nsapolicy/macros/program/apache_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/apache_macros.te 2004-11-10 17:30:03.467882884 -0500 @@ -3,7 +3,7 @@ #This type is for webpages # -type httpd_$1_content_t, file_type, homedirfile, httpdcontent, sysadmfile; +type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_homedirfile, ') httpdcontent, sysadmfile; ifelse($1, sys, ` typealias httpd_sys_content_t alias httpd_sysadm_content_t; ') @@ -17,7 +17,7 @@ type httpd_$1_script_exec_t, file_type, sysadmfile; # Type that CGI scripts run as -type httpd_$1_script_t, domain, privmail; +type httpd_$1_script_t, domain, privmail, nscd_client_domain; role system_r types httpd_$1_script_t; if (httpd_enable_cgi) { @@ -91,7 +91,7 @@ ######################################################################### can_exec(httpd_$1_script_t, { bin_t shell_exec_t }) allow httpd_$1_script_t { bin_t sbin_t }:dir { getattr search }; -allow httpd_$1_script_t bin_t:lnk_file read; +allow httpd_$1_script_t { sbin_t bin_t }:lnk_file read; allow httpd_$1_script_t etc_t:file { getattr read }; ############################################################################ @@ -178,6 +178,6 @@ ############################################ # Allow scripts to append to http logs ######################################### -allow httpd_$1_script_t httpd_log_t:file append; +allow httpd_$1_script_t httpd_log_t:file { getattr append }; ') diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.19.1/macros/program/chkpwd_macros.te --- nsapolicy/macros/program/chkpwd_macros.te 2004-10-09 21:06:15.000000000 -0400 +++ policy-1.19.1/macros/program/chkpwd_macros.te 2004-11-10 17:54:43.803876651 -0500 @@ -15,19 +15,22 @@ ifdef(`chkpwd.te', ` define(`chkpwd_domain',` # Derived domain based on the calling user domain and the program. -type $1_chkpwd_t, domain, privlog, auth; +type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth; # is_selinux_enabled allow $1_chkpwd_t proc_t:file read; can_getcon($1_chkpwd_t) can_ypbind($1_chkpwd_t) +can_kerberos($1_chkpwd_t) # Transition from the user domain to this domain. ifelse($1, system, ` domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) role system_r types system_chkpwd_t; dontaudit auth_chkpwd shadow_t:file { getattr read }; allow auth_chkpwd sbin_t:dir search; -dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms; +dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; +can_ypbind(auth_chkpwd) +can_kerberos(auth_chkpwd) ', ` domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) allow $1_t sbin_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.19.1/macros/program/gpg_macros.te --- nsapolicy/macros/program/gpg_macros.te 2004-11-05 23:24:17.000000000 -0500 +++ policy-1.19.1/macros/program/gpg_macros.te 2004-11-10 17:30:03.468882771 -0500 @@ -19,7 +19,7 @@ define(`gpg_domain', ` # Derived domain based on the calling user domain and the program. type $1_gpg_t, domain, privlog; -type $1_gpg_secret_t, file_type, homedirfile, sysadmfile; +type $1_gpg_secret_t, file_type, $1_homedirfile, sysadmfile; # Transition from the user domain to the derived domain. domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t) @@ -82,6 +82,7 @@ allow $1_gpg_t self:capability { ipc_lock setuid }; allow $1_gpg_t devtty_t:chr_file rw_file_perms; +rw_dir_create_file($1_gpg_t, $1_homedirfile) allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms; allow $1_gpg_t fs_t:filesystem getattr; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.1/macros/program/inetd_macros.te --- nsapolicy/macros/program/inetd_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/inetd_macros.te 2004-11-10 17:30:03.469882658 -0500 @@ -43,8 +43,7 @@ allow $1_t home_root_t:dir search; allow $1_t self:dir search; allow $1_t self:file { getattr read }; -allow $1_t krb5_conf_t:file r_file_perms; -dontaudit $1_t krb5_conf_t:file write; +can_kerberos($1_t) allow $1_t urandom_device_t:chr_file { getattr read }; type $1_port_t, port_type, reserved_port_type; # Use sockets inherited from inetd. diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.19.1/macros/program/irc_macros.te --- nsapolicy/macros/program/irc_macros.te 2004-11-05 23:24:17.000000000 -0500 +++ policy-1.19.1/macros/program/irc_macros.te 2004-11-10 17:30:03.469882658 -0500 @@ -20,7 +20,7 @@ define(`irc_domain',` # Derived domain based on the calling user domain and the program. type $1_irc_t, domain; -type $1_home_irc_t, file_type, homedirfile, sysadmfile; +type $1_home_irc_t, file_type, $1_homedirfile, sysadmfile; type $1_irc_exec_t, file_type, sysadmfile; ifdef(`slocate.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lockdev_macros.te policy-1.19.1/macros/program/lockdev_macros.te --- nsapolicy/macros/program/lockdev_macros.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.1/macros/program/lockdev_macros.te 2004-11-10 17:30:03.470882545 -0500 @@ -0,0 +1,46 @@ +# +# Macros for lockdev domains. +# + +# +# Authors: Daniel Walsh <dwalsh@redhat.com> +# + +# +# lockdev_domain(domain_prefix) +# +# Define a derived domain for the lockdev programs when executed +# by a user domain. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/lockdev.te. +# +undefine(`lockdev_domain') +define(`lockdev_domain',` +# Derived domain based on the calling user domain and the program +type $1_lockdev_t, domain, privlog; +# Transition from the user domain to the derived domain. +domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t) + +# The user role is authorized for this domain. +role $1_r types $1_lockdev_t; +# Use capabilities. +allow $1_lockdev_t self:capability setgid; +allow $1_lockdev_t $1_t:process signull; + +allow $1_lockdev_t var_t:dir search; + +lock_domain($1_lockdev) + +r_dir_file($1_lockdev_t, lockfile) + +allow $1_lockdev_t device_t:dir search; +allow $1_lockdev_t null_device_t:chr_file rw_file_perms; +allow $1_lockdev_t { $1_tty_device_t $1_devpts_t }:chr_file rw_file_perms; +dontaudit $1_lockdev_t root_t:dir search; + +uses_shlib($1_lockdev_t) +allow $1_lockdev_t fs_t:filesystem getattr; + +')dnl end macro definition + diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.19.1/macros/program/mount_macros.te --- nsapolicy/macros/program/mount_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/mount_macros.te 2004-11-10 17:30:03.470882545 -0500 @@ -81,7 +81,7 @@ # mount domain. # define(`mount_loopback_privs',` -type $1_$2_source_t, file_type, sysadmfile, homedirfile; +type $1_$2_source_t, file_type, sysadmfile, $1_homedirfile; allow $1_t $1_$2_source_t:file create_file_perms; allow $1_t $1_$2_source_t:file { relabelto relabelfrom }; allow $2_t $1_$2_source_t:file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.1/macros/program/mozilla_macros.te --- nsapolicy/macros/program/mozilla_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/mozilla_macros.te 2004-11-10 17:51:41.396455207 -0500 @@ -78,7 +78,7 @@ # if (mozilla_readhome || mozilla_writehome) { r_dir_file($1_mozilla_t, $1_home_t) -dontaudit $1_mozilla_t homedirfile:{ file dir } getattr; +dontaudit $1_mozilla_t $1_homedirfile:{ file dir } getattr; file_type_auto_trans($1_mozilla_t, tmp_t, $1_tmp_t) } else { file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t) @@ -112,6 +112,7 @@ # Eliminate errors from scanning with the # dontaudit $1_mozilla_t file_type:dir getattr; +allow $1_mozilla_t self:sem create_sem_perms; ifdef(`xdm.te', ` allow $1_mozilla_t xdm_t:fifo_file { write read }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.1/macros/program/mta_macros.te --- nsapolicy/macros/program/mta_macros.te 2004-11-05 23:24:17.000000000 -0500 +++ policy-1.19.1/macros/program/mta_macros.te 2004-11-10 17:51:56.986696371 -0500 @@ -20,7 +20,7 @@ undefine(`mail_domain') define(`mail_domain',` # Derived domain based on the calling user domain and the program. -type $1_mail_t, domain, privlog, user_mail_domain; +type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain; ifdef(`sendmail.te', ` sendmail_user_domain($1) diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.19.1/macros/program/newrole_macros.te --- nsapolicy/macros/program/newrole_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/newrole_macros.te 2004-11-10 17:30:03.493879951 -0500 @@ -34,9 +34,6 @@ allow $1_t bin_t:lnk_file read; allow $1_t shell_exec_t:file r_file_perms; -can_ypbind($1_t) -dontaudit $1_t krb5_conf_t:file write; -allow $1_t krb5_conf_t:file { getattr read }; allow $1_t urandom_device_t:chr_file { getattr read }; # Allow $1_t to transition to user domains. diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.19.1/macros/program/screen_macros.te --- nsapolicy/macros/program/screen_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/screen_macros.te 2004-11-10 17:30:03.494879838 -0500 @@ -22,7 +22,7 @@ define(`screen_domain',` # Derived domain based on the calling user domain and the program. type $1_screen_t, domain, privlog, privfd; -type $1_home_screen_t, file_type, homedirfile, sysadmfile; +type $1_home_screen_t, file_type, $1_homedirfile, sysadmfile; # Transition from the user domain to this domain. domain_auto_trans($1_t, screen_exec_t, $1_screen_t) diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.19.1/macros/program/spamassassin_macros.te --- nsapolicy/macros/program/spamassassin_macros.te 2004-10-13 22:41:58.000000000 -0400 +++ policy-1.19.1/macros/program/spamassassin_macros.te 2004-11-10 17:30:03.495879725 -0500 @@ -80,7 +80,7 @@ dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; # The type of ~/.spamassassin -type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile; +type $1_home_spamassassin_t, file_type, $1_homedirfile, sysadmfile; create_dir_file($1_t, $1_home_spamassassin_t) allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto }; allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.1/macros/program/ssh_macros.te --- nsapolicy/macros/program/ssh_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/ssh_macros.te 2004-11-10 17:52:36.231268938 -0500 @@ -22,7 +22,7 @@ define(`ssh_domain',` # Derived domain based on the calling user domain and the program. type $1_ssh_t, domain, privlog, nscd_client_domain; -type $1_home_ssh_t, file_type, homedirfile, sysadmfile; +type $1_home_ssh_t, file_type, $1_homedirfile, sysadmfile; ifdef(`automount.te', ` allow $1_ssh_t autofs_t:dir { search getattr }; @@ -157,8 +157,7 @@ allow $1_ssh_t xdm_xserver_t:shm r_shm_perms; allow $1_ssh_t xdm_xserver_t:fd use; allow $1_ssh_t xdm_xserver_tmpfs_t:file read; -allow $1_ssh_t krb5_conf_t:file { getattr read }; -dontaudit $1_ssh_t krb5_conf_t:file write; +can_kerberos($1_ssh_t) ')dnl end if xdm.te ')dnl end macro definition diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.19.1/macros/program/su_macros.te --- nsapolicy/macros/program/su_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/su_macros.te 2004-11-10 17:30:03.495879725 -0500 @@ -87,8 +87,7 @@ # Write to utmp. allow $1_su_t { var_t var_run_t }:dir search; allow $1_su_t initrc_var_run_t:file rw_file_perms; -dontaudit $1_su_t krb5_conf_t:file write; -allow $1_su_t krb5_conf_t:file { getattr read }; +can_kerberos($1_su_t) ') dnl end su_restricted_domain define(`su_mini_domain', ` diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.19.1/macros/program/tvtime_macros.te --- nsapolicy/macros/program/tvtime_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/tvtime_macros.te 2004-11-10 17:30:03.496879613 -0500 @@ -19,7 +19,7 @@ ifdef(`tvtime.te', ` define(`tvtime_domain',` # Derived domain based on the calling user domain and the program. -type $1_home_tvtime_t, file_type, homedirfile, sysadmfile; +type $1_home_tvtime_t, file_type, $1_homedirfile, sysadmfile; x_client_domain($1, tvtime) diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.1/macros/program/userhelper_macros.te --- nsapolicy/macros/program/userhelper_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/userhelper_macros.te 2004-11-10 17:30:03.496879613 -0500 @@ -123,7 +123,6 @@ ') allow $1_userhelper_t sysctl_t:dir search; role system_r types $1_userhelper_t; -allow $1_userhelper_t krb5_conf_t:file { getattr read }; r_dir_file($1_userhelper_t, nfs_t) ifdef(`xdm.te', ` @@ -139,6 +138,9 @@ domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t) allow $1_userhelper_t $1_home_xauth_t:file { getattr read }; ') + +ifdef(`pamconsole.te', ` allow $1_userhelper_t pam_var_console_t:dir { search }; +') ')dnl end userhelper macro diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/vmware_macros.te policy-1.19.1/macros/program/vmware_macros.te --- nsapolicy/macros/program/vmware_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/program/vmware_macros.te 2004-11-10 17:30:03.497879500 -0500 @@ -23,10 +23,10 @@ role $1_r types $1_vmware_t; # The user file type is for files created when the user is running VMWare -type $1_vmware_file_t, homedirfile, file_type, sysadmfile; +type $1_vmware_file_t, $1_homedirfile, file_type, sysadmfile; # The user file type for the VMWare configuration files -type $1_vmware_conf_t, homedirfile, file_type, sysadmfile; +type $1_vmware_conf_t, $1_homedirfile, file_type, sysadmfile; # for compatibility with older policy versions typealias $1_vmware_t alias vmware_$1_t; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.19.1/macros/program/xauth_macros.te --- nsapolicy/macros/program/xauth_macros.te 2004-11-05 23:24:17.000000000 -0500 +++ policy-1.19.1/macros/program/xauth_macros.te 2004-11-10 17:30:03.497879500 -0500 @@ -20,7 +20,7 @@ define(`xauth_domain',` # Derived domain based on the calling user domain and the program. type $1_xauth_t, domain; -type $1_home_xauth_t, file_type, homedirfile, sysadmfile; +type $1_home_xauth_t, file_type, $1_homedirfile, sysadmfile; ifdef(`slocate.te', ` allow $1_locate_t $1_home_xauth_t:file { getattr read }; @@ -48,6 +48,7 @@ ') allow $1_xauth_t privfd:fd use; +allow $1_xauth_t ptmx_t:chr_file { read write }; # allow ps to show xauth allow $1_t $1_xauth_t:dir { search getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.19.1/macros/program/x_client_macros.te --- nsapolicy/macros/program/x_client_macros.te 2004-11-05 23:24:17.000000000 -0500 +++ policy-1.19.1/macros/program/x_client_macros.te 2004-11-10 17:30:03.498879387 -0500 @@ -25,9 +25,9 @@ # Derived domain based on the calling user domain and the program. type $1_$2_t, domain $3; # Type for files that are writeable by this domain. -type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile; +type $1_$2_rw_t, file_type, $1_homedirfile, sysadmfile, tmpfile; # Type for files that are read-only for this domain -type $1_$2_ro_t, file_type, homedirfile, sysadmfile; +type $1_$2_ro_t, file_type, $1_homedirfile, sysadmfile; # Transition from the user domain to the derived domain. ifelse($2, games, ` diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.19.1/macros/program/ypbind_macros.te --- nsapolicy/macros/program/ypbind_macros.te 2004-10-13 22:41:58.000000000 -0400 +++ policy-1.19.1/macros/program/ypbind_macros.te 2004-11-10 17:32:37.064554655 -0500 @@ -4,12 +4,15 @@ can_network($1) r_dir_file($1,var_yp_t) allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind; +dontaudit $1 self:capability net_bind_service; ') define(`can_ypbind', ` ifdef(`ypbind.te', ` if (allow_ypbind) { uncond_can_ypbind($1) +} else { +dontaudit $1 var_yp_t:dir search; } ') dnl ypbind.te ') dnl can_ypbind diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.19.1/macros/user_macros.te --- nsapolicy/macros/user_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/macros/user_macros.te 2004-11-10 17:30:03.499879274 -0500 @@ -56,8 +56,9 @@ # user domains. ifdef(`apache.te', `apache_domain($1)') ifdef(`slocate.te', `locate_domain($1)') +ifdef(`lockdev.te', `lockdev_domain($1)') -allow $1_t krb5_conf_t:file { getattr read }; +can_kerberos($1_t) # allow port_t name binding for UDP because it is not very usable otherwise allow $1_t port_t:udp_socket name_bind; @@ -123,9 +124,14 @@ undefine(`full_user_role') define(`full_user_role', ` +# certain apps ask for this priv kdesu, fetchmail +# dac controls force the user to only lower priority +allow $1_t self:process setrlimit; + # user_t/$1_t is an unprivileged users domain. type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; +attribute $1_homedirfile; # Grant read/search permissions to some of /proc. allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:{ file lnk_file } r_file_perms; @@ -142,11 +148,6 @@ # Stat lost+found. allow $1_t lost_found_t:dir getattr; -# Read the /tmp directory and any /tmp files with the base type. -# Temporary files created at runtime will typically use derived types. -allow $1_t tmp_t:dir r_dir_perms; -allow $1_t tmp_t:{ file lnk_file } r_file_perms; - # Read /var, /var/spool, /var/run. allow $1_t var_t:dir r_dir_perms; allow $1_t var_t:notdevfile_class_set r_file_perms; @@ -224,15 +225,17 @@ allow $1_mount_t iso9660_t:filesystem relabelfrom; allow $1_mount_t removable_t:filesystem { mount relabelto }; allow $1_mount_t removable_t:dir mounton; +ifdef(`xdm.te', ` allow $1_mount_t xdm_t:fd use; allow $1_mount_t xdm_t:fifo_file write; ') +') # # Rules used to associate a homedir as a mountpoint # allow $1_home_t $1_home_t:filesystem associate; -allow homedirfile $1_home_t:filesystem associate; +allow $1_homedirfile $1_home_t:filesystem associate; ') undefine(`in_user_role') diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.1/net_contexts --- nsapolicy/net_contexts 2004-11-09 13:35:11.000000000 -0500 +++ policy-1.19.1/net_contexts 2004-11-10 17:30:03.500879161 -0500 @@ -113,7 +113,6 @@ portcon tcp 631 system_u:object_r:ipp_port_t portcon udp 631 system_u:object_r:ipp_port_t ') -ifdef(`kerberos.te', ` portcon tcp 88 system_u:object_r:kerberos_port_t portcon udp 88 system_u:object_r:kerberos_port_t portcon tcp 749 system_u:object_r:kerberos_admin_port_t @@ -121,7 +120,6 @@ portcon udp 750 system_u:object_r:kerberos_port_t portcon tcp 4444 system_u:object_r:kerberos_master_port_t portcon udp 4444 system_u:object_r:kerberos_master_port_t -') ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') ifdef(`rsync.te', ` portcon tcp 873 system_u:object_r:rsync_port_t diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.1/targeted/domains/unconfined.te --- nsapolicy/targeted/domains/unconfined.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/targeted/domains/unconfined.te 2004-11-10 17:30:03.501879048 -0500 @@ -42,4 +42,7 @@ # Support NFS home directories bool use_nfs_home_dirs false; +# Allow system to run with NIS +bool allow_ypbind false; + diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.1/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400 +++ policy-1.19.1/tunables/distro.tun 2004-11-10 17:30:03.501879048 -0500 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.1/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.1/tunables/tunable.tun 2004-11-10 17:30:03.502878936 -0500 @@ -1,27 +1,27 @@ # Allow users to execute the mount command -dnl define(`user_can_mount') +define(`user_can_mount') # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -dnl define(`unlimitedUtils') +define(`unlimitedUtils') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined. -dnl define(`unlimitedRC') +define(`unlimitedRC') # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon') # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -dnl define(`user_canbe_sysadm') +define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Patches without the can_network patch. 2004-11-10 23:11 ` Patches without the can_network patch Daniel J Walsh @ 2004-11-17 20:15 ` James Carter 2004-11-18 14:33 ` Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-11-17 20:15 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux Merged with some changes. - Changed the attribute $1_homedirfile to $1_file_type - Removed the attribute homedirfile since it is not being used. - Moved can_kerberos to a new file named kerberos_macros.te instead of network_macros.te - Added "ifdef(`kerberos.te', `" to the can_kerberos macro. - Did not remove the "ifdef`kerberos.te', `" in net_contexts. On Wed, 2004-11-10 at 18:11, Daniel J Walsh wrote: > Removal of alot of kerberos and can_ypbind calls. (Centralized under > the auth call). > > Several apache fixes to make squirrelmail work as well as mod_perl and > mod_python. > > Fixes to dovecot to get it to work with squirrelmail > > Fixes to hal to allow it to create a chr_file device for pcmcia card > communication. > > Added lockdev policy > > Fixes for mailman policy > > A few more nscd_client_domains > <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.1/macros/network_macros.te > --- nsapolicy/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500 > +++ policy-1.19.1/macros/network_macros.te 2004-11-10 17:50:28.419688186 -0500 > @@ -0,0 +1,5 @@ > +define(`can_kerberos',` > +can_network($1) > +dontaudit $1 krb5_conf_t:file write; > +allow $1 krb5_conf_t:file { getattr read }; > +') <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.1/net_contexts > --- nsapolicy/net_contexts 2004-11-09 13:35:11.000000000 -0500 > +++ policy-1.19.1/net_contexts 2004-11-10 17:30:03.500879161 -0500 > @@ -113,7 +113,6 @@ > portcon tcp 631 system_u:object_r:ipp_port_t > portcon udp 631 system_u:object_r:ipp_port_t > ') > -ifdef(`kerberos.te', ` > portcon tcp 88 system_u:object_r:kerberos_port_t > portcon udp 88 system_u:object_r:kerberos_port_t > portcon tcp 749 system_u:object_r:kerberos_admin_port_t > @@ -121,7 +120,6 @@ > portcon udp 750 system_u:object_r:kerberos_port_t > portcon tcp 4444 system_u:object_r:kerberos_master_port_t > portcon udp 4444 system_u:object_r:kerberos_master_port_t > -') > ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') > ifdef(`rsync.te', ` > portcon tcp 873 system_u:object_r:rsync_port_t -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* can_network patch. 2004-11-17 20:15 ` James Carter @ 2004-11-18 14:33 ` Daniel J Walsh 2004-11-23 18:52 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-11-18 14:33 UTC (permalink / raw) To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux [-- Attachment #1: Type: text/plain, Size: 1 bytes --] [-- Attachment #2: policy-network.patch --] [-- Type: text/x-patch, Size: 31941 bytes --] diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/ssh.te policy-1.19.2.good/domains/program/ssh.te --- policy-1.19.2/domains/program/ssh.te 2004-11-18 08:14:48.000000000 -0500 +++ policy-1.19.2.good/domains/program/ssh.te 2004-11-18 08:35:53.834772235 -0500 @@ -69,6 +69,7 @@ allow $1_t urandom_device_t:chr_file { getattr read }; can_network($1_t) +allow $1_t self:{ udp_socket tcp_socket } connect; allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; allow $1_t { home_root_t home_dir_type }:dir { search getattr }; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/apache.te policy-1.19.2.good/domains/program/unused/apache.te --- policy-1.19.2/domains/program/unused/apache.te 2004-11-18 08:50:10.113157831 -0500 +++ policy-1.19.2.good/domains/program/unused/apache.te 2004-11-18 08:35:53.836772009 -0500 @@ -140,6 +140,7 @@ can_network(httpd_t) can_ypbind(httpd_t) +allow httpd_t self:{ tcp_socket udp_socket } connect; ################### # Allow httpd to search users diretories diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/canna.te policy-1.19.2.good/domains/program/unused/canna.te --- policy-1.19.2/domains/program/unused/canna.te 2004-11-18 08:14:51.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/canna.te 2004-11-18 08:35:53.837771897 -0500 @@ -28,8 +28,9 @@ rw_dir_create_file(canna_t, canna_var_lib_t) -can_network(canna_t) +can_tcp_network(canna_t) can_ypbind(canna_t) +allow canna_t self:tcp_socket connect; allow userdomain canna_var_run_t:dir search; allow userdomain canna_var_run_t:sock_file write; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/cups.te policy-1.19.2.good/domains/program/unused/cups.te --- policy-1.19.2/domains/program/unused/cups.te 2004-11-18 08:51:22.563983161 -0500 +++ policy-1.19.2.good/domains/program/unused/cups.te 2004-11-18 08:35:53.839771671 -0500 @@ -19,6 +19,7 @@ typealias cupsd_rw_etc_t alias etc_cupsd_rw_t; can_network(cupsd_t) +allow cupsd_t self:{ tcp_socket udp_socket } connect; logdir_domain(cupsd) @@ -194,6 +195,7 @@ can_network(cupsd_config_t) can_tcp_connect(cupsd_config_t, cupsd_t) +allow cupsd_config_t self:tcp_socket connect; allow cupsd_config_t self:fifo_file rw_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/cyrus.te policy-1.19.2.good/domains/program/unused/cyrus.te --- policy-1.19.2/domains/program/unused/cyrus.te 2004-11-18 08:51:47.260196672 -0500 +++ policy-1.19.2.good/domains/program/unused/cyrus.te 2004-11-18 08:35:53.839771671 -0500 @@ -20,6 +20,7 @@ can_network(cyrus_t) can_ypbind(cyrus_t) +allow cyrus_t self:{ tcp_socket udp_socket } connect; can_exec(cyrus_t, bin_t) allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dhcpc.te policy-1.19.2.good/domains/program/unused/dhcpc.te --- policy-1.19.2/domains/program/unused/dhcpc.te 2004-11-18 08:14:53.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/dhcpc.te 2004-11-18 08:52:51.492949252 -0500 @@ -22,8 +22,9 @@ # for SSP allow dhcpc_t urandom_device_t:chr_file read; -can_network(dhcpc_t) +can_network(dhcpc_t, `{ dhcpc_port_t dhcpd_port_t }') can_ypbind(dhcpc_t) +allow dhcpc_t self:tcp_socket connect; allow dhcpc_t self:unix_dgram_socket create_socket_perms; allow dhcpc_t self:unix_stream_socket create_socket_perms; allow dhcpc_t self:fifo_file rw_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dhcpd.te policy-1.19.2.good/domains/program/unused/dhcpd.te --- policy-1.19.2/domains/program/unused/dhcpd.te 2004-11-18 08:53:24.057275000 -0500 +++ policy-1.19.2.good/domains/program/unused/dhcpd.te 2004-11-18 08:35:53.840771558 -0500 @@ -31,6 +31,7 @@ # Use the network. can_network(dhcpd_t) can_ypbind(dhcpd_t) +allow dhcpd_t self:tcp_socket connect; allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dovecot.te policy-1.19.2.good/domains/program/unused/dovecot.te --- policy-1.19.2/domains/program/unused/dovecot.te 2004-11-18 08:14:48.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/dovecot.te 2004-11-18 08:35:53.841771445 -0500 @@ -15,6 +15,8 @@ allow dovecot_t self:process setrlimit; can_network(dovecot_t) can_ypbind(dovecot_t) +allow dovecot_t self:tcp_socket connect; + allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket create_stream_socket_perms; can_unix_connect(dovecot_t, self) diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ftpd.te policy-1.19.2.good/domains/program/unused/ftpd.te --- policy-1.19.2/domains/program/unused/ftpd.te 2004-11-18 08:54:09.695125653 -0500 +++ policy-1.19.2.good/domains/program/unused/ftpd.te 2004-11-18 08:35:53.842771333 -0500 @@ -16,6 +16,7 @@ typealias ftpd_etc_t alias etc_ftpd_t; can_network(ftpd_t) +allow ftpd_t self:udp_socket connect; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_socket_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/i18n_input.te policy-1.19.2.good/domains/program/unused/i18n_input.te --- policy-1.19.2/domains/program/unused/i18n_input.te 2004-11-18 08:14:53.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/i18n_input.te 2004-11-18 08:35:53.842771333 -0500 @@ -11,6 +11,7 @@ can_exec(i18n_input_t, i18n_input_exec_t) can_network(i18n_input_t) can_ypbind(i18n_input_t) +allow i18n_input_t self:udp_socket connect; can_tcp_connect(userdomain, i18n_input_t) diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/inetd.te policy-1.19.2.good/domains/program/unused/inetd.te --- policy-1.19.2/domains/program/unused/inetd.te 2004-11-18 08:14:56.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/inetd.te 2004-11-18 08:35:53.843771220 -0500 @@ -21,6 +21,8 @@ daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' ) can_network(inetd_t) +allow inetd_t self:{ tcp_socket udp_socket } connect; + allow inetd_t self:unix_dgram_socket create_socket_perms; allow inetd_t self:unix_stream_socket create_socket_perms; allow inetd_t self:fifo_file rw_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/innd.te policy-1.19.2.good/domains/program/unused/innd.te --- policy-1.19.2/domains/program/unused/innd.te 2004-11-18 08:54:50.625507454 -0500 +++ policy-1.19.2.good/domains/program/unused/innd.te 2004-11-18 08:35:53.843771220 -0500 @@ -30,6 +30,7 @@ can_network(innd_t) can_ypbind(innd_t) +allow innd_t self:udp_socket connect; can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } ) allow innd_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/kerberos.te policy-1.19.2.good/domains/program/unused/kerberos.te --- policy-1.19.2/domains/program/unused/kerberos.te 2004-11-18 08:14:50.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/kerberos.te 2004-11-18 08:35:53.844771107 -0500 @@ -16,10 +16,6 @@ # # Rules for the krb5kdc_t,kadmind_t domains. # -type kerberos_port_t, port_type, reserved_port_type; -type kerberos_admin_port_t, port_type, reserved_port_type; -type kerberos_master_port_t, port_type; - daemon_domain(krb5kdc) daemon_domain(kadmind) diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/mailman.te policy-1.19.2.good/domains/program/unused/mailman.te --- policy-1.19.2/domains/program/unused/mailman.te 2004-11-18 08:14:49.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/mailman.te 2004-11-18 08:35:53.845770994 -0500 @@ -29,12 +29,14 @@ allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; allow mailman_$1_t fs_t:filesystem getattr; can_network(mailman_$1_t) +allow mailman_$1_t self:udp_socket connect; allow mailman_$1_t self:unix_stream_socket create_socket_perms; allow mailman_$1_t var_t:dir r_dir_perms; ') mailman_domain(queue, `, auth_chkpwd, nscd_client_domain') can_tcp_connect(mailman_queue_t, mail_server_domain) +allow mailman_queue_t self:tcp_socket connect; can_exec(mailman_queue_t, su_exec_t) allow mailman_queue_t self:capability { setgid setuid }; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/named.te policy-1.19.2.good/domains/program/unused/named.te --- policy-1.19.2/domains/program/unused/named.te 2004-11-18 08:55:41.707743815 -0500 +++ policy-1.19.2.good/domains/program/unused/named.te 2004-11-18 08:35:53.847770768 -0500 @@ -51,6 +51,8 @@ #Named can use network can_network(named_t) can_ypbind(named_t) +allow named_t self:tcp_socket connect; + # allow UDP transfer to/from any program can_udp_send(domain, named_t) can_udp_send(named_t, domain) @@ -102,6 +104,8 @@ uses_shlib(ndc_t) can_network(ndc_t) can_ypbind(ndc_t) +allow ndc_t self:tcp_socket connect; +can_resolve(ndc_t) read_locale(ndc_t) can_tcp_connect(ndc_t, named_t) diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/nscd.te policy-1.19.2.good/domains/program/unused/nscd.te --- policy-1.19.2/domains/program/unused/nscd.te 2004-11-18 08:14:48.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/nscd.te 2004-11-18 08:35:53.847770768 -0500 @@ -24,6 +24,7 @@ allow nscd_t etc_t:lnk_file read; can_network(nscd_t) can_ypbind(nscd_t) +allow nscd_t self:{ tcp_socket udp_socket } connect; file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file) diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ntpd.te policy-1.19.2.good/domains/program/unused/ntpd.te --- policy-1.19.2/domains/program/unused/ntpd.te 2004-11-18 09:16:48.946760475 -0500 +++ policy-1.19.2.good/domains/program/unused/ntpd.te 2004-11-18 08:35:53.848770656 -0500 @@ -39,6 +39,7 @@ # Use the network. can_network(ntpd_t) can_ypbind(ntpd_t) +allow ntpd_t self:{ tcp_socket udp_socket } connect; allow ntpd_t ntp_port_t:udp_socket name_bind; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ping.te policy-1.19.2.good/domains/program/unused/ping.te --- policy-1.19.2/domains/program/unused/ping.te 2004-11-18 08:14:51.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/ping.te 2004-11-18 08:35:53.848770656 -0500 @@ -35,6 +35,7 @@ can_ypbind(ping_t) allow ping_t etc_t:file { getattr read }; allow ping_t self:unix_stream_socket create_socket_perms; +allow ping_t self:{ tcp_socket udp_socket } connect; # Let ping create raw ICMP packets. allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/postfix.te policy-1.19.2.good/domains/program/unused/postfix.te --- policy-1.19.2/domains/program/unused/postfix.te 2004-11-18 08:14:50.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/postfix.te 2004-11-18 08:35:53.849770543 -0500 @@ -119,6 +119,8 @@ allow postfix_master_t postfix_private_t:fifo_file create_file_perms; can_network(postfix_master_t) can_ypbind(postfix_master_t) +allow postfix_master_t self:{ tcp_socket udp_socket } connect; + allow postfix_master_t smtp_port_t:tcp_socket name_bind; allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; @@ -158,6 +160,7 @@ allow postfix_$1_t self:capability { setuid setgid dac_override }; can_network(postfix_$1_t) can_ypbind(postfix_$1_t) +allow postfix_$1_t self:{ tcp_socket udp_socket } connect; ') postfix_server_domain(smtp, `, mail_server_sender') diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/postgresql.te policy-1.19.2.good/domains/program/unused/postgresql.te --- policy-1.19.2/domains/program/unused/postgresql.te 2004-11-18 08:57:40.718315780 -0500 +++ policy-1.19.2.good/domains/program/unused/postgresql.te 2004-11-18 08:35:53.850770430 -0500 @@ -14,6 +14,7 @@ daemon_domain(postgresql) allow initrc_t postgresql_exec_t:lnk_file read; allow postgresql_t usr_t:file { getattr read }; +allow postgresql_t self:udp_socket connect; allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/privoxy.te policy-1.19.2.good/domains/program/unused/privoxy.te --- policy-1.19.2/domains/program/unused/privoxy.te 2004-11-18 08:14:49.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/privoxy.te 2004-11-18 08:35:53.851770317 -0500 @@ -18,6 +18,7 @@ # Use the network. can_network(privoxy_t) allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind; +allow privoxy_t self:{ tcp_socket udp_socket } connect; allow privoxy_t etc_t:file { getattr read }; allow privoxy_t self:capability { setgid setuid }; allow privoxy_t self:unix_stream_socket create_socket_perms ; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/rpcd.te policy-1.19.2.good/domains/program/unused/rpcd.te --- policy-1.19.2/domains/program/unused/rpcd.te 2004-11-18 08:58:17.120208533 -0500 +++ policy-1.19.2.good/domains/program/unused/rpcd.te 2004-11-18 08:35:53.851770317 -0500 @@ -14,6 +14,7 @@ daemon_base_domain($1) can_network($1_t) can_ypbind($1_t) +allow $1_t self:{ udp_socket tcp_socket } connect; allow $1_t etc_t:file { getattr read }; read_locale($1_t) allow $1_t self:capability net_bind_service; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/sendmail.te policy-1.19.2.good/domains/program/unused/sendmail.te --- policy-1.19.2/domains/program/unused/sendmail.te 2004-11-18 08:14:51.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/sendmail.te 2004-11-18 08:35:53.852770204 -0500 @@ -27,6 +27,7 @@ # Use the network. can_network(sendmail_t) can_ypbind(sendmail_t) +allow sendmail_t self:{ tcp_socket udp_socket } connect; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/slapd.te policy-1.19.2.good/domains/program/unused/slapd.te --- policy-1.19.2/domains/program/unused/slapd.te 2004-11-18 08:14:51.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/slapd.te 2004-11-18 08:35:53.852770204 -0500 @@ -30,6 +30,7 @@ allow slapd_t self:unix_dgram_socket create_socket_perms; # allow any domain to connect to the LDAP server can_tcp_connect(domain, slapd_t) +allow slapd_t self:{ tcp_socket udp_socket } connect; # Use capabilities should not need kill... allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw }; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/snmpd.te policy-1.19.2.good/domains/program/unused/snmpd.te --- policy-1.19.2/domains/program/unused/snmpd.te 2004-11-18 08:58:52.256244113 -0500 +++ policy-1.19.2.good/domains/program/unused/snmpd.te 2004-11-18 08:35:53.853770092 -0500 @@ -15,6 +15,7 @@ can_network(snmpd_t) can_ypbind(snmpd_t) +allow snmpd_t self:{ tcp_socket udp_socket } connect; type snmp_port_t, port_type, reserved_port_type; allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/spamd.te policy-1.19.2.good/domains/program/unused/spamd.te --- policy-1.19.2/domains/program/unused/spamd.te 2004-11-18 08:14:53.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/spamd.te 2004-11-18 08:35:53.853770092 -0500 @@ -24,6 +24,7 @@ dontaudit spamd_t sysadm_home_dir_t:dir getattr; can_network(spamd_t) +allow spamd_t self:{ tcp_socket udp_socket } connect; allow spamd_t self:capability net_bind_service; allow spamd_t proc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/squid.te policy-1.19.2.good/domains/program/unused/squid.te --- policy-1.19.2/domains/program/unused/squid.te 2004-11-18 08:59:29.988986705 -0500 +++ policy-1.19.2.good/domains/program/unused/squid.te 2004-11-18 08:35:53.854769979 -0500 @@ -55,6 +55,7 @@ can_network(squid_t) can_ypbind(squid_t) can_tcp_connect(web_client_domain, squid_t) +allow squid_t self:{ tcp_socket udp_socket } connect; # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts) allow squid_t http_cache_port_t:tcp_socket name_bind; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/traceroute.te policy-1.19.2.good/domains/program/unused/traceroute.te --- policy-1.19.2/domains/program/unused/traceroute.te 2004-11-18 08:14:54.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/traceroute.te 2004-11-18 08:35:53.855769866 -0500 @@ -20,6 +20,7 @@ uses_shlib(traceroute_t) can_network(traceroute_t) can_ypbind(traceroute_t) +allow traceroute_t self:{ tcp_socket udp_socket } connect; allow traceroute_t node_t:rawip_socket node_bind; type traceroute_exec_t, file_type, sysadmfile, exec_type; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/vpnc.te policy-1.19.2.good/domains/program/unused/vpnc.te --- policy-1.19.2/domains/program/unused/vpnc.te 2004-11-18 09:17:37.765252256 -0500 +++ policy-1.19.2.good/domains/program/unused/vpnc.te 2004-11-18 08:35:53.855769866 -0500 @@ -17,6 +17,7 @@ # Use the network. can_network(vpnc_t) can_ypbind(vpnc_t) +allow vpnc_t self:udp_socket connect; allow vpnc_t self:socket create_socket_perms; # Use capabilities. diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/xdm.te policy-1.19.2.good/domains/program/unused/xdm.te --- policy-1.19.2/domains/program/unused/xdm.te 2004-11-18 09:01:02.054598887 -0500 +++ policy-1.19.2.good/domains/program/unused/xdm.te 2004-11-18 08:35:53.856769753 -0500 @@ -46,6 +46,7 @@ allow xdm_t default_context_t:file { read getattr }; can_network(xdm_t) +allow xdm_t self:udp_socket connect; allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xdm_t self:unix_dgram_socket create_socket_perms; allow xdm_t self:fifo_file rw_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ypbind.te policy-1.19.2.good/domains/program/unused/ypbind.te --- policy-1.19.2/domains/program/unused/ypbind.te 2004-11-18 08:14:53.000000000 -0500 +++ policy-1.19.2.good/domains/program/unused/ypbind.te 2004-11-18 08:35:53.857769640 -0500 @@ -20,6 +20,7 @@ # Use the network. can_network(ypbind_t) allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind; +allow ypbind_t self:{ tcp_socket udp_socket } connect; allow ypbind_t self:fifo_file rw_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/base_user_macros.te policy-1.19.2.good/macros/base_user_macros.te --- policy-1.19.2/macros/base_user_macros.te 2004-11-18 09:01:27.432735456 -0500 +++ policy-1.19.2.good/macros/base_user_macros.te 2004-11-18 08:35:53.862769076 -0500 @@ -196,6 +196,7 @@ # Use the network. can_network($1_t) can_ypbind($1_t) +allow $1_t self:{ tcp_socket udp_socket } connect; ifdef(`pamconsole.te', ` allow $1_t pam_var_console_t:dir search; diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/global_macros.te policy-1.19.2.good/macros/global_macros.te --- policy-1.19.2/macros/global_macros.te 2004-11-18 08:14:45.000000000 -0500 +++ policy-1.19.2.good/macros/global_macros.te 2004-11-18 08:35:53.865768738 -0500 @@ -118,64 +118,6 @@ ################################# # -# can_network(domain) -# -# Permissions for accessing the network. -# See types/network.te for the network types. -# See net_contexts for security contexts for network entities. -# -define(`can_network',` -# -# Allow the domain to create and use UDP and TCP sockets. -# Other kinds of sockets must be separately authorized for use. -allow $1 self:udp_socket create_socket_perms; -allow $1 self:tcp_socket create_stream_socket_perms; - -# -# Allow the domain to send or receive using any network interface. -# netif_type is a type attribute for all network interface types. -# -allow $1 netif_type:netif { tcp_send udp_send rawip_send }; -allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv }; - -# -# Allow the domain to send to or receive from any node. -# node_type is a type attribute for all node types. -# -allow $1 node_type:node { tcp_send udp_send rawip_send }; -allow $1 node_type:node { tcp_recv udp_recv rawip_recv }; - -# -# Allow the domain to send to or receive from any port. -# port_type is a type attribute for all port types. -# -allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; - -# -# Allow the domain to send NFS client requests via the socket -# created by mount. -# -allow $1 mount_t:udp_socket rw_socket_perms; - -# -# Bind to the default port type. -# Other port types must be separately authorized. -# -#allow $1 port_t:udp_socket name_bind; -#allow $1 port_t:tcp_socket name_bind; - -# XXX Allow binding to any node type. Remove once -# individual rules have been added to all domains that -# bind sockets. -allow $1 node_type: { tcp_socket udp_socket } node_bind; -# -# Allow access to network files including /etc/resolv.conf -# -allow $1 net_conf_t:file r_file_perms; -')dnl end can_network definition - -################################# -# # can_sysctl(domain) # # Permissions for modifying sysctl parameters. diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/network_macros.te policy-1.19.2.good/macros/network_macros.te --- policy-1.19.2/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.2.good/macros/network_macros.te 2004-11-18 08:35:53.865768738 -0500 @@ -0,0 +1,103 @@ +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`base_can_network',` +# +# Allow the domain to create and use $2 sockets. +# Other kinds of sockets must be separately authorized for use. +allow $1 self:$2_socket connected_socket_perms; + +# +# Allow the domain to send or receive using any network interface. +# netif_type is a type attribute for all network interface types. +# +allow $1 netif_type:netif { $2_send rawip_send }; +allow $1 netif_type:netif { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any node. +# node_type is a type attribute for all node types. +# +allow $1 node_type:node { $2_send rawip_send }; +allow $1 node_type:node { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any port. +# port_type is a type attribute for all port types. +# +ifelse($3, `', ` +allow $1 port_type:$2_socket { send_msg recv_msg }; +', ` +allow $1 $3:$2_socket { send_msg recv_msg }; +') + +# XXX Allow binding to any node type. Remove once +# individual rules have been added to all domains that +# bind sockets. +allow $1 node_type:$2_socket node_bind; +# +# Allow access to network files including /etc/resolv.conf +# +allow $1 net_conf_t:file r_file_perms; +')dnl end can_network definition + +################################# +# +# can_tcp_network(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_tcp_network',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { listen accept }; +') + +################################# +# +# can_udp_network(domain) +# +# Permissions for accessing a udp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_udp_network',` +base_can_network($1, udp, `$2') +') + +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network',` + +can_tcp_network($1, `$2') +can_udp_network($1, `$2') + +# +# Allow the domain to send NFS client requests via the socket +# created by mount. +# +allow $1 mount_t:udp_socket rw_socket_perms; + +')dnl end can_network definition + +define(`can_resolve',` +can_udp_network($1, `dns_port_t') +allow $1 self:udp_socket connect; +') +define(`can_ldap',` +can_tcp_network($1, `ldap_port_t') +allow $1 self:tcp_socket connect; +') + diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/chkpwd_macros.te policy-1.19.2.good/macros/program/chkpwd_macros.te --- policy-1.19.2/macros/program/chkpwd_macros.te 2004-11-18 08:14:45.000000000 -0500 +++ policy-1.19.2.good/macros/program/chkpwd_macros.te 2004-11-18 08:35:53.904764338 -0500 @@ -22,6 +22,8 @@ can_getcon($1_chkpwd_t) can_ypbind($1_chkpwd_t) can_kerberos($1_chkpwd_t) +can_ldap($1_chkpwd_t) +can_resolve($1_chkpwd_t) # Transition from the user domain to this domain. ifelse($1, system, ` domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) @@ -31,6 +33,8 @@ dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; can_ypbind(auth_chkpwd) can_kerberos(auth_chkpwd) +can_ldap(auth_chkpwd) +can_resolve(auth_chkpwd) ', ` domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) allow $1_t sbin_t:dir search; diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/crond_macros.te policy-1.19.2.good/macros/program/crond_macros.te --- policy-1.19.2/macros/program/crond_macros.te 2004-11-18 08:14:44.000000000 -0500 +++ policy-1.19.2.good/macros/program/crond_macros.te 2004-11-18 08:35:53.905764225 -0500 @@ -68,6 +68,7 @@ # This domain is granted permissions common to most domains. can_network($1_crond_t) can_ypbind($1_crond_t) +allow $1_crond_t self:{ tcp_socket udp_socket } connect; r_dir_file($1_crond_t, self) allow $1_crond_t self:fifo_file rw_file_perms; allow $1_crond_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/kerberos_macros.te policy-1.19.2.good/macros/program/kerberos_macros.te --- policy-1.19.2/macros/program/kerberos_macros.te 2004-11-18 09:08:04.893889675 -0500 +++ policy-1.19.2.good/macros/program/kerberos_macros.te 2004-11-18 08:35:53.906764112 -0500 @@ -1,7 +1,8 @@ define(`can_kerberos',` ifdef(`kerberos.te',` if (allow_kerberos) { -can_network($1) +allow $1 self:{ udp_socket tcp_socket } connect; +can_network($1, `kerberos_port_t') dontaudit $1 krb5_conf_t:file write; allow $1 krb5_conf_t:file { getattr read }; } diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/lpr_macros.te policy-1.19.2.good/macros/program/lpr_macros.te --- policy-1.19.2/macros/program/lpr_macros.te 2004-11-18 09:09:14.527032926 -0500 +++ policy-1.19.2.good/macros/program/lpr_macros.te 2004-11-18 08:35:53.906764112 -0500 @@ -103,6 +103,7 @@ # Connect to lpd via a TCP socket. can_tcp_connect($1_lpr_t, lpd_t) +allow $1_lpr_t self:tcp_socket connect; allow $1_lpr_t fs_t:filesystem getattr; # Send SIGHUP to lpd. diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/mozilla_macros.te policy-1.19.2.good/macros/program/mozilla_macros.te --- policy-1.19.2/macros/program/mozilla_macros.te 2004-11-18 09:10:42.462111158 -0500 +++ policy-1.19.2.good/macros/program/mozilla_macros.te 2004-11-18 09:10:17.656909944 -0500 @@ -17,6 +17,7 @@ # define(`mozilla_domain',` x_client_domain($1, mozilla, `, web_client_domain, privlog') +allow $1_mozilla_t self:{ tcp_socket udp_socket } connect; allow $1_mozilla_t sound_device_t:chr_file rw_file_perms; diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/mta_macros.te policy-1.19.2.good/macros/program/mta_macros.te --- policy-1.19.2/macros/program/mta_macros.te 2004-11-18 09:11:15.394395389 -0500 +++ policy-1.19.2.good/macros/program/mta_macros.te 2004-11-18 08:35:53.908763887 -0500 @@ -37,6 +37,7 @@ can_ypbind($1_mail_t) allow $1_mail_t self:unix_dgram_socket create_socket_perms; allow $1_mail_t self:unix_stream_socket create_socket_perms; +allow $1_mail_t self:{ tcp_socket udp_socket } connect; read_locale($1_mail_t) read_sysctl($1_mail_t) diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/ssh_macros.te policy-1.19.2.good/macros/program/ssh_macros.te --- policy-1.19.2/macros/program/ssh_macros.te 2004-11-18 08:14:45.000000000 -0500 +++ policy-1.19.2.good/macros/program/ssh_macros.te 2004-11-18 08:35:53.909763774 -0500 @@ -84,6 +84,7 @@ # to access the network. can_network($1_ssh_t) can_ypbind($1_ssh_t) +allow $1_ssh_t self:{ tcp_socket udp_socket } connect; # Use capabilities. allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/xserver_macros.te policy-1.19.2.good/macros/program/xserver_macros.te --- policy-1.19.2/macros/program/xserver_macros.te 2004-11-18 09:12:18.809240254 -0500 +++ policy-1.19.2.good/macros/program/xserver_macros.te 2004-11-18 08:35:53.909763774 -0500 @@ -53,6 +52,7 @@ uses_shlib($1_xserver_t) can_network($1_xserver_t) can_ypbind($1_xserver_t) +allow $1_xserver_t self:udp_socket connect; allow $1_xserver_t xserver_port_t:tcp_socket name_bind; # for access within the domain diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/ypbind_macros.te policy-1.19.2.good/macros/program/ypbind_macros.te --- policy-1.19.2/macros/program/ypbind_macros.te 2004-11-18 08:14:45.000000000 -0500 +++ policy-1.19.2.good/macros/program/ypbind_macros.te 2004-11-18 08:35:53.910763661 -0500 @@ -4,6 +4,7 @@ can_network($1) r_dir_file($1,var_yp_t) allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind; +allow $1 self:{ tcp_socket udp_socket } connect; dontaudit $1 self:capability net_bind_service; ') diff --exclude-from=exclude -N -u -r policy-1.19.2/net_contexts policy-1.19.2.good/net_contexts --- policy-1.19.2/net_contexts 2004-11-18 08:14:45.000000000 -0500 +++ policy-1.19.2.good/net_contexts 2004-11-18 08:35:53.911763548 -0500 @@ -113,7 +113,6 @@ portcon tcp 631 system_u:object_r:ipp_port_t portcon udp 631 system_u:object_r:ipp_port_t ') -ifdef(`kerberos.te', ` portcon tcp 88 system_u:object_r:kerberos_port_t portcon udp 88 system_u:object_r:kerberos_port_t portcon tcp 749 system_u:object_r:kerberos_admin_port_t @@ -121,7 +120,6 @@ portcon udp 750 system_u:object_r:kerberos_port_t portcon tcp 4444 system_u:object_r:kerberos_master_port_t portcon udp 4444 system_u:object_r:kerberos_master_port_t -') ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') ifdef(`rsync.te', ` portcon tcp 873 system_u:object_r:rsync_port_t diff --exclude-from=exclude -N -u -r policy-1.19.2/types/network.te policy-1.19.2.good/types/network.te --- policy-1.19.2/types/network.te 2004-11-18 08:14:44.000000000 -0500 +++ policy-1.19.2.good/types/network.te 2004-11-18 08:35:53.913763323 -0500 @@ -64,6 +64,13 @@ type mail_port_t, port_type; # +# Ports used to communicate with kerberos server +# +type kerberos_port_t, port_type, reserved_port_type; +type kerberos_admin_port_t, port_type, reserved_port_type; +type kerberos_master_port_t, port_type; + +# # port_t is the default type of INET port numbers. # The *_port_t types are used for specific port # numbers in net_contexts or net_contexts.mls. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: can_network patch. 2004-11-18 14:33 ` Daniel J Walsh @ 2004-11-23 18:52 ` James Carter 2004-11-24 16:22 ` Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-11-23 18:52 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux I am OK with what the changes do, but I would rather see a new macro then to just remove the connect permission from can_network(). On the other hand, it looks like there is 119 uses of can_network() and Dan is only adding 32 lines with connect permissions, so only 25% seem to need the connect permisison. Would anyone be upset if the functionality of can_network() changes? Any comments? On Thu, 2004-11-18 at 09:33, Daniel J Walsh wrote: <snip> > diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/global_macros.te policy-1.19.2.good/macros/global_macros.te > --- policy-1.19.2/macros/global_macros.te 2004-11-18 08:14:45.000000000 -0500 > +++ policy-1.19.2.good/macros/global_macros.te 2004-11-18 08:35:53.865768738 -0500 > @@ -118,64 +118,6 @@ > > ################################# > # > -# can_network(domain) > -# > -# Permissions for accessing the network. > -# See types/network.te for the network types. > -# See net_contexts for security contexts for network entities. > -# > -define(`can_network',` > -# > -# Allow the domain to create and use UDP and TCP sockets. > -# Other kinds of sockets must be separately authorized for use. > -allow $1 self:udp_socket create_socket_perms; > -allow $1 self:tcp_socket create_stream_socket_perms; > - > -# > -# Allow the domain to send or receive using any network interface. > -# netif_type is a type attribute for all network interface types. > -# > -allow $1 netif_type:netif { tcp_send udp_send rawip_send }; > -allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv }; > - > -# > -# Allow the domain to send to or receive from any node. > -# node_type is a type attribute for all node types. > -# > -allow $1 node_type:node { tcp_send udp_send rawip_send }; > -allow $1 node_type:node { tcp_recv udp_recv rawip_recv }; > - > -# > -# Allow the domain to send to or receive from any port. > -# port_type is a type attribute for all port types. > -# > -allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; > - > -# > -# Allow the domain to send NFS client requests via the socket > -# created by mount. > -# > -allow $1 mount_t:udp_socket rw_socket_perms; > - > -# > -# Bind to the default port type. > -# Other port types must be separately authorized. > -# > -#allow $1 port_t:udp_socket name_bind; > -#allow $1 port_t:tcp_socket name_bind; > - > -# XXX Allow binding to any node type. Remove once > -# individual rules have been added to all domains that > -# bind sockets. > -allow $1 node_type: { tcp_socket udp_socket } node_bind; > -# > -# Allow access to network files including /etc/resolv.conf > -# > -allow $1 net_conf_t:file r_file_perms; > -')dnl end can_network definition > - > -################################# > -# > # can_sysctl(domain) > # > # Permissions for modifying sysctl parameters. > diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/network_macros.te policy-1.19.2.good/macros/network_macros.te > --- policy-1.19.2/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500 > +++ policy-1.19.2.good/macros/network_macros.te 2004-11-18 08:35:53.865768738 -0500 > @@ -0,0 +1,103 @@ > +################################# > +# > +# can_network(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`base_can_network',` > +# > +# Allow the domain to create and use $2 sockets. > +# Other kinds of sockets must be separately authorized for use. > +allow $1 self:$2_socket connected_socket_perms; > + > +# > +# Allow the domain to send or receive using any network interface. > +# netif_type is a type attribute for all network interface types. > +# > +allow $1 netif_type:netif { $2_send rawip_send }; > +allow $1 netif_type:netif { $2_recv rawip_recv }; > + > +# > +# Allow the domain to send to or receive from any node. > +# node_type is a type attribute for all node types. > +# > +allow $1 node_type:node { $2_send rawip_send }; > +allow $1 node_type:node { $2_recv rawip_recv }; > + > +# > +# Allow the domain to send to or receive from any port. > +# port_type is a type attribute for all port types. > +# > +ifelse($3, `', ` > +allow $1 port_type:$2_socket { send_msg recv_msg }; > +', ` > +allow $1 $3:$2_socket { send_msg recv_msg }; > +') > + > +# XXX Allow binding to any node type. Remove once > +# individual rules have been added to all domains that > +# bind sockets. > +allow $1 node_type:$2_socket node_bind; > +# > +# Allow access to network files including /etc/resolv.conf > +# > +allow $1 net_conf_t:file r_file_perms; > +')dnl end can_network definition > + > +################################# > +# > +# can_tcp_network(domain) > +# > +# Permissions for accessing a tcp network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_tcp_network',` > +base_can_network($1, tcp, `$2') > +allow $1 self:tcp_socket { listen accept }; > +') > + > +################################# > +# > +# can_udp_network(domain) > +# > +# Permissions for accessing a udp network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_udp_network',` > +base_can_network($1, udp, `$2') > +') > + > +################################# > +# > +# can_network(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network',` > + > +can_tcp_network($1, `$2') > +can_udp_network($1, `$2') > + > +# > +# Allow the domain to send NFS client requests via the socket > +# created by mount. > +# > +allow $1 mount_t:udp_socket rw_socket_perms; > + > +')dnl end can_network definition > + > +define(`can_resolve',` > +can_udp_network($1, `dns_port_t') > +allow $1 self:udp_socket connect; > +') > +define(`can_ldap',` > +can_tcp_network($1, `ldap_port_t') > +allow $1 self:tcp_socket connect; > +') > + -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: can_network patch. 2004-11-23 18:52 ` James Carter @ 2004-11-24 16:22 ` Daniel J Walsh 2004-11-24 19:48 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-11-24 16:22 UTC (permalink / raw) To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux [-- Attachment #1: Type: text/plain, Size: 918 bytes --] * This patch includes the ugliness to get sun's jre plugin to work in Mozilla. (otherwize mozilla crashes). * Removed distro_gentoo checks around proc_net since we want these also. * Futzed around with userhelper so that mozilla can run it. * Cleaned up stunnel.te so it should be usable for gentoo and other distributions. * Some cleanup of apache to allow starting of apache with ssl keys * Includes modification to global_macros to extract out network_macros.te network_macros.te includes can_network - with all the current functionaility I added can_network_server (Has listen and accept, both udp and tcp) can_network_server_udp can_network_server_tcp can_network_client (Has connect, both udp and tcp) can_network_client_tcp can_network_client_udp can_network_udp - Same as can_network but only for udp can_network_tcp - Same as can_network but only for tcp [-- Attachment #2: policy-small.patch --] [-- Type: text/x-patch, Size: 22534 bytes --] diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.19.5/domains/program/ifconfig.te --- nsapolicy/domains/program/ifconfig.te 2004-11-20 22:29:08.000000000 -0500 +++ policy-1.19.5/domains/program/ifconfig.te 2004-11-24 10:57:51.317336099 -0500 @@ -38,12 +38,8 @@ allow ifconfig_t { kernel_t init_t }:fd use; # Access /proc -allow ifconfig_t proc_t:dir r_dir_perms; -allow ifconfig_t proc_t:file r_file_perms; -ifdef(`distro_gentoo', ` -allow ifconfig_t proc_net_t:dir r_dir_perms; -allow ifconfig_t proc_net_t:file r_file_perms; -') +r_dir_file(ifconfig_t, proc_t) +r_dir_file(ifconfig_t, proc_net_t) allow ifconfig_t privfd:fd use; allow ifconfig_t run_init_t:fd use; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.5/domains/program/unused/apache.te --- nsapolicy/domains/program/unused/apache.te 2004-11-24 07:00:50.000000000 -0500 +++ policy-1.19.5/domains/program/unused/apache.te 2004-11-24 10:57:51.318335986 -0500 @@ -322,14 +322,13 @@ application_domain(httpd_helper) role system_r types httpd_helper_t; domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t) - -allow httpd_helper_t devpts_t:dir { search }; -allow httpd_helper_t devtty_t:chr_file rw_file_perms; allow httpd_helper_t httpd_config_t:file { getattr read }; allow httpd_helper_t httpd_log_t:file { append }; + if (httpd_tty_comm) { +allow { httpd_t httpd_helper_t } devpts_t:dir { search }; ifdef(`targeted_policy', ` -allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write }; +allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write }; ') allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; } diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.19.5/domains/program/unused/iptables.te --- nsapolicy/domains/program/unused/iptables.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/domains/program/unused/iptables.te 2004-11-24 10:57:51.319335873 -0500 @@ -54,10 +54,8 @@ ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;') allow iptables_t proc_t:file { getattr read }; -ifdef(`distro_gentoo', ` allow iptables_t proc_net_t:dir { search }; allow iptables_t proc_net_t:file { read getattr }; -') # system-config-network appends to /var/log allow iptables_t var_log_t:file append; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.5/domains/program/unused/rpcd.te --- nsapolicy/domains/program/unused/rpcd.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/domains/program/unused/rpcd.te 2004-11-24 10:59:38.728216864 -0500 @@ -72,9 +72,7 @@ # for /proc/fs/nfs/exports - should we have a new type? allow nfsd_t proc_t:file r_file_perms; -ifdef(`distro_gentoo', ` allow nfsd_t proc_net_t:dir search; -') allow nfsd_t exports_t:file { getattr read }; allow nfsd_t nfsd_fs_t:filesystem mount; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.5/domains/program/unused/snmpd.te --- nsapolicy/domains/program/unused/snmpd.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/domains/program/unused/snmpd.te 2004-11-24 10:57:51.320335760 -0500 @@ -70,11 +70,9 @@ ') allow snmpd_t var_lib_nfs_t:dir search; -ifdef(`distro_gentoo', ` # needed in order to retrieve net traffic data allow snmpd_t proc_net_t:dir search; allow snmpd_t proc_net_t:file r_file_perms; -') dontaudit snmpd_t domain:dir { getattr search }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.19.5/domains/program/unused/stunnel.te --- nsapolicy/domains/program/unused/stunnel.te 2004-11-24 08:36:21.000000000 -0500 +++ policy-1.19.5/domains/program/unused/stunnel.te 2004-11-24 10:57:51.322335534 -0500 @@ -2,6 +2,12 @@ # # Author: petre rodan <kaiowas@gentoo.org> # +ifelse(`distro_gentoo', `', ` + +inetd_child_domain(stunnel, tcp) +allow stunnel_t self:capability sys_chroot; + +', ` type stunnel_port_t, port_type; @@ -9,14 +15,15 @@ can_network(stunnel_t) -type stunnel_etc_t, file_type, sysadmfile; - allow stunnel_t self:capability { setgid setuid sys_chroot }; allow stunnel_t self:fifo_file { read write }; allow stunnel_t self:tcp_socket { read write }; allow stunnel_t self:unix_stream_socket { connect create }; -allow stunnel_t stunnel_port_t:tcp_socket { name_bind }; +r_dir_file(stunnel_t, etc_t) +') +type stunnel_etc_t, file_type, sysadmfile; r_dir_file(stunnel_t, stunnel_etc_t) -r_dir_file(stunnel_t, etc_t) +allow stunnel_t stunnel_port_t:tcp_socket { name_bind }; + diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/watchdog.te policy-1.19.5/domains/program/unused/watchdog.te --- nsapolicy/domains/program/unused/watchdog.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.5/domains/program/unused/watchdog.te 2004-11-24 10:57:51.322335534 -0500 @@ -25,7 +25,6 @@ allow watchdog_t self:unix_stream_socket create_socket_perms; can_network(watchdog_t) can_ypbind(watchdog_t) -allow watchdog_t self:udp_socket create_socket_perms; allow watchdog_t bin_t:dir search; allow watchdog_t bin_t:lnk_file read; allow watchdog_t init_t:process signal; diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.5/domains/user.te --- nsapolicy/domains/user.te 2004-11-20 22:29:08.000000000 -0500 +++ policy-1.19.5/domains/user.te 2004-11-24 10:57:51.323335422 -0500 @@ -53,7 +53,6 @@ # Reach sysadm_t via programs like userhelper/sudo/su undefine(`reach_sysadm') define(`reach_sysadm', ` -ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`sudo.te', `sudo_domain($1)') ifdef(`su.te', ` su_domain($1) diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.5/file_contexts/types.fc --- nsapolicy/file_contexts/types.fc 2004-11-24 07:00:50.000000000 -0500 +++ policy-1.19.5/file_contexts/types.fc 2004-11-24 10:57:51.324335309 -0500 @@ -334,6 +334,9 @@ /usr(/.*)? system_u:object_r:usr_t /usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t /usr(/.*)?/bin(/.*)? system_u:object_r:bin_t /usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.19.5/genfs_contexts --- nsapolicy/genfs_contexts 2004-11-20 22:29:08.000000000 -0500 +++ policy-1.19.5/genfs_contexts 2004-11-24 10:57:51.325335196 -0500 @@ -36,9 +36,7 @@ genfscon proc /kcore system_u:object_r:proc_kcore_t genfscon proc /mdstat system_u:object_r:proc_mdstat_t genfscon proc /mtrr system_u:object_r:mtrr_device_t -ifdef(`distro_gentoo', ` genfscon proc /net system_u:object_r:proc_net_t -') genfscon proc /sysvipc system_u:object_r:proc_t genfscon proc /sys system_u:object_r:sysctl_t genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.5/macros/admin_macros.te --- nsapolicy/macros/admin_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/macros/admin_macros.te 2004-11-24 10:57:51.325335196 -0500 @@ -33,7 +33,6 @@ allow $1_t self:capability setuid; ifdef(`su.te', `su_domain($1)') -ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`sudo.te', `sudo_domain($1)') # Violates the goal of limiting write access to checkpolicy. diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.5/macros/base_user_macros.te --- nsapolicy/macros/base_user_macros.te 2004-11-24 07:00:51.000000000 -0500 +++ policy-1.19.5/macros/base_user_macros.te 2004-11-24 10:57:51.326335083 -0500 @@ -160,6 +160,7 @@ ifdef(`screen.te', `screen_domain($1)') ifdef(`tvtime.te', `tvtime_domain($1)') +ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`mozilla.te', `mozilla_domain($1)') ifdef(`games.te', `games_domain($1)') ifdef(`gpg.te', `gpg_domain($1)') diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.5/macros/global_macros.te --- nsapolicy/macros/global_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/macros/global_macros.te 2004-11-24 10:57:51.327334970 -0500 @@ -118,64 +118,6 @@ ################################# # -# can_network(domain) -# -# Permissions for accessing the network. -# See types/network.te for the network types. -# See net_contexts for security contexts for network entities. -# -define(`can_network',` -# -# Allow the domain to create and use UDP and TCP sockets. -# Other kinds of sockets must be separately authorized for use. -allow $1 self:udp_socket create_socket_perms; -allow $1 self:tcp_socket create_stream_socket_perms; - -# -# Allow the domain to send or receive using any network interface. -# netif_type is a type attribute for all network interface types. -# -allow $1 netif_type:netif { tcp_send udp_send rawip_send }; -allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv }; - -# -# Allow the domain to send to or receive from any node. -# node_type is a type attribute for all node types. -# -allow $1 node_type:node { tcp_send udp_send rawip_send }; -allow $1 node_type:node { tcp_recv udp_recv rawip_recv }; - -# -# Allow the domain to send to or receive from any port. -# port_type is a type attribute for all port types. -# -allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg }; - -# -# Allow the domain to send NFS client requests via the socket -# created by mount. -# -allow $1 mount_t:udp_socket rw_socket_perms; - -# -# Bind to the default port type. -# Other port types must be separately authorized. -# -#allow $1 port_t:udp_socket name_bind; -#allow $1 port_t:tcp_socket name_bind; - -# XXX Allow binding to any node type. Remove once -# individual rules have been added to all domains that -# bind sockets. -allow $1 node_type: { tcp_socket udp_socket } node_bind; -# -# Allow access to network files including /etc/resolv.conf -# -allow $1 net_conf_t:file r_file_perms; -')dnl end can_network definition - -################################# -# # can_sysctl(domain) # # Permissions for modifying sysctl parameters. @@ -215,10 +157,7 @@ allow $1 proc_t:dir r_dir_perms; allow $1 proc_t:notdevfile_class_set r_file_perms; allow $1 proc_mdstat_t:file r_file_perms; -ifdef(`distro_gentoo', ` -allow $1 proc_net_t:dir r_dir_perms; -allow $1 proc_net_t:file r_file_perms; -') +r_dir_file($1, proc_net_t) # Stat /proc/kmsg and /proc/kcore. allow $1 proc_fs:file stat_file_perms; @@ -558,7 +497,7 @@ # pseudo filesystem types that are applied to both the filesystem # and its files. allow $1 { unlabeled_t fs_type }:dir_file_class_set *; -allow $1 proc_fs: file *; +allow $1 proc_fs:{ dir file } *; # For /proc/pid r_dir_file($1,domain) diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.5/macros/network_macros.te --- nsapolicy/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.19.5/macros/network_macros.te 2004-11-24 10:57:51.328334858 -0500 @@ -0,0 +1,189 @@ +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`base_can_network',` +# +# Allow the domain to create and use $2 sockets. +# Other kinds of sockets must be separately authorized for use. +allow $1 self:$2_socket connected_socket_perms; + +# +# Allow the domain to send or receive using any network interface. +# netif_type is a type attribute for all network interface types. +# +allow $1 netif_type:netif { $2_send rawip_send }; +allow $1 netif_type:netif { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any node. +# node_type is a type attribute for all node types. +# +allow $1 node_type:node { $2_send rawip_send }; +allow $1 node_type:node { $2_recv rawip_recv }; + +# +# Allow the domain to send to or receive from any port. +# port_type is a type attribute for all port types. +# +ifelse($3, `', ` +allow $1 port_type:$2_socket { send_msg recv_msg }; +', ` +allow $1 $3:$2_socket { send_msg recv_msg }; +') + +# XXX Allow binding to any node type. Remove once +# individual rules have been added to all domains that +# bind sockets. +allow $1 node_type:$2_socket node_bind; +# +# Allow access to network files including /etc/resolv.conf +# +allow $1 net_conf_t:file r_file_perms; +')dnl end can_network definition + +################################# +# +# can_network_server_tcp(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server_tcp',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { listen accept }; +') + +################################# +# +# can_network_server_udp(domain) +# +# Permissions for accessing a udp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server_udp',` +base_can_network($1, udp, `$2') +') + +################################# +# +# can_network_client_tcp(domain) +# +# Permissions for accessing a tcp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_client_tcp',` +base_can_network($1, tcp, `$2') +allow $1 self:tcp_socket { connect }; +') + +################################# +# +# can_network_client_udp(domain) +# +# Permissions for accessing a udp network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_client_udp',` +base_can_network($1, udp, `$2') +allow $1 self:udp_socket { connect }; +') + +################################# +# +# can_network_tcp(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_tcp',` + +can_network_server_tcp($1, `$2') +can_network_client_tcp($1, `$2') + +') + +################################# +# +# can_network_udp(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_udp',` + +can_network_client_udp($1, `$2') +can_network_server_udp($1, `$2') + +') + +################################# +# +# can_network_server(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_server',` + +can_network_server_tcp($1, `$2') +can_network_server_udp($1, `$2') + +')dnl end can_network_server definition + + +################################# +# +# can_network_client(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network_client',` + +can_network_client_tcp($1, `$2') +can_network_client_udp($1, `$2') + +')dnl end can_network_client definition + +################################# +# +# can_network(domain) +# +# Permissions for accessing the network. +# See types/network.te for the network types. +# See net_contexts for security contexts for network entities. +# +define(`can_network',` + +can_network_tcp($1, `$2') +can_network_udp($1, `$2') + +# +# Allow the domain to send NFS client requests via the socket +# created by mount. +# +allow $1 mount_t:udp_socket rw_socket_perms; + +')dnl end can_network definition + +define(`can_resolve',` +can_network_client_udp($1, `dns_port_t') +') + +define(`can_ldap',` +can_network_client_tcp($1, `ldap_port_t') +') + diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.5/macros/program/apache_macros.te --- nsapolicy/macros/program/apache_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/macros/program/apache_macros.te 2004-11-24 10:57:51.329334745 -0500 @@ -42,6 +42,7 @@ allow httpd_$1_script_t fs_t:filesystem getattr; allow httpd_$1_script_t self:unix_stream_socket create_socket_perms; allow httpd_$1_script_t proc_t:file { getattr read }; +allow httpd_$1_script_t httpd_t:unix_stream_socket { read write }; allow httpd_$1_script_t { self proc_t }:dir r_dir_perms; allow httpd_$1_script_t { self proc_t }:lnk_file read; @@ -89,9 +90,7 @@ # Allow the script interpreters to run the scripts. So # the perl executable will be able to run a perl script ######################################################################### -can_exec(httpd_$1_script_t, { bin_t shell_exec_t }) -allow httpd_$1_script_t { bin_t sbin_t }:dir { getattr search }; -allow httpd_$1_script_t { sbin_t bin_t }:lnk_file read; +can_exec_any(httpd_$1_script_t) allow httpd_$1_script_t etc_t:file { getattr read }; ############################################################################ @@ -117,10 +116,10 @@ domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t) create_dir_file(httpd_t, httpdcontent) ', ` -create_dir_file(httpd_$1_script_t, httpdcontent) can_exec(httpd_$1_script_t, httpdcontent ) domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t) ') +create_dir_file(httpd_$1_script_t, httpdcontent) } ifelse($1, sys, ` @@ -167,6 +166,9 @@ } ')dnl end ifelse sys +dontaudit httpd_$1_script_t sysctl_kernel_t:dir search; +dontaudit httpd_$1_script_t sysctl_t:dir search; + ################################################################ # Allow the web server to run scripts and serve pages ############################################################## diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.19.5/macros/program/chkpwd_macros.te --- nsapolicy/macros/program/chkpwd_macros.te 2004-11-18 08:13:59.000000000 -0500 +++ policy-1.19.5/macros/program/chkpwd_macros.te 2004-11-24 10:57:51.330334632 -0500 @@ -22,6 +22,8 @@ can_getcon($1_chkpwd_t) can_ypbind($1_chkpwd_t) can_kerberos($1_chkpwd_t) +can_ldap($1_chkpwd_t) +can_resolve($1_chkpwd_t) # Transition from the user domain to this domain. ifelse($1, system, ` domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) @@ -31,6 +33,8 @@ dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; can_ypbind(auth_chkpwd) can_kerberos(auth_chkpwd) +can_ldap(auth_chkpwd) +can_resolve(auth_chkpwd) ', ` domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) allow $1_t sbin_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.5/macros/program/kerberos_macros.te --- nsapolicy/macros/program/kerberos_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.5/macros/program/kerberos_macros.te 2004-11-24 10:57:51.331334519 -0500 @@ -1,7 +1,8 @@ define(`can_kerberos',` ifdef(`kerberos.te',` if (allow_kerberos) { -can_network($1) +can_network_client($1, `kerberos_port_t') +can_resolve($1) dontaudit $1 krb5_conf_t:file write; allow $1 krb5_conf_t:file { getattr read }; } diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.5/macros/program/mozilla_macros.te --- nsapolicy/macros/program/mozilla_macros.te 2004-11-24 07:00:51.000000000 -0500 +++ policy-1.19.5/macros/program/mozilla_macros.te 2004-11-24 10:57:51.332334406 -0500 @@ -29,7 +29,8 @@ allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read }; allow $1_mozilla_t var_lib_t:file { getattr read }; -allow $1_mozilla_t urandom_device_t:chr_file { getattr ioctl read }; +allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append }; + allow $1_mozilla_t self:socket create_socket_perms; allow $1_mozilla_t self:file { getattr read }; @@ -117,8 +118,20 @@ dontaudit $1_mozilla_t file_type:dir getattr; allow $1_mozilla_t self:sem create_sem_perms; +ifdef(`userhelper.te', ` +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) +') dontaudit $1_mozilla_t selinux_config_t:dir search; +# +# Rules needed to run java apps +# +allow $1_mozilla_t ld_so_cache_t:file execute; +allow $1_mozilla_t locale_t:file execute; +dontaudit $1_mozilla_t *:{ chr_file file } execute; +dontaudit $1_t ld_so_cache_t:file execute; +dontaudit $1_t locale_t:file execute; + ifdef(`xdm.te', ` allow $1_mozilla_t xdm_t:fifo_file { write read }; allow $1_mozilla_t xdm_tmp_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.5/macros/program/userhelper_macros.te --- nsapolicy/macros/program/userhelper_macros.te 2004-11-24 07:00:51.000000000 -0500 +++ policy-1.19.5/macros/program/userhelper_macros.te 2004-11-24 10:57:51.332334406 -0500 @@ -143,8 +143,4 @@ allow $1_userhelper_t pam_var_console_t:dir { search }; ') -ifdef(`mozilla.te', ` -domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) -') - ')dnl end userhelper macro diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/vmware_macros.te policy-1.19.5/macros/program/vmware_macros.te --- nsapolicy/macros/program/vmware_macros.te 2004-11-20 22:29:10.000000000 -0500 +++ policy-1.19.5/macros/program/vmware_macros.te 2004-11-24 10:57:51.333334293 -0500 @@ -55,10 +55,8 @@ # Access /proc r_dir_file($1_vmware_t, proc_t) -ifdef(`distro_gentoo', ` allow $1_vmware_t proc_net_t:dir search; allow $1_vmware_t proc_net_t:file { getattr read }; -') # Access to some files in the user home directory r_dir_file($1_vmware_t, $1_home_t) diff --exclude-from=exclude -N -u -r nsapolicy/types/procfs.te policy-1.19.5/types/procfs.te --- nsapolicy/types/procfs.te 2004-11-20 22:29:10.000000000 -0500 +++ policy-1.19.5/types/procfs.te 2004-11-24 10:57:51.334334181 -0500 @@ -12,14 +12,13 @@ # proc_kmsg_t is the type of /proc/kmsg. # proc_kcore_t is the type of /proc/kcore. # proc_mdstat_t is the type of /proc/mdstat. +# proc_net_t is the type of /proc/net. # type proc_t, fs_type, proc_fs, root_dir_type; type proc_kmsg_t, proc_fs; type proc_kcore_t, proc_fs; type proc_mdstat_t, proc_fs; -ifdef(`distro_gentoo', ` type proc_net_t, proc_fs; -') # # sysctl_t is the type of /proc/sys. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: can_network patch. 2004-11-24 16:22 ` Daniel J Walsh @ 2004-11-24 19:48 ` James Carter 2004-11-30 21:19 ` Reissue previous patch Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-11-24 19:48 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux Merged with some changes. After talking with Steve, I removed can_network_server_udp and can_network_client_udp, and just used can_network_udp. There is no security gained for udp in not allowing the connect if they already can send and receive. Also removed, for now, the mozilla_macros.te chunk that allowed mozilla to execute userhelper and the rules giving mozilla more execute permissions. I missed the userhelper stuff yesterday. Letting mozilla run userhelper has some serious security implications. Isn't it possible to give the JRE the execute permisisons without giving it to $1_mozilla_t? On Wed, 2004-11-24 at 11:22, Daniel J Walsh wrote: > * This patch includes the ugliness to get sun's jre plugin to work > in Mozilla. (otherwize mozilla crashes). > * Removed distro_gentoo checks around proc_net since we want these also. > * Futzed around with userhelper so that mozilla can run it. > * Cleaned up stunnel.te so it should be usable for gentoo and other > distributions. > * Some cleanup of apache to allow starting of apache with ssl keys > * Includes modification to global_macros to extract out > network_macros.te > > > network_macros.te includes > > can_network - with all the current functionaility > > I added > > can_network_server (Has listen and accept, both udp and tcp) > can_network_server_udp > can_network_server_tcp > > can_network_client (Has connect, both udp and tcp) > can_network_client_tcp > can_network_client_udp > > can_network_udp - Same as can_network but only for udp > can_network_tcp - Same as can_network but only for tcp > > > ______________________________________________________________________ <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.5/macros/network_macros.te > --- nsapolicy/macros/network_macros.te 1969-12-31 19:00:00.000000000 -0500 > +++ policy-1.19.5/macros/network_macros.te 2004-11-24 10:57:51.328334858 -0500 > @@ -0,0 +1,189 @@ > +################################# > +# > +# can_network(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`base_can_network',` > +# > +# Allow the domain to create and use $2 sockets. > +# Other kinds of sockets must be separately authorized for use. > +allow $1 self:$2_socket connected_socket_perms; > + > +# > +# Allow the domain to send or receive using any network interface. > +# netif_type is a type attribute for all network interface types. > +# > +allow $1 netif_type:netif { $2_send rawip_send }; > +allow $1 netif_type:netif { $2_recv rawip_recv }; > + > +# > +# Allow the domain to send to or receive from any node. > +# node_type is a type attribute for all node types. > +# > +allow $1 node_type:node { $2_send rawip_send }; > +allow $1 node_type:node { $2_recv rawip_recv }; > + > +# > +# Allow the domain to send to or receive from any port. > +# port_type is a type attribute for all port types. > +# > +ifelse($3, `', ` > +allow $1 port_type:$2_socket { send_msg recv_msg }; > +', ` > +allow $1 $3:$2_socket { send_msg recv_msg }; > +') > + > +# XXX Allow binding to any node type. Remove once > +# individual rules have been added to all domains that > +# bind sockets. > +allow $1 node_type:$2_socket node_bind; > +# > +# Allow access to network files including /etc/resolv.conf > +# > +allow $1 net_conf_t:file r_file_perms; > +')dnl end can_network definition > + > +################################# > +# > +# can_network_server_tcp(domain) > +# > +# Permissions for accessing a tcp network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_server_tcp',` > +base_can_network($1, tcp, `$2') > +allow $1 self:tcp_socket { listen accept }; > +') > + > +################################# > +# > +# can_network_server_udp(domain) > +# > +# Permissions for accessing a udp network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_server_udp',` > +base_can_network($1, udp, `$2') > +') > + > +################################# > +# > +# can_network_client_tcp(domain) > +# > +# Permissions for accessing a tcp network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_client_tcp',` > +base_can_network($1, tcp, `$2') > +allow $1 self:tcp_socket { connect }; > +') > + > +################################# > +# > +# can_network_client_udp(domain) > +# > +# Permissions for accessing a udp network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_client_udp',` > +base_can_network($1, udp, `$2') > +allow $1 self:udp_socket { connect }; > +') > + > +################################# > +# > +# can_network_tcp(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_tcp',` > + > +can_network_server_tcp($1, `$2') > +can_network_client_tcp($1, `$2') > + > +') > + > +################################# > +# > +# can_network_udp(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_udp',` > + > +can_network_client_udp($1, `$2') > +can_network_server_udp($1, `$2') > + > +') > + > +################################# > +# > +# can_network_server(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_server',` > + > +can_network_server_tcp($1, `$2') > +can_network_server_udp($1, `$2') > + > +')dnl end can_network_server definition > + > + > +################################# > +# > +# can_network_client(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network_client',` > + > +can_network_client_tcp($1, `$2') > +can_network_client_udp($1, `$2') > + > +')dnl end can_network_client definition > + > +################################# > +# > +# can_network(domain) > +# > +# Permissions for accessing the network. > +# See types/network.te for the network types. > +# See net_contexts for security contexts for network entities. > +# > +define(`can_network',` > + > +can_network_tcp($1, `$2') > +can_network_udp($1, `$2') > + > +# > +# Allow the domain to send NFS client requests via the socket > +# created by mount. > +# > +allow $1 mount_t:udp_socket rw_socket_perms; > + > +')dnl end can_network definition > + > +define(`can_resolve',` > +can_network_client_udp($1, `dns_port_t') > +') > + > +define(`can_ldap',` > +can_network_client_tcp($1, `ldap_port_t') > +') > + <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.5/macros/program/mozilla_macros.te > --- nsapolicy/macros/program/mozilla_macros.te 2004-11-24 07:00:51.000000000 -0500 > +++ policy-1.19.5/macros/program/mozilla_macros.te 2004-11-24 10:57:51.332334406 -0500 > @@ -29,7 +29,8 @@ > > allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read }; > allow $1_mozilla_t var_lib_t:file { getattr read }; > -allow $1_mozilla_t urandom_device_t:chr_file { getattr ioctl read }; > +allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append }; > + > allow $1_mozilla_t self:socket create_socket_perms; > allow $1_mozilla_t self:file { getattr read }; > > @@ -117,8 +118,20 @@ > dontaudit $1_mozilla_t file_type:dir getattr; > allow $1_mozilla_t self:sem create_sem_perms; > > +ifdef(`userhelper.te', ` > +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) > +') > dontaudit $1_mozilla_t selinux_config_t:dir search; > > +# > +# Rules needed to run java apps > +# > +allow $1_mozilla_t ld_so_cache_t:file execute; > +allow $1_mozilla_t locale_t:file execute; > +dontaudit $1_mozilla_t *:{ chr_file file } execute; > +dontaudit $1_t ld_so_cache_t:file execute; > +dontaudit $1_t locale_t:file execute; > + > ifdef(`xdm.te', ` > allow $1_mozilla_t xdm_t:fifo_file { write read }; > allow $1_mozilla_t xdm_tmp_t:dir search; -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Reissue previous patch 2004-11-24 19:48 ` James Carter @ 2004-11-30 21:19 ` Daniel J Walsh 2004-12-02 13:54 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-11-30 21:19 UTC (permalink / raw) To: jwcart2; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 40 bytes --] Several can_network_clients were wrong [-- Attachment #2: policy-20041130.patch --] [-- Type: text/x-patch, Size: 84255 bytes --] diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.19.7/attrib.te --- nsapolicy/attrib.te 2004-11-18 08:13:57.000000000 -0500 +++ policy-1.19.7/attrib.te 2004-11-30 11:29:15.000000000 -0500 @@ -225,14 +225,6 @@ # overall filesystem statistics. attribute fs_type; -# The root_dir_type attribute identifies all types assigned to -# root directories of filesystems (not limited to persistent -# filesystems). -# XXX This attribute was used to grant mountassociate permission, -# XXX but this permission is no longer defined. We can likely -# XXX remove this attribute. -attribute root_dir_type; - # The exec_type attribute identifies all types assigned # to entrypoint executables for domains. This attribute is # used in TE rules and assertions that should be applied to all diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.7/domains/program/crond.te --- nsapolicy/domains/program/crond.te 2004-11-18 08:13:57.000000000 -0500 +++ policy-1.19.7/domains/program/crond.te 2004-11-30 11:28:52.000000000 -0500 @@ -147,7 +147,7 @@ ') # Stat any file and search any directory for find. -allow system_crond_t { root_dir_type file_type fs_type }:notdevfile_class_set getattr; +allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr; allow system_crond_t device_type:{ chr_file blk_file } getattr; allow system_crond_t file_type:dir { read search getattr }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.7/domains/program/ldconfig.te --- nsapolicy/domains/program/ldconfig.te 2004-11-20 22:29:08.000000000 -0500 +++ policy-1.19.7/domains/program/ldconfig.te 2004-11-30 06:18:45.000000000 -0500 @@ -42,3 +42,4 @@ allow ldconfig_t { var_lib_t bin_t }:dir search; ') +allow ldconfig_t proc_t:file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.19.7/domains/program/modutil.te --- nsapolicy/domains/program/modutil.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/modutil.te 2004-11-30 06:18:45.000000000 -0500 @@ -77,7 +77,6 @@ ifdef(`unlimitedUtils', ` unconfined_domain(insmod_t) ') -can_network(insmod_t) can_ypbind(insmod_t) uses_shlib(insmod_t) read_locale(insmod_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.19.7/domains/program/mount.te --- nsapolicy/domains/program/mount.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/mount.te 2004-11-30 06:18:45.000000000 -0500 @@ -64,7 +64,7 @@ ifdef(`portmap.te', ` # for nfs -can_network(mount_t) +can_network_server(mount_t) can_ypbind(mount_t) allow mount_t port_t:{ tcp_socket udp_socket } name_bind; allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.19.7/domains/program/syslogd.te --- nsapolicy/domains/program/syslogd.te 2004-11-20 22:29:08.000000000 -0500 +++ policy-1.19.7/domains/program/syslogd.te 2004-11-30 06:18:45.000000000 -0500 @@ -20,7 +20,7 @@ ') # can_network is for the UDP socket -can_network(syslogd_t) +can_network_udp(syslogd_t) can_ypbind(syslogd_t) r_dir_file(syslogd_t, sysfs_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.19.7/domains/program/unused/amanda.te --- nsapolicy/domains/program/unused/amanda.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/amanda.te 2004-11-30 06:18:45.000000000 -0500 @@ -170,7 +170,7 @@ # Network and process communication ################################### -can_network(amanda_t); +can_network_server(amanda_t); can_ypbind(amanda_t); allow amanda_t self:fifo_file { getattr read write ioctl lock }; @@ -247,7 +247,7 @@ # amrecover network and process communication ############################################# -can_network(amanda_recover_t); +can_network_server(amanda_recover_t); can_ypbind(amanda_recover_t); allow amanda_recover_t self:fifo_file { getattr ioctl read write }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.19.7/domains/program/unused/anaconda.te --- nsapolicy/domains/program/unused/anaconda.te 2004-11-18 08:13:57.000000000 -0500 +++ policy-1.19.7/domains/program/unused/anaconda.te 2004-11-30 07:09:53.000000000 -0500 @@ -12,241 +12,36 @@ # type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted; role system_r types anaconda_t; -uses_shlib(anaconda_t); +unconfined_domain(anaconda_t); -# for halt to down interfaces -allow anaconda_t self:udp_socket create_socket_perms; - -# read files in /etc/init.d -allow anaconda_t etc_t:lnk_file r_file_perms; - -allow anaconda_t self:passwd rootok; -read_locale(anaconda_t) - -r_dir_file(anaconda_t, usr_t) - -# Read system information files in /proc. -allow anaconda_t proc_t:dir r_dir_perms; -allow anaconda_t proc_t:{ file lnk_file } r_file_perms; - -# Allow IPC with self -allow anaconda_t self:unix_dgram_socket create_socket_perms; -allow anaconda_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow anaconda_t self:fifo_file rw_file_perms; - -# Read the root directory of a usbdevfs filesystem, and -# the devices and drivers files. Permit stating of the -# device nodes, but nothing else. -allow anaconda_t usbdevfs_t:dir r_dir_perms; -allow anaconda_t usbdevfs_t:lnk_file r_file_perms; -allow anaconda_t usbdevfs_t:file getattr; - -# allow anaconda to fork and renice itself -allow anaconda_t self:process { fork sigchld setsched setpgid }; - -# Can create ptys for open_init_pty -can_create_pty(anaconda) - -tmp_domain(anaconda) - -var_run_domain(anaconda) -allow anaconda_t var_run_t:{ file sock_file lnk_file } unlink; -allow anaconda_t var_run_t:dir { create rmdir }; - -allow anaconda_t framebuf_device_t:chr_file r_file_perms; - -# Use capabilities. -allow anaconda_t self:capability ~{ sys_admin sys_module }; - -# Use system operations. -allow anaconda_t kernel_t:system *; - -# Run helper programs in the anaconda_t domain. -allow anaconda_t { bin_t sbin_t }:dir r_dir_perms; -allow anaconda_t { bin_t sbin_t }:lnk_file read; -can_exec(anaconda_t, etc_t) -can_exec(anaconda_t, lib_t) -can_exec(anaconda_t, bin_t) -can_exec(anaconda_t, sbin_t) -can_exec(anaconda_t, exec_type) -# -# These rules are here to allow init scripts to su -# role system_r types ldconfig_t; domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t) role system_r types sysadm_su_t; domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t) -allow anaconda_t self:passwd rootok; - -# read /lib/modules -allow anaconda_t modules_object_t:dir { search read }; - -# Read conf.modules. -allow anaconda_t modules_conf_t:file r_file_perms; # Run other rc scripts in the anaconda_t domain. domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t) -# Run init (telinit) in the anaconda_t domain. -can_exec(anaconda_t, init_exec_t) - -# Communicate with the init process. -allow anaconda_t initctl_t:fifo_file rw_file_perms; - -# Read /proc/PID directories for all domains. -can_ps(anaconda_t, domain) -allow anaconda_t domain:process getsession; - -# Mount and unmount file systems. -allow anaconda_t fs_type:filesystem mount_fs_perms; -allow anaconda_t file_t:dir { read search getattr mounton }; - -# Update /etc/ld.so.cache. -allow anaconda_t ld_so_cache_t:file rw_file_perms; - -ifdef(`sendmail.te', ` -# Update /etc/mail. -allow anaconda_t etc_mail_t:file { setattr rw_file_perms }; -') - -# Update /var/log/wtmp and /var/log/dmesg. -allow anaconda_t wtmp_t:file { setattr rw_file_perms }; -allow anaconda_t var_log_t:file { setattr rw_file_perms }; -allow anaconda_t lastlog_t:file { setattr rw_file_perms }; domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t) -# remove old locks -allow anaconda_t lockfile:dir rw_dir_perms; -allow anaconda_t lockfile:file { getattr unlink }; - -# Access /var/lib/random-seed. -allow anaconda_t var_lib_t:file rw_file_perms; -allow anaconda_t var_lib_t:file unlink; - -# Create lock file. -allow anaconda_t var_lock_t:dir create_dir_perms; -allow anaconda_t var_lock_t:file create_file_perms; - -# Set the clock. -allow anaconda_t clock_device_t:devfile_class_set rw_file_perms; - -# Kill all processes. -allow anaconda_t domain:process signal_perms; - -# Write to /dev/urandom. -allow anaconda_t urandom_device_t:chr_file rw_file_perms; - -# Set device ownerships/modes. -allow anaconda_t framebuf_device_t:lnk_file read; -allow anaconda_t framebuf_device_t:devfile_class_set setattr; -allow anaconda_t misc_device_t:devfile_class_set setattr; -allow anaconda_t device_t:devfile_class_set setattr; -allow anaconda_t fixed_disk_device_t:devfile_class_set setattr; -allow anaconda_t removable_device_t:devfile_class_set setattr; - -# Stat any file. -allow anaconda_t file_type:file_class_set getattr; -allow anaconda_t file_type:dir { search getattr }; - -# Read and write console and ttys. -allow anaconda_t devtty_t:chr_file rw_file_perms; -allow anaconda_t console_device_t:chr_file rw_file_perms; -allow anaconda_t tty_device_t:chr_file rw_file_perms; -allow anaconda_t ttyfile:chr_file rw_file_perms; -allow anaconda_t ptyfile:chr_file rw_file_perms; - -# Reset tty labels. -allow anaconda_t ttyfile:chr_file relabelfrom; -allow anaconda_t tty_device_t:chr_file relabelto; - ifdef(`distro_redhat', ` -# Create and read /boot/kernel.h and /boot/System.map. -# Redhat systems typically create this file at boot time. -allow anaconda_t boot_t:lnk_file rw_file_perms; file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file) ') -allow anaconda_t system_map_t:{ file lnk_file } r_file_perms; - -# Unlink /halt. -allow anaconda_t root_t:dir { search write remove_name }; -allow anaconda_t root_t:file { unlink write }; - -allow anaconda_t var_spool_t:file rw_file_perms; - -# Allow access to the sysadm TTYs. Note that this will give access to the -# TTYs to any process in the anaconda_t domain. Therefore, daemons and such -# started from init should be placed in their own domain. -allow anaconda_t admin_tty_type:chr_file rw_file_perms; - -# Access sound device and files. -allow anaconda_t sound_device_t:chr_file { setattr ioctl read write }; -ifdef(`sound.te', `allow anaconda_t sound_file_t:file { setattr write };') - -ifdef(`distro_redhat', ` ifdef(`rpm.te', ` # Access /var/lib/rpm. -allow anaconda_t rpm_var_lib_t:dir rw_dir_perms; -allow anaconda_t rpm_var_lib_t:file create_file_perms; domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t) ') -') -# Update /var/log/ksyms.*. -# badly named type, /var/log/boot gets the same name too which is confusing file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file) -ifdef(`apmd.te', ` -# Access /dev/apm_bios. -allow anaconda_t apm_bios_t:chr_file { setattr getattr };') - -ifdef(`lpd.te', ` -# Read printconf files. -allow anaconda_t printconf_t:dir r_dir_perms; -allow anaconda_t printconf_t:file r_file_perms;') - -# Create and delete /.autofsck -allow anaconda_t root_t:dir { search write add_name }; -allow anaconda_t root_t:file { create setattr unlink getattr }; -allow anaconda_t file_t:file { unlink getattr }; - -# Read user home directories. -allow anaconda_t { home_root_t home_type }:dir r_dir_perms; -allow anaconda_t home_type:file r_file_perms; - -# for system start scripts -allow anaconda_t pidfile:dir rw_dir_perms; -allow anaconda_t pidfile:sock_file unlink; -rw_dir_create_file(anaconda_t, var_lib_t) - -# allow start scripts to clean /tmp -allow anaconda_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir }; -allow anaconda_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink }; - -# for lsof which is used by alsa shutdown -dontaudit anaconda_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr; -dontaudit anaconda_t proc_kmsg_t:file getattr; - -# Rsync -dontaudit anaconda_t mail_spool_t:lnk_file read; - -allow anaconda_t sysfs_t:dir { getattr read search }; -allow anaconda_t sysfs_t:file { getattr read }; -allow anaconda_t sysfs_t:lnk_file { getattr read }; -allow anaconda_t udev_runtime_t:file rw_file_perms; -allow anaconda_t device_type:chr_file setattr; - -# for lsof in shutdown scripts -allow anaconda_t security_t:dir getattr; ifdef(`udev.te', ` domain_auto_trans(anaconda_t, udev_exec_t, udev_t) ') -can_kerberos(anaconda_t) ifdef(`ssh-agent.te', ` role system_r types sysadm_ssh_agent_t; domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) ') domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t) -unconfined_domain(anaconda_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.7/domains/program/unused/arpwatch.te --- nsapolicy/domains/program/unused/arpwatch.te 2004-11-20 22:29:08.000000000 -0500 +++ policy-1.19.7/domains/program/unused/arpwatch.te 2004-11-30 06:18:45.000000000 -0500 @@ -18,7 +18,7 @@ allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; -can_network(arpwatch_t) +can_network_server(arpwatch_t) allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms; allow arpwatch_t self:udp_socket create_socket_perms; allow arpwatch_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/asterisk.te policy-1.19.7/domains/program/unused/asterisk.te --- nsapolicy/domains/program/unused/asterisk.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/asterisk.te 2004-11-30 06:18:45.000000000 -0500 @@ -39,7 +39,7 @@ # are labeled usr_t allow asterisk_t usr_t:file r_file_perms; -can_network(asterisk_t) +can_network_server(asterisk_t) can_ypbind(asterisk_t) allow asterisk_t etc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.19.7/domains/program/unused/automount.te --- nsapolicy/domains/program/unused/automount.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/automount.te 2004-11-30 06:18:45.000000000 -0500 @@ -33,7 +33,7 @@ # because config files can be shell scripts can_exec(automount_t, { etc_t automount_etc_t }) -can_network(automount_t) +can_network_server(automount_t) can_ypbind(automount_t) ifdef(`fsadm.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.19.7/domains/program/unused/backup.te --- nsapolicy/domains/program/unused/backup.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/backup.te 2004-11-30 06:18:45.000000000 -0500 @@ -26,7 +26,7 @@ # for SSP allow backup_t urandom_device_t:chr_file read; -can_network(backup_t) +can_network_server(backup_t) can_ypbind(backup_t) uses_shlib(backup_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.19.7/domains/program/unused/bluetooth.te --- nsapolicy/domains/program/unused/bluetooth.te 2004-11-18 08:13:57.000000000 -0500 +++ policy-1.19.7/domains/program/unused/bluetooth.te 2004-11-30 06:18:45.000000000 -0500 @@ -20,7 +20,7 @@ rw_dir_create_file(bluetooth_t, var_lock_t) # Use the network. -can_network(bluetooth_t) +can_network_server(bluetooth_t) can_ypbind(bluetooth_t) ifdef(`dbusd.te', ` dbusd_client(system, bluetooth) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/calamaris.te policy-1.19.7/domains/program/unused/calamaris.te --- nsapolicy/domains/program/unused/calamaris.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.7/domains/program/unused/calamaris.te 2004-11-30 06:18:45.000000000 -0500 @@ -59,7 +59,7 @@ allow calamaris_t etc_t:lnk_file read; dontaudit calamaris_t etc_t:file ioctl; dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search }; -can_network(calamaris_t) +can_network_server(calamaris_t) can_ypbind(calamaris_t) ifdef(`named.te', ` can_udp_send(calamaris_t, named_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.19.7/domains/program/unused/canna.te --- nsapolicy/domains/program/unused/canna.te 2004-10-19 16:03:06.000000000 -0400 +++ policy-1.19.7/domains/program/unused/canna.te 2004-11-30 06:18:45.000000000 -0500 @@ -28,7 +28,7 @@ rw_dir_create_file(canna_t, canna_var_lib_t) -can_network(canna_t) +can_network_tcp(canna_t) can_ypbind(canna_t) allow userdomain canna_var_run_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ciped.te policy-1.19.7/domains/program/unused/ciped.te --- nsapolicy/domains/program/unused/ciped.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/ciped.te 2004-11-30 06:18:45.000000000 -0500 @@ -7,7 +7,7 @@ type cipe_port_t, port_type; -can_network(ciped_t) +can_network_server(ciped_t) can_ypbind(ciped_t) allow ciped_t cipe_port_t:udp_socket name_bind; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.19.7/domains/program/unused/clamav.te --- nsapolicy/domains/program/unused/clamav.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/clamav.te 2004-11-30 06:18:45.000000000 -0500 @@ -22,7 +22,7 @@ allow freshclam_t sysctl_kernel_t:dir search; allow freshclam_t sysctl_kernel_t:file { getattr read }; -can_network(freshclam_t) +can_network_server(freshclam_t) can_ypbind(freshclam_t) # Access virus signatures diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.19.7/domains/program/unused/courier.te --- nsapolicy/domains/program/unused/courier.te 2004-11-18 08:13:57.000000000 -0500 +++ policy-1.19.7/domains/program/unused/courier.te 2004-11-30 06:18:45.000000000 -0500 @@ -46,7 +46,7 @@ allow courier_$1_t self:capability dac_override; # Use the network. -can_network(courier_$1_t) +can_network_server(courier_$1_t) allow courier_$1_t self:fifo_file { read write getattr }; allow courier_$1_t self:unix_stream_socket create_stream_socket_perms; allow courier_$1_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.7/domains/program/unused/cups.te --- nsapolicy/domains/program/unused/cups.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/cups.te 2004-11-30 06:20:21.000000000 -0500 @@ -191,7 +191,7 @@ rw_dir_create_file(cupsd_config_t, cupsd_etc_t) rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t) -can_network(cupsd_config_t) +can_network_server_tcp(cupsd_config_t) can_tcp_connect(cupsd_config_t, cupsd_t) allow cupsd_config_t self:fifo_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dante.te policy-1.19.7/domains/program/unused/dante.te --- nsapolicy/domains/program/unused/dante.te 2004-11-19 14:25:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/dante.te 2004-11-30 06:18:45.000000000 -0500 @@ -7,7 +7,7 @@ type socks_port_t, port_type; daemon_domain(dante) -can_network(dante_t) +can_network_server(dante_t) allow dante_t self:fifo_file { read write }; allow dante_t self:capability { setuid }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.19.7/domains/program/unused/ddclient.te --- nsapolicy/domains/program/unused/ddclient.te 2004-10-29 14:33:17.000000000 -0400 +++ policy-1.19.7/domains/program/unused/ddclient.te 2004-11-30 06:18:45.000000000 -0500 @@ -29,7 +29,7 @@ allow ddclient_t sysctl_net_t:dir { search }; # network-related goodies -can_network(ddclient_t) +can_network_server(ddclient_t) allow ddclient_t self:unix_dgram_socket create_socket_perms; # allow access to ddclient.conf and ddclient.cache diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddt-client.te policy-1.19.7/domains/program/unused/ddt-client.te --- nsapolicy/domains/program/unused/ddt-client.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/ddt-client.te 2004-11-30 06:18:45.000000000 -0500 @@ -23,7 +23,7 @@ file_type_trans(ddt_client_t, var_lib_t, var_lib_ddt_client_t) # Use the network. -can_network(ddt_client_t) +can_network_server(ddt_client_t) can_ypbind(ddt_client_t) allow ddt_client_t self:unix_stream_socket create_socket_perms; allow ddt_client_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/devfsd.te policy-1.19.7/domains/program/unused/devfsd.te --- nsapolicy/domains/program/unused/devfsd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/devfsd.te 2004-11-30 06:18:45.000000000 -0500 @@ -89,6 +89,5 @@ allow kernel_t device_t:filesystem mount; # for nss-ldap etc -can_network(devfsd_t) +can_network_client_tcp(devfsd_t) can_ypbind(devfsd_t) -allow devfsd_t self:tcp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dictd.te policy-1.19.7/domains/program/unused/dictd.te --- nsapolicy/domains/program/unused/dictd.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/dictd.te 2004-11-30 06:18:45.000000000 -0500 @@ -42,7 +42,7 @@ allow dictd_t self:unix_stream_socket create_stream_socket_perms; -can_network(dictd_t) +can_network_server(dictd_t) can_ypbind(dictd_t) can_tcp_connect(userdomain, dictd_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/distcc.te policy-1.19.7/domains/program/unused/distcc.te --- nsapolicy/domains/program/unused/distcc.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.7/domains/program/unused/distcc.te 2004-11-30 06:18:45.000000000 -0500 @@ -4,7 +4,7 @@ # daemon_domain(distccd) -can_network(distccd_t) +can_network_server(distccd_t) can_ypbind(distccd_t) log_domain(distccd) tmp_domain(distccd) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dnsmasq.te policy-1.19.7/domains/program/unused/dnsmasq.te --- nsapolicy/domains/program/unused/dnsmasq.te 2004-09-29 07:36:46.000000000 -0400 +++ policy-1.19.7/domains/program/unused/dnsmasq.te 2004-11-30 06:18:45.000000000 -0500 @@ -16,7 +16,7 @@ allow dnsmasq_t urandom_device_t:chr_file read; # network-related goodies -can_network(dnsmasq_t) +can_network_server(dnsmasq_t) can_ypbind(dnsmasq_t) allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.19.7/domains/program/unused/dovecot.te --- nsapolicy/domains/program/unused/dovecot.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/dovecot.te 2004-11-30 15:52:17.539853018 -0500 @@ -13,7 +13,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; allow dovecot_t self:process setrlimit; -can_network(dovecot_t) +can_network_tcp(dovecot_t) can_ypbind(dovecot_t) allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.19.7/domains/program/unused/dpkg.te --- nsapolicy/domains/program/unused/dpkg.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/dpkg.te 2004-11-30 11:27:40.000000000 -0500 @@ -297,7 +297,7 @@ allow dpkg_t device_type:{ chr_file blk_file } getattr; dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; allow dpkg_t proc_kmsg_t:file getattr; -allow dpkg_t root_dir_type:dir getattr; +allow dpkg_t fs_type:dir getattr; # allow compiling and loading new policy create_dir_file(dpkg_t, { policy_src_t policy_config_t }) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fingerd.te policy-1.19.7/domains/program/unused/fingerd.te --- nsapolicy/domains/program/unused/fingerd.te 2004-10-09 21:06:14.000000000 -0400 +++ policy-1.19.7/domains/program/unused/fingerd.te 2004-11-30 06:18:45.000000000 -0500 @@ -47,7 +47,7 @@ allow fingerd_t { ttyfile ptyfile }:chr_file getattr; # Use the network. -can_network(fingerd_t) +can_network_server(fingerd_t) can_ypbind(fingerd_t) allow fingerd_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.19.7/domains/program/unused/firstboot.te --- nsapolicy/domains/program/unused/firstboot.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/firstboot.te 2004-11-30 06:18:45.000000000 -0500 @@ -114,7 +114,7 @@ allow iptables_t firstboot_t:fd use; allow iptables_t firstboot_t:fifo_file write; ') -can_network(firstboot_t) +can_network_server(firstboot_t) can_ypbind(firstboot_t) ifdef(`printconf.te', ` can_exec(firstboot_t, printconf_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gatekeeper.te policy-1.19.7/domains/program/unused/gatekeeper.te --- nsapolicy/domains/program/unused/gatekeeper.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.7/domains/program/unused/gatekeeper.te 2004-11-30 06:18:45.000000000 -0500 @@ -22,7 +22,7 @@ logdir_domain(gatekeeper) # Use the network. -can_network(gatekeeper_t) +can_network_server(gatekeeper_t) can_ypbind(gatekeeper_t) allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind; allow gatekeeper_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.19.7/domains/program/unused/hald.te --- nsapolicy/domains/program/unused/hald.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/hald.te 2004-11-30 06:18:45.000000000 -0500 @@ -33,7 +33,7 @@ allow hald_t bin_t:file getattr; allow hald_t self:netlink_route_socket r_netlink_socket_perms; allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; -can_network(hald_t) +can_network_server(hald_t) can_ypbind(hald_t) allow hald_t device_t:lnk_file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.19.7/domains/program/unused/hotplug.te --- nsapolicy/domains/program/unused/hotplug.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/hotplug.te 2004-11-30 11:41:09.000000000 -0500 @@ -149,7 +149,7 @@ file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file) -can_network(hotplug_t) +can_network_server(hotplug_t) can_ypbind(hotplug_t) dbusd_client(system, hotplug) @@ -165,3 +165,4 @@ unconfined_domain(hotplug_t) ') + allow kernel_t hotplug_etc_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.7/domains/program/unused/howl.te --- nsapolicy/domains/program/unused/howl.te 2004-10-13 22:41:57.000000000 -0400 +++ policy-1.19.7/domains/program/unused/howl.te 2004-11-30 06:18:45.000000000 -0500 @@ -5,7 +5,7 @@ daemon_domain(howl) allow howl_t proc_t:file { getattr read }; -can_network(howl_t) +can_network_server(howl_t) can_ypbind(howl_t) allow howl_t self:capability { kill net_admin }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/imazesrv.te policy-1.19.7/domains/program/unused/imazesrv.te --- nsapolicy/domains/program/unused/imazesrv.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/imazesrv.te 2004-11-30 06:18:45.000000000 -0500 @@ -21,7 +21,7 @@ create_append_log_file(imazesrv_t,imazesrv_log_t) -can_network(imazesrv_t) +can_network_server(imazesrv_t) allow imazesrv_t self:capability net_bind_service; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.19.7/domains/program/unused/ipsec.te --- nsapolicy/domains/program/unused/ipsec.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/ipsec.te 2004-11-30 06:18:45.000000000 -0500 @@ -167,7 +167,7 @@ allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write }; # Pluto needs network access -can_network(ipsec_t) +can_network_server(ipsec_t) can_ypbind(ipsec_t) allow ipsec_t self:unix_dgram_socket { create connect write }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.19.7/domains/program/unused/iptables.te --- nsapolicy/domains/program/unused/iptables.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/iptables.te 2004-11-30 06:18:45.000000000 -0500 @@ -36,7 +36,7 @@ # for iptables -L allow iptables_t self:unix_stream_socket create_socket_perms; -can_network(iptables_t) +can_network_server(iptables_t) can_ypbind(iptables_t) allow iptables_t bin_t:file { execute execute_no_trans }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ircd.te policy-1.19.7/domains/program/unused/ircd.te --- nsapolicy/domains/program/unused/ircd.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/ircd.te 2004-11-30 06:18:45.000000000 -0500 @@ -23,7 +23,7 @@ var_lib_domain(ircd) # Use the network. -can_network(ircd_t) +can_network_server(ircd_t) can_ypbind(ircd_t) #allow ircd_t self:fifo_file { read write }; allow ircd_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/jabberd.te policy-1.19.7/domains/program/unused/jabberd.te --- nsapolicy/domains/program/unused/jabberd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/jabberd.te 2004-11-30 06:18:45.000000000 -0500 @@ -19,7 +19,7 @@ # For SSL allow jabberd_t random_device_t:file r_file_perms; -can_network(jabberd_t) +can_network_server(jabberd_t) can_ypbind(jabberd_t) allow jabberd_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.7/domains/program/unused/kerberos.te --- nsapolicy/domains/program/unused/kerberos.te 2004-11-24 07:00:50.000000000 -0500 +++ policy-1.19.7/domains/program/unused/kerberos.te 2004-11-30 06:18:45.000000000 -0500 @@ -16,10 +16,6 @@ # # Rules for the krb5kdc_t,kadmind_t domains. # -type kerberos_port_t, port_type, reserved_port_type; -type kerberos_admin_port_t, port_type, reserved_port_type; -type kerberos_master_port_t, port_type; - daemon_domain(krb5kdc) daemon_domain(kadmind) @@ -38,7 +34,7 @@ allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice }; # krb5kdc and kadmind can use network -can_network( { krb5kdc_t kadmind_t } ) +can_network_server( { krb5kdc_t kadmind_t } ) can_ypbind( { krb5kdc_t kadmind_t } ) # allow UDP transfer to/from any program diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.7/domains/program/unused/kudzu.te --- nsapolicy/domains/program/unused/kudzu.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/kudzu.te 2004-11-30 06:22:11.000000000 -0500 @@ -22,7 +22,8 @@ allow kudzu_t modules_object_t:dir r_dir_perms; allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; allow kudzu_t mouse_device_t:chr_file { read write }; -allow kudzu_t proc_t:file { getattr read }; +allow kudzu_t proc_net_t:dir r_dir_perms; +allow kudzu_t { proc_net_t proc_t }:file { getattr read }; allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; allow kudzu_t scsi_generic_device_t:chr_file r_file_perms; allow kudzu_t { bin_t sbin_t }:dir { getattr search }; @@ -92,4 +93,5 @@ ifdef(`lpd.te', ` allow kudzu_t printconf_t:file { getattr read }; ') -allow kudzu_t zero_device_t:chr_file r_file_perms; +allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms; +dontaudit kudzu_t src_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.19.7/domains/program/unused/lpd.te --- nsapolicy/domains/program/unused/lpd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/lpd.te 2004-11-30 06:18:45.000000000 -0500 @@ -36,7 +36,7 @@ type checkpc_t, domain, privlog; role system_r types checkpc_t; uses_shlib(checkpc_t) -can_network(checkpc_t) +can_network_server(checkpc_t) can_ypbind(checkpc_t) log_domain(checkpc) type checkpc_exec_t, file_type, sysadmfile, exec_type; @@ -103,7 +103,7 @@ allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner }; # Use the network. -can_network(lpd_t) +can_network_server(lpd_t) can_ypbind(lpd_t) allow lpd_t self:fifo_file rw_file_perms; allow lpd_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lrrd.te policy-1.19.7/domains/program/unused/lrrd.te --- nsapolicy/domains/program/unused/lrrd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/lrrd.te 2004-11-30 06:18:45.000000000 -0500 @@ -58,7 +58,7 @@ can_unix_connect(sysadm_t, lrrd_t) can_unix_connect(lrrd_t, lrrd_t) can_unix_send(lrrd_t, lrrd_t) -can_network(lrrd_t) +can_network_server(lrrd_t) can_ypbind(lrrd_t) ifdef(`logrotate.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/monopd.te policy-1.19.7/domains/program/unused/monopd.te --- nsapolicy/domains/program/unused/monopd.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/monopd.te 2004-11-30 06:18:45.000000000 -0500 @@ -15,7 +15,7 @@ type share_monopd_t, file_type, sysadmfile; # Use the network. -can_network(monopd_t) +can_network_server(monopd_t) can_ypbind(monopd_t) type monopd_port_t, port_type; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.19.7/domains/program/unused/mrtg.te --- nsapolicy/domains/program/unused/mrtg.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/mrtg.te 2004-11-30 06:18:45.000000000 -0500 @@ -31,7 +31,7 @@ r_dir_file(mrtg_t, lib_t) # Use the network. -can_network(mrtg_t) +can_network_server(mrtg_t) can_ypbind(mrtg_t) allow mrtg_t self:fifo_file { getattr read write ioctl }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.19.7/domains/program/unused/mysqld.te --- nsapolicy/domains/program/unused/mysqld.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/mysqld.te 2004-11-30 06:18:45.000000000 -0500 @@ -44,7 +44,7 @@ create_dir_file(mysqld_t, mysqld_db_t) allow mysqld_t var_lib_t:dir { getattr search }; -can_network(mysqld_t) +can_network_server(mysqld_t) can_ypbind(mysqld_t) # read config files diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nagios.te policy-1.19.7/domains/program/unused/nagios.te --- nsapolicy/domains/program/unused/nagios.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/nagios.te 2004-11-30 06:18:45.000000000 -0500 @@ -41,7 +41,7 @@ allow nagios_t proc_t:file { getattr read }; -can_network(nagios_t) +can_network_server(nagios_t) can_ypbind(nagios_t) # read config files diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.19.7/domains/program/unused/named.te --- nsapolicy/domains/program/unused/named.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/domains/program/unused/named.te 2004-11-30 15:55:47.302243130 -0500 @@ -100,8 +101,9 @@ type ndc_exec_t, file_type,sysadmfile, exec_type; domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) uses_shlib(ndc_t) -can_network(ndc_t) +can_network_client_tcp(ndc_t) can_ypbind(ndc_t) +can_resolve(ndc_t) read_locale(ndc_t) can_tcp_connect(ndc_t, named_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nessusd.te policy-1.19.7/domains/program/unused/nessusd.te --- nsapolicy/domains/program/unused/nessusd.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/nessusd.te 2004-11-30 06:18:45.000000000 -0500 @@ -22,7 +22,7 @@ #tmp_domain(nessusd) # Use the network. -can_network(nessusd_t) +can_network_server(nessusd_t) can_ypbind(nessusd_t) allow nessusd_t self:unix_stream_socket create_socket_perms; #allow nessusd_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.7/domains/program/unused/nscd.te --- nsapolicy/domains/program/unused/nscd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/nscd.te 2004-11-30 06:18:45.000000000 -0500 @@ -22,7 +22,7 @@ allow nscd_t etc_t:file r_file_perms; allow nscd_t etc_t:lnk_file read; -can_network(nscd_t) +can_network_client(nscd_t) can_ypbind(nscd_t) file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nsd.te policy-1.19.7/domains/program/unused/nsd.te --- nsapolicy/domains/program/unused/nsd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/nsd.te 2004-11-30 06:18:45.000000000 -0500 @@ -19,7 +19,7 @@ type nsd_crond_t, domain, privlog; role system_r types nsd_crond_t; uses_shlib(nsd_crond_t) -can_network(nsd_crond_t) +can_network_server(nsd_crond_t) can_ypbind(nsd_crond_t) allow nsd_crond_t self:unix_dgram_socket create_socket_perms; allow nsd_crond_t self:process { fork signal_perms }; @@ -78,7 +78,7 @@ allow nsd_t etc_t:{ file lnk_file } { getattr read }; # nsd can use network -can_network(nsd_t) +can_network_server(nsd_t) can_ypbind(nsd_t) # allow client access from caching BIND ifdef(`named.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.7/domains/program/unused/ntpd.te --- nsapolicy/domains/program/unused/ntpd.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/domains/program/unused/ntpd.te 2004-11-30 15:56:08.200890874 -0500 @@ -19,6 +19,8 @@ allow ntpd_t var_lib_t:dir r_dir_perms; allow ntpd_t usr_t:file r_file_perms; +# reading /usr/share/ssl/cert.pem requires +allow ntpd_t usr_t:lnk_file read; allow ntpd_t ntp_drift_t:dir rw_dir_perms; allow ntpd_t ntp_drift_t:file create_file_perms; @@ -26,6 +28,7 @@ allow ntpd_t urandom_device_t:chr_file read; allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot }; +dontaudit ntpd_t self:capability { net_admin }; allow ntpd_t self:process { setcap setsched }; # ntpdate wants sys_nice dontaudit ntpd_t self:capability { fsetid sys_nice }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/oav-update.te policy-1.19.7/domains/program/unused/oav-update.te --- nsapolicy/domains/program/unused/oav-update.te 2003-08-14 08:37:36.000000000 -0400 +++ policy-1.19.7/domains/program/unused/oav-update.te 2004-11-30 06:18:45.000000000 -0500 @@ -35,4 +35,4 @@ allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms; # Can download via network -can_network(oav_update_t) +can_network_server(oav_update_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openvpn.te policy-1.19.7/domains/program/unused/openvpn.te --- nsapolicy/domains/program/unused/openvpn.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/openvpn.te 2004-11-30 06:18:45.000000000 -0500 @@ -24,7 +24,7 @@ allow openvpn_t self:capability net_admin; r_dir_file(openvpn_t, sysctl_net_t) -can_network(openvpn_t) +can_network_server(openvpn_t) allow openvpn_t openvpn_port_t:udp_socket name_bind; # OpenVPN executes a lot of helper programs and scripts diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/perdition.te policy-1.19.7/domains/program/unused/perdition.te --- nsapolicy/domains/program/unused/perdition.te 2004-03-23 15:58:08.000000000 -0500 +++ policy-1.19.7/domains/program/unused/perdition.te 2004-11-30 06:18:45.000000000 -0500 @@ -16,7 +16,7 @@ typealias perdition_etc_t alias etc_perdition_t; # Use the network. -can_network(perdition_t) +can_network_server(perdition_t) allow perdition_t self:unix_stream_socket create_socket_perms; allow perdition_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.19.7/domains/program/unused/ping.te --- nsapolicy/domains/program/unused/ping.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/program/unused/ping.te 2004-11-30 06:18:45.000000000 -0500 @@ -31,7 +31,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t) uses_shlib(ping_t) -can_network(ping_t) +can_network_client(ping_t) can_ypbind(ping_t) allow ping_t etc_t:file { getattr read }; allow ping_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.7/domains/program/unused/portmap.te --- nsapolicy/domains/program/unused/portmap.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/portmap.te 2004-11-30 06:18:45.000000000 -0500 @@ -13,7 +13,7 @@ # daemon_domain(portmap, `, nscd_client_domain') -can_network(portmap_t) +can_network_server(portmap_t) can_ypbind(portmap_t) allow portmap_t self:unix_dgram_socket create_socket_perms; allow portmap_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portslave.te policy-1.19.7/domains/program/unused/portslave.te --- nsapolicy/domains/program/unused/portslave.te 2004-10-14 23:25:18.000000000 -0400 +++ policy-1.19.7/domains/program/unused/portslave.te 2004-11-30 06:18:45.000000000 -0500 @@ -38,7 +38,7 @@ allow portslave_t pppd_secret_t:file r_file_perms; -can_network(portslave_t) +can_network_server(portslave_t) allow portslave_t fs_t:filesystem getattr; ifdef(`radius.te', ` can_udp_send(portslave_t, radiusd_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.19.7/domains/program/unused/postfix.te --- nsapolicy/domains/program/unused/postfix.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/domains/program/unused/postfix.te 2004-11-30 15:56:27.879675921 -0500 @@ -156,7 +157,7 @@ domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:capability { setuid setgid dac_override }; -can_network(postfix_$1_t) +can_network_client(postfix_$1_t) can_ypbind(postfix_$1_t) ') @@ -349,6 +350,6 @@ allow postfix_map_t self:capability setgid; allow postfix_map_t self:unix_dgram_socket create_socket_perms; dontaudit postfix_map_t var_t:dir search; -can_network(postfix_map_t) +can_network_server(postfix_map_t) allow postfix_local_t mail_spool_t:dir { remove_name }; allow postfix_local_t mail_spool_t:file { unlink }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.7/domains/program/unused/postgresql.te --- nsapolicy/domains/program/unused/postgresql.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/domains/program/unused/postgresql.te 2004-11-30 06:18:45.000000000 -0500 @@ -52,7 +52,7 @@ file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t) # Use the network. -can_network(postgresql_t) +can_network_server(postgresql_t) allow postgresql_t self:fifo_file { getattr read write ioctl }; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; can_unix_connect(postgresql_t, self) @@ -126,3 +126,6 @@ dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; ') +dontaudit postgresql_t home_root_t:dir search; +can_kerberos(postgresql_t) +allow postgresql_t urandom_device_t:chr_file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgrey.te policy-1.19.7/domains/program/unused/postgrey.te --- nsapolicy/domains/program/unused/postgrey.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/domains/program/unused/postgrey.te 2004-11-30 06:24:17.000000000 -0500 @@ -17,7 +17,7 @@ allow postgrey_t { etc_t etc_runtime_t }:file { getattr read }; etcdir_domain(postgrey) -can_network(postgrey_t) +can_network_server_tcp(postgrey_t) can_ypbind(postgrey_t) allow postgrey_t postgrey_port_t:tcp_socket name_bind; allow postgrey_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.19.7/domains/program/unused/pppd.te --- nsapolicy/domains/program/unused/pppd.te 2004-10-14 23:25:18.000000000 -0400 +++ policy-1.19.7/domains/program/unused/pppd.te 2004-11-30 06:18:45.000000000 -0500 @@ -30,7 +30,7 @@ log_domain(pppd) # Use the network. -can_network(pppd_t) +can_network_server(pppd_t) can_ypbind(pppd_t) # Use capabilities. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.19.7/domains/program/unused/privoxy.te --- nsapolicy/domains/program/unused/privoxy.te 2004-03-17 13:26:05.000000000 -0500 +++ policy-1.19.7/domains/program/unused/privoxy.te 2004-11-30 06:18:45.000000000 -0500 @@ -16,7 +16,7 @@ allow privoxy_t self:capability net_bind_service; # Use the network. -can_network(privoxy_t) +can_network_server(privoxy_t) allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind; allow privoxy_t etc_t:file { getattr read }; allow privoxy_t self:capability { setgid setuid }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.19.7/domains/program/unused/procmail.te --- nsapolicy/domains/program/unused/procmail.te 2004-11-18 08:13:58.000000000 -0500 +++ policy-1.19.7/domains/program/unused/procmail.te 2004-11-30 06:18:45.000000000 -0500 @@ -18,7 +18,7 @@ uses_shlib(procmail_t) allow procmail_t device_t:dir search; -can_network(procmail_t) +can_network_server(procmail_t) can_ypbind(procmail_t) allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/qmail.te policy-1.19.7/domains/program/unused/qmail.te --- nsapolicy/domains/program/unused/qmail.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/domains/program/unused/qmail.te 2004-11-30 06:18:45.000000000 -0500 @@ -84,7 +84,7 @@ qmaild_sub_domain(qmail_rspawn_t, qmail_remote) allow qmail_rspawn_t qmail_remote_exec_t:file read; -can_network(qmail_remote_t) +can_network_server(qmail_remote_t) can_ypbind(qmail_remote_t) allow qmail_remote_t qmail_spool_t:dir search; allow qmail_remote_t qmail_spool_t:file rw_file_perms; @@ -125,12 +125,12 @@ allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr }; allow qmail_tcp_env_t inetd_t:process sigchld; allow qmail_tcp_env_t sbin_t:dir search; -can_network(qmail_tcp_env_t) +can_network_server(qmail_tcp_env_t) can_ypbind(qmail_tcp_env_t) qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd) allow qmail_tcp_env_t qmail_smtpd_exec_t:file read; -can_network(qmail_smtpd_t) +can_network_server(qmail_smtpd_t) can_ypbind(qmail_smtpd_t) allow qmail_smtpd_t inetd_t:fd use; allow qmail_smtpd_t inetd_t:tcp_socket { read write }; @@ -181,7 +181,7 @@ qmaild_sub_domain(user_crond_t, qmail_serialmail) in_user_role(qmail_serialmail_t) -can_network(qmail_serialmail_t) +can_network_server(qmail_serialmail_t) can_ypbind(qmail_serialmail_t) can_exec(qmail_serialmail_t, qmail_serialmail_exec_t) allow qmail_serialmail_t self:process { fork signal_perms }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.19.7/domains/program/unused/radius.te --- nsapolicy/domains/program/unused/radius.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/radius.te 2004-11-30 06:18:45.000000000 -0500 @@ -50,7 +50,7 @@ # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; -can_network(radiusd_t) +can_network_server(radiusd_t) can_ypbind(radiusd_t) allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.19.7/domains/program/unused/radvd.te --- nsapolicy/domains/program/unused/radvd.te 2004-11-09 13:35:12.000000000 -0500 +++ policy-1.19.7/domains/program/unused/radvd.te 2004-11-30 06:18:45.000000000 -0500 @@ -19,7 +19,7 @@ allow radvd_t self:{ unix_dgram_socket rawip_socket } create; allow radvd_t self:unix_stream_socket create_socket_perms; -can_network(radvd_t) +can_network_server(radvd_t) allow radvd_t proc_t:dir r_dir_perms; allow radvd_t proc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.7/domains/program/unused/rhgb.te --- nsapolicy/domains/program/unused/rhgb.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/domains/program/unused/rhgb.te 2004-11-30 06:18:45.000000000 -0500 @@ -39,7 +39,7 @@ allow rhgb_t self:capability { sys_admin sys_tty_config }; dontaudit rhgb_t var_run_t:dir search; -can_network(rhgb_t) +can_network_server(rhgb_t) can_ypbind(rhgb_t) # for fonts diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.19.7/domains/program/unused/rlogind.te --- nsapolicy/domains/program/unused/rlogind.te 2004-11-18 08:13:58.000000000 -0500 +++ policy-1.19.7/domains/program/unused/rlogind.te 2004-11-30 06:18:45.000000000 -0500 @@ -13,7 +13,7 @@ type rlogind_t, domain, privlog, auth_chkpwd, privfd; role system_r types rlogind_t; uses_shlib(rlogind_t) -can_network(rlogind_t) +can_network_server(rlogind_t) type rlogind_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t) ifdef(`tcpd.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.7/domains/program/unused/rpcd.te --- nsapolicy/domains/program/unused/rpcd.te 2004-11-29 10:24:17.000000000 -0500 +++ policy-1.19.7/domains/program/unused/rpcd.te 2004-11-30 15:56:56.484456299 -0500 @@ -62,7 +62,7 @@ # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. -can_network(kernel_t) +can_network_server(kernel_t) #can_udp_send(kernel_t, rpcd_t) #can_udp_send(rpcd_t, kernel_t) @@ -125,3 +125,4 @@ r_dir_file(rpcd_t, rpc_pipefs_t) allow rpcd_t rpc_pipefs_t:sock_file { read write }; dontaudit rpcd_t selinux_config_t:dir { search }; +allow rpcd_t proc_net_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.19.7/domains/program/unused/rshd.te --- nsapolicy/domains/program/unused/rshd.te 2004-11-18 08:13:58.000000000 -0500 +++ policy-1.19.7/domains/program/unused/rshd.te 2004-11-30 06:18:45.000000000 -0500 @@ -23,7 +23,7 @@ allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override}; # Use the network. -can_network(rshd_t) +can_network_server(rshd_t) can_ypbind(rshd_t) allow rshd_t etc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.19.7/domains/program/unused/samba.te --- nsapolicy/domains/program/unused/samba.te 2004-11-18 08:13:58.000000000 -0500 +++ policy-1.19.7/domains/program/unused/samba.te 2004-11-30 06:18:45.000000000 -0500 @@ -48,7 +48,7 @@ allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease }; # Use the network. -can_network(smbd_t) +can_network_server(smbd_t) allow smbd_t urandom_device_t:chr_file { getattr read }; @@ -96,7 +96,7 @@ allow nmbd_t self:capability net_bind_service; # Use the network. -can_network(nmbd_t) +can_network_server(nmbd_t) # Permissions for Samba files in /etc/samba allow nmbd_t samba_etc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/scannerdaemon.te policy-1.19.7/domains/program/unused/scannerdaemon.te --- nsapolicy/domains/program/unused/scannerdaemon.te 2004-03-17 13:26:05.000000000 -0500 +++ policy-1.19.7/domains/program/unused/scannerdaemon.te 2004-11-30 06:18:45.000000000 -0500 @@ -12,7 +12,7 @@ #networking daemon_domain(scannerdaemon) -can_network(scannerdaemon_t) +can_network_server(scannerdaemon_t) ifdef(`postfix.te', `can_tcp_connect(postfix_bounce_t,scannerdaemon_t);') diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.19.7/domains/program/unused/slocate.te --- nsapolicy/domains/program/unused/slocate.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/domains/program/unused/slocate.te 2004-11-30 11:25:41.000000000 -0500 @@ -23,9 +23,9 @@ allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms; -allow locate_t { root_dir_type file_type }:dir r_dir_perms; +allow locate_t { fs_type file_type }:dir r_dir_perms; allow locate_t file_type:lnk_file r_file_perms; -allow locate_t { root_dir_type file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr; +allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr; dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read; dontaudit locate_t security_t:dir getattr; dontaudit locate_t shadow_t:file getattr; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.7/domains/program/unused/snmpd.te --- nsapolicy/domains/program/unused/snmpd.te 2004-11-29 10:24:17.000000000 -0500 +++ policy-1.19.7/domains/program/unused/snmpd.te 2004-11-30 15:48:35.206877793 -0500 @@ -13,7 +13,7 @@ #temp allow snmpd_t var_t:dir getattr; -can_network(snmpd_t) +can_network_server(snmpd_t) can_ypbind(snmpd_t) type snmp_port_t, port_type, reserved_port_type; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snort.te policy-1.19.7/domains/program/unused/snort.te --- nsapolicy/domains/program/unused/snort.te 2004-11-19 11:20:43.000000000 -0500 +++ policy-1.19.7/domains/program/unused/snort.te 2004-11-30 06:18:45.000000000 -0500 @@ -9,7 +9,7 @@ logdir_domain(snort) allow snort_t snort_log_t:dir create; -can_network(snort_t) +can_network_server(snort_t) type snort_etc_t, file_type, sysadmfile; # Create temporary files. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound-server.te policy-1.19.7/domains/program/unused/sound-server.te --- nsapolicy/domains/program/unused/sound-server.te 2004-03-17 13:26:05.000000000 -0500 +++ policy-1.19.7/domains/program/unused/sound-server.te 2004-11-30 06:18:45.000000000 -0500 @@ -24,7 +24,7 @@ allow soundd_t device_t:lnk_file read; # Use the network. -can_network(soundd_t) +can_network_server(soundd_t) allow soundd_t self:unix_stream_socket create_stream_socket_perms; allow soundd_t self:unix_dgram_socket create_socket_perms; # allow any domain to connect to the sound server diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.19.7/domains/program/unused/spamd.te --- nsapolicy/domains/program/unused/spamd.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/domains/program/unused/spamd.te 2004-11-30 06:18:45.000000000 -0500 @@ -23,7 +23,7 @@ dontaudit spamd_t initrc_var_run_t:file { read write lock }; dontaudit spamd_t sysadm_home_dir_t:dir getattr; -can_network(spamd_t) +can_network_server(spamd_t) allow spamd_t self:capability net_bind_service; allow spamd_t proc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.7/domains/program/unused/squid.te --- nsapolicy/domains/program/unused/squid.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/domains/program/unused/squid.te 2004-11-30 06:18:45.000000000 -0500 @@ -62,7 +62,7 @@ # to allow running programs from /usr/lib/squid (IE unlinkd) # also allow exec()ing itself -can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } ) +can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } ) allow squid_t { bin_t sbin_t }:dir search; allow squid_t { bin_t sbin_t }:lnk_file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sxid.te policy-1.19.7/domains/program/unused/sxid.te --- nsapolicy/domains/program/unused/sxid.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/domains/program/unused/sxid.te 2004-11-30 11:28:08.000000000 -0500 @@ -32,10 +32,10 @@ allow sxid_t ttyfile:chr_file getattr; allow sxid_t file_type:dir { getattr read search }; allow sxid_t sysadmfile:file read; -allow sxid_t root_dir_type:dir { getattr read search }; +allow sxid_t fs_type:dir { getattr read search }; # Use the network. -can_network(sxid_t) +can_network_server(sxid_t) allow sxid_t self:fifo_file rw_file_perms; allow sxid_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sysstat.te policy-1.19.7/domains/program/unused/sysstat.te --- nsapolicy/domains/program/unused/sysstat.te 2004-06-16 13:33:36.000000000 -0400 +++ policy-1.19.7/domains/program/unused/sysstat.te 2004-11-30 06:18:45.000000000 -0500 @@ -51,8 +51,8 @@ allow sysstat_t fs_t:filesystem getattr; # get info from /proc -allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms; -allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr }; +allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms; +allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr }; domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t) allow sysstat_t init_t:fd use; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tcpd.te policy-1.19.7/domains/program/unused/tcpd.te --- nsapolicy/domains/program/unused/tcpd.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/tcpd.te 2004-11-30 06:18:45.000000000 -0500 @@ -21,7 +21,7 @@ # no good reason for this, probably nscd dontaudit tcpd_t var_t:dir search; -can_network(tcpd_t) +can_network_server(tcpd_t) can_ypbind(tcpd_t) allow tcpd_t self:unix_dgram_socket create_socket_perms; allow tcpd_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tftpd.te policy-1.19.7/domains/program/unused/tftpd.te --- nsapolicy/domains/program/unused/tftpd.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/domains/program/unused/tftpd.te 2004-11-30 11:17:39.000000000 -0500 @@ -22,7 +22,7 @@ domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t) # Use the network. -can_network(tftpd_t) +can_network_udp(tftpd_t) allow tftpd_t tftp_port_t:udp_socket name_bind; ifdef(`inetd.te', ` allow inetd_t tftp_port_t:udp_socket name_bind; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/timidity.te policy-1.19.7/domains/program/unused/timidity.te --- nsapolicy/domains/program/unused/timidity.te 2004-10-29 14:33:17.000000000 -0400 +++ policy-1.19.7/domains/program/unused/timidity.te 2004-11-30 06:18:45.000000000 -0500 @@ -5,7 +5,7 @@ # Note: You only need this policy if you want to run timidity as a server daemon_base_domain(timidity) -can_network(timidity_t) +can_network_server(timidity_t) allow timidity_t device_t:lnk_file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tinydns.te policy-1.19.7/domains/program/unused/tinydns.te --- nsapolicy/domains/program/unused/tinydns.te 2004-07-07 16:46:41.000000000 -0400 +++ policy-1.19.7/domains/program/unused/tinydns.te 2004-11-30 06:18:45.000000000 -0500 @@ -30,7 +30,7 @@ allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read }; #tinydns can use network -can_network(tinydns_t) +can_network_server(tinydns_t) allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind; # allow UDP transfer to/from any program can_udp_send(domain, tinydns_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.19.7/domains/program/unused/traceroute.te --- nsapolicy/domains/program/unused/traceroute.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/traceroute.te 2004-11-30 06:18:45.000000000 -0500 @@ -18,7 +18,7 @@ # for user_ping: in_user_role(traceroute_t) uses_shlib(traceroute_t) -can_network(traceroute_t) +can_network_client(traceroute_t) can_ypbind(traceroute_t) allow traceroute_t node_t:rawip_socket node_bind; type traceroute_exec_t, file_type, sysadmfile, exec_type; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/transproxy.te policy-1.19.7/domains/program/unused/transproxy.te --- nsapolicy/domains/program/unused/transproxy.te 2004-03-23 15:58:08.000000000 -0500 +++ policy-1.19.7/domains/program/unused/transproxy.te 2004-11-30 06:18:45.000000000 -0500 @@ -15,7 +15,7 @@ type transproxy_port_t, port_type; # Use the network. -can_network(transproxy_t) +can_network_server_tcp(transproxy_t) allow transproxy_t transproxy_port_t:tcp_socket name_bind; #allow transproxy_t self:fifo_file { read write }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.19.7/domains/program/unused/uwimapd.te --- nsapolicy/domains/program/unused/uwimapd.te 2004-11-18 08:13:58.000000000 -0500 +++ policy-1.19.7/domains/program/unused/uwimapd.te 2004-11-30 06:18:45.000000000 -0500 @@ -8,7 +8,7 @@ daemon_domain(imapd, `, auth_chkpwd, privhome') tmp_domain(imapd) -can_network(imapd_t) +can_network_server_tcp(imapd_t) #declare our own services allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.19.7/domains/program/unused/webalizer.te --- nsapolicy/domains/program/unused/webalizer.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/domains/program/unused/webalizer.te 2004-11-30 06:18:45.000000000 -0500 @@ -40,7 +40,7 @@ allow webalizer_t proc_t:file r_file_perms; # network -can_network(webalizer_t) +can_network_server(webalizer_t) #process communication inside webalizer itself general_domain_access(webalizer_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xprint.te policy-1.19.7/domains/program/unused/xprint.te --- nsapolicy/domains/program/unused/xprint.te 2004-08-27 16:51:30.000000000 -0400 +++ policy-1.19.7/domains/program/unused/xprint.te 2004-11-30 06:18:45.000000000 -0500 @@ -30,7 +30,7 @@ ') # Use the network. -can_network(xprint_t) +can_network_server(xprint_t) can_ypbind(xprint_t) allow xprint_t self:fifo_file rw_file_perms; allow xprint_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.19.7/domains/program/unused/ypserv.te --- nsapolicy/domains/program/unused/ypserv.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/domains/program/unused/ypserv.te 2004-11-30 06:28:40.000000000 -0500 @@ -16,8 +16,7 @@ allow ypserv_t self:capability { net_admin net_bind_service }; # Use the network. -can_network(ypserv_t) -allow ypserv_t port_t:{ tcp_socket udp_socket } name_bind; +can_network_server(ypserv_t) allow ypserv_t self:fifo_file rw_file_perms; @@ -39,5 +38,5 @@ ifdef(`rpcd.te', ` allow rpcd_t ypserv_conf_t:file { getattr read }; ') -allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind }; +allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind; dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.19.7/domains/program/unused/zebra.te --- nsapolicy/domains/program/unused/zebra.te 2004-08-27 09:30:29.000000000 -0400 +++ policy-1.19.7/domains/program/unused/zebra.te 2004-11-30 06:18:45.000000000 -0500 @@ -9,7 +9,7 @@ type zebra_conf_t, file_type, sysadmfile; r_dir_file({ initrc_t zebra_t }, zebra_conf_t) -can_network(zebra_t) +can_network_server(zebra_t) can_ypbind(zebra_t) allow zebra_t { etc_t etc_runtime_t }:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.7/domains/user.te --- nsapolicy/domains/user.te 2004-11-30 05:59:38.000000000 -0500 +++ policy-1.19.7/domains/user.te 2004-11-30 06:29:22.000000000 -0500 @@ -55,6 +55,7 @@ # Reach sysadm_t via programs like userhelper/sudo/su undefine(`reach_sysadm') define(`reach_sysadm', ` +ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`sudo.te', `sudo_domain($1)') ifdef(`su.te', ` su_domain($1) diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hotplug.fc policy-1.19.7/file_contexts/program/hotplug.fc --- nsapolicy/file_contexts/program/hotplug.fc 2004-11-24 07:00:50.000000000 -0500 +++ policy-1.19.7/file_contexts/program/hotplug.fc 2004-11-30 11:40:10.000000000 -0500 @@ -10,3 +10,4 @@ /etc/hotplug/hotplug\.functions -- system_u:object_r:sbin_t /var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t /var/run/hotplug(/.*)? system_u:object_r:hotplug_var_run_t +/etc/hotplug/firmware.agent -- system_u:object_r:hotplug_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.19.7/file_contexts/program/mozilla.fc --- nsapolicy/file_contexts/program/mozilla.fc 2004-11-19 11:20:44.000000000 -0500 +++ policy-1.19.7/file_contexts/program/mozilla.fc 2004-11-30 13:10:00.000000000 -0500 @@ -1,4 +1,5 @@ # netscape/mozilla +HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_rw_t HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_rw_t HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_rw_t HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_rw_t @@ -12,6 +13,7 @@ /usr/bin/epiphany-bin -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla-[0-9].* -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t +/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t /usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t /usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t /usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.19.7/file_contexts/program/sendmail.fc --- nsapolicy/file_contexts/program/sendmail.fc 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/file_contexts/program/sendmail.fc 2004-11-30 06:18:45.000000000 -0500 @@ -1,6 +1,5 @@ # sendmail /etc/mail(/.*)? system_u:object_r:etc_mail_t -/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t /var/log/sendmail\.st -- system_u:object_r:sendmail_log_t /var/log/mail(/.*)? system_u:object_r:sendmail_log_t /var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.7/file_contexts/types.fc --- nsapolicy/file_contexts/types.fc 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/file_contexts/types.fc 2004-11-30 06:18:45.000000000 -0500 @@ -334,9 +334,6 @@ /usr(/.*)? system_u:object_r:usr_t /usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t -/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t -/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t /usr(/.*)?/bin(/.*)? system_u:object_r:bin_t /usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t @@ -399,6 +396,7 @@ # /var/spool(/.*)? system_u:object_r:var_spool_t /var/spool/texmf(/.*)? system_u:object_r:tetex_data_t +/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t # # /var/log diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.7/macros/admin_macros.te --- nsapolicy/macros/admin_macros.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/macros/admin_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -33,6 +33,7 @@ allow $1_t self:capability setuid; ifdef(`su.te', `su_domain($1)') +ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`sudo.te', `sudo_domain($1)') # Violates the goal of limiting write access to checkpolicy. diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.7/macros/base_user_macros.te --- nsapolicy/macros/base_user_macros.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/macros/base_user_macros.te 2004-11-30 11:26:55.000000000 -0500 @@ -43,7 +43,7 @@ # for eject allow $1_t fixed_disk_device_t:blk_file getattr; -allow $1_t root_dir_type:dir { getattr }; +allow $1_t fs_type:dir { getattr }; # open office is looking for the following allow $1_t dri_device_t:chr_file getattr; @@ -160,7 +160,6 @@ ifdef(`screen.te', `screen_domain($1)') ifdef(`tvtime.te', `tvtime_domain($1)') -ifdef(`userhelper.te', `userhelper_domain($1)') ifdef(`mozilla.te', `mozilla_domain($1)') ifdef(`games.te', `games_domain($1)') ifdef(`gpg.te', `gpg_domain($1)') @@ -207,7 +206,7 @@ # Grant permissions to access the system DBus ifdef(`dbusd.te', ` dbusd_client(system, $1) -can_network($1_dbusd_t) +can_network_server_tcp($1_dbusd_t) allow $1_dbusd_t reserved_port_t:tcp_socket name_bind; allow $1_t system_dbusd_t:dbus { send_msg acquire_svc }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.19.7/macros/program/games_domain.te --- nsapolicy/macros/program/games_domain.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/macros/program/games_domain.te 2004-11-30 06:18:45.000000000 -0500 @@ -46,5 +46,13 @@ allow $1_games_t event_device_t:chr_file getattr; allow $1_games_t mouse_device_t:chr_file getattr; allow $1_games_t self:file { getattr read }; + +# kpat spews errors +dontaudit $1_games_t bin_t:dir getattr; +dontaudit $1_games_t var_run_t:dir search; +ifdef(`xdm.te', ` +dontaudit $1_games_t xdm_xserver_tmp_t:dir getattr; +') + ')dnl end macro definition diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gph_macros.te policy-1.19.7/macros/program/gph_macros.te --- nsapolicy/macros/program/gph_macros.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/macros/program/gph_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -55,7 +55,7 @@ allow $1_t $1_gph_t:fd use; # Use the network, e.g. for NIS lookups. -can_network($1_gph_t) +can_resolve($1_gph_t) can_ypbind($1_gph_t) allow $1_gph_t etc_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.7/macros/program/inetd_macros.te --- nsapolicy/macros/program/inetd_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/macros/program/inetd_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -14,7 +14,7 @@ domain_auto_trans(inetd_t, $1_exec_t, $1_t) allow inetd_t $1_t:process sigkill; -can_network($1_t) +can_network_server($1_t) can_ypbind($1_t) uses_shlib($1_t) allow $1_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.19.7/macros/program/irc_macros.te --- nsapolicy/macros/program/irc_macros.te 2004-11-18 08:13:59.000000000 -0500 +++ policy-1.19.7/macros/program/irc_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -47,7 +47,7 @@ allow $1_t $1_irc_t:process signal; # Use the network. -can_network($1_irc_t) +can_network_client($1_irc_t) can_ypbind($1_irc_t) allow $1_irc_t usr_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.7/macros/program/kerberos_macros.te --- nsapolicy/macros/program/kerberos_macros.te 2004-11-29 10:24:17.000000000 -0500 +++ policy-1.19.7/macros/program/kerberos_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -3,8 +3,8 @@ if (allow_kerberos) { can_network_client($1, `kerberos_port_t') can_resolve($1) -dontaudit $1 krb5_conf_t:file write; -allow $1 krb5_conf_t:file { getattr read }; } ') dnl kerberos.te +dontaudit $1 krb5_conf_t:file write; +allow $1 krb5_conf_t:file { getattr read }; ') diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.19.7/macros/program/lpr_macros.te --- nsapolicy/macros/program/lpr_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/macros/program/lpr_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -34,7 +34,7 @@ role $1_r types $1_lpr_t; # This domain is granted permissions common to most domains (including can_net) -can_network($1_lpr_t) +can_network_client($1_lpr_t) can_ypbind($1_lpr_t) # Use capabilities. diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.7/macros/program/mozilla_macros.te --- nsapolicy/macros/program/mozilla_macros.te 2004-11-30 05:59:39.000000000 -0500 +++ policy-1.19.7/macros/program/mozilla_macros.te 2004-11-30 06:19:08.000000000 -0500 @@ -48,6 +48,7 @@ allow $1_mozilla_t device_t:dir r_dir_perms; allow $1_mozilla_t devpts_t:dir r_dir_perms; allow $1_mozilla_t proc_t:file { getattr read }; +r_dir_file($1_mozilla_t, proc_net_t) dontaudit $1_mozilla_t tty_device_t:chr_file getattr; dontaudit $1_mozilla_t proc_t:dir read; @@ -115,6 +116,20 @@ dontaudit $1_mozilla_t file_type:dir getattr; allow $1_mozilla_t self:sem create_sem_perms; +ifdef(`userhelper.te', ` +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) +') +dontaudit $1_mozilla_t selinux_config_t:dir search; + +# +# Rules needed to run java apps +# +allow $1_mozilla_t ld_so_cache_t:file execute; +allow $1_mozilla_t locale_t:file execute; +dontaudit $1_mozilla_t *:{ chr_file file } execute; +dontaudit $1_t ld_so_cache_t:file execute; +dontaudit $1_t locale_t:file execute; + dontaudit $1_mozilla_t selinux_config_t:dir search; ifdef(`xdm.te', ` diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.7/macros/program/mta_macros.te --- nsapolicy/macros/program/mta_macros.te 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.7/macros/program/mta_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -33,7 +33,7 @@ role $1_r types $1_mail_t; uses_shlib($1_mail_t) -can_network($1_mail_t) +can_network_client_tcp($1_mail_t) can_ypbind($1_mail_t) allow $1_mail_t self:unix_dgram_socket create_socket_perms; allow $1_mail_t self:unix_stream_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/slocate_macros.te policy-1.19.7/macros/program/slocate_macros.te --- nsapolicy/macros/program/slocate_macros.te 2004-11-30 05:59:40.000000000 -0500 +++ policy-1.19.7/macros/program/slocate_macros.te 2004-11-30 11:26:11.000000000 -0500 @@ -57,8 +57,8 @@ base_file_read_access($1_locate_t) r_dir_file($1_locate_t, { etc_t lib_t var_t }) -dontaudit $1_locate_t { root_dir_type file_type }:dir r_dir_perms; -dontaudit $1_locate_t { root_dir_type file_type -shadow_t}:file { getattr read }; +dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms; +dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read }; ') ', ` diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te --- nsapolicy/macros/program/ssh_macros.te 2004-11-30 05:59:40.000000000 -0500 +++ policy-1.19.7/macros/program/ssh_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -82,7 +82,7 @@ # Grant permissions needed to create TCP and UDP sockets and # to access the network. -can_network($1_ssh_t) +can_network_client_tcp($1_ssh_t) can_ypbind($1_ssh_t) # Use capabilities. diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.7/macros/program/userhelper_macros.te --- nsapolicy/macros/program/userhelper_macros.te 2004-11-30 05:59:40.000000000 -0500 +++ policy-1.19.7/macros/program/userhelper_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -140,4 +140,8 @@ allow $1_userhelper_t pam_var_console_t:dir { search }; ') +ifdef(`mozilla.te', ` +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t) +') + ')dnl end userhelper macro diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.19.7/macros/program/xauth_macros.te --- nsapolicy/macros/program/xauth_macros.te 2004-11-30 05:59:40.000000000 -0500 +++ policy-1.19.7/macros/program/xauth_macros.te 2004-11-30 06:18:45.000000000 -0500 @@ -54,7 +54,7 @@ uses_shlib($1_xauth_t) # allow DNS lookups... -can_network($1_xauth_t) +can_resolve($1_xauth_t) can_ypbind($1_xauth_t) ifdef(`named.te', ` can_udp_send($1_xauth_t, named_t) diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.7/net_contexts --- nsapolicy/net_contexts 2004-11-09 13:35:11.000000000 -0500 +++ policy-1.19.7/net_contexts 2004-11-30 06:18:45.000000000 -0500 @@ -113,7 +113,6 @@ portcon tcp 631 system_u:object_r:ipp_port_t portcon udp 631 system_u:object_r:ipp_port_t ') -ifdef(`kerberos.te', ` portcon tcp 88 system_u:object_r:kerberos_port_t portcon udp 88 system_u:object_r:kerberos_port_t portcon tcp 749 system_u:object_r:kerberos_admin_port_t @@ -121,7 +120,6 @@ portcon udp 750 system_u:object_r:kerberos_port_t portcon tcp 4444 system_u:object_r:kerberos_master_port_t portcon udp 4444 system_u:object_r:kerberos_master_port_t -') ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') ifdef(`rsync.te', ` portcon tcp 873 system_u:object_r:rsync_port_t diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.7/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400 +++ policy-1.19.7/tunables/distro.tun 2004-11-30 06:18:45.000000000 -0500 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.7/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/tunables/tunable.tun 2004-11-30 06:31:15.000000000 -0500 @@ -2,10 +2,10 @@ dnl define(`user_can_mount') # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -dnl define(`unlimitedUtils') +define(`unlimitedUtils') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition @@ -17,11 +17,11 @@ # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -dnl define(`user_canbe_sysadm') +define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.19.7/types/devpts.te --- nsapolicy/types/devpts.te 2004-09-22 16:19:14.000000000 -0400 +++ policy-1.19.7/types/devpts.te 2004-11-30 11:31:48.000000000 -0500 @@ -16,6 +16,6 @@ # devpts_t is the type of the devpts file system and # the type of the root directory of the file system. # -type devpts_t, fs_type, root_dir_type; +type devpts_t, fs_type; diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.19.7/types/file.te --- nsapolicy/types/file.te 2004-11-30 05:59:40.000000000 -0500 +++ policy-1.19.7/types/file.te 2004-11-30 11:31:55.000000000 -0500 @@ -33,12 +33,12 @@ # assigned an extended attribute (EA) value (when using a filesystem # that supports EAs). # -type file_t, file_type, root_dir_type, sysadmfile; +type file_t, file_type, sysadmfile; # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. -type default_t, file_type, root_dir_type, sysadmfile; +type default_t, file_type, sysadmfile; # # root_t is the type for the root directory. @@ -64,7 +64,7 @@ # boot_t is the type for files in /boot, # including the kernel. # -type boot_t, file_type, root_dir_type, sysadmfile; +type boot_t, file_type, sysadmfile; # system_map_t is for the system.map files in /boot type system_map_t, file_type, sysadmfile; @@ -157,7 +157,7 @@ # # usr_t is the type for /usr. # -type usr_t, file_type, root_dir_type, sysadmfile; +type usr_t, file_type, sysadmfile; # # src_t is the type of files in the system src directories. @@ -167,7 +167,7 @@ # # var_t is the type for /var. # -type var_t, file_type, root_dir_type, sysadmfile; +type var_t, file_type, sysadmfile; # # Types for subdirectories of /var. @@ -264,28 +264,28 @@ # Allow the pty to be associated with the file system. allow devpts_t self:filesystem associate; -type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type; +type tmpfs_t, file_type, sysadmfile, fs_type; allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate; -type autofs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +type autofs_t, fs_type, noexattrfile, sysadmfile; allow autofs_t self:filesystem associate; -type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +type usbdevfs_t, fs_type, noexattrfile, sysadmfile; allow usbdevfs_t self:filesystem associate; -type sysfs_t, fs_type, root_dir_type, sysadmfile; +type sysfs_t, fs_type, sysadmfile; allow sysfs_t self:filesystem associate; -type iso9660_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +type iso9660_t, fs_type, noexattrfile, sysadmfile; allow iso9660_t self:filesystem associate; -type romfs_t, fs_type, root_dir_type, sysadmfile; +type romfs_t, fs_type, sysadmfile; allow romfs_t self:filesystem associate; -type ramfs_t, fs_type, root_dir_type, sysadmfile; +type ramfs_t, fs_type, sysadmfile; allow ramfs_t self:filesystem associate; -type dosfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +type dosfs_t, fs_type, noexattrfile, sysadmfile; allow dosfs_t self:filesystem associate; # udev_runtime_t is the type of the udev table file @@ -294,7 +294,7 @@ # krb5_conf_t is the type of the /etc/krb5.conf file type krb5_conf_t, file_type, sysadmfile; -type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile; +type cifs_t, fs_type, noexattrfile, sysadmfile; allow cifs_t self:filesystem associate; typealias cifs_t alias sambafs_t; diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.19.7/types/network.te --- nsapolicy/types/network.te 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.7/types/network.te 2004-11-30 06:18:45.000000000 -0500 @@ -64,6 +64,13 @@ type mail_port_t, port_type; # +# Ports used to communicate with kerberos server +# +type kerberos_port_t, port_type, reserved_port_type; +type kerberos_admin_port_t, port_type, reserved_port_type; +type kerberos_master_port_t, port_type; + +# # port_t is the default type of INET port numbers. # The *_port_t types are used for specific port # numbers in net_contexts or net_contexts.mls. diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.19.7/types/nfs.te --- nsapolicy/types/nfs.te 2004-09-22 16:19:14.000000000 -0400 +++ policy-1.19.7/types/nfs.te 2004-11-30 11:31:36.000000000 -0500 @@ -13,7 +13,7 @@ # The nfs_*_t types are used for specific NFS # servers in net_contexts or net_contexts.mls. # -type nfs_t, fs_type, root_dir_type; +type nfs_t, fs_type; # # Allow NFS files to be associated with an NFS file system. diff --exclude-from=exclude -N -u -r nsapolicy/types/procfs.te policy-1.19.7/types/procfs.te --- nsapolicy/types/procfs.te 2004-11-29 10:24:18.000000000 -0500 +++ policy-1.19.7/types/procfs.te 2004-11-30 11:32:00.000000000 -0500 @@ -14,7 +14,7 @@ # proc_mdstat_t is the type of /proc/mdstat. # proc_net_t is the type of /proc/net. # -type proc_t, fs_type, proc_fs, root_dir_type; +type proc_t, fs_type, proc_fs; type proc_kmsg_t, proc_fs; type proc_kcore_t, proc_fs; type proc_mdstat_t, proc_fs; ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Reissue previous patch 2004-11-30 21:19 ` Reissue previous patch Daniel J Walsh @ 2004-12-02 13:54 ` James Carter 2004-12-02 14:16 ` Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-12-02 13:54 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SELinux Merged with some changes. On Tue, 2004-11-30 at 16:19, Daniel J Walsh wrote: > Several can_network_clients were wrong <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.19.7/domains/program/mount.te > --- nsapolicy/domains/program/mount.te 2004-11-09 13:35:12.000000000 -0500 > +++ policy-1.19.7/domains/program/mount.te 2004-11-30 06:18:45.000000000 -0500 > @@ -64,7 +64,7 @@ > > ifdef(`portmap.te', ` > # for nfs > -can_network(mount_t) > +can_network_server(mount_t) > can_ypbind(mount_t) > allow mount_t port_t:{ tcp_socket udp_socket } name_bind; > allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; Left it as can_network(), otherwise, I can't mount a NFS partition. May be able to separate the NFS client and server usages, by I haven't looked into it. <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.7/domains/program/unused/howl.te > --- nsapolicy/domains/program/unused/howl.te 2004-10-13 22:41:57.000000000 -0400 > +++ policy-1.19.7/domains/program/unused/howl.te 2004-11-30 06:18:45.000000000 -0500 > @@ -5,7 +5,7 @@ > > daemon_domain(howl) > allow howl_t proc_t:file { getattr read }; > -can_network(howl_t) > +can_network_server(howl_t) > can_ypbind(howl_t) > allow howl_t self:capability { kill net_admin }; > I used: -allow howl_t proc_t:file { getattr read }; -can_network(howl_t) +allow howl_t proc_net_t:dir search; +allow howl_t proc_net_t:file {getattr read }; +can_network_server(howl_t) <snip> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te > --- nsapolicy/macros/program/ssh_macros.te 2004-11-30 05:59:40.000000000 -0500 > +++ policy-1.19.7/macros/program/ssh_macros.te 2004-11-30 06:18:45.000000000 -0500 > @@ -82,7 +82,7 @@ > > # Grant permissions needed to create TCP and UDP sockets and > # to access the network. > -can_network($1_ssh_t) > +can_network_client_tcp($1_ssh_t) > can_ypbind($1_ssh_t) > > # Use capabilities. I used can_network_client() instead. The following was needed by ssh during my normal usage of it (like updating the CVS tree on sourceforge.) allow user_ssh_t self:udp_socket create -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Reissue previous patch 2004-12-02 13:54 ` James Carter @ 2004-12-02 14:16 ` Daniel J Walsh 2004-12-02 17:51 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-12-02 14:16 UTC (permalink / raw) To: jwcart2; +Cc: SELinux James Carter wrote: >Merged with some changes. > >On Tue, 2004-11-30 at 16:19, Daniel J Walsh wrote: > > >>Several can_network_clients were wrong >> >> ><snip> > > >>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.19.7/domains/program/mount.te >>--- nsapolicy/domains/program/mount.te 2004-11-09 13:35:12.000000000 -0500 >>+++ policy-1.19.7/domains/program/mount.te 2004-11-30 06:18:45.000000000 -0500 >>@@ -64,7 +64,7 @@ >> >> ifdef(`portmap.te', ` >> # for nfs >>-can_network(mount_t) >>+can_network_server(mount_t) >> can_ypbind(mount_t) >> allow mount_t port_t:{ tcp_socket udp_socket } name_bind; >> allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind; >> >> > >Left it as can_network(), otherwise, I can't mount a NFS partition. May >be able to separate the NFS client and server usages, by I haven't >looked into it. > ><snip> > > >>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.7/domains/program/unused/howl.te >>--- nsapolicy/domains/program/unused/howl.te 2004-10-13 22:41:57.000000000 -0400 >>+++ policy-1.19.7/domains/program/unused/howl.te 2004-11-30 06:18:45.000000000 -0500 >>@@ -5,7 +5,7 @@ >> >> daemon_domain(howl) >> allow howl_t proc_t:file { getattr read }; >>-can_network(howl_t) >>+can_network_server(howl_t) >> can_ypbind(howl_t) >> allow howl_t self:capability { kill net_admin }; >> >> >> > >I used: >-allow howl_t proc_t:file { getattr read }; >-can_network(howl_t) >+allow howl_t proc_net_t:dir search; >+allow howl_t proc_net_t:file {getattr read }; >+can_network_server(howl_t) > ><snip> > > >>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te >>--- nsapolicy/macros/program/ssh_macros.te 2004-11-30 05:59:40.000000000 -0500 >>+++ policy-1.19.7/macros/program/ssh_macros.te 2004-11-30 06:18:45.000000000 -0500 >>@@ -82,7 +82,7 @@ >> >> # Grant permissions needed to create TCP and UDP sockets and >> # to access the network. >>-can_network($1_ssh_t) >>+can_network_client_tcp($1_ssh_t) >> can_ypbind($1_ssh_t) >> >> # Use capabilities. >> >> > >I used can_network_client() instead. > >The following was needed by ssh during my normal usage of it (like >updating the CVS tree on sourceforge.) > >allow user_ssh_t self:udp_socket create > > > I think this is caused by the resolver. This is why I would like to get to the point of using can_resolve() where we specify the exact port that you can connect to. Dan -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Reissue previous patch 2004-12-02 14:16 ` Daniel J Walsh @ 2004-12-02 17:51 ` James Carter 2004-12-02 19:27 ` Latest patch Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2004-12-02 17:51 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SELinux On Thu, 2004-12-02 at 09:16, Daniel J Walsh wrote: > James Carter wrote: > <snip> > >>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te > >>--- nsapolicy/macros/program/ssh_macros.te 2004-11-30 05:59:40.000000000 -0500 > >>+++ policy-1.19.7/macros/program/ssh_macros.te 2004-11-30 06:18:45.000000000 -0500 > >>@@ -82,7 +82,7 @@ > >> > >> # Grant permissions needed to create TCP and UDP sockets and > >> # to access the network. > >>-can_network($1_ssh_t) > >>+can_network_client_tcp($1_ssh_t) > >> can_ypbind($1_ssh_t) > >> > >> # Use capabilities. > >> > >> > > > >I used can_network_client() instead. > > > >The following was needed by ssh during my normal usage of it (like > >updating the CVS tree on sourceforge.) > > > >allow user_ssh_t self:udp_socket create > > > > > > > I think this is caused by the resolver. This is why I would like to get > to the point of using > can_resolve() where we specify the exact port that you can connect to. You're right. I changed it to use can_network_client_tcp() and can_resolve(). -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Latest patch 2004-12-02 17:51 ` James Carter @ 2004-12-02 19:27 ` Daniel J Walsh 2004-12-03 13:40 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Daniel J Walsh @ 2004-12-02 19:27 UTC (permalink / raw) To: jwcart2; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 398 bytes --] Allow booloader to run exec_type, so it can pick up consoletype. Allow initrc to cleanup ptal runtime files in init scripts Add file contexts for bin_t files in the /usr partition. Fix policy so htdig will work Make changes so ipx_interface and friends will run( ALthough I need help on this stuff since I don't have access to IPX network, nor do I want too :*) Fix console and jave labeling [-- Attachment #2: policy-20041202.patch --] [-- Type: text/x-patch, Size: 7488 bytes --] diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te --- nsapolicy/domains/program/unused/apache.te 2004-11-29 10:24:17.000000000 -0500 +++ policy-1.19.8/domains/program/unused/apache.te 2004-11-30 16:54:39.000000000 -0500 @@ -332,3 +332,6 @@ ') allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; } + +read_sysctl(httpd_sys_script_t) +allow httpd_sys_script_t var_lib_t:dir search; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te --- nsapolicy/domains/program/unused/bootloader.te 2004-11-05 23:24:16.000000000 -0500 +++ policy-1.19.8/domains/program/unused/bootloader.te 2004-12-01 10:54:10.000000000 -0500 @@ -58,7 +58,7 @@ # uncomment the following line if you use "lilo -p" #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file); -can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t }) +can_exec_any(bootloader_t) allow bootloader_t shell_exec_t:lnk_file read; allow bootloader_t { bin_t sbin_t }:dir search; allow bootloader_t { bin_t sbin_t }:lnk_file read; @@ -131,14 +131,6 @@ allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; allow bootloader_t initrc_t:fifo_file { read write }; -ifdef(`distro_debian', ` -# for making an initrd -can_exec(bootloader_t, mount_exec_t) -ifdef(`chroot.te', ` -can_exec(bootloader_t, chroot_exec_t) -')dnl end chroot.te -')dnl end distro_debian - # for reading BIOS data allow bootloader_t memory_device_t:chr_file r_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te --- nsapolicy/domains/program/unused/cups.te 2004-12-02 14:11:41.692784006 -0500 +++ policy-1.19.8/domains/program/unused/cups.te 2004-12-02 13:44:06.204217215 -0500 @@ -157,6 +157,9 @@ allow cupsd_t ptal_var_run_t:dir search; dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; +allow initrc_t ptal_var_run_t:dir rmdir; +allow initrc_t ptal_var_run_t:fifo_file unlink; + dontaudit cupsd_t selinux_config_t:dir search; dontaudit cupsd_t selinux_config_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc --- nsapolicy/file_contexts/distros.fc 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.8/file_contexts/distros.fc 2004-12-01 16:26:58.000000000 -0500 @@ -31,6 +31,9 @@ /usr/share/pydict/pydict\.py -- system_u:object_r:bin_t /usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t /usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t +/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t +/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t +/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t ') ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc --- nsapolicy/file_contexts/program/apache.fc 2004-11-20 22:29:09.000000000 -0500 +++ policy-1.19.8/file_contexts/program/apache.fc 2004-11-30 16:49:58.000000000 -0500 @@ -40,3 +40,6 @@ ') /var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t /usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t +/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t +/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t +/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc --- nsapolicy/file_contexts/program/ifconfig.fc 2004-11-19 11:20:43.000000000 -0500 +++ policy-1.19.8/file_contexts/program/ifconfig.fc 2004-12-01 09:01:45.000000000 -0500 @@ -7,3 +7,6 @@ /bin/ip -- system_u:object_r:ifconfig_exec_t /sbin/ethtool -- system_u:object_r:ifconfig_exec_t /sbin/mii-tool -- system_u:object_r:ifconfig_exec_t +/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t +/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t +/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc --- nsapolicy/file_contexts/types.fc 2004-12-02 14:11:43.377594270 -0500 +++ policy-1.19.8/file_contexts/types.fc 2004-12-02 13:27:20.530471384 -0500 @@ -139,6 +139,9 @@ /u?dev/cu.* -c system_u:object_r:tty_device_t /u?dev/vcs[^/]* -c system_u:object_r:tty_device_t /u?dev/ip2[^/]* -c system_u:object_r:tty_device_t +/u?dev/hvc.* -c system_u:object_r:tty_device_t +/u?dev/hvsi.* -c system_u:object_r:tty_device_t +/u?dev/ttySG.* -c system_u:object_r:tty_device_t /u?dev/tty -c system_u:object_r:devtty_t /dev/lp.* -c system_u:object_r:printer_device_t /dev/par.* -c system_u:object_r:printer_device_t @@ -334,6 +337,9 @@ /usr(/.*)? system_u:object_r:usr_t /usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t +/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t /usr(/.*)?/bin(/.*)? system_u:object_r:bin_t /usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te --- nsapolicy/macros/program/mozilla_macros.te 2004-12-02 14:11:43.625566345 -0500 +++ policy-1.19.8/macros/program/mozilla_macros.te 2004-12-02 13:39:30.762236174 -0500 @@ -98,6 +98,7 @@ dontaudit $1_mozilla_t boot_t:dir getattr; ifdef(`cups.te', ` allow $1_mozilla_t cupsd_etc_t:dir search; +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read }; ') allow $1_mozilla_t $1_t:tcp_socket { read write }; diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400 +++ policy-1.19.8/tunables/distro.tun 2004-11-30 16:17:10.000000000 -0500 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500 +++ policy-1.19.8/tunables/tunable.tun 2004-11-30 16:17:10.000000000 -0500 @@ -2,10 +2,10 @@ dnl define(`user_can_mount') # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. -dnl define(`unlimitedUtils') +define(`unlimitedUtils') # Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition @@ -17,11 +17,11 @@ # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. -dnl define(`user_canbe_sysadm') +define(`user_canbe_sysadm') # Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Latest patch 2004-12-02 19:27 ` Latest patch Daniel J Walsh @ 2004-12-03 13:40 ` James Carter 0 siblings, 0 replies; 8+ messages in thread From: James Carter @ 2004-12-03 13:40 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SELinux Merged. On Thu, 2004-12-02 at 14:27, Daniel J Walsh wrote: > Allow booloader to run exec_type, so it can pick up consoletype. > > Allow initrc to cleanup ptal runtime files in init scripts > > Add file contexts for bin_t files in the /usr partition. > > Fix policy so htdig will work > > Make changes so ipx_interface and friends will run( ALthough I need help > on this stuff since I don't have access to IPX network, nor do > I want too :*) > > Fix console and jave labeling > > ______________________________________________________________________ > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te > --- nsapolicy/domains/program/unused/apache.te 2004-11-29 10:24:17.000000000 -0500 > +++ policy-1.19.8/domains/program/unused/apache.te 2004-11-30 16:54:39.000000000 -0500 > @@ -332,3 +332,6 @@ > ') > allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write }; > } > + > +read_sysctl(httpd_sys_script_t) > +allow httpd_sys_script_t var_lib_t:dir search; > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te > --- nsapolicy/domains/program/unused/bootloader.te 2004-11-05 23:24:16.000000000 -0500 > +++ policy-1.19.8/domains/program/unused/bootloader.te 2004-12-01 10:54:10.000000000 -0500 > @@ -58,7 +58,7 @@ > # uncomment the following line if you use "lilo -p" > #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file); > > -can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t }) > +can_exec_any(bootloader_t) > allow bootloader_t shell_exec_t:lnk_file read; > allow bootloader_t { bin_t sbin_t }:dir search; > allow bootloader_t { bin_t sbin_t }:lnk_file read; > @@ -131,14 +131,6 @@ > allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; > allow bootloader_t initrc_t:fifo_file { read write }; > > -ifdef(`distro_debian', ` > -# for making an initrd > -can_exec(bootloader_t, mount_exec_t) > -ifdef(`chroot.te', ` > -can_exec(bootloader_t, chroot_exec_t) > -')dnl end chroot.te > -')dnl end distro_debian > - > # for reading BIOS data > allow bootloader_t memory_device_t:chr_file r_file_perms; > > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te > --- nsapolicy/domains/program/unused/cups.te 2004-12-02 14:11:41.692784006 -0500 > +++ policy-1.19.8/domains/program/unused/cups.te 2004-12-02 13:44:06.204217215 -0500 > @@ -157,6 +157,9 @@ > allow cupsd_t ptal_var_run_t:dir search; > dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search }; > > +allow initrc_t ptal_var_run_t:dir rmdir; > +allow initrc_t ptal_var_run_t:fifo_file unlink; > + > dontaudit cupsd_t selinux_config_t:dir search; > dontaudit cupsd_t selinux_config_t:file { getattr read }; > > diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc > --- nsapolicy/file_contexts/distros.fc 2004-11-20 22:29:09.000000000 -0500 > +++ policy-1.19.8/file_contexts/distros.fc 2004-12-01 16:26:58.000000000 -0500 > @@ -31,6 +31,9 @@ > /usr/share/pydict/pydict\.py -- system_u:object_r:bin_t > /usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t > /usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t > +/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t > +/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t > +/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t > ') > > ifdef(`distro_suse', ` > diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc > --- nsapolicy/file_contexts/program/apache.fc 2004-11-20 22:29:09.000000000 -0500 > +++ policy-1.19.8/file_contexts/program/apache.fc 2004-11-30 16:49:58.000000000 -0500 > @@ -40,3 +40,6 @@ > ') > /var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t > /usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t > +/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t > +/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t > +/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t > diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc > --- nsapolicy/file_contexts/program/ifconfig.fc 2004-11-19 11:20:43.000000000 -0500 > +++ policy-1.19.8/file_contexts/program/ifconfig.fc 2004-12-01 09:01:45.000000000 -0500 > @@ -7,3 +7,6 @@ > /bin/ip -- system_u:object_r:ifconfig_exec_t > /sbin/ethtool -- system_u:object_r:ifconfig_exec_t > /sbin/mii-tool -- system_u:object_r:ifconfig_exec_t > +/sbin/ipx_interface -- system_u:object_r:ifconfig_exec_t > +/sbin/ipx_configure -- system_u:object_r:ifconfig_exec_t > +/sbin/ipx_internal_net -- system_u:object_r:ifconfig_exec_t > diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc > --- nsapolicy/file_contexts/types.fc 2004-12-02 14:11:43.377594270 -0500 > +++ policy-1.19.8/file_contexts/types.fc 2004-12-02 13:27:20.530471384 -0500 > @@ -139,6 +139,9 @@ > /u?dev/cu.* -c system_u:object_r:tty_device_t > /u?dev/vcs[^/]* -c system_u:object_r:tty_device_t > /u?dev/ip2[^/]* -c system_u:object_r:tty_device_t > +/u?dev/hvc.* -c system_u:object_r:tty_device_t > +/u?dev/hvsi.* -c system_u:object_r:tty_device_t > +/u?dev/ttySG.* -c system_u:object_r:tty_device_t > /u?dev/tty -c system_u:object_r:devtty_t > /dev/lp.* -c system_u:object_r:printer_device_t > /dev/par.* -c system_u:object_r:printer_device_t > @@ -334,6 +337,9 @@ > /usr(/.*)? system_u:object_r:usr_t > /usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t > /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t > +/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t > +/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t > +/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t > /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t > /usr(/.*)?/bin(/.*)? system_u:object_r:bin_t > /usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te > --- nsapolicy/macros/program/mozilla_macros.te 2004-12-02 14:11:43.625566345 -0500 > +++ policy-1.19.8/macros/program/mozilla_macros.te 2004-12-02 13:39:30.762236174 -0500 > @@ -98,6 +98,7 @@ > dontaudit $1_mozilla_t boot_t:dir getattr; > ifdef(`cups.te', ` > allow $1_mozilla_t cupsd_etc_t:dir search; > +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read }; > ') > allow $1_mozilla_t $1_t:tcp_socket { read write }; > > diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun > --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400 > +++ policy-1.19.8/tunables/distro.tun 2004-11-30 16:17:10.000000000 -0500 > @@ -5,7 +5,7 @@ > # appropriate ifdefs. > > > -dnl define(`distro_redhat') > +define(`distro_redhat') > > dnl define(`distro_suse') > > diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun > --- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500 > +++ policy-1.19.8/tunables/tunable.tun 2004-11-30 16:17:10.000000000 -0500 > @@ -2,10 +2,10 @@ > dnl define(`user_can_mount') > > # Allow rpm to run unconfined. > -dnl define(`unlimitedRPM') > +define(`unlimitedRPM') > > # Allow privileged utilities like hotplug and insmod to run unconfined. > -dnl define(`unlimitedUtils') > +define(`unlimitedUtils') > > # Allow rc scripts to run unconfined, including any daemon > # started by an rc script that does not have a domain transition > @@ -17,11 +17,11 @@ > > # Do not audit things that we know to be broken but which > # are not security risks > -dnl define(`hide_broken_symptoms') > +define(`hide_broken_symptoms') > > # Allow user_r to reach sysadm_r via su, sudo, or userhelper. > # Otherwise, only staff_r can do so. > -dnl define(`user_canbe_sysadm') > +define(`user_canbe_sysadm') > > # Allow xinetd to run unconfined, including any services it starts > # that do not have a domain transition explicitly defined. -- James Carter <jwcart2@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2005-04-14 14:07 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-12-09 17:46 patch: add policy for gpg helpers Thomas Bleher
2004-12-15 20:43 ` James Carter
2004-12-16 16:50 ` Latest patch Daniel J Walsh
2004-12-20 21:43 ` James Carter
[not found] <4256D267.7050403@comcast.net>
2005-04-14 14:04 ` Latest Patch James Carter
-- strict thread matches above, loose matches on Subject: below --
2004-12-17 1:22 [patch] misc. policy updates Greg Norris
2004-12-20 1:01 ` Russell Coker
2004-12-20 21:54 ` James Carter
2004-12-28 22:29 ` Latest patch Daniel J Walsh
2004-10-18 19:31 Adding alternate root patch to restorecon (setfiles?) Daniel J Walsh
2004-10-25 15:38 ` Russell Coker
2004-10-25 21:31 ` Thomas Bleher
2004-10-26 14:36 ` Russell Coker
2004-11-05 21:39 ` James Carter
2004-11-10 23:11 ` Patches without the can_network patch Daniel J Walsh
2004-11-17 20:15 ` James Carter
2004-11-18 14:33 ` Daniel J Walsh
2004-11-23 18:52 ` James Carter
2004-11-24 16:22 ` Daniel J Walsh
2004-11-24 19:48 ` James Carter
2004-11-30 21:19 ` Reissue previous patch Daniel J Walsh
2004-12-02 13:54 ` James Carter
2004-12-02 14:16 ` Daniel J Walsh
2004-12-02 17:51 ` James Carter
2004-12-02 19:27 ` Latest patch Daniel J Walsh
2004-12-03 13:40 ` James Carter
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.