From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tycho.ncsc.mil (8.12.8/8.12.8) with ESMTP id j03IxjIi018955 for ; Mon, 3 Jan 2005 13:59:45 -0500 (EST) Received: from moss-lions.epoch.ncsc.mil (jazzhorn.ncsc.mil [144.51.5.9]) by jazzhorn.ncsc.mil (8.12.10/8.12.10) with ESMTP id j03IvrFS015111 for ; Mon, 3 Jan 2005 18:57:53 GMT Received: from moss-lions.epoch.ncsc.mil (localhost.localdomain [127.0.0.1]) by moss-lions.epoch.ncsc.mil (8.12.11/8.12.11) with ESMTP id j03J21pm014750 for ; Mon, 3 Jan 2005 14:02:01 -0500 Received: (from jwcart2@localhost) by moss-lions.epoch.ncsc.mil (8.12.11/8.12.11/Submit) id j03J21oQ014749 for selinux@tycho.nsa.gov; Mon, 3 Jan 2005 14:02:01 -0500 Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tycho.ncsc.mil (8.12.8/8.12.8) with ESMTP id iBSMTmIi025067 for ; Tue, 28 Dec 2004 17:29:48 -0500 (EST) Message-ID: <41D1DE5C.8080905@redhat.com> Date: Tue, 28 Dec 2004 17:29:48 -0500 
From: Daniel J Walsh MIME-Version: 1.0 To: jwcart2@epoch.ncsc.mil CC: SELinux Subject: Latest patch References: <20041217012224.GA11330@yggdrasil.localdomain> <200412201201.11825.russell@coker.com.au> <1103579643.3220.32.camel@moss-lions.epoch.ncsc.mil> In-Reply-To: <1103579643.3220.32.camel@moss-lions.epoch.ncsc.mil> Content-Type: multipart/mixed; boundary="------------040305050003010804070006" Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov This is a multi-part message in MIME format. --------------040305050003010804070006 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit This patch supersedes the last one. Basically this patch is for targeted policy. With this policy initrc runs starts all daemons. If you start a daemon without using the service script the daemon will run in unconfined_t. sendmail, crond, xdm and ssh have targeted policies that allow them to run as unconfined_t. Dan --------------040305050003010804070006 Content-Type: text/x-patch; name="policy-20041221.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="policy-20041221.patch"
diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.19.15/assert.te
--- nsapolicy/assert.te 2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/assert.te 2004-12-28 12:09:14.000000000 -0500
@@ -30,7 +30,7 @@
 # Verify that only the insmod_t and kernel_t domains
 # have the sys_module capability.
 #
-neverallow {domain -unrestricted -insmod_t -kernel_t } self:capability sys_module;
+neverallow {domain -unrestricted -insmod_t -kernel_t -howl_t } self:capability sys_module;
 #
 # Verify that executable types, the system dynamic loaders, and the
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.15/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/crond.te 2004-12-28 12:09:14.000000000 -0500
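Review bot: Adding `-howl_t` to the sys_module neverallow lets a network-facing mDNS daemon hold the module-loading capability, which is exactly what this assertion exists to forbid, and the comment two lines above it still says only insmod_t and kernel_t may have it. The grant that forces the exclusion is `allow howl_t self:capability { kill net_admin sys_module };` in the howl.te hunk further down; if that denial comes from the kernel auto-loading a protocol module when howl creates a socket rather than from howl calling init_module itself, a `dontaudit howl_t self:capability sys_module;` in howl.te silences it without touching the assertion. If the allow really is needed, add a comment here naming the reason so the assertion's text and its exclusion list agree.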
@@ -160,6 +160,7 @@
 # /sbin/runlevel needs lock access however
 dontaudit system_crond_t initrc_var_run_t:file write;
 allow system_crond_t initrc_var_run_t:file { getattr read lock };
+allow initrc_t system_cron_spool_t:file { getattr read };
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.15/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/initrc.te 2004-12-28 12:09:14.000000000 -0500
@@ -13,10 +13,6 @@
 #
 # do not use privmail for sendmail as it creates a type transition conflict
 type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
-ifdef(`sendmail.te', `
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-')
 role system_r types initrc_t;
 uses_shlib(initrc_t);
@@ -115,14 +111,6 @@
 # Communicate with the init process.
 allow initrc_t initctl_t:fifo_file rw_file_perms;
-# Send messages to portmap and ypbind.
-ifdef(`portmap.te', `
-can_udp_send(initrc_t, portmap_t)
-')
-ifdef(`ypbind.te', `
-can_udp_send(initrc_t, ypbind_t)
-')
-
 # Read /proc/PID directories for all domains.
 r_dir_file(initrc_t, domain)
 allow initrc_t domain:process { getattr getsession };
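Review bot: The removed `can_udp_send(initrc_t, portmap_t)` in the @@ -115 hunk has no counterpart anywhere in this patch, whereas its sibling reappears as `can_udp_send(initrc_t, ypbind_t)` in the ypbind.te hunk; none of the portmap.te hunks shown here re-add it. Unless portmap no longer needs datagrams from init scripts, this is a silent loss of access that will surface as a denial at boot on hosts running portmap. Either restore the line next to the portmap_helper rules in portmap.te or state in the description that the drop is deliberate.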
@@ -137,15 +125,6 @@
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
-ifdef(`xfs.te', `
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-')
-
 # Update /var/log/wtmp and /var/log/dmesg.
 allow initrc_t wtmp_t:file { setattr rw_file_perms };
 allow initrc_t var_log_t:dir rw_dir_perms;
@@ -222,38 +201,14 @@
 # readahead asks for these
 # allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t system_cron_spool_t:file { getattr read };
 allow initrc_t var_lib_nfs_t:file { getattr read };
 # for /halt /.autofsck and other flag files
 file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-')
 ')dnl end distro_redhat
-ifdef(`distro_gentoo', `
-ifdef(`arpwatch.te', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')
-')dnl end distro_gentoo
-
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-
-ifdef(`rhgb.te', `
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-')
-
-ifdef(`gpm.te', `
-allow initrc_t gpmctl_t:sock_file setattr;
-')
-
 allow initrc_t var_spool_t:file rw_file_perms;
 # Allow access to the sysadm TTYs. Note that this will give access to the
@@ -263,20 +218,6 @@
 # Access sound device and files.
 allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-ifdef(`sound.te', `
-allow initrc_t sound_file_t:file { setattr write };
-')
-
-ifdef(`apmd.te',
-`# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-')
-
-ifdef(`lpd.te',
-`# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-')
 # Read user home directories.
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
@@ -299,7 +240,14 @@
 #
 # Rules for the run_init_t domain.
 #
+ifdef(`targeted_policy', `
+type run_init_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus send_msg;
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
+')
 allow initrc_t privfd:fd use;
 # Transition to system_r:initrc_t upon executing init scripts.
@@ -323,10 +271,6 @@
 allow initrc_t device_type:chr_file setattr;
 allow initrc_t binfmt_misc_fs_t:dir { getattr search };
 allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-ifdef(`pam.te', `
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-')
 # for lsof in shutdown scripts
 can_kerberos(initrc_t)
@@ -351,9 +295,6 @@
 #
 allow initrc_t security_t:dir { getattr search };
 allow initrc_t security_t:file { getattr read };
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-')
 # init script state
 type initrc_state_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.19.15/domains/program/init.te
--- nsapolicy/domains/program/init.te 2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/domains/program/init.te 2004-12-28 12:09:14.000000000 -0500
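Review bot: In the @@ -299 hunk, `domain_trans(initrc_t, shell_exec_t, unconfined_t)` opens a transition from initrc_t into unconfined_t for any init script that executes a shell, and nothing in the hunk says which service needs it; the description's remark that daemons started outside the service script run as unconfined_t hints at the intent, but the rule itself should carry it, e.g. `# targeted: let init scripts hand off to unconfined_t through the shell (needed by ...)` with the consumer named. The new block also sits under the heading `# Rules for the run_init_t domain.`, which no longer describes it, so either move the heading below the `')` or extend it to mention the targeted branch. The `ifdef` structure this hunk lives in continues outside the hunk.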
@@ -14,7 +14,7 @@
 # by init during initialization. This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted');
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.15/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.15/domains/program/ldconfig.te 2004-12-28 12:09:14.000000000 -0500
@@ -24,6 +24,7 @@
 file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
 allow ldconfig_t lib_t:dir rw_dir_perms;
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
+allow ldconfig_t lib_t:file r_file_perms;
 allow ldconfig_t userdomain:fd use;
 # unlink for when /etc/ld.so.cache is mislabeled
@@ -38,11 +39,7 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
-ifdef(`distro_suse', `
-# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
-')
-
 allow ldconfig_t proc_t:file read;
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.19.15/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/modutil.te 2004-12-28 12:09:14.000000000 -0500
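Review bot: The init.te hunk makes init_t `unrestricted` under targeted_policy with no comment, and the attribute matters more than it looks: the assert.te hunk at the top of this patch shows the neverallow rules subtract `-unrestricted`, so init_t drops out of every TE assertion in that variant. A one-line note on the type declaration, such as `# targeted: init_t is exempt from the assertions (unrestricted)`, tells the next reader this is deliberate rather than a leftover.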
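Review bot: In the ldconfig.te @@ -38 hunk the rule `allow ldconfig_t { var_t var_lib_t }:dir search;` survives but its why-comment `# because of libraries in /var/lib/samba/bin` is deleted together with the distro_suse guard, leaving an unconditional search grant into /var with no stated reason. Keep the comment above the retained line, reworded if the reason is no longer SUSE-specific, so the grant stays reviewable.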
@@ -69,7 +69,7 @@
 # Rules for the insmod_t domain.
 #
-type insmod_t, domain, privlog, sysctl_kernel_writer ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, unrestricted' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' )
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
@@ -99,7 +99,9 @@
 allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
-allow insmod_t sound_device_t:chr_file { ioctl write };
+allow insmod_t sound_device_t:chr_file { read ioctl write };
+allow insmod_t zero_device_t:chr_file read;
+allow insmod_t memory_device_t:chr_file rw_file_perms;
 # Read module config and dependency information
 allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
@@ -149,7 +151,6 @@
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
-dontaudit insmod_t sound_device_t:chr_file read;
 type insmod_exec_t, file_type, exec_type, sysadmfile;
 domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
@@ -159,9 +160,10 @@
 allow insmod_t privmodule:process sigchld;
 dontaudit sysadm_t self:capability sys_module;
+ifdef(`mount.te', `
 # Run mount in the mount_t domain.
 domain_auto_trans(insmod_t, mount_exec_t, mount_t)
-
+')
 # for when /var is not mounted early in the boot
 dontaudit insmod_t file_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.19.15/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.15/domains/program/ssh.te 2004-12-28 12:09:14.000000000 -0500
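Review bot: `allow insmod_t memory_device_t:chr_file rw_file_perms;` in the @@ -99 hunk gives the module loader read and write access to the kernel memory devices (presumably /dev/mem and /dev/kmem), which module loading itself does not need since insmod_t already holds sys_module; together with `privmem` being moved out of the unlimitedUtils branch in the @@ -69 hunk, this is granted in every policy build, not just the permissive one. If a specific helper run from insmod_t triggered the denial, a comment naming it and narrowing to the permission actually observed (read is far less sensitive than write here) would justify the rule; otherwise a `dontaudit` is the safer response to a stray access. The `privmem` move should carry the same comment, since it exists only to pass the memory_device_t assertion.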
@@ -228,5 +228,4 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-dontaudit sshd_t local_login_t:fd { use };
 dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.19.15/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/unused/amanda.te 2004-12-28 12:09:14.000000000 -0500
@@ -241,8 +241,6 @@
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
-allow amanda_recover_t local_login_t:fd use;
-
 # amrecover network and process communication
 #############################################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.15/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/apache.te 2004-12-28 12:09:14.000000000 -0500
@@ -156,6 +156,7 @@
 # Allow the httpd_t to read the web servers config files
 ###################################################
 r_dir_file(httpd_t, httpd_config_t)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.15/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/domains/program/unused/apmd.te 2004-12-28 12:09:14.000000000 -0500
@@ -131,3 +131,5 @@
 dontaudit apmd_t tmpfs_t:dir r_dir_perms;
 dontaudit apmd_t selinux_config_t:dir search;
 allow apmd_t user_tty_type:chr_file rw_file_perms;
+# Access /dev/apm_bios.
+allow initrc_t apm_bios_t:chr_file { setattr getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.15/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/unused/arpwatch.te 2004-12-28 12:09:14.000000000 -0500
@@ -35,3 +35,8 @@
 allow arpwatch_t bin_t:dir search;
 ')
+ifdef(`distro_gentoo', `
+allow initrc_t arpwatch_data_t:dir { add_name write };
+allow initrc_t arpwatch_data_t:file create;
+')dnl end distro_gentoo
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.15/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te 2004-12-03 14:42:06.000000000 -0500
+++ policy-1.19.15/domains/program/unused/bootloader.te 2004-12-28 12:09:14.000000000 -0500
@@ -29,7 +29,7 @@
 allow bootloader_t { initrc_t privfd }:fd use;
 tmp_domain(bootloader, `, device_type')
-allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;
+allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;
 read_locale(bootloader_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.15/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/cups.te 2004-12-28 12:09:14.000000000 -0500
@@ -33,10 +33,8 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
-ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
-')
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
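Review bot: Dropping the `ifdef(`usbmodules.te'` guard in the cups.te @@ -33 hunk makes the `r_dir_file(cupsd_t, usbdevfs_t)` and `r_dir_file(cupsd_t, usbfs_t)` rules unconditional; that is fine only if `usbdevfs_t` and `usbfs_t` are declared in a core types file rather than in usbmodules.te, which this patch does not show. Worth confirming with a build that omits usbmodules.te, and a short comment on why cupsd needs usbfs regardless of that module would explain the removal.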
@@ -166,6 +164,8 @@
 allow cupsd_t printconf_t:file { getattr read };
+dbusd_client(system, cupsd)
+
 ifdef(`hald.te', `
 # CUPS configuration daemon
@@ -195,13 +195,12 @@
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-can_network_server_tcp(cupsd_config_t)
+can_network_tcp(cupsd_config_t)
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
 allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
@@ -243,3 +242,8 @@
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
 ') dnl end if hald.te
+ifdef(`targeted_policy', `
+can_unix_connect(cupsd_t, initrc_t)
+allow cupsd_t initrc_t:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.19.15/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.15/domains/program/unused/dbusd.te 2004-12-28 12:09:14.000000000 -0500
@@ -16,3 +16,5 @@
 # I expect we need more than this
+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpm.te policy-1.19.15/domains/program/unused/gpm.te
--- nsapolicy/domains/program/unused/gpm.te 2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.15/domains/program/unused/gpm.te 2004-12-28 12:09:14.000000000 -0500
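Review bot: `dbusd_client(system, cupsd)` is moved out of the `ifdef(`dbusd.te'` block (inside the hald.te block) in the @@ -195 hunk and placed unguarded in the @@ -166 hunk, so it is now expanded even when dbusd.te is not part of the build; if the macro references `system_dbusd_t`, as the neighbouring `allow cupsd_config_t system_dbusd_t:dbus` lines suggest, a build without dbusd.te will fail on an undeclared type. Wrap the relocated call as `ifdef(`dbusd.te', `dbusd_client(system, cupsd)')` or confirm with a build that omits dbusd.te.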
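Review bot: Replacing `can_network_server_tcp(cupsd_config_t)` with `can_network_tcp(cupsd_config_t)` in the @@ -195 hunk widens the configuration daemon from accepting TCP connections to also initiating them to arbitrary hosts, and the hunk gives no reason. If the need is the local connection to cupsd, the existing `can_tcp_connect(cupsd_config_t, cupsd_t)` on the next line already covers it; if an outbound connection elsewhere was denied, a comment naming the destination would justify the broader macro.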
@@ -40,3 +40,6 @@
 allow gpm_t device_t:lnk_file { getattr read };
 read_locale(gpm_t)
+
+allow initrc_t gpmctl_t:sock_file setattr;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.15/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/howl.te 2004-12-28 12:09:14.000000000 -0500
@@ -4,17 +4,19 @@
 #
 daemon_domain(howl)
-allow howl_t proc_net_t:dir search;
-allow howl_t proc_net_t:file {getattr read };
+r_dir_file(howl_t, proc_net_t)
 can_network_server(howl_t)
 can_ypbind(howl_t)
-allow howl_t self:capability { kill net_admin };
+allow howl_t self:unix_dgram_socket create_socket_perms;
+allow howl_t self:capability { kill net_admin sys_module };
 allow howl_t self:fifo_file rw_file_perms;
 type howl_port_t, port_type;
 allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
+allow howl_t self:unix_dgram_socket create_socket_perms;
+
 allow howl_t etc_t:file { getattr read };
 allow howl_t initrc_var_run_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.19.15/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te 2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.15/domains/program/unused/inetd.te 2004-12-28 12:09:14.000000000 -0500
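Review bot: The howl.te hunk adds `allow howl_t self:unix_dgram_socket create_socket_perms;` twice, once before the capability line and again after the name_bind rule; the compiler tolerates it, but it reads as a merge leftover, so drop the second copy. The `sys_module` added on the capability line is the change that required the assert.te exclusion at the top of the patch, and the alternative of a `dontaudit` is discussed there.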
@@ -18,7 +18,7 @@
 # Rules for the inetd_t domain.
 #
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
 can_network(inetd_t)
 allow inetd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.15/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te 2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.15/domains/program/unused/innd.te 2004-12-28 12:09:14.000000000 -0500
@@ -76,6 +76,5 @@
 allow innd_t self:file { getattr read };
 dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
 allow innd_t bin_t:lnk_file { read };
 allow innd_t sbin_t:lnk_file { read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.15/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/kerberos.te 2004-12-28 12:09:14.000000000 -0500
@@ -44,11 +44,10 @@
 can_tcp_connect(kerberos_admin_port_t, kadmind_t)
 # Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
-allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
+allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
 allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
 allow kadmind_t reserved_port_t:tcp_socket name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
 #
 # Rules for Kerberos5 KDC daemon
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.19.15/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/lpd.te 2004-12-28 12:09:14.000000000 -0500
@@ -154,3 +154,8 @@
 # checkpc needs similar permissions.
 allow checkpc_t printconf_t:file getattr;
 allow checkpc_t printconf_t:dir { getattr search read };
+
+# Read printconf files.
+allow initrc_t printconf_t:dir r_dir_perms;
+allow initrc_t printconf_t:file r_file_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.15/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/mta.te 2004-12-28 12:09:14.000000000 -0500
@@ -76,3 +76,4 @@
 create_dir_file( system_mail_t, mqueue_spool_t)
 ')
 allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t urandom_device_t:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.15/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/nscd.te 2004-12-28 12:09:14.000000000 -0500
@@ -70,4 +70,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.15/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/ntpd.te 2004-12-28 12:09:14.000000000 -0500
@@ -80,3 +80,8 @@
 ifdef(`firstboot.te', `
 dontaudit ntpd_t firstboot_t:fd use;
 ')
+ifdef(`winbind.te', `
+allow ntpd_t winbind_var_run_t:dir r_dir_perms;
+allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.19.15/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te 2004-09-10 11:01:02.000000000 -0400
+++ policy-1.19.15/domains/program/unused/pam.te 2004-12-28 12:09:14.000000000 -0500
@@ -34,3 +34,6 @@
 allow pam_t local_login_t:fd use;
 dontaudit pam_t self:capability sys_tty_config;
+
+allow initrc_t pam_var_run_t:dir rw_dir_perms;
+allow initrc_t pam_var_run_t:file { getattr read unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.15/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/portmap.te 2004-12-28 12:09:14.000000000 -0500
@@ -23,7 +23,7 @@
 tmp_domain(portmap)
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
+dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
@@ -55,8 +55,10 @@
 allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
 application_domain(portmap_helper)
+role system_r types portmap_helper_t;
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
+allow portmap_helper_t self:capability { net_bind_service };
 allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
@@ -64,4 +66,5 @@
 dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
 allow portmap_helper_t etc_t:file { getattr read };
 dontaudit portmap_helper_t userdomain:fd use;
-allow portmap_helper_t reserved_port_t:udp_socket name_bind;
+allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.19.15/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te 2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/postfix.te 2004-12-28 12:09:14.000000000 -0500
@@ -50,6 +50,8 @@
 allow postfix_$1_t etc_runtime_t:file r_file_perms;
 allow postfix_$1_t proc_t:dir r_dir_perms;
 allow postfix_$1_t proc_t:file r_file_perms;
+allow postfix_$1_t proc_net_t:dir search;
+allow postfix_$1_t proc_net_t:file { getattr read };
 allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
 allow postfix_$1_t fs_t:filesystem getattr;
 can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -158,8 +160,6 @@
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network_client(postfix_$1_t)
 can_ypbind(postfix_$1_t)
-allow postfix_$1_t proc_net_t:dir search;
-allow postfix_$1_t proc_net_t:file { getattr read };
 ')
 postfix_server_domain(smtp, `, mail_server_sender')
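Review bot: The proc_net_t read rules moved in the postfix.te @@ -50 hunk now sit in the macro that every `postfix_$1_t` domain expands, not only the server domains they were removed from in the @@ -158 hunk, so the user-invoked postfix domains (postdrop and the like, as the next physical line's postfix_showq_t removal suggests) gain /proc/net read as a side effect. That is probably intended, since postfix_showq_t's own copy is dropped, but a one-line comment such as `# all postfix domains read /proc/net` at the new location would make the widening deliberate rather than accidental. The enclosing macro definitions start and end outside both hunks.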
@@ -274,8 +274,6 @@
 allow postfix_showq_t self:tcp_socket create_socket_perms;
 allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
 dontaudit postfix_showq_t net_conf_t:file r_file_perms;
-allow postfix_showq_t proc_net_t:dir search;
-allow postfix_showq_t proc_net_t:file { getattr read };
 postfix_user_domain(postdrop, `, mta_user_agent')
 allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.15/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/postgresql.te 2004-12-28 12:09:14.000000000 -0500
@@ -112,7 +112,7 @@
 dontaudit postgresql_t selinux_config_t:dir { search };
 allow postgresql_t mail_spool_t:dir { search };
 rw_dir_create_file(postgresql_t, var_lock_t)
-can_exec(postgresql_t, { shell_exec_t bin_t } )
+can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
 ifdef(`apache.te', `
 #
 # Allow httpd to work with postgresql
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.15/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/rhgb.te 2004-12-28 12:09:14.000000000 -0500
@@ -93,3 +93,8 @@
 ')
 allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
 dontaudit rhgb_t default_t:file read;
+
+allow initrc_t ramfs_t:dir search;
+allow initrc_t ramfs_t:sock_file write;
+allow initrc_t rhgb_t:unix_stream_socket { read write };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.19.15/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.15/domains/program/unused/rpm.te 2004-12-28 12:09:14.000000000 -0500
@@ -244,6 +244,10 @@
 allow rpm_script_t domain:process { signal signull };
+# Access /var/lib/rpm.
+allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
+allow initrc_t rpm_var_lib_t:file create_file_perms;
+
 ifdef(`unlimitedRPM', `
 unconfined_domain(rpm_t)
 unconfined_domain(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.15/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te 2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/sendmail.te 2004-12-28 12:09:14.000000000 -0500
@@ -53,6 +53,8 @@
 # for the start script to run make -C /etc/mail
 allow initrc_t etc_mail_t:dir rw_dir_perms;
 allow initrc_t etc_mail_t:file create_file_perms;
+allow system_mail_t initrc_t:fd use;
+allow system_mail_t initrc_t:fifo_file write;
 # Write to /var/spool/mail and /var/spool/mqueue.
 allow sendmail_t var_spool_t:dir { getattr search };
@@ -84,6 +86,7 @@
 allow system_mail_t proc_t:dir search;
 allow system_mail_t proc_t:file { getattr read };
 allow system_mail_t proc_t:lnk_file read;
+dontaudit system_mail_t proc_net_t:dir search;
 allow sendmail_t sysctl_kernel_t:dir search;
 allow sendmail_t sysctl_kernel_t:file { getattr read };
 allow system_mail_t fs_t:filesystem getattr;
@@ -97,9 +100,12 @@
 allow system_mail_t mqueue_spool_t:file create_file_perms;
 allow system_mail_t sysctl_kernel_t:file read;
+ifdef(`crond.te', `
 dontaudit system_mail_t system_crond_tmp_t:file append;
+')
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 allow sendmail_t initrc_var_run_t:file { getattr read };
 dontaudit sendmail_t initrc_var_run_t:file { lock write };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound.te policy-1.19.15/domains/program/unused/sound.te
--- nsapolicy/domains/program/unused/sound.te 2004-03-23 15:58:08.000000000 -0500
+++ policy-1.19.15/domains/program/unused/sound.te 2004-12-28 12:09:14.000000000 -0500
@@ -23,3 +23,4 @@
 # Read and write ttys.
 allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
 read_locale(sound_t)
+allow initrc_t sound_file_t:file { setattr write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.15/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/squid.te 2004-12-28 12:09:14.000000000 -0500
@@ -15,7 +15,7 @@
 daemon_domain(squid, `, web_client_domain, nscd_client_domain')
 type squid_conf_t, file_type, sysadmfile;
-
+general_domain_access(squid_t)
 allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
 allow squid_t squid_conf_t:dir r_dir_perms;
 allow squid_t squid_conf_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.19.15/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2004-12-01 16:51:43.000000000 -0500
+++ policy-1.19.15/domains/program/unused/udev.te 2004-12-28 12:09:14.000000000 -0500
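Review bot: `general_domain_access(squid_t)` in the squid.te hunk is a broad self-access macro (as I read it, the full self:process set plus fd, pipe, unix-socket and System V IPC permissions) dropped in with no comment, right after `daemon_domain(squid)` has already granted the usual daemon self permissions. A denial-driven line such as `allow squid_t self:shm create_shm_perms;` would usually be the proportionate fix; if the whole macro really is needed, a comment naming the denial that motivated it keeps the grant reviewable.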
@@ -24,8 +24,9 @@
 #
 # Rules used for udev
 #
-type udev_tbl_t, file_type, sysadmfile, dev_fs;
-file_type_auto_trans(udev_t, device_t, udev_tbl_t, file)
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
+file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
@@ -97,6 +98,7 @@
 ifdef(`pamconsole.te', `
 allow udev_t pam_var_console_t:dir search;
 allow udev_t pam_var_console_t:file { getattr read };
+domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
 ')
 allow udev_t var_lock_t:dir search;
 allow udev_t var_lock_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.15/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2004-12-20 16:27:44.000000000 -0500
+++ policy-1.19.15/domains/program/unused/winbind.te 2004-12-28 12:09:14.000000000 -0500
@@ -21,13 +21,13 @@
 type samba_secrets_t, file_type, sysadmfile;
 ')
 rw_dir_file(winbind_t, samba_etc_t)
-rw_dir_file(winbind_t, samba_log_t)
+rw_dir_create_file(winbind_t, samba_log_t)
 allow winbind_t samba_secrets_t:file rw_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
 allow winbind_t urandom_device_t:chr_file { getattr read };
 allow winbind_t self:fifo_file { read write };
-rw_dir_file(winbind_t, samba_var_t)
+rw_dir_create_file(winbind_t, samba_var_t)
 allow winbind_t krb5_conf_t:file { getattr read };
 dontaudit winbind_t krb5_conf_t:file { write };
 allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.19.15/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/xfs.te 2004-12-28 12:09:14.000000000 -0500
@@ -40,3 +40,11 @@
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
 allow xfs_t fonts_t:file { getattr read };
+
+# Unlink the xfs socket.
+allow initrc_t xfs_tmp_t:dir rw_dir_perms;
+allow initrc_t xfs_tmp_t:dir rmdir;
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
+allow initrc_t fonts_t:dir create_dir_perms;
+allow initrc_t fonts_t:file create_file_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.15/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/ypbind.te 2004-12-28 12:09:14.000000000 -0500
@@ -37,6 +37,7 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket name_bind;
-allow ypbind_t reserved_port_t:udp_socket name_bind;
-dontaudit ypbind_t reserved_port_type:udp_socket name_bind;
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_udp_send(initrc_t, ypbind_t)
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.15/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/file_contexts/distros.fc 2004-12-28 14:01:00.477435032 -0500
@@ -35,6 +35,32 @@
 /usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
 /usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
+#
+# /emul/ia32-linux/usr
+#
+/emul(/.*)? system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t
+# /emul/ia32-linux/lib
+/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+# /emul/ia32-linux/bin
+/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t
+# /emul/ia32-linux/sbin
+/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t
+
+ifdef(`dbusd.te', `', `
+/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
+')
 ')
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.15/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.15/file_contexts/program/cups.fc 2004-12-28 12:09:14.000000000 -0500
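Review bot: The ld_so_t entry under /emul/ia32-linux/usr lacks the `--` file-type specifier that its sibling under /emul/ia32-linux/lib carries, so it also matches directories and symlinks whose names look like the loader; make it `/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t`. Labelling .jar and .jsa files as shlib_t is unusual, since shlib_t is the type domains are generally allowed to map executable; a comment naming the JVM feature that needs it (class-data sharing is my guess) would keep a later cleanup from removing it. The `ifdef(`dbusd.te', `', ...)` fallback presumably pairs with the system_dbusd_var_run_t declaration this patch adds to targeted/domains/unconfined.te; saying so on the ifdef would make the dependency visible.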
@@ -29,9 +29,6 @@
 /var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t
 /usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t
 /usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t
-/usr/bin/lpr\.cups -- system_u:object_r:lpr_exec_t
-/usr/bin/lpq\.cups -- system_u:object_r:lpr_exec_t
-/usr/bin/lprm\.cups -- system_u:object_r:lpr_exec_t
 /usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t
 /usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t
 /var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.19.15/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc 2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.15/file_contexts/program/initrc.fc 2004-12-28 12:09:14.000000000 -0500
@@ -1,5 +1,9 @@
 # init rc scripts
-/etc/X11/prefdm -- system_u:object_r:initrc_exec_t
+ifdef(`targeted_policy', `
+/etc/X11/prefdm -- system_u:object_r:bin_t
+', `
+/etc/X11/prefdm -- system_u:object_r:initrc_exec_t
+')
 /etc/rc\.d/rc -- system_u:object_r:initrc_exec_t
 /etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t
 /etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kerberos.fc policy-1.19.15/file_contexts/program/kerberos.fc
--- nsapolicy/file_contexts/program/kerberos.fc 2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.15/file_contexts/program/kerberos.fc 2004-12-28 12:09:14.000000000 -0500
@@ -9,4 +9,3 @@
 /var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
 /var/log/kadmind\.log system_u:object_r:kadmind_log_t
 /usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
-/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/login.fc policy-1.19.15/file_contexts/program/login.fc
--- nsapolicy/file_contexts/program/login.fc 2003-11-26 13:01:07.000000000 -0500
+++ policy-1.19.15/file_contexts/program/login.fc 2004-12-28 12:09:14.000000000 -0500
@@ -1,2 +1,3 @@
 # login
 /bin/login -- system_u:object_r:login_exec_t
+/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lpr.fc policy-1.19.15/file_contexts/program/lpr.fc
--- nsapolicy/file_contexts/program/lpr.fc 2003-11-26 13:01:07.000000000 -0500
+++ policy-1.19.15/file_contexts/program/lpr.fc 2004-12-28 12:09:14.000000000 -0500
@@ -1,4 +1,4 @@
 # lp utilities.
-/usr/bin/lpr -- system_u:object_r:lpr_exec_t
-/usr/bin/lpq -- system_u:object_r:lpr_exec_t
-/usr/bin/lprm -- system_u:object_r:lpr_exec_t
+/usr/bin/lpr(\.cups)? -- system_u:object_r:lpr_exec_t
+/usr/bin/lpq(\.cups)? -- system_u:object_r:lpr_exec_t
+/usr/bin/lprm(\.cups)? -- system_u:object_r:lpr_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.19.15/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc 2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/postgresql.fc 2004-12-28 12:09:14.000000000 -0500
@@ -4,6 +4,7 @@
 /usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t
 /usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t
 /usr/bin/pg_resetxlog -- system_u:object_r:postgresql_exec_t
+/usr/bin/initdb -- system_u:object_r:postgresql_exec_t
 # not sure whether the following binaries need labelling
 /usr/bin/createlang -- system_u:object_r:postgresql_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ssh.fc policy-1.19.15/file_contexts/program/ssh.fc
--- nsapolicy/file_contexts/program/ssh.fc 2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/ssh.fc 2004-12-28 13:28:11.432062741 -0500
@@ -7,7 +7,6 @@
 /etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t
 /etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t
 /usr/sbin/sshd -- system_u:object_r:sshd_exec_t
-HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t
 /var/run/sshd\.init\.pid -- system_u:object_r:sshd_var_run_t
 # subsystems
 /usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t
@@ -16,3 +15,6 @@
 ifdef(`distro_suse', `
 /usr/lib(64)?/ssh/.* -- system_u:object_r:bin_t
 ')
+ifdef(`targeted_policy', `', `
+HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.19.15/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc 2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/udev.fc 2004-12-28 12:09:14.000000000 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl -- system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t
+/dev/\.udev\.tdb/.* -- system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.15/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2004-12-21 10:59:58.000000000 -0500
+++ policy-1.19.15/macros/global_macros.te 2004-12-28 12:09:14.000000000 -0500
@@ -242,7 +242,8 @@
 allow $1_t { self proc_t }:dir r_dir_perms;
 allow $1_t { self proc_t }:lnk_file read;
-allow $1_t device_t:dir { getattr search };
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t udev_tdb_t:file r_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
 dontaudit $1_t unpriv_userdomain:fd use;
@@ -512,6 +513,8 @@
 allow $1 sysctl_t:{ dir file } *;
 allow $1 device_type:devfile_class_set *;
 allow $1 mtrr_device_t:file *;
+allow domain $1:fd use;
+allow domain $1:process sigchld;
 # Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.15/macros/network_macros.te
--- nsapolicy/macros/network_macros.te 2004-11-24 14:44:37.000000000 -0500
+++ policy-1.19.15/macros/network_macros.te 2004-12-28 12:09:14.000000000 -0500
@@ -83,7 +83,7 @@
 define(`can_network_tcp',`
 can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
+allow $1 self:tcp_socket { connect };
 ')
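Review bot: Replacing `can_network_client_tcp($1, `$2')` with a bare `allow $1 self:tcp_socket { connect };` changes what every caller of can_network_tcp, and through it can_network, receives: if can_network_client_tcp grants anything that can_network_server_tcp does not (netif/node/port traffic or a name_connect on $2), those callers lose it with no diagnostic. If the two macros overlap except for connect, say so on the replaced line, e.g. `# server_tcp already covers node/netif/port traffic; connect is the only extra client permission`, otherwise keep the macro call. The can_network_tcp definition starts and ends inside the hunk, but its callers and the two helper macros do not, so this can only be confirmed against the rest of network_macros.te.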
@@ -144,11 +144,13 @@
 can_network_tcp($1, `$2')
 can_network_udp($1, `$2')
+ifdef(`mount.te', `
 #
 # Allow the domain to send NFS client requests via the socket
 # created by mount.
 #
 allow $1 mount_t:udp_socket rw_socket_perms;
+')
 ')dnl end can_network definition
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.19.15/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.15/macros/program/dbusd_macros.te 2004-12-28 12:09:14.000000000 -0500
@@ -54,25 +54,25 @@
 #
 # Define a new derived domain for connecting to dbus_type
 # from domain_prefix_t.
-define(`dbusd_client',`')
-ifdef(`dbusd.te',`
 undefine(`dbusd_client')
 define(`dbusd_client',`
+ifdef(`dbusd.te',`
 # Derived type used for connection
 type $2_dbusd_$1_t;
 type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
+# SE-DBus specific permissions
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+
 # For connecting to the bus
 allow $2_t $1_dbusd_t:unix_stream_socket connectto;
+
+') dnl endif dbusd.te
 ifelse(`system', `$1', `
 allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
 allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`
-') dnl endif system
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-') dnl endif dbusd.te
+',`') dnl endif system
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sendmail_macros.te policy-1.19.15/macros/program/sendmail_macros.te
--- nsapolicy/macros/program/sendmail_macros.te 2004-10-06 09:18:33.000000000 -0400
+++ policy-1.19.15/macros/program/sendmail_macros.te 2004-12-28 12:09:14.000000000 -0500
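Review bot: After the restructure of dbusd_client the `ifelse(`system', `$1', ...)` branch sits outside the `ifdef(`dbusd.te',`` guard, so dbusd_client(system, X) now emits rules on system_dbusd_var_run_t even in builds that omit dbusd.te; those builds only compile if something else declares that type, and within this patch only targeted/domains/unconfined.te does. Either declare the type somewhere both policies share, or state the dependency at the top of the macro: `# system_dbusd_var_run_t must exist even without dbusd.te (targeted declares it in domains/unconfined.te)`. The `',`')` that replaces the old two-line empty else branch is equivalent; only the trailing `dnl endif system` label now describes the combined line, which is fine.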
@@ -45,6 +45,7 @@
 ifelse(`$1', `sysadm', `
 allow $1_mail_t proc_t:dir { getattr search };
 allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
+dontaudit $1_mail_t proc_net_t:dir search;
 allow $1_mail_t sysctl_kernel_t:file { getattr read };
 allow $1_mail_t etc_runtime_t:file { getattr read };
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.15/Makefile
--- nsapolicy/Makefile 2004-12-21 10:59:56.000000000 -0500
+++ policy-1.19.15/Makefile 2004-12-28 12:09:14.000000000 -0500
@@ -50,7 +50,7 @@
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 FC = file_contexts/file_contexts
-FCFILES=tmp/program_used_flags.te file_contexts/types.fc file_contexts/distros.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)
+FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 APPDIR=$(CONTEXTPATH)
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.19.15/targeted/appconfig/default_contexts
--- nsapolicy/targeted/appconfig/default_contexts 2004-05-12 08:56:51.000000000 -0400
+++ policy-1.19.15/targeted/appconfig/default_contexts 2004-12-28 12:09:38.000000000 -0500
@@ -1 +1,2 @@
 system_r:unconfined_t system_r:unconfined_t
+system_r:initrc_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.19.15/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts 2004-05-12 08:56:51.000000000 -0400
+++ policy-1.19.15/targeted/appconfig/root_default_contexts 2004-12-28 12:09:42.000000000 -0500
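Review bot: Moving file_contexts/distros.fc after the program .fc files in FCFILES changes precedence, not just order: setfiles resolves overlapping regex specifications by file order, with the later match winning, so the distribution entries now override the per-program ones where both match a path instead of the reverse. If that is intended (presumably for the new /emul/ia32-linux and /var/run/dbus entries in distros.fc), record it next to the variable: `# distros.fc follows the program entries so distribution overrides take precedence`. Otherwise the reorder should be reverted, since it silently changes labels for every path matched by both files.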
@@ -1 +1,2 @@
 system_r:unconfined_t system_r:unconfined_t
+system_r:initrc_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.19.15/targeted/assert.te
--- nsapolicy/targeted/assert.te 2004-11-30 16:05:23.000000000 -0500
+++ policy-1.19.15/targeted/assert.te 2004-12-28 12:09:14.000000000 -0500
@@ -22,10 +22,10 @@
 # Confined domains must never touch an unconfined domain except to
 # send SIGCHLD for child termination notifications.
-neverallow { domain - unconfined_t } unconfined_t:process ~sigchld;
+neverallow { domain -unconfined_t -unrestricted } unconfined_t:process ~sigchld;
 # Confined domains must never see unconfined domain's /proc/pid entries.
-neverallow { domain - unconfined_t } unconfined_t:dir { getattr search };
+neverallow { domain -unconfined_t -unrestricted } unconfined_t:dir { getattr search };
 #
 # Verify that every type that can be entered by
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.19.15/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/crond.te 2004-12-28 13:53:28.152958431 -0500
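Review bot: Adding `-unrestricted` to both neverallow sets exempts every domain carrying that attribute from the assertion, and with tunables/tunable.tun now defining unlimitedRC that includes initrc_t, so the comments above the two rules no longer describe what is asserted. Update them, e.g. `# Confined domains must never touch an unconfined domain except to send SIGCHLD; domains with the unrestricted attribute (initrc_t under unlimitedRC, hotplug/insmod under unlimitedUtils) are exempt.` and the matching wording on the /proc/pid rule. Whether an unrestricted domain should be able to ptrace or signal unconfined_t is a policy decision this hunk does not argue; a sentence of justification next to the exemption would help the next reader.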
@@ -0,0 +1,21 @@
+#DESC crond
+#
+# Authors: Daniel Walsh
+#
+
+#################################
+#
+# Rules for the crond domain.
+#
+# crond_exec_t is the type of the /usr/sbin/crond and other programs.
+# This domain is defined just for targeted policy.
+#
+type crond_exec_t, file_type, sysadmfile, exec_type;
+type anacron_exec_t, file_type, sysadmfile, exec_type;
+type system_crond_tmp_t, file_type, sysadmfile;
+type system_cron_spool_t, file_type, sysadmfile;
+type sysadm_cron_spool_t, file_type, sysadmfile;
+type crond_log_t, file_type, sysadmfile;
+type crond_var_run_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, crond_exec_t, crond_t)
+domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/initrc.te policy-1.19.15/targeted/domains/program/initrc.te
--- nsapolicy/targeted/domains/program/initrc.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/initrc.te 1969-12-31 19:00:00.000000000 -0500
@@ -1,16 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_exec_t is the type of the rc.sysinit and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.
-#
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-typealias var_run_t alias initrc_var_run_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/init.te policy-1.19.15/targeted/domains/program/init.te
--- nsapolicy/targeted/domains/program/init.te 2004-09-20 15:41:01.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/init.te 1969-12-31 19:00:00.000000000 -0500
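Review bot: The header `# Rules for the crond domain.` does not say that in targeted policy crond_t is an alias of unconfined_t (targeted/domains/unconfined.te in this same patch), so the two domain_auto_trans lines move crond from initrc_t into the unconfined domain rather than into a confined one; a reader coming from the strict crond.te will assume otherwise. Add, e.g., `# crond_t is an alias of unconfined_t in targeted policy; the transition only gets crond out of initrc_t.` The same applies to the new sendmail.te, ssh.te and xdm.te files, whose headers use the same wording. system_crond_t is aliased as well but nothing here transitions to it, which is fine if only macros reference it.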
@@ -1,18 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors: Daniel Walsh
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created
-# by init during initialization. This pipe is used
-# to communicate with init.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy. /sbin/init will get this policy.
-#
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/rpm.te policy-1.19.15/targeted/domains/program/rpm.te
--- nsapolicy/targeted/domains/program/rpm.te 2004-10-06 16:21:30.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/rpm.te 2004-12-28 12:09:14.000000000 -0500
@@ -13,3 +13,4 @@
 type rpm_exec_t, file_type, sysadmfile, exec_type;
 type rpm_var_lib_t, file_type, sysadmfile;
 typealias var_log_t alias rpm_log_t;
+type rpm_tmpfs_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.19.15/targeted/domains/program/sendmail.te
--- nsapolicy/targeted/domains/program/sendmail.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/sendmail.te 2004-12-28 14:03:00.726360626 -0500
@@ -0,0 +1,17 @@
+#DESC sendmail
+#
+# Authors: Daniel Walsh
+#
+
+#################################
+#
+# Rules for the sendmaild domain.
+#
+# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs.
+# This domain is defined just for targeted policy.
+#
+type sendmail_exec_t, file_type, sysadmfile, exec_type;
+type sendmail_log_t, file_type, sysadmfile;
+type sendmail_var_run_t, file_type, sysadmfile;
+type etc_mail_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.19.15/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/ssh.te 2004-12-28 13:53:28.683899180 -0500
@@ -0,0 +1,19 @@
+#DESC sshd
+#
+# Authors: Daniel Walsh
+#
+
+#################################
+#
+# Rules for the sshd domain.
+#
+# sshd_exec_t is the type of the /bin/sshd and other programs.
+# This domain is defined just for targeted policy.
+#
+type sshd_exec_t, file_type, sysadmfile, exec_type;
+type ssh_exec_t, file_type, sysadmfile, exec_type;
+type ssh_keygen_exec_t, file_type, sysadmfile, exec_type;
+type sshd_key_t, file_type, sysadmfile;
+type sshd_var_run_t, file_type, sysadmfile;
+type ssh_port_t, port_type;
+domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.19.15/targeted/domains/program/udev.te
--- nsapolicy/targeted/domains/program/udev.te 2004-09-20 15:41:01.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/udev.te 2004-12-28 12:09:14.000000000 -0500
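Review bot: `# Rules for the sendmaild domain.` misnames the domain; the file defines types for sendmail and transitions to sendmail_t, so write `# Rules for the sendmail domain.`. In the new ssh.te that follows on the same line, `# sshd_exec_t is the type of the /bin/sshd and other programs.` disagrees with ssh.fc in this patch, which labels /usr/sbin/sshd as sshd_exec_t; use `/usr/sbin/sshd` there. Both are header-only fixes and do not change any rule.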
@@ -13,4 +13,5 @@
 #
 type udev_exec_t, file_type, sysadmfile, exec_type;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-type udev_tbl_t, file_type, sysadmfile, dev_fs;
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.19.15/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/xdm.te 2004-12-28 13:53:29.134848854 -0500
@@ -0,0 +1,21 @@
+#DESC xdm - Linux configurable dynamic device naming support
+#
+# Authors: Daniel Walsh
+#
+
+#################################
+#
+# Rules for the xdm domain.
+#
+# xdm_exec_t is the type of the /usr/bin/gdm and other programs.
+# This domain is defined just for targeted policy.
+#
+type xdm_exec_t, file_type, sysadmfile, exec_type;
+type xsession_exec_t, file_type, sysadmfile, exec_type;
+type vnc_port_t, port_type;
+type xserver_log_t, file_type, sysadmfile;
+type xdm_xserver_tmp_t, file_type, sysadmfile;
+type xdm_rw_etc_t, file_type, sysadmfile;
+type xdm_var_run_t, file_type, sysadmfile;
+type xdm_var_lib_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.15/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2004-11-20 22:29:10.000000000 -0500
+++ policy-1.19.15/targeted/domains/unconfined.te 2004-12-28 13:58:06.169458436 -0500
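Review bot: The `#DESC xdm - Linux configurable dynamic device naming support` line in the new xdm.te is udev's description copied into a display-manager file; the DESC line is what policy tooling shows for the module, so it should describe xdm, e.g. `#DESC xdm - X display manager`. The following `# xdm_exec_t is the type of the /usr/bin/gdm and other programs.` names a path I cannot check against xdm.fc, which is not in this patch; confirm it matches the .fc entry before keeping it.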
@@ -13,11 +13,12 @@
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
-typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
-type mount_t, domain;
-type initrc_devpts_t, ptyfile;
+typealias unconfined_t alias { crond_t kernel_t logrotate_t sendmail_t sshd_t sysadm_t system_crond_t rpm_t rpm_script_t xdm_t };
 define(`admin_tty_type', `{ tty_device_t devpts_t }')
+#type of rundir to communicate with dbus
+type system_dbusd_var_run_t, file_type, sysadmfile;
+
 # User home directory type.
 type user_home_t, file_type, sysadmfile;
 type user_home_dir_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.15/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.15/tunables/distro.tun 2004-12-28 12:09:14.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
 dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.15/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-12-11 06:31:22.000000000 -0500
+++ policy-1.19.15/tunables/tunable.tun 2004-12-28 12:09:14.000000000 -0500
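Review bot: Dropping init_t and initrc_t from the unconfined_t alias list turns them into real domains in targeted policy, built from the strict domains/program files now that the targeted init.te and initrc.te stubs are deleted in this patch, and initrc_t only stays unrestricted because tunable.tun defines unlimitedRC; the comment above the alias list should record this so nobody later toggles unlimitedRC without expecting services to become confined. Suggested wording: `# init_t and initrc_t are real domains here; initrc_t is unrestricted through unlimitedRC in tunables/tunable.tun.` The removed `type mount_t, domain;` is presumably supplied by the strict mount.te from now on, which is why network_macros.te wraps its mount_t rule in ifdef(`mount.te'); confirm targeted actually compiles mount.te or the guard is what keeps the build working. The new `#type of rundir to communicate with dbus` comment should also note that it backs the distros.fc fallback used when dbusd.te is absent.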
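Review bot: This distro.tun hunk and the tunables/tunable.tun hunk that follows flip defaults for every build of this tree, not only the targeted one: distro_redhat, unlimitedRPM, unlimitedUtils, unlimitedRC, hide_broken_symptoms and user_canbe_sysadm all go from dnl to defined, and tunable.tun drops `user_can_mount` with no replacement. For the strict policy that means rc scripts, rpm, hotplug and insmod run unrestricted and user_r can reach sysadm_r out of the box, while the comments above each define still describe them as opt-ins. If these are the distribution's build defaults they belong in its build configuration rather than the shipped tunables; otherwise update each comment to say the option is on by default and record where user_can_mount went.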
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
--------------040305050003010804070006--
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.