* [Fwd: New policy patch]
@ 2005-01-12 18:46 Daniel J Walsh
From: Daniel J Walsh @ 2005-01-12 18:46 UTC (permalink / raw)
To: SE Linux
Add customizable types.
Add samba_home_dir support.
Fix postgresql to run on ypbind platform
Begin adding support for NFSV4 with Kerberos keys
Add execmod to users for ld_so_t
Add execmem for mozilla.
Add unrestricted attribute to indicate domains using unconfined_t.
Also began using typeattribute.
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.21.1/attrib.te
--- nsapolicy/attrib.te 2004-12-21 10:59:56.000000000 -0500
+++ policy-1.21.1/attrib.te 2005-01-12 09:19:59.141059592 -0500
@@ -393,3 +393,8 @@
# For labeling of domains whos transition can be disabled
attribute transitionbool;
+# For labeling of file_context domains which users can change files to rather
+# then the default file context. These file_context can survive a relabeling
+# of the file system.
+attribute customizable;
+
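Review bot: The new comment above `attribute customizable;` at lines 27-29 has a typo ("rather then" should be "rather than") and a sentence that does not parse ("These file_context can survive a relabeling"). Suggested wording: `# For labeling file types that users may assign to files in place of the default file context; files carrying these types are preserved across a relabeling of the file system.` Nothing in this patch references `customizable` beyond adding it to type declarations, so naming the tool that honours the attribute in the comment would help the next reader, if that is known.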
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.21.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-01-12 08:14:47.039693689 -0500
+++ policy-1.21.1/domains/program/initrc.te 2005-01-12 09:18:27.139390056 -0500
@@ -12,7 +12,7 @@
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
role system_r types initrc_t;
uses_shlib(initrc_t);
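Review bot: Dropping `unrestricted` from the `unlimitedRC` attribute list at line 40 is only equivalent to the old policy if initrc_t reaches `unconfined_domain()` under the same ifdef, since that macro is where the attribute is now assigned (global_macros.te hunk); that call is not visible in this hunk. The same applies to ldconfig_t under targeted_policy, insmod_t under unlimitedUtils, unconfined_t in unconfined.te, firstboot and hotplug, and inetd under unlimitedInetd, whose hunks remove the attribute with no visible replacement, whereas init.te, anaconda.te and rpm.te do show one. If any of those domains does not call `unconfined_domain()` on the same path it silently loses `unrestricted`, so a one-line comment at each removal such as `# unrestricted is now assigned by unconfined_domain()` would make the dependency explicit.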
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.21.1/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-01-12 08:14:47.017696186 -0500
+++ policy-1.21.1/domains/program/init.te 2005-01-12 09:18:27.140389944 -0500
@@ -14,7 +14,7 @@
# by init during initialization. This pipe is used
# to communicate with init.
#
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted');
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
@@ -141,3 +141,7 @@
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
+ifdef(`targeted_policy', `
+typeattribute init_t unrestricted;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-01-12 08:14:47.055691874 -0500
+++ policy-1.21.1/domains/program/ldconfig.te 2005-01-12 09:18:27.140389944 -0500
@@ -8,7 +8,7 @@
#
# Rules for the ldconfig_t domain.
#
-type ldconfig_t, domain, privlog, etc_writer ifdef(`targeted_policy', `, unrestricted' );
+type ldconfig_t, domain, privlog, etc_writer;
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types ldconfig_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.1/domains/program/login.te
--- nsapolicy/domains/program/login.te 2004-12-11 06:31:18.000000000 -0500
+++ policy-1.21.1/domains/program/login.te 2005-01-12 09:18:27.141389832 -0500
@@ -84,6 +84,10 @@
r_dir_file($1_login_t, nfs_t)
}
+if (use_samba_home_dirs) {
+r_dir_file($1_login_t, cifs_t)
+}
+
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t $1_login_t:process signull;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.21.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-01-12 08:14:47.086688356 -0500
+++ policy-1.21.1/domains/program/modutil.te 2005-01-12 09:18:27.142389719 -0500
@@ -69,7 +69,7 @@
# Rules for the insmod_t domain.
#
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.21.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-01-12 08:14:47.150681092 -0500
+++ policy-1.21.1/domains/program/ssh.te 2005-01-12 09:18:27.143389607 -0500
@@ -80,6 +80,11 @@
allow $1_t nfs_t:file { getattr read };
}
+if (use_samba_home_dirs) {
+allow $1_t cifs_t:dir { search getattr };
+allow $1_t cifs_t:file { getattr read };
+}
+
# Set exec context.
can_setexec($1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unconfined.te policy-1.21.1/domains/program/unconfined.te
--- nsapolicy/domains/program/unconfined.te 2004-08-24 15:35:26.000000000 -0400
+++ policy-1.21.1/domains/program/unconfined.te 2005-01-12 09:18:27.144389495 -0500
@@ -6,7 +6,7 @@
# chcon -t unconfined_exec_t /usr/local/bin/appsrv
# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write, unrestricted;
+type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
type unconfined_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types unconfined_t;
domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.21.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te 2004-12-09 10:26:08.000000000 -0500
+++ policy-1.21.1/domains/program/unused/anaconda.te 2005-01-12 09:18:27.144389495 -0500
@@ -10,7 +10,7 @@
#
# anaconda_t is the domain of the installation program
#
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted;
+type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
role system_r types anaconda_t;
unconfined_domain(anaconda_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-01-12 08:14:47.372655899 -0500
+++ policy-1.21.1/domains/program/unused/apache.te 2005-01-12 09:18:27.145389382 -0500
@@ -19,6 +19,13 @@
# the user CGI scripts, then relabel rule for user_r should be removed.
#
###############################################################################
+
+define(`httpd_home_dirs', `
+r_dir_file(httpd_t, $1)
+r_dir_file(httpd_suexec_t, $1)
+can_exec(httpd_suexec_t, $1)
+')
+
type http_port_t, port_type, reserved_port_type;
bool httpd_unified false;
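Review bot: The new `httpd_home_dirs` macro at lines 140-144 has no header comment, unlike the other macros in this policy. Suggest adding above it: `# httpd_home_dirs(fs_type): read access for httpd_t and httpd_suexec_t, plus execute for suexec, on home directories held on the given filesystem type (nfs_t, cifs_t)`. It is worth stating in that comment that the rules apply to the whole filesystem type rather than only to home directories; this matches the inline nfs_t rules it replaces in the second hunk but is broader than the macro name suggests.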
@@ -262,9 +269,10 @@
allow httpd_suexec_t autofs_t:dir { search getattr };
')
if (use_nfs_home_dirs && httpd_enable_homedirs) {
-r_dir_file(httpd_t, nfs_t)
-r_dir_file(httpd_suexec_t, nfs_t)
-can_exec(httpd_suexec_t, nfs_t)
+httpd_home_dirs(nfs_t)
+}
+if (use_samba_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(cifs_t)
}
r_dir_file(httpd_t, fonts_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-01-12 08:14:47.490642507 -0500
+++ policy-1.21.1/domains/program/unused/cups.te 2005-01-12 09:18:27.146389270 -0500
@@ -248,3 +248,6 @@
allow cupsd_t initrc_t:dbus send_msg;
')
+ifdef(`targeted_policy', `
+allow cupsd_t unconfined_t:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.21.1/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te 2004-12-02 14:11:41.000000000 -0500
+++ policy-1.21.1/domains/program/unused/firstboot.te 2005-01-12 09:18:27.147389158 -0500
@@ -10,7 +10,7 @@
#
# firstboot_exec_t is the type of the firstboot executable.
#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/ftpd.te 2005-01-12 09:18:27.148389046 -0500
@@ -100,14 +100,15 @@
# allow access to /home
allow ftpd_t home_root_t:dir { getattr search };
}
-
-if (ftp_home_dir && use_nfs_home_dirs) {
-allow ftpd_t nfs_t:dir r_dir_perms;
-allow ftpd_t nfs_t:file r_file_perms;
+if (use_nfs_home_dirs && ftp_home_dir) {
+ r_dir_file(ftpd_t, nfs_t)
+}
+if (use_samba_home_dirs && ftp_home_dir) {
+ r_dir_file(ftpd_t, cifs_t)
}
dontaudit ftpd_t selinux_config_t:dir search;
#
# Type for access to anon ftp
#
-type ftpd_anon_t, file_type, sysadmfile;
+type ftpd_anon_t, file_type, sysadmfile, customizable;
r_dir_file(ftpd_t,ftpd_anon_t)
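Review bot: The two `r_dir_file` calls at lines 193 and 196 are indented with a single leading space while every other rule in this file, and every other `use_samba_home_dirs` block in the patch, is flush left; drop the space for consistency. `r_dir_file(ftpd_t, nfs_t)` also replaces the explicit `r_dir_perms`/`r_file_perms` rules on nfs_t; that is presumably equivalent, but if the macro grants anything beyond those two permission sets (lnk_file access, for instance) it is a small widening worth confirming.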
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.21.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/hotplug.te 2005-01-12 09:18:27.149388933 -0500
@@ -11,7 +11,7 @@
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
', `
daemon_domain(hotplug, `, privmodule')
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.21.1/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te 2005-01-12 08:14:47.700618675 -0500
+++ policy-1.21.1/domains/program/unused/inetd.te 2005-01-12 09:18:27.150388821 -0500
@@ -18,7 +18,7 @@
# Rules for the inetd_t domain.
#
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
can_network(inetd_t)
allow inetd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.21.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2004-11-09 13:35:12.000000000 -0500
+++ policy-1.21.1/domains/program/unused/pamconsole.te 2005-01-12 09:18:27.150388821 -0500
@@ -41,3 +41,4 @@
allow pam_console_t xdm_var_run_t:file { getattr read };
')
allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow pam_console_t file_context_t:file { getattr read };
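Review bot: The new rule at line 234 lets pam_console_t read file_context_t files, but reaching them normally also requires search on the enclosing selinux_config_t and file_context_t directories; if those are not already granted to pam_console_t elsewhere in pamconsole.te, the read will still be denied. The rule also has no comment; suggest `# pam_console reads the file_contexts database — presumably to restore console device labels; confirm against the pam_console source`.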
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.21.1/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-01-12 08:14:47.980586899 -0500
+++ policy-1.21.1/domains/program/unused/postgresql.te 2005-01-12 09:18:27.151388709 -0500
@@ -53,6 +53,7 @@
# Use the network.
can_network_server(postgresql_t)
+can_ypbind(postgresql_t)
allow postgresql_t self:fifo_file { getattr read write ioctl };
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(postgresql_t, self)
@@ -84,6 +85,7 @@
# Allow access to the postgresql databases
create_dir_file(postgresql_t, postgresql_db_t)
+file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
allow postgresql_t var_lib_t:dir { getattr search };
# because postgresql start scripts are broken and put the pid file in the DB
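Review bot: `file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)` at line 248 labels anything postgresql_t creates directly in any var_lib_t directory as postgresql_db_t, which is broader than the data directory, and it is coupled to the postgresql.fc hunk that narrows the file context to `/var/lib/pgsql/data(/.*)?`. As a result files postgresql creates under /var/lib/pgsql outside data/ carry postgresql_db_t until the next relabel, when they revert to var_lib_t. A comment stating the intent, e.g. `# /var/lib/pgsql itself stays var_lib_t; only data/ is labeled postgresql_db_t, so files created beside it transition`, would make the coupling between the two hunks visible.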
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.21.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/rpcd.te 2005-01-12 09:18:27.152388597 -0500
@@ -126,3 +126,15 @@
allow rpcd_t rpc_pipefs_t:sock_file { read write };
dontaudit rpcd_t selinux_config_t:dir { search };
allow rpcd_t proc_net_t:dir search;
+
+
+rpc_domain(gssd)
+can_kerberos(gssd_t)
+allow gssd_t krb5_keytab_t:file r_file_perms;
+allow gssd_t urandom_device_t:chr_file { getattr read };
+r_dir_file(gssd_t, tmp_t)
+tmp_domain(gssd)
+allow gssd_t self:fifo_file { read write };
+r_dir_file(gssd_t, proc_net_t)
+allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+allow gssd_t rpc_pipefs_t:sock_file { read write };
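Review bot: The new gssd_t rules at lines 260-269 carry no comment; `r_dir_file(gssd_t, tmp_t)` in particular grants read on every tmp_t file, presumably for the Kerberos credential caches rpc.gssd reads from /tmp, and is broad enough to deserve a why-comment such as `# rpc.gssd reads user Kerberos credential caches in /tmp — TODO narrow once a dedicated type exists`. A short header above `rpc_domain(gssd)` along the lines of `# gssd_t: rpc.gssd / rpc.svcgssd, RPCSEC_GSS for NFSv4 with Kerberos` would also tie these rules to the rpcd.fc entries. Note that rpcd.fc maps both rpc.gssd and rpc.svcgssd to the same gssd_exec_t, so the server-side daemon receives the same keytab and tmp_t read access; that may be intended, but stating it would help.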
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.21.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2005-01-12 08:14:48.024581906 -0500
+++ policy-1.21.1/domains/program/unused/rpm.te 2005-01-12 09:18:27.153388484 -0500
@@ -10,7 +10,7 @@
# var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
# var_lib_rpm_t is the type for rpm files in /var/lib
#
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
role system_r types rpm_t;
uses_shlib(rpm_t)
type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -115,7 +115,7 @@
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
# policy for rpm scriptlet
role system_r types rpm_script_t;
uses_shlib(rpm_script_t)
@@ -249,7 +249,9 @@
allow initrc_t rpm_var_lib_t:file create_file_perms;
ifdef(`unlimitedRPM', `
+typeattribute rpm_t auth_write;
unconfined_domain(rpm_t)
+typeattribute rpm_script_t auth_write;
unconfined_domain(rpm_script_t)
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2004-12-11 06:31:19.000000000 -0500
+++ policy-1.21.1/domains/program/unused/samba.te 2005-01-12 09:18:27.154388372 -0500
@@ -7,14 +7,14 @@
#################################
#
# Declarations for Samba
-#
+#n
daemon_domain(smbd, `, privhome, auth_chkpwd')
daemon_domain(nmbd)
type samba_etc_t, file_type, sysadmfile, usercanread;
type samba_log_t, file_type, sysadmfile, logfile;
type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile;
+type samba_share_t, file_type, sysadmfile, customizable;
type samba_secrets_t, file_type, sysadmfile;
typealias samba_var_t alias samba_spool_t;
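Review bot: Line 305 changes the comment terminator `#` to `#n`, which looks like a stray keystroke rather than an intended edit; restore it to `#`. The other change in this hunk, samba_share_t gaining `customizable`, is consistent with the ftpd_anon_t and httpd content types elsewhere in the patch.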
@@ -73,8 +73,7 @@
allow smbd_t usr_t:file { getattr read };
# Access Samba shares.
-allow smbd_t samba_share_t:dir create_dir_perms;
-allow smbd_t samba_share_t:file create_file_perms;
+create_dir_file(smbd_t, samba_share_t)
ifdef(`logrotate.te', `
# the application should be changed
@@ -117,3 +116,14 @@
')
# Needed for winbindd
allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
+
+# Support Samba sharing of home directories
+bool samba_enable_home_dirs false;
+
+if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir { getattr search };
+allow smbd_t home_dir_type:dir { getattr search };
+allow smbd_t home_type:dir create_dir_perms;
+dontaudit smbd_t home_type:{ sock_file fifo_file chr_file blk_file } r_file_perms;
+}
+
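Review bot: The `samba_enable_home_dirs` block at lines 331-336 only gives smbd_t directory access on home_type; file access inside each user's home comes from the per-user `samba_domain()` macro added in samba_macros.te, which is not apparent from this hunk. A comment such as `# file access in user homes is granted per user domain by samba_domain() in macros/program/samba_macros.te` would document the split. `create_dir_perms` on every `home_type` directory also lets a Samba client rename and remove directories anywhere in the home tree, which is presumably intended for home shares but is worth stating in the comment.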
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.21.1/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/domains/program/unused/spamd.te 2005-01-12 09:18:27.155388260 -0500
@@ -64,5 +64,10 @@
allow spamd_t nfs_t:file create_file_perms;
}
+if (use_samba_home_dirs) {
+allow spamd_t cifs_t:dir rw_dir_perms;
+allow spamd_t cifs_t:file create_file_perms;
+}
+
allow spamd_t home_root_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.21.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/xdm.te 2005-01-12 09:18:27.156388147 -0500
@@ -290,6 +290,12 @@
can_exec(xdm_t, nfs_t)
}
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
# for .dmrc
allow xdm_t user_home_dir_type:dir { getattr search };
allow xdm_t user_home_type:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.21.1/domains/user.te
--- nsapolicy/domains/user.te 2004-12-21 10:59:57.000000000 -0500
+++ policy-1.21.1/domains/user.te 2005-01-12 09:18:27.156388147 -0500
@@ -10,6 +10,9 @@
# Support NFS home directories
bool use_nfs_home_dirs false;
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.21.1/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc 2004-11-19 11:20:43.000000000 -0500
+++ policy-1.21.1/file_contexts/program/innd.fc 2005-01-12 09:18:27.157388035 -0500
@@ -1,5 +1,7 @@
# innd
/usr/sbin/innd.* -- system_u:object_r:innd_exec_t
+/usr/bin/rpost -- system_u:object_r:innd_exec_t
+/usr/bin/suck -- system_u:object_r:innd_exec_t
/var/run/innd(/.*)? system_u:object_r:innd_var_run_t
/etc/news(/.*)? system_u:object_r:innd_etc_t
/etc/news/boot -- system_u:object_r:innd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mysqld.fc policy-1.21.1/file_contexts/program/mysqld.fc
--- nsapolicy/file_contexts/program/mysqld.fc 2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/mysqld.fc 2005-01-12 09:18:27.158387923 -0500
@@ -1,5 +1,5 @@
# mysql database server
-/usr/sbin/mysqld -- system_u:object_r:mysqld_exec_t
+/usr/sbin/mysqld(-max)? -- system_u:object_r:mysqld_exec_t
/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t
/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
/var/log/mysql.* -- system_u:object_r:mysqld_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.21.1/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc 2005-01-12 08:14:48.738500877 -0500
+++ policy-1.21.1/file_contexts/program/postgresql.fc 2005-01-12 09:18:27.159387811 -0500
@@ -13,8 +13,8 @@
/usr/bin/pg_id -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_restore -- system_u:object_r:postgresql_exec_t
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t
-/var/lib/pgsql(/.*)? system_u:object_r:postgresql_db_t
+/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t
+/var/lib/pgsql/data(/.*)? system_u:object_r:postgresql_db_t
/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t
/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t
/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.21.1/file_contexts/program/rpcd.fc
--- nsapolicy/file_contexts/program/rpcd.fc 2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/rpcd.fc 2005-01-12 09:18:27.159387811 -0500
@@ -3,6 +3,8 @@
/usr/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t
/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t
/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t
+/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t
+/usr/sbin/rpc\.svcgssd -- system_u:object_r:gssd_exec_t
/usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t
/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t
/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.1/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc 2005-01-12 08:14:48.813492366 -0500
+++ policy-1.21.1/file_contexts/program/udev.fc 2005-01-12 09:18:27.204382758 -0500
@@ -8,5 +8,5 @@
/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
/dev/udev\.tbl -- system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb -- system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb/.* -- system_u:object_r:udev_tdb_t
/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
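Review bot: The new pattern `/dev/\.udev\.tdb/.*` at line 431 no longer matches `/dev/.udev.tdb` itself, so on a relabel the directory falls back to whatever generic /dev rule applies; the usual form for a directory and its contents is `/dev/\.udev\.tdb(/.*)?`. If the intent really is that only the contents should be udev_tdb_t, a comment saying so would stop this from being "fixed" later.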
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2004-12-09 10:26:10.000000000 -0500
+++ policy-1.21.1/macros/base_user_macros.te 2005-01-12 09:18:27.205382646 -0500
@@ -2,6 +2,12 @@
# Macros for all user login domains.
#
+define(`network_home_dir', `
+create_dir_file($1, $2)
+can_exec($1, $2)
+allow $1 $2:{ sock_file fifo_file } create_file_perms;
+')
+
#
# base_user_domain(domain_prefix)
#
@@ -38,6 +44,7 @@
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t shlib_t:file execmod;
+allow $1_t ld_so_t:file execmod;
#
# kdeinit wants this access
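Review bot: `allow $1_t ld_so_t:file execmod;` at line 451 lets every user domain make the dynamic linker's mapped text writable-then-executable, extending the relaxation the shlib_t rule above already makes for libraries; the existing line has a why-comment and this one should too. The patch description only says "Add execmod to users for ld_so_t", so the reason is not visible here; suggest `# Allow text relocations on the dynamic linker itself (ld_so_t) — needed where ld.so is built with text relocations; confirm which platforms` until the motivating case is recorded.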
@@ -70,11 +77,15 @@
ifdef(`automount.te', `
allow $1_t autofs_t:dir { search getattr };
')dnl end if automount.te
+
if (use_nfs_home_dirs) {
-create_dir_file($1_t, nfs_t)
-can_exec($1_t, nfs_t)
-allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
+network_home_dir($1_t, nfs_t)
}
+
+if (use_samba_home_dirs) {
+network_home_dir($1_t, cifs_t)
+}
+
if (user_rw_noexattrfile) {
create_dir_file($1_t, noexattrfile)
create_dir_file($1_t, removable_t)
@@ -167,6 +178,7 @@
ifdef(`screen.te', `screen_domain($1)')
ifdef(`tvtime.te', `tvtime_domain($1)')
ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`samba.te', `samba_domain($1)')
ifdef(`games.te', `games_domain($1)')
ifdef(`gpg.te', `gpg_domain($1)')
ifdef(`xauth.te', `xauth_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-01-12 08:14:48.985472846 -0500
+++ policy-1.21.1/macros/global_macros.te 2005-01-12 09:18:27.206382534 -0500
@@ -504,6 +504,8 @@
#
define(`unconfined_domain', `
+typeattribute $1 unrestricted;
+
# Mount/unmount any filesystem.
allow $1 fs_type:filesystem *;
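Review bot: The `typeattribute $1 unrestricted;` added at line 487 makes `unrestricted` a side effect of `unconfined_domain()`, which is the reason the attribute is removed from many type declarations elsewhere in the patch, but nothing at the macro says so. Suggest a comment above it: `# Every unconfined domain is unrestricted; do not add the attribute to type declarations separately.` The macro body continues past the end of this hunk.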
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-01-12 08:14:49.097460136 -0500
+++ policy-1.21.1/macros/program/apache_macros.te 2005-01-12 09:18:27.207382421 -0500
@@ -3,7 +3,7 @@
#This type is for webpages
#
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile;
+type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
ifelse($1, sys, `
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
')
@@ -14,7 +14,7 @@
# This type is used for executable scripts files
#
-type httpd_$1_script_exec_t, file_type, sysadmfile;
+type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
# Type that CGI scripts run as
type httpd_$1_script_t, domain, privmail, nscd_client_domain;
@@ -41,6 +41,7 @@
read_locale(httpd_$1_script_t)
allow httpd_$1_script_t fs_t:filesystem getattr;
allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
+allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
allow httpd_$1_script_t { self proc_t }:file { getattr read };
allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
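Review bot: `allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };` at line 513 has no comment, and it is the only rule here that lets a CGI script domain touch a socket owned by httpd_t. Presumably it covers the socket pair httpd hands its CGI children as stdin/stdout; suggest `# CGI scripts inherit httpd's socketpair as stdin/stdout — confirm` so the scope is clear to the next reader.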
@@ -57,9 +58,9 @@
# The following are the only areas that
# scripts can read, read/write, or append to
#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
ifdef(`slocate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.21.1/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te 2004-12-21 10:59:58.000000000 -0500
+++ policy-1.21.1/macros/program/cdrecord_macros.te 2005-01-12 09:18:27.208382309 -0500
@@ -35,6 +35,9 @@
if (use_nfs_home_dirs) {
r_dir_file($1_cdrecord_t, nfs_t)
}
+if (use_samba_home_dirs) {
+r_dir_file($1_cdrecord_t, cifs_t)
+}
allow $1_cdrecord_t etc_t:file { getattr read };
# allow searching for cdrom-drive
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.21.1/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_agent_macros.te 2005-01-12 09:18:27.209382197 -0500
@@ -51,6 +51,9 @@
if (use_nfs_home_dirs) {
create_dir_file($1_gpg_agent_t, nfs_t)
}
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_agent_t, cifs_t)
+}
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -111,6 +114,12 @@
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:file write;
}
+if (use_samba_home_dirs) {
+allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t cifs_t:file write;
+}
# read /etc/X11/qtrc
allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.1/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te 2004-12-16 11:38:03.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_macros.te 2005-01-12 09:18:27.210382085 -0500
@@ -79,6 +79,9 @@
if (use_nfs_home_dirs) {
create_dir_file($1_gpg_t, nfs_t)
}
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_t, cifs_t)
+}
allow $1_gpg_t self:capability { ipc_lock setuid };
allow $1_gpg_t devtty_t:chr_file rw_file_perms;
@@ -111,6 +114,9 @@
if (use_nfs_home_dirs) {
dontaudit $1_gpg_helper_t nfs_t:file { read write };
}
+if (use_samba_home_dirs) {
+dontaudit $1_gpg_helper_t cifs_t:file { read write };
+}
# communicate with the user
allow $1_gpg_helper_t $1_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.21.1/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/lpr_macros.te 2005-01-12 09:18:27.210382085 -0500
@@ -81,6 +81,10 @@
r_dir_file($1_lpr_t, nfs_t)
}
+if (use_samba_home_dirs) {
+r_dir_file($1_lpr_t, cifs_t)
+}
+
# Read and write shared files in the spool directory.
allow $1_lpr_t print_spool_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2004-12-21 10:59:59.000000000 -0500
+++ policy-1.21.1/macros/program/mozilla_macros.te 2005-01-12 09:18:27.211381972 -0500
@@ -25,7 +25,7 @@
allow $1_mozilla_t $1_t:process signull;
# Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
allow $1_mozilla_t var_lib_t:file { getattr read };
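Review bot: The comment "Set resource limits and scheduling info." above line 604 no longer describes the rule now that `execmem` has been folded into it; execmem (anonymous writable-and-executable memory) is a distinct, security-relevant permission and deserves its own line and comment. Suggest keeping `allow $1_mozilla_t self:process { setrlimit setsched };` under the existing comment and adding `# mozilla needs writable+executable anonymous memory (plugins/JIT) — confirm which component` followed by `allow $1_mozilla_t self:process execmem;`.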
@@ -40,6 +40,9 @@
if (use_nfs_home_dirs) {
create_dir_file($1_mozilla_t, nfs_t)
}
+if (use_samba_home_dirs) {
+create_dir_file($1_mozilla_t, cifs_t)
+}
ifdef(`automount.te', `
allow $1_mozilla_t autofs_t:dir { search getattr };
')dnl end if automount
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.21.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/mta_macros.te 2005-01-12 09:18:27.212381860 -0500
@@ -99,8 +99,8 @@
# Create dead.letter in user home directories.
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-if (use_nfs_home_dirs) {
-rw_dir_create_file($1_mail_t, nfs_t)
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
}
# if you do not want to allow dead.letter then use the following instead
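Review bot: This hunk replaces the `use_nfs_home_dirs` block with the `use_samba_home_dirs` block instead of adding the latter beside it, so $1_mail_t loses the ability to create dead.letter in NFS home directories; every other file in the patch keeps its nfs_t block and adds a cifs_t one. Restore `if (use_nfs_home_dirs) {` / `rw_dir_create_file($1_mail_t, nfs_t)` / `}` above the new cifs_t block. If the removal is deliberate it should be called out in the patch description.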
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.1/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.1/macros/program/samba_macros.te 2005-01-12 09:18:27.213381748 -0500
@@ -0,0 +1,28 @@
+#
+# Macros for samba domains.
+#
+
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+
+#
+# samba_domain(domain_prefix)
+#
+# Define a derived domain for the samba program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/samba.te.
+#
+undefine(`samba_domain')
+ifdef(`samba.te', `
+define(`samba_domain',`
+if ( samba_enable_home_dirs ) {
+file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+}
+')
+', `
+define(`samba_domain',`')
+
+')dnl end if samba.te
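Review bot: The header comment at lines 644-648 says `samba_domain` defines a derived domain for samba when executed by a user domain and that the executable type is declared in samba.te, but the macro body at lines 652-656 defines no domain at all: it only adds a `file_type_auto_trans` so that smbd_t creates files in `$1_home_dir_t` as `$1_home_t` when `samba_enable_home_dirs` is on. Suggest replacing the description with `# samba_domain(domain_prefix): when samba_enable_home_dirs is on, let smbd_t create files in $1's home directory labeled $1_home_t; no derived domain is created.` It would also help to note that the bool is declared in samba.te, which is why the `ifdef(`samba.te', ...)` guard is needed for the reference to resolve.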
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.21.1/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te 2005-01-05 14:37:27.000000000 -0500
+++ policy-1.21.1/macros/program/screen_macros.te 2005-01-12 09:18:27.214381636 -0500
@@ -43,6 +43,9 @@
if (use_nfs_home_dirs) {
domain_auto_trans($1_screen_t, nfs_t, $1_t)
}
+if (use_samba_home_dirs) {
+domain_auto_trans($1_screen_t, cifs_t, $1_t)
+}
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
@@ -53,6 +56,9 @@
if (use_nfs_home_dirs) {
r_dir_file($1_screen_t, nfs_t)
}
+if (use_samba_home_dirs) {
+r_dir_file($1_screen_t, cifs_t)
+}
allow $1_screen_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.1/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te 2004-11-09 13:35:13.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_agent_macros.te 2005-01-12 09:18:27.215381523 -0500
@@ -43,6 +43,9 @@
')
rw_dir_create_file($1_ssh_agent_t, nfs_t)
}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_ssh_agent_t, cifs_t)
+}
uses_shlib($1_ssh_agent_t)
read_locale($1_ssh_agent_t)
@@ -73,6 +76,9 @@
if (use_nfs_home_dirs) {
domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
}
+if (use_samba_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
+}
allow $1_ssh_agent_t bin_t:dir search;
# allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.1/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te 2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_macros.te 2005-01-12 09:18:27.216381411 -0500
@@ -30,6 +30,9 @@
if (use_nfs_home_dirs) {
create_dir_file($1_ssh_t, nfs_t)
}
+if (use_samba_home_dirs) {
+create_dir_file($1_ssh_t, cifs_t)
+}
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.21.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te 2004-11-18 08:13:59.000000000 -0500
+++ policy-1.21.1/macros/program/su_macros.te 2005-01-12 09:18:27.216381411 -0500
@@ -139,6 +139,9 @@
if (use_nfs_home_dirs) {
allow $1_su_t nfs_t:dir search;
}
+if (use_samba_home_dirs) {
+allow $1_su_t cifs_t:dir search;
+}
# Modify .Xauthority file (via xauth program).
ifdef(`xauth.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.21.1/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te 2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/xauth_macros.te 2005-01-12 09:18:27.217381299 -0500
@@ -86,6 +86,12 @@
')
rw_dir_create_file($1_xauth_t, nfs_t)
}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
')dnl end xauth_domain macro
', `
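Review bot: The block `if (use_samba_home_dirs) { rw_dir_create_file($1_xauth_t, cifs_t) }` appears twice in this hunk, the second copy being an exact duplicate of the first, so every expansion of the macro emits the same rules twice; the second copy should be deleted. The xauth_domain macro this sits in starts outside the hunk.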
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.1/Makefile
--- nsapolicy/Makefile 2005-01-12 08:14:46.613742034 -0500
+++ policy-1.21.1/Makefile 2005-01-12 09:18:27.218381186 -0500
@@ -53,7 +53,7 @@
FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@@ -75,6 +75,7 @@
tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+ @touch tmp/valid_fc
install: tmp/valid_fc
@@ -90,6 +91,11 @@
mkdir -p $(APPDIR)
install -m 644 $< $@
+$(APPDIR)/customizable_types: policy.conf
+ mkdir -p $(APPDIR)
+ @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+ install -m 644 tmp/customizable_types $@
+
$(APPDIR)/default_type: appconfig/default_type
mkdir -p $(APPDIR)
install -m 644 $< $@
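Review bot: The new `customizable_types` rule derives the list with `grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2`, which only inspects `type` declarations; a type that is given the attribute through a `typeattribute` statement would be silently left out of the installed list. The pattern is also an unanchored substring match, so any attribute whose name merely contains `customizable` would be picked up too. Consider matching the attribute name as a whole word and recording the limitation next to the rule, e.g. `# customizable_types lists every type declared with the customizable attribute; typeattribute statements are not scanned`.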
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-01-12 08:14:49.606402372 -0500
+++ policy-1.21.1/targeted/domains/unconfined.te 2005-01-12 09:18:27.219381074 -0500
@@ -4,7 +4,7 @@
# is not explicitly confined. It has no restrictions.
# It needs to be carefully protected from the confined domains.
-type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem, unrestricted;
+type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
role system_r types unconfined_t;
role user_r types unconfined_t;
role sysadm_r types unconfined_t;
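Review bot: The `unrestricted` attribute is removed from the `type unconfined_t, …` declaration with nothing in the hunk explaining why the unconfined domain itself no longer carries an attribute whose name suggests it marks exactly such domains. If the attribute is now attached to unconfined_t elsewhere (through a macro, for instance), a one-line comment above the declaration naming that place would spare the next reader the search, e.g. `# unrestricted is applied to unconfined_t elsewhere; do not add it here`; if it is not, the removal looks accidental.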
@@ -20,8 +20,8 @@
type system_dbusd_var_run_t, file_type, sysadmfile;
# User home directory type.
-type user_home_t, file_type, sysadmfile;
-type user_home_dir_t, file_type, sysadmfile;
+type user_home_t, file_type, sysadmfile, home_type;
+type user_home_dir_t, file_type, sysadmfile, home_dir_type;
file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
@@ -43,6 +43,11 @@
# Support NFS home directories
bool use_nfs_home_dirs false;
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
+ifdef(`samba.te', `samba_domain(user)')
+
# Allow system to run with NIS
bool allow_ypbind false;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/types/apache.te policy-1.21.1/targeted/types/apache.te
--- nsapolicy/targeted/types/apache.te 2004-05-27 14:52:37.000000000 -0400
+++ policy-1.21.1/targeted/types/apache.te 1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-#
-# Rules required by apache for targeted policy
-#
-define(`admin_tty_type', `{ tty_device_t devpts_t }')
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.1/tunables/distro.tun 2005-01-12 09:18:27.220380962 -0500
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-12-11 06:31:22.000000000 -0500
+++ policy-1.21.1/tunables/tunable.tun 2005-01-12 09:18:27.221380850 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
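Review bot: This hunk switches `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm` from commented-out to defined, which by the file's own comments makes rpm, hotplug/insmod, rc scripts and every daemon they start run unconfined by default and lets user_r reach sysadm_r; these read as one distribution's local build settings rather than a change to the reference defaults, and the same flip recurs in the tunable.tun hunk of the 2005-02-17 patch further down the thread. The hunk also deletes the `# Allow users to execute the mount command` / `dnl define(`user_can_mount')` lines outright, while that later patch re-adds `user_can_mount` as defined, so the deletion here looks accidental. If the new defaults are intended, each deserves a comment stating that the confinement it disables is deliberately off; otherwise this file should be dropped from the patch.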
* Re: [Fwd: New policy patch]
2005-01-12 18:46 [Fwd: New policy patch] Daniel J Walsh
@ 2005-01-21 20:36 ` James Carter
2005-01-22 23:37 ` Russell Coker
From: James Carter @ 2005-01-21 20:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
Finally merged. Some comments below.
On Wed, 2005-01-12 at 10:44, Daniel J Walsh wrote:
>
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.1/file_contexts/program/udev.fc
> --- nsapolicy/file_contexts/program/udev.fc 2005-01-12 08:14:48.813492366 -0500
> +++ policy-1.21.1/file_contexts/program/udev.fc 2005-01-12 09:18:27.204382758 -0500
> @@ -8,5 +8,5 @@
> /etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
> /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
> /dev/udev\.tbl -- system_u:object_r:udev_tbl_t
> -/dev/\.udev\.tdb -- system_u:object_r:udev_tdb_t
> +/dev/\.udev\.tdb/.* -- system_u:object_r:udev_tdb_t
> /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
This is a directory on Rawhide but a file on FC3, so I would prefer to
keep it more general for now.
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.1/macros/base_user_macros.te
> --- nsapolicy/macros/base_user_macros.te 2004-12-09 10:26:10.000000000 -0500
> +++ policy-1.21.1/macros/base_user_macros.te 2005-01-12 09:18:27.205382646 -0500
> @@ -38,6 +44,7 @@
>
> # Allow text relocations on system shared libraries, e.g. libGL.
> allow $1_t shlib_t:file execmod;
> +allow $1_t ld_so_t:file execmod;
>
> #
> # kdeinit wants this access
We don't want to do this
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.1/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te 2004-12-21 10:59:59.000000000 -0500
> +++ policy-1.21.1/macros/program/mozilla_macros.te 2005-01-12 09:18:27.211381972 -0500
> @@ -25,7 +25,7 @@
> allow $1_mozilla_t $1_t:process signull;
>
> # Set resource limits and scheduling info.
> -allow $1_mozilla_t self:process { setrlimit setsched };
> +allow $1_mozilla_t self:process { execmem setrlimit setsched };
>
> allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
> allow $1_mozilla_t var_lib_t:file { getattr read };
We don't want to do this either.
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.1/macros/program/samba_macros.te
> --- nsapolicy/macros/program/samba_macros.te 1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.21.1/macros/program/samba_macros.te 2005-01-12 09:18:27.213381748 -0500
> @@ -0,0 +1,28 @@
> +#
> +# Macros for samba domains.
> +#
> +
> +#
> +# Authors: Dan Walsh <dwalsh@redhat.com>
> +#
> +
> +#
> +# samba_domain(domain_prefix)
> +#
> +# Define a derived domain for the samba program when executed
> +# by a user domain.
> +#
> +# The type declaration for the executable type for this program is
> +# provided separately in domains/program/samba.te.
> +#
> +undefine(`samba_domain')
> +ifdef(`samba.te', `
> +define(`samba_domain',`
> +if ( samba_enable_home_dirs ) {
> +file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
> +}
> +')
> +', `
> +define(`samba_domain',`')
> +
> +')dnl end if samba.te
The file_type_auto_trans rule conflicts with the following rule in the
user_domain macro in user_macros.te:
file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
There is a conflict because smbd_t has the privhome attribute.
For now I removed the privhome attribute from smbd_t. Does it really
need it? NFS doesn't have that attribute.
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Re: [Fwd: New policy patch]
2005-01-21 20:36 ` James Carter
@ 2005-01-22 23:37 ` Russell Coker
2005-02-17 23:09 ` Daniel J Walsh
From: Russell Coker @ 2005-01-22 23:37 UTC (permalink / raw)
To: jwcart2; +Cc: Daniel J Walsh, SE Linux
On Saturday 22 January 2005 07:36, James Carter <jwcart2@epoch.ncsc.mil>
> > +# samba_domain(domain_prefix)
> > +#
> > +# Define a derived domain for the samba program when executed
> > +# by a user domain.
> > +#
> > +# The type declaration for the executable type for this program is
> > +# provided separately in domains/program/samba.te.
> > +#
> > +undefine(`samba_domain')
> > +ifdef(`samba.te', `
> > +define(`samba_domain',`
> > +if ( samba_enable_home_dirs ) {
> > +file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
> > +}
> > +')
> > +', `
> > +define(`samba_domain',`')
> > +
> > +')dnl end if samba.te
>
> The file_type_auto_trans rule conflicts with the following rule in the
> user_domain macro in user_macros.te:
> file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
> There is a conflict because smbd_t has the privhome attribute.
> For now I removed the privhome attribute from smbd_t. Does it really
> need it? NFS doesn't have that attribute.
The privhome attribute just does the same thing as that file_type_auto_trans,
so either will do.
If we are going to support exporting home directories for read/write by NFS
then it will need privhome too.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: [Fwd: New policy patch]
2005-01-21 20:36 ` James Carter
2005-01-22 23:37 ` Russell Coker
@ 2005-02-17 23:09 ` Daniel J Walsh
2005-02-24 19:10 ` James Carter
2005-03-29 16:47 ` Policy Patch Daniel J Walsh
2005-04-04 18:50 ` New " Daniel J Walsh
From: Daniel J Walsh @ 2005-02-17 23:09 UTC (permalink / raw)
To: jwcart2; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 299 bytes --]
Ivan did a few more cleanups in x_client_macros and access_terminals.
Added a couple of ioctls back in.
Had to add back in a dontaudit for net_admin on cups.
Allow dovecot to search certs dir
Fixes to allow squirrelmail to spell check
Privoxy needs to run as a client as well as a server
[-- Attachment #2: policy-20050217.patch --]
[-- Type: text/plain, Size: 16319 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/ChangeLog policy-1.21.14/ChangeLog
--- nsapolicy/ChangeLog 2005-02-17 10:16:42.000000000 -0500
+++ policy-1.21.14/ChangeLog 2005-02-17 10:25:16.000000000 -0500
@@ -1,6 +1,6 @@
1.21 2005-02-07
* Added secure_file_type attribute from Dan Walsh
- * Added access_terminal() macro from Dan Walsh
+ * Added access_terminal() macro from Ivan Gyurdiev
* Updated capability access vector for audit capabilities.
* Added mlsconvert Makefile target to help generate MLS policies
(see selinux-doc/README.MLS for instructions).
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.14/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-02-10 14:48:38.000000000 -0500
+++ policy-1.21.14/domains/program/ldconfig.te 2005-02-17 10:24:21.000000000 -0500
@@ -38,14 +38,14 @@
dontaudit ldconfig_t httpd_modules_t:dir search;
')
-ifdef(`distro_suse', `
-# because of libraries in /var/lib/samba/bin
allow ldconfig_t { var_t var_lib_t }:dir search;
-')
-
allow ldconfig_t proc_t:file read;
ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-')
+');
')dnl end hide_broken_symptoms
+ifdef(`targeted_policy', `
+allow ldconfig_t lib_t:file r_file_perms;
+unconfined_domain(ldconfig_t)
+')
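Review bot: The line that closes the `ifdef(`unconfined.te', …)` block now reads `');` — the semicolon sits outside the m4 quotes, so a bare `;` is emitted into policy.conf whenever hide_broken_symptoms is defined; it should be `')` as before. The hunk also makes `allow ldconfig_t { var_t var_lib_t }:dir search;` unconditional but drops the `# because of libraries in /var/lib/samba/bin` comment that justified it, and the justification should survive the de-ifdef. Under targeted_policy the new `allow ldconfig_t lib_t:file r_file_perms;` is presumably redundant once `unconfined_domain(ldconfig_t)` on the next line takes effect, and running ldconfig unconfined there deserves a one-line comment saying why confinement is not kept.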
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.14/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-02-17 10:16:43.000000000 -0500
+++ policy-1.21.14/domains/program/unused/apache.te 2005-02-17 14:15:21.000000000 -0500
@@ -307,6 +307,7 @@
#
typealias httpd_log_t alias httpd_runtime_t;
allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
+dontaudit httpd_t httpd_runtime_t:file ioctl;
') dnl distro_redhat
#
# Customer reported the following
@@ -323,8 +324,9 @@
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
# File Type of squirrelmail attachments
type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow httpd_t var_spool_t:dir { getattr search };
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
ifdef(`mta.te', `
dontaudit system_mail_t httpd_log_t:file { append getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.14/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-02-17 10:16:43.000000000 -0500
+++ policy-1.21.14/domains/program/unused/cups.te 2005-02-17 10:24:21.000000000 -0500
@@ -77,6 +77,7 @@
# Use capabilities.
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+dontaudit cupsd_t self:capability net_admin;
allow cupsd_t self:process setsched;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.21.14/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te 2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/dovecot.te 2005-02-17 13:33:02.000000000 -0500
@@ -26,6 +26,7 @@
allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t cert_t:dir search;
allow dovecot_t dovecot_cert_t:file { getattr read };
allow dovecot_t { self proc_t }:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.21.14/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.14/domains/program/unused/nscd.te 2005-02-17 10:24:21.000000000 -0500
@@ -72,4 +72,4 @@
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.21.14/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/ping.te 2005-02-17 10:24:21.000000000 -0500
@@ -11,7 +11,7 @@
# ping_t is the domain for the ping program.
# ping_exec_t is the type of the corresponding program.
#
-type ping_t, domain, privlog;
+type ping_t, domain, privlog, nscd_client_domain;
role sysadm_r types ping_t;
role system_r types ping_t;
in_user_role(ping_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.21.14/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te 2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/privoxy.te 2005-02-17 10:24:21.000000000 -0500
@@ -16,7 +16,7 @@
allow privoxy_t self:capability net_bind_service;
# Use the network.
-can_network_server(privoxy_t)
+can_network(privoxy_t)
allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
allow privoxy_t etc_t:file { getattr read };
allow privoxy_t self:capability { setgid setuid };
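Review bot: `can_network(privoxy_t)` replaces `can_network_server(privoxy_t)`, so privoxy_t may now initiate outbound connections to any port as well as accept them, and the hunk's only explanation is in the cover letter. A comment above the call stating that privoxy forwards requests to upstream web servers would record why the widening is needed, and where name_connect checks are in use (as the squid and httpd hunks later in this thread do) the outbound side can be narrowed to the ports privoxy actually proxies to.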
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.14/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-02-17 10:16:44.000000000 -0500
+++ policy-1.21.14/domains/program/unused/samba.te 2005-02-17 10:24:21.000000000 -0500
@@ -176,12 +176,7 @@
# Terminal
read_locale(smbmount_t)
-allow smbmount_t devtty_t:chr_file rw_file_perms;
-allow smbmount_t devpts_t:dir r_dir_perms;
-allow smbmount_t devpts_t:chr_file rw_file_perms;
-allow smbmount_t sysadm_tty_device_t:chr_file rw_file_perms;
-allow smbmount_t sysadm_devpts_t:chr_file rw_file_perms;
-#FIXME: what about user_tty_device_t, user_devpts_t?
+access_terminal(smbmount_t, sysadm)
allow smbmount_t userdomain:fd use;
allow smbmount_t local_login_t:fd use;
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.21.14/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te 2005-02-10 14:48:42.000000000 -0500
+++ policy-1.21.14/macros/program/games_domain.te 2005-02-17 10:24:21.000000000 -0500
@@ -30,7 +30,6 @@
allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
allow $1_games_t xdm_var_lib_t:file { getattr read };
-allow $1_games_t xdm_t:fifo_file rw_file_perms;
')dnl end if xdm.te
can_unix_connect($1_t, $1_games_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.14/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te 2005-02-17 10:16:46.000000000 -0500
+++ policy-1.21.14/macros/program/gpg_macros.te 2005-02-17 10:24:21.000000000 -0500
@@ -44,6 +44,7 @@
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
access_terminal($1_gpg_t, $1)
+allow $1_gpg_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
# Inherit and use descriptors
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.14/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-02-17 10:16:46.000000000 -0500
+++ policy-1.21.14/macros/program/mozilla_macros.te 2005-02-17 10:24:21.000000000 -0500
@@ -123,12 +123,6 @@
allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
')dnl end if mplayer.te
-ifdef(`xdm.te', `
-allow $1_mozilla_t xdm_t:fifo_file { write read };
-allow $1_mozilla_t xdm_tmp_t:dir search;
-allow $1_mozilla_t xdm_tmp_t:file { getattr read };
-allow $1_mozilla_t xdm_tmp_t:sock_file write;
-')dnl end if xdm.te
if (allow_execmem) {
allow $1_mozilla_t self:process { execmem };
}
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.21.14/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te 2005-02-14 14:49:20.000000000 -0500
+++ policy-1.21.14/macros/program/mplayer_macros.te 2005-02-17 10:24:21.000000000 -0500
@@ -45,6 +45,7 @@
uses_shlib($1_$2_t)
read_locale($1_$2_t)
access_terminal($1_$2_t, $1)
+allow $1_$2_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
# Required for win32 binary loader
allow $1_$2_t zero_device_t:chr_file { read write execute };
@@ -79,11 +80,6 @@
# Mplayer common stuff
mplayer_common($1, mplayer)
-# Additional rules for search /tmp/.X11-unix
-ifdef(`xdm.te', `
-allow $1_mplayer_t xdm_tmp_t:dir search;
-')dnl end if xdm.te
-
# Audio
allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.21.14/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te 2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.14/macros/program/tvtime_macros.te 2005-02-17 10:24:21.000000000 -0500
@@ -33,9 +33,6 @@
allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
allow $1_tvtime_t self:process setsched;
allow $1_tvtime_t usr_t:file { getattr read };
-ifdef(`xdm.te', `
-allow $1_tvtime_t xdm_tmp_t:dir search;
-')
')dnl end tvtime_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.14/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te 2005-02-17 10:16:46.000000000 -0500
+++ policy-1.21.14/macros/program/x_client_macros.te 2005-02-17 10:24:22.000000000 -0500
@@ -179,7 +179,7 @@
allow $1_$2_t xdm_xserver_tmpfs_t:file r_file_perms;
can_unix_connect($1_$2_t, xdm_xserver_t)
-allow $1_$2_t xdm_xserver_tmp_t:dir search;
+allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:sock_file { read write };
allow $1_$2_t xdm_t:fd use;
dontaudit $1_$2_t xdm_t:tcp_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.14/Makefile
--- nsapolicy/Makefile 2005-02-17 15:52:02.000000000 -0500
+++ policy-1.21.14/Makefile 2005-02-17 12:22:30.000000000 -0500
@@ -21,21 +21,25 @@
SBINDIR = $(PREFIX)/sbin
LOADPOLICY = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
+GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KERNVERS := $(shell cat /selinux/policyvers)
POLICYVER := policy.$(VERS)
+TOPDIR = $(DESTDIR)/etc/selinux
ifeq ($(MLS),y)
-INSTALLDIR = $(DESTDIR)/etc/selinux/mls
+TYPE=mls
else
-INSTALLDIR = $(DESTDIR)/etc/selinux/strict
+TYPE=strict
endif
+INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
@@ -50,15 +54,18 @@
POLICYFILES += mls
CHECKPOLMLS += -M
endif
+DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
-POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts
-CONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+POLICYFILES += $(DEFCONTEXTFILES)
+CONTEXTFILES = $(DEFCONTEXTFILES)
+POLICY_DIRS = domains/program domains/misc
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
+HOMEDIR_TEMPLATE = file_contexts/homedir_template
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
CONTEXTFILES += $(FCFILES)
@@ -169,9 +176,9 @@
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf
-policy.conf: $(POLICYFILES)
+policy.conf: $(POLICYFILES) $(POLICY_DIRS)
mkdir -p tmp
- m4 $(M4PARAM) -Imacros -s $^ > $@.tmp
+ m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
mv $@.tmp $@
install-src:
@@ -203,14 +210,15 @@
$(FCPATH): $(FC)
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(FC) $(FCPATH)
+ install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+ @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file_contexts ..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
- @grep -v "^/root" $@.tmp > $@.root
- @/usr/sbin/genhomedircon . $@.root > $@
- @grep "^/root" $@.tmp >> $@
- @-rm $@.tmp $@.root
+ @grep -v -e HOME -e ROLE $@.tmp > $@
+ @grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE)
+ @-rm $@.tmp
# Create a tags-file for the policy:
# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
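Review bot: The new split `grep -v -e HOME -e ROLE $@.tmp > $@` / `grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE)` matches the bare substrings HOME and ROLE anywhere on a file_contexts line, so any entry whose path or type name happens to contain either string is diverted into the home-directory template and dropped from the installed file_contexts; the patterns should be anchored to the exact template tokens genhomedircon substitutes. `$(USEPWD)`, passed to `$(GENHOMEDIRCON)` in the `$(FCPATH)` rule, is not assigned anywhere in the visible Makefile hunks — if it is a user override it should get a default and a comment beside the other variable definitions. The `@` prefix on that invocation also hides the command line from the build output, which makes a failing genhomedircon run harder to diagnose.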
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.14/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.14/targeted/domains/unconfined.te 2005-02-17 10:24:22.000000000 -0500
@@ -9,6 +9,8 @@
role user_r types unconfined_t;
role sysadm_r types unconfined_t;
unconfined_domain(unconfined_t)
+allow domain unconfined_t:fd use;
+allow domain unconfined_t:process sigchld;
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
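Review bot: `allow domain unconfined_t:fd use;` grants every domain in the policy, confined ones included, the use of any file descriptor inherited from or passed by unconfined_t, and nothing in the hunk says why the blanket grant is needed. If the intent is that confined daemons started from an unconfined shell keep their inherited descriptors, say so above the rule, e.g. `# confined domains started from unconfined_t inherit its descriptors (ttys, pipes)`, and consider a dontaudit instead wherever the descriptors are merely leaked rather than used.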
@@ -37,6 +39,9 @@
user_typealias(sysadm)
user_typealias(staff)
user_typealias(user)
+attribute user_file_type;
+attribute staff_file_type;
+attribute sysadm_file_type;
allow unconfined_t unlabeled_t:filesystem *;
allow unlabeled_t self:filesystem associate;
@@ -45,14 +50,19 @@
bool use_nfs_home_dirs false;
# Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
+bool allow_execmem true;
# Support Share libraries with Text Relocation
-bool allow_execmod false;
+bool allow_execmod true;
# Support SAMBA home directories
bool use_samba_home_dirs false;
+if (allow_execmod) {
+allow unconfined_t { ld_so_t shlib_t }:file execmod;
+allow unconfined_t { bin_t sbin_t exec_type }:file execmod;
+}
+
ifdef(`samba.te', `samba_domain(user)')
# Allow system to run with NIS
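Review bot: `allow_execmem` and `allow_execmod` are flipped to default `true`, and the new `if (allow_execmod)` block grants unconfined_t execmod on `{ ld_so_t shlib_t }` and `{ bin_t sbin_t exec_type }`, which disables the text-relocation and executable-anonymous-memory checks for the unconfined domain out of the box; the hunk gives no reason for the new defaults. A comment above each bool recording why it defaults to on, and that `false` is the stricter setting, would document the trade-off for the next reader, e.g. `# default true: <reason>; set to false to enforce the check`.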
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.14/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.14/tunables/distro.tun 2005-02-17 10:24:22.000000000 -0500
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.14/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.14/tunables/tunable.tun 2005-02-17 10:24:22.000000000 -0500
@@ -1,27 +1,27 @@
# Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
* Re: [Fwd: New policy patch]
2005-02-17 23:09 ` Daniel J Walsh
@ 2005-02-24 19:10 ` James Carter
From: James Carter @ 2005-02-24 19:10 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Merged.
On Thu, 2005-02-17 at 18:09 -0500, Daniel J Walsh wrote:
> Ivan did a few more cleanups in x_client_macros and access_terminals.
> Added a couple of ioctls back in.
>
> Had to add back in a dontaudit for net_admin on cups.
>
> Allow dovecot to search certs dir
>
> Fixes for allow squirrelmail to spell check
>
> Privoxy needs to run as a client as well as a server
>
>
> plain text document attachment (policy-20050217.patch)
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Policy Patch
2005-01-21 20:36 ` James Carter
2005-01-22 23:37 ` Russell Coker
2005-02-17 23:09 ` Daniel J Walsh
@ 2005-03-29 16:47 ` Daniel J Walsh
2005-04-01 20:28 ` James Carter
2005-04-04 18:50 ` New " Daniel J Walsh
From: Daniel J Walsh @ 2005-03-29 16:47 UTC (permalink / raw)
To: jwcart2; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 464 bytes --]
Major cleanup of the Makefile. It probably still needs some sanity checks. Added better echo messages and made sure the
customizable file gets replaced on make load.
Added policy ssh_keysign_exec_t for /usr/libexec/openssh/ssh-keysign
Better handling of syslog-ng
Whole bunch of changes from Ivan, for desktop apps.
Allow named and nscd to write logs to /var/log
Lots of name_connect fixes.
New bool for squid to connect to any port or just http ports.
--
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 39570 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.5/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/domains/program/ssh.te 2005-03-28 10:21:45.000000000 -0500
@@ -220,6 +220,7 @@
# Type for the ssh executable.
type ssh_exec_t, file_type, exec_type, sysadmfile;
+type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
# Everything else is in the ssh_domain macro in
# macros/program/ssh_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.5/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.5/domains/program/syslogd.te 2005-03-28 10:21:45.000000000 -0500
@@ -79,16 +79,10 @@
dontaudit syslogd_t initrc_var_run_t:file write;
allow syslogd_t ttyfile:chr_file { getattr write };
-ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-')
#
# Special case to handle crashes
#
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
# Allow syslog to a terminal
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
@@ -111,6 +105,10 @@
bool use_syslogng false;
if (use_syslogng) {
-allow syslogd_t proc_kmsg_t:file write;
-allow syslogd_t self:capability { sys_admin chown };
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+allow syslogd_t self:capability { sys_admin chown fsetid };
+allow syslogd_t var_log_t:dir { create setattr };
}
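Review bot: The new `allow syslogd_t self:capability { sys_admin chown fsetid };` and `allow syslogd_t var_log_t:dir { create setattr };` inside the use_syslogng block carry no why-comment, and `setattr` on var_log_t:dir lets the daemon change mode and ownership of /var/log itself, not only of directories it creates. If syslog-ng only needs to create per-host log directories, `create` alone (ideally with a type transition for what it creates) is the narrower grant, and `fsetid` deserves a line such as `# fsetid: syslog-ng preserves setgid bits when chowning log files it creates -- verify`. Note also that with the unconditional `ifdef(klogd.te, ...)` fallback removed in the previous hunk, a build without klogd.te and with use_syslogng off no longer gives syslogd_t any /proc/kmsg access; if that is intended, the bool's comment should say so.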
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.5/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/domains/program/unused/apache.te 2005-03-28 10:21:45.000000000 -0500
@@ -152,7 +152,9 @@
allow httpd_t bin_t:lnk_file read;
can_network(httpd_t)
+if (httpd_can_network_connect) {
allow httpd_t port_type:tcp_socket name_connect;
+}
can_ypbind(httpd_t)
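Review bot: The new `if (httpd_can_network_connect) { ... }` guard relies on a boolean that is not declared in this hunk; unless `bool httpd_can_network_connect false;` already exists elsewhere in apache.te, checkpolicy will reject the policy, so please confirm the declaration and its default. Also, `can_network(httpd_t)` on the line above stays unconditional, so the boolean gates only outbound TCP name_connect, not socket creation or UDP traffic; a comment such as `# httpd_can_network_connect gates only outbound TCP connects; can_network() is always granted` would make that explicit for administrators reading the bool.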
###################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.23.5/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te 2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/domains/program/unused/canna.te 2005-03-28 10:21:45.000000000 -0500
@@ -42,3 +42,5 @@
can_unix_connect(i18n_input_t, canna_t)
')
+dontaudit canna_t kernel_t:fd use;
+dontaudit canna_t root_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.5/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.5/domains/program/unused/cups.te 2005-03-28 10:21:45.000000000 -0500
@@ -143,8 +143,8 @@
# PTAL
daemon_domain(ptal)
etcdir_domain(ptal)
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
+
+file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
allow ptal_t self:capability chown;
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
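Review bot: `file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)` is called without a class argument, so as far as I can tell it grants ptal_t create permissions on every file class of ptal_var_run_t (plus rw_dir_perms on var_run_t), whereas the two lines it replaces covered only fifo_file and sock_file. If ptal only creates its FIFO and socket under /var/run, passing the class set keeps the grant as narrow as before, e.g. `file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t, { fifo_file sock_file })`; class-set arguments are used elsewhere in this patch (tmp_domain in tvtime_macros.te), but please confirm file_type_auto_trans accepts the same form.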
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.5/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.5/domains/program/unused/hald.te 2005-03-29 10:44:55.000000000 -0500
@@ -31,6 +31,7 @@
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
+allow hald_t self:netlink_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
can_network_server(hald_t)
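Review bot: `allow hald_t self:netlink_socket create_socket_perms;` grants the generic netlink class, which as far as I know covers every netlink family that has no dedicated class, while the next line already grants the route family via netlink_route_socket. A comment naming the family hald actually opens would let a later reviewer swap this for the specific class once one exists, e.g. `# generic netlink_socket: hald listens for kernel uevents (NETLINK_KOBJECT_UEVENT) -- verify`. As written, the grant reads like a catch-all.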
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.23.5/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te 2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.5/domains/program/unused/mailman.te 2005-03-28 10:21:45.000000000 -0500
@@ -30,7 +30,7 @@
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
can_network(mailman_$1_t)
-allow mailman_$1_t port_type:tcp_socket name_connect;
+allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t var_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.5/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.5/domains/program/unused/mta.te 2005-03-28 10:21:45.000000000 -0500
@@ -13,8 +13,6 @@
ifdef(`sendmail.te', `', `
type sendmail_exec_t, file_type, exec_type, sysadmfile;
')
-type smtp_port_t, port_type, reserved_port_type;
-
# create a system_mail_t domain for daemons, init scripts, etc when they run
# "mail user@domain"
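Review bot: This hunk deletes `type smtp_port_t, port_type, reserved_port_type;` from mta.te, yet the same patch references smtp_port_t unconditionally (mailman.te, and the now-unconditional `portcon tcp 25 ... smtp_port_t` in net_contexts), so the type must now be declared in a file that is always compiled. The patch does not show where the declaration moved; a comment at the old location, e.g. `# smtp_port_t is now declared globally (types/network.te)`, would save the next reader the search, and a build with mta.te disabled should be tried to confirm checkpolicy still resolves the type.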
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.5/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.5/domains/program/unused/named.te 2005-03-28 10:21:45.000000000 -0500
@@ -60,6 +60,7 @@
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
+log_domain(named)
# Bind to the named port.
allow named_t dns_port_t:udp_socket name_bind;
@@ -104,7 +105,7 @@
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
-allow ndc_t port_type:tcp_socket name_connect;
+allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.5/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/nscd.te 2005-03-28 10:21:45.000000000 -0500
@@ -73,3 +73,4 @@
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+log_domain(nscd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.5/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.5/domains/program/unused/pamconsole.te 2005-03-28 10:21:45.000000000 -0500
@@ -10,6 +10,12 @@
allow pam_console_t etc_t:file { getattr read ioctl };
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
+# Read /etc/mtab
+allow pam_console_t etc_runtime_t:file { read getattr };
+
+# Read /proc/meminfo
+allow pam_console_t proc_t:file { read getattr };
+
allow pam_console_t self:capability { chown fowner fsetid };
# Allow access to /dev/console through the fd:
@@ -24,7 +30,7 @@
allow pam_console_t device_t:dir { getattr read };
allow pam_console_t device_t:lnk_file { getattr read };
# mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
allow pam_console_t mnt_t:dir r_dir_perms;
@@ -36,7 +42,6 @@
dontaudit pam_console_t hotplug_etc_t:dir search;
allow pam_console_t hotplug_t:fd use;
')
-allow pam_console_t proc_t:file read;
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.5/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/samba.te 2005-03-28 10:21:45.000000000 -0500
@@ -41,7 +41,6 @@
general_domain_access(smbd_t)
general_proc_read_access(smbd_t)
-type smbd_port_t, port_type, reserved_port_type;
allow smbd_t smbd_port_t:tcp_socket name_bind;
# Use capabilities.
@@ -88,7 +87,6 @@
general_domain_access(nmbd_t)
general_proc_read_access(nmbd_t)
-type nmbd_port_t, port_type, reserved_port_type;
allow nmbd_t nmbd_port_t:udp_socket name_bind;
# Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.5/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/squid.te 2005-03-28 10:21:45.000000000 -0500
@@ -12,7 +12,7 @@
ifdef(`apache.te',`
can_tcp_connect(squid_t, httpd_t)
')
-
+bool squid_connect_any false;
daemon_domain(squid, `, web_client_domain, nscd_client_domain')
type squid_conf_t, file_type, sysadmfile;
general_domain_access(squid_t)
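Review bot: `bool squid_connect_any false;` is declared without a comment describing what it opens up, even though the description presents it as the new administrator-facing switch. Booleans are what people toggle with setsebool, so a line such as `# squid_connect_any: allow squid to connect to any TCP port; off restricts it to http_port_t and http_cache_port_t` above the declaration documents the trade-off where it is found. The default of false is the safe choice.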
@@ -53,13 +53,16 @@
# Use the network
can_network(squid_t)
+if (squid_connect_any) {
allow squid_t port_type:tcp_socket name_connect;
+} else {
+allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
+}
can_ypbind(squid_t)
can_tcp_connect(web_client_domain, squid_t)
# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t http_cache_port_t:tcp_socket name_bind;
-allow squid_t http_cache_port_t:udp_socket name_bind;
+allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
# to allow running programs from /usr/lib/squid (IE unlinkd)
# also allow exec()ing itself
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.5/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/domains/program/unused/udev.te 2005-03-28 10:21:45.000000000 -0500
@@ -29,7 +29,7 @@
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin };
allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
@@ -71,6 +71,7 @@
allow udev_t kernel_t:fd use;
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+allow udev_t kernel_t:process signal;
allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;
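Review bot: `allow udev_t kernel_t:process signal;` lets udev signal anything running as kernel_t, which typically includes kernel threads and whatever was started from the initramfs before policy load, and nothing in the hunk says which process udev actually signals. A why-comment would bound the grant for future readers, e.g. `# signal kernel_t: udevd started from the initramfs runs as kernel_t -- verify`, and if only one signal is involved the specific permission (sigkill, sigchld, ...) would be narrower than `signal`.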
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.5/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/winbind.te 2005-03-28 10:21:45.000000000 -0500
@@ -13,7 +13,9 @@
allow winbind_t etc_t:file r_file_perms;
allow winbind_t etc_t:lnk_file read;
can_network(winbind_t)
-allow winbind_t port_type:tcp_socket name_connect;
+allow winbind_t smbd_port_t:tcp_socket name_connect;
+can_resolve(winbind_t)
+
ifdef(`samba.te', `', `
type samba_etc_t, file_type, sysadmfile, usercanread;
type samba_log_t, file_type, sysadmfile, logfile;
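Review bot: `allow winbind_t smbd_port_t:tcp_socket name_connect;` references smbd_port_t unconditionally, while the `ifdef(`samba.te', ...)` block right after it shows winbind.te is meant to build without samba.te, and this same patch removes the `type smbd_port_t` declaration from samba.te. Unless that declaration moved to an always-included file, a winbind-only build will fail on an undeclared type; please confirm it is global or point at its new home in a comment. Narrowing from port_type to smbd_port_t is a good change; if winbind also needs LDAP to the domain controller, add that port type rather than re-widening to port_type.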
@@ -28,7 +30,6 @@
allow winbind_t urandom_device_t:chr_file { getattr read };
allow winbind_t self:fifo_file { read write };
rw_dir_create_file(winbind_t, samba_var_t)
-allow winbind_t krb5_conf_t:file { getattr read };
-dontaudit winbind_t krb5_conf_t:file { write };
+can_kerberos(winbind_t)
allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
allow winbind_t winbind_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.5/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/xdm.te 2005-03-28 10:21:45.000000000 -0500
@@ -311,6 +311,7 @@
allow xdm_t pam_var_run_t:dir create_dir_perms;
allow xdm_t pam_var_run_t:file create_file_perms;
allow pam_t xdm_t:fifo_file { getattr ioctl write };
+can_exec(xdm_t, pam_console_exec_t)
can_exec(xdm_t, pam_exec_t)
# For pam_console
rw_dir_create_file(xdm_t, pam_var_console_t)
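Review bot: `can_exec(xdm_t, pam_console_exec_t)` runs the pam_console helper inside xdm_t rather than transitioning to pam_console_t, so xdm_t itself must hold every device setattr right that pamconsole.te grants to pam_console_t (see the long chr_file/blk_file lists in that file's hunks) or the calls will be denied. If pam_console_t is meant to be the confined domain for that helper, `domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)` keeps the /dev ownership-changing privileges out of the display manager. If can_exec is deliberate, a comment saying why xdm_t runs it in-domain would avoid the question next time.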
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.5/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/file_contexts/distros.fc 2005-03-28 10:21:45.000000000 -0500
@@ -98,10 +98,10 @@
/usr/lib/valgrind/vgskin_massif\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/valgrind/vgskin_memcheck\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/valgrind/vgskin_none\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
# Fedora Extras packages: ladspa, imlib2, ocaml
/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
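Review bot: Widening `/usr/lib/ooo-.*/program/...` to `/usr/lib/.*/program/...` makes any path of the form /usr/lib/<anything>/program/libicudata.so* receive texrel_shlib_t, a type that relaxes the text-relocation restriction, and nothing says which other install prefixes this is meant to cover. If the goal is OpenOffice trees installed as /usr/lib/openoffice* as well as /usr/lib/ooo-*, an alternation such as `/usr/lib/(ooo-.*|openoffice.*)/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t` keeps the exemption scoped to those trees; I am inferring the intent from the old pattern, so please confirm.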
@@ -140,6 +140,11 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+
+/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
')
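Review bot: `/usr/lib/libdivxdecore.so.0` leaves both dots unescaped, so the regex also matches names such as libdivxdecoreXsoY0; every other line in this block escapes them (`\.so`). `/usr/lib/libdivxdecore\.so\.0 -- system_u:object_r:texrel_shlib_t` would be consistent with the rest of the file.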
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.5/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/file_contexts/program/apache.fc 2005-03-29 09:07:33.000000000 -0500
@@ -44,3 +44,4 @@
/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
+/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.23.5/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/file_contexts/program/named.fc 2005-03-28 10:21:45.000000000 -0500
@@ -21,6 +21,8 @@
/var/run/bind(/.*)? system_u:object_r:named_var_run_t
/var/run/named(/.*)? system_u:object_r:named_var_run_t
/usr/sbin/lwresd -- system_u:object_r:named_exec_t
+/var/log/named.* -- system_u:object_r:named_log_t
+
ifdef(`distro_redhat', `
/var/named/named\.ca -- system_u:object_r:named_conf_t
/var/named/chroot(/.*)? system_u:object_r:named_conf_t
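Review bot: The new line `/var/log/named.* -- system_u:object_r:named_log_t` uses an unescaped `.`, so it matches any regular file in /var/log whose name begins with `named` followed by anything (named-foo, namedx), not just named.log and its rotations; the nscd.fc line in this same patch escapes it (`nscd\.log.*`). `/var/log/named\..* -- system_u:object_r:named_log_t` would be consistent. If named runs chrooted under /var/named/chroot on distro_redhat, that tree is labelled named_conf_t by the block below, so logs written there will not get named_log_t — presumably handled elsewhere, but worth confirming.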
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.23.5/file_contexts/program/nscd.fc
--- nsapolicy/file_contexts/program/nscd.fc 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/file_contexts/program/nscd.fc 2005-03-28 10:21:45.000000000 -0500
@@ -4,3 +4,4 @@
/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t
+/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ssh.fc policy-1.23.5/file_contexts/program/ssh.fc
--- nsapolicy/file_contexts/program/ssh.fc 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/file_contexts/program/ssh.fc 2005-03-28 10:21:45.000000000 -0500
@@ -1,5 +1,6 @@
# ssh
/usr/bin/ssh -- system_u:object_r:ssh_exec_t
+/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t
/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t
# sshd
/etc/ssh/primes -- system_u:object_r:sshd_key_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.5/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/apache_macros.te 2005-03-28 10:21:45.000000000 -0500
@@ -3,10 +3,11 @@
#This type is for webpages
#
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
+type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
ifelse($1, sys, `
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
')
+ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;')
# This type is used for .htaccess files
#
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.5/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te 2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.5/macros/program/games_domain.te 2005-03-28 10:21:45.000000000 -0500
@@ -19,10 +19,18 @@
}
role $1_r types $1_games_t;
-# X access, Private tmp
+# X access, /tmp files
x_client_domain($1, games)
tmp_domain($1_games)
+uses_shlib($1_games_t)
+read_locale($1_games_t)
+read_sysctl($1_games_t)
+access_terminal($1_games_t, $1)
+
+# Fork
+allow $1_games_t self:process { fork signal_perms getsched };
+
# Games seem to need this
if (allow_execmem) {
allow $1_games_t self:process execmem;
@@ -37,7 +45,7 @@
# Access /home/user/.gnome2
create_dir_file($1_games_t, $1_home_t)
-allow $1_games_t $1_home_dir_t:dir search;
+allow $1_games_t $1_home_dir_t:dir { read getattr search };
allow $1_games_t $1_home_t:dir { read getattr };
create_dir_file($1_games_t, $1_tmp_t)
@@ -57,6 +65,7 @@
allow $1_games_t var_lib_t:dir search;
r_dir_file($1_games_t, man_t)
+allow $1_games_t proc_t:dir search;
allow $1_games_t proc_t:file { read getattr };
ifdef(`mozilla.te', `
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
@@ -64,10 +73,17 @@
allow $1_games_t event_device_t:chr_file getattr;
allow $1_games_t mouse_device_t:chr_file getattr;
allow $1_games_t self:file { getattr read };
+allow $1_games_t self:fifo_file rw_file_perms;
# kpat spews errors
dontaudit $1_games_t bin_t:dir getattr;
dontaudit $1_games_t var_run_t:dir search;
+# Allow games to read /etc/mtab and /etc/nsswitch.conf
+allow $1_games_t etc_t:file { getattr read };
+allow $1_games_t etc_runtime_t:file { getattr read };
+
+#
+
')dnl end macro definition
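Review bot: The hunk ends with a bare `#` line followed by a blank line, which looks like a leftover placeholder rather than a comment; drop it or give it the note it was meant to carry. The `self:fifo_file rw_file_perms` and the etc_t/etc_runtime_t reads are the same grants this patch removes from x_client_domain, so a one-line comment such as `# formerly granted by x_client_domain` would explain why they now appear in each of the games/gift/mozilla/tvtime macros.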
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.5/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/gift_macros.te 2005-03-28 10:21:45.000000000 -0500
@@ -17,10 +17,15 @@
domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
role $1_r types $1_gift_t;
-# X access, Home access
+# X access, Home files
x_client_domain($1, gift)
home_domain($1, gift)
+uses_shlib($1_gift_t)
+read_locale($1_gift_t)
+read_sysctl($1_gift_t)
+access_terminal($1_gift_t, $1)
+
# Self permissions
allow $1_gift_t self:process getsched;
@@ -29,7 +34,8 @@
r_dir_file($1_gift_t, fonts_t)
# Launch gift daemon
-allow $1_gift_t self:process fork;
+allow $1_gift_t bin_t:dir search;
+allow $1_gift_t self:process { fork signal_perms getsched };
domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
# Connect to gift daemon
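Review bot: `allow $1_gift_t self:process { fork signal_perms getsched };` repeats `getsched`, which the context line `allow $1_gift_t self:process getsched;` under "Self permissions" in the previous hunk already grants. Keeping only the merged statement and deleting the older line avoids two rules for the same permission. The added `bin_t:dir search` is reasonable for locating giftd.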
@@ -40,6 +46,10 @@
allow $1_gift_t proc_t:dir search;
allow $1_gift_t proc_t:file { getattr read };
+# Read /etc/mtab, /etc/nsswitch.conf
+allow $1_gift_t etc_t:file { getattr read };
+allow $1_gift_t etc_runtime_t:file { getattr read };
+
# Tmp/ORBit
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
@@ -78,6 +88,7 @@
read_sysctl($1_giftd_t)
read_locale($1_giftd_t)
uses_shlib($1_giftd_t)
+access_terminal($1_giftd_t, $1)
# Access home domain
home_domain_access($1_giftd_t, $1, gift)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.5/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.5/macros/program/mozilla_macros.te 2005-03-28 10:21:45.000000000 -0500
@@ -24,33 +24,52 @@
}
role $1_r types $1_mozilla_t;
+# X access, Home files
home_domain($1, mozilla)
x_client_domain($1, mozilla)
+
+# Browse files
file_browse_domain($1_mozilla_t)
+can_network($1_mozilla_t)
+uses_shlib($1_mozilla_t)
+read_locale($1_mozilla_t)
+read_sysctl($1_mozilla_t)
+access_terminal($1_mozilla_t, $1)
+
allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
# Unrestricted inheritance from the caller.
allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
allow $1_mozilla_t $1_t:process signull;
-# Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+# Fork, set resource limits and scheduling info.
+allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
allow $1_mozilla_t var_lib_t:file { getattr read };
allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
allow $1_mozilla_t self:socket create_socket_perms;
allow $1_mozilla_t self:file { getattr read };
+allow $1_mozilla_t self:fifo_file rw_file_perms;
-# for bash
+# for bash - old mozilla binary
+can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, bin_t)
+allow $1_mozilla_t bin_t:lnk_file read;
allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t devpts_t:dir r_dir_perms;
allow $1_mozilla_t proc_t:file { getattr read };
+allow $1_mozilla_t proc_t:lnk_file read;
+allow $1_mozilla_t self:dir search;
+allow $1_mozilla_t self:lnk_file read;
r_dir_file($1_mozilla_t, proc_net_t)
allow $1_mozilla_t { var_t var_lib_t }:dir search;
+# Allow mozilla to read /etc/mtab, /etc/nsswitch.conf
+allow $1_mozilla_t etc_t:file { getattr read };
+allow $1_mozilla_t etc_runtime_t:file { getattr read };
+
# interacting with gstreamer
r_dir_file($1_mozilla_t, var_t)
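Review bot: `can_network($1_mozilla_t)` is added, but nothing in this hunk grants `$1_mozilla_t port_type:tcp_socket name_connect`, and the x_client_macros.te hunk in this same patch removes exactly that rule from the shared macro; unless the browser receives name_connect through another attribute (web_client_domain, for instance), outbound HTTP connects will now be denied. Either add `allow $1_mozilla_t port_type:tcp_socket name_connect;` next to can_network or, mirroring the squid change, gate it behind a boolean. `can_exec($1_mozilla_t, bin_t)` is also relocated here from the shared macro, and `# for bash - old mozilla binary` only explains the wrapper script, so a comment stating why mozilla must exec arbitrary bin_t programs would make the scope explicit. The macro body starts and ends outside this hunk.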
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.5/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/ssh_macros.te 2005-03-28 10:21:45.000000000 -0500
@@ -80,7 +80,7 @@
# Grant permissions needed to create TCP and UDP sockets and
# to access the network.
can_network_client_tcp($1_ssh_t)
-allow $1_ssh_t port_type:tcp_socket name_connect;
+allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
can_resolve($1_ssh_t)
can_ypbind($1_ssh_t)
can_kerberos($1_ssh_t)
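Review bot: Narrowing `$1_ssh_t` from `port_type` to `ssh_port_t` means `ssh -p <nonstandard port>` will be denied for every user domain, since only `portcon tcp 22` is labelled ssh_port_t in net_contexts. That may be the intended hardening, but it is a user-visible regression with no escape hatch; the squid hunk in the same patch shows the pattern (`bool ssh_connect_any false;` plus an `if` around the port_type rule), or at minimum a comment above the rule explaining the restriction.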
@@ -153,6 +153,22 @@
allow $1_ssh_t mnt_t:dir search;
r_dir_file($1_ssh_t, removable_t)
+type $1_ssh_keysign_t, domain, nscd_client_domain;
+role $1_r types $1_ssh_keysign_t;
+domain_auto_trans($1_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+allow $1_ssh_keysign_t self:capability { setgid setuid };
+allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+uses_shlib($1_ssh_keysign_t)
+dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+allow $1_ssh_keysign_t usr_t:dir search;
+allow $1_ssh_keysign_t etc_t:file { getattr read };
+allow $1_ssh_keysign_t self:dir search;
+allow $1_ssh_keysign_t self:file { getattr read };
+allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
ifdef(`xdm.te', `
# should be able to remove these two later
allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
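Review bot: `domain_auto_trans($1_t, ssh_keysign_exec_t, $1_ssh_keysign_t)` only fires when the user shell runs ssh-keysign directly; ssh-keysign is normally exec'd by ssh(1), which in this macro runs as `$1_ssh_t`, so the transition should be from `$1_ssh_t` (or both), e.g. `domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)` together with `allow $1_ssh_keysign_t $1_ssh_t:fd use;` so the helper can talk back over the descriptors it presumably inherits — please verify against how ssh invokes it. The `sshd_key_t:file { getattr read }` and `{ setgid setuid }` grants are what the setuid helper needs to read the host private keys and drop privilege, which deserves a one-line comment so they are not later mistaken for over-grants. The ssh_domain macro begins before this hunk.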
@@ -164,7 +180,6 @@
allow $1_ssh_t xdm_t:fd use;
')dnl end if xdm.te
')dnl end macro definition
-
', `
define(`ssh_domain',`')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.5/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te 2005-03-21 22:32:20.000000000 -0500
+++ policy-1.23.5/macros/program/tvtime_macros.te 2005-03-28 10:21:45.000000000 -0500
@@ -24,11 +24,21 @@
domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
role $1_r types $1_tvtime_t;
-# Home access, X access
+# X access, Home files
home_domain($1, tvtime)
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
x_client_domain($1, tvtime)
+uses_shlib($1_tvtime_t)
+read_locale($1_tvtime_t)
+read_sysctl($1_tvtime_t)
+access_terminal($1_tvtime_t, $1)
+
+# Read /etc/tvtime
+allow $1_tvtime_t etc_t:file { getattr read };
+
+# Tmp files
+tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
+
allow $1_tvtime_t urandom_device_t:chr_file read;
allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
allow $1_tvtime_t kernel_t:system ipc_info;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.5/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/x_client_macros.te 2005-03-28 10:21:45.000000000 -0500
@@ -43,54 +43,17 @@
#
define(`x_client_domain',`
-# This domain is granted permissions common to most domains (including can_net)
-can_network($1_$2_t)
-allow $1_$2_t port_type:tcp_socket name_connect;
-can_ypbind($1_$2_t)
-allow $1_$2_t self:process { fork signal_perms getsched };
allow $1_$2_t self:unix_dgram_socket create_socket_perms;
allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow $1_$2_t self:fifo_file rw_file_perms;
-allow $1_$2_t etc_runtime_t:file { getattr read };
-allow $1_$2_t etc_t:lnk_file read;
-allow $1_$2_t fs_t:filesystem getattr;
-access_terminal($1_$2_t, $1)
-read_locale($1_$2_t)
-r_dir_file($1_$2_t, readable_t)
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:lnk_file read;
-allow $1_$2_t self:dir search;
-allow $1_$2_t self:lnk_file read;
-read_sysctl($1_$2_t)
ifdef(`xauth.te',`
allow $1_$2_t $1_xauth_home_t:file { getattr read };
')
# Allow the user domain to send any signal to the $2 process.
+can_ps($1_t, $1_$2_t)
allow $1_t $1_$2_t:process signal_perms;
-# Allow the user domain to read the /proc/PID directory for
-# the $2 process.
-allow $1_t $1_$2_t:dir r_dir_perms;
-allow $1_t $1_$2_t:notdevfile_class_set r_file_perms;
-
-# Allow use of /dev/zero by ld.so.
-allow $1_$2_t device_t:dir search;
-allow $1_$2_t zero_device_t:chr_file rw_file_perms;
-allow $1_$2_t zero_device_t:chr_file x_file_perms;
-
-# allow using shared libraries and running programs
-uses_shlib($1_$2_t)
-allow $1_$2_t { bin_t sbin_t }:dir search;
-allow $1_$2_t bin_t:lnk_file read;
-can_exec($1_$2_t, { shell_exec_t bin_t })
-allow $1_$2_t etc_t:file { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;')
-allow $1_$2_t privfd:fd use;
-
# for .xsession-errors
dontaudit $1_$2_t $1_home_t:file write;
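Review bot: This hunk strips uses_shlib, read_locale, access_terminal, can_exec on bin_t/shell_exec_t and the other common grants out of x_client_domain, so every macro that invokes it must now add them itself; the patch does so for games, gift, mozilla and tvtime, but any other caller of x_client_domain not touched here silently loses them and will start failing with AVC denials. Please grep the tree for remaining x_client_domain callers before merging, and add a comment at the top of the macro stating the new contract, e.g. `# x_client_domain grants only X/unix-socket access; callers add uses_shlib, read_locale, access_terminal, etc. themselves`. The macro definition continues past the end of this hunk.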
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.5/Makefile
--- nsapolicy/Makefile 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.5/Makefile 2005-03-29 11:37:15.000000000 -0500
@@ -77,12 +77,12 @@
all: policy
-tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH)
- @echo "Validating file_contexts ..."
- $(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+tmp/valid_fc: $(LOADPATH) $(FC)
+ @echo "Validating file contexts files ..."
+ $(SETFILES) -q -c $(LOADPATH) $(FC)
@touch tmp/valid_fc
-install: tmp/valid_fc $(USERPATH)/local.users
+install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@@ -91,56 +91,57 @@
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users
- m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+ @m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
install -m 644 tmp/system.users $@
$(USERPATH)/local.users: local.users
@mkdir -p $(USERPATH)
- install -C -b -m 644 $< $@
+ install -b -m 644 $< $@
$(CONTEXTPATH)/files/media: appconfig/media
- mkdir -p $(CONTEXTPATH)/files/
+ @mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@
$(APPDIR)/default_contexts: appconfig/default_contexts
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/removable_context: appconfig/removable_context
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/customizable_types: policy.conf
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
install -m 644 tmp/customizable_types $@
$(APPDIR)/default_type: appconfig/default_type
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/userhelper_context: appconfig/userhelper_context
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/initrc_context: appconfig/initrc_context
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/failsafe_context: appconfig/failsafe_context
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
- mkdir -p $(APPDIR)
+ @mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/users/root: appconfig/root_default_contexts
- mkdir -p $(APPDIR)/users
+ @mkdir -p $(APPDIR)/users
install -m 644 $< $@
-$(LOADPATH): policy.conf $(CHECKPOLICY)
- mkdir -p $(POLICYPATH)
+$(LOADPATH): policy.conf $(CHECKPOLICY)
+ @echo "Compiling policy ..."
+ @mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(MLS),y)
ifneq ($(VERS),18)
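Review bot: The customizable_types rule `grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2` matches any `type` line in policy.conf that contains the string anywhere, so a type or attribute name that merely contains `customizable` would be listed, and a declaration whose attribute list wrapped onto a second line could be missed; since the installed file is consumed by other tools, anchor the match to the attribute token, e.g. `grep -E '^type [^ ,]+,.*[ ,]customizable[ ,;]' $< | cut -d',' -f1 | cut -d' ' -f2`. Dropping `-C` from the local.users `install -b -m 644 $< $@` means an identical source now still overwrites and backs up the installed file; probably harmless, but note that this is the administrator-edited file per the comment written into system.users above.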
@@ -159,10 +160,11 @@
$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
endif
endif
- @echo "Validating file_contexts ..."
+ @echo "Validating file contexts files ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)
reload tmp/load: $(FCPATH) $(LOADPATH)
+ @echo "Loading Policy ..."
ifeq ($(VERS), $(KERNVERS))
$(LOADPOLICY) $(LOADPATH)
else
@@ -177,18 +179,19 @@
mv policy.audit policy.conf
policy.conf: $(POLICYFILES) $(POLICY_DIRS)
- mkdir -p tmp
+ @echo "Building policy.conf ..."
+ @mkdir -p tmp
m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
- mv $@.tmp $@
+ @mv $@.tmp $@
install-src:
rm -rf $(SRCPATH)/policy.old
-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
- mkdir -p $(SRCPATH)/policy
+ @mkdir -p $(SRCPATH)/policy
cp -R . $(SRCPATH)/policy
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
- mkdir -p tmp
+ @mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@
@@ -205,17 +208,17 @@
$(SETFILES) $(FC) $(FILESYSTEMS)
file_contexts/misc:
- mkdir -p file_contexts/misc
-
+ @mkdir -p file_contexts/misc
-$(FCPATH): $(FC) $(USERPATH)/system.users
+$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types
+ @echo "Installing file contexts files..."
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(FC) $(FCPATH)
install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
- @echo "Building file_contexts ..."
+ @echo "Building file contexts files..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
@grep -v -e HOME -e ROLE $@.tmp > $@
@grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE)
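Review bot: The rewritten `$(FCPATH):` line drops `$(FC)` from the prerequisites while the recipe still runs `install -m 644 $(FC) $(FCPATH)`, so unless the new `tmp/valid_fc` target (not in the visible hunks) itself depends on `$(FC)`, make can install a stale file_contexts after a policy edit. Keeping the file explicit avoids relying on that indirection: `$(FCPATH): $(FC) tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types`. The `$(APPDIR)/customizable_types` rule is also not visible here, so I cannot confirm it is defined in this patch.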
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.5/net_contexts
--- nsapolicy/net_contexts 2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/net_contexts 2005-03-28 10:21:45.000000000 -0500
@@ -44,11 +44,11 @@
')
ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
-ifdef(`mta.te', `
+
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
-')
+
portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
@@ -56,10 +56,10 @@
ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
-ifdef(`use_http', `
+
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
-')
+
ifdef(`use_pop', `
portcon tcp 106 system_u:object_r:pop_port_t
portcon tcp 109 system_u:object_r:pop_port_t
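Review bot: The `portcon tcp 80` and `portcon tcp 443` lines now reference `http_port_t` unconditionally, but no hunk in this patch declares `http_port_t` unconditionally: the types/network.te hunks remove `define(`use_http')` without adding the type, and the publicfile.te hunk deletes the fallback `type http_port_t, port_type, reserved_port_type;` that covered builds without apache.te. If the type is still declared only inside apache.te, a policy built without that module fails at checkpolicy on these portcons. Either add `type http_port_t, port_type, reserved_port_type;` to types/network.te next to the new unconditional port types, or keep these portcons guarded. The `http_cache_port_t` hunk further down is the same pattern, though that type is visibly made unconditional in network.te.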
@@ -70,7 +70,7 @@
ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
-ifdef(`samba.te', `
+
portcon tcp 137 system_u:object_r:smbd_port_t
portcon udp 137 system_u:object_r:nmbd_port_t
portcon tcp 138 system_u:object_r:smbd_port_t
@@ -78,7 +78,7 @@
portcon tcp 139 system_u:object_r:smbd_port_t
portcon udp 139 system_u:object_r:nmbd_port_t
portcon tcp 445 system_u:object_r:smbd_port_t
-')
+
ifdef(`use_pop', `
portcon tcp 143 system_u:object_r:pop_port_t
portcon tcp 220 system_u:object_r:pop_port_t
@@ -208,11 +208,10 @@
# 9433 is for YIFF
portcon tcp 9433 system_u:object_r:soundd_port_t
')
-ifdef(`use_http_cache', `
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon udp 3130 system_u:object_r:http_cache_port_t
-')
+
ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
ifdef(`amanda.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.23.5/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.5/targeted/domains/program/ssh.te 2005-03-29 11:16:20.000000000 -0500
@@ -13,6 +13,7 @@
type sshd_exec_t, file_type, sysadmfile, exec_type;
type ssh_exec_t, file_type, sysadmfile, exec_type;
type ssh_keygen_exec_t, file_type, sysadmfile, exec_type;
+type ssh_keysign_exec_t, file_type, sysadmfile, exec_type;
type sshd_key_t, file_type, sysadmfile;
type sshd_var_run_t, file_type, sysadmfile;
type ssh_port_t, port_type;
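Review bot: `ssh_keysign_exec_t` is declared here but nothing in the visible hunks labels a file with it or transitions on it, so the file_contexts entry for the ssh-keysign helper named in the cover letter and the domain rules that consume the type are either elsewhere in the patch or missing. Without them the declaration has no effect. A comment on the type line would also help the next reader, e.g. `# entrypoint type for /usr/libexec/openssh/ssh-keysign`, if that is the intended use — confirm against the domain rules.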
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.5/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/tunables/distro.tun 2005-03-28 10:21:45.000000000 -0500
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.5/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/tunables/tunable.tun 2005-03-28 10:21:45.000000000 -0500
@@ -1,27 +1,27 @@
# Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
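Review bot: Turning `dnl define(`unlimitedRPM')`, `unlimitedUtils`, `unlimitedRC`, `user_can_mount`, `user_canbe_sysadm` and `hide_broken_symptoms` into live `define(...)` lines changes the shipped default from confined to unconfined for rc scripts, rpm, hotplug/insmod and every daemon they start without an explicit transition, lets user_r reach sysadm_r, and suppresses audit of known-broken behaviour. Together with the distro.tun hunk enabling `distro_redhat`, this reads as one distribution's build configuration being committed as the reference default rather than a policy fix. If a distro default is the intent, gating the defines on `distro_redhat` or keeping them commented upstream preserves the confined reference behaviour; either way the comment block should say why the defaults changed.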
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.5/types/file.te
--- nsapolicy/types/file.te 2005-03-24 08:58:30.000000000 -0500
+++ policy-1.23.5/types/file.te 2005-03-28 10:21:45.000000000 -0500
@@ -277,8 +277,9 @@
type tmpfs_t, file_type, sysadmfile, fs_type;
allow { tmpfs_t tmpfile } tmpfs_t:filesystem associate;
+allow tmpfile tmp_t:filesystem associate;
ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
+allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
')
type autofs_t, fs_type, noexattrfile, sysadmfile;
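Review bot: The new `allow tmpfile tmp_t:filesystem associate;` has no why-comment saying when a filesystem carries the `tmp_t` label (presumably a tmpfs mounted on /tmp with a context= option — confirm). A one-liner such as `# /tmp may be mounted with a tmp_t filesystem context; let tmp files associate with it` would also explain the `{ tmpfs_t tmp_t }` widening in the distro_redhat block below it.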
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.5/types/network.te
--- nsapolicy/types/network.te 2005-03-24 08:58:30.000000000 -0500
+++ policy-1.23.5/types/network.te 2005-03-28 10:21:45.000000000 -0500
@@ -22,13 +22,11 @@
#
# Defines used by the te files need to be defined outside of net_constraints
#
-type dns_port_t, port_type;
-
-ifdef(`dhcpd.te', `define(`use_dhcpd')')
-ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-ifdef(`use_dhcpd', `
-type dhcpd_port_t, port_type;
-')
+type dns_port_t, port_type, reserved_port_type;
+type smtp_port_t, port_type, reserved_port_type;
+type dhcpd_port_t, port_type, reserved_port_type;
+type smbd_port_t, port_type, reserved_port_type;
+type nmbd_port_t, port_type, reserved_port_type;
ifdef(`cyrus.te', `define(`use_pop')')
ifdef(`courier.te', `define(`use_pop')')
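Review bot: Removing the `define(`use_dhcpd')` lines while making `dhcpd_port_t` unconditional leaves any remaining `ifdef(`use_dhcpd', ...)` guard elsewhere in the policy silently false; the dhcpd portcon in net_contexts is not in the visible hunks, so if it is still guarded that port stops being labelled. Please confirm every `use_dhcpd` consumer was converted the way the smtp/samba portcons were in net_contexts. The same check applies to `use_http` and `use_http_cache`, removed in the next hunk.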
@@ -38,21 +36,13 @@
ifdef(`use_pop', `
type pop_port_t, port_type, reserved_port_type;
')
-ifdef(`apache.te', `
-define(`use_http_cache')
-define(`use_http')
-')
ifdef(`ftpd.te', `
define(`use_ftpd')
')
ifdef(`publicfile.te', `
-define(`use_http')
define(`use_ftpd')
')
-ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `
type http_cache_port_t, port_type;
-')
ifdef(`dhcpd.te', `define(`use_pxe')')
ifdef(`pxe.te', `define(`use_pxe')')
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: Policy Patch
2005-03-29 16:47 ` Policy Patch Daniel J Walsh
@ 2005-04-01 20:28 ` James Carter
0 siblings, 0 replies; 13+ messages in thread
From: James Carter @ 2005-04-01 20:28 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Merged.
On Tue, 2005-03-29 at 11:47 -0500, Daniel J Walsh wrote:
> Major cleanup of Makefile. Probably still needs some sanity checks to
> it. Added better echo messages, made sure
> customizable file gets replaced on make load.
>
> Added policy ssh_keysign_exec_t for /usr/libexec/openssh/ssh-keysign
>
> Better handling of syslog-ng
>
> Whole bunch of changes from Ivan, for desktop apps.
>
> Allow named and nscd to write logs to /var/log
>
> Lots of name_connect fixes.
>
> New bool for squid to connect to any port or just http ports.
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* New Policy Patch
2005-01-21 20:36 ` James Carter
` (2 preceding siblings ...)
2005-03-29 16:47 ` Policy Patch Daniel J Walsh
@ 2005-04-04 18:50 ` Daniel J Walsh
2005-04-04 19:38 ` Ivan Gyurdiev
2005-04-05 20:20 ` James Carter
3 siblings, 2 replies; 13+ messages in thread
From: Daniel J Walsh @ 2005-04-04 18:50 UTC (permalink / raw)
To: jwcart2; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 426 bytes --]
Major regrouping of apache_policy
Now use apache_domain and apache_user_domain
Added boolean httpd_builtin_scripting, which when turned off only allows
running external apache scripts, not built-in modules like PHP.
Users can now create their own scripts using apache_domain(myscript)
More fixes of can_network and name_connect
Added NetworkManager policy.
A few fixes submitted from Ivan for hal, kudzu
--
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 34018 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.6/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/ifconfig.te 2005-04-04 10:44:54.000000000 -0400
@@ -66,3 +66,4 @@
rhgb_domain(ifconfig_t)
allow ifconfig_t userdomain:fd use;
dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.6/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/logrotate.te 2005-04-04 10:44:54.000000000 -0400
@@ -141,5 +141,10 @@
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
+# Supress libselinux initialization denials
dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
+# Allow selinux_getenforce
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };
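Review bot: The two `security_t` allows added under `# Allow selinux_getenforce` open-code what the hald.te hunk in this same patch expresses as `can_getsecurity(hald_t)`; if that macro grants only what logrotate needs, `can_getsecurity(logrotate_t)` keeps the two callers consistent (the macro body is not visible here, so check it does not grant more than these two rules). The added comment `# Supress libselinux initialization denials` should read `Suppress`.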
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.6/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/apache.te 2005-04-04 10:44:54.000000000 -0400
@@ -28,6 +28,9 @@
bool httpd_unified false;
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
# Allow httpd cgi support
bool httpd_enable_cgi false;
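Review bot: The comment on `bool httpd_builtin_scripting false;` says what the bool allows but not what its default denies, which is the security-relevant half and is stated more clearly in the cover letter. Suggest `# Allow httpd to use built in scripting (usually php). When off, only external apache scripts can run; the httpd_t exec/create rules on httpdcontent further down are withheld.` so the default-deny consequence is visible next to the declaration.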
@@ -86,54 +89,6 @@
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec)
-allow httpd_t httpd_suexec_exec_t:file read;
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir search;
-allow httpd_suexec_t httpd_log_t:file { append getattr };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };
@@ -149,15 +104,24 @@
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;
-can_network(httpd_t)
+########################################
+# Set up networking
+########################################
+
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
+can_ypbind(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
if (httpd_can_network_connect) {
+can_network_client(httpd_t)
allow httpd_t port_type:tcp_socket name_connect;
}
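Review bot: Splitting `can_network(httpd_t)` into an unconditional `can_network_server(httpd_t)` and a `can_network_client(httpd_t)` gated on `httpd_can_network_connect` is the right least-privilege shape, but the `allow httpd_t port_type:tcp_socket name_connect;` kept under the same bool still opens connect to every port once it is enabled. The earlier message in this thread describes a squid bool distinguishing "any port" from "just http ports"; the same split here would let the common proxy-to-local-http case be enabled without all ports. A short comment on the bool block explaining that it is deliberately all-or-nothing would be the minimum if the split is not wanted.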
-can_ypbind(httpd_t)
-###################
-# Allow httpd to search users diretories
-######################
+#########################################
+# Allow httpd to search users directories
+#########################################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
@@ -171,7 +135,6 @@
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
@@ -181,11 +144,6 @@
r_dir_file(initrc_t, httpd_config_t)
##################################################
-########################################
-# Allow httpd_t to bind to the HTTP port
-########################################
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-
###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
@@ -217,13 +175,14 @@
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
-r_dir_file(httpd_t, httpd_sys_script_ro_t)
-create_dir_file(httpd_t, httpd_sys_script_rw_t)
-ra_dir_file(httpd_t, httpd_sys_script_ra_t)
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
##################################################
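Review bot: `r_dir_file(httpd_t, httpd_sys_script_ro_t)`, `create_dir_file(httpd_t, httpd_sys_script_rw_t)` and `ra_dir_file(httpd_t, httpd_sys_script_ra_t)` are deleted here and not re-added in any visible hunk, so unless `apache_domain()` now grants `httpd_t` those accesses (the macro hunks shown only touch the `httpd_$1_script_t` side), httpd loses the ability to serve ro content and write rw content under the sys script types. If the macro does cover it, a comment after `apache_domain(sys)` saying so would save the next reader the same search.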
@@ -250,7 +209,6 @@
# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)
-tmp_domain(httpd_suexec)
# Creation of lock files for apache2
lock_domain(httpd)
@@ -269,11 +227,11 @@
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
+r_dir_file(httpd_t, fonts_t)
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t autofs_t:dir { search getattr };
-allow httpd_suexec_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
@@ -281,23 +239,12 @@
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}
-r_dir_file(httpd_t, fonts_t)
#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;
-########################################
-# When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here.
-##################################################
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-
-can_kerberos(httpd_t)
-
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@@ -308,6 +255,9 @@
}
') dnl targeted policy
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
@@ -327,33 +277,27 @@
dontaudit httpd_t usr_t:dir write;
')
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-
application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };
+########################################
+# When the admin starts the server, the server wants to acess
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+##################################################
+
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir { search };
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
read_sysctl(httpd_sys_script_t)
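Review bot: The relocated comment block above `if (httpd_tty_comm)` carries over the typos `acess` and `the permission are dontaudited`, and it now describes only the `else` branch (`dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;`) while sitting above the allow branch. Suggest moving it directly above `} else {` and rewording: `# When the admin starts the server from a terminal httpd tries to access that TTY/PTY; it runs fine without it, so deny silently unless httpd_tty_comm is set.`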
@@ -368,6 +312,64 @@
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;
unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec)
+allow httpd_t httpd_suexec_exec_t:file read;
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir search;
+allow httpd_suexec_t httpd_log_t:file { append getattr };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+')
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+can_exec(httpd_t, httpdcontent )
+}
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
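Review bot: `can_network(httpd_suexec_t)` under `httpd_can_network_connect` is out of step with the httpd_t hunk above, where the same bool now grants only `can_network_client(httpd_t)`; it is not obvious that suexec-run scripts need to listen, so `can_network_client(httpd_suexec_t)` is the consistent choice unless a listener is required. The relocated `if (httpd_enable_cgi && httpd_unified ...)` block also carries `domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)`, meaning sysadm_t running any httpdcontent file lands in the script domain; that predates the move, but a comment stating that unified mode deliberately treats all content as executable would make the trade-off explicit.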
@@ -375,3 +377,21 @@
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
}
+#
+# Types for squirrelmail
+#
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.6/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.6/domains/program/unused/dhcpc.te 2005-04-04 10:44:54.000000000 -0400
@@ -44,6 +44,8 @@
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.6/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/hald.te 2005-04-04 10:44:54.000000000 -0400
@@ -43,6 +43,9 @@
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+
+can_getsecurity(hald_t)
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
@@ -73,3 +76,20 @@
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
+
+
+# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/sbin/dmidecode
+# Violates assertion
+#allow hald_t memory_device_t:chr_file read;
+allow hald_t self:capability sys_rawio;
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
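Review bot: `allow hald_t self:capability sys_rawio;` is introduced to sidestep the assertion that blocks the commented-out `memory_device_t:chr_file read`, but sys_rawio is itself a broad capability and the comment names only the tool, not why hald should hold it rather than the tool being confined separately. The `# ??` above the `lvm_control_t` block and the `/usr/libxexc/` path typo (`/usr/libexec/`) should also be resolved before merge. At minimum expand the comment to record what fails without sys_rawio and which assertion the direct read violated.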
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.6/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/kudzu.te 2005-04-04 10:44:54.000000000 -0400
@@ -100,3 +100,8 @@
allow kudzu_t xserver_exec_t:file getattr;
')
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
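Review bot: The new `domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)` plus `role system_r types sysadm_userhelper_t;` has no comment saying which userhelper invocation kudzu performs, and placing a boot-time daemon into a sysadm-role domain is exactly the rule a later reader will want justified. Suggest a line on the ifdef such as `# kudzu launches <tool> via userhelper — TODO name the tool`, filled in with the actual program.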
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.6/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/domains/program/unused/NetworkManager.te 2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,76 @@
+#DESC NetworkManager -
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon.
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t domain:dir search;
+allow NetworkManager_t domain:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
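Review bot: The new domain combines `can_network` with `allow NetworkManager_t port_type:tcp_socket name_connect;`, `domain:file { getattr read }` over every domain, and a capability set including `dac_override` and `net_admin`, none of which carry a comment; for a network-facing daemon this is broader than the narrowing this same patch applies to ntpd (`ntp_port_t:tcp_socket name_connect`). Each broad grant deserves a why-line, and `name_connect` should be narrowed to the ports NetworkManager actually contacts if they are known. The `#DESC NetworkManager -` header has an empty description, and the `file_type_auto_trans` comment is missing its subject: `# Files created in /etc by NetworkManager are labelled net_conf_t.`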
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.6/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.6/domains/program/unused/ntpd.te 2005-04-04 10:44:54.000000000 -0400
@@ -41,7 +41,7 @@
# Use the network.
can_network(ntpd_t)
-allow ntpd_t port_type:tcp_socket name_connect;
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.23.6/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/unused/pam.te 2005-04-04 10:44:54.000000000 -0400
@@ -37,4 +37,4 @@
allow initrc_t pam_var_run_t:dir rw_dir_perms;
allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file { read write };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.23.6/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/domains/program/unused/postgresql.te 2005-04-04 10:44:54.000000000 -0400
@@ -124,11 +124,15 @@
ifdef(`distro_gentoo', `
# "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir { search };
-allow postgresql_t initrc_su_t:process { sigchld };
+allow initrc_su_t postgresql_db_t:dir search;
+allow postgresql_t initrc_su_t:process sigchld;
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
dontaudit postgresql_t home_root_t:dir search;
can_kerberos(postgresql_t)
allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}
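Review bot: The new `if (allow_execmem) { allow postgresql_t self:process execmem; }` gives no reason postgresql needs executable anonymous memory (an extension language or JIT runtime, presumably — confirm against the denial that prompted it). A comment naming the trigger, e.g. `# execmem needed by <component> — TODO confirm`, keeps the grant reviewable when allow_execmem is later tightened.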
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.6/domains/program/unused/publicfile.te
--- nsapolicy/domains/program/unused/publicfile.te 2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.6/domains/program/unused/publicfile.te 2005-04-04 10:46:35.000000000 -0400
@@ -12,11 +12,6 @@
type ftp_data_port_t, port_type, reserved_port_type;
')
-ifdef(`apache.te', `
-', `
-type http_port_t, port_type, reserved_port_type;
-')
-
daemon_domain(publicfile)
type publicfile_content_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.6/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/snmpd.te 2005-04-04 10:44:54.000000000 -0400
@@ -45,7 +45,9 @@
allow snmpd_t proc_t:dir search;
allow snmpd_t proc_t:file r_file_perms;
allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file { read write };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
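Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` lets a network daemon execute arbitrary system binaries and shells with no comment on what requires it (snmpd.conf exec/extend-style directives, presumably — confirm). Because this turns a configuration-file setting into command execution inside snmpd_t, add a comment naming the feature and consider gating the rule behind a boolean, as the apache hunks in this patch do for comparable functionality.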
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.6/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/file_contexts/distros.fc 2005-04-04 10:44:54.000000000 -0400
@@ -141,6 +141,10 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
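Review bot: `/usr/.*/jre/lib/i386/libdeploy.so` leaves the `.` in `.so` unescaped, so the pattern also matches names such as `libdeployXso`; the neighbouring `libmlib_jai\.so` line shows the intended form. Suggest `/usr/.*/jre/lib/i386/libdeploy\.so -- system_u:object_r:texrel_shlib_t`; the added `libdivxencore.so.0` line (and the existing libdivxdecore one beside it) has the same issue.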
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.6/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/file_contexts/program/NetworkManager.fc 2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager
+/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.6/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/apache_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -4,14 +4,11 @@
#This type is for webpages
#
type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-ifelse($1, sys, `
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
-ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;')
# This type is used for .htaccess files
#
-type httpd_$1_htaccess_t, file_type, sysadmfile;
+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
# This type is used for executable scripts files
#
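Review bot: Dropping `typeattribute httpd_$1_content_t $1_file_type;` for non-sys instances means user web content is no longer part of `$1_file_type`, so whatever rights user domains derive from that attribute over their own content go away unless re-granted elsewhere (not visible in this patch); please confirm that is intended. The new `allow httpd_t httpd_$1_htaccess_t: file r_file_perms;` also has a stray space before `file`, unlike every other `type:class` rule in the file.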
@@ -68,13 +65,6 @@
type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
#########################################################
# Permissions for running child processes and scripts
##########################################################
@@ -117,20 +107,9 @@
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-ifelse($1, sys, `
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
-', `
-can_exec(httpd_$1_script_t, httpdcontent )
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-')
create_dir_file(httpd_$1_script_t, httpdcontent)
}
-ifelse($1, sys, `
#
# If a user starts a script by hand it gets the proper context
#
@@ -138,7 +117,38 @@
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
role sysadm_r types httpd_$1_script_t;
-', `
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+if (httpd_builtin_scripting) {
+r_dir_file(httpd_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_t, httpd_$1_script_rw_t)
+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
+r_dir_file(httpd_t, httpd_$1_content_t)
+}
+
+')
+define(`apache_user_domain', `
+
+apache_domain($1)
+
+typeattribute httpd_$1_content_t $1_file_type;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+}
if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
# If a user starts a script by hand it gets the proper context
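Review bot: `r_dir_file(httpd_t, httpd_$1_content_t)` now sits inside `if (httpd_builtin_scripting)` in this hunk, while the unconditional copy it replaces (removed further down in this file) granted it regardless of any boolean; unless httpd_t receives read access to per-user content through the httpdcontent attribute elsewhere, turning the boolean off would stop httpd_t serving static pages from httpd_$1_content_t, which is wider than the description's "only allows running of external apache scripts". Moving that single line above the `if` keeps the boolean scoped to script handling. In the same block `create_dir_file(httpd_t, httpd_$1_script_rw_t)` replaces the old `r_dir_file(httpd_t, httpd_$1_script_rw_t)`, so the web server domain itself, not only the script domain, can now create and write script_rw files; a comment such as `# built-in scripting (e.g. PHP) runs inside httpd_t, so it needs the script domain's rw access` would record why that widening is acceptable. The `define(`apache_domain'` this block closes starts outside the hunk.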
@@ -151,11 +161,7 @@
#########################################
create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-create_dir_file($1_crond_t, httpd_$1_content_t)
allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-ifdef(`mozilla.te', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
######################################################################
# Allow the user to create htaccess files
@@ -178,26 +184,8 @@
r_dir_file(httpd_$1_script_t, nfs_t)
')dnl end if nfs_home_dirs
}
-')dnl end ifelse sys
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-r_dir_file(httpd_t, httpd_$1_content_t)
-
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-r_dir_file(httpd_t, httpd_$1_script_rw_t)
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ifdef(`crond.te', `
+create_dir_file($1_crond_t, httpd_$1_content_t)
+')
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.6/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/gift_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -90,6 +90,13 @@
uses_shlib($1_giftd_t)
access_terminal($1_giftd_t, $1)
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file read;
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };
+
# Access home domain
home_domain_access($1_giftd_t, $1, gift)
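Review bot: `allow $1_giftd_t proc_t:file read;` grants read without getattr, unlike the `{ getattr read }` form used for etc_runtime_t three lines below; most readers stat the file before opening it, so the /proc/meminfo case the comment names will likely still produce a getattr denial. Suggest `allow $1_giftd_t proc_t:file { getattr read };`. The rule also covers every proc_t file rather than only /proc/meminfo, so the comment should say so, e.g. `# Read /proc/meminfo (rule covers all proc_t files)`.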
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.6/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.6/macros/program/java_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -31,7 +31,7 @@
can_network_client($1_javaplugin_t)
allow $1_javaplugin_t port_type:tcp_socket name_connect;
can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+allow $1_javaplugin_t self:process { execmem fork signal_perms getsched setsched };
allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t etc_runtime_t:file { getattr read };
@@ -42,6 +42,7 @@
allow $1_javaplugin_t self:file { getattr read };
read_sysctl($1_javaplugin_t)
+allow $1_javaplugin_t sysctl_vm_t:dir search;
tmp_domain($1_javaplugin)
r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
@@ -50,6 +51,11 @@
allow $1_javaplugin_t bin_t:dir search;
can_exec($1_javaplugin_t, java_exec_t)
+# libdeploy.so legacy
+if (allow_execmod) {
+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+}
+
# Allow connections to X server.
ifdef(`xserver.te', `
@@ -111,4 +117,6 @@
dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
+# Do not audit read/getattr of .fonts-cache-1
+dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
')
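Review bot: The added `dontaudit $1_javaplugin_t $1_home_t:file { read getattr };` silences read and getattr denials on every file of type $1_home_t, not only the .fonts-cache-1 file the comment names, so a plugin that is actually attempting to read other files in the user's home directory would do so without any audit record. If the intent is only to quiet the font-cache noise, a dedicated type for that file, or at least a comment stating that all home-file read denials for the plugin are now hidden, would keep the audit trail meaningful. The macro body this `')` closes starts before the hunk.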
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.6/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/mozilla_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -55,6 +55,7 @@
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, shell_exec_t)
can_exec($1_mozilla_t, bin_t)
allow $1_mozilla_t bin_t:lnk_file read;
allow $1_mozilla_t device_t:dir r_dir_perms;
@@ -155,6 +156,11 @@
allow $1_mozilla_t texrel_shlib_t:file execmod;
}
dbusd_client(system, $1_mozilla)
+ifdef(`apache.te', `
+ifelse($1, sysadm, `', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+')
')dnl end mozilla macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.6/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/macros/program/ssh_agent_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -49,6 +49,7 @@
allow $1_ssh_agent_t proc_t:dir search;
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
read_sysctl($1_ssh_agent_t)
# Access the ssh temporary files. Should we have an own type here
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.6/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/user_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -44,7 +44,9 @@
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
-ifdef(`apache.te', `apache_domain($1)')
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+')
ifdef(`slocate.te', `locate_domain($1)')
ifdef(`lockdev.te', `lockdev_domain($1)')
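Review bot: With the new `ifelse($1, sysadm, `', ...)` wrapper, sysadm no longer receives any apache domain from user_macros.te, whereas the removed `apache_domain($1)` ran for every user including sysadm; if apache.te does not itself call apache_domain for the sysadm case, the httpd_sysadm_* types (whose typealias to httpd_sys_content_t this same patch removes in apache_macros.te) would no longer exist and any file context or rule naming them would fail to build. A one-line comment next to the ifelse saying where the sysadm case is now handled would document that assumption for the next reader.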
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.6/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/distro.tun 2005-04-04 10:44:54.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
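Review bot: This hunk and the tunable.tun hunk that follows flip `distro_redhat` plus six tunables from commented-out to defined, including `unlimitedRC`, `unlimitedRPM` and `unlimitedUtils`, which according to their own comments let rc scripts, rpm and utilities such as hotplug/insmod run unconfined, and `hide_broken_symptoms`, which suppresses audit messages; none of this is mentioned in the patch description. If these are the distribution's build settings rather than intended upstream defaults, they should stay out of the shared tree, since each one widens what runs unconfined or reduces what is audited for every consumer of the policy. At minimum the description should list the tunable changes explicitly so they are not merged unnoticed.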
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.6/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/tunable.tun 2005-04-04 10:44:54.000000000 -0400
@@ -1,27 +1,27 @@
# Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.6/types/network.te
--- nsapolicy/types/network.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/types/network.te 2005-04-04 10:44:54.000000000 -0400
@@ -27,7 +27,7 @@
type dhcpd_port_t, port_type, reserved_port_type;
type smbd_port_t, port_type, reserved_port_type;
type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
+type http_cache_port_t, port_type, reserved_port_type;
type http_port_t, port_type, reserved_port_type;
ifdef(`cyrus.te', `define(`use_pop')')
* Re: New Policy Patch
2005-04-04 18:50 ` New " Daniel J Walsh
@ 2005-04-04 19:38 ` Ivan Gyurdiev
2005-04-04 19:40 ` Daniel J Walsh
2005-04-04 19:45 ` Ivan Gyurdiev
2005-04-05 20:20 ` James Carter
1 sibling, 2 replies; 13+ messages in thread
From: Ivan Gyurdiev @ 2005-04-04 19:38 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, SE Linux
> +can_getsecurity(hald_t)
check_context was sufficient for me; does it
need the rest of the permissions in can_getsecurity?
+# For /usr/libexec/hald-add-selinux-mount-option
+allow hald_t security_t:dir search;
+allow hald_t security_t:file { read write };
+allow hald_t security_t:security check_context;
> +# For /usr/sbin/dmidecode
> +# Violates assertion
> +#allow hald_t memory_device_t:chr_file read;
> +allow hald_t self:capability sys_rawio;
Hold on - this should go into its own domain for dmidecode...
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
* Re: New Policy Patch
2005-04-04 19:38 ` Ivan Gyurdiev
@ 2005-04-04 19:40 ` Daniel J Walsh
2005-04-05 22:36 ` Ivan Gyurdiev
2005-04-04 19:45 ` Ivan Gyurdiev
1 sibling, 1 reply; 13+ messages in thread
From: Daniel J Walsh @ 2005-04-04 19:40 UTC (permalink / raw)
To: ivg2; +Cc: jwcart2, SE Linux
Ivan Gyurdiev wrote:
>>+can_getsecurity(hald_t)
>>
>>
>
>check_context was sufficient for me.. does it
>need the rest of the things in can_getsecurity?
>
>+# For /usr/libexec/hald-add-selinux-mount-option
>+allow hald_t security_t:dir search;
>+allow hald_t security_t:file { read write };
>+allow hald_t security_t:security check_context;
>
>
>
>>+# For /usr/sbin/dmidecode
>>+# Violates assertion
>>+#allow hald_t memory_device_t:chr_file read;
>>+allow hald_t self:capability sys_rawio;
>>
>>
>
>Hold on - this should go into its own domain for dmidecode...
>
>
>
Since we do not have that policy yet, we need this for strict to work,
correct?
--
* Re: New Policy Patch
2005-04-04 19:40 ` Daniel J Walsh
@ 2005-04-05 22:36 ` Ivan Gyurdiev
0 siblings, 0 replies; 13+ messages in thread
From: Ivan Gyurdiev @ 2005-04-05 22:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, SE Linux
> Since we do not have that policy yet, we need this for strict to work,
> correct?
Well, I did get a denial, and that fixes the denial, but I'm not
sure if it should be merged, given that the memory_device_t read
isn't allowed yet...
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
* Re: New Policy Patch
2005-04-04 19:38 ` Ivan Gyurdiev
2005-04-04 19:40 ` Daniel J Walsh
@ 2005-04-04 19:45 ` Ivan Gyurdiev
1 sibling, 0 replies; 13+ messages in thread
From: Ivan Gyurdiev @ 2005-04-04 19:45 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, SE Linux
Also, the java execmem addition does not respect the allow_execmem
boolean.
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
* Re: New Policy Patch
2005-04-04 18:50 ` New " Daniel J Walsh
2005-04-04 19:38 ` Ivan Gyurdiev
@ 2005-04-05 20:20 ` James Carter
1 sibling, 0 replies; 13+ messages in thread
From: James Carter @ 2005-04-05 20:20 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Merged.
I did change the java_macros.te execmem usage to use the allow_execmem
boolean.
On Mon, 2005-04-04 at 14:50 -0400, Daniel J Walsh wrote:
> Major regrouping of apache_policy
>
> Now use apache_domain and apache_user_domain
> Added boolean httpd_builtin_scripting, which when turned off only allows
> running of external apache scripts, not built-in modules like PHP.
> Users can now create their own scripts using apache_domain(myscript)
>
> More fixes of can_network and named_connect
>
> Added NetworkManager policy.
>
> A few fixes submitted from Ivan for hal, kudzu
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency