Latest diffs

Latest diffs

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 836 bytes --]

Changes include

removal of ifdef automount.te
autofs is defined outside of automount.te so this is not necassary and 
was causing targeted policy problems.

Introduction of texrel_shlib_t which define shlib_t libraries that use 
text relocation (execmod).  I have only labeled a few of these so far,
as Red Hat is working to clean these up.  Also using a boolean to turn 
this feature off allow_execmod

Changes to make smbmount work

Fixes for tmpreaper

Changed postgres helper apps back to default context, running them in 
postgresql breaks alot.

Added HelixPlayer file_context

Modified the Makefile so that it defaults to
make -> make policy

make load and make reload no longer install the context files, only make 
install does.

This prevents people from overwriting the system context files if they 
have modified them.





[-- Attachment #2: policy-20050128.patch --]
[-- Type: text/x-patch, Size: 32345 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.5/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-01-28 11:50:48.000000000 -0500
+++ policy-1.21.5/domains/program/login.te	2005-01-28 14:02:57.000000000 -0500
@@ -73,9 +73,7 @@
 # Set exec context.
 can_setexec($1_login_t)
 
-ifdef(`automount.te', `
 allow $1_login_t autofs_t:dir { search read getattr };
-')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
 if (use_nfs_home_dirs) {
@@ -128,6 +126,11 @@
 
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
 
+ifdef(`targeted_policy',`
+unconfined_domain($1_login_t)
+domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
+')
+
 ')dnl end login_domain macro
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.21.5/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-01-24 16:57:04.000000000 -0500
+++ policy-1.21.5/domains/program/mount.te	2005-01-28 14:02:57.000000000 -0500
@@ -49,6 +49,7 @@
 allow mount_t devpts_t:dir mounton;
 allow mount_t usbdevfs_t:dir mounton;
 allow mount_t sysfs_t:dir mounton;
+allow mount_t binfmt_misc_fs_t:dir mounton;
 allow mount_t nfs_t:dir mounton;
 allow mount_t nfs_t:dir search;
 # nfsv4 has a filesystem to mount for its userspace daemons
@@ -83,9 +84,7 @@
 
 # for localization
 allow mount_t lib_t:file { getattr read };
-ifdef(`automount.te', `
 allow mount_t autofs_t:dir read;
-')
 allow mount_t fs_t:filesystem relabelfrom;
 #
 # This rule needs to be generalized.  Only admin, initrc should have it.
@@ -101,5 +100,13 @@
 allow mount_t tmpfs_t:chr_file { read write };
 allow mount_t tmpfs_t:dir mounton;
 ')
+
+
 # tries to read /init
 dontaudit mount_t root_t:file {getattr read };
+dontaudit mount_t root_t:file read;
+
+allow kernel_t mount_t:tcp_socket { read write };
+allow mount_t self:capability { setgid setuid };
+allow user_t mount_t:tcp_socket write;
+allow mount_t proc_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.21.5/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.5/domains/program/ssh.te	2005-01-28 14:02:57.000000000 -0500
@@ -73,9 +73,7 @@
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 if (use_nfs_home_dirs) {
-ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
-')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
 }
@@ -213,11 +211,6 @@
 can_exec(sshd_t, pam_exec_t)
 ')
 
-
-ifdef(`automount.te', `
-allow sshd_t autofs_t:dir search;
-')
-
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
 daemon_base_domain(ssh_keygen)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.21.5/domains/program/tmpreaper.te
--- nsapolicy/domains/program/tmpreaper.te	2005-01-20 15:55:02.000000000 -0500
+++ policy-1.21.5/domains/program/tmpreaper.te	2005-01-28 14:02:57.000000000 -0500
@@ -30,6 +30,8 @@
 allow tmpreaper_t urandom_device_t:chr_file { getattr read };
 rw_dir_file(tmpreaper_t, var_spool_t)
 allow tmpreaper_t var_spool_t:dir setattr;
+allow tmpreaper_t print_spool_t:dir setattr;
+rw_dir_file(tmpreaper_t, print_spool_t)
 
 ifdef(`distro_redhat', `
 # for the Red Hat tmpreaper program which also manages tetex indexes
@@ -37,4 +39,4 @@
 allow tmpreaper_t catman_t:dir setattr;
 ')
 read_locale(tmpreaper_t)
-
+dontaudit tmpreaper_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.5/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.5/domains/program/unused/apache.te	2005-01-28 14:02:57.000000000 -0500
@@ -264,10 +264,9 @@
 
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 
-ifdef(`automount.te', `
 allow httpd_t autofs_t:dir { search getattr };
 allow httpd_suexec_t autofs_t:dir { search getattr };
-')
+
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(nfs_t)
 }
@@ -315,6 +314,8 @@
 ifdef(`snmpd.te', `
 dontaudit httpd_t snmpd_var_lib_t:dir search;
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
+', `
+dontaudit httpd_t usr_t:dir write;
 ')
 
 type httpd_squirrelmail_t, file_type, sysadmfile;
@@ -347,3 +348,4 @@
 
 read_sysctl(httpd_sys_script_t)
 allow httpd_sys_script_t var_lib_t:dir search;
+dontaudit httpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.21.5/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-01-20 15:55:04.000000000 -0500
+++ policy-1.21.5/domains/program/unused/dhcpc.te	2005-01-28 14:02:57.000000000 -0500
@@ -128,3 +128,5 @@
 dontaudit dhcpc_t var_lock_t:dir search;
 dontaudit dhcpc_t selinux_config_t:dir search;
 allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit dhcpc_t domain:dir getattr;
+allow dhcpc_t initrc_var_run_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.5/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.5/domains/program/unused/ftpd.te	2005-01-28 14:02:57.000000000 -0500
@@ -87,9 +87,7 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t selinux_config_t:dir search;
-ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir search;
-')
 allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.21.5/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2005-01-20 15:55:07.000000000 -0500
+++ policy-1.21.5/domains/program/unused/kudzu.te	2005-01-28 14:02:57.000000000 -0500
@@ -94,3 +94,7 @@
 ')
 allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
 dontaudit kudzu_t src_t:dir search;
+ifdef(`xserver.te', `
+allow kudzu_t xserver_exec_t:file getattr;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.21.5/domains/program/unused/prelink.te
--- nsapolicy/domains/program/unused/prelink.te	2005-01-20 15:55:09.000000000 -0500
+++ policy-1.21.5/domains/program/unused/prelink.te	2005-01-28 14:02:57.000000000 -0500
@@ -12,7 +12,7 @@
 daemon_base_domain(prelink, `, admin')
 
 allow prelink_t self:process execmem;
-allow prelink_t shlib_t:file execmod;
+allow prelink_t { texrel_shlib_t shlib_t }:file execmod;
 
 allow prelink_t fs_t:filesystem getattr;
 
@@ -32,7 +32,7 @@
 allow prelink_t file_type:dir rw_dir_perms;
 allow prelink_t file_type:lnk_file r_file_perms;
 allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
 allow prelink_t ld_so_t:file execute_no_trans;
 
 allow prelink_t self:capability { chown dac_override fowner fsetid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.21.5/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.5/domains/program/unused/rpm.te	2005-01-28 14:02:57.000000000 -0500
@@ -75,11 +75,9 @@
 # bash tries ioctl for some reason
 dontaudit initrc_t pidfile:file ioctl;
 
-ifdef(`automount.te', `
 allow rpm_t autofs_t:dir { search getattr };
 allow rpm_t autofs_t:filesystem getattr;
 allow rpm_script_t autofs_t:dir { search getattr };
-')
 allow rpm_t devpts_t:dir { setattr r_dir_perms };
 allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
 dontaudit rpm_t security_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.5/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-01-28 11:50:49.000000000 -0500
+++ policy-1.21.5/domains/program/unused/samba.te	2005-01-28 14:02:57.000000000 -0500
@@ -120,3 +120,36 @@
 # Support Samba sharing of home directories
 bool samba_enable_home_dirs false;
 
+ifdef(`mount.te', `
+#
+# Domain for running smbmount
+#
+application_domain(smbmount, `, fs_domain, nscd_client_domain');
+can_network(smbmount_t)
+can_ypbind(smbmount_t)
+allow smbmount_t cifs_t:dir r_dir_perms;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t samba_etc_t:file r_file_perms;
+allow smbmount_t samba_log_t:dir r_dir_perms;
+allow smbmount_t samba_log_t:file ra_file_perms;
+rw_dir_create_file(smbmount_t, samba_var_t)
+domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
+r_dir_file(smbmount_t, proc_t)
+allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+allow smbmount_t self:process { fork signal_perms };
+file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
+allow smbmount_t cifs_t:dir mounton;
+allow smbmount_t cifs_t:dir search;
+allow smbmount_t mnt_t:dir mounton;
+read_locale(smbmount_t)
+allow smbmount_t userdomain:fd use;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+can_exec(smbmount_t, bin_t)
+allow kernel_t smbmount_t:tcp_socket { read write };
+allow smbmount_t file_type:filesystem { unmount mount relabelto };
+allow smbmount_t local_login_t:fd use;
+allow smbmount_t mnt_t:dir { search getattr };
+allow smbmount_t samba_etc_t:dir search;
+allow smbmount_t sysadm_tty_device_t:chr_file { read write };
+allow smbmount_t etc_t:file { getattr read };
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.21.5/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2005-01-24 12:08:36.000000000 -0500
+++ policy-1.21.5/domains/program/unused/spamd.te	2005-01-28 14:02:57.000000000 -0500
@@ -55,9 +55,7 @@
 
 system_crond_entry(spamd_exec_t, spamd_t)
 
-ifdef(`automount.te', `
 allow spamd_t autofs_t:dir { search getattr };
-')
 
 if (use_nfs_home_dirs) {
 allow spamd_t nfs_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.21.5/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.5/domains/program/unused/xdm.te	2005-01-28 14:02:57.000000000 -0500
@@ -282,9 +282,7 @@
 allow xdm_xserver_t user_home_type:file { getattr read };
 
 if (use_nfs_home_dirs) {
-ifdef(`automount.te', `
 allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
-')
 allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
 allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
 can_exec(xdm_t, nfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.21.5/domains/user.te
--- nsapolicy/domains/user.te	2005-01-24 12:08:35.000000000 -0500
+++ policy-1.21.5/domains/user.te	2005-01-28 14:02:57.000000000 -0500
@@ -10,6 +10,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support Share libraries with Text Relocation
+bool allow_execmod false;
+
 # Support SAMBA home directories
 bool use_samba_home_dirs false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.21.5/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-01-28 11:50:49.000000000 -0500
+++ policy-1.21.5/file_contexts/distros.fc	2005-01-28 14:02:57.000000000 -0500
@@ -63,6 +63,10 @@
 ifdef(`dbusd.te', `', `
 /var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
 ')
+
+/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
+
 ')
 
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.21.5/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc	2005-01-20 15:55:17.000000000 -0500
+++ policy-1.21.5/file_contexts/program/initrc.fc	2005-01-28 14:40:08.000000000 -0500
@@ -30,9 +30,7 @@
 
 # run_init
 /usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
-ifdef(`distro_debian', `
 /usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
-')
 /etc/nologin.*		--	system_u:object_r:etc_runtime_t
 /etc/nohotplug		--	system_u:object_r:etc_runtime_t
 ifdef(`distro_redhat', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.21.5/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.5/file_contexts/program/postgresql.fc	2005-01-28 14:02:57.000000000 -0500
@@ -1,18 +1,8 @@
-# postgresql - ldap server
+# postgresql - database server
 /usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t
 /usr/bin/postgres	--	system_u:object_r:postgresql_exec_t
-/usr/bin/pg_dump	--	system_u:object_r:postgresql_exec_t
-/usr/bin/pg_dumpall	--	system_u:object_r:postgresql_exec_t
-/usr/bin/pg_resetxlog	--	system_u:object_r:postgresql_exec_t
 /usr/bin/initdb		--	system_u:object_r:postgresql_exec_t
 
-# not sure whether the following binaries need labelling
-/usr/bin/createlang	--	system_u:object_r:postgresql_exec_t
-/usr/bin/droplang	--	system_u:object_r:postgresql_exec_t
-/usr/bin/pg_encoding	--	system_u:object_r:postgresql_exec_t
-/usr/bin/pg_id		--	system_u:object_r:postgresql_exec_t
-/usr/bin/pg_restore	--	system_u:object_r:postgresql_exec_t
-
 /var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t
 /var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t
 /var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.21.5/file_contexts/program/samba.fc
--- nsapolicy/file_contexts/program/samba.fc	2005-01-20 15:55:19.000000000 -0500
+++ policy-1.21.5/file_contexts/program/samba.fc	2005-01-28 14:02:57.000000000 -0500
@@ -19,3 +19,6 @@
 /var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t
 /var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t
 /var/spool/samba(/.*)?		system_u:object_r:samba_var_t
+ifdef(`mount.te', `
+/usr/bin/smbmount		system_u:object_r:smbmount_exec_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.21.5/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-01-24 16:57:05.000000000 -0500
+++ policy-1.21.5/file_contexts/types.fc	2005-01-28 14:02:57.000000000 -0500
@@ -336,6 +336,7 @@
 /usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
 /usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
+/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
@@ -350,6 +351,11 @@
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
 /usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t
+
+# nvidia share libraries
+/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
+
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.5/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/base_user_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -42,8 +42,10 @@
 # Allow loading DSOs that require executable stack.
 allow $1_t self:process execmem;
 
+if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t shlib_t:file execmod;
+}
 
 #
 # kdeinit wants this access
@@ -73,9 +75,7 @@
 allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
 can_setfscreate($1_t)
 
-ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
-')dnl end if automount.te
 
 if (use_nfs_home_dirs) {
 network_home_dir($1_t, nfs_t)
@@ -85,6 +85,7 @@
 network_home_dir($1_t, cifs_t)
 }
 
+can_exec($1_t, { removable_t noexattrfile } )
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
 create_dir_file($1_t, removable_t)
@@ -93,6 +94,7 @@
 allow $1_t usbtty_device_t:chr_file write;
 } else {
 r_dir_file($1_t, noexattrfile)
+r_dir_file($1_t, removable_t)
 allow $1_t removable_device_t:blk_file r_file_perms;
 }
 allow $1_t usbtty_device_t:chr_file read;
@@ -281,6 +283,7 @@
 ifdef(`xserver.te', `
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
 ')
 
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.21.5/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2005-01-20 15:55:21.000000000 -0500
+++ policy-1.21.5/macros/core_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -692,7 +692,5 @@
 # eventually this should become can_nsswitch
 #
 can_ypbind($1)
-ifdef(`automount.te', `
 allow $1 autofs_t:dir { search getattr };
-')
 ')dnl end general_domain_access
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.5/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/global_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -104,8 +104,11 @@
 allow $1 ld_so_t:file rx_file_perms;
 #allow $1 ld_so_t:file execute_no_trans;
 allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 shlib_t:file rx_file_perms;
-allow $1 shlib_t:lnk_file r_file_perms;
+allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
+allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+if (allow_execmod) {
+allow $1 texrel_shlib_t:file execmod;
+}
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
@@ -252,9 +255,7 @@
 
 r_dir_file($1_t, sysfs_t) 
 
-ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
-')dnl end if automount.te
 ifdef(`targeted_policy', `
 dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
 dontaudit $1_t root_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.5/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/program/apache_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -19,6 +19,7 @@
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail, nscd_client_domain;
 role system_r types httpd_$1_script_t;
+uses_shlib(httpd_$1_script_t)
 
 if (httpd_enable_cgi) {
 domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
@@ -28,7 +29,6 @@
 allow httpd_$1_script_t httpd_t:fd use;
 allow httpd_$1_script_t httpd_t:process sigchld;
 
-uses_shlib(httpd_$1_script_t)
 can_network(httpd_$1_script_t)
 allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_$1_script_t usr_t:lnk_file { getattr read };
@@ -41,7 +41,6 @@
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
-allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
 
 allow httpd_$1_script_t { self proc_t }:file { getattr read };
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
@@ -117,6 +116,7 @@
 domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
 create_dir_file(httpd_t, httpdcontent)
+can_exec(httpd_t, httpdcontent )
 ', `
 can_exec(httpd_$1_script_t, httpdcontent )
 domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.21.5/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2005-01-20 15:55:23.000000000 -0500
+++ policy-1.21.5/macros/program/dbusd_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -14,7 +14,7 @@
 typealias system_dbusd_t alias dbusd_t;
 type etc_dbusd_t, file_type, sysadmfile;
 ',`
-type $1_dbusd_t, domain, privlog, userspace_objmgr;
+type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
 role $1_r types $1_dbusd_t;
 domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
 read_locale($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.5/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-01-28 11:50:50.000000000 -0500
+++ policy-1.21.5/macros/program/mozilla_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -25,7 +25,7 @@
 allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
@@ -43,9 +43,7 @@
 if (use_samba_home_dirs) {
 create_dir_file($1_mozilla_t, cifs_t)
 }
-ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
-')dnl end if automount
 
 # for bash
 allow $1_mozilla_t device_t:dir r_dir_perms;
@@ -127,7 +125,7 @@
 #
 allow $1_mozilla_t ld_so_cache_t:file execute;
 allow $1_mozilla_t locale_t:file execute;
-dontaudit $1_mozilla_t device_type:{ chr_file file } execute;
+dontaudit $1_mozilla_t *:{ chr_file file } execute;
 dontaudit $1_t ld_so_cache_t:file execute;
 dontaudit $1_t locale_t:file execute;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.21.5/macros/program/newrole_macros.te
--- nsapolicy/macros/program/newrole_macros.te	2005-01-20 15:55:25.000000000 -0500
+++ policy-1.21.5/macros/program/newrole_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -46,9 +46,7 @@
 
 can_setexec($1_t)
 
-ifdef(`automount.te', `
 allow $1_t autofs_t:dir search;
-')
 
 # Use capabilities.
 allow $1_t self:capability { setuid setgid net_bind_service dac_override };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.5/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/program/ssh_agent_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -38,9 +38,7 @@
 
 can_ypbind($1_ssh_agent_t)
 if (use_nfs_home_dirs) {
-ifdef(`automount.te', `
 allow $1_ssh_agent_t autofs_t:dir { search getattr };
-')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
 }
 if (use_samba_home_dirs) {
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.5/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/program/ssh_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -24,9 +24,7 @@
 type $1_ssh_t, domain, privlog, nscd_client_domain;
 type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
 
-ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
-')
 if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
 }
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.21.5/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/program/su_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -133,9 +133,7 @@
 dontaudit $1_su_t home_dir_type:dir { search write };
 ')
 
-ifdef(`automount.te', `
 allow $1_su_t autofs_t:dir { search getattr };
-')
 if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
 }
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.21.5/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2005-01-20 15:55:26.000000000 -0500
+++ policy-1.21.5/macros/program/userhelper_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -115,9 +115,7 @@
 
 allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
 
-ifdef(`automount.te', `
 allow $1_userhelper_t autofs_t:dir search;
-')
 allow $1_userhelper_t sysctl_t:dir search;
 role system_r types $1_userhelper_t;
 r_dir_file($1_userhelper_t, nfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.21.5/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2005-01-24 12:08:37.000000000 -0500
+++ policy-1.21.5/macros/program/xauth_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -81,9 +81,7 @@
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
 if (use_nfs_home_dirs) {
-ifdef(`automount.te', `
 allow $1_xauth_t autofs_t:dir { search getattr };
-')
 rw_dir_create_file($1_xauth_t, nfs_t)
 }
 if (use_samba_home_dirs) {
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.5/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-01-28 11:50:50.000000000 -0500
+++ policy-1.21.5/macros/program/x_client_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -23,7 +23,7 @@
 #
 define(`x_client_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_$2_t, domain $3;
+type $1_$2_t, domain, nscd_client_domain $3;
 # Type for files that are writeable by this domain.
 type $1_$2_rw_t, file_type, $1_file_type, sysadmfile, tmpfile;
 # Type for files that are read-only for this domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.21.5/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2005-01-20 15:55:22.000000000 -0500
+++ policy-1.21.5/macros/user_macros.te	2005-01-28 14:02:57.000000000 -0500
@@ -126,10 +126,6 @@
 undefine(`full_user_role')
 define(`full_user_role', `
 
-# certain apps ask for this priv kdesu, fetchmail
-# dac controls force the user to only lower priority
-allow $1_t self:process setrlimit;
-
 # user_t/$1_t is an unprivileged users domain.
 type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
 
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.5/Makefile
--- nsapolicy/Makefile	2005-01-28 11:50:46.000000000 -0500
+++ policy-1.21.5/Makefile	2005-01-28 14:16:21.000000000 -0500
@@ -3,7 +3,7 @@
 #
 # Targets:
 # 
-# install - compile and install the policy configuration.
+# install - compile and install the policy configuration, and context files.
 # load    - compile, install, and load the policy configuration.
 # reload  - compile, install, and load/reload the policy configuration.
 # relabel - relabel filesystems based on the file contexts configuration.
@@ -60,7 +60,7 @@
 
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
-all:  install
+all:  policy
 
 tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 	@echo "Validating file_contexts ..."	
@@ -81,10 +81,9 @@
 
 $(USERPATH)/local.users: local.users
 	@mkdir -p $(USERPATH)
-	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USERPATH)/local.users | sed 's/^user/#user/g' > tmp/local.users
+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te local.users | sed 's/^user/#user/g' > tmp/local.users
 	install -m 644 tmp/local.users $@
 
-
 $(CONTEXTPATH)/files/media: appconfig/media
 	mkdir -p $(CONTEXTPATH)/files/
 	install -m 644 $< $@
@@ -145,7 +144,7 @@
 	@echo "Validating file_contexts ..."
 	$(SETFILES) -q -c $(POLICYVER) $(FC)
 
-reload tmp/load: install
+reload tmp/load: $(FCPATH) $(LOADPATH)
 ifeq ($(VERS), $(KERNVERS))
 	$(LOADPOLICY) $(LOADPATH)
 else
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.21.5/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-01-24 16:57:06.000000000 -0500
+++ policy-1.21.5/targeted/domains/program/crond.te	2005-01-28 14:02:57.000000000 -0500
@@ -12,12 +12,18 @@
 #
 type crond_exec_t, file_type, sysadmfile, exec_type;
 type crond_t, domain;
-type system_crond_t, domain;
+typealias crond_t alias system_crond_t;
 type anacron_exec_t, file_type, sysadmfile, exec_type;
 type system_crond_tmp_t, file_type, sysadmfile;
 type system_cron_spool_t, file_type, sysadmfile;
 type sysadm_cron_spool_t, file_type, sysadmfile;
 type crond_log_t, file_type, sysadmfile;
 type crond_var_run_t, file_type, sysadmfile;
+role system_r types system_crond_t;
 domain_auto_trans(initrc_t, crond_exec_t, crond_t)
 domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+unconfined_domain(crond_t)
+# Access log files
+file_type_auto_trans(crond_t, var_log_t, crond_log_t, file)
+file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
+file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.5/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-01-28 11:50:50.000000000 -0500
+++ policy-1.21.5/targeted/domains/unconfined.te	2005-01-28 14:02:57.000000000 -0500
@@ -44,6 +44,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support Share libraries with Text Relocation
+bool allow_execmod false;
+
 # Support SAMBA home directories
 bool use_samba_home_dirs false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.5/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.5/tunables/distro.tun	2005-01-28 14:02:57.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.5/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-01-20 15:55:28.000000000 -0500
+++ policy-1.21.5/tunables/tunable.tun	2005-01-28 14:02:57.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.21.5/types/file.te
--- nsapolicy/types/file.te	2005-01-20 15:55:28.000000000 -0500
+++ policy-1.21.5/types/file.te	2005-01-28 14:02:57.000000000 -0500
@@ -127,9 +127,18 @@
 # shlib_t is the type of shared objects in the system lib
 # directories.
 #
+ifdef(`targeted_policy', `
+typealias lib_t alias shlib_t;
+', `
 type shlib_t, file_type, sysadmfile;
+')
 
 #
+# texrel_shlib_t is the type of shared objects in the system lib
+# directories, which require text relocation.
+#
+type texrel_shlib_t, file_type, sysadmfile;
+
 # ld_so_t is the type of the system dynamic loaders.
 #
 type ld_so_t, file_type, sysadmfile;

Re: Latest diffs

[James Carter]

Merged.  Some comments below.

On Fri, 2005-01-28 at 14:48, Daniel J Walsh wrote:
> Changes include
> 
> removal of ifdef automount.te
> autofs is defined outside of automount.te so this is not necassary and 
> was causing targeted policy problems.
> 
> Introduction of texrel_shlib_t which define shlib_t libraries that use 
> text relocation (execmod).  I have only labeled a few of these so far,
> as Red Hat is working to clean these up.  Also using a boolean to turn 
> this feature off allow_execmod
> 
> Changes to make smbmount work
> 
> Fixes for tmpreaper
> 
> Changed postgres helper apps back to default context, running them in 
> postgresql breaks alot.
> 
> Added HelixPlayer file_context
> 
> Modified the Makefile so that it defaults to
> make -> make policy
> 
> make load and make reload no longer install the context files, only make 
> install does.
> 
> This prevents people from overwriting the system context files if they 
> have modified them.
> 

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.5/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2005-01-28 11:50:50.000000000 -0500
> +++ policy-1.21.5/macros/program/mozilla_macros.te	2005-01-28 14:02:57.000000000 -0500
> @@ -25,7 +25,7 @@
>  allow $1_mozilla_t $1_t:process signull;
>  
>  # Set resource limits and scheduling info.
> -allow $1_mozilla_t self:process { setrlimit setsched };
> +allow $1_mozilla_t self:process { execmem setrlimit setsched };
>  
>  allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
>  allow $1_mozilla_t var_lib_t:file { getattr read };
Didn't merge this.

> @@ -127,7 +125,7 @@
>  #
>  allow $1_mozilla_t ld_so_cache_t:file execute;
>  allow $1_mozilla_t locale_t:file execute;
> -dontaudit $1_mozilla_t device_type:{ chr_file file } execute;
> +dontaudit $1_mozilla_t *:{ chr_file file } execute;
>  dontaudit $1_t ld_so_cache_t:file execute;
>  dontaudit $1_t locale_t:file execute;
Can we be a little bit more specific here?

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

After Jim's merge of some of your changes, I've committed the patch
below, which introduces an allow_execmem boolean for all execmem allow
rules, wraps some additional execmod allow rules with your boolean,
removes execmod permission to shlib_t entirely (should only be allowed
to texrel_shlib_t except for special domains for programs like java),
and assigns texrel_shlib_t to libGL.  Actually, some of the individual
execmod allow rules may now be redundant with the conditional rule you
put in uses_shlib.  I think that we may need to further break up these
booleans to allow certain programs to have these permissions without
granting them more widely.

Index: policy/domains/user.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/user.te,v
retrieving revision 1.31
diff -u -r1.31 user.te
--- policy/domains/user.te	1 Feb 2005 18:39:50 -0000	1.31
+++ policy/domains/user.te	1 Feb 2005 18:48:31 -0000
@@ -10,6 +10,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Allow execution of anonymous mappings, e.g. executable stack.
+bool allow_execmem false;
+
 # Support Share libraries with Text Relocation
 bool allow_execmod false;
 
Index: policy/domains/program/modutil.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/modutil.te,v
retrieving revision 1.30
diff -u -r1.30 modutil.te
--- policy/domains/program/modutil.te	21 Jan 2005 20:03:06 -0000	1.30
+++ policy/domains/program/modutil.te	1 Feb 2005 19:04:21 -0000
@@ -124,7 +124,7 @@
 allow insmod_t self:rawip_socket create_socket_perms;
 allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
 allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms execmem };
+allow insmod_t self:process { fork signal_perms };
 allow insmod_t device_t:dir search;
 allow insmod_t etc_runtime_t:file { getattr read };
 
Index: policy/domains/program/unused/kudzu.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/kudzu.te,v
retrieving revision 1.21
diff -u -r1.21 kudzu.te
--- policy/domains/program/unused/kudzu.te	1 Feb 2005 18:39:51 -0000	1.21
+++ policy/domains/program/unused/kudzu.te	1 Feb 2005 19:03:36 -0000
@@ -11,7 +11,9 @@
 allow kudzu_t etc_runtime_t:file rw_file_perms;
 
 # for kmodule
+if (allow_execmem) {
 allow kudzu_t self:process execmem;
+}
 allow kudzu_t zero_device_t:chr_file rx_file_perms;
 allow kudzu_t memory_device_t:chr_file { read write execute };
 
Index: policy/domains/program/unused/prelink.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/prelink.te,v
retrieving revision 1.17
diff -u -r1.17 prelink.te
--- policy/domains/program/unused/prelink.te	1 Feb 2005 18:39:51 -0000	1.17
+++ policy/domains/program/unused/prelink.te	1 Feb 2005 18:46:21 -0000
@@ -11,8 +11,12 @@
 #
 daemon_base_domain(prelink, `, admin')
 
+if (allow_execmem) {
 allow prelink_t self:process execmem;
-allow prelink_t { texrel_shlib_t shlib_t }:file execmod;
+}
+if (allow_execmod) {
+allow prelink_t texrel_shlib_t:file execmod;
+}
 
 allow prelink_t fs_t:filesystem getattr;
 
Index: policy/domains/program/unused/udev.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/udev.te,v
retrieving revision 1.38
diff -u -r1.38 udev.te
--- policy/domains/program/unused/udev.te	24 Jan 2005 19:00:42 -0000	1.38
+++ policy/domains/program/unused/udev.te	1 Feb 2005 19:03:20 -0000
@@ -13,8 +13,10 @@
 
 general_domain_access(udev_t)
 
+if (allow_execmem) {
 # for alsactl
 allow udev_t self:process execmem;
+}
 
 etc_domain(udev)
 typealias udev_etc_t alias etc_udev_t;
Index: policy/file_contexts/types.fc
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/file_contexts/types.fc,v
retrieving revision 1.70
diff -u -r1.70 types.fc
--- policy/file_contexts/types.fc	1 Feb 2005 18:39:51 -0000	1.70
+++ policy/file_contexts/types.fc	1 Feb 2005 18:45:11 -0000
@@ -356,6 +356,9 @@
 /usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
 
+# libGL
+/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
+
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
 ')
Index: policy/macros/base_user_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/base_user_macros.te,v
retrieving revision 1.44
diff -u -r1.44 base_user_macros.te
--- policy/macros/base_user_macros.te	1 Feb 2005 18:39:52 -0000	1.44
+++ policy/macros/base_user_macros.te	1 Feb 2005 18:49:51 -0000
@@ -39,12 +39,14 @@
 # Grant permissions within the domain.
 general_domain_access($1_t)
 
+if (allow_execmem) {
 # Allow loading DSOs that require executable stack.
 allow $1_t self:process execmem;
+}
 
 if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t shlib_t:file execmod;
+allow $1_t texrel_shlib_t:file execmod;
 }
 
 #
Index: policy/macros/program/xserver_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/program/xserver_macros.te,v
retrieving revision 1.41
diff -u -r1.41 xserver_macros.te
--- policy/macros/program/xserver_macros.te	20 Dec 2004 21:26:20 -0000	1.41
+++ policy/macros/program/xserver_macros.te	1 Feb 2005 19:02:41 -0000
@@ -58,7 +58,9 @@
 # for access within the domain
 general_domain_access($1_xserver_t)
 
+if (allow_execmem) {
 allow $1_xserver_t self:process execmem;
+}
 
 allow $1_xserver_t etc_runtime_t:file { getattr read };
 
Index: policy/targeted/domains/unconfined.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/targeted/domains/unconfined.te,v
retrieving revision 1.25
diff -u -r1.25 unconfined.te
--- policy/targeted/domains/unconfined.te	1 Feb 2005 18:39:53 -0000	1.25
+++ policy/targeted/domains/unconfined.te	1 Feb 2005 18:47:44 -0000
@@ -44,6 +44,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Allow execution of anonymous mappings, e.g. executable stack.
+bool allow_execmem false;
+
 # Support Share libraries with Text Relocation
 bool allow_execmod false;
 

  
-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Ivan Gyurdiev]

> +# libGL
> +/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
> +

How about those:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145067

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Tue, 2005-02-01 at 16:41, Ivan Gyurdiev wrote:
> > +# libGL
> > +/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
> > +
> 
> How about those:
> 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145067

Dan has already marked certain shared objects with texrel_shlib_t in his
diffs; I was only adding libGL because I was also changing an existing
execmod allow rule for it to use the new texrel_shlib_t type.  I think
that the shared objects you originally listed are being reviewed by Red
Hat and some of them will be fixed, as not all of them truly require
text relocations.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Tue, 2005-02-01 at 14:48, Stephen Smalley wrote:
> After Jim's merge of some of your changes, I've committed the patch
> below, which introduces an allow_execmem boolean for all execmem allow
> rules, wraps some additional execmod allow rules with your boolean,
> removes execmod permission to shlib_t entirely (should only be allowed
> to texrel_shlib_t except for special domains for programs like java),
> and assigns texrel_shlib_t to libGL.  Actually, some of the individual
> execmod allow rules may now be redundant with the conditional rule you
> put in uses_shlib.  I think that we may need to further break up these
> booleans to allow certain programs to have these permissions without
> granting them more widely.

BTW, I think that putting the conditional rule in uses_shlib() is likely
not what you want, as it means that if you allow execmod at all to
texrel_shlib_t, you essentially allow it for all domains.  In practice,
I think you will only want to allow it where needed, and especially not
for daemon domains.  Hence, I would recommend removing it from
uses_shlib() and instead add it selectively to domains that have a
legitimate need, as has already been done for a few cases as well as the
user domains.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Wed, 2005-02-02 at 08:08, Stephen Smalley wrote:
> BTW, I think that putting the conditional rule in uses_shlib() is likely
> not what you want, as it means that if you allow execmod at all to
> texrel_shlib_t, you essentially allow it for all domains.  In practice,
> I think you will only want to allow it where needed, and especially not
> for daemon domains.  Hence, I would recommend removing it from
> uses_shlib() and instead add it selectively to domains that have a
> legitimate need, as has already been done for a few cases as well as the
> user domains.

Patch below committed.  We can add such conditional rules to individual
domain .te files as needed.  unconfined_t is already exempt.  daemon
domains should likely never have such permission.

Index: policy/macros/global_macros.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/macros/global_macros.te,v
retrieving revision 1.75
diff -u -r1.75 global_macros.te
--- policy/macros/global_macros.te	1 Feb 2005 18:39:52 -0000	1.75
+++ policy/macros/global_macros.te	2 Feb 2005 13:13:06 -0000
@@ -106,9 +106,6 @@
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-if (allow_execmod) {
-allow $1 texrel_shlib_t:file execmod;
-}
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 159 bytes --]

Added mplayer policy

Switched /u?dev back to /dev since this is no longer needed.

more fixes for smbmount.

Made some of the changes Stephen suggested.

Dan

[-- Attachment #2: policy-20050201.patch --]
[-- Type: text/x-patch, Size: 29816 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.21.7/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2005-02-01 15:08:35.000000000 -0500
+++ policy-1.21.7/domains/program/mount.te	2005-02-02 08:27:37.000000000 -0500
@@ -49,7 +49,6 @@
 allow mount_t devpts_t:dir mounton;
 allow mount_t usbdevfs_t:dir mounton;
 allow mount_t sysfs_t:dir mounton;
-allow mount_t binfmt_misc_fs_t:dir mounton;
 allow mount_t nfs_t:dir mounton;
 allow mount_t nfs_t:dir search;
 # nfsv4 has a filesystem to mount for its userspace daemons
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.7/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-02-01 15:08:36.000000000 -0500
+++ policy-1.21.7/domains/program/unused/apache.te	2005-02-02 08:27:37.000000000 -0500
@@ -349,3 +349,4 @@
 read_sysctl(httpd_sys_script_t)
 allow httpd_sys_script_t var_lib_t:dir search;
 dontaudit httpd_t selinux_config_t:dir search;
+r_dir_file(httpd_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.21.7/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te	2005-01-31 10:02:05.000000000 -0500
+++ policy-1.21.7/domains/program/unused/i18n_input.te	2005-02-02 08:27:37.000000000 -0500
@@ -25,4 +25,5 @@
 allow i18n_input_t etc_t:file r_file_perms;
 allow i18n_input_t self:unix_dgram_socket create_socket_perms;
 allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
+allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
 allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mplayer.te policy-1.21.7/domains/program/unused/mplayer.te
--- nsapolicy/domains/program/unused/mplayer.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.7/domains/program/unused/mplayer.te	2005-02-02 08:27:37.000000000 -0500
@@ -0,0 +1,12 @@
+#DESC mplayer - media player 
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+# Type for the mplayer executable.
+type mplayer_exec_t, file_type, exec_type, sysadmfile;
+type mencoder_exec_t, file_type, exec_type, sysadmfile;
+type mplayer_etc_t, file_type, sysadmfile;
+
+# Everything else is in the mplayer_domain macro in
+# macros/program/mplayer_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.7/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-02-01 15:08:38.000000000 -0500
+++ policy-1.21.7/domains/program/unused/samba.te	2005-02-02 08:27:37.000000000 -0500
@@ -124,32 +124,65 @@
 #
 # Domain for running smbmount
 #
-application_domain(smbmount, `, fs_domain, nscd_client_domain');
+
+# Derive from app. domain. Transition from mount.
+application_domain(smbmount, `, fs_domain, nscd_client_domain')
+domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
+
+# Capabilities
+# FIXME: is all of this really necessary?
+allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+
+# Access samba config
+allow smbmount_t samba_etc_t:file r_file_perms;
+allow smbmount_t samba_etc_t:dir r_dir_perms;
+
+# Write samba log
+allow smbmount_t samba_log_t:file create_file_perms;
+allow smbmount_t samba_log_t:dir r_dir_perms; 
+
+# Write stuff in var
+allow smbmount_t var_log_t:dir r_dir_perms;
+rw_dir_create_file(smbmount_t, samba_var_t)
+
+# Access mtab
+file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
+
+# Read nsswitch.conf
+allow smbmount_t etc_t:file r_file_perms;
+
+# Networking
 can_network(smbmount_t)
 can_ypbind(smbmount_t)
-allow smbmount_t cifs_t:dir r_dir_perms;
 allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms;
-allow smbmount_t samba_log_t:file ra_file_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+allow kernel_t smbmount_t:tcp_socket { read write };
+allow userdomain smbmount_t:tcp_socket write;
+
+# Proc
+# FIXME: is this necessary?
 r_dir_file(smbmount_t, proc_t)
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
+
+# Fork smbmnt 
+# FIXME: label bin_t as more restricted type?
+allow smbmount_t bin_t:dir r_dir_perms;
+can_exec(smbmount_t,bin_t)
 allow smbmount_t self:process { fork signal_perms };
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-allow smbmount_t cifs_t:dir mounton;
-allow smbmount_t cifs_t:dir search;
+
+# Mount 
+allow smbmount_t cifs_t:filesystem mount_fs_perms;
+allow smbmount_t cifs_t:dir r_dir_perms;
+allow smbmount_t mnt_t:dir r_dir_perms;
 allow smbmount_t mnt_t:dir mounton;
-read_locale(smbmount_t)
+
+# Terminal
+read_locale(smbmount_t) 
+allow smbmount_t devtty_t:chr_file rw_file_perms;
+allow smbmount_t devpts_t:dir r_dir_perms;
+allow smbmount_t devpts_t:chr_file rw_file_perms;
+allow smbmount_t sysadm_tty_device_t:chr_file rw_file_perms;
+allow smbmount_t sysadm_devpts_t:chr_file rw_file_perms;
+#FIXME: what about user_tty_device_t, user_devpts_t?
 allow smbmount_t userdomain:fd use;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-can_exec(smbmount_t, bin_t)
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow smbmount_t file_type:filesystem { unmount mount relabelto };
 allow smbmount_t local_login_t:fd use;
-allow smbmount_t mnt_t:dir { search getattr };
-allow smbmount_t samba_etc_t:dir search;
-allow smbmount_t sysadm_tty_device_t:chr_file { read write };
-allow smbmount_t etc_t:file { getattr read };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mplayer.fc policy-1.21.7/file_contexts/program/mplayer.fc
--- nsapolicy/file_contexts/program/mplayer.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.7/file_contexts/program/mplayer.fc	2005-02-02 08:27:37.000000000 -0500
@@ -0,0 +1,6 @@
+# mplayer
+/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
+/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
+
+/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
+HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.21.7/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-02-02 08:11:42.000000000 -0500
+++ policy-1.21.7/file_contexts/types.fc	2005-02-02 08:27:37.000000000 -0500
@@ -115,34 +115,34 @@
 #
 # /dev
 #
-/u?dev(/.*)?			system_u:object_r:device_t
-/u?dev/pts(/.*)?		<<none>>
-/u?dev/cpu/.*		-c	system_u:object_r:cpu_device_t
-/u?dev/microcode	-c	system_u:object_r:cpu_device_t
-/u?dev/MAKEDEV		--	system_u:object_r:sbin_t
-/u?dev/null		-c	system_u:object_r:null_device_t
-/u?dev/full		-c	system_u:object_r:null_device_t
-/u?dev/zero		-c	system_u:object_r:zero_device_t
-/u?dev/console		-c	system_u:object_r:console_device_t
-/u?dev/xconsole		-p	system_u:object_r:xconsole_device_t
-/u?dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t
-/u?dev/nvram		-c	system_u:object_r:memory_device_t
-/u?dev/random		-c	system_u:object_r:random_device_t
-/u?dev/urandom		-c	system_u:object_r:urandom_device_t
-/u?dev/capi.*		-c	system_u:object_r:tty_device_t
-/u?dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
-/u?dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
-/u?dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
-/u?dev/isdn.*		-c	system_u:object_r:tty_device_t
-/u?dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
-/u?dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
-/u?dev/cu.*		-c	system_u:object_r:tty_device_t
-/u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
-/u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
-/u?dev/hvc.*		-c	system_u:object_r:tty_device_t
-/u?dev/hvsi.*		-c	system_u:object_r:tty_device_t
-/u?dev/ttySG.*		-c	system_u:object_r:tty_device_t
-/u?dev/tty		-c	system_u:object_r:devtty_t
+/dev(/.*)?			system_u:object_r:device_t
+/dev/pts(/.*)?		<<none>>
+/dev/cpu/.*		-c	system_u:object_r:cpu_device_t
+/dev/microcode	-c	system_u:object_r:cpu_device_t
+/dev/MAKEDEV		--	system_u:object_r:sbin_t
+/dev/null		-c	system_u:object_r:null_device_t
+/dev/full		-c	system_u:object_r:null_device_t
+/dev/zero		-c	system_u:object_r:zero_device_t
+/dev/console		-c	system_u:object_r:console_device_t
+/dev/xconsole		-p	system_u:object_r:xconsole_device_t
+/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t
+/dev/nvram		-c	system_u:object_r:memory_device_t
+/dev/random		-c	system_u:object_r:random_device_t
+/dev/urandom		-c	system_u:object_r:urandom_device_t
+/dev/capi.*		-c	system_u:object_r:tty_device_t
+/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
+/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
+/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
+/dev/isdn.*		-c	system_u:object_r:tty_device_t
+/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
+/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
+/dev/cu.*		-c	system_u:object_r:tty_device_t
+/dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
+/dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
+/dev/hvc.*		-c	system_u:object_r:tty_device_t
+/dev/hvsi.*		-c	system_u:object_r:tty_device_t
+/dev/ttySG.*		-c	system_u:object_r:tty_device_t
+/dev/tty		-c	system_u:object_r:devtty_t
 /dev/lp.*		-c	system_u:object_r:printer_device_t
 /dev/par.*		-c	system_u:object_r:printer_device_t
 /dev/usb/lp.*		-c	system_u:object_r:printer_device_t
@@ -150,103 +150,103 @@
 ifdef(`distro_redhat', `
 /dev/root		-b	system_u:object_r:fixed_disk_device_t
 ')
-/u?dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
-/u?dev/rd.*		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/loop.*		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/net/.*		-c	system_u:object_r:tun_tap_device_t
-/u?dev/ram.*		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/rawctl		-c	system_u:object_r:fixed_disk_device_t
-/u?dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t
-/u?dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t
-/u?dev/initrd		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/jsfd		-b	system_u:object_r:fixed_disk_device_t
-/u?dev/js.*		-c	system_u:object_r:mouse_device_t
-/u?dev/jsflash		-c	system_u:object_r:fixed_disk_device_t
-/u?dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
-/u?dev/usb/rio500	-c	system_u:object_r:removable_device_t
-/u?dev/fd[^/]+		-b	system_u:object_r:removable_device_t
+/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
+/dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
+/dev/rd.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t
+/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
+/dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t
+/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t
+/dev/loop.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/net/.*		-c	system_u:object_r:tun_tap_device_t
+/dev/ram.*		-b	system_u:object_r:fixed_disk_device_t
+/dev/rawctl		-c	system_u:object_r:fixed_disk_device_t
+/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t
+/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t
+/dev/initrd		-b	system_u:object_r:fixed_disk_device_t
+/dev/jsfd		-b	system_u:object_r:fixed_disk_device_t
+/dev/js.*		-c	system_u:object_r:mouse_device_t
+/dev/jsflash		-c	system_u:object_r:fixed_disk_device_t
+/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
+/dev/usb/rio500	-c	system_u:object_r:removable_device_t
+/dev/fd[^/]+		-b	system_u:object_r:removable_device_t
 # I think a parallel port disk is a removable device...
-/u?dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t
-/u?dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t
-/u?dev/aztcd		-b	system_u:object_r:removable_device_t
-/u?dev/bpcd		-b	system_u:object_r:removable_device_t
-/u?dev/gscd		-b	system_u:object_r:removable_device_t
-/u?dev/hitcd		-b	system_u:object_r:removable_device_t
-/u?dev/pcd[0-3]		-b	system_u:object_r:removable_device_t
-/u?dev/mcdx?		-b	system_u:object_r:removable_device_t
-/u?dev/cdu.*		-b	system_u:object_r:removable_device_t
-/u?dev/cm20.*		-b	system_u:object_r:removable_device_t
-/u?dev/optcd		-b	system_u:object_r:removable_device_t
-/u?dev/sbpcd.*		-b	system_u:object_r:removable_device_t
-/u?dev/sjcd		-b	system_u:object_r:removable_device_t
-/u?dev/sonycd		-b	system_u:object_r:removable_device_t
+/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t
+/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t
+/dev/aztcd		-b	system_u:object_r:removable_device_t
+/dev/bpcd		-b	system_u:object_r:removable_device_t
+/dev/gscd		-b	system_u:object_r:removable_device_t
+/dev/hitcd		-b	system_u:object_r:removable_device_t
+/dev/pcd[0-3]		-b	system_u:object_r:removable_device_t
+/dev/mcdx?		-b	system_u:object_r:removable_device_t
+/dev/cdu.*		-b	system_u:object_r:removable_device_t
+/dev/cm20.*		-b	system_u:object_r:removable_device_t
+/dev/optcd		-b	system_u:object_r:removable_device_t
+/dev/sbpcd.*		-b	system_u:object_r:removable_device_t
+/dev/sjcd		-b	system_u:object_r:removable_device_t
+/dev/sonycd		-b	system_u:object_r:removable_device_t
 # parallel port ATAPI generic device
-/u?dev/pg[0-3]		-c	system_u:object_r:removable_device_t
-/u?dev/rtc		-c	system_u:object_r:clock_device_t
-/u?dev/psaux		-c	system_u:object_r:mouse_device_t
-/u?dev/atibm		-c	system_u:object_r:mouse_device_t
-/u?dev/logibm		-c	system_u:object_r:mouse_device_t
-/u?dev/.*mouse.*	-c	system_u:object_r:mouse_device_t
-/u?dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t
-/u?dev/input/event.*	-c	system_u:object_r:event_device_t
-/u?dev/input/mice	-c	system_u:object_r:mouse_device_t
-/u?dev/input/js.*	-c	system_u:object_r:mouse_device_t
-/u?dev/ptmx		-c	system_u:object_r:ptmx_t
-/u?dev/sequencer	-c	system_u:object_r:misc_device_t
-/u?dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t
-/u?dev/apm_bios		-c	system_u:object_r:apm_bios_t
-/u?dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t
-/u?dev/pmu		-c	system_u:object_r:power_device_t
-/u?dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
-/u?dev/winradio.	-c	system_u:object_r:v4l_device_t
-/u?dev/vttuner		-c	system_u:object_r:v4l_device_t
-/u?dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t
-/u?dev/adsp		-c	system_u:object_r:sound_device_t
-/u?dev/mixer.*		-c	system_u:object_r:sound_device_t
-/u?dev/dsp.*		-c	system_u:object_r:sound_device_t
-/u?dev/audio.*		-c	system_u:object_r:sound_device_t
-/u?dev/r?midi.*		-c	system_u:object_r:sound_device_t
-/u?dev/sequencer2	-c	system_u:object_r:sound_device_t
-/u?dev/smpte.*		-c	system_u:object_r:sound_device_t
-/u?dev/sndstat		-c	system_u:object_r:sound_device_t
-/u?dev/beep		-c	system_u:object_r:sound_device_t
-/u?dev/patmgr[01]	-c	system_u:object_r:sound_device_t
-/u?dev/mpu401.*		-c	system_u:object_r:sound_device_t
-/u?dev/srnd[0-7]	-c	system_u:object_r:sound_device_t
-/u?dev/aload.*		-c	system_u:object_r:sound_device_t
-/u?dev/amidi.*		-c	system_u:object_r:sound_device_t
-/u?dev/amixer.*		-c	system_u:object_r:sound_device_t
-/u?dev/snd/.*		-c	system_u:object_r:sound_device_t
-/u?dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
-/u?dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
-/u?dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
-/u?dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
-/u?dev/ht[0-1]		-b	system_u:object_r:tape_device_t
-/u?dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t
-/u?dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t
-/u?dev/tape.*		-c	system_u:object_r:tape_device_t
+/dev/pg[0-3]		-c	system_u:object_r:removable_device_t
+/dev/rtc		-c	system_u:object_r:clock_device_t
+/dev/psaux		-c	system_u:object_r:mouse_device_t
+/dev/atibm		-c	system_u:object_r:mouse_device_t
+/dev/logibm		-c	system_u:object_r:mouse_device_t
+/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t
+/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t
+/dev/input/event.*	-c	system_u:object_r:event_device_t
+/dev/input/mice	-c	system_u:object_r:mouse_device_t
+/dev/input/js.*	-c	system_u:object_r:mouse_device_t
+/dev/ptmx		-c	system_u:object_r:ptmx_t
+/dev/sequencer	-c	system_u:object_r:misc_device_t
+/dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t
+/dev/apm_bios		-c	system_u:object_r:apm_bios_t
+/dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t
+/dev/pmu		-c	system_u:object_r:power_device_t
+/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
+/dev/winradio.	-c	system_u:object_r:v4l_device_t
+/dev/vttuner		-c	system_u:object_r:v4l_device_t
+/dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t
+/dev/adsp		-c	system_u:object_r:sound_device_t
+/dev/mixer.*		-c	system_u:object_r:sound_device_t
+/dev/dsp.*		-c	system_u:object_r:sound_device_t
+/dev/audio.*		-c	system_u:object_r:sound_device_t
+/dev/r?midi.*		-c	system_u:object_r:sound_device_t
+/dev/sequencer2	-c	system_u:object_r:sound_device_t
+/dev/smpte.*		-c	system_u:object_r:sound_device_t
+/dev/sndstat		-c	system_u:object_r:sound_device_t
+/dev/beep		-c	system_u:object_r:sound_device_t
+/dev/patmgr[01]	-c	system_u:object_r:sound_device_t
+/dev/mpu401.*		-c	system_u:object_r:sound_device_t
+/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t
+/dev/aload.*		-c	system_u:object_r:sound_device_t
+/dev/amidi.*		-c	system_u:object_r:sound_device_t
+/dev/amixer.*		-c	system_u:object_r:sound_device_t
+/dev/snd/.*		-c	system_u:object_r:sound_device_t
+/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
+/dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
+/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
+/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
+/dev/ht[0-1]		-b	system_u:object_r:tape_device_t
+/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t
+/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t
+/dev/tape.*		-c	system_u:object_r:tape_device_t
 ifdef(`distro_suse', `
-/u?dev/usbscanner	-c	system_u:object_r:scanner_device_t
+/dev/usbscanner	-c	system_u:object_r:scanner_device_t
 ')
-/u?dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t
-/u?dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t
-/u?dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t
-/u?dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t
-/u?dev/mmetfgrab	-c	system_u:object_r:scanner_device_t
-/u?dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t
-/u?dev/dri/.+		-c	system_u:object_r:dri_device_t
-/u?dev/radeon		-c	system_u:object_r:dri_device_t
-/u?dev/agpgart		-c	system_u:object_r:agp_device_t
+/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t
+/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t
+/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t
+/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t
+/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t
+/dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t
+/dev/dri/.+		-c	system_u:object_r:dri_device_t
+/dev/radeon		-c	system_u:object_r:dri_device_t
+/dev/agpgart		-c	system_u:object_r:agp_device_t
 
 #
 # Misc
@@ -333,10 +333,11 @@
 /usr(/.*)?			system_u:object_r:usr_t
 /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
 /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr/lib/win32/.*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
 /usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
 /usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
@@ -356,9 +357,6 @@
 /usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
 
-# libGL
-/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
-
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.7/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-02-02 08:11:43.000000000 -0500
+++ policy-1.21.7/macros/base_user_macros.te	2005-02-02 08:27:37.000000000 -0500
@@ -187,6 +187,10 @@
 ifdef(`using_spamassassin', `spamassassin_domain($1)')
 ifdef(`uml.te', `uml_domain($1)')
 ifdef(`cdrecord.te', `cdrecord_domain($1)')
+ifdef(`mplayer.te', `
+mplayer_domain($1)
+mencoder_domain($1)
+')
 
 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.7/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-02-01 15:08:42.000000000 -0500
+++ policy-1.21.7/macros/global_macros.te	2005-02-02 08:27:37.000000000 -0500
@@ -106,9 +106,6 @@
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-if (allow_execmod) {
-allow $1 texrel_shlib_t:file execmod;
-}
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.21.7/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-01-31 10:02:06.000000000 -0500
+++ policy-1.21.7/macros/program/games_domain.te	2005-02-02 08:27:37.000000000 -0500
@@ -39,7 +39,6 @@
 allow $1_games_t var_lib_t:dir search;
 r_dir_file($1_games_t, man_t)
 allow $1_games_t proc_t:file { read getattr };
-dontaudit $1_games_t devpts_t:dir search;
 ifdef(`mozilla.te', ` 
 dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.21.7/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.7/macros/program/mplayer_macros.te	2005-02-02 08:28:15.000000000 -0500
@@ -0,0 +1,117 @@
+#
+# Macros for mplayer
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+#
+# mplayer_domain(domain_prefix)
+# mencoder_domain(domain_prefix)
+
+################################################
+#    mplayer_common(prefix, mplayer domain)    #
+################################################
+
+define(`mplayer_common',`
+
+# Home directory stuff
+if (use_nfs_home_dirs) {
+create_dir_file($1_$2_t, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1_$2_t, cifs_t)
+}
+allow $1_$2_t autofs_t:dir { search getattr };
+
+# Read local config
+r_dir_file($1_$2_t, $1_mplayer_rw_t)
+
+# Read global config
+r_dir_file($1_$2_t, mplayer_etc_t)
+
+# Read data in /usr/share (fonts, icons..)
+r_dir_file($1_$2_t, usr_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+allow $1_$2_t proc_t:dir search;
+allow $1_$2_t proc_t:file { getattr read };
+
+# Sysctl on kernel version 
+allow $1_$2_t sysctl_kernel_t:dir search;
+allow $1_$2_t sysctl_kernel_t:file { getattr read };
+
+# allow ps
+can_ps($1_t, $1_$2_t)
+
+# uses shared libraries
+uses_shlib($1_$2_t)
+
+# localization
+read_locale($1_$2_t)
+
+# Access the terminal.
+allow $1_$2_t devpts_t:dir { search };
+allow $1_$2_t $1_tty_device_t:chr_file rw_file_perms;
+allow $1_$2_t $1_devpts_t:chr_file rw_file_perms;
+
+# Required for win32 binary loader 
+allow $1_$2_t zero_device_t:chr_file { read write execute };
+if (allow_execmem) {
+allow $1_$2_t self:process { execmem };
+}
+
+# Access to DVD/CD/V4L
+allow $1_$2_t device_t:dir r_dir_perms;
+allow $1_$2_t device_t:lnk_file { getattr read };
+allow $1_$2_t removable_device_t:blk_file { getattr read };
+allow $1_$2_t v4l_device_t:chr_file { getattr read };
+')
+
+##############################
+#  mplayer_domain(prefix)    #
+##############################
+
+define(`mplayer_domain',`
+
+# Derive from X client domain
+x_client_domain($1, `mplayer', `')
+
+# Mplayer common stuff
+mplayer_common($1, mplayer)
+
+# Additional rules for search /tmp/.X11-unix
+ifdef(`xdm.te', `
+allow $1_mplayer_t xdm_tmp_t:dir search;
+')dnl end if xdm.te
+
+# Prevent getattr denials on restricted types when browsing with gmplayer
+dontaudit $1_mplayer_t file_type:dir_file_class_set { getattr };
+
+# Audio
+allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+
+# RTC clock 
+allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
+
+# Read home directory content
+r_dir_file($1_mplayer_t, $1_home_t);
+') dnl end mplayer_domain
+
+##############################
+#  mencoder_domain(prefix)   #
+##############################
+
+define(`mencoder_domain',`
+
+# Privhome type transitions to $1_home_t in home dir.
+type $1_mencoder_t, domain, privhome;
+
+# Transition
+domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
+can_exec($1_mencoder_t, mencoder_exec_t)
+role $1_r types $1_mencoder_t;
+
+# Mplayer common stuff
+mplayer_common($1, mencoder)
+
+') dnl end mencoder_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.7/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te	2005-01-31 10:02:06.000000000 -0500
+++ policy-1.21.7/macros/program/samba_macros.te	2005-02-02 08:27:37.000000000 -0500
@@ -19,6 +19,7 @@
 ifdef(`samba.te', `
 define(`samba_domain',`
 if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir r_dir_perms;
 file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
 }
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.21.7/targeted/appconfig/default_contexts
--- nsapolicy/targeted/appconfig/default_contexts	2005-01-31 10:02:06.000000000 -0500
+++ policy-1.21.7/targeted/appconfig/default_contexts	2005-02-02 08:27:37.000000000 -0500
@@ -2,3 +2,4 @@
 system_r:initrc_t	system_r:unconfined_t
 system_r:remote_login_t system_r:unconfined_t
 system_r:rshd_t		system_r:unconfined_t
+system_r:crond_t	system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.21.7/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-02-01 15:08:45.000000000 -0500
+++ policy-1.21.7/targeted/domains/program/crond.te	2005-02-02 08:27:37.000000000 -0500
@@ -11,7 +11,7 @@
 # This domain is defined just for targeted policy.
 #
 type crond_exec_t, file_type, sysadmfile, exec_type;
-type crond_t, domain;
+type crond_t, domain, privuser, privrole, privowner;
 typealias crond_t alias system_crond_t;
 type anacron_exec_t, file_type, sysadmfile, exec_type;
 type system_crond_tmp_t, file_type, sysadmfile;
@@ -19,7 +19,7 @@
 type sysadm_cron_spool_t, file_type, sysadmfile;
 type crond_log_t, file_type, sysadmfile;
 type crond_var_run_t, file_type, sysadmfile;
-role system_r types system_crond_t;
+role system_r types crond_t;
 domain_auto_trans(initrc_t, crond_exec_t, crond_t)
 domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
 unconfined_domain(crond_t)
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.7/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-01-31 10:02:06.000000000 -0500
+++ policy-1.21.7/tunables/distro.tun	2005-02-02 08:27:37.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.7/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-01-31 10:02:06.000000000 -0500
+++ policy-1.21.7/tunables/tunable.tun	2005-02-02 08:27:37.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: Latest diffs

[Ivan Gyurdiev]

On Wed, 2005-02-02 at 08:32 -0500, Daniel J Walsh wrote:
> -if (allow_execmod) {
> -allow $1 texrel_shlib_t:file execmod;
> -}

... X needs execmod, and this change breaks it:

audit(1107469036.956:0): avc:  denied  { execmod } for  pid=3383 comm=X
path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=519237
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:texrel_shlib_t tclass=file

Also, mozilla needs execmem. What's going on with this - I've
seen it sent twice and rejected twice... 

audit(1107476807.924:0): avc:  denied  { execmem } for  pid=3828
comm=firefox-bin scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:user_r:user_mozilla_t tclass=process

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Thu, 2005-02-03 at 19:58, Ivan Gyurdiev wrote:
> On Wed, 2005-02-02 at 08:32 -0500, Daniel J Walsh wrote:
> > -if (allow_execmod) {
> > -allow $1 texrel_shlib_t:file execmod;
> > -}
> 
> ... X needs execmod, and this change breaks it:
> 
> audit(1107469036.956:0): avc:  denied  { execmod } for  pid=3383 comm=X
> path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=519237
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:object_r:texrel_shlib_t tclass=file

To be precise, X needs execmod when using nvidia, right?  Not everyone
using X needs it (I don't).  In any event, we want the execmod rules to
be added to the individual domain .te files, not put in a global macro
used by everything, and only allowed as needed.  Further, I'd ultimately
like to have separate booleans for different sets of execmem/execmod
permissions so that we can allow certain programs to have them while
preventing others.

> Also, mozilla needs execmem. What's going on with this - I've
> seen it sent twice and rejected twice... 
> 
> audit(1107476807.924:0): avc:  denied  { execmem } for  pid=3828
> comm=firefox-bin scontext=user_u:user_r:user_mozilla_t
> tcontext=user_u:user_r:user_mozilla_t tclass=process

Think hard about whether you want to expose your browser in this
manner.  Not sure why you are getting execmem in firefox itself; I would
have expected it only in plugins like java (which should be moved into
their own domain).  Even if this is _truly_ needed, it should definitely
be under a separate boolean of its own, as this is clearly a
network-exposed app that is highly at risk to malicious input.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Ivan Gyurdiev]

> To be precise, X needs execmod when using nvidia, right?  Not everyone
> using X needs it (I don't).  In any event, we want the execmod rules to
> be added to the individual domain .te files, not put in a global macro
> used by everything, and only allowed as needed.

Right. I was suggesting it be added to x_server_domain, not global.
I think it's only needed for nvidia.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Fri, 2005-02-04 at 07:42, Ivan Gyurdiev wrote:
> > To be precise, X needs execmod when using nvidia, right?  Not everyone
> > using X needs it (I don't).  In any event, we want the execmod rules to
> > be added to the individual domain .te files, not put in a global macro
> > used by everything, and only allowed as needed.
> 
> Right. I was suggesting it be added to x_server_domain, not global.
> I think it's only needed for nvidia.

Yes, adding it to the xserver_domain macro would be reasonable, under a
boolean as usual.  Might be a candidate for its own boolean as well, as
it can also be exposed remotely and subversion of X is fatal.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Daniel J Walsh]

Ivan Gyurdiev wrote:

>On Wed, 2005-02-02 at 08:32 -0500, Daniel J Walsh wrote:
>  
>
>>-if (allow_execmod) {
>>-allow $1 texrel_shlib_t:file execmod;
>>-}
>>    
>>
>
>... X needs execmod, and this change breaks it:
>
>audit(1107469036.956:0): avc:  denied  { execmod } for  pid=3383 comm=X
>path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=519237
>scontext=system_u:system_r:xdm_xserver_t
>tcontext=system_u:object_r:texrel_shlib_t tclass=file
>
>Also, mozilla needs execmem. What's going on with this - I've
>seen it sent twice and rejected twice... 
>
>audit(1107476807.924:0): avc:  denied  { execmem } for  pid=3828
>comm=firefox-bin scontext=user_u:user_r:user_mozilla_t
>tcontext=user_u:user_r:user_mozilla_t tclass=process
>
>  
>
You need to set the boolean

setsebool -P allow_execmod 1
 On fresh installs this will be in there. 

Why should we have the boolean if we know that X will require it always?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Fri, 2005-02-04 at 08:59, Daniel J Walsh wrote:
> You need to set the boolean
> 
> setsebool -P allow_execmod 1
>  On fresh installs this will be in there. 
> 
> Why should we have the boolean if we know that X will require it always?

- It is only needed for certain drivers, e.g. nvidia, and not others (I
don't need it for my machine), and
- It represents a security risk to allow it, especially since X is
highly privileged.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Ivan Gyurdiev]

On Fri, 2005-02-04 at 09:10 -0500, Stephen Smalley wrote:
> On Fri, 2005-02-04 at 08:59, Daniel J Walsh wrote:
> > You need to set the boolean
> > 
> > setsebool -P allow_execmod 1
> >  On fresh installs this will be in there. 

Right, but the boolean is for user_t, and not for X.
For X the whole execmod rule was removed, which is why I get denials.


-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Ivan Gyurdiev]

On Fri, 2005-02-04 at 10:28 -0500, Ivan Gyurdiev wrote:
> On Fri, 2005-02-04 at 09:10 -0500, Stephen Smalley wrote:
> > On Fri, 2005-02-04 at 08:59, Daniel J Walsh wrote:
> > > You need to set the boolean
> > > 
> > > setsebool -P allow_execmod 1
> > >  On fresh installs this will be in there. 
> 
> Right, but the boolean is for user_t, and not for X.
> For X the whole execmod rule was removed, which is why I get denials.

And now execmod denials for user_mozilla_t and flash are back again.
Those in addition to the mozilla execmem denials I posted about earlier.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Richard Hally]

Stephen Smalley wrote:

>On Fri, 2005-02-04 at 08:59, Daniel J Walsh wrote:
>  
>
>>You need to set the boolean
>>
>>setsebool -P allow_execmod 1
>> On fresh installs this will be in there. 
>>
>>Why should we have the boolean if we know that X will require it always?
>>    
>>
>
>- It is only needed for certain drivers, e.g. nvidia, and not others (I
>don't need it for my machine), and
>- It represents a security risk to allow it, especially since X is
>highly privileged.
>
>  
>
FWIW, It looks to me that the problem with X not starting is not just 
with "legacy" (or third party) drivers or "old toolchains". I am 
running  current rawhide(as of 2/5/05) with no other addons(like nvidia) 
and X does not start  in enforcing(current strict policy1.21.8-4). If 
it's an "old toolchain" problem then it is a Red Hat (Fedora) toolchain 
that needs to be updated...
Richard Hally


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[Stephen Smalley]

On Mon, 2005-02-07 at 14:33, Richard Hally wrote:
> FWIW, It looks to me that the problem with X not starting is not just 
> with "legacy" (or third party) drivers or "old toolchains". I am 
> running  current rawhide(as of 2/5/05) with no other addons(like nvidia) 
> and X does not start  in enforcing(current strict policy1.21.8-4). If 
> it's an "old toolchain" problem then it is a Red Hat (Fedora) toolchain 
> that needs to be updated...

I think you misunderstood.  The particular execmod rule in question had
to do with the nvidia driver, and isn't always needed.  In any event,
you may need to enable the allow_execmem boolean for X to work, and you
will likely need to enable the allow_execmod boolean as well for the
desktop due to dependencies on libGL by many desktop applications.
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Latest diffs

[James Carter]

Merged.

On Wed, 2005-02-02 at 08:32, Daniel J Walsh wrote:
> Added mplayer policy
> 
> Switched /u?dev back to /dev since this is no longer needed.
> 
> more fixes for smbmount.
> 
> Made some of the changes Stephen suggested.
> 
> Dan

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

New patch for fixfiles sed script

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 1703 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.9/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-31 09:49:15.000000000 -0500
+++ policycoreutils-1.21.9/scripts/fixfiles	2005-02-01 14:06:56.000000000 -0500
@@ -60,12 +60,26 @@
 if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
 	TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
 	test -z "$TEMPFILE" && exit
-	/usr/bin/diff $PREFC $FC | egrep '^[<>]'|cut -c3-| grep ^/ | \
-        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
-            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
-        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
+	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
+	sed -r -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
+               -e 's|\?.*|*|g' \
+	       -e 's|\(.*|*|g' \
+	       -e 's|\[.*|*|g' \
+               -e 's|\.\*|*|g' \
+               -e 's|\.\+|*|g' \
+	sort -u | \
+        while read pattern ; \
+	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
+                  echo "$pattern"; \
+                  case "$pattern" in *"*") \
+	               echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE};;  
+                  esac; \
+               fi; \
+            done | \
+	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
-	${RESTORECON} $2 -v -f -R - 
+	${RESTORECON} -R $2 -v -f - 
 	rm -f ${TEMPFILE}
 fi
 }

Re: New patch for fixfiles sed script

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 2794 bytes --]

On Wed, 2005-02-02 at 08:58, Daniel J Walsh wrote:
> +	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
> +	sed -r -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
> +	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
> +               -e 's|\?.*|*|g' \
> +	       -e 's|\(.*|*|g' \
> +	       -e 's|\[.*|*|g' \
> +               -e 's|\.\*|*|g' \
> +               -e 's|\.\+|*|g' \
> +	sort -u | \
> +        while read pattern ; \
> +	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
> +                  echo "$pattern"; \
> +                  case "$pattern" in *"*") \
> +	               echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE};;  
> +                  esac; \
> +               fi; \
> +            done | \
> +	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
>  	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
> -	${RESTORECON} $2 -v -f -R - 
> +	${RESTORECON} -R $2 -v -f - 
>  	rm -f ${TEMPFILE}
>  fi
>  }

I tried splitting this again and looking at the incremental diffs for
each stage of the pipeline as applied to a diff of two file_contexts
that differ on every line.  Notes:
1) You removed the s,[[:blank:]].*,,g sed substitution.  An oversight? 
Otherwise, you are left with the type field (e.g. --, -d) and context
fields on some lines that are ultimately fed to the find command,
yielding errors (but silenced by your redirection of stderr).

2) The find command can still produce entries that you filtered out
earlier (e.g. /home, /tmp) and can yield duplicate entries again due to
wildcard expansion at that point.  Filtering out entries that end in *
via the sed filters would help, as would moving the grep filter for
special directories to the end of the pipeline.

3) The filter to avoid overlaps doesn't seem correct, especially since
restorecon is being applied recursively; you want to see whether there
are any prefixes of the path already specified, not whether there is a
match of the path itself (e.g. /bin is subsumed by any prior / entry,
but a grep of /bin against a file containing / will fail).  I don't
think that this filter is serving any purpose presently.  

Also, restorecon won't currently cross filesystem boundaries (FTW_MOUNT
flag to nftw, inherited from the setfiles code), so doing this kind of
overlap filtering is a problem unless we change restorecon. Having
restorecon -R cross filesystem boundaries seems sensible for its usage,
whereas setfiles is oriented toward labeling specific filesystems, which
is why it only labels the ones you specify and doesn't cross boundaries.

The attached patch relative to yours makes changes along the lines
described above, and simply removes the overlap filter for now.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: policycoreutils-nsa.patch --]
[-- Type: text/x-patch, Size: 2320 bytes --]

Index: policycoreutils/restorecon/restorecon.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
retrieving revision 1.23
diff -u -p -r1.23 restorecon.c
--- policycoreutils/restorecon/restorecon.c	28 Jan 2005 20:05:41 -0000	1.23
+++ policycoreutils/restorecon/restorecon.c	2 Feb 2005 16:07:59 -0000
@@ -184,7 +184,7 @@ static int apply_spec(const char *file,
 void process(char *buf) {
       if (recurse) {
 	if (nftw
-	    (buf, apply_spec, 1024, FTW_PHYS | FTW_MOUNT)) {
+	    (buf, apply_spec, 1024, FTW_PHYS)) {
 	  fprintf(stderr,
 		  "%s:  error while labeling files under %s\n",
 		  progname, buf);
Index: policycoreutils/scripts/fixfiles
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/scripts/fixfiles,v
retrieving revision 1.17
diff -u -p -r1.17 fixfiles
--- policycoreutils/scripts/fixfiles	2 Feb 2005 14:49:40 -0000	1.17
+++ policycoreutils/scripts/fixfiles	2 Feb 2005 16:09:15 -0000
@@ -58,29 +58,20 @@ fi
 #
 diff_filecontext() {
 if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
-	TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
-	test -z "$TEMPFILE" && exit
 	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
 	sed -r -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
 	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
+	       -e 's,[[:blank:]].*,,g' \
                -e 's|\?.*|*|g' \
 	       -e 's|\(.*|*|g' \
 	       -e 's|\[.*|*|g' \
                -e 's|\.\*|*|g' \
                -e 's|\.\+|*|g' \
+	       -e 's|\*$||g' | \
 	sort -u | \
-        while read pattern ; \
-	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
-                  echo "$pattern"; \
-                  case "$pattern" in *"*") \
-	               echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE};;  
-                  esac; \
-               fi; \
-            done | \
-	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
-	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
-	${RESTORECON} -R $2 -v -f - 
-	rm -f ${TEMPFILE}
+ 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
+	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | 
+	xargs ${RESTORECON} -R $2 -v
 fi
 }
 #

Re: New patch for fixfiles sed script

[Daniel J Walsh]

Stephen Smalley wrote:

>On Wed, 2005-02-02 at 08:58, Daniel J Walsh wrote:
>  
>
>>+	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
>>+	sed -r -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
>>+	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
>>+               -e 's|\?.*|*|g' \
>>+	       -e 's|\(.*|*|g' \
>>+	       -e 's|\[.*|*|g' \
>>+               -e 's|\.\*|*|g' \
>>+               -e 's|\.\+|*|g' \
>>+	sort -u | \
>>+        while read pattern ; \
>>+	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
>>+                  echo "$pattern"; \
>>+                  case "$pattern" in *"*") \
>>+	               echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE};;  
>>+                  esac; \
>>+               fi; \
>>+            done | \
>>+	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
>> 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
>>-	${RESTORECON} $2 -v -f -R - 
>>+	${RESTORECON} -R $2 -v -f - 
>> 	rm -f ${TEMPFILE}
>> fi
>> }
>>    
>>
>
>I tried splitting this again and looking at the incremental diffs for
>each stage of the pipeline as applied to a diff of two file_contexts
>that differ on every line.  Notes:
>1) You removed the s,[[:blank:]].*,,g sed substitution.  An oversight? 
>Otherwise, you are left with the type field (e.g. --, -d) and context
>fields on some lines that are ultimately fed to the find command,
>yielding errors (but silenced by your redirection of stderr).
>
>  
>
Yes blank should go back in.

>2) The find command can still produce entries that you filtered out
>earlier (e.g. /home, /tmp) and can yield duplicate entries again due to
>wildcard expansion at that point.  Filtering out entries that end in *
>via the sed filters would help, as would moving the grep filter for
>special directories to the end of the pipeline.
>
>  
>
I guess this is a best attempt also, since if we end of doing a
restorecon /  We end up with these anyways  No matter how we filter.  
The real solution is to put in the
--exclude that is in setfiles.

>3) The filter to avoid overlaps doesn't seem correct, especially since
>restorecon is being applied recursively; you want to see whether there
>are any prefixes of the path already specified, not whether there is a
>match of the path itself (e.g. /bin is subsumed by any prior / entry,
>but a grep of /bin against a file containing / will fail).  I don't
>think that this filter is serving any purpose presently.  
>
>  
>
Yes because you are reading it wrong.  It is doing a grep "/" in "/bin".

Basically the stuff in the TMPFILE are all the ones we will be 
restoreing.  So

echo "/bin" | grep -q -f TEMPFILE will succeed if / is in TEMPFILE

>Also, restorecon won't currently cross filesystem boundaries (FTW_MOUNT
>flag to nftw, inherited from the setfiles code), so doing this kind of
>overlap filtering is a problem unless we change restorecon. Having
>restorecon -R cross filesystem boundaries seems sensible for its usage,
>whereas setfiles is oriented toward labeling specific filesystems, which
>is why it only labels the ones you specify and doesn't cross boundaries.
>
>  
>
Good we need that change.

>The attached patch relative to yours makes changes along the lines
>described above, and simply removes the overlap filter for now.
>
>  
>
>------------------------------------------------------------------------
>
>Index: policycoreutils/restorecon/restorecon.c
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
>retrieving revision 1.23
>diff -u -p -r1.23 restorecon.c
>--- policycoreutils/restorecon/restorecon.c	28 Jan 2005 20:05:41 -0000	1.23
>+++ policycoreutils/restorecon/restorecon.c	2 Feb 2005 16:07:59 -0000
>@@ -184,7 +184,7 @@ static int apply_spec(const char *file,
> void process(char *buf) {
>       if (recurse) {
> 	if (nftw
>-	    (buf, apply_spec, 1024, FTW_PHYS | FTW_MOUNT)) {
>+	    (buf, apply_spec, 1024, FTW_PHYS)) {
> 	  fprintf(stderr,
> 		  "%s:  error while labeling files under %s\n",
> 		  progname, buf);
>Index: policycoreutils/scripts/fixfiles
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/scripts/fixfiles,v
>retrieving revision 1.17
>diff -u -p -r1.17 fixfiles
>--- policycoreutils/scripts/fixfiles	2 Feb 2005 14:49:40 -0000	1.17
>+++ policycoreutils/scripts/fixfiles	2 Feb 2005 16:09:15 -0000
>@@ -58,29 +58,20 @@ fi
> #
> diff_filecontext() {
> if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>-	TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
>-	test -z "$TEMPFILE" && exit
> 	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
> 	sed -r -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
> 	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
>+	       -e 's,[[:blank:]].*,,g' \
>                -e 's|\?.*|*|g' \
> 	       -e 's|\(.*|*|g' \
> 	       -e 's|\[.*|*|g' \
>                -e 's|\.\*|*|g' \
>                -e 's|\.\+|*|g' \
>+	       -e 's|\*$||g' | \
>  
>
No you want to leave in
/usr/sbin/in\.*
Yours would change this to
/usr/sbin/in\.  Which will match nothing.

> 	sort -u | \
>-        while read pattern ; \
>-	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
>-                  echo "$pattern"; \
>-                  case "$pattern" in *"*") \
>-	               echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE};;  
>-                  esac; \
>-               fi; \
>-            done | \
>-	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
>-	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
>-	${RESTORECON} -R $2 -v -f - 
>-	rm -f ${TEMPFILE}
>+ 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
>+	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | 
>+	xargs ${RESTORECON} -R $2 -v
> fi
> }
> #
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New patch for fixfiles sed script

[Stephen Smalley]

On Wed, 2005-02-02 at 11:34, Daniel J Walsh wrote:
> Yes because you are reading it wrong.  It is doing a grep "/" in "/bin".
> 
> Basically the stuff in the TMPFILE are all the ones we will be 
> restoreing.  So
> 
> echo "/bin" | grep -q -f TEMPFILE will succeed if / is in TEMPFILE

Ah, my mistake.  This patch relative to yours (not mine) just restores
the blank filter, fixes a missing pipe, and moves the tmp filter after
the find, leaving everything else unchanged.

Index: policycoreutils/scripts/fixfiles
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/scripts/fixfiles,v
retrieving revision 1.17
diff -u -r1.17 fixfiles
--- policycoreutils/scripts/fixfiles	2 Feb 2005 14:49:40 -0000	1.17
+++ policycoreutils/scripts/fixfiles	2 Feb 2005 16:40:37 -0000
@@ -63,11 +63,12 @@
 	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
 	sed -r -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
 	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
+	       -e 's,[[:blank:]].*,,g' \
                -e 's|\?.*|*|g' \
 	       -e 's|\(.*|*|g' \
 	       -e 's|\[.*|*|g' \
                -e 's|\.\*|*|g' \
-               -e 's|\.\+|*|g' \
+               -e 's|\.\+|*|g' |
 	sort -u | \
         while read pattern ; \
 	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
@@ -77,8 +78,8 @@
                   esac; \
                fi; \
             done | \
-	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
+	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
 	${RESTORECON} -R $2 -v -f - 
 	rm -f ${TEMPFILE}
 fi

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New patch for fixfiles sed script

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 57 bytes --]

Ok how about this patch.

Added -e flag for restorecon



[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 8485 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.21.10/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8	2005-01-20 15:59:21.000000000 -0500
+++ policycoreutils-1.21.10/restorecon/restorecon.8	2005-02-02 12:16:06.000000000 -0500
@@ -4,10 +4,10 @@
 
 .SH "SYNOPSIS"
 .B restorecon
-.I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
+.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] [\-F]
+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F]
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -26,6 +26,9 @@
 .B \-f infilename
 infilename contains a list of files to be processed by application. Use \- for stdin.
 .TP 
+.B \-e directory
+directory to exclude (repeat option for more than one directory.)
+.TP 
 .B \-R
 change files and directories file labels recursively
 .TP 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.10/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2005-01-31 09:49:15.000000000 -0500
+++ policycoreutils-1.21.10/restorecon/restorecon.c	2005-02-02 12:16:49.000000000 -0500
@@ -10,6 +10,7 @@
  * USAGE:
  * restorecon [-Rnv] pathname...
  * 
+ * -e   Specify directory to exclude
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
  * -o filename save list of files with incorrect context
@@ -45,6 +46,54 @@
 static int recurse=0;
 static int force=0;
 
+#define MAX_EXCLUDES 100
+static int excludeCtr=0;
+struct edir {
+	char *directory;
+        int size;
+};
+static struct edir excludeArray[MAX_EXCLUDES];
+static int add_exclude(const char *directory) {
+  struct stat sb;
+  if(directory == NULL || directory[0] != '/') {
+    fprintf(stderr, "Full path required for exclude: %s.\n", 
+	    directory);
+    return 1;
+  }
+  if(lstat(directory, &sb)) {
+    fprintf(stderr, "Directory \"%s\" not found.\n", directory);
+    return 1;
+  }
+  if ((sb.st_mode & S_IFDIR) == 0 ) {
+    fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
+    return 1;
+  }
+   excludeArray[excludeCtr].directory = strdup(directory);
+  if (!excludeArray[excludeCtr].directory) {
+    fprintf(stderr, "Out of memory.\n");
+    return 1;
+  }
+  excludeArray[excludeCtr++].size = strlen(directory);
+
+  if (excludeCtr > MAX_EXCLUDES) {
+    fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
+    return 1;
+  }
+  return 0;
+}
+static int exclude(const char *file) {
+	int i=0;
+	for(i=0; i < excludeCtr; i++) { 
+		if (strncmp(file,excludeArray[i].directory,excludeArray[i].size)==0) {
+			if (file[excludeArray[i].size]==0 || 
+			    file[excludeArray[i].size]=='/') {
+				return 1;
+			}
+		}
+	}
+	return 0;
+}
+
 /* Compare two contexts to see if their differences are "significant",
  * or whether the only difference is in the user. */
 static int only_changed_user(const char *a, const char *b)
@@ -61,7 +110,7 @@
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-Rnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
 int restore(char *filename) {
@@ -79,6 +128,9 @@
   if (len > 0 && filename[len-1]=='/' && (strcmp(filename,"/") != 0)) {
     filename[len-1]=0;
   }
+  if (excludeCtr > 0 && exclude(filename)) {
+      return 1;
+  }
   if (lstat(filename, &st)!=0) {
     fprintf(stderr,"lstat(%s) failed: %s\n", filename,strerror(errno));
     return 1;
@@ -184,7 +236,7 @@
 void process(char *buf) {
       if (recurse) {
 	if (nftw
-	    (buf, apply_spec, 1024, FTW_PHYS | FTW_MOUNT)) {
+	    (buf, apply_spec, 1024, FTW_PHYS)) {
 	  fprintf(stderr,
 		  "%s:  error while labeling files under %s\n",
 		  progname, buf);
@@ -202,13 +254,15 @@
   int opt;
   char buf[PATH_MAX];
 
+  memset(excludeArray,0, sizeof(excludeArray));
+
   progname=argv[0];
   if (is_selinux_enabled() <= 0 )
     exit(0);
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:e:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -219,6 +273,9 @@
     case 'F':
       force = 1;
       break;
+    case 'e':
+      if ( add_exclude(optarg) ) exit(1);
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.10/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-31 09:49:15.000000000 -0500
+++ policycoreutils-1.21.10/scripts/fixfiles	2005-02-02 12:16:06.000000000 -0500
@@ -60,12 +60,26 @@
 if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
 	TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
 	test -z "$TEMPFILE" && exit
-	/usr/bin/diff $PREFC $FC | egrep '^[<>]'|cut -c3-| grep ^/ | \
-        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
-            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
-        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
+	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
+	sed -r -e 's,[[:blank:]].*,,g' \
+               -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
+               -e 's|\?.*|*|g' \
+	       -e 's|\(.*|*|g' \
+	       -e 's|\[.*|*|g' \
+               -e 's|\.\*|*|g' \
+               -e 's|\.\+|*|g' | \
+	sort -u | \
+        while read pattern ; \
+	    do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
+                  echo "$pattern"; \
+                  case "$pattern" in *"*") \
+	               echo "$pattern" | sed 's,\*$,,g' >> ${TEMPFILE};;  
+                  esac; \
+               fi; \
+            done | \
 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
-	${RESTORECON} $2 -v -f -R - 
+	${RESTORECON} -R $2 -v -e /root -e /home -e /tmp -e /var/tmp -f - 
 	rm -f ${TEMPFILE}
 fi
 }
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.21.10/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2005-01-31 09:49:15.000000000 -0500
+++ policycoreutils-1.21.10/setfiles/setfiles.c	2005-02-02 12:16:16.000000000 -0500
@@ -116,6 +116,35 @@
 	va_end(ap);
 }
 
+static int add_exclude(const char *directory) {
+        struct stat sb;
+	if(directory == NULL || directory[0] != '/') {
+	        fprintf(stderr, "Full path required for exclude: %s.\n", 
+		        directory);
+		return 1;
+	}
+	if(lstat(directory, &sb)) {
+	        fprintf(stderr, "Directory \"%s\" not found.\n", directory);
+	        return 1;
+	}
+	if ((sb.st_mode & S_IFDIR) == 0 ) {
+	        fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
+	        return 1;
+	}
+	excludeArray[excludeCtr].directory = strdup(directory);
+	if (!excludeArray[excludeCtr].directory) {
+	        fprintf(stderr, "Out of memory.\n");
+	        return 1;
+	}
+	excludeArray[excludeCtr++].size = strlen(directory);
+	
+	if (excludeCtr > MAX_EXCLUDES) {
+	        fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
+	        return 1;
+	}
+	return 0;
+}
+
 static int exclude(const char *file) {
 	int i=0;
 	for(i=0; i < excludeCtr; i++) { 
@@ -402,36 +431,8 @@
 			break;
 		}
 		case 'e':
-		{
-			int len;
-			struct stat sb;
-			if(optarg[0] != '/') {
-				fprintf(stderr, "Full path required for exclude: %s.\n", 
-					optarg);
-				exit(1);
-			}
-			if(lstat(optarg, &sb)) {
-				fprintf(stderr, "Directory \"%s\" not found.\n", optarg);
-				exit(1);
-			}
-			if ((sb.st_mode & S_IFDIR) == 0 ) {
-				fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", optarg,sb.st_mode);
-				exit(1);
-			}
-			len=strlen(optarg);
-			excludeArray[excludeCtr].directory = strdup(optarg);
-			if (!excludeArray[excludeCtr].directory) {
-				fprintf(stderr, "Out of memory.\n");
-				exit(1);
-			}
-			excludeArray[excludeCtr++].size = len;
-			if (excludeCtr > MAX_EXCLUDES) {
-				fprintf(stderr, "Maximum excludes %d exceeded.\n", 
-					MAX_EXCLUDES);
-				exit(1);
-			}
+		        if ( add_exclude(optarg) ) exit(1);
 			break;
-		}
 			
 		case 'd':
 			debug = 1;

Re: New patch for fixfiles sed script

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 248 bytes --]

On Wed, 2005-02-02 at 12:46, Daniel J Walsh wrote:
> Ok how about this patch.
> 
> Added -e flag for restorecon

Merged along with the attached patch as of policycoreutils 1.21.11.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: policycoreutils-nsa.patch --]
[-- Type: text/x-patch, Size: 2700 bytes --]

Index: policycoreutils/restorecon/restorecon.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
retrieving revision 1.25
diff -u -p -r1.25 restorecon.c
--- policycoreutils/restorecon/restorecon.c	2 Feb 2005 18:09:33 -0000	1.25
+++ policycoreutils/restorecon/restorecon.c	2 Feb 2005 18:19:16 -0000
@@ -50,7 +50,7 @@ static int force=0;
 static int excludeCtr=0;
 struct edir {
 	char *directory;
-        int size;
+        size_t size;
 };
 static struct edir excludeArray[MAX_EXCLUDES];
 static int add_exclude(const char *directory) {
@@ -68,6 +68,12 @@ static int add_exclude(const char *direc
     fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
     return 1;
   }
+
+  if (excludeCtr == MAX_EXCLUDES) {
+    fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
+    return 1;
+  }
+
    excludeArray[excludeCtr].directory = strdup(directory);
   if (!excludeArray[excludeCtr].directory) {
     fprintf(stderr, "Out of memory.\n");
@@ -75,10 +81,6 @@ static int add_exclude(const char *direc
   }
   excludeArray[excludeCtr++].size = strlen(directory);
 
-  if (excludeCtr > MAX_EXCLUDES) {
-    fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
-    return 1;
-  }
   return 0;
 }
 static int exclude(const char *file) {
Index: policycoreutils/setfiles/setfiles.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/setfiles/setfiles.c,v
retrieving revision 1.30
diff -u -p -r1.30 setfiles.c
--- policycoreutils/setfiles/setfiles.c	2 Feb 2005 18:09:37 -0000	1.30
+++ policycoreutils/setfiles/setfiles.c	2 Feb 2005 18:20:18 -0000
@@ -83,7 +83,7 @@ static int force=0;
 static int excludeCtr=0;
 struct edir {
 	char *directory;
-        int size;
+        size_t size;
 };
 static struct edir excludeArray[MAX_EXCLUDES];
 
@@ -131,6 +131,12 @@ static int add_exclude(const char *direc
 	        fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
 	        return 1;
 	}
+
+	if (excludeCtr == MAX_EXCLUDES) {
+	        fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
+	        return 1;
+	}
+
 	excludeArray[excludeCtr].directory = strdup(directory);
 	if (!excludeArray[excludeCtr].directory) {
 	        fprintf(stderr, "Out of memory.\n");
@@ -138,10 +144,6 @@ static int add_exclude(const char *direc
 	}
 	excludeArray[excludeCtr++].size = strlen(directory);
 	
-	if (excludeCtr > MAX_EXCLUDES) {
-	        fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
-	        return 1;
-	}
 	return 0;
 }
 

Re: New patch for fixfiles sed script

[Stephen Smalley]

On Wed, 2005-02-02 at 13:28, Stephen Smalley wrote:
> On Wed, 2005-02-02 at 12:46, Daniel J Walsh wrote:
> > Ok how about this patch.
> > 
> > Added -e flag for restorecon
> 
> Merged along with the attached patch as of policycoreutils 1.21.11.

Naturally, I noticed two other issues after committing:
1) restorecon/setfiles should just warn about non-existing directories
for -e, not bail out, as their absence just guarantees the exclusion and
use by scripts like fixfiles -C could very easily occur on a system that
was missing one of the typical directories.
2) restorecon was calling exclude() on the filename before realpath()
was applied, and was also incrementing the error count upon an exclude.

Patch below should fix.

Index: policycoreutils/restorecon/restorecon.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
retrieving revision 1.26
diff -u -r1.26 restorecon.c
--- policycoreutils/restorecon/restorecon.c	2 Feb 2005 18:26:21 -0000	1.26
+++ policycoreutils/restorecon/restorecon.c	2 Feb 2005 18:37:04 -0000
@@ -61,12 +61,12 @@
     return 1;
   }
   if(lstat(directory, &sb)) {
-    fprintf(stderr, "Directory \"%s\" not found.\n", directory);
-    return 1;
+    fprintf(stderr, "Directory \"%s\" not found, ignoring.\n", directory);
+    return 0;
   }
   if ((sb.st_mode & S_IFDIR) == 0 ) {
-    fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
-    return 1;
+    fprintf(stderr, "\"%s\" is not a Directory: mode %o, ignoring\n", directory,sb.st_mode);
+    return 0;
   }
 
   if (excludeCtr == MAX_EXCLUDES) {
@@ -130,9 +130,6 @@
   if (len > 0 && filename[len-1]=='/' && (strcmp(filename,"/") != 0)) {
     filename[len-1]=0;
   }
-  if (excludeCtr > 0 && exclude(filename)) {
-      return 1;
-  }
   if (lstat(filename, &st)!=0) {
     fprintf(stderr,"lstat(%s) failed: %s\n", filename,strerror(errno));
     return 1;
@@ -170,6 +167,9 @@
     }
     filename = p;
   }
+  if (excludeCtr > 0 && exclude(filename)) {
+      return 0;
+  }
   retval = matchpathcon(filename, st.st_mode, &scontext);
   if (retval < 0) {
     if (errno == ENOENT)
Index: policycoreutils/setfiles/setfiles.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/setfiles/setfiles.c,v
retrieving revision 1.31
diff -u -r1.31 setfiles.c
--- policycoreutils/setfiles/setfiles.c	2 Feb 2005 18:26:24 -0000	1.31
+++ policycoreutils/setfiles/setfiles.c	2 Feb 2005 18:37:48 -0000
@@ -124,12 +124,12 @@
 		return 1;
 	}
 	if(lstat(directory, &sb)) {
-	        fprintf(stderr, "Directory \"%s\" not found.\n", directory);
-	        return 1;
+	        fprintf(stderr, "Directory \"%s\" not found, ignoring.\n", directory);
+	        return 0;
 	}
 	if ((sb.st_mode & S_IFDIR) == 0 ) {
-	        fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
-	        return 1;
+	        fprintf(stderr, "\"%s\" is not a Directory: mode %o, ignoring\n", directory,sb.st_mode);
+	        return 0;
 	}
 
 	if (excludeCtr == MAX_EXCLUDES) {


-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New patch for fixfiles sed script

[Daniel J Walsh]

One more fix to sed script

 +++ policycoreutils-1.21.10/scripts/fixfiles  2005-02-02 
13:37:23.000000000 -0500
166,168c166,168
< +               -e 's|\.\*|*|g' \
< +               -e 's|\.\+|*|g' | \
< +     sort -u | \
---
 > +               -e 's|\.\*.*|*|g' \
 > +               -e 's|\.\+.*|*|g' | \
 > +     sort -d -u | \
179c179
< +     ${RESTORECON} -R $2 -v -e /root -e /home -e /tmp -e /var/tmp -f -
---
 > +      ${RESTORECON} -R $2 -v -e /root -e /home -e /tmp -e /var/tmp 
-e /dev -f -
185c185


Stephen Smalley wrote:

>On Wed, 2005-02-02 at 12:46, Daniel J Walsh wrote:
>  
>
>>Ok how about this patch.
>>
>>Added -e flag for restorecon
>>    
>>
>
>Merged along with the attached patch as of policycoreutils 1.21.11.
>
>  
>
>------------------------------------------------------------------------
>
>Index: policycoreutils/restorecon/restorecon.c
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
>retrieving revision 1.25
>diff -u -p -r1.25 restorecon.c
>--- policycoreutils/restorecon/restorecon.c	2 Feb 2005 18:09:33 -0000	1.25
>+++ policycoreutils/restorecon/restorecon.c	2 Feb 2005 18:19:16 -0000
>@@ -50,7 +50,7 @@ static int force=0;
> static int excludeCtr=0;
> struct edir {
> 	char *directory;
>-        int size;
>+        size_t size;
> };
> static struct edir excludeArray[MAX_EXCLUDES];
> static int add_exclude(const char *directory) {
>@@ -68,6 +68,12 @@ static int add_exclude(const char *direc
>     fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
>     return 1;
>   }
>+
>+  if (excludeCtr == MAX_EXCLUDES) {
>+    fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
>+    return 1;
>+  }
>+
>    excludeArray[excludeCtr].directory = strdup(directory);
>   if (!excludeArray[excludeCtr].directory) {
>     fprintf(stderr, "Out of memory.\n");
>@@ -75,10 +81,6 @@ static int add_exclude(const char *direc
>   }
>   excludeArray[excludeCtr++].size = strlen(directory);
> 
>-  if (excludeCtr > MAX_EXCLUDES) {
>-    fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
>-    return 1;
>-  }
>   return 0;
> }
> static int exclude(const char *file) {
>Index: policycoreutils/setfiles/setfiles.c
>===================================================================
>RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/setfiles/setfiles.c,v
>retrieving revision 1.30
>diff -u -p -r1.30 setfiles.c
>--- policycoreutils/setfiles/setfiles.c	2 Feb 2005 18:09:37 -0000	1.30
>+++ policycoreutils/setfiles/setfiles.c	2 Feb 2005 18:20:18 -0000
>@@ -83,7 +83,7 @@ static int force=0;
> static int excludeCtr=0;
> struct edir {
> 	char *directory;
>-        int size;
>+        size_t size;
> };
> static struct edir excludeArray[MAX_EXCLUDES];
> 
>@@ -131,6 +131,12 @@ static int add_exclude(const char *direc
> 	        fprintf(stderr, "\"%s\" is not a Directory: mode %o\n", directory,sb.st_mode);
> 	        return 1;
> 	}
>+
>+	if (excludeCtr == MAX_EXCLUDES) {
>+	        fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
>+	        return 1;
>+	}
>+
> 	excludeArray[excludeCtr].directory = strdup(directory);
> 	if (!excludeArray[excludeCtr].directory) {
> 	        fprintf(stderr, "Out of memory.\n");
>@@ -138,10 +144,6 @@ static int add_exclude(const char *direc
> 	}
> 	excludeArray[excludeCtr++].size = strlen(directory);
> 	
>-	if (excludeCtr > MAX_EXCLUDES) {
>-	        fprintf(stderr, "Maximum excludes %d exceeded.\n", MAX_EXCLUDES);
>-	        return 1;
>-	}
> 	return 0;
> }
> 
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.