some policy patches

some policy patches

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 208 bytes --]

Nothing really exciting in this patch.  Just some minor fixes and sorting out 
some of the distro-specific stuff.

-- 
US IT executives rate Red Hat #1 for value
http://www.redhat.com/promo/vendor/index.html

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 20520 bytes --]

diff -ru /usr/src/se/policy/domains/program/crond.te ./domains/program/crond.te
--- /usr/src/se/policy/domains/program/crond.te	2005-01-14 22:26:51.000000000 +1100
+++ ./domains/program/crond.te	2005-02-02 07:29:28.000000000 +1100
@@ -26,6 +26,7 @@
 
 crond_domain(system)
 
+allow system_crond_t proc_mdstat_t:file { getattr read };
 allow system_crond_t proc_t:lnk_file read;
 allow system_crond_t proc_t:filesystem getattr;
 allow system_crond_t usbdevfs_t:filesystem getattr;
@@ -160,7 +161,6 @@
 # /sbin/runlevel needs lock access however
 dontaudit system_crond_t initrc_var_run_t:file write;
 allow system_crond_t initrc_var_run_t:file { getattr read lock };
-allow initrc_t system_cron_spool_t:file { getattr read };
 
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
diff -ru /usr/src/se/policy/domains/program/getty.te ./domains/program/getty.te
--- /usr/src/se/policy/domains/program/getty.te	2005-01-30 06:23:21.000000000 +1100
+++ ./domains/program/getty.te	2005-01-30 13:09:22.000000000 +1100
@@ -58,4 +58,3 @@
 
 rw_dir_create_file(getty_t, var_lock_t)
 r_dir_file(getty_t, sysfs_t)
-allow getty_t initrc_devpts_t:chr_file { read write };
diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2005-01-30 06:23:22.000000000 +1100
+++ ./domains/program/initrc.te	2005-02-03 22:09:02.000000000 +1100
@@ -49,7 +56,7 @@
 allow initrc_t usbfs_t:file getattr;
 
 # allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld setsched setpgid setrlimit getsched };
+allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
 
 # Can create ptys for open_init_pty
 can_create_pty(initrc)
@@ -61,11 +68,13 @@
 allow initrc_t var_run_t:dir { create rmdir };
 
 ifdef(`distro_debian', `
-allow initrc_t etc_t:dir setattr;
+allow initrc_t { etc_t device_t }:dir setattr;
 
 # for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
 file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-allow initrc_var_run_t tmpfs_t:filesystem associate;
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
 ')
 
 allow initrc_t framebuf_device_t:chr_file r_file_perms;
diff -ru /usr/src/se/policy/domains/program/ldconfig.te ./domains/program/ldconfig.te
--- /usr/src/se/policy/domains/program/ldconfig.te	2005-01-30 06:23:22.000000000 +1100
+++ ./domains/program/ldconfig.te	2004-12-23 19:24:00.000000000 +1100
@@ -26,6 +26,7 @@
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
 
 allow ldconfig_t userdomain:fd use;
+# unlink for when /etc/ld.so.cache is mislabeled
 allow ldconfig_t etc_t:file { getattr read unlink };
 allow ldconfig_t etc_t:lnk_file read;
 
@@ -37,12 +38,14 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
+ifdef(`distro_suse', `
+# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
+')
+
 allow ldconfig_t proc_t:file read;
+ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
 ')
+')dnl end hide_broken_symptoms
diff -ru /usr/src/se/policy/domains/program/login.te ./domains/program/login.te
--- /usr/src/se/policy/domains/program/login.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/login.te	2005-02-03 22:15:23.000000000 +1100
@@ -73,7 +73,9 @@
 # Set exec context.
 can_setexec($1_login_t)
 
+ifdef(`automount.te', `
 allow $1_login_t autofs_t:dir { search read getattr };
+')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
 if (use_nfs_home_dirs) {
@@ -188,10 +185,6 @@
 # Allow setting of attributes on power management devices.
 allow local_login_t power_device_t:chr_file { getattr setattr };
 
-ifdef(`hide_broken_symptoms', `
-dontaudit local_login_t init_t:fd use;
-')
-
 #################################
 #
 # Rules for the remote_login_t domain.
diff -ru /usr/src/se/policy/domains/program/logrotate.te ./domains/program/logrotate.te
--- /usr/src/se/policy/domains/program/logrotate.te	2005-01-14 22:26:53.000000000 +1100
+++ ./domains/program/logrotate.te	2005-02-03 15:57:46.000000000 +1100
@@ -21,12 +21,14 @@
 type logrotate_exec_t, file_type, sysadmfile, exec_type;
 
 system_crond_entry(logrotate_exec_t, logrotate_t)
+allow logrotate_t cron_spool_t:dir search;
 allow crond_t logrotate_var_lib_t:dir search;
 domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
 allow logrotate_t self:unix_stream_socket create_socket_perms;
 allow logrotate_t devtty_t:chr_file rw_file_perms;
 
 ifdef(`distro_debian', `
+allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 # for savelog
 can_exec(logrotate_t, logrotate_exec_t)
 ')
@@ -49,7 +51,6 @@
 # Create temporary files.
 tmp_domain(logrotate)
 can_exec(logrotate_t, logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };

 # Run helper programs.
 allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
diff -ru /usr/src/se/policy/domains/program/ssh.te ./domains/program/ssh.te
--- /usr/src/se/policy/domains/program/ssh.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/ssh.te	2005-02-03 22:21:53.000000000 +1100
@@ -73,7 +73,9 @@
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 if (use_nfs_home_dirs) {
+ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
+')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
 }
@@ -226,4 +228,3 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };
diff -ru /usr/src/se/policy/domains/program/sulogin.te ./domains/program/sulogin.te
--- /usr/src/se/policy/domains/program/sulogin.te	2004-12-13 09:55:22.000000000 +1100
+++ ./domains/program/sulogin.te	2005-02-03 16:01:51.000000000 +1100
@@ -16,9 +16,18 @@
 general_domain_access(sulogin_t)
 
 domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
+allow sulogin_t initrc_t:process getpgid;
 uses_shlib(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `
-# suse doesnt use pam with sulogin...
+define(`sulogin_no_pam', `')
+')
+ifdef(`distro_debian', `
+define(`sulogin_no_pam', `')
+')
+
+ifdef(`sulogin_no_pam', `
 domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
 allow sulogin_t init_t:process getpgid;
 allow sulogin_t self:capability sys_tty_config;
diff -ru /usr/src/se/policy/domains/program/tmpreaper.te ./domains/program/tmpreaper.te
--- /usr/src/se/policy/domains/program/tmpreaper.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/tmpreaper.te	2004-11-22 03:14:43.000000000 +1100
@@ -39,4 +37,4 @@
 allow tmpreaper_t catman_t:dir setattr;
 ')
 read_locale(tmpreaper_t)
-dontaudit tmpreaper_t init_t:fd use;
+
diff -ru /usr/src/se/policy/domains/program/unused/amanda.te ./domains/program/unused/amanda.te
--- /usr/src/se/policy/domains/program/unused/amanda.te	2005-01-14 22:26:57.000000000 +1100
+++ ./domains/program/unused/amanda.te	2004-12-03 19:56:13.000000000 +1100
@@ -241,6 +241,8 @@
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
+allow amanda_recover_t privfd:fd use;
+
 
 # amrecover network and process communication
 #############################################
diff -ru /usr/src/se/policy/domains/program/unused/asterisk.te ./domains/program/unused/asterisk.te
--- /usr/src/se/policy/domains/program/unused/asterisk.te	2004-12-03 19:49:22.000000000 +1100
+++ ./domains/program/unused/asterisk.te	2005-01-19 04:25:31.000000000 +1100
@@ -48,8 +48,8 @@
 allow asterisk_t self:sem create_sem_perms;
 allow asterisk_t self:shm create_shm_perms;
 
-# for /var/run/asterisk
-allow asterisk_t self:capability dac_override;
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
 
 # for shutdown
 dontaudit asterisk_t self:capability sys_tty_config;
diff -ru /usr/src/se/policy/domains/program/unused/backup.te ./domains/program/unused/backup.te
--- /usr/src/se/policy/domains/program/unused/backup.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/backup.te	2005-01-03 01:15:13.000000000 +1100
@@ -26,7 +26,7 @@
 # for SSP
 allow backup_t urandom_device_t:chr_file read;
 
-can_network_server(backup_t)
+can_network_client(backup_t)
 can_ypbind(backup_t)
 uses_shlib(backup_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2005-01-14 22:26:58.000000000 +1100
+++ ./domains/program/unused/bootloader.te	2005-02-03 15:56:03.000000000 +1100
@@ -10,7 +10,7 @@
 #
 # bootloader_exec_t is the type of the bootloader executable.
 #
-type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role');
+type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
 type bootloader_exec_t, file_type, sysadmfile, exec_type;
 etc_domain(bootloader)
 typealias bootloader_etc_t alias etc_bootloader_t;
@@ -28,8 +28,7 @@
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t { initrc_t privfd }:fd use;
 
-tmp_domain(bootloader, `, device_type')
-allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;
+tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
 
 read_locale(bootloader_t)
 
@@ -39,12 +38,33 @@
 # for /vmlinuz sym link
 allow bootloader_t root_t:lnk_file read;
 
+# lilo would need read access to get BIOS data
+allow bootloader_t proc_kcore_t:file getattr;
+
 allow bootloader_t { etc_t device_t }:dir r_dir_perms;
 allow bootloader_t etc_t:file r_file_perms;
 allow bootloader_t etc_t:lnk_file read;
+allow bootloader_t initctl_t:fifo_file getattr;
 uses_shlib(bootloader_t)
 
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+allow bootloader_t usr_t:lnk_file read;
+allow bootloader_t tmpfs_t:dir r_dir_perms;
+allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+allow bootloader_t var_lib_t:dir search;
+allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+allow bootloader_t dpkg_var_lib_t:file { getattr read };
+# for /usr/share/initrd-tools/scripts
+can_exec(bootloader_t, usr_t)
+')
+
 allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
 allow bootloader_t device_t:lnk_file { getattr read };
 
 # LVM2 / Device Mapper's /dev/mapper/control
@@ -52,6 +72,7 @@
 ifdef(`lvm.te', `
 allow bootloader_t lvm_control_t:chr_file rw_file_perms;
 domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+allow lvm_t bootloader_tmp_t:file rw_file_perms;
 r_dir_file(bootloader_t, lvm_etc_t)
 ')
 
diff -ru /usr/src/se/policy/domains/program/unused/ciped.te ./domains/program/unused/ciped.te
--- /usr/src/se/policy/domains/program/unused/ciped.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/ciped.te	2005-01-03 01:27:19.000000000 +1100
@@ -7,7 +7,7 @@
 
 type cipe_port_t, port_type;
 
-can_network_server(ciped_t)
+can_network_udp(ciped_t)
 can_ypbind(ciped_t)
 allow ciped_t cipe_port_t:udp_socket name_bind;
 
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/cups.te	2005-01-02 23:09:50.000000000 +1100
@@ -33,8 +33,10 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
 
+ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
+')
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
diff -ru /usr/src/se/policy/domains/program/unused/dpkg.te ./domains/program/unused/dpkg.te
--- /usr/src/se/policy/domains/program/unused/dpkg.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/dpkg.te	2005-02-03 15:56:50.000000000 +1100
@@ -179,7 +179,7 @@
 typealias apt_etc_t alias etc_apt_t;
 type apt_rw_etc_t, file_type, sysadmfile;
 typealias apt_rw_etc_t alias etc_apt_rw_t;
-tmp_domain(apt)
+tmp_domain(apt, `', `{ dir file lnk_file }')
 can_exec(apt_t, apt_tmp_t)
 
 rw_dir_create_file(apt_t, apt_rw_etc_t)
diff -ru /usr/src/se/policy/domains/program/unused/ftpd.te ./domains/program/unused/ftpd.te
--- /usr/src/se/policy/domains/program/unused/ftpd.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/unused/ftpd.te	2004-12-01 14:35:19.000000000 +1100
@@ -34,7 +34,10 @@
 allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
-')
+ifdef(`logrotate.te', `
+can_exec(ftpd_t, logrotate_exec_t)
+')dnl end if logrotate.te
+')dnl end if crond.te
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 allow ftpd_t port_t:tcp_socket name_bind;
@@ -87,7 +90,9 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t selinux_config_t:dir search;
+ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir search;
+')
 allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
diff -ru /usr/src/se/policy/domains/program/unused/hotplug.te ./domains/program/unused/hotplug.te
--- /usr/src/se/policy/domains/program/unused/hotplug.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/hotplug.te	2005-01-03 01:36:14.000000000 +1100
@@ -163,4 +163,4 @@
 unconfined_domain(hotplug_t) 
 ')
 
- allow kernel_t hotplug_etc_t:dir search;
+allow kernel_t hotplug_etc_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/inetd.te ./domains/program/unused/inetd.te
--- /usr/src/se/policy/domains/program/unused/inetd.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/inetd.te	2005-02-02 00:27:43.000000000 +1100
@@ -55,6 +58,8 @@
 
 
 inetd_child_domain(inetd_child)
+allow inetd_child_t proc_net_t:dir search;
+allow inetd_child_t proc_net_t:file { getattr read };
 
 ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
diff -ru /usr/src/se/policy/domains/program/unused/iptables.te ./domains/program/unused/iptables.te
--- /usr/src/se/policy/domains/program/unused/iptables.te	2005-01-14 22:26:59.000000000 +1100
+++ ./domains/program/unused/iptables.te	2005-01-03 01:11:29.000000000 +1100
@@ -36,7 +36,7 @@
 
 # for iptables -L
 allow iptables_t self:unix_stream_socket create_socket_perms;
-can_network_server(iptables_t)
+can_resolve(iptables_t)
 can_ypbind(iptables_t)
 
 allow iptables_t iptables_exec_t:file execute_no_trans;
diff -ru /usr/src/se/policy/domains/program/unused/lpd.te ./domains/program/unused/lpd.te
--- /usr/src/se/policy/domains/program/unused/lpd.te	2005-01-14 22:27:00.000000000 +1100
+++ ./domains/program/unused/lpd.te	2005-02-03 22:35:34.000000000 +1100
@@ -36,7 +36,7 @@
 type checkpc_t, domain, privlog;
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
-can_network_server(checkpc_t)
+can_network_client(checkpc_t)
 can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff -ru /usr/src/se/policy/domains/program/unused/mdadm.te ./domains/program/unused/mdadm.te
--- /usr/src/se/policy/domains/program/unused/mdadm.te	2004-11-13 03:56:02.000000000 +1100
+++ ./domains/program/unused/mdadm.te	2005-02-03 22:36:28.000000000 +1100
@@ -27,6 +27,7 @@
 
 # RAID block device access
 allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
+allow mdadm_t device_t:lnk_file { getattr read };
 
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
diff -ru /usr/src/se/policy/domains/program/unused/mrtg.te ./domains/program/unused/mrtg.te
--- /usr/src/se/policy/domains/program/unused/mrtg.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/mrtg.te	2005-01-31 22:36:33.000000000 +1100
@@ -31,7 +31,7 @@
 r_dir_file(mrtg_t, lib_t)
 
 # Use the network.
-can_network_server(mrtg_t)
+can_network_client(mrtg_t)
 can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
@@ -53,7 +53,8 @@
 r_dir_file(mrtg_t, snmpd_var_lib_t)
 ')
 
-allow mrtg_t proc_t:file { read getattr };
+allow mrtg_t proc_net_t:dir search;
+allow mrtg_t { proc_t proc_net_t }:file { read getattr };
 dontaudit mrtg_t proc_t:file ioctl;
 
 allow mrtg_t { var_lock_t var_lib_t }:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/named.te ./domains/program/unused/named.te
--- /usr/src/se/policy/domains/program/unused/named.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/named.te	2005-02-03 22:38:57.000000000 +1100
@@ -84,7 +84,7 @@
 allow named_t sysctl_kernel_t:dir r_dir_perms;
 allow named_t sysctl_kernel_t:file r_file_perms;
 
-# Read /proc/cpuinfo.
+# Read /proc/cpuinfo and /proc/net
 r_dir_file(named_t, proc_t)
 r_dir_file(named_t, proc_net_t)
 
@@ -109,6 +109,8 @@
 # for /etc/rndc.key
 ifdef(`distro_redhat', `
 allow { ndc_t initrc_t } named_conf_t:dir search;
+# Allow init script to cp localtime to named_conf_t
+allow initrc_t named_conf_t:file { setattr write };
 ')
 allow { ndc_t initrc_t } named_conf_t:file { getattr read };
 
@@ -153,5 +155,3 @@
 ')
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { write };
diff -ru /usr/src/se/policy/domains/program/unused/nessusd.te ./domains/program/unused/nessusd.te
--- /usr/src/se/policy/domains/program/unused/nessusd.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/nessusd.te	2005-01-03 01:29:31.000000000 +1100
@@ -22,7 +22,7 @@
 #tmp_domain(nessusd)
 
 # Use the network.
-can_network_server(nessusd_t)
+can_network(nessusd_t)
 can_ypbind(nessusd_t)
 allow nessusd_t self:unix_stream_socket create_socket_perms;
 #allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff -ru /usr/src/se/policy/domains/program/unused/nscd.te ./domains/program/unused/nscd.te
--- /usr/src/se/policy/domains/program/unused/nscd.te	2005-01-14 22:27:00.000000000 +1100
+++ ./domains/program/unused/nscd.te	2005-01-30 12:47:20.000000000 +1100
@@ -56,6 +56,7 @@
 
 dontaudit nscd_t sysadm_home_dir_t:dir search;
 
+ifdef(`winbind.te', `
 #
 # Handle winbind for samba, Might only be needed for targeted policy
 #
@@ -63,6 +64,7 @@
 can_unix_connect(nscd_t, winbind_t)
 allow nscd_t samba_var_t:dir search;
 allow nscd_t winbind_var_run_t:dir { getattr search };
+')
 
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
@@ -70,4 +72,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+allow nscd_t urandom_device_t:chr_file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/nsd.te ./domains/program/unused/nsd.te
--- /usr/src/se/policy/domains/program/unused/nsd.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/nsd.te	2005-01-03 01:26:19.000000000 +1100
@@ -19,7 +19,7 @@
 type nsd_crond_t, domain, privlog;
 role system_r types nsd_crond_t;
 uses_shlib(nsd_crond_t)
-can_network_server(nsd_crond_t)
+can_network_client(nsd_crond_t)
 can_ypbind(nsd_crond_t)
 allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
 allow nsd_crond_t self:process { fork signal_perms };

Re: some policy patches

[James Carter]

Merged.  

Except that a chunk in ssh.te and login.te reverted Dan's removal of
ifdef(`automount.te' statements.  Was there a reason for this?

On Thu, 2005-02-03 at 07:50, Russell Coker wrote:
> Nothing really exciting in this patch.  Just some minor fixes and sorting out 
> some of the distro-specific stuff.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: some policy patches

[Daniel J Walsh]

James Carter wrote:

>Merged.  
>
>Except that a chunk in ssh.te and login.te reverted Dan's removal of
>ifdef(`automount.te' statements.  Was there a reason for this?
>
>On Thu, 2005-02-03 at 07:50, Russell Coker wrote:
>  
>
>>Nothing really exciting in this patch.  Just some minor fixes and sorting out 
>>some of the distro-specific stuff.
>>    
>>
automount.te statements break targeted policy and autofs is defined 
outside of automount.te so they should not be there.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

More patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 329 bytes --]

Ivan has some more cleanup of x_client apps.
Also added execmod to httpd for php
Moved +r_dir_file(httpd_t, httpd_$1_content_t) outside boolean
so you should be able to serve pages with httpd with all booleans turned 
off.

You are missing NetworkManager from your latest pool, even though 
comment says it is there.

Dan

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 22774 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.8/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/apache.te	2005-04-06 07:32:56.000000000 -0400
@@ -119,6 +119,12 @@
 allow httpd_t port_type:tcp_socket name_connect;
 }
 
+##########################################
+# Legacy: remove when it's fixed         #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
 #########################################
 # Allow httpd to search users directories
 #########################################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.8/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/hald.te	2005-04-06 07:31:54.000000000 -0400
@@ -31,7 +31,6 @@
 allow hald_t usr_t:file { getattr read };
 
 allow hald_t bin_t:file getattr;
-allow hald_t self:netlink_socket create_socket_perms;
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.8/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/domains/program/unused/NetworkManager.te	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,78 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.8/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/file_contexts/distros.fc	2005-04-06 07:32:56.000000000 -0400
@@ -69,7 +69,7 @@
 # Some of them should be fixed and removed from this list
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
@@ -123,6 +123,8 @@
 /usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
 /usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
 /usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.8/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/file_contexts/program/NetworkManager.fc	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager 
+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.8/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/base_user_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -282,6 +280,9 @@
 #
 dontaudit $1_t usr_t:file setattr;
 
+# Use X
+x_client_domain($1, $1)
+
 ifdef(`xserver.te', `
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@@ -291,13 +292,7 @@
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-# certain apps want to read xdm.pid file
+# certain apps want to read xdm.pid file 
 r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
 allow xdm_t $1_home_dir_t:dir getattr;
@@ -305,9 +300,6 @@
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 ')
 
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 ')dnl end ifdef xdm.te
 
 # Access the sound device.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.8/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/apache_macros.te	2005-04-06 07:31:54.000000000 -0400
@@ -136,8 +136,8 @@
 r_dir_file(httpd_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
 }
+r_dir_file(httpd_t, httpd_$1_content_t)
 
 ')
 define(`apache_user_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.8/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/gift_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -18,7 +18,7 @@
 role $1_r types $1_gift_t;
 
 # X access, Home files 
-x_client_domain($1, gift)
+x_client_domain($1_gift, $1)
 home_domain($1, gift)
 
 uses_shlib($1_gift_t)
@@ -26,12 +26,15 @@
 read_sysctl($1_gift_t)
 access_terminal($1_gift_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
-r_dir_file($1_gift_t, fonts_t)
 
 # Launch gift daemon
 allow $1_gift_t bin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.8/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/java_macros.te	2005-04-06 07:37:13.000000000 -0400
@@ -32,7 +32,6 @@
 allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
 allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t etc_runtime_t:file { getattr read };
 allow $1_javaplugin_t fs_t:filesystem getattr;
@@ -58,36 +57,9 @@
 if (allow_execmem) {
 allow $1_javaplugin_t self:process execmem;
 }
-# Allow connections to X server.
-ifdef(`xserver.te', `
 
-ifdef(`xdm.te', `
-# for when /tmp/.X11-unix is created by the system
-allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
-allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
-allow $1_javaplugin_t xdm_tmp_t:dir search;
-allow $1_javaplugin_t xdm_tmp_t:sock_file write;
-')
-
-ifdef(`startx.te', `
-# for when /tmp/.X11-unix is created by the X server
-allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
-
-# for /tmp/.X0-lock
-allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
-
-allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
-can_unix_connect($1_javaplugin_t, $2_xserver_t)
-')dnl end startx
-
-can_unix_connect($1_javaplugin_t, xdm_xserver_t)
-allow xdm_xserver_t $1_javaplugin_t:fd use;
-allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
-dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
-
-')dnl end xserver
-
-allow $1_javaplugin_t self:shm create_shm_perms;
+# Connect to X server
+x_client_domain($1_javaplugin, $2) 
 
 uses_shlib($1_javaplugin_t)
 read_locale($1_javaplugin_t)
@@ -121,4 +93,5 @@
 
 # Do not audit read/getattr of .fonts-cache-1
 dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.8/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/mozilla_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,7 +26,7 @@
 
 # X access, Home files
 home_domain($1, mozilla)
-x_client_domain($1, mozilla)
+x_client_domain($1_mozilla, $1)
 
 # Browse files
 file_browse_domain($1_mozilla_t)
@@ -43,6 +43,10 @@
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
 allow $1_mozilla_t $1_t:process signull;
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_t:process signal_perms;
+
 # Fork, set resource limits and scheduling info.
 allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.8/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.8/macros/program/mplayer_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -15,6 +15,10 @@
 # Read global config
 r_dir_file($1_$2_t, mplayer_etc_t)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_$2_t)
+allow $1_t $1_$2_t:process signal_perms;
+
 # Read data in /usr/share (fonts, icons..)
 r_dir_file($1_$2_t, usr_t)
 
@@ -72,7 +76,7 @@
 
 # Home access, X access, Browse files
 home_domain($1, mplayer)
-x_client_domain($1, mplayer)
+x_client_domain($1_mplayer, $1)
 file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.8/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_agent_macros.te	2005-04-06 07:32:40.000000000 -0400
@@ -63,7 +63,7 @@
 allow $1_ssh_agent_t self:capability setgid;
 
 # access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # for ssh-add
 can_unix_connect($1_t, $1_ssh_agent_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.8/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -129,18 +129,8 @@
 # allow ps to show ssh
 can_ps($1_t, $1_ssh_t)
 
-ifdef(`xserver.te', `
-# Communicate with the X server.
-ifdef(`startx.te', `
-can_unix_connect($1_ssh_t, $1_xserver_t)
-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_ssh_t $1_xserver_tmp_t:dir search;
-')dnl end if startx
-ifdef(`xdm.te', `
-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-')
-')dnl end if xserver
+# Connect to X server
+x_client_domain($1_ssh, $1)
 
 ifdef(`ssh-agent.te', `
 ssh_agent_domain($1)
@@ -167,16 +157,6 @@
 allow $1_ssh_keysign_t self:file { getattr read };
 allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-ifdef(`xdm.te', `
-# should be able to remove these two later
-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-allow $1_ssh_t xdm_xserver_t:fd use;
-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t xdm_t:fd use;
-')dnl end if xdm.te
 ')dnl end macro definition
 ', `
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.8/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/tvtime_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,13 +26,17 @@
 
 # X access, Home files
 home_domain($1, tvtime)
-x_client_domain($1, tvtime)
+x_client_domain($1_tvtime, $1)
 
 uses_shlib($1_tvtime_t)
 read_locale($1_tvtime_t)
 read_sysctl($1_tvtime_t)
 access_terminal($1_tvtime_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_tvtime_t)
+allow $1_t $1_tvtime_t:process signal_perms;
+
 # Read /etc/tvtime
 allow $1_tvtime_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.8/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/x_client_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -1,5 +1,5 @@
 #
-# Macros for X client programs ($2 etc)
+# Macros for X client programs 
 #
 
 #
@@ -8,6 +8,9 @@
 # and Timothy Fraser 
 #
 
+# Allows clients to write to the X server's shm 
+bool allow_write_xshm false;
+
 define(`xsession_domain', `
 
 # Connect to xserver
@@ -23,73 +26,73 @@
 # Signal Xserver
 allow $1_t $2_xserver_t:process signal;
 
-# Use file descriptors created by each other.
-allow $1_t $2_xserver_t:fd use;
+# Xserver read/write client shm
 allow $2_xserver_t $1_t:fd use;
-
-# Xserver read/write parent shm
 allow $2_xserver_t $1_t:shm rw_shm_perms;
 allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
 
-# Parent read xserver shm
+# Client read xserver shm
+allow $1_t $2_xserver_t:fd use;
 allow $1_t $2_xserver_t:shm r_shm_perms;
 allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+
+# Client write xserver shm
+if (allow_write_xshm) {
+allow $1_t $2_xserver_t:shm rw_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
+}
+
 ')
 
 #
-# x_client_domain(user, app)
+# x_client_domain(client, role)
 #
-# Defines common X access rules for the user_app_t domain
+# Defines common X access rules for the client domain
 #
 define(`x_client_domain',`
 
-allow $1_$2_t self:unix_dgram_socket create_socket_perms;
-allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
+# Create socket to communicate with X server
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
+# Read .Xauthority file
 ifdef(`xauth.te',`
-allow $1_$2_t $1_xauth_home_t:file { getattr read };
+allow $1_t home_root_t:dir { search getattr };
+allow $1_t $2_xauth_home_t:file { getattr read };
 ')
 
-# Allow the user domain to send any signal to the $2 process.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
 # for .xsession-errors
-dontaudit $1_$2_t $1_home_t:file write;
+dontaudit $1_t $2_home_t:file write;
 
 # for X over a ssh tunnel
 ifdef(`ssh.te', `
-can_tcp_connect($1_$2_t, sshd_t)
+can_tcp_connect($1_t, sshd_t)
 ')
 
-# Read the home directory, e.g. for .Xauthority and to get to config files
-allow $1_$2_t home_root_t:dir { search getattr };
-
 # Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1_$2)
-
-allow $1_$2_t self:shm create_shm_perms;
+tmpfs_domain($1)
+allow $1_t self:shm create_shm_perms;
 
 # allow X client to read all font files
-r_dir_file($1_$2_t, fonts_t)
+r_dir_file($1_t, fonts_t)
 
 # Allow connections to X server.
 ifdef(`xserver.te', `
-allow $1_$2_t tmp_t:dir search;
+allow $1_t tmp_t:dir search;
 
 ifdef(`xdm.te', `
-xsession_domain($1_$2, xdm)
+xsession_domain($1, xdm)
 
 # for when /tmp/.X11-unix is created by the system
-allow $1_$2_t xdm_t:fifo_file rw_file_perms;
-allow $1_$2_t xdm_tmp_t:dir search;
-allow $1_$2_t xdm_tmp_t:sock_file { read write };
-allow $1_$2_t xdm_t:fd use;
-dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+allow $1_t xdm_t:fifo_file rw_file_perms;
+allow $1_t xdm_tmp_t:dir search;
+allow $1_t xdm_tmp_t:sock_file { read write };
+allow $1_t xdm_t:fd use;
+dontaudit $1_t xdm_t:tcp_socket { read write };
 ')
 
 ifdef(`startx.te', `
-xsession_domain($1_$2, $1)
+xsession_domain($1, $2)
 ')dnl end startx
 
 ')dnl end xserver
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.8/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.8/man/man8/httpd_selinux.8	2005-04-06 07:31:54.000000000 -0400
@@ -75,6 +75,21 @@
 setsebool -P httpd_unified 0
 
 .TP
+httpd can be configured to turn off internal scripting (PHP).  PHP and other
+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+.br
+
+setsebool -P httpd_builtin_scripting 0
+
+.TP
+httpd scripts by default are not allowed to connect out to the network.
+This would prevent a hacker from breaking into you httpd server and attacking 
+other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
+.br
+
+setsebool -P httpd_can_network_connect 1
+
+.TP
 You can disable SELinux protection for the httpd daemon by executing:
 .br
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.8/targeted/domains/program/modutil.te
--- nsapolicy/targeted/domains/program/modutil.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.8/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.8/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/distro.tun	2005-04-06 07:31:54.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.8/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/tunable.tun	2005-04-06 07:31:54.000000000 -0400
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: More patches

[James Carter]

On Wed, 2005-04-06 at 07:51 -0400, Daniel J Walsh wrote:
> Ivan has some more cleanup of x_client apps.
> Also added execmod to httpd for php
> Moved +r_dir_file(httpd_t, httpd_$1_content_t) outside boolean
> so you should be able to serve pages with httpd with all booleans turned 
> off.
> 
> You are missing NetworkManager from your latest pool, even though 
> comment says it is there.

Forgot to cvs add it on sourceforge.  It is committed now.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Daniel J Walsh]

James Carter wrote:

>On Wed, 2005-04-06 at 07:51 -0400, Daniel J Walsh wrote:
>  
>
>>Ivan has some more cleanup of x_client apps.
>>Also added execmod to httpd for php
>>Moved +r_dir_file(httpd_t, httpd_$1_content_t) outside boolean
>>so you should be able to serve pages with httpd with all booleans turned 
>>off.
>>
>>You are missing NetworkManager from your latest pool, even though 
>>comment says it is there.
>>    
>>
>
>Forgot to cvs add it on sourceforge.  It is committed now.
>
>
>  
>
Hold off on that patch.  Some of the x_client changes are not working 
correctly.  I will submit a fixed patch soon.

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 46 bytes --]

Fixed the patches, so they will build.

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 24156 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.8/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/apache.te	2005-04-06 07:32:56.000000000 -0400
@@ -119,6 +119,12 @@
 allow httpd_t port_type:tcp_socket name_connect;
 }
 
+##########################################
+# Legacy: remove when it's fixed         #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
 #########################################
 # Allow httpd to search users directories
 #########################################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.8/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/hald.te	2005-04-06 07:31:54.000000000 -0400
@@ -31,7 +31,6 @@
 allow hald_t usr_t:file { getattr read };
 
 allow hald_t bin_t:file getattr;
-allow hald_t self:netlink_socket create_socket_perms;
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.8/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/domains/program/unused/NetworkManager.te	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,78 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.8/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/file_contexts/distros.fc	2005-04-06 07:32:56.000000000 -0400
@@ -69,7 +69,7 @@
 # Some of them should be fixed and removed from this list
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
@@ -123,6 +123,8 @@
 /usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
 /usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
 /usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.8/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/file_contexts/program/NetworkManager.fc	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager 
+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.8/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/base_user_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -124,8 +124,6 @@
 # Use the type when relabeling pty devices.
 type_change $1_t server_pty:chr_file $1_devpts_t;
 
-tmpfs_domain($1)
-
 ifdef(`cardmgr.te', `
 # to allow monitoring of pcmcia status
 allow $1_t cardmgr_var_run_t:file { getattr read };
@@ -282,6 +280,9 @@
 #
 dontaudit $1_t usr_t:file setattr;
 
+# Use X
+x_client_domain($1, $1)
+
 ifdef(`xserver.te', `
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@@ -291,13 +292,7 @@
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-# certain apps want to read xdm.pid file
+# certain apps want to read xdm.pid file 
 r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
 allow xdm_t $1_home_dir_t:dir getattr;
@@ -305,9 +300,6 @@
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 ')
 
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 ')dnl end ifdef xdm.te
 
 # Access the sound device.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.8/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/global_macros.te	2005-04-06 08:25:01.000000000 -0400
@@ -433,11 +433,14 @@
 ')
 
 define(`tmpfs_domain', `
+ifdef(`$1_tmpfs_t_defined',`', `
+define(`$1_tmpfs_t_defined')
 type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
 # Use this type when creating tmpfs/shm objects.
 file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
 allow $1_tmpfs_t tmpfs_t:filesystem associate;
 ')
+')
 
 define(`var_lib_domain', `
 type $1_var_lib_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.8/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/apache_macros.te	2005-04-06 07:31:54.000000000 -0400
@@ -136,8 +136,8 @@
 r_dir_file(httpd_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
 }
+r_dir_file(httpd_t, httpd_$1_content_t)
 
 ')
 define(`apache_user_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.8/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/games_domain.te	2005-04-06 08:32:36.000000000 -0400
@@ -20,7 +20,7 @@
 role $1_r types $1_games_t;
 
 # X access, /tmp files
-x_client_domain($1, games)
+x_client_domain($1_games, $1)
 tmp_domain($1_games)
 
 uses_shlib($1_games_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.8/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/gift_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -18,7 +18,7 @@
 role $1_r types $1_gift_t;
 
 # X access, Home files 
-x_client_domain($1, gift)
+x_client_domain($1_gift, $1)
 home_domain($1, gift)
 
 uses_shlib($1_gift_t)
@@ -26,12 +26,15 @@
 read_sysctl($1_gift_t)
 access_terminal($1_gift_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
-r_dir_file($1_gift_t, fonts_t)
 
 # Launch gift daemon
 allow $1_gift_t bin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.8/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/java_macros.te	2005-04-06 07:37:13.000000000 -0400
@@ -32,7 +32,6 @@
 allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
 allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t etc_runtime_t:file { getattr read };
 allow $1_javaplugin_t fs_t:filesystem getattr;
@@ -58,36 +57,9 @@
 if (allow_execmem) {
 allow $1_javaplugin_t self:process execmem;
 }
-# Allow connections to X server.
-ifdef(`xserver.te', `
 
-ifdef(`xdm.te', `
-# for when /tmp/.X11-unix is created by the system
-allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
-allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
-allow $1_javaplugin_t xdm_tmp_t:dir search;
-allow $1_javaplugin_t xdm_tmp_t:sock_file write;
-')
-
-ifdef(`startx.te', `
-# for when /tmp/.X11-unix is created by the X server
-allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
-
-# for /tmp/.X0-lock
-allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
-
-allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
-can_unix_connect($1_javaplugin_t, $2_xserver_t)
-')dnl end startx
-
-can_unix_connect($1_javaplugin_t, xdm_xserver_t)
-allow xdm_xserver_t $1_javaplugin_t:fd use;
-allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
-dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
-
-')dnl end xserver
-
-allow $1_javaplugin_t self:shm create_shm_perms;
+# Connect to X server
+x_client_domain($1_javaplugin, $2) 
 
 uses_shlib($1_javaplugin_t)
 read_locale($1_javaplugin_t)
@@ -121,4 +93,5 @@
 
 # Do not audit read/getattr of .fonts-cache-1
 dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.8/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/mozilla_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,7 +26,7 @@
 
 # X access, Home files
 home_domain($1, mozilla)
-x_client_domain($1, mozilla)
+x_client_domain($1_mozilla, $1)
 
 # Browse files
 file_browse_domain($1_mozilla_t)
@@ -43,6 +43,10 @@
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
 allow $1_mozilla_t $1_t:process signull;
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_t:process signal_perms;
+
 # Fork, set resource limits and scheduling info.
 allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.8/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.8/macros/program/mplayer_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -15,6 +15,10 @@
 # Read global config
 r_dir_file($1_$2_t, mplayer_etc_t)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_$2_t)
+allow $1_t $1_$2_t:process signal_perms;
+
 # Read data in /usr/share (fonts, icons..)
 r_dir_file($1_$2_t, usr_t)
 
@@ -72,7 +76,7 @@
 
 # Home access, X access, Browse files
 home_domain($1, mplayer)
-x_client_domain($1, mplayer)
+x_client_domain($1_mplayer, $1)
 file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.8/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_agent_macros.te	2005-04-06 07:32:40.000000000 -0400
@@ -63,7 +63,7 @@
 allow $1_ssh_agent_t self:capability setgid;
 
 # access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # for ssh-add
 can_unix_connect($1_t, $1_ssh_agent_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.8/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -129,18 +129,8 @@
 # allow ps to show ssh
 can_ps($1_t, $1_ssh_t)
 
-ifdef(`xserver.te', `
-# Communicate with the X server.
-ifdef(`startx.te', `
-can_unix_connect($1_ssh_t, $1_xserver_t)
-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_ssh_t $1_xserver_tmp_t:dir search;
-')dnl end if startx
-ifdef(`xdm.te', `
-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-')
-')dnl end if xserver
+# Connect to X server
+x_client_domain($1_ssh, $1)
 
 ifdef(`ssh-agent.te', `
 ssh_agent_domain($1)
@@ -167,16 +157,6 @@
 allow $1_ssh_keysign_t self:file { getattr read };
 allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-ifdef(`xdm.te', `
-# should be able to remove these two later
-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-allow $1_ssh_t xdm_xserver_t:fd use;
-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t xdm_t:fd use;
-')dnl end if xdm.te
 ')dnl end macro definition
 ', `
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.8/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/tvtime_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,13 +26,17 @@
 
 # X access, Home files
 home_domain($1, tvtime)
-x_client_domain($1, tvtime)
+x_client_domain($1_tvtime, $1)
 
 uses_shlib($1_tvtime_t)
 read_locale($1_tvtime_t)
 read_sysctl($1_tvtime_t)
 access_terminal($1_tvtime_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_tvtime_t)
+allow $1_t $1_tvtime_t:process signal_perms;
+
 # Read /etc/tvtime
 allow $1_tvtime_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.8/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/x_client_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -1,5 +1,5 @@
 #
-# Macros for X client programs ($2 etc)
+# Macros for X client programs 
 #
 
 #
@@ -8,6 +8,9 @@
 # and Timothy Fraser 
 #
 
+# Allows clients to write to the X server's shm 
+bool allow_write_xshm false;
+
 define(`xsession_domain', `
 
 # Connect to xserver
@@ -23,73 +26,73 @@
 # Signal Xserver
 allow $1_t $2_xserver_t:process signal;
 
-# Use file descriptors created by each other.
-allow $1_t $2_xserver_t:fd use;
+# Xserver read/write client shm
 allow $2_xserver_t $1_t:fd use;
-
-# Xserver read/write parent shm
 allow $2_xserver_t $1_t:shm rw_shm_perms;
 allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
 
-# Parent read xserver shm
+# Client read xserver shm
+allow $1_t $2_xserver_t:fd use;
 allow $1_t $2_xserver_t:shm r_shm_perms;
 allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+
+# Client write xserver shm
+if (allow_write_xshm) {
+allow $1_t $2_xserver_t:shm rw_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
+}
+
 ')
 
 #
-# x_client_domain(user, app)
+# x_client_domain(client, role)
 #
-# Defines common X access rules for the user_app_t domain
+# Defines common X access rules for the client domain
 #
 define(`x_client_domain',`
 
-allow $1_$2_t self:unix_dgram_socket create_socket_perms;
-allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
+# Create socket to communicate with X server
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
+# Read .Xauthority file
 ifdef(`xauth.te',`
-allow $1_$2_t $1_xauth_home_t:file { getattr read };
+allow $1_t home_root_t:dir { search getattr };
+allow $1_t $2_xauth_home_t:file { getattr read };
 ')
 
-# Allow the user domain to send any signal to the $2 process.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
 # for .xsession-errors
-dontaudit $1_$2_t $1_home_t:file write;
+dontaudit $1_t $2_home_t:file write;
 
 # for X over a ssh tunnel
 ifdef(`ssh.te', `
-can_tcp_connect($1_$2_t, sshd_t)
+can_tcp_connect($1_t, sshd_t)
 ')
 
-# Read the home directory, e.g. for .Xauthority and to get to config files
-allow $1_$2_t home_root_t:dir { search getattr };
-
 # Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1_$2)
-
-allow $1_$2_t self:shm create_shm_perms;
+tmpfs_domain($1)
+allow $1_t self:shm create_shm_perms;
 
 # allow X client to read all font files
-r_dir_file($1_$2_t, fonts_t)
+r_dir_file($1_t, fonts_t)
 
 # Allow connections to X server.
 ifdef(`xserver.te', `
-allow $1_$2_t tmp_t:dir search;
+allow $1_t tmp_t:dir search;
 
 ifdef(`xdm.te', `
-xsession_domain($1_$2, xdm)
+xsession_domain($1, xdm)
 
 # for when /tmp/.X11-unix is created by the system
-allow $1_$2_t xdm_t:fifo_file rw_file_perms;
-allow $1_$2_t xdm_tmp_t:dir search;
-allow $1_$2_t xdm_tmp_t:sock_file { read write };
-allow $1_$2_t xdm_t:fd use;
-dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+allow $1_t xdm_t:fifo_file rw_file_perms;
+allow $1_t xdm_tmp_t:dir search;
+allow $1_t xdm_tmp_t:sock_file { read write };
+allow $1_t xdm_t:fd use;
+dontaudit $1_t xdm_t:tcp_socket { read write };
 ')
 
 ifdef(`startx.te', `
-xsession_domain($1_$2, $1)
+xsession_domain($1, $2)
 ')dnl end startx
 
 ')dnl end xserver
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.8/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.8/man/man8/httpd_selinux.8	2005-04-06 07:31:54.000000000 -0400
@@ -75,6 +75,21 @@
 setsebool -P httpd_unified 0
 
 .TP
+httpd can be configured to turn off internal scripting (PHP).  PHP and other
+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+.br
+
+setsebool -P httpd_builtin_scripting 0
+
+.TP
+httpd scripts by default are not allowed to connect out to the network.
+This would prevent a hacker from breaking into you httpd server and attacking 
+other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
+.br
+
+setsebool -P httpd_can_network_connect 1
+
+.TP
 You can disable SELinux protection for the httpd daemon by executing:
 .br
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.8/targeted/domains/program/modutil.te
--- nsapolicy/targeted/domains/program/modutil.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.8/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.8/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/distro.tun	2005-04-06 07:31:54.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.8/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/tunable.tun	2005-04-06 07:31:54.000000000 -0400
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: More patches

[Ivan Gyurdiev]

>  allow hald_t bin_t:file getattr;
> -allow hald_t self:netlink_socket create_socket_perms;
>  allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow hald_t self:netlink_route_socket r_netlink_socket_perms;
>  allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };

Now I get one of these...

audit(1112809767.410:0): avc:  denied  { create } for  pid=7363
exe=/usr/sbin/hald scontext=root:system_r:hald_t
tcontext=root:system_r:hald_t tclass=netlink_socket

...and the console is flooded with those:

audit(1112809741.307:0): avc:  denied  { read } for  pid=2525
exe=/usr/sbin/hald scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:hald_t tclass=netlink_socket

Was this removed because of the kobject_uevent rule below it?
I can't remember if that rule was there to begin with, or if it 
was put in to address what I was debugging w/ Protocol 15 (?) being
denied. 

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Daniel J Walsh]

Ivan Gyurdiev wrote:

>> allow hald_t bin_t:file getattr;
>>-allow hald_t self:netlink_socket create_socket_perms;
>> allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
>> allow hald_t self:netlink_route_socket r_netlink_socket_perms;
>> allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
>>    
>>
>
>Now I get one of these...
>
>audit(1112809767.410:0): avc:  denied  { create } for  pid=7363
>exe=/usr/sbin/hald scontext=root:system_r:hald_t
>tcontext=root:system_r:hald_t tclass=netlink_socket
>
>...and the console is flooded with those:
>
>audit(1112809741.307:0): avc:  denied  { read } for  pid=2525
>exe=/usr/sbin/hald scontext=system_u:system_r:hald_t
>tcontext=system_u:system_r:hald_t tclass=netlink_socket
>
>Was this removed because of the kobject_uevent rule below it?
>I can't remember if that rule was there to begin with, or if it 
>was put in to address what I was debugging w/ Protocol 15 (?) being
>denied. 
>
>  
>
My understanding was that

 netlink_kobject_uevent_socket was added so that we would not need the netlink_socket rule.

Either I am wrong or you might need an updated kernel.

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Ivan Gyurdiev]

> My understanding was that
> 
>  netlink_kobject_uevent_socket was added so that we would not need the netlink_socket rule.
> 
> Either I am wrong or you might need an updated kernel.

Ok, I wasn't sure about that, since I didn't see when it was added.
Which kernel do I need? I am running 2.6.11-1.1226_FC4.

Strace still shows protocol 15... same behavior as previously reported.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Ivan Gyurdiev]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]


> BTW have you done anything with dmidecode?

Now attached - small domain for dmidecode that allows
it to read /dev/mem and gives it rawio privileges.

Patch for hal to transition to this domain, 
as well as bringing back the netlink rule for backwards compatibility.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University

[-- Attachment #2: hal_dmidecode.diff --]
[-- Type: text/x-patch, Size: 1350 bytes --]

diff -aru policy.old/domains/program/hald.te policy/domains/program/hald.te
--- policy.old/domains/program/hald.te	2005-04-06 17:23:59.000000000 -0400
+++ policy/domains/program/hald.te	2005-04-06 17:30:22.000000000 -0400
@@ -29,8 +29,11 @@
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t usr_t:file { getattr read };
-
 allow hald_t bin_t:file getattr;
+
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
@@ -77,17 +80,14 @@
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
 
-
-# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
 ifdef(`apmd.te', `
 allow hald_t apmd_var_run_t:sock_file write;
 allow hald_t apmd_t:unix_stream_socket connectto;
 ')
 
-# For /usr/sbin/dmidecode
-# Violates assertion
-#allow hald_t memory_device_t:chr_file read;
-allow hald_t self:capability sys_rawio;
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
 
 # ??
 ifdef(`lvm.te', `

[-- Attachment #3: dmidecode.fc --]
[-- Type: text/plain, Size: 193 bytes --]

# dmidecode 
/usr/sbin/dmidecode	--	   	system_u:object_r:dmidecode_exec_t
/usr/sbin/ownership	--		system_u:object_r:dmidecode_exec_t
/usr/sbin/vpddecode	--		system_u:object_r:dmidecode_exec_t

[-- Attachment #4: dmidecode.te --]
[-- Type: text/plain, Size: 572 bytes --]

#DESC dmidecode - decodes DMI data for x86/ia64 bioses 
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#

type dmidecode_t, domain, privmem;
type dmidecode_exec_t, file_type, exec_type, sysadmfile;

# Allow execution by the sysadm
role sysadm_r types dmidecode_t;
role system_r types dmidecode_t;
domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)

uses_shlib(dmidecode_t)

# Allow terminal access
access_terminal(dmidecode_t, sysadm)

# Allow dmidecode to read /dev/mem
allow dmidecode_t memory_device_t:chr_file read;

allow dmidecode_t self:capability sys_rawio;

Re: More patches

[James Carter]

Merged.

On Wed, 2005-04-06 at 17:39 -0400, Ivan Gyurdiev wrote:
> > BTW have you done anything with dmidecode?
> 
> Now attached - small domain for dmidecode that allows
> it to read /dev/mem and gives it rawio privileges.
> 
> Patch for hal to transition to this domain, 
> as well as bringing back the netlink rule for backwards compatibility.
> 
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[James Carter]

On Wed, 2005-04-06 at 14:48 -0400, Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
> 
> >> allow hald_t bin_t:file getattr;
> >>-allow hald_t self:netlink_socket create_socket_perms;
> >> allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
> >> allow hald_t self:netlink_route_socket r_netlink_socket_perms;
> >> allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
> >>    
> >>
> >

Steve had suggested to me to leave that line in for now for
compatibility with older kernels.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Stephen Smalley]

On Wed, 2005-04-06 at 14:48 -0400, Daniel J Walsh wrote:
> My understanding was that
> 
>  netlink_kobject_uevent_socket was added so that we would not need the netlink_socket rule.
> 
> Either I am wrong or you might need an updated kernel.

Ultimately, we can phase out the old rule, but we need to wait until the
kernel change makes its way into the Fedora kernels.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[James Carter]

Merged.

On Wed, 2005-04-06 at 08:36 -0400, Daniel J Walsh wrote:
> Fixed the patches, so they will build.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

some policy patches

[Tom]

[-- Attachment #1: Type: text/plain, Size: 1475 bytes --]

I have attached three diff files for policy changes. These are against
Russell's default policy, though from the file comments at least one
(xdm) is unchanged from the upstream tree.

xdm.diff contains updates to the xdm, xserver and xfs domains. Together
with my patched wdm I can boot into a graphical login and work in X,
all in enforcing mode. Accomplishing this made me very happy. :)

apm.diff contains minor updates so that acpid works (they are very
similiar in requirements, and you don't usually have both running
anyway, so a shared domain for apmd and acpid should be ok).

games.diff enables what I believe to be better games support. I have a
notebook with SELinux now and during long train trips I might want to
get some entertainment. The major change is that I have added support
for the data games want to store in the user's home directory and
updated the file context definitions (I don't want Quake3, which has
known remote holes, to be able to write to the users home dir any more
than absolutely necessary).
Using this policy, I can play Majesty in enforcing mode. I've also
tried Uplink, but it's ugly, ugly (patches itself while running. No,
I'm not joking).

Anyway - here they are. Comments welcome. If you merge them, please
drop me a short note so I can update my webpage.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

[-- Attachment #2: xdm.diff --]
[-- Type: text/plain, Size: 7121 bytes --]

diff -ru default/domains/program/xdm.te current/domains/program/xdm.te
--- default/domains/program/xdm.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xdm.te	2003-05-24 13:08:34.000000000 +0200
@@ -3,7 +3,7 @@
 # Authors:  Mark Westerman mark.westerman@westcam.com
 # 
 # Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
-#
+# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
 
 #################################
 # 
@@ -11,19 +11,29 @@
 #
 # xdm_t is the domain of a X Display Manager process 
 # spawned by getty.
-# xdm_exec_t is the type of the [xgk]dm program
+# xdm_exec_t is the type of the [xgkw]dm program
 #
 daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')
 
 # for running xdm from init
 domain_auto_trans(init_t, xdm_exec_t, xdm_t)
 
+# for xdmctl
+allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
+
 tmp_domain(xdm)
 var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
+# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# handle of a file inside the dir!!!
+# Added write access, not sure if it is required (Tom)
+allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 type xsession_exec_t, file_type, sysadmfile, exec_type;
+type etc_xdm_t, file_type, sysadmfile;
+
+# xdm_xserver_t needs to inherit the init file descriptors
+allow xdm_xserver_t initrc_t:fd { use };
+allow xdm_xserver_t initrc_t:fifo_file { read write };
 
 allow xdm_t default_context_t:file { read getattr };
 
@@ -35,13 +45,23 @@
 # for reboot
 allow xdm_t initctl_t:fifo_file write;
 
+# init script wants to check if it needs to update windowmanagerlist
+allow initrc_t etc_xdm_t:file { read };
+
 #
 # Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_rawio };
+
+# Use shared memory (with itself)
+allow xdm_t xdm_t:shm { create destroy read unix_read unix_write write };
 
 # Use /dev/mem.
 # Commented out by default.
 #allow xdm_t memory_device_t:chr_file { execute read write };
+# wdm just asks for read access
+allow xdm_t memory_device_t:chr_file { read };
+# but xdm_xserver wants to write, too
+allow xdm_xserver_t memory_device_t:chr_file { read write };
 
 allow xdm_t random_device_t:chr_file { getattr read };
 
@@ -67,7 +87,6 @@
 
 # Access xdm log files.
 file_type_auto_trans(xdm_t, var_log_t, xserver_var_log_t)
-
 allow xdm_t xserver_var_log_t:file create_file_perms;
 
 allow userdomain xdm_xserver_t:unix_stream_socket connectto;
@@ -88,7 +107,7 @@
 allow xdm_t lastlog_t:file rw_file_perms;
 
 # Ask the security server for SIDs for user sessions.
-allow xdm_t security_t:security { get_user_sids context_to_sid };
+allow xdm_t security_t:security { get_user_sids context_to_sid sid_to_context };
 
 # Access the shared memory pseudo file system.
 # Should really define a derived type for this.
@@ -111,6 +130,11 @@
 allow xdm_t etc_t:lnk_file read;
 allow xdm_t etc_runtime_t:file { getattr read };
 
+# wdm has its own config dir /etc/X11/wdm
+file_type_auto_trans(xdm_t, etc_t, etc_xdm_t);
+allow xdm_t etc_xdm_t:file create_file_perms;
+allow xdm_t etc_xdm_t:dir rw_file_perms;
+
 # Signal any user domain.
 allow xdm_t userdomain:process signal_perms;
 
@@ -143,10 +167,23 @@
 dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
 
 # Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_var_log_t:file append;
+dontaudit unpriv_userdomain xserver_var_log_t:file { write append };
+
 
 # Access sound device.
 allow xdm_t sound_device_t:chr_file { setattr getattr };
 
 # Run the X server in a derived domain.
 xserver_domain(xdm)
+
+
+#
+# When the user session comes up, it checks the wdm config dir
+# and the authfiles in /var/lib/wdm/authdir/authfiles/
+allow user_t etc_xdm_t:dir { search };
+allow user_t xdm_exec_t:file { entrypoint };
+allow user_t xdm_var_lib_t:file { read write };
+
+# Also, it inherits an fd
+allow xdm_xserver_t user_t:fd { use };
+
diff -ru default/domains/program/xfs.te current/domains/program/xfs.te
--- default/domains/program/xfs.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xfs.te	2003-05-24 10:46:46.000000000 +0200
@@ -13,7 +13,15 @@
 #
 daemon_domain(xfs)
 
-tmp_domain(xfs)
+# tmp_domain(xfs)
+# for /tmp/.font-unix/fs7100
+type xfs_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
+
+allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
+allow xfs_t proc_t:file { getattr read };
+
+allow xfs_t self:process setpgid;
 
 # Use capabilities.
 allow xfs_t xfs_t:capability { setgid setuid };
@@ -21,3 +29,5 @@
 # Bind to /tmp/.font-unix/fs-1.
 allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
 
+allow xfs_t tmp_t:dir { search };
+
diff -ru default/domains/program/xserver.te current/domains/program/xserver.te
--- default/domains/program/xserver.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/xserver.te	2003-05-24 11:04:36.000000000 +0200
@@ -34,3 +34,7 @@
 # Everything else is in the xserver_domain macro in
 # macros/program/xserver_macros.te.
 
+# XFree86-4 wants to check if kernel is tainted
+allow xdm_xserver_t sysctl_kernel_t:dir { search };
+allow xdm_xserver_t sysctl_kernel_t:file { getattr read };
+allow xdm_xserver_t sysctl_t:dir { search };
diff -ru default/file_contexts/program/xdm.fc current/file_contexts/program/xdm.fc
--- default/file_contexts/program/xdm.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/xdm.fc	2003-05-24 11:32:37.000000000 +0200
@@ -1,11 +1,19 @@
 # X Display Manager
-/usr/bin/[xgk]dm                system_u:object_r:xdm_exec_t
+/usr/bin/[xgkw]dm               system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/[xgkw]dm         system_u:object_r:xdm_exec_t
+/usr/X11R6/bin/wdmLogin         system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm                 system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)?              system_u:object_r:xserver_var_log_t
-/usr/var/[xgk]dm(/.*)?          system_u:object_r:xserver_var_log_t
-/var/log/kdm\.log		system_u:object_r:xserver_var_log_t
+/usr/sbin/update_wdm_wmlist     system_u:object_r:xdm_exec_t
+/var/[xgkw]dm(/.*)?             system_u:object_r:xserver_var_log_t
+/usr/var/[xgkw]dm(/.*)?         system_u:object_r:xserver_var_log_t
+/var/log/[xgkw]dm\.log		system_u:object_r:xserver_var_log_t
 /tmp/\.X11-unix(/.*)?		system_u:object_r:initrc_xserver_tmp_t
 /tmp/\.X0-lock			system_u:object_r:xdm_tmp_t
 /etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
+/etc/X11/wdm(/.*)?		system_u:object_r:etc_xdm_t
+/etc/X11/wdm/Xsetup(_0)?	system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xstartup(_0)?	system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xreset(_0)?	system_u:object_r:xdm_exec_t
+/etc/X11/wdm/Xsession		system_u:object_r:xdm_exec_t
 /var/run/xdmctl			system_u:object_r:xdm_var_run_t
 /var/lib/kdm(/.*)?		system_u:object_r:xdm_var_lib_t

[-- Attachment #3: apm.diff --]
[-- Type: text/plain, Size: 1053 bytes --]

diff -ru default/domains/program/apmd.te current/domains/program/apmd.te
--- default/domains/program/apmd.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/apmd.te	2003-05-24 11:44:40.000000000 +0200
@@ -34,6 +34,12 @@
 allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
 allow apmd_t etc_t:lnk_file read;
 
+# acpid wants a socket
+allow apmd_t var_run_t:sock_file create_file_perms;
+
+# acpid also has a logfile
+log_domain(apmd)
+
 # for id
 allow apmd_t security_t:security sid_to_context;
 
diff -ru default/file_contexts/program/apmd.fc current/file_contexts/program/apmd.fc
--- default/file_contexts/program/apmd.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/apmd.fc	2003-05-24 11:38:46.000000000 +0200
@@ -1,4 +1,7 @@
 # apmd
 /usr/sbin/apmd			system_u:object_r:apmd_exec_t
+/usr/sbin/acpid			system_u:object_r:apmd_exec_t
 /usr/bin/apm			system_u:object_r:apm_exec_t
 /var/run/apmd\.pid		system_u:object_r:apmd_var_run_t
+/var/run/.acpid.socket		system_u:object_r:apmd_var_run_t
+

[-- Attachment #4: games.diff --]
[-- Type: text/plain, Size: 3207 bytes --]

diff -ru default/domains/program/games.te current/domains/program/games.te
--- default/domains/program/games.te	2003-05-15 05:22:15.000000000 +0200
+++ current/domains/program/games.te	2003-05-24 13:32:04.000000000 +0200
@@ -2,6 +2,8 @@
 #
 # Author:  Russell Coker <russell@coker.com.au>
 #
+#          Changes by Tom Vogt <tom@lemuria.org>
+#
 
 # type for shared data from games
 type games_data_t, file_type, sysadmfile;
@@ -14,3 +16,28 @@
 
 # Everything else is in the x_client_domain macro in
 # macros/program/x_client_macros.te.
+
+# games_t also used for games installed on the system, run by the user,
+# so holes in them won't compromise the user session
+allow user_t games_data_t:file r_file_perms;
+allow user_t games_data_t:dir r_dir_perms;
+
+# Game data stored in user home dirs
+type games_usrdata_t, file_type, sysadmfile;
+allow user_games_t user_home_t:dir { search };
+file_type_auto_trans(user_games_t, user_home_t, games_usrdata_t);
+#
+# Allow users to read and write these files
+# If we want to prevent cheating, we could take away the write
+# permissions. :)
+allow user_t games_usrdata_t:file create_file_perms;
+allow user_t games_usrdata_t:dir create_dir_perms;
+
+# Various access attempts to devices. Many games work just fine without,
+# but if yours doesn't, try to comment these out and look for which ones
+# it needs:
+dontaudit user_games_t device_t:chr_file { getattr };
+dontaudit user_games_t fixed_disk_device_t:blk_file { getattr };
+dontaudit user_games_t removable_device_t:blk_file { getattr };
+dontaudit user_games_t removable_device_t:lnk_file { read };
+
diff -ru default/file_contexts/program/games.fc current/file_contexts/program/games.fc
--- default/file_contexts/program/games.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/program/games.fc	2003-05-24 13:32:12.000000000 +0200
@@ -1,5 +1,15 @@
-#  netscape/mozilla
-/usr/games/.*		system_u:object_r:games_exec_t
+#  games installed on the system
+# Most games installed in /usr/local/games don't follow FHS conventions and
+# drop the binaries in with the data - therefore, you must relabel the
+# binaries to system_u:object_r:games_exec_t manually!
+/usr/games(/.*)?	system_u:object_r:games_data_t
+/usr/local/games(/.*)?	system_u:object_r:games_data_t
 /usr/lib/games/.* --	system_u:object_r:games_exec_t
 /var/games(/.*)?	system_u:object_r:games_data_t
 /usr/bin/micq		system_u:object_r:games_exec_t
+#
+# Some examples
+# Majesty (Fantasy RTS)
+/usr/local/games/majesty/majesty		system_u:object_r:games_exec_t
+/usr/local/games/majesty/majx			system_u:object_r:games_exec_t
+/usr/local/games/majesty/netmodules/libtcp_ip.so	system_u:object_r:games_exec_t
diff -ru default/file_contexts/types.fc current/file_contexts/types.fc
--- default/file_contexts/types.fc	2003-05-15 05:22:15.000000000 +0200
+++ current/file_contexts/types.fc	2003-05-24 12:46:13.000000000 +0200
@@ -229,7 +229,7 @@
 /usr/lib/gconv/.*\.so		system_u:object_r:shlib_t
 /usr/share/guile/g-wrapped/.*\.so system_u:object_r:shlib_t
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
-/usr/games(/.*)?		system_u:object_r:bin_t
+#/usr/games(/.*)?		system_u:object_r:bin_t
 
 #
 # /usr/.*glibc.*-linux/lib

Re: some policy patches

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 3007 bytes --]

On Sun, 25 May 2003 02:07, Tom wrote:
> I have attached three diff files for policy changes. These are against
> Russell's default policy, though from the file comments at least one
> (xdm) is unchanged from the upstream tree.
>
> xdm.diff contains updates to the xdm, xserver and xfs domains. Together
> with my patched wdm I can boot into a graphical login and work in X,
> all in enforcing mode. Accomplishing this made me very happy. :)

> # Added write access, not sure if it is required (Tom)
> allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };

Write access should not be required.  xdm should create the file and the 
xserver should just read from it.

> # xdm_xserver_t needs to inherit the init file descriptors
> allow xdm_xserver_t initrc_t:fd { use };
> allow xdm_xserver_t initrc_t:fifo_file { read write };

What happens when you put in a dontaudit rule for the file handle inheritance 
instead?

I suspect that wdm is just buggy and fails to correctly set the file handle to 
close-on-exec.

> -allow xdm_t self:capability { setgid setuid sys_resource kill };
> +allow xdm_t self:capability { setgid setuid sys_resource kill sys_rawio };

There's no good reason for it to need this.  What happens if you put in a 
dontaudit rule for sys_rawio?

> # wdm just asks for read access
> allow xdm_t memory_device_t:chr_file { read };

Bad.  XDM is not something that you want to allow reading all kernel memory.  
It should use /dev/random instead if you block /dev/mem.

> +# but xdm_xserver wants to write, too
> +allow xdm_xserver_t memory_device_t:chr_file { read write };

That is only if you are not using the frame-buffer.  See the below snippet 
from macros/program/xserver_macros.te (which is where you want to do this if 
you want to support "startx" as well as an xdm).

# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;
#allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };

> +allow user_t xdm_exec_t:file { entrypoint };

This is bad in several ways.  Firstly it's probably good style to use 
domain_trans() for such things, then people who read your policy can find 
what they expect to fine.  Secondly, why is an xdm_exec_t program being used?

Finally, you should not use user_t in any policy.  unpriv_userdomain is one 
option to use.  If you start hard-coding user_t in policy then it'll be very 
painful when you want to add multiple user roles!

I have attached a modified xdm.te based on your work along with the new 
global_macros.te file it depends on.  I didn't include much of your patch, 
about half of the rest may go in but we need to determine exactly what it's 
for and put some decent comments in.

X is nasty.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: xdm.te --]
[-- Type: text/plain, Size: 5482 bytes --]

#DESC XDM - X Display Manager
#
# Authors:  Mark Westerman mark.westerman@westcam.com
#           Russell Coker <russell@coker.com.au>
#
# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
# 
# Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
#

#################################
# 
# Rules for the xdm_t domain.
#
# xdm_t is the domain of a X Display Manager process 
# spawned by getty.
# xdm_exec_t is the type of the [xgkw]dm program
#
daemon_domain(xdm, `, privuser, privrole, auth, privowner, privmem')

# for running xdm from init
domain_auto_trans(init_t, xdm_exec_t, xdm_t)

# for xdmctl
allow xdm_t xdm_var_run_t:fifo_file create_file_perms;

tmp_domain(xdm)
var_lib_domain(xdm)
# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
type xsession_exec_t, file_type, sysadmfile, exec_type;
type etc_xdm_t, file_type, sysadmfile;

allow xdm_t default_context_t:file { read getattr };

can_network(xdm_t)
allow xdm_t self:unix_stream_socket create_stream_socket_perms;
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:fifo_file rw_file_perms;

# for reboot
allow xdm_t initctl_t:fifo_file write;

# init script wants to check if it needs to update windowmanagerlist
allow initrc_t etc_xdm_t:file { getattr read };

#
# Use capabilities.
allow xdm_t self:capability { setgid setuid sys_resource kill };

# Use /dev/mem.
# Commented out by default.
#allow xdm_t memory_device_t:chr_file { execute read write };

allow xdm_t random_device_t:chr_file { getattr read };

# Transition to user domains for user sessions.
domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)

# Label pid and temporary files with derived types.
rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;

# Run helper programs.
can_exec_any(xdm_t)

# Access devices.
allow xdm_t apm_bios_t:chr_file { read write };
allow xdm_t dri_device_t:chr_file create_file_perms;
allow xdm_t dri_device_t:dir rw_dir_perms;
allow xdm_t agp_device_t:chr_file rw_file_perms;
allow xdm_t misc_device_t:chr_file { setattr getattr };
allow xdm_t psaux_t:chr_file { ioctl read write getattr };
allow xdm_t mouse_device_t:chr_file { ioctl read write getattr };
allow xdm_t tty_device_t:chr_file { ioctl read write setattr };

# Access xdm log files.
file_type_auto_trans(xdm_t, var_log_t, xserver_var_log_t)

allow xdm_t xserver_var_log_t:file create_file_perms;

allow xdm_t self:shm create_shm_perms;
allow userdomain xdm_xserver_t:unix_stream_socket connectto;
allow userdomain xdm_xserver_t:shm r_shm_perms;
allow userdomain xdm_xserver_t:fd use;
allow userdomain xdm_xserver_tmpfs_t:file read;
allow xdm_xserver_t userdomain:shm { unix_read unix_write read write };

ifdef(`gpm.te',
`# Talk to the console mouse server.
allow xdm_t gpmctl_t:sock_file { getattr setattr };')

# Update utmp and wtmp.
allow xdm_t initrc_var_run_t: file { read write lock };
allow xdm_t wtmp_t:file { append };

# Update lastlog.
allow xdm_t lastlog_t:file rw_file_perms;

# Ask the security server for SIDs for user sessions.
allow xdm_t security_t:security { get_user_sids context_to_sid sid_to_context };

# Access the shared memory pseudo file system.
# Should really define a derived type for this.
allow xdm_t tmpfs_t:file { read write };

# Need to further investigate these permissions and
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
allow xdm_t var_lib_t:file { create write unlink };
allow xdm_t var_lock_t:dir { write search add_name remove_name };
allow xdm_t var_lock_t:file { create write unlink };

# Connect to xfs.
ifdef(`xfs.te', `
allow xdm_t xfs_tmp_t:dir { search };
allow xdm_t xfs_tmp_t:sock_file { write };
can_unix_connect(xdm_t, xfs_t)')

allow xdm_t self:process { setpgid setsched };
allow xdm_t etc_t:lnk_file read;
allow xdm_t etc_runtime_t:file { getattr read };

# wdm has its own config dir /etc/X11/wdm
file_type_auto_trans(xdm_t, etc_t, etc_xdm_t, file);

# Signal any user domain.
allow xdm_t userdomain:process signal_perms;

allow xdm_t proc_t:file { getattr read };

allow xdm_t sysctl_kernel_t:dir search;
allow xdm_t sysctl_kernel_t:file read;

# Search /proc for any user domain processes.
allow xdm_t userdomain:dir r_dir_perms;
allow xdm_t userdomain:{ file lnk_file } r_file_perms;

# Allow xdm access to the user domains
allow xdm_t home_root_t:dir search;

# Do not audit denied attempts to access devices.
dontaudit xdm_t fixed_disk_device_t:blk_file rw_file_perms;
dontaudit xdm_t removable_device_t:blk_file rw_file_perms;
dontaudit xdm_t device_t:file_class_set rw_file_perms;
dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;

# Do not audit denied probes of /proc.
dontaudit xdm_t domain:dir r_dir_perms;
dontaudit xdm_t domain:{ file lnk_file } r_file_perms;

# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;

# Do not audit access to /root
dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };

# Do not audit user access to the X log files due to file handle inheritance
dontaudit unpriv_userdomain xserver_var_log_t:file { write append };

# Access sound device.
allow xdm_t sound_device_t:chr_file { setattr getattr };

# Run the X server in a derived domain.
xserver_domain(xdm)

[-- Attachment #3: global_macros.te --]
[-- Type: text/plain, Size: 26558 bytes --]

##############################
#
# Global macros for the type enforcement (TE) configuration.
#

#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# Modified: Howard Holm (NSA), <hdholm@epoch.ncsc.mil>
#           System V IPC added
#

#################################
# 
# Macros for groups of classes and 
# groups of permissions.
#

#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')

#
# All socket classes.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket }')

#
# Datagram socket classes.
# 
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')


# 
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr }')

# 
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr execute }')

# 
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')

# 
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl }')

# 
# Permissions for reading and writing files and their attributes.
#
define(`rw_file_perms', `{ ioctl read getattr lock write append }')

# 
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')

#
# Permissions for linking, unlinking and renaming files.
# 
define(`link_file_perms', `{ getattr link unlink rename }')

#
# Permissions for creating and using files.
# 
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')

# 
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')

# 
# Permissions for reading and writing directories and their attributes.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')

# 
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')


#
# Permissions for creating and using directories.
# 
define(`create_dir_perms', `{ create read getattr lock setattr link unlink rename search add_name remove_name reparent write rmdir }')

#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')

#
# Permissions for using sockets.
# 
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
# 
define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for using stream sockets.
# 
define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')

#
# Permissions for creating and using stream sockets.
# 
define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')


#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')

#################################
# 
# Macros for type transition rules and
# access vector rules.
#

#
# Simple combinations for reading and writing both
# directories and files.
# 
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

define(`rw_dir_file', `
allow $1 $2:dir rw_dir_perms;
allow $1 $2:{ file lnk_file } rw_file_perms;
')

define(`ra_dir_file', `
allow $1 $2:dir ra_dir_perms;
allow $1 $2:{ file lnk_file } ra_file_perms;
')

define(`rw_dir_create_file', `
allow $1 $2:dir rw_dir_perms;
allow $1 $2:{ file lnk_file } create_file_perms;
')

define(`create_dir_file', `
allow $1 $2:dir create_dir_perms;
allow $1 $2:{ file lnk_file } create_file_perms;
')

define(`create_dir_notdevfile', `
allow $1 $2:dir create_dir_perms;
allow $1 $2:notdevfile_class_set create_file_perms;
')

define(`create_append_log_file', `
allow $1 $2:dir { read getattr search add_name write };
allow $1 $2:file { create ioctl getattr setattr append link };
')

#################################
#
# domain_trans(parent_domain, program_type, child_domain)
#
# Permissions for transitioning to a new domain.
#

define(`domain_trans',`

#
# Allow the process to transition to the new domain.
#
allow $1 $3:process transition;

#
# Allow the process to execute the program.
# 
allow $1 $2:file x_file_perms;

#
# Allow the process to reap the new domain.
#
allow $3 $1:process sigchld;

#
# Allow the new domain to inherit and use file 
# descriptions from the creating process and vice versa.
#
allow $3 $1:fd use;
allow $1 $3:fd use;

#
# Allow the new domain to write back to the old domain via a pipe.
#
allow $3 $1:fifo_file rw_file_perms;

#
# Allow the new domain to read and execute the program.
#
allow $3 $2:file rx_file_perms;

#
# Allow the new domain to be entered via the program.
#
allow $3 $2:file entrypoint;
')

#################################
#
# domain_auto_trans(parent_domain, program_type, child_domain)
#
# Define a default domain transition and allow it.
#
define(`domain_auto_trans',`
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')

define(`domain_auto_trans_read',`
domain_auto_trans($1, $2, $3)
allow $1 $2:file read;
')

#################################
#
# uses_shlib(domain)
#
# Permissions for using shared libraries.
#
define(`uses_shlib',`
allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
allow $1 ld_so_t:file rx_file_perms;
allow $1 ld_so_t:file execute_no_trans;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 shlib_t:file rx_file_perms;
allow $1 shlib_t:lnk_file r_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;
allow $1 lib_t:{ file lnk_file } r_file_perms;
allow $1 usr_t:{ file lnk_file } r_file_perms;
allow $1 device_t:dir search;
allow $1 null_device_t:chr_file rw_file_perms;
')

#################################
#
# can_ptrace(domain, domain)
#
# Permissions for running ptrace (strace or gdb) on another domain
#
define(`can_ptrace',`
allow $1 $2:process ptrace;
')

#################################
#
# can_exec(domain, type)
#
# Permissions for executing programs with
# a specified type without changing domains.
#
define(`can_exec',`
allow $1 $2:file { rx_file_perms execute_no_trans };
')

#################################
#
# can_exec_any(domain)
#
# Permissions for executing a variety
# of executable types.
#
define(`can_exec_any',`
allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
uses_shlib($1)
can_exec($1, etc_t)
can_exec($1, lib_t)
can_exec($1, bin_t)
can_exec($1, sbin_t)
can_exec($1, exec_type)
')


#################################
#
# file_type_trans(domain, dir_type, file_type)
#
# Permissions for transitioning to a new file type.
#

define(`file_type_trans',`

#
# Allow the process to modify the directory.
#
allow $1 $2:dir rw_dir_perms;

#
# Allow the process to create the file.
#
ifelse(`$4', `', `
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
', `
ifelse(`$4', `dir', `
allow $1 $3:$4 create_dir_perms;
', `
allow $1 $3:$4 create_file_perms;
')dnl end if dir
')dnl end if param 4 specified

')

#################################
#
# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
#
# the object class will default to notdevfile_class_set if not specified as
# the fourth parameter
#
# Define a default file type transition and allow it.
#
define(`file_type_auto_trans',`
ifelse(`$4', `', `
file_type_trans($1,$2,$3)
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
', `
file_type_trans($1,$2,$3,$4)
type_transition $1 $2:$4 $3;
')

')

#################################
#
# can_network(domain)
#
# Permissions for accessing the network.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network',`
#
# Allow the domain to create and use UDP and TCP sockets.
# Other kinds of sockets must be separately authorized for use.
allow $1 self:udp_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;

#
# Allow the domain to send UDP packets.
# Since the destination sockets type is unknown, the generic
# any_socket_t type is used as a placeholder.
#
allow $1 any_socket_t:udp_socket sendto;

#
# Allow the domain to send using any network interface.
# netif_type is a type attribute for all network interface types.
#
allow $1 netif_type:netif { tcp_send udp_send rawip_send };

#
# Allow packets sent by the domain to be received on any network interface.
#
allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };

#
# Allow the domain to receive packets from any network interface.
# netmsg_type is a type attribute for all default message types.
#
allow $1 netmsg_type:{ udp_socket tcp_socket rawip_socket } recvfrom;

#
# Allow the domain to initiate or accept TCP connections 
# on any network interface.
#
allow $1 netmsg_type:tcp_socket { connectto acceptfrom };

#
# Receive resets from the TCP reset socket.
# The TCP reset socket is labeled with the tcp_socket_t type.
#
allow $1 tcp_socket_t:tcp_socket recvfrom;

dontaudit $1 tcp_socket_t:tcp_socket connectto;

#
# Allow the domain to send to any node.
# node_type is a type attribute for all node types.
#
allow $1 node_type:node { tcp_send udp_send rawip_send };

#
# Allow packets sent by the domain to be received from any node.
#
allow $1 node_type:node { tcp_recv udp_recv rawip_recv };

#
# Allow the domain to send NFS client requests via the socket
# created by mount.
#
allow $1 mount_t:udp_socket rw_socket_perms;

#
# Bind to the default port type.
# Other port types must be separately authorized.
#
allow $1 port_t:udp_socket name_bind;
allow $1 port_t:tcp_socket name_bind;
')

#################################
#
# can_unix_connect(client, server)
#
# Permissions for establishing a Unix stream connection.
#
define(`can_unix_connect',`
allow $1 $2:unix_stream_socket connectto;
')

#################################
#
# can_unix_send(sender, receiver)
#
# Permissions for sending Unix datagrams.
#
define(`can_unix_send',`
allow $1 $2:unix_dgram_socket sendto;
')

#################################
#
# can_tcp_connect(client, server)
#
# Permissions for establishing a TCP connection.
#
define(`can_tcp_connect',`
allow $1 $2:tcp_socket { connectto recvfrom };
allow $2 $1:tcp_socket { acceptfrom recvfrom };
allow $2 tcp_socket_t:tcp_socket { recvfrom };
allow $1 tcp_socket_t:tcp_socket { recvfrom };
')

#################################
#
# can_udp_send(sender, receiver)
#
# Permissions for sending/receiving UDP datagrams.
#
define(`can_udp_send',`
allow $1 $2:udp_socket { sendto };
allow $2 $1:udp_socket { recvfrom };
')

#################################
#
# can_sysctl(domain)
#
# Permissions for modifying sysctl parameters.
#
define(`can_sysctl',`
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_t:file { setattr rw_file_perms };
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file { setattr rw_file_perms };
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file { setattr rw_file_perms };
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_net_t:file { setattr rw_file_perms };
allow $1 sysctl_net_unix_t:dir r_dir_perms;
allow $1 sysctl_net_unix_t:file { setattr rw_file_perms };
allow $1 sysctl_vm_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file { setattr rw_file_perms };
allow $1 sysctl_dev_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file { setattr rw_file_perms };
allow $1 sysctl_modprobe_t:file { setattr rw_file_perms };
')


##################################
#
# base_pty_perms(domain_prefix)
#
# Base permissions used for can_create_pty() and can_create_other_pty()
#
define(`base_pty_perms', `
# Access the pty master multiplexer.
allow $1_t ptmx_t:chr_file rw_file_perms;

ifdef(`devfsd.te', `
allow $1_t device_t:filesystem getattr;
')
allow $1_t devpts_t:filesystem getattr;

# allow searching /dev/pts
allow $1_t devpts_t:dir { getattr read search };
')

##################################
#
# can_create_pty(domain_prefix, attributes)
#
# Permissions for creating ptys.
#
define(`can_create_pty',`
base_pty_perms($1)
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;

# Allow the pty to be associated with the file system.
allow $1_devpts_t devpts_t:filesystem associate;

# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $1_devpts_t;

# Read and write my pty files.
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
')


##################################
#
# can_create_other_pty(domain_prefix,other_domain)
#
# Permissions for creating ptys for another domain.
#
define(`can_create_other_pty',`
base_pty_perms($1)
# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $2_devpts_t;

# Read and write pty files.
allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
')



################################################
#
# The following macros are an attempt to start
# partitioning every_domain into finer-grained subsets
# that can be used by individual domains.
#

#
# general_domain_access(domain)
#
# Grant permissions within the domain.
# This includes permissions to processes, /proc/PID files,
# file descriptors, pipes, Unix sockets, and System V IPC objects
# labeled with the domain.
#
define(`general_domain_access',`
# Access other processes in the same domain.
allow $1 self:process *;

# Access /proc/PID files for processes in the same domain.
allow $1 self:dir r_dir_perms;
allow $1 self:notdevfile_class_set r_file_perms;

# Access file descriptions, pipes, and sockets
# created by processes in the same domain.
allow $1 self:fd *;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;

# Allow the domain to communicate with other processes in the same domain.
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;

# Access System V IPC objects created by processes in the same domain.
allow $1 self:sem  create_sem_perms;
allow $1 self:msg  { send receive };
allow $1 self:msgq create_msgq_perms;
allow $1 self:shm  create_shm_perms;
')

#
# general_proc_read_access(domain)
#
# Grant read/search permissions to most of /proc, excluding
# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
# The general_domain_access macro grants access to the domain /proc/PID
# directories, but not to other domains.  Only permissions to stat
# are granted for /proc/kmsg and /proc/kcore, since these files are more
# sensitive.
# 
define(`general_proc_read_access',`
# Read system information files in /proc.
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_t:notdevfile_class_set r_file_perms;

# Stat /proc/kmsg and /proc/kcore.
allow $1 proc_kmsg_t:file stat_file_perms;
allow $1 proc_kcore_t:file stat_file_perms;

# Read system variables in /proc/sys.
allow $1 sysctl_modprobe_t:file r_file_perms;
allow $1 sysctl_t:file r_file_perms;
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_fs_t:file r_file_perms;
allow $1 sysctl_fs_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file r_file_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_net_t:file r_file_perms;
allow $1 sysctl_net_t:dir r_dir_perms;
allow $1 sysctl_vm_t:file r_file_perms;
allow $1 sysctl_vm_t:dir r_dir_perms;
allow $1 sysctl_dev_t:file r_file_perms;
allow $1 sysctl_dev_t:dir r_dir_perms;
')

#
# base_file_read_access(domain)
#
# Grant read/search permissions to a few system file types.
#
define(`base_file_read_access',`
# Read /.
allow $1 root_t:dir r_dir_perms;
allow $1 root_t:notdevfile_class_set r_file_perms;

# Read /home.
allow $1 home_root_t:dir r_dir_perms;

# Read /usr.
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:notdevfile_class_set r_file_perms;

# Read bin and sbin directories.
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:notdevfile_class_set r_file_perms;
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:notdevfile_class_set r_file_perms;
')

#
# general_file_read_access(domain)
#
# Grant read/search permissions to many system file types.
#
define(`general_file_read_access',`
errprint(`m4: '__file__:__line__: `Warning:  general_file_read_access is deprecated.
')
# Get attributes of file systems.
allow $1 fs_type:filesystem getattr;

base_file_read_access($1)

# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow $1 readable_t:dir r_dir_perms;
allow $1 readable_t:notdevfile_class_set r_file_perms;

# Stat /...security and lost+found.
allow $1 file_labels_t:dir getattr;
allow $1 lost_found_t:dir getattr;

# Read the devpts root directory.  
allow $1 devpts_t:dir r_dir_perms;
ifdef(`sshd.te',
`allow $1 sshd_devpts_t:dir r_dir_perms;')

# Read the /tmp directory and any /tmp files with the base type.
# Temporary files created at runtime will typically use derived types.
allow $1 tmp_t:dir r_dir_perms;
allow $1 tmp_t:{ file lnk_file } r_file_perms;

# Read /var.
allow $1 var_t:dir r_dir_perms;
allow $1 var_t:notdevfile_class_set r_file_perms;

# Read /var/catman.
allow $1 catman_t:dir r_dir_perms;
allow $1 catman_t:{ file lnk_file } r_file_perms;

# Read /var/lib.
allow $1 var_lib_t:dir r_dir_perms;
allow $1 var_lib_t:notdevfile_class_set r_file_perms;
allow $1 var_lib_nfs_t:dir r_dir_perms;
allow $1 var_lib_nfs_t:notdevfile_class_set r_file_perms;
ifdef(`rpm.te',
`allow $1 var_lib_rpm_t:dir r_dir_perms;
allow $1 var_lib_rpm_t:{ file lnk_file} r_file_perms;')
r_dir_file($1, tetex_data_t)

# Read /var/yp.
allow $1 var_yp_t:dir r_dir_perms;
allow $1 var_yp_t:notdevfile_class_set r_file_perms;

# Read /var/spool.
allow $1 var_spool_t:dir r_dir_perms;
allow $1 var_spool_t:notdevfile_class_set r_file_perms;

# Read /var/run, /var/lock, /var/log.
allow $1 var_run_t:dir r_dir_perms;
allow $1 var_run_t:{ file lnk_file } r_file_perms;
allow $1 var_log_t:dir r_dir_perms;
#allow $1 var_log_t:{ file lnk_file } r_file_perms;
allow $1 var_log_sa_t:dir r_dir_perms;
allow $1 var_log_sa_t:{ file lnk_file } r_file_perms;
allow $1 var_log_ksyms_t:{ file lnk_file } r_file_perms;
ifdef(`rpm.te', `allow $1 var_log_rpm_t:{ file lnk_file } r_file_perms;')
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:{ file lnk_file } r_file_perms;

# Read /var/run/utmp and /var/log/wtmp.
allow $1 initrc_var_run_t:file r_file_perms;
allow $1 wtmp_t:file r_file_perms;

# Read /boot, /boot/System.map*, and /vmlinuz*
allow $1 boot_t:dir { search getattr };
allow $1 boot_t:file getattr;
allow $1 system_map_t:{ file lnk_file } r_file_perms;
ifdef(`rpm.te', `
allow $1 boot_runtime_t:{ file lnk_file } r_file_perms;
')
allow $1 boot_t:lnk_file read;

# Read /etc.
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_t:notdevfile_class_set r_file_perms;
allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
allow $1 etc_aliases_t:{ file lnk_file } r_file_perms;
allow $1 etc_mail_t:dir r_dir_perms;
allow $1 etc_mail_t:{ file lnk_file } r_file_perms;
allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;

# Read /lib.
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:notdevfile_class_set r_file_perms;

# Read the linker, shared library, and executable types.
allow $1 ld_so_t:{ file lnk_file } r_file_perms;
allow $1 shlib_t:{ file lnk_file } r_file_perms;
allow $1 exec_type:{ file lnk_file } r_file_perms;

# Read man directories and files.
allow $1 man_t:dir r_dir_perms;
allow $1 man_t:notdevfile_class_set r_file_perms;

# Read /usr/src.
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:notdevfile_class_set r_file_perms;

# Read module-related files.
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:{ file lnk_file } r_file_perms;
allow $1 modules_dep_t:{ file lnk_file } r_file_perms;
allow $1 modules_conf_t:{ file lnk_file} r_file_perms;

# Read /dev directories and any symbolic links.
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file r_file_perms;

# Read /dev/random and /dev/zero.
allow $1 random_device_t:chr_file r_file_perms;
allow $1 zero_device_t:chr_file r_file_perms;

# Read the root directory of a tmpfs filesytem and any symbolic links.
allow $1 tmpfs_t:dir r_dir_perms;
allow $1 tmpfs_t:lnk_file r_file_perms;

# Read any symbolic links on a devfs file system.
allow $1 device_t:lnk_file r_file_perms;

# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files.  Permit stating of the
# device nodes, but nothing else.
allow $1 usbdevfs_t:dir r_dir_perms;
allow $1 usbdevfs_t:{ file lnk_file } r_file_perms;
allow $1 usbdevfs_device_t:file getattr;
')

#######################
# daemon_base_domain(domain_prefix, attribs)
#
# Define a daemon domain with a base set of type declarations
# and permissions that are common to most daemons.
# attribs is the list of attributes which must start with `,' if it is not empty
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`daemon_base_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;

role system_r types $1_t;

domain_auto_trans(initrc_t, $1_exec_t, $1_t)

# Inherit and use descriptors from init.
allow $1_t init_t:fd use;
allow $1_t init_t:process sigchld;
allow $1_t privfd:fd use;
ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
allow $1_t self:process { signal_perms fork };

uses_shlib($1_t)

allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;

allow $1_t device_t:dir { getattr search };
allow $1_t null_device_t:chr_file rw_file_perms;
allow $1_t console_device_t:chr_file rw_file_perms;
allow $1_t initrc_devpts_t:chr_file rw_file_perms;
')dnl

# allow a domain to create its own files under /var/run and to create files
# in directories that are created for it.  For sock_file etc you need to add
# your own rules
define(`var_run_domain', `
type $1_var_run_t alias var_run_$1_t, file_type, sysadmfile, pidfile;
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
allow $1_t $1_var_run_t:dir rw_dir_perms;
')

define(`daemon_domain', `
daemon_base_domain($1, `$2')
# Create pid file.
allow $1_t var_t:dir { getattr search };
var_run_domain($1)

allow $1_t devtty_t:chr_file rw_file_perms;

# for daemons that look at /root on startup
dontaudit $1_t sysadm_home_dir_t:dir search;

# for df
allow $1_t fs_type:filesystem getattr;

r_dir_file($1_t, locale_t)
')dnl

define(`uses_authbind',
`domain_auto_trans_read($1, authbind_exec_t, authbind_t)
allow authbind_t $1:process sigchld;
allow authbind_t $1:fd use;
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
')

# define a sub-domain, $1_t is the parent domain, $2 is the name
# of the sub-domain.
#
define(`daemon_sub_domain', `
# $1 is the parent domain (or domains), $2_t is the child domain,
# and $3 is any attributes to apply to the child
type $2_t, domain, privlog $3;
type $2_exec_t, file_type, sysadmfile, exec_type;

role system_r types $2_t;

domain_auto_trans($1, $2_exec_t, $2_t)

# Inherit and use descriptors from parent.
allow $2_t $1:fd use;
allow $2_t $1:process sigchld;

allow $2_t self:process signal_perms;

uses_shlib($2_t)

allow $2_t { self proc_t }:dir r_dir_perms;
allow $2_t { self proc_t }:lnk_file read;

allow $2_t device_t:dir getattr;
')


define(`tmp_domain', `
type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
file_type_auto_trans($1_t, tmp_t, $1_tmp_t)
')

define(`tmpfs_domain', `
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
# Use this type when creating tmpfs/shm objects.
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
allow $1_tmpfs_t tmpfs_t:filesystem associate;
')

define(`var_lib_domain', `
type $1_var_lib_t, file_type, sysadmfile;
file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t)
')

define(`log_domain', `
type $1_log_t, file_type, sysadmfile, logfile;
file_type_auto_trans($1_t, var_log_t, $1_log_t)
')

define(`lock_domain', `
type $1_lock_t, file_type, sysadmfile, lockfile;
file_type_auto_trans($1_t, var_lock_t, $1_lock_t)
')

#######################
# application_domain(domain_prefix)
#
# Define a domain with a base set of type declarations
# and permissions that are common to simple applications.
#
# Author:  Russell Coker <russell@coker.com.au>
#
define(`application_domain', `
type $1_t, domain, privlog;
type $1_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types $1_t;
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
uses_shlib($1_t)
')

define(`user_application_domain', `
application_domain($1)
in_user_role($1_t)
domain_auto_trans(userdomain, $1_exec_t, $1_t)
')

define(`system_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
role system_r types $1_t;
uses_shlib($1_t)
allow $1_t etc_t:dir r_dir_perms;
')

Re: some policy patches

[Tom]

On Sun, May 25, 2003 at 03:55:11AM +1000, Russell Coker wrote:
> > # Added write access, not sure if it is required (Tom)
> > allow xdm_xserver_t xdm_var_lib_t:file { getattr read write };
> 
> Write access should not be required.  xdm should create the file and the 
> xserver should just read from it.

Thanks for this and other comments. I will investigate them and post a
cleaned-up version. I also notice that I should probably use userdomain
instead of user_t in many places.


> > # wdm just asks for read access
> > allow xdm_t memory_device_t:chr_file { read };
> 
> Bad.  XDM is not something that you want to allow reading all kernel memory.  
> It should use /dev/random instead if you block /dev/mem.

It actually accesses /dev/mem, not /dev/kmem. Shouldn't /dev/kmem have
its own type?


> > +# but xdm_xserver wants to write, too
> > +allow xdm_xserver_t memory_device_t:chr_file { read write };
> 
> That is only if you are not using the frame-buffer.  See the below snippet 
> from macros/program/xserver_macros.te (which is where you want to do this if 
> you want to support "startx" as well as an xdm).

The framebuffer support for sis chipsets is, to put it friendly,
slightly buggy. I have not yet found a way to use it in any reasonable
way on this machine. (it works, but it's not useable)


> > +allow user_t xdm_exec_t:file { entrypoint };
> 
> This is bad in several ways.  Firstly it's probably good style to use 
> domain_trans() for such things, then people who read your policy can find 
> what they expect to fine.  Secondly, why is an xdm_exec_t program being used?

wdm has several startup files in /etc/X11/wdm/ - I've labelled them
xdm_exec_t. Should they get their own type? They are, for all I can
see, executed after the domain transition has taken place.


> Finally, you should not use user_t in any policy.  unpriv_userdomain is one 
> option to use.  If you start hard-coding user_t in policy then it'll be very 
> painful when you want to add multiple user roles!

Yes, I noticed. I will fix this.



> I have attached a modified xdm.te based on your work along with the new 
> global_macros.te file it depends on.  I didn't include much of your patch, 
> about half of the rest may go in but we need to determine exactly what it's 
> for and put some decent comments in.
> 
> X is nasty.

Absolutely. My goal was to get a working policy and a working graphical
login. I've done that.
Many people on this list know more about policy details, X and kernel 
internals than I do, so I treasure all corrections.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: some policy patches

[Russell Coker]

On Sun, 25 May 2003 07:16, Tom wrote:
> > Bad.  XDM is not something that you want to allow reading all kernel
> > memory. It should use /dev/random instead if you block /dev/mem.
>
> It actually accesses /dev/mem, not /dev/kmem. Shouldn't /dev/kmem have
> its own type?

Why?  Physical RAM and kernel virtual memory are equally dangerous and give 
access to the same stuff.

> > > +# but xdm_xserver wants to write, too
> > > +allow xdm_xserver_t memory_device_t:chr_file { read write };
> >
> > That is only if you are not using the frame-buffer.  See the below
> > snippet from macros/program/xserver_macros.te (which is where you want to
> > do this if you want to support "startx" as well as an xdm).
>
> The framebuffer support for sis chipsets is, to put it friendly,
> slightly buggy. I have not yet found a way to use it in any reasonable
> way on this machine. (it works, but it's not useable)

In that case you have to change the xserver_macros.te accordingly.  I don't 
think that should be the default however, people who are using the 
frame-buffer should be able to grant their X server minimal access.

> > This is bad in several ways.  Firstly it's probably good style to use
> > domain_trans() for such things, then people who read your policy can find
> > what they expect to fine.  Secondly, why is an xdm_exec_t program being
> > used?
>
> wdm has several startup files in /etc/X11/wdm/ - I've labelled them
> xdm_exec_t. Should they get their own type? They are, for all I can
> see, executed after the domain transition has taken place.

What about xsession_exec_t?

> Absolutely. My goal was to get a working policy and a working graphical
> login. I've done that.

That's a great start!  Now we just have to work out which types of access are 
really enabled, which aren't needed, which can be avoided by correct 
configuration, and which require changes to the applications.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: some policy patches

[Russell Coker]

On Sun, 25 May 2003 02:07, Tom wrote:
> I have attached three diff files for policy changes. These are against
> Russell's default policy, though from the file comments at least one
> (xdm) is unchanged from the upstream tree.

+# XFree86-4 wants to check if kernel is tainted
+allow xdm_xserver_t sysctl_kernel_t:dir { search };
+allow xdm_xserver_t sysctl_kernel_t:file { getattr read };
+allow xdm_xserver_t sysctl_t:dir { search };

Strange, it doesn't seem to do that on my system.  Maybe it's some module that 
you are using.  In any case this is pretty harmless and should go in, but not 
to xserver.te.  Putting it in xserver.te breaks policy compilation for 
everyone who doesn't use xdm.

I've added it to xserver_macros.te in my tree.

> apm.diff contains minor updates so that acpid works (they are very
> similiar in requirements, and you don't usually have both running
> anyway, so a shared domain for apmd and acpid should be ok).

Done that.

> games.diff enables what I believe to be better games support. I have a

Firstly, don't use an apostrophy in words such as dont.  It causes problems 
with m4.

For the games patch to be merged it will have to use the macros so that it can 
work from user roles other than user_r.

I have put an updated policy.tgz on my web page containing the patches 
discussed here and some other changes.  A new Debian package will be 
available in a day or two.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: some policy patches

[Tom]

On Sun, May 25, 2003 at 04:18:34AM +1000, Russell Coker wrote:
> Strange, it doesn't seem to do that on my system.  Maybe it's some module that 
> you are using.  In any case this is pretty harmless and should go in, but not 
> to xserver.te.  Putting it in xserver.te breaks policy compilation for 
> everyone who doesn't use xdm.
> 
> I've added it to xserver_macros.te in my tree.

I would've suggested putting #ifdef's around it, or adding it to xdm.te
(I'd assume that anyone running xdm is using X :) )


> > games.diff enables what I believe to be better games support. I have a
> 
> Firstly, don't use an apostrophy in words such as dont.  It causes problems 
> with m4.

Roger.


> For the games patch to be merged it will have to use the macros so that it can 
> work from user roles other than user_r.

Yes, I will fix that. I will post an updated version tomorrow.

I also have a policy for cdrom read and write access coming. I want to
use the cd-r/w writer in my notebook, too.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.