* Latest patches
@ 2002-06-25 18:35 Russell Coker
From: Russell Coker @ 2002-06-25 18:35 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 728 bytes --]

Somewhere in recent times my Debian packages of SE Linux stopped being 
buildable.  I think it may have been at the last official SE Linux release, 
but it may have been one of the patches since then.

The problem is the function security_mls(), which is called from the library 
code in selinux-small but which is not provided.

I have attached a file to go into selinux-small/libsecure/src to address this.

NB I've never tested this under MLS as I don't use MLS.  It makes it compile 
and work for non-MLS...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

[-- Attachment #2: security_mls.c --]
[-- Type: text/x-c, Size: 92 bytes --]

#include <ss.h>

/*
 * security_mls(): ask the kernel's security server whether MLS is
 * enabled in the loaded policy.  lsm() (declared in ss.h) issues the
 * multiplexed SE Linux system call; SELINUX_MAGIC selects SE Linux and
 * SELINUXCALL_MLS selects the MLS query, which takes no further
 * arguments, so the third parameter is 0.  The kernel's return value is
 * passed back unchanged.
 */
int security_mls(void)
{
	return lsm(SELINUX_MAGIC, SELINUXCALL_MLS, 0);
}


* Re: Latest patches
       [not found] <Pine.GSO.4.33.0206251442590.7048-100000@raven>
@ 2002-06-25 19:33 ` Russell Coker
From: Russell Coker @ 2002-06-25 19:33 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

On Tue, 25 Jun 2002 14:43, you wrote:
> This is already in the upstream distribution.  But it was added by the
> last public release, so maybe you didn't pick it up from the new
> archive.

I must have made a mistake when merging patches.

Thanks for the information.

BTW I'm CCing the list so that everyone knows the issue has already been 
resolved.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Latest Patches
  2004-08-30 20:24     ` James Carter
@ 2004-09-02 12:46       ` Daniel J Walsh
  2004-09-02 12:54         ` Stephen Smalley
                           ` (3 more replies)
From: Daniel J Walsh @ 2004-09-02 12:46 UTC (permalink / raw)
  To: jwcart2; +Cc: russell, SELinux

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

Include some stuff from Russell,
Critical patch for tmpfs to get udev on tmpfs working

You sent me a note saying some patches conflict with other changes, 
please point those out so I can remove them.

Dan

[-- Attachment #2: policy-20040902.patch --]
[-- Type: text/plain, Size: 30068 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.17.9/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/fsadm.te	2004-09-02 08:15:02.734588923 -0400
@@ -29,6 +29,9 @@
 allow fsadm_t sysctl_kernel_t:file r_file_perms;
 allow fsadm_t sysctl_kernel_t:dir r_dir_perms;
 
+# for /dev/shm
+allow fsadm_t tmpfs_t:dir { getattr search };
+
 base_file_read_access(fsadm_t)
 
 # Read /etc.
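Review bot: the tmpfs_t target in this rule conflicts with the fs_use hunk later in this same patch. Once tmpfs is switched to `fs_use_xattr tmpfs system_u:object_r:fs_t`, /dev/shm (a tmpfs mount) is labelled fs_t rather than tmpfs_t, and `allow fsadm_t tmpfs_t:dir { getattr search }` no longer covers it. Decide which labelling tmpfs gets and write this rule against that type.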
@@ -81,6 +84,7 @@
 # Access disk devices.
 allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
 allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
+allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
 
 # Access lost+found.
 allow fsadm_t lost_found_t:dir create_dir_perms;
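Review bot: the added scsi_generic_device_t rule has no comment saying which fsadm tool needs /dev/sg*, while the neighbouring disk-device rules are commented. Note also that r_file_perms includes ioctl, and ioctl is the path for sending raw SCSI commands to sg devices, so this grants more than reading; name the tool and the ioctl need, or drop ioctl if getattr/read are all that is wanted.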
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
@@ -12,12 +12,14 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
 ifdef(`sendmail.te', `
+# do not use privmail for sendmail as it creates a type transition conflict
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 allow system_mail_t initrc_t:fd use;
 allow system_mail_t initrc_t:fifo_file write;
+', `
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
 ')
-
 role system_r types initrc_t;
 uses_shlib(initrc_t);
 can_ypbind(initrc_t)
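Review bot: the comment "# do not use privmail for sendmail as it creates a type transition conflict" now appears twice, once as unchanged context above the ifdef and once added inside it; drop the outer copy. The two `type initrc_t` declarations differ only in `privmail` and a missing space (`privmem,auth_write`); factoring the common attribute list into one define would keep the two branches from drifting apart.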
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.17.9/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/logrotate.te	2004-09-02 08:15:02.735588811 -0400
@@ -41,7 +41,8 @@
 allow logrotate_t etc_runtime_t:file r_file_perms;
 
 # it should not require this
-dontaudit logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { read getattr search };
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+dontaudit logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { read };
 
 # create lock files
 rw_dir_create_file(logrotate_t, var_lock_t)
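Review bot: the comment "# it should not require this" now sits above an allow rule that grants `getattr search` on staff and sysadm home directories, so the comment contradicts the rule. Either keep the dontaudit if the access really is unneeded, or replace the comment with the reason logrotate_t must search home directories, since letting a system daemon traverse admin home directories is a real widening of its reach.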
@@ -140,10 +141,5 @@
 
 domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
 
-r_dir_file(logrotate_t, selinux_config_t)
+dontaudit logrotate_t selinux_config_t:dir search;
 
-#from " logrotate -f /etc/logrotate.conf" while root(sysadm_r)
-allow logrotate_t devpts_t:dir { search };
-allow logrotate_t initrc_t:process { transition };
-dontaudit logrotate_t {sysadm_home_dir_t staff_home_dir_t}:dir { read search };
-allow logrotate_t var_t:file { getattr  read }; 
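Review bot: four rules are removed here with no explanation in the message. `allow logrotate_t initrc_t:process { transition }` is redundant with the domain_auto_trans() two lines above, but `devpts_t:dir search` and `var_t:file { getattr read }` were, per the deleted comment, added for `logrotate -f /etc/logrotate.conf` run from sysadm_r, and nothing in this hunk shows where they are now granted. Say why they are gone, or re-test that invocation. The home-directory dontaudit duplicates the previous hunk's handling and is fine to drop.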
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.17.9/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/setfiles.te	2004-09-02 08:15:02.736588699 -0400
@@ -40,8 +44,7 @@
 allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
 allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
 allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t device_type:{ chr_file blk_file } relabelto;
-allow setfiles_t device_t:{ chr_file blk_file } { getattr relabelfrom read };
+allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
 allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
 
 allow setfiles_t fs_t:filesystem getattr;
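Review bot: the merged rule changes two things at once: device_t loses `read` (the old line granted `{ getattr relabelfrom read }`) and gains `relabelto`, which only device_type had before. If setfiles no longer needs to read device nodes and should be allowed to relabel to device_t, say so in the message; otherwise keep the two lines separate. The hunk header `@@ -40,8 +44,7 @@` also starts four lines later in the new file with no earlier hunk for this file in the patch, which suggests the diff was taken against a tree that already differs from nsapolicy.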
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
@@ -41,6 +41,7 @@
 append_logdir_domain(httpd)
 #can read /etc/httpd/logs
 allow httpd_t httpd_log_t:lnk_file { read };
+allow httpd_t httpd_log_t:dir { remove_name };
 
 # For /etc/init.d/apache2 reload
 can_tcp_connect(httpd_t, httpd_t)
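Review bot: `remove_name` on httpd_log_t directories cuts against the append-only design that append_logdir_domain(httpd) a few lines above establishes, and the stale comment "#can read /etc/httpd/logs" does not describe it. On its own remove_name achieves nothing useful, since unlinking or renaming a log also needs `unlink`/`rename` on httpd_log_t:file; either state which httpd operation needs to remove log directory entries and grant the complete set deliberately, or drop this and leave log removal to logrotate's domain.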
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
@@ -157,5 +157,6 @@
 allow cupsd_t ptal_var_run_t:dir { search };
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
+allow cupsd_t printer_device_t:fifo_file rw_file_perms;
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
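Review bot: the new `printer_device_t:fifo_file rw_file_perms` rule has no comment; the adjacent ptal rules suggest it is for the FIFOs ptal creates for the printer, so say that, and check whether `{ read write getattr }` is enough instead of the full rw_file_perms set.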
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.17.9/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.9/domains/program/unused/dovecot.te	2004-09-02 08:15:02.738588475 -0400
@@ -11,7 +11,7 @@
 
 type dovecot_cert_t, file_type, sysadmfile;
 
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown net_bind_service setgid setuid sys_chroot dac_override dac_read_search };
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
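Review bot: this hunk only reorders the capability list (`dac_override dac_read_search` moved to the end) and changes no permissions; drop it from the patch so the diff shows only real changes.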
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.9/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/ipsec.te	2004-09-02 08:15:02.739588362 -0400
@@ -127,7 +127,7 @@
 ########## The following rules were added by cvance@tislabs.com ##########
 
 # allow pluto and startup scripts to access /dev/urandom
-allow { ipsec_t ipsec_mgmt_t } random_device_t:chr_file r_file_perms;
+allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
 
 # allow pluto to access /proc/net/ipsec_eroute;
 general_proc_read_access(ipsec_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
@@ -113,7 +113,6 @@
 allow ndc_t self:unix_stream_socket create_stream_socket_perms;
 allow ndc_t self:unix_stream_socket connect;
 allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t var_t:dir search;
 allow ndc_t var_run_t:dir search;
 allow ndc_t named_var_run_t:sock_file rw_file_perms;
 allow ndc_t named_t:unix_stream_socket connectto;
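Review bot: removing `allow ndc_t var_t:dir search` while keeping `var_run_t:dir search` is inconsistent: /var/run sits under /var, so ndc_t still needs to search var_t to reach named's control socket unless a macro not shown here grants it. Name that macro in the message or keep the rule.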
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
@@ -33,11 +33,6 @@
 allow insmod_t ramfs_t:file write;
 allow insmod_t rhgb_t:fd use;
 
-allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t root_t:dir { mounton };
-allow rhgb_t rhgb_t:capability { sys_admin };
-dontaudit rhgb_t var_run_t:dir { search };
-
 can_network(rhgb_t)
 can_ypbind(rhgb_t)
 
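Review bot: dropping `sys_admin`, ramfs mount/unmount and `mounton root_t` from rhgb_t is a welcome privilege reduction, but the message does not say what changed in rhgb to make them unnecessary, and the insmod_t rules left just above (`allow insmod_t ramfs_t:file write`, `allow insmod_t rhgb_t:fd use`) only make sense if rhgb still sets up a ramfs. State the rhgb version this was tested against and remove the insmod_t ramfs rules too if they are now dead.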
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.9/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.9/domains/program/unused/rpm.te	2004-09-02 08:15:02.740588250 -0400
@@ -19,10 +19,6 @@
 system_crond_entry(rpm_exec_t, rpm_t)
 role sysadm_r types rpm_t;
 domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
-ifdef(`unlimitedUsers', `
-role staff_r types rpm_t;
-domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
-')
 
 type rpm_file_t, file_type, sysadmfile;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamassassin.te policy-1.17.9/domains/program/unused/spamassassin.te
--- nsapolicy/domains/program/unused/spamassassin.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/domains/program/unused/spamassassin.te	2004-09-02 08:15:02.741588138 -0400
@@ -6,4 +6,6 @@
 
 type spamassassin_exec_t, file_type, sysadmfile, exec_type;
 
+bool spamassasin_can_network false;
+
 # Everything else is in spamassassin_macros.te.
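Review bot: the boolean name is misspelled: `spamassasin_can_network` (one s) against the domain and file name spamassassin. A `bool` becomes a runtime-visible name that administrators set with setsebool, so the misspelling is hard to correct once it ships; rename it here and in spamassassin_macros.te in the same patch. Keep the "# Everything else is in spamassassin_macros.te." comment last, after the bool.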
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
@@ -43,7 +43,8 @@
 allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
 	
 # to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
+allow udev_t { selinux_config_t default_context_t }:dir search;
+allow udev_t file_context_t:file { getattr read };
 
 allow udev_t policy_config_t:dir { search };
 allow udev_t proc_t:file { read };
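Review bot: replacing r_dir_file() with `dir search` on selinux_config_t/default_context_t and `file { getattr read }` on file_context_t is the right direction, but note what it drops: read on default_context_t files and search on file_context_t directories. That is fine only if udev opens nothing but the file_contexts file itself; say so in the comment above the rules.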
@@ -82,11 +83,6 @@
 ifdef(`consoletype.te', `
 can_exec(udev_t, consoletype_exec_t)
 ')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
 domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
 ifdef(`hide_broken_symptoms', `
 dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
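Review bot: the pam_var_console_t search and the two var_lock_t rules are removed without explanation. With the `ifdef(`pamconsole.te'` block gone, udev running pam_console_apply in its own domain will be denied unless that helper now gets a domain transition; say which it is in the message.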
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.17.9/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/file_contexts/program/ipsec.fc	2004-09-02 08:15:02.743587913 -0400
@@ -5,12 +5,16 @@
 /etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
 /usr/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
 /usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:ipsec_mgmt_exec_t
+/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t
+/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
 /usr/sbin/ipsec		--	system_u:object_r:ipsec_mgmt_exec_t
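Review bot: the /usr/lib(64)? and /usr/local/lib(64)? trees each have a catch-all `ipsec/.* -- ipsec_mgmt_exec_t` entry before the four ipsec_exec_t overrides, but /usr/libexec/ipsec gets only the four overrides, so every other helper under /usr/libexec/ipsec (the ones the management scripts call) keeps the default label. Add `/usr/libexec/ipsec/.* -- system_u:object_r:ipsec_mgmt_exec_t` ahead of them, and align the new entries with the existing columns.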
diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
--- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
@@ -8,6 +8,7 @@
 fs_use_xattr ext3 system_u:object_r:fs_t;
 fs_use_xattr xfs system_u:object_r:fs_t;
 fs_use_xattr reiserfs system_u:object_r:fs_t;
+fs_use_xattr tmpfs system_u:object_r:fs_t;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
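Review bot: `fs_use_xattr tmpfs` changes labelling for every tmpfs superblock, including the kernel's internal shm mount, and this file already declares tmpfs under fs_use_trans further down (deleted in the next hunk). tmpfs has no persistent xattrs to fall back on; if udev on tmpfs needs contexts it can set, that is exactly what fs_use_trans plus an explicit setfilecon gives, so solve it in udev's policy rather than by relabelling tmpfs as fs_t.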
@@ -23,7 +24,6 @@
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
 fs_use_trans devpts system_u:object_r:devpts_t;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t;
 fs_use_trans shm system_u:object_r:tmpfs_t;
 
 # The separate genfs_contexts configuration can be used for filesystem 
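Review bot: the comment two lines above ("This is appropriate for pseudo filesystems like devpts and tmpfs where we want to label objects with a derived type") still names tmpfs as the example after the tmpfs line is deleted; if the deletion stands, update the comment.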
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.17.9/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/admin_macros.te	2004-09-02 08:15:02.744587801 -0400
@@ -73,7 +73,8 @@
 can_sysctl($1_t)
 
 # Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:notdevfile_class_set create_file_perms;
+allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
+allow $1_t sysadmfile:lnk_file create_lnk_perms;
 allow $1_t sysadmfile:dir create_dir_perms;
 
 # Set an exec context, e.g. for runcon.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.9/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.9/macros/base_user_macros.te	2004-09-02 08:15:02.745587689 -0400
@@ -223,6 +223,11 @@
 dontaudit $1_t domain:notdevfile_class_set r_file_perms;
 dontaudit $1_t domain:process { getattr getsession };
 
+ifdef(`xserver.te', `
+# for /tmp/.ICE-unix
+file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+')
+
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
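Review bot: the new block is guarded by `ifdef(`xserver.te'` but references xdm_xserver_tmp_t, which is the xdm instantiation of the xserver macros and exists only when xdm.te is also built; the block immediately below already guards on `ifdef(`xdm.te'`. Use the same guard (or nest both) so a build with xserver.te and no xdm.te does not fail on an undefined type.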
@@ -287,11 +292,6 @@
 allow $1_t default_t:notdevfile_class_set r_file_perms;
 }
 
-ifdef(`unlimitedUsers', `
-allow $1_t unlabeled_t:dir r_dir_perms;
-allow $1_t unlabeled_t:notdevfile_class_set r_file_perms;
-')
-
 allow $1_t sysctl_kernel_t:dir search;
 allow $1_t sysctl_kernel_t:file { getattr read };
 allow $1_t sysctl_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.17.9/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/apache_macros.te	2004-09-02 08:15:02.746587577 -0400
@@ -21,6 +21,9 @@
 #This type is for webpages
 #
 type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
+ifelse($1, sys, `
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+')
 
 # This type is used for .htaccess files
 #
@@ -43,11 +46,13 @@
 uses_shlib(httpd_$1_script_t)
 can_network(httpd_$1_script_t)
 can_ypbind(httpd_$1_script_t)
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read };
+allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
+allow httpd_$1_script_t usr_t:lnk_file { getattr read };
 
 allow httpd_$1_script_t self:process { fork signal_perms };
 
 allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
+allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
 allow httpd_$1_script_t etc_runtime_t:file { getattr read };
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
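Review bot: `allow httpd_$1_script_t urandom_device_t:chr_file { getattr read }` appears to duplicate the `allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms` rule later in this same macro (visible as context in the `@@ -90,11 +94,8 @@` hunk); check which conditional each lives in and keep one.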
@@ -59,7 +64,6 @@
 
 allow httpd_$1_script_t device_t:dir { getattr search };
 allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-
 }
 
 # The following are the only areas that 
@@ -90,11 +94,8 @@
 
 allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
 
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_kernel_t:file read;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-dontaudit httpd_$1_script_t var_run_t:dir search;
-allow httpd_$1_script_t var_t:dir { search };
+# for nscd
+dontaudit httpd_$1_script_t var_t:dir search;
 
 ###########################################################################
 # Allow the script interpreters to run the scripts.  So
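Review bot: turning `allow httpd_$1_script_t var_t:dir { search }` into a dontaudit both removes the access and hides the denial, the worst combination for anyone debugging a CGI script that must reach something under /var. If scripts should not search /var, delete the allow so the denial stays visible; if the need is nscd, give the script domains the nscd_client_domain attribute, as this patch does for user domains in user_macros.te. Dropping the sysctl_t/sysctl_kernel_t dontaudits will make those denials reappear in the logs; fine if intended, but say so in the message.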
@@ -111,7 +112,6 @@
 allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
 allow httpd_$1_script_t home_root_t:dir { getattr search };
 allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:file r_file_perms;
 
 #############################################################################
 # Allow the scripts to read, read/write, append to the specified directories
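Review bot: removing `allow httpd_$1_script_t httpd_$1_content_t:file r_file_perms` means scripts can no longer read files in the content directory (templates, data files next to the script) while the `dir { getattr search }` rule above it is kept. If read access is now granted by a later rule, say which; otherwise this breaks common CGI layouts.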
@@ -149,7 +149,7 @@
 # Allow the user to create htaccess files
 #####################################################################
 
-allow $1_t httpd_$1_htaccess_t:{ file lnk_file } { create_file_perms relabelto relabelfrom };
+allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
 
 #########################################################################
 # Allow user to create files or directories 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.17.9/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/crond_macros.te	2004-09-02 08:15:02.746587577 -0400
@@ -75,7 +75,7 @@
 allow $1_crond_t etc_runtime_t:file { getattr read };
 allow $1_crond_t self:process { fork signal_perms setsched };
 allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read };
+allow $1_crond_t proc_t:file { getattr read ioctl };
 read_locale($1_crond_t)
 allow $1_crond_t { sysctl_t sysctl_kernel_t }:dir search;
 allow $1_crond_t sysctl_kernel_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.9/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/mozilla_macros.te	2004-09-02 08:27:27.514998489 -0400
@@ -78,7 +78,6 @@
 #
 if (mozilla_readhome || mozilla_writehome) {
 r_dir_file($1_mozilla_t, $1_home_t)
-r_dir_file($1_mozilla_t, $1_home_dir_t)
 
 ifdef(`gpg.te', `
 dontaudit $1_mozilla_t $1_gpg_secret_t:dir { getattr };
@@ -99,15 +98,7 @@
 file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_rw_t)
 allow $1_mozilla_t $1_home_t:dir setattr;
 allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
-}
-
-#
-# Reading /usr/tmp
-#
-allow $1_mozilla_t tmp_t:lnk_file { read };
-#
-# Unlinking .fonts.cache-1
-dontaudit $1_mozilla_t $1_home_t:file { unlink };
+} 
 
 allow $1_mozilla_t $1_t:unix_stream_socket { connectto };
 allow $1_mozilla_t sysctl_net_t:dir { search };
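Review bot: the replacement line `+} ` carries trailing whitespace, and the removed `tmp_t:lnk_file read` (for /usr/tmp) and `dontaudit $1_home_t:file unlink` rules go without a word on whether mozilla no longer triggers them; drop the whitespace and add a sentence to the message.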
@@ -119,7 +110,6 @@
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
 dontaudit $1_mozilla_t port_type:tcp_socket { name_bind };
-dontaudit $1_mozilla_t device_t:dir r_dir_perms;
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
 
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/slocate_macros.te policy-1.17.9/macros/program/slocate_macros.te
--- nsapolicy/macros/program/slocate_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/slocate_macros.te	2004-09-02 08:15:02.748587352 -0400
@@ -57,12 +57,7 @@
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
-ifdef(`unlimitedUsers', `
-allow $1_locate_t { root_dir_type file_type }:dir r_dir_perms;
-allow $1_locate_t { root_dir_type file_type -shadow_t}:file { getattr };
-', `
 dontaudit $1_locate_t { root_dir_type file_type }:dir r_dir_perms;
-')
 dontaudit $1_locate_t { root_dir_type file_type -shadow_t}:file { getattr read };
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.17.9/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/spamassassin_macros.te	2004-09-02 08:15:02.748587352 -0400
@@ -88,10 +88,10 @@
 spamassassin_agent_privs($1_spamassassin_t, $1)
 
 # set tunable if you have spamassassin do DNS lookups
-ifdef(`spamassasin_can_network', `
+if (spamassasin_can_network) {
 can_network($1_spamassassin_t)
 can_ypbind($1_spamassassin_t)
-')
+}
 
 ###
 # Define the domain for /usr/bin/spamc
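Review bot: the `if (spamassasin_can_network)` name must match the bool declared in spamassassin.te, and both carry the same misspelling; fix them together. The comment "# set tunable if you have spamassassin do DNS lookups" is now wrong: this is a policy boolean toggled at runtime with setsebool, not a build-time tunable, so reword it.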
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.17.9/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/ssh_agent_macros.te	2004-09-02 08:15:02.749587240 -0400
@@ -86,7 +86,10 @@
 
 ifdef(`xdm.te', `
 allow $1_ssh_agent_t xdm_t:fd { use };
-allow $1_ssh_agent_t xdm_t:fifo_file { write };
+allow $1_ssh_agent_t xdm_t:fifo_file { read write };
+
+# kdm: sigchld
+allow $1_ssh_agent_t xdm_t:process sigchld;
 ')
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
@@ -89,6 +89,14 @@
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
 
+if (user_tcp_server) {
+# for sshing to a ssh tunnel
+can_tcp_connect($1_ssh_t, $1_ssh_t)
+
+# for other connections to a ssh tunnel
+can_tcp_connect($1_t, $1_ssh_t)
+}
+
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
 
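Review bot: the comment "# for sshing to a ssh tunnel" is unclear. What the first rule grants is $1_ssh_t connecting to a port another $1_ssh_t instance is forwarding (ssh -L), and the second lets any program in $1_t connect to such a port; say that, and note in the message where the user_tcp_server boolean is declared, since it is not in this patch.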
@@ -118,10 +126,21 @@
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:file { getattr read };
+can_exec($1_ssh_t, shell_exec_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
 
+# Connect to sshd.
+ifdef(`inetd.te', `
+ifdef(`run_ssh_inetd', `
+can_tcp_connect($1_ssh_t, inetd_t)
+', `
+can_tcp_connect($1_ssh_t, sshd_t)
+')', `
+can_tcp_connect($1_ssh_t, sshd_t)
+')
+
 # Write to the user domain tty.
 allow $1_ssh_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_ssh_t $1_devpts_t:chr_file rw_file_perms;
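Review bot: `can_exec($1_ssh_t, shell_exec_t)` is appended under a comment that only explains the dontaudit rules above it ("for /bin/sh used to execute xauth"); give it its own comment. In the nested ifdef that follows, `can_tcp_connect($1_ssh_t, sshd_t)` is emitted in two of the three branches; if run_ssh_inetd is only ever defined alongside inetd.te, a single `ifdef(`run_ssh_inetd'` with one sshd_t fallback writes the rule once.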
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.17.9/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-09-01 14:00:03.000000000 -0400
+++ policy-1.17.9/macros/program/su_macros.te	2004-09-02 08:15:02.750587128 -0400
@@ -45,7 +45,7 @@
 allow $1_su_t proc_t:lnk_file read;
 r_dir_file($1_su_t, self)
 allow $1_su_t proc_t:file read;
-allow $1_su_t self:process setsched;
+allow $1_su_t self:process { setsched setrlimit };
 allow $1_su_t device_t:dir search;
 allow $1_su_t self:process { fork sigchld };
 can_ypbind($1_su_t)
@@ -102,7 +102,6 @@
 # Relabel ttys and ptys.
 allow $1_su_t { device_t devpts_t }:dir { getattr read search };
 allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-allow $1_su_t console_device_t:chr_file { relabelfrom relabelto };
 
 # Close and re-open ttys and ptys to get the fd into the correct domain.
 allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
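Review bot: the removal of `console_device_t:chr_file { relabelfrom relabelto }` is unexplained. If console_device_t carries the ttyfile attribute the rule was redundant with the `{ ttyfile ptyfile }` line kept above; if not, su from the console loses tty relabelling. State which in the message.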
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
@@ -17,7 +17,7 @@
 ifdef(`single_userdomain', `
 typealias $1_t alias $1_userhelper_t;
 ', `
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
 
 in_user_role($1_userhelper_t)
 role sysadm_r types $1_userhelper_t;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.17.9/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/macros/program/x_client_macros.te	2004-09-02 08:15:02.752586903 -0400
@@ -72,7 +72,8 @@
 # allow $1_t to create dirs and files in the rw type (the auto_trans rule above
 # does it for $1_$2_t)
 allow $1_t $1_$2_rw_t:dir create_dir_perms;
-allow $1_t $1_$2_rw_t:{ file lnk_file } create_file_perms;
+allow $1_t $1_$2_rw_t:file create_file_perms;
+allow $1_t $1_$2_rw_t:lnk_file create_lnk_perms;
 
 r_dir_file($1_$2_t, $1_$2_ro_t)
 allow $1_$2_t $1_$2_ro_t:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.9/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-09-02 08:03:27.267644661 -0400
+++ policy-1.17.9/macros/program/xserver_macros.te	2004-09-02 08:16:31.894582051 -0400
@@ -47,6 +47,7 @@
 ', `
 domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
 ')dnl end ifelse xdm
+can_exec($1_xserver_t, xserver_exec_t)
 
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
@@ -95,6 +96,8 @@
 ')dnl end ifdef userhelper
 ')dnl end ifelse xdm
 
+allow $1_xserver_t self:process setsched;
+
 allow $1_xserver_t fs_t:filesystem getattr;
 
 # Xorg wants to check if kernel is tainted
@@ -127,7 +130,9 @@
 allow $1_xserver_t mtrr_device_t:file rw_file_perms;
 allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
 allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
+ifdef(`redhat', `
 allow $1_xserver_t device_t:lnk_file { getattr read };
+')
 allow $1_xserver_t devtty_t:chr_file rw_file_perms;
 allow $1_xserver_t devtty_t:lnk_file read;
 
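Review bot: the guard `ifdef(`redhat'` tests a macro that nothing in this patch defines; the distro switch enabled in tunables/distro.tun by this same patch is `distro_redhat`. As written the `device_t:lnk_file { getattr read }` rule is never emitted. Use `ifdef(`distro_redhat'`.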
@@ -205,7 +210,7 @@
 
 # Run helper programs in $1_xserver_t.
 allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:file { getattr read };
+allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
 allow $1_xserver_t bin_t:lnk_file read;
 can_exec($1_xserver_t, { bin_t shell_exec_t })
 
@@ -226,7 +231,7 @@
 ifelse($1, xdm, `
 ifdef(`xdm.te', `
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-rw_dir_file(xdm_xserver_t, xdm_tmpfs_t)
+allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 ', `
 allow $1_xserver_t $1_t:shm rw_shm_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.17.9/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-09-01 14:00:03.000000000 -0400
+++ policy-1.17.9/macros/user_macros.te	2004-09-02 08:15:02.753586791 -0400
@@ -28,7 +28,7 @@
 allow $1_t device_t:dir { getattr };
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, user_home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
 type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
 
 tmp_domain($1, `, user_tmpfile')
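Review bot: dropping user_home_type from $1_home_dir_t silently removes the home directory itself from every rule written against the user_home_type attribute. That may be the intent (distinguishing the directory from its contents), but the message should say so and list the rules that were checked.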
@@ -145,9 +145,7 @@
 define(`full_user_role', `
 
 # user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, privfd, nscd_client_domain
-ifdef(`unlimitedUsers', `,privhome, etc_writer, privmodule, privlog, privowner, admin, fs_domain, privmem, privowner, sysctl_kernel_writer, auth, auth_write')
-;
+type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain;
 
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
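Review bot: besides the unlimitedUsers attributes, this hunk also drops `privfd` from the unconditional part of the $1_t declaration. privfd is what lets other domains use descriptors inherited from the user domain and has nothing to do with unlimitedUsers; if removing it is deliberate, call it out in the message, otherwise restore it.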
@@ -251,9 +249,6 @@
 #
 allow $1_home_t $1_home_t:filesystem associate;
 allow homedirfile $1_home_t:filesystem associate;
-ifdef(`unlimitedUsers', `
-unconfined_domain($1_t) 
-')
 ')
 
 undefine(`in_user_role')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
--- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
+++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
@@ -147,6 +147,7 @@
 	@grep -v "^/root" $@.tmp > $@.root
 	@/usr/sbin/genhomedircon . $@.root  > $@
 	@grep "^/root" $@.tmp >> $@
+	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
 	@-rm $@.tmp $@.root
 
 clean:
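Review bot: this loop bakes the build host's hardware into file_contexts. It probes /proc/ide/hd*/media at policy build time, so the /dev/hdX entries labelled removable_device_t describe whichever machine ran make, not the machine the policy is installed on, and on a build host with no IDE devices grep runs on the literal glob (its error masked by `|| true`). CD-ROM device labelling belongs in a static file_contexts entry or in a step run on the target host, not in the policy build.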
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.9/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/tunables/distro.tun	2004-09-02 08:15:02.755586567 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
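Review bot: enabling `define(`distro_redhat')` in the shared tunables file changes the default for every consumer of nsapolicy; distribution selection belongs in the packaging that builds the policy for Red Hat, not in the upstream default.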
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.9/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.9/tunables/tunable.tun	2004-09-02 08:15:02.755586567 -0400
@@ -5,50 +5,47 @@
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow users to unrestricted access
-dnl define(`unlimitedUsers')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
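Review bot: this hunk turns on `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `nfs_export_all_rw`, `user_canbe_sysadm` and `hide_broken_symptoms` by default; per the comments above each define, that gives rpm, hotplug/insmod and any rc-started daemon without its own domain an unconfined domain, allows read/write/create on any NFS file system, lets user_r reach sysadm_r, and suppresses audit messages for known breakage. These are site decisions that should stay commented out in the shared tree, with distributions enabling them in their own tunable.tun. The hunk also deletes `dnl define(`unlimitedUsers')` outright instead of leaving it commented, which should be called out since the macro hunk earlier in the patch removes the code that used it.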


* Re: Latest Patches
  2004-09-02 12:46       ` Latest Patches Daniel J Walsh
@ 2004-09-02 12:54         ` Stephen Smalley
  2004-09-02 15:23           ` Daniel J Walsh
  2004-09-02 13:10         ` Stephen Smalley
                           ` (2 subsequent siblings)
  3 siblings, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 12:54 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, SELinux

On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
> Include some stuff from Russell,
> Critical patch for tmpfs to get udev on tmpfs working

You can't change fs_use in that manner; it will break the kernel's
internal usage of tmpfs for shared memory.  The situation is similar to
devpts; fs_use_trans will govern the initial setting of the inode
context, then programs can explicitly set and get the context.  

________________________________________________________________________
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest Patches
  2004-09-02 12:46       ` Latest Patches Daniel J Walsh
  2004-09-02 12:54         ` Stephen Smalley
@ 2004-09-02 13:10         ` Stephen Smalley
  2004-09-02 13:38           ` Russell Coker
                             ` (3 more replies)
  2004-09-02 13:27         ` Russell Coker
  2004-09-02 16:30         ` Joshua Brindle
  3 siblings, 4 replies; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 13:10 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, SELinux

On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
> --- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
> @@ -12,12 +12,14 @@
>  # initrc_exec_t is the type of the init program.
>  #
>  # do not use privmail for sendmail as it creates a type transition conflict
> -type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
>  ifdef(`sendmail.te', `
> +# do not use privmail for sendmail as it creates a type transition conflict
> +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
>  allow system_mail_t initrc_t:fd use;
>  allow system_mail_t initrc_t:fifo_file write;
> +', `
> +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
>  ')
> -
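Review bot: the two `type initrc_t` declarations in the `ifdef(`sendmail.te', ...)` branches now have to be kept in sync by hand (they already differ in spacing, `privmem, auth_write` vs `privmem,auth_write`), whereas the removed line expressed the sendmail exception with a single embedded `ifdef(`sendmail.te', `', `privmail,')`. Keep the merged declaration; if this hunk is an artifact of merging an older tree, drop it.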

This reverts a patch from Russell to merge the two initrc_t type
declarations together (using an ifdef embedded in the attribute list for
the sendmail issue) to ease maintenance.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
> @@ -41,6 +41,7 @@
>  append_logdir_domain(httpd)
>  #can read /etc/httpd/logs
>  allow httpd_t httpd_log_t:lnk_file { read };
> +allow httpd_t httpd_log_t:dir { remove_name };
>  
>  # For /etc/init.d/apache2 reload
>  can_tcp_connect(httpd_t, httpd_t)
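Review bot: `allow httpd_t httpd_log_t:dir { remove_name };` lets the web server delete entries from its own log directory, which weakens the integrity of those logs if httpd is compromised; before granting it, identify the operation that triggered the denial, and if it is only audit noise a `dontaudit` is the safer answer.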

As before, do you want apache removing log files?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
> @@ -157,5 +157,6 @@
>  allow cupsd_t ptal_var_run_t:dir { search };
>  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>  
> +allow cupsd_t printer_device_t:fifo_file rw_file_perms;
>  dontaudit cupsd_t selinux_config_t:dir search;
>  dontaudit cupsd_t selinux_config_t:file { getattr read };
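Review bot: `allow cupsd_t printer_device_t:fifo_file rw_file_perms;` is not accompanied by any rule that would let a fifo of type `printer_device_t` be created, so it reads as a leftover from an earlier policy; cite the AVC denial that motivates it or leave it out.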

Does this fifo still exist?  Russell removed this rule earlier.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
> --- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
> @@ -113,7 +113,6 @@
>  allow ndc_t self:unix_stream_socket create_stream_socket_perms;
>  allow ndc_t self:unix_stream_socket connect;
>  allow ndc_t self:capability { dac_override net_admin };
> -allow ndc_t var_t:dir search;
>  allow ndc_t var_run_t:dir search;
>  allow ndc_t named_var_run_t:sock_file rw_file_perms;
>  allow ndc_t named_t:unix_stream_socket connectto;
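Review bot: dropping `allow ndc_t var_t:dir search;` while keeping `allow ndc_t var_run_t:dir search;` leaves ndc_t unable to traverse /var to reach /var/run, so the socket rule below it becomes unreachable; if the goal was to remove a duplicate of this rule elsewhere in named.te, remove the other copy instead.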

You can't reach /var/run if you can't search /var.

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
> --- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
> @@ -33,11 +33,6 @@
>  allow insmod_t ramfs_t:file write;
>  allow insmod_t rhgb_t:fd use;
>  
> -allow rhgb_t ramfs_t:filesystem { mount unmount };
> -allow rhgb_t root_t:dir { mounton };
> -allow rhgb_t rhgb_t:capability { sys_admin };
> -dontaudit rhgb_t var_run_t:dir { search };
> -
>  can_network(rhgb_t)
>  can_ypbind(rhgb_t)
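Review bot: dropping `sys_admin`, `mount`/`unmount` on `ramfs_t` and `mounton` of `root_t` from rhgb_t is a real privilege reduction, but nothing in the hunk shows that rhgb no longer mounts its ramfs; confirm in enforcing mode and note the absence of denials in the changelog so the removal is not reverted as a regression later.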

Why is it safe to remove these rules?  Change in mkinitrd?  Does rhgb
still work as expected with strict/enforcing?

> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
> --- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
> +++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
> @@ -43,7 +43,8 @@
>  allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
>  	
>  # to read the file_contexts file
> -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
> +allow udev_t { selinux_config_t default_context_t }:dir search;
> +allow udev_t file_context_t:file { getattr read };

To access the file_contexts file, udev must be able to read
/etc/selinux/config (requires search to selinux_config_t:dir and read to
selinux_config_t:file) and
/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
to default_context_t:dir and file_context_t:dir and read to
file_context_t:file).  Simpler to just express this using the single
r_dir_file() line that is in our policy, even if it is a bit more
permissive than strictly necessary (your rules aren't sufficient).

> @@ -82,11 +83,6 @@
>  ifdef(`consoletype.te', `
>  can_exec(udev_t, consoletype_exec_t)
>  ')
> -ifdef(`pamconsole.te', `
> -allow udev_t pam_var_console_t:dir search;
> -')
> -allow udev_t var_lock_t:dir search;
> -allow udev_t var_lock_t:file getattr;
>  domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
>  ifdef(`hide_broken_symptoms', `
>  dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
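Review bot: removing `allow udev_t var_lock_t:dir search;`, `allow udev_t var_lock_t:file getattr;` and the `pam_var_console_t:dir search` rule will reintroduce denials if udev still checks /var/lock or the pam console directory; if this is a revert of a recently added change, say so in the commit message rather than letting it appear as a fix.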

These were just added by Russell, I think.

> diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
> --- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
> @@ -8,6 +8,7 @@
>  fs_use_xattr ext3 system_u:object_r:fs_t;
>  fs_use_xattr xfs system_u:object_r:fs_t;
>  fs_use_xattr reiserfs system_u:object_r:fs_t;
> +fs_use_xattr tmpfs system_u:object_r:fs_t;
>  
>  # Use the allocating task SID to label inodes in the following filesystem
>  # types, and label the filesystem itself with the specified context.
> @@ -23,7 +24,6 @@
>  # This is appropriate for pseudo filesystems like devpts and tmpfs
>  # where we want to label objects with a derived type.
>  fs_use_trans devpts system_u:object_r:devpts_t;
> -fs_use_trans tmpfs system_u:object_r:tmpfs_t;
>  fs_use_trans shm system_u:object_r:tmpfs_t;
>  
>  # The separate genfs_contexts configuration can be used for filesystem 
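Review bot: moving tmpfs from `fs_use_trans ... tmpfs_t` to `fs_use_xattr ... fs_t` changes the labelling rule for every tmpfs mount, not just /dev: new inodes become `fs_t` unless an xattr is set, and the derived `tmpfs_t` labelling that the comment above the `fs_use_trans` block describes is lost. If the motivation is that restorecon on /dev could not set labels, that is a question of which operations are permitted on tmpfs inodes, not of which `fs_use` behaviour applies, and should be solved without touching this line.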

Definitely wrong.  tmpfs needs to stay fs_use_trans even with the xattr
handlers, like devpts.


> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
> --- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
> @@ -89,6 +89,14 @@
>  can_network($1_ssh_t)
>  can_ypbind($1_ssh_t)
>  
> +if (user_tcp_server) {
> +# for sshing to a ssh tunnel
> +can_tcp_connect($1_ssh_t, $1_ssh_t)
> +
> +# for other connections to a ssh tunnel
> +can_tcp_connect($1_t, $1_ssh_t)
> +}
> +
>  # Use capabilities.
>  allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };

Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
the present policy; it was only applicable to the pre-2.6 SELinux with
labeled network buffers.

> +# Connect to sshd.
> +ifdef(`inetd.te', `
> +ifdef(`run_ssh_inetd', `
> +can_tcp_connect($1_ssh_t, inetd_t)
> +', `
> +can_tcp_connect($1_ssh_t, sshd_t)
> +')', `
> +can_tcp_connect($1_ssh_t, sshd_t)
> +')
> +
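Review bot: the first hunk gates its rules with a policy boolean, `if (user_tcp_server) { ... }`, while this one tests `run_ssh_inetd` with an m4 `ifdef`; the two are different mechanisms (build-time vs runtime), so the `ifdef` branch never selects the inetd_t rule when `run_ssh_inetd` exists only as a boolean. Use the same conditional form for both, or drop both if `can_tcp_connect` no longer expands to anything.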

Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
> --- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
> @@ -17,7 +17,7 @@
>  ifdef(`single_userdomain', `
>  typealias $1_t alias $1_userhelper_t;
>  ', `
> -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
> +type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
>  
>  in_user_role($1_userhelper_t)
>  role sysadm_r types $1_userhelper_t;

No, this is a reversion (where are these diffs coming from?).  privuser
is always needed by userhelper with the current code (always switches to
"root").

> @@ -127,7 +130,9 @@
>  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
>  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
>  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> +ifdef(`redhat', `
>  allow $1_xserver_t device_t:lnk_file { getattr read };
> +')
>  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
>  allow $1_xserver_t devtty_t:lnk_file read;
>  
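Review bot: the guard tests `ifdef(`redhat', ...)`, but the tunable this patch set enables in tunables/distro.tun is named `distro_redhat`, so this block is never compiled in under the patch's own naming; either use `distro_redhat` or, since the rule is a single `lnk_file { getattr read }`, leave it unconditional.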

Wrapping such a trivial rule with a distro-specific ifdef is pointless,
IMHO, and makes maintenance a pain.

> diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
> --- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
> +++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
> @@ -147,6 +147,7 @@
>  	@grep -v "^/root" $@.tmp > $@.root
>  	@/usr/sbin/genhomedircon . $@.root  > $@
>  	@grep "^/root" $@.tmp >> $@
> +	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
>  	@-rm $@.tmp $@.root
>  
>  clean:

Requires that the policy be rebuilt on every machine, as it depends on
local /proc information.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: Latest Patches
  2004-09-02 12:46       ` Latest Patches Daniel J Walsh
  2004-09-02 12:54         ` Stephen Smalley
  2004-09-02 13:10         ` Stephen Smalley
@ 2004-09-02 13:27         ` Russell Coker
  2004-09-02 16:30         ` Joshua Brindle
  3 siblings, 0 replies; 30+ messages in thread
From: Russell Coker @ 2004-09-02 13:27 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

On Thu, 2 Sep 2004 22:46, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Include some stuff from Russell,
> Critical patch for tmpfs to get udev on tmpfs working
>
> You sent me a note saying some patches conflict with other changes,
> please point those out so I can remove them.

The initrc patch removes my change to clean up the initrc_t definition.  
Having two definitions leads to bugs when people update only one of them (as 
was done with the unrestricted attribute change).

There should never be a printer_device_t:fifo_file entry, I removed it because 
there is no way for such a node to be created in enforcing mode.

The dovecot patch reverts my change to put the capabilities in numerical 
order.  I put them in order to improve readability.

In xserver_macros.te there's an ifdef(`redhat' when distro_redhat should be 
used.

We should probably avoid putting distro.tun into patch files that are 
distributed outside a distribution.  Leave all options commented for the CVS 
version.

Also the patch for tunable.tun is not something we want in the CVS.  I think 
that we want the CVS policy to have fairly restrictive settings for tunables.  
Apart from use_games I think that all the tunable changes in your patch 
should not be in the CVS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: Latest Patches
  2004-09-02 13:10         ` Stephen Smalley
@ 2004-09-02 13:38           ` Russell Coker
  2004-09-02 14:46             ` Stephen Smalley
  2004-09-02 15:38           ` Daniel J Walsh
                             ` (2 subsequent siblings)
  3 siblings, 1 reply; 30+ messages in thread
From: Russell Coker @ 2004-09-02 13:38 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Jim Carter, SELinux

On Thu, 2 Sep 2004 23:10, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/domains/program/unused/named.te
> > policy-1.17.9/domains/program/unused/named.te ---
> > nsapolicy/domains/program/unused/named.te 2004-08-27 14:44:11.000000000
> > -0400 +++ policy-1.17.9/domains/program/unused/named.te 2004-09-02
> > 08:15:02.739588362 -0400 @@ -113,7 +113,6 @@
> >  allow ndc_t self:unix_stream_socket create_stream_socket_perms;
> >  allow ndc_t self:unix_stream_socket connect;
> >  allow ndc_t self:capability { dac_override net_admin };
> > -allow ndc_t var_t:dir search;
> >  allow ndc_t var_run_t:dir search;
> >  allow ndc_t named_var_run_t:sock_file rw_file_perms;
> >  allow ndc_t named_t:unix_stream_socket connectto;
>
> You can't reach /var/run if you can't search /var.

The mistake here was removing the occurrence of that rule at line 116 instead 
of at line 145.  The rule is included twice if you enable ndc_shell_script.

> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/domains/program/unused/udev.te
> > policy-1.17.9/domains/program/unused/udev.te ---
> > nsapolicy/domains/program/unused/udev.te 2004-09-01 14:00:02.000000000
> > -0400 +++ policy-1.17.9/domains/program/unused/udev.te 2004-09-02
> > 08:15:02.742588026 -0400 @@ -43,7 +43,8 @@
> >  allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom
> > relabelto create_file_perms };
> >
> >  # to read the file_contexts file
> > -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t }
> > ) +allow udev_t { selinux_config_t default_context_t }:dir search; +allow
> > udev_t file_context_t:file { getattr read };
>
> To access the file_contexts file, udev must be able to read
> /etc/selinux/config (requires search to selinux_config_t:dir and read to
> selinux_config_t:file) and
> /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
> to default_context_t:dir and file_context_t:dir and read to
> file_context_t:file).  Simpler to just express this using the single
> r_dir_file() line that is in our policy, even if it is a bit more
> permissive than strictly necessary (your rules aren't sufficient).

My most recent patch for this is sufficient.  It seems that Dan merged in an 
earlier patch that was in a development stage.

> > diff --exclude-from=exclude -N -u -r
> > nsapolicy/macros/program/ssh_macros.te
> > policy-1.17.9/macros/program/ssh_macros.te ---
> > nsapolicy/macros/program/ssh_macros.te 2004-08-27 14:44:11.000000000
> > -0400 +++ policy-1.17.9/macros/program/ssh_macros.te 2004-09-02
> > 08:22:53.013807132 -0400 @@ -89,6 +89,14 @@
> >  can_network($1_ssh_t)
> >  can_ypbind($1_ssh_t)
> >
> > +if (user_tcp_server) {
> > +# for sshing to a ssh tunnel
> > +can_tcp_connect($1_ssh_t, $1_ssh_t)
> > +
> > +# for other connections to a ssh tunnel
> > +can_tcp_connect($1_t, $1_ssh_t)
> > +}
> > +
> >  # Use capabilities.
> >  allow $1_ssh_t self:capability { setuid setgid dac_override
> > dac_read_search };
>
> Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
> the present policy; it was only applicable to the pre-2.6 SELinux with
> labeled network buffers.

It was in my tree.  When the tunables were converted to booleans I just made 
equivalent changes to the policy in my tree.

> > +# Connect to sshd.
> > +ifdef(`inetd.te', `
> > +ifdef(`run_ssh_inetd', `
> > +can_tcp_connect($1_ssh_t, inetd_t)
> > +', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')
> > +
>
> Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.

I've removed both of them from my tree to avoid further confusion.

 > diff --exclude-from=exclude -N -u -r
> > nsapolicy/macros/program/userhelper_macros.te
> > policy-1.17.9/macros/program/userhelper_macros.te ---
> > nsapolicy/macros/program/userhelper_macros.te 2004-08-27
> > 14:44:11.000000000 -0400 +++
> > policy-1.17.9/macros/program/userhelper_macros.te 2004-09-02
> > 08:15:02.751587016 -0400 @@ -17,7 +17,7 @@
> >  ifdef(`single_userdomain', `
> >  typealias $1_t alias $1_userhelper_t;
> >  ', `
> > -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole,
> > privowner, auth_chkpwd, privfd, privuser; +type $1_userhelper_t, domain,
> > userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd
> > ifdef(`user_canbe_sysadm', `, privuser');
> >
> >  in_user_role($1_userhelper_t)
> >  role sysadm_r types $1_userhelper_t;
>
> No, this is a reversion (where are these diffs coming from?).  privuser
> is always needed by userhelper with the current code (always switches to
> "root").

Probably from my tree.  There's a bunch of differences between my tree and the 
CVS which are because of my tree being outdated.  I am fairly careful about 
what I push, and also about what I accept for my tree.

There are some things in the CVS that I have not yet put in my tree because I 
suspect that there is a better way of achieving the same goal.  There are 
other things in the CVS that aren't in my tree because I haven't had time to 
consider the policy in question.

> > @@ -127,7 +130,9 @@
> >  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
> >  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
> >  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> > +ifdef(`redhat', `
> >  allow $1_xserver_t device_t:lnk_file { getattr read };
> > +')
> >  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
> >  allow $1_xserver_t devtty_t:lnk_file read;
>
> Wrapping such a trivial rule with a distro-specific ifdef is pointless,
> IMHO, and makes maintenance a pain.

OK, I'll remove that from my tree.

> > diff --exclude-from=exclude -N -u -r nsapolicy/Makefile
> > policy-1.17.9/Makefile --- nsapolicy/Makefile 2004-09-02
> > 08:03:26.130772258 -0400
> > +++ policy-1.17.9/Makefile 2004-09-02 08:15:02.754586679 -0400
> > @@ -147,6 +147,7 @@
> >   @grep -v "^/root" $@.tmp > $@.root
> >   @/usr/sbin/genhomedircon . $@.root  > $@
> >   @grep "^/root" $@.tmp >> $@
> > + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk
> > -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >>
> > $@ || true; done @-rm $@.tmp $@.root
> >
> >  clean:
>
> Requires that the policy be rebuilt on every machine, as it depends on
> local /proc information.

True.  The general consensus seems to be that Colin Walters has the best idea 
of how to solve this.  But until his solution gets implemented this seems 
like a good work-around.

Also something to note is that we really don't want to use this when producing 
a file_contexts file for distributing to other machines.  It would be likely 
to grant inappropriate access to block devices.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: Latest Patches
  2004-09-02 13:38           ` Russell Coker
@ 2004-09-02 14:46             ` Stephen Smalley
  0 siblings, 0 replies; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 14:46 UTC (permalink / raw)
  To: Russell Coker; +Cc: Daniel J Walsh, Jim Carter, SELinux

On Thu, 2004-09-02 at 09:38, Russell Coker wrote:
> Also something to note is that we really don't want to use this when producing 
> a file_contexts file for distributing to other machines.  It would be likely 
> to grant inappropriate access to block devices.

But with the current Makefile patch, this is precisely what will happen
for anyone who does not have policy sources installed, right?  And last
I checked, policy sources are only installed by explicit request, not by
default.  Seems to require separate Makefile targets for local build vs.
rpm build.
  
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: Latest Patches
  2004-09-02 12:54         ` Stephen Smalley
@ 2004-09-02 15:23           ` Daniel J Walsh
  2004-09-02 15:46             ` Stephen Smalley
  0 siblings, 1 reply; 30+ messages in thread
From: Daniel J Walsh @ 2004-09-02 15:23 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, SELinux

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
>>Include some stuff from Russell,
>>Critical patch for tmpfs to get udev on tmpfs working
>
>You can't change fs_use in that manner; it will break the kernel's
>internal usage of tmpfs for shared memory.  The situation is similar to
>devpts; fs_use_trans will govern the initial setting of the inode
>context, then programs can explicitly set and get the context.
>
>________________________________________________________________________

We get a discretionary access control error "Permission Denied" message
on a restorecon /dev on bootup without making this change.  Everything
seemed to be working ok, well at least to the point of booting the
machine and logging in.

Dan



* Re: Latest Patches
  2004-09-02 13:10         ` Stephen Smalley
  2004-09-02 13:38           ` Russell Coker
@ 2004-09-02 15:38           ` Daniel J Walsh
  2004-09-02 17:15           ` Luke Kenneth Casson Leighton
  2004-09-02 18:56           ` James Carter
  3 siblings, 0 replies; 30+ messages in thread
From: Daniel J Walsh @ 2004-09-02 15:38 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, SELinux

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
>>--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
>>@@ -12,12 +12,14 @@
>> # initrc_exec_t is the type of the init program.
>> #
>> # do not use privmail for sendmail as it creates a type transition conflict
>>-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
>> ifdef(`sendmail.te', `
>>+# do not use privmail for sendmail as it creates a type transition conflict
>>+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
>> allow system_mail_t initrc_t:fd use;
>> allow system_mail_t initrc_t:fifo_file write;
>>+', `
>>+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
>> ')
>>-
>
>This reverts a patch from Russell to merge the two initrc_t type
>declarations together (using an ifdef embedded in the attribute list for
>the sendmail issue) to ease maintenance.

Removed

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
>>--- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
>>@@ -41,6 +41,7 @@
>> append_logdir_domain(httpd)
>> #can read /etc/httpd/logs
>> allow httpd_t httpd_log_t:lnk_file { read };
>>+allow httpd_t httpd_log_t:dir { remove_name };
>> 
>> # For /etc/init.d/apache2 reload
>> can_tcp_connect(httpd_t, httpd_t)
>
>As before, do you want apache removing log files?

Russell added it I believe; I will remove it for now.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
>>--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
>>@@ -157,5 +157,6 @@
>> allow cupsd_t ptal_var_run_t:dir { search };
>> dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>> 
>>+allow cupsd_t printer_device_t:fifo_file rw_file_perms;
>> dontaudit cupsd_t selinux_config_t:dir search;
>> dontaudit cupsd_t selinux_config_t:file { getattr read };
>
>Does this fifo still exist?  Russell removed this rule earlier.

Ok, I will remove it till we see the avc message again.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
>>--- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
>>@@ -113,7 +113,6 @@
>> allow ndc_t self:unix_stream_socket create_stream_socket_perms;
>> allow ndc_t self:unix_stream_socket connect;
>> allow ndc_t self:capability { dac_override net_admin };
>>-allow ndc_t var_t:dir search;
>> allow ndc_t var_run_t:dir search;
>> allow ndc_t named_var_run_t:sock_file rw_file_perms;
>> allow ndc_t named_t:unix_stream_socket connectto;
>
>You can't reach /var/run if you can't search /var.

Ok, I will remove.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
>>--- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
>>@@ -33,11 +33,6 @@
>> allow insmod_t ramfs_t:file write;
>> allow insmod_t rhgb_t:fd use;
>> 
>>-allow rhgb_t ramfs_t:filesystem { mount unmount };
>>-allow rhgb_t root_t:dir { mounton };
>>-allow rhgb_t rhgb_t:capability { sys_admin };
>>-dontaudit rhgb_t var_run_t:dir { search };
>>-
>> can_network(rhgb_t)
>> can_ypbind(rhgb_t)
>
>Why is it safe to remove these rules?  Change in mkinitrd?  Does rhgb
>still work as expected with strict/enforcing?

From Russell's policy.  I will try it out.

>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
>>--- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
>>+++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
>>@@ -43,7 +43,8 @@
>> allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
>> 	
>> # to read the file_contexts file
>>-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
>>+allow udev_t { selinux_config_t default_context_t }:dir search;
>>+allow udev_t file_context_t:file { getattr read };
>
>To access the file_contexts file, udev must be able to read
>/etc/selinux/config (requires search to selinux_config_t:dir and read to
>selinux_config_t:file) and
>/etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
>to default_context_t:dir and file_context_t:dir and read to
>file_context_t:file).  Simpler to just express this using the single
>r_dir_file() line that is in our policy, even if it is a bit more
>permissive than strictly necessary (your rules aren't sufficient).

Removed

>>@@ -82,11 +83,6 @@
>> ifdef(`consoletype.te', `
>> can_exec(udev_t, consoletype_exec_t)
>> ')
>>-ifdef(`pamconsole.te', `
>>-allow udev_t pam_var_console_t:dir search;
>>-')
>>-allow udev_t var_lock_t:dir search;
>>-allow udev_t var_lock_t:file getattr;
>> domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
>> ifdef(`hide_broken_symptoms', `
>> dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
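Review bot: the rules removed here are read-only (dir search on pam_var_console_t and var_lock_t, file getattr on var_lock_t), so deleting them does not shrink udev's write authority; it only turns lookups udev may still perform into AVC denials at boot. Since the adjacent reply says they were only just added, the removal needs a stated reason, e.g. confirmation that udev no longer touches /var/lock or the pam console directory.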
>
>These were just added by Russell, I think.
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
>>--- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
>>@@ -8,6 +8,7 @@
>> fs_use_xattr ext3 system_u:object_r:fs_t;
>> fs_use_xattr xfs system_u:object_r:fs_t;
>> fs_use_xattr reiserfs system_u:object_r:fs_t;
>>+fs_use_xattr tmpfs system_u:object_r:fs_t;
>> 
>> # Use the allocating task SID to label inodes in the following filesystem
>> # types, and label the filesystem itself with the specified context.
>>@@ -23,7 +24,6 @@
>> # This is appropriate for pseudo filesystems like devpts and tmpfs
>> # where we want to label objects with a derived type.
>> fs_use_trans devpts system_u:object_r:devpts_t;
>>-fs_use_trans tmpfs system_u:object_r:tmpfs_t;
>> fs_use_trans shm system_u:object_r:tmpfs_t;
>> 
>> # The separate genfs_contexts configuration can be used for filesystem 
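Review bot: the context around the change contradicts it: the comment kept in the second hunk still lists tmpfs with devpts as a pseudo filesystem given a derived type, and "fs_use_trans shm system_u:object_r:tmpfs_t;" stays, so the kernel's internal shm mount would remain tmpfs_t while every mounted tmpfs switched to fs_t with xattr labeling. fs_use rules apply per filesystem type, not per mount point, so this cannot be limited to /dev; the /dev labeling has to be handled at mount time or in the type rules, not by changing the fs_use entry for tmpfs.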
>
>Definitely wrong.  tmpfs needs to stay fs_use_trans even with the xattr
>handlers, like devpts.
Other Email talks about this.

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
>>--- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
>>@@ -89,6 +89,14 @@
>> can_network($1_ssh_t)
>> can_ypbind($1_ssh_t)
>> 
>>+if (user_tcp_server) {
>>+# for sshing to a ssh tunnel
>>+can_tcp_connect($1_ssh_t, $1_ssh_t)
>>+
>>+# for other connections to a ssh tunnel
>>+can_tcp_connect($1_t, $1_ssh_t)
>>+}
>>+
>> # Use capabilities.
>> allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
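Review bot: "if (user_tcp_server) { ... }" needs a matching "bool user_tcp_server ...;" declaration, which is not in this hunk; if it is not declared elsewhere the policy will not build. A conditional block also cannot contain type or attribute declarations, so this is only valid while can_tcp_connect expands to av rules (or to nothing, as the reply below says it currently does).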
>
>Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
>the present policy; it was only applicable to the pre-2.6 SELinux with
>labeled network buffers.
>
Policy had this commented out with a comment saying to uncomment it if you
want to allow it.  So I added the boolean code.  Since it has no effect I
will leave it, for when the controls are added back ???

>
>>+# Connect to sshd.
>>+ifdef(`inetd.te', `
>>+ifdef(`run_ssh_inetd', `
>>+can_tcp_connect($1_ssh_t, inetd_t)
>>+', `
>>+can_tcp_connect($1_ssh_t, sshd_t)
>>+')', `
>>+can_tcp_connect($1_ssh_t, sshd_t)
>>+')
>>+
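Review bot: this fragment is quoted without its @@ header and without the diff line for the file, so its position in ssh_macros.te cannot be checked from the quote; please resend with the header. On content, if run_ssh_inetd is a boolean rather than an m4 tunable, ifdef(`run_ssh_inetd', ...) is never defined at build time and the inetd_t branch is dead code; it should be an "if (run_ssh_inetd) { ... } else { ... }" block inside the ifdef(`inetd.te') branch.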
>
>Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.
Changed to boolean

>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
>>--- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
>>+++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
>>@@ -17,7 +17,7 @@
>> ifdef(`single_userdomain', `
>> typealias $1_t alias $1_userhelper_t;
>> ', `
>>-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
>>+type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
>> 
>> in_user_role($1_userhelper_t)
>> role sysadm_r types $1_userhelper_t;
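Review bot: making privuser conditional on user_canbe_sysadm couples two unrelated things: that tunable (per tunables/tunable.tun, "Allow user_r to reach sysadm_r via su, sudo, or userhelper") is about role reachability, whereas privuser is needed for the identity switch userhelper always performs; with the tunable off, which the tunable.tun diff shows is the shipped default, userhelper would break for every user. If some conditional form is kept, note that this ifdef nests inside the else branch of ifdef(`single_userdomain', ...), so the quoting should be checked with m4 before commit.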
>
>No, this is a reversion (where are these diffs coming from?).  privuser
>is always needed by userhelper with the current code (always switches to
>"root").

Added back.  This is from Russell's Policy.

>>@@ -127,7 +130,9 @@
>> allow $1_xserver_t mtrr_device_t:file rw_file_perms;
>> allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
>> allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
>>+ifdef(`redhat', `
>> allow $1_xserver_t device_t:lnk_file { getattr read };
>>+')
>> allow $1_xserver_t devtty_t:chr_file rw_file_perms;
>> allow $1_xserver_t devtty_t:lnk_file read;
>> 
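Review bot: the diff header for this hunk is missing from the quote (the last header shown is userhelper_macros.te, but $1_xserver_t rules belong in an X server macro file), so the file cannot be identified; please include it. On content, reading a symlink under /dev needs lnk_file { getattr read } on device_t on any distribution that has such symlinks, so ifdef(`redhat') only hides the rule from others who need it; a read on a symlink is low risk and the rule should stay unconditional.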
>
>Wrapping such a trivial rule with a distro-specific ifdef is pointless,
>IMHO, and makes maintenance a pain.
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
>>--- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
>>+++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
>>@@ -147,6 +147,7 @@
>> 	@grep -v "^/root" $@.tmp > $@.root
>> 	@/usr/sbin/genhomedircon . $@.root  > $@
>> 	@grep "^/root" $@.tmp >> $@
>>+	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
>> 	@-rm $@.tmp $@.root
>> 
>> clean:
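Review bot: the recipe reads the build host's /proc, so the generated file_contexts describes the machine the policy was built on rather than the one it is installed on (the objection below); it also has two shell problems: when no /proc/ide/hd*/media exists the glob is left literal and grep -q prints a "No such file or directory" error (the "|| true" hides only the exit status), and awk -F / '{ print "/dev/"$$4 ...}' hard-codes the /proc/ide/hdX/media layout, so it covers IDE devices only. A fixed default entry for /dev/hdc, or the hardware context file Dan proposes below, belongs in a static file_contexts source, and if the loop is kept it needs a "[ -e $$i ] || continue" guard.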
>
>Requires that the policy be rebuilt on every machine, as it depends on
>local /proc information.

But it gives a default of /dev/hdc being removable, for initial
install.  I want to propose a new hardware context file
in another email that would help fix this.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest Patches
  2004-09-02 15:23           ` Daniel J Walsh
@ 2004-09-02 15:46             ` Stephen Smalley
  2004-09-02 15:53               ` Daniel J Walsh
  0 siblings, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 15:46 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, SELinux

On Thu, 2004-09-02 at 11:23, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> >You can't change fs_use in that manner; it will break the kernel's
> >internal usage of tmpfs for shared memory.  The situation is similar to
> >devpts; fs_use_trans will govern the initial setting of the inode
> >context, then programs can explicitly set and get the context.  
>
> We get a discretionary access control error "Permission Denied" message 
> on a restorecon /dev without making this change
> on bootup.  Everything seemed to be working ok.  Well, at least to the 
> point of booting the machine and logging in.

That doesn't make it correct.  You can't just change the existing
labeling behavior and superblock type for the tmpfs internal mount for
shmem.  As per prior discussions on this list with Luke, you want to:
- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
sent Arjan the necessary patch for that along with the xattr handler
based on the earlier patches by Luke)
- adjust the policy accordingly, including the necessary filesystem
associate permissions between device_type and device_t:filesystem.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Latest Patches
  2004-09-02 15:46             ` Stephen Smalley
@ 2004-09-02 15:53               ` Daniel J Walsh
  2004-09-02 16:48                 ` Stephen Smalley
  2004-09-02 19:48                 ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 30+ messages in thread
From: Daniel J Walsh @ 2004-09-02 15:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, SELinux

Stephen Smalley wrote:

>On Thu, 2004-09-02 at 11:23, Daniel J Walsh wrote:
>
>>Stephen Smalley wrote:
>>
>>>You can't change fs_use in that manner; it will break the kernel's
>>>internal usage of tmpfs for shared memory.  The situation is similar to
>>>devpts; fs_use_trans will govern the initial setting of the inode
>>>context, then programs can explicitly set and get the context.  
>>>
>>We get a discretionary access control error "Permission Denied" message 
>>on a restorecon /dev without making this change
>>on bootup.  Everything seemed to be working ok.  Well, at least to the 
>>point of booting the machine and logging in.
>
>That doesn't make it correct.  You can't just change the existing
>labeling behavior and superblock type for the tmpfs internal mount for
>shmem.  As per prior discussions on this list with Luke, you want to:
>- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
>sent Arjan the necessary patch for that along with the xattr handler
>based on the earlier patches by Luke)
We can't do that because the file system is mounted in the initrd before 
context is loaded.
We tried to do a remount with the correct context but that is not allowed.

>- adjust the policy accordingly, including the necessary filesystem
>associate permissions between device_type and device_t:filesystem.



* Re: Latest Patches
  2004-09-02 12:46       ` Latest Patches Daniel J Walsh
                           ` (2 preceding siblings ...)
  2004-09-02 13:27         ` Russell Coker
@ 2004-09-02 16:30         ` Joshua Brindle
  2004-09-02 16:40           ` Stephen Smalley
  2004-09-02 18:00           ` Daniel J Walsh
  3 siblings, 2 replies; 30+ messages in thread
From: Joshua Brindle @ 2004-09-02 16:30 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, russell, SELinux

Daniel J Walsh wrote:

> Include some stuff from Russell,
> Critical patch for tmpfs to get udev on tmpfs working
> 
> You sent me a note saying some patches conflict with other changes, 
> please point those out so I can remove them.
> 
> Dan
> 

Why are you submitting a patch to the list that turns on all these 
tunables? These should definitely not be turned on in the sample policy!

Joshua Brindle

> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.9/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.9/tunables/tunable.tun	2004-09-02 08:15:02.755586567 -0400
> @@ -5,50 +5,47 @@
>  dnl define(`user_net_control')
>  
>  # Allow users to execute the mount command
> -dnl define(`user_can_mount')
> +define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Support NFS home directories
> -dnl define(`nfs_home_dirs')
> +define(`nfs_home_dirs')
>  
>  # Allow users to run games
> -dnl define(`use_games')
> +define(`use_games')
>  
>  # Allow ypbind to run with NIS
> -dnl define(`allow_ypbind')
> +define(`allow_ypbind')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
>  # explicitly defined.
> -dnl define(`unlimitedRC')
> +define(`unlimitedRC')
>  
>  # Allow sysadm_t to directly start daemons
>  define(`direct_sysadm_daemon')
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow sysadm_t to do almost everything
>  dnl define(`unrestricted_admin')
>  
>  # Allow the read/write/create on any NFS file system
> -dnl define(`nfs_export_all_rw')
> -
> -# Allow users to unrestricted access
> -dnl define(`unlimitedUsers')
> +define(`nfs_export_all_rw')
>  
>  # Allow the reading on any NFS file system
>  dnl define(`nfs_export_all_ro')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.
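Review bot: besides turning tunables on, the hunk deletes the unlimitedUsers tunable and its comment outright rather than leaving them as dnl lines, which is a separate change and should be called out. Enabling unlimitedRPM, unlimitedUtils, unlimitedRC and nfs_export_all_rw together removes confinement from rpm, hotplug/insmod and every daemon started from an rc script without its own transition, and grants read/write/create on any NFS filesystem; these are deployment decisions for a distribution build and should travel in a distro-local patch, not alongside the policy fixes.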



* Re: Latest Patches
  2004-09-02 16:30         ` Joshua Brindle
@ 2004-09-02 16:40           ` Stephen Smalley
  2004-09-02 18:00           ` Daniel J Walsh
  1 sibling, 0 replies; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 16:40 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Daniel J Walsh, Jim Carter, Russell Coker, SELinux

On Thu, 2004-09-02 at 12:30, Joshua Brindle wrote:
> Why are you submitting a patch to the list that turns on all these 
> tunables? These should definitely not be turned on in the sample policy!

Not an issue; we always omit diffs to tunables from merging.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Latest Patches
  2004-09-02 15:53               ` Daniel J Walsh
@ 2004-09-02 16:48                 ` Stephen Smalley
  2004-09-02 16:57                   ` Stephen Smalley
  2004-09-02 19:48                 ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 16:48 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, SELinux

On Thu, 2004-09-02 at 11:53, Daniel J Walsh wrote:
> We can't do that because the file system is mounted in the initrd before 
> context is loaded.
> We tried to do a remount with the correct context but that is not allowed.

Pity.  Ok, then you have to make the policy work with tmpfs_t as the
initial type on /dev.  You _cannot_ change the fs_use rule for tmpfs; it
will break all users of shared anonymous mappings and System V shared
memory (leaves their inodes as unlabeled_t rather than computing them
based on type_transition rules).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Latest Patches
  2004-09-02 16:48                 ` Stephen Smalley
@ 2004-09-02 16:57                   ` Stephen Smalley
  0 siblings, 0 replies; 30+ messages in thread
From: Stephen Smalley @ 2004-09-02 16:57 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, SELinux

On Thu, 2004-09-02 at 12:48, Stephen Smalley wrote:
> On Thu, 2004-09-02 at 11:53, Daniel J Walsh wrote:
> > We can't do that because the file system is mounted in the initrd before 
> > context is loaded.
> > We tried to do a remount with the correct context but that is not allowed.
> 
> Pity.  Ok, then you have to make the policy work with tmpfs_t as the
> initial type on /dev.  You _cannot_ change the fs_use rule for tmpfs; it
> will break all users of shared anonymous mappings and System V shared
> memory (leaves their inodes as unlabeled_t rather than computing them
> based on type_transition rules).

Also requires allowing associate between device_type (and any other
types you want under /dev) and tmpfs_t:filesystem.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Latest Patches
  2004-09-02 13:10         ` Stephen Smalley
  2004-09-02 13:38           ` Russell Coker
  2004-09-02 15:38           ` Daniel J Walsh
@ 2004-09-02 17:15           ` Luke Kenneth Casson Leighton
  2004-09-02 18:56           ` James Carter
  3 siblings, 0 replies; 30+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-02 17:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Jim Carter, Russell Coker, SELinux

On Thu, Sep 02, 2004 at 09:10:07AM -0400, Stephen Smalley wrote:

> > @@ -127,7 +130,9 @@
> >  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
> >  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
> >  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> > +ifdef(`redhat', `
> >  allow $1_xserver_t device_t:lnk_file { getattr read };
> > +')
> >  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
> >  allow $1_xserver_t devtty_t:lnk_file read;
> >  
> 
> Wrapping such a trivial rule with a distro-specific ifdef is pointless,
> IMHO, and makes maintenance a pain.

 it's also, istrc, needed for debian.



* Re: Latest Patches
  2004-09-02 16:30         ` Joshua Brindle
  2004-09-02 16:40           ` Stephen Smalley
@ 2004-09-02 18:00           ` Daniel J Walsh
  1 sibling, 0 replies; 30+ messages in thread
From: Daniel J Walsh @ 2004-09-02 18:00 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: jwcart2, russell, SELinux

Joshua Brindle wrote:

> Daniel J Walsh wrote:
>
>> Include some stuff from Russell,
>> Critical patch for tmpfs to get udev on tmpfs working
>>
>> You sent me a note saying some patches conflict with other changes, 
>> please point those out so I can remove them.
>>
>> Dan
>>
>
> Why are you submitting a patch to the list that turns on all these 
> tunables? These should definitely not be turned on in the sample policy!
>
> Joshua Brindle
>
I am just submitting the patch that is currently being applied to the 
Fedora package.  The tunables were always ignored in the past.
I suppose I could edit them, but up to now it has not been a problem 
to ignore them.

Dan

>> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun 
>> policy-1.17.9/tunables/tunable.tun
>> --- nsapolicy/tunables/tunable.tun    2004-08-27 14:44:11.000000000 
>> -0400
>> +++ policy-1.17.9/tunables/tunable.tun    2004-09-02 
>> 08:15:02.755586567 -0400
>> @@ -5,50 +5,47 @@
>>  dnl define(`user_net_control')
>>  
>>  # Allow users to execute the mount command
>> -dnl define(`user_can_mount')
>> +define(`user_can_mount')
>>  
>>  # Allow rpm to run unconfined.
>> -dnl define(`unlimitedRPM')
>> +define(`unlimitedRPM')
>>  
>>  # Allow privileged utilities like hotplug and insmod to run unconfined.
>> -dnl define(`unlimitedUtils')
>> +define(`unlimitedUtils')
>>  
>>  # Support NFS home directories
>> -dnl define(`nfs_home_dirs')
>> +define(`nfs_home_dirs')
>>  
>>  # Allow users to run games
>> -dnl define(`use_games')
>> +define(`use_games')
>>  
>>  # Allow ypbind to run with NIS
>> -dnl define(`allow_ypbind')
>> +define(`allow_ypbind')
>>  
>>  # Allow rc scripts to run unconfined, including any daemon
>>  # started by an rc script that does not have a domain transition
>>  # explicitly defined.
>> -dnl define(`unlimitedRC')
>> +define(`unlimitedRC')
>>  
>>  # Allow sysadm_t to directly start daemons
>>  define(`direct_sysadm_daemon')
>>  
>>  # Do not audit things that we know to be broken but which
>>  # are not security risks
>> -dnl define(`hide_broken_symptoms')
>> +define(`hide_broken_symptoms')
>>  
>>  # Allow sysadm_t to do almost everything
>>  dnl define(`unrestricted_admin')
>>  
>>  # Allow the read/write/create on any NFS file system
>> -dnl define(`nfs_export_all_rw')
>> -
>> -# Allow users to unrestricted access
>> -dnl define(`unlimitedUsers')
>> +define(`nfs_export_all_rw')
>>  
>>  # Allow the reading on any NFS file system
>>  dnl define(`nfs_export_all_ro')
>>  
>>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>>  # Otherwise, only staff_r can do so.
>> -dnl define(`user_canbe_sysadm')
>> +define(`user_canbe_sysadm')
>>  
>>  # Allow xinetd to run unconfined, including any services it starts
>>  # that do not have a domain transition explicitly defined.
>
>



* Re: Latest Patches
  2004-09-02 13:10         ` Stephen Smalley
                             ` (2 preceding siblings ...)
  2004-09-02 17:15           ` Luke Kenneth Casson Leighton
@ 2004-09-02 18:56           ` James Carter
  3 siblings, 0 replies; 30+ messages in thread
From: James Carter @ 2004-09-02 18:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Russell Coker, SELinux, Joshua Brindle

Merged everything other than the hunks Steve mentions here, and, of
course, the tunables.

It doesn't matter to me if the tunables are there, they're ignored.

On Thu, 2004-09-02 at 09:10, Stephen Smalley wrote:
> On Thu, 2004-09-02 at 08:46, Daniel J Walsh wrote:
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.9/domains/program/initrc.te
> > --- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400
> > +++ policy-1.17.9/domains/program/initrc.te	2004-09-02 08:15:02.734588923 -0400
> > @@ -12,12 +12,14 @@
> >  # initrc_exec_t is the type of the init program.
> >  #
> >  # do not use privmail for sendmail as it creates a type transition conflict
> > -type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') sysctl_kernel_writer;
> >  ifdef(`sendmail.te', `
> > +# do not use privmail for sendmail as it creates a type transition conflict
> > +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
> >  allow system_mail_t initrc_t:fd use;
> >  allow system_mail_t initrc_t:fifo_file write;
> > +', `
> > +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, unrestricted, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
> >  ')
> > -
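Review bot: the two copies of the "type initrc_t, ..." declaration have already diverged ("privmem,auth_write" loses its separator space in the else branch), and the existing "# do not use privmail for sendmail" comment is kept above the ifdef while a second copy is added inside it; that drift is exactly what the single declaration with an embedded ifdef(`sendmail.te', `', `privmail,') avoided, so the merged form should be kept.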
> 
> This reverts a patch from Russell to merge the two initrc_t type
> declarations together (using an ifdef embedded in the attribute list for
> the sendmail issue) to ease maintenance.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.9/domains/program/unused/apache.te
> > --- nsapolicy/domains/program/unused/apache.te	2004-08-30 09:49:15.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/apache.te	2004-09-02 08:15:02.737588587 -0400
> > @@ -41,6 +41,7 @@
> >  append_logdir_domain(httpd)
> >  #can read /etc/httpd/logs
> >  allow httpd_t httpd_log_t:lnk_file { read };
> > +allow httpd_t httpd_log_t:dir { remove_name };
> >  
> >  # For /etc/init.d/apache2 reload
> >  can_tcp_connect(httpd_t, httpd_t)
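Review bot: remove_name on httpd_log_t:dir lets httpd_t unlink or rename entries in its own log directory, which weakens log integrity: a compromised web server could remove the records of its own activity. If a reload needs to replace one specific log file, grant that file operation instead; rotating or deleting logs should be done by the rotation tool in its own domain, not by httpd_t.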
> 
> As before, do you want apache removing log files?
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.9/domains/program/unused/cups.te
> > --- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/cups.te	2004-09-02 08:15:02.737588587 -0400
> > @@ -157,5 +157,6 @@
> >  allow cupsd_t ptal_var_run_t:dir { search };
> >  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
> >  
> > +allow cupsd_t printer_device_t:fifo_file rw_file_perms;
> >  dontaudit cupsd_t selinux_config_t:dir search;
> >  dontaudit cupsd_t selinux_config_t:file { getattr read };
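Review bot: the new rule is inserted between two unrelated dontaudit lines, and the surrounding context (ptal_t, ptal_var_run_t) suggests the fifo belongs to the ptal backend; if so, name the device node in the changelog and group the rule with the other printer_device_t rules, and if the fifo no longer exists (the question below) drop the rule rather than carry a dead permission.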
> 
> Does this fifo still exist?  Russell removed this rule earlier.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.9/domains/program/unused/named.te
> > --- nsapolicy/domains/program/unused/named.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/named.te	2004-09-02 08:15:02.739588362 -0400
> > @@ -113,7 +113,6 @@
> >  allow ndc_t self:unix_stream_socket create_stream_socket_perms;
> >  allow ndc_t self:unix_stream_socket connect;
> >  allow ndc_t self:capability { dac_override net_admin };
> > -allow ndc_t var_t:dir search;
> >  allow ndc_t var_run_t:dir search;
> >  allow ndc_t named_var_run_t:sock_file rw_file_perms;
> >  allow ndc_t named_t:unix_stream_socket connectto;
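Review bot: "allow ndc_t var_t:dir search;" cannot be removed while the next two context lines still rely on path lookup through /var ("allow ndc_t var_run_t:dir search;" and the named_var_run_t:sock_file rule), because resolving /var/run/... needs search on every directory component; with it gone, ndc's connect to the named control socket is denied at /var. Keep the rule, or if a macro elsewhere now grants it, say which.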
> 
> You can't reach /var/run if you can't search /var.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.17.9/domains/program/unused/rhgb.te
> > --- nsapolicy/domains/program/unused/rhgb.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/rhgb.te	2004-09-02 08:15:02.740588250 -0400
> > @@ -33,11 +33,6 @@
> >  allow insmod_t ramfs_t:file write;
> >  allow insmod_t rhgb_t:fd use;
> >  
> > -allow rhgb_t ramfs_t:filesystem { mount unmount };
> > -allow rhgb_t root_t:dir { mounton };
> > -allow rhgb_t rhgb_t:capability { sys_admin };
> > -dontaudit rhgb_t var_run_t:dir { search };
> > -
> >  can_network(rhgb_t)
> >  can_ypbind(rhgb_t)
> 
> Why is it safe to remove these rules?  Change in mkinitrd?  Does rhgb
> still work as expected with strict/enforcing?
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.9/domains/program/unused/udev.te
> > --- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
> > +++ policy-1.17.9/domains/program/unused/udev.te	2004-09-02 08:15:02.742588026 -0400
> > @@ -43,7 +43,8 @@
> >  allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
> >  	
> >  # to read the file_contexts file
> > -r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
> > +allow udev_t { selinux_config_t default_context_t }:dir search;
> > +allow udev_t file_context_t:file { getattr read };
> 
> To access the file_contexts file, udev must be able to read
> /etc/selinux/config (requires search to selinux_config_t:dir and read to
> selinux_config_t:file) and
> /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts (requires search
> to default_context_t:dir and file_context_t:dir and read to
> file_context_t:file).  Simpler to just express this using the single
> r_dir_file() line that is in our policy, even it is a bit more
> permissive than strictly necessary (your rules aren't sufficient).
> 
> > @@ -82,11 +83,6 @@
> >  ifdef(`consoletype.te', `
> >  can_exec(udev_t, consoletype_exec_t)
> >  ')
> > -ifdef(`pamconsole.te', `
> > -allow udev_t pam_var_console_t:dir search;
> > -')
> > -allow udev_t var_lock_t:dir search;
> > -allow udev_t var_lock_t:file getattr;
> >  domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
> >  ifdef(`hide_broken_symptoms', `
> >  dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
> 
> These were just added by Russell, I think.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.17.9/fs_use
> > --- nsapolicy/fs_use	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/fs_use	2004-09-02 08:15:02.743587913 -0400
> > @@ -8,6 +8,7 @@
> >  fs_use_xattr ext3 system_u:object_r:fs_t;
> >  fs_use_xattr xfs system_u:object_r:fs_t;
> >  fs_use_xattr reiserfs system_u:object_r:fs_t;
> > +fs_use_xattr tmpfs system_u:object_r:fs_t;
> >  
> >  # Use the allocating task SID to label inodes in the following filesystem
> >  # types, and label the filesystem itself with the specified context.
> > @@ -23,7 +24,6 @@
> >  # This is appropriate for pseudo filesystems like devpts and tmpfs
> >  # where we want to label objects with a derived type.
> >  fs_use_trans devpts system_u:object_r:devpts_t;
> > -fs_use_trans tmpfs system_u:object_r:tmpfs_t;
> >  fs_use_trans shm system_u:object_r:tmpfs_t;
> >  
> >  # The separate genfs_contexts configuration can be used for filesystem 
> 
> Definitely wrong.  tmpfs needs to stay fs_use_trans even with the xattr
> handlers, like devpts.
> 
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.17.9/macros/program/ssh_macros.te
> > --- nsapolicy/macros/program/ssh_macros.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/macros/program/ssh_macros.te	2004-09-02 08:22:53.013807132 -0400
> > @@ -89,6 +89,14 @@
> >  can_network($1_ssh_t)
> >  can_ypbind($1_ssh_t)
> >  
> > +if (user_tcp_server) {
> > +# for sshing to a ssh tunnel
> > +can_tcp_connect($1_ssh_t, $1_ssh_t)
> > +
> > +# for other connections to a ssh tunnel
> > +can_tcp_connect($1_t, $1_ssh_t)
> > +}
> > +
> >  # Use capabilities.
> >  allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
> 
> Where is this diff coming from?  can_tcp_connect expands to _nothing_ in
> the present policy; it was only applicable to the pre-2.6 SELinux with
> labeled network buffers.
> 
> > +# Connect to sshd.
> > +ifdef(`inetd.te', `
> > +ifdef(`run_ssh_inetd', `
> > +can_tcp_connect($1_ssh_t, inetd_t)
> > +', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')', `
> > +can_tcp_connect($1_ssh_t, sshd_t)
> > +')
> > +
> 
> Ditto, and run_ssh_inetd is no longer a tunable; it is a boolean.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.9/macros/program/userhelper_macros.te
> > --- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400
> > +++ policy-1.17.9/macros/program/userhelper_macros.te	2004-09-02 08:15:02.751587016 -0400
> > @@ -17,7 +17,7 @@
> >  ifdef(`single_userdomain', `
> >  typealias $1_t alias $1_userhelper_t;
> >  ', `
> > -type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser;
> > +type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd ifdef(`user_canbe_sysadm', `, privuser');
> >  
> >  in_user_role($1_userhelper_t)
> >  role sysadm_r types $1_userhelper_t;
> 
> No, this is a reversion (where are these diffs coming from?).  privuser
> is always needed by userhelper with the current code (always switches to
> "root").
> 
> > @@ -127,7 +130,9 @@
> >  allow $1_xserver_t mtrr_device_t:file rw_file_perms;
> >  allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
> >  allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
> > +ifdef(`redhat', `
> >  allow $1_xserver_t device_t:lnk_file { getattr read };
> > +')
> >  allow $1_xserver_t devtty_t:chr_file rw_file_perms;
> >  allow $1_xserver_t devtty_t:lnk_file read;
> >  
> 
> Wrapping such a trivial rule with a distro-specific ifdef is pointless,
> IMHO, and makes maintenance a pain.
> 
> > diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.17.9/Makefile
> > --- nsapolicy/Makefile	2004-09-02 08:03:26.130772258 -0400
> > +++ policy-1.17.9/Makefile	2004-09-02 08:15:02.754586679 -0400
> > @@ -147,6 +147,7 @@
> >  	@grep -v "^/root" $@.tmp > $@.root
> >  	@/usr/sbin/genhomedircon . $@.root  > $@
> >  	@grep "^/root" $@.tmp >> $@
> > +	@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done 
> >  	@-rm $@.tmp $@.root
> >  
> >  clean:
> 
> Requires that the policy be rebuilt on every machine, as it depends on
> local /proc information.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest Patches
  2004-09-02 19:48                 ` Luke Kenneth Casson Leighton
@ 2004-09-02 19:42                   ` Daniel J Walsh
  2004-09-02 20:23                     ` Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 30+ messages in thread
From: Daniel J Walsh @ 2004-09-02 19:42 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton
  Cc: Stephen Smalley, Jim Carter, Russell Coker, SELinux

Luke Kenneth Casson Leighton wrote:

>On Thu, Sep 02, 2004 at 11:53:36AM -0400, Daniel J Walsh wrote:
>
>>>That doesn't make it correct.  You can't just change the existing
>>>labeling behavior and superblock type for the tmpfs internal mount for
>>>shmem.  As per prior discussions on this list with Luke, you want to:
>>>- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
>>>sent Arjan the necessary patch for that along with the xattr handler
>>>based on the earlier patches by Luke)
>>>
>>We can't do that because the file system is mounted in the initrd before 
>>context is loaded
>>
>
> um.  why?  *curious*.
>
> i mean, why mount the /dev filesystem in the initrd ?
>
> and, also, why before running /sbin/init? [hope i'm right about that]
> 
> l.
>
I am guessing certain devices are required before /sbin/init is started.
Devices required to mount the / file system?

Dan



* Re: Latest Patches
  2004-09-02 15:53               ` Daniel J Walsh
  2004-09-02 16:48                 ` Stephen Smalley
@ 2004-09-02 19:48                 ` Luke Kenneth Casson Leighton
  2004-09-02 19:42                   ` Daniel J Walsh
  1 sibling, 1 reply; 30+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-02 19:48 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, Jim Carter, Russell Coker, SELinux

On Thu, Sep 02, 2004 at 11:53:36AM -0400, Daniel J Walsh wrote:

> >That doesn't make it correct.  You can't just change the existing
> >labeling behavior and superblock type for the tmpfs internal mount for
> >shmem.  As per prior discussions on this list with Luke, you want to:
> >- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
> >sent Arjan the necessary patch for that along with the xattr handler
> >based on the earlier patches by Luke)
> > 
> >
> We can't do that because the file system is mounted in the initrd before 
> context is loaded

 um.  why?  *curious*.

 i mean, why mount the /dev filesystem in the initrd ?

 and, also, why before running /sbin/init? [hope i'm right about that]
 
 l.




* Re: Latest Patches
  2004-09-02 19:42                   ` Daniel J Walsh
@ 2004-09-02 20:23                     ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 30+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-02 20:23 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, Jim Carter, Russell Coker, SELinux

On Thu, Sep 02, 2004 at 03:42:43PM -0400, Daniel J Walsh wrote:
> Luke Kenneth Casson Leighton wrote:
> 
> >On Thu, Sep 02, 2004 at 11:53:36AM -0400, Daniel J Walsh wrote:
> >
> >>>That doesn't make it correct.  You can't just change the existing
> >>>labeling behavior and superblock type for the tmpfs internal mount for
> >>>shmem.  As per prior discussions on this list with Luke, you want to:
> >>>- mount tmpfs on /dev with fscontext=system_u:object_r:device_t (James
> >>>sent Arjan the necessary patch for that along with the xattr handler
> >>>based on the earlier patches by Luke)
> >>>
> >>We can't do that because the file system is mounted in the initrd before 
> >>context is loaded
> >>
> >
> >um.  why?  *curious*.
> >
> >i mean, why mount the /dev filesystem in the initrd ?
> >
> >and, also, why before running /sbin/init? [hope i'm right about that]
> >
> >l.
> >
> I am guessing certain devices are required before /sbin/init is started.
> Devices required to mount the / file system?
 
 I'm sure Debian's initrd doesn't do that.

 I mean, it _does_ mount /dev, detects what the rootfs _is_, and
 then unmounts /dev.

 Yeah.  And it mounts and then unmounts /proc.

 The script linuxrc communicates where the real root device is
 by reading /proc/sys/kernel/real-root-dev.

 It's all quite hairy but it looks like Herbert's initrd init script
 mounts devfs twice - _and_ unmounts it twice:

mount_root() {
	mount -nt proc proc proc
	mount -nt ramfs ramfs dev2
	mount -nt devfs devfs devfs
	get_device
	mount_device
	umount -n devfs
	umount -n dev2
	umount -n proc
}


I must be missing something here.

Two people (myself and Mr lbsd) both have SELinux working under Debian
with zero modifications to initrd, a few modifications to udev.te and
init.te ...

?

l.




* Latest patches
@ 2004-12-22 18:17 Daniel J Walsh
  0 siblings, 0 replies; 30+ messages in thread
From: Daniel J Walsh @ 2004-12-22 18:17 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 395 bytes --]

Cleaned up initrc.te by moving ifdef(`XYZ.te', ... ) blocks to the XYZ file.

A few changes to add additional policies to targeted policy.

Added some dontaudit rules for reserved_port_type.

Added general_domain_type for squid.

Fixes for the new version of udev.

Fixes for winbind.

Added /emul for the ia32 platform.

Cleaned up file contexts to put definitions in the proper fc file to match
the te file definitions.

[-- Attachment #2: policy-20041221.patch --]
[-- Type: text/x-patch, Size: 37978 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.15/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/crond.te	2004-12-22 11:18:14.000000000 -0500
@@ -160,6 +160,7 @@
 # /sbin/runlevel needs lock access however
 dontaudit system_crond_t initrc_var_run_t:file write;
 allow system_crond_t initrc_var_run_t:file { getattr read lock };
+allow initrc_t system_cron_spool_t:file { getattr read };
 
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
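Review bot: the `+allow initrc_t system_cron_spool_t:file { getattr read };` line lands under a comment about system_crond_t needing lock access, and it loses both things it had in initrc.te: the `ifdef(`distro_redhat'` guard and the `# readahead asks for these` rationale. As written, init scripts on every distribution may now read the system crontabs. Either keep the distro guard around it here or add a comment naming the init script that needs it.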
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.15/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/initrc.te	2004-12-22 11:18:14.000000000 -0500
@@ -13,10 +13,6 @@
 #
 # do not use privmail for sendmail as it creates a type transition conflict
 type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
-ifdef(`sendmail.te', `
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-')
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
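Review bot: the cleanup is only partial: the `type initrc_t, ...` declaration just above the removed block still carries `ifdef(`sendmail.te', `', `privmail,')`, so initrc.te keeps a sendmail.te dependency after the fd/fifo rules move out. Also check that the relocated rules in sendmail.te stay conditional in the same sense: the old `ifdef(`sendmail.te'` meant "sendmail policy built", which holds after the move only if system_mail_t (used in mta.te elsewhere in this patch) is always declared whenever sendmail.te is.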
@@ -115,14 +111,6 @@
 # Communicate with the init process.
 allow initrc_t initctl_t:fifo_file rw_file_perms;
 
-# Send messages to portmap and ypbind.
-ifdef(`portmap.te', `
-can_udp_send(initrc_t, portmap_t)
-')
-ifdef(`ypbind.te', `
-can_udp_send(initrc_t, ypbind_t)
-')
-
 # Read /proc/PID directories for all domains.
 r_dir_file(initrc_t, domain)
 allow initrc_t domain:process { getattr getsession };
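Review bot: of the two can_udp_send rules removed here, only `can_udp_send(initrc_t, ypbind_t)` reappears later in this patch (in ypbind.te); `can_udp_send(initrc_t, portmap_t)` is not added in any of the portmap.te hunks below, so the ability of init scripts to send UDP to portmap is silently dropped. If that is intended, say so in the changelog; otherwise add the rule to portmap.te.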
@@ -137,15 +125,6 @@
 # Update /etc/ld.so.cache.
 allow initrc_t ld_so_cache_t:file rw_file_perms;
 
-ifdef(`xfs.te', `
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-')
-
 # Update /var/log/wtmp and /var/log/dmesg.
 allow initrc_t wtmp_t:file { setattr rw_file_perms };
 allow initrc_t var_log_t:dir rw_dir_perms;
@@ -222,38 +201,14 @@
 # readahead asks for these
 #
 allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t system_cron_spool_t:file { getattr read };
 allow initrc_t var_lib_nfs_t:file { getattr read };
 
 # for /halt /.autofsck and other flag files
 file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
 
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-')
 ')dnl end distro_redhat
 
-ifdef(`distro_gentoo', `
-ifdef(`arpwatch.te', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')
-')dnl end distro_gentoo
-
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-
-ifdef(`rhgb.te', `
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-')
-
-ifdef(`gpm.te', `
-allow initrc_t gpmctl_t:sock_file setattr;
-')
-
 allow initrc_t var_spool_t:file rw_file_perms;
 
 # Allow access to the sysadm TTYs. Note that this will give access to the 
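Review bot: two of the removed blocks sat inside `ifdef(`distro_redhat'` (the system_cron_spool_t rule and the rpm_var_lib_t rules, both above `')dnl end distro_redhat`), while their new homes in crond.te and rpm.te carry no distro guard; the arpwatch block, by contrast, keeps its `distro_gentoo` wrapper when it moves. Be consistent: either the distro conditionals mean something and should travel with the rules, or they are dropped deliberately and the changelog says so.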
@@ -263,20 +218,6 @@
 
 # Access sound device and files.
 allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-ifdef(`sound.te', `
-allow initrc_t sound_file_t:file { setattr write };
-')
-
-ifdef(`apmd.te',
-`# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-')
-
-ifdef(`lpd.te',
-`# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-')
 
 # Read user home directories.
 allow initrc_t { home_root_t home_type }:dir r_dir_perms;
@@ -299,7 +240,12 @@
 #
 # Rules for the run_init_t domain.
 #
+ifdef(`targeted_policy', `
+type run_init_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+', `
 run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
+')
 allow initrc_t privfd:fd use;
 
 # Transition to system_r:initrc_t upon executing init scripts.
@@ -323,10 +269,6 @@
 allow initrc_t device_type:chr_file setattr;
 allow initrc_t binfmt_misc_fs_t:dir { getattr search };
 allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-ifdef(`pam.te', `
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-')
 
 # for lsof in shutdown scripts
 can_kerberos(initrc_t)
@@ -351,9 +293,6 @@
 #
 allow initrc_t security_t:dir { getattr search };
 allow initrc_t security_t:file { getattr read };
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-')
 
 # init script state
 type initrc_state_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.15/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.19.15/domains/program/ldconfig.te	2004-12-22 11:18:14.000000000 -0500
@@ -24,6 +24,7 @@
 file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
 allow ldconfig_t lib_t:dir rw_dir_perms;
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
+allow ldconfig_t lib_t:file r_file_perms;
 
 allow ldconfig_t userdomain:fd use;
 # unlink for when /etc/ld.so.cache is mislabeled
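Review bot: `+allow ldconfig_t lib_t:file r_file_perms;` is read-only and reasonable (ldconfig opens each candidate in the library directories to read its ELF header before deciding whether to cache it), but it sits under the rw_dir_perms/create_lnk_perms rules with no comment. A short note on why plain lib_t files, not just shlib_t, must be readable will keep the next cleanup from removing it.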
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.19.15/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/unused/amanda.te	2004-12-22 11:18:14.000000000 -0500
@@ -241,8 +241,6 @@
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
-allow amanda_recover_t local_login_t:fd use;
-
 
 # amrecover network and process communication
 #############################################
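Review bot: the deletion of `allow amanda_recover_t local_login_t:fd use;` has no rationale in the changelog. If amrecover is started from a console login it inherits local_login_t descriptors, and without this rule (or a dontaudit in its place) the result is an fd-use denial rather than silence. State why the rule is no longer needed, or replace it with a dontaudit.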
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.15/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/apache.te	2004-12-22 11:18:14.000000000 -0500
@@ -156,6 +156,7 @@
 # Allow the httpd_t to read the web servers config files
 ###################################################
 r_dir_file(httpd_t, httpd_config_t)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
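Review bot: `+dontaudit httpd_sys_script_t httpd_config_t:dir search;` is filed under `# Allow the httpd_t to read the web servers config files`, which is about httpd_t, not the CGI domain. Move it next to the other httpd_sys_script_t rules and record which script triggered the search; a dontaudit is right only if the scripts do not actually need anything under the config directory, otherwise it hides a real denial.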
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.15/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.19.15/domains/program/unused/apmd.te	2004-12-22 11:18:14.000000000 -0500
@@ -131,3 +131,5 @@
 dontaudit apmd_t tmpfs_t:dir r_dir_perms;
 dontaudit apmd_t selinux_config_t:dir search;
 allow apmd_t user_tty_type:chr_file rw_file_perms;
+# Access /dev/apm_bios.
+allow initrc_t apm_bios_t:chr_file { setattr getattr read };
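Review bot: the relocated `+allow initrc_t apm_bios_t:chr_file { setattr getattr read };` is the only initrc_t rule in apmd.te and is appended after the apmd_t rules with no separator; keep the `# Access /dev/apm_bios.` comment but say it is for the init script (the setattr is presumably a chmod/chown of the device node at start-up). Functionally this matches the old `ifdef(`apmd.te'` guard, since unused/apmd.te is only built when enabled.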
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.15/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.19.15/domains/program/unused/arpwatch.te	2004-12-22 11:18:14.000000000 -0500
@@ -35,3 +35,8 @@
 allow arpwatch_t bin_t:dir search;
 ')
 
+ifdef(`distro_gentoo', `
+allow initrc_t arpwatch_data_t:dir { add_name write };
+allow initrc_t arpwatch_data_t:file create;
+')dnl end distro_gentoo
+
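Review bot: the relocated gentoo block grants initrc_t `{ add_name write }` on arpwatch_data_t dirs but only `create` on files, not write. That lets an init script create an empty file (touching the arp database on first start, for example) and nothing more; if that is what the Gentoo init script does, say so in a comment, otherwise a write denial follows the first time the file is populated. Also drop the extra blank line at the end of the file.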
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.15/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-12-03 14:42:06.000000000 -0500
+++ policy-1.19.15/domains/program/unused/bootloader.te	2004-12-22 11:18:14.000000000 -0500
@@ -29,7 +29,7 @@
 allow bootloader_t { initrc_t privfd }:fd use;
 
 tmp_domain(bootloader, `, device_type')
-allow bootloader_t bootloader_tmp_t:devfile_class_set create_file_perms;
+allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;
 
 read_locale(bootloader_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.15/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/cups.te	2004-12-22 11:18:14.000000000 -0500
@@ -33,10 +33,8 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
 
-ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
-')
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
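Review bot: removing the `ifdef(`usbmodules.te'` guard around `r_dir_file(cupsd_t, usbdevfs_t)` and `usbfs_t` is only safe if both types are declared in the core policy rather than in usbmodules.te; if they are declared there, this hunk breaks the build whenever usbmodules.te is not enabled. Confirm where the types live, and say so in a comment, before dropping the guard.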
@@ -166,6 +164,8 @@
 
 allow cupsd_t printconf_t:file { getattr read };
 
+dbusd_client(system, cupsd)
+
 ifdef(`hald.te', `
 
 # CUPS configuration daemon
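Review bot: `+dbusd_client(system, cupsd)` is now outside any `ifdef(`dbusd.te'` (the next hunk removes it from inside that guard). The macro references system_dbusd_t, which only exists when dbusd.te is built, so this is a likely compile failure for any build without dbusd.te; keep the call inside the dbusd.te guard, or make dbusd_client a no-op when the daemon policy is absent.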
@@ -201,7 +201,6 @@
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
 dbusd_client(system, cupsd_config)
 allow cupsd_config_t userdomain:dbus send_msg;
 allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
@@ -243,3 +242,8 @@
 # Alternatives asks for this
 allow cupsd_config_t initrc_exec_t:file getattr;
 ') dnl end if hald.te
+ifdef(`targeted_policy', `
+can_unix_connect(cupsd_t, unconfined_t)
+allow cupsd_t unconfined_t:dbus send_msg;
+')
+
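Review bot: the `targeted_policy` block lets cupsd_t connect to any unconfined_t unix socket and send D-Bus messages to unconfined_t. In targeted policy that is the only way to reach dbus-daemon, which is not separately confined there, but nothing in the hunk says so; add a comment stating that unconfined_t stands in for system_dbusd_t here so nobody later widens or removes it by accident. Also remove the trailing blank line.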
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.19.15/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.15/domains/program/unused/dbusd.te	2004-12-22 11:18:14.000000000 -0500
@@ -16,3 +16,5 @@
 
 # I expect we need more than this
 
+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+
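Review bot: `+allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };` is relocated verbatim, but acquire_svc lets init scripts claim a well-known bus name, which is more than sending a message; if only send is needed, drop acquire_svc, and in either case replace the `# I expect we need more than this` placeholder with a comment naming the init script that needs it. Drop the trailing blank line as well.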
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpm.te policy-1.19.15/domains/program/unused/gpm.te
--- nsapolicy/domains/program/unused/gpm.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.15/domains/program/unused/gpm.te	2004-12-22 11:18:14.000000000 -0500
@@ -40,3 +40,6 @@
 allow gpm_t device_t:lnk_file { getattr read };
 
 read_locale(gpm_t)
+
+allow initrc_t gpmctl_t:sock_file setattr;
+
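Review bot: `+allow initrc_t gpmctl_t:sock_file setattr;` arrives with no comment; note that it is for the init script changing the mode or owner of the gpmctl socket, so it is not mistaken for a gpm_t rule, and remove the trailing blank line.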
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.19.15/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.15/domains/program/unused/inetd.te	2004-12-22 11:18:14.000000000 -0500
@@ -18,7 +18,7 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
 
 can_network(inetd_t)
 allow inetd_t self:unix_dgram_socket create_socket_perms;
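Review bot: adding `unrestricted` to the `unlimitedInetd` attribute list mirrors the `unlimitedRC` list in initrc.te, which also carries it. Since this tunable already hands inetd admin, etc_writer, fs_domain, auth_write and privmem, widening it further should be called out wherever the unlimited* tunables are documented, so anyone enabling it for debugging knows it now disables the remaining restrictions too.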
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.15/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.15/domains/program/unused/innd.te	2004-12-22 11:18:14.000000000 -0500
@@ -76,6 +76,5 @@
 
 allow innd_t self:file { getattr read };
 dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
 allow innd_t bin_t:lnk_file { read };
 allow innd_t sbin_t:lnk_file { read };
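Review bot: `-allow system_crond_t innd_etc_t:file { getattr read };` is dropped with nothing replacing it. If the reason is that innd.te should not reference the cron domain, the rule belongs behind `ifdef(`crond.te'` (as this same patch does for system_crond_tmp_t in sendmail.te) or in crond.te, not deleted; as it stands, any inn cron job that reads the innd configuration will start getting denials.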
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.15/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/kerberos.te	2004-12-22 12:43:28.000000000 -0500
@@ -44,11 +44,10 @@
 can_tcp_connect(kerberos_admin_port_t, kadmind_t)
 
 # Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
-allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
+allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
 allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
 allow kadmind_t reserved_port_t:tcp_socket name_bind;
+dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
 
 #
 # Rules for Kerberos5 KDC daemon
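Review bot: swapping the order of the `allow kadmind_t reserved_port_t` and `dontaudit kadmind_t reserved_port_type` lines has no effect on the compiled policy (rule order does not matter), and the udp/tcp merge for krb5kdc_t is equivalent to the two lines it replaces; fine as a tidy-up, but a no-op reorder is better left out of a patch that also carries real changes.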
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.19.15/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2004-12-02 14:11:42.000000000 -0500
+++ policy-1.19.15/domains/program/unused/lpd.te	2004-12-22 11:18:14.000000000 -0500
@@ -154,3 +154,8 @@
 # checkpc needs similar permissions.
 allow checkpc_t printconf_t:file getattr;
 allow checkpc_t printconf_t:dir { getattr search read };
+
+# Read printconf files.
+allow initrc_t printconf_t:dir r_dir_perms;
+allow initrc_t printconf_t:file r_file_perms;
+
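Review bot: the moved `allow initrc_t printconf_t:dir r_dir_perms;` / `file r_file_perms` lines are fine, but the file now ends with an extra blank line; the same trailing blank line appears in several other relocated blocks in this patch (arpwatch.te, gpm.te, rhgb.te, xfs.te, ypbind.te, sendmail.te), so strip them all before resubmitting.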
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.15/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/mta.te	2004-12-22 11:18:14.000000000 -0500
@@ -76,3 +76,4 @@
 create_dir_file( system_mail_t, mqueue_spool_t)
 ')
 allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t urandom_device_t:chr_file read;
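Review bot: `+allow system_mail_t urandom_device_t:chr_file read;` grants read but not getattr; opening /dev/urandom through the C library usually fstat()s the descriptor as well, and the nscd.te hunk in this same patch grants `{ getattr read }` for the same device. Use the same permission set here, or expect a getattr denial to follow.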
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.15/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/nscd.te	2004-12-22 11:18:14.000000000 -0500
@@ -70,4 +70,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
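Review bot: extending the grant to random_device_t is harmless, but /dev/random can block while /dev/urandom does not; if nscd only ever opens urandom, keep the narrower rule and note in a comment which call needed /dev/random.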
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.19.15/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te	2004-09-10 11:01:02.000000000 -0400
+++ policy-1.19.15/domains/program/unused/pam.te	2004-12-22 11:18:14.000000000 -0500
@@ -34,3 +34,6 @@
 
 allow pam_t local_login_t:fd use;
 dontaudit pam_t self:capability sys_tty_config;
+
+allow initrc_t pam_var_run_t:dir rw_dir_perms;
+allow initrc_t pam_var_run_t:file { getattr read unlink };
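Review bot: the relocated initrc_t rules on pam_var_run_t (`rw_dir_perms` on dirs, `{ getattr read unlink }` on files) are appended after a pam_t dontaudit with no comment; note that they are for init scripts cleaning stale pam session state at boot, so the next reader does not assume pam_t should carry them.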
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.15/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/portmap.te	2004-12-22 12:39:16.000000000 -0500
@@ -23,7 +23,7 @@
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
+dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
@@ -55,8 +55,10 @@
 allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
 
 application_domain(portmap_helper)
+role system_r types portmap_helper_t;
 domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
+allow portmap_helper_t self:capability { net_bind_service };
 allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
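Review bot: `+role system_r types portmap_helper_t;` is a real fix: without it the `domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)` on the next line cannot take effect, because initrc_t runs in system_r and portmap_helper_t was not authorized for that role. The `net_bind_service` capability pairs with the reserved-port name_bind added in the last hunk of this file. Worth a changelog line, since it means portmap_helper could not previously be started from initrc.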
@@ -64,4 +66,5 @@
 dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
 allow portmap_helper_t etc_t:file { getattr read };
 dontaudit portmap_helper_t userdomain:fd use;
-allow portmap_helper_t reserved_port_t:udp_socket name_bind;
+allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.15/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/postgresql.te	2004-12-22 11:18:14.000000000 -0500
@@ -112,7 +112,7 @@
 dontaudit postgresql_t selinux_config_t:dir { search };
 allow postgresql_t mail_spool_t:dir { search };
 rw_dir_create_file(postgresql_t, var_lock_t)
-can_exec(postgresql_t, { shell_exec_t bin_t } )
+can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
 ifdef(`apache.te', `
 # 
 # Allow httpd to work with postgresql
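Review bot: adding `postgresql_exec_t` and `ls_exec_t` to can_exec(postgresql_t, ...) lets postmaster re-exec its own binaries without a domain transition and run ls; both are plausible on the start-up path, but confirm `ls_exec_t` is declared in this policy version and add a comment on which script runs ls, otherwise the reason for the grant is lost.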
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.15/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/rhgb.te	2004-12-22 11:18:14.000000000 -0500
@@ -93,3 +93,8 @@
 ')
 allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
 dontaudit rhgb_t default_t:file read;
+
+allow initrc_t ramfs_t:dir search;
+allow initrc_t ramfs_t:sock_file write;
+allow initrc_t rhgb_t:unix_stream_socket { read write };
+
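Review bot: the relocated rules give initrc_t search on ramfs_t dirs, write on ramfs_t sock_files and read/write on rhgb_t unix_stream_sockets, which is what init scripts need to report progress to the boot splash; add that as a comment, since the block arrives with none, and drop the trailing blank line.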
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.19.15/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.15/domains/program/unused/rpm.te	2004-12-22 11:18:14.000000000 -0500
@@ -244,6 +244,10 @@
 
 allow rpm_script_t domain:process { signal signull };
 
+# Access /var/lib/rpm.
+allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
+allow initrc_t rpm_var_lib_t:file create_file_perms;
+
 ifdef(`unlimitedRPM', `
 unconfined_domain(rpm_t)
 unconfined_domain(rpm_script_t)
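Review bot: `allow initrc_t rpm_var_lib_t:dir rw_dir_perms;` and `file create_file_perms` were inside `ifdef(`distro_redhat'` in initrc.te; here they are unconditional. Since unused/rpm.te is only built on rpm-based systems the practical effect is small, but the grant is broad (init scripts can create and rewrite files in the rpm database), so either keep the distro guard or replace the generic `# Access /var/lib/rpm.` comment with the name of the init script that actually needs write access.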
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.19.15/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/domains/program/unused/sendmail.te	2004-12-22 12:48:29.000000000 -0500
@@ -53,6 +53,8 @@
 # for the start script to run make -C /etc/mail
 allow initrc_t etc_mail_t:dir rw_dir_perms;
 allow initrc_t etc_mail_t:file create_file_perms;
+allow system_mail_t initrc_t:fd use;
+allow system_mail_t initrc_t:fifo_file write;
 
 # Write to /var/spool/mail and /var/spool/mqueue.
 allow sendmail_t var_spool_t:dir { getattr search };
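Review bot: the two `+allow system_mail_t initrc_t:...` lines land under `# for the start script to run make -C /etc/mail`, which describes the initrc_t rules above them, not these. Give them their own comment (init scripts pipe into sendmail, which inherits their descriptors) so the link to the old `ifdef(`sendmail.te'` block in initrc.te is not lost.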
@@ -97,9 +99,12 @@
 allow system_mail_t mqueue_spool_t:file create_file_perms;
 
 allow system_mail_t sysctl_kernel_t:file read;
+ifdef(`crond.te', `
 dontaudit system_mail_t system_crond_tmp_t:file append;
+')
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 allow sendmail_t initrc_var_run_t:file { getattr read };
 dontaudit sendmail_t initrc_var_run_t:file { lock write };
+
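Review bot: wrapping the system_crond_tmp_t dontaudit in `ifdef(`crond.te'` is a defensive guard (crond.te is under domains/program, not unused/, so it is always built in this tree), which is fine; but it is inconsistent with the innd.te hunk in the same patch, which deletes a system_crond_t rule instead of guarding it. Pick one approach. Also drop the blank line added at end of file.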
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound.te policy-1.19.15/domains/program/unused/sound.te
--- nsapolicy/domains/program/unused/sound.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.19.15/domains/program/unused/sound.te	2004-12-22 11:18:14.000000000 -0500
@@ -23,3 +23,4 @@
 # Read and write ttys.
 allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
 read_locale(sound_t)
+allow initrc_t sound_file_t:file { setattr write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.15/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/squid.te	2004-12-22 11:18:14.000000000 -0500
@@ -15,7 +15,7 @@
 
 daemon_domain(squid, `, web_client_domain, nscd_client_domain')
 type squid_conf_t, file_type, sysadmfile;
-
+general_domain_access(squid_t)
 allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
 allow squid_t squid_conf_t:dir r_dir_perms;
 allow squid_t squid_conf_t:lnk_file read;
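Review bot: the changelog says `general_domain_type` but the hunk adds `general_domain_access(squid_t)`; fix the description. More importantly, general_domain_access hands a domain a wide set of self: permissions in one go; if daemon_domain already covers what squid needs this is redundant, and if not, name the specific denial squid hit in a comment rather than reaching for the umbrella macro.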
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.19.15/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-12-01 16:51:43.000000000 -0500
+++ policy-1.19.15/domains/program/unused/udev.te	2004-12-22 11:18:14.000000000 -0500
@@ -24,8 +24,9 @@
 #
 # Rules used for udev
 #
-type udev_tbl_t, file_type, sysadmfile, dev_fs;
-file_type_auto_trans(udev_t, device_t, udev_tbl_t, file)
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
+file_type_auto_trans(udev_t, device_t, udev_tdb_t, { file dir })
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
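Review bot: renaming udev_tbl_t to udev_tdb_t with `typealias udev_tdb_t alias udev_tbl_t;` keeps already-labelled files valid, and extending file_type_auto_trans to `{ file dir }` covers the newer udev's database directory; make sure the matching file_contexts entry (udev.fc is not in this excerpt) labels that directory with the new name, and say in a comment what "tdb" refers to so the rename is not reverted as a typo.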
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.19.15/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2004-12-20 16:27:44.000000000 -0500
+++ policy-1.19.15/domains/program/unused/winbind.te	2004-12-22 11:18:14.000000000 -0500
@@ -21,13 +21,13 @@
 type samba_secrets_t, file_type, sysadmfile;
 ')
 rw_dir_file(winbind_t, samba_etc_t)
-rw_dir_file(winbind_t, samba_log_t)
+rw_dir_create_file(winbind_t, samba_log_t)
 allow winbind_t samba_secrets_t:file rw_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
 allow winbind_t urandom_device_t:chr_file { getattr read };
 allow winbind_t self:fifo_file { read write };
-rw_dir_file(winbind_t, samba_var_t)
+rw_dir_create_file(winbind_t, samba_var_t)
 allow winbind_t krb5_conf_t:file { getattr read };
 dontaudit winbind_t krb5_conf_t:file { write };
 allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
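Review bot: upgrading samba_log_t and samba_var_t from rw_dir_file to rw_dir_create_file lets winbindd create its own log and cache files instead of only writing existing ones, which matches the "Fixes for winbind" entry; note, though, that create_file_perms also carries unlink and rename, so winbind_t can now remove files in those directories too. If only create was needed, say so, otherwise this is fine.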
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.19.15/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/xfs.te	2004-12-22 11:18:14.000000000 -0500
@@ -40,3 +40,11 @@
 # Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
 allow xfs_t fonts_t:dir search;
 allow xfs_t fonts_t:file { getattr read };
+
+# Unlink the xfs socket.
+allow initrc_t xfs_tmp_t:dir rw_dir_perms;
+allow initrc_t xfs_tmp_t:dir rmdir;
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
+allow initrc_t fonts_t:dir create_dir_perms;
+allow initrc_t fonts_t:file create_file_perms;
+
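Review bot: the last two relocated lines, `allow initrc_t fonts_t:dir create_dir_perms;` and `allow initrc_t fonts_t:file create_file_perms;`, sit under `# Unlink the xfs socket.` but have nothing to do with the socket: they let init scripts create, rewrite and delete any file under the font directories. Give them their own comment naming the step that needs it (presumably a font cache rebuild from the xfs init script), and drop the trailing blank line.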
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.15/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.19.15/domains/program/unused/ypbind.te	2004-12-22 12:40:26.000000000 -0500
@@ -37,6 +37,7 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket name_bind;
-allow ypbind_t reserved_port_t:udp_socket name_bind;
-dontaudit ypbind_t reserved_port_type:udp_socket name_bind;
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_udp_send(initrc_t, ypbind_t)
+
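Review bot: `+can_udp_send(initrc_t, ypbind_t)` is the rule relocated from initrc.te and is correct here; the tcp/udp merge and the dontaudit widened to both socket classes are consistent with the portmap and kerberos hunks. Only the trailing blank line needs to go.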
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.15/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.19.15/file_contexts/distros.fc	2004-12-22 11:18:14.000000000 -0500
@@ -35,6 +35,33 @@
 /usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
 /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
 /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
+#
+# /emul/ia32-linux/usr
+#
+/emul(/.*)?				system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t
+# /emul/ia32-linux/lib
+/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
+# /emul/ia32-linux/bin
+/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t
+# /emul/ia32-linux/sbin
+/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t
+
+ifdef(`dbusd.te', `', `
+/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
+')
+
 ')
 
 ifdef(`distro_suse', `
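Review bot: the `ld-[^/]*\.so(\.[^/]*)*` entry under `/emul/ia32-linux/usr(/.*)?/lib(/.*)?` is missing the `--` file-type field that its sibling under `/emul/ia32-linux/lib(/.*)?` has, so it also matches directories and symlinks with loader-like names; add `--` for consistency. The `ifdef(`dbusd.te', `', ...)` block labels /var/run/dbus as `system_dbusd_var_run_t` only when dbusd.te is absent, so that type must be declared in every such build; this patch declares it only in targeted/domains/unconfined.te, which leaves a strict build without dbusd.te failing file_contexts validation unless the type is declared elsewhere.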
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.15/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.15/file_contexts/program/cups.fc	2004-12-22 11:18:14.000000000 -0500
@@ -29,9 +29,6 @@
 /var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
 /usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t
 /usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t
-/usr/bin/lpr\.cups	--	system_u:object_r:lpr_exec_t
-/usr/bin/lpq\.cups	--	system_u:object_r:lpr_exec_t
-/usr/bin/lprm\.cups	--	system_u:object_r:lpr_exec_t
 /usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t
 /usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
 /var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kerberos.fc policy-1.19.15/file_contexts/program/kerberos.fc
--- nsapolicy/file_contexts/program/kerberos.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.15/file_contexts/program/kerberos.fc	2004-12-22 11:18:14.000000000 -0500
@@ -9,4 +9,3 @@
 /var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t
 /var/log/kadmind\.log			system_u:object_r:kadmind_log_t
 /usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
-/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/login.fc policy-1.19.15/file_contexts/program/login.fc
--- nsapolicy/file_contexts/program/login.fc	2003-11-26 13:01:07.000000000 -0500
+++ policy-1.19.15/file_contexts/program/login.fc	2004-12-22 11:18:14.000000000 -0500
@@ -1,2 +1,3 @@
 # login
 /bin/login		--	system_u:object_r:login_exec_t
+/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lpr.fc policy-1.19.15/file_contexts/program/lpr.fc
--- nsapolicy/file_contexts/program/lpr.fc	2003-11-26 13:01:07.000000000 -0500
+++ policy-1.19.15/file_contexts/program/lpr.fc	2004-12-22 11:18:14.000000000 -0500
@@ -1,4 +1,4 @@
 # lp utilities.
-/usr/bin/lpr		--	system_u:object_r:lpr_exec_t
-/usr/bin/lpq		--	system_u:object_r:lpr_exec_t
-/usr/bin/lprm		--	system_u:object_r:lpr_exec_t
+/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t
+/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t
+/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.19.15/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/postgresql.fc	2004-12-22 11:18:14.000000000 -0500
@@ -4,6 +4,7 @@
 /usr/bin/pg_dump	--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_dumpall	--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_resetxlog	--	system_u:object_r:postgresql_exec_t
+/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t
 
 # not sure whether the following binaries need labelling
 /usr/bin/createlang	--	system_u:object_r:postgresql_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.19.15/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.15/file_contexts/program/udev.fc	2004-12-22 11:18:14.000000000 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
+/dev/\.udev\.tdb(/.*)?	system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
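Review bot: `/dev/\.udev\.tdb(/.*)?` now labels a directory tree with the new `udev_tdb_t` type and drops the `--` qualifier, but in this patch `udev_tdb_t` (with its `udev_tbl_t` alias) is declared only in targeted/domains/program/udev.te; make sure the shared domains/program/udev.te declares the same type and alias, otherwise the strict build references an undefined type from file_contexts.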
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.15/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-12-21 10:59:58.000000000 -0500
+++ policy-1.19.15/macros/global_macros.te	2004-12-22 12:56:43.883461279 -0500
@@ -233,8 +233,8 @@
 role system_r types $1_t;
 
 # Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
+allow $1_t { unconfined_t init_t }:fd use;
+allow $1_t { unconfined_t init_t }:process sigchld;
 allow $1_t self:process { signal_perms fork };
 
 uses_shlib($1_t)
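Review bot: `unconfined_t` is now referenced unconditionally from a global macro (`allow $1_t { unconfined_t init_t }:fd use;` and the matching `sigchld` rule); in this patch that type is declared only in targeted/domains/unconfined.te, so unless every build declares it the rules belong under `ifdef(`targeted_policy', ...)`. The addition follows from the unconfined.te hunk dropping `init_t` from the `unconfined_t` alias list, which is worth stating in the `# Inherit and use descriptors from init.` comment.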
@@ -242,7 +242,7 @@
 allow $1_t { self proc_t }:dir r_dir_perms;
 allow $1_t { self proc_t }:lnk_file read;
 
-allow $1_t device_t:dir { getattr search };
+r_dir_file($1_t, device_t)
 allow $1_t null_device_t:chr_file rw_file_perms;
 dontaudit $1_t console_device_t:chr_file rw_file_perms;
 dontaudit $1_t unpriv_userdomain:fd use;
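Review bot: replacing `allow $1_t device_t:dir { getattr search };` with `r_dir_file($1_t, device_t)` widens every domain built from this macro from merely traversing /dev to listing it and reading any plain file or symlink labelled `device_t`; if the intent is only to let daemons enumerate device nodes, say so in a comment and grant `r_dir_perms` on the directory alone rather than the file half of the macro.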
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.15/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	2004-11-24 14:44:37.000000000 -0500
+++ policy-1.19.15/macros/network_macros.te	2004-12-22 11:18:14.000000000 -0500
@@ -144,11 +144,13 @@
 can_network_tcp($1, `$2')
 can_network_udp($1, `$2')
 
+ifdef(`mount.te', `
 #
 # Allow the domain to send NFS client requests via the socket
 # created by mount.
 #
 allow $1 mount_t:udp_socket rw_socket_perms;
+')
 
 ')dnl end can_network definition
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.19.15/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.15/macros/program/dbusd_macros.te	2004-12-22 11:18:14.000000000 -0500
@@ -54,25 +54,25 @@
 #
 # Define a new derived domain for connecting to dbus_type
 # from domain_prefix_t. 
-define(`dbusd_client',`')
-ifdef(`dbusd.te',`
 undefine(`dbusd_client')
 define(`dbusd_client',`
 
+ifdef(`dbusd.te',`
 # Derived type used for connection
 type $2_dbusd_$1_t;
 type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
 
+# SE-DBus specific permissions
+allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+
 # For connecting to the bus
 allow $2_t $1_dbusd_t:unix_stream_socket connectto;
+
+') dnl endif dbusd.te
 ifelse(`system', `$1', `
 allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
 allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`
-') dnl endif system
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-') dnl endif dbusd.te
+',`') dnl endif system
 ')
 
 # can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
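Review bot: with `define(`dbusd_client',`')` and the outer `ifdef(`dbusd.te', ...)` removed, the `ifelse(`system', `$1', ...)` branch now emits its `var_run_t`/`system_dbusd_var_run_t` search and `sock_file write` rules in every build, including ones without dbusd.te; that only compiles if `system_dbusd_var_run_t` is declared everywhere (the patch adds it to targeted/domains/unconfined.te; the strict side needs an equivalent). The `undefine(`dbusd_client')` left on the first context line now has nothing to undefine unless the macro is defined earlier in the concatenated macros, so either drop it or keep the empty default define it used to pair with.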
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.19.15/targeted/assert.te
--- nsapolicy/targeted/assert.te	2004-11-30 16:05:23.000000000 -0500
+++ policy-1.19.15/targeted/assert.te	2004-12-22 11:18:14.000000000 -0500
@@ -22,10 +22,10 @@
 
 # Confined domains must never touch an unconfined domain except to
 # send SIGCHLD for child termination notifications.
-neverallow { domain - unconfined_t } unconfined_t:process ~sigchld;
+neverallow { domain -unconfined_t -unrestricted } unconfined_t:process ~sigchld;
 
 # Confined domains must never see unconfined domain's /proc/pid entries.
-neverallow { domain - unconfined_t } unconfined_t:dir { getattr search };
+neverallow { domain -unconfined_t -unrestricted } unconfined_t:dir { getattr search };
 
 #
 # Verify that every type that can be entered by
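Review bot: exempting the whole `unrestricted` attribute from both neverallow assertions (`{ domain -unconfined_t -unrestricted }`) means any domain given that attribute may signal `unconfined_t` and read its /proc entries without the build catching it; the comment above still says confined domains must never do this, so either explain the attribute's purpose there or restrict the exemption to the specific domains that need it.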
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/initrc.te policy-1.19.15/targeted/domains/program/initrc.te
--- nsapolicy/targeted/domains/program/initrc.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.15/targeted/domains/program/initrc.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,16 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_exec_t is the type of the rc.sysinit and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.  
-#
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-typealias var_run_t alias initrc_var_run_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/init.te policy-1.19.15/targeted/domains/program/init.te
--- nsapolicy/targeted/domains/program/init.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/init.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,18 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created 
-# by init during initialization.  This pipe is used
-# to communicate with init.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.  /sbin/init will get this policy.
-#
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
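Review bot: deleting targeted/domains/program/init.te and initrc.te, together with dropping `init_t` and `initrc_t` from the `unconfined_t` alias list in unconfined.te, turns init and the rc scripts into real, separately labelled domains under the targeted policy; the types these files declared (`init_exec_t`, `initctl_t`, `initrc_exec_t`, `run_init_exec_t`, the `initrc_var_run_t` alias) must now come from the shared domains/program versions, and the cover text should call out the behavioural change since this is not a pure cleanup.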
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.19.15/targeted/domains/program/udev.te
--- nsapolicy/targeted/domains/program/udev.te	2004-09-20 15:41:01.000000000 -0400
+++ policy-1.19.15/targeted/domains/program/udev.te	2004-12-22 11:18:14.000000000 -0500
@@ -13,4 +13,5 @@
 #
 type udev_exec_t, file_type, sysadmfile, exec_type;
 type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-type udev_tbl_t, file_type, sysadmfile, dev_fs;
+type udev_tdb_t, file_type, sysadmfile, dev_fs;
+typealias udev_tdb_t alias udev_tbl_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.15/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-11-20 22:29:10.000000000 -0500
+++ policy-1.19.15/targeted/domains/unconfined.te	2004-12-22 11:18:14.000000000 -0500
@@ -13,11 +13,12 @@
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
-typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
-type mount_t, domain;
-type initrc_devpts_t, ptyfile;
+typealias unconfined_t alias { kernel_t sysadm_t rpm_t rpm_script_t logrotate_t };
 define(`admin_tty_type', `{ tty_device_t devpts_t }')
 
+#type of rundir to communicate with dbus
+type system_dbusd_var_run_t, file_type, sysadmfile;
+
 # User home directory type.
 type user_home_t, file_type, sysadmfile;
 type user_home_dir_t, file_type, sysadmfile;
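Review bot: this hunk drops the `type mount_t, domain;` and `type initrc_devpts_t, ptyfile;` declarations while the network_macros change guards its `mount_t` rule with `ifdef(`mount.te', ...)`; any other targeted rule that names `mount_t` or `initrc_devpts_t` needs the same guard or the build breaks. The comment on the new declaration should follow the file's style: `# Type of the run directory used to communicate with dbus`.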
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.15/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.15/tunables/distro.tun	2004-12-22 11:18:14.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
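Review bot: enabling `define(`distro_redhat')` flips the upstream default for every builder to the Red Hat ifdefs; this reads as a local build setting rather than a change for the shared tree, so it should stay `dnl`-commented upstream and be set by the distribution's own build.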
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.15/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-12-11 06:31:22.000000000 -0500
+++ policy-1.19.15/tunables/tunable.tun	2004-12-22 11:18:14.000000000 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
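Review bot: besides switching `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm` on, which lets rpm, hotplug/insmod and every daemon started from an rc script without its own transition run unconfined, the hunk deletes the `user_can_mount` stanza outright instead of leaving it `dnl`-commented, removing the documented option rather than merely disabling it. As with distro.tun these look like distribution defaults that should not become the upstream defaults; keep the lines commented and restore the `user_can_mount` stanza.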


* Latest patches
@ 2005-03-12  2:29 Daniel J Walsh
  2005-03-14 20:18 ` James Carter
  2005-03-15 13:25 ` Stephen Smalley
  0 siblings, 2 replies; 30+ messages in thread
From: Daniel J Walsh @ 2005-03-12  2:29 UTC (permalink / raw)
  To: Jim Carter, SELinux

[-- Attachment #1: Type: text/plain, Size: 239 bytes --]

Fixes to Makefile to better handle local.users

Ivan's giFT policy

Fixes to expand targeted policy.  (Adding dhcpc, ifconfig, hostname, 
consoletype)

Fixes to fs_daemon

Added a bunch of dontaudit of net_admin for many policies.


-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 14523 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.1/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.1/domains/program/ifconfig.te	2005-03-11 21:18:59.923282416 -0500
@@ -65,3 +65,4 @@
 
 rhgb_domain(ifconfig_t)
 allow ifconfig_t userdomain:fd use;
+dontaudit ifconfig_t root_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.1/domains/program/initrc.te	2005-03-11 21:18:59.923282416 -0500
@@ -244,6 +244,7 @@
 #
 ifdef(`targeted_policy', `
 type run_init_exec_t, file_type, sysadmfile, exec_type;
+type run_init_t, domain;
 domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
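Review bot: `type run_init_t, domain;` is added under `ifdef(`targeted_policy', ...)` with no rules, role assignment or comment; if it exists only so that strict-policy macros referencing `run_init_t` compile under targeted, say so in a comment next to the sibling `run_init_exec_t` declaration.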
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.1/domains/program/login.te	2005-03-11 21:18:59.924282264 -0500
@@ -187,6 +187,7 @@
 
 # Allow setting of attributes on power management devices.
 allow local_login_t power_device_t:chr_file { getattr setattr };
+dontaudit local_login_t init_t:fd use;
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.1/domains/program/unused/apache.te	2005-03-11 21:18:59.925282112 -0500
@@ -157,6 +157,7 @@
 # Allow the httpd_t the capability to bind to a port and various other stuff
 ############################################################################
 allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+dontaudit httpd_t self:capability net_admin;
 
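Review bot: `dontaudit httpd_t self:capability net_admin;` silences the denial without recording why httpd asks for CAP_NET_ADMIN (typically a socket option the daemon can live without); add that reason as a comment so the dontaudit is not mistaken for a grant, and do the same for the identical rpcd and ypbind additions in this patch.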
 #################################################
 # Allow the httpd_t to read the web servers config files
@@ -206,7 +207,7 @@
 # need ioctl for php
 ###############################################
 allow httpd_t etc_t:file { read getattr ioctl };
-allow httpd_t etc_t:lnk_file read;
+allow httpd_t etc_t:lnk_file { getattr read };
 
 # Run SSI execs in system CGI script domain.
 if (httpd_ssi_exec) {
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.1/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.1/domains/program/unused/consoletype.te	2005-03-11 21:18:59.925282112 -0500
@@ -8,7 +8,7 @@
 #
 # Rules for the consoletype_t domain.
 #
-# consoletype_t is the domain for the ifconfig program.
+# consoletype_t is the domain for the consoletype program.
 # consoletype_exec_t is the type of the corresponding program.
 #
 type consoletype_t, domain;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fs_daemon.te policy-1.23.1/domains/program/unused/fs_daemon.te
--- nsapolicy/domains/program/unused/fs_daemon.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.1/domains/program/unused/fs_daemon.te	2005-03-11 21:18:59.925282112 -0500
@@ -3,13 +3,24 @@
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: smartmontools
 
-daemon_domain(fsdaemon, `, fs_domain')
+daemon_domain(fsdaemon, `, fs_domain, privmail')
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
+allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
 
 # for config
 allow fsdaemon_t etc_t:file { getattr read };
 
 allow fsdaemon_t device_t:dir read;
 allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
-allow fsdaemon_t self:capability { sys_rawio sys_admin };
+allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
 allow fsdaemon_t etc_runtime_t:file { getattr read };
+
+can_exec_any(fsdaemon_t)
+allow fsdaemon_t self:fifo_file rw_file_perms;
+can_network_udp(fsdaemon_t)
+tmp_domain(fsdaemon)
+allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
+
+dontaudit fsdaemon_t devpts_t:dir search;
+allow fsdaemon_t proc_t:file { getattr read };
+dontaudit system_mail_t fixed_disk_device_t:blk_file read;
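Review bot: `can_exec_any(fsdaemon_t)` lets smartd execute every executable type in the policy, far more than the mail-sending helper implied by `privmail` and the `system_mail_t` rules; prefer `can_exec` on the specific types the notification path runs. The new `dontaudit system_mail_t fixed_disk_device_t:blk_file read;` papers over a raw-disk descriptor leaking from fsdaemon into the mailer; closing it (or marking it close-on-exec) before the exec is the real fix, and the dontaudit deserves a comment saying it hides a leak rather than a needed access.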
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gift.te policy-1.23.1/domains/program/unused/gift.te
--- nsapolicy/domains/program/unused/gift.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.1/domains/program/unused/gift.te	2005-03-11 21:18:59.926281960 -0500
@@ -0,0 +1,9 @@
+# DESC - giFT file sharing tool
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+
+type gift_exec_t, file_type, exec_type, sysadmfile;
+type giftd_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/gift_macros.te
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.23.1/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.1/domains/program/unused/pam.te	2005-03-11 21:18:59.926281960 -0500
@@ -37,3 +37,4 @@
 
 allow initrc_t pam_var_run_t:dir rw_dir_perms;
 allow initrc_t pam_var_run_t:file { getattr read unlink };
+dontaudit pam_t initrc_var_run_t:file { read write };
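Review bot: `dontaudit pam_t initrc_var_run_t:file { read write };` hides write attempts by `pam_t` on the rc scripts' /var/run files; if this is a descriptor inherited from initrc rather than a real access, say so in a comment, since a silenced `write` otherwise looks like a permission the domain is expected to need.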
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.1/domains/program/unused/rpcd.te	2005-03-11 21:18:59.926281960 -0500
@@ -17,6 +17,7 @@
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
+dontaudit $1_t self:capability net_admin;
 
 allow $1_t var_t:dir { getattr search };
 allow $1_t var_lib_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.23.1/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.1/domains/program/unused/ypbind.te	2005-03-11 21:18:59.927281808 -0500
@@ -16,6 +16,7 @@
 
 # Use capabilities.
 allow ypbind_t self:capability { net_bind_service };
+dontaudit ypbind_t self:capability net_admin;
 
 # Use the network.
 can_network(ypbind_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dbusd.fc policy-1.23.1/file_contexts/program/dbusd.fc
--- nsapolicy/file_contexts/program/dbusd.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.1/file_contexts/program/dbusd.fc	2005-03-11 21:18:59.927281808 -0500
@@ -1,3 +1,3 @@
-/usr/bin/dbus-daemon-1	--	system_u:object_r:system_dbusd_exec_t
+/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t
 /etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
 /var/run/dbus(/.*)?		system_u:object_r:system_dbusd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gift.fc policy-1.23.1/file_contexts/program/gift.fc
--- nsapolicy/file_contexts/program/gift.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.1/file_contexts/program/gift.fc	2005-03-11 21:18:59.927281808 -0500
@@ -0,0 +1,5 @@
+/usr/(local/)?bin/giftd	--	system_u:object_r:giftd_exec_t
+/usr/(local/)?bin/giftui	-- 	system_u:object_r:gift_exec_t
+/usr/(local/)?bin/giFToxic	--	system_u:object_r:gift_exec_t
+/usr/(local/)?bin/apollon	-- 	system_u:object_r:gift_exec_t
+HOME_DIR/\.giFT(/.*)?		system_u:object_r:ROLE_gift_home_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.1/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.1/macros/program/gift_macros.te	2005-03-11 21:18:59.928281656 -0500
@@ -0,0 +1,113 @@
+#
+# Macros for giFT
+#
+# Author: Ivan Gyurdiev <ivg2@cornell.edu>
+#
+# gift_domains(domain_prefix)
+# declares a domain for giftui and giftd
+
+#########################
+#  gift_domain(user)    #
+#########################
+
+define(`gift_domain', `
+
+# Connect to X
+x_client_domain($1, gift, `')	
+
+# Transition
+domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
+can_exec($1_gift_t, gift_exec_t)
+role $1_r types $1_gift_t;
+
+# Self permissions
+allow $1_gift_t self:process getsched;
+
+# Home files
+home_domain($1, gift)
+
+# Fonts, icons
+r_dir_file($1_gift_t, usr_t)
+r_dir_file($1_gift_t, fonts_t)
+
+# Launch gift daemon
+allow $1_gift_t self:process fork;
+domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
+
+# Connect to gift daemon
+can_network($1_gift_t)
+
+# Read /proc/meminfo
+allow $1_gift_t proc_t:dir search;
+allow $1_gift_t proc_t:file { getattr read };
+
+# Tmp/ORBit
+tmp_domain($1_gift)
+file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
+can_unix_connect($1_t, $1_gift_t)
+can_unix_connect($1_gift_t, $1_t)
+allow $1_t $1_gift_tmp_t:sock_file write;
+allow $1_gift_t $1_tmp_t:file { getattr read write lock };
+allow $1_gift_t $1_tmp_t:sock_file { read write };
+dontaudit $1_gift_t $1_tmp_t:dir setattr;
+
+# Access random device
+allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };
+
+# giftui looks in .icons, .themes, .fonts-cache.
+dontaudit $1_gift_t $1_home_t:dir { getattr read search };
+dontaudit $1_gift_t $1_home_t:file { getattr read };
+
+') dnl gift_domain
+
+##########################
+#  giftd_domain(user)    #
+##########################
+
+define(`giftd_domain', `
+
+type $1_giftd_t, domain;
+
+# Transition from user type
+domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
+role $1_r types $1_giftd_t;
+
+# Self permissions, allow fork
+allow $1_giftd_t self:process { fork signal sigchld setsched };
+allow $1_giftd_t self:unix_stream_socket create_socket_perms;
+
+read_sysctl($1_giftd_t)
+read_locale($1_giftd_t)
+uses_shlib($1_giftd_t)
+
+# Access home domain
+home_domain_access($1_giftd_t, $1, gift)
+	
+# Allow networking
+allow $1_giftd_t port_t:tcp_socket name_bind;
+allow $1_giftd_t port_t:udp_socket name_bind;
+can_network_server($1_giftd_t)
+can_network_client($1_giftd_t)
+
+# FIXME: ???
+dontaudit $1_giftd_t self:udp_socket listen;
+
+# Plugins
+r_dir_file($1_giftd_t, usr_t)
+
+# Connect to xdm
+ifdef(`xdm.te', `
+allow $1_giftd_t xdm_t:fd use;
+allow $1_giftd_t xdm_t:fifo_file write;
+') 
+
+') dnl giftd_domain
+
+##########################
+#  gift_domains(user)    #
+##########################
+
+define(`gift_domains', `
+gift_domain($1)
+giftd_domain($1)
+') dnl gift_domains
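Review bot: `can_network($1_gift_t)` under `# Connect to gift daemon` gives the UI unrestricted TCP and UDP access in order to reach a daemon on the same host; `can_network_client`, already used for `$1_giftd_t` below, matches the stated purpose better. The `# FIXME: ???` above `dontaudit $1_giftd_t self:udp_socket listen;` can be resolved: `listen()` on a datagram socket fails with EOPNOTSUPP regardless of policy, so the denial is harmless noise and the dontaudit is the right rule; replace the FIXME with that explanation. There is trailing whitespace after `x_client_domain($1, gift, `')`, after `home_domain_access($1_giftd_t, $1, gift)` and after the `')` closing the xdm block.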
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.1/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.1/macros/program/mplayer_macros.te	2005-03-11 21:18:59.928281656 -0500
@@ -85,6 +85,11 @@
 # Read home directory content
 r_dir_file($1_mplayer_t, $1_home_t);
 
+# Legacy domain issues
+if (allow_mplayer_execstack) {
+allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
+}
+
 ') dnl end mplayer_domain
 
 ############################
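Review bot: the conditional `if (allow_mplayer_execstack) { allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute; }` is commented only as `# Legacy domain issues`; state what it enables (executing code from the domain's own tmpfs files, the usual workaround for players with executable-stack or JIT code) so the risk behind the boolean is visible, and confirm `bool allow_mplayer_execstack` is declared, since the declaration is not part of this hunk.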
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.1/Makefile
--- nsapolicy/Makefile	2005-03-11 15:31:05.000000000 -0500
+++ policy-1.23.1/Makefile	2005-03-11 21:22:06.839866776 -0500
@@ -77,12 +77,12 @@
 
 all:  policy
 
-tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
+tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
 	@touch tmp/valid_fc
 
-install: tmp/valid_fc
+install: tmp/valid_fc $(USERPATH)/local.users
 
 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
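Review bot: moving `$(USERPATH)/local.users` from the `tmp/valid_fc` prerequisites to `install` means `make reload` no longer touches the admin-editable file, but the replacement `tmp/valid_fc:` line leaves trailing whitespace after `$(FCPATH)`; also, `system.users` is dropped here and reattached to `$(FCPATH)` in the third hunk without a comment explaining the new ordering.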
@@ -96,7 +96,7 @@
 
 $(USERPATH)/local.users: local.users
 	@mkdir -p $(USERPATH)
-	install -m 644 $< $@
+	install -C -b -m 644 $< $@
 
 $(CONTEXTPATH)/files/media: appconfig/media
 	mkdir -p $(CONTEXTPATH)/files/
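Review bot: `install -C -b -m 644 $< $@` relies on `install` supporting `-C` (skip when unchanged) and `-b` (keep a backup); `-b` still replaces an edited local.users with the shipped copy and leaves the admin's version behind as a backup file, so either document that behaviour or guard the copy with a test for an existing file.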
@@ -207,7 +207,8 @@
 file_contexts/misc:
 	mkdir -p file_contexts/misc
 
-$(FCPATH): $(FC) 
+
+$(FCPATH): $(FC) $(USERPATH)/system.users 
 	@mkdir -p $(CONTEXTPATH)/files
 	install -m 644 $(FC) $(FCPATH)
 	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
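Review bot: `$(FCPATH): $(FC) $(USERPATH)/system.users` makes the installed file_contexts depend on system.users without a comment on why the users file must be installed first (the ordering question raised later in the thread), and the hunk also adds a stray blank line before the rule and trailing whitespace after `system.users`. Add the reason as a comment or, if it is only an ordering dependency, make it an order-only prerequisite.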
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.23.1/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.1/targeted/domains/program/xdm.te	2005-03-11 21:18:59.929281504 -0500
@@ -18,4 +18,5 @@
 type xdm_rw_etc_t, file_type, sysadmfile;
 type xdm_var_run_t, file_type, sysadmfile;
 type xdm_var_lib_t, file_type, sysadmfile;
+type xdm_tmp_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.1/tunables/distro.tun	2005-03-11 21:18:59.929281504 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.1/tunables/tunable.tun	2005-03-11 21:18:59.930281352 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
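Review bot: this version additionally enables `user_can_mount`, so unprivileged user domains may run mount; together with the other five tunables switched on here the shipped defaults become the distribution's targeted-style settings rather than the upstream strict defaults, which is better kept as a distribution-side edit with the upstream copy left `dnl`-commented.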


* Re: Latest patches
  2005-03-12  2:29 Latest patches Daniel J Walsh
@ 2005-03-14 20:18 ` James Carter
  2005-03-15 13:25 ` Stephen Smalley
  1 sibling, 0 replies; 30+ messages in thread
From: James Carter @ 2005-03-14 20:18 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged.

Also:
- Made sysadm_r the first role for root, so root's home will be labeled
as sysadm_home_dir_t instead of staff_home_dir_t.
- Modified fs_use and Makefile to reflect jfs now supporting security
xattrs.
- Added an ifdef to nrpe.fc to prevent duplicate nagios and netsaint
rules.

On Fri, 2005-03-11 at 21:29 -0500, Daniel J Walsh wrote:
> Fixes to Makefile to better handle local.users
> 
> Ivan's giFT policy
> 
> Fixes to expand targeted policy.  (Adding dhcpc, ifconfig, hostname, 
> consoletype)
> 
> Fixes to fs_daemon
> 
> Added a bunch of dontaudit of net_admin for many policies.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest patches
  2005-03-12  2:29 Latest patches Daniel J Walsh
  2005-03-14 20:18 ` James Carter
@ 2005-03-15 13:25 ` Stephen Smalley
  2005-03-15 14:00   ` Daniel J Walsh
  1 sibling, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2005-03-15 13:25 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, SELinux

On Fri, 2005-03-11 at 21:29 -0500, Daniel J Walsh wrote:
> Fixes to Makefile to better handle local.users

Why is system.users a dependency of $(FCPATH) while local.users is a
dependency of install?

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

* Re: Latest patches
  2005-03-15 13:25 ` Stephen Smalley
@ 2005-03-15 14:00   ` Daniel J Walsh
  0 siblings, 0 replies; 30+ messages in thread
From: Daniel J Walsh @ 2005-03-15 14:00 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, SELinux

Stephen Smalley wrote:

> On Fri, 2005-03-11 at 21:29 -0500, Daniel J Walsh wrote:
>
>> Fixes to Makefile to better handle local.users
>
> Why is system.users a dependency of $(FCPATH) while local.users is a
> dependency of install?

We don't want to replace local.users on a make reload, since it is admin 
customizable.

-- 

* Latest patches.
@ 2006-04-14 12:08 Daniel J Walsh
  2006-04-14 12:20 ` Russell Coker
  2006-04-17 17:56 ` Christopher J. PeBenito
  0 siblings, 2 replies; 30+ messages in thread
From: Daniel J Walsh @ 2006-04-14 12:08 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux, Russell Coker

[-- Attachment #1: Type: text/plain, Size: 819 bytes --]

This is a combination of a patch from Russell and me.

Comments added to explain MCS constraint decisions

Fixes for amanda to run as tcp

bootloader needs to read SystemHigh

make system-install-packages run as rpm

Changes to make the stem compression algorithm work better.  Also some 
changes to file_context to fix sort problems.  Mainly make sure 
textrel_shlib_t always comes after the shlib_t definition.

Allow usermanage to create staff user accounts

define java as an entry_point

allow mono and unconfined_t to dbus_chat with programs running as 
initrc_t/network_manager

Fixes to allow xen to work.

mailman interaction with postfix

Fix nfs booleans to actually work

fix samba to be able to create directories in users' home dirs.

fix samba to work on nfs...

Allow usermanage to create the homedir

[-- Attachment #2: policy-20060411.patch --]
[-- Type: text/x-patch, Size: 39545 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.2.31/policy/mcs
--- nsaserefpolicy/policy/mcs	2006-03-29 11:23:41.000000000 -0500
+++ serefpolicy-2.2.31/policy/mcs	2006-04-13 12:53:30.000000000 -0400
@@ -134,14 +134,18 @@
 # the high range of the file.  We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
 #
 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	( h1 dom h2 );
 
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+# At this time we do not restrict "ps" type operations via MCS.  This
+# will probably change in future.
 mlsconstrain file { read }
 	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
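Review bot: the new comment above `mlsconstrain file { read }` talks about "ps" type operations without saying which clause it is explaining; state that `( t2 == domain )` is the exemption (reads of /proc/<pid> entries, whose type is the process's domain, are not MCS-constrained) and that `( t1 == mlsfileread )` is the separate read-up override, so a reader does not take the comment as applying to the whole constraint. Also, replacing "Only files are constrained by MCS at this stage." with the getattr note removes the only statement of scope in this block; keep both sentences unless the scope statement is no longer true, since the getattr remark describes the permission list on the next line and the old sentence described which classes are covered at all.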
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.2.31/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te	2006-03-24 11:15:40.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/admin/amanda.te	2006-04-13 12:53:30.000000000 -0400
@@ -9,6 +9,7 @@
 type amanda_t;
 type amanda_inetd_exec_t;
 inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_tcp_service_domain(amanda_t,amanda_inetd_exec_t)
 role system_r types amanda_t;
 
 type amanda_exec_t;
@@ -183,13 +184,15 @@
 
 optional_policy(`
 	nscd_socket_use(amanda_t)
+	nscd_socket_use(amanda_recover_t)
 ')
 
 ########################################
 #
 # Amanda recover local policy
 
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+corenet_tcp_bind_reserved_port(amanda_recover_t)
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
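Review bot: removing `net_bind_service` from the `self:capability` line is only a no-op if `corenet_tcp_bind_reserved_port()` grants that capability itself alongside `reserved_port_type:tcp_socket name_bind`, which is what refpolicy's corenetwork interface does; confirm that holds in this tree and say so in the cover letter, because the diff reads as a privilege removal when it is really a widening (name_bind on every reserved port, not just the one amrecover uses). Style: the `corenet_` call is wedged between two `allow amanda_recover_t self:...` rules; refpolicy convention keeps the local allow block together and puts interface calls after it.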
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.2.31/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-04-04 18:06:37.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/admin/bootloader.te	2006-04-13 12:53:30.000000000 -0400
@@ -84,6 +84,7 @@
 dev_read_sysfs(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
+mls_file_read_up(bootloader_t)
 
 fs_getattr_xattr_fs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
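Review bot: `mls_file_read_up(bootloader_t)` is an MLS override (reading objects above the subject's range) and deserves an explanatory comment in the style of the `# for reading BIOS data` line above it; the cover letter only says the bootloader "needs to read SystemHigh". The files.fc hunk in this same patch labels `/boot/lost+found` at `s15:c0.c255`, so if that directory is the object in question, name it here and consider whether `getattr`/`search` on that one directory is what the bootloader actually needs rather than read-up on every file it can reach.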
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.31/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-04-04 18:06:37.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/admin/rpm.fc	2006-04-13 12:53:30.000000000 -0400
@@ -10,6 +10,7 @@
 /usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
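Review bot: `/usr/sbin/system-install-packages` is added just above the `ifdef(`distro_redhat',` block instead of inside it, unlike `fedora-rmdevelrpms`; system-install-packages is, as far as I know, a Fedora (pirut) tool, so it belongs under that conditional with the other Red Hat specific rpm front ends.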
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.fc serefpolicy-2.2.31/policy/modules/admin/su.fc
--- nsaserefpolicy/policy/modules/admin/su.fc	2006-03-23 14:33:29.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/admin/su.fc	2006-04-13 12:53:30.000000000 -0400
@@ -1,5 +1,5 @@
 
 /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
 
-/usr(/local)?/bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+/usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.31/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/admin/usermanage.te	2006-04-13 12:53:30.000000000 -0400
@@ -514,6 +514,7 @@
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_staff_home_dir(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
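Review bot: `userdom_manage_staff_home_dir(useradd_t)` lets useradd create the staff home directory, but the generic-user case a few lines above pairs its manage rule with `userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)` so that the skel files useradd copies in get the home content type rather than the directory's type. Without the staff counterpart, everything created inside a new staff home inherits the home directory type; add the matching staff filetrans interface (and, if staff homes are created under the same parent, the equivalent of the `userdom_home_filetrans_generic_user_home_dir` call at the top of this hunk).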
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.31/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/apps/java.fc	2006-04-13 16:12:57.000000000 -0400
@@ -1,11 +1,8 @@
 #
-# /opt
-#
-/opt(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
-
-#
 # /usr
 #
-/usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib(.*/)?bin/java([^/]*)? 	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
+/opt/(.*/)?bin/java([^/]*)? 	--	gen_context(system_u:object_r:java_exec_t,s0)
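Review bot: the added `/usr/lib(.*/)?bin/java([^/]*)?` line is already covered by `/usr/(.*/)?bin/java.*` directly above it (any `/usr/lib/.../bin/java...` path matches the latter), so it can be dropped; if it is kept, `([^/]*)?` is just `[^/]*`, and note the two lines are not interchangeable: `java.*` keeps matching past a slash (`bin/java-foo/x`), while `java[^/]*` stops at the basename, so the intended one should be chosen deliberately. Also, moving the `/opt` entry below the `/usr` entries deletes the `# /opt` section header and files it under `# /usr`; the .fc files keep sections in path order with a header each.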
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.31/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/apps/java.te	2006-04-13 15:36:02.000000000 -0400
@@ -10,6 +10,7 @@
 domain_type(java_t)
 
 type java_exec_t;
+init_system_domain(java_t,java_exec_t)
 files_type(java_exec_t)
 
 ########################################
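Review bot: `init_system_domain(java_t,java_exec_t)` turns every initrc_t execution of a java_exec_t file into a transition to java_t, which is a substantive change for a type matched by the broad `/usr/(.*/)?bin/java.*` pattern in java.fc; the one-line entry in the cover letter undersells it and a comment here should say which init script needs it. If this interface wraps `domain_type()` and `domain_entry_file()` the way refpolicy's init_domain does, `domain_type(java_t)` above and `files_type(java_exec_t)` below become redundant, and the call should follow the type declarations rather than sit between them.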
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.31/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/apps/mono.te	2006-04-13 16:32:05.000000000 -0400
@@ -22,6 +22,8 @@
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
 
+	init_dbus_chat_script(mono_t)
+
 	optional_policy(`
 		avahi_dbus_chat(mono_t)
 	')
@@ -29,4 +31,8 @@
 	optional_policy(`
 		hal_dbus_chat(mono_t)
 	')
+	optional_policy(`
+		networkmanager_dbus_chat(mono_t)
+	')
+
 ')
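Review bot: the blank line inserted between the new `networkmanager_dbus_chat` block and the closing `')` breaks the pattern in this file (one blank line between `optional_policy` blocks, none before the close). On substance: both additions are `dbus_chat` interfaces, which are bidirectional (initrc_t and the NetworkManager domain are also allowed to send to mono_t), so they grant something `unconfined_domain_noaudit(mono_t)` cannot; a one-line comment saying so will stop the next reader from removing them as redundant on an unconfined domain.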
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.31/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-10 17:05:08.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/kernel/corecommands.fc	2006-04-13 14:39:12.000000000 -0400
@@ -2,7 +2,8 @@
 #
 # /bin
 #
-/bin(/.*)?				gen_context(system_u:object_r:bin_t,s0)
+/bin				-d	gen_context(system_u:object_r:bin_t,s0)
+/bin/.*					gen_context(system_u:object_r:bin_t,s0)
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
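Review bot: `/bin(/.*)?` to `/bin -d` plus `/bin/.*` is not a pure rewrite: the top-level path is now labelled only when it is a directory, so a `/bin` that is anything else (a symlink, for instance) falls through to the `/` default. That may be intended, but the cover letter presents this as a stem-compression cleanup; state the narrowing explicitly, because the same split is applied in this patch to /sbin, /dev, /boot, /emul, /etc, /opt, /proc, /selinux, /srv, /sys, /usr, /var, /tftpboot and /service.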
@@ -86,27 +87,30 @@
 #
 # /sbin
 #
-/sbin(/.*)?				gen_context(system_u:object_r:sbin_t,s0)
+/sbin				-d	gen_context(system_u:object_r:sbin_t,s0)
+/sbin/.*				gen_context(system_u:object_r:sbin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
 
 #
 # /opt
 #
-/opt(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/opt/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/opt(/.*)?/libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/opt/(.*/)?libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
-/opt(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
 
 #
 # /usr
 #
-/usr(/.*)?/Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/usr(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/usr(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
 
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
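Review bot: the added `/usr/lib(.*/)?bin(/.*)?` and `/usr/lib(.*/)?sbin(/.*)?` lines are subsumed by `/usr/(.*/)?bin(/.*)?` and `/usr/(.*/)?sbin(/.*)?` immediately above them (those already match anything under `/usr/lib/.../bin`), and the missing slash after `lib` means they also match `/usr/libexec/bin` and `/usr/lib64/foo/bin`; either drop them or say what they are for. If the motivation is stem compression, it does not apply: the stem is the leading path component, so both forms share the `/usr` stem and the extra lines buy nothing.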
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.31/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/kernel/devices.fc	2006-04-13 12:53:30.000000000 -0400
@@ -1,5 +1,6 @@
 
-/dev(/.*)?			gen_context(system_u:object_r:device_t,s0)
+/dev			-d	gen_context(system_u:object_r:device_t,s0)
+/dev/.*				gen_context(system_u:object_r:device_t,s0)
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/adsp		-c	gen_context(system_u:object_r:sound_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.31/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/kernel/devices.if	2006-04-13 12:53:30.000000000 -0400
@@ -2701,7 +2701,7 @@
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
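Review bot: raising `xen_device_t:chr_file` from `r_file_perms` to `rw_file_perms` changes the meaning of an existing interface for every caller, and the `<summary>` block above this hunk (not shown) still describes read access; update the summary and consider a name that says rw, so callers that only wanted read on the Xen control devices do not silently gain write.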
@@ -2720,7 +2720,7 @@
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file manage_file_perms;
 ')
 
 ########################################
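Review bot: `manage_file_perms` on `xen_device_t:chr_file` includes create, unlink, rename, link and setattr on device nodes, which is device-manager territory rather than something a Xen tool normally needs; if the denial being fixed was write or ioctl, `rw_file_perms` is the right step, as in the hunk above. Whichever set is chosen, the interface summary above this hunk still says read and needs the same update.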
@@ -2874,3 +2874,23 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_device_nodes',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_t:dir_file_class_set getattr;
+	dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
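Review bot: the new interface is followed by an added blank line at end of file (the bare `+` after `')`), which no other interface in devices.if has; drop it. The doc block itself is complete and is the model the two undocumented interfaces added to files.if in this patch should follow.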
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.31/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2006-03-23 14:33:29.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/kernel/files.fc	2006-04-13 12:53:30.000000000 -0400
@@ -25,7 +25,8 @@
 #
 # /boot
 #
-/boot(/.*)?			gen_context(system_u:object_r:boot_t,s0)
+/boot			-d	gen_context(system_u:object_r:boot_t,s0)
+/boot/.*			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
 /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
 /boot/lost\+found/.*		<<none>>
@@ -36,13 +37,15 @@
 #
 
 ifdef(`distro_redhat',`
-/emul(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/emul			-d	gen_context(system_u:object_r:usr_t,s0)
+/emul/.*			gen_context(system_u:object_r:usr_t,s0)
 ')
 
 #
 # /etc
 #
-/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
+/etc			-d	gen_context(system_u:object_r:etc_t,s0)
+/etc/.*				gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -104,7 +107,8 @@
 #
 # /lib(64)?
 #
-/lib(64)?/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+/lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+/lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 
 #
 # /lost+found
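Review bot: this is the hunk where the rationale for the whole regex rewrite is clearest, and it belongs in the cover letter or a comment: the stem used for compression is the first path component, and only when it contains no regex metacharacter, so `/lib(64)?/modules(/.*)?` has no usable stem and is tried against every file, whereas `/lib/modules(/.*)?` and `/lib64/modules(/.*)?` get the literal stems `/lib` and `/lib64`. The two forms match exactly the same paths, so no relabel change is introduced here.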
@@ -139,29 +143,34 @@
 #
 # /opt
 #
-/opt(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/opt			-d	gen_context(system_u:object_r:usr_t,s0)
+/opt/.*				gen_context(system_u:object_r:usr_t,s0)
 
-/opt(/.*)?/var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
+/opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
 
 #
 # /proc
 #
-/proc(/.*)?                     <<none>>
+/proc			-d	<<none>>
+/proc/.*			<<none>>
 
 #
 # /selinux
 #
-/selinux(/.*)?                  <<none>>
+/selinux		-d	<<none>>
+/selinux/.*			<<none>>
 
 #
 # /srv
 #
-/srv(/.*)?			gen_context(system_u:object_r:var_t,s0)
+/srv			-d	gen_context(system_u:object_r:var_t,s0)
+/srv/.*				gen_context(system_u:object_r:var_t,s0)
 
 #
 # /sys
 #
-/sys(/.*)?                      <<none>>
+/sys			-d	<<none>>
+/sys/.*				<<none>>
 
 #
 # /tmp
@@ -176,7 +185,8 @@
 #
 # /usr
 #
-/usr(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/usr			-d	gen_context(system_u:object_r:usr_t,s0)
+/usr/.*				gen_context(system_u:object_r:usr_t,s0)
 /usr/\.journal			<<none>>
 
 /usr/doc(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
@@ -200,7 +210,7 @@
 /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
-/usr/src(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+/usr/src/kernels/.+/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
 /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
 /usr/tmp/.*			<<none>>
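Review bot: `/usr/src(/.*)?/lib(/.*)?` to `/usr/src/kernels/.+/lib(/.*)?` is a semantic narrowing, not a stem cleanup: any `lib` directory under `/usr/src` other than `/usr/src/kernels/*/lib` now stays `src_t` instead of becoming `usr_t`. If that is the intent, say so in the cover letter; the behaviour-preserving rewrite would be `/usr/src/(.*/)?lib(/.*)?`.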
@@ -208,7 +218,8 @@
 #
 # /var
 #
-/var(/.*)?			gen_context(system_u:object_r:var_t,s0)
+/var			-d	gen_context(system_u:object_r:var_t,s0)
+/var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
 
 /var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.31/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-10 17:05:10.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/kernel/files.if	2006-04-13 12:53:30.000000000 -0400
@@ -948,6 +948,18 @@
 
 ########################################
 #
+# files_stat_all_mountpoints(domain)
+#
+interface(`files_stat_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir { getattr };
+')
+
+########################################
+#
 # files_list_root(domain)
 #
 interface(`files_list_root',`
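Review bot: `files_stat_all_mountpoints` lacks the `## <summary>` / `## <param>` doc block that the documented interfaces in files.if carry (and that `dev_dontaudit_getattr_all_device_nodes`, added in this same patch, has); the bare `# name(domain)` comment is the pre-XML style and will not show up in the generated interface docs. Also `{ getattr }` does not need braces for a single permission.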
@@ -1661,6 +1673,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
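Review bot: `allow $1 root_t:file unlink;` on its own does not let a domain remove `/halt` or `/.autofsck`: unlink also needs `remove_name` (and `search`) on the parent `root_t:dir`. Either add `allow $1 root_t:dir { search remove_name };` here, or document that callers are expected to have it already (initrc_t, the only caller in this patch, probably does through its other root_t rules, but the interface should not depend on that). Same missing doc block as `files_stat_all_mountpoints`, plus a doubled blank line before the separator.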
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.31/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-04-10 17:05:10.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/kernel/kernel.if	2006-04-13 15:25:54.000000000 -0400
@@ -1148,7 +1148,8 @@
 
 	allow $1 proc_t:dir search;
 	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_vm_t:dir list_dir_perms;
+#hal needs allow hald_t sysctl_vm_t:dir write;
+	allow $1 sysctl_vm_t:dir rw_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
 ')
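Review bot: `rw_dir_perms` on `sysctl_vm_t:dir` hands add_name, remove_name, write and friends on a procfs directory to every caller of this interface in order to satisfy one domain; since the comment says the denial was `dir write`, `allow $1 sysctl_vm_t:dir { list_dir_perms write };` fixes hald without widening the set. The comment should be indented with the rule and should not name `hald_t` inside a generic kernel interface; if it stays, say why a write on the directory is wanted at all, given procfs does not support creating entries.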
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.2.31/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/kernel/mcs.te	2006-04-13 12:53:30.000000000 -0400
@@ -32,6 +32,10 @@
 type xdm_exec_t;
 
 ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions.  But while range_transitions have to be in the base module
+# this is not possible.
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
 range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.31/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-07 10:31:09.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/kernel/mls.te	2006-04-13 12:53:30.000000000 -0400
@@ -60,6 +60,7 @@
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition secadm_t auditctl_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 ')
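Review bot: `range_transition secadm_t auditctl_exec_t s15:c0.c255;` uses two types not referenced elsewhere in this hunk; check that `secadm_t` and `auditctl_exec_t` are declared in the type list at the top of mls.te, since the hunk only touches the `ifdef` block. It also assigns a fixed single level, unlike the `s0 - s15:c0.c255` ranges on the lines below; that matches the `auditd_exec_t` line above it, but a comment saying the auditctl tool is meant to run at the same level as auditd would help the next reader.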
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.31/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/services/avahi.te	2006-04-13 16:17:29.000000000 -0400
@@ -92,6 +92,7 @@
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
+	init_dbus_chat_script(avahi_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-2.2.31/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc	2006-01-16 17:04:24.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/services/bind.fc	2006-04-13 12:53:30.000000000 -0400
@@ -29,6 +29,7 @@
 
 ifdef(`distro_redhat',`
 /etc/named\.conf		--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf		--	gen_context(system_u:object_r:named_conf_t,s0)
 /var/named(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
 /var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
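Review bot: the `named\.caching-nameserver\.conf` line is indented with two more tabs than its neighbours, so the `gen_context` column no longer lines up; otherwise fine, and correctly placed under `distro_redhat`.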
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.31/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-04-12 13:44:37.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/services/hal.te	2006-04-13 12:53:30.000000000 -0400
@@ -103,6 +103,7 @@
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
 fs_list_auto_mountpoints(hald_t)
+files_stat_all_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-2.2.31/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc	2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/services/kerberos.fc	2006-04-13 12:53:30.000000000 -0400
@@ -5,8 +5,8 @@
 /etc/krb5kdc/kadm5.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
 /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr(/local)?(/kerberos)?/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 
 /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-2.2.31/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/services/mailman.if	2006-04-13 12:53:30.000000000 -0400
@@ -200,6 +200,44 @@
 
 #######################################
 ## <summary>
+##	Allow domain to to create mailman data files and write the directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_create_data_file',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir rw_dir_perms;
+	allow $1 mailman_data_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to to read mailman data files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_data_file',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search_dir_perms;
+	allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
 ##	List the contents of mailman data directories.
 ## </summary>
 ## <param name="domain">
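Review bot: "Allow domain to to create" and "to to read" in both new summaries. More important, `mailman_create_data_file` grants `mailman_data_t:file create_file_perms`, which in this policy generation is effectively the full manage set (create, read, write, append, link, unlink, rename, setattr; check obj_perm_sets.spt), so the name and summary understate what postfix_master_t receives; either rename to `mailman_manage_data_files` or cut the permissions down to what postalias needs on the alias database. Naming: the existing interfaces in this file use the plural `_files`.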
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.31/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/services/postfix.te	2006-04-13 12:53:30.000000000 -0400
@@ -408,6 +408,9 @@
 
 optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
+#	for postalias
+	mailman_create_data_file(postfix_master_t)
+	mailman_read_data_file(postfix_local_t)
 ')
 
 ########################################
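Review bot: the `#	for postalias` comment is flush-left with a tab after the `#`, inside a tab-indented `optional_policy` block; indent it like the rules (`	# for postalias`). It should also say which call it belongs to: postalias runs in the master context, hence `mailman_create_data_file(postfix_master_t)`, while `postfix_local_t` only reads; one comment per call makes the two grants auditable separately.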
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.31/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/services/rpc.te	2006-04-13 12:53:30.000000000 -0400
@@ -110,13 +110,13 @@
 portmap_udp_chat(nfsd_t)
 
 tunable_policy(`nfs_export_all_rw',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_read_all_files_except_shadow(nfsd_t)
 ')
 
 ########################################
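Review bot: switching `nfs_export_all_rw` to `auth_manage_all_files_except_shadow(nfsd_t)` turns the boolean from "read directories" into create, write, unlink and rename on every file type on the system other than `shadow_t` (/etc/passwd, sudoers and system binaries included), so the tunable's `<desc>` block in this file, not shown in the hunk, needs to say that plainly. For `nfs_export_all_ro`, confirm `auth_read_all_files_except_shadow` also grants directory listing, since `auth_read_all_dirs_except_shadow` is removed rather than kept alongside it.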
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.2.31/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if	2006-02-21 14:35:36.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/services/samba.if	2006-04-13 12:53:30.000000000 -0400
@@ -33,6 +33,7 @@
 	')
 
 	tunable_policy(`samba_enable_home_dirs',`
+		userdom_manage_user_home_content_dirs($1,smbd_t)
 		userdom_manage_user_home_content_files($1,smbd_t)
 		userdom_manage_user_home_content_symlinks($1,smbd_t)
 		userdom_manage_user_home_content_sockets($1,smbd_t)
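Review bot: `userdom_manage_user_home_content_dirs($1,smbd_t)` covers directories that already carry the home content type, but creating a directory directly under `$HOME` also needs `add_name` on the home directory type itself; confirm this template grants that elsewhere (the files variant above it has worked so far, which suggests it does), otherwise the "create directories in users' home dirs" item in the cover letter is only half fixed.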
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.31/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2006-04-12 13:44:37.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/services/samba.te	2006-04-13 12:53:30.000000000 -0400
@@ -333,6 +333,13 @@
 ')
 allow smbd_t mtrr_device_t:file getattr;
 
+# Support Samba sharing of NFS mount points
+bool samba_share_nfs false;
+if (samba_share_nfs) {
+fs_manage_nfs_dirs(smbd_t)
+fs_manage_nfs_files(smbd_t)
+}
+
 ########################################
 #
 # nmbd Local policy
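Review bot: the new boolean is declared with a raw `bool samba_share_nfs false;` and a bare `if (...) { }` block, while the rest of samba uses `gen_tunable()` plus `tunable_policy()` (see `samba_enable_home_dirs` in the samba.if hunk of this same patch); using the refpolicy forms also gives it the `## <desc>` block that the boolean documentation and tools read. The rules inside the block should be tab-indented, and because `fs_manage_nfs_dirs`/`fs_manage_nfs_files` let smbd write every NFS mount on the host, the description should say the boolean is host-wide rather than per-share.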
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-2.2.31/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc	2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/services/tftp.fc	2006-04-13 12:53:30.000000000 -0400
@@ -2,4 +2,5 @@
 /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 /usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 
-/tftpboot(/.*)?			gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.31/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-04-06 15:31:54.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/services/xserver.if	2006-04-13 12:53:30.000000000 -0400
@@ -1070,3 +1070,24 @@
 
 	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
 ')
+
+########################################
+## <summary>
+##	Allow read and write to
+##	a XDM X server socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_sockets',`
+	gen_require(`
+		type xdm_xserver_tmp_t;
+	')
+
+	allow $1 xdm_xserver_tmp_t:dir search;
+	allow $1 xdm_xserver_tmp_t:sock_file { read write };
+')
+
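Review bot: `xdm_xserver_tmp_t:sock_file { read write }` lets the domain open the X server's socket file, but talking to the server also needs `xdm_xserver_t:unix_stream_socket connectto`; as written, callers get past the sock_file check and then fail on connect. Either add that rule here or have the summary say the caller is expected to pair this with the existing connect interface. Grammar: "a XDM" should be "an XDM"; and the file gains a trailing blank line after `')` (the bare `+` line).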
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-2.2.31/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2006-01-19 17:48:34.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/system/authlogin.fc	2006-04-13 12:53:30.000000000 -0400
@@ -7,7 +7,8 @@
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
 
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.fc serefpolicy-2.2.31/policy/modules/system/daemontools.fc
--- nsaserefpolicy/policy/modules/system/daemontools.fc	2006-04-05 11:35:09.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/daemontools.fc	2006-04-13 12:53:30.000000000 -0400
@@ -2,7 +2,8 @@
 # /service
 #
 
-/service(/.*)?			gen_context(system_u:object_r:svc_svc_t,s0)
+/service		-d	gen_context(system_u:object_r:svc_svc_t,s0)
+/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
 
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.31/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/fstools.te	2006-04-13 12:53:30.000000000 -0400
@@ -77,6 +77,7 @@
 dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
+dev_dontaudit_getattr_all_device_nodes(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.31/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-04-06 15:32:43.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/init.te	2006-04-13 12:53:30.000000000 -0400
@@ -352,6 +352,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.31/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-12 13:44:38.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/libraries.fc	2006-04-13 16:25:13.000000000 -0400
@@ -24,17 +24,22 @@
 #
 # /lib(64)?
 #
-/lib(64)?(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib64(/.*)?					gen_context(system_u:object_r:lib_t,s0)
 /lib(64)?/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 /lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
 
 #
 # /opt
 #
-/opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/.*/jre.*/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/.*/jre.*/libjvm.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib64(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 #
 # /sbin
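Review bot: `/lib(64)?(/.*)?` is split into `/lib(/.*)?` and `/lib64(/.*)?` for the stem's sake, but the two context lines right after it still begin with `/lib(64)?` and so still have no usable stem; for the split to buy anything on this stem those lines need the same treatment, as is done for `/opt/(.*/)?lib` and `lib64` further down this hunk. In the /opt block, `/opt/(.*/)?lib/.*\.so` plus `/opt/(.*/)?lib/.*\.so\.[^/]*` match exactly what the original `\.so(\.[^/]*)*` matched, so the split is harmless; if it was done for ordering reasons (the cover letter mentions sort problems) a comment would stop someone merging the two lines back.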
@@ -44,18 +49,22 @@
 #
 # /usr
 #
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
+
+/usr/(.*/)?lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib64(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
-/usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
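Review bot: `/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)*` has a doubled slash: `/usr/` followed by an optional `something/` and then `/HelixPlayer` can only match a path containing `//`, so after this patch no HelixPlayer library gets textrel_shlib_t. It should read `/usr/(.*/)?HelixPlayer/.*\.so(\.[^/]*)*`. Second, ordering: the `/usr/(.*/)?java/.*\.so` textrel_shlib_t entry still precedes the generic `/usr/(.*/)?lib/.*\.so` and `\.so\.[^/]*` shlib_t entries, and since the last matching entry wins (the rule the cover letter itself relies on for "textrel_shlib_t always comes after shlib_t"), any java `.so` that sits under a `lib` component, e.g. `.../jre/lib/i386/libawt.so`, ends up shlib_t. That was already the case before the patch and the reshuffle here does not fix it; move the java lines below the generic lib lines, as the nvidia and ld_so_t entries already are.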
 
@@ -64,7 +73,7 @@
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
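Review bot: the unchanged context line for `libsipphoneapi\.so` still carries `texrel_shlib_t` (missing `t`), which is not a declared type and will not validate, so that library keeps whatever label the generic `.so` rule gives it; since this patch is already fixing sort and regex problems in this file, and the final hunk removes three `intellinux` lines with the same misspelling, fix this one as well.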
@@ -74,9 +83,9 @@
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware(.*/)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib(64)?/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 
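Review bot: `+/usr/(local/)?lib(64)?/wine/.*\.so` gains lib64 coverage but the adjacent context line `/usr/(local/)?lib/libfame-.*\.so.*` is left lib-only; if libfame has no 64-bit install this is fine, but if the lib64 addition is a general cleanup it should be applied to both lines or the exception noted. The VmPerl change, dropping the doubled slash in `vmware(.*/)?/VmPerl\.so`, is correct, as the old form could never match a real path.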
@@ -127,7 +136,7 @@
 /usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsoffice\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -182,13 +191,13 @@
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre.*/libdeploy.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/.*/jre.*/libjvm.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr(/.*)?/intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
 
 ifdef(`distro_suse',`
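Review bot: the rewritten intellinux lines preserve defects that should be fixed while they are being touched: `+/usr/(.*/)?intellinux/nppdf\.so`, `+/usr/(.*/)?intellinux/lib/\.so` and `+/usr/(.*/)?intellinux/plug_ins/.*\.api` label with `texrel_shlib_t` while the ADMPlugin line beside them uses `textrel_shlib_t`, and `intellinux/lib/\.so` only matches a file literally named `.so`, where `lib/.*\.so` is almost certainly intended. The Java lines likewise leave the dot in `libdeploy.so` and `libjvm.so` unescaped even though the newly added `(\.[^/]*)*` suffix escapes its dot; write `libdeploy\.so` and `libjvm\.so` for consistency.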
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.2.31/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc	2005-10-27 14:57:47.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/miscfiles.fc	2006-04-13 12:53:30.000000000 -0400
@@ -7,7 +7,7 @@
 #
 # /opt
 #
-/opt(/.*)?/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/opt/(.*/)?man(/.*)?		gen_context(system_u:object_r:man_t,s0)
 
 #
 # /srv
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-2.2.31/policy/modules/system/modutils.fc
--- nsaserefpolicy/policy/modules/system/modutils.fc	2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/modutils.fc	2006-04-13 12:53:30.000000000 -0400
@@ -2,9 +2,11 @@
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 
-/lib(64)?/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
 
-/lib(64)?/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
 
 /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
 /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
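Review bot: the `/lib(64)?/modules/...` entries are expanded into duplicate `/lib/` and `/lib64/` lines without a comment, which doubles the lines to keep in sync for no change in what they match; if the expansion is required by the stem compression change in the cover message, say so in a one-line comment above the pair, otherwise keep the shorter alternation.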
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.31/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-03-29 14:18:17.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/system/selinuxutil.if	2006-04-13 15:29:28.000000000 -0400
@@ -623,7 +623,8 @@
 	')
 
 	files_search_etc($1)
-	allow $1 selinux_config_t:dir rw_dir_perms;
+	# semanage wants to rmdir 
+	allow $1 selinux_config_t:dir { rmdir rw_dir_perms };
 	allow $1 selinux_config_t:file manage_file_perms;
 	allow $1 selinux_config_t:lnk_file { getattr read };
 ')
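Review bot: the new comment `# semanage wants to rmdir ` carries trailing whitespace. The nested set `{ rmdir rw_dir_perms }` is accepted by the policy compiler and, given the interface already grants `manage_file_perms` on selinux_config_t, adding rmdir on the directory is consistent with its existing scope, so only the whitespace needs attention.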
@@ -697,8 +698,8 @@
 
 	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir r_dir_perms;
-	allow $1 file_context_t:file rw_file_perms;
+	allow $1 file_context_t:dir rw_dir_perms;
+	allow $1 file_context_t:file create_file_perms;
 	allow $1 file_context_t:lnk_file { getattr read };
 ')
 
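Review bot: this widens every caller of the interface from read-only to write access on file_context_t, changing `r_dir_perms` to `rw_dir_perms` and `rw_file_perms` to `create_file_perms`, but the interface name and summary sit outside the hunk and were not updated. File contexts are trusted input to relabeling, so before widening, confirm that each existing caller actually needs to create files there and that the interface's documentation now states it grants write access; if only one caller (presumably semanage) needs it, a separate manage interface would keep the read-only callers least-privileged.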
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.31/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-04-12 13:44:38.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/unconfined.te	2006-04-13 15:21:35.000000000 -0400
@@ -64,6 +64,8 @@
 	optional_policy(`
 		dbus_stub(unconfined_t)
 
+		init_dbus_chat_script(unconfined_t)
+
 		optional_policy(`
 			avahi_dbus_chat(unconfined_t)
 		')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.31/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-04-11 16:58:42.000000000 -0400
+++ serefpolicy-2.2.31/policy/modules/system/userdomain.if	2006-04-13 12:53:30.000000000 -0400
@@ -4132,11 +4132,31 @@
 		type user_home_dir_t;
 	')
 
+	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
 
 ########################################
 ## <summary>
+##	Create staff home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_staff_home_dir',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	allow $1 staff_home_dir_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Search generic user home directories.
 ## </summary>
 ## <param name="domain">
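Review bot: the new interface `userdom_manage_staff_home_dir` is documented as "Create staff home directories with automatic file type transition", but unlike the interface directly above it, which pairs `create_dir_perms` with `files_home_filetrans($1,user_home_dir_t,dir)`, its body contains only `allow $1 staff_home_dir_t:dir create_dir_perms;` and no filetrans call. Either add `files_home_filetrans($1,staff_home_dir_t,dir)` or drop the "with automatic file type transition" wording so the summary matches what the interface grants.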
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.31/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-03-23 14:33:30.000000000 -0500
+++ serefpolicy-2.2.31/policy/modules/system/xen.te	2006-04-13 12:53:30.000000000 -0400
@@ -19,6 +19,8 @@
 # var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
 
 # log files
 type xend_var_log_t;
@@ -67,6 +69,8 @@
 allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
 
+files_read_kernel_symbol_table(xend_t)
+
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
 allow xend_t xend_var_run_t:sock_file manage_file_perms;
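Review bot: `+files_read_kernel_symbol_table(xend_t)` has no comment explaining why xend needs to read the kernel symbol table, whereas the other addition to this file (`# for mounting an NFS store`) does; add a one-line reason so a later reviewer can tell whether the access is still required.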
@@ -210,6 +214,7 @@
 dev_filetrans_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)
+dev_rw_xen(xenstored_t)
 
 init_use_fds(xenstored_t)
 
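Review bot: `+dev_rw_xen(xenstored_t)` is appended directly after `term_dontaudit_use_generic_ptys(xenstored_t)` with no separating blank line, while the related `dev_filetrans_xen(xenstored_t)` call sits a few lines higher; placing the new call next to the existing `dev_` call keeps the device-access grants for xenstored_t grouped and easier to audit.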


* Re: Latest patches.
  2006-04-14 12:08 Daniel J Walsh
@ 2006-04-14 12:20 ` Russell Coker
  2006-04-17 17:56 ` Christopher J. PeBenito
  1 sibling, 0 replies; 30+ messages in thread
From: Russell Coker @ 2006-04-14 12:20 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Christopher J. PeBenito, SE Linux

On Fri, 2006-04-14 at 08:08 -0400, Daniel J Walsh wrote:
> mailman interaction with postfix

One thing to note is that I'm not certain that mailman will actually
work with this policy.

The suggested configuration (according to mailman documentation and
default config files) fails to work correctly in some situations due to
Unix permissions (can't deliver to the dead-mail store).  It is quite
possible that if this Unix permission issue is solved then other SE
Linux policy issues will be revealed.

But with all the most obvious issues with Mailman and Postfix fixed, it
will probably work for many people now.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest patches.
  2006-04-14 12:08 Daniel J Walsh
  2006-04-14 12:20 ` Russell Coker
@ 2006-04-17 17:56 ` Christopher J. PeBenito
  1 sibling, 0 replies; 30+ messages in thread
From: Christopher J. PeBenito @ 2006-04-17 17:56 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux, Russell Coker

Merged.

On Fri, 2006-04-14 at 08:08 -0400, Daniel J Walsh wrote:
> This is a combination of a patch from Russell and me.
> 
> Comments added to explain MCS constraint decisions
> 
> Fixes for amanda to run as tcp
> 
> bootloader needs to read SystemHigh
> 
> make system-install-packages run as rpm
> 
> Changes to make the stem compression algorithm work better.  Also some 
> changes to file_context to fix sort problems.  Mainly make sure 
> textrel_shlib_t always comes after the shlib_t definition.
> 
> Allow usermanage to create staff user accounts
> 
> define java as an entry_point
> 
> allow mono and unconfined_t to dbus_chat with programs running as 
> initrc_t/network_manager
> 
> Fixes to allow xen to work.
> 
> mailman interaction with postfix
> 
> Fix nfs booleans to actually work
> 
> fix samba to be able to create directories in users home dirs.
> 
> fix samba to work on nfs...
> 
> Allow usermanage to create the homedir

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




Thread overview: 30+ messages
2005-03-12  2:29 Latest patches Daniel J Walsh
2005-03-14 20:18 ` James Carter
2005-03-15 13:25 ` Stephen Smalley
2005-03-15 14:00   ` Daniel J Walsh
  -- strict thread matches above, loose matches on Subject: below --
2006-04-14 12:08 Daniel J Walsh
2006-04-14 12:20 ` Russell Coker
2006-04-17 17:56 ` Christopher J. PeBenito
2004-12-22 18:17 Daniel J Walsh
2004-08-24  8:18 policy patch Russell Coker
2004-08-27 20:58 ` James Carter
2004-08-28 13:46   ` Russell Coker
2004-08-30 20:24     ` James Carter
2004-09-02 12:46       ` Latest Patches Daniel J Walsh
2004-09-02 12:54         ` Stephen Smalley
2004-09-02 15:23           ` Daniel J Walsh
2004-09-02 15:46             ` Stephen Smalley
2004-09-02 15:53               ` Daniel J Walsh
2004-09-02 16:48                 ` Stephen Smalley
2004-09-02 16:57                   ` Stephen Smalley
2004-09-02 19:48                 ` Luke Kenneth Casson Leighton
2004-09-02 19:42                   ` Daniel J Walsh
2004-09-02 20:23                     ` Luke Kenneth Casson Leighton
2004-09-02 13:10         ` Stephen Smalley
2004-09-02 13:38           ` Russell Coker
2004-09-02 14:46             ` Stephen Smalley
2004-09-02 15:38           ` Daniel J Walsh
2004-09-02 17:15           ` Luke Kenneth Casson Leighton
2004-09-02 18:56           ` James Carter
2004-09-02 13:27         ` Russell Coker
2004-09-02 16:30         ` Joshua Brindle
2004-09-02 16:40           ` Stephen Smalley
2004-09-02 18:00           ` Daniel J Walsh
     [not found] <Pine.GSO.4.33.0206251442590.7048-100000@raven>
2002-06-25 19:33 ` Latest patches Russell Coker
2002-06-25 18:35 Russell Coker
