diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.6/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/ifconfig.te 2005-04-04 10:44:54.000000000 -0400
@@ -66,3 +66,4 @@
 rhgb_domain(ifconfig_t)
 allow ifconfig_t userdomain:fd use;
 dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.6/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/logrotate.te 2005-04-04 10:44:54.000000000 -0400
@@ -141,5 +141,10 @@
 domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
+# Supress libselinux initialization denials
 dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
+# Allow selinux_getenforce
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.6/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/apache.te 2005-04-04 10:44:54.000000000 -0400
@@ -28,6 +28,9 @@
 bool httpd_unified false;
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
@@ -86,54 +89,6 @@
 # for modules that want to access /etc/mtab and /proc/meminfo
 allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec)
-allow httpd_t httpd_suexec_exec_t:file read;
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir search;
-allow httpd_suexec_t httpd_log_t:file { append getattr };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
 uses_shlib(httpd_t)
 allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_t usr_t:lnk_file { getattr read };
@@ -149,15 +104,24 @@
 can_exec(httpd_t, { bin_t sbin_t })
 allow httpd_t bin_t:lnk_file read;
-can_network(httpd_t)
+########################################
+# Set up networking
+########################################
+
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
+can_ypbind(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
 if (httpd_can_network_connect) {
+can_network_client(httpd_t)
 allow httpd_t port_type:tcp_socket name_connect;
 }
-can_ypbind(httpd_t)
-###################
-# Allow httpd to search users diretories
-######################
+#########################################
+# Allow httpd to search users directories
+#########################################
 allow httpd_t home_root_t:dir { getattr search };
 dontaudit httpd_t sysadm_home_dir_t:dir getattr;
@@ -171,7 +135,6 @@
 # Allow the httpd_t to read the web servers config files
 ###################################################
 r_dir_file(httpd_t, httpd_config_t)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
@@ -181,11 +144,6 @@
 r_dir_file(initrc_t, httpd_config_t)
 ##################################################
-########################################
-# Allow httpd_t to bind to the HTTP port
-########################################
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-
 ###############################
 # Allow httpd_t to put files in /var/cache/httpd etc
 ##############################
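Review bot: The new "Set up networking" banner in apache.te does not say which grants are unconditional and which depend on the boolean: `can_kerberos`, `can_resolve` and `can_ypbind` are always granted, while `can_network_client(httpd_t)` and the `port_type` name_connect rule sit inside `if (httpd_can_network_connect)`. I would add a comment above that `if`, for example `# Outbound connections to arbitrary ports are only allowed when httpd_can_network_connect is set`, so an administrator can see what the boolean gates. Whether the three unconditional macros carry any outbound access of their own is not visible in this hunk and is worth stating in the same comment.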
@@ -217,13 +175,14 @@
 allow httpd_t etc_t:file { read getattr ioctl };
 allow httpd_t etc_t:lnk_file { getattr read };
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
 # Run SSI execs in system CGI script domain.
 if (httpd_ssi_exec) {
 domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
 }
-r_dir_file(httpd_t, httpd_sys_script_ro_t)
-create_dir_file(httpd_t, httpd_sys_script_rw_t)
-ra_dir_file(httpd_t, httpd_sys_script_ra_t)
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 ##################################################
@@ -250,7 +209,6 @@
 # access to /tmp
 tmp_domain(httpd)
 tmp_domain(httpd_php)
-tmp_domain(httpd_suexec)
 # Creation of lock files for apache2
 lock_domain(httpd)
@@ -269,11 +227,11 @@
 allow httpd_t bin_t:dir search;
 allow httpd_t sbin_t:dir search;
 allow httpd_t httpd_log_t:dir remove_name;
+r_dir_file(httpd_t, fonts_t)
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 allow httpd_t autofs_t:dir { search getattr };
-allow httpd_suexec_t autofs_t:dir { search getattr };
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(nfs_t)
@@ -281,23 +239,12 @@
 if (use_samba_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(cifs_t)
 }
-r_dir_file(httpd_t, fonts_t)
 #
 # Allow users to mount additional directories as http_source
 #
 allow httpd_t mnt_t:dir r_dir_perms;
-########################################
-# When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here.
-##################################################
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-
-can_kerberos(httpd_t)
-
 ifdef(`targeted_policy', `
 typealias httpd_sys_content_t alias httpd_user_content_t;
 typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@@ -308,6 +255,9 @@
 }
 ') dnl targeted policy
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
 ifdef(`distro_redhat', `
 #
 # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
@@ -327,33 +277,27 @@
 dontaudit httpd_t usr_t:dir write;
 ')
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-
 application_domain(httpd_helper)
 role system_r types httpd_helper_t;
 domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
 allow httpd_helper_t httpd_config_t:file { getattr read };
 allow httpd_helper_t httpd_log_t:file { append };
+########################################
+# When the admin starts the server, the server wants to acess
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+##################################################
+
 if (httpd_tty_comm) {
 allow { httpd_t httpd_helper_t } devpts_t:dir { search };
 ifdef(`targeted_policy', `
 allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
 ')
 allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
 }
 read_sysctl(httpd_sys_script_t)
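Review bot: The comment block moved above `if (httpd_tty_comm)` in apache.te still says the permissions "are dontaudited here", but the block it now heads allows the access when the boolean is on and only dontaudits in the `else` branch. The `else` branch also names only `httpd_t`, while the allow rules cover `{ httpd_t httpd_helper_t }`, so with the boolean off the helper's terminal denials are still logged. If that asymmetry is not intended, `dontaudit { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;` keeps both branches aligned. I would reword the comment to describe the boolean, e.g. `# httpd_tty_comm: let httpd and its helper use the admin's TTY/PTY; otherwise silence the denials`.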
@@ -368,6 +312,64 @@
 type httpd_unconfined_script_t, domain, nscd_client_domain;
 role system_r types httpd_unconfined_script_t;
 unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec)
+allow httpd_t httpd_suexec_exec_t:file read;
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir search;
+allow httpd_suexec_t httpd_log_t:file { append getattr };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+')
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && !
httpd_disable_trans')) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+can_exec(httpd_t, httpdcontent )
+}
 if (httpd_enable_cgi) {
 domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
@@ -375,3 +377,21 @@
 allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
 }
+#
+# Types for squirrelmail
+#
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.6/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.6/domains/program/unused/dhcpc.te 2005-04-04 10:44:54.000000000 -0400
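Review bot: In apache.te the relocated suexec rules still grant `can_network(httpd_suexec_t)` under `httpd_can_network_connect`, although this same patch narrows httpd_t to `can_network_server` plus a boolean-gated `can_network_client`. If suexec only needs to originate connections under that boolean, `can_network_client(httpd_suexec_t)` would keep the two domains consistent. Separately, the new `httpd_builtin_scripting` conditional gives httpd_t both `create_dir_file` and `can_exec` on `httpdcontent`, so the server may execute content it is able to write. A comment above that `if` saying this is the accepted cost of combining `httpd_unified` with built-in scripting would help administrators decide whether to enable the booleans.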
@@ -44,6 +44,8 @@
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
 ')
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.6/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/hald.te 2005-04-04 10:44:54.000000000 -0400
@@ -43,6 +43,9 @@
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+
+can_getsecurity(hald_t)
 ifdef(`updfstab.te', `
 domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
@@ -73,3 +76,20 @@
 tmp_domain(hald)
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
+
+
+# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/sbin/dmidecode
+# Violates assertion
+#allow hald_t memory_device_t:chr_file read;
+allow hald_t self:capability sys_rawio;
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.6/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/kudzu.te 2005-04-04 10:44:54.000000000 -0400
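Review bot: The two rules added to the cardmgr block of dhcpc.te carry no comment, and `allow dhcpc_t cardmgr_dev_t:chr_file { read write };` looks like access to a descriptor inherited from cardmgr rather than a device the DHCP client opens itself. If that is the case, a `dontaudit` with the same permission set would silence the denial without giving dhcpc_t read/write on the device. If the access is genuinely needed, a one-line comment above the rule should name the operation that requires it. The enclosing ifdef starts above the hunk, so the guarding condition is not visible here.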
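Review bot: `allow hald_t self:capability sys_rawio;` in hald.te is added for dmidecode, but the rule that would let it read the memory device is commented out as "Violates assertion", so hald_t gains a powerful capability without the file access the comment says it is for. Unless something else in hald needs raw I/O, I would drop the capability (or `dontaudit` it) until dmidecode runs in a domain of its own that is permitted past the assertion. The `# ??` above the `lvm_control_t` rule should be replaced by the reason for the access, or the rule left out until the reason is known.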
@@ -100,3 +100,8 @@
 allow kudzu_t xserver_exec_t:file getattr;
 ')
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.6/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/domains/program/unused/NetworkManager.te 2005-04-04 10:44:54.000000000 -0400
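Review bot: The kudzu.te addition makes kudzu_t transition into `sysadm_userhelper_t` and adds that type to `system_r`, with no comment saying which kudzu action needs userhelper. Judging by its name the target domain acts on behalf of the administrator, so the transition deserves a justification in the file: a comment on the line above the userhelper.te ifdef naming the helper kudzu launches and why. It is also worth confirming that `sysadm_userhelper_t` is declared whenever userhelper.te is built, since this hunk only references the type.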
@@ -0,0 +1,76 @@
+#DESC NetworkManager -
+#
+# Authors: Dan Walsh
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon.
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t,
ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t domain:dir search;
+allow NetworkManager_t domain:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.6/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.6/domains/program/unused/ntpd.te 2005-04-04 10:44:54.000000000 -0400
@@ -41,7 +41,7 @@
 # Use the network.
 can_network(ntpd_t)
-allow ntpd_t port_type:tcp_socket name_connect;
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.23.6/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te 2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/unused/pam.te 2005-04-04 10:44:54.000000000 -0400
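Review bot: The new NetworkManager.te grants several broad permissions without a comment: `allow NetworkManager_t port_type:tcp_socket name_connect;` covers every port type, the capability set includes `dac_override`, `domain:file { getattr read }` reaches every domain, and `can_exec` includes `shell_exec_t`. This same patch narrows ntpd from `port_type` to `ntp_port_t`, so listing the port types NetworkManager really connects to would be preferable, and each of the other grants should carry a line saying what needs it. The comment `# in /etc created by NetworkManager will be labelled net_conf_t.` has lost its subject; `# Files created in /etc by NetworkManager are labelled net_conf_t.` reads correctly.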
@@ -37,4 +37,4 @@
 allow initrc_t pam_var_run_t:dir rw_dir_perms;
 allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file { read write };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.23.6/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/domains/program/unused/postgresql.te 2005-04-04 10:44:54.000000000 -0400
@@ -124,11 +124,15 @@
 ifdef(`distro_gentoo', `
 # "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir { search };
-allow postgresql_t initrc_su_t:process { sigchld };
+allow initrc_su_t postgresql_db_t:dir search;
+allow postgresql_t initrc_su_t:process sigchld;
 dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
 ')
 dontaudit postgresql_t home_root_t:dir search;
 can_kerberos(postgresql_t)
 allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.6/domains/program/unused/publicfile.te
--- nsapolicy/domains/program/unused/publicfile.te 2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.6/domains/program/unused/publicfile.te 2005-04-04 10:46:35.000000000 -0400
@@ -12,11 +12,6 @@
 type ftp_data_port_t, port_type, reserved_port_type;
 ')
-ifdef(`apache.te', `
-', `
-type http_port_t, port_type, reserved_port_type;
-')
-
 daemon_domain(publicfile)
 type publicfile_content_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.6/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/snmpd.te 2005-04-04 10:44:54.000000000 -0400
@@ -45,7 +45,9 @@
 allow snmpd_t proc_t:dir search;
 allow snmpd_t proc_t:file r_file_perms;
 allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file { read write };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.6/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/file_contexts/distros.fc 2005-04-04 10:44:54.000000000 -0400
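Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` in snmpd.te lets the SNMP daemon run a shell and any generic binary inside snmpd_t, that is, with all of the daemon's own permissions, and nothing in the hunk says what requires it. If this is for agent extension scripts (an assumption, the hunk does not say), a separate domain entered through `domain_auto_trans`, as other helpers in this policy use, would confine them better than executing them in the daemon's domain. At minimum, a comment above the rule should name the feature that needs shell execution so the grant can be revisited later.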
@@ -141,6 +141,10 @@
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
 /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
 /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.6/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/file_contexts/program/NetworkManager.fc 2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager
+/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.6/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/apache_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -4,14 +4,11 @@
 #This type is for webpages
 #
 type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-ifelse($1, sys, `
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
-ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;')
 # This type is used for .htaccess files
 #
-type httpd_$1_htaccess_t, file_type, sysadmfile;
+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
 # This type is used for executable scripts files
 #
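Review bot: The two patterns added to distros.fc leave their dots unescaped (`libdivxencore.so.0`, `libdeploy.so`), whereas the neighbouring `libmlib_jai\.so` entry escapes them; in a file-context regular expression an unescaped `.` matches any character. Writing them as `/usr/lib/libdivxencore\.so\.0` and `/usr/.*/jre/lib/i386/libdeploy\.so` would label only the intended files as `texrel_shlib_t`, a type that other rules in this patch allow `execmod` on. The leading `/usr/.*/` is also wide, and anchoring it to the actual JRE install prefix, if that is known, would narrow the match further.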
@@ -68,13 +65,6 @@
 type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
 #########################################################
 # Permissions for running child processes and scripts
 ##########################################################
@@ -117,20 +107,9 @@
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-ifelse($1, sys, `
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
-', `
-can_exec(httpd_$1_script_t, httpdcontent )
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-')
 create_dir_file(httpd_$1_script_t, httpdcontent)
 }
-ifelse($1, sys, `
 #
 # If a user starts a script by hand it gets the proper context
 #
@@ -138,7 +117,38 @@
 domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 }
 role sysadm_r types httpd_$1_script_t;
-', `
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+if (httpd_builtin_scripting) {
+r_dir_file(httpd_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_t, httpd_$1_script_rw_t)
+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
+r_dir_file(httpd_t, httpd_$1_content_t)
+}
+
+')
+define(`apache_user_domain', `
+
+apache_domain($1)
+
+typeattribute httpd_$1_content_t $1_file_type;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+}
 if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 # If a user starts a script by hand it gets the proper context
@@ -151,11 +161,7 @@
 #########################################
 create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-create_dir_file($1_crond_t, httpd_$1_content_t)
 allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-ifdef(`mozilla.te', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
 ######################################################################
 # Allow the user to create htaccess files
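Review bot: In apache_macros.te `r_dir_file(httpd_t, httpd_$1_content_t)` now sits inside `if (httpd_builtin_scripting)`, and apache.te declares that boolean `false` by default, so unless another rule grants it the server loses read access to its own static content under the default settings. The old macro granted this read unconditionally; that line is removed further down in this file. Moving the one line below the closing `}` of the conditional keeps static pages readable while the script_ro, script_rw and script_ra access stays gated by the boolean. The macro body begins above this hunk, so the surrounding structure should be checked when making the move.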
@@ -178,26 +184,8 @@
 r_dir_file(httpd_$1_script_t, nfs_t)
 ')dnl end if nfs_home_dirs
 }
-')dnl end ifelse sys
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-r_dir_file(httpd_t, httpd_$1_content_t)
-
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-r_dir_file(httpd_t, httpd_$1_script_rw_t)
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ifdef(`crond.te', `
+create_dir_file($1_crond_t, httpd_$1_content_t)
+')
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.6/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/gift_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -90,6 +90,13 @@
 uses_shlib($1_giftd_t)
 access_terminal($1_giftd_t, $1)
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file read;
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };
+
 # Access home domain
 home_domain_access($1_giftd_t, $1, gift)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.6/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.6/macros/program/java_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -31,7 +31,7 @@
 can_network_client($1_javaplugin_t)
 allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+allow $1_javaplugin_t self:process { execmem fork signal_perms getsched setsched };
 allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t etc_runtime_t:file { getattr read };
@@ -42,6 +42,7 @@
 allow $1_javaplugin_t self:file { getattr read };
 read_sysctl($1_javaplugin_t)
+allow $1_javaplugin_t sysctl_vm_t:dir search;
 tmp_domain($1_javaplugin)
 r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
@@ -50,6 +51,11 @@
 allow $1_javaplugin_t bin_t:dir search;
 can_exec($1_javaplugin_t, java_exec_t)
+# libdeploy.so legacy
+if (allow_execmod) {
+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+}
+
 # Allow connections to X server.
 ifdef(`xserver.te', `
@@ -111,4 +117,6 @@
 dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
 dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
+# Do not audit read/getattr of .fonts-cache-1
+dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.6/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/mozilla_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -55,6 +55,7 @@
 # for bash - old mozilla binary
 can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, shell_exec_t)
 can_exec($1_mozilla_t, bin_t)
 allow $1_mozilla_t bin_t:lnk_file read;
 allow $1_mozilla_t device_t:dir r_dir_perms;
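Review bot: In java_macros.te `execmem` is added to the `$1_javaplugin_t self:process` set unconditionally, while this same patch gates the equivalent postgresql rule on `allow_execmem` and the plugin's own `execmod` rule on `allow_execmod`. Taking `execmem` back out of the brace list and adding `if (allow_execmem) { allow $1_javaplugin_t self:process execmem; }` would let an administrator switch off writable-and-executable memory for the browser plugin with the same boolean used elsewhere. A short comment naming what in the plugin needs it, like the `# libdeploy.so legacy` note on the execmod rule, would complete the change.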
@@ -155,6 +156,11 @@
 allow $1_mozilla_t texrel_shlib_t:file execmod;
 }
 dbusd_client(system, $1_mozilla)
+ifdef(`apache.te', `
+ifelse($1, sysadm, `', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+')
 ')dnl end mozilla macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.6/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/macros/program/ssh_agent_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -49,6 +49,7 @@
 allow $1_ssh_agent_t proc_t:dir search;
 dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
 dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
 read_sysctl($1_ssh_agent_t)
 # Access the ssh temporary files. Should we have an own type here
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.6/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/user_macros.te 2005-04-04 10:44:54.000000000 -0400
@@ -44,7 +44,9 @@
 # user domain and the program, and allow us to maintain separation
 # between different instances of the program being run by different
 # user domains.
-ifdef(`apache.te', `apache_domain($1)')
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+')
 ifdef(`slocate.te', `locate_domain($1)')
 ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.6/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/distro.tun 2005-04-04 10:44:54.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
 dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.6/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/tunable.tun 2005-04-04 10:44:54.000000000 -0400
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.6/types/network.te
--- nsapolicy/types/network.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/types/network.te 2005-04-04 10:44:54.000000000 -0400
@@ -27,7 +27,7 @@
 type dhcpd_port_t, port_type, reserved_port_type;
 type smbd_port_t, port_type, reserved_port_type;
 type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
+type http_cache_port_t, port_type, reserved_port_type;
 type http_port_t, port_type, reserved_port_type;
 ifdef(`cyrus.te', `define(`use_pop')')
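Review bot: tunable.tun switches on `user_can_mount`, `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm` in one go, which by the file's own comments lets rpm, privileged utilities and rc scripts run unconfined and lets user_r reach sysadm_r. These are policy-wide defaults rather than fixes to a single domain, so they belong in a separate, clearly described change (or a distribution-specific tunables file) instead of riding along with the apache and NetworkManager work. If they must stay here, a comment beside each `define` saying why the distribution needs it would keep the weakened defaults auditable.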