* new policy patch
@ 2002-09-27 21:42 Russell Coker
  2002-10-01 16:51 ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Russell Coker @ 2002-09-27 21:42 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 613 bytes --]

The attached patch has my latest changes: a minor dpkg patch, some qmail 
changes that are particularly needed for mailman and other things that 
require mail to be piped, samba changes for /etc/samba/secrets.tdb, type 
labelling for the suseradd program, a squid cron job policy change, and a 
change that hopefully fixes the su gph problem Brian reported.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: new.diff --]
[-- Type: text/x-diff, Size: 6219 bytes --]

diff -ru /tmp/policy/domains/program/dpkg.te ./domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-09-27 22:27:37.000000000 +0200
+++ ./domains/program/dpkg.te	2002-09-27 17:39:34.000000000 +0200
@@ -59,7 +59,7 @@
 ')
 
 # for apt
-type apt_t, domain, admin;
+type apt_t, domain, admin, privmail;
 type apt_exec_t, file_type, sysadmfile, exec_type;
 type var_lib_apt_t, file_type, sysadmfile;
 type var_cache_apt_t, file_type, sysadmfile;
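Review bot: The `privmail` attribute added to `apt_t` on the changed `type` line is not explained; the only nearby comment is `# for apt`, and an attribute that widens what a domain may do should carry its own reason. Suggest a comment directly above the line, e.g. `# privmail: apt needs to invoke the mailer`, adjusted to whichever program actually triggers the mail access. The cover letter calls this a minor dpkg patch but does not say what needed mail.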
@@ -71,6 +71,7 @@
 file_type_auto_trans(apt_t, tmp_t, tmp_apt_t)
 
 dontaudit apt_t var_log_t:dir getattr;
+dontaudit apt_t var_run_t:dir search;
 
 # for rc files such as ~/.less
 r_dir_file(apt_t, sysadm_home_t)
diff -ru /tmp/policy/domains/program/qmail.te ./domains/program/qmail.te
--- /tmp/policy/domains/program/qmail.te	2002-09-27 22:27:38.000000000 +0200
+++ ./domains/program/qmail.te	2002-09-26 19:23:10.000000000 +0200
@@ -27,7 +27,7 @@
 # qmail_$1_exec_t is the type of the qmail_$1 executables.
 #
 define(`qmail_daemon_domain', `
-daemon_sub_domain(qmail_start_t, qmail_$1)
+daemon_sub_domain(qmail_start_t, qmail_$1, `$2')
 allow qmail_$1_t qmail_start_t:fifo_file { read write };
 
 ')dnl
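Review bot: The macro now forwards a second argument `$2` to `daemon_sub_domain`, but the header comment above it (ending with `# qmail_$1_exec_t is the type of the qmail_$1 executables.`) still documents only `$1`. Add a line such as `# $2 is an optional extra attribute list for qmail_$1_t, passed through to daemon_sub_domain; callers must include the leading comma`. The call site in the next hunk, `qmail_daemon_domain(lspawn, `, mta_delivery_agent')`, shows that leading-comma convention, which matches how `daemon_domain` is called elsewhere in the policy. The comment block this refers to starts above the hunk.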
@@ -36,7 +36,7 @@
 
 allow qmail_start_t self:capability setgid;
 
-qmail_daemon_domain(lspawn)
+qmail_daemon_domain(lspawn, `, mta_delivery_agent')
 allow qmail_lspawn_t self:fifo_file { read write };
 allow qmail_lspawn_t self:capability { setuid setgid };
 allow qmail_lspawn_t self:process fork;
@@ -95,10 +95,17 @@
 allow qmail_local_t qmail_queue_exec_t:file read;
 allow qmail_local_t etc_qmail_t:dir { getattr read search };
 allow qmail_local_t etc_qmail_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file read;
+allow qmail_local_t qmail_spool_t:file { ioctl read };
 allow qmail_local_t self:fifo_file write;
 allow qmail_local_t sbin_t:dir search;
 
+# for piping mail to a command
+can_exec(qmail_local_t, shell_exec_t)
+allow qmail_local_t bin_t:dir search;
+allow qmail_local_t bin_t:lnk_file read;
+allow qmail_local_t devtty_t:chr_file rw_file_perms;
+allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
+
 daemon_sub_domain(tcpd_t, qmail_tcp_env)
 allow qmail_tcp_env_t inetd_t:fd use;
 allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
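Review bot: `can_exec(qmail_local_t, shell_exec_t)` runs the shell inside `qmail_local_t` with no domain transition, so every command a `.qmail` file pipes mail to inherits all of qmail_local_t's access (spool and /etc/qmail reads, the tty, the proc and etc_runtime reads added here). The other new rules only grant `bin_t:dir search` and `bin_t:lnk_file read`, so programs under `bin_t` are presumably still not executable from this domain unless a rule outside this hunk allows it; whether mailman's wrapper is reachable cannot be seen from the diff. A comment making the boundary explicit would help, e.g. `# piped delivery commands run in qmail_local_t (no domain transition); only the shell itself is executable here`. If the delivery command is meant to have more or different access than qmail_local_t, a `domain_auto_trans` onto its executable type is the safer shape.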
diff -ru /tmp/policy/domains/program/samba.te ./domains/program/samba.te
--- /tmp/policy/domains/program/samba.te	2002-08-23 21:04:28.000000000 +0200
+++ ./domains/program/samba.te	2002-09-27 22:58:07.000000000 +0200
@@ -14,6 +14,7 @@
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
 type samba_share_t, file_type, sysadmfile;
+type samba_secrets_t, file_type, sysadmfile;
 
 #################################
 #
@@ -35,9 +36,12 @@
 can_network(smbd_t)
 
 # Permissions for Samba files in /etc/samba
-#allow smbd_t samba_etc_t:file { write setattr getattr read lock };
+# either allow read access to the directory or allow the auto_trans rule to
+# allow creation of the secrets.tdb file
+#allow smbd_t samba_etc_t:dir { search getattr };
+file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
+
 allow smbd_t samba_etc_t:file { getattr read };
-allow smbd_t samba_etc_t:dir { search getattr };
 
 # Permissions for Samba cache files in /var/cache/samba
 allow smbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
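Review bot: `file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)` labels every file smbd creates in a `samba_etc_t` directory as `samba_secrets_t`, not just `secrets.tdb`, and presumably grants smbd create/write access on that type; the comment above it (`# either allow read access to the directory or allow the auto_trans rule to ...`) reads as a note-to-self rather than a description of what was chosen. Suggest replacing it with `# smbd creates /etc/samba/secrets.tdb: new files in /etc/samba are labelled samba_secrets_t, and the macro supplies the dir access the old dir rule granted`. The removed `allow smbd_t samba_etc_t:dir { search getattr }` is only safe to drop if the macro does cover the directory permissions — confirm against the macro definition, which is outside this diff.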
diff -ru /tmp/policy/domains/program/squid.te ./domains/program/squid.te
--- /tmp/policy/domains/program/squid.te	2002-08-23 21:04:28.000000000 +0200
+++ ./domains/program/squid.te	2002-09-22 22:39:19.000000000 +0200
@@ -50,6 +50,7 @@
 allow squid_t var_log_squid_t:file create_file_perms;
 ifdef(`logrotate.te',
 `domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
+ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
 
 # Use the network
 can_network(squid_t)
diff -ru /tmp/policy/file_contexts/program/passwd.fc ./file_contexts/program/passwd.fc
--- /tmp/policy/file_contexts/program/passwd.fc	2002-09-27 22:27:40.000000000 +0200
+++ ./file_contexts/program/passwd.fc	2002-08-22 21:49:40.000000000 +0200
@@ -3,9 +3,11 @@
 /usr/local/selinux/bin/schsh	system_u:object_r:passwd_exec_t
 /usr/local/selinux/bin/schfn	system_u:object_r:passwd_exec_t
 /usr/local/selinux/bin/svipw    system_u:object_r:admin_passwd_exec_t
+/usr/local/selinux/bin/suseradd system_u:object_r:admin_passwd_exec_t
 /usr/local/selinux/bin/sadminpasswd system_u:object_r:admin_passwd_exec_t
 /usr/bin/spasswd		system_u:object_r:passwd_exec_t
 /usr/bin/schsh			system_u:object_r:passwd_exec_t
 /usr/bin/schfn			system_u:object_r:passwd_exec_t
 /usr/bin/svipw                 system_u:object_r:admin_passwd_exec_t
+/usr/bin/suseradd              system_u:object_r:admin_passwd_exec_t
 /usr/bin/sadminpasswd          system_u:object_r:admin_passwd_exec_t
diff -ru /tmp/policy/file_contexts/program/samba.fc ./file_contexts/program/samba.fc
--- /tmp/policy/file_contexts/program/samba.fc	2002-07-12 17:19:44.000000000 +0200
+++ ./file_contexts/program/samba.fc	2002-09-27 22:58:30.000000000 +0200
@@ -4,5 +4,4 @@
 /etc/samba(/.*)?		system_u:object_r:samba_etc_t
 /var/log/samba(/.*)?		system_u:object_r:samba_log_t
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
-#/net/music(/.*)?		system_u:object_r:samba_share_t
-#/net/pub(/.*)?			system_u:object_r:samba_share_t
+/etc/samba/secrets.tdb		system_u:object_r:samba_secrets_t
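Review bot: The new entry `/etc/samba/secrets.tdb` leaves the dot unescaped although file_contexts specs are regular expressions, so it also matches names such as `secretsXtdb`; other entries in this policy escape it (e.g. `/etc/modules\.conf`). Prefer `/etc/samba/secrets\.tdb		system_u:object_r:samba_secrets_t`. If setfiles still applies the last matching specification, the line must also stay below `/etc/samba(/.*)?` for the more specific label to win; a one-line comment saying so would guard against a later reorder.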
diff -ru /tmp/policy/macros/program/su_macros.te ./macros/program/su_macros.te
--- /tmp/policy/macros/program/su_macros.te	2002-09-27 22:27:44.000000000 +0200
+++ ./macros/program/su_macros.te	2002-09-27 12:52:43.000000000 +0200
@@ -34,11 +34,6 @@
 # Revert to the user domain when a shell is executed.
 domain_auto_trans($1_su_t, shell_exec_t, $1_t)
 
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',
-`allow $1_su_t $1_gph_t:fd use;
-allow $1_t $1_gph_t:fd use;')
-
 allow $1_su_t privfd:fd use;
 
 # Write to utmp.
@@ -53,6 +48,11 @@
 # Run chkpwd.
 can_exec($1_su_t, chkpwd_exec_t)
 
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `
+allow { $1_su_t $1_t } $1_gph_t:fd use;
+')
+
 # The user role is authorized for this domain.
 role $1_r types $1_su_t;
 


* Re: new policy patch
  2002-09-27 21:42 Russell Coker
@ 2002-10-01 16:51 ` Stephen Smalley
  0 siblings, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2002-10-01 16:51 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux


On Fri, 27 Sep 2002, Russell Coker wrote:

> The attached patch has my latest changes.  A minor dpkg patch, some qmail
> changes that are particularly needed for mailman and other things that
> require mail being piped, samba changes for /etc/samba/secrets.tdb, type
> labelling for the suseradd program, a squid cron job policy change, and a
> change that hopefully fixes the su gph problem Brian reported.

Thanks, merged except for the suseradd stuff, which has moved into
suseradd.fc.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* new policy patch
@ 2003-08-01  0:01 Russell Coker
  0 siblings, 0 replies; 16+ messages in thread
From: Russell Coker @ 2003-08-01  0:01 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1321 bytes --]

This patch has some policy changes related to the change from 
sysadm_home_dir_t to staff_home_dir_t for the /root directory (incidentally, 
do we even need sysadm_home_dir_t any more?).

I've made significant changes to net_contexts and related files and made 
can_network() not permit binding to port_t.  I've got all the common daemons 
working well with this, but there may be some I've missed.

I've fixed the ftpd.te problem as previously discussed.

The new version of rpc.statd has slightly different functionality, I changed 
the policy to allow it to do what it needs to do.

I've made some changes to the rpm policy.  The old version did not work very 
well; my new version should be an improvement.  It would be good if someone 
could test this.

I've made a change to the watchdog policy that will allow it to work properly.

I've changed the file_contexts entries for postfix to deal with the Debian 
package creating the chroot directories and the startup scripts searching 
them and causing audit messages.

There are also many other minor changes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 31100 bytes --]

diff -ru /tmp/policy/domains/misc/kernel.te policy/domains/misc/kernel.te
--- /tmp/policy/domains/misc/kernel.te	2003-07-31 13:20:08.000000000 +1000
+++ policy/domains/misc/kernel.te	2003-07-11 20:55:13.000000000 +1000
@@ -17,6 +17,7 @@
 general_proc_read_access(kernel_t)
 base_file_read_access(kernel_t)
 uses_shlib(kernel_t)
+can_exec(kernel_t, shell_exec_t)
 
 # Use capabilities.
 allow kernel_t self:capability *;
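Review bot: `can_exec(kernel_t, shell_exec_t)` lets the kernel domain run a shell with no domain transition, and a few lines below this file grants `allow kernel_t self:capability *;`, so any script started this way runs in the most privileged domain in the policy. The rule it replaces, removed from hotplug.te in this same diff (`allow kernel_t shell_exec_t:file execute` under `# allow kernel thread to run a shell to interpret the script`), was narrower, and `can_exec` presumably expands to more than the single `execute` permission. At minimum keep that explanatory comment here; better, give the hotplug helper a `domain_auto_trans` from `kernel_t` on its executable type so the script runs confined in `hotplug_t` rather than as `kernel_t`.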
diff -ru /tmp/policy/domains/program/checkpolicy.te policy/domains/program/checkpolicy.te
--- /tmp/policy/domains/program/checkpolicy.te	2003-03-14 02:14:31.000000000 +1100
+++ policy/domains/program/checkpolicy.te	2003-07-16 11:11:33.000000000 +1000
@@ -44,12 +44,14 @@
 `allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
 # Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
 uses_shlib(checkpolicy_t)
 allow checkpolicy_t self:capability dac_override;
 
 allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
 
+allow checkpolicy_t fs_t:filesystem getattr;
+
 ##########################
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file
diff -ru /tmp/policy/domains/program/initrc.te policy/domains/program/initrc.te
--- /tmp/policy/domains/program/initrc.te	2003-07-31 13:20:15.000000000 +1000
+++ policy/domains/program/initrc.te	2003-07-12 20:38:43.000000000 +1000
@@ -20,6 +20,9 @@
 uses_shlib(initrc_t);
 type initrc_exec_t, file_type, sysadmfile, exec_type;
 
+# for halt to down interfaces
+allow initrc_t self:udp_socket create_socket_perms;
+
 # read files in /etc/init.d
 allow initrc_t etc_t:lnk_file r_file_perms;
 
diff -ru /tmp/policy/domains/program/logrotate.te policy/domains/program/logrotate.te
--- /tmp/policy/domains/program/logrotate.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/logrotate.te	2003-08-01 08:48:02.000000000 +1000
@@ -28,7 +28,7 @@
 allow logrotate_t etc_runtime_t:{ file lnk_file } r_file_perms;
 
 # it should not require this
-allow logrotate_t sysadm_home_dir_t:dir { read getattr search };
+allow logrotate_t staff_home_dir_t:dir { read getattr search };
 
 # create lock files
 rw_dir_create_file(logrotate_t, var_lock_t)
diff -ru /tmp/policy/domains/program/modutil.te policy/domains/program/modutil.te
--- /tmp/policy/domains/program/modutil.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/modutil.te	2003-08-01 09:03:28.000000000 +1000
@@ -55,8 +55,8 @@
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 
 # Read System.map from home directories.
-allow depmod_t { home_root_t user_home_dir_type sysadm_home_dir_t }:dir r_dir_perms;
-r_dir_file(depmod_t, { user_home_type sysadm_home_t })
+allow depmod_t { home_root_t staff_home_dir_t }:dir r_dir_perms;
+r_dir_file(depmod_t, staff_home_t)
 
 #################################
 #
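Review bot: The new rules drop `user_home_dir_type`/`user_home_type` and keep only `home_root_t` with `staff_home_dir_t`/`staff_home_t`, so depmod can no longer read a System.map under ordinary users' home directories; that narrowing is welcome, but the unchanged comment `# Read System.map from home directories.` now overstates it. Suggest `# Read System.map from /root (staff_home_dir_t) only.`, assuming /root is now labelled staff_home_dir_t as the cover letter says. The second hunk of this file is a plain rename and needs nothing.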
@@ -154,7 +154,7 @@
 allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
 allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
+dontaudit update_modules_t staff_home_dir_t:dir search;
 
 uses_shlib(update_modules_t)
 allow update_modules_t self:process { fork sigchld };
diff -ru /tmp/policy/domains/program/mount.te policy/domains/program/mount.te
--- /tmp/policy/domains/program/mount.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/mount.te	2003-07-12 19:59:50.000000000 +1000
@@ -34,11 +34,12 @@
 allow mount_t proc_t:dir mounton;
 allow mount_t root_t:dir mounton;
 allow mount_t home_root_t:dir mounton;
+allow mount_t tmp_t:dir mounton;
 # On some RedHat systems, /boot is a mount point
 allow mount_t boot_t:dir mounton;
 allow mount_t device_t:dir mounton;
 ifdef(`devfsd.te', `
-allow mount_t device_t:filesystem unmount;
+allow mount_t device_t:filesystem { mount unmount };
 ')
 allow mount_t root_t:filesystem unmount;
 
diff -ru /tmp/policy/domains/program/ssh.te policy/domains/program/ssh.te
--- /tmp/policy/domains/program/ssh.te	2003-07-31 13:20:16.000000000 +1000
+++ policy/domains/program/ssh.te	2003-07-31 05:31:18.000000000 +1000
@@ -38,11 +38,6 @@
 allow $1 etc_runtime_t:{ file lnk_file } r_file_perms;
 allow $1 resolv_conf_t:{ file lnk_file } r_file_perms;
 
-# Read the linker, shared library, and executable types.
-allow $1 ld_so_t:{ file lnk_file } r_file_perms;
-allow $1 shlib_t:{ file lnk_file } r_file_perms;
-allow $1 exec_type:{ file lnk_file } r_file_perms;
-
 # Read and write /dev/tty and /dev/null.
 allow $1 devtty_t:chr_file rw_file_perms;
 allow $1 { null_device_t zero_device_t }:chr_file rw_file_perms;
@@ -91,6 +86,10 @@
 # sshd_key_t is the type of the ssh private key files
 #
 sshd_program_domain(sshd_t)
+
+# for X forwarding
+allow sshd_t port_t:tcp_socket name_bind;
+
 type sshd_exec_t, file_type, exec_type, sysadmfile;
 
 ifdef(`inetd.te', `
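Review bot: `allow sshd_t port_t:tcp_socket name_bind;` lets sshd bind any port labelled with the generic `port_t`, far wider than the X11-forwarding listener the comment `# for X forwarding` describes, and the cover letter says `can_network()` was just changed precisely so that binding `port_t` is no longer granted by default. This diff already introduces dedicated types for fixed ports elsewhere (`dhcpc_port_t`, `dhcpd_port_t`, `inetd_port_t`); the same approach — a port type for the X forwarding range assigned in net_contexts — would keep sshd off arbitrary unreserved ports. The `port_t` binds added for portmap, radiusd and rpcd in this diff follow the same pattern, though those daemons use dynamically allocated ports and may genuinely need it.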
diff -ru /tmp/policy/domains/program/unused/bootloader.te policy/domains/program/unused/bootloader.te
--- /tmp/policy/domains/program/unused/bootloader.te	2003-07-31 13:20:21.000000000 +1000
+++ policy/domains/program/unused/bootloader.te	2003-07-12 22:22:41.000000000 +1000
@@ -83,9 +83,10 @@
 
 allow bootloader_t fs_t:filesystem getattr;
 
-allow bootloader_t proc_t:dir r_dir_perms;
+allow bootloader_t proc_t:dir { getattr search };
 allow bootloader_t proc_t:file r_file_perms;
 allow bootloader_t proc_t:lnk_file read;
+allow bootloader_t self:dir { getattr search read };
 allow bootloader_t sysctl_kernel_t:dir search;
 allow bootloader_t sysctl_kernel_t:file { getattr read };
 allow bootloader_t etc_runtime_t:file r_file_perms;
diff -ru /tmp/policy/domains/program/unused/cups.te policy/domains/program/unused/cups.te
--- /tmp/policy/domains/program/unused/cups.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/cups.te	2003-07-15 00:15:04.000000000 +1000
@@ -36,7 +36,7 @@
 allow cupsd_t proc_t:file r_file_perms;
 allow cupsd_t proc_t:dir r_dir_perms;
 allow cupsd_t { sysctl_t sysctl_kernel_t sysctl_dev_t }:dir search;
-allow cupsd_t sysctl_kernel_t:file { getattr read };
+allow cupsd_t { sysctl_kernel_t sysctl_dev_t }:file { getattr read };
 
 # allow cups to execute its backend scripts
 can_exec(cupsd_t, cupsd_exec_t)
@@ -57,7 +57,7 @@
 r_dir_file(cupsd_t, readable_t)
 
 # Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:tcp_socket name_bind;
+allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
 
 can_tcp_connect(web_client_domain, cupsd_t)
 can_tcp_connect(cupsd_t, cupsd_t)
diff -ru /tmp/policy/domains/program/unused/devfsd.te policy/domains/program/unused/devfsd.te
--- /tmp/policy/domains/program/unused/devfsd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/devfsd.te	2003-07-11 00:03:18.000000000 +1000
@@ -9,7 +9,7 @@
 #
 type etc_devfsd_t, file_type, sysadmfile;
 
-allow kernel_t device_t:dir mounton;
+allow kernel_t { device_t root_t }:dir mounton;
 
 daemon_domain(devfsd)
 
diff -ru /tmp/policy/domains/program/unused/dhcpc.te policy/domains/program/unused/dhcpc.te
--- /tmp/policy/domains/program/unused/dhcpc.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dhcpc.te	2003-07-26 01:34:09.000000000 +1000
@@ -14,6 +14,8 @@
 # dhcpc_exec_t is the type of the dhcpcd executable.
 # The dhcpc_t can be used for other DHCPC related files as well.
 #
+type dhcpc_port_t, port_type;
+
 daemon_domain(dhcpc)
 can_network(dhcpc_t)
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
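Review bot: `type dhcpc_port_t, port_type;` is declared here and bound in the last hunk of this file (`allow dhcpc_t dhcpc_port_t:udp_socket name_bind;` under `# for udp port 68`), but no net_contexts hunk assigning port 68 to `dhcpc_port_t` appears in this diff; without that entry the port keeps its generic label and the bind is denied. The same applies to `dhcpd_port_t` (port 67) in dhcpd.te and `inetd_port_t` (the chargen/echo ports) in inetd.te. The cover letter says net_contexts was changed, so this is probably just missing from the posted diff — worth confirming the three entries are present.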
@@ -22,8 +24,14 @@
 
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
+allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
 ')
+ifdef(`hotplug.te', `
+domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
+allow hotplug_t dhcpc_t:process signal_perms;
+allow hotplug_t dhcpc_var_run_t:file { getattr read };
+')
 
 # for the dhcp client to run ping to check IP addresses
 ifdef(`ping.te', `
@@ -32,7 +40,13 @@
 dontaudit ping_t dhcpc_state_t:file read;
 dontaudit ping_t dhcpc_t:packet_socket { read write };
 dontaudit ping_t dhcpc_t:udp_socket { read write };
-')
+ifdef(`hotplug.te', `
+allow ping_t hotplug_t:fd use;
+') dnl end if hotplug
+ifdef(`cardmgr.te', `
+allow ping_t cardmgr_t:fd use;
+') dnl end if cardmgr
+') dnl end if ping
 
 ifdef(`dhcpd.te', `', `
 type dhcp_state_t, file_type, sysadmfile;
@@ -49,6 +63,9 @@
 # Use capabilities
 allow dhcpc_t self:capability { net_admin net_raw net_bind_service };
 
+# for udp port 68
+allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
+
 # Allow read/write to /etc/resolv.conf. Note that any files in /etc 
 # created by dhcpcd will be labelled resolv_conf_t. As of RH 7.2, no
 # other files are accessed in the /etc dir, only in /etc/dhcpc dir.
diff -ru /tmp/policy/domains/program/unused/dhcpd.te policy/domains/program/unused/dhcpd.te
--- /tmp/policy/domains/program/unused/dhcpd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dhcpd.te	2003-07-31 05:23:46.000000000 +1000
@@ -16,6 +16,10 @@
 #
 daemon_domain(dhcpd)
 
+# for UDP port 67
+type dhcpd_port_t, port_type;
+allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
+
 type etc_dhcp_t alias { etc_dhcpc_t etc_dhcpd_t }, file_type, sysadmfile;
 
 # Use the network.
diff -ru /tmp/policy/domains/program/unused/dpkg.te policy/domains/program/unused/dpkg.te
--- /tmp/policy/domains/program/unused/dpkg.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/dpkg.te	2003-08-01 08:46:54.000000000 +1000
@@ -130,8 +130,8 @@
 dontaudit apt_t var_run_t:dir search;
 
 # for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
+r_dir_file(apt_t, staff_home_t)
+allow apt_t staff_home_dir_t:dir { search getattr };
 
 allow apt_t bin_t:lnk_file r_file_perms;
 
@@ -293,7 +293,7 @@
 type debian_menu_t, file_type, sysadmfile;
 
 r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
+dontaudit install_menu_t staff_home_dir_t:dir search;
 allow install_menu_t debian_menu_t:dir create_dir_perms;
 allow install_menu_t debian_menu_t:{ file lnk_file } create_file_perms;
 allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
@@ -304,6 +304,9 @@
 allow install_menu_t { bin_t sbin_t }:dir search;
 allow install_menu_t bin_t:lnk_file read;
 
+# for menus
+allow install_menu_t usr_t:file r_file_perms;
+
 # for /etc/kde3/debian/kde-update-menu.sh
 can_exec(install_menu_t, etc_t)
 
diff -ru /tmp/policy/domains/program/unused/ftpd.te policy/domains/program/unused/ftpd.te
--- /tmp/policy/domains/program/unused/ftpd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/ftpd.te	2003-08-01 09:11:46.000000000 +1000
@@ -11,8 +11,6 @@
 type ftp_port_t, port_type;
 daemon_domain(ftpd, `, auth')
 type etc_ftpd_t, file_type, sysadmfile;
-ifdef(`inetd.te', `domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)')
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
 
 can_network(ftpd_t)
 allow ftpd_t self:unix_dgram_socket create_socket_perms;
@@ -25,10 +23,19 @@
 ')
 
 ifdef(`ftpd_daemon', `
+ifdef(`inetd.te', `', `
+define(`ftpd_is_daemon', `')
+') dnl end inetd.te
+') dnl end ftpd_daemon
+
+ifdef(`ftpd_is_daemon', `
 rw_dir_create_file(ftpd_t, var_lock_t)
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 ', `
+domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
+ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
+
 # Use sockets inherited from inetd.
 allow ftpd_t inetd_t:fd use;
 allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
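Review bot: With the new nesting, `ftpd_is_daemon` is defined only when `ftpd_daemon` is set and `inetd.te` is absent, so a system that defines `ftpd_daemon` but also ships inetd.te silently gets the inetd-spawned configuration (`domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)`) and never gets the `ftp_port_t` bind; that precedence is nowhere stated. Add a comment above the first `ifdef(`ftpd_daemon'`, e.g. `# inetd.te takes precedence over ftpd_daemon: when inetd is present ftpd is assumed to be run from it`. Note also that the else branch now references `inetd_t` unconditionally (the new `domain_auto_trans` and the pre-existing `allow ftpd_t inetd_t:fd use;`), so the policy will not build with neither `ftpd_daemon` nor inetd.te defined — presumably an unsupported combination, but worth a line saying so.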
diff -ru /tmp/policy/domains/program/unused/hotplug.te policy/domains/program/unused/hotplug.te
--- /tmp/policy/domains/program/unused/hotplug.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/hotplug.te	2003-07-11 00:03:07.000000000 +1000
@@ -11,9 +11,6 @@
 #
 daemon_domain(hotplug)
 
-# allow kernel thread to run a shell to interpret the script
-allow kernel_t shell_exec_t:file execute;
-
 type etc_hotplug_t, file_type, sysadmfile;
 
 allow hotplug_t self:fifo_file { read write getattr ioctl };
diff -ru /tmp/policy/domains/program/unused/hwclock.te policy/domains/program/unused/hwclock.te
--- /tmp/policy/domains/program/unused/hwclock.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/hwclock.te	2003-08-01 08:47:17.000000000 +1000
@@ -22,6 +22,8 @@
 domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
 ')
 
+allow hwclock_t fs_t:filesystem getattr;
+
 read_locale(hwclock_t)
 
 # Give hwclock the capabilities it requires.  dac_override is a surprise,
diff -ru /tmp/policy/domains/program/unused/inetd.te policy/domains/program/unused/inetd.te
--- /tmp/policy/domains/program/unused/inetd.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/inetd.te	2003-07-12 11:57:50.000000000 +1000
@@ -14,6 +14,8 @@
 #
 # Rules for the inetd_t domain.
 #
+type inetd_port_t, port_type;
+
 daemon_domain(inetd)
 
 can_network(inetd_t)
@@ -45,6 +47,9 @@
 ifdef(`rlogind.te', `allow inetd_t rlogin_port_t:tcp_socket name_bind;')
 ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
 
+# allow to bind to chargen, echo, etc
+allow inetd_t inetd_port_t:{ tcp_socket udp_socket } name_bind;
+
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 
diff -ru /tmp/policy/domains/program/unused/ipsec.te policy/domains/program/unused/ipsec.te
--- /tmp/policy/domains/program/unused/ipsec.te	2003-07-31 13:20:22.000000000 +1000
+++ policy/domains/program/unused/ipsec.te	2003-08-01 08:56:50.000000000 +1000
@@ -200,7 +200,7 @@
 allow ipsec_t self:fifo_file { read getattr };
 
 # ideally it would not need this.  It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+file_type_auto_trans(ipsec_mgmt_t, staff_home_dir_t, staff_home_t, file)
 
 allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
 allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
diff -ru /tmp/policy/domains/program/unused/named.te policy/domains/program/unused/named.te
--- /tmp/policy/domains/program/unused/named.te	2003-07-31 13:20:23.000000000 +1000
+++ policy/domains/program/unused/named.te	2003-08-01 08:48:48.000000000 +1000
@@ -128,5 +128,5 @@
 allow ndc_t named_var_run_t:file getattr;
 allow ndc_t named_zone_t:dir { read getattr };
 allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
+dontaudit ndc_t staff_home_t:dir { getattr search read };
 ')
diff -ru /tmp/policy/domains/program/unused/pamconsole.te policy/domains/program/unused/pamconsole.te
--- /tmp/policy/domains/program/unused/pamconsole.te	2003-03-05 01:57:16.000000000 +1100
+++ policy/domains/program/unused/pamconsole.te	2003-04-22 20:01:53.000000000 +1000
@@ -4,7 +4,7 @@
 type pam_console_exec_t, file_type, sysadmfile, exec_type;
 type pam_console_t, domain;
 role system_r types pam_console_t;
-every_domain(pam_console_t)
+uses_shlib(pam_console_t)
 domain_auto_trans(initrc_t, pam_console_exec_t, pam_console_t)
 
 # Allow access to /dev/console through the fd:
diff -ru /tmp/policy/domains/program/unused/portmap.te policy/domains/program/unused/portmap.te
--- /tmp/policy/domains/program/unused/portmap.te	2003-07-31 13:20:25.000000000 +1000
+++ policy/domains/program/unused/portmap.te	2003-07-12 20:00:14.000000000 +1000
@@ -21,6 +21,9 @@
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
 
+# portmap binds to arbitary ports
+allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
+
 allow portmap_t etc_t:file { getattr read };
 
 # Send to ypbind, initrc, rpc.statd, xinetd.
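Review bot: `# portmap binds to arbitary ports` misspells "arbitrary"; the same spelling appears in rpcd.te's `# bind to arbitary unused ports` in this diff. Beyond spelling, the comment would carry more weight if it said why the generic `port_t` bind is needed now, e.g. `# portmap binds to arbitrary unreserved ports; can_network no longer grants port_t name_bind` — adjust if the reason differs.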
@@ -39,6 +42,8 @@
 ')
 can_udp_send(portmap_t, kernel_t)
 can_udp_send(kernel_t, portmap_t)
+can_udp_send(sysadm_t, portmap_t)
+can_udp_send(portmap_t, sysadm_t)
 
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
diff -ru /tmp/policy/domains/program/unused/radius.te policy/domains/program/unused/radius.te
--- /tmp/policy/domains/program/unused/radius.te	2003-07-31 13:20:27.000000000 +1000
+++ policy/domains/program/unused/radius.te	2003-07-12 12:04:24.000000000 +1000
@@ -51,6 +51,10 @@
 
 can_network(radiusd_t)
 allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
+
+# for RADIUS proxy port
+allow radiusd_t port_t:udp_socket name_bind;
+
 ifdef(`snmpd.te', `
 can_tcp_connect(radiusd_t, snmpd_t)
 ')
diff -ru /tmp/policy/domains/program/unused/rpcd.te policy/domains/program/unused/rpcd.te
--- /tmp/policy/domains/program/unused/rpcd.te	2003-07-31 13:20:27.000000000 +1000
+++ policy/domains/program/unused/rpcd.te	2003-07-31 10:59:05.000000000 +1000
@@ -11,7 +11,7 @@
 # rpcd_t is the domain of rpc daemons.
 # rpcd_exec_t is the type of rpc daemon programs.
 #
-daemon_base_domain(rpcd)
+daemon_domain(rpcd)
 can_network(rpcd_t)
 allow rpcd_t resolv_conf_t:file { getattr read };
 can_udp_send({ init_t initrc_t }, rpcd_t)
@@ -23,6 +23,7 @@
 
 allow rpcd_t self:unix_dgram_socket create_socket_perms;
 allow rpcd_t self:unix_stream_socket create_socket_perms;
+allow rpcd_t self:fifo_file rw_file_perms;
 
 can_udp_send(rpcd_t, rpcd_t)
 can_udp_send(mount_t, rpcd_t)
@@ -41,6 +42,9 @@
 # Use capabilities.
 allow rpcd_t self:capability { net_bind_service dac_override setgid setuid };
 
+# bind to arbitary unused ports
+allow rpcd_t port_t:{ tcp_socket udp_socket } name_bind;
+
 # Access /var/lib/nfs.
 allow rpcd_t { var_t var_lib_t }:dir search;
 allow rpcd_t var_lib_nfs_t:dir rw_dir_perms;
diff -ru /tmp/policy/domains/program/unused/rpm.te policy/domains/program/unused/rpm.te
--- /tmp/policy/domains/program/unused/rpm.te	2003-03-05 01:57:20.000000000 +1100
+++ policy/domains/program/unused/rpm.te	2003-04-22 20:00:42.000000000 +1000
@@ -11,21 +11,21 @@
 #
 type rpm_t, domain, privlog;
 role system_r types rpm_t;
-role sysadm_r types rpm_t;
-every_domain(rpm_t)
+uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(system_crond_t, rpm_exec_t, rpm_t)
+
+system_crond_entry(rpm_exec_t, rpm_t)
+#role sysadm_r types rpm_t;
 #domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
 
 type rpm_file_t, file_type, sysadmfile;
 type var_lib_rpm_t, file_type, sysadmfile;
 
-type rpm_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(rpm_t, tmp_t, rpm_tmp_t)
+tmp_domain(rpm)
 
-type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t)
-allow rpm_tmpfs_t tmpfs_t:filesystem associate;
+#type rpm_tmpfs_t, file_type, sysadmfile, tmpfsfile;
+#file_type_auto_trans(rpm_t, tmpfs_t, rpm_tmpfs_t)
+#allow rpm_tmpfs_t tmpfs_t:filesystem associate;
 
 type var_log_rpm_t, file_type, sysadmfile, logfile;
 file_type_auto_trans(rpm_t, var_log_t, var_log_rpm_t)
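Review bot: The hunk leaves new commented-out rules in place (`#role sysadm_r types rpm_t;` and the three `rpm_tmpfs_t` lines) while the last hunk of this file deletes older commented-out rules outright, so the file ends up with a mix of dead policy and deletions with no note on which are meant to come back. Either drop them or add a one-line reason, e.g. `# tmpfs rules disabled: not needed when rpm runs from cron; re-enable if denied`, adjusted to the real reason. Removing `role sysadm_r types rpm_t` also means rpm_t is now entered only through `system_crond_entry`, which fits the cover letter's request for testing but deserves a comment so the missing sysadm path is not mistaken for an oversight.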
@@ -34,7 +34,7 @@
 can_exec_any(rpm_t)
 
 # Capabilties needed by rpm utils
-allow rpm_t rpm_t:capability { dac_override dac_read_search chown setuid setgid };
+allow rpm_t self:capability { dac_override dac_read_search chown setuid setgid };
 
 # Access /usr/lib files
 allow rpm_t lib_t:dir r_dir_perms;
@@ -44,15 +44,10 @@
 allow rpm_t var_lib_rpm_t:dir rw_dir_perms;
 allow rpm_t var_lib_rpm_t:file create_file_perms;
 
-# When the RPM updates are run from cron, inherit cron descriptors and 
-# read from the FIFO created by cron
-allow rpm_t crond_t:fd use;
-allow rpm_t crond_t:fifo_file r_file_perms;
-
 # Access terminals.
-allow rpm_t sysadm_tty_device_t:chr_file rw_file_perms;
-allow rpm_t sysadm_devpts_t:chr_file rw_file_perms;
+allow rpm_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
+allow rpm_t privfd:fd use;
 
 # Write to /usr/src.
 #allow rpm_t src_t:dir create_dir_perms;
@@ -60,9 +55,3 @@
 
 # Execute from /usr/src.
 #can_exec(rpm_t, src_t)
-
-# Execute helper programs.
-#can_exec_any(rpm_t)
-
-# Execute temporary files.
-#can_exec(rpm_t, rpm_tmp_t)
diff -ru /tmp/policy/domains/program/unused/squid.te policy/domains/program/unused/squid.te
--- /tmp/policy/domains/program/unused/squid.te	2003-07-31 13:20:28.000000000 +1000
+++ policy/domains/program/unused/squid.te	2003-07-11 20:56:29.000000000 +1000
@@ -60,8 +60,9 @@
 can_network(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 
-# port 8080 is http_cache_port_t (see net_contexts)
+# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
+allow squid_t http_cache_port_t:udp_socket name_bind;
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
diff -ru /tmp/policy/domains/program/unused/sysstat.te policy/domains/program/unused/sysstat.te
--- /tmp/policy/domains/program/unused/sysstat.te	2003-07-31 13:20:28.000000000 +1000
+++ policy/domains/program/unused/sysstat.te	2003-08-01 08:49:27.000000000 +1000
@@ -29,7 +29,7 @@
 # for fstab
 allow sysstat_t etc_t:file { read getattr };
 
-dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
+dontaudit sysstat_t staff_home_dir_t:dir r_dir_perms;
 
 allow sysstat_t self:fifo_file rw_file_perms;
 
diff -ru /tmp/policy/domains/program/unused/utempter.te policy/domains/program/unused/utempter.te
--- /tmp/policy/domains/program/unused/utempter.te	2003-03-05 01:57:27.000000000 +1100
+++ policy/domains/program/unused/utempter.te	2003-04-12 10:32:13.000000000 +1000
@@ -14,7 +14,7 @@
 type utempter_t, domain;
 in_user_role(utempter_t)
 role sysadm_r types utempter_t;
-every_domain(utempter_t)
+uses_shlib(utempter_t)
 type utempter_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
 
diff -ru /tmp/policy/domains/program/unused/vmware.te policy/domains/program/unused/vmware.te
--- /tmp/policy/domains/program/unused/vmware.te	2003-07-31 13:20:29.000000000 +1000
+++ policy/domains/program/unused/vmware.te	2003-07-10 11:31:49.000000000 +1000
@@ -118,7 +118,7 @@
 # Access /proc
 r_dir_file(vmware_user_t, proc_t)
 
-# Access to some files in the home directory of the user
+# Access to some files in the user home directory
 r_dir_file(vmware_user_t, user_home_t)
 
 # Access to runtime files for user
diff -ru /tmp/policy/domains/program/unused/watchdog.te policy/domains/program/unused/watchdog.te
--- /tmp/policy/domains/program/unused/watchdog.te	2003-07-31 13:20:29.000000000 +1000
+++ policy/domains/program/unused/watchdog.te	2003-07-11 17:16:26.000000000 +1000
@@ -20,5 +20,13 @@
 allow watchdog_t proc_t:file r_file_perms;
 
 allow watchdog_t self:capability { ipc_lock sys_nice };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+can_network(watchdog_t)
+allow watchdog_t resolv_conf_t:file { getattr read };
+allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t bin_t:dir search;
+allow watchdog_t init_t:process signal;
+allow watchdog_t kernel_t:process sigstop;
 
 allow watchdog_t watchdog_device_t:chr_file { getattr write };
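Review bot: The eight new rules at L828-L835 carry no comments, and two of them are unusual enough to need one: `allow watchdog_t init_t:process signal;` and `allow watchdog_t kernel_t:process sigstop;` let the daemon signal init and the kernel domain, which a later reader will not guess from the daemon's name. can_network(watchdog_t) together with the udp_socket and resolv_conf_t rules also grants more than a simple host check obviously needs. A comment above L828 naming the daemon feature each group serves, e.g. `# network rules: host ping checks; init_t/kernel_t signals: used when the daemon decides to reboot (confirm against watchdog's config options)`, would justify the scope and make it possible to trim later.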
diff -ru /tmp/policy/file_contexts/program/modutil.fc policy/file_contexts/program/modutil.fc
--- /tmp/policy/file_contexts/program/modutil.fc	2003-07-31 13:20:54.000000000 +1000
+++ policy/file_contexts/program/modutil.fc	2003-05-31 12:28:59.000000000 +1000
@@ -1,5 +1,6 @@
 # module utilities
 /etc/modules\.conf(.old)?	system_u:object_r:modules_conf_t
+/lib/modules/modprobe.conf	system_u:object_r:modules_conf_t
 /lib/modules(/.*)?		system_u:object_r:modules_object_t
 /lib/modules/[^/]+/modules\..+ system_u:object_r:modules_dep_t
 /lib/modules/modprobe\.conf.*	system_u:object_r:modules_conf_t
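Review bot: The new entry at L844 `/lib/modules/modprobe.conf` uses an unescaped `.`, so the pattern matches any character in that position, and it is already fully covered by the existing `/lib/modules/modprobe\.conf.*` at L847, which maps to the same type, so the line is redundant. Dropping it, or writing `/lib/modules/modprobe\.conf` if a distinct entry is wanted, keeps the file consistent with its other escaped patterns. The same unescaped dot appears in the new nsd.fc line `/var/lib/nsd.db` (L855) and the rpcd.fc line `/var/run/rpc.statd.pid` (L883); the later patch on this page already writes the rpcd entry escaped as `/var/run/rpc\.statd\.pid` (L1483).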
diff -ru /tmp/policy/file_contexts/program/nsd.fc policy/file_contexts/program/nsd.fc
--- /tmp/policy/file_contexts/program/nsd.fc	2003-07-31 13:20:56.000000000 +1000
+++ policy/file_contexts/program/nsd.fc	2003-07-26 01:34:33.000000000 +1000
@@ -3,7 +3,9 @@
 /etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
 /etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
 /etc/nsd/nsd.db			system_u:object_r:nsd_zone_t
+/var/lib/nsd.db			system_u:object_r:nsd_zone_t
 /usr/sbin/nsd      		system_u:object_r:nsd_exec_t
 /usr/sbin/nsdc      		system_u:object_r:nsd_exec_t
 /usr/sbin/nsd-notify		system_u:object_r:nsd_exec_t
+/usr/sbin/zonec			system_u:object_r:nsd_exec_t
 /var/run/nsd\.pid		system_u:object_r:nsd_var_run_t
diff -ru /tmp/policy/file_contexts/program/postfix.fc policy/file_contexts/program/postfix.fc
--- /tmp/policy/file_contexts/program/postfix.fc	2003-07-31 13:20:57.000000000 +1000
+++ policy/file_contexts/program/postfix.fc	2003-08-01 08:50:14.000000000 +1000
@@ -37,9 +37,10 @@
 /var/spool/postfix/defer(red)?(/.*)? system_u:object_r:postfix_spool_t
 /var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
 /var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t
+/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t
 /var/spool/postfix/lib(/.*)?	system_u:object_r:lib_t
+/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t
 /var/spool/postfix/lib/ld.*\.so.* system_u:object_r:ld_so_t
 /var/spool/postfix/lib/lib.*\.so.* system_u:object_r:shlib_t
 /var/spool/postfix/lib/[^/]*/lib.*\.so.* system_u:object_r:shlib_t
 /var/spool/postfix/lib/devfsd/.*\.so.* system_u:object_r:shlib_t
-/var/spool/postfix/etc/services	system_u:object_r:etc_t
diff -ru /tmp/policy/file_contexts/program/rpcd.fc policy/file_contexts/program/rpcd.fc
--- /tmp/policy/file_contexts/program/rpcd.fc	2002-07-04 06:26:22.000000000 +1000
+++ policy/file_contexts/program/rpcd.fc	2003-07-31 10:59:27.000000000 +1000
@@ -2,3 +2,4 @@
 /sbin/rpc\..*			system_u:object_r:rpcd_exec_t
 /usr/sbin/rpc\..*		system_u:object_r:rpcd_exec_t
 /usr/sbin/exportfs		system_u:object_r:rpcd_exec_t
+/var/run/rpc.statd.pid		system_u:object_r:rpcd_var_run_t
diff -ru /tmp/policy/macros/global_macros.te policy/macros/global_macros.te
--- /tmp/policy/macros/global_macros.te	2003-07-31 13:21:04.000000000 +1000
+++ policy/macros/global_macros.te	2003-07-12 12:00:00.000000000 +1000
@@ -478,8 +481,8 @@
 # Bind to the default port type.
 # Other port types must be separately authorized.
 #
-allow $1 port_t:udp_socket name_bind;
-allow $1 port_t:tcp_socket name_bind;
+#allow $1 port_t:udp_socket name_bind;
+#allow $1 port_t:tcp_socket name_bind;
 ')
 
 #################################
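Review bot: Commenting out the two port_t name_bind rules at L893-L894 leaves the comment block above them (`# Bind to the default port type.` / `# Other port types must be separately authorized.`) describing rules that no longer exist, and the enclosing macro's header is outside this hunk so the change is not visible at the definition. If the intent is that callers now authorize port_t binding themselves, as the user_macros hunk at L934-L935 does for UDP, say so in place of the dead lines, e.g. `# No default port_t binding here; domains that need it are granted it explicitly (see user_macros.te)`, and delete the commented-out rules rather than keeping them as comments.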
diff -ru /tmp/policy/macros/program/mount_macros.te policy/macros/program/mount_macros.te
--- /tmp/policy/macros/program/mount_macros.te	2003-07-31 13:21:09.000000000 +1000
+++ policy/macros/program/mount_macros.te	2003-07-12 20:01:38.000000000 +1000
@@ -29,6 +29,7 @@
 domain_auto_trans($1_t, mount_exec_t, $2_t)
 
 allow $2_t proc_t:dir search;
+allow $2_t proc_t:file { getattr read };
 
 tmp_domain($2)
 
diff -ru /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2003-07-31 13:21:04.000000000 +1000
+++ policy/macros/user_macros.te	2003-07-12 20:02:20.000000000 +1000
@@ -92,6 +103,9 @@
 allow $1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
 ')dnl end of ssh section
 
+# for ifconfig which is run all the time
+dontaudit $1_t sysctl_t:dir search;
+
 allow $1_t boot_t:dir { getattr search };
 dontaudit $1_t boot_t:dir read;
 dontaudit $1_t boot_t:lnk_file getattr;
@@ -172,8 +186,16 @@
 # Access other miscellaneous devices.
 allow $1_t misc_device_t:file_class_set rw_file_perms;
 
+ifdef(`apache.te', `
+ifelse(`$1', `sysadm', `', `
+dnl apache_domain($1)
+')
+')dnl end apache
+
 # Use the network.
 can_network($1_t)
+# allow port_t name binding for UDP because it is not very usable otherwise
+allow $1_t port_t:udp_socket name_bind;
 allow $1_t resolv_conf_t:file { getattr read };
 # for perl
 dontaudit $1_t resolv_conf_t:file ioctl;
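Review bot: The ifdef block at L926-L930 is dead: the only statement inside the ifelse branch, `dnl apache_domain($1)`, is discarded by m4, so the construct expands to nothing for every $1. Either drop the block until apache_domain is ready or leave a single comment explaining why it is parked, e.g. `# apache_domain($1) not yet enabled for non-sysadm users`. The new `allow $1_t port_t:udp_socket name_bind;` at L935 widens what every user domain may bind and pairs with the global_macros hunk at L893-L894 that removed the same rule from the shared macro; the comment on L934 should mention that relationship so the two changes are not undone independently.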
diff -ru /tmp/policy/net_contexts policy/net_contexts
--- /tmp/policy/net_contexts	2003-07-31 13:20:03.000000000 +1000
+++ policy/net_contexts	2003-07-31 05:23:03.000000000 +1000
@@ -17,6 +17,18 @@
 # protocol number context
 # protocol low-high context
 #
+ifdef(`inetd.te', `
+portcon tcp 7 system_u:object_r:inetd_port_t
+portcon udp 7 system_u:object_r:inetd_port_t
+portcon tcp 9 system_u:object_r:inetd_port_t
+portcon udp 9 system_u:object_r:inetd_port_t
+portcon tcp 13 system_u:object_r:inetd_port_t
+portcon udp 13 system_u:object_r:inetd_port_t
+portcon tcp 37 system_u:object_r:inetd_port_t
+portcon udp 37 system_u:object_r:inetd_port_t
+portcon tcp 113 system_u:object_r:inetd_port_t
+portcon udp 517 system_u:object_r:inetd_port_t
+')
 ifdef(`courier.te', `define(`use_pop')')
 ifdef(`perdition.te', `define(`use_pop')')
 ifdef(`ftpd.te', `portcon tcp 21 system_u:object_r:ftp_port_t')
@@ -25,6 +37,8 @@
 ifdef(`mta.te', `portcon tcp 25 system_u:object_r:smtp_port_t')
 ifdef(`named.te', `portcon udp 53 system_u:object_r:named_port_t
 portcon tcp 53 system_u:object_r:named_port_t')
+ifdef(`dhcpd.te', `portcon udp 67  system_u:object_r:dhcpd_port_t')
+ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
 ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
 ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
 ifdef(`apache.te', `portcon tcp 80  system_u:object_r:http_port_t')
@@ -37,7 +51,7 @@
 portcon udp 111 system_u:object_r:portmap_port_t
 portcon tcp 111 system_u:object_r:portmap_port_t
 ')
-ifdef(`ntp.te', `portcon udp 123 system_u:object_r:ntp_port_t')
+ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
 ifdef(`samba.te', `
 portcon tcp 137 system_u:object_r:smbd_port_t
 portcon udp 137 system_u:object_r:nmbd_port_t
@@ -57,7 +71,10 @@
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
 ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
-ifdef(`cups.te', `portcon tcp 631 system_u:object_r:ipp_port_t')
+ifdef(`cups.te', `
+portcon tcp 631 system_u:object_r:ipp_port_t
+portcon udp 631 system_u:object_r:ipp_port_t
+')
 ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 ifdef(`use_pop', `
 portcon tcp 993 system_u:object_r:pop_port_t
@@ -75,9 +92,18 @@
 portcon udp 5323 system_u:object_r:imaze_port_t
 ')
 ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+ifdef(`sound-server.te', `
+portcon tcp 8000 system_u:object_r:soundd_port_t
+# 9433 is for YIFF
+portcon tcp 9433 system_u:object_r:soundd_port_t
+')
 ifdef(`apache.te', `define(`use_http_cache')')
 ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `portcon tcp 8080  system_u:object_r:http_cache_port_t')
+ifdef(`use_http_cache', `
+portcon tcp 8080  system_u:object_r:http_cache_port_t
+portcon udp 3130  system_u:object_r:http_cache_port_t
+')
 ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
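Review bot: The new spamd entry at L995 (tcp 783) is placed after the ircd 6667 line, breaking the ascending port order the rest of the file follows; moving it up to sit between the 631 and 953 entries keeps lookups by port number easy. The udp 3130 line added to the http_cache block at L1006 is the counterpart of the squid.te change at L781 and is consistent with it.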
 
 # Network interfaces (default = initial SID "netif" and "netmsg")


* [Fwd: New policy patch]
@ 2005-01-12 18:46 Daniel J Walsh
  2005-01-21 20:36 ` James Carter
  0 siblings, 1 reply; 16+ messages in thread
From: Daniel J Walsh @ 2005-01-12 18:46 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: New policy patch --]
[-- Type: message/rfc822, Size: 39682 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 342 bytes --]

    Add customizable types.

    Add samba_home_dir support.

    Fix postgresql to run on ypbind platform

    Begin adding support for NFSV4 with Kerberos keys

    Add execmod to users for ld_so_t

    add execmem for mozilla

    Add unrestricted attribute to indicate domains using unconfined_t. 

    Also began using typeattribute. 



[-- Attachment #2.1.2: policy-20050112.patch --]
[-- Type: text/x-patch, Size: 38466 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.21.1/attrib.te
--- nsapolicy/attrib.te	2004-12-21 10:59:56.000000000 -0500
+++ policy-1.21.1/attrib.te	2005-01-12 09:19:59.141059592 -0500
@@ -393,3 +393,8 @@
 # For labeling of domains whos transition can be disabled
 attribute transitionbool;
 
+# For labeling of file_context domains which users can change files to rather
+# then the default file context.  These file_context can survive a relabeling
+# of the file system.
+attribute customizable;
+
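Review bot: The comment at L1058-L1060 has two wording problems that matter because it is the only definition of the new attribute: `rather then` should be `rather than`, and `file_context domains` is misleading since the attribute is applied to file types (ftpd_anon_t, samba_share_t and the httpd content types in this patch), not domains. Suggest `# For file types that an administrator may deliberately relabel files to instead of the default context; the relabel tools are expected to preserve these so the customization survives a full file system relabel.` The preservation behaviour is asserted by the comment only, so confirm that the relabel tooling actually honours the attribute before relying on it.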
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.21.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-01-12 08:14:47.039693689 -0500
+++ policy-1.21.1/domains/program/initrc.te	2005-01-12 09:18:27.139390056 -0500
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, unrestricted, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
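Review bot: Dropping `unrestricted` from the unlimitedRC attribute list at L1071 only preserves behaviour if initrc_t is still passed through unconfined_domain(), which now applies `typeattribute $1 unrestricted;` (global_macros.te, L1553); that call is not in this hunk. The same removal with no visible replacement appears in ldconfig.te (L1103, under targeted_policy), modutil.te (L1129), unconfined.te (L1156), firstboot.te (L1221), hotplug.te (L1257), inetd.te (L1269) and rpm.te (L1327, L1336). By contrast init.te re-adds the attribute explicitly (L1091-L1093) and anaconda.te visibly calls unconfined_domain(anaconda_t) (L1170), so the reasoning is checkable there. For each of the others it would help to either include the unconfined_domain call in the hunk context or add a comment such as `# unrestricted is applied by unconfined_domain() below` so a reader can confirm no domain silently lost the attribute.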
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.21.1/domains/program/init.te
--- nsapolicy/domains/program/init.te	2005-01-12 08:14:47.017696186 -0500
+++ policy-1.21.1/domains/program/init.te	2005-01-12 09:18:27.140389944 -0500
@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain ifdef(`targeted_policy', `, unrestricted');
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
@@ -141,3 +141,7 @@
 
 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write }; 
+ifdef(`targeted_policy', `
+typeattribute init_t unrestricted;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-01-12 08:14:47.055691874 -0500
+++ policy-1.21.1/domains/program/ldconfig.te	2005-01-12 09:18:27.140389944 -0500
@@ -8,7 +8,7 @@
 #
 # Rules for the ldconfig_t domain.
 #
-type ldconfig_t, domain, privlog, etc_writer ifdef(`targeted_policy', `, unrestricted' );
+type ldconfig_t, domain, privlog, etc_writer;
 type ldconfig_exec_t, file_type, sysadmfile, exec_type;
 
 role sysadm_r types ldconfig_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.21.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-12-11 06:31:18.000000000 -0500
+++ policy-1.21.1/domains/program/login.te	2005-01-12 09:18:27.141389832 -0500
@@ -84,6 +84,10 @@
 r_dir_file($1_login_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+r_dir_file($1_login_t, cifs_t)
+}
+
 # FIXME: what is this for?
 ifdef(`xdm.te', `
 allow xdm_t $1_login_t:process signull;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.21.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-01-12 08:14:47.086688356 -0500
+++ policy-1.21.1/domains/program/modutil.te	2005-01-12 09:18:27.142389719 -0500
@@ -69,7 +69,7 @@
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule, unrestricted' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.21.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-01-12 08:14:47.150681092 -0500
+++ policy-1.21.1/domains/program/ssh.te	2005-01-12 09:18:27.143389607 -0500
@@ -80,6 +80,11 @@
 allow $1_t nfs_t:file { getattr read };
 }
 
+if (use_samba_home_dirs) {
+allow $1_t cifs_t:dir { search getattr };
+allow $1_t cifs_t:file { getattr read };
+}
+
 # Set exec context.
 can_setexec($1_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unconfined.te policy-1.21.1/domains/program/unconfined.te
--- nsapolicy/domains/program/unconfined.te	2004-08-24 15:35:26.000000000 -0400
+++ policy-1.21.1/domains/program/unconfined.te	2005-01-12 09:18:27.144389495 -0500
@@ -6,7 +6,7 @@
 # chcon -t unconfined_exec_t /usr/local/bin/appsrv
 # Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
 
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write, unrestricted;
+type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
 type unconfined_exec_t, file_type, sysadmfile, exec_type;
 role sysadm_r types unconfined_t;
 domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.21.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-12-09 10:26:08.000000000 -0500
+++ policy-1.21.1/domains/program/unused/anaconda.te	2005-01-12 09:18:27.144389495 -0500
@@ -10,7 +10,7 @@
 #
 # anaconda_t is the domain of the installation program
 #
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted;
+type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
 role system_r types anaconda_t;
 unconfined_domain(anaconda_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-01-12 08:14:47.372655899 -0500
+++ policy-1.21.1/domains/program/unused/apache.te	2005-01-12 09:18:27.145389382 -0500
@@ -19,6 +19,13 @@
 #  the user CGI scripts, then relabel rule for user_r should be removed.
 #
 ###############################################################################
+
+define(`httpd_home_dirs', `
+r_dir_file(httpd_t, $1)
+r_dir_file(httpd_suexec_t, $1)
+can_exec(httpd_suexec_t, $1)
+')
+
 type http_port_t, port_type, reserved_port_type;
 
 bool httpd_unified false;
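Review bot: The new httpd_home_dirs macro at L1180-L1184 has no header comment, unlike the other definitions in this file, and it grants httpd_suexec_t execute on the whole home-directory type passed in. Suggest above L1180: `# httpd_home_dirs(type): read access for httpd_t and httpd_suexec_t to home directories of the given type, plus execute for suexec; only expanded when httpd_enable_homedirs is on`. The second hunk (L1192-L1200) is its only caller, and its use under both use_nfs_home_dirs and use_samba_home_dirs is consistent.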
@@ -262,9 +269,10 @@
 allow httpd_suexec_t autofs_t:dir { search getattr };
 ')
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
-r_dir_file(httpd_t, nfs_t)
-r_dir_file(httpd_suexec_t, nfs_t)
-can_exec(httpd_suexec_t, nfs_t)
+httpd_home_dirs(nfs_t)
+}
+if (use_samba_home_dirs && httpd_enable_homedirs) {
+httpd_home_dirs(cifs_t)
 }
 r_dir_file(httpd_t, fonts_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-01-12 08:14:47.490642507 -0500
+++ policy-1.21.1/domains/program/unused/cups.te	2005-01-12 09:18:27.146389270 -0500
@@ -248,3 +248,6 @@
 allow cupsd_t initrc_t:dbus send_msg;
 ')
 
+ifdef(`targeted_policy', `
+allow cupsd_t unconfined_t:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.21.1/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2004-12-02 14:11:41.000000000 -0500
+++ policy-1.21.1/domains/program/unused/firstboot.te	2005-01-12 09:18:27.147389158 -0500
@@ -10,7 +10,7 @@
 #
 # firstboot_exec_t is the type of the firstboot executable.
 #
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
 type firstboot_rw_t, file_type, sysadmfile;
 role system_r types firstboot_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.21.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/ftpd.te	2005-01-12 09:18:27.148389046 -0500
@@ -100,14 +100,15 @@
 # allow access to /home
 allow ftpd_t home_root_t:dir { getattr search };
 }
-
-if (ftp_home_dir && use_nfs_home_dirs) {
-allow ftpd_t nfs_t:dir r_dir_perms;
-allow ftpd_t nfs_t:file r_file_perms;
+if (use_nfs_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, nfs_t)
+}
+if (use_samba_home_dirs && ftp_home_dir) {
+	r_dir_file(ftpd_t, cifs_t)
 }
 dontaudit ftpd_t selinux_config_t:dir search;
 #
 # Type for access to anon ftp
 #
-type ftpd_anon_t, file_type, sysadmfile;
+type ftpd_anon_t, file_type, sysadmfile, customizable;
 r_dir_file(ftpd_t,ftpd_anon_t)
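Review bot: L1237 and L1240 indent the bodies of the new if blocks with a tab while the preceding block at L1229-L1231 and the rest of this file keep bodies at column 0; pick one style for the file. The `customizable` addition to ftpd_anon_t at L1247 is consistent with the other file types given that attribute in this patch.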
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.21.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/hotplug.te	2005-01-12 09:18:27.149388933 -0500
@@ -11,7 +11,7 @@
 # hotplug_exec_t is the type of the hotplug executable.
 #
 ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
 ', `
 daemon_domain(hotplug, `, privmodule')
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.21.1/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te	2005-01-12 08:14:47.700618675 -0500
+++ policy-1.21.1/domains/program/unused/inetd.te	2005-01-12 09:18:27.150388821 -0500
@@ -18,7 +18,7 @@
 # Rules for the inetd_t domain.
 #
 
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem, unrestricted')' )
+daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
 allow inetd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.21.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.21.1/domains/program/unused/pamconsole.te	2005-01-12 09:18:27.150388821 -0500
@@ -41,3 +41,4 @@
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
 allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.21.1/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-01-12 08:14:47.980586899 -0500
+++ policy-1.21.1/domains/program/unused/postgresql.te	2005-01-12 09:18:27.151388709 -0500
@@ -53,6 +53,7 @@
 
 # Use the network.
 can_network_server(postgresql_t)
+can_ypbind(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(postgresql_t, self)
@@ -84,6 +85,7 @@
 
 # Allow access to the postgresql databases
 create_dir_file(postgresql_t, postgresql_db_t)
+file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
 allow postgresql_t var_lib_t:dir { getattr search };
 
 # because postgresql start scripts are broken and put the pid file in the DB
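Review bot: `file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)` at L1296 lets postgresql_t create objects in any var_lib_t directory, not only under /var/lib/pgsql, and types them postgresql_db_t; paired with the .fc hunk at L1466-L1469 that narrows `/var/lib/pgsql(/.*)?` to `/var/lib/pgsql/data(/.*)?`, the data directory now gets its label at creation time rather than from file_contexts. That is a reasonable design but it is invisible from either hunk alone, so a comment above L1296 such as `# /var/lib/pgsql itself stays var_lib_t; the data directory becomes postgresql_db_t when the server creates it (see postgresql.fc)` would tie the two together. It also means files left directly in /var/lib/pgsql outside data/ will no longer be relabelled to postgresql_db_t by a full relabel, which is worth a note to administrators upgrading.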
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.21.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-12-09 10:26:09.000000000 -0500
+++ policy-1.21.1/domains/program/unused/rpcd.te	2005-01-12 09:18:27.152388597 -0500
@@ -126,3 +126,15 @@
 allow rpcd_t rpc_pipefs_t:sock_file { read write };
 dontaudit rpcd_t selinux_config_t:dir { search };
 allow rpcd_t proc_net_t:dir search;
+
+
+rpc_domain(gssd)
+can_kerberos(gssd_t)
+allow gssd_t krb5_keytab_t:file r_file_perms;
+allow gssd_t urandom_device_t:chr_file { getattr read };
+r_dir_file(gssd_t, tmp_t)
+tmp_domain(gssd)
+allow gssd_t self:fifo_file { read write };
+r_dir_file(gssd_t, proc_net_t)
+allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+allow gssd_t rpc_pipefs_t:sock_file { read write };
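Review bot: The new gssd_t domain at L1309-L1318 is introduced with no comment and one of its rules is broad: `r_dir_file(gssd_t, tmp_t)` reads every tmp_t file on the system, and the same domain is used for both rpc.gssd and rpc.svcgssd (rpcd.fc L1480-L1481), which from their names appear to be the client and server halves. A header comment stating the purpose, e.g. `# gssd_t: rpc.gssd/rpc.svcgssd, GSS/Kerberos context handling for NFSv4; reads credential caches in /tmp, hence tmp_t`, hedged to what gssd actually reads, would justify the tmp_t read and make the shared-domain choice explicit. If the tmp_t read is only needed for credential cache files, a dedicated type for those files would be a tighter grant.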
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.21.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te	2005-01-12 08:14:48.024581906 -0500
+++ policy-1.21.1/domains/program/unused/rpm.te	2005-01-12 09:18:27.153388484 -0500
@@ -10,7 +10,7 @@
 # var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
 # var_lib_rpm_t is the type for rpm files in /var/lib
 #
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
 role system_r types rpm_t;
 uses_shlib(rpm_t)
 type rpm_exec_t, file_type, sysadmfile, exec_type;
@@ -115,7 +115,7 @@
 
 allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
 
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role ifdef(`unlimitedRPM', `, unrestricted, auth_write');
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
 # policy for rpm scriptlet
 role system_r types rpm_script_t;
 uses_shlib(rpm_script_t)
@@ -249,7 +249,9 @@
 allow initrc_t rpm_var_lib_t:file create_file_perms;
 
 ifdef(`unlimitedRPM', `
+typeattribute rpm_t auth_write;
 unconfined_domain(rpm_t)
+typeattribute rpm_script_t auth_write;
 unconfined_domain(rpm_script_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-12-11 06:31:19.000000000 -0500
+++ policy-1.21.1/domains/program/unused/samba.te	2005-01-12 09:18:27.154388372 -0500
@@ -7,14 +7,14 @@
 #################################
 #
 # Declarations for Samba
-#
+#n
 
 daemon_domain(smbd, `, privhome, auth_chkpwd')
 daemon_domain(nmbd)
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile;
+type samba_share_t, file_type, sysadmfile, customizable;
 type samba_secrets_t, file_type, sysadmfile;
 typealias samba_var_t alias samba_spool_t;
 
@@ -73,8 +73,7 @@
 allow smbd_t usr_t:file { getattr read };
 
 # Access Samba shares.
-allow smbd_t samba_share_t:dir create_dir_perms;
-allow smbd_t samba_share_t:file create_file_perms;
+create_dir_file(smbd_t, samba_share_t)
 
 ifdef(`logrotate.te', `
 # the application should be changed
@@ -117,3 +116,14 @@
 ')
 # Needed for winbindd
 allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
+
+# Support Samba sharing of home directories
+bool samba_enable_home_dirs false;
+
+if ( samba_enable_home_dirs ) {
+allow smbd_t home_root_t:dir { getattr search };
+allow smbd_t home_dir_type:dir { getattr search };
+allow smbd_t home_type:dir create_dir_perms;
+dontaudit smbd_t home_type:{ sock_file fifo_file chr_file blk_file } r_file_perms;
+}
+
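Review bot: The samba_enable_home_dirs block at L1388-L1393 grants smbd_t create_dir_perms on home_type directories but contains no home_type:file rule, so with only these lines smbd could traverse and create directories yet not read or write the files inside them. If file access is meant to come from the privhome attribute on smbd_t (L1360), a comment saying so, e.g. `# file access inside home dirs comes from privhome; only directory rules are needed here`, would save the next reader from adding a duplicate; if not, the block is incomplete.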
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.21.1/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/domains/program/unused/spamd.te	2005-01-12 09:18:27.155388260 -0500
@@ -64,5 +64,10 @@
 allow spamd_t nfs_t:file create_file_perms;
 }
 
+if (use_samba_home_dirs) {
+allow spamd_t cifs_t:dir rw_dir_perms;
+allow spamd_t cifs_t:file create_file_perms;
+}
+
 allow spamd_t home_root_t:dir getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.21.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-01-05 14:37:26.000000000 -0500
+++ policy-1.21.1/domains/program/unused/xdm.te	2005-01-12 09:18:27.156388147 -0500
@@ -290,6 +290,12 @@
 can_exec(xdm_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
+allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
+can_exec(xdm_t, cifs_t)
+}
+
 # for .dmrc
 allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.21.1/domains/user.te
--- nsapolicy/domains/user.te	2004-12-21 10:59:57.000000000 -0500
+++ policy-1.21.1/domains/user.te	2005-01-12 09:18:27.156388147 -0500
@@ -10,6 +10,9 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
 # Allow users to run TCP servers (bind to ports and accept connection from
 # the same domain and outside users)  disabling this forces FTP passive mode
 # and may change other protocols 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.21.1/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.21.1/file_contexts/program/innd.fc	2005-01-12 09:18:27.157388035 -0500
@@ -1,5 +1,7 @@
 # innd
 /usr/sbin/innd.*	--	system_u:object_r:innd_exec_t
+/usr/bin/rpost          --      system_u:object_r:innd_exec_t
+/usr/bin/suck           --      system_u:object_r:innd_exec_t
 /var/run/innd(/.*)?		system_u:object_r:innd_var_run_t
 /etc/news(/.*)?			system_u:object_r:innd_etc_t
 /etc/news/boot		--	system_u:object_r:innd_exec_t
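Review bot: L1444-L1445 label /usr/bin/rpost and /usr/bin/suck, which live in /usr/bin and are presumably run by users, with the daemon's innd_exec_t, so whatever domain transition applies to innd_exec_t will apply to these tools as well; whether running them in the daemon's domain is intended or merely convenient is not stated. A comment such as `# suck/rpost run in innd_t so they can write the news spool`, hedged to the actual intent, would document the choice. The new lines also use spaces where the rest of the file uses tabs.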
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mysqld.fc policy-1.21.1/file_contexts/program/mysqld.fc
--- nsapolicy/file_contexts/program/mysqld.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/mysqld.fc	2005-01-12 09:18:27.158387923 -0500
@@ -1,5 +1,5 @@
 # mysql database server
-/usr/sbin/mysqld	--	system_u:object_r:mysqld_exec_t
+/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t
 /usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
 /var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
 /var/log/mysql.*	--	system_u:object_r:mysqld_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.21.1/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc	2005-01-12 08:14:48.738500877 -0500
+++ policy-1.21.1/file_contexts/program/postgresql.fc	2005-01-12 09:18:27.159387811 -0500
@@ -13,8 +13,8 @@
 /usr/bin/pg_id		--	system_u:object_r:postgresql_exec_t
 /usr/bin/pg_restore	--	system_u:object_r:postgresql_exec_t
 
-/var/lib/postgres(ql)?(/.*)? system_u:object_r:postgresql_db_t
-/var/lib/pgsql(/.*)?		system_u:object_r:postgresql_db_t
+/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t
+/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t
 /var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t
 /etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t
 /var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.21.1/file_contexts/program/rpcd.fc
--- nsapolicy/file_contexts/program/rpcd.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.21.1/file_contexts/program/rpcd.fc	2005-01-12 09:18:27.159387811 -0500
@@ -3,6 +3,8 @@
 /usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
 /usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
 /usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
+/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
+/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t
 /usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t
 /var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
 /var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.1/file_contexts/program/udev.fc
--- nsapolicy/file_contexts/program/udev.fc	2005-01-12 08:14:48.813492366 -0500
+++ policy-1.21.1/file_contexts/program/udev.fc	2005-01-12 09:18:27.204382758 -0500
@@ -8,5 +8,5 @@
 /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
 /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
 /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb	--	system_u:object_r:udev_tdb_t
+/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t
 /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
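Review bot: The new pattern at L1493 `/dev/\.udev\.tdb/.*	--` matches only regular files below /dev/.udev.tdb/ and no longer matches the path /dev/.udev.tdb itself, so if that path is now a directory it receives no context from this file. If the intent is to label the directory and everything under it, `/dev/\.udev\.tdb(/.*)?	system_u:object_r:udev_tdb_t` without the `--` class restriction covers both; if only the entries should be typed, keep the line but add a separate one for the directory.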
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-12-09 10:26:10.000000000 -0500
+++ policy-1.21.1/macros/base_user_macros.te	2005-01-12 09:18:27.205382646 -0500
@@ -2,6 +2,12 @@
 # Macros for all user login domains.
 #
 
+define(`network_home_dir', `
+create_dir_file($1, $2)
+can_exec($1, $2)
+allow $1 $2:{ sock_file fifo_file } create_file_perms;
+')
+
 #
 # base_user_domain(domain_prefix)
 #
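Review bot: network_home_dir at L1502-L1506 is defined without a header comment although it becomes the single place that defines what a user domain may do on a network-mounted home directory (create, execute, sockets and fifos). Suggest above L1502: `# network_home_dir(domain, fstype): full create/exec/socket access for a user domain on a remote home directory type such as nfs_t or cifs_t`. Its two callers in the third hunk (L1528, L1532) are consistent with each other.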
@@ -38,6 +44,7 @@
 
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t shlib_t:file execmod;
+allow $1_t ld_so_t:file execmod;
 
 #
 # kdeinit wants this access
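Review bot: `allow $1_t ld_so_t:file execmod;` at L1515 applies to every user domain and permits text relocations on the dynamic loader itself, which weakens the no-writable-executable-mapping guarantee for the one object every process maps; the commit message gives no reason and the existing comment at L1513 only covers libGL-style shared libraries. A why-comment naming the loader build or platform that needs it, e.g. `# ld.so on <platform, confirm> is built with text relocations and needs execmod`, would let it be dropped when no longer required, and if it is platform-specific an ifdef or boolean around it would keep other builds strict.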
@@ -70,11 +77,15 @@
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')dnl end if automount.te
+
 if (use_nfs_home_dirs) {
-create_dir_file($1_t, nfs_t)
-can_exec($1_t, nfs_t)
-allow $1_t nfs_t:{ sock_file fifo_file } create_file_perms;
+network_home_dir($1_t, nfs_t)
 }
+
+if (use_samba_home_dirs) {
+network_home_dir($1_t, cifs_t)
+}
+
 if (user_rw_noexattrfile) {
 create_dir_file($1_t, noexattrfile)
 create_dir_file($1_t, removable_t)
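Review bot: `use_samba_home_dirs` is referenced here, but the only declaration in this patch is in targeted/domains/unconfined.te, and base_user_macros.te is also compiled into the strict policy, where I cannot see a declaration; if `use_nfs_home_dirs` is declared in a file shared by both policies, the new bool belongs next to it, otherwise the strict build will fail on the undeclared boolean. A one-line comment above the new block, e.g. `# Allow user domains full access to home directories mounted over SMB/CIFS`, would also match the commented NFS block it sits beside.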
@@ -167,6 +178,7 @@
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`samba.te', `samba_domain($1)')
 ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.21.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-01-12 08:14:48.985472846 -0500
+++ policy-1.21.1/macros/global_macros.te	2005-01-12 09:18:27.206382534 -0500
@@ -504,6 +504,8 @@
 #
 define(`unconfined_domain', `
 
+typeattribute $1 unrestricted;
+
 # Mount/unmount any filesystem. 
 allow $1 fs_type:filesystem *;
 
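Review bot: Adding `typeattribute $1 unrestricted;` inside `unconfined_domain` means every caller of the macro now also picks up whatever rules are keyed on the `unrestricted` attribute (those rules are outside this patch), an implicit widening on top of the explicit `fs_type:filesystem *` style rules that follow. The macro's header comment should say so, e.g. `# Also marks the domain unrestricted, so it is exempt from any rule or constraint keyed on that attribute`, so that callers such as `unconfined_domain(ldconfig_t)` later in the series understand the full effect. If some domain needs the unconfined rules without `unrestricted`, the attribute should stay a per-type declaration as it was for unconfined_t.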
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.21.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-01-12 08:14:49.097460136 -0500
+++ policy-1.21.1/macros/program/apache_macros.te	2005-01-12 09:18:27.207382421 -0500
@@ -3,7 +3,7 @@
 
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile;
+type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
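Review bot: Marking the content types `customizable` has an effect beyond the policy itself: the Makefile change in this patch writes every `customizable` type into `$(APPDIR)/customizable_types`, which is presumably consulted by relabeling tools to leave such files alone. That means a file wrongly labelled `httpd_$1_content_t` will not be repaired by a full relabel, so a comment on the type line, e.g. `# customizable: admins may set this type on arbitrary files; relabel tools will not reset it`, documents the trade-off. Whether the attribute is declared in attrib.te is outside this patch.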
@@ -14,7 +14,7 @@
 
 # This type is used for executable scripts files
 #
-type httpd_$1_script_exec_t, file_type, sysadmfile;
+type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail, nscd_client_domain;
@@ -41,6 +41,7 @@
 read_locale(httpd_$1_script_t)
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
+allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
 
 allow httpd_$1_script_t { self proc_t }:file { getattr read };
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
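Review bot: `allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };` carries no comment on why a CGI domain needs read/write on sockets owned by httpd_t; presumably it is the client connection handed down over exec, but the rule as written covers any httpd_t unix stream socket the script can get a descriptor for. Suggest `# CGI scripts inherit the client connection (a unix stream socket) from httpd`, and if the intent is only the inherited descriptor, confirm that the matching `httpd_t:fd use` is granted elsewhere (the rest of the script domain's rules are outside this hunk).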
@@ -57,9 +58,9 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile;
+type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
+type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
 ifdef(`slocate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.21.1/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te	2004-12-21 10:59:58.000000000 -0500
+++ policy-1.21.1/macros/program/cdrecord_macros.te	2005-01-12 09:18:27.208382309 -0500
@@ -35,6 +35,9 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_cdrecord_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+r_dir_file($1_cdrecord_t, cifs_t)
+}
 allow $1_cdrecord_t etc_t:file { getattr read };
 
 # allow searching for cdrom-drive
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.21.1/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_agent_macros.te	2005-01-12 09:18:27.209382197 -0500
@@ -51,6 +51,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_agent_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_agent_t, cifs_t)
+}
 
 allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
@@ -111,6 +114,12 @@
 dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 dontaudit $1_gpg_pinentry_t nfs_t:file write;
 }
+if (use_samba_home_dirs) {
+allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
+allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+dontaudit $1_gpg_pinentry_t cifs_t:file write;
+}
 
 # read /etc/X11/qtrc
 allow $1_gpg_pinentry_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.1/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-12-16 11:38:03.000000000 -0500
+++ policy-1.21.1/macros/program/gpg_macros.te	2005-01-12 09:18:27.210382085 -0500
@@ -79,6 +79,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_gpg_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_gpg_t, cifs_t)
+}
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
@@ -111,6 +114,9 @@
 if (use_nfs_home_dirs) {
 dontaudit $1_gpg_helper_t nfs_t:file { read write };
 }
+if (use_samba_home_dirs) {
+dontaudit $1_gpg_helper_t cifs_t:file { read write };
+}
 
 # communicate with the user 
 allow $1_gpg_helper_t $1_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.21.1/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/lpr_macros.te	2005-01-12 09:18:27.210382085 -0500
@@ -81,6 +81,10 @@
 r_dir_file($1_lpr_t, nfs_t)
 }
 
+if (use_samba_home_dirs) {
+r_dir_file($1_lpr_t, cifs_t)
+}
+
 # Read and write shared files in the spool directory.
 allow $1_lpr_t print_spool_t:file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-12-21 10:59:59.000000000 -0500
+++ policy-1.21.1/macros/program/mozilla_macros.te	2005-01-12 09:18:27.211381972 -0500
@@ -25,7 +25,7 @@
 allow $1_mozilla_t $1_t:process signull;
 
 # Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+allow $1_mozilla_t self:process { execmem setrlimit setsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
@@ -40,6 +40,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_mozilla_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_mozilla_t, cifs_t)
+}
 ifdef(`automount.te', `
 allow $1_mozilla_t autofs_t:dir { search getattr };
 ')dnl end if automount
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.21.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/mta_macros.te	2005-01-12 09:18:27.212381860 -0500
@@ -99,8 +99,8 @@
 # Create dead.letter in user home directories.
 file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
 
-if (use_nfs_home_dirs) {
-rw_dir_create_file($1_mail_t, nfs_t)
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_mail_t, cifs_t)
 }
 
 # if you do not want to allow dead.letter then use the following instead
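Review bot: This hunk replaces the `use_nfs_home_dirs` block with the `use_samba_home_dirs` one instead of adding it, so `$1_mail_t` loses the ability to create dead.letter in NFS home directories; every other file in this patch keeps both blocks. Restore the removed lines ahead of the new block: `if (use_nfs_home_dirs) {` / `rw_dir_create_file($1_mail_t, nfs_t)` / `}`.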
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.1/macros/program/samba_macros.te
--- nsapolicy/macros/program/samba_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.21.1/macros/program/samba_macros.te	2005-01-12 09:18:27.213381748 -0500
@@ -0,0 +1,28 @@
+#
+# Macros for samba domains.
+#
+
+#
+# Authors:  Dan Walsh <dwalsh@redhat.com>
+#
+
+# 
+# samba_domain(domain_prefix)
+#
+# Define a derived domain for the samba program when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/samba.te. 
+#
+undefine(`samba_domain')
+ifdef(`samba.te', `
+define(`samba_domain',`
+if ( samba_enable_home_dirs ) {
+file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
+}
+')
+', `
+define(`samba_domain',`')
+
+')dnl end if samba.te
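Review bot: The header comment says the macro defines a derived domain for samba executed by a user domain, but the body defines no domain at all; it only adds a file transition so that files smbd_t creates under `$1_home_dir_t` get `$1_home_t`. Reword to match, e.g. `# samba_domain(domain_prefix)` / `# Let smbd create files in this user's home directory with the user's home type, when samba_enable_home_dirs is on.` The `samba_enable_home_dirs` bool is not declared anywhere in this patch; if it lives in samba.te that is fine, otherwise it needs a declaration.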
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.21.1/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2005-01-05 14:37:27.000000000 -0500
+++ policy-1.21.1/macros/program/screen_macros.te	2005-01-12 09:18:27.214381636 -0500
@@ -43,6 +43,9 @@
 if (use_nfs_home_dirs) {
 domain_auto_trans($1_screen_t, nfs_t, $1_t)
 }
+if (use_samba_home_dirs) {
+domain_auto_trans($1_screen_t, cifs_t, $1_t)
+}
 
 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
@@ -53,6 +56,9 @@
 if (use_nfs_home_dirs) {
 r_dir_file($1_screen_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+r_dir_file($1_screen_t, cifs_t)
+}
 
 allow $1_screen_t privfd:fd use;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.21.1/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_agent_macros.te	2005-01-12 09:18:27.215381523 -0500
@@ -43,6 +43,9 @@
 ')
 rw_dir_create_file($1_ssh_agent_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_ssh_agent_t, cifs_t)
+}
 
 uses_shlib($1_ssh_agent_t)
 read_locale($1_ssh_agent_t)
@@ -73,6 +76,9 @@
 if (use_nfs_home_dirs) {
 domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
 }
+if (use_samba_home_dirs) {
+domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
+}
 allow $1_ssh_agent_t bin_t:dir search;
 
 # allow reading of /usr/bin/X11 (is a symlink)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.1/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-12-11 06:31:21.000000000 -0500
+++ policy-1.21.1/macros/program/ssh_macros.te	2005-01-12 09:18:27.216381411 -0500
@@ -30,6 +30,9 @@
 if (use_nfs_home_dirs) {
 create_dir_file($1_ssh_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+create_dir_file($1_ssh_t, cifs_t)
+}
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.21.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.21.1/macros/program/su_macros.te	2005-01-12 09:18:27.216381411 -0500
@@ -139,6 +139,9 @@
 if (use_nfs_home_dirs) {
 allow $1_su_t nfs_t:dir search;
 }
+if (use_samba_home_dirs) {
+allow $1_su_t cifs_t:dir search;
+}
 
 # Modify .Xauthority file (via xauth program).
 ifdef(`xauth.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.21.1/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-12-02 14:11:43.000000000 -0500
+++ policy-1.21.1/macros/program/xauth_macros.te	2005-01-12 09:18:27.217381299 -0500
@@ -86,6 +86,12 @@
 ')
 rw_dir_create_file($1_xauth_t, nfs_t)
 }
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
+if (use_samba_home_dirs) {
+rw_dir_create_file($1_xauth_t, cifs_t)
+}
 ')dnl end xauth_domain macro
 
 ', `
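Review bot: The `use_samba_home_dirs` block is added twice, the second copy immediately below and identical to the first; checkpolicy merges duplicate allow rules so it still builds, but one copy should go. Keep a single `if (use_samba_home_dirs) {` / `rw_dir_create_file($1_xauth_t, cifs_t)` / `}`.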
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.1/Makefile
--- nsapolicy/Makefile	2005-01-12 08:14:46.613742034 -0500
+++ policy-1.21.1/Makefile	2005-01-12 09:18:27.218381186 -0500
@@ -53,7 +53,7 @@
 FCFILES=tmp/program_used_flags.te file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 
 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
@@ -75,6 +75,7 @@
 tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+	@touch tmp/valid_fc
 
 install: tmp/valid_fc
 
@@ -90,6 +91,11 @@
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
+$(APPDIR)/customizable_types: policy.conf
+	mkdir -p $(APPDIR)
+	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	install -m 644 tmp/customizable_types $@ 
+
 $(APPDIR)/default_type: appconfig/default_type
 	mkdir -p $(APPDIR)
 	install -m 644 $< $@
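Review bot: The `customizable_types` rule greps `^type .*customizable`, which also matches a type line where the word appears inside another attribute name or in a trailing comment; anchoring the token, `grep -E '^type .*[, ]customizable[,;]'`, avoids listing a type that is not actually customizable, which matters because the file apparently tells relabeling tools which types to leave alone. The rule also writes `tmp/customizable_types` without a `mkdir -p tmp` of its own, so it depends on an earlier target having created the directory. `cut -d' ' -f2` assumes exactly one space after `type`, which holds for the m4-expanded policy.conf only as long as no source file uses a tab there.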
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-01-12 08:14:49.606402372 -0500
+++ policy-1.21.1/targeted/domains/unconfined.te	2005-01-12 09:18:27.219381074 -0500
@@ -4,7 +4,7 @@
 # is not explicitly confined.  It has no restrictions.
 # It needs to be carefully protected from the confined domains.
 
-type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem, unrestricted;
+type unconfined_t, domain, privuser, privrole, privowner, admin, auth_write, fs_domain, privmem;
 role system_r types unconfined_t;
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
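Review bot: Dropping `unrestricted` from the type declaration relies on `unconfined_domain(unconfined_t)` being invoked somewhere in this file, outside the hunk, now that the macro applies the attribute itself; if it is not, unconfined_t silently loses the attribute. A note on the type line makes the dependency visible: `# unrestricted is applied by unconfined_domain() below`.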
@@ -20,8 +20,8 @@
 type system_dbusd_var_run_t, file_type, sysadmfile;
 
 # User home directory type.
-type user_home_t, file_type, sysadmfile;
-type user_home_dir_t, file_type, sysadmfile;
+type user_home_t, file_type, sysadmfile, home_type;
+type user_home_dir_t, file_type, sysadmfile, home_dir_type;
 file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
 file_type_auto_trans(unconfined_t, user_home_dir_t, user_home_t)
 
@@ -43,6 +43,11 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Support SAMBA home directories
+bool use_samba_home_dirs false;
+
+ifdef(`samba.te', `samba_domain(user)')
+
 # Allow system to run with NIS
 bool allow_ypbind false;
 
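Review bot: `samba_domain(user)` is invoked unconditionally right under the new `use_samba_home_dirs` bool, yet the macro itself is gated on a different bool, `samba_enable_home_dirs`, and a reader will assume the two are one switch. Suggest comments telling them apart: `# use_samba_home_dirs: let user domains use home dirs mounted over CIFS (client side)` and `# samba_enable_home_dirs (see samba.te): let smbd serve local home dirs (server side)`. Where `samba_enable_home_dirs` is declared is outside this patch.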
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/types/apache.te policy-1.21.1/targeted/types/apache.te
--- nsapolicy/targeted/types/apache.te	2004-05-27 14:52:37.000000000 -0400
+++ policy-1.21.1/targeted/types/apache.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-#
-# Rules required by apache for targeted policy
-#
-define(`admin_tty_type', `{ tty_device_t devpts_t }')
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.21.1/tunables/distro.tun	2005-01-12 09:18:27.220380962 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
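Review bot: Enabling `define(`distro_redhat')` by default changes every `ifdef(`distro_redhat', ...)` block for all consumers of the reference policy, not only Fedora builds, and the surrounding comment still presents it as an opt-in. If this is intended for the upstream tree, the comment should say why, e.g. `# distro_redhat is on by default; other distributions should dnl it`; otherwise keep the `dnl` upstream and set it from the distribution's build.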
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-12-11 06:31:22.000000000 -0500
+++ policy-1.21.1/tunables/tunable.tun	2005-01-12 09:18:27.221380850 -0500
@@ -1,27 +1,24 @@
-# Allow users to execute the mount command
-dnl define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
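Review bot: Five tunables flip from commented out to defined, so by default rpm, hotplug/insmod and every rc-started daemon without an explicit transition now run unconfined, known denials are silenced by `hide_broken_symptoms`, and `user_r` can reach `sysadm_r`; each is the permissive end of its setting, while the comments still read as if they were optional. The `user_can_mount` tunable is also removed outright, so any remaining `ifdef(`user_can_mount', ...)` in the tree becomes silently false. If these are distribution defaults, a heading such as `# The defaults below are the Fedora build settings; the upstream example policy shipped them commented out` records the change of posture, or keep them `dnl` upstream.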


* Re: [Fwd: New policy patch]
From: James Carter @ 2005-01-21 20:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Finally merged.  Some comments below.

On Wed, 2005-01-12 at 10:44, Daniel J Walsh wrote: 
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/udev.fc policy-1.21.1/file_contexts/program/udev.fc
> --- nsapolicy/file_contexts/program/udev.fc	2005-01-12 08:14:48.813492366 -0500
> +++ policy-1.21.1/file_contexts/program/udev.fc	2005-01-12 09:18:27.204382758 -0500
> @@ -8,5 +8,5 @@
>  /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
>  /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
>  /dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
> -/dev/\.udev\.tdb	--	system_u:object_r:udev_tdb_t
> +/dev/\.udev\.tdb/.*	--	system_u:object_r:udev_tdb_t
>  /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
This is a directory on Rawhide but a file on FC3, so I would prefer to
keep it more general for now.

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.21.1/macros/base_user_macros.te
> --- nsapolicy/macros/base_user_macros.te	2004-12-09 10:26:10.000000000 -0500
> +++ policy-1.21.1/macros/base_user_macros.te	2005-01-12 09:18:27.205382646 -0500
> @@ -38,6 +44,7 @@
>  
>  # Allow text relocations on system shared libraries, e.g. libGL.
>  allow $1_t shlib_t:file execmod;
> +allow $1_t ld_so_t:file execmod;
>  
>  #
>  # kdeinit wants this access
We don't want to do this

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.1/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2004-12-21 10:59:59.000000000 -0500
> +++ policy-1.21.1/macros/program/mozilla_macros.te	2005-01-12 09:18:27.211381972 -0500
> @@ -25,7 +25,7 @@
>  allow $1_mozilla_t $1_t:process signull;
>  
>  # Set resource limits and scheduling info.
> -allow $1_mozilla_t self:process { setrlimit setsched };
> +allow $1_mozilla_t self:process { execmem setrlimit setsched };
>  
>  allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
>  allow $1_mozilla_t var_lib_t:file { getattr read };
We don't want to do this either.

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/samba_macros.te policy-1.21.1/macros/program/samba_macros.te
> --- nsapolicy/macros/program/samba_macros.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.21.1/macros/program/samba_macros.te	2005-01-12 09:18:27.213381748 -0500
> @@ -0,0 +1,28 @@
> +#
> +# Macros for samba domains.
> +#
> +
> +#
> +# Authors:  Dan Walsh <dwalsh@redhat.com>
> +#
> +
> +# 
> +# samba_domain(domain_prefix)
> +#
> +# Define a derived domain for the samba program when executed
> +# by a user domain.
> +#
> +# The type declaration for the executable type for this program is
> +# provided separately in domains/program/samba.te. 
> +#
> +undefine(`samba_domain')
> +ifdef(`samba.te', `
> +define(`samba_domain',`
> +if ( samba_enable_home_dirs ) {
> +file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
> +}
> +')
> +', `
> +define(`samba_domain',`')
> +
> +')dnl end if samba.te
The file_type_auto_trans rule conflicts with the following rule in the
user_domain macro in user_macros.te:
file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
There is a conflict because smbd_t has the privhome attribute.
For now I removed the privhome attribute from smbd_t.  Does it really
need it?  NFS doesn't have that attribute.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [Fwd: New policy patch]
From: Russell Coker @ 2005-01-22 23:37 UTC (permalink / raw)
  To: jwcart2; +Cc: Daniel J Walsh, SE Linux

On Saturday 22 January 2005 07:36, James Carter <jwcart2@epoch.ncsc.mil> 
> > +# samba_domain(domain_prefix)
> > +#
> > +# Define a derived domain for the samba program when executed
> > +# by a user domain.
> > +#
> > +# The type declaration for the executable type for this program is
> > +# provided separately in domains/program/samba.te.
> > +#
> > +undefine(`samba_domain')
> > +ifdef(`samba.te', `
> > +define(`samba_domain',`
> > +if ( samba_enable_home_dirs ) {
> > +file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
> > +}
> > +')
> > +', `
> > +define(`samba_domain',`')
> > +
> > +')dnl end if samba.te
>
> The file_type_auto_trans rule conflicts with the following rule in the
> user_domain macro in user_macros.te:
> file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
> There is a conflict because smbd_t has the privhome attribute.
> For now I removed the privhome attribute from smbd_t.  Does it really
> need it?  NFS doesn't have that attribute.

The privhome attribute just does the same thing as that file_type_auto_trans, 
so either will do.

If we are going to support exporting home directories for read/write by NFS 
then it will need privhome too.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [Fwd: New policy patch]
From: Daniel J Walsh @ 2005-02-17 23:09 UTC (permalink / raw)
  To: jwcart2; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 299 bytes --]

Ivan did a few more cleanups in x_client_macros and access_terminals.
    Added a couple of ioctls back in.

Had to add back in a dontaudit for net_admin on cups.

Allow dovecot to search certs dir

Fixes to allow squirrelmail to spell check

Privoxy needs to run as a client as well as a server



[-- Attachment #2: policy-20050217.patch --]
[-- Type: text/plain, Size: 16319 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/ChangeLog policy-1.21.14/ChangeLog
--- nsapolicy/ChangeLog	2005-02-17 10:16:42.000000000 -0500
+++ policy-1.21.14/ChangeLog	2005-02-17 10:25:16.000000000 -0500
@@ -1,6 +1,6 @@
 1.21 2005-02-07
 	* Added secure_file_type attribute from Dan Walsh
-	* Added access_terminal() macro from Dan Walsh
+	* Added access_terminal() macro from Ivan Gyurdiev
 	* Updated capability access vector for audit capabilities.
 	* Added mlsconvert Makefile target to help generate MLS policies
 	  (see selinux-doc/README.MLS for instructions).
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.21.14/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-02-10 14:48:38.000000000 -0500
+++ policy-1.21.14/domains/program/ldconfig.te	2005-02-17 10:24:21.000000000 -0500
@@ -38,14 +38,14 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
-ifdef(`distro_suse', `
-# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
-')
-
 allow ldconfig_t proc_t:file read;
 ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-')
+');
 ')dnl end hide_broken_symptoms
+ifdef(`targeted_policy', `
+allow ldconfig_t lib_t:file r_file_perms;
+unconfined_domain(ldconfig_t) 
+')
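Review bot: `');` on the close of the `dontaudit ldconfig_t unconfined_t:tcp_socket` block leaves a stray `;` in the expanded policy whenever `hide_broken_symptoms` and `unconfined.te` are both defined, which checkpolicy may not accept; it should read `')` as before. Separately, `unconfined_domain(ldconfig_t)` under `targeted_policy` makes ldconfig fully unconfined (and, if the earlier macro change adding `unrestricted` was merged, exempt from rules keyed on that attribute too), a large step for a program that is typically run from package scriptlets; the `allow ldconfig_t lib_t:file r_file_perms;` just above it is redundant once the domain is unconfined. A comment recording the decision, e.g. `# targeted: ldconfig is run by rpm scriptlets on arbitrary paths, so it is left unconfined; strict policy confines it`, would stop the next reader from trying to tighten it back.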
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.14/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-02-17 10:16:43.000000000 -0500
+++ policy-1.21.14/domains/program/unused/apache.te	2005-02-17 14:15:21.000000000 -0500
@@ -307,6 +307,7 @@
 #
 typealias httpd_log_t  alias httpd_runtime_t;
 allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
+dontaudit httpd_t httpd_runtime_t:file ioctl;
 ') dnl distro_redhat
 #
 # Customer reported the following
@@ -323,8 +324,9 @@
 allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
 # File Type of squirrelmail attachments
 type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow httpd_t var_spool_t:dir { getattr search };
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
 create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
 
 ifdef(`mta.te', `
 dontaudit system_mail_t httpd_log_t:file { append getattr };
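Review bot: `r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)` lets every system CGI script, not only squirrelmail, read the attachment spool, and `squirrelmail_spool_t` is declared with the `tmpfile` attribute; since `httpd_sys_script_t` is one domain for all system scripts this is the granularity available, but the grant deserves a comment on why scripts need it, e.g. `# squirrelmail's CGI reads back attachments it uploaded (spell check, sending)`.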
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.21.14/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-02-17 10:16:43.000000000 -0500
+++ policy-1.21.14/domains/program/unused/cups.te	2005-02-17 10:24:21.000000000 -0500
@@ -77,6 +77,7 @@
 
 # Use capabilities.
 allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+dontaudit cupsd_t self:capability net_admin;
 
 allow cupsd_t self:process setsched;
 
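Review bot: `dontaudit cupsd_t self:capability net_admin;` silences the denial without saying why cupsd asks for CAP_NET_ADMIN; a dontaudit on a capability is exactly the rule that gets carried forward unexamined, so the trigger should be recorded, e.g. `# cupsd requests CAP_NET_ADMIN (presumably a socket option it works without); deny quietly`. If the cause is a specific setsockopt, name it in the comment.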
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.21.14/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/dovecot.te	2005-02-17 13:33:02.000000000 -0500
@@ -26,6 +26,7 @@
 
 allow dovecot_t pop_port_t:tcp_socket name_bind;
 allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t cert_t:dir search;
 allow dovecot_t dovecot_cert_t:file { getattr read };
 
 allow dovecot_t { self proc_t }:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.21.14/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2005-02-10 14:48:39.000000000 -0500
+++ policy-1.21.14/domains/program/unused/nscd.te	2005-02-17 10:24:21.000000000 -0500
@@ -72,4 +72,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.21.14/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/ping.te	2005-02-17 10:24:21.000000000 -0500
@@ -11,7 +11,7 @@
 # ping_t is the domain for the ping program.
 # ping_exec_t is the type of the corresponding program.
 #
-type ping_t, domain, privlog;
+type ping_t, domain, privlog, nscd_client_domain;
 role sysadm_r types ping_t;
 role system_r types ping_t;
 in_user_role(ping_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.21.14/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te	2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/privoxy.te	2005-02-17 10:24:21.000000000 -0500
@@ -16,7 +16,7 @@
 allow privoxy_t self:capability net_bind_service;
 
 # Use the network.
-can_network_server(privoxy_t)
+can_network(privoxy_t)
 allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.14/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-02-17 10:16:44.000000000 -0500
+++ policy-1.21.14/domains/program/unused/samba.te	2005-02-17 10:24:21.000000000 -0500
@@ -176,12 +176,7 @@
 
 # Terminal
 read_locale(smbmount_t) 
-allow smbmount_t devtty_t:chr_file rw_file_perms;
-allow smbmount_t devpts_t:dir r_dir_perms;
-allow smbmount_t devpts_t:chr_file rw_file_perms;
-allow smbmount_t sysadm_tty_device_t:chr_file rw_file_perms;
-allow smbmount_t sysadm_devpts_t:chr_file rw_file_perms;
-#FIXME: what about user_tty_device_t, user_devpts_t?
+access_terminal(smbmount_t, sysadm)
 allow smbmount_t userdomain:fd use;
 allow smbmount_t local_login_t:fd use;
 ')
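Review bot: Replacing the explicit tty rules with `access_terminal(smbmount_t, sysadm)` also drops the `#FIXME: what about user_tty_device_t, user_devpts_t?` line without resolving it: the macro is called with the `sysadm` prefix only, so if its expansion is prefix-specific as the argument suggests, smbmount started from a user_r shell still cannot reach its terminal, even though the retained `allow smbmount_t userdomain:fd use;` implies user domains are expected callers. Either keep the FIXME next to the macro call or add a second `access_terminal(smbmount_t, user)` if that is intended.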
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.21.14/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-02-10 14:48:42.000000000 -0500
+++ policy-1.21.14/macros/program/games_domain.te	2005-02-17 10:24:21.000000000 -0500
@@ -30,7 +30,6 @@
 allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
 allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
 allow $1_games_t xdm_var_lib_t:file { getattr read };
-allow $1_games_t xdm_t:fifo_file rw_file_perms;
 ')dnl end if xdm.te
 
 can_unix_connect($1_t, $1_games_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.21.14/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2005-02-17 10:16:46.000000000 -0500
+++ policy-1.21.14/macros/program/gpg_macros.te	2005-02-17 10:24:21.000000000 -0500
@@ -44,6 +44,7 @@
 allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
 
 access_terminal($1_gpg_t, $1)
+allow $1_gpg_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
 ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
 
 # Inherit and use descriptors
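Review bot: `allow $1_gpg_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;` is re-added right after `access_terminal`, which implies the macro deliberately omits ioctl; without a comment the next cleanup will fold it away again. Suggest `# access_terminal() does not grant ioctl; gpg needs it on its tty (presumably tcgetattr/tcsetattr to disable echo for the passphrase prompt)`. The identical line added in mplayer_macros.te wants the same explanation.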
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.21.14/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-02-17 10:16:46.000000000 -0500
+++ policy-1.21.14/macros/program/mozilla_macros.te	2005-02-17 10:24:21.000000000 -0500
@@ -123,12 +123,6 @@
 allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
 ')dnl end if mplayer.te  
 
-ifdef(`xdm.te', `
-allow $1_mozilla_t xdm_t:fifo_file { write read };
-allow $1_mozilla_t xdm_tmp_t:dir search;
-allow $1_mozilla_t xdm_tmp_t:file { getattr read };
-allow $1_mozilla_t xdm_tmp_t:sock_file write;
-')dnl end if xdm.te
 if (allow_execmem) {
 allow $1_mozilla_t self:process { execmem };
 }
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.21.14/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-02-14 14:49:20.000000000 -0500
+++ policy-1.21.14/macros/program/mplayer_macros.te	2005-02-17 10:24:21.000000000 -0500
@@ -45,6 +45,7 @@
 uses_shlib($1_$2_t)
 read_locale($1_$2_t)
 access_terminal($1_$2_t, $1)
+allow $1_$2_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
 
 # Required for win32 binary loader 
 allow $1_$2_t zero_device_t:chr_file { read write execute };
@@ -79,11 +80,6 @@
 # Mplayer common stuff
 mplayer_common($1, mplayer)
 
-# Additional rules for search /tmp/.X11-unix
-ifdef(`xdm.te', `
-allow $1_mplayer_t xdm_tmp_t:dir search;
-')dnl end if xdm.te
-
 # Audio
 allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.21.14/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.14/macros/program/tvtime_macros.te	2005-02-17 10:24:21.000000000 -0500
@@ -33,9 +33,6 @@
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process setsched;
 allow $1_tvtime_t usr_t:file { getattr read };
-ifdef(`xdm.te', `
-allow $1_tvtime_t xdm_tmp_t:dir search;
-')
 
 ')dnl end tvtime_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.14/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-02-17 10:16:46.000000000 -0500
+++ policy-1.21.14/macros/program/x_client_macros.te	2005-02-17 10:24:22.000000000 -0500
@@ -179,7 +179,7 @@
 allow $1_$2_t xdm_xserver_tmpfs_t:file r_file_perms;
 
 can_unix_connect($1_$2_t, xdm_xserver_t)
-allow $1_$2_t xdm_xserver_tmp_t:dir search;
+allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
 allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:sock_file { read write };
 allow $1_$2_t xdm_t:fd use;
 dontaudit $1_$2_t xdm_t:tcp_socket { read write };
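Review bot: The changed line `+allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;` centralises the xdm_tmp_t search that the mozilla, mplayer and tvtime hunks delete, but the mozilla hunk also drops `allow $1_mozilla_t xdm_t:fifo_file { write read };` and `allow $1_mozilla_t xdm_tmp_t:file { getattr read };`, which this hunk does not re-add. Unless x_client_domain grants those outside the visible lines, a mozilla started from an xdm session loses them. A one-line comment above the changed line, `# every X client needs to search xdm_tmp_t; the per-application copies were removed`, would record why the app-specific rules went away. The x_client_domain macro continues outside the hunk.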
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.21.14/Makefile
--- nsapolicy/Makefile	2005-02-17 15:52:02.000000000 -0500
+++ policy-1.21.14/Makefile	2005-02-17 12:22:30.000000000 -0500
@@ -21,21 +21,25 @@
 SBINDIR = $(PREFIX)/sbin
 LOADPOLICY  = $(SBINDIR)/load_policy
 CHECKPOLICY = $(BINDIR)/checkpolicy
+GENHOMEDIRCON = $(SBINDIR)/genhomedircon
 SETFILES = $(SBINDIR)/setfiles
 VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
 KERNVERS := $(shell cat /selinux/policyvers)
 POLICYVER := policy.$(VERS)
+TOPDIR = $(DESTDIR)/etc/selinux
 ifeq ($(MLS),y)
-INSTALLDIR = $(DESTDIR)/etc/selinux/mls
+TYPE=mls
 else
-INSTALLDIR = $(DESTDIR)/etc/selinux/strict
+TYPE=strict
 endif
+INSTALLDIR = $(TOPDIR)/$(TYPE)
 POLICYPATH = $(INSTALLDIR)/policy
 SRCPATH = $(INSTALLDIR)/src
 USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 LOADPATH = $(POLICYPATH)/$(POLICYVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 
 ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
 ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
@@ -50,15 +54,18 @@
 POLICYFILES += mls
 CHECKPOLMLS += -M
 endif
+DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
 POLICYFILES += $(USER_FILES)
 POLICYFILES += constraints
-POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts
-CONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+POLICYFILES += $(DEFCONTEXTFILES)
+CONTEXTFILES = $(DEFCONTEXTFILES)
+POLICY_DIRS = domains/program domains/misc
 
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 
 FC = file_contexts/file_contexts
+HOMEDIR_TEMPLATE = file_contexts/homedir_template
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
 CONTEXTFILES += $(FCFILES)
 
@@ -169,9 +176,9 @@
 	grep -v dontaudit policy.conf > policy.audit
 	mv policy.audit policy.conf
 
-policy.conf: $(POLICYFILES) 
+policy.conf: $(POLICYFILES) $(POLICY_DIRS)
 	mkdir -p tmp
-	m4 $(M4PARAM) -Imacros -s $^ > $@.tmp
+	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
 	mv $@.tmp $@
 
 install-src: 
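Review bot: The switch from `$^` to `$(POLICYFILES)` on the m4 line is required because `$(POLICY_DIRS)` are now prerequisites and would otherwise be fed to m4 as inputs, but nothing in the rule says so. A comment above the rule, `# directories are prerequisites only (rebuild when .te files appear/disappear); m4 must get the explicit file list`, would keep the next editor from reverting to `$^`. Note that a directory's mtime changes only when entries are added or removed, not when an existing .te file is edited, which the `$(POLICYFILES)` dependency still covers.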
@@ -203,14 +210,15 @@
 $(FCPATH): $(FC) 
 	@mkdir -p $(CONTEXTPATH)/files
 	install -m 644 $(FC) $(FCPATH)
+	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
 
 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
 	@echo "Building file_contexts ..."
 	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v "^/root" $@.tmp > $@.root
-	@/usr/sbin/genhomedircon . $@.root  > $@
-	@grep "^/root" $@.tmp >> $@
-	@-rm $@.tmp $@.root
+	@grep -v -e HOME -e ROLE $@.tmp > $@
+	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@-rm $@.tmp
 
 # Create a tags-file for the policy:
 # we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
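Review bot: `grep -v -e HOME -e ROLE $@.tmp > $@` filters on bare substrings, so any file_contexts entry or comment whose path happens to contain HOME or ROLE is silently moved out of file_contexts into homedir_template instead of being installed. Matching the whole placeholder tokens genhomedircon expands (presumably HOME_DIR, HOME_ROOT and ROLE, as word-anchored patterns) would make the split exact; the same pattern appears on both grep lines, so both need the change. `$(USEPWD)` on the genhomedircon line is not defined anywhere in this diff, so unless it comes from the environment it expands to nothing; a default assignment next to the other variables in the first Makefile hunk would make that explicit. The `@` prefix only hides the command echo, so a failing genhomedircon still fails the install, which is the right behaviour.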
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.21.14/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-02-09 15:01:45.000000000 -0500
+++ policy-1.21.14/targeted/domains/unconfined.te	2005-02-17 10:24:22.000000000 -0500
@@ -9,6 +9,8 @@
 role user_r types unconfined_t;
 role sysadm_r types unconfined_t;
 unconfined_domain(unconfined_t)
+allow domain unconfined_t:fd use;
+allow domain unconfined_t:process sigchld;
 
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
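Review bot: `allow domain unconfined_t:fd use;` and the sigchld rule give every domain in the policy, not only those launched from unconfined_t, the right to use any descriptor inherited from unconfined_t, and the hunk gives no reason. In the targeted policy unconfined_t is where daemons are started from, so the intent is presumably to stop the fd-use and sigchld denials on every domain transition; a comment above the two lines, `# confined daemons are exec'd from unconfined_t; let them use inherited fds and signal their parent on exit`, would record that. If the grant is meant to be narrower, the `domain` attribute can be replaced by the specific daemon domains that need it.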
@@ -37,6 +39,9 @@
 user_typealias(sysadm)
 user_typealias(staff)
 user_typealias(user)
+attribute user_file_type;
+attribute staff_file_type;
+attribute sysadm_file_type;
 
 allow unconfined_t unlabeled_t:filesystem *;
 allow unlabeled_t self:filesystem associate;
@@ -45,14 +50,19 @@
 bool use_nfs_home_dirs false;
 
 # Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
+bool allow_execmem true;
 
 # Support Share libraries with Text Relocation
-bool allow_execmod false;
+bool allow_execmod true;
 
 # Support SAMBA home directories
 bool use_samba_home_dirs false;
 
+if (allow_execmod) {
+allow unconfined_t { ld_so_t shlib_t }:file execmod;
+allow unconfined_t { bin_t sbin_t exec_type }:file execmod;
+}
+
 ifdef(`samba.te', `samba_domain(user)')
 
 # Allow system to run with NIS
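Review bot: Flipping `allow_execmem` and `allow_execmod` to `true` and adding `allow unconfined_t { bin_t sbin_t exec_type }:file execmod;` switches off, by default, the only W^X-style restriction this file still places on unconfined_t, and the execmod grant covers every executable type rather than the text-relocated libraries the comment describes. If the goal is legacy libraries with text relocations, `texrel_shlib_t` (the type distros.fc uses elsewhere in this thread for exactly those objects) is the narrower target, and bin_t and sbin_t are presumably already members of exec_type so the set can shrink. The booleans remain administrator-tunable, but since the default is what most installs run, the reason for enabling them belongs in the comments above the bools, something like `# default on for unconfined_t: many third-party binaries still need execmem/execmod; set false to enforce`.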
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.21.14/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.14/tunables/distro.tun	2005-02-17 10:24:22.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.14/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-09 15:01:31.000000000 -0500
+++ policy-1.21.14/tunables/tunable.tun	2005-02-17 10:24:22.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
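Review bot: Enabling `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm` changes the shipped default posture of the strict policy for every tree that merges this, not just the distribution that needs it: rpm, hotplug/insmod and every rc-started daemon without its own transition now run unconfined, and user_r can reach sysadm_r. Since the same patch enables `distro_redhat` in distro.tun, these look like distribution defaults rather than reference ones; keeping them commented out here and turning them on from a distro-conditional block or a packaging step would leave the upstream defaults conservative. At minimum a comment at the top of the file noting that these are the Red Hat defaults would tell other consumers to review them before loading.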


* Re: [Fwd: New policy patch]
  2005-02-17 23:09   ` Daniel J Walsh
@ 2005-02-24 19:10     ` James Carter
  0 siblings, 0 replies; 16+ messages in thread
From: James Carter @ 2005-02-24 19:10 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged.
On Thu, 2005-02-17 at 18:09 -0500, Daniel J Walsh wrote:
> Ivan did a few more cleanups in x_client_macros and access_terminals.
>     Added a couple of ioctls back in.
> 
> Had to add back in a dontaudit for net_admin on cups.
> 
> Allow dovecot to search certs dir
> 
> Fixes to allow squirrelmail to spell check
> 
> Privoxy needs to run as a client as well as a server
> 
> 
> plain text document attachment (policy-20050217.patch)

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Policy Patch
  2005-01-21 20:36 ` James Carter
  2005-01-22 23:37   ` Russell Coker
  2005-02-17 23:09   ` Daniel J Walsh
@ 2005-03-29 16:47   ` Daniel J Walsh
  2005-04-01 20:28     ` James Carter
  2005-04-04 18:50   ` New " Daniel J Walsh
  3 siblings, 1 reply; 16+ messages in thread
From: Daniel J Walsh @ 2005-03-29 16:47 UTC (permalink / raw)
  To: jwcart2; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 464 bytes --]

Major cleanup of Makefile.  It probably still needs some sanity checks.
Added better echo messages, and made sure the customizable file gets
replaced on make load.

Added policy ssh_keysign_exec_t for /usr/libexec/openssh/ssh-keysign

Better handling of syslog-ng

Whole bunch of changes from Ivan, for desktop apps.

Allow named and nscd to write logs to /var/log

Lots of name_connect fixes.

New bool for squid to connect to any port or just http ports.




-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 39570 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.5/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/domains/program/ssh.te	2005-03-28 10:21:45.000000000 -0500
@@ -220,6 +220,7 @@
 
 # Type for the ssh executable.
 type ssh_exec_t, file_type, exec_type, sysadmfile;
+type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
 
 # Everything else is in the ssh_domain macro in
 # macros/program/ssh_macros.te.
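Review bot: The new `ssh_keysign_exec_t` type is declared here and labelled on /usr/libexec/openssh/ssh-keysign in the ssh.fc hunk, but no hunk in this chunk defines a domain for it or a transition to one; the ssh_macros.te diff that presumably carries that begins after the end of this chunk. ssh-keysign is the setuid helper that reads the host keys on the client's behalf, so until a transition exists the binary runs with the caller's type and the label does nothing. A comment on the type line, `# setuid helper that reads host keys for hostbased auth; its domain is in ssh_macros.te`, would point readers to where the domain lives.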
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.5/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.5/domains/program/syslogd.te	2005-03-28 10:21:45.000000000 -0500
@@ -79,16 +79,10 @@
 dontaudit syslogd_t initrc_var_run_t:file write;
 allow syslogd_t ttyfile:chr_file { getattr write };
 
-ifdef(`klogd.te', `', `
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-')
 #
 # Special case to handle crashes
 #
-allow syslogd_t { device_t file_t }:sock_file unlink;
+allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
 
 # Allow syslog to a terminal
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
@@ -111,6 +105,10 @@
 bool use_syslogng false;
 
 if (use_syslogng) {
-allow syslogd_t proc_kmsg_t:file write;
-allow syslogd_t self:capability { sys_admin chown };
+# Allow access to /proc/kmsg for syslog-ng
+allow syslogd_t proc_t:dir search;
+allow syslogd_t proc_kmsg_t:file { getattr read };
+allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+allow syslogd_t self:capability { sys_admin chown fsetid };
+allow syslogd_t var_log_t:dir { create setattr };
 }
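Review bot: Moving the /proc/kmsg and syslog_mod/syslog_console rules from the `ifdef(`klogd.te', ...)` fallback in the first hunk into the `if (use_syslogng)` block changes who gets them: before, any syslogd without a klogd policy could read the kernel log, now only installs that set the bool can. If sysklogd without klogd is not a supported configuration that is fine, but it is a silent narrowing for anyone relying on the old ifdef and the commit text ("Better handling of syslog-ng") does not mention it. The added `fsetid` capability and `var_log_t:dir { create setattr }` let syslog-ng create directories under /var/log and keep setgid bits on them; a comment naming the syslog-ng feature that needs to create log directories would justify the extra grant.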
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.5/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/domains/program/unused/apache.te	2005-03-28 10:21:45.000000000 -0500
@@ -152,7 +152,9 @@
 allow httpd_t bin_t:lnk_file read;
 
 can_network(httpd_t)
+if (httpd_can_network_connect) {
 allow httpd_t port_type:tcp_socket name_connect;
+}
 can_ypbind(httpd_t)
 
 ###################
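Review bot: The new `if (httpd_can_network_connect) { ... }` guard references a bool that no hunk in this diff declares, whereas the squid hunk declares `bool squid_connect_any false;` immediately before using it. If `httpd_can_network_connect` already exists earlier in apache.te, outside this hunk, this is fine; if not, checkpolicy will reject the file, so it is worth confirming. `can_network(httpd_t)` on the line above stays unconditional, so the bool only gates outbound name_connect, which is the intended narrowing.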
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.23.5/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/domains/program/unused/canna.te	2005-03-28 10:21:45.000000000 -0500
@@ -42,3 +42,5 @@
 can_unix_connect(i18n_input_t, canna_t)
 ')
 
+dontaudit canna_t kernel_t:fd use;
+dontaudit canna_t root_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.5/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.5/domains/program/unused/cups.te	2005-03-28 10:21:45.000000000 -0500
@@ -143,8 +143,8 @@
 # PTAL
 daemon_domain(ptal)
 etcdir_domain(ptal)
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
+
+file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
 allow ptal_t self:capability chown;
 allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ptal_t self:unix_stream_socket { listen accept };
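Review bot: `file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)` without a class argument replaces two rules that granted create_file_perms on fifo_file and sock_file only, so ptal_t can now create regular files, directories and other object classes under var_run_t and have them labelled ptal_var_run_t. If the daemon only needs its socket and fifo, the class-restricted form the udev hunk in this same patch uses, `file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)`, shows how to keep the grant narrow; two calls with `sock_file` and `fifo_file` would match the old rules plus the type transition.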
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.5/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.5/domains/program/unused/hald.te	2005-03-29 10:44:55.000000000 -0500
@@ -31,6 +31,7 @@
 allow hald_t usr_t:file { getattr read };
 
 allow hald_t bin_t:file getattr;
+allow hald_t self:netlink_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network_server(hald_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.23.5/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.5/domains/program/unused/mailman.te	2005-03-28 10:21:45.000000000 -0500
@@ -30,7 +30,7 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
-allow mailman_$1_t port_type:tcp_socket name_connect;
+allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
 can_ypbind(mailman_$1_t)
 allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.5/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.5/domains/program/unused/mta.te	2005-03-28 10:21:45.000000000 -0500
@@ -13,8 +13,6 @@
 ifdef(`sendmail.te', `', `
 type sendmail_exec_t, file_type, exec_type, sysadmfile;
 ')
-type smtp_port_t, port_type, reserved_port_type;
-
 
 # create a system_mail_t domain for daemons, init scripts, etc when they run
 # "mail user@domain"
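Review bot: This hunk deletes the `type smtp_port_t` declaration, and the two samba.te hunks delete `smbd_port_t` and `nmbd_port_t` the same way, while the mailman.te and winbind.te hunks in this patch now reference `smtp_port_t` and `smbd_port_t` directly. No hunk in this chunk adds the new declarations, so they presumably moved to a file outside the diff (net_contexts or a shared types file); if so, a one-line comment at each deletion site, `# smtp_port_t is now declared with the other port types`, would stop the next reader from re-adding it. The winbind case matters most: it used to see smbd_port_t only through samba.te, and its `ifdef(`samba.te', `', ...)` fallback does not declare the port, so winbind built without samba must find the declaration elsewhere.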
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.5/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.5/domains/program/unused/named.te	2005-03-28 10:21:45.000000000 -0500
@@ -60,6 +60,7 @@
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
 can_tcp_connect(domain, named_t)
+log_domain(named)
 
 # Bind to the named port.
 allow named_t dns_port_t:udp_socket name_bind;
@@ -104,7 +105,7 @@
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
 uses_shlib(ndc_t)
 can_network_client_tcp(ndc_t)
-allow ndc_t port_type:tcp_socket name_connect;
+allow ndc_t rndc_port_t:tcp_socket name_connect;
 can_ypbind(ndc_t)
 can_resolve(ndc_t)
 read_locale(ndc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.5/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/nscd.te	2005-03-28 10:21:45.000000000 -0500
@@ -73,3 +73,4 @@
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+log_domain(nscd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.5/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.5/domains/program/unused/pamconsole.te	2005-03-28 10:21:45.000000000 -0500
@@ -10,6 +10,12 @@
 allow pam_console_t etc_t:file { getattr read ioctl };
 allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
 
+# Read /etc/mtab
+allow pam_console_t etc_runtime_t:file { read getattr };
+
+# Read /proc/meminfo
+allow pam_console_t proc_t:file { read getattr };
+
 allow pam_console_t self:capability { chown fowner fsetid };
 
 # Allow access to /dev/console through the fd:
@@ -24,7 +30,7 @@
 allow pam_console_t device_t:dir { getattr read };
 allow pam_console_t device_t:lnk_file { getattr read };
 # mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
 allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
 
 allow pam_console_t mnt_t:dir r_dir_perms;
@@ -36,7 +42,6 @@
 dontaudit pam_console_t hotplug_etc_t:dir search;
 allow pam_console_t hotplug_t:fd use;
 ')
-allow pam_console_t proc_t:file read;
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.5/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/samba.te	2005-03-28 10:21:45.000000000 -0500
@@ -41,7 +41,6 @@
 general_domain_access(smbd_t)
 general_proc_read_access(smbd_t)
 
-type smbd_port_t, port_type, reserved_port_type;
 allow smbd_t smbd_port_t:tcp_socket name_bind;
 
 # Use capabilities.
@@ -88,7 +87,6 @@
 general_domain_access(nmbd_t)
 general_proc_read_access(nmbd_t)
 
-type nmbd_port_t, port_type, reserved_port_type;
 allow nmbd_t nmbd_port_t:udp_socket name_bind;
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.5/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/squid.te	2005-03-28 10:21:45.000000000 -0500
@@ -12,7 +12,7 @@
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
-
+bool squid_connect_any false;
 daemon_domain(squid, `, web_client_domain, nscd_client_domain')
 type squid_conf_t, file_type, sysadmfile;
 general_domain_access(squid_t)
@@ -53,13 +53,16 @@
 
 # Use the network
 can_network(squid_t)
+if (squid_connect_any) {
 allow squid_t port_type:tcp_socket name_connect;
+} else {
+allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
+}
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t http_cache_port_t:tcp_socket name_bind;
-allow squid_t http_cache_port_t:udp_socket name_bind;
+allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.5/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/domains/program/unused/udev.te	2005-03-28 10:21:45.000000000 -0500
@@ -29,7 +29,7 @@
 type udev_tdb_t, file_type, sysadmfile, dev_fs;
 typealias udev_tdb_t alias udev_tbl_t;
 file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
@@ -71,6 +71,7 @@
 
 allow udev_t kernel_t:fd use;
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+allow udev_t kernel_t:process signal;
 
 allow udev_t initrc_var_run_t:file r_file_perms;
 dontaudit udev_t initrc_var_run_t:file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.5/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/winbind.te	2005-03-28 10:21:45.000000000 -0500
@@ -13,7 +13,9 @@
 allow winbind_t etc_t:file r_file_perms;
 allow winbind_t etc_t:lnk_file read;
 can_network(winbind_t)
-allow winbind_t port_type:tcp_socket name_connect;
+allow winbind_t smbd_port_t:tcp_socket name_connect;
+can_resolve(winbind_t)
+
 ifdef(`samba.te', `', `
 type samba_etc_t, file_type, sysadmfile, usercanread;
 type samba_log_t, file_type, sysadmfile, logfile;
@@ -28,7 +30,6 @@
 allow winbind_t urandom_device_t:chr_file { getattr read };
 allow winbind_t self:fifo_file { read write };
 rw_dir_create_file(winbind_t, samba_var_t)
-allow winbind_t krb5_conf_t:file { getattr read };
-dontaudit winbind_t krb5_conf_t:file { write };
+can_kerberos(winbind_t)
 allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow winbind_t winbind_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.5/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.5/domains/program/unused/xdm.te	2005-03-28 10:21:45.000000000 -0500
@@ -311,6 +311,7 @@
 allow xdm_t pam_var_run_t:dir create_dir_perms;
 allow xdm_t pam_var_run_t:file create_file_perms;
 allow pam_t xdm_t:fifo_file { getattr ioctl write };
+can_exec(xdm_t, pam_console_exec_t)
 can_exec(xdm_t, pam_exec_t)
 # For pam_console
 rw_dir_create_file(xdm_t, pam_var_console_t)
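Review bot: `can_exec(xdm_t, pam_console_exec_t)` runs the pam_console helper inside xdm_t instead of transitioning to the pam_console_t domain that pamconsole.te defines, so the helper inherits xdm_t's full permission set and pam_console_t's narrower rules are bypassed for this caller. If there is a reason the transition is unwanted (the helper needing xdm's descriptors, for instance), a comment saying so would help; otherwise `domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)` is the conventional form and keeps the pamconsole rules meaningful. xdm_t's rules continue outside the hunk either way.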
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.5/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/file_contexts/distros.fc	2005-03-28 10:21:45.000000000 -0500
@@ -98,10 +98,10 @@
 /usr/lib/valgrind/vgskin_massif\.so		-- system_u:object_r:texrel_shlib_t
 /usr/lib/valgrind/vgskin_memcheck\.so		-- system_u:object_r:texrel_shlib_t
 /usr/lib/valgrind/vgskin_none\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
 # Fedora Extras packages: ladspa, imlib2, ocaml
 /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
 /usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
@@ -140,6 +140,11 @@
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t
+
+/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
+/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
 
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.5/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/file_contexts/program/apache.fc	2005-03-29 09:07:33.000000000 -0500
@@ -44,3 +44,4 @@
 /usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
 /etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.23.5/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/file_contexts/program/named.fc	2005-03-28 10:21:45.000000000 -0500
@@ -21,6 +21,8 @@
 /var/run/bind(/.*)?		system_u:object_r:named_var_run_t
 /var/run/named(/.*)?		system_u:object_r:named_var_run_t
 /usr/sbin/lwresd	--	system_u:object_r:named_exec_t
+/var/log/named.* 	--  system_u:object_r:named_log_t
+
 ifdef(`distro_redhat', `
 /var/named/named\.ca	--	system_u:object_r:named_conf_t
 /var/named/chroot(/.*)?		system_u:object_r:named_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.23.5/file_contexts/program/nscd.fc
--- nsapolicy/file_contexts/program/nscd.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/file_contexts/program/nscd.fc	2005-03-28 10:21:45.000000000 -0500
@@ -4,3 +4,4 @@
 /var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
 /var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
 /var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+/var/log/nscd\.log.*	--	system_u:object_r:nscd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ssh.fc policy-1.23.5/file_contexts/program/ssh.fc
--- nsapolicy/file_contexts/program/ssh.fc	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.5/file_contexts/program/ssh.fc	2005-03-28 10:21:45.000000000 -0500
@@ -1,5 +1,6 @@
 # ssh
 /usr/bin/ssh		--	system_u:object_r:ssh_exec_t
+/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t
 /usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t
 # sshd
 /etc/ssh/primes		--	system_u:object_r:sshd_key_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.5/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/apache_macros.te	2005-03-28 10:21:45.000000000 -0500
@@ -3,10 +3,11 @@
 
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
+type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
+ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;') 
 
 # This type is used for .htaccess files
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.5/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.5/macros/program/games_domain.te	2005-03-28 10:21:45.000000000 -0500
@@ -19,10 +19,18 @@
 }
 role $1_r types $1_games_t;
 
-# X access, Private tmp
+# X access, /tmp files
 x_client_domain($1, games)
 tmp_domain($1_games)
 
+uses_shlib($1_games_t)
+read_locale($1_games_t)
+read_sysctl($1_games_t)
+access_terminal($1_games_t, $1)
+
+# Fork
+allow $1_games_t self:process { fork signal_perms getsched };
+
 # Games seem to need this
 if (allow_execmem) {
 allow $1_games_t self:process execmem;
@@ -37,7 +45,7 @@
 
 # Access /home/user/.gnome2
 create_dir_file($1_games_t, $1_home_t)
-allow $1_games_t $1_home_dir_t:dir search;
+allow $1_games_t $1_home_dir_t:dir { read getattr search };
 allow $1_games_t $1_home_t:dir { read getattr };
 
 create_dir_file($1_games_t, $1_tmp_t)
@@ -57,6 +65,7 @@
 
 allow $1_games_t var_lib_t:dir search;
 r_dir_file($1_games_t, man_t)
+allow $1_games_t proc_t:dir search;
 allow $1_games_t proc_t:file { read getattr };
 ifdef(`mozilla.te', ` 
 dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
@@ -64,10 +73,17 @@
 allow $1_games_t event_device_t:chr_file getattr;
 allow $1_games_t mouse_device_t:chr_file getattr;
 allow $1_games_t self:file { getattr read };
+allow $1_games_t self:fifo_file rw_file_perms;
 
 # kpat spews errors
 dontaudit $1_games_t bin_t:dir getattr;
 dontaudit $1_games_t var_run_t:dir search;
 
+# Allow games to read /etc/mtab and /etc/nsswitch.conf
+allow $1_games_t etc_t:file { getattr read };
+allow $1_games_t etc_runtime_t:file { getattr read };
+
+# 
+
 ')dnl end macro definition
 
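Review bot: The hunk leaves a stray empty comment `# ` followed by a blank line just before `')dnl end macro definition`, which reads like an unfinished note; either complete the comment or delete those two lines. The earlier additions in this file (uses_shlib, read_locale, read_sysctl, access_terminal) duplicate the block added to gift_macros.te and mozilla_macros.te in the same patch; if every x client needs them, folding them into x_client_domain would avoid three copies, though that may be out of scope here.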
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.5/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/gift_macros.te	2005-03-28 10:21:45.000000000 -0500
@@ -17,10 +17,15 @@
 domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
 role $1_r types $1_gift_t;
 
-# X access, Home access
+# X access, Home files 
 x_client_domain($1, gift)
 home_domain($1, gift)
 
+uses_shlib($1_gift_t)
+read_locale($1_gift_t)
+read_sysctl($1_gift_t)
+access_terminal($1_gift_t, $1)
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
@@ -29,7 +34,8 @@
 r_dir_file($1_gift_t, fonts_t)
 
 # Launch gift daemon
-allow $1_gift_t self:process fork;
+allow $1_gift_t bin_t:dir search;
+allow $1_gift_t self:process { fork signal_perms getsched };
 domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
 
 # Connect to gift daemon
@@ -40,6 +46,10 @@
 allow $1_gift_t proc_t:dir search;
 allow $1_gift_t proc_t:file { getattr read };
 
+# Read /etc/mtab, /etc/nsswitch.conf
+allow $1_gift_t etc_t:file { getattr read };
+allow $1_gift_t etc_runtime_t:file { getattr read };
+
 # Tmp/ORBit
 tmp_domain($1_gift)
 file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
@@ -78,6 +88,7 @@
 read_sysctl($1_giftd_t)
 read_locale($1_giftd_t)
 uses_shlib($1_giftd_t)
+access_terminal($1_giftd_t, $1)
 
 # Access home domain
 home_domain_access($1_giftd_t, $1, gift)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.5/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.5/macros/program/mozilla_macros.te	2005-03-28 10:21:45.000000000 -0500
@@ -24,33 +24,52 @@
 }
 role $1_r types $1_mozilla_t;
 
+# X access, Home files
 home_domain($1, mozilla)
 x_client_domain($1, mozilla)
+
+# Browse files
 file_browse_domain($1_mozilla_t)
 
+can_network($1_mozilla_t)
+uses_shlib($1_mozilla_t)
+read_locale($1_mozilla_t)
+read_sysctl($1_mozilla_t)
+access_terminal($1_mozilla_t, $1)
+
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
 # Unrestricted inheritance from the caller.
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
 allow $1_mozilla_t $1_t:process signull;
 
-# Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+# Fork, set resource limits and scheduling info.
+allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
 allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
 allow $1_mozilla_t self:socket create_socket_perms;
 allow $1_mozilla_t self:file { getattr read };
+allow $1_mozilla_t self:fifo_file rw_file_perms;
 
-# for bash
+# for bash - old mozilla binary
+can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, bin_t)
+allow $1_mozilla_t bin_t:lnk_file read;
 allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t devpts_t:dir r_dir_perms;
 allow $1_mozilla_t proc_t:file { getattr read };
+allow $1_mozilla_t proc_t:lnk_file read;
+allow $1_mozilla_t self:dir search;
+allow $1_mozilla_t self:lnk_file read;
 r_dir_file($1_mozilla_t, proc_net_t)
 
 allow $1_mozilla_t { var_t var_lib_t }:dir search;
 
+# Allow mozilla to read /etc/mtab, /etc/nsswitch.conf
+allow $1_mozilla_t etc_t:file { getattr read };
+allow $1_mozilla_t etc_runtime_t:file { getattr read };
+
 # interacting with gstreamer
 r_dir_file($1_mozilla_t, var_t)
 
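Review bot: `can_network($1_mozilla_t)` on L3103 replaces the network access removed from x_client_domain, but the `port_type:tcp_socket name_connect` that used to come with it is not re-granted anywhere in this hunk; on a policy that enforces name_connect (this series adds it for ssh and httpd), outbound browser connections would be denied unless a name_connect rule exists elsewhere in the macro, which is outside the hunk. `can_exec($1_mozilla_t, bin_t)` is broad, since it lets the browser domain run any bin_t program without a transition, so the comment `# for bash - old mozilla binary` should name which binaries need it, e.g. `# for bash - old mozilla binary is a shell wrapper that execs the real binary`. The `getattr read` grants on etc_t and etc_runtime_t mirror what the macro lost and look correct.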
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.5/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/ssh_macros.te	2005-03-28 10:21:45.000000000 -0500
@@ -80,7 +80,7 @@
 # Grant permissions needed to create TCP and UDP sockets and
 # to access the network.
 can_network_client_tcp($1_ssh_t)
-allow $1_ssh_t port_type:tcp_socket name_connect;
+allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
 can_resolve($1_ssh_t)
 can_ypbind($1_ssh_t)
 can_kerberos($1_ssh_t)
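Review bot: Narrowing `name_connect` from `port_type` to `ssh_port_t` is the right least-privilege direction, but it also means connecting to an ssh server on a non-standard port (`ssh -p`) is denied unless that port is labelled ssh_port_t. A comment such as `# only ssh_port_t: non-standard ports need a portcon for ssh_port_t` would save the next person an audit-log search.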
@@ -153,6 +153,22 @@
 allow $1_ssh_t mnt_t:dir search;
 r_dir_file($1_ssh_t, removable_t) 
 
+type $1_ssh_keysign_t, domain, nscd_client_domain;
+role $1_r types $1_ssh_keysign_t;
+domain_auto_trans($1_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+allow $1_ssh_keysign_t self:capability { setgid setuid };
+allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+uses_shlib($1_ssh_keysign_t)
+dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+allow $1_ssh_keysign_t usr_t:dir search;
+allow $1_ssh_keysign_t etc_t:file { getattr read };
+allow $1_ssh_keysign_t self:dir search;
+allow $1_ssh_keysign_t self:file { getattr read };
+allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
 ifdef(`xdm.te', `
 # should be able to remove these two later
 allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
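Review bot: `domain_auto_trans($1_t, ssh_keysign_exec_t, $1_ssh_keysign_t)` transitions from the user domain, but ssh-keysign is executed by the ssh client, which this macro presumably runs as $1_ssh_t; if $1_ssh_t cannot reach ssh_keysign_exec_t with a transition, the helper would run without the setuid/setgid capability and the sshd_key_t read granted here. A transition from $1_ssh_t, plus whatever fd or pipe use ssh-keysign needs to talk to ssh over stdin/stdout, is probably what is required; confirm against the rest of ssh_domain, which is outside this hunk. Since this domain reads the host private keys, a comment such as `# ssh-keysign: setuid helper that signs with the host key for hostbased auth; needs sshd_key_t read` would explain why these capabilities are granted. The type is added for the targeted ssh.te at L3497; make sure the strict domains/program/ssh.te declares it as well, as that file is not visible here.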
@@ -164,7 +180,6 @@
 allow $1_ssh_t xdm_t:fd use;
 ')dnl end if xdm.te
 ')dnl end macro definition
-
 ', `
 
 define(`ssh_domain',`')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.5/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-03-21 22:32:20.000000000 -0500
+++ policy-1.23.5/macros/program/tvtime_macros.te	2005-03-28 10:21:45.000000000 -0500
@@ -24,11 +24,21 @@
 domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
 role $1_r types $1_tvtime_t;
 
-# Home access, X access
+# X access, Home files
 home_domain($1, tvtime)
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
 x_client_domain($1, tvtime)
 
+uses_shlib($1_tvtime_t)
+read_locale($1_tvtime_t)
+read_sysctl($1_tvtime_t)
+access_terminal($1_tvtime_t, $1)
+
+# Read /etc/tvtime
+allow $1_tvtime_t etc_t:file { getattr read };
+
+# Tmp files
+tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
+
 allow $1_tvtime_t urandom_device_t:chr_file read;
 allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
 allow $1_tvtime_t kernel_t:system ipc_info;
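Review bot: The comment `# Read /etc/tvtime` understates the rule under it, `allow $1_tvtime_t etc_t:file { getattr read };`, which grants read on every etc_t file rather than only /etc/tvtime. Either reword it to `# Read /etc/tvtime (grants read on all etc_t files)` or, if only that directory is needed, give it its own type. Moving `tmp_domain(...)` under a `# Tmp files` heading is fine.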
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.5/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.5/macros/program/x_client_macros.te	2005-03-28 10:21:45.000000000 -0500
@@ -43,54 +43,17 @@
 #
 define(`x_client_domain',`
 
-# This domain is granted permissions common to most domains (including can_net)
-can_network($1_$2_t)
-allow $1_$2_t port_type:tcp_socket name_connect;
-can_ypbind($1_$2_t)
-allow $1_$2_t self:process { fork signal_perms getsched };
 allow $1_$2_t self:unix_dgram_socket create_socket_perms;
 allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow $1_$2_t self:fifo_file rw_file_perms;
-allow $1_$2_t etc_runtime_t:file { getattr read };
-allow $1_$2_t etc_t:lnk_file read;
-allow $1_$2_t fs_t:filesystem getattr;
-access_terminal($1_$2_t, $1)
-read_locale($1_$2_t)
-r_dir_file($1_$2_t, readable_t)
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:lnk_file read;
-allow $1_$2_t self:dir search;
-allow $1_$2_t self:lnk_file read;
-read_sysctl($1_$2_t)
 
 ifdef(`xauth.te',`
 allow $1_$2_t $1_xauth_home_t:file { getattr read };
 ')
 
 # Allow the user domain to send any signal to the $2 process.
+can_ps($1_t, $1_$2_t)
 allow $1_t $1_$2_t:process signal_perms;
 
-# Allow the user domain to read the /proc/PID directory for 
-# the $2 process.
-allow $1_t $1_$2_t:dir r_dir_perms;
-allow $1_t $1_$2_t:notdevfile_class_set r_file_perms;
-
-# Allow use of /dev/zero by ld.so.
-allow $1_$2_t device_t:dir search;
-allow $1_$2_t zero_device_t:chr_file rw_file_perms;
-allow $1_$2_t zero_device_t:chr_file x_file_perms;
-
-# allow using shared libraries and running programs
-uses_shlib($1_$2_t)
-allow $1_$2_t { bin_t sbin_t }:dir search;
-allow $1_$2_t bin_t:lnk_file read;
-can_exec($1_$2_t, { shell_exec_t bin_t })
-allow $1_$2_t etc_t:file { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;')
-allow $1_$2_t privfd:fd use;
-
 # for .xsession-errors
 dontaudit $1_$2_t $1_home_t:file write;
 
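Review bot: This hunk strips `uses_shlib`, `can_exec`, `read_locale`, `read_sysctl`, `access_terminal` and the /etc, /proc and ld.so rules out of `x_client_domain`, so every caller of the macro now has to grant them itself; only gift, mozilla, tvtime and games are visibly updated in this diff, and any other x_client_domain user outside the patch would lose shared-library and shell access. The comment `# Allow the user domain to send any signal to the $2 process.` now also heads `can_ps($1_t, $1_$2_t)`; `# Allow the user domain to inspect (ps) and signal the $2 process.` would cover both lines. Dropping `can_network` and the blanket `port_type:tcp_socket name_connect` from the shared macro is a good least-privilege change and deserves a sentence in the commit message.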
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.5/Makefile
--- nsapolicy/Makefile	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.5/Makefile	2005-03-29 11:37:15.000000000 -0500
@@ -77,12 +77,12 @@
 
 all:  policy
 
-tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
-	@echo "Validating file_contexts ..."	
-	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+tmp/valid_fc: $(LOADPATH) $(FC) 
+	@echo "Validating file contexts files ..."	
+	$(SETFILES) -q -c $(LOADPATH) $(FC)
 	@touch tmp/valid_fc
 
-install: tmp/valid_fc $(USERPATH)/local.users
+install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
 
 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
@@ -91,56 +91,57 @@
 	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
 	@echo "# Please edit local.users to make local changes." >> tmp/system.users
 	@echo "#" >> tmp/system.users
-	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
 	install -m 644 tmp/system.users $@
 
 $(USERPATH)/local.users: local.users
 	@mkdir -p $(USERPATH)
-	install -C -b -m 644 $< $@
+	install -b -m 644 $< $@
 
 $(CONTEXTPATH)/files/media: appconfig/media
-	mkdir -p $(CONTEXTPATH)/files/
+	@mkdir -p $(CONTEXTPATH)/files/
 	install -m 644 $< $@
 
 $(APPDIR)/default_contexts: appconfig/default_contexts
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/removable_context: appconfig/removable_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/customizable_types: policy.conf
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
 	install -m 644 tmp/customizable_types $@ 
 
 $(APPDIR)/default_type: appconfig/default_type
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/userhelper_context: appconfig/userhelper_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/initrc_context: appconfig/initrc_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/failsafe_context: appconfig/failsafe_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/dbus_contexts: appconfig/dbus_contexts
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/users/root: appconfig/root_default_contexts
-	mkdir -p $(APPDIR)/users
+	@mkdir -p $(APPDIR)/users
 	install -m 644 $< $@
 
-$(LOADPATH):  policy.conf $(CHECKPOLICY)
-	mkdir -p $(POLICYPATH)
+$(LOADPATH): policy.conf $(CHECKPOLICY) 
+	@echo "Compiling policy ..."
+	@mkdir -p $(POLICYPATH)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
 ifneq ($(MLS),y)
 ifneq ($(VERS),18)
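Review bot: Dropping `-C` from `install -b -m 644 $< $@` for local.users means the file is rewritten (with a backup) on every install even when the source is unchanged, whereas `-C` only replaced it when the contents differed; since local.users is the file administrators edit by hand, confirm that unconditional overwriting is intended and say so in a comment above the rule. The rest of the hunk prefixes commands with `@`, which hides the `mkdir` and `m4` invocations; that is a style choice, but it also hides the exact command line when one of them fails. The `$(LOADPATH)` rule starting at L3364 continues past the end of the hunk.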
@@ -159,10 +160,11 @@
 	$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
 endif
 endif
-	@echo "Validating file_contexts ..."
+	@echo "Validating file contexts files ..."
 	$(SETFILES) -q -c $(POLICYVER) $(FC)
 
 reload tmp/load: $(FCPATH) $(LOADPATH)
+	@echo "Loading Policy ..."
 ifeq ($(VERS), $(KERNVERS))
 	$(LOADPOLICY) $(LOADPATH)
 else
@@ -177,18 +179,19 @@
 	mv policy.audit policy.conf
 
 policy.conf: $(POLICYFILES) $(POLICY_DIRS)
-	mkdir -p tmp
+	@echo "Building policy.conf ..."
+	@mkdir -p tmp
 	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
-	mv $@.tmp $@
+	@mv $@.tmp $@
 
 install-src: 
 	rm -rf $(SRCPATH)/policy.old
 	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	mkdir -p $(SRCPATH)/policy
+	@mkdir -p $(SRCPATH)/policy
 	cp -R . $(SRCPATH)/policy
 
 tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
-	mkdir -p tmp
+	@mkdir -p tmp
 	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
 	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
 	mv $@.tmp $@
@@ -205,17 +208,17 @@
 	$(SETFILES) $(FC) $(FILESYSTEMS)
 
 file_contexts/misc:
-	mkdir -p file_contexts/misc
-
+	@mkdir -p file_contexts/misc
 
-$(FCPATH): $(FC) $(USERPATH)/system.users 
+$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types
+	@echo "Installing file contexts files..."
 	@mkdir -p $(CONTEXTPATH)/files
 	install -m 644 $(FC) $(FCPATH)
 	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
 	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
 
 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
-	@echo "Building file_contexts ..."
+	@echo "Building file contexts files..."
 	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
 	@grep -v -e HOME -e ROLE $@.tmp > $@
 	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
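Review bot: The new echo strings are inconsistent: `@echo "Installing file contexts files..."` and `@echo "Building file contexts files..."` here omit the space before the ellipsis that `"Validating file contexts files ..."` (L3289, L3375) and `"Compiling policy ..."` (L3365) use; pick one form. `$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types` also has a doubled space between prerequisites. The `$(FC)` recipe continues beyond the end of the hunk.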
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.5/net_contexts
--- nsapolicy/net_contexts	2005-03-24 08:58:25.000000000 -0500
+++ policy-1.23.5/net_contexts	2005-03-28 10:21:45.000000000 -0500
@@ -44,11 +44,11 @@
 ')
 ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
 ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
-ifdef(`mta.te', `
+
 portcon tcp 25 system_u:object_r:smtp_port_t
 portcon tcp 465 system_u:object_r:smtp_port_t
 portcon tcp 587 system_u:object_r:smtp_port_t
-')
+
 portcon udp 53 system_u:object_r:dns_port_t
 portcon tcp 53 system_u:object_r:dns_port_t
 
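Review bot: Removing the `ifdef(`mta.te', ...)` guard makes `portcon tcp 25/465/587 ... smtp_port_t` unconditional, which matches smtp_port_t becoming unconditional in types/network.te (L3579); the same applies to the http (L3455), samba (L3473) and http_cache (L3486) hunks. For the http lines the matching declaration of http_port_t is not visible in this diff (network.te only shows http_cache_port_t made unconditional at L3603), so if http_port_t is still declared under a condition, a build without apache.te would fail at these portcon lines. A one-line comment at the top of this section, `# reserved port types are always declared, so these portcon lines are unconditional`, would explain why the guards went away.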
@@ -56,10 +56,10 @@
 ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
 ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
 ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
-ifdef(`use_http', `
+
 portcon tcp 80  system_u:object_r:http_port_t
 portcon tcp 443  system_u:object_r:http_port_t
-')
+
 ifdef(`use_pop', `
 portcon tcp 106 system_u:object_r:pop_port_t
 portcon tcp 109 system_u:object_r:pop_port_t
@@ -70,7 +70,7 @@
 
 ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
 ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
-ifdef(`samba.te', `
+
 portcon tcp 137 system_u:object_r:smbd_port_t
 portcon udp 137 system_u:object_r:nmbd_port_t
 portcon tcp 138 system_u:object_r:smbd_port_t
@@ -78,7 +78,7 @@
 portcon tcp 139 system_u:object_r:smbd_port_t
 portcon udp 139 system_u:object_r:nmbd_port_t
 portcon tcp 445 system_u:object_r:smbd_port_t
-')
+
 ifdef(`use_pop', `
 portcon tcp 143 system_u:object_r:pop_port_t
 portcon tcp 220 system_u:object_r:pop_port_t
@@ -208,11 +208,10 @@
 # 9433 is for YIFF
 portcon tcp 9433 system_u:object_r:soundd_port_t
 ')
-ifdef(`use_http_cache', `
 portcon tcp 3128  system_u:object_r:http_cache_port_t
 portcon tcp 8080  system_u:object_r:http_cache_port_t
 portcon udp 3130  system_u:object_r:http_cache_port_t
-')
+
 ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
 ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
 ifdef(`amanda.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.23.5/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.5/targeted/domains/program/ssh.te	2005-03-29 11:16:20.000000000 -0500
@@ -13,6 +13,7 @@
 type sshd_exec_t, file_type, sysadmfile, exec_type;
 type ssh_exec_t, file_type, sysadmfile, exec_type;
 type ssh_keygen_exec_t, file_type, sysadmfile, exec_type;
+type ssh_keysign_exec_t, file_type, sysadmfile, exec_type;
 type sshd_key_t, file_type, sysadmfile;
 type sshd_var_run_t, file_type, sysadmfile;
 type ssh_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.5/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/tunables/distro.tun	2005-03-28 10:21:45.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
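Review bot: `define(`distro_redhat')` is now enabled unconditionally in the shared tunables file, which reads like a local build setting rather than an upstream default; the same applies to the tunable.tun hunk ending at L3550, where unlimitedRPM, unlimitedUtils, unlimitedRC, user_canbe_sysadm and hide_broken_symptoms are all switched on. Those five widen what a fresh build enforces and logs considerably (unconfined rpm, privileged utilities and rc scripts, user_r reaching sysadm_r, and suppressed audit messages for known-broken paths). If these are meant as distribution defaults, keeping them `dnl`-commented upstream and enabling them in the distribution build would avoid shipping them to everyone; at minimum a comment above each enabled define should say why it is on.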
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.5/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.5/tunables/tunable.tun	2005-03-28 10:21:45.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.5/types/file.te
--- nsapolicy/types/file.te	2005-03-24 08:58:30.000000000 -0500
+++ policy-1.23.5/types/file.te	2005-03-28 10:21:45.000000000 -0500
@@ -277,8 +277,9 @@
 
 type tmpfs_t, file_type, sysadmfile, fs_type;
 allow { tmpfs_t tmpfile } tmpfs_t:filesystem associate;
+allow tmpfile tmp_t:filesystem associate;
 ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
+allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
 ')
 
 type autofs_t, fs_type, noexattrfile, sysadmfile;
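Review bot: `allow tmpfile tmp_t:filesystem associate;` and the widened Red Hat rule treat tmp_t as a filesystem label, which only applies to a filesystem mounted with its context set to tmp_t, and nothing in the hunk says which mount that is. A comment such as `# for a tmpfs mounted on /tmp with its filesystem context set to tmp_t` (confirm the actual mount) would stop the rule from being read as a no-op. Letting dev_fs and ttyfile types associate with a tmp_t filesystem means device nodes and ttys may live on a /tmp-labelled filesystem, so the reason deserves recording next to the rule.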
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.5/types/network.te
--- nsapolicy/types/network.te	2005-03-24 08:58:30.000000000 -0500
+++ policy-1.23.5/types/network.te	2005-03-28 10:21:45.000000000 -0500
@@ -22,13 +22,11 @@
 #
 # Defines used by the te files need to be defined outside of net_constraints
 #
-type dns_port_t, port_type;
-
-ifdef(`dhcpd.te', `define(`use_dhcpd')')
-ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-ifdef(`use_dhcpd', `
-type dhcpd_port_t, port_type;
-')
+type dns_port_t, port_type, reserved_port_type;
+type smtp_port_t, port_type, reserved_port_type;
+type dhcpd_port_t, port_type, reserved_port_type;
+type smbd_port_t, port_type, reserved_port_type;
+type nmbd_port_t, port_type, reserved_port_type;
 
 ifdef(`cyrus.te', `define(`use_pop')')
 ifdef(`courier.te', `define(`use_pop')')
@@ -38,21 +36,13 @@
 ifdef(`use_pop', `
 type pop_port_t, port_type, reserved_port_type;
 ')
-ifdef(`apache.te', `
-define(`use_http_cache')
-define(`use_http')
-')
 ifdef(`ftpd.te', `
 define(`use_ftpd')
 ')
 ifdef(`publicfile.te', `
-define(`use_http')
 define(`use_ftpd')
 ')
-ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `
 type http_cache_port_t, port_type;
-')
 
 ifdef(`dhcpd.te', `define(`use_pxe')')
 ifdef(`pxe.te', `define(`use_pxe')')


* Re: Policy Patch
  2005-03-29 16:47   ` Policy Patch Daniel J Walsh
@ 2005-04-01 20:28     ` James Carter
  0 siblings, 0 replies; 16+ messages in thread
From: James Carter @ 2005-04-01 20:28 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged.

On Tue, 2005-03-29 at 11:47 -0500, Daniel J Walsh wrote:
> Major cleanup of Makefile.  It probably still needs some sanity checks.
> Added better echo messages and made sure the
> customizable file gets replaced on make load.
> 
> Added policy ssh_keysign_exec_t for /usr/libexec/openssh/ssh-keysign
> 
> Better handling of syslog-ng
> 
> Whole bunch of changes from Ivan, for desktop apps.
> 
> Allow named and nscd to write logs to /var/log
> 
> Lots of name_connect fixes.
> 
> New bool for squid to connect to any port or just http ports.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* New Policy Patch
  2005-01-21 20:36 ` James Carter
                     ` (2 preceding siblings ...)
  2005-03-29 16:47   ` Policy Patch Daniel J Walsh
@ 2005-04-04 18:50   ` Daniel J Walsh
  2005-04-04 19:38     ` Ivan Gyurdiev
  2005-04-05 20:20     ` James Carter
  3 siblings, 2 replies; 16+ messages in thread
From: Daniel J Walsh @ 2005-04-04 18:50 UTC (permalink / raw)
  To: jwcart2; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 426 bytes --]

Major regrouping of apache_policy

Now use apache_domain and apache_user_domain
Added boolean httpd_builtin_scripting, which when turned off only allows
running of external apache scripts, not built-in modules like PHP.
Users can now create their own scripts using apache_domain(myscript)

More fixes of can_network and named_connect

Added NetworkManager policy.

A few fixes submitted from Ivan  for hal, kudzu





-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 34018 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.6/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/ifconfig.te	2005-04-04 10:44:54.000000000 -0400
@@ -66,3 +66,4 @@
 rhgb_domain(ifconfig_t)
 allow ifconfig_t userdomain:fd use;
 dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.6/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/logrotate.te	2005-04-04 10:44:54.000000000 -0400
@@ -141,5 +141,10 @@
 
 domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
 
+# Supress libselinux initialization denials
 dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
 
+# Allow selinux_getenforce 
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };
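Review bot: The new comment `# Supress libselinux initialization denials` has a typo; `# Suppress libselinux initialization denials` is the fix. The pairing also deserves a line of explanation: selinux_config_t reads are dontaudited while security_t reads are allowed, so logrotate can query the enforcing mode but reading the SELinux config file stays denied silently; a comment saying that split is deliberate would stop the next maintainer from "fixing" it by allowing the file read.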
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.6/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/apache.te	2005-04-04 10:44:54.000000000 -0400
@@ -28,6 +28,9 @@
 
 bool httpd_unified false;
 
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
 # Allow httpd cgi support
 bool httpd_enable_cgi false;
 
@@ -86,54 +89,6 @@
 # for modules that want to access /etc/mtab and /proc/meminfo
 allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
 
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec)
-allow httpd_t httpd_suexec_exec_t:file read;
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir search;
-allow httpd_suexec_t httpd_log_t:file { append getattr };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
 uses_shlib(httpd_t)
 allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
 allow httpd_t usr_t:lnk_file { getattr read };
@@ -149,15 +104,24 @@
 can_exec(httpd_t, { bin_t sbin_t })
 allow httpd_t bin_t:lnk_file read;
 
-can_network(httpd_t)
+########################################
+# Set up networking
+########################################
+
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
+can_ypbind(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
 if (httpd_can_network_connect) {
+can_network_client(httpd_t)
 allow httpd_t port_type:tcp_socket name_connect;
 }
-can_ypbind(httpd_t)
 
-###################
-# Allow httpd to search users diretories
-######################
+#########################################
+# Allow httpd to search users directories
+#########################################
 allow httpd_t home_root_t:dir { getattr search };
 dontaudit httpd_t sysadm_home_dir_t:dir getattr;
 
@@ -171,7 +135,6 @@
 # Allow the httpd_t to read the web servers config files
 ###################################################
 r_dir_file(httpd_t, httpd_config_t)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
 # allow logrotate to read the config files for restart
 ifdef(`logrotate.te', `
 r_dir_file(logrotate_t, httpd_config_t)
@@ -181,11 +144,6 @@
 r_dir_file(initrc_t, httpd_config_t)
 ##################################################
 
-########################################
-# Allow httpd_t to bind to the HTTP port
-########################################
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-
 ###############################
 # Allow httpd_t to put files in /var/cache/httpd etc
 ##############################
@@ -217,13 +175,14 @@
 allow httpd_t etc_t:file { read getattr ioctl };
 allow httpd_t etc_t:lnk_file { getattr read };
 
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
 # Run SSI execs in system CGI script domain.
 if (httpd_ssi_exec) {
 domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
 }
-r_dir_file(httpd_t, httpd_sys_script_ro_t)
-create_dir_file(httpd_t, httpd_sys_script_rw_t)
-ra_dir_file(httpd_t, httpd_sys_script_ra_t)
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
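Review bot: The three removed rules `r_dir_file(httpd_t, httpd_sys_script_ro_t)`, `create_dir_file(httpd_t, httpd_sys_script_rw_t)` and `ra_dir_file(httpd_t, httpd_sys_script_ra_t)` are not re-added anywhere visible in this diff; the only replacement is the httpdcontent grant at L4001–L4003, which is gated on httpd_enable_cgi, httpd_unified and httpd_builtin_scripting. If `apache_domain(sys)` (the macro is outside this diff) does not itself grant httpd_t access to the sys script content types, a non-unified configuration would lose read access to script-owned content. A comment after `apache_domain(sys)` saying where those grants now live, or a sentence in the commit message, would settle it.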
 ##################################################
@@ -250,7 +209,6 @@
 # access to /tmp
 tmp_domain(httpd)
 tmp_domain(httpd_php)
-tmp_domain(httpd_suexec)
 
 # Creation of lock files for apache2
 lock_domain(httpd)
@@ -269,11 +227,11 @@
 allow httpd_t bin_t:dir search;
 allow httpd_t sbin_t:dir search;
 allow httpd_t httpd_log_t:dir remove_name;
+r_dir_file(httpd_t, fonts_t)
 
 allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 
 allow httpd_t autofs_t:dir { search getattr };
-allow httpd_suexec_t autofs_t:dir { search getattr };
 
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(nfs_t)
@@ -281,23 +239,12 @@
 if (use_samba_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(cifs_t)
 }
-r_dir_file(httpd_t, fonts_t)
 
 #
 # Allow users to mount additional directories as http_source
 #
 allow httpd_t mnt_t:dir r_dir_perms;
 
-########################################
-# When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here. 
-##################################################
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-
-can_kerberos(httpd_t)
-
 ifdef(`targeted_policy', `
 typealias httpd_sys_content_t alias httpd_user_content_t;
 typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@@ -308,6 +255,9 @@
 }
 ') dnl targeted policy
 
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
 ifdef(`distro_redhat', `
 #
 # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
@@ -327,33 +277,27 @@
 dontaudit httpd_t usr_t:dir write;
 ')
 
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-
 application_domain(httpd_helper)
 role system_r types httpd_helper_t;
 domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
 allow httpd_helper_t httpd_config_t:file { getattr read };
 allow httpd_helper_t httpd_log_t:file { append };
 
+########################################
+# When the admin starts the server, the server wants to acess
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here. 
+##################################################
+
 if (httpd_tty_comm) {
 allow { httpd_t httpd_helper_t } devpts_t:dir { search };
 ifdef(`targeted_policy', `
 allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
 ')
 allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
 }
 
 read_sysctl(httpd_sys_script_t)
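Review bot: The relocated header comment now sits above the `if (httpd_tty_comm)` block but still describes only the dontaudit case, which after this change is the `else` branch; it also keeps the typo "acess" and the grammar "the permission are". Reword it to say that when httpd_tty_comm is on the tty/pty access is allowed, and otherwise it is dontaudited because httpd runs correctly without it, e.g. `# the TTY or PTY of the session. With httpd_tty_comm off these accesses` / `# are dontaudited since httpd runs correctly without them.`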
@@ -368,6 +312,64 @@
 type httpd_unconfined_script_t, domain, nscd_client_domain;
 role system_r types httpd_unconfined_script_t;
 unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec)
+allow httpd_t httpd_suexec_exec_t:file read;
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir search;
+allow httpd_suexec_t httpd_log_t:file { append getattr };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+')
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+can_exec(httpd_t, httpdcontent )
+}
 if (httpd_enable_cgi) {
 domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
 domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
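Review bot: In the block at L4000–L4004, `httpd_builtin_scripting` grants httpd_t `create_dir_file` and `can_exec` on httpdcontent at the same time, so the web server domain can write content files and then execute them in its own domain; that is the price of in-process PHP, but the bool's declaration at L3716 only says "use built in scripting". A comment here such as `# builtin scripting (mod_php etc.) runs content inside httpd_t: write+execute on httpdcontent, no transition` would make the trade-off explicit for whoever turns it on. `domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)` on L4001 next to `can_exec(httpd_t, httpdcontent )` on L4003 permits both the transitioning and the non-transitioning execute from httpd_t; if only one is intended, drop the other. The `if (httpd_enable_cgi)` block opened at L4005 continues past the end of the hunk.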
@@ -375,3 +377,21 @@
 allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
 }
 
+#
+# Types for squirrelmail
+#
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
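Review bot: The new types httpd_squirrelmail_t and squirrelmail_spool_t are declared without any file_contexts entry in the visible part of this patch, so unless a .fc hunk outside this view labels the SquirrelMail data and attachment directories, nothing is ever assigned these types and the rules are dead. A `# labelled via apache.fc: <data dir>, <attachment dir>` comment next to the type declarations would make that intent checkable. The `dontaudit system_mail_t httpd_t:tcp_socket { read write };` line is hiding a client socket descriptor leaking from the web server into the mail agent; a comment such as `# leaked httpd client socket; the fix is close-on-exec in apache, not an allow` would stop a later reader from turning the dontaudit into an allow.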
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.6/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-03-24 08:58:26.000000000 -0500
+++ policy-1.23.6/domains/program/unused/dhcpc.te	2005-04-04 10:44:54.000000000 -0400
@@ -44,6 +44,8 @@
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
 ')
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
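Review bot: `allow dhcpc_t cardmgr_dev_t:chr_file { read write };` gives the network-facing DHCP client write access to the cardmgr device node, and nothing in the hunk says which dhclient path needs it. If this is only a descriptor inherited from cardmgr across the domain_auto_trans above, a dontaudit on the inherited descriptor is the safer fix than an allow; either way a one-line why-comment is needed, e.g. `# inherited from cardmgr_t on transition; confirm whether dhclient ever opens it itself`. The cardmgr_t unlink on dhcpc_var_run_t also deserves a comment naming the pid-file cleanup on card eject, if that is the cause.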
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.6/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.6/domains/program/unused/hald.te	2005-04-04 10:44:54.000000000 -0400
@@ -43,6 +43,9 @@
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+
+can_getsecurity(hald_t)
 
 ifdef(`updfstab.te', `
 domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
@@ -73,3 +76,20 @@
 tmp_domain(hald)
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
+
+
+# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/sbin/dmidecode
+# Violates assertion
+#allow hald_t memory_device_t:chr_file read;
+allow hald_t self:capability sys_rawio;
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.6/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/kudzu.te	2005-04-04 10:44:54.000000000 -0400
@@ -100,3 +100,8 @@
 allow kudzu_t xserver_exec_t:file getattr;
 ')
 
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
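Review bot: `role system_r types sysadm_userhelper_t;` together with the domain_auto_trans from kudzu_t lets a boot-time hardware prober, running in system_r with no user session behind it, enter the sysadm flavour of userhelper, and the hunk gives no reason. If kudzu only needs one consolehelper-wrapped tool, a comment naming it (`# kudzu launches <tool> via consolehelper`) and ideally a kudzu-specific userhelper domain would keep the sysadm helper path out of system_r. As written, userhelper's own checks are now reachable from a caller that has no interactive terminal or authenticated user.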
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.6/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/domains/program/unused/NetworkManager.te	2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,76 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t domain:dir search;
+allow NetworkManager_t domain:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
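Review bot: `allow NetworkManager_t port_type:tcp_socket name_connect;` lets the daemon connect to every labelled TCP port, the same blanket rule the ntpd hunk in this patch narrows to a single port type; the network needs visible here are DHCP (the dhcpc_port_t udp name_bind) and the caching named it spawns, so the TCP rule should be limited to the port types those actually use, or carry a comment explaining why it must stay open. `allow NetworkManager_t domain:dir search;` with `domain:file { getattr read }` also grants read of every other domain's /proc entries (cmdline, maps, and with the dac_override capability granted above, files that would otherwise be unreadable); if this is only for locating dhcpc and named, scope it to those domains or read their pid files instead. A why-comment on the insmod_t transition (`# loads network drivers on demand`, if that is the case) and on the kill/dac_override capabilities would round out the file.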
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.6/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.6/domains/program/unused/ntpd.te	2005-04-04 10:44:54.000000000 -0400
@@ -41,7 +41,7 @@
 
 # Use the network.
 can_network(ntpd_t)
-allow ntpd_t port_type:tcp_socket name_connect;
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.23.6/domains/program/unused/pam.te
--- nsapolicy/domains/program/unused/pam.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.6/domains/program/unused/pam.te	2005-04-04 10:44:54.000000000 -0400
@@ -37,4 +37,4 @@
 
 allow initrc_t pam_var_run_t:dir rw_dir_perms;
 allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file { read write };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.23.6/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/domains/program/unused/postgresql.te	2005-04-04 10:44:54.000000000 -0400
@@ -124,11 +124,15 @@
 
 ifdef(`distro_gentoo', `
 # "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir { search };
-allow postgresql_t initrc_su_t:process { sigchld };
+allow initrc_su_t postgresql_db_t:dir search;
+allow postgresql_t initrc_su_t:process sigchld;
 dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
 ')
 
 dontaudit postgresql_t home_root_t:dir search;
 can_kerberos(postgresql_t)
 allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}
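Review bot: The new `allow postgresql_t self:process execmem;` rule carries no comment saying which PostgreSQL component needs writable-and-executable memory, so a reader cannot tell whether turning allow_execmem off breaks the server or only an optional procedural-language module; add `# needed by <component> — confirm` above the rule. Because the boolean is global, a site that needs it for PostgreSQL alone ends up enabling execmem for every domain that honours allow_execmem, which is worth stating in the comment.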
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.6/domains/program/unused/publicfile.te
--- nsapolicy/domains/program/unused/publicfile.te	2005-03-15 12:54:54.000000000 -0500
+++ policy-1.23.6/domains/program/unused/publicfile.te	2005-04-04 10:46:35.000000000 -0400
@@ -12,11 +12,6 @@
 type ftp_data_port_t, port_type, reserved_port_type;
 ')
 
-ifdef(`apache.te', `
-', `
-type http_port_t, port_type, reserved_port_type;
-')
-
 daemon_domain(publicfile)
 type publicfile_content_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.6/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.6/domains/program/unused/snmpd.te	2005-04-04 10:44:54.000000000 -0400
@@ -45,7 +45,9 @@
 allow snmpd_t proc_t:dir search;
 allow snmpd_t proc_t:file r_file_perms;
 allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file { read write };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
 
 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
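Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` lets the network-facing SNMP agent execute any system binary and any shell within its own domain, with no domain transition and no boolean. This is presumably for snmpd.conf exec/extend directives, and those are exactly the feature that turns a writable snmpd.conf or an agent bug into arbitrary command execution as snmpd_t. If exec/extend support is the intent, gate the rule on a boolean with a comment such as `# snmpd.conf exec/extend directives; off by default` so sites that do not use them are not carrying the exposure. The rw_file_perms widening on self:fifo_file is fine.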
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.6/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/file_contexts/distros.fc	2005-04-04 10:44:54.000000000 -0400
@@ -141,6 +141,10 @@
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
 /usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t
 
 /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
 /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.6/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.6/file_contexts/program/NetworkManager.fc	2005-04-04 10:44:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager 
+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.6/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/apache_macros.te	2005-04-04 10:44:54.000000000 -0400
@@ -4,14 +4,11 @@
 #This type is for webpages
 #
 type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-ifelse($1, sys, `
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
-ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;') 
 
 # This type is used for .htaccess files
 #
-type httpd_$1_htaccess_t, file_type, sysadmfile;
+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
 
 # This type is used for executable scripts files
 #
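Review bot: Dropping `typealias httpd_sys_content_t alias httpd_sysadm_content_t;` removes a name that existing file_contexts entries, restorecon invocations and local policy may still reference, so a policy rebuild fails or a relabel silently changes on any system that used the alias. Unless the alias is re-added elsewhere in this patch, keep it for a release with `# kept for compatibility with httpd_sysadm_content_t; remove after <release>`. The unconditional `allow httpd_t httpd_$1_htaccess_t: file r_file_perms;` is correct, since .htaccess must be readable for the server to apply per-directory rules, but a one-line comment saying so would help the next reader.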
@@ -68,13 +65,6 @@
 type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
 #########################################################
 # Permissions for running child processes and scripts
 ##########################################################
@@ -117,20 +107,9 @@
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 
 if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-ifelse($1, sys, `
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
-', `
-can_exec(httpd_$1_script_t, httpdcontent )
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-')
 create_dir_file(httpd_$1_script_t, httpdcontent)
 }
 
-ifelse($1, sys, `
 #
 # If a user starts a script by hand it gets the proper context
 #
@@ -138,7 +117,38 @@
 domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 }
 role sysadm_r types httpd_$1_script_t;
-', `
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+if (httpd_builtin_scripting) {
+r_dir_file(httpd_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_t, httpd_$1_script_rw_t)
+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
+r_dir_file(httpd_t, httpd_$1_content_t)
+}
+
+')
+define(`apache_user_domain', `
+
+apache_domain($1)
+
+typeattribute httpd_$1_content_t $1_file_type;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+}
 
 if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 # If a user starts a script by hand it gets the proper context
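Review bot: `r_dir_file(httpd_t, httpd_$1_content_t)` now sits inside `if (httpd_builtin_scripting)`, whereas the rule it replaces (the `r_dir_file(httpd_t, httpd_$1_content_t)` removed in the last hunk of this file) was unconditional; with the new boolean off the server loses read access to plain content pages, which contradicts the boolean's stated purpose of only disabling built-in script modules. Move the content read rule back out of the conditional so that only the script_ro/rw/ra rules depend on httpd_builtin_scripting. Separately, `create_dir_file(httpd_t, httpd_$1_script_rw_t)` widens the previous `r_dir_file(httpd_t, httpd_$1_script_rw_t)` to create and write, letting the server process itself rather than the script domain write script data; a comment naming the built-in module that needs it would justify the widening. The `apache_user_domain` macro opened in this hunk closes in a later hunk.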
@@ -151,11 +161,7 @@
 #########################################
 
 create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-create_dir_file($1_crond_t, httpd_$1_content_t)
 allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-ifdef(`mozilla.te', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
 
 ######################################################################
 # Allow the user to create htaccess files
@@ -178,26 +184,8 @@
 r_dir_file(httpd_$1_script_t, nfs_t)
 ')dnl end if nfs_home_dirs
 }
-')dnl end ifelse sys
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-r_dir_file(httpd_t, httpd_$1_content_t)
-
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-r_dir_file(httpd_t, httpd_$1_script_rw_t)
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ifdef(`crond.te', `
+create_dir_file($1_crond_t, httpd_$1_content_t)
+')
 
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.6/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/gift_macros.te	2005-04-04 10:44:54.000000000 -0400
@@ -90,6 +90,13 @@
 uses_shlib($1_giftd_t)
 access_terminal($1_giftd_t, $1)
 
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file read;
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };
+
 # Access home domain
 home_domain_access($1_giftd_t, $1, gift)
 	
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.6/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.6/macros/program/java_macros.te	2005-04-04 10:44:54.000000000 -0400
@@ -31,7 +31,7 @@
 can_network_client($1_javaplugin_t)
 allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+allow $1_javaplugin_t self:process { execmem fork signal_perms getsched setsched };
 allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t etc_runtime_t:file { getattr read };
@@ -42,6 +42,7 @@
 allow $1_javaplugin_t self:file { getattr read };
 
 read_sysctl($1_javaplugin_t)
+allow $1_javaplugin_t sysctl_vm_t:dir search;
 
 tmp_domain($1_javaplugin)
 r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
@@ -50,6 +51,11 @@
 allow $1_javaplugin_t bin_t:dir search;
 can_exec($1_javaplugin_t, java_exec_t)
 
+# libdeploy.so legacy
+if (allow_execmod) {
+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+}
+
 # Allow connections to X server.
 ifdef(`xserver.te', `
 
@@ -111,4 +117,6 @@
 dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
 dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
 
+# Do not audit read/getattr of .fonts-cache-1
+dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
 ')
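Review bot: `dontaudit $1_javaplugin_t $1_home_t:file { read getattr };` silences denials for reading every file of the user's home type, not just .fonts-cache-1 as the comment says, so a compromised plugin probing ~/.ssh or browser profiles would leave no audit trail for those reads. If the font cache is the only legitimate case, give it its own type via file_contexts (or label it with the fonts type already readable here) and allow that, instead of a dontaudit over all of $1_home_t. At minimum the comment should state the trade-off, e.g. `# NOTE: hides all home-file read denials, not only the font cache`.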
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.6/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/program/mozilla_macros.te	2005-04-04 10:44:54.000000000 -0400
@@ -55,6 +55,7 @@
 
 # for bash - old mozilla binary
 can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, shell_exec_t)
 can_exec($1_mozilla_t, bin_t)
 allow $1_mozilla_t bin_t:lnk_file read;
 allow $1_mozilla_t device_t:dir r_dir_perms;
@@ -155,6 +156,11 @@
 allow $1_mozilla_t texrel_shlib_t:file execmod;
 }
 dbusd_client(system, $1_mozilla)
+ifdef(`apache.te', `
+ifelse($1, sysadm, `', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+')
 
 ')dnl end mozilla macro
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.6/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/macros/program/ssh_agent_macros.te	2005-04-04 10:44:54.000000000 -0400
@@ -49,6 +49,7 @@
 allow $1_ssh_agent_t proc_t:dir search;
 dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
 dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
 read_sysctl($1_ssh_agent_t)
 
 # Access the ssh temporary files. Should we have an own type here
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.6/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/macros/user_macros.te	2005-04-04 10:44:54.000000000 -0400
@@ -44,7 +44,9 @@
 # user domain and the program, and allow us to maintain separation
 # between different instances of the program being run by different
 # user domains.
-ifdef(`apache.te', `apache_domain($1)')
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+')
 ifdef(`slocate.te', `locate_domain($1)')
 ifdef(`lockdev.te', `lockdev_domain($1)')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.6/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/distro.tun	2005-04-04 10:44:54.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.6/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.6/tunables/tunable.tun	2005-04-04 10:44:54.000000000 -0400
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
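Review bot: This hunk enables `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `user_canbe_sysadm` and `hide_broken_symptoms` by default, which by the file's own comments makes rc scripts, any daemon they start without a transition, hotplug/insmod and rpm run unconfined, and lets user_r reach sysadm_r via su/sudo/userhelper. Those defaults bring the strict policy close to targeted for anyone building from this tree, and the commit message does not mention the change, so it looks like local build configuration rather than an intended upstream default. Revert to the `dnl define(...)` lines and keep these settings in the distribution's build, or document in each comment why the shared tree should ship with that confinement off.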
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.6/types/network.te
--- nsapolicy/types/network.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.6/types/network.te	2005-04-04 10:44:54.000000000 -0400
@@ -27,7 +27,7 @@
 type dhcpd_port_t, port_type, reserved_port_type;
 type smbd_port_t, port_type, reserved_port_type;
 type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
+type http_cache_port_t, port_type, reserved_port_type;
 type http_port_t, port_type, reserved_port_type;
 
 ifdef(`cyrus.te', `define(`use_pop')')


* Re: New Policy Patch
  2005-04-04 18:50   ` New " Daniel J Walsh
@ 2005-04-04 19:38     ` Ivan Gyurdiev
  2005-04-04 19:40       ` Daniel J Walsh
  2005-04-04 19:45       ` Ivan Gyurdiev
  2005-04-05 20:20     ` James Carter
  1 sibling, 2 replies; 16+ messages in thread
From: Ivan Gyurdiev @ 2005-04-04 19:38 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SE Linux

> +can_getsecurity(hald_t)

check_context was sufficient for me; does hald really need the rest of what
can_getsecurity grants?

+# For /usr/libexec/hald-add-selinux-mount-option
+allow hald_t security_t:dir search;
+allow hald_t security_t:file { read write };
+allow hald_t security_t:security check_context;

> +# For /usr/sbin/dmidecode
> +# Violates assertion
> +#allow hald_t memory_device_t:chr_file read;
> +allow hald_t self:capability sys_rawio;

Hold on - this should go into its own domain for dmidecode...

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University




* Re: New Policy Patch
  2005-04-04 19:38     ` Ivan Gyurdiev
@ 2005-04-04 19:40       ` Daniel J Walsh
  2005-04-05 22:36         ` Ivan Gyurdiev
  2005-04-04 19:45       ` Ivan Gyurdiev
  1 sibling, 1 reply; 16+ messages in thread
From: Daniel J Walsh @ 2005-04-04 19:40 UTC (permalink / raw)
  To: ivg2; +Cc: jwcart2, SE Linux

Ivan Gyurdiev wrote:

>>+can_getsecurity(hald_t)
>>    
>>
>
>check_context was sufficient for me.. does it
>need the rest of the things in can_getsecurity?
>
>+# For /usr/libexec/hald-add-selinux-mount-option
>+allow hald_t security_t:dir search;
>+allow hald_t security_t:file { read write };
>+allow hald_t security_t:security check_context;
>
>  
>
>>+# For /usr/sbin/dmidecode
>>+# Violates assertion
>>+#allow hald_t memory_device_t:chr_file read;
>>+allow hald_t self:capability sys_rawio;
>>    
>>
>
>Hold on - this should go into its own domain for dmidecode...
>
>  
>
Since we do not have that policy yet, we need this for strict to work, 
correct?

-- 





* Re: New Policy Patch
  2005-04-04 19:38     ` Ivan Gyurdiev
  2005-04-04 19:40       ` Daniel J Walsh
@ 2005-04-04 19:45       ` Ivan Gyurdiev
  1 sibling, 0 replies; 16+ messages in thread
From: Ivan Gyurdiev @ 2005-04-04 19:45 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SE Linux

Also, the java execmem addition does not respect the allow_execmem
boolean.
-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University




* Re: New Policy Patch
  2005-04-04 18:50   ` New " Daniel J Walsh
  2005-04-04 19:38     ` Ivan Gyurdiev
@ 2005-04-05 20:20     ` James Carter
  1 sibling, 0 replies; 16+ messages in thread
From: James Carter @ 2005-04-05 20:20 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged.

I did change the java_macros.te execmem usage to use the allow_execmem
boolean.

On Mon, 2005-04-04 at 14:50 -0400, Daniel J Walsh wrote:
> Major regrouping of apache_policy
> 
> Now use apache_domain and apache_user_domain
> Added boolean httpd_builtin_scripting, which when turned off only allows
> running of external apache scripts, not built-in modules like PHP.
> Users can now create their own scripts using apache_domain(myscript)
> 
> More fixes of can_network and named_connect
> 
> Added NetworkManager policy.
> 
> A few fixes submitted from Ivan  for hal, kudzu

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency




* Re: New Policy Patch
  2005-04-04 19:40       ` Daniel J Walsh
@ 2005-04-05 22:36         ` Ivan Gyurdiev
  0 siblings, 0 replies; 16+ messages in thread
From: Ivan Gyurdiev @ 2005-04-05 22:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SE Linux


> Since we do not have that policy yet, we need this for strict to work, 
> correct?

Well, I did get a denial, and that fixes the denial, but I'm not
sure if it should be merged, given that the memory_device_t read
isn't allowed yet... 

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University



