some policy patches

some policy patches

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 208 bytes --]

Nothing really exciting in this patch.  Just some minor fixes and sorting out 
some of the distro-specific stuff.

-- 
US IT executives rate Red Hat #1 for value
http://www.redhat.com/promo/vendor/index.html

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 20520 bytes --]

diff -ru /usr/src/se/policy/domains/program/crond.te ./domains/program/crond.te
--- /usr/src/se/policy/domains/program/crond.te	2005-01-14 22:26:51.000000000 +1100
+++ ./domains/program/crond.te	2005-02-02 07:29:28.000000000 +1100
@@ -26,6 +26,7 @@
 
 crond_domain(system)
 
+allow system_crond_t proc_mdstat_t:file { getattr read };
 allow system_crond_t proc_t:lnk_file read;
 allow system_crond_t proc_t:filesystem getattr;
 allow system_crond_t usbdevfs_t:filesystem getattr;
@@ -160,7 +161,6 @@
 # /sbin/runlevel needs lock access however
 dontaudit system_crond_t initrc_var_run_t:file write;
 allow system_crond_t initrc_var_run_t:file { getattr read lock };
-allow initrc_t system_cron_spool_t:file { getattr read };
 
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
diff -ru /usr/src/se/policy/domains/program/getty.te ./domains/program/getty.te
--- /usr/src/se/policy/domains/program/getty.te	2005-01-30 06:23:21.000000000 +1100
+++ ./domains/program/getty.te	2005-01-30 13:09:22.000000000 +1100
@@ -58,4 +58,3 @@
 
 rw_dir_create_file(getty_t, var_lock_t)
 r_dir_file(getty_t, sysfs_t)
-allow getty_t initrc_devpts_t:chr_file { read write };
diff -ru /usr/src/se/policy/domains/program/initrc.te ./domains/program/initrc.te
--- /usr/src/se/policy/domains/program/initrc.te	2005-01-30 06:23:22.000000000 +1100
+++ ./domains/program/initrc.te	2005-02-03 22:09:02.000000000 +1100
@@ -49,7 +56,7 @@
 allow initrc_t usbfs_t:file getattr;
 
 # allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld setsched setpgid setrlimit getsched };
+allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
 
 # Can create ptys for open_init_pty
 can_create_pty(initrc)
@@ -61,11 +68,13 @@
 allow initrc_t var_run_t:dir { create rmdir };
 
 ifdef(`distro_debian', `
-allow initrc_t etc_t:dir setattr;
+allow initrc_t { etc_t device_t }:dir setattr;
 
 # for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
 file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-allow initrc_var_run_t tmpfs_t:filesystem associate;
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
 ')
 
 allow initrc_t framebuf_device_t:chr_file r_file_perms;
diff -ru /usr/src/se/policy/domains/program/ldconfig.te ./domains/program/ldconfig.te
--- /usr/src/se/policy/domains/program/ldconfig.te	2005-01-30 06:23:22.000000000 +1100
+++ ./domains/program/ldconfig.te	2004-12-23 19:24:00.000000000 +1100
@@ -26,6 +26,7 @@
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
 
 allow ldconfig_t userdomain:fd use;
+# unlink for when /etc/ld.so.cache is mislabeled
 allow ldconfig_t etc_t:file { getattr read unlink };
 allow ldconfig_t etc_t:lnk_file read;
 
@@ -37,12 +38,14 @@
 dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 
+ifdef(`distro_suse', `
+# because of libraries in /var/lib/samba/bin
 allow ldconfig_t { var_t var_lib_t }:dir search;
+')
+
 allow ldconfig_t proc_t:file read;
+ifdef(`hide_broken_symptoms', `
 ifdef(`unconfined.te',`
 dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
 ')
+')dnl end hide_broken_symptoms
diff -ru /usr/src/se/policy/domains/program/login.te ./domains/program/login.te
--- /usr/src/se/policy/domains/program/login.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/login.te	2005-02-03 22:15:23.000000000 +1100
@@ -73,7 +73,9 @@
 # Set exec context.
 can_setexec($1_login_t)
 
+ifdef(`automount.te', `
 allow $1_login_t autofs_t:dir { search read getattr };
+')
 allow $1_login_t mnt_t:dir r_dir_perms;
 
 if (use_nfs_home_dirs) {
@@ -188,10 +185,6 @@
 # Allow setting of attributes on power management devices.
 allow local_login_t power_device_t:chr_file { getattr setattr };
 
-ifdef(`hide_broken_symptoms', `
-dontaudit local_login_t init_t:fd use;
-')
-
 #################################
 #
 # Rules for the remote_login_t domain.
diff -ru /usr/src/se/policy/domains/program/logrotate.te ./domains/program/logrotate.te
--- /usr/src/se/policy/domains/program/logrotate.te	2005-01-14 22:26:53.000000000 +1100
+++ ./domains/program/logrotate.te	2005-02-03 15:57:46.000000000 +1100
@@ -21,12 +21,14 @@
 type logrotate_exec_t, file_type, sysadmfile, exec_type;
 
 system_crond_entry(logrotate_exec_t, logrotate_t)
+allow logrotate_t cron_spool_t:dir search;
 allow crond_t logrotate_var_lib_t:dir search;
 domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
 allow logrotate_t self:unix_stream_socket create_socket_perms;
 allow logrotate_t devtty_t:chr_file rw_file_perms;
 
 ifdef(`distro_debian', `
+allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 # for savelog
 can_exec(logrotate_t, logrotate_exec_t)
 ')
@@ -49,7 +51,6 @@
 # Create temporary files.
 tmp_domain(logrotate)
 can_exec(logrotate_t, logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };

 # Run helper programs.
 allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
diff -ru /usr/src/se/policy/domains/program/ssh.te ./domains/program/ssh.te
--- /usr/src/se/policy/domains/program/ssh.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/ssh.te	2005-02-03 22:21:53.000000000 +1100
@@ -73,7 +73,9 @@
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
 if (use_nfs_home_dirs) {
+ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
+')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
 }
@@ -226,4 +228,3 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-dontaudit sshd_t sysadm_tty_device_t:chr_file { read write };
diff -ru /usr/src/se/policy/domains/program/sulogin.te ./domains/program/sulogin.te
--- /usr/src/se/policy/domains/program/sulogin.te	2004-12-13 09:55:22.000000000 +1100
+++ ./domains/program/sulogin.te	2005-02-03 16:01:51.000000000 +1100
@@ -16,9 +16,18 @@
 general_domain_access(sulogin_t)
 
 domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
+allow sulogin_t initrc_t:process getpgid;
 uses_shlib(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `
-# suse doesnt use pam with sulogin...
+define(`sulogin_no_pam', `')
+')
+ifdef(`distro_debian', `
+define(`sulogin_no_pam', `')
+')
+
+ifdef(`sulogin_no_pam', `
 domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
 allow sulogin_t init_t:process getpgid;
 allow sulogin_t self:capability sys_tty_config;
diff -ru /usr/src/se/policy/domains/program/tmpreaper.te ./domains/program/tmpreaper.te
--- /usr/src/se/policy/domains/program/tmpreaper.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/tmpreaper.te	2004-11-22 03:14:43.000000000 +1100
@@ -39,4 +37,4 @@
 allow tmpreaper_t catman_t:dir setattr;
 ')
 read_locale(tmpreaper_t)
-dontaudit tmpreaper_t init_t:fd use;
+
diff -ru /usr/src/se/policy/domains/program/unused/amanda.te ./domains/program/unused/amanda.te
--- /usr/src/se/policy/domains/program/unused/amanda.te	2005-01-14 22:26:57.000000000 +1100
+++ ./domains/program/unused/amanda.te	2004-12-03 19:56:13.000000000 +1100
@@ -241,6 +241,8 @@
 allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
 allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
 allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
+allow amanda_recover_t privfd:fd use;
+
 
 # amrecover network and process communication
 #############################################
diff -ru /usr/src/se/policy/domains/program/unused/asterisk.te ./domains/program/unused/asterisk.te
--- /usr/src/se/policy/domains/program/unused/asterisk.te	2004-12-03 19:49:22.000000000 +1100
+++ ./domains/program/unused/asterisk.te	2005-01-19 04:25:31.000000000 +1100
@@ -48,8 +48,8 @@
 allow asterisk_t self:sem create_sem_perms;
 allow asterisk_t self:shm create_shm_perms;
 
-# for /var/run/asterisk
-allow asterisk_t self:capability dac_override;
+# dac_override for /var/run/asterisk
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
 
 # for shutdown
 dontaudit asterisk_t self:capability sys_tty_config;
diff -ru /usr/src/se/policy/domains/program/unused/backup.te ./domains/program/unused/backup.te
--- /usr/src/se/policy/domains/program/unused/backup.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/backup.te	2005-01-03 01:15:13.000000000 +1100
@@ -26,7 +26,7 @@
 # for SSP
 allow backup_t urandom_device_t:chr_file read;
 
-can_network_server(backup_t)
+can_network_client(backup_t)
 can_ypbind(backup_t)
 uses_shlib(backup_t)
 
diff -ru /usr/src/se/policy/domains/program/unused/bootloader.te ./domains/program/unused/bootloader.te
--- /usr/src/se/policy/domains/program/unused/bootloader.te	2005-01-14 22:26:58.000000000 +1100
+++ ./domains/program/unused/bootloader.te	2005-02-03 15:56:03.000000000 +1100
@@ -10,7 +10,7 @@
 #
 # bootloader_exec_t is the type of the bootloader executable.
 #
-type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role');
+type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
 type bootloader_exec_t, file_type, sysadmfile, exec_type;
 etc_domain(bootloader)
 typealias bootloader_etc_t alias etc_bootloader_t;
@@ -28,8 +28,7 @@
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t { initrc_t privfd }:fd use;
 
-tmp_domain(bootloader, `, device_type')
-allow bootloader_t bootloader_tmp_t:{ devfile_class_set lnk_file } create_file_perms;
+tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
 
 read_locale(bootloader_t)
 
@@ -39,12 +38,33 @@
 # for /vmlinuz sym link
 allow bootloader_t root_t:lnk_file read;
 
+# lilo would need read access to get BIOS data
+allow bootloader_t proc_kcore_t:file getattr;
+
 allow bootloader_t { etc_t device_t }:dir r_dir_perms;
 allow bootloader_t etc_t:file r_file_perms;
 allow bootloader_t etc_t:lnk_file read;
+allow bootloader_t initctl_t:fifo_file getattr;
 uses_shlib(bootloader_t)
 
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+allow bootloader_t usr_t:lnk_file read;
+allow bootloader_t tmpfs_t:dir r_dir_perms;
+allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+allow bootloader_t var_lib_t:dir search;
+allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+allow bootloader_t dpkg_var_lib_t:file { getattr read };
+# for /usr/share/initrd-tools/scripts
+can_exec(bootloader_t, usr_t)
+')
+
 allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
+dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
 allow bootloader_t device_t:lnk_file { getattr read };
 
 # LVM2 / Device Mapper's /dev/mapper/control
@@ -52,6 +72,7 @@
 ifdef(`lvm.te', `
 allow bootloader_t lvm_control_t:chr_file rw_file_perms;
 domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+allow lvm_t bootloader_tmp_t:file rw_file_perms;
 r_dir_file(bootloader_t, lvm_etc_t)
 ')
 
diff -ru /usr/src/se/policy/domains/program/unused/ciped.te ./domains/program/unused/ciped.te
--- /usr/src/se/policy/domains/program/unused/ciped.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/ciped.te	2005-01-03 01:27:19.000000000 +1100
@@ -7,7 +7,7 @@
 
 type cipe_port_t, port_type;
 
-can_network_server(ciped_t)
+can_network_udp(ciped_t)
 can_ypbind(ciped_t)
 allow ciped_t cipe_port_t:udp_socket name_bind;
 
diff -ru /usr/src/se/policy/domains/program/unused/cups.te ./domains/program/unused/cups.te
--- /usr/src/se/policy/domains/program/unused/cups.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/cups.te	2005-01-02 23:09:50.000000000 +1100
@@ -33,8 +33,10 @@
 # temporary solution, we need something better
 allow cupsd_t serial_device:chr_file rw_file_perms;
 
+ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
 r_dir_file(cupsd_t, usbfs_t)
+')
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
diff -ru /usr/src/se/policy/domains/program/unused/dpkg.te ./domains/program/unused/dpkg.te
--- /usr/src/se/policy/domains/program/unused/dpkg.te	2004-12-03 19:49:23.000000000 +1100
+++ ./domains/program/unused/dpkg.te	2005-02-03 15:56:50.000000000 +1100
@@ -179,7 +179,7 @@
 typealias apt_etc_t alias etc_apt_t;
 type apt_rw_etc_t, file_type, sysadmfile;
 typealias apt_rw_etc_t alias etc_apt_rw_t;
-tmp_domain(apt)
+tmp_domain(apt, `', `{ dir file lnk_file }')
 can_exec(apt_t, apt_tmp_t)
 
 rw_dir_create_file(apt_t, apt_rw_etc_t)
diff -ru /usr/src/se/policy/domains/program/unused/ftpd.te ./domains/program/unused/ftpd.te
--- /usr/src/se/policy/domains/program/unused/ftpd.te	2005-02-03 17:58:25.000000000 +1100
+++ ./domains/program/unused/ftpd.te	2004-12-01 14:35:19.000000000 +1100
@@ -34,7 +34,10 @@
 allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
-')
+ifdef(`logrotate.te', `
+can_exec(ftpd_t, logrotate_exec_t)
+')dnl end if logrotate.te
+')dnl end if crond.te
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
 allow ftpd_t port_t:tcp_socket name_bind;
@@ -87,7 +90,9 @@
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
 dontaudit ftpd_t selinux_config_t:dir search;
+ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir search;
+')
 allow ftpd_t self:file { getattr read };
 tmp_domain(ftpd)
 
diff -ru /usr/src/se/policy/domains/program/unused/hotplug.te ./domains/program/unused/hotplug.te
--- /usr/src/se/policy/domains/program/unused/hotplug.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/hotplug.te	2005-01-03 01:36:14.000000000 +1100
@@ -163,4 +163,4 @@
 unconfined_domain(hotplug_t) 
 ')
 
- allow kernel_t hotplug_etc_t:dir search;
+allow kernel_t hotplug_etc_t:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/inetd.te ./domains/program/unused/inetd.te
--- /usr/src/se/policy/domains/program/unused/inetd.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/inetd.te	2005-02-02 00:27:43.000000000 +1100
@@ -55,6 +58,8 @@
 
 
 inetd_child_domain(inetd_child)
+allow inetd_child_t proc_net_t:dir search;
+allow inetd_child_t proc_net_t:file { getattr read };
 
 ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
diff -ru /usr/src/se/policy/domains/program/unused/iptables.te ./domains/program/unused/iptables.te
--- /usr/src/se/policy/domains/program/unused/iptables.te	2005-01-14 22:26:59.000000000 +1100
+++ ./domains/program/unused/iptables.te	2005-01-03 01:11:29.000000000 +1100
@@ -36,7 +36,7 @@
 
 # for iptables -L
 allow iptables_t self:unix_stream_socket create_socket_perms;
-can_network_server(iptables_t)
+can_resolve(iptables_t)
 can_ypbind(iptables_t)
 
 allow iptables_t iptables_exec_t:file execute_no_trans;
diff -ru /usr/src/se/policy/domains/program/unused/lpd.te ./domains/program/unused/lpd.te
--- /usr/src/se/policy/domains/program/unused/lpd.te	2005-01-14 22:27:00.000000000 +1100
+++ ./domains/program/unused/lpd.te	2005-02-03 22:35:34.000000000 +1100
@@ -36,7 +36,7 @@
 type checkpc_t, domain, privlog;
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
-can_network_server(checkpc_t)
+can_network_client(checkpc_t)
 can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff -ru /usr/src/se/policy/domains/program/unused/mdadm.te ./domains/program/unused/mdadm.te
--- /usr/src/se/policy/domains/program/unused/mdadm.te	2004-11-13 03:56:02.000000000 +1100
+++ ./domains/program/unused/mdadm.te	2005-02-03 22:36:28.000000000 +1100
@@ -27,6 +27,7 @@
 
 # RAID block device access
 allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
+allow mdadm_t device_t:lnk_file { getattr read };
 
 # Ignore attempts to read every device file
 dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
diff -ru /usr/src/se/policy/domains/program/unused/mrtg.te ./domains/program/unused/mrtg.te
--- /usr/src/se/policy/domains/program/unused/mrtg.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/mrtg.te	2005-01-31 22:36:33.000000000 +1100
@@ -31,7 +31,7 @@
 r_dir_file(mrtg_t, lib_t)
 
 # Use the network.
-can_network_server(mrtg_t)
+can_network_client(mrtg_t)
 can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
@@ -53,7 +53,8 @@
 r_dir_file(mrtg_t, snmpd_var_lib_t)
 ')
 
-allow mrtg_t proc_t:file { read getattr };
+allow mrtg_t proc_net_t:dir search;
+allow mrtg_t { proc_t proc_net_t }:file { read getattr };
 dontaudit mrtg_t proc_t:file ioctl;
 
 allow mrtg_t { var_lock_t var_lib_t }:dir search;
diff -ru /usr/src/se/policy/domains/program/unused/named.te ./domains/program/unused/named.te
--- /usr/src/se/policy/domains/program/unused/named.te	2005-01-30 06:23:23.000000000 +1100
+++ ./domains/program/unused/named.te	2005-02-03 22:38:57.000000000 +1100
@@ -84,7 +84,7 @@
 allow named_t sysctl_kernel_t:dir r_dir_perms;
 allow named_t sysctl_kernel_t:file r_file_perms;
 
-# Read /proc/cpuinfo.
+# Read /proc/cpuinfo and /proc/net
 r_dir_file(named_t, proc_t)
 r_dir_file(named_t, proc_net_t)
 
@@ -109,6 +109,8 @@
 # for /etc/rndc.key
 ifdef(`distro_redhat', `
 allow { ndc_t initrc_t } named_conf_t:dir search;
+# Allow init script to cp localtime to named_conf_t
+allow initrc_t named_conf_t:file { setattr write };
 ')
 allow { ndc_t initrc_t } named_conf_t:file { getattr read };
 
@@ -153,5 +155,3 @@
 ')
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { write };
diff -ru /usr/src/se/policy/domains/program/unused/nessusd.te ./domains/program/unused/nessusd.te
--- /usr/src/se/policy/domains/program/unused/nessusd.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/nessusd.te	2005-01-03 01:29:31.000000000 +1100
@@ -22,7 +22,7 @@
 #tmp_domain(nessusd)
 
 # Use the network.
-can_network_server(nessusd_t)
+can_network(nessusd_t)
 can_ypbind(nessusd_t)
 allow nessusd_t self:unix_stream_socket create_socket_perms;
 #allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff -ru /usr/src/se/policy/domains/program/unused/nscd.te ./domains/program/unused/nscd.te
--- /usr/src/se/policy/domains/program/unused/nscd.te	2005-01-14 22:27:00.000000000 +1100
+++ ./domains/program/unused/nscd.te	2005-01-30 12:47:20.000000000 +1100
@@ -56,6 +56,7 @@
 
 dontaudit nscd_t sysadm_home_dir_t:dir search;
 
+ifdef(`winbind.te', `
 #
 # Handle winbind for samba, Might only be needed for targeted policy
 #
@@ -63,6 +64,7 @@
 can_unix_connect(nscd_t, winbind_t)
 allow nscd_t samba_var_t:dir search;
 allow nscd_t winbind_var_run_t:dir { getattr search };
+')
 
 r_dir_file(nscd_t, selinux_config_t)
 can_getsecurity(nscd_t)
@@ -70,4 +72,4 @@
 allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+allow nscd_t urandom_device_t:chr_file { getattr read };
diff -ru /usr/src/se/policy/domains/program/unused/nsd.te ./domains/program/unused/nsd.te
--- /usr/src/se/policy/domains/program/unused/nsd.te	2004-12-03 19:49:24.000000000 +1100
+++ ./domains/program/unused/nsd.te	2005-01-03 01:26:19.000000000 +1100
@@ -19,7 +19,7 @@
 type nsd_crond_t, domain, privlog;
 role system_r types nsd_crond_t;
 uses_shlib(nsd_crond_t)
-can_network_server(nsd_crond_t)
+can_network_client(nsd_crond_t)
 can_ypbind(nsd_crond_t)
 allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
 allow nsd_crond_t self:process { fork signal_perms };

Re: some policy patches

[James Carter]

Merged.  

Except that a chunk in ssh.te and login.te reverted Dan's removal of
ifdef(`automount.te' statements.  Was there a reason for this?

On Thu, 2005-02-03 at 07:50, Russell Coker wrote:
> Nothing really exciting in this patch.  Just some minor fixes and sorting out 
> some of the distro-specific stuff.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: some policy patches

[Daniel J Walsh]

James Carter wrote:

>Merged.  
>
>Except that a chunk in ssh.te and login.te reverted Dan's removal of
>ifdef(`automount.te' statements.  Was there a reason for this?
>
>On Thu, 2005-02-03 at 07:50, Russell Coker wrote:
>  
>
>>Nothing really exciting in this patch.  Just some minor fixes and sorting out 
>>some of the distro-specific stuff.
>>    
>>
automount.te statements break targeted policy and autofs is defined 
outside of automount.te so they should not be there.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

More patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 329 bytes --]

Ivan has some more cleanup of x_client apps.
Also added execmod to httpd for php
Moved +r_dir_file(httpd_t, httpd_$1_content_t) outside boolean
so you should be able to serve pages with httpd with all booleans turned 
off.

You are missing NetworkManager from your latest pool, even though 
comment says it is there.

Dan

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 22774 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.8/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/apache.te	2005-04-06 07:32:56.000000000 -0400
@@ -119,6 +119,12 @@
 allow httpd_t port_type:tcp_socket name_connect;
 }
 
+##########################################
+# Legacy: remove when it's fixed         #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
 #########################################
 # Allow httpd to search users directories
 #########################################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.8/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/hald.te	2005-04-06 07:31:54.000000000 -0400
@@ -31,7 +31,6 @@
 allow hald_t usr_t:file { getattr read };
 
 allow hald_t bin_t:file getattr;
-allow hald_t self:netlink_socket create_socket_perms;
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.8/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/domains/program/unused/NetworkManager.te	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,78 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.8/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/file_contexts/distros.fc	2005-04-06 07:32:56.000000000 -0400
@@ -69,7 +69,7 @@
 # Some of them should be fixed and removed from this list
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
@@ -123,6 +123,8 @@
 /usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
 /usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
 /usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.8/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/file_contexts/program/NetworkManager.fc	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager 
+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.8/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/base_user_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -282,6 +280,9 @@
 #
 dontaudit $1_t usr_t:file setattr;
 
+# Use X
+x_client_domain($1, $1)
+
 ifdef(`xserver.te', `
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@@ -291,13 +292,7 @@
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-# certain apps want to read xdm.pid file
+# certain apps want to read xdm.pid file 
 r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
 allow xdm_t $1_home_dir_t:dir getattr;
@@ -305,9 +300,6 @@
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 ')
 
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 ')dnl end ifdef xdm.te
 
 # Access the sound device.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.8/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/apache_macros.te	2005-04-06 07:31:54.000000000 -0400
@@ -136,8 +136,8 @@
 r_dir_file(httpd_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
 }
+r_dir_file(httpd_t, httpd_$1_content_t)
 
 ')
 define(`apache_user_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.8/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/gift_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -18,7 +18,7 @@
 role $1_r types $1_gift_t;
 
 # X access, Home files 
-x_client_domain($1, gift)
+x_client_domain($1_gift, $1)
 home_domain($1, gift)
 
 uses_shlib($1_gift_t)
@@ -26,12 +26,15 @@
 read_sysctl($1_gift_t)
 access_terminal($1_gift_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
-r_dir_file($1_gift_t, fonts_t)
 
 # Launch gift daemon
 allow $1_gift_t bin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.8/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/java_macros.te	2005-04-06 07:37:13.000000000 -0400
@@ -32,7 +32,6 @@
 allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
 allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t etc_runtime_t:file { getattr read };
 allow $1_javaplugin_t fs_t:filesystem getattr;
@@ -58,36 +57,9 @@
 if (allow_execmem) {
 allow $1_javaplugin_t self:process execmem;
 }
-# Allow connections to X server.
-ifdef(`xserver.te', `
 
-ifdef(`xdm.te', `
-# for when /tmp/.X11-unix is created by the system
-allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
-allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
-allow $1_javaplugin_t xdm_tmp_t:dir search;
-allow $1_javaplugin_t xdm_tmp_t:sock_file write;
-')
-
-ifdef(`startx.te', `
-# for when /tmp/.X11-unix is created by the X server
-allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
-
-# for /tmp/.X0-lock
-allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
-
-allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
-can_unix_connect($1_javaplugin_t, $2_xserver_t)
-')dnl end startx
-
-can_unix_connect($1_javaplugin_t, xdm_xserver_t)
-allow xdm_xserver_t $1_javaplugin_t:fd use;
-allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
-dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
-
-')dnl end xserver
-
-allow $1_javaplugin_t self:shm create_shm_perms;
+# Connect to X server
+x_client_domain($1_javaplugin, $2) 
 
 uses_shlib($1_javaplugin_t)
 read_locale($1_javaplugin_t)
@@ -121,4 +93,5 @@
 
 # Do not audit read/getattr of .fonts-cache-1
 dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.8/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/mozilla_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,7 +26,7 @@
 
 # X access, Home files
 home_domain($1, mozilla)
-x_client_domain($1, mozilla)
+x_client_domain($1_mozilla, $1)
 
 # Browse files
 file_browse_domain($1_mozilla_t)
@@ -43,6 +43,10 @@
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
 allow $1_mozilla_t $1_t:process signull;
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_t:process signal_perms;
+
 # Fork, set resource limits and scheduling info.
 allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.8/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.8/macros/program/mplayer_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -15,6 +15,10 @@
 # Read global config
 r_dir_file($1_$2_t, mplayer_etc_t)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_$2_t)
+allow $1_t $1_$2_t:process signal_perms;
+
 # Read data in /usr/share (fonts, icons..)
 r_dir_file($1_$2_t, usr_t)
 
@@ -72,7 +76,7 @@
 
 # Home access, X access, Browse files
 home_domain($1, mplayer)
-x_client_domain($1, mplayer)
+x_client_domain($1_mplayer, $1)
 file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.8/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_agent_macros.te	2005-04-06 07:32:40.000000000 -0400
@@ -63,7 +63,7 @@
 allow $1_ssh_agent_t self:capability setgid;
 
 # access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # for ssh-add
 can_unix_connect($1_t, $1_ssh_agent_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.8/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -129,18 +129,8 @@
 # allow ps to show ssh
 can_ps($1_t, $1_ssh_t)
 
-ifdef(`xserver.te', `
-# Communicate with the X server.
-ifdef(`startx.te', `
-can_unix_connect($1_ssh_t, $1_xserver_t)
-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_ssh_t $1_xserver_tmp_t:dir search;
-')dnl end if startx
-ifdef(`xdm.te', `
-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-')
-')dnl end if xserver
+# Connect to X server
+x_client_domain($1_ssh, $1)
 
 ifdef(`ssh-agent.te', `
 ssh_agent_domain($1)
@@ -167,16 +157,6 @@
 allow $1_ssh_keysign_t self:file { getattr read };
 allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-ifdef(`xdm.te', `
-# should be able to remove these two later
-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-allow $1_ssh_t xdm_xserver_t:fd use;
-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t xdm_t:fd use;
-')dnl end if xdm.te
 ')dnl end macro definition
 ', `
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.8/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/tvtime_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,13 +26,17 @@
 
 # X access, Home files
 home_domain($1, tvtime)
-x_client_domain($1, tvtime)
+x_client_domain($1_tvtime, $1)
 
 uses_shlib($1_tvtime_t)
 read_locale($1_tvtime_t)
 read_sysctl($1_tvtime_t)
 access_terminal($1_tvtime_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_tvtime_t)
+allow $1_t $1_tvtime_t:process signal_perms;
+
 # Read /etc/tvtime
 allow $1_tvtime_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.8/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/x_client_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -1,5 +1,5 @@
 #
-# Macros for X client programs ($2 etc)
+# Macros for X client programs 
 #
 
 #
@@ -8,6 +8,9 @@
 # and Timothy Fraser 
 #
 
+# Allows clients to write to the X server's shm 
+bool allow_write_xshm false;
+
 define(`xsession_domain', `
 
 # Connect to xserver
@@ -23,73 +26,73 @@
 # Signal Xserver
 allow $1_t $2_xserver_t:process signal;
 
-# Use file descriptors created by each other.
-allow $1_t $2_xserver_t:fd use;
+# Xserver read/write client shm
 allow $2_xserver_t $1_t:fd use;
-
-# Xserver read/write parent shm
 allow $2_xserver_t $1_t:shm rw_shm_perms;
 allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
 
-# Parent read xserver shm
+# Client read xserver shm
+allow $1_t $2_xserver_t:fd use;
 allow $1_t $2_xserver_t:shm r_shm_perms;
 allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+
+# Client write xserver shm
+if (allow_write_xshm) {
+allow $1_t $2_xserver_t:shm rw_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
+}
+
 ')
 
 #
-# x_client_domain(user, app)
+# x_client_domain(client, role)
 #
-# Defines common X access rules for the user_app_t domain
+# Defines common X access rules for the client domain
 #
 define(`x_client_domain',`
 
-allow $1_$2_t self:unix_dgram_socket create_socket_perms;
-allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
+# Create socket to communicate with X server
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
+# Read .Xauthority file
 ifdef(`xauth.te',`
-allow $1_$2_t $1_xauth_home_t:file { getattr read };
+allow $1_t home_root_t:dir { search getattr };
+allow $1_t $2_xauth_home_t:file { getattr read };
 ')
 
-# Allow the user domain to send any signal to the $2 process.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
 # for .xsession-errors
-dontaudit $1_$2_t $1_home_t:file write;
+dontaudit $1_t $2_home_t:file write;
 
 # for X over a ssh tunnel
 ifdef(`ssh.te', `
-can_tcp_connect($1_$2_t, sshd_t)
+can_tcp_connect($1_t, sshd_t)
 ')
 
-# Read the home directory, e.g. for .Xauthority and to get to config files
-allow $1_$2_t home_root_t:dir { search getattr };
-
 # Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1_$2)
-
-allow $1_$2_t self:shm create_shm_perms;
+tmpfs_domain($1)
+allow $1_t self:shm create_shm_perms;
 
 # allow X client to read all font files
-r_dir_file($1_$2_t, fonts_t)
+r_dir_file($1_t, fonts_t)
 
 # Allow connections to X server.
 ifdef(`xserver.te', `
-allow $1_$2_t tmp_t:dir search;
+allow $1_t tmp_t:dir search;
 
 ifdef(`xdm.te', `
-xsession_domain($1_$2, xdm)
+xsession_domain($1, xdm)
 
 # for when /tmp/.X11-unix is created by the system
-allow $1_$2_t xdm_t:fifo_file rw_file_perms;
-allow $1_$2_t xdm_tmp_t:dir search;
-allow $1_$2_t xdm_tmp_t:sock_file { read write };
-allow $1_$2_t xdm_t:fd use;
-dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+allow $1_t xdm_t:fifo_file rw_file_perms;
+allow $1_t xdm_tmp_t:dir search;
+allow $1_t xdm_tmp_t:sock_file { read write };
+allow $1_t xdm_t:fd use;
+dontaudit $1_t xdm_t:tcp_socket { read write };
 ')
 
 ifdef(`startx.te', `
-xsession_domain($1_$2, $1)
+xsession_domain($1, $2)
 ')dnl end startx
 
 ')dnl end xserver
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.8/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.8/man/man8/httpd_selinux.8	2005-04-06 07:31:54.000000000 -0400
@@ -75,6 +75,21 @@
 setsebool -P httpd_unified 0
 
 .TP
+httpd can be configured to turn off internal scripting (PHP).  PHP and other
+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+.br
+
+setsebool -P httpd_builtin_scripting 0
+
+.TP
+httpd scripts by default are not allowed to connect out to the network.
+This would prevent a hacker from breaking into you httpd server and attacking 
+other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
+.br
+
+setsebool -P httpd_can_network_connect 1
+
+.TP
 You can disable SELinux protection for the httpd daemon by executing:
 .br
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.8/targeted/domains/program/modutil.te
--- nsapolicy/targeted/domains/program/modutil.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.8/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.8/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/distro.tun	2005-04-06 07:31:54.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.8/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/tunable.tun	2005-04-06 07:31:54.000000000 -0400
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: More patches

[James Carter]

On Wed, 2005-04-06 at 07:51 -0400, Daniel J Walsh wrote:
> Ivan has some more cleanup of x_client apps.
> Also added execmod to httpd for php
> Moved +r_dir_file(httpd_t, httpd_$1_content_t) outside boolean
> so you should be able to serve pages with httpd with all booleans turned 
> off.
> 
> You are missing NetworkManager from your latest pool, even though 
> comment says it is there.

Forgot to cvs add it on sourceforge.  It is committed now.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Daniel J Walsh]

James Carter wrote:

>On Wed, 2005-04-06 at 07:51 -0400, Daniel J Walsh wrote:
>  
>
>>Ivan has some more cleanup of x_client apps.
>>Also added execmod to httpd for php
>>Moved +r_dir_file(httpd_t, httpd_$1_content_t) outside boolean
>>so you should be able to serve pages with httpd with all booleans turned 
>>off.
>>
>>You are missing NetworkManager from your latest pool, even though 
>>comment says it is there.
>>    
>>
>
>Forgot to cvs add it on sourceforge.  It is committed now.
>
>
>  
>
Hold off on that patch.  Some of the x_client changes are not working 
correctly.  I will submit a fixed patch soon.

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 46 bytes --]

Fixed the patches, so they will build.

-- 



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 24156 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.8/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/apache.te	2005-04-06 07:32:56.000000000 -0400
@@ -119,6 +119,12 @@
 allow httpd_t port_type:tcp_socket name_connect;
 }
 
+##########################################
+# Legacy: remove when it's fixed         #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
 #########################################
 # Allow httpd to search users directories
 #########################################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.8/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/domains/program/unused/hald.te	2005-04-06 07:31:54.000000000 -0400
@@ -31,7 +31,6 @@
 allow hald_t usr_t:file { getattr read };
 
 allow hald_t bin_t:file getattr;
-allow hald_t self:netlink_socket create_socket_perms;
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.8/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/domains/program/unused/NetworkManager.te	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,78 @@
+#DESC NetworkManager - 
+#
+# Authors: Dan Walsh <dwalsh@redhat.com>
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon. 
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service };
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow NetworkManager_t named_t:process signal;
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.8/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/file_contexts/distros.fc	2005-04-06 07:32:56.000000000 -0400
@@ -69,7 +69,7 @@
 # Some of them should be fixed and removed from this list
 
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 /usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
 /usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
@@ -123,6 +123,8 @@
 /usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
 /usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
 /usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.8/file_contexts/program/NetworkManager.fc
--- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.8/file_contexts/program/NetworkManager.fc	2005-04-06 07:31:54.000000000 -0400
@@ -0,0 +1,2 @@
+# NetworkManager 
+/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.8/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/base_user_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -124,8 +124,6 @@
 # Use the type when relabeling pty devices.
 type_change $1_t server_pty:chr_file $1_devpts_t;
 
-tmpfs_domain($1)
-
 ifdef(`cardmgr.te', `
 # to allow monitoring of pcmcia status
 allow $1_t cardmgr_var_run_t:file { getattr read };
@@ -282,6 +280,9 @@
 #
 dontaudit $1_t usr_t:file setattr;
 
+# Use X
+x_client_domain($1, $1)
+
 ifdef(`xserver.te', `
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@@ -291,13 +292,7 @@
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-# certain apps want to read xdm.pid file
+# certain apps want to read xdm.pid file 
 r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
 allow xdm_t $1_home_dir_t:dir getattr;
@@ -305,9 +300,6 @@
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 ')
 
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 ')dnl end ifdef xdm.te
 
 # Access the sound device.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.8/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/global_macros.te	2005-04-06 08:25:01.000000000 -0400
@@ -433,11 +433,14 @@
 ')
 
 define(`tmpfs_domain', `
+ifdef(`$1_tmpfs_t_defined',`', `
+define(`$1_tmpfs_t_defined')
 type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
 # Use this type when creating tmpfs/shm objects.
 file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
 allow $1_tmpfs_t tmpfs_t:filesystem associate;
 ')
+')
 
 define(`var_lib_domain', `
 type $1_var_lib_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.8/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/apache_macros.te	2005-04-06 07:31:54.000000000 -0400
@@ -136,8 +136,8 @@
 r_dir_file(httpd_t, httpd_$1_script_ro_t)
 create_dir_file(httpd_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
 }
+r_dir_file(httpd_t, httpd_$1_content_t)
 
 ')
 define(`apache_user_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.8/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/games_domain.te	2005-04-06 08:32:36.000000000 -0400
@@ -20,7 +20,7 @@
 role $1_r types $1_games_t;
 
 # X access, /tmp files
-x_client_domain($1, games)
+x_client_domain($1_games, $1)
 tmp_domain($1_games)
 
 uses_shlib($1_games_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.8/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/gift_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -18,7 +18,7 @@
 role $1_r types $1_gift_t;
 
 # X access, Home files 
-x_client_domain($1, gift)
+x_client_domain($1_gift, $1)
 home_domain($1, gift)
 
 uses_shlib($1_gift_t)
@@ -26,12 +26,15 @@
 read_sysctl($1_gift_t)
 access_terminal($1_gift_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
-r_dir_file($1_gift_t, fonts_t)
 
 # Launch gift daemon
 allow $1_gift_t bin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.8/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/java_macros.te	2005-04-06 07:37:13.000000000 -0400
@@ -32,7 +32,6 @@
 allow $1_javaplugin_t port_type:tcp_socket name_connect;
 can_ypbind($1_javaplugin_t)
 allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_javaplugin_t self:fifo_file rw_file_perms;
 allow $1_javaplugin_t etc_runtime_t:file { getattr read };
 allow $1_javaplugin_t fs_t:filesystem getattr;
@@ -58,36 +57,9 @@
 if (allow_execmem) {
 allow $1_javaplugin_t self:process execmem;
 }
-# Allow connections to X server.
-ifdef(`xserver.te', `
 
-ifdef(`xdm.te', `
-# for when /tmp/.X11-unix is created by the system
-allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
-allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
-allow $1_javaplugin_t xdm_tmp_t:dir search;
-allow $1_javaplugin_t xdm_tmp_t:sock_file write;
-')
-
-ifdef(`startx.te', `
-# for when /tmp/.X11-unix is created by the X server
-allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
-
-# for /tmp/.X0-lock
-allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
-
-allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
-can_unix_connect($1_javaplugin_t, $2_xserver_t)
-')dnl end startx
-
-can_unix_connect($1_javaplugin_t, xdm_xserver_t)
-allow xdm_xserver_t $1_javaplugin_t:fd use;
-allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
-dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
-
-')dnl end xserver
-
-allow $1_javaplugin_t self:shm create_shm_perms;
+# Connect to X server
+x_client_domain($1_javaplugin, $2) 
 
 uses_shlib($1_javaplugin_t)
 read_locale($1_javaplugin_t)
@@ -121,4 +93,5 @@
 
 # Do not audit read/getattr of .fonts-cache-1
 dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
+
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.8/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/mozilla_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,7 +26,7 @@
 
 # X access, Home files
 home_domain($1, mozilla)
-x_client_domain($1, mozilla)
+x_client_domain($1_mozilla, $1)
 
 # Browse files
 file_browse_domain($1_mozilla_t)
@@ -43,6 +43,10 @@
 allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
 allow $1_mozilla_t $1_t:process signull;
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_t:process signal_perms;
+
 # Fork, set resource limits and scheduling info.
 allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.8/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-21 22:32:19.000000000 -0500
+++ policy-1.23.8/macros/program/mplayer_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -15,6 +15,10 @@
 # Read global config
 r_dir_file($1_$2_t, mplayer_etc_t)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_$2_t)
+allow $1_t $1_$2_t:process signal_perms;
+
 # Read data in /usr/share (fonts, icons..)
 r_dir_file($1_$2_t, usr_t)
 
@@ -72,7 +76,7 @@
 
 # Home access, X access, Browse files
 home_domain($1, mplayer)
-x_client_domain($1, mplayer)
+x_client_domain($1_mplayer, $1)
 file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.8/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te	2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_agent_macros.te	2005-04-06 07:32:40.000000000 -0400
@@ -63,7 +63,7 @@
 allow $1_ssh_agent_t self:capability setgid;
 
 # access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # for ssh-add
 can_unix_connect($1_t, $1_ssh_agent_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.8/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/ssh_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -129,18 +129,8 @@
 # allow ps to show ssh
 can_ps($1_t, $1_ssh_t)
 
-ifdef(`xserver.te', `
-# Communicate with the X server.
-ifdef(`startx.te', `
-can_unix_connect($1_ssh_t, $1_xserver_t)
-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_ssh_t $1_xserver_tmp_t:dir search;
-')dnl end if startx
-ifdef(`xdm.te', `
-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-')
-')dnl end if xserver
+# Connect to X server
+x_client_domain($1_ssh, $1)
 
 ifdef(`ssh-agent.te', `
 ssh_agent_domain($1)
@@ -167,16 +157,6 @@
 allow $1_ssh_keysign_t self:file { getattr read };
 allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-ifdef(`xdm.te', `
-# should be able to remove these two later
-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-allow $1_ssh_t xdm_xserver_t:fd use;
-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t xdm_t:fd use;
-')dnl end if xdm.te
 ')dnl end macro definition
 ', `
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.8/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/tvtime_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -26,13 +26,17 @@
 
 # X access, Home files
 home_domain($1, tvtime)
-x_client_domain($1, tvtime)
+x_client_domain($1_tvtime, $1)
 
 uses_shlib($1_tvtime_t)
 read_locale($1_tvtime_t)
 read_sysctl($1_tvtime_t)
 access_terminal($1_tvtime_t, $1)
 
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_tvtime_t)
+allow $1_t $1_tvtime_t:process signal_perms;
+
 # Read /etc/tvtime
 allow $1_tvtime_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.8/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.8/macros/program/x_client_macros.te	2005-04-06 07:32:06.000000000 -0400
@@ -1,5 +1,5 @@
 #
-# Macros for X client programs ($2 etc)
+# Macros for X client programs 
 #
 
 #
@@ -8,6 +8,9 @@
 # and Timothy Fraser 
 #
 
+# Allows clients to write to the X server's shm 
+bool allow_write_xshm false;
+
 define(`xsession_domain', `
 
 # Connect to xserver
@@ -23,73 +26,73 @@
 # Signal Xserver
 allow $1_t $2_xserver_t:process signal;
 
-# Use file descriptors created by each other.
-allow $1_t $2_xserver_t:fd use;
+# Xserver read/write client shm
 allow $2_xserver_t $1_t:fd use;
-
-# Xserver read/write parent shm
 allow $2_xserver_t $1_t:shm rw_shm_perms;
 allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
 
-# Parent read xserver shm
+# Client read xserver shm
+allow $1_t $2_xserver_t:fd use;
 allow $1_t $2_xserver_t:shm r_shm_perms;
 allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+
+# Client write xserver shm
+if (allow_write_xshm) {
+allow $1_t $2_xserver_t:shm rw_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
+}
+
 ')
 
 #
-# x_client_domain(user, app)
+# x_client_domain(client, role)
 #
-# Defines common X access rules for the user_app_t domain
+# Defines common X access rules for the client domain
 #
 define(`x_client_domain',`
 
-allow $1_$2_t self:unix_dgram_socket create_socket_perms;
-allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
+# Create socket to communicate with X server
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
+# Read .Xauthority file
 ifdef(`xauth.te',`
-allow $1_$2_t $1_xauth_home_t:file { getattr read };
+allow $1_t home_root_t:dir { search getattr };
+allow $1_t $2_xauth_home_t:file { getattr read };
 ')
 
-# Allow the user domain to send any signal to the $2 process.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
 # for .xsession-errors
-dontaudit $1_$2_t $1_home_t:file write;
+dontaudit $1_t $2_home_t:file write;
 
 # for X over a ssh tunnel
 ifdef(`ssh.te', `
-can_tcp_connect($1_$2_t, sshd_t)
+can_tcp_connect($1_t, sshd_t)
 ')
 
-# Read the home directory, e.g. for .Xauthority and to get to config files
-allow $1_$2_t home_root_t:dir { search getattr };
-
 # Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1_$2)
-
-allow $1_$2_t self:shm create_shm_perms;
+tmpfs_domain($1)
+allow $1_t self:shm create_shm_perms;
 
 # allow X client to read all font files
-r_dir_file($1_$2_t, fonts_t)
+r_dir_file($1_t, fonts_t)
 
 # Allow connections to X server.
 ifdef(`xserver.te', `
-allow $1_$2_t tmp_t:dir search;
+allow $1_t tmp_t:dir search;
 
 ifdef(`xdm.te', `
-xsession_domain($1_$2, xdm)
+xsession_domain($1, xdm)
 
 # for when /tmp/.X11-unix is created by the system
-allow $1_$2_t xdm_t:fifo_file rw_file_perms;
-allow $1_$2_t xdm_tmp_t:dir search;
-allow $1_$2_t xdm_tmp_t:sock_file { read write };
-allow $1_$2_t xdm_t:fd use;
-dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+allow $1_t xdm_t:fifo_file rw_file_perms;
+allow $1_t xdm_tmp_t:dir search;
+allow $1_t xdm_tmp_t:sock_file { read write };
+allow $1_t xdm_t:fd use;
+dontaudit $1_t xdm_t:tcp_socket { read write };
 ')
 
 ifdef(`startx.te', `
-xsession_domain($1_$2, $1)
+xsession_domain($1, $2)
 ')dnl end startx
 
 ')dnl end xserver
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.8/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8	2005-03-24 08:58:29.000000000 -0500
+++ policy-1.23.8/man/man8/httpd_selinux.8	2005-04-06 07:31:54.000000000 -0400
@@ -75,6 +75,21 @@
 setsebool -P httpd_unified 0
 
 .TP
+httpd can be configured to turn off internal scripting (PHP).  PHP and other
+loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
+.br
+
+setsebool -P httpd_builtin_scripting 0
+
+.TP
+httpd scripts by default are not allowed to connect out to the network.
+This would prevent a hacker from breaking into you httpd server and attacking 
+other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
+.br
+
+setsebool -P httpd_can_network_connect 1
+
+.TP
 You can disable SELinux protection for the httpd daemon by executing:
 .br
 
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.8/targeted/domains/program/modutil.te
--- nsapolicy/targeted/domains/program/modutil.te	2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.8/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.8/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/distro.tun	2005-04-06 07:31:54.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.8/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.8/tunables/tunable.tun	2005-04-06 07:31:54.000000000 -0400
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.

Re: More patches

[Ivan Gyurdiev]

>  allow hald_t bin_t:file getattr;
> -allow hald_t self:netlink_socket create_socket_perms;
>  allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow hald_t self:netlink_route_socket r_netlink_socket_perms;
>  allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };

Now I get one of these...

audit(1112809767.410:0): avc:  denied  { create } for  pid=7363
exe=/usr/sbin/hald scontext=root:system_r:hald_t
tcontext=root:system_r:hald_t tclass=netlink_socket

...and the console is flooded with those:

audit(1112809741.307:0): avc:  denied  { read } for  pid=2525
exe=/usr/sbin/hald scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:hald_t tclass=netlink_socket

Was this removed because of the kobject_uevent rule below it?
I can't remember if that rule was there to begin with, or if it 
was put in to address what I was debugging w/ Protocol 15 (?) being
denied. 

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Daniel J Walsh]

Ivan Gyurdiev wrote:

>> allow hald_t bin_t:file getattr;
>>-allow hald_t self:netlink_socket create_socket_perms;
>> allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
>> allow hald_t self:netlink_route_socket r_netlink_socket_perms;
>> allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
>>    
>>
>
>Now I get one of these...
>
>audit(1112809767.410:0): avc:  denied  { create } for  pid=7363
>exe=/usr/sbin/hald scontext=root:system_r:hald_t
>tcontext=root:system_r:hald_t tclass=netlink_socket
>
>...and the console is flooded with those:
>
>audit(1112809741.307:0): avc:  denied  { read } for  pid=2525
>exe=/usr/sbin/hald scontext=system_u:system_r:hald_t
>tcontext=system_u:system_r:hald_t tclass=netlink_socket
>
>Was this removed because of the kobject_uevent rule below it?
>I can't remember if that rule was there to begin with, or if it 
>was put in to address what I was debugging w/ Protocol 15 (?) being
>denied. 
>
>  
>
My understanding was that

 netlink_kobject_uevent_socket was added so that we would not need the netlink_socket rule.

Either I am wrong or you might need an updated kernel.

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Ivan Gyurdiev]

> My understanding was that
> 
>  netlink_kobject_uevent_socket was added so that we would not need the netlink_socket rule.
> 
> Either I am wrong or you might need an updated kernel.

Ok, I wasn't sure about that, since I didn't see when it was added.
Which kernel do I need? I am running 2.6.11-1.1226_FC4.

Strace still shows protocol 15... same behavior as previously reported.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Ivan Gyurdiev]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]


> BTW have you done anything with dmidecode?

Now attached - small domain for dmidecode that allows
it to read /dev/mem and gives it rawio privileges.

Patch for hal to transition to this domain, 
as well as bringing back the netlink rule for backwards compatibility.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University

[-- Attachment #2: hal_dmidecode.diff --]
[-- Type: text/x-patch, Size: 1350 bytes --]

diff -aru policy.old/domains/program/hald.te policy/domains/program/hald.te
--- policy.old/domains/program/hald.te	2005-04-06 17:23:59.000000000 -0400
+++ policy/domains/program/hald.te	2005-04-06 17:30:22.000000000 -0400
@@ -29,8 +29,11 @@
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t usr_t:file { getattr read };
-
 allow hald_t bin_t:file getattr;
+
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
@@ -77,17 +80,14 @@
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
 
-
-# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
 ifdef(`apmd.te', `
 allow hald_t apmd_var_run_t:sock_file write;
 allow hald_t apmd_t:unix_stream_socket connectto;
 ')
 
-# For /usr/sbin/dmidecode
-# Violates assertion
-#allow hald_t memory_device_t:chr_file read;
-allow hald_t self:capability sys_rawio;
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
 
 # ??
 ifdef(`lvm.te', `

[-- Attachment #3: dmidecode.fc --]
[-- Type: text/plain, Size: 193 bytes --]

# dmidecode 
/usr/sbin/dmidecode	--	   	system_u:object_r:dmidecode_exec_t
/usr/sbin/ownership	--		system_u:object_r:dmidecode_exec_t
/usr/sbin/vpddecode	--		system_u:object_r:dmidecode_exec_t

[-- Attachment #4: dmidecode.te --]
[-- Type: text/plain, Size: 572 bytes --]

#DESC dmidecode - decodes DMI data for x86/ia64 bioses 
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#

type dmidecode_t, domain, privmem;
type dmidecode_exec_t, file_type, exec_type, sysadmfile;

# Allow execution by the sysadm
role sysadm_r types dmidecode_t;
role system_r types dmidecode_t;
domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)

uses_shlib(dmidecode_t)

# Allow terminal access
access_terminal(dmidecode_t, sysadm)

# Allow dmidecode to read /dev/mem
allow dmidecode_t memory_device_t:chr_file read;

allow dmidecode_t self:capability sys_rawio;

Re: More patches

[James Carter]

Merged.

On Wed, 2005-04-06 at 17:39 -0400, Ivan Gyurdiev wrote:
> > BTW have you done anything with dmidecode?
> 
> Now attached - small domain for dmidecode that allows
> it to read /dev/mem and gives it rawio privileges.
> 
> Patch for hal to transition to this domain, 
> as well as bringing back the netlink rule for backwards compatibility.
> 
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[James Carter]

On Wed, 2005-04-06 at 14:48 -0400, Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
> 
> >> allow hald_t bin_t:file getattr;
> >>-allow hald_t self:netlink_socket create_socket_perms;
> >> allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
> >> allow hald_t self:netlink_route_socket r_netlink_socket_perms;
> >> allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
> >>    
> >>
> >

Steve had suggested to me to leave that line in for now for
compatibility with older kernels.


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Stephen Smalley]

On Wed, 2005-04-06 at 14:48 -0400, Daniel J Walsh wrote:
> My understanding was that
> 
>  netlink_kobject_uevent_socket was added so that we would not need the netlink_socket rule.
> 
> Either I am wrong or you might need an updated kernel.

Ultimately, we can phase out the old rule, but we need to wait until the
kernel change makes its way into the Fedora kernels.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[James Carter]

Merged.

On Wed, 2005-04-06 at 08:36 -0400, Daniel J Walsh wrote:
> Fixed the patches, so they will build.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

More patches

[Sascha Hauer]

Hi all,

Here are some more patches, most notably the the possibility to merge
the default environment together from different directories. We can then
introduce a generic default environment which can be used from multiple
boards. Each board can make specific additions to this default environment.

Also, maybe this is controversal, the network stack now generates a random
MAC address if now valid address is found.

Sascha

The following changes since commit 52f760cd61e3f6ca6deb8e5c47eef168b598a674:

  dhcp: do not call net_unregister if net_udp_new failed (2010-06-14 09:39:29 +0200)

are available in the git repository at:
  git://git.pengutronix.de/git/barebox.git pu

Sascha Hauer (11):
      pcm037: Add MMU support
      bootu: Allow passing in devices as parameter
      Allow to merge default environment from more than one directory
      include support for a simple pseudo number generator
      net: implement random_ether_addr
      net: use a random mac address if the current device does not have one
      add a generic default environment
      pcm038: use generic default env
      pcm043: use generic default env
      pcm037: use generic default env
      pca100: use generic default env

 Makefile                                           |   15 ---
 arch/arm/configs/pca100_defconfig                  |    2 +-
 arch/arm/configs/pcm037_defconfig                  |    2 +-
 arch/arm/configs/pcm038_defconfig                  |    2 +-
 arch/arm/configs/pcm043_defconfig                  |    2 +-
 arch/arm/lib/armlinux.c                            |   10 ++-
 arch/arm/mach-imx/Kconfig                          |    2 +
 board/pcm037/env/bin/boot                          |   47 ---------
 board/pcm037/env/bin/init                          |   37 -------
 board/pcm037/env/bin/update_root                   |   16 ---
 board/pcm037/env/config                            |   62 ++++++++---
 board/pcm037/pcm037.c                              |   31 ++++++
 board/pcm038/env/bin/_update                       |   36 -------
 board/pcm038/env/bin/boot                          |   47 ---------
 board/pcm038/env/bin/hush_hack                     |    1 -
 board/pcm038/env/bin/init                          |   37 -------
 board/pcm038/env/bin/update_kernel                 |   15 ---
 board/pcm038/env/bin/update_root                   |   16 ---
 board/pcm038/env/config                            |   62 ++++++++---
 board/pcm043/env/bin/_update                       |   36 -------
 board/pcm043/env/bin/boot                          |   47 ---------
 board/pcm043/env/bin/hush_hack                     |    1 -
 board/pcm043/env/bin/update_kernel                 |   15 ---
 board/pcm043/env/config                            |   65 +++++++++---
 board/phycard-i.MX27/env/bin/_update               |   36 -------
 board/phycard-i.MX27/env/bin/boot                  |   40 -------
 board/phycard-i.MX27/env/bin/hush_hack             |    1 -
 board/phycard-i.MX27/env/bin/init                  |   37 -------
 board/phycard-i.MX27/env/bin/update_kernel         |   15 ---
 board/phycard-i.MX27/env/bin/update_root           |   16 ---
 board/phycard-i.MX27/env/config                    |   57 ++++++++---
 common/Kconfig                                     |    4 +-
 common/Makefile                                    |    6 +-
 {board/pcm037/env => defaultenv}/bin/_update       |    5 +-
 defaultenv/bin/boot                                |  110 ++++++++++++++++++++
 {board/pcm037/env => defaultenv}/bin/hush_hack     |    0
 {board/pcm043/env => defaultenv}/bin/init          |   11 +--
 {board/pcm037/env => defaultenv}/bin/update_kernel |    2 +-
 .../update_root => defaultenv/bin/update_rootfs    |    4 +-
 include/net.h                                      |   17 +++
 include/random.h                                   |    7 ++
 lib/Makefile                                       |    1 +
 lib/random.c                                       |   22 ++++
 net/net.c                                          |   11 ++-
 scripts/genenv                                     |   17 +++
 45 files changed, 424 insertions(+), 601 deletions(-)
 delete mode 100644 board/pcm037/env/bin/boot
 delete mode 100644 board/pcm037/env/bin/init
 delete mode 100644 board/pcm037/env/bin/update_root
 delete mode 100644 board/pcm038/env/bin/_update
 delete mode 100644 board/pcm038/env/bin/boot
 delete mode 100644 board/pcm038/env/bin/hush_hack
 delete mode 100644 board/pcm038/env/bin/init
 delete mode 100644 board/pcm038/env/bin/update_kernel
 delete mode 100644 board/pcm038/env/bin/update_root
 delete mode 100644 board/pcm043/env/bin/_update
 delete mode 100644 board/pcm043/env/bin/boot
 delete mode 100644 board/pcm043/env/bin/hush_hack
 delete mode 100644 board/pcm043/env/bin/update_kernel
 delete mode 100644 board/phycard-i.MX27/env/bin/_update
 delete mode 100644 board/phycard-i.MX27/env/bin/boot
 delete mode 100644 board/phycard-i.MX27/env/bin/hush_hack
 delete mode 100644 board/phycard-i.MX27/env/bin/init
 delete mode 100644 board/phycard-i.MX27/env/bin/update_kernel
 delete mode 100644 board/phycard-i.MX27/env/bin/update_root
 rename {board/pcm037/env => defaultenv}/bin/_update (86%)
 create mode 100644 defaultenv/bin/boot
 rename {board/pcm037/env => defaultenv}/bin/hush_hack (100%)
 rename {board/pcm043/env => defaultenv}/bin/init (59%)
 rename {board/pcm037/env => defaultenv}/bin/update_kernel (91%)
 rename board/pcm043/env/bin/update_root => defaultenv/bin/update_rootfs (91%)
 create mode 100644 include/random.h
 create mode 100644 lib/random.c
 create mode 100755 scripts/genenv

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

More patches

[Ivan Gyurdiev]

[-- Attachment #1: Type: text/plain, Size: 461 bytes --]

The following patch removes the utilities
genpolusers and genpolbools from libsepol:

libsepol-0-remove_genutils.diff

They are of limited value, and mostly superseded by load_policy.
In the future they will be superseded by a new utility called
gen policy.


The following patch makes restorecon use standard output 
for displaying status information, which will make it
easier to handle failure in our startup script.

policycoreutils-restorecon-stdout.diff


[-- Attachment #2: libsepol-0-remove_genutils.diff --]
[-- Type: text/x-patch, Size: 3971 bytes --]

diff -aru libsepol.work/utils/genpolbools.c libsepol-0-remove_genutils/utils/genpolbools.c
--- libsepol.work/utils/genpolbools.c	2005-07-07 06:50:51.000000000 -0400
+++ libsepol-0-remove_genutils/utils/genpolbools.c	2005-07-12 19:50:14.000000000 -0400
@@ -1,76 +0,0 @@
-/*
- * genpolbools old-policy booleans new-policy
- *
- * Given an existing binary policy and a boolean configuration, generate a 
- * new binary policy with the specified initial boolean values and rules
- * enabled based on a re-evaluation of the new boolean values.
- */ 
-
-#include <sepol/policydb.h>
-#include <sepol/services.h>
-#include <sepol/conditional.h>
-#include <sepol/sepol.h>
-#include <getopt.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/mman.h>
-
-void usage(char *progname)
-{
-	printf("usage:  %s old-policy booleans new-policy\n", progname);
-	exit(1);
-}
-
-int main(int argc, char **argv)
-{
-	struct stat sb;
-	FILE *outfp;
-	int fd, rc;
-	void *map;
-
-	if (argc != 4) 
-		usage(argv[0]);
-
-	fd = open(argv[1], O_RDONLY);
-	if (fd < 0) {
-		fprintf(stderr, "Can't open '%s':  %s\n",
-			argv[1], strerror(errno));
-		exit(1);
-	}
-	if (fstat(fd, &sb) < 0) {
-		fprintf(stderr, "Can't stat '%s':  %s\n",
-			argv[1], strerror(errno));
-		exit(1);
-	}
-	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-	if (map == MAP_FAILED) {
-		fprintf(stderr, "Can't map '%s':  %s\n",
-			argv[1], strerror(errno));
-		exit(1);
-	}
-
-	if (sepol_genbools(map, sb.st_size, argv[2]) < 0) {
-		fprintf(stderr, "Error while processing %s:  %s\n",
-			argv[2], strerror(errno));
-		exit(1);
-	}
-
-	outfp = fopen(argv[3], "w");
-	if (!outfp) {
-		perror(argv[3]);
-		exit(1);
-	}
-	rc = fwrite(map, sb.st_size, 1, outfp);
-	if (rc != 1) {
-		fprintf(stderr, "%s:  error writing %s\n",
-			argv[0], argv[3]);
-		exit(1);
-	}
-	fclose(outfp);
-	exit(0);
-}
diff -aru libsepol.work/utils/genpolusers.c libsepol-0-remove_genutils/utils/genpolusers.c
--- libsepol.work/utils/genpolusers.c	2005-07-07 06:50:51.000000000 -0400
+++ libsepol-0-remove_genutils/utils/genpolusers.c	2005-07-12 19:50:11.000000000 -0400
@@ -1,78 +0,0 @@
-/*
- * genpolusers in-policy usersdir out-policy
- *
- * Given an existing binary policy, generate a new binary policy with 
- * an updated user configuration based on any system.users and local.users
- * files in the specified usersdir.
- */ 
-
-#include <sepol/policydb.h>
-#include <sepol/services.h>
-#include <sepol/conditional.h>
-#include <sepol/sepol.h>
-#include <getopt.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/mman.h>
-
-void usage(char *progname)
-{
-	printf("usage:  %s inpolicy usersdir outpolicy\n", progname);
-	exit(1);
-}
-
-int main(int argc, char **argv)
-{
-	struct stat sb;
-	FILE *outfp;
-	int fd, rc;
-	void *map;
-	void *data;
-	unsigned len;
-
-	if (argc != 4) 
-		usage(argv[0]);
-
-	fd = open(argv[1], O_RDONLY);
-	if (fd < 0) {
-		fprintf(stderr, "Can't open '%s':  %s\n",
-			argv[1], strerror(errno));
-		exit(1);
-	}
-	if (fstat(fd, &sb) < 0) {
-		fprintf(stderr, "Can't stat '%s':  %s\n",
-			argv[1], strerror(errno));
-		exit(1);
-	}
-	map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
-	if (map == MAP_FAILED) {
-		fprintf(stderr, "Can't map '%s':  %s\n",
-			argv[1], strerror(errno));
-		exit(1);
-	}
-
-	if (sepol_genusers(map, sb.st_size, argv[2], &data, &len) < 0) {
-		fprintf(stderr, "Error while processing users from %s:  %s\n",
-			argv[2], strerror(errno));
-		exit(1);
-	}
-
-	outfp = fopen(argv[3], "w");
-	if (!outfp) {
-		perror(argv[3]);
-		exit(1);
-	}
-	rc = fwrite(data, len, 1, outfp);
-	if (rc != 1) {
-		fprintf(stderr, "Can't write '%s':  %s\n",
-			argv[3], strerror(errno));
-		exit(1);
-	}
-	fclose(outfp);
-	exit(0);
-}

[-- Attachment #3: policycoreutils-restorecon-stdout.diff --]
[-- Type: text/x-patch, Size: 832 bytes --]

diff -aru policycoreutils.work/restorecon/restorecon.c policycoreutils-restorecon-stdout/restorecon/restorecon.c
--- policycoreutils.work/restorecon/restorecon.c	2005-06-29 16:09:47.000000000 -0400
+++ policycoreutils-restorecon-stdout/restorecon/restorecon.c	2005-07-15 15:25:05.000000000 -0400
@@ -211,11 +211,11 @@
       } else 	
 	      if (verbose && 
 		  (verbose > 1 || !user_only_changed))
-		      fprintf(stderr,"%s reset %s context %s->%s\n",
+		      fprintf(stdout,"%s reset %s context %s->%s\n",
 			      progname, filename, (retcontext >= 0 ? prev_context : ""), scontext);
     }
     if (verbose > 1 && customizable>0) {
-	    fprintf(stderr,"%s: %s not reset customized by admin to %s\n",
+	    fprintf(stdout,"%s: %s not reset customized by admin to %s\n",
 		      progname, filename, prev_context);
     }
 

Re: More patches

[Stephen Smalley]

On Fri, 2005-07-15 at 15:31 -0400, Ivan Gyurdiev wrote:
> The following patch removes the utilities
> genpolusers and genpolbools from libsepol:
> 
> libsepol-0-remove_genutils.diff
> 
> They are of limited value, and mostly superseded by load_policy.
> In the future they will be superseded by a new utility called
> gen policy.

Merged.

> The following patch makes restorecon use standard output 
> for displaying status information, which will make it
> easier to handle failure in our startup script.
> 
> policycoreutils-restorecon-stdout.diff

Hmm...why not just use printf then?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More patches

[Ivan Gyurdiev]

> > The following patch makes restorecon use standard output 
> > for displaying status information, which will make it
> > easier to handle failure in our startup script.
> > 
> > policycoreutils-restorecon-stdout.diff
> 
> Hmm...why not just use printf then?

...okay.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

More patches

[Daniel Barkalow]

Here are the things I was saving for after the previous set:

 1: Report the actual contents of trees
 2: Add functions for scanning history by date
 3: Add http-pull, a program to fetch the objects you need by HTTP
 4: Change merge-base to find the most recent common ancestor

1 and 2 are core extensions. 3 might be best for the pasky tree. 4 is
mostly a demo of 2 and because Linus thought it was a better algorithm.

	-Daniel
*This .sig left intentionally blank*

more patches

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 1063 bytes --]

For user.te I added the following:

# lots of user programs accidentally search /root, and also the admin often
# logs in as UID=0 domain=user_t...
dontaudit unpriv_userdomain sysadm_home_dir_t:dir { getattr search };

# "ps aux" and "ls -l /dev/pts" make too much noise without this
dontaudit unpriv_userdomain ptyfile:chr_file getattr;

Without that there's too much noise in the syslog and the admin will tend to 
ignore it all...

I've attached a patch port.diff to add port contexts to everything else that 
needs them, and also a patch to mrtg.te.

I've attached a patch triv2.diff which has a few other trivial things, and a 
patch for postgresql (it still doesn't work but it's a better starting point 
for other people to work on than the current version).

I've also attached a patch for user macros which mainly improves support for 
XDM.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

[-- Attachment #2: port.diff --]
[-- Type: text/x-diff, Size: 7593 bytes --]

diff -wruN /tmp/policy/domains/program/courier.te policy/domains/program/courier.te
--- /tmp/policy/domains/program/courier.te	2002-08-21 20:22:44.000000000 +0200
+++ policy/domains/program/courier.te	2002-08-27 05:20:08.000000000 +0200
@@ -14,6 +14,8 @@
 type courier_exec_t, file_type, sysadmfile, exec_type;
 type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
 
+type pop_port_t, port_type;
+
 define(`courier_domain', `
 #################################
 #
@@ -76,6 +78,7 @@
 
 courier_domain(tcpd)
 allow courier_tcpd_t self:capability net_bind_service;
+allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
 allow courier_tcpd_t sbin_t:dir search;
 # for TLS
 allow courier_tcpd_t random_device_t:chr_file read;
diff -wruN /tmp/policy/domains/program/mrtg.te policy/domains/program/mrtg.te
--- /tmp/policy/domains/program/mrtg.te	2002-08-27 19:30:06.000000000 +0200
+++ policy/domains/program/mrtg.te	2002-08-27 17:50:47.000000000 +0200
@@ -41,10 +41,6 @@
 can_udp_send(snmpd_t, mrtg_t)
 ')
 
-# Use capabilities  should not need kill...
-#allow mrtg_t self:capability { net_raw net_bind_service kill };
-#allow mrtg_t self:process setsched;
-
 allow mrtg_t proc_t:file { read getattr };
 
 allow mrtg_t { var_lock_t var_lib_t }:dir search;
@@ -59,7 +55,9 @@
 allow mrtg_t sysctl_kernel_t:file read;
 
 # for uptime
-dontaudit mrtg_t initrc_var_run_t:file { read write lock };
-dontaudit mrtg_t etc_runtime_t:file { getattr read };
+allow mrtg_t initrc_var_run_t:file read;
+dontaudit mrtg_t initrc_var_run_t:file { write lock };
+allow mrtg_t etc_runtime_t:file { getattr read };
 
-dontaudit mrtg_t sysadm_home_dir_t:dir search;
+# should not need this!
+allow mrtg_t sysadm_home_dir_t:dir { search read };
diff -wruN /tmp/policy/domains/program/ntpd.te policy/domains/program/ntpd.te
--- /tmp/policy/domains/program/ntpd.te	2002-08-21 20:22:45.000000000 +0200
+++ policy/domains/program/ntpd.te	2002-08-27 05:27:30.000000000 +0200
@@ -11,6 +11,7 @@
 type var_lib_ntp_t, file_type, sysadmfile;
 type var_log_ntp_t, file_type, sysadmfile, logfile;
 type etc_ntp_t, file_type, sysadmfile;
+type ntp_port_t, port_type;
 
 file_type_auto_trans(ntpd_t, var_log_t, var_log_ntp_t)
 
@@ -31,6 +32,7 @@
 
 # Use the network.
 can_network(ntpd_t)
+allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t domain:packet_socket recvfrom;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
diff -wruN /tmp/policy/domains/program/portmap.te policy/domains/program/portmap.te
--- /tmp/policy/domains/program/portmap.te	2002-06-18 19:40:39.000000000 +0200
+++ policy/domains/program/portmap.te	2002-08-27 05:30:08.000000000 +0200
@@ -15,6 +15,8 @@
 domain_auto_trans(initrc_t, portmap_exec_t, portmap_t)
 type_transition init_t portmap_exec_t:process portmap_t;
 
+type portmap_port_t, port_type;
+
 type portmap_tmp_t, file_type, sysadmfile, tmpfile;
 file_type_auto_trans(portmap_t, tmp_t, portmap_tmp_t)
 
@@ -23,6 +25,7 @@
 
 # Use the network.
 can_network(portmap_t)
+allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
 
 # Send to ypbind, initrc, rpc.statd, xinetd.
 ifdef(`ypbind.te',
diff -wruN /tmp/policy/domains/program/ssh.te policy/domains/program/ssh.te
--- /tmp/policy/domains/program/ssh.te	2002-08-27 19:30:06.000000000 +0200
+++ policy/domains/program/ssh.te	2002-08-27 05:23:08.000000000 +0200
@@ -3,6 +3,8 @@
 # Modified by: Russell Coker <russell@coker.com.au>
 #
 
+type ssh_port_t, port_type;
+
 define(`sshd_program_domain', `
 type $1, domain, privuser, privrole, privlog, privowner, privfd;
 role system_r types $1;
@@ -48,6 +50,7 @@
 # sshd_key_t is the type of the ssh private key files
 #
 sshd_program_domain(sshd_t)
+allow sshd_t ssh_port_t:tcp_socket name_bind;
 sshd_program_domain(sshd_login_t)
 undefine(`sshd_program_domain')
 type sshd_exec_t, file_type, exec_type, sysadmfile;
diff -wruN /tmp/policy/domains/program/tftpd.te policy/domains/program/tftpd.te
--- /tmp/policy/domains/program/tftpd.te	2002-08-21 20:22:46.000000000 +0200
+++ policy/domains/program/tftpd.te	2002-08-27 05:33:26.000000000 +0200
@@ -11,10 +11,13 @@
 #
 daemon_domain(tftpd)
 
+type tftp_port_t, port_type;
+
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
 
 # Use the network.
 can_network(tftpd_t)
+allow tftpd_t tftp_port_t:udp_socket name_bind;
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 
diff -wruN /tmp/policy/net_contexts policy/net_contexts
--- /tmp/policy/net_contexts	2002-08-27 19:30:06.000000000 +0200
+++ policy/net_contexts	2002-08-27 17:56:57.000000000 +0200
@@ -17,13 +17,26 @@
 # protocol number context
 # protocol low-high context
 #
+ifdef(`courier.te', define(`use_pop'))
 ifdef(`ftpd.te', `portcon tcp 21 system_u:object_r:ftp_port_t')
+ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
 ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnet_port_t')
 ifdef(`mta.te', `portcon tcp 25 system_u:object_r:smtp_port_t')
 ifdef(`named.te', `portcon udp 53 system_u:object_r:named_port_t
 portcon tcp 53 system_u:object_r:named_port_t')
+ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
 ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
 ifdef(`apache.te', `portcon tcp 80  system_u:object_r:http_port_t')
+ifdef(use_pop, `
+portcon tcp 106 system_u:object_r:pop_port_t
+portcon tcp 109 system_u:object_r:pop_port_t
+portcon tcp 110 system_u:object_r:pop_port_t
+')
+ifdef(`portmap.te', `
+portcon udp 111 system_u:object_r:portmap_port_t
+portcon tcp 111 system_u:object_r:portmap_port_t
+')
+ifdef(`ntp.te', `portcon udp 123 system_u:object_r:ntp_port_t')
 ifdef(`samba.te', `
 portcon tcp 137 system_u:object_r:smbd_port_t
 portcon udp 137 system_u:object_r:nmbd_port_t
@@ -32,24 +45,32 @@
 portcon tcp 139 system_u:object_r:smbd_port_t
 portcon udp 139 system_u:object_r:nmbd_port_t
 ')
+ifdef(use_pop, `portcon tcp 143 system_u:object_r:pop_port_t')
 ifdef(`snmpd.te', `
 portcon udp 161 system_u:object_r:snmp_port_t
 portcon udp 162 system_u:object_r:snmp_port_t
 portcon tcp 199 system_u:object_r:snmp_port_t
 ')
+ifdef(use_pop, `portcon tcp 220 system_u:object_r:pop_port_t')
 ifdef(`slapd.te', `portcon tcp 389 system_u:object_r:ldap_port_t')
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
 ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
 ifdef(`cups.te', `portcon tcp 631 system_u:object_r:ipp_port_t')
-ifdef(`apache.te', `portcon tcp 8080  system_u:object_r:http_cache_port_t',
-`ifdef(`squid.te', `portcon tcp 8080  system_u:object_r:http_cache_port_t')')
+ifdef(use_pop, `
+portcon tcp 993 system_u:object_r:pop_port_t
+portcon tcp 995 system_u:object_r:pop_port_t
+portcon tcp 1109 system_u:object_r:pop_port_t
+')
 ifdef(`radius.te', `portcon udp 1645 system_u:object_r:radius_port_t
 portcon udp 1646 system_u:object_r:radacct_port_t
 portcon udp 1812 system_u:object_r:radius_port_t
 portcon udp 1813 system_u:object_r:radacct_port_t')
 ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
 ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+ifdef(`apache.te', define(`use_http_cache'))
+ifdef(`squid.te', define(`use_http_cache'))
+ifdef(use_http_cache, `portcon tcp 8080  system_u:object_r:http_cache_port_t')
 ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
 
 # Network interfaces (default = initial SID 'netif' and 'netmsg')

[-- Attachment #3: triv2.diff --]
[-- Type: text/x-diff, Size: 5856 bytes --]

diff -wruN /tmp/policy/domains/program/dpkg.te policy/domains/program/dpkg.te
--- /tmp/policy/domains/program/dpkg.te	2002-08-27 19:30:06.000000000 +0200
+++ policy/domains/program/dpkg.te	2002-08-27 17:43:35.000000000 +0200
@@ -116,6 +116,7 @@
 
 # Inherit and use descriptors from any domain.
 allow { apt_t dpkg_t } privfd:fd use;
+allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
 allow { apt_t dpkg_t install_menu_t } { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
 
 allow ifconfig_t dpkg_t:fd use;
diff -wruN /tmp/policy/domains/program/ipsec.te policy/domains/program/ipsec.te
--- /tmp/policy/domains/program/ipsec.te	2002-08-27 19:30:06.000000000 +0200
+++ policy/domains/program/ipsec.te	2002-08-27 01:08:05.000000000 +0200
@@ -43,7 +43,7 @@
 allow ipsec_mgmt_t console_device_t:chr_file rw_file_perms;
 allow ipsec_t console_device_t:chr_file rw_file_perms;
 allow ipsec_t init_t:fd use;
-allow ipsec_mgmt_t init_t:fd use;
+allow ipsec_mgmt_t { init_t privfd }:fd use;
 # do we really need this?
 allow ipsec_t initrc_t:fd use;
 allow ipsec_mgmt_t initrc_t:fd use;
diff -wruN /tmp/policy/domains/program/postgresql.te policy/domains/program/postgresql.te
--- /tmp/policy/domains/program/postgresql.te	2002-08-22 16:21:26.000000000 +0200
+++ policy/domains/program/postgresql.te	2002-08-25 18:12:12.000000000 +0200
@@ -11,6 +11,13 @@
 #
 daemon_domain(postgresql)
 
+ifdef(`dpkg.te', `
+# gross hack
+domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
+')
+# a grosser hack
+allow postgresql_t etc_t:file setattr;
+
 dontaudit postgresql_t { sysadm_home_dir_t var_spool_t }:dir search;
 
 allow postgresql_t self:capability { dac_override dac_read_search chown fowner fsetid setuid setgid };
@@ -21,14 +28,22 @@
 
 file_type_auto_trans(postgresql_t, var_log_t, postgresql_log_t)
 
+allow postgresql_t system_crond_script_t:file { getattr read };
+
 tmp_domain(postgresql);
+file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
+
+can_exec(postgresql_t, dpkg_exec_t)
 
 # Use the network.
 can_network(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:unix_stream_socket create_socket_perms;
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
-# allow any user domain to connect to the server
+
+allow postgresql_t self:shm rw_shm_perms;
+
+# allow any user domain to connect to the database server
 can_tcp_connect(userdomain, postgresql_t)
 
 allow postgresql_t proc_t:file { getattr read };
@@ -55,7 +70,7 @@
 allow postgresql_t bin_t:lnk_file read;
 allow postgresql_t postgresql_exec_t:lnk_file read;
 
-allow postgresql_t initrc_var_run_t:file { read };
+allow postgresql_t initrc_var_run_t:file { read write lock };
 
 allow postgresql_t self:sem rw_sem_perms;
 
diff -wruN /tmp/policy/domains/program/pppd.te policy/domains/program/pppd.te
--- /tmp/policy/domains/program/pppd.te	2002-08-27 19:30:06.000000000 +0200
+++ policy/domains/program/pppd.te	2002-08-27 17:44:56.000000000 +0200
@@ -47,6 +47,7 @@
 
 # Access /dev/ppp.
 allow pppd_t ppp_device_t:chr_file rw_file_perms;
+allow pppd_t devtty_t:chr_file { read write };
 
 allow pppd_t self:unix_dgram_socket create_socket_perms;
 allow pppd_t self:unix_stream_socket create_socket_perms;
diff -wruN /tmp/policy/domains/program/run_init.te policy/domains/program/run_init.te
--- /tmp/policy/domains/program/run_init.te	2002-08-21 20:22:45.000000000 +0200
+++ policy/domains/program/run_init.te	2002-08-24 22:01:22.000000000 +0200
@@ -36,6 +36,9 @@
 allow run_init_t sysadm_tty_device_t:chr_file rw_file_perms;
 allow run_init_t sysadm_devpts_t:chr_file rw_file_perms;
 
+# for when it is run from a directory with restrictive perms
+dontaudit run_init_t file_type:dir search;
+
 # for some PAM modules
 dontaudit run_init_t { sysadm_home_dir_t user_home_dir_type }:dir search;
 # for utmp
diff -wruN /tmp/policy/domains/program/transproxy.te policy/domains/program/transproxy.te
--- /tmp/policy/domains/program/transproxy.te	2002-08-22 16:21:26.000000000 +0200
+++ policy/domains/program/transproxy.te	2002-08-24 22:33:12.000000000 +0200
@@ -16,12 +16,11 @@
 # Use the network.
 can_network(transproxy_t)
 allow transproxy_t transproxy_port_t:tcp_socket name_bind;
+#allow transproxy_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write };
 
 #allow transproxy_t self:fifo_file { read write };
 allow transproxy_t self:unix_stream_socket create_socket_perms;
 allow transproxy_t self:unix_dgram_socket create_socket_perms;
-# allow any user domain to connect to the server
-can_tcp_connect(userdomain, transproxy_t)
 
 # Use capabilities
 allow transproxy_t self:capability { setgid setuid };
diff -wruN /tmp/policy/domains/program/xfs.te policy/domains/program/xfs.te
--- /tmp/policy/domains/program/xfs.te	2002-06-18 19:40:40.000000000 +0200
+++ policy/domains/program/xfs.te	2002-08-24 22:22:30.000000000 +0200
@@ -1,3 +1,4 @@
+#DESC X Font Server
 #
 # Authors:  Stephen Smalley <sds@tislabs.com> and Timothy Fraser <tfraser@tislabs.com> (NAI Labs) 
 #
diff -wruN /tmp/policy/file_contexts/program/sendmail.fc policy/file_contexts/program/sendmail.fc
--- /tmp/policy/file_contexts/program/sendmail.fc	2002-07-10 19:14:03.000000000 +0200
+++ policy/file_contexts/program/sendmail.fc	2002-08-24 22:56:48.000000000 +0200
@@ -1,9 +1,5 @@
 # sendmail
-/etc/aliases			system_u:object_r:etc_aliases_t
-/etc/aliases.db			system_u:object_r:etc_aliases_t
 /etc/mail(/.*)?			system_u:object_r:etc_mail_t
-/usr/sbin/sendmail		system_u:object_r:sendmail_exec_t
-/usr/sbin/sendmail.sendmail	system_u:object_r:sendmail_exec_t
 /var/spool/mail(/.*)?		system_u:object_r:mail_spool_t
 /var/spool/mqueue(/.*)?		system_u:object_r:mqueue_spool_t
 /var/log/sendmail.st		system_u:object_r:sendmail_var_log_t

[-- Attachment #4: user_macros.diff --]
[-- Type: text/x-diff, Size: 1479 bytes --]

diff -wruN /tmp/policy/macros/user_macros.te policy/macros/user_macros.te
--- /tmp/policy/macros/user_macros.te	2002-08-27 19:30:06.000000000 +0200
+++ policy/macros/user_macros.te	2002-08-26 20:03:46.000000000 +0200
@@ -199,18 +199,35 @@
 # correctly without it.  Do not audit write denials to utmp.
 dontaudit $1_t initrc_var_run_t:file { read write };
 
-ifdef(`xdm.te',
-`# Connect to the X server run by the X Display Manager.
+# do not audit getattr on tmpfile, otherwise ls -l /tmp fills the logs
+dontaudit $1_t tmpfile:dir_file_class_set getattr;
+
+ifdef(`xdm.te', `
+# Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
 allow $1_t xdm_tmp_t:sock_file rw_file_perms;
 allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
 allow $1_t xdm_xserver_tmp_t:sock_file { read write };
 allow $1_t xdm_xserver_tmp_t:dir search;
+
+# gross hack - should not need this
+file_type_auto_trans(xdm_t, $1_home_dir_t, $1_home_t, file)
 ')
 
 # Access the sound device.
-allow $1_t sound_device_t:chr_file { read write ioctl };
+allow $1_t sound_device_t:chr_file { getattr read write ioctl };
+
+# Allow reading dpkg origins file
+ifdef(`dpkg.te', `
+r_dir_file($1_t, etc_dpkg_t)
+')
+
+ifdef(`ftpd.te', `
+# uncomment the following for FTP access to all home directories
+# or you can just enable FTP access for certain user domains in the ftpd.te
+# file
+#file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+')
 
 ')