* gentoo diffs
@ 2005-05-07 12:55 petre rodan
  2005-05-08 17:49 ` Russell Coker
  0 siblings, 1 reply; 5+ messages in thread
From: petre rodan @ 2005-05-07 12:55 UTC (permalink / raw)
  To: SELinux


[-- Attachment #1.1: Type: text/plain, Size: 467 bytes --]


Hi,

here is the short version of the gentoo policy patches:

* named: changed one file label
* daemontools: policy cleanup, added support for 2 more services
* dante: policy tweaks needed for latest versions
* gnupg: support for gnupg-1.9.x
* kerberos: gentoo file locations
* postfix: gentoo file locations for 64bit systems
* ucspi-tcp: patch from Andy Dustman to support rblsmtp

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: selinux-bind.diff --]
[-- Type: text/plain, Size: 619 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/named.fc	2005-04-17 00:36:16.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/bind/named.fc	2005-05-07 10:47:59.000000000 +0300
@@ -43,7 +43,7 @@
 ifdef(`distro_gentoo', `
 /etc/bind(/.*)?         system_u:object_r:named_zone_t
 /etc/bind/named\.conf   --  system_u:object_r:named_conf_t
-/etc/bind/rndc\.key    --  system_u:object_r:named_conf_t
+/etc/bind/rndc\.key    --  system_u:object_r:dnssec_t
 /var/bind(/.*)?             system_u:object_r:named_cache_t
 /var/bind/pri(/.*)?         system_u:object_r:named_zone_t
 ') dnl distro_gentoo
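Review bot: Relabelling rndc.key from named_conf_t to dnssec_t is only half a change if named_t is not already allowed to read dnssec_t; no named.te hunk accompanies this .fc line, so that access should be confirmed before the new label is applied, and existing installs need a relabel for the entry to take effect at all. Moving the rndc control-channel secret out of the general config type is the right direction, since anything granted read on named_conf_t would otherwise also reach the key. A comment on the entry such as `# rndc shared secret: keep it out of named_conf_t` would record why this differs from the non-Gentoo entries in the same file.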

[-- Attachment #1.3: selinux-daemontools.diff --]
[-- Type: text/plain, Size: 3391 bytes --]

--- /root/public_html/policy/nsa/macros/program/daemontools_macros.te	2005-03-15 19:54:55.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/daemontools/daemontools_macros.te	2005-03-16 20:33:50.000000000 +0200
@@ -1,10 +1,10 @@
 ifdef(`daemontools.te', `
 
 define(`svc_ipc_domain',`
-allow $1 svc_start_t:process { sigchld };
-allow $1 svc_start_t:fd { use };
-allow $1 svc_start_t:fifo_file { read write };
-allow svc_start_t $1:process { signal }; 
+allow $1 svc_start_t:process sigchld;
+allow $1 svc_start_t:fd use;
+allow $1 svc_start_t:fifo_file { read write getattr };
+allow svc_start_t $1:process signal; 
 ')
 
 ') dnl ifdef daemontools
--- /root/public_html/policy/nsa/file_contexts/program/daemontools.fc	2005-03-15 19:54:54.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/daemontools/daemontools.fc	2005-03-16 20:08:01.000000000 +0200
@@ -22,7 +22,6 @@
 /usr/bin/svscan		--	system_u:object_r:svc_start_exec_t
 /usr/bin/svscanboot	--	system_u:object_r:svc_start_exec_t
 /usr/bin/svok		--	system_u:object_r:svc_start_exec_t
-#/usr/bin/svstat		--	system_u:object_r:svc_start_exec_t
 /usr/bin/supervise	--	system_u:object_r:svc_start_exec_t
 
 # starting scripts
--- /root/public_html/policy/nsa/domains/program/unused/daemontools.te	2005-03-15 19:54:54.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/daemontools/daemontools.te	2005-03-16 20:39:52.000000000 +0200
@@ -27,18 +27,16 @@
 file_type_auto_trans($1, svc_svc_t, svc_svc_t);
 ')
 
-define(`svc_base_domain', `
-daemon_base_domain($1)
-svc_filedir_domain(`$1_t')
-')
-
 ##############################################################
 # the domains
+daemon_base_domain(svc_script)
+svc_filedir_domain(svc_script_t)
 
 # part started by initrc_t
-svc_base_domain(svc_start)
+daemon_base_domain(svc_start)
+domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
+svc_filedir_domain(svc_start_t)
 
-svc_base_domain(svc_script)
 # also get here from svc_script_t
 domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
 
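Review bot: The context comment `# part started by initrc_t` no longer describes the code beneath it, because the new `domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)` adds a transition from init_t itself; if svscanboot is meant to be respawned from inittab the comment should say so, e.g. `# part started by init_t (inittab respawn) or initrc_t`. The new svc_script pair (`daemon_base_domain(svc_script)` / `svc_filedir_domain(svc_script_t)`) now sits directly under the generic `# the domains` heading with no description of its own, unlike the svc_start section; a one-line comment there would keep the two sections parallel. Inlining the former svc_base_domain wrapper is otherwise a faithful expansion.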
@@ -65,12 +63,18 @@
 # svc_start_t
 allow svc_start_t self:fifo_file rw_file_perms;
 allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
 allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
 allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
 allow svc_start_t { var_t var_run_t }:dir search;
+can_exec(svc_start_t, bin_t)
 can_exec(svc_start_t, shell_exec_t)
 allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
 allow svc_start_t svc_run_t:process signal;
+dontaudit svc_start_t proc_t:file r_file_perms;
+dontaudit svc_start_t devtty_t:chr_file { read write };
 
 # svc script
 allow svc_script_t self:capability sys_admin;
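Review bot: `can_exec(svc_start_t, bin_t)` lets svc_start_t execute, without a domain transition, every binary labelled bin_t, which is far broader than the shell_exec_t and svc_start_exec_t grants beside it, and nothing in the hunk says which program needed it. A comment naming that program (or a narrower exec type if one exists) would let a later reviewer decide whether the grant can be tightened. The two new `dontaudit` lines for proc_t and devtty_t suppress denials rather than grant access, so they deserve a note of their own, e.g. `# <program>: harmless reads of /proc and the tty; suppress the noise` with the real program filled in, so the suppression is not mistaken for a required permission. The new `unix_stream_socket create_socket_perms` self rule would benefit from the same one-line justification.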
@@ -140,6 +144,11 @@
 dontaudit httpd_t svc_svc_t:dir { search };
 ')
 
+ifdef(`clamav.te', `
+domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
+svc_ipc_domain(clamd_t)
+')
+
 ifdef(`clockspeed.te', `
 domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
 svc_ipc_domain(clockspeed_t)
@@ -171,6 +180,11 @@
 svc_ipc_domain(rsyncd_t)
 ')
 
+ifdef(`spamd.te', `
+domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
+svc_ipc_domain(spamd_t)
+')
+
 ifdef(`ssh.te', `
 domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
 svc_ipc_domain(sshd_t)

[-- Attachment #1.4: selinux-dante.diff --]
[-- Type: text/plain, Size: 783 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/dante.te	2004-12-06 21:01:25.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dante/dante.te	2005-03-08 12:59:22.000000000 +0200
@@ -10,11 +10,16 @@
 can_network_server(dante_t)
 
 allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid };
+allow dante_t self:capability { setuid setgid };
 allow dante_t self:unix_dgram_socket { connect create write };
 allow dante_t self:unix_stream_socket { connect create read setopt write };
+allow dante_t self:tcp_socket connect;
 
 allow dante_t socks_port_t:tcp_socket name_bind;
 
 allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
 r_dir_file(dante_t, dante_conf_t)
+
+allow dante_t initrc_var_run_t:file { getattr write };
+
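Review bot: `allow dante_t initrc_var_run_t:file { getattr write };` lets the SOCKS daemon write to any file of initrc's runtime type, not just its own pidfile, which is wider than a daemon normally needs. If the purpose is the pidfile, the pattern used elsewhere in this series is a per-daemon runtime type (the saslauthd and spamd .fc patches label their runtime paths `*_var_run_t`) with the pidfile labelled accordingly; failing that, a comment stating which file is written would at least make the grant reviewable. The hunk also appends two blank lines at the end of the file, which is only diff noise.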

[-- Attachment #1.5: selinux-gnupg.diff --]
[-- Type: text/plain, Size: 612 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/gpg.fc	2005-01-26 09:01:01.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/gnupg/gpg.fc	2005-04-08 12:24:21.000000000 +0300
@@ -1,5 +1,7 @@
 # gpg
 HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg		--	system_u:object_r:gpg_exec_t
+/usr/bin/gpg(2)?		--	system_u:object_r:gpg_exec_t
 /usr/bin/kgpg		--	system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.*	--	system_u:object_r:gpg_helper_exec_t
+/usr/lib/gnupg/.*	--	system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.*	--  system_u:object_r:gpg_helper_exec_t
+
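Review bot: The order of the two new `/usr/lib/gnupg/` entries is load-bearing: the catch-all `.*` line labels everything gpg_exec_t, and the `gpgkeys.*` line placed after it presumably relies on the later entry taking precedence so the keyserver helpers keep gpg_helper_exec_t. That intent is not written down, so a comment above the pair such as `# gpgkeys.* must stay after the catch-all so the helper label wins` would stop someone re-sorting them. The `gpgkeys.*` line also separates its columns with two spaces where every other entry in the hunk uses a tab, and a trailing blank line is added at the end of the file.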

[-- Attachment #1.6: selinux-kerberos.diff --]
[-- Type: text/plain, Size: 784 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/kerberos.fc	2005-01-12 20:52:11.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/kerberos/kerberos.fc	2005-02-26 22:59:34.000000000 +0200
@@ -9,3 +9,12 @@
 /var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t
 /var/log/kadmind\.log			system_u:object_r:kadmind_log_t
 /usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
+
+# gentoo file locations
+/usr/sbin/krb5kdc			--	system_u:object_r:krb5kdc_exec_t
+/usr/sbin/kadmind			--	system_u:object_r:kadmind_exec_t
+/etc/krb5kdc(/.*)?				system_u:object_r:krb5kdc_conf_t
+/etc/krb5kdc/principal.*		system_u:object_r:krb5kdc_principal_t
+/etc/krb5kdc/kadm5.keytab 	--	system_u:object_r:krb5_keytab_t
+/var/log/kadmin.log			--	system_u:object_r:kadmind_log_t
+
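Review bot: The new entries `kadm5.keytab` and `kadmin.log` leave the dot unescaped, whereas the existing lines in the same file write `krb5kdc\.log` and `kadmind\.log`; an unescaped dot matches any character, so they should read `/etc/krb5kdc/kadm5\.keytab` and `/var/log/kadmin\.log`. The keytab line also has a stray space before the tab that precedes the `--` column. Giving the keytab its own krb5_keytab_t label instead of the generic conf type is a good separation of long-term key material from KDC configuration.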

[-- Attachment #1.7: selinux-postfix.diff --]
[-- Type: text/plain, Size: 2208 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/postfix.fc	2005-02-17 13:58:35.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/postfix/postfix.fc	2005-04-17 00:34:20.000000000 +0300
@@ -5,17 +5,17 @@
 ')
 /etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t
 /etc/postfix/prng_exch	--	system_u:object_r:postfix_prng_t
-/usr/lib(exec)?/postfix/.*	--	system_u:object_r:postfix_exec_t
-/usr/lib(exec)?/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t
-/usr/lib(exec)?/postfix/local	--	system_u:object_r:postfix_local_exec_t
-/usr/lib(exec)?/postfix/master	--	system_u:object_r:postfix_master_exec_t
-/usr/lib(exec)?/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t
-/usr/lib(exec)?/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
-/usr/lib(exec)?/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
-/usr/lib(exec)?/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
-/usr/lib(exec)?/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
-/usr/lib(exec)?/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
-/usr/lib(exec)?/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
+/usr/lib(exec)?(64)?/postfix/.*	--	system_u:object_r:postfix_exec_t
+/usr/lib(exec)?(64)?/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t
+/usr/lib(exec)?(64)?/postfix/local	--	system_u:object_r:postfix_local_exec_t
+/usr/lib(exec)?(64)?/postfix/master	--	system_u:object_r:postfix_master_exec_t
+/usr/lib(exec)?(64)?/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t
+/usr/lib(exec)?(64)?/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
+/usr/lib(exec)?(64)?/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
+/usr/lib(exec)?(64)?/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
+/usr/lib(exec)?(64)?/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
+/usr/lib(exec)?(64)?/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
+/usr/lib(exec)?(64)?/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
 /usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t
 /usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t
 /usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t
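Review bot: `/usr/lib(exec)?(64)?/postfix/` also matches a `/usr/libexec64/postfix/` path that no layout uses; `/usr/lib(exec|64)?/postfix/` expresses exactly the three intended stems (lib, libexec, lib64) and is shorter. This is a tidiness point only, and the eleven rewritten lines are consistent with one another.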

[-- Attachment #1.8: selinux-ucspi-tcp.diff --]
[-- Type: text/plain, Size: 2214 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/ucspi-tcp.fc	2005-03-15 19:54:54.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ucspi-tcp/ucspi-tcp.fc	2005-03-16 19:57:48.000000000 +0200
@@ -1,2 +1,3 @@
 #ucspi-tcp
 /usr/bin/tcpserver	--	system_u:object_r:utcpserver_exec_t
+/usr/bin/rblsmtpd	--	system_u:object_r:rblsmtpd_exec_t
--- /root/public_html/policy/nsa/domains/program/unused/ucspi-tcp.te	2005-04-17 00:36:16.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ucspi-tcp/ucspi-tcp.te	2005-05-07 12:41:02.000000000 +0300
@@ -1,6 +1,7 @@
 #DESC ucspi-tcp - TCP Server and Client Tools
 #
 # Author Petre Rodan <kaiowas@gentoo.org>
+#			Andy Dustman (rblsmtp-related policy)
 #
 
 # http://cr.yp.to/ucspi-tcp.html
@@ -9,18 +10,16 @@
 
 daemon_base_domain(utcpserver)
 can_network(utcpserver_t)
-allow utcpserver_t port_type:tcp_socket name_connect;
 
-#reads /etc/nsswitch.conf and resolv.conf
-allow utcpserver_t etc_t:file { getattr read };
-allow utcpserver_t net_conf_t:file { read };
-
-allow utcpserver_t { bin_t var_t }:dir { search };
+allow utcpserver_t etc_t:file r_file_perms;
+allow utcpserver_t { bin_t sbin_t var_t }:dir search;
 
 allow utcpserver_t self:capability { net_bind_service setgid setuid };
 allow utcpserver_t self:fifo_file { read write };
 allow utcpserver_t self:process { fork sigchld };
 
+allow utcpserver_t port_t:udp_socket name_bind;
+
 ifdef(`qmail.te', `
 domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
 allow utcpserver_t smtp_port_t:tcp_socket name_bind;
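Review bot: The removed `allow utcpserver_t net_conf_t:file { read };` (and its comment about nsswitch.conf and resolv.conf) has no replacement in this hunk: the new `etc_t:file r_file_perms` line does not cover net_conf_t, so unless `can_network(utcpserver_t)` already grants that read, name resolution from tcpserver would now be denied. The new `allow utcpserver_t port_t:udp_socket name_bind;` lets the domain bind any generic-labelled UDP port and nothing says why; if it is for the resolver, `# resolver binds an unreserved UDP source port` would document it. Dropping the blanket `port_type:tcp_socket name_connect` grant is a welcome tightening.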
@@ -29,3 +28,24 @@
 allow utcpserver_t qmail_etc_t:file r_file_perms;
 ')
 
+daemon_base_domain(rblsmtpd)
+can_network(rblsmtpd_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+allow rblsmtpd_t etc_t:file r_file_perms;
+allow rblsmtpd_t { bin_t var_t }:dir search;
+allow rblsmtpd_t port_t:udp_socket name_bind;
+allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
+
+ifdef(`qmail.te', `
+domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow qmail_queue_t rblsmtpd_t:fd use;
+')
+
+ifdef(`daemontools.te', `
+svc_ipc_domain(rblsmtpd_t)
+')
+
+domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
+
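Review bot: `domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)` is placed at the very end, after the two ifdef blocks, while the rest of the rblsmtpd domain is declared at the top of the hunk; moving it up beside `daemon_base_domain(rblsmtpd)` keeps the domain's definition in one place, as the utcpserver section above does. rblsmtpd_t is given `utcpserver_t:tcp_socket { read write getattr }` on the inherited connection, but after it transitions to qmail_smtpd_t that domain needs the same access to the same inherited socket; the existing qmail block for utcpserver_t outside this hunk presumably provides it, which is worth confirming. The hunk also adds a blank line at the end of the file.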

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 265 bytes --]

* Gentoo diffs
@ 2005-12-04 10:32 Petre Rodan
  0 siblings, 0 replies; 5+ messages in thread
From: Petre Rodan @ 2005-12-04 10:32 UTC (permalink / raw)
  To: SE Linux


[-- Attachment #1.1: Type: text/plain, Size: 592 bytes --]


Hi,

Attached you'll find the latest diffs between the sample policy and the current Gentoo policy.

ChangeLog

daemontools.te: added support for supervising ftpd and openvpn
ftpd.fc: added support for PureFTPd
openvpn.te openvpn.fc: added log_domain and var_lib_domain
publicfile.te: minor fix
saslauthd.fc: added gentoo path
slapd.te slapd.fc: added gentoo paths and support for openldap-2.2.28
spamd.te spamd.fc: added var_lib_domain and new capabilities needed by spamassassin 3.1.0

cheers,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux 

[-- Attachment #1.2: daemontools.te.diff --]
[-- Type: text/plain, Size: 1017 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/daemontools.te	2005-05-25 13:04:36.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/daemontools.te	2005-11-26 19:49:40.000000000 +0200
@@ -150,17 +150,27 @@
 ')
 
 ifdef(`clockspeed.te', `
-domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
+domain_auto_trans(svc_run_t, clockspeed_exec_t, clockspeed_t)
 svc_ipc_domain(clockspeed_t)
 r_dir_file(svc_run_t, clockspeed_var_lib_t)
 allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
 ')
 
 ifdef(`dante.te', `
-domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
+domain_auto_trans(svc_run_t, dante_exec_t, dante_t);
 svc_ipc_domain(dante_t)
 ')
 
+ifdef(`ftpd.te', `
+domain_auto_trans(svc_run_t, ftpd_exec_t, ftpd_t);
+svc_ipc_domain(ftpd_t)
+')
+
+ifdef(`openvpn.te', `
+domain_auto_trans(svc_run_t, openvpn_exec_t, openvpn_t);
+svc_ipc_domain(openvpn_t)
+')
+
 ifdef(`publicfile.te', `
 svc_ipc_domain(publicfile_t)
 ')
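Review bot: The two new lines `domain_auto_trans(svc_run_t, ftpd_exec_t, ftpd_t);` and `domain_auto_trans(svc_run_t, openvpn_exec_t, openvpn_t);` carry a trailing semicolon copied from the dante entry, while the clockspeed entry reformatted in the same hunk (and the clamav and spamd entries added in the earlier mail) have none. The macro already expands to complete rules, so the semicolon is at best redundant; dropping it keeps the block uniform, e.g. `domain_auto_trans(svc_run_t, ftpd_exec_t, ftpd_t)`. The pre-existing dante line shows the policy compiler tolerates it, so this is style rather than a build problem.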

[-- Attachment #1.3: ftpd.fc.diff --]
[-- Type: text/plain, Size: 626 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/ftpd.fc	2005-11-18 13:29:41.000000000 +0200
+++ /etc/security/selinux/src/policy/file_contexts/program/ftpd.fc	2005-11-18 15:41:55.000000000 +0200
@@ -5,6 +5,7 @@
 /usr/sbin/ftpwho	--	system_u:object_r:ftpd_exec_t
 /usr/kerberos/sbin/ftpd	--	system_u:object_r:ftpd_exec_t
 /usr/sbin/vsftpd	--	system_u:object_r:ftpd_exec_t
+/usr/sbin/pure-ftpd	--	system_u:object_r:ftpd_exec_t
 /etc/proftpd\.conf	--	system_u:object_r:ftpd_etc_t
 /var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t
 /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t

[-- Attachment #1.4: openvpn.fc.diff --]
[-- Type: text/plain, Size: 472 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/openvpn.fc	2005-04-17 00:36:17.000000000 +0300
+++ /etc/security/selinux/src/policy/file_contexts/program/openvpn.fc	2005-06-18 10:40:06.000000000 +0300
@@ -2,3 +2,6 @@
 
 /etc/openvpn/.*	--	system_u:object_r:openvpn_etc_t
 /usr/sbin/openvpn	--	system_u:object_r:openvpn_exec_t
+/var/log/openvpn-status\.log    -- system_u:object_r:openvpn_log_t
+/var/lib/openvpn(/.*)?	system_u:object_r:openvpn_var_lib_t
+

[-- Attachment #1.5: openvpn.te.diff --]
[-- Type: text/plain, Size: 752 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/openvpn.te	2005-07-06 22:58:17.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/openvpn.te	2005-06-18 10:40:15.000000000 +0300
@@ -7,6 +7,10 @@
 
 daemon_domain(openvpn)
 etcdir_domain(openvpn)
+log_domain(openvpn)
+var_lib_domain(openvpn)
 
 allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
 
@@ -14,6 +18,7 @@
 allow openvpn_t devpts_t:dir { search getattr };
 allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
 allow openvpn_t proc_t:file { getattr read };
+r_dir_file(openvpn_t, proc_net_t)
 
 allow openvpn_t self:unix_dgram_socket create_socket_perms;
 allow openvpn_t self:unix_stream_socket create_stream_socket_perms;

[-- Attachment #1.6: publicfile.te.diff --]
[-- Type: text/plain, Size: 738 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/publicfile.te	2005-04-21 15:53:02.000000000 +0300
+++ /etc/security/selinux/src/policy/domains/program/publicfile.te	2005-11-24 11:42:33.000000000 +0200
@@ -6,13 +6,24 @@
 # this policy depends on ucspi-tcp
 #
 
 daemon_domain(publicfile)
 type publicfile_content_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
 
 ifdef(`ucspi-tcp.te', `
 domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
-allow publicfile_t utcpserver_t:tcp_socket { read write };
+allow publicfile_t utcpserver_t:tcp_socket { read write shutdown };
 allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
 ')
 

[-- Attachment #1.7: saslauth.fc.diff --]
[-- Type: text/plain, Size: 442 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/saslauthd.fc	2004-09-23 05:08:21.000000000 +0300
+++ /etc/security/selinux/src/policy/file_contexts/program/saslauthd.fc	2005-02-27 19:25:37.000000000 +0200
@@ -1,3 +1,6 @@
 # saslauthd 
 /usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t
 /var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t
+
+/var/lib/sasl2(/.*)?			system_u:object_r:saslauthd_var_run_t
+
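Review bot: `/var/lib/sasl2(/.*)?` is given the runtime type saslauthd_var_run_t although it lives under /var/lib, and no comment says why; presumably the saslauthd mux socket is placed there on Gentoo, but a reader of the .fc file cannot tell. The kerberos and slapd .fc patches in this series use a `# gentoo file locations` heading for the same kind of addition, so the same heading plus a word on the socket, e.g. `# gentoo file locations (saslauthd socket directory)`, would make the choice of type reviewable. The trailing blank line at the end of the file can go.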

[-- Attachment #1.8: slapd.fc.diff --]
[-- Type: text/plain, Size: 883 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/slapd.fc	2005-11-18 13:29:41.000000000 +0200
+++ /etc/security/selinux/src/policy/file_contexts/program/slapd.fc	2005-11-18 15:50:29.000000000 +0200
@@ -17,3 +17,14 @@
 /opt/(fedora|redhat)-ds/slapd-[^/]+/stop-slapd system_u:object_r:initrc_exec_t
 /opt/(fedora|redhat)-ds/alias(/.*)? system_u:object_r:slapd_cert_t
 /opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t
+
+# gentoo file locations
+/usr/lib/openldap/slapd --	system_u:object_r:slapd_exec_t
+/etc/openldap/slapd\.conf -- system_u:object_r:slapd_etc_t
+/etc/openldap/ssl/.*		-- system_u:object_r:slapd_cert_t
+/var/run/openldap(/.*)?		system_u:object_r:slapd_var_run_t
+/var/lib/openldap-data(/.*)?	system_u:object_r:slapd_db_t
+/var/lib/openldap-ldbm(/.*)?	system_u:object_r:slapd_db_t
+/var/lib/openldap-slurp(/.*)?	system_u:object_r:slapd_db_t
+
+
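Review bot: `/usr/lib/openldap/slapd` is written with a plain `/usr/lib` stem, whereas the postfix patch in the earlier mail had to add `(64)?` for 64-bit Gentoo; `/usr/lib(64)?/openldap/slapd` would cover both layouts here as well. The hunk also ends with two blank lines appended to the file. Giving the certificate directory slapd_cert_t and the runtime and database directories their own types matches the existing entries above and is the right split.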

[-- Attachment #1.9: slapd.te.diff --]
[-- Type: text/plain, Size: 513 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/slapd.te	2005-11-18 13:29:41.000000000 +0200
+++ /etc/security/selinux/src/policy/domains/program/slapd.te	2005-11-18 15:48:27.000000000 +0200
@@ -61,18 +62,22 @@
 allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
 r_dir_file(slapd_t, cert_t)
 
+# gentoo related
+#allow slapd_t slapd_t:capability dac_override;
+allow slapd_t slapd_t:unix_stream_socket listen;
+allow slapd_t slapd_var_run_t:sock_file { create setattr unlink };
 
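Review bot: The hunk header `@@ -61,18 +62,22 @@` does not match the hunk body, which shows only four context lines and four additions, and the `+62` offset implies an earlier hunk that is not in the attachment; as sent, this diff will not apply cleanly. The same mismatch between header counts and visible lines affects the first openvpn.te hunk, the publicfile.te hunk and the first spamd.te hunk in this mail. On the content, the commented-out `#allow slapd_t slapd_t:capability dac_override;` is dead policy that should either be removed or annotated with when it is needed, and the socket rule should use `self` like the netlink rule in the context above: `allow slapd_t self:unix_stream_socket listen;`.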

[-- Attachment #1.10: spamd.fc.diff --]
[-- Type: text/plain, Size: 506 bytes --]

--- /root/public_html/policy/nsa/file_contexts/program/spamd.fc	2004-02-02 18:58:19.000000000 +0200
+++ /etc/security/selinux/src/policy/file_contexts/program/spamd.fc	2005-05-02 11:01:38.000000000 +0300
@@ -1,3 +1,7 @@
 /usr/sbin/spamd		--	system_u:object_r:spamd_exec_t
 /usr/bin/spamd		--	system_u:object_r:spamd_exec_t
 /usr/bin/sa-learn	--	system_u:object_r:spamd_exec_t
+
+/var/run/spamd(/.*)?	system_u:object_r:spamd_var_run_t		
+/var/lib/spamd(/.*)?	system_u:object_r:spamd_var_lib_t		
+
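Review bot: Both new entries end in two trailing tab characters after the type (`spamd_var_run_t` and `spamd_var_lib_t`), invisible in the file and a nuisance for anyone diffing it later; they should be stripped. The entries assume spamd_var_run_t exists, but the spamd.te patch in this mail only adds `var_lib_domain(spamd)` while also using spamd_var_run_t, so the runtime type is presumably defined by existing policy outside the diff — worth confirming, since an undefined type fails the build. The trailing blank line at the end of the file adds nothing.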

[-- Attachment #1.11: spamd.te.diff --]
[-- Type: text/plain, Size: 1040 bytes --]

--- /root/public_html/policy/nsa/domains/program/unused/spamd.te	2005-11-18 13:29:41.000000000 +0200
+++ /etc/security/selinux/src/policy/domains/program/spamd.te	2005-11-24 11:43:54.000000000 +0200
@@ -9,9 +9,14 @@
 
 tmp_domain(spamd)
 
 general_domain_access(spamd_t)
 uses_shlib(spamd_t)
 read_sysctl(spamd_t)
+var_lib_domain(spamd)
 
 # Various Perl bits
 allow spamd_t lib_t:file rx_file_perms;
@@ -32,10 +37,12 @@
 # Spamassassin, when run as root and using per-user config files,
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { setuid setgid chown fowner dac_override kill sys_tty_config };
 
 allow spamd_t { bin_t sbin_t }:dir { getattr search };
 can_exec(spamd_t, bin_t)
+allow spamd_t bin_t:lnk_file read;
+allow spamd_t spamd_var_run_t:sock_file create_file_perms;
 
 ifdef(`sendmail.te', `
 allow spamd_t etc_mail_t:dir { getattr read search };
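Review bot: The capability line grows from four to seven entries (`chown fowner kill` are new), but the comment block above it still explains only the setuid case, so a reader cannot tell which of the new capabilities spamassassin 3.1.0 actually requires; chown together with fowner and dac_override is a powerful combination for a daemon that processes untrusted mail. The comment should be extended with a clause per new capability — a constructed example would be `# chown/fowner: <reason>; kill: <reason>` with the real reasons filled in. `allow spamd_t spamd_var_run_t:sock_file create_file_perms;` is fine provided the socket lives under the spamd_var_run_t path added in spamd.fc, and `allow spamd_t bin_t:lnk_file read;` is a reasonable companion to the existing `can_exec(spamd_t, bin_t)`.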

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

