From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Latest updates
Date: Fri, 01 Sep 2006 15:45:24 -0400
Message-ID: <44F88DD4.6020804@redhat.com>
In-Reply-To: <1157125888.3199.157.camel@sgc.columbia.tresys.com>
[-- Attachment #1: Type: text/plain, Size: 5324 bytes --]
Christopher J. PeBenito wrote:
> On Thu, 2006-08-31 at 15:16 -0400, Daniel J Walsh wrote:
>
>> Amanda changes, not sure why you didn't take them last time
>>
>
> Sorry about that, forgot to send an email about that last patch. As for
> this bit, I'm hesitant to remove the contexts. This policy seems to be
> overengineered, and since we intend to fix it, the unused types should
> be removed too. Otherwise we start getting dead policy, and more mess
> in general.
>
>
Removed Types
>> Fixing some labels to match what actually ends up on disk, see /boot/grub
>>
>
> These say /boot/grup; I assume this is a typo. Also they should be in
> the files module.
>
>
Fixed and placed in correct fc files.
>> Change firstboot to create etc_runtime_t instead of firstboot_rw_t.
>>
>
>
> The type should be removed too, see above comments on
> amanda. /usr/share/firstboot is also labeled firstboot_rw_t, so that
> should be resolved too.
>
>
Removed Types
>> Please change /opt java line to match what IBM ships
>>
>
> I'm concerned this is too broad. Can we get additional, more specific
> regexes?
>
>
I went looking for this, and I believe it was placed in an IBM directory,
but cannot find it right now.
Also not sure where BEA places their java.
>> In corecommands prelink also creates lnk_file, when it recreates
>> executables.
>>
>
>
> I assume this refers to the hunk in corecommands.if? I don't agree with
> this change. Only the executables should be specially labeled, not the
> symlinks.
>
>
Changed to bin_t and sbin_t only.
>> gfs supports xattr
>>
>
> IIRC, last time the question was if this was widely available?
>
>
Could swear I got an email telling me to do this, but cannot find it now, so
removing.
>> Lots of domains need term_dontaudit_use_unallocated_ttys for startup
>> from a tty.
>>
>
> Can you clarify this? I don't know what you mean by "startup from a
> tty".
>
>
Log in to a console terminal (ctrl-alt-f1) and restart daemons; this generated lots of avc messages when the daemons try to talk
to tty_device_t.
You will see this same pattern on almost all daemons.
>> Apache uses ldap
>>
>
> This reverts my change; this access is handled by auth_use_nsswitch().
>
>
Removed.
>> bluetooth_helper started for startx needs some more privs
>>
>
> This corenet addition seems out of place, since it doesn't have complete
> networking perms. Fixed the xserver_stream_connect_xdm() interface
> instead of the xdm addition.
>
>
Changed to use your stuff.
>> crontab changes for setting MLS values.
>>
>
> The userdomain sending a sigchld to crontab doesn't make sense to me.
> Also $1_tmp_t can't be referenced directly by this template, it needs to
> use the userdomain interfaces. Besides that, I think it would probably
> be best for crontab to have its own $1_crontab_tmp_t type anyway, unless
> there is a compelling reason for it to write the user's tmp files.
>
>
Changed to $1_crontab_tmp_t, removed the other stuff and will retest on mls.
> Why does system_crond_t need to create crond pid files?
>
>
Saw an AVC but I am removing this code for now.
>> dovecot wants to read some files labeled var_t.
>>
>
> Moved rule down.
>
>
>> ldap uses a socket to communicate
>>
>
> Generic socket doesn't make sense here.
>
>
Should be a sock_file
>> NetworkManager wants to ptrace itself
>>
>
> I can't reproduce this on my notebook. Can you look more into this? It
> seems highly irregular.
>
>
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204161
>> stunnel reads route table
>> and connects to smtp
>>
>
> Is this an explicit requirement, or should it really be tcp connect to
> all ports?
>
Probably.
>
>> X No longer needs execstack, execheap, execmem
>>
>
> I am setting this to !distro_redhat, as this is not necessarily the case
> for other distros (incl RHEL4).
>
>
Fine
>> Changes to semanage
>>
>
> Can't use these templates here. The netlink addition is handled by
> auth_use_nsswitch().
>
>
Ok, I removed some other netlink_route for the same reason.
>> /usr/lib/ia32el/ia32x_loader needs to run unconfined_execmem_t if we
>> have any hope of turning off allow_execmem
>>
>
> Out of curiosity, what is this program?
>
See Eric's email.
> The ntp change shouldn't be needed, since net_bind_service is allowed by
> corenet_udp_bind_ntp_port(ntpd_t).
>
>
Removed
> The procmail change shouldn't be needed since udp bind to inaddr_any is
> allowed by corenet_udp_bind_all_nodes(procmail_t).
>
>
Removed
> The rpc change shouldn't be needed since all domains have self:file
> { getattr read };
>
>
Removed
> The unconfined change should not be needed since it can do * to all
> domains keys (see domain.te).
>
Removed
> Holding off on the other new policies since you said they're still WiP.
>
> Why are the following needed?
>
> fsadm exec a shell
>
>
I am not sure, I removed until I find it.
> initrc write locale_t
>
> lvm_t net_admin (!)
>
Removed; might be some network file system? iSCSI maybe, just guessing.
> depmod using terms other than the ones it gets from its run interface
>
>
Removed.
> udev transition to dhcpc
>
>
>
It does when networks are plugged in, I believe.
> The remainder is merged.
>
>
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 82661 bytes --]
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-2.3.11/policy/modules/admin/amanda.fc
--- nsaserefpolicy/policy/modules/admin/amanda.fc 2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/amanda.fc 2006-09-01 15:41:44.000000000 -0400
@@ -11,61 +11,11 @@
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amlogroll -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.g -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.gp -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmidx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmlog -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/calcsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chio -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chs -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-manual -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-multi -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-rth -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-scsi -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-zd-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/driver -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/dumper -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/killpgrp -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/patch-system -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/planner -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/rundump -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/runtar -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/selfcheck -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendbackup -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/taper -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/versionsuffix -- gen_context(system_u:object_r:amanda_exec_t,s0)
-
-/usr/sbin/amadmin -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheck -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheckdb -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcleanup -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amdump -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amflush -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amgetconf -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amlabel -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amoverview -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amplot -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
-/usr/sbin/amreport -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrestore -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrmtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amstatus -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtoc -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amverify -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
-/var/lib/amanda/\.bashrc -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
-/var/lib/amanda/\.profile -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
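Review bot: the removed /usr/sbin/am* entries leave those tools with the generic sbin_t label, and the removed awk/gnuplot entries (amcat.awk, amplot.awk, amplot.g, amplot.gp) are now caught by the `/usr/lib(64)?/amanda/.+ -- amanda_exec_t` line that stays above them, so interpreter scripts get an executable-file type; if that is not intended, keep one narrower entry for the scripts. Dropping the \.bashrc and \.profile entries also leaves those two files with the generic /var/lib label rather than anything amanda-specific, because the `/var/lib/amanda -d` entry matches only the directory itself.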
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.3.11/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/amanda.te 2006-09-01 15:41:44.000000000 -0400
@@ -33,18 +33,6 @@
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)
-# type for user startable files
-type amanda_user_exec_t;
-corecmd_executable_file(amanda_user_exec_t)
-
-# type for same awk and other scripts
-type amanda_script_exec_t;
-corecmd_executable_file(amanda_script_exec_t)
-
-# type for the shell configuration files
-type amanda_shellconfig_t;
-files_type(amanda_shellconfig_t)
-
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
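Review bot: deleting the three declarations only builds if nothing else still references amanda_user_exec_t, amanda_script_exec_t or amanda_shellconfig_t; the hunk shows just the declarations, so the rest of amanda.te should be checked for leftover allow rules and domain transitions on amanda_user_exec_t before this is merged.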
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.11/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2006-09-01 14:10:19.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/anaconda.te 2006-09-01 15:41:44.000000000 -0400
@@ -64,3 +64,9 @@
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')
+
+
+# The following is just to quiet the anaconda complaining during the install
+domain_dontaudit_getattr_all_stream_sockets(anaconda_t)
+dontaudit domain anaconda_t:fd use;
+domain_dontaudit_use_interactive_fds(anaconda_t)
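Review bot: `dontaudit domain anaconda_t:fd use;` references the domain attribute directly from a module, while the two lines around it go through domain.if interfaces; add an interface for it so the attribute stays private to the kernel layer. All three rules are dontaudit and grant nothing, but the comment should name the denials being silenced so they can be revisited, and the two consecutive blank lines above the comment should be collapsed to one.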
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.11/policy/modules/admin/bootloader.fc
--- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/bootloader.fc 2006-09-01 15:41:44.000000000 -0400
@@ -10,3 +10,4 @@
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/boot/grub/.* -- gen_context(system_u:object_r:boot_runtime_t,s0)
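Review bot: `/boot/grub/.* -- boot_runtime_t` labels every regular file under /boot/grub, including the stage1/stage2 images and grub.conf, not only the files that change on disk at runtime; together with the bootloader.te hunk in this same patch, which widens bootloader_t to rw_file_perms on boot_runtime_t, that is write access to the whole boot loader. If only grub.conf and the device map are rewritten, list those explicitly. Note also that files.fc in this patch adds the more specific `/boot/grub/slapsh.xpm.gz -- boot_t`, which overrides this entry for that one file.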
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.11/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/bootloader.te 2006-09-01 15:41:44.000000000 -0400
@@ -161,7 +161,7 @@
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
- allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+ allow bootloader_t boot_runtime_t:file { rw_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)
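Review bot: going from r_file_perms to rw_file_perms gives bootloader_t write and append on every boot_runtime_t file, and the bootloader.fc hunk in this patch now puts all of /boot/grub in that type; the comment directly above this rule already warns that broad access here is bad, so say in a comment which file mkinitrd/grub actually rewrites and keep the boot_runtime_t label set to those files.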
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.11/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/consoletype.te 2006-09-01 15:41:44.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
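Review bot: the added `role system_r types consoletype_t;` duplicates the one already present three lines below (the last context line of this hunk), so one of them should go. The commented-out `#init_domain(...)` line should be deleted rather than kept as dead policy, and the `#dont transition from initrc` comment should say why the transition is unwanted, since domain_type + domain_entry_file without an automatic transition means initrc_t now runs consoletype in its own domain and any caller that still wants consoletype_t needs its own domtrans rule.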
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.11/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2006-08-29 09:00:30.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/firstboot.te 2006-09-01 15:41:44.000000000 -0400
@@ -20,9 +20,6 @@
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
-type firstboot_rw_t;
-files_type(firstboot_rw_t)
-
########################################
#
# Local policy
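Review bot: firstboot_rw_t is removed here, but the review mail points out that /usr/share/firstboot is labelled firstboot_rw_t in the file contexts and no firstboot.fc hunk appears in this patch; with the type gone that .fc entry fails at build time, so drop or relabel it in the same patch.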
@@ -38,9 +35,8 @@
allow firstboot_t firstboot_etc_t:file { getattr read };
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
+files_manage_etc_runtime_files(firstboot_t)
+files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
# The big hammer
unconfined_domain(firstboot_t)
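Review bot: firstboot_t is made unconfined_domain on the very next line (the "big hammer"), so files_manage_etc_runtime_files(firstboot_t) adds no access; the effective change is only the files_etc_filetrans_etc_runtime(firstboot_t, { file dir }) type transition. That is fine, but a comment should say so, and note that firstboot's files now share etc_runtime_t with every other writer of that type instead of having a private type.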
@@ -124,6 +120,11 @@
usermanage_domtrans_useradd(firstboot_t)
')
+optional_policy(`
+ usermanage_domtrans_admin_passwd(firstboot_t)
+')
+
+
ifdef(`TODO',`
allow firstboot_t proc_t:file write;
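Review bot: the usermanage_domtrans_admin_passwd(firstboot_t) addition is not mentioned in the cover mail and deserves a one-line comment (firstboot_t is unconfined, so the only effect is the transition into the passwd domain); also collapse the two blank lines left before the ifdef(`TODO') block to one.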
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.11/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/rpm.fc 2006-09-01 15:41:44.000000000 -0400
@@ -19,6 +19,8 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
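Review bot: the apt-get/apt-shell entries land inside the conditional block that the `')` closes, which is correct only if that block is the distro_redhat ifdef (apt here is apt-rpm; on other distros /usr/bin/apt-get is not an rpm front end and must not be rpm_exec_t), but the hunk context does not show the ifdef, so confirm it. The file otherwise lists /usr/bin entries before /usr/sbin ones, so keep the new lines sorted with the rest.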
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.11/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/admin/rpm.if 2006-09-01 15:41:44.000000000 -0400
@@ -75,12 +75,13 @@
')
rpm_domtrans($1)
- role $2 types rpm_t;
- role $2 types rpm_script_t;
- seutil_run_loadpolicy(rpm_script_t,$2,$3)
- seutil_run_semanage(rpm_script_t,$2,$3)
- seutil_run_setfiles(rpm_script_t,$2,$3)
- seutil_run_restorecon(rpm_script_t,$2,$3)
+ #role $2 types rpm_t;
+ #role $2 types rpm_script_t;
+ role_transition $2 rpm_exec_t system_r;
+ seutil_run_loadpolicy(rpm_script_t,system_r,$3)
+ seutil_run_semanage(rpm_script_t,system_r,$3)
+ seutil_run_setfiles(rpm_script_t,system_r,$3)
+ seutil_run_restorecon(rpm_script_t,system_r,$3)
allow rpm_t $3:chr_file rw_term_perms;
')
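Review bot: `role_transition $2 rpm_exec_t system_r;` is only honoured if a role allow rule also permits $2 to change to system_r (`allow $2 system_r;`), and this hunk does not add one; without it the transition is denied and rpm keeps running in the caller's role, now without the `role $2 types rpm_t` authorization that was removed. Delete the two `#role $2 types ...` lines instead of commenting them out, and update the interface's doc comment, since the seutil_run_* calls now pass system_r rather than $2.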
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.11/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-08-29 09:00:26.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/apps/java.fc 2006-09-01 15:41:44.000000000 -0400
@@ -1,7 +1,7 @@
#
# /opt
#
-/opt/(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/(.*/)?java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
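Review bot: `/opt/(.*/)?java([^/]*)? --` now matches any regular file under /opt whose basename starts with java, at any depth (javadoc, javaws, javac wrappers, a java.conf), which is the "too broad" concern in the review mail; each such file becomes java_exec_t and gets the java_t transition. Until the exact IBM install path is known, keep the original `bin/java` form and add a second, specific entry for the IBM layout.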
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.3.11/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2006-08-02 10:34:05.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/kernel/corecommands.if 2006-09-01 15:41:44.000000000 -0400
@@ -950,6 +950,7 @@
allow $1 exec_type:file manage_file_perms;
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
+ allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
')
########################################
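Review bot: create_lnk_perms on { bin_t sbin_t }:lnk_file matches the "bin_t and sbin_t only" decision in the mail, but the interface's <summary> above this hunk (not shown) should be updated to say the interface also creates and removes symlinks in the bin directories, since a caller reading the current doc would not expect link create/unlink rights from an executable-management interface.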
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.11/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-01 14:10:17.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/kernel/corenetwork.te.in 2006-09-01 15:41:44.000000000 -0400
@@ -67,6 +67,7 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(comsat, udp,512,s0)
+network_port(cluster, tcp,40040,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
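Review bot: naming port 40040 "cluster" is very generic for one daemon's port, and ccs.te in this patch comments "Wants to connect to 40040" but then calls corenet_tcp_connect_all_ports(ccs_t), so the declaration is never used; name the port after the service that owns it and have ccs.te call the generated corenet_tcp_connect_<name>_port interface instead of connect_all_ports.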
@@ -121,12 +122,13 @@
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
+network_port(ricci, tcp,11111,s0, udp,11111,s0)
+network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(setroubleshoot, tcp,3267,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
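Review bot: removing network_port(setroubleshoot, tcp,3267,s0) is not mentioned in the cover mail and breaks any module that calls the generated corenet_*_setroubleshoot_port interfaces; confirm nothing uses them before dropping the line. The ricci and ricci_modcluster ports have no consumer in this patch (the cover mail says the other new policies are still work in progress), so they could go in with the module that uses them.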
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.11/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-01 14:10:17.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/kernel/files.fc 2006-09-01 15:41:44.000000000 -0400
@@ -32,6 +32,7 @@
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+/boot/grub/slapsh.xpm.gz -- gen_context(system_u:object_r:boot_t,s0)
#
# /emul
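Review bot: "slapsh.xpm.gz" looks like a typo for splash.xpm.gz (the grub splash image), and the dots should be escaped (`slapsh\.xpm\.gz`) as the `/boot/System\.map` entry above does, otherwise `.` matches any character. The entry also overlaps the `/boot/grub/.* -- boot_runtime_t` line added to bootloader.fc in this patch; the more specific entry wins, so this file stays boot_t while everything else in /boot/grub becomes boot_runtime_t, which is presumably intended but deserves a comment.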
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.11/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-08-29 09:00:26.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/kernel/terminal.if 2006-09-01 15:41:44.000000000 -0400
@@ -886,7 +886,7 @@
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file { read write };
+ dontaudit $1 tty_device_t:chr_file rw_file_perms;
')
########################################
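Review bot: replacing { read write } with rw_file_perms widens the dontaudit to the whole file read/write set (getattr, append, ioctl and lock as well); it grants nothing, but it hides more tty_device_t denials from the audit log, and the interface doc should say so. For a chr_file the conventional set is rw_term_perms, which the rpm.if hunk in this same patch uses (`allow rpm_t $3:chr_file rw_term_perms;`), so use that here for consistency.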
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.11/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2006-08-29 09:00:27.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/amavis.te 2006-09-01 15:41:44.000000000 -0400
@@ -155,6 +155,7 @@
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(amavis_t)
+ term_dontaudit_use_unallocated_ttys(amavis_t)
')
optional_policy(`
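Review bot: the same term_dontaudit_use_unallocated_ttys() line is added to amavis, apache, bluetooth, ccs and clamav in this patch, and the cover mail says the pattern appears on almost all daemons restarted from a console; rather than patching each module, consider adding it once in the targeted_policy section of init_daemon_domain() so every daemon gets it and the per-module copies can be dropped.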
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.11/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/apache.te 2006-09-01 15:41:44.000000000 -0400
@@ -141,7 +141,6 @@
allow httpd_t self:msg { send receive };
allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
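Review bot: dropping the netlink_route_socket rule relies on auth_use_nsswitch(httpd_t) being present, per the cover mail, but that call is not in the visible context of this hunk; confirm it is there, since without it httpd loses the route-socket access used during name resolution.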
@@ -713,4 +712,5 @@
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+ term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.11/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/bluetooth.te 2006-09-01 15:41:44.000000000 -0400
@@ -217,14 +217,16 @@
fs_rw_tmpfs_files(bluetooth_helper_t)
term_dontaudit_use_generic_ptys(bluetooth_helper_t)
+ term_dontaudit_use_unallocated_ttys(bluetooth_helper_t)
unconfined_stream_connect(bluetooth_helper_t)
userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
+ corenet_non_ipsec_sendrecv(bluetooth_helper_t)
+
optional_policy(`
corenet_tcp_connect_xserver_port(bluetooth_helper_t)
-
xserver_stream_connect_xdm(bluetooth_helper_t)
xserver_use_xdm_fds(bluetooth_helper_t)
xserver_rw_xdm_pipes(bluetooth_helper_t)
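Review bot: corenet_non_ipsec_sendrecv(bluetooth_helper_t) is still added here although the review mail said the corenet addition was out of place (there are no networking perms for it to go with) and that the fixed xserver_stream_connect_xdm() interface should be used instead; drop this line and the blank line after it. Removing the stray blank line inside the optional_policy block is a good cleanup.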
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.11/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/ccs.fc 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,8 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
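Review bot: the four header comment lines are policy-generator boilerplate that restates what the gen_context line already says, and none of the other .fc files in this patch carry such a header, so remove them. `/etc/cluster(/.*)?` and `/var/run/cluster(/.*)?` are shared by the other cluster daemons, so owning them from the ccs module means every other cluster module will have to go through ccs_read_config() and ccs_stream_connect(); that is fine, but worth a comment in the file.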
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.11/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/ccs.if 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,65 @@
+## <summary>policy for ccs</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ccs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ccs_domtrans',`
+ gen_require(`
+ type ccs_t, ccs_exec_t;
+ ')
+
+ domain_auto_trans($1,ccs_exec_t,ccs_t)
+
+ allow $1 ccs_t:fd use;
+ allow ccs_t $1:fd use;
+ allow ccs_t $1:fifo_file rw_file_perms;
+ allow ccs_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Connect to ccs over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_stream_connect',`
+ gen_require(`
+ type ccs_t, ccs_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ccs_var_run_t:dir r_dir_perms;
+ allow $1 ccs_var_run_t:sock_file write;
+ allow $1 ccs_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read cluster configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ccs_read_config',`
+ gen_require(`
+ type cluster_conf_t;
+ ')
+
+ allow $1 cluster_conf_t:dir search_dir_perms;
+ allow $1 cluster_conf_t:file { getattr read };
+')
+
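Review bot: "Connect to ccs over an unix stream socket" should read "a unix stream socket", and the file ends with a trailing blank line. ccs_stream_connect grants only `write` on ccs_var_run_t:sock_file; if the client stats the socket path before connecting it will also need getattr, so check the client's behaviour before merging.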
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.11/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/ccs.te 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(ccs,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ccs_t;
+type ccs_exec_t;
+domain_type(ccs_t)
+init_daemon_domain(ccs_t, ccs_exec_t)
+
+# pid files
+type ccs_var_run_t;
+files_pid_file(ccs_var_run_t)
+
+# pid files
+type cluster_conf_t;
+files_type(cluster_conf_t)
+
+# log files
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
+########################################
+#
+# ccs local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+allow ccs_t self:process signal;
+
+allow ccs_t self:socket create_socket_perms;
+allow ccs_t self:tcp_socket create_stream_socket_perms;
+allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
+allow ccs_t self:unix_dgram_socket create_socket_perms;
+allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(ccs_t)
+corenet_tcp_sendrecv_all_if(ccs_t)
+corenet_tcp_sendrecv_all_nodes(ccs_t)
+corenet_tcp_sendrecv_all_ports(ccs_t)
+corenet_udp_sendrecv_all_ports(ccs_t)
+corenet_non_ipsec_sendrecv(ccs_t)
+corenet_tcp_bind_all_nodes(ccs_t)
+corenet_udp_bind_all_nodes(ccs_t)
+# Wants to connect to 40040
+corenet_tcp_connect_all_ports(ccs_t)
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(ccs_t)
+libs_use_ld_so(ccs_t)
+libs_use_shared_libs(ccs_t)
+miscfiles_read_localization(ccs_t)
+## internal communication is often done using fifo and unix sockets.
+allow ccs_t self:fifo_file { read write };
+allow ccs_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow ccs_t ccs_var_run_t:file manage_file_perms;
+allow ccs_t ccs_var_run_t:sock_file manage_file_perms;
+allow ccs_t ccs_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ccs_t,ccs_var_run_t, { file sock_file })
+
+# log files
+allow ccs_t ccs_var_log_t:file create_file_perms;
+allow ccs_t ccs_var_log_t:sock_file create_file_perms;
+allow ccs_t ccs_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
+
+logging_send_syslog_msg(ccs_t)
+
+files_read_etc_runtime_files(ccs_t)
+
+kernel_read_kernel_sysctls(ccs_t)
+
+sysnet_dns_name_resolve(ccs_t)
+
+unconfined_use_fds(ccs_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_generic_ptys(ccs_t)
+ term_dontaudit_use_unallocated_ttys(ccs_t)
+')
+
+allow ccs_t cluster_conf_t:dir r_dir_perms;
+allow ccs_t cluster_conf_t:file rw_file_perms;
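Review bot: ccs_t gets corenet_tcp_connect_all_ports, corenet_*_bind_all_nodes and sendrecv on all ports while the comment says the need is "Wants to connect to 40040", and this patch declares that exact port in corenetwork.te.in; use the generated per-port connect interface and drop the all_ports calls. Further points: sysnet_dns_name_resolve(ccs_t) appears twice; the "# pid files" comment above cluster_conf_t is a copy-paste error (it is the config type); `allow ccs_t self:socket create_socket_perms` is the generic socket class the review mail already objected to for ldap; domain_type(ccs_t) is redundant with init_daemon_domain(); the ccs_var_log_t:sock_file rules and the sock_file in logging_log_filetrans need a comment saying which socket ccs creates under /var/log; and the template comments ("adjust to your needs!", "Check in /etc/selinux/refpolicy/include ...", "you might be able to remove some") should be deleted before merging.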
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.11/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/clamav.te 2006-09-01 15:41:44.000000000 -0400
@@ -121,6 +121,7 @@
cron_rw_pipes(clamd_t)
ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(clamd_t)
term_dontaudit_use_generic_ptys(clamd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.11/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/cron.if 2006-09-01 15:41:44.000000000 -0400
@@ -54,6 +54,11 @@
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
+ type $1_crontab_tmp_t;
+ files_tmp_file($1_crontab_tmp_t)
+
+
+
##############################
#
# $1_crond_t local policy
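Review bot: the three blank lines after files_tmp_file($1_crontab_tmp_t) should be collapsed to one, and the type declaration belongs with the other $1_crontab_t declarations above the `role $3 types $1_crontab_t;` line rather than after it.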
@@ -193,6 +198,10 @@
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file create_file_perms;
+ allow $1_crontab_t tmp_t:dir rw_dir_perms;
+ allow $1_crontab_t $1_crontab_tmp_t:file create_file_perms;
+ type_transition $1_crontab_t tmp_t:file $1_crontab_tmp_t;
+
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
allow $1_crontab_t self:process signal_perms;
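Review bot: these rules reference tmp_t directly from the cron template, which the review mail rejected for $1_tmp_t for the same reason (types owned by other modules are reached through their interfaces); replace the tmp_t dir rule and the type_transition with files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file), as the cron.te hunk in this patch already does for crond_t, and keep only the `allow $1_crontab_t $1_crontab_tmp_t:file create_file_perms;` line.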
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.11/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/cron.te 2006-09-01 15:41:44.000000000 -0400
@@ -36,6 +36,9 @@
type crontab_exec_t;
corecmd_executable_file(crontab_exec_t)
+type crontab_tmp_t;
+files_tmp_file(crontab_tmp_t)
+
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
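Review bot: crontab_tmp_t is declared but nothing in this patch uses it (the template declares a per-user $1_crontab_tmp_t instead), which leaves exactly the kind of dead type the cover discussion objects to for amanda and firstboot; either add the rules for the system crontab domain that need it or drop the declaration.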
@@ -175,6 +178,7 @@
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+ files_pid_filetrans(system_crond_t,crond_var_run_t,file)
')
tunable_policy(`fcron_crond', `
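Review bot: the cover mail says the system_crond_t pid-file change is being removed, yet files_pid_filetrans(system_crond_t,crond_var_run_t,file) is still here, inside an indented block of crond_t rules. A filetrans alone is also not enough: system_crond_t would still need create/write on crond_var_run_t:file, which the hunk does not add; so either remove the line as the mail says or add the matching permissions with a comment on why system_crond_t writes a crond pid file.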
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.3.11/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/cyrus.te 2006-09-01 15:41:44.000000000 -0400
@@ -93,6 +93,7 @@
files_list_var_lib(cyrus_t)
files_read_etc_files(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
+files_read_usr_files(cyrus_t)
init_use_fds(cyrus_t)
init_use_script_ptys(cyrus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.11/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/dbus.if 2006-09-01 15:41:44.000000000 -0400
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
corecmd_list_bin($1_dbusd_t)
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
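Review bot: corecmd_bin_domtrans($1_dbusd_t, $1_t) makes the user's session bus daemon transition into the full user domain for any bin_t executable it runs, so every D-Bus-activated service now runs as $1_t; that is a large grant not mentioned in the cover mail and should carry a comment naming the activation case that needs it. If only specific helpers are launched, a dedicated domain for them would be the narrower fix.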
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.3.11/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/dbus.te 2006-09-01 15:41:44.000000000 -0400
@@ -38,7 +38,6 @@
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
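Review bot: the netlink_route_socket removals here and in dovecot, ftp and hal all assume the domain calls auth_use_nsswitch(), as the cover mail says for the other netlink_route removals; confirm each of the four does, since a daemon that resolves names without nsswitch would lose access it needs. Unrelated to this change, the context line `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists connectto twice.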
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.11/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/dovecot.te 2006-09-01 15:41:44.000000000 -0400
@@ -46,8 +46,6 @@
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
-
domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
allow dovecot_t dovecot_auth_t:fd use;
allow dovecot_auth_t dovecot_t:process sigchld;
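Review bot: Same question as for the other daemons in this patch: the reason for dropping `netlink_route_socket r_netlink_socket_perms` from dovecot_t is not given, and the blank line that separated the self-socket rules from the dovecot_auth transition block is removed with it. Keep the separator, and state in the changelog which interface now covers the access (or that it was verified unused).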
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.3.11/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-08-23 12:14:53.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/ftp.te 2006-09-01 15:41:44.000000000 -0400
@@ -50,7 +50,6 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
-allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ftpd_t ftpd_etc_t:file r_file_perms;
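Review bot: The netlink_route_socket removal for ftpd_t has no justification in the patch; if a shared interface now supplies this permission, cite it, otherwise confirm with audit logs that ftpd never needs it (it resolves names and binds addresses, which commonly triggers this access through glibc).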
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.3.11/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/hal.te 2006-09-01 15:41:44.000000000 -0400
@@ -28,7 +28,6 @@
allow hald_t self:fifo_file rw_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
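Review bot: The netlink_route_socket removal for hald_t is undocumented, like the same removal for dbus, dovecot, ftpd and ntpd in this patch; please record in the changelog whether the access moved into an interface hald_t calls or was confirmed unneeded.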
@@ -78,6 +77,7 @@
dev_rw_sysfs(hald_t)
domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
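Review bot: `domain_read_all_domains_state(hald_t)` gives hald read access to the /proc state of every domain on the system; that is a large grant and the hunk carries no comment saying which process information hald actually needs. Add a one-line comment with the denial being fixed, and if it is only a few specific domains, prefer the per-domain read interfaces.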
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-2.3.11/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2006-08-16 08:46:30.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/ldap.te 2006-09-01 15:41:44.000000000 -0400
@@ -72,7 +72,7 @@
allow slapd_t slapd_var_run_t:file create_file_perms;
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t,file)
+files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
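Review bot: Adding sock_file to `files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })` only sets the type transition; no sock_file allow rule for slapd_var_run_t is visible in the hunk (the context shows only `:file create_file_perms` and `:dir rw_dir_perms`). Unless one already exists elsewhere in the module, the socket creation will still be denied; add a rule in the style this patch uses elsewhere, e.g. `allow slapd_t slapd_var_run_t:sock_file create_file_perms;`.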
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.11/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/networkmanager.te 2006-09-01 15:41:44.000000000 -0400
@@ -18,9 +18,9 @@
# Local policy
#
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock};
dontaudit NetworkManager_t self:capability sys_tty_config;
-allow NetworkManager_t self:process { setcap getsched signal_perms };
+allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
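Review bot: The two changed lines add `sys_ptrace` to the capability set and `ptrace` to the self process permissions of NetworkManager_t without saying which denial prompted them. CAP_SYS_PTRACE is a large grant for a network daemon; if the trigger is reading /proc/<pid>/ of other processes, a dontaudit on sys_ptrace together with the appropriate domain state read interface is usually what is wanted rather than a real ptrace permission. Please add a comment with the observed AVC, or narrow the change.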
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.3.11/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-08-23 12:14:54.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/ntp.te 2006-09-01 15:41:44.000000000 -0400
@@ -38,7 +38,6 @@
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
allow ntpd_t self:udp_socket create_socket_perms;
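Review bot: The netlink_route_socket removal for ntpd_t is undocumented; as with the other daemons in this patch, state in the changelog whether the access is now supplied by an interface ntpd_t calls or was verified unneeded against audit logs.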
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.11/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/oddjob.fc 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,8 @@
+# oddjob executable will have:
+# label: system_u:object_r:oddjob_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/var/run/oddjobd.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/usr/lib/oddjobd gen_context(system_u:object_r:oddjob_var_lib_t,s0)
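Review bot: The last entry, `/usr/lib/oddjobd`, does not match the helper path the companion file uses (`/usr/lib/oddjob/mkhomedir` in oddjob_mkhomedir.fc), so this looks like a typo for `/usr/lib/oddjob`; it also labels a /usr/lib tree with oddjob_var_lib_t, the same type oddjob.te creates under /var/lib via files_var_lib_filetrans, and it lacks the `(/.*)?` suffix a directory entry needs. Clarify which path is meant, give it its own type or a lib type rather than a var_lib type, and drop the four-line "oddjob executable will have:" header, which is generator boilerplate.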
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.11/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/oddjob.if 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,76 @@
+## <summary>policy for oddjob</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_domtrans',`
+ gen_require(`
+ type oddjob_t, oddjob_exec_t;
+ ')
+
+ domain_auto_trans($1,oddjob_exec_t,oddjob_t)
+
+ allow $1 oddjob_t:fd use;
+ allow oddjob_t $1:fd use;
+ allow oddjob_t $1:fifo_file rw_file_perms;
+ allow oddjob_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Make the specified program domain accessable
+## from the oddjob.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`oddjob_system_entry',`
+ gen_require(`
+ type oddjob_t;
+ ')
+
+ domain_auto_trans(oddjob_t, $2, $1)
+
+ allow oddjob_t $1:fd use;
+ allow $1 oddjob_t:fd use;
+ allow $1 oddjob_t:fifo_file rw_file_perms;
+ allow $1 oddjob_t:process sigchld;
+
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## oddjob over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`oddjob_dbus_chat',`
+ gen_require(`
+ type oddjob_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 oddjob_t:dbus send_msg;
+ allow oddjob_t $1:dbus send_msg;
+')
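Review bot: In the oddjob_system_entry summary, "accessable" should be "accessible", and the interface body ends with a stray blank line before `')` followed by two blank lines before the next header; one blank line is the convention used by the other interfaces in this file. Since oddjob_system_entry performs the transition from oddjob_t into $1 via $2 but does not mark $2 as an entry point for $1, document in the <param> text that callers must declare the entry file themselves (ricci.te does this with domain_entry_file; oddjob_mkhomedir.te relies on init_daemon_domain instead), so the two callers stop diverging.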
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.11/policy/modules/services/oddjob_mkhomedir.fc
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/oddjob_mkhomedir.fc 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,6 @@
+# oddjob_mkhomedir executable will have:
+# label: system_u:object_r:oddjob_mkhomedir_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
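Review bot: The "oddjob_mkhomedir executable will have:" header is generator boilerplate and should be dropped. The single path `/usr/lib/oddjob/mkhomedir` will not match on systems that install helpers under a lib64 directory; check where the package actually installs it and use the `lib(64)?` form if both locations are possible.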
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.11/policy/modules/services/oddjob_mkhomedir.if
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/oddjob_mkhomedir.if 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,24 @@
+## <summary>policy for oddjob_mkhomedir</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run oddjob_mkhomedir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`oddjob_mkhomedir_domtrans',`
+ gen_require(`
+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+ ')
+
+ domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+
+ allow $1 oddjob_mkhomedir_t:fd use;
+ allow oddjob_mkhomedir_t $1:fd use;
+ allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
+ allow oddjob_mkhomedir_t $1:process sigchld;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.11/policy/modules/services/oddjob_mkhomedir.te
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/oddjob_mkhomedir.te 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,29 @@
+policy_module(oddjob_mkhomedir,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
+init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+########################################
+#
+# oddjob_mkhomedir local policy
+#
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(oddjob_mkhomedir_t)
+libs_use_ld_so(oddjob_mkhomedir_t)
+libs_use_shared_libs(oddjob_mkhomedir_t)
+miscfiles_read_localization(oddjob_mkhomedir_t)
+## internal communication is often done using fifo and unix sockets.
+allow oddjob_mkhomedir_t self:fifo_file { read write };
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+
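Review bot: `domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)` references unconfined_t directly; this module neither declares it nor requires it, so the modular build will fail on it. Use an interface from the unconfined module inside optional_policy instead. Two further points: `init_daemon_domain` declares a helper that oddjob launches as if it were an init-started daemon, while the equivalent ricci helpers use domain_entry_file plus `role system_r types`, so one of the two conventions should be picked; and a helper whose job is to create home directories has no rule touching home directories at all, so it will be denied on its first mkdir unless that is added. Also drop the "Some common macros" template comment and change the `##` on the "internal communication" line to `#`, since `##` is reserved for documentation comments.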
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.11/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/oddjob.te 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,73 @@
+policy_module(oddjob,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type oddjob_t;
+type oddjob_exec_t;
+domain_type(oddjob_t)
+init_daemon_domain(oddjob_t, oddjob_exec_t)
+
+# pid files
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
+# var/lib files
+type oddjob_var_lib_t;
+files_type(oddjob_var_lib_t)
+
+########################################
+#
+# oddjob local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(oddjob_t)
+libs_use_ld_so(oddjob_t)
+libs_use_shared_libs(oddjob_t)
+miscfiles_read_localization(oddjob_t)
+## internal communication is often done using fifo and unix sockets.
+allow oddjob_t self:fifo_file { read write };
+allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow oddjob_t oddjob_var_run_t:file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
+allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
+
+# var/lib files for oddjob
+allow oddjob_t oddjob_var_lib_t:file create_file_perms;
+allow oddjob_t oddjob_var_lib_t:sock_file create_file_perms;
+allow oddjob_t oddjob_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(oddjob_t,oddjob_var_lib_t, { file dir sock_file })
+
+init_dontaudit_use_fds(oddjob_t)
+allow oddjob_t self:capability { audit_write setgid } ;
+allow oddjob_t self:process setexec;
+
+locallogin_dontaudit_use_fds(oddjob_t)
+
+optional_policy(`
+ dbus_system_bus_client_template(oddjob,oddjob_t)
+ dbus_send_system_bus(oddjob_t)
+ dbus_connect_system_bus(oddjob_t)
+')
+
+corecmd_search_sbin(oddjob_t)
+corecmd_exec_shell(oddjob_t)
+
+selinux_compute_create_context(oddjob_t)
+
+kernel_read_system_state(oddjob_t)
+
+unconfined_domtrans(oddjob_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_generic_ptys(oddjob_t)
+ term_dontaudit_use_unallocated_ttys(oddjob_t)
+')
+
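Review bot: `unconfined_domtrans(oddjob_t)` turns oddjob into a launcher for unconfined_t, which undercuts the whole point of the per-helper domains that oddjob_system_entry and the ricci module set up; if it is a stopgap for helpers that do not yet have a domain, say so in a comment and wrap it in optional_policy together with the dbus block above it. Smaller items: the "Check in /etc/selinux/refpolicy/include" and "Some common macros" lines are generator boilerplate, `## internal communication` should use a single `#`, and `allow oddjob_t self:capability { audit_write setgid } ;` has a stray space before the semicolon. The oddjob_var_lib_t rules here create files under /var/lib, but oddjob.fc applies that type to `/usr/lib/oddjobd`; the two need to agree on what the type is for.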
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.11/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/pegasus.if 2006-09-01 15:41:44.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+ gen_require(`
+ type pegasus_t, pegasus_exec_t;
+ ')
+
+ ifdef(`targeted_policy',`
+ if(pegasus_disable_trans) {
+ can_exec($1,pegasus_exec_t)
+ } else {
+ domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+ }
+ ', `
+ domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+ ')
+
+ allow $1 pegasus_t:fd use;
+ allow pegasus_t $1:fd use;
+ allow pegasus_t $1:fifo_file rw_file_perms;
+ allow pegasus_t $1:process sigchld;
+')
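Review bot: `if(pegasus_disable_trans)` uses a boolean the interface does not require; add `bool pegasus_disable_trans;` to the gen_require block and make sure the tunable is declared in pegasus.te under targeted_policy, otherwise any module calling pegasus_domtrans on a targeted build fails to compile. Consider the tunable_policy form the rest of the policy uses for conditional rules rather than a raw `if`.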
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.11/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-08-23 12:14:54.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/pegasus.te 2006-09-01 15:41:44.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
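Review bot: Replacing `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files` with `files_read_all_files(pegasus_t)` and adding `auth_read_shadow(pegasus_t)` gives a network-facing CIM server read access to every file type plus the shadow file. The context line `auth_domtrans_chk_passwd(pegasus_t)` already provides password checking through a transition, so direct shadow access should not be needed; please keep the three narrower interfaces and add only the specific file types that were denied, with a comment citing the AVC.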
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.11/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-08-29 09:00:28.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/postfix.te 2006-09-01 15:41:44.000000000 -0400
@@ -171,6 +171,11 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(postfix_master_t)
+ term_dontaudit_use_generic_ptys(postfix_master_t)
+')
+
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
@@ -361,6 +366,7 @@
sysnet_read_config(postfix_map_t)
ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(postfix_map_t)
term_dontaudit_use_generic_ptys(postfix_map_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.11/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/ricci.fc 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0)
+/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
+
+/usr/sbin/ricci-modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0)
+/var/run/ricci-modclusterd.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+/var/log/clumond.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
+
+/usr/sbin/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+/usr/sbin/ricci-modlog_ro -- gen_context(system_u:object_r:ricci_modlog_ro_exec_t,s0)
+
+/usr/sbin/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+/usr/sbin/ricci-modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+/usr/sbin/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/sbin/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
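Review bot: ricci.te declares ricci_var_run_t, ricci_tmp_t, ricci_var_log_t and ricci_modcluster_var_lib_t, but this file provides contexts only for ricci_var_lib_t and the modcluster pid and log files, so ricci's own pid file and logs will be created with the right type at runtime via filetrans but relabel wrong on a restorecon; add entries for them (or drop the unused ricci_modcluster_var_lib_t). Also remove the generator header comment and the trailing blank line at the end of the file.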
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.11/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/ricci.if 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_domtrans',`
+ gen_require(`
+ type ricci_t, ricci_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_exec_t,ricci_t)
+
+ allow $1 ricci_t:fd use;
+ allow ricci_t $1:fd use;
+ allow ricci_t $1:fifo_file rw_file_perms;
+ allow ricci_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modlog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modlog_domtrans',`
+ gen_require(`
+ type ricci_modlog_t, ricci_modlog_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_modlog_exec_t,ricci_modlog_t)
+
+ allow $1 ricci_modlog_t:fd use;
+ allow ricci_modlog_t $1:fd use;
+ allow ricci_modlog_t $1:fifo_file rw_file_perms;
+ allow ricci_modlog_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modlog_ro.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modlog_ro_domtrans',`
+ gen_require(`
+ type ricci_modlog_ro_t, ricci_modlog_ro_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_modlog_ro_exec_t,ricci_modlog_ro_t)
+
+ allow $1 ricci_modlog_ro_t:fd use;
+ allow ricci_modlog_ro_t $1:fd use;
+ allow ricci_modlog_ro_t $1:fifo_file rw_file_perms;
+ allow ricci_modlog_ro_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modrpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modrpm_domtrans',`
+ gen_require(`
+ type ricci_modrpm_t, ricci_modrpm_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_modrpm_exec_t,ricci_modrpm_t)
+
+ allow $1 ricci_modrpm_t:fd use;
+ allow ricci_modrpm_t $1:fd use;
+ allow ricci_modrpm_t $1:fifo_file rw_file_perms;
+ allow ricci_modrpm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modservice.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modservice_domtrans',`
+ gen_require(`
+ type ricci_modservice_t, ricci_modservice_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_modservice_exec_t,ricci_modservice_t)
+
+ allow $1 ricci_modservice_t:fd use;
+ allow ricci_modservice_t $1:fd use;
+ allow ricci_modservice_t $1:fifo_file rw_file_perms;
+ allow ricci_modservice_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modcluster.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modcluster_domtrans',`
+ gen_require(`
+ type ricci_modcluster_t, ricci_modcluster_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_modcluster_exec_t,ricci_modcluster_t)
+
+ allow $1 ricci_modcluster_t:fd use;
+ allow ricci_modcluster_t $1:fd use;
+ allow ricci_modcluster_t $1:fifo_file rw_file_perms;
+ allow ricci_modcluster_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run ricci_modstorage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ricci_modstorage_domtrans',`
+ gen_require(`
+ type ricci_modstorage_t, ricci_modstorage_exec_t;
+ ')
+
+ domain_auto_trans($1,ricci_modstorage_exec_t,ricci_modstorage_t)
+
+ allow $1 ricci_modstorage_t:fd use;
+ allow ricci_modstorage_t $1:fd use;
+ allow ricci_modstorage_t $1:fifo_file rw_file_perms;
+ allow ricci_modstorage_t $1:process sigchld;
+')
+
+
+
+########################################
+## <summary>
+## Connect to ricci_modclusterd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ricci_modclusterd_stream_connect',`
+ gen_require(`
+ type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ricci_modcluster_var_run_t:sock_file write;
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
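Review bot: None of the seven ricci_mod*_domtrans interfaces are used by ricci.te, which calls domain_auto_trans directly for every helper; either have ricci.te use them or drop them, since interfaces with no caller tend to drift. In ricci_modclusterd_stream_connect the summary should read "a unix stream socket", and the three blank lines before its header should be one.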
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.11/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.3.11/policy/modules/services/ricci.te 2006-09-01 15:41:44.000000000 -0400
@@ -0,0 +1,386 @@
+policy_module(ricci,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ricci_t;
+type ricci_exec_t;
+domain_type(ricci_t)
+init_daemon_domain(ricci_t, ricci_exec_t)
+
+# pid files
+type ricci_var_run_t;
+files_pid_file(ricci_var_run_t)
+
+# tmp files
+type ricci_tmp_t;
+files_tmp_file(ricci_tmp_t)
+
+# var/lib files
+type ricci_var_lib_t;
+files_type(ricci_var_lib_t)
+
+# log files
+type ricci_var_log_t;
+logging_log_file(ricci_var_log_t)
+
+type ricci_modclusterd_t;
+type ricci_modclusterd_exec_t;
+domain_type(ricci_modclusterd_t)
+init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
+
+type ricci_modlog_t;
+type ricci_modlog_exec_t;
+domain_type(ricci_modlog_t)
+domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
+role system_r types ricci_modlog_t;
+
+type ricci_modlog_ro_t;
+type ricci_modlog_ro_exec_t;
+domain_type(ricci_modlog_ro_t)
+domain_entry_file(ricci_modlog_ro_t, ricci_modlog_ro_exec_t)
+role system_r types ricci_modlog_ro_t;
+
+type ricci_modrpm_t;
+type ricci_modrpm_exec_t;
+domain_type(ricci_modrpm_t)
+domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
+role system_r types ricci_modrpm_t;
+
+type ricci_modservice_t;
+type ricci_modservice_exec_t;
+domain_type(ricci_modservice_t)
+domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
+role system_r types ricci_modservice_t;
+
+type ricci_modstorage_t;
+type ricci_modstorage_exec_t;
+domain_type(ricci_modstorage_t)
+domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
+role system_r types ricci_modstorage_t;
+
+type ricci_modcluster_t;
+type ricci_modcluster_exec_t;
+domain_type(ricci_modcluster_t)
+domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
+role system_r types ricci_modcluster_t;
+
+# pid files
+type ricci_modcluster_var_run_t;
+files_pid_file(ricci_modcluster_var_run_t)
+
+# var/lib files
+type ricci_modcluster_var_lib_t;
+files_type(ricci_modcluster_var_lib_t)
+
+# log files
+type ricci_modcluster_var_log_t;
+logging_log_file(ricci_modcluster_var_log_t)
+
+########################################
+#
+# ricci local policy
+#
+allow ricci_t self:capability { setuid sys_nice };
+allow ricci_t self:process setsched;
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(ricci_t)
+files_read_etc_runtime_files(ricci_t)
+
+libs_use_ld_so(ricci_t)
+libs_use_shared_libs(ricci_t)
+miscfiles_read_localization(ricci_t)
+## internal communication is often done using fifo and unix sockets.
+allow ricci_t self:fifo_file { read write };
+allow ricci_t self:unix_stream_socket create_stream_socket_perms;
+
+# pid file
+allow ricci_t ricci_var_run_t:file manage_file_perms;
+allow ricci_t ricci_var_run_t:sock_file manage_file_perms;
+allow ricci_t ricci_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ricci_t,ricci_var_run_t, { file sock_file })
+
+# tmp file
+allow ricci_t ricci_tmp_t:dir create_dir_perms;
+allow ricci_t ricci_tmp_t:file create_file_perms;
+files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
+
+# log files
+allow ricci_t ricci_var_log_t:file create_file_perms;
+allow ricci_t ricci_var_log_t:sock_file create_file_perms;
+allow ricci_t ricci_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ricci_t,ricci_var_log_t,{ sock_file file dir })
+
+init_dontaudit_use_fds(ricci_t)
+
+kernel_read_kernel_sysctls(ricci_t)
+
+optional_policy(`
+ dbus_system_bus_client_template(ricci,ricci_t)
+ dbus_send_system_bus(ricci_t)
+ oddjob_dbus_chat(ricci_t)
+')
+
+# var/lib files for ricci
+allow ricci_t ricci_var_lib_t:file create_file_perms;
+allow ricci_t ricci_var_lib_t:sock_file create_file_perms;
+allow ricci_t ricci_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(ricci_t,ricci_var_lib_t, { file dir sock_file })
+
+auth_domtrans_chk_passwd(ricci_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_generic_ptys(ricci_t)
+ term_dontaudit_use_unallocated_ttys(ricci_t)
+')
+
+locallogin_dontaudit_use_fds(ricci_t)
+
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(ricci_t)
+corenet_tcp_sendrecv_all_if(ricci_t)
+corenet_tcp_sendrecv_all_nodes(ricci_t)
+corenet_tcp_sendrecv_all_ports(ricci_t)
+corenet_non_ipsec_sendrecv(ricci_t)
+corenet_tcp_connect_http_port(ricci_t)
+#corenet_tcp_connect_all_ports(ricci_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(ricci_t)
+#corenet_tcp_bind_all_nodes(ricci_t)
+allow ricci_t self:tcp_socket { listen accept };
+
+# ricci wants to bind to 11111
+corenet_udp_bind_ricci_port(ricci_t)
+corenet_tcp_bind_ricci_port(ricci_t)
+corenet_tcp_bind_inaddr_any_node(ricci_t)
+
+corecmd_exec_sbin(ricci_t)
+
+dev_read_urand(ricci_t)
+
+unconfined_use_fds(ricci_t)
+
+optional_policy(`
+ ccs_read_config(ricci_t)
+')
+
+########################################
+#
+# ricci_modclusterd local policy
+#
+allow ricci_modclusterd_t self:capability sys_nice;
+allow ricci_modclusterd_t self:process { signal sigkill setsched };
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(ricci_modclusterd_t)
+libs_use_ld_so(ricci_modclusterd_t)
+libs_use_shared_libs(ricci_modclusterd_t)
+miscfiles_read_localization(ricci_modclusterd_t)
+## internal communication is often done using fifo and unix sockets.
+allow ricci_modclusterd_t self:fifo_file rw_file_perms;
+allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
+
+corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
+corenet_tcp_bind_inaddr_any_node(ricci_modclusterd_t)
+corenet_tcp_bind_all_nodes(ricci_modclusterd_t)
+allow ricci_modclusterd_t self:tcp_socket create_socket_perms;
+allow ricci_modclusterd_t self:socket create_socket_perms;
+files_read_etc_runtime_files(ricci_modclusterd_t)
+
+corecmd_exec_bin(ricci_modclusterd_t)
+corecmd_exec_sbin(ricci_modclusterd_t)
+
+# pid file
+allow ricci_modclusterd_t ricci_modcluster_var_run_t:file manage_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_run_t:sock_file manage_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(ricci_modclusterd_t,ricci_modcluster_var_run_t, { file sock_file })
+
+# log files
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:file create_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:sock_file create_file_perms;
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(ricci_modclusterd_t,ricci_modcluster_var_log_t,{ sock_file file dir })
+
+init_dontaudit_use_fds(ricci_modclusterd_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_generic_ptys(ricci_modclusterd_t)
+ term_dontaudit_use_unallocated_ttys(ricci_modclusterd_t)
+')
+
+locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+
+fs_getattr_xattr_fs(ricci_modclusterd_t)
+
+kernel_read_kernel_sysctls(ricci_modclusterd_t)
+kernel_read_system_state(ricci_modclusterd_t)
+
+sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+sysnet_dns_name_resolve(ricci_modclusterd_t)
+
+unconfined_use_fds(ricci_modclusterd_t)
+
+optional_policy(`
+ ccs_stream_connect(ricci_modclusterd_t)
+ ccs_read_config(ricci_modclusterd_t)
+')
+
+########################################
+#
+# ricci_modlog local policy
+#
+
+oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
+domain_auto_trans(ricci_t,ricci_modlog_exec_t,ricci_modlog_t)
+
+########################################
+#
+# ricci_modlog_ro local policy
+#
+
+oddjob_system_entry(ricci_modlog_ro_t, ricci_modlog_ro_exec_t)
+domain_auto_trans(ricci_t,ricci_modlog_ro_exec_t,ricci_modlog_ro_t)
+files_read_etc_files(ricci_modlog_t)
+
+libs_use_ld_so(ricci_modlog_t)
+libs_use_shared_libs(ricci_modlog_t)
+miscfiles_read_localization(ricci_modlog_t)
+
+nscd_dontaudit_search_pid(ricci_modlog_t)
+
+allow ricci_modlog_t self:capability sys_nice;
+allow ricci_modlog_t self:process setsched;
+
+corecmd_exec_bin(ricci_modlog_t)
+corecmd_exec_sbin(ricci_modlog_t)
+
+kernel_read_kernel_sysctls(ricci_modlog_t)
+kernel_read_system_state(ricci_modlog_t)
+
+files_search_usr(ricci_modlog_t)
+logging_read_generic_logs(ricci_modlog_t)
+
+domain_read_all_domains_state(ricci_modlog_t)
+
+########################################
+#
+# ricci_modrpm local policy
+#
+
+oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
+domain_auto_trans(ricci_t,ricci_modrpm_exec_t,ricci_modrpm_t)
+
+########################################
+#
+# ricci_modservice local policy
+#
+
+oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
+domain_auto_trans(ricci_t,ricci_modservice_exec_t,ricci_modservice_t)
+
+consoletype_exec(ricci_modservice_t)
+
+files_read_etc_runtime_files(ricci_modservice_t)
+
+init_domtrans_script(ricci_modservice_t)
+
+libs_use_ld_so(ricci_modservice_t)
+libs_use_shared_libs(ricci_modservice_t)
+miscfiles_read_localization(ricci_modservice_t)
+
+nscd_dontaudit_search_pid(ricci_modservice_t)
+
+allow ricci_modservice_t self:capability { dac_override sys_nice };
+allow ricci_modservice_t self:fifo_file { getattr read write };
+allow ricci_modservice_t self:process setsched;
+
+corecmd_exec_sbin(ricci_modservice_t)
+corecmd_exec_bin(ricci_modservice_t)
+corecmd_exec_shell(ricci_modservice_t)
+
+kernel_read_kernel_sysctls(ricci_modservice_t)
+kernel_read_system_state(ricci_modservice_t)
+
+files_search_usr(ricci_modservice_t)
+
+optional_policy(`
+ ccs_read_config(ricci_modservice_t)
+')
+
+########################################
+#
+# ricci_modstorage local policy
+#
+
+oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
+domain_auto_trans(ricci_t,ricci_modstorage_exec_t,ricci_modstorage_t)
+
+allow ricci_modstorage_t self:process setsched;
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:fifo_file rw_file_perms;
+
+corecmd_exec_bin(ricci_modstorage_t)
+corecmd_exec_sbin(ricci_modstorage_t)
+
+files_read_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
+
+fstools_domtrans(ricci_modstorage_t)
+
+libs_use_ld_so(ricci_modstorage_t)
+libs_use_shared_libs(ricci_modstorage_t)
+miscfiles_read_localization(ricci_modstorage_t)
+
+lvm_domtrans(ricci_modstorage_t)
+
+kernel_read_kernel_sysctls(ricci_modstorage_t)
+dev_read_sysfs(ricci_modstorage_t)
+dev_read_urand(ricci_modstorage_t)
+
+files_read_usr_files(ricci_modstorage_t)
+
+########################################
+#
+# ricci_modcluster local policy
+#
+
+oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
+domain_auto_trans(ricci_t,ricci_modcluster_exec_t,ricci_modcluster_t)
+
+files_read_etc_runtime_files(ricci_modcluster_t)
+files_read_etc_files(ricci_modcluster_t)
+
+libs_use_ld_so(ricci_modcluster_t)
+libs_use_shared_libs(ricci_modcluster_t)
+
+miscfiles_read_localization(ricci_modcluster_t)
+
+nscd_socket_use(ricci_modcluster_t)
+
+allow ricci_modcluster_t self:capability sys_nice;
+allow ricci_modcluster_t self:process setsched;
+
+corecmd_exec_sbin(ricci_modcluster_t)
+corecmd_exec_bin(ricci_modcluster_t)
+
+kernel_read_kernel_sysctls(ricci_modcluster_t)
+kernel_read_system_state(ricci_modcluster_t)
+
+files_search_usr(ricci_modcluster_t)
+
+ricci_modclusterd_stream_connect(ricci_modcluster_t)
+
+optional_policy(`
+ ccs_read_config(ricci_modcluster_t)
+')
+
+
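Review bot: the dac_override capability given to ricci_modservice_t (allow ricci_modservice_t self:capability { dac_override sys_nice }) and the mknod capability on ricci_modstorage_t carry no comment saying which operation needs them; dac_override bypasses every DAC permission check on files, so record the denial that prompted it and check whether dac_read_search is enough for the service helper. The three oddjob helper domains also drift from each other for no visible reason: ricci_modservice_t lacks files_read_etc_files, which ricci_modstorage_t and ricci_modcluster_t get, and ricci_modstorage_t uses files_read_usr_files where the other two use files_search_usr; align them or comment the differences.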
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-2.3.11/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/stunnel.te 2006-09-01 15:41:44.000000000 -0400
@@ -38,6 +38,7 @@
allow stunnel_t self:fifo_file rw_file_perms;
allow stunnel_t self:tcp_socket create_stream_socket_perms;
allow stunnel_t self:udp_socket create_socket_perms;
+allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
allow stunnel_t stunnel_etc_t:dir { getattr read search };
allow stunnel_t stunnel_etc_t:file { read getattr };
@@ -63,7 +64,7 @@
corenet_tcp_sendrecv_all_ports(stunnel_t)
corenet_udp_sendrecv_all_ports(stunnel_t)
corenet_tcp_bind_all_nodes(stunnel_t)
-#corenet_tcp_bind_stunnel_port(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
fs_getattr_all_fs(stunnel_t)
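Review bot: corenet_tcp_connect_all_ports(stunnel_t) replaces the commented-out bind line with a much wider grant (outbound connect to every port) and nothing says why; if the reason is that stunnel in client mode connects to whatever its configuration names, put that in a comment next to the call, otherwise limit it to the port types seen in denials. The #corenet_tcp_bind_stunnel_port(stunnel_t) line is also dropped silently; if stunnel no longer needs to bind its own port, note that as well.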
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.11/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/services/xserver.if 2006-09-01 15:41:44.000000000 -0400
@@ -1133,3 +1133,25 @@
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
')
+
+
+########################################
+## <summary>
+## Create a named socket in a ice
+## temporary directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_ice_tmp_sockets',`
+ gen_require(`
+ type ice_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 ice_tmp_t:dir ra_dir_perms;
+ allow $1 ice_tmp_t:sock_file create_file_perms;
+')
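Review bot: the summary of xserver_create_ice_tmp_sockets reads "in a ice temporary directory"; it should say "in an ICE temporary directory" (the /tmp/.ICE-unix directory). The grant also exceeds the summary: create_file_perms on ice_tmp_t:sock_file includes unlink, rename and setattr, not only create, so either word the summary as "manage" or narrow the permission set to what gnome-session's socket creation needs.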
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.11/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-08-29 09:00:29.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/system/hostname.te 2006-09-01 15:41:44.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
role system_r types hostname_t;
########################################
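Review bot: the comment "#dont transition from initrc" says what is removed but not how hostname_t is entered afterwards; init_system_domain also supplied the transition from initrc_t, so with only domain_type and domain_entry_file nothing in this hunk reaches hostname_t. Name the domains that still transition to it (via the hostname.if interfaces) in the comment, otherwise the domain is effectively dead, and spell the comment "don't".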
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.11/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-08-28 16:22:32.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/system/init.te 2006-09-01 15:41:44.000000000 -0400
@@ -361,7 +361,8 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
-miscfiles_read_localization(initrc_t)
+miscfiles_rw_localization(initrc_t)
+
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
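Review bot: miscfiles_rw_localization(initrc_t) widens every init script from reading locale data to writing it; which script writes locale files, and why it cannot be done from a dedicated domain, belongs in a comment next to the call, in the same way the slapd comment below explains miscfiles_read_certs.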
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.3.11/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/system/selinuxutil.fc 2006-09-01 15:41:44.000000000 -0400
@@ -36,6 +36,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
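Review bot: the new /sbin/setfiles.* entry is inserted among the /usr/sbin entries; selinuxutil.fc is kept sorted by path, so it belongs with the other /sbin lines. The content is fine, the type matches the existing /usr/sbin/setfiles.* entry.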
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.11/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/system/selinuxutil.te 2006-09-01 15:41:44.000000000 -0400
@@ -450,6 +450,7 @@
selinux_compute_user_contexts(restorecond_t)
term_dontaudit_use_generic_ptys(restorecond_t)
+term_dontaudit_use_unallocated_ttys(restorecond_t)
auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
@@ -621,6 +622,12 @@
# Handle pp files created in homedir and /tmp
files_read_generic_tmp_files(semanage_t)
userdom_read_generic_user_home_content_files(semanage_t)
+',`
+ ifdef(`enable_mls',`
+ userdom_read_user_tmp_files(secadm, semanage_t)
+ ',`
+ userdom_read_user_tmp_files(sysadm, semanage_t)
+ ')
')
########################################
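Review bot: the `',\`` line turns an existing block whose opening is outside this hunk into an if/else, and the new else branch nests an ifdef(`enable_mls') that grants userdom_read_user_tmp_files for secadm or sysadm only; a comment naming the enclosing conditional (presumably the targeted_policy ifdef) would make the branch readable on its own, and it is worth confirming that in an MLS build semanage is never run by a role other than secadm, since no other user's tmp files are covered.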
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.11/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-08-16 08:46:31.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/system/userdomain.if 2006-09-01 15:41:44.000000000 -0400
@@ -8,11 +8,10 @@
## <desc>
## <p>
## This template creates a user domain, types, and
-## rules for the user's tty, pty, home directories,
-## tmp, and tmpfs files.
+## rules for the user's tty, pty, tmp, and tmpfs files.
## </p>
## <p>
-## This generally should not be used, rather the
+## This should only be used for new non login user roles, rather the
## unpriv_user_template or admin_user_template should
## be used.
## </p>
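Review bot: the rewritten description "This should only be used for new non login user roles, rather the unpriv_user_template or admin_user_template should be used" contradicts itself, since "rather" implies the template should not be used at all. Suggest: "Use this only for new non-login user roles; login users should be built with unpriv_user_template or admin_user_template."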
@@ -25,7 +24,9 @@
## </param>
#
template(`base_user_template',`
-
+ gen_require(`
+ attribute userdomain, unpriv_userdomain;
+ ')
attribute $1_file_type;
type $1_t, userdomain;
@@ -42,44 +43,17 @@
term_user_pty($1_t,$1_devpts_t)
files_type($1_devpts_t)
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
-
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
- # types for network-obtained content
- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
- files_type($1_untrusted_content_t)
- files_poly_member($1_untrusted_content_t)
-
- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
- files_tmp_file($1_untrusted_content_tmp_t)
-
type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t)
##############################
#
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- ##############################
- #
# User domain Local policy
#
@@ -103,19 +77,6 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
- # execute files in the home directory
- can_exec($1_t,$1_home_t)
-
- # full control of the home directory
- allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
- allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
- allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
- allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
- allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
- allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
- type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
- files_search_home($1_t)
-
can_exec($1_t,$1_tmp_t)
# user temporary files
@@ -138,15 +99,16 @@
fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
- # Allow user to relabel untrusted content
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+ allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
+ term_create_pty($1_t,$1_devpts_t)
allow $1_t unpriv_userdomain:fd use;
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
kernel_read_kernel_sysctls($1_t)
kernel_read_net_sysctls($1_t)
+ kernel_read_fs_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
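Review bot: kernel_read_system_state and kernel_read_network_state move from the login templates into base_user_template (they are removed from unpriv_user_template and admin_user_template later in this patch) and kernel_read_fs_sysctls is new, so the non-login roles this template is now documented for also get /proc system and network state. Since the template is now meant for restricted, non-login roles, keep those reads in base_login_user_template unless a non-login role is known to need them, and say which.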
@@ -165,8 +127,10 @@
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
+ corenet_raw_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
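Review bot: corenet_raw_sendrecv_all_if and corenet_raw_sendrecv_all_nodes give every user domain raw IP send/receive on all interfaces and nodes, but nothing in the hunk grants self:rawip_socket creation, so either these lines are dead or the matching socket rule lives elsewhere; state which program needs raw sockets in user context (ping and traceroute have their own domains), or drop the lines.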
@@ -193,6 +157,7 @@
fs_getattr_all_fs($1_t)
fs_getattr_all_dirs($1_t)
fs_search_auto_mountpoints($1_t)
+ fs_list_inotifyfs($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
@@ -234,6 +199,11 @@
files_dontaudit_getattr_non_security_sockets($1_t)
files_dontaudit_getattr_non_security_blk_files($1_t)
files_dontaudit_getattr_non_security_chr_files($1_t)
+ files_read_var_files($1_t)
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_read_usr_files($1_t)
+ files_exec_usr_files($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_ptys($1_t)
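Review bot: files_read_var_files($1_t) is a new grant, not a move: the etc, etc_runtime and usr reads removed from unpriv_user_template later in this patch reappear here, but read access to all var_t files existed in neither login template before. A comment naming the denial that prompted it would help, and because this is base_user_template it also reaches non-login roles.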
@@ -254,16 +224,88 @@
seutil_read_default_contexts($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- tunable_policy(`allow_execmem',`
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
+ sysnet_dns_name_resolve($1_t)
+
+')
+#######################################
+## <summary>
+## The template containing rules common to unprivileged
+## users and administrative users.
+## </summary>
+## <desc>
+## <p>
+## This template creates a user home directories,
+## </p>
+## <p>
+## This generally should not be used, rather the
+## unpriv_user_template or admin_user_template should
+## be used.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`base_login_user_template',`
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1_t self:process execstack;
+ gen_require(`
+ attribute $1_file_type;
+ attribute home_dir_type, home_type;
+ attribute untrusted_content_type;
')
+ # type for contents of home directory
+ type $1_home_t, $1_file_type, home_type;
+ files_type($1_home_t)
+ files_associate_tmp($1_home_t)
+ fs_associate_tmpfs($1_home_t)
+
+ # type of home directory
+ type $1_home_dir_t, home_dir_type, home_type;
+ files_type($1_home_dir_t)
+ files_associate_tmp($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
+
+ # types for network-obtained content
+ type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+ files_type($1_untrusted_content_t)
+ files_poly_member($1_untrusted_content_t)
+
+ type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+ files_tmp_file($1_untrusted_content_tmp_t)
+
+ ##############################
+ #
+ # User home directory file rules
+ #
+
+ allow $1_file_type $1_home_t:filesystem associate;
+
+ ##############################
+ #
+ # User domain Local policy
+ #
+
+ # execute files in the home directory
+ can_exec($1_t,$1_home_t)
+
+ # full control of the home directory
+ allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+ allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+ type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+ files_search_home($1_t)
+
+ # Allow user to relabel untrusted content
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
tunable_policy(`read_default_t',`
files_list_default($1_t)
files_read_default_files($1_t)
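Review bot: the two tunable_policy blocks for allow_execmem and for allow_execmem && allow_execstack are deleted from base_user_template (the `-` lines around the new template header) and nothing in this hunk re-adds them, so after this patch the booleans no longer grant execmem/execstack to user domains; if they moved elsewhere, say where, otherwise this is a silent behaviour change. Two smaller points in base_login_user_template: gen_require lists attribute untrusted_content_type but not untrusted_content_tmp_type, which the template also uses for $1_untrusted_content_tmp_t; and the desc text "This template creates a user home directories," needs rewording, e.g. "This template creates the user's home directory types and the rules for them." The tunable_policy(`read_default_t') block now lands in the login template rather than the base one; confirm that is intended.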
@@ -322,6 +364,10 @@
')
optional_policy(`
+ alsa_read_rw_config($1_t)
+ ')
+
+ optional_policy(`
canna_stream_connect($1_t)
')
@@ -426,8 +472,10 @@
xserver_stream_connect_xdm($1_t)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($1_t)
+ xserver_read_xdm_tmp_files($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
+ xserver_create_ice_tmp_sockets($1_t)
')
')
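Review bot: xserver_read_xdm_tmp_files($1_t) is called here, but the xserver.if hunk in this patch only adds xserver_create_ice_tmp_sockets; if xserver_read_xdm_tmp_files is not already present in 2.3.11's xserver.if the module will fail to build, so either include it in the patch or drop the call.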
@@ -457,6 +505,7 @@
# Inherit rules for ordinary users.
base_user_template($1)
+ base_login_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
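Review bot: base_login_user_template($1) depends on base_user_template($1) having run first (its gen_require needs $1_file_type, which the base template declares), but nothing marks the order as significant; a one-line comment here ("must follow base_user_template") prevents someone reordering the calls.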
@@ -477,9 +526,6 @@
# Local policy
#
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
# Rules used to associate a homedir as a mountpoint
allow $1_home_t self:filesystem associate;
allow $1_file_type $1_home_t:filesystem associate;
@@ -491,10 +537,6 @@
allow privhome $1_home_t:sock_file create_file_perms;
allow privhome $1_home_t:fifo_file create_file_perms;
type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
-
dev_read_sysfs($1_t)
corecmd_exec_all_executables($1_t)
@@ -502,11 +544,8 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- files_read_etc_files($1_t)
- files_read_etc_runtime_files($1_t)
+
files_list_home($1_t)
- files_read_usr_files($1_t)
- files_exec_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
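Review bot: the hunk leaves a stray added blank line (the lone `+` where files_read_etc_files was) that stacks with the blank line already above files_list_home; drop it so the moved grants do not leave a double blank.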
@@ -514,8 +553,6 @@
files_read_world_readable_symlinks($1_t)
files_read_world_readable_pipes($1_t)
files_read_world_readable_sockets($1_t)
- # cjp: why?
- files_read_kernel_symbol_table($1_t)
init_read_utmp($1_t)
# The library functions always try to open read-write first,
@@ -621,6 +658,8 @@
# do not audit read on disk devices
dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
+ dontaudit $1_t sysadm_home_t:file { read append };
+ userdom_dontaudit_append_sysadm_home_content_files($1_t)
ifdef(`xdm.te', `
allow xdm_t $1_home_t:lnk_file read;
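Review bot: the raw rule `dontaudit $1_t sysadm_home_t:file { read append };` duplicates the userdom_dontaudit_append_sysadm_home_content_files($1_t) call directly below it, since that interface dontaudits ra_file_perms on sysadm_home_t:file, which already covers read and append; keep the interface call and drop the raw rule (it is only being moved up from further down in the same template).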
@@ -657,8 +696,6 @@
# Do not audit write denials to /etc/ld.so.cache.
dontaudit $1_t ld_so_cache_t:file write;
- dontaudit $1_t sysadm_home_t:file { read append };
-
allow $1_t initrc_t:fifo_file write;
') dnl end TODO
')
@@ -704,6 +741,7 @@
# Inherit rules for ordinary users.
base_user_template($1)
+ base_login_user_template($1)
typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
@@ -736,11 +774,6 @@
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
- term_create_pty($1_t,$1_devpts_t)
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -806,6 +839,7 @@
domain_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
+ files_create_boot_flag($1_t)
init_rw_initctl($1_t)
@@ -3359,6 +3393,25 @@
########################################
## <summary>
+## Do not audit attempts to append to the sysadm
+## users home directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_sysadm_home_content_files',`
+ gen_require(`
+ type sysadm_home_t;
+ ')
+
+ dontaudit $1 sysadm_home_t:file ra_file_perms;
+')
+
+########################################
+## <summary>
## Read files in the staff users home directory.
## </summary>
## <param name="domain">
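Review bot: userdom_dontaudit_append_sysadm_home_content_files dontaudits ra_file_perms, which includes read, while its name and summary promise append only; userdomain.te also calls a separate userdom_dontaudit_read_sysadm_home_content_files right after it, so either narrow this one to the append permissions (getattr append) and let the read interface cover reads, or rename it. Also "sysadm users home directory" should read "sysadm user's home directory".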
@@ -4079,7 +4132,7 @@
gen_require(`
type user_home_dir_t;
')
-
+ allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
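Review bot: `allow $1 user_home_dir_t:dir manage_dir_perms;` grants more than creating a home directory via files_home_filetrans needs, and the analogous interface at the end of this file pairs the same files_home_filetrans with `allow $1 user_home_dir_t:dir create_dir_perms;`; use the same set here for consistency, or document why this caller needs to manage the directory.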
@@ -4164,7 +4217,7 @@
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:dir rw_dir_perms;
allow $1 user_home_t:dir create_dir_perms;
')
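Review bot: search_dir_perms to rw_dir_perms on user_home_dir_t in this hunk (and the identical change in the four hunks that follow) lets the caller add and remove entries directly in the home directory root, not only under user_home_t subdirectories; unless the caller also gets a type transition from user_home_dir_t to user_home_t, anything it creates there would be labelled user_home_dir_t, on which these interfaces grant no file permissions, so the widening may not achieve its goal. Say which program hit the denial, and pair the write permission with the filetrans rule if direct creation in the home directory root is the intent.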
@@ -4206,7 +4259,7 @@
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:dir rw_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:file create_file_perms;
')
@@ -4228,7 +4281,7 @@
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:dir rw_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:lnk_file create_lnk_perms;
')
@@ -4250,7 +4303,7 @@
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:dir rw_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:fifo_file create_file_perms;
')
@@ -4272,7 +4325,7 @@
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
+ allow $1 user_home_dir_t:dir rw_dir_perms;
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:sock_file create_file_perms;
')
@@ -4740,3 +4793,34 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
+
+########################################
+## <summary>
+## The template containing rules for changing from one role to another
+## </summary>
+## <desc>
+## <p>
+## This should only be used for new non login user roles, rather the
+## unpriv_user_template or admin_user_template should
+## be used.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## userdomain changing from
+## </summary>
+## </param>
+## <param name="userdomain_prefix">
+## <summary>
+## userdomain changing to
+## </summary>
+## </param>
+#
+template(`role_change_template',`
+ allow $1_r $2_r;
+ type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+ type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+ # avoid annoying messages on terminal hangup
+ dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
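Review bot: both <param> elements of role_change_template are named userdomain_prefix; the doc tooling keys on the name, so give them distinct names (e.g. from_prefix / to_prefix) with summaries "prefix of the user domain the role changes from/to". The <desc> paragraph is copied from base_user_template and does not describe a role change; say what the template does (allows $1_r to change to $2_r and relabels the terminal types accordingly) and that it must be called after both user templates have been instantiated, since it references $2_devpts_t and $2_tty_device_t.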
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.11/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-08-16 08:46:31.000000000 -0400
+++ serefpolicy-2.3.11/policy/modules/system/userdomain.te 2006-09-01 15:41:44.000000000 -0400
@@ -56,14 +56,6 @@
# Local policy
#
-define(`role_change',`
- allow $1_r $2_r;
- type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
- type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
- # avoid annoying messages on terminal hangup
- dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
@@ -124,34 +116,34 @@
# user role change rules:
# sysadm_r can change to user roles
- role_change(sysadm, user)
- role_change(sysadm, staff)
+ role_change_template(sysadm, user)
+ role_change_template(sysadm, staff)
# only staff_r can change to sysadm_r
- role_change(staff, sysadm)
+ role_change_template(staff, sysadm)
ifdef(`enable_mls',`
unpriv_user_template(secadm)
unpriv_user_template(auditadm)
- role_change(staff,auditadm)
- role_change(staff,secadm)
+ role_change_template(staff,auditadm)
+ role_change_template(staff,secadm)
- role_change(sysadm,secadm)
- role_change(sysadm,auditadm)
+ role_change_template(sysadm,secadm)
+ role_change_template(sysadm,auditadm)
- role_change(auditadm,secadm)
- role_change(auditadm,sysadm)
+ role_change_template(auditadm,secadm)
+ role_change_template(auditadm,sysadm)
- role_change(secadm,auditadm)
- role_change(secadm,sysadm)
+ role_change_template(secadm,auditadm)
+ role_change_template(secadm,sysadm)
')
# this should be tunable_policy, but
# currently type_change and RBAC allow
# do not work in conditionals
ifdef(`user_canbe_sysadm',`
- role_change(user,sysadm)
+ role_change_template(user,sysadm)
')
allow privhome home_root_t:dir { getattr search };
@@ -172,6 +164,8 @@
mls_process_read_up(sysadm_t)
+ term_getattr_all_user_ttys(sysadm_t)
+
init_exec(sysadm_t)
ifdef(`direct_sysadm_daemon',`
@@ -210,7 +204,9 @@
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
logging_read_generic_logs(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ userdom_dontaudit_append_sysadm_home_content_files(secadm_t)
+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
', `
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
@@ -439,11 +435,11 @@
selinux_set_parameters(secadm_t)
seutil_manage_bin_policy(secadm_t)
- seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
- seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
- seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
+ seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
', `
selinux_set_enforce_mode(sysadm_t)
selinux_set_boolean(sysadm_t)
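Review bot: the literal set { secadm_tty_device_t secadm_devpts_t } is repeated five times where admin_terminal was used before; if admin_terminal is going away, hoist the set into one local m4 define so the five seutil_run_* calls cannot drift, and mention in the commit message why the shared name was dropped.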
Thread overview:
2006-08-31 19:16 Latest updates Daniel J Walsh
2006-09-01 15:51 ` Christopher J. PeBenito
2006-09-01 17:32 ` Eric Paris
2006-09-01 19:45 ` Daniel J Walsh [this message]
2006-09-04 15:15 ` Christopher J. PeBenito
2006-09-04 22:59 ` Russell Coker
2006-09-05 20:57 ` Daniel J Walsh
2006-09-11 9:49 ` Erich Schubert
2006-09-11 14:11 ` Christopher J. PeBenito