* [refpolicy-patch 00/23] Cherry-picks from Fedora SELinux patch
@ 2008-07-19 20:50 david
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Here's a series of 23 patches which are all minor cherry-picks from
RedHat's refpolicy diff...please review and commit. If successful
I'll try to pick out more patches so that the really non-obvious
stuff stands out more and can be argued over by the real pros.
--
David Härdeman
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* [refpolicy-patch 01/23] slocate policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Trivial change (see http://marc.info/?l=selinux&m=121623491423847&w=2)
Index: refpolicy/policy/modules/apps/slocate.te
===================================================================
--- refpolicy.orig/policy/modules/apps/slocate.te 2008-07-19 19:15:35.000000000 +0200
+++ refpolicy/policy/modules/apps/slocate.te 2008-07-19 19:19:41.000000000 +0200
@@ -47,6 +47,7 @@
fs_getattr_all_fs(locate_t)
fs_getattr_all_files(locate_t)
fs_list_all(locate_t)
+fs_list_inotifyfs(locate_t)
# getpwnam
auth_use_nsswitch(locate_t)
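Review bot: fs_list_all(locate_t) on the preceding context line is the interface meant to cover directory listing on every filesystem type, so confirm that inotifyfs_t is not already covered by it before adding the type-specific fs_list_inotifyfs(locate_t); if it is covered, the new line is redundant, and if it is not, the commit text should name the denial it fixes rather than only linking to the earlier thread.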
--
David Härdeman
* [refpolicy-patch 02/23] anaconda policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Anaconda is a RH installation program; RH should know their own program, and
the changes are quite trivial.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.0/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/admin/anaconda.te 2008-07-15 14:05:12.000000000 -0400
@@ -31,16 +31,11 @@
modutils_domtrans_insmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
-
-unconfined_domain(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
optional_policy(`
- dmesg_domtrans(anaconda_t)
-')
-
-optional_policy(`
kudzu_domtrans(anaconda_t)
')
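Review bot: the deletion of the `dmesg_domtrans(anaconda_t)` optional block is a silent loss of access that the description ("the changes are quite trivial") does not mention; if anaconda no longer executes dmesg, say so, otherwise keep the block. Replacing the unconditional `unconfined_domain(anaconda_t)` with `seutil_domtrans_setsebool(anaconda_t)` is the right direction, since it stops hard-wiring unconfined access into a domain that only needs to toggle booleans on builds without the unconfined module.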
@@ -58,5 +53,9 @@
')
optional_policy(`
+ unconfined_domain(anaconda_t)
+')
+
+optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')
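Review bot: wrapping `unconfined_domain(anaconda_t)` in optional_policy(`...') is correct, because the unconfined module may be absent from a build and an unconditional call would fail at link time. Note that on builds where the module is present anaconda still ends up fully unconfined, so the setsebool transition added in the first hunk only changes behaviour on builds without it; the description should state that this is the intent.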
--
David Härdeman
* [refpolicy-patch 03/23] unconfined_u policy updates
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
These seem uncontroversial (and match the default contexts for staff_u
pretty well).
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.0/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.0/config/appconfig-mcs/unconfined_u_default_contexts 2008-07-15 14:05:12.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
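Review bot: only config/appconfig-mcs receives the new unconfined_u_default_contexts; refpolicy also ships appconfig-standard and appconfig-mls directories with their own copies of the per-user default_contexts files (the MLS variant with a level range rather than a plain s0), so those builds will need matching files or unconfined_u logins there will fall back to the generic default_contexts. Every entry maps a login or service daemon (sshd_t, xdm_t, local_login_t, crond_t, ...) straight to unconfined_r:unconfined_t:s0, which is the intended semantics for the unconfined_u SELinux user, but it is worth spelling that out in the description since this file decides the context every unconfined_u session starts in.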
--
David Härdeman
* [refpolicy-patch 04/23] kismet policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
This is needed by /usr/bin/kismet_server
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.0/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-06-12 23:25:08.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/admin/kismet.te 2008-07-15 14:05:12.000000000 -0400
@@ -26,6 +26,7 @@
#
allow kismet_t self:capability { net_admin setuid setgid };
+allow kismet_t self:packet_socket create_socket_perms;
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
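Review bot: creating a packet socket requires the net_raw capability in addition to the self:packet_socket permission added here, and the allow on the line above only grants `{ net_admin setuid setgid }`; unless kismet_t obtains net_raw elsewhere in the module, kismet_server will still be denied at socket creation. Suggest changing the capability line to `allow kismet_t self:capability { net_admin net_raw setuid setgid };` in the same hunk, or stating in the description that net_raw is already granted.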
--
David Härdeman
* [refpolicy-patch 05/23] kudzu policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
kudzu is RedHat's hw management app; none of the changes seem
controversial.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.5.0/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/admin/kudzu.te 2008-07-15 14:05:12.000000000 -0400
@@ -21,8 +21,8 @@
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
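Review bot: moving sys_ptrace from the dontaudit list into the allow list is a real privilege increase (it lets kudzu_t trace other processes), not a cosmetic cleanup, and the description ("none of the changes seem controversial") gives no reason for it; please add the rationale or the denial it fixes to the commit text. The reduced `dontaudit kudzu_t self:capability sys_tty_config;` is harmless, but sys_tty_config is also in the allow line directly above it, so the dontaudit is now redundant and could be dropped.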
@@ -68,6 +68,7 @@
modutils_read_module_deps(kudzu_t)
modutils_read_module_config(kudzu_t)
modutils_rename_module_config(kudzu_t)
+modutils_unlink_module_config(kudzu_t)
storage_read_scsi_generic(kudzu_t)
storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
+init_read_init_state(kudzu_t)
+init_ptrace_init_domain(kudzu_t)
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
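Review bot: init_ptrace_init_domain(kudzu_t) grants ptrace on init itself, and together with the sys_ptrace capability added in the first hunk it is one of the more sensitive changes in this series; the existing comment only explains the telinit call, so add a comment above these two lines saying what kudzu does to init that needs ptrace. init_read_init_state(kudzu_t) is harmless by comparison and needs no justification.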
@@ -143,28 +146,6 @@
')
optional_policy(`
- # cjp: this was originally in the else block
- # of ifdef userhelper.te, but it seems to
- # make more sense here. also, require
- # blocks curently do not work in the
- # else block of optionals
+ unconfined_domtrans(kudzu_t)
unconfined_domain(kudzu_t)
')
-
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
- allow kudzu_t printconf_t:file { getattr read };
-')
-optional_policy(`
- allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
- allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
- role system_r types sysadm_userhelper_t;
- domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
-')
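Review bot: the deleted ifdef(`TODO') block contained `allow kudzu_t modules_conf_t:file unlink;`, which the earlier hunk replaces with modutils_unlink_module_config(kudzu_t), so that part is consistent; the remaining rules in it (printconf_t, xserver_exec_t, rhgb_t, the userhelper transition) simply disappear, which is acceptable for dead TODO code but deserves one line in the description. The cjp comment explaining why the unconfined block lives here is removed along with it; keep a short note, since the block's placement is not obvious without it. Adding unconfined_domtrans(kudzu_t) beside unconfined_domain(kudzu_t) means kudzu both has unconfined access and transitions to unconfined_t when it executes unconfined entry points; state which program triggers that transition.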
--
David Härdeman
* [refpolicy-patch 06/23] logrotate policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
No controversial changes
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.0/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/admin/logrotate.te 2008-07-15 14:05:12.000000000 -0400
@@ -71,6 +71,7 @@
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
@@ -96,9 +97,11 @@
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
+files_getattr_generic_locks(logrotate_t)
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
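Review bot: files_search_all(logrotate_t) grants search on every directory type in the policy; it is search-only, and logrotate_t already carries mls_file_read_all_levels, so the intent is clearly to reach log directories under arbitrary paths, but a narrower interface for the directory type that was actually denied would be preferable to a policy-wide search grant. files_getattr_generic_locks(logrotate_t) is fine. The "cjp: why is this needed?" question on init_domtrans_script is still open and untouched by this patch.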
--
David Härdeman
* [refpolicy-patch 07/23] corenetwork policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
This patch should be a no-brainer, additional network port names only...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.0/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:25:03.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/kernel/corenetwork.te.in 2008-07-15 14:05:12.000000000 -0400
@@ -75,6 +75,7 @@
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -82,6 +83,7 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(comsat, udp,512,s0)
+network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
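Review bot: this file keeps its entries in alphabetical order and cyphesis is inserted before cvs; it belongs after `network_port(cvs, tcp,2401,s0, udp,2401,s0)`. Also, udp 32771 falls inside the Linux default ephemeral port range (32768-61000), so labelling it cyphesis_port_t will apply that label to any local socket that happens to be assigned that port, which is worth a comment on the line.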
@@ -91,6 +93,7 @@
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,1935,s0, udp,1935,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -109,11 +112,13 @@
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -122,6 +127,8 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -133,10 +140,13 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
+network_port(pulseaudio, tcp,4713,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
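Review bot: `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` has a stray space after `udp,` that no other entry in the file has; drop it for consistency with the surrounding lines. pulseaudio is also inserted ahead of pgpkeyserver and pop even though the block is kept in alphabetical order; it belongs after ptal. The prelude entry (tcp/udp 4690) is placed correctly.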
@@ -148,11 +158,11 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0)
+network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
-network_port(smbd, tcp,139,s0, tcp,445,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
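Review bot: widening smbd to `tcp,137-139` labels NetBIOS name service (137) and datagram service (138) as smbd_port_t, but those two are UDP services (nmbd binds udp 137 and 138); TCP 139 is the session service that smbd itself uses. If the goal is to cover nmbd, add `udp,137,s0, udp,138,s0` rather than extending the TCP range. The router change (udp 521 and tcp 521 for RIPng next to udp 520) looks right.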
@@ -170,7 +180,12 @@
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+
network_port(vnc, tcp,5900,s0)
+# Reserve 100 ports for vnc/virt machines
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
network_port(wccp, udp,2048,s0)
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
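Review bot: whois is inserted between vnc and wccp, but alphabetically it belongs after wccp. The reserved range 5901-5999 is written as a raw portcon below a separate `network_port(vnc, tcp,5900,s0)`; since network_port() accepts ranges in this tree (see `tcp,137-139` in the smbd change above), the two could be a single `network_port(vnc, tcp,5900-5999,s0)`, or if the split is deliberate (as the existing mysqld portcon precedent suggests) the comment should say why 5900 is declared separately. The stray blank line after the virt entry breaks an otherwise unbroken block.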
--
David Härdeman
* [refpolicy-patch 08/23] secadm policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
If auditd is not running, secadm needs dmesg to get the avc messages.
If auditd is running the same info is available through auditd
anyway.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.5.0/policy/modules/roles/secadm.te
--- nsaserefpolicy/policy/modules/roles/secadm.te 2008-06-12 23:25:06.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/roles/secadm.te 2008-07-15 14:05:12.000000000 -0400
@@ -48,6 +48,10 @@
')
optional_policy(`
+ dmesg_exec(secadm_t)
+')
+
+optional_policy(`
netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
')
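Review bot: dmesg_exec(secadm_t) only lets secadm_t execute the dmesg binary in its own domain; reading the kernel ring buffer additionally needs the kernel syslog-read permission (kernel_read_ring_buffer() in refpolicy terms), which this hunk does not add, so confirm secadm_t already has it or dmesg will still be denied. The motivation given in the description (AVC messages are only in the ring buffer when auditd is not running) belongs as a comment above the new optional_policy block, since the .te otherwise gives no hint why a security administrator role needs dmesg.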
--
David Härdeman
* [refpolicy-patch 09/23] apm policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
apmd knows nothing of dbus but powersaved is also in domain apmd_t and
powersaved is HAL-aware.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.5.0/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/apm.te 2008-07-15 14:05:12.000000000 -0400
@@ -191,6 +191,10 @@
dbus_stub(apmd_t)
optional_policy(`
+ consolekit_dbus_chat(apmd_t)
+ ')
+
+ optional_policy(`
networkmanager_dbus_chat(apmd_t)
')
')
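Review bot: the description justifies the change with powersaved being HAL-aware, but the hunk adds consolekit_dbus_chat(apmd_t), not a hal interface; either the description or the interface call is off, and the commit text should name which program in apmd_t talks to ConsoleKit. Placing the new block inside the existing dbus optional_policy is correct, since the consolekit chat is meaningless without dbus.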
--
David Härdeman
* [refpolicy-patch 10/23] courier policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Adds a separate context for courier spooling dirs/files and a few
new interfaces.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.0/policy/modules/services/courier.fc
--- nsaserefpolicy/policy/modules/services/courier.fc 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/courier.fc 2008-07-15 14:05:12.000000000 -0400
@@ -19,3 +19,5 @@
/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
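Review bot: the new /var/spool/courier entry has no file-type specifier, so the directory and everything beneath it becomes courier_spool_t, which is what the manage_*_pattern interfaces in courier.if expect. Nothing in the visible courier.te hunks, however, grants the courier daemon domains themselves access to courier_spool_t; after a relabel the spool moves from the generic /var/spool type to a type the daemons may have no rules for, so show the rule that gives the courier domains manage access to the new type or spooling will break.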
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.5.0/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2008-06-12 23:25:06.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/courier.if 2008-07-15 14:05:12.000000000 -0400
@@ -123,3 +123,77 @@
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')
+
+
+########################################
+## <summary>
+## Allow domain to read courier config files
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_read_config',`
+ gen_require(`
+ type courier_etc_t;
+ ')
+
+ read_files_pattern($1, courier_etc_t, courier_etc_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage courier spool directories
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_dirs',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage courier spool files
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_manage_spool_files',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
+########################################
+## <summary>
+## Allow attempts to read and write to
+## courier unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`courier_rw_pipes',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+')
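Review bot: the three new interfaces document their parameter as `<param name="prefix">` while the body uses $1 as a domain (`read_files_pattern($1, courier_etc_t, courier_etc_t)`); the name should be `domain` as in the rest of this file. courier_rw_pipes is worse: its summary reads "Allow attempts to read and write" and the parameter is described as "Domain to not audit", wording copied from a dontaudit template, yet the body is a plain allow rule; change the summary to "Allow the specified domain to read and write courier unnamed pipes" and the param text to "Domain allowed access". The double blank line at the top of the hunk should be a single one.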
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.0/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/courier.te 2008-07-15 14:05:12.000000000 -0400
@@ -9,7 +9,10 @@
courier_domain_template(authdaemon)
type courier_etc_t;
-files_type(courier_etc_t)
+files_config_file(courier_etc_t)
+
+type courier_spool_t;
+files_type(courier_spool_t)
courier_domain_template(pcp)
@@ -25,6 +28,7 @@
type courier_exec_t;
files_type(courier_exec_t)
+mta_mailclient(courier_exec_t)
courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
@@ -97,12 +101,12 @@
courier_domtrans_authdaemon(courier_pop_t)
# do the actual work (read the Maildir)
-userdom_manage_unpriv_users_home_content_files(courier_pop_t)
+unprivuser_manage_home_content_files(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
-userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+unprivuser_manage_home_content_dirs(courier_pop_t)
########################################
#
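Review bot: the rename from userdom_manage_unpriv_users_home_content_{files,dirs} to unprivuser_manage_home_content_{files,dirs} only compiles if the unprivuser module with those interfaces exists in the target tree; the anaconda patch (02/23) in this series already relies on unprivuser_home_dir_filetrans_home_content, so it is consistent within the series, but the description for this patch mentions only the spool type and new interfaces, not the interface rename. The cjp comments about pop vs imap and the home directory type remain valid and are untouched.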
--
David Härdeman
* [refpolicy-patch 11/23] cpucontrol policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Only documentation changes...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.if serefpolicy-3.5.0/policy/modules/services/cpucontrol.if
--- nsaserefpolicy/policy/modules/services/cpucontrol.if 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/cpucontrol.if 2008-07-15 14:05:12.000000000 -0400
@@ -4,9 +4,9 @@
## <summary>
## CPUcontrol stub interface. No access allowed.
## </summary>
-## <param name="domain" unused="true">
+## <param name="domain" optional="true">
## <summary>
-## Domain allowed access.
+## N/A
## </summary>
## </param>
#
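Review bot: `unused="true"` and `optional="true"` mean different things in the interface documentation schema: unused marks a parameter the stub ignores, optional marks one the caller may leave out. For a stub that allows no access, unused is the accurate attribute, so this hunk makes the documentation less precise rather than more; the rhgb change later in this series (14/23) drops the attribute entirely, so the two patches are also inconsistent with each other. Changing the summary to "N/A" matches rhgb.if and is fine.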
--
David Härdeman
* [refpolicy-patch 12/23] openca policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Trivial patch
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openca.te serefpolicy-3.5.0/policy/modules/services/openca.te
--- nsaserefpolicy/policy/modules/services/openca.te 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/openca.te 2008-07-15 14:05:13.000000000 -0400
@@ -18,7 +18,7 @@
# /etc/openca standard files
type openca_etc_t;
-files_type(openca_etc_t)
+files_config_file(openca_etc_t)
# /etc/openca template files
type openca_etc_in_t;
--
David Härdeman
* [refpolicy-patch 13/23] portslave policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Trivial patch
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.5.0/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/portslave.te 2008-07-15 14:05:13.000000000 -0400
@@ -12,7 +12,7 @@
init_daemon_domain(portslave_t,portslave_exec_t)
type portslave_etc_t;
-files_type(portslave_etc_t)
+files_config_file(portslave_etc_t)
type portslave_lock_t;
files_lock_file(portslave_lock_t)
--
David Härdeman
* [refpolicy-patch 14/23] rhgb policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
rhgb (RedHat Graphical Boot) is RH specific so this should be uncontroversial...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.5.0/policy/modules/services/rhgb.if
--- nsaserefpolicy/policy/modules/services/rhgb.if 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/rhgb.if 2008-07-15 14:05:13.000000000 -0400
@@ -4,7 +4,7 @@
## <summary>
## RHGB stub interface. No access allowed.
## </summary>
-## <param name="domain" unused="true">
+## <param name="domain">
## <summary>
## N/A
## </summary>
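Review bot: dropping `unused="true"` here while cpucontrol.if (11/23) replaces it with `optional="true"` leaves the two stub interfaces documented differently; pick one convention for both. Since a no-access stub really does ignore its parameter, keeping `unused="true"` is the more accurate choice.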
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.0/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/rhgb.te 2008-07-15 14:05:13.000000000 -0400
@@ -92,6 +92,7 @@
term_getattr_pty_fs(rhgb_t)
init_write_initctl(rhgb_t)
+init_chat(rhgb_t)
libs_use_ld_so(rhgb_t)
libs_use_shared_libs(rhgb_t)
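Review bot: the other chat interfaces used in this series follow the `<module>_dbus_chat` naming (networkmanager_dbus_chat and consolekit_dbus_chat in 09/23); please confirm that init_chat() exists in init.if of the target refpolicy and is not a typo for a dbus chat interface. The description ("RH specific so this should be uncontroversial") does not say what rhgb needs to exchange with init beyond the existing init_write_initctl, so add that to the commit text or as a comment on the line.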
--
David Härdeman
* [refpolicy-patch 15/23] soundserver policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
This policy was written by Ken Yang and reviewed by Dan Walsh:
http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
and here:
https://bugzilla.redhat.com/show_bug.cgi?id=250453
I updated the .fc changes to also work with Debian paths.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.0/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/soundserver.fc 2008-07-15 14:05:13.000000000 -0400
@@ -7,4 +7,8 @@
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
+
+/etc/(rc.d/)?init.d/nas(d)? -- gen_context(system_u:object_r:soundd_script_exec_t,s0)
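Review bot: the init script pattern `/etc/(rc.d/)?init.d/nas(d)?` leaves the dots unescaped, so `rc.d` and `init.d` match any character in those positions; the logging.fc hunk later in this series escapes them as `rc\.d/init\.d`, and this line should do the same: `/etc/(rc\.d/)?init\.d/nas(d)? -- gen_context(system_u:object_r:soundd_script_exec_t,s0)`. The optional `(rc.d/)?` prefix does cover both the Debian and Red Hat layouts as the description says.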
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.0/policy/modules/services/soundserver.if
--- nsaserefpolicy/policy/modules/services/soundserver.if 2008-06-12 23:25:05.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/soundserver.if 2008-07-15 14:05:13.000000000 -0400
@@ -13,3 +13,74 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+## <summary>
+## Execute soundd server in the soundd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`soundserver_script_domtrans',`
+ gen_require(`
+ type soundd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,soundd_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an soundd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the soundd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`soundserver_admin',`
+ gen_require(`
+ type soundd_t;
+ type soundd_script_exec_t;
+ type soundd_etc_t;
+ type soundd_tmp_t;
+ type soundd_var_run_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, soundd_t, soundd_t)
+
+ # Allow soundd_t to restart the apache service
+ soundserver_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 soundd_script_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ manage_all_pattern($1,soundd_tmp_t)
+
+ files_list_etc($1)
+ manage_all_pattern($1,soundd_etc_t)
+
+ files_list_pids($1)
+ manage_all_pattern($1,soundd_var_run_t)
+')
+
+
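Review bot: the comment `# Allow soundd_t to restart the apache service` in soundserver_admin is a copy-paste leftover; the rule below it lets `$1` (the admin domain) run the sound server's init script, so it should read `# Allow $1 to restart the soundd service`. Two more points on the same interface: it requires and manages soundd_etc_t, soundd_tmp_t and soundd_var_run_t but not soundd_state_t, which the .te hunks show the daemon writing, so an admin still cannot clean up state files; and the summary `administrate an soundd environment` should read `administer a soundd environment`. The two trailing blank `+` lines at the end of the file should also go.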
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.0/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/services/soundserver.te 2008-07-15 14:05:13.000000000 -0400
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
-type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
-
type soundd_state_t;
files_type(soundd_state_t)
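Review bot: this removes the `etc_soundd_t` alias together with the declaration, and the re-declaration in the next hunk (`type soundd_etc_t;` with `files_config_file`) does not restore it, so any policy or on-disk file contexts still naming the alias stop resolving. Keep `alias etc_soundd_t` on the new declaration unless the alias is known to be unused, and say so in the description.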
@@ -26,21 +23,30 @@
type soundd_var_run_t;
files_pid_file(soundd_var_run_t)
+type soundd_etc_t;
+files_config_file(soundd_etc_t)
+
+type soundd_script_exec_t;
+init_script_type(soundd_script_exec_t)
+
########################################
#
-# Declarations
+# sound server local policy
#
+allow soundd_t self:capability dac_override;
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
allow soundd_t self:tcp_socket create_stream_socket_perms;
allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+fs_getattr_all_fs(soundd_t)
+
# for yiff
allow soundd_t self:shm create_shm_perms;
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
+read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
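Review bot: `allow soundd_t self:capability dac_override;` is the broadest change in this hunk and carries no comment; dac_override bypasses DAC file permission checks for the whole domain, so record which operation of the sound server needs it (often a root daemon touching files owned by another user). The `connectto` on its own unix_stream_socket and `fs_getattr_all_fs` are fine. The section header change from `# Declarations` to `# sound server local policy` is cosmetic and only corrects a mislabeled heading.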
@@ -55,8 +61,10 @@
manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
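Review bot: `manage_sock_files_pattern` on soundd_var_run_t is added, but the `files_pid_filetrans` class list is only widened to `{ file dir }`; a socket the daemon creates directly under /var/run would still get the generic pid type and the new rule would never apply to it. Either add `sock_file` to the transition, or note that the socket is only ever created inside /var/run/nasd (which the .fc hunk labels soundd_var_run_t, so objects created there inherit the label).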
@@ -96,10 +104,13 @@
sysnet_read_config(soundd_t)
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-
sysadm_dontaudit_search_home_dirs(soundd_t)
optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
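Review bot: the `alsa_domtrans(soundd_t)` block needs a word on what the sound server executes from the alsa module, since it is the only new domain transition in this module; and the removal of the blank line above `sysadm_dontaudit_search_home_dirs` is a whitespace-only change that only adds diff noise.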
--
David Härdeman
* [refpolicy-patch 16/23] w3c policy addition
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
This is a new module not present upstream; it contains nothing that
looks controversial.
I've added one Debian path; perhaps it should be in a
conditional block... (/usr/lib/cgi-bin/check)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.5.0/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.0/policy/modules/services/w3c.fc 2008-07-15 14:05:13.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
+/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
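Review bot: `/usr/lib/cgi-bin/check` has no file-type field although it names a single CGI script; use `--` so only a regular file at that path gets httpd_w3c_validator_script_exec_t. The author's own suggestion to put this Debian-only path in a conditional is the right one: an `ifdef(`distro_debian',` ... ')` block around it matches how distro-specific paths are handled in the other .fc files in this series (for example the `ifdef(`distro_suse',` block visible in logging.fc).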
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.5.0/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.0/policy/modules/services/w3c.if 2008-07-15 14:05:13.000000000 -0400
@@ -0,0 +1,20 @@
+## <summary>W3C</summary>
+
+########################################
+## <summary>
+## Execute w3c server in the w3c domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`w3c_script_domtrans',`
+ gen_require(`
+ type w3c_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,w3c_script_exec_t)
+')
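Review bot: `w3c_script_domtrans` requires `type w3c_script_exec_t`, but nothing in this patch declares it: the .te hunk only calls `apache_content_template(w3c_validator)`, which produces the `httpd_w3c_validator_*` types used in w3c.fc and w3c.te. Any module calling this interface will fail to link on the undeclared type. Either drop the interface (there is no w3c daemon or init script in the module, so the summary `Execute w3c server in the w3c domain` describes nothing here) or declare and label the script type it refers to.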
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.0/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.0/policy/modules/services/w3c.te 2008-07-15 14:05:13.000000000 -0400
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
+apache_content_template(w3c_validator)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
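Review bot: a new module should start at `policy_module(w3c,1.0.0)`; 1.2.1 carries version history from the Fedora tree that upstream does not have. On the rules: the validator fetching the pages it checks explains `sysnet_dns_name_resolve` and the http, http_cache and ftp connect rules, but since this gives a CGI script domain outbound access to arbitrary hosts, a one-line comment saying why belongs above the block.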
--
David Härdeman
* [refpolicy-patch 17/23] logging policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Most changes here seem uncontroversial. Note that the logging_admin_audit
and logging_admin_syslog interfaces are not currently used in the
refpolicy so changing their signature shouldn't be a problem.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.0/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/logging.fc 2008-07-15 14:05:13.000000000 -0400
@@ -4,6 +4,8 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -20,6 +22,7 @@
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
@@ -37,7 +40,7 @@
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
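Review bot: dropping `--` from `/var/log/syslog-ng(/.*)?` is right (with `--` only regular files could match and the directory itself never received the label), but while touching this line note that its context is `syslogd_var_run_t` for a path under /var/log, which reads like a copy-paste from the /var/run entries; a log directory belongs under a logfile type such as var_log_t, so this deserves a follow-up fix.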
@@ -48,7 +51,7 @@
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
@@ -59,3 +62,8 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
+
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
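Review bot: the new init script entries match `/etc/rc\.d/init\.d/` only, so on Debian (which this series otherwise takes care of, e.g. `/etc/(rc.d/)?init.d/` in soundserver.fc) `/etc/init.d/rsyslog` and `/etc/init.d/auditd` stay unlabeled and the new `logging_*_script_domtrans` interfaces have nothing to transition on; make the `rc\.d/` component optional here too, and consider the sysklogd and syslog-ng script names alongside rsyslog. `/var/cfengine/outputs(/.*)?` as var_log_t has nothing to do with syslog or audit and would sit better in a cfengine module, or at least needs a comment.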
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.0/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/logging.if 2008-07-15 14:05:13.000000000 -0400
@@ -213,12 +213,7 @@
## </param>
#
interface(`logging_stream_connect_auditd',`
- gen_require(`
- type auditd_t, auditd_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+ logging_stream_connect_audisp($1)
')
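Review bot: rewriting `logging_stream_connect_auditd` to call `logging_stream_connect_audisp` silently changes what callers get: they now connect to audisp_t via audisp_var_run_t instead of to auditd_t via auditd_var_run_t, while `/var/run/auditd_sock` stays labeled auditd_var_run_t in the .fc hunk above. If the old behaviour is obsolete, mark the interface deprecated with `refpolicywarn` (as soundserver.if does for `soundserver_tcp_connect`) rather than redirecting it; if both sockets are in use, keep the auditd rules and add the audisp call.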
########################################
@@ -530,8 +525,27 @@
')
files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
- allow $1 logfile:file { getattr append };
+ append_files_pattern($1, var_log_t, logfile)
+')
+
+########################################
+## <summary>
+## read/write to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_rw_all_logs',`
+ gen_require(`
+ attribute logfile;
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ rw_files_pattern($1, var_log_t, logfile)
')
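Review bot: replacing `allow $1 var_log_t:dir list_dir_perms;` and `allow $1 logfile:file { getattr append };` with `append_files_pattern($1, var_log_t, logfile)` is not behaviour-neutral: the pattern macro grants search on the directory rather than listing it, plus append_file_perms on the files, so callers that enumerated /var/log lose `read` on the directory. That is probably the intended tightening, but the description should say so. The new `logging_rw_all_logs` is fine; capitalize its summary (`Read and write all log files.`) to match the neighbouring interface docs.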
########################################
@@ -596,6 +610,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
+ allow $1 logfile:dir { relabelfrom relabelto };
+ allow $1 logfile:file { relabelfrom relabelto };
')
########################################
@@ -641,6 +657,25 @@
########################################
## <summary>
+## Dontaudit Write generic log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_dontaudit_write_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ dontaudit $1 var_log_t:file write;
+')
+
+########################################
+## <summary>
## Read and write generic log files.
## </summary>
## <param name="domain">
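Review bot: `logging_dontaudit_write_generic_logs` mixes an allow into a dontaudit interface: `files_search_var($1)` grants search on /var to every caller, which a dontaudit interface must not do. Drop that line and keep only `dontaudit $1 var_log_t:file write;`. The parameter doc `Domain allowed access.` should read `Domain to not audit.`, and the summary `Dontaudit Write generic log files.` wants a lowercase `write`.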
@@ -695,6 +730,7 @@
interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
+ type auditd_script_exec_t;
type auditd_var_run_t;
')
@@ -709,6 +745,15 @@
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+ logging_run_auditctl($1, $2, $3)
+
+ # Allow $1 to restart the audit service
+ logging_audit_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 auditd_script_exec_t system_r;
+ allow $2 system_r;
+
')
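Review bot: `logging_admin_audit` now consumes `$2` and `$3` (via `logging_run_auditctl($1, $2, $3)` and `role_transition $2 auditd_script_exec_t system_r;`), but the hunk does not touch the interface's documentation block, so the `role` and `terminal` parameters go undocumented and the generated docs still describe a one-argument interface; add the two `<param>` entries. The stray blank line before the closing `')` should also go.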
########################################
@@ -729,6 +774,7 @@
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
+ type syslogd_script_exec_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
@@ -756,6 +802,12 @@
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
+
+ # Allow $1 to restart the syslog service
+ logging_syslog_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 syslogd_script_exec_t system_r;
+ allow $2 system_r;
')
########################################
@@ -771,6 +823,132 @@
## <rolecap/>
#
interface(`logging_admin',`
- logging_admin_audit($1)
- logging_admin_syslog($1)
+ logging_admin_audit($1, $2, $3)
+ logging_admin_syslog($1, $2, $3)
+')
+
+########################################
+## <summary>
+## Execute syslog server in the syslogd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`logging_syslog_script_domtrans',`
+ gen_require(`
+ type syslogd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,syslogd_script_exec_t)
+')
+
+########################################
+## <summary>
+## Execute audit server in the auditd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`logging_audit_script_domtrans',`
+ gen_require(`
+ type auditd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_audisp',`
+ gen_require(`
+ type audisp_t;
+ type audisp_exec_t;
+ ')
+
+ domtrans_pattern($1,audisp_exec_t,audisp_t)
+')
+
+########################################
+## <summary>
+## Signal the audisp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_audisp_signal',`
+ gen_require(`
+ type audisp_t;
+ ')
+
+ allow $1 audisp_t:process signal;
+')
+
+########################################
+## <summary>
+## Create a domain for processes
+## which can be started by the system audisp
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`logging_audisp_system_domain',`
+ gen_require(`
+ type audisp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1,$2)
+
+ role system_r types $1;
+
+ domtrans_pattern(audisp_t,$2,$1)
+ allow $1 audisp_t:process signal;
+
+ allow audisp_t $2:file getattr;
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Connect to auditdstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_stream_connect_audisp',`
+ gen_require(`
+ type audisp_t, audisp_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
')
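Review bot: several doc blocks in this hunk are wrong or stale: `logging_audisp_signal` says `Domain allowed to transition.` for a parameter that only receives `process signal`; `logging_stream_connect_audisp` has the typo `auditdstored`; and `logging_admin` now forwards `$2` and `$3` to both admin interfaces while its own doc block (unchanged just above the hunk) documents only `domain`. In `logging_audisp_system_domain`, `allow audisp_t $2:file getattr;` is redundant with `domtrans_pattern(audisp_t,$2,$1)`, which already grants the entrypoint file access.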
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.0/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/logging.te 2008-07-15 14:05:13.000000000 -0400
@@ -61,10 +61,29 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
+type auditd_script_exec_t;
+init_script_type(auditd_script_exec_t)
+
+type syslogd_script_exec_t;
+init_script_type(syslogd_script_exec_t)
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+ init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)
')
+type audisp_t;
+type audisp_exec_t;
+init_system_domain(audisp_t, audisp_exec_t)
+
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
+type audisp_remote_t;
+type audisp_remote_exec_t;
+domain_type(audisp_remote_t)
+domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
+
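Review bot: `audisp_remote_t` is declared here with `domain_type` and `domain_entry_file`, and the local policy hunk at the end of the file then calls `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)`, which (per the .if hunk) repeats `domain_type($1)` and `domain_entry_file($1,$2)`; keep one of the two. The new `init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)` under `enable_mls` should also be checked against the existing syslogd_t declaration, which this hunk does not show.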
########################################
#
# Auditctl local policy
@@ -84,6 +103,7 @@
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
+
domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)
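Review bot: this hunk only inserts a blank line between `kernel_read_proc_symlinks(auditctl_t)` and `domain_read_all_domains_state(auditctl_t)`; whitespace-only hunks should be left out of a functional series.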
@@ -158,11 +178,13 @@
mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
+mls_fd_use_all_levels(auditd_t)
seutil_dontaudit_read_config(auditd_t)
-userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+sysnet_dns_name_resolve(auditd_t)
+userdom_dontaudit_use_unpriv_user_fds(auditd_t)
sysadm_dontaudit_search_home_dirs(auditd_t)
ifdef(`distro_ubuntu',`
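Review bot: `userdom_dontaudit_use_unpriv_user_fds(auditd_t)` is removed and re-added one line lower only to slot `sysnet_dns_name_resolve(auditd_t)` above it; add the new line without moving the old one. More importantly, say why auditd itself now resolves names: the remote dispatcher in this same patch gets its own `sysnet_dns_name_resolve(audisp_remote_t)`, so if the daemon does no lookups of its own this rule is unneeded.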
@@ -172,6 +194,10 @@
')
optional_policy(`
+ mta_send_mail(auditd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
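Review bot: `mta_send_mail(auditd_t)` is justified (auditd's `space_left_action` and `admin_space_left_action` can be set to `email`, which sends to `action_mail_acct`), but that is exactly the reason that belongs in a comment above the `optional_policy` block so it is not mistaken for an over-grant later.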
@@ -209,6 +235,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
+fs_search_tmpfs(klogd_t)
domain_use_interactive_fds(klogd_t)
@@ -253,7 +280,6 @@
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
allow syslogd_t self:process { signal_perms setpgid };
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
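Review bot: removing `allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;` is only safe because a later hunk in this file adds `auth_use_nsswitch(syslogd_t)`, which supplies the route-socket access the resolver needs; the two changes belong together and the description should mention the dependency so the removal is not read as a regression.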
@@ -263,7 +289,7 @@
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
-
+
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
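Review bot: this hunk replaces an empty line with an empty line (presumably one differing only in trailing whitespace); it is pure noise and should be dropped from the patch.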
@@ -275,6 +301,9 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+mls_fd_use_all_levels(syslogd_t)
+
# manage temporary files
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
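Review bot: the trailing comment on `mls_file_write_all_levels(syslogd_t)` is longer than the rule; put it on its own line above the two `mls_*` calls and state what each is for (writing below the daemon's level into /var/run and /var/log versus using fds passed from other levels). As the unconditional `mls_file_read_all_levels(auditd_t)` earlier in this file shows, these `mls_*` interfaces need no `enable_mls` guard.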
@@ -290,12 +319,14 @@
manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
+kernel_read_system_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
+files_read_kernel_symbol_table(syslogd_t)
dev_filetrans(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
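Review bot: `kernel_read_system_state(syslogd_t)` and `files_read_kernel_symbol_table(syslogd_t)` arrive without the kind of comment the neighbouring `# Allow access to /proc/kmsg for syslog-ng` line uses; symbol table access is a klogd-style kernel log reader feature, so name the implementation that needs it (the domain already reads kernel messages via `kernel_read_messages`) and what under /proc the system state read is for.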
@@ -328,6 +359,8 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
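Review bot: `corenet_tcp_connect_postgresql_port` and `corenet_tcp_connect_mysqld_port` open outbound TCP from syslogd to database ports unconditionally, although logging to a database is a feature few syslogd configurations enable. Put them behind a boolean (`gen_tunable` plus a `tunable_policy` block) or at least inside the `optional_policy` block that adds `postgresql_stream_connect(syslogd_t)` later in this file; note there is no matching mysql `optional_policy` at all.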
@@ -340,23 +373,23 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
+auth_use_nsswitch(syslogd_t)
+
libs_use_ld_so(syslogd_t)
libs_use_shared_libs(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
-sysnet_read_config(syslogd_t)
-
miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-
sysadm_dontaudit_search_home_dirs(syslogd_t)
ifdef(`distro_gentoo',`
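Review bot: `sysnet_read_config(syslogd_t)` is removed because `auth_use_nsswitch(syslogd_t)`, added in the same hunk, already covers resolver configuration access; fine, but the two blank-line deletions after `logging_send_syslog_msg` and `userdom_dontaudit_use_unpriv_user_fds` are whitespace noise. `files_read_usr_files(syslogd_t)` needs a word on what syslogd reads under /usr.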
@@ -382,15 +415,11 @@
')
optional_policy(`
- nis_use_ypbind(syslogd_t)
-')
-
-optional_policy(`
- nscd_socket_use(syslogd_t)
+ seutil_sigchld_newrole(syslogd_t)
')
optional_policy(`
- seutil_sigchld_newrole(syslogd_t)
+ postgresql_stream_connect(syslogd_t)
')
optional_policy(`
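Review bot: dropping the `nis_use_ypbind` and `nscd_socket_use` blocks is consistent with the move to `auth_use_nsswitch(syslogd_t)`, which wraps both, but the hunk also moves `seutil_sigchld_newrole` into the first block's position and puts `postgresql_stream_connect` where it was; leaving the existing block in place and appending a new one would make the diff show only the real change.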
@@ -401,3 +430,67 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
+
+########################################
+#
+# audisp local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(audisp_t)
+
+allow audisp_t self:capability sys_nice;
+allow audisp_t self:process setsched;
+
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+
+files_read_etc_files(audisp_t)
+
+libs_use_ld_so(audisp_t)
+libs_use_shared_libs(audisp_t)
+
+logging_send_syslog_msg(audisp_t)
+
+miscfiles_read_localization(audisp_t)
+
+mls_file_write_all_levels(audisp_t)
+
+corecmd_search_bin(audisp_t)
+allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+logging_domtrans_audisp(auditd_t)
+logging_audisp_signal(auditd_t)
+
+########################################
+#
+# audisp_remote local policy
+#
+
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
+
+allow audisp_remote_t self:tcp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
+corenet_all_recvfrom_netlabel(audisp_remote_t)
+corenet_tcp_sendrecv_all_if(audisp_remote_t)
+corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+corenet_tcp_connect_audit_port(audisp_remote_t)
+
+files_read_etc_files(audisp_remote_t)
+
+libs_use_ld_so(audisp_remote_t)
+libs_use_shared_libs(audisp_remote_t)
+
+logging_send_syslog_msg(audisp_remote_t)
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
+
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
+
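Review bot: `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)` is called twice in the audisp_remote section (once at the top, once after `logging_send_syslog_msg`); remove the duplicate. `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` applies the file permission set to a socket class; the matching macro is `rw_socket_perms`. The `## internal communication ...` comment uses the `##` prefix reserved for interface documentation in .if files; use a single `#`. Finally, `logging_domtrans_audisp(auditd_t)` and `logging_audisp_signal(auditd_t)` have the module calling its own interfaces from its own .te, which refpolicy avoids: write `domtrans_pattern(auditd_t, audisp_exec_t, audisp_t)` and `allow auditd_t audisp_t:process signal;` directly in the auditd section.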
--
David Härdeman
* [refpolicy-patch 18/23] miscfiles policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Trivial change (perhaps an RH-specific path?)...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.5.0/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/miscfiles.fc 2008-07-15 14:05:13.000000000 -0400
@@ -11,6 +11,7 @@
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
#
# /opt
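Review bot: `/etc/sysconfig/clock` is a Red Hat layout path (as the author suspects), so wrap it in `ifdef(`distro_redhat',` ... ')` rather than labeling it unconditionally; the locale_t label itself is consistent with `/etc/localtime` just above.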
--
David Härdeman
* [refpolicy-patch 19/23] netlabel policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Trivial patch
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.5.0/policy/modules/system/netlabel.te
--- nsaserefpolicy/policy/modules/system/netlabel.te 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/netlabel.te 2008-07-15 14:05:13.000000000 -0400
@@ -9,6 +9,7 @@
type netlabel_mgmt_t;
type netlabel_mgmt_exec_t;
application_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+role system_r types netlabel_mgmt_t;
########################################
#
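Review bot: `role system_r types netlabel_mgmt_t;` lets processes in system_r (init scripts among them) enter the netlabel management domain, which `application_domain` alone does not allow, yet the cover text says only `Trivial patch`. State the boot-time use this enables (an init script running netlabelctl is the obvious one) in the description or a comment, because it widens who can reach a domain that configures network labeling.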
--
David Härdeman
* [refpolicy-patch 20/23] pcmcia policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Documentation changes only...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.if serefpolicy-3.5.0/policy/modules/system/pcmcia.if
--- nsaserefpolicy/policy/modules/system/pcmcia.if 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/pcmcia.if 2008-07-15 14:05:13.000000000 -0400
@@ -4,9 +4,9 @@
## <summary>
## PCMCIA stub interface. No access allowed.
## </summary>
-## <param name="domain" unused="true">
+## <param name="domain" optional="true">
## <summary>
-## Domain allowed access.
+## N/A
## </summary>
## </param>
#
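Review bot: this switches the stub's parameter from `unused="true"` to `optional="true"` and blanks its description, whereas the rhgb patch earlier in this series drops the attribute entirely for an identical stub; pick one convention for both. `unused` is the accurate one for a stub that accepts an argument and ignores it; `optional` means the caller may omit the argument, which is not what a stub interface signals.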
--
David Härdeman
* [refpolicy-patch 21/23] raid policy update
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
The original patch also added dev_read_realtime_clock(mdadm_t)
which I removed since I couldn't find a version of mdadm in
Debian or RedHat which actually read /dev/rtc (and likewise
for /sbin/mdmpd on RH).
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.0/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/raid.te 2008-07-15 14:05:13.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
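Review bot: the added `mknod` capability for mdadm_t comes with no justification in the message, which only explains the dropped dev_read_realtime_clock rule. State which mdadm code path creates device nodes (creating the /dev/md* nodes itself when udev has not done so is the usual reason) so the capability can be judged; if it is only needed on udev-less systems, the narrower fix is an optional block or a dontaudit rather than an unconditional grant.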
@@ -86,3 +86,7 @@
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
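Review bot: the new `optional_policy(` unconfined_domain(mdadm_t) ')` block makes mdadm_t fully unconfined on any build that ships the unconfined module, which is every targeted build, so the capability change in the hunk above stops mattering there. Either explain what mdadm does that cannot be expressed with existing interfaces, or leave this line in the distribution patch: turning a confined daemon domain into an unconfined one is not a minor cherry-pick and deserves its own message.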
--
David Härdeman
* [refpolicy-patch 22/23] xen policy update
2008-07-19 20:50 [refpolicy-patch 00/23] Cherry-picks from Fedora SELinux patch david
` (20 preceding siblings ...)
2008-07-19 20:50 ` [refpolicy-patch 21/23] raid " david
@ 2008-07-19 20:50 ` david
2008-07-19 20:50 ` [refpolicy-patch 23/23] qemu " david
22 siblings, 0 replies; 42+ messages in thread
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
Mostly uncontroversial fixes and cleanups, also adds the xen_rw_image_files
interface which is needed for the qemu patch.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.0/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/xen.fc 2008-07-15 14:05:13.000000000 -0400
@@ -20,6 +20,7 @@
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
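Review bot: labelling `/var/run/xenner(/.*)?` as xend_var_run_t hands xenner's runtime directory to xend's pid-file type without any xenner domain or type being declared anywhere in this patch. If the intent is only to keep the path from being left as the generic var_run type, say so in the message; if xenner is meant to be confined later, it will need its own type and this line will have to change again.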
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.0/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/xen.if 2008-07-15 14:05:13.000000000 -0400
@@ -167,11 +167,14 @@
#
interface(`xen_stream_connect',`
gen_require(`
- type xend_t, xend_var_run_t;
+ type xend_t, xend_var_run_t, xend_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t)
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t)
')
########################################
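Review bot: xen_stream_connect now also allows connecting to any sock_file of type xend_var_lib_t under /var/lib, in addition to the pid directory, but nothing says which socket under /var/lib/xend needs this. Add a one-line comment naming it above the new stream_connect_pattern call so a later reader can tell which of the two rules is still required, and note that the whole xend_var_lib_t type is now a connect target rather than a single socket.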
@@ -191,3 +194,24 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## xend image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+ gen_require(`
+ type xen_image_t, xend_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1,xen_image_t,xen_image_t)
+')
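Review bot: the param description in the new xen_rw_image_files interface reads "Domain allowed to transition.", copied from a domtrans interface; this interface grants no transition, so it should read "Domain allowed access." Also, rw_files_pattern covers only regular files of type xen_image_t, while xend_t itself is given rw_blk_files_pattern on xen_image_t in the xen.te hunk below; a caller whose guest is backed by a block device labelled xen_image_t will still be denied, so either add the blk_file rule here or document that the interface is for file-backed images only.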
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.0/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2008-07-10 11:38:46.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/system/xen.te 2008-07-15 14:05:13.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow xen to manage nfs files
+## </p>
+## </desc>
+gen_tunable(xen_use_nfs,false)
+
# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t);
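Review bot: the xen_use_nfs tunable is declared with a false default, which is the right choice, but its description "Allow xen to manage nfs files" is wider than what it gates further down (only xend_t gets fs_manage_nfs_files and fs_read_nfs_symlinks); say "Allow xend to manage NFS files" so the administrator knows which daemon the boolean affects.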
@@ -42,25 +49,31 @@
# pid files
type xend_var_run_t;
files_pid_file(xend_var_run_t)
+files_mountpoint(xend_var_run_t)
type xenstored_t;
type xenstored_exec_t;
-domain_type(xenstored_t)
-domain_entry_file(xenstored_t,xenstored_exec_t)
-role system_r types xenstored_t;
+init_daemon_domain(xenstored_t,xenstored_exec_t)
+
+# tmp files
+type xenstored_tmp_t;
+files_tmp_file(xenstored_tmp_t)
# var/lib files
type xenstored_var_lib_t;
files_type(xenstored_var_lib_t)
+# log files
+type xenstored_var_log_t;
+logging_log_file(xenstored_var_log_t)
+
# pid files
type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)
type xenconsoled_t;
type xenconsoled_exec_t;
-domain_type(xenconsoled_t)
-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)
role system_r types xenconsoled_t;
# pid files
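Review bot: `role system_r types xenconsoled_t;` is kept after the switch to init_daemon_domain(xenconsoled_t,xenconsoled_exec_t), while the equivalent role line for xenstored_t is removed in the same hunk; init_daemon_domain already adds the domain to system_r, so the xenconsoled line is now redundant and should go for consistency. Separately, `files_mountpoint(xend_var_run_t)` needs a sentence in the message: what is mounted on /var/run/xend?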
@@ -95,7 +108,7 @@
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
-allow xend_t xenctl_t:fifo_file manage_file_perms;
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(xend_t, xenctl_t, fifo_file)
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
@@ -103,14 +116,14 @@
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
# pid file
-allow xend_t xend_var_run_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir })
# log files
-allow xend_t xend_var_log_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t)
manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
@@ -122,15 +135,13 @@
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
+init_stream_connect_script(xend_t)
+
# transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
# transition to console
-domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-allow xenconsoled_t xend_t:fd use;
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
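Review bot: replacing the hand-written domain_auto_trans plus fd/sigchld/fifo rules with domtrans_pattern is the right cleanup, but it is a slight widening for xenconsoled_t: the removed rules gave it only `allow xenconsoled_t xend_t:fd use;`, whereas domtrans_pattern also grants sigchld to xend_t and read/write on xend_t's fifo files. That is the standard set for a spawned child and fine, but say so in the message since the patch is billed as uncontroversial cleanup. `init_stream_connect_script(xend_t)` is unrelated to the transitions and would be clearer grouped with the other init_ calls.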
@@ -176,6 +187,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
@@ -207,11 +219,15 @@
sysnet_read_dhcpc_pid(xend_t)
sysnet_rw_dhcp_config(xend_t)
+sysadm_dontaudit_search_home_dirs(xend_t)
+
xen_stream_connect_xenstore(xend_t)
netutils_domtrans(xend_t)
-sysadm_dontaudit_search_home_dirs(xend_t)
+optional_policy(`
+ brctl_domtrans(xend_t)
+')
optional_policy(`
consoletype_exec(xend_t)
@@ -224,7 +240,7 @@
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
@@ -245,6 +261,8 @@
files_read_usr_files(xenconsoled_t)
+fs_list_tmpfs(xenconsoled_t)
+
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
@@ -257,7 +275,7 @@
miscfiles_read_localization(xenconsoled_t)
-xen_append_log(xenconsoled_t)
+xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
########################################
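Review bot: xenconsoled_t goes from xen_append_log to xen_manage_log, that is from append-only on the xen log type to create, write, rename and delete. A console logger that needs to create per-domain log files needs create and append, not the ability to unlink or truncate existing logs; if xen_manage_log is the only existing interface that grants create, add a narrower create/append variant rather than giving the console daemon full control over the log directory.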
@@ -265,15 +283,25 @@
# Xen store local policy
#
-allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
+manage_files_pattern(xenstored_t,xenstored_tmp_t,xenstored_tmp_t)
+manage_dirs_pattern(xenstored_t,xenstored_tmp_t,xenstored_tmp_t)
+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
+
# pid file
manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
+# log files
+manage_dirs_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t)
+manage_files_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t)
+manage_sock_files_pattern(xenstored_t,xenstored_var_log_t,xenstored_var_log_t)
+logging_log_filetrans(xenstored_t,xenstored_var_log_t,{ sock_file file dir })
+
# var/lib files for xenstored
manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
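Review bot: two things in the xenstored block need the message to say why: `sys_resource` on xenstored_t (which rlimit does xenstored raise?), and `sock_file` in both manage_sock_files_pattern and `logging_log_filetrans(xenstored_t,xenstored_var_log_t,{ sock_file file dir })`. The sock_file entries look copied from the xend log rules above; unless xenstored actually creates a socket in its log directory, drop them and keep the filetrans to `{ file dir }`.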
@@ -318,12 +346,13 @@
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xm_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
+manage_sock_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
@@ -336,6 +365,7 @@
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
@@ -351,8 +381,11 @@
storage_raw_read_fixed_disk(xm_t)
+fs_getattr_all_fs(xm_t)
+
term_use_all_terms(xm_t)
+init_stream_connect_script(xm_t)
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
@@ -363,6 +396,23 @@
sysnet_read_config(xm_t)
+sysadm_dontaudit_search_home_dirs(xm_t)
+
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
+
+tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+')
+
+optional_policy(`
+ unconfined_domain(xend_t)
+')
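Review bot: the `#Should have a boolean wrapping these` block and the tunable_policy and optional_policy blocks that follow all target xend_t but are appended at the end of the xm_t section; move them up into the xend local policy so the next person editing xm_t does not trip over them. The comment itself is the review finding: fs_list_auto_mountpoints, files_search_mnt, fs_getattr_all_fs and fs_read_dos_files on xend_t are unconditional here, so either wrap them in the xen_use_nfs tunable declared at the top of this file or a new one, or justify them as always needed. Finally, `optional_policy(` unconfined_domain(xend_t) ')` silently makes xend unconfined wherever the unconfined module is present, which undoes every other rule in this patch on targeted builds; that belongs under "controversial", not under "fixes and cleanups".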
--
David Härdeman
* [refpolicy-patch 23/23] qemu policy update
2008-07-19 20:50 [refpolicy-patch 00/23] Cherry-picks from Fedora SELinux patch david
` (21 preceding siblings ...)
2008-07-19 20:50 ` [refpolicy-patch 22/23] xen " david
@ 2008-07-19 20:50 ` david
22 siblings, 0 replies; 42+ messages in thread
From: david @ 2008-07-19 20:50 UTC (permalink / raw)
To: selinux; +Cc: dwalsh, cpebenito
None of these changes seem controversial, mostly a couple of new
interfaces, note that this patch relies on the xen patch.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.0/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-07-10 14:13:44.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/apps/qemu.if 2008-07-15 14:05:12.000000000 -0400
@@ -104,7 +104,71 @@
########################################
## <summary>
-## Execute a domain transition to run qemu unconfined.
+## Execute qemu programs in the qemu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the PAM domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the PAM domain to use.
+## </summary>
+## </param>
+#
+interface(`qemu_runas',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ qemu_domtrans($1)
+ allow qemu_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Execute qemu programs in the role.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the PAM domain.
+## </summary>
+## </param>
+#
+interface(`qemu_role',`
+ gen_require(`
+ type qemu_t;
+ ')
+ role $1 types qemu_t;
+')
+
+########################################
+## <summary>
+## Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the PAM domain.
+## </summary>
+## </param>
+#
+interface(`qemu_unconfined_role',`
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
+ role $1 types qemu_unconfined_t;
+')
+
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu.
## </summary>
## <param name="domain">
## <summary>
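Review bot: qemu_runas declares three parameters but uses only two: nothing in the body does `role $2 types qemu_t;`, so a caller passing a role gets no role authorization for qemu_t and the transition is refused at runtime unless qemu_role is also called. Either add the role rule or drop the parameter and its doc. Also: `allow qemu_t $3:chr_file rw_file_perms;` should be rw_term_perms for a terminal type; the three "PAM domain" descriptions are copy-paste from a login-program interface and should say "qemu domain"; and the hunk rewrites the existing summary "Execute a domain transition to run qemu unconfined." to "... to run qemu." for the interface whose body follows, which from the next hunk's context appears to be the unconfined transition (qemu_runas_unconfined calls qemu_domtrans_unconfined), so that word should be restored.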
@@ -122,6 +186,36 @@
########################################
## <summary>
+## Execute qemu programs in the qemu unconfined domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the PAM domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the PAM domain to use.
+## </summary>
+## </param>
+#
+interface(`qemu_runas_unconfined',`
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
+
+ qemu_domtrans_unconfined($1)
+ allow qemu_unconfined_t $3:chr_file rw_file_perms;
+')
+
+
+########################################
+## <summary>
## Creates types and rules for a basic
## qemu process domain.
## </summary>
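Review bot: qemu_runas_unconfined has the same gaps as qemu_runas above: `$2` is documented as a role but never used (no `role $2 types qemu_unconfined_t;`), so callers must also call qemu_unconfined_role or the transition is not permitted for that role; `rw_file_perms` on a chr_file should be `rw_term_perms`; and the two blank lines before the next separator break the one-blank-line layout used elsewhere in the file.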
@@ -133,24 +227,23 @@
#
template(`qemu_domain_template',`
- ##############################
- #
- # Local Policy
- #
-
type $1_t;
domain_type($1_t)
type $1_tmp_t;
files_tmp_file($1_tmp_t)
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
##############################
#
# Local Policy
#
allow $1_t self:capability { dac_read_search dac_override };
- allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:process { execstack execmem signal getsched signull };
+
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -160,6 +253,11 @@
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
kernel_read_system_state($1_t)
corenet_all_recvfrom_unlabeled($1_t)
@@ -171,7 +269,10 @@
corenet_tcp_bind_vnc_port($1_t)
corenet_rw_tun_tap_dev($1_t)
-# dev_rw_kvm($1_t)
+ dev_read_sound($1_t)
+ dev_write_sound($1_t)
+ dev_rw_kvm($1_t)
+ dev_rw_qemu($1_t)
domain_use_interactive_fds($1_t)
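Review bot: uncommenting dev_rw_kvm and adding dev_rw_qemu, dev_read_sound and dev_write_sound inside qemu_domain_template gives these to every domain built from the template, confined or not. Sound device access for a headless qemu instance is questionable; consider gating it on a tunable the way qemu_full_network already gates networking in qemu.te. Please also confirm dev_rw_qemu is defined in the devices module of the tree this targets, since the message says nothing about a matching devices.if change.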
@@ -191,6 +292,8 @@
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
+ auth_use_nsswitch($1_t)
+
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
@@ -198,9 +301,9 @@
sysnet_read_config($1_t)
-# optional_policy(`
-# samba_domtrans_smb($1_t)
-# ')
+ optional_policy(`
+ samba_domtrans_smb($1_t)
+ ')
optional_policy(`
virt_manage_images($1_t)
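Review bot: enabling samba_domtrans_smb for every template domain needs a reason in the message (qemu's built-in -smb option spawning smbd is presumably it); a transition into the smbd domain from a guest-facing process is a notable privilege change, not a trivial uncomment, and if it is only needed for that option it is a candidate for a tunable.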
@@ -212,6 +315,24 @@
xserver_stream_connect_xdm_xserver($1_t)
xserver_read_xdm_tmp_files($1_t)
xserver_read_xdm_pid($1_t)
-# xserver_xdm_rw_shm($1_t)
+ xserver_xdm_rw_shm($1_t)
')
')
+
+########################################
+## <summary>
+## Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
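Review bot: the summary "Set the schedule on qemu." for the new qemu_setsched interface should read "Set the scheduler information of qemu processes." in line with the other *_setsched interfaces; the rule itself is fine. Uncommenting xserver_xdm_rw_shm in the same hunk is another unconditional widening for every template domain and should be mentioned in the message.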
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.0/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-07-10 11:38:45.000000000 -0400
+++ serefpolicy-3.5.0/policy/modules/apps/qemu.te 2008-07-15 14:05:12.000000000 -0400
@@ -13,6 +13,20 @@
## </desc>
gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
type qemu_exec_t;
qemu_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
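Review bot: both new tunables default to true (`gen_tunable(qemu_use_nfs, true)`, `gen_tunable(qemu_use_cifs, true)`), whereas the companion xen patch declares xen_use_nfs false and refpolicy tunables that widen access normally default off. Shipping these on means every qemu_t instance can manage all NFS files out of the box; default them to false and let the administrator turn them on.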
@@ -35,6 +49,22 @@
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
########################################
#
# qemu_unconfined local policy
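Review bot: the `optional_policy(` xen_rw_image_files(qemu_t) ')` block is added twice back to back; drop one. The two tunable blocks are also asymmetric: qemu_use_nfs grants fs_manage_nfs_files(qemu_t) while qemu_use_cifs grants only fs_manage_cifs_dirs(qemu_t), which lets qemu create and delete directory entries on CIFS but not read or write the image files in them; that should be fs_manage_cifs_files, and if the goal is image access both could be rw rather than manage.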
--
David Härdeman
* Re: [refpolicy-patch 02/23] anaconda policy update
2008-07-19 20:50 ` [refpolicy-patch 02/23] anaconda " david
@ 2008-07-20 5:53 ` Russell Coker
2008-07-22 10:16 ` Daniel J Walsh
1 sibling, 0 replies; 42+ messages in thread
From: Russell Coker @ 2008-07-20 5:53 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh, cpebenito
On Sunday 20 July 2008 06:50, david@hardeman.nu wrote:
> Anaconda is a RH installation program, RH should know their own program and
> the changes are quite trivial
Might it be better to leave the Anaconda and dpkg policy in the distribution
trees? It doesn't seem to provide much benefit to non Red Hat users to have
Anaconda policy.
Does Red Hat actually do anything useful with the Anaconda policy? Last time
I checked the installation was run in permissive mode (there doesn't really
seem to be a benefit in enforcing mode) so it's not as if anaconda.te is
needed to permit the install to operate. Even so there is unconfined_t
which could be used for an enforcing-mode install (last time I checked it was
not possible to directly install a Red Hat distribution with strict policy).
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
* Re: [refpolicy-patch 02/23] anaconda policy update
2008-07-19 20:50 ` [refpolicy-patch 02/23] anaconda " david
2008-07-20 5:53 ` Russell Coker
@ 2008-07-22 10:16 ` Daniel J Walsh
2008-07-22 20:36 ` Chris PeBenito
1 sibling, 1 reply; 42+ messages in thread
From: Daniel J Walsh @ 2008-07-22 10:16 UTC (permalink / raw)
To: david; +Cc: selinux, cpebenito
david@hardeman.nu wrote:
> Anaconda is a RH installation program, RH should know their own program and
> the changes are quite trivial
>
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.0/policy/modules/admin/anaconda.te
> --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/admin/anaconda.te 2008-07-15 14:05:12.000000000 -0400
> @@ -31,16 +31,11 @@
> modutils_domtrans_insmod(anaconda_t)
>
> seutil_domtrans_semanage(anaconda_t)
> -
> -unconfined_domain(anaconda_t)
> +seutil_domtrans_setsebool(anaconda_t)
>
> unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
>
> optional_policy(`
> - dmesg_domtrans(anaconda_t)
> -')
> -
> -optional_policy(`
> kudzu_domtrans(anaconda_t)
> ')
>
> @@ -58,5 +53,9 @@
> ')
>
> optional_policy(`
> + unconfined_domain(anaconda_t)
> +')
> +
> +optional_policy(`
> usermanage_domtrans_admin_passwd(anaconda_t)
> ')
>
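Review bot: wrapping `unconfined_domain(anaconda_t)` in optional_policy means that on a build without the unconfined module anaconda_t silently becomes a confined domain with only the handful of rules in this file, which is not a trivial change. If the unconfined module is a hard requirement for anaconda, keep the call unconditional as it was, or state the module dependency in the message.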
The main goal of this patch was to get anaconda AVC messages out of the
log files. Anaconda has to run the installation in permissive mode so
we need to avoid avc messages by making it unconfined and avoid
transitions wherever possible. The goal is to have /root/anaconda.log
without any SELinux errors. As for Russell's comments we might want to
make this more of a generic installer policy?
* Re: [refpolicy-patch 07/23] corenetwork policy update
2008-07-19 20:50 ` [refpolicy-patch 07/23] corenetwork " david
@ 2008-07-22 10:18 ` Daniel J Walsh
0 siblings, 0 replies; 42+ messages in thread
From: Daniel J Walsh @ 2008-07-22 10:18 UTC (permalink / raw)
To: david; +Cc: selinux, cpebenito
david@hardeman.nu wrote:
> This patch should be a no-brainer, additional network port names only...
>
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.0/policy/modules/kernel/corenetwork.te.in
> --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:25:03.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/kernel/corenetwork.te.in 2008-07-15 14:05:12.000000000 -0400
> @@ -75,6 +75,7 @@
> network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
> network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
> network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
> +network_port(audit, tcp,60,s0)
> network_port(auth, tcp,113,s0)
> network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
> type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
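Review bot: `network_port(audit, tcp,60,s0)` labels a port that has no IANA registration and sits in the privileged range, so any future registered service on 60 collides with audit_port_t; the convention visible in this same file for a port without a fixed assignment (biff, lrrd) is to declare the type with no portcon. Declare audit_port_t that way or leave the port unlabelled until the dispatcher's port is fixed.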
> @@ -82,6 +83,7 @@
> network_port(clockspeed, udp,4041,s0)
> network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
> network_port(comsat, udp,512,s0)
> +network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
> network_port(cvs, tcp,2401,s0, udp,2401,s0)
> network_port(dcc, udp,6276,s0, udp,6277,s0)
> network_port(dbskkd, tcp,1178,s0)
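Review bot: `network_port(cyphesis, ...)` is inserted before cvs, breaking the alphabetical order the file keeps (cvs sorts before cyphesis); move it one line down. Also udp/32771 is in the dynamic range and not obviously cyphesis-specific, so say where that number comes from.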
> @@ -91,6 +93,7 @@
> network_port(distccd, tcp,3632,s0)
> network_port(dns, udp,53,s0, tcp,53,s0)
> network_port(fingerd, tcp,79,s0)
> +network_port(flash, tcp,1935,s0, udp,1935,s0)
> network_port(ftp_data, tcp,20,s0)
> network_port(ftp, tcp,21,s0)
> network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
> @@ -109,11 +112,13 @@
> network_port(ircd, tcp,6667,s0)
> network_port(isakmp, udp,500,s0)
> network_port(iscsi, tcp,3260,s0)
> +network_port(isns, tcp,3205,s0, udp,3205,s0)
> network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
> network_port(jabber_interserver, tcp,5269,s0)
> network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
> network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
> network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
> +network_port(kprop, tcp,754,s0)
> network_port(ktalkd, udp,517,s0, udp,518,s0)
> network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
> type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
> @@ -122,6 +127,8 @@
> network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> network_port(monopd, tcp,1234,s0)
> network_port(msnp, tcp,1863,s0, udp,1863,s0)
> +network_port(munin, tcp,4949,s0, udp,4949,s0)
> +network_port(mythtv, tcp,6543,s0, udp,6543,s0)
> network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
> portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
> network_port(nessus, tcp,1241,s0)
> @@ -133,10 +140,13 @@
> network_port(pegasus_http, tcp,5988,s0)
> network_port(pegasus_https, tcp,5989,s0)
> network_port(postfix_policyd, tcp,10031,s0)
> +network_port(pulseaudio, tcp,4713,s0)
> +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
> network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
> network_port(portmap, udp,111,s0, tcp,111,s0)
> network_port(postgresql, tcp,5432,s0)
> network_port(postgrey, tcp,60000,s0)
> +network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pxe, udp,4011,s0)
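Review bot: pulseaudio and pgpkeyserver are inserted before pop, and prelude after postgrey, so the alphabetical order is broken twice (pgpkeyserver belongs before pop, pulseaudio after ptal). `udp, 11371` also has a stray space that no other entry has.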
> @@ -148,11 +158,11 @@
> network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
> network_port(rlogind, tcp,513,s0)
> network_port(rndc, tcp,953,s0)
> -network_port(router, udp,520,s0)
> +network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
> network_port(rsh, tcp,514,s0)
> network_port(rsync, tcp,873,s0, udp,873,s0)
> network_port(rwho, udp,513,s0)
> -network_port(smbd, tcp,139,s0, tcp,445,s0)
> +network_port(smbd, tcp,137-139,s0, tcp,445,s0)
> network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
> network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
> network_port(spamd, tcp,783,s0)
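Review bot: widening smbd from tcp/139 to `tcp,137-139` labels the NetBIOS name and datagram service ports (137, 138) as smbd_port_t; smbd listens on 139 and 445, while 137 and 138 are nmbd's and normally UDP, so either justify the range or reduce it to the ports smbd actually binds. The router change adding udp and tcp 521 (RIPng) is fine.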
> @@ -170,7 +180,12 @@
> network_port(transproxy, tcp,8081,s0)
> type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
> network_port(uucpd, tcp,540,s0)
> +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
> +
> network_port(vnc, tcp,5900,s0)
> +# Reserve 100 ports for vnc/virt machines
> +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0)
> +network_port(whois, tcp,43,s0, udp,43,s0)
> network_port(wccp, udp,2048,s0)
> network_port(xdmcp, udp,177,s0, tcp,177,s0)
> network_port(xen, tcp,8002,s0)
>
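Review bot: `portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0)` overlaps ports already labelled in this same file: pegasus_http tcp/5988 and pegasus_https tcp/5989, visible in the @@ -133 hunk above. Overlapping portcon entries are not flagged at build time and the lookup takes the first matching entry, so the result depends on ordering; split the range (5901-5987 and 5990-5999) or move pegasus. Also `network_port(whois, ...)` lands before wccp and breaks the alphabetical order.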
Port 60 for audit should not be added as this is not a registered port
and it could change.
* Re: [refpolicy-patch 11/23] cpucontrol policy update
2008-07-19 20:50 ` [refpolicy-patch 11/23] cpucontrol " david
@ 2008-07-22 20:25 ` Chris PeBenito
2008-07-24 12:23 ` Daniel J Walsh
1 sibling, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-22 20:25 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment
> (policy_modules_services_cpucontrol.patch)
> Only documentation changes...
This reverses an upstream change.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.if serefpolicy-3.5.0/policy/modules/services/cpucontrol.if
> --- nsaserefpolicy/policy/modules/services/cpucontrol.if 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/cpucontrol.if 2008-07-15 14:05:12.000000000 -0400
> @@ -4,9 +4,9 @@
> ## <summary>
> ## CPUcontrol stub interface. No access allowed.
> ## </summary>
> -## <param name="domain" unused="true">
> +## <param name="domain" optional="true">
> ## <summary>
> -## Domain allowed access.
> +## N/A
> ## </summary>
> ## </param>
> #
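Review bot: as with the pcmcia stub, `optional="true"` describes a parameter the caller may omit, while `unused="true"` is what marks a stub interface's parameter as ignored; the attribute being removed is the correct one and the change should be dropped.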
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [refpolicy-patch 14/23] rhgb policy update
2008-07-19 20:50 ` [refpolicy-patch 14/23] rhgb " david
@ 2008-07-22 20:29 ` Chris PeBenito
2008-07-24 0:24 ` Daniel J Walsh
2008-07-24 23:44 ` Chris PeBenito
0 siblings, 2 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-22 20:29 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_rhgb.patch)
> rhgb (RedHat Graphical Boot) is RH specific so this should be uncontroversial...
>
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.5.0/policy/modules/services/rhgb.if
> --- nsaserefpolicy/policy/modules/services/rhgb.if 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.if 2008-07-15 14:05:13.000000000 -0400
> @@ -4,7 +4,7 @@
> ## <summary>
> ## RHGB stub interface. No access allowed.
> ## </summary>
> -## <param name="domain" unused="true">
> +## <param name="domain">
> ## <summary>
> ## N/A
> ## </summary>
This reverses an upstream change.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.0/policy/modules/services/rhgb.te
> --- nsaserefpolicy/policy/modules/services/rhgb.te 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.te 2008-07-15 14:05:13.000000000 -0400
> @@ -92,6 +92,7 @@
> term_getattr_pty_fs(rhgb_t)
>
> init_write_initctl(rhgb_t)
> +init_chat(rhgb_t)
>
> libs_use_ld_so(rhgb_t)
> libs_use_shared_libs(rhgb_t)
This interface doesn't exist.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [refpolicy-patch 20/23] pcmcia policy update
2008-07-19 20:50 ` [refpolicy-patch 20/23] pcmcia " david
@ 2008-07-22 20:32 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-22 20:32 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_pcmcia.patch)
> Documentation changes only...
>
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.if serefpolicy-3.5.0/policy/modules/system/pcmcia.if
> --- nsaserefpolicy/policy/modules/system/pcmcia.if 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/system/pcmcia.if 2008-07-15 14:05:13.000000000 -0400
> @@ -4,9 +4,9 @@
> ## <summary>
> ## PCMCIA stub interface. No access allowed.
> ## </summary>
> -## <param name="domain" unused="true">
> +## <param name="domain" optional="true">
> ## <summary>
> -## Domain allowed access.
> +## N/A
> ## </summary>
> ## </param>
> #
>
Reverses an upstream change.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [refpolicy-patch 02/23] anaconda policy update
2008-07-22 10:16 ` Daniel J Walsh
@ 2008-07-22 20:36 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-22 20:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: david, selinux
On Tue, 2008-07-22 at 06:16 -0400, Daniel J Walsh wrote:
> david@hardeman.nu wrote:
> > Anaconda is a RH installation program, RH should know their own program and
> > the changes are quite trivial
> >
> > diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.0/policy/modules/admin/anaconda.te
> > --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-07-10 11:38:46.000000000 -0400
> > +++ serefpolicy-3.5.0/policy/modules/admin/anaconda.te 2008-07-15 14:05:12.000000000 -0400
> > @@ -31,16 +31,11 @@
> > modutils_domtrans_insmod(anaconda_t)
> >
> > seutil_domtrans_semanage(anaconda_t)
> > -
> > -unconfined_domain(anaconda_t)
> > +seutil_domtrans_setsebool(anaconda_t)
> >
> > unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
> >
> > optional_policy(`
> > - dmesg_domtrans(anaconda_t)
> > -')
> > -
> > -optional_policy(`
> > kudzu_domtrans(anaconda_t)
> > ')
> >
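Review bot: the removal of the `dmesg_domtrans(anaconda_t)` block is not covered by the description, which calls the changes trivial. Now that `unconfined_domain(anaconda_t)` moves into an optional_policy block, a build without the unconfined module no longer has anaconda unconfined, so the dmesg transition would actually be needed there; either explain why it is dropped or keep it.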
> > @@ -58,5 +53,9 @@
> > ')
> >
> > optional_policy(`
> > + unconfined_domain(anaconda_t)
> > +')
> > +
> > +optional_policy(`
> > usermanage_domtrans_admin_passwd(anaconda_t)
> > ')
> >
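Review bot: wrapping `unconfined_domain(anaconda_t)` in optional_policy is required since the unconfined module is optional, but the effect should be stated in the description: anaconda is only unconfined when that module is loaded, and otherwise the confined rules above are all it gets.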
> The main goal of this patch was to get anaconda AVC messages out of the
> log files. Anaconda has to run the installation in permissive mode so
> we need to avoid avc messages by making it unconfined and avoid
> transitions wherever possible. The goal is to have /root/anaconda.log
> without any SELinux errors. As for Russell's comments we might want to
> make this more of a generic installer policy?
At the moment, I'm not overly concerned about having anaconda in the
tree, since it's unconfined, and rarely gets updates. Is there even
another installer that runs with SELinux enabled, like anaconda during a
RH/Fedora install?
* Re: [refpolicy-patch 14/23] rhgb policy update
2008-07-22 20:29 ` Chris PeBenito
@ 2008-07-24 0:24 ` Daniel J Walsh
2008-07-24 23:44 ` Chris PeBenito
1 sibling, 0 replies; 42+ messages in thread
From: Daniel J Walsh @ 2008-07-24 0:24 UTC (permalink / raw)
To: Chris PeBenito; +Cc: david, selinux
Chris PeBenito wrote:
> On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
>> plain text document attachment (policy_modules_services_rhgb.patch)
>> rhgb (RedHat Graphical Boot) is RH specific so this should be uncontroversial...
>>
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.5.0/policy/modules/services/rhgb.if
>> --- nsaserefpolicy/policy/modules/services/rhgb.if 2008-07-10 11:38:46.000000000 -0400
>> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.if 2008-07-15 14:05:13.000000000 -0400
>> @@ -4,7 +4,7 @@
>> ## <summary>
>> ## RHGB stub interface. No access allowed.
>> ## </summary>
>> -## <param name="domain" unused="true">
>> +## <param name="domain">
>> ## <summary>
>> ## N/A
>> ## </summary>
>
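Review bot: dropping `unused="true"` from the domain parameter leaves the "N/A" summary without the attribute that explains it; the stub grants no access, so the upstream `unused="true"` is the accurate documentation and this hunk should be dropped.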
> This reverses an upstream change.
>
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.0/policy/modules/services/rhgb.te
>> --- nsaserefpolicy/policy/modules/services/rhgb.te 2008-07-10 11:38:46.000000000 -0400
>> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.te 2008-07-15 14:05:13.000000000 -0400
>> @@ -92,6 +92,7 @@
>> term_getattr_pty_fs(rhgb_t)
>>
>> init_write_initctl(rhgb_t)
>> +init_chat(rhgb_t)
>>
>> libs_use_ld_so(rhgb_t)
>> libs_use_shared_libs(rhgb_t)
>
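Review bot: `init_chat(rhgb_t)` calls an interface that upstream refpolicy does not define; it only exists in the Fedora init.if changes, so this hunk cannot be merged ahead of the init module change that introduces the interface, and the description should say it depends on that change.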
> This interface doesn't exist.
>
Here is the patch I sent you a couple of weeks ago with the init_chat
patch. This patch also includes the critical change to using labeled
initrc scripts.
[-- Attachment #2: system_init.patch --]
--- nsaserefpolicy/policy/modules/system/init.fc 2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/init.fc 2008-07-23 20:17:11.000000000 -0400
@@ -4,8 +4,7 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
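Review bot: `/etc/rc\.d/rc\.[^/]+` is wider than the two entries it replaces: any file an admin drops into /etc/rc.d with an `rc.` prefix (an `rc.local.bak`, for instance) becomes initrc_exec_t and therefore an entry point into initrc_t. If that is intended, say so in the description; otherwise list the rc.* scripts explicitly.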
--- nsaserefpolicy/policy/modules/system/init.if 2008-07-16 10:26:25.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/init.if 2008-07-23 20:17:11.000000000 -0400
@@ -211,6 +211,19 @@
kernel_dontaudit_use_fds($1)
')
')
+
+ sysadm_dontaudit_search_home_dirs($1)
+
+ tunable_policy(`allow_daemons_use_tty',`
+ term_use_all_user_ttys($1)
+ term_use_all_user_ptys($1)
+ ', `
+ term_dontaudit_use_all_user_ttys($1)
+ term_dontaudit_use_all_user_ptys($1)
+ ')
+
+ # these apps are often redirect output to random log files
+ logging_rw_all_logs($1)
')
########################################
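Review bot: `logging_rw_all_logs($1)` hands every domain created through this interface read/write access to every log type, so one compromised daemon can alter another service's logs; the comment says the motive is stray output redirection, which a dontaudit or a per-daemon append rule would cover far more narrowly. Minor: the comment should read "these apps often redirect output to random log files".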
@@ -550,18 +563,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
')
files_list_etc($1)
- spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
+ spec_domtrans_pattern($1,initscript,initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 initscript:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 initscript:process s0 - mls_systemhigh;
')
')
@@ -577,19 +591,66 @@
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute initscript;
+ ')
+
+ files_list_etc($1)
+ domtrans_pattern($1,initscript,initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initscript:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initscript:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute init a specific script with an automatic domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_script_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
')
files_list_etc($1)
- domtrans_pattern($1,initrc_exec_t,initrc_t)
+ domtrans_pattern($1,$2,initrc_t)
ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 $2:process s0;
')
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 $2:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
')
+
+ corecmd_bin_domtrans($1, initrc_t)
')
########################################
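Review bot: `init_script_domtrans_spec` uses `$2` as the script type but its XML block only declares the `domain` parameter; add a second `<param>` for the script type and fix the summary "Execute init a specific script". `init_bin_domtrans_spec` is also much broader than its summary suggests: `corecmd_bin_domtrans($1, initrc_t)` makes every bin_t executable an entry point into initrc_t for the caller, not just init scripts, and that should be spelled out in the summary.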
@@ -619,11 +680,11 @@
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- domain_auto_trans($1,initrc_exec_t,$2)
+ domain_auto_trans($1,initscript,$2)
')
########################################
@@ -694,11 +755,11 @@
#
interface(`init_getattr_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- allow $1 initrc_exec_t:file getattr;
+ allow $1 initscript:file getattr;
')
########################################
@@ -713,11 +774,11 @@
#
interface(`init_exec_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_list_etc($1)
- can_exec($1,initrc_exec_t)
+ can_exec($1,initscript)
')
########################################
@@ -941,6 +1002,7 @@
dontaudit $1 initrc_t:unix_stream_socket connectto;
')
+
########################################
## <summary>
## Send messages to init scripts over dbus.
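Review bot: whitespace-only hunk; drop it so the patch contains only functional changes.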
@@ -1040,11 +1102,11 @@
#
interface(`init_read_script_files',`
gen_require(`
- type initrc_exec_t;
+ attribute initscript;
')
files_search_etc($1)
- allow $1 initrc_exec_t:file read_file_perms;
+ allow $1 initscript:file read_file_perms;
')
########################################
@@ -1107,6 +1169,25 @@
########################################
## <summary>
+## Read init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
+')
+
+########################################
+## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
@@ -1262,7 +1343,7 @@
type initrc_var_run_t;
')
- dontaudit $1 initrc_var_run_t:file { getattr read write append };
+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
########################################
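Review bot: `rw_file_perms` is a superset of `{ getattr read write append }` (it adds ioctl, lock and open); that is acceptable for a dontaudit, but note that it will also silence ioctl and lock denials that were previously visible.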
@@ -1283,3 +1364,113 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_init_state',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_file_perms;
+')
+
+########################################
+## <summary>
+## Ptrace init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace_init_domain',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Make the specified type usable for initscripts
+## in a filesystem.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+#
+interface(`init_script_type',`
+ gen_require(`
+ type initrc_t;
+ attribute initscript;
+ ')
+
+ typeattribute $1 initscript;
+ domain_entry_file(initrc_t,$1)
+
+')
+
+########################################
+## <summary>
+## Transition to system_r when execute an init script
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified role
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_role">
+## <summary>
+## Role to transition from.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_role_transition',`
+ gen_require(`
+ attribute initscript;
+ ')
+
+ role_transition $1 initscript system_r;
+')
+
+########################################
+## <summary>
+## Send and receive unix_stream_messages with
+## init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_chat',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
+
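Review bot: `init_read_init_state` and `init_ptrace_init_domain` declare `attribute init_t;` in their gen_require, but init_t is a type (`init_chat` below correctly requires `type init_t;`), so both interfaces will fail at link time; change them to `type init_t;`. `init_ptrace_init_domain` also hands out ptrace on init, which effectively lets the caller control PID 1, so it should stay reserved for admin roles. Minor: stray blank line before the closing `')` in `init_script_type`, and the `# cjp: added for gentoo integrated run_init` comment copied onto `init_script_role_transition` belongs to a different interface.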
--- nsaserefpolicy/policy/modules/system/init.te 2008-07-16 10:33:56.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/init.te 2008-07-23 20:17:11.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core,false)
+
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
@@ -26,6 +40,8 @@
# Mark process types as daemons
attribute daemon;
+attribute initscript;
+
#
# init_t is the domain of the init process.
#
@@ -52,7 +68,7 @@
mls_trusted_object(initctl_t)
type initrc_t;
-type initrc_exec_t;
+type initrc_exec_t, initscript;
domain_type(initrc_t)
domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
@@ -84,7 +100,7 @@
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
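Review bot: removing audit_control and audit_write from init_t's capability set is a good tightening, but the comment directly below it still discusses only `~sys_module`; update it to match the new exclusion list.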
@@ -97,7 +113,7 @@
# Re-exec itself
can_exec(init_t,init_exec_t)
-allow init_t initrc_t:unix_stream_socket connectto;
+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
@@ -113,6 +129,8 @@
kernel_read_system_state(init_t)
kernel_share_state(init_t)
+fs_list_inotifyfs(init_t)
+
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
@@ -165,6 +183,8 @@
miscfiles_read_localization(init_t)
+allow init_t self:process setsched;
+
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
@@ -187,6 +207,14 @@
')
optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
+optional_policy(`
nscd_socket_use(init_t)
')
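Review bot: this optional_policy block applies to initrc_t but is inserted among the init_t rules (the neighbouring block is `nscd_socket_use(init_t)`); move it to the initrc_t optional_policy section, keeping the alphabetical order used for the other service blocks.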
@@ -200,7 +228,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
@@ -214,10 +242,10 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
-# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
+init_chat(initrc_t)
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t,initscript)
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
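Review bot: the "# Going to single user mode" comment is dropped together with `init_exec(initrc_t)`; if `init_telinit(initrc_t)` is what now covers that case, keep the comment on the new rule so the reason for the access stays documented. `init_chat(initrc_t)` also depends on the new interface from the init.if part of this patch, which means the .te and .if changes cannot be split.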
@@ -270,7 +298,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
-dev_read_lvm_control(initrc_t)
+dev_rw_lvm_control(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -515,6 +543,31 @@
')
')
+domain_dontaudit_use_interactive_fds(daemon)
+
+sysadm_dontaudit_search_home_dirs(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ term_use_all_user_ttys(daemon)
+ term_use_all_user_ptys(daemon)
+', `
+ term_dontaudit_use_unallocated_ttys(daemon)
+ term_dontaudit_use_generic_ptys(daemon)
+ term_dontaudit_use_all_user_ttys(daemon)
+ term_dontaudit_use_all_user_ptys(daemon)
+ ')
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+ files_dump_core(daemon)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
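Review bot: the comment "system-config-services causes avc messages that should be dontaudited" sits above the allow_daemons_dump_core block, but `files_dump_core(daemon)` is an allow rule, not a dontaudit, so either the comment or the rule is wrong. Style: the closing `')` of the allow_daemons_use_tty tunable_policy block is indented while its opening `tunable_policy(` is not.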
@@ -573,6 +626,10 @@
dbus_read_config(initrc_t)
optional_policy(`
+ consolekit_dbus_chat(initrc_t)
+ ')
+
+ optional_policy(`
networkmanager_dbus_chat(initrc_t)
')
')
@@ -658,12 +715,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-# cjp: require doesnt work in the else of optionals :\
-# this also would result in a type transition
-# conflict if sendmail is enabled
-#optional_policy(`',`
-# mta_send_mail(initrc_t)
-#')
optional_policy(`
ifdef(`distro_redhat',`
@@ -724,6 +775,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
')
optional_policy(`
@@ -736,9 +790,11 @@
squid_manage_logs(initrc_t)
')
-optional_policy(`
- # allow init scripts to su
- su_restricted_domain_template(initrc,initrc_t,system_r)
+ifndef(`targeted_policy',`
+ optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc,initrc_t,system_r)
+ ')
')
optional_policy(`
@@ -757,6 +813,11 @@
uml_setattr_util_sockets(initrc_t)
')
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_rw_pipes(daemon)
+')
+
optional_policy(`
unconfined_domain(initrc_t)
@@ -771,6 +832,10 @@
')
optional_policy(`
+ rpm_dontaudit_rw_pipes(daemon)
+')
+
+optional_policy(`
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
@@ -793,3 +858,8 @@
optional_policy(`
zebra_read_config(initrc_t)
')
+
+unprivuser_append_home_content_files(daemon)
+unprivuser_write_tmp_files(daemon)
+logging_append_all_logs(daemon)
+
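Review bot: `unprivuser_append_home_content_files(daemon)` and `unprivuser_write_tmp_files(daemon)` give every daemon write access into user home content and user tmp files unconditionally; that is a cross-domain write that should be scoped to the daemons that need it or put behind a tunable, like the tty rules earlier in this patch. These rules also land at the end of the file, away from the other daemon-attribute rules added above, and add a trailing blank line.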
* Re: [refpolicy-patch 11/23] cpucontrol policy update
2008-07-19 20:50 ` [refpolicy-patch 11/23] cpucontrol " david
2008-07-22 20:25 ` Chris PeBenito
@ 2008-07-24 12:23 ` Daniel J Walsh
1 sibling, 0 replies; 42+ messages in thread
From: Daniel J Walsh @ 2008-07-24 12:23 UTC (permalink / raw)
To: david; +Cc: selinux, cpebenito
david@hardeman.nu wrote:
> Only documentation changes...
>
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.if serefpolicy-3.5.0/policy/modules/services/cpucontrol.if
> --- nsaserefpolicy/policy/modules/services/cpucontrol.if 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/cpucontrol.if 2008-07-15 14:05:12.000000000 -0400
> @@ -4,9 +4,9 @@
> ## <summary>
> ## CPUcontrol stub interface. No access allowed.
> ## </summary>
> -## <param name="domain" unused="true">
> +## <param name="domain" optional="true">
> ## <summary>
> -## Domain allowed access.
> +## N/A
> ## </summary>
> ## </param>
> #
>
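Review bot: same problem as the other stub interfaces in this series: `optional="true"` says the caller may omit the argument, while the stub simply ignores it, which the upstream `unused="true"` already documents; drop this hunk.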
This is a reversal of upstream which I have removed from the latest rawhide policy.
* Re: [refpolicy-patch 14/23] rhgb policy update
2008-07-22 20:29 ` Chris PeBenito
2008-07-24 0:24 ` Daniel J Walsh
@ 2008-07-24 23:44 ` Chris PeBenito
2008-07-25 1:25 ` Daniel J Walsh
1 sibling, 1 reply; 42+ messages in thread
From: Chris PeBenito @ 2008-07-24 23:44 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Tue, 2008-07-22 at 16:29 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> > plain text document attachment (policy_modules_services_rhgb.patch)
> > rhgb (RedHat Graphical Boot) is RH specific so this should be uncontroversial...
> >
> > diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.5.0/policy/modules/services/rhgb.if
> > --- nsaserefpolicy/policy/modules/services/rhgb.if 2008-07-10 11:38:46.000000000 -0400
> > +++ serefpolicy-3.5.0/policy/modules/services/rhgb.if 2008-07-15 14:05:13.000000000 -0400
> > @@ -4,7 +4,7 @@
> > ## <summary>
> > ## RHGB stub interface. No access allowed.
> > ## </summary>
> > -## <param name="domain" unused="true">
> > +## <param name="domain">
> > ## <summary>
> > ## N/A
> > ## </summary>
>
> This reverses an upstream change.
>
> > diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.0/policy/modules/services/rhgb.te
> > --- nsaserefpolicy/policy/modules/services/rhgb.te 2008-07-10 11:38:46.000000000 -0400
> > +++ serefpolicy-3.5.0/policy/modules/services/rhgb.te 2008-07-15 14:05:13.000000000 -0400
> > @@ -92,6 +92,7 @@
> > term_getattr_pty_fs(rhgb_t)
> >
> > init_write_initctl(rhgb_t)
> > +init_chat(rhgb_t)
> >
> > libs_use_ld_so(rhgb_t)
> > libs_use_shared_libs(rhgb_t)
>
> This interface doesn't exist.
This is more towards Dan, but how much do we care about this policy, now
that rhgb has been removed from Fedora?
* Re: [refpolicy-patch 13/23] portslave policy update
2008-07-19 20:50 ` [refpolicy-patch 13/23] portslave " david
@ 2008-07-25 0:00 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-25 0:00 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_portslave.patch)
> Trivial patch
Merged.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.5.0/policy/modules/services/portslave.te
> --- nsaserefpolicy/policy/modules/services/portslave.te 2008-06-12 23:25:05.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/portslave.te 2008-07-15 14:05:13.000000000 -0400
> @@ -12,7 +12,7 @@
> init_daemon_domain(portslave_t,portslave_exec_t)
>
> type portslave_etc_t;
> -files_type(portslave_etc_t)
> +files_config_file(portslave_etc_t)
>
> type portslave_lock_t;
> files_lock_file(portslave_lock_t)
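Review bot: the change is correct but not quite "trivial": `files_config_file()` still marks portslave_etc_t as a file type and additionally tags it as configuration, so interfaces that operate on all config files now cover it; stating that widening in the description would help reviewers.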
* Re: [refpolicy-patch 14/23] rhgb policy update
2008-07-24 23:44 ` Chris PeBenito
@ 2008-07-25 1:25 ` Daniel J Walsh
0 siblings, 0 replies; 42+ messages in thread
From: Daniel J Walsh @ 2008-07-25 1:25 UTC (permalink / raw)
To: Chris PeBenito; +Cc: david, selinux
Chris PeBenito wrote:
> On Tue, 2008-07-22 at 16:29 -0400, Chris PeBenito wrote:
>> On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
>>> plain text document attachment (policy_modules_services_rhgb.patch)
>>> rhgb (RedHat Graphical Boot) is RH specific so this should be uncontroversial...
>>>
>>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.5.0/policy/modules/services/rhgb.if
>>> --- nsaserefpolicy/policy/modules/services/rhgb.if 2008-07-10 11:38:46.000000000 -0400
>>> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.if 2008-07-15 14:05:13.000000000 -0400
>>> @@ -4,7 +4,7 @@
>>> ## <summary>
>>> ## RHGB stub interface. No access allowed.
>>> ## </summary>
>>> -## <param name="domain" unused="true">
>>> +## <param name="domain">
>>> ## <summary>
>>> ## N/A
>>> ## </summary>
>> This reverses an upstream change.
>>
>>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.0/policy/modules/services/rhgb.te
>>> --- nsaserefpolicy/policy/modules/services/rhgb.te 2008-07-10 11:38:46.000000000 -0400
>>> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.te 2008-07-15 14:05:13.000000000 -0400
>>> @@ -92,6 +92,7 @@
>>> term_getattr_pty_fs(rhgb_t)
>>>
>>> init_write_initctl(rhgb_t)
>>> +init_chat(rhgb_t)
>>>
>>> libs_use_ld_so(rhgb_t)
>>> libs_use_shared_libs(rhgb_t)
>> This interface doesn't exist.
>
> This is more towards Dan, but how much do we care about this policy, now
> that rhgb has been removed from Fedora?
>
Probably not for Fedora, but it is still in RHEL5.
* Re: [refpolicy-patch 21/23] raid policy update
2008-07-19 20:50 ` [refpolicy-patch 21/23] raid " david
@ 2008-07-25 12:14 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-25 12:14 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_raid.patch)
> The original patch also added dev_read_realtime_clock(mdadm_t)
> which I removed since I couldn't find a version of mdadm in
> Debian or RedHat which actually read /dev/rtc (and likewise
> for /sbin/mdmpd on RH).
Partial merge (see below)
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.0/policy/modules/system/raid.te
> --- nsaserefpolicy/policy/modules/system/raid.te 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/system/raid.te 2008-07-15 14:05:13.000000000 -0400
> @@ -19,7 +19,7 @@
> # Local policy
> #
>
> -allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
> +allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };
> dontaudit mdadm_t self:capability sys_tty_config;
> allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
> allow mdadm_t self:fifo_file rw_fifo_file_perms;
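Review bot: the description does not say what mdadm needs `mknod` for; if it is for creating device nodes, `storage_manage_fixed_disk()` already grants that capability, so the explicit mknod in this hunk is redundant and should be dropped.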
An explicit mknod isn't needed because storage_manage_fixed_disk()
provides the capability.
> @@ -86,3 +86,7 @@
> optional_policy(`
> udev_read_db(mdadm_t)
> ')
> +
> +optional_policy(`
> + unconfined_domain(mdadm_t)
> +')
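Review bot: putting `unconfined_domain(mdadm_t)` in optional_policy is correct, but it silently removes confinement for mdadm on any build with the unconfined module loaded; the description should note that this is intended and that the confined rules above remain the effective policy when that module is absent.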
This part is merged.
* Re: [refpolicy-patch 18/23] miscfiles policy update
2008-07-19 20:50 ` [refpolicy-patch 18/23] miscfiles " david
@ 2008-07-25 12:14 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-25 12:14 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_miscfiles.patch)
> Trivial change (perhaps RH specific path?)...
Merged; in distro_redhat block.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.5.0/policy/modules/system/miscfiles.fc
> --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-06-12 23:25:07.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/system/miscfiles.fc 2008-07-15 14:05:13.000000000 -0400
> @@ -11,6 +11,7 @@
> /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
> /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> +/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
>
> #
> # /opt
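Review bot: /etc/sysconfig/clock is a Red Hat-specific path, as the description itself suspects; it belongs inside an `ifdef(`distro_redhat')` block rather than unconditionally in the generic section of miscfiles.fc.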
* Re: [refpolicy-patch 19/23] netlabel policy update
2008-07-19 20:50 ` [refpolicy-patch 19/23] netlabel " david
@ 2008-07-25 12:14 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-25 12:14 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_system_netlabel.patch)
> Trivial patch
Merged.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.5.0/policy/modules/system/netlabel.te
> --- nsaserefpolicy/policy/modules/system/netlabel.te 2008-06-12 23:25:07.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/system/netlabel.te 2008-07-15 14:05:13.000000000 -0400
> @@ -9,6 +9,7 @@
> type netlabel_mgmt_t;
> type netlabel_mgmt_exec_t;
> application_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
> +role system_r types netlabel_mgmt_t;
>
> ########################################
> #
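Review bot: `role system_r types netlabel_mgmt_t` is needed because `application_domain()` assigns no role, so without it init scripts cannot run the netlabel management tool in system_r; the description should say that this is the motivation instead of "Trivial patch".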
* Re: [refpolicy-patch 15/23] soundserver policy update
2008-07-19 20:50 ` [refpolicy-patch 15/23] soundserver " david
@ 2008-07-28 12:37 ` Chris PeBenito
0 siblings, 0 replies; 42+ messages in thread
From: Chris PeBenito @ 2008-07-28 12:37 UTC (permalink / raw)
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_services_soundserver.patch)
> This policy was written by Ken Yang and reviewed by Dan Walsh:
> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
> and here:
> https://bugzilla.redhat.com/show_bug.cgi?id=250453
>
> I updated the .fc changes to also work with Debian paths.
Does not apply cleanly.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.0/policy/modules/services/soundserver.fc
> --- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-06-12 23:25:05.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/soundserver.fc 2008-07-15 14:05:13.000000000 -0400
> @@ -7,4 +7,8 @@
> /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
>
> /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
> +/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
> +
> /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
> +
> +/etc/(rc.d/)?init.d/nas(d)? -- gen_context(system_u:object_r:soundd_script_exec_t,s0)
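Review bot: the two bare `+` lines add trailing blank lines to the .fc (one after the nasd entry, one before the init script entry), which is whitespace churn in a file that otherwise has none; drop them and keep the init-script entry grouped with the other entries. `nas(d)?` can be written `nasd?`. Note also that the init-script entry depends on `soundd_script_exec_t`, which only exists after the soundserver.te part of this same patch declares it, so the .fc change cannot be merged on its own.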
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.0/policy/modules/services/soundserver.if
> --- nsaserefpolicy/policy/modules/services/soundserver.if 2008-06-12 23:25:05.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/soundserver.if 2008-07-15 14:05:13.000000000 -0400
> @@ -13,3 +13,74 @@
> interface(`soundserver_tcp_connect',`
> refpolicywarn(`$0($*) has been deprecated.')
> ')
> +
> +########################################
> +## <summary>
> +## Execute soundd server in the soundd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +#
> +interface(`soundserver_script_domtrans',`
> + gen_require(`
> + type soundd_script_exec_t;
> + ')
> +
> + init_script_domtrans_spec($1,soundd_script_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an soundd environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed to manage the soundd domain.
> +## </summary>
> +## </param>
> +## <param name="terminal">
> +## <summary>
> +## The type of the user terminal.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`soundserver_admin',`
> + gen_require(`
> + type soundd_t;
> + type soundd_script_exec_t;
> + type soundd_etc_t;
> + type soundd_tmp_t;
> + type soundd_var_run_t;
> + ')
> +
> + allow $1 soundd_t:process { ptrace signal_perms getattr };
> + read_files_pattern($1, soundd_t, soundd_t)
> +
> + # Allow soundd_t to restart the apache service
> + soundserver_script_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 soundd_script_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_tmp($1)
> + manage_all_pattern($1,soundd_tmp_t)
> +
> + files_list_etc($1)
> + manage_all_pattern($1,soundd_etc_t)
> +
> + files_list_pids($1)
> + manage_all_pattern($1,soundd_var_run_t)
> +')
> +
> +
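Review bot: the comment `# Allow soundd_t to restart the apache service` in soundserver_admin is a copy-paste leftover; what the following `soundserver_script_domtrans($1)` actually grants is that $1 (the admin domain) may run the soundd init script, so the comment should say that. The interface also leaves out `soundd_state_t` (declared in soundserver.te and used for /var/state/yiff in the .fc) and possibly `soundd_tmpfs_t`, so an admin role could not clean up the daemon's state directory; add them to the gen_require with a matching `manage_all_pattern($1,soundd_state_t)` plus a list rule for its parent directory, or document why they are omitted. Smaller points: the doubled `#` lines before soundserver_script_domtrans, "an soundd environment" in the summary, and the two trailing blank `+` lines at the end of the file.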
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.0/policy/modules/services/soundserver.te
> --- nsaserefpolicy/policy/modules/services/soundserver.te 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/soundserver.te 2008-07-15 14:05:13.000000000 -0400
> @@ -10,9 +10,6 @@
> type soundd_exec_t;
> init_daemon_domain(soundd_t,soundd_exec_t)
>
> -type soundd_etc_t alias etc_soundd_t;
> -files_type(soundd_etc_t)
> -
> type soundd_state_t;
> files_type(soundd_state_t)
>
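Review bot: this hunk drops `alias etc_soundd_t` when the soundd_etc_t declaration is moved (it reappears in the next hunk as a plain `type soundd_etc_t;`). Aliases exist so that existing file labels and third-party modules that still reference the old name keep working; unless etc_soundd_t is known to be unused, keep it on the moved declaration: `type soundd_etc_t alias etc_soundd_t;`.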
> @@ -26,21 +23,30 @@
> type soundd_var_run_t;
> files_pid_file(soundd_var_run_t)
>
> +type soundd_etc_t;
> +files_config_file(soundd_etc_t)
> +
> +type soundd_script_exec_t;
> +init_script_type(soundd_script_exec_t)
> +
> ########################################
> #
> -# Declarations
> +# sound server local policy
> #
>
> +allow soundd_t self:capability dac_override;
> dontaudit soundd_t self:capability sys_tty_config;
> allow soundd_t self:process { setpgid signal_perms };
> allow soundd_t self:tcp_socket create_stream_socket_perms;
> allow soundd_t self:udp_socket create_socket_perms;
> +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
> +
> +fs_getattr_all_fs(soundd_t)
> +
> # for yiff
> allow soundd_t self:shm create_shm_perms;
>
> -allow soundd_t soundd_etc_t:dir list_dir_perms;
> -allow soundd_t soundd_etc_t:file read_file_perms;
> -allow soundd_t soundd_etc_t:lnk_file { getattr read };
> +read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
>
> manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
> manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
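Review bot: `allow soundd_t self:capability dac_override;` is added with no comment. dac_override lets the daemon bypass file permission checks entirely, so record which access needs it; if the daemon only has to read files it cannot otherwise open, dac_read_search is the narrower capability. The rest of the hunk (soundd_etc_t redeclared as files_config_file, soundd_script_exec_t with init_script_type, and the read_files_pattern replacement for the three hand-written soundd_etc_t rules) is consistent with the .fc and .if parts of the patch.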
> @@ -55,8 +61,10 @@
> manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
> fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
>
> +manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> -files_pid_filetrans(soundd_t,soundd_var_run_t,file)
> +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> +files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
>
> kernel_read_kernel_sysctls(soundd_t)
> kernel_list_proc(soundd_t)
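Review bot: style point on ordering: refpolicy lists the pattern calls as dirs, files, sock_files, so the new `manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)` belongs above the existing manage_files_pattern line and `manage_sock_files_pattern` below it, rather than the sock_files line being inserted at the top. The widened `files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })` matches the new `/var/run/nasd(/.*)?` label in the .fc hunk.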
> @@ -96,10 +104,13 @@
> sysnet_read_config(soundd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(soundd_t)
> -
> sysadm_dontaudit_search_home_dirs(soundd_t)
>
> optional_policy(`
> + alsa_domtrans(soundd_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(soundd_t)
> ')
>
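Review bot: the removed blank line between `userdom_dontaudit_use_unpriv_user_fds(soundd_t)` and `sysadm_dontaudit_search_home_dirs(soundd_t)` is unrelated whitespace churn and should be dropped from the patch. The new `alsa_domtrans(soundd_t)` optional block is correctly placed before the seutil block, but since it grants soundd_t a domain transition on alsa_exec_t binaries, add a comment naming which sound server (nasd or yiff) execs them so the rule can be checked against a real denial.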
* Re: [refpolicy-patch 06/23] logrotate policy update
From: Chris PeBenito @ 2008-07-28 15:18 UTC
To: david; +Cc: selinux, dwalsh
On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
> plain text document attachment (policy_modules_admin_logrotate.patch)
> No controversial changes
I merged the uncontroversial changes. The second one, however, is
controversial in my opinion.
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.0/policy/modules/admin/logrotate.te
> --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/admin/logrotate.te 2008-07-15 14:05:12.000000000 -0400
> @@ -71,6 +71,7 @@
>
> fs_search_auto_mountpoints(logrotate_t)
> fs_getattr_xattr_fs(logrotate_t)
> +fs_list_inotifyfs(logrotate_t)
>
> mls_file_read_all_levels(logrotate_t)
> mls_file_write_all_levels(logrotate_t)
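Review bot: `fs_list_inotifyfs(logrotate_t)` carries no comment; note which operation in logrotate (or in a library it links) lists inotifyfs, so the rule is tied to an observed denial rather than kept as an unexplained allow.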
> @@ -96,9 +97,11 @@
> files_read_etc_files(logrotate_t)
> files_read_etc_runtime_files(logrotate_t)
> files_read_all_pids(logrotate_t)
> +files_search_all(logrotate_t)
> # Write to /var/spool/slrnpull - should be moved into its own type.
> files_manage_generic_spool(logrotate_t)
> files_manage_generic_spool_dirs(logrotate_t)
> +files_getattr_generic_locks(logrotate_t)
>
> # cjp: why is this needed?
> init_domtrans_script(logrotate_t)
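Review bot: `files_search_all(logrotate_t)` grants search on directories of every file type, a much broader rule than the `files_read_all_pids` it follows; it needs a comment stating why a narrower interface (search limited to the log and spool types logrotate already reaches, or a boolean for installations that rotate logs in arbitrary directories) will not do. `files_getattr_generic_locks(logrotate_t)` likewise lacks a comment; if the getattr comes from the init scripts logrotate runs through the `init_domtrans_script` just below, say so.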
* Re: [refpolicy-patch 06/23] logrotate policy update
From: Daniel J Walsh @ 2008-07-28 16:35 UTC
To: Chris PeBenito; +Cc: david, selinux
Chris PeBenito wrote:
> On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
>> plain text document attachment (policy_modules_admin_logrotate.patch)
>> No controversial changes
>
> I merged the uncontroversial changes. The second one, however, is
> controversial in my opinion.
>
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.0/policy/modules/admin/logrotate.te
>> --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-07-10 11:38:46.000000000 -0400
>> +++ serefpolicy-3.5.0/policy/modules/admin/logrotate.te 2008-07-15 14:05:12.000000000 -0400
>> @@ -71,6 +71,7 @@
>>
>> fs_search_auto_mountpoints(logrotate_t)
>> fs_getattr_xattr_fs(logrotate_t)
>> +fs_list_inotifyfs(logrotate_t)
>>
>> mls_file_read_all_levels(logrotate_t)
>> mls_file_write_all_levels(logrotate_t)
>> @@ -96,9 +97,11 @@
>> files_read_etc_files(logrotate_t)
>> files_read_etc_runtime_files(logrotate_t)
>> files_read_all_pids(logrotate_t)
>> +files_search_all(logrotate_t)
Log rotate rotates files in arbitrary directories. So the ability to
search all directories is required in order to not break on several
installations.
>> # Write to /var/spool/slrnpull - should be moved into its own type.
>> files_manage_generic_spool(logrotate_t)
>> files_manage_generic_spool_dirs(logrotate_t)
>> +files_getattr_generic_locks(logrotate_t)
logrotate rotates log files and then signals random domains that it has
changed the log files. Usually doing a service DOMAIN reload or service
DOMAIN restart. This is what is probably causing the avc.
>>
>> # cjp: why is this needed?
>> init_domtrans_script(logrotate_t)
>