diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
--- nsaserefpolicy/Rules.modular	2008-06-12 23:37:58.000000000 -0400
+++ serefpolicy-3.0.8/Rules.modular	2008-06-12 23:38:00.000000000 -0400
@@ -96,6 +96,9 @@
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
 
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
 $(base_mod): $(base_conf)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@
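Review bot: UNK_PERMS is spliced into the checkmodule command line unvalidated by the new target-specific assignment on `$(base_mod)`; a value consisting only of whitespace passes the `ifneq "$(UNK_PERMS)" ""` test and yields a bare `-U`, and any other typo is only caught when checkmodule fails. Since `-U`/`--handle-unknown` accepts exactly allow, deny or reject, it is worth rejecting anything else at parse time and recording next to the variable that `allow` makes the built policy permit classes and permissions it does not define, which widens what the loaded policy enforces. The same unguarded block is repeated for CHECKPOLICY at L30–L32 and L40–L42 in Rules.monolithic; one check at file level would cover all three. The `$(base_mod)` rule's recipe may continue past the end of the hunk.
```make
# UNK_PERMS: how the built policy treats kernel classes/permissions it does
# not define (checkmodule/checkpolicy -U): allow, deny or reject. "allow"
# widens what the policy permits, so leave it unset unless it is required.
ifneq ($(strip $(UNK_PERMS)),)
ifeq ($(filter allow deny reject,$(strip $(UNK_PERMS))),)
$(error UNK_PERMS must be one of: allow deny reject (got "$(UNK_PERMS)"))
endif
$(base_mod): CHECKMODULE += -U $(strip $(UNK_PERMS))
endif
# … unchanged: $(base_mod) rule …
```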
@@ -144,6 +147,7 @@
 
 $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
 $(tmpdir)/rolemap.conf: $(rolemap)
+	$(verbose) echo "" > $@
 	$(call parse-rolemap,base,$@)
 
 $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
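Review bot: `$(verbose) echo "" > $@` in the `$(tmpdir)/rolemap.conf` recipe writes a blank first line into the target rather than only truncating it; if the intent is to clear a stale file before `parse-rolemap` appends to it (parse-rolemap is defined outside the hunk, so that is inferred), `: > $@` expresses that without changing the generated file's content. The same line is added to the monolithic rule at L50. A short comment such as `# truncate first: parse-rolemap appends to $@` would record why the line exists.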
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic
--- nsaserefpolicy/Rules.monolithic	2008-06-12 23:37:58.000000000 -0400
+++ serefpolicy-3.0.8/Rules.monolithic	2008-06-12 23:37:59.000000000 -0400
@@ -63,6 +63,9 @@
 #
 # Build a binary policy locally
 #
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
 $(polver): $(policy_conf)
 	@echo "Compiling $(NAME) $(polver)"
 ifneq ($(pv),$(kv))
@@ -76,6 +79,9 @@
 #
 # Install a binary policy
 #
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
 $(loadpath): $(policy_conf)
 	@mkdir -p $(policypath)
 	@echo "Compiling and installing $(NAME) $(loadpath)"
@@ -127,6 +133,7 @@
 	@echo "divert" >> $@
 
 $(tmpdir)/rolemap.conf: $(rolemap)
+	$(verbose) echo "" > $@
 	$(call parse-rolemap,base,$@)
 
 $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.0.8/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -1,15 +1,9 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:initrc_t:s0		system_r:unconfined_t:s0
+system_r:local_login_t:s0	system_r:unconfined_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0
+system_r:rshd_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
+system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0
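Review bot: Every login and service domain in appconfig-mcs/default_contexts now maps to the single context `system_r:unconfined_t:s0`, and with seusers switching `__default__` to `system_u` (L134) any Linux account without an explicit seusers entry lands in unconfined_t; failsafe_context (L96) and userhelper_context (L164) move to unconfined_t as well. Nothing in the patch states that this is the intended default and the file carries no explanation, even though `#` comments are already used in the sibling root_default_contexts. A header such as `# Fallback for SELinux users without their own *_default_contexts file: system_u -> unconfined_t` would make the design visible to whoever audits the contexts tree, and the new self-mapping line `system_r:unconfined_t:s0 system_r:unconfined_t:s0` deserves a one-line why-comment of its own (presumably so an unconfined parent keeps its context; confirm).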
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_type serefpolicy-3.0.8/config/appconfig-mcs/default_type
--- nsaserefpolicy/config/appconfig-mcs/default_type	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/default_type	2008-06-12 23:37:59.000000000 -0400
@@ -1,4 +1,4 @@
+system_r:unconfined_t
 sysadm_r:sysadm_t
 staff_r:staff_t
-unconfined_r:unconfined_t
 user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.0.8/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/failsafe_context	2008-06-12 23:37:59.000000000 -0400
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mcs/guest_u_default_contexts	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/root_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -1,11 +1,10 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
-staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
+system_r:local_login_t:s0  system_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0	system_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+staff_r:staff_su_t:s0	system_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0	system_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0	system_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 #
 # Uncomment if you want to automatically login as sysadm_r
 #
-#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
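Review bot: The rewritten entries use inconsistent field separators — `system_r:local_login_t:s0` on L116 is followed by two spaces while the other lines use a tab — and the hunk adds a trailing blank line at L126. The same double space appears at L223, and several new lines in the per-user files carry trailing spaces (L146, L194–L197, L244, L276). Whitespace-split parsing tolerates all of this, but normalising to one tab per field keeps the files diff-friendly and stops a stray character from becoming a parse difference later.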
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.0.8/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/seusers	2008-06-12 23:37:59.000000000 -0400
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mcs_systemhigh
 root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+__default__:system_u:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mcs/staff_u_default_contexts	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	staff_r:staff_t:s0
+system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0
+staff_r:staff_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
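Review bot: The `system_r:crond_t:s0` entry lists `mailman_r:user_crond_t:s0` and `system_r:system_crond_t:s0` among staff_u's cron job contexts; unless staff_u is authorized for mailman_r and system_r in this policy those alternatives can never be selected and only suggest a reach the user does not have, so confirm them against the user declaration or drop them. The identical line is added at L240 and L272.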
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t:s0	system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0 user_r:user_crond_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
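Review bot: user_u's MCS defaults put `system_r:unconfined_t:s0` ahead of `user_r:user_t:s0` on every login path, while the MLS counterpart (L250–L256) offers only `user_r:user_t:s0`; the standard tree (L282–L288) follows the MCS form. If user_u is authorized for system_r/unconfined_t in the MCS policy, an account mapped to user_u runs unconfined by default and user_t is only a fallback, which contradicts the usual meaning of user_u; if it is not authorized, the entry is dead and misleading. Either way the divergence from MLS should be deliberate and stated, for example with a leading `# user_u may take unconfined_t when authorized; remove that column to keep user_u confined` comment, or by applying the MLS ordering here too.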
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context	2008-06-12 23:37:59.000000000 -0400
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0	
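Review bot: The new userhelper_context line ends in a trailing tab after `s0`; the file holds a single context string, and unless the reader strips trailing whitespace the value `system_u:system_r:unconfined_t:s0<TAB>` will not validate as a context. Make the line exactly `system_u:system_r:unconfined_t:s0`.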
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,5 @@
+system_r:local_login_t	xguest_r:xguest_t:s0
+system_r:remote_login_t	xguest_r:xguest_t:s0
+system_r:sshd_t		xguest_r:xguest_t:s0
+system_r:crond_t	xguest_r:xguest_crond_t:s0
+system_r:xdm_t		xguest_r:xguest_t:s0
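Review bot: The from-contexts in the appconfig-mcs xguest file omit the `:s0` level (`system_r:local_login_t`) while the to-contexts and every other file in appconfig-mcs carry it on both sides (compare L101–L104); this reads like the appconfig-standard version (L293–L297) with only the right-hand side converted. If the lookup compares the complete from-context, none of these entries match and xguest_u logins fall through to default_contexts, which now yields unconfined_t (L73–L81) — the opposite of what an xguest role is for. Each line should read like `system_r:local_login_t:s0	xguest_r:xguest_t:s0`.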
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.0.8/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mls/default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -1,15 +1,12 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:sulogin_t:s0	sysadm_r:sysadm_t:s0
+system_r:local_login_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
+user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
 sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
+staff_r:staff_sudo_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mls/guest_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.0.8/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts	2008-06-12 23:37:54.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mls/root_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -1,11 +1,9 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
-staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
+system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 #
 # Uncomment if you want to automatically login as sysadm_r
 #
-#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.0.8/config/appconfig-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mls/staff_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	staff_r:staff_t:s0
+system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0
+staff_r:staff_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-mls/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mls/user_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t:s0	user_r:user_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0
+system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0
+user_r:user_su_t:s0		user_r:user_t:s0
+user_r:user_sudo_t:s0		user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-standard/guest_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t	guest_r:guest_t
+system_r:remote_login_t	guest_r:guest_t
+system_r:sshd_t		guest_r:guest_t
+system_r:crond_t	guest_r:guest_crond_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-standard/staff_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t	staff_r:staff_t sysadm_r:sysadm_t
+system_r:remote_login_t	staff_r:staff_t
+system_r:sshd_t		staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t	staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
+system_r:xdm_t		staff_r:staff_t
+staff_r:staff_su_t	staff_r:staff_t
+staff_r:staff_sudo_t	staff_r:staff_t
+sysadm_r:sysadm_su_t	sysadm_r:sysadm_t 
+sysadm_r:sysadm_sudo_t	sysadm_r:sysadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-standard/user_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t	system_r:unconfined_t user_r:user_t
+system_r:remote_login_t	system_r:unconfined_t user_r:user_t
+system_r:sshd_t		system_r:unconfined_t user_r:user_t
+system_r:crond_t	system_r:unconfined_t user_r:user_crond_t
+system_r:xdm_t		system_r:unconfined_t user_r:user_t
+user_r:user_su_t	system_r:unconfined_t user_r:user_t
+user_r:user_sudo_t	system_r:unconfined_t user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-standard/xguest_u_default_contexts	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,5 @@
+system_r:local_login_t	xguest_r:xguest_t
+system_r:remote_login_t	xguest_r:xguest_t
+system_r:sshd_t		xguest_r:xguest_t
+system_r:crond_t	xguest_r:xguest_crond_t
+system_r:xdm_t		xguest_r:xguest_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.0.8/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/man/man8/ftpd_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -12,7 +12,7 @@
 .TP
 chcon -R -t public_content_t /var/ftp
 .TP
-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
+If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
 .TP
 chcon -t public_content_rw_t /var/ftp/incoming
 .TP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.0.8/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/man/man8/httpd_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -30,7 +30,7 @@
 .EX
 httpd_sys_script_ro_t 
 .EE
-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
+- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
 .EX
 httpd_sys_script_rw_t 
 .EE
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.0.8/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/man/man8/samba_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -1,50 +1,83 @@
-.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+.TH  "samba_selinux"  "8"  "9 Nov 2007" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
 .SH "NAME"
-samba_selinux \- Security Enhanced Linux Policy for Samba
+samba_selinux \- Securing Samba with SELinux
 .SH "DESCRIPTION"
 
 Security-Enhanced Linux secures the Samba server via flexible mandatory access
-control.  
-.SH FILE_CONTEXTS
-SELinux requires files to have an extended attribute to define the file type. 
-Policy governs the access daemons have to these files. 
-If you want to share files other than home directories, those files must be 
-labeled samba_share_t.  So if you created a special directory /var/eng, you 
-would need to label the directory with the chcon tool.
-.TP
-chcon -t samba_share_t /var/eng
-.TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
-.TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
-/var/eng(/.*)? system_u:object_r:samba_share_t
+control.  SELinux Samba policy defaults to least privilege access.  Several Booleans and file contexts are available to customize the way Samba SELinux works.
 
 .SH SHARING FILES
-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
+SELinux requires files be labeled with an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. When sharing files with Samba you have many options on how to label the files.  
+If you want to share files/directories other than home directories or standard directory.  You should label these files/directories as samba_share_t.  For example if you created the directory /var/eng, you can label the directory and its contents with the chcon tool.
+
+# chcon -R -t samba_share_t /var/eng
+
+This label will not survive a relabel.  A better solution to make the change permanent, you must tell the SELinux system about the label customization.  The semanage command can customize the default file contexts on your machine. restorecon will read the file_context and apply it to the files and directories..
+
+# semange fcontext -a -t samba_share_t '/var/eng(/.*)?'
+.br
+# restorecon -R -v /var/eng
+
 
-setsebool -P allow_smbd_anon_write=1
+.SH SHARING HOME DIRECTORIES
 
-.SH BOOLEANS
-.br 
-SELinux policy is customizable based on least access required.  So by 
-default SElinux policy turns off SELinux sharing of home directories and 
-the use of Samba shares from a remote machine as a home directory.
-.TP
+By default SELinux policy turns off SELinux sharing of home directories 
 If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
+
+# setsebool -P samba_enable_home_dirs 1
+
+.SH SHARING PUBLIC FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
+
+# semange fcontext -a -t public_content_rw_t '/var/eng(/.*)?'
+.br
+# restorecon -R -v /var/eng
 .br
+# setsebool -P allow_smbd_anon_write 1
+
+.SH SHARING FILES SYSTEM FILES
+Note: You should not do the above for standard directories or home directories!  For example directories owned by an RPM.  If you wanted to share /usr via Samba, changing its context and all of the sub directories  to samba_share_t would be a bad idea.  Other confined domains would no longer be able to read /usr and this would cause havoc on the machine.  There are two booleans that you can set to allow the sharing of standard directories.  If you want to share any standard directory read/only you can set the boolean samba_export_all_ro.
+
+# setsebool -P samba_export_all_ro 1
+
+This boolean will allow Samba to read every file on the system.Similarly if you want to share all files and directories via Samba, you set the samba_export_all_rw 
+
+# setsebool -P samba_export_all_rw 1
+
+This boolean would allow Samba to read and write every file on your system.  So a compromised Samba server would be very dangerous.
+
+.SH SHARING PUBLIC NFS FILES
+SELinux prevents the Samba daemons from reading/writing nfs shares by default.  If you are using samba to share NFS file systems you need to turn on the samba_share_nfs boolean
+
+# setsebool -P samba_share_nfs 1
+
+.SH USING CIFS/SAMBA HOME DIRECTORIES
+Samba SELinux policy will not allow any confined applications to access remote  
+samba shares mounted on your machine.  If you want to use a remote Samba server
+for the home directories on this machine, you must set the use_samba_home_dirs 
+boolean.
+
+# setsebool -P use_samba_home_dirs 1
+
+.SH SAMBA Scripts
+Samba can be setup to run user defined scripts, by default if you install these scripts /var/lib/samba/scripts they will be labeled samba_unconfined_script_exec_t.  Since these scripts can do just about anything on the system you can run them as unconfined.  But you need to turn on the samba_run_unconfined boolean
+
+# setsebool -P samba_run_unconfined 1
+
+If you are willing to write policy an interface exists in samba.if called samba_helper_template(APP).  This interface will create a file context of samba_APP_script_exec_t, and a domain of samba_APP_script_t. Samba will transition scripts labeled samba_app_script_exec_t to samba_APP_script_t, you can then user audit2allow to write policy to confine your script. 
+
+.SH USING SAMBA AS A DOMAIN CONTROLLER
+If you want to run samba as a domain controller, IE Add machines to the passwd 
+file on a Linux box, you need to turn on the samba_domain_controller boolean.  
+This allows the Samba daemon to run and transition to the passwd, useradd, and 
+groupadd utilities.  These tools can manipulate the passwd database.
 
-setsebool -P samba_enable_home_dirs 1
-.TP
-If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
-.br 
-
-setsebool -P use_samba_home_dirs 1
-.TP
-system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH GUI system-config-selinux
+system-config-selinux is a GUI tool available to customize all of the SELinux booleans and file context described above.
 
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 
 .SH "SEE ALSO"
-selinux(8), samba(7), chcon(1), setsebool(8)
+selinux(8), semanage(8), samba(7), chcon(1), setsebool(8), restorecon(8), 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/ftpd_selinux.8 serefpolicy-3.0.8/man/ru/man8/ftpd_selinux.8
--- nsaserefpolicy/man/ru/man8/ftpd_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/ftpd_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,57 @@
+.TH  "ftpd_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+ftpd_selinux \- Политика Security Enhanced Linux для демона ftp
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера ftpd при помощи гибко настраиваемого мандатного контроля доступа. 
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. 
+Политика управляет видом доступа демона к этим файлам. Если вы хотите организовать анонимный
+доступ к файлам, вы должны присвоить  этим файлам и директориям контекст public_content_t.
+Таким образом, если вы создаете специальную директорию /var/ftp, то вам необходимо установить  контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -R -t public_content_t /var/ftp
+.TP
+Если вы хотите задать директорию, в которую вы собираетесь загружать файлы, то вы должны
+установить контекст ftpd_anon_rw_t. Таким образом, если вы создаете специальную директорию /var/ftp/incoming, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -t public_content_rw_t /var/ftp/incoming
+.TP
+Вы также должны включить переключатель allow_ftpd_anon_write.
+.TP
+setsebool -P allow_ftpd_anon_write=1
+.TP
+Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
+при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/ftp(/.*)? system_u:object_r:public_content_t
+/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux для демона ftp настроена исходя из принципа наименьших привелегий. Таким
+образом, по умолчанию политика SELinux не позволяет пользователям заходить на сервер и 
+читать содержимое их домашних директорий.
+.br
+Если вы настраиваете данную машину как ftpd-сервер и хотите, чтобы пользователи могли получать 
+доступ к своим домашним директориям, то вам необходимо установить переключатель ftp_home_dir.
+.TP
+setsebool -P ftp_home_dir 1
+.TP
+ftpd может функционировать как самостоятельный демон, а также как часть домена xinetd. Если вы 
+хотите, чтобы ftpd работал как демон, вы должны установить переключатель ftpd_is_daemon.
+.TP
+setsebool -P ftpd_is_daemon 1
+.br
+service vsftpd restart
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), ftpd(8), chcon(1), setsebool(8)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/httpd_selinux.8 serefpolicy-3.0.8/man/ru/man8/httpd_selinux.8
--- nsaserefpolicy/man/ru/man8/httpd_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/httpd_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,137 @@
+.TH  "httpd_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+httpd_selinux \- Политика Security Enhanced Linux для демона httpd
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера httpd при помощи гибко настраиваемого мандатного контроля доступа.  
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. 
+Политика управляет видом доступа демона к этим файлам.
+Политика SELinux для демона httpd позволяет пользователям настроить web-службы максимально безопасным методом с высокой степенью гибкости.
+.PP 
+Для httpd определены следующие контексты файлов:
+.EX
+httpd_sys_content_t 
+.EE 
+- Установите контекст httpd_sys_content_t для содержимого, которое должно быть доступно для всех скриптов httpd и для самого демона.
+.EX
+httpd_sys_script_exec_t  
+.EE 
+- Установите контекст httpd_sys_script_exec_t для cgi-скриптов, чтобы разрешить им доступ ко всем sys-типам.
+.EX
+httpd_sys_script_ro_t 
+.EE
+- Установите на файлы контекст httpd_sys_script_ro_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать данные, и при этом нужно запретить доступ другим не-sys скриптам.
+.EX
+httpd_sys_script_rw_t 
+.EE
+- Установите на файлы контекст httpd_sys_script_rw_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и писать данные, и при этом нужно запретить доступ другим не-sys скриптам.
+.EX
+httpd_sys_script_ra_t 
+.EE
+- Установите на файлы контекст httpd_sys_script_ra_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и добавлять данные, и при этом нужно запретить доступ другим не-sys скриптам.
+.EX
+httpd_unconfined_script_exec_t  
+.EE 
+- Установите на cgi-скрипты контекст httpd_unconfined_script_exec_t если вы хотите разрешить
+им исполняться без какой-либо защиты SELinux. Такой способ должен использоваться только для
+скриптов с очень комплексными требованиями, и только в случае, если все остальные варианты настройки не дали результата. Лучше использовать скрипты с контекстом httpd_unconfined_script_exec_t, чем выключать защиту SELinux для httpd.
+
+.SH ЗАМЕЧАНИЕ
+Вместе с некоторыми политиками, вы можете определить дополнительные контексты файлов, основанные
+на ролях, таких как user или staff. Может быть определен контекст httpd_user_script_exec_t, который будет иметь доступ только к "пользовательским" контекстам.
+
+.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
+Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
+доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
+Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
+Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
+установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для httpd вы должны выполнить команду:
+
+.EX
+setsebool -P allow_httpd_anon_write=1
+.EE
+
+или 
+
+.EX
+setsebool -P allow_httpd_sys_script_anon_write=1
+.EE
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux настроена исходя из принципа наименьших привилегий. Таким образом,
+по умолчанию SELinux препятствует работе некоторых http-скриптов. Политика httpd весьма
+гибка, и существующие переключатели управляют политикой, позволяя httpd выполняться
+с наименее возможными правами доступа.
+.PP
+Если вы хотите, чтобы httpd мог исполнять cgi-скрипты, установите переключатель httpd_enable_cgi
+.EX
+setsebool -P httpd_enable_cgi 1
+.EE
+
+.PP
+По умолчанию демону httpd не разрешен доступ в домашние дерикториии пользователей. Если вы хотите разрешить доступ, вам необходимо установить переключатель httpd_enable_homedirs и изменить контекст
+тех файлов в домашних директориях пользователей, к которым должен быть разрешен доступ.
+
+.EX
+setsebool -P httpd_enable_homedirs 1
+chcon -R -t httpd_sys_content_t ~user/public_html
+.EE
+
+.PP
+По умолчанию демон httpd не имеет доступ к управляющему терминалу. В большинстве случаев такое
+поведение является предпочтительным. Это связанно с тем, что злоумышленник может попытаться
+использовать доступ к терминалу для получения привилегий. Однако, в некоторых ситуациях демон
+httpd должен выводить запрос пароля для открытия файла сертификата и в таких случаях нужен доступ
+к терминалу. Для того, чтобы разрешить доступ к терминалу, установите переключатель httpd_tty_comm.
+.EX
+setsebool -P httpd_tty_comm 1
+.EE
+
+.PP
+httpd может быть настроен так, чтобы не разграничивать тип доступа к файлу на основании контекста.
+Иными словами, ко всем файлам, имеющим контекст httpd разрешен доступ на чтение/запись/исполнение. 
+Установка этого переключателя в false, позволяет настроить политику безопасности таким образом,
+что одина служба httpd не конфликтует с другой.
+.EX
+setsebool -P httpd_unified 0
+.EE
+
+.PP
+Имеется возможность настроить httpd таким образом, чтобы отключить встроенную поддержку 
+скриптов (PHP). PHP и другие загружаемые модули работают в том же контексте, что и httpd.
+Таким образом, если используются только внешние cgi-скрипты, некоторые из правил политики
+разрешают httpd больший доступ к системе, чем необходимо. 
+
+.EX
+setsebool -P httpd_builtin_scripting 0
+.EE
+
+.PP
+По умолчанию httpd-скриптам запрещено устанавливать внешние сетевые подключения. 
+Это не позволит хакеру, взломавшему ваш httpd-сервер, атаковать другие машины.
+Если вашим скриптам необходимо иметь возможность подключения, установите переключатель
+httpd_can_network_connect
+
+.EX
+setsebool -P httpd_can_network_connect 1
+.EE
+
+.PP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), httpd(8), chcon(1), setsebool(8)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/kerberos_selinux.8 serefpolicy-3.0.8/man/ru/man8/kerberos_selinux.8
--- nsaserefpolicy/man/ru/man8/kerberos_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/kerberos_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,30 @@
+.TH  "kerberos_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+kerberos_selinux \- Политика Security Enhanced Linux для Kerberos.
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию Kerberos запрещен, поскольку требуется функционирование демонов,
+которым предоставляется слишком обширный доступ к сети и некоторым чувствительным в плане безопасности файлам.
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.PP
+Для того, чтобы система могла корректно работать в окружении Kerberos, вы должны установить переключатель allow_kerberos.
+.EX
+setsebool -P allow_kerberos 1
+.EE
+.PP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/named_selinux.8 serefpolicy-3.0.8/man/ru/man8/named_selinux.8
--- nsaserefpolicy/man/ru/man8/named_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/named_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,31 @@
+.TH  "named_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+named_selinux \- Политика Security Enhanced Linux для демона Internet Name server (named)
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера named при помощи гибко настраиваемого мандатного контроля доступа.
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
+по умолчанию политика SELinux не позволяет демону named осуществлять изменения файлов мастер-зоны.
+Если вам необходимо, чтобы named мог обновлять файлы мастер-зоны, вы должны установить переключатель named_write_master_zones boolean.
+.EX
+setsebool -P named_write_master_zones 1
+.EE
+.PP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), named(8), chcon(1), setsebool(8)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/nfs_selinux.8 serefpolicy-3.0.8/man/ru/man8/nfs_selinux.8
--- nsaserefpolicy/man/ru/man8/nfs_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/nfs_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,33 @@
+.TH  "nfs_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+nfs_selinux \- Политика Security Enhanced Linux для NFS
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux защищает сервер nfs при помощи гибко настраиваемого мандатного контроля доступа.
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом, 
+по умолчанию политика SELinux не позволяет предоставлять доступ к файлам по nfs. Если вы хотите 
+разрешить доступ только на чтение к файлам этой машины по nfs, вы должны установить переключатель
+nfs_export_all_ro.
+
+.TP
+setsebool -P nfs_export_all_ro 1
+.TP
+Если вы хотите разрешить доступ на чтение/запись, вы должны установить переключатель nfs_export_all_rw.
+.TP
+setsebool -P nfs_export_all_rw 1
+
+.TP
+Если вы хотите использовать удаленный NFS сервер для хранения домашних директорий этой машины,
+то вы должны установить переключатель use_nfs_home_dir boolean.
+.TP
+setsebool -P use_nfs_home_dirs 1
+.TP
+Для управления настройками SELinux существует графическая утилита
+system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/rsync_selinux.8 serefpolicy-3.0.8/man/ru/man8/rsync_selinux.8
--- nsaserefpolicy/man/ru/man8/rsync_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/rsync_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,50 @@
+.TH  "rsync_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "НАЗВАНИЕ"
+rsync_selinux \- Политика Security Enhanced Linux для демона rsync
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера rsync при помощи гибко настраиваемого мандатного контроля доступа. 
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. 
+Политика управляет видом доступа демона к этим файлам. Если вы хотите предоставить доступ к файлам
+при помощи демона rsync, вы должны присвоить этим файлам и директориям контекст
+public_content_t. Таким образом, если вы создаете специальную директорию /var/rsync, то вам 
+необходимо установить контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -t public_content_t /var/rsync
+.TP
+Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
+при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
+.EX
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+/var/rsync(/.*)? system_u:object_r:public_content_t
+.EE
+
+.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
+Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
+доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
+Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
+Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
+установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для rsync вы должны выполнить команду:
+
+.EX
+setsebool -P allow_rsync_anon_write=1
+.EE
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), rsync(1), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/samba_selinux.8 serefpolicy-3.0.8/man/ru/man8/samba_selinux.8
--- nsaserefpolicy/man/ru/man8/samba_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/samba_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,60 @@
+.TH  "samba_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+samba_selinux \- Политика Security Enhanced Linux для Samba
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux обеспечивает защиту сервера Samba при помощи гибко настраиваемого мандатного контроля доступа.  
+.SH КОНТЕКСТ ФАЙЛОВ
+SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. 
+Политика управляет видом доступа демона к этим файлам. 
+Если вы хотите предоставить доступ к файлам вовне домашних директорий, этим файлам необходимо
+присвоить контекст samba_share_t. 
+Таким образом, если вы создаете специальную директорию  /var/eng,  то  вам  необходимо
+установить  контекст для этой директории при помощи утилиты chcon.
+.TP
+chcon -t samba_share_t /var/eng
+.TP
+
+Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
+при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
+.TP
+/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
+.br
+/var/eng(/.*)? system_u:object_r:samba_share_t
+
+.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
+Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
+доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
+Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
+Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
+установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для samba вы должны выполнить команду:
+
+setsebool -P allow_smbd_anon_write=1
+
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.br 
+Политика SELinux настраивается исходя из принципа наименьших привилегий.
+Таким образом, по умолчанию политика SELinux не позволяет предоставлять удаленный доступ
+к домашним директориям и не позволяет использовать удаленный сервер Samba для хранения 
+домашних директорий.
+.TP
+Если вы настроили эту машину как сервер Samba и желаете предоставить доступ к домашним
+директориям, вы должны установить переключатель samba_enable_home_dirs.
+.br
+
+setsebool -P samba_enable_home_dirs 1
+.TP
+Если вы хотите для хранения домашних директорий пользователей этой машины использовать удаленный
+сервер Samba, вы должны установить переключатель use_samba_home_dirs.
+.br 
+
+setsebool -P use_samba_home_dirs 1
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), samba(7), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/ypbind_selinux.8 serefpolicy-3.0.8/man/ru/man8/ypbind_selinux.8
--- nsaserefpolicy/man/ru/man8/ypbind_selinux.8	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/man/ru/man8/ypbind_selinux.8	2008-06-12 23:38:00.000000000 -0400
@@ -0,0 +1,19 @@
+.TH  "ypbind_selinux"  "8"  "17 Янв 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
+.SH "НАЗВАНИЕ"
+ypbind_selinux \- Политика Security Enhanced Linux для NIS.
+.SH "ОПИСАНИЕ"
+
+Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию работа NIS запрещена. Это является следствием того, что демоны NIS требуют слишком обширного доступа к сети.  
+.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
+.TP
+Для того, чтобы система могла работать в окружении NIS, вы должны установить переключатель allow_ypbind.
+.TP
+setsebool -P allow_ypbind 1
+.TP
+Для управления настройками SELinux существует графическая утилита system-config-selinux.
+.SH АВТОРЫ	
+Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
+
+.SH "СМОТРИ ТАКЖЕ"
+selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.8/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/flask/access_vectors	2008-06-12 23:37:58.000000000 -0400
@@ -639,6 +639,8 @@
 	send
 	recv
 	relabelto
+	flow_in
+	flow_out
 }
 
 class key
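Review bot: The two new permissions `flow_in` and `flow_out` are appended to a class whose header lies outside the hunk (the neighbouring members `send`, `recv`, `relabelto` suggest the packet class), so nothing in the change records which object class they extend or which kernel feature consumes them. Appending at the end of the list is the right position, since the bit layout of this file has to agree with what the targeted kernel expects, but a policy that defines permissions the running kernel does not know about will simply never have them checked. A short comment above the pair, e.g. `# flow_in/flow_out: packet flow permissions; require kernel support -- confirm target kernel`, would make both the class and the kernel dependency explicit to the next reader.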
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2008-06-12 23:37:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/global_tunables	2008-06-12 23:37:59.000000000 -0400
@@ -133,3 +133,18 @@
 ## </desc>
 gen_tunable(write_untrusted_content,false)
 
+## <desc>
+## <p>
+## Allow users to connect to console (s390)
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
+
+## <desc>
+## <p>
+## Allow xen to manage nfs files
+## </p>
+## </desc>
+gen_tunable(xen_use_nfs,false)
+
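Review bot: The `<desc>` for `xen_use_nfs` says only "Allow xen to manage nfs files", which does not tell an administrator which domain gains access or what "manage" covers before they flip a boolean that widens a hypervisor-management domain's reach onto network storage. The consumer of the tunable is not in this hunk, so confirm against xen.te, but wording along the lines of `## Allow the xen management domain to read and write files on NFS mounts (e.g. guest disk images)` would match the level of detail the other descriptions give. Minor style: the two new tunable blocks are separated by two blank lines and the file now ends with a trailing blank line, whereas the preceding block is separated by a single one.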
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,4 +1,11 @@
 
+/etc/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 /etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state	--	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 
 /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/salsa 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
+/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
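Review bot: The new entries are not in path order: `/sbin/alsactl` and `/sbin/salsa` follow `/usr/bin/ainit`, and `/bin/alsaunmute` comes after `/var/lib/alsa(/.*)?`, whereas the existing lines here (and in amanda.fc in the same patch) appear to be kept sorted by path so duplicates and shadowed regexes are easy to spot. Move `/bin/alsaunmute` to the head of the executables group and the two `/sbin` entries ahead of `/usr/bin/ainit`, leaving `/var/lib/alsa(/.*)?` last. Note also that `/etc/asound(/.*)?` and `/etc/asound\.state` receive `alsa_etc_rw_t`, i.e. configuration under /etc that the alsa_t domain may rewrite; that matches the `manage_files_pattern` on that type in alsa.te, but a comment such as `# alsactl persists mixer state here, hence a writable type` would explain why a writable label under /etc is intentional.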
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.0.8/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.if	2008-06-12 23:37:59.000000000 -0400
@@ -74,3 +74,39 @@
 	read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
 	read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
 ')
+
+########################################
+## <summary>
+##	search alsa lib config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_search_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	allow $1 alsa_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read alsa lib config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_read_lib',`
+	gen_require(`
+		type alsa_var_lib_t;
+	')
+
+	read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t)
+')
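Review bot: `alsa_search_lib` grants search only on `alsa_var_lib_t` directories and never on the `/var/lib` parent, so a caller with no other route into /var/lib still cannot reach `/var/lib/alsa`; the equivalent interfaces added elsewhere in this patch (`amanda_search_var_lib`, `kismet_search_lib`) both pair the allow rule with `files_search_var_lib($1)`. Add `files_search_var_lib($1)` to `alsa_search_lib`, and likewise to `alsa_read_lib`, since `read_files_pattern` (as the pattern is usually defined) gives search on `alsa_var_lib_t` dirs but nothing on the generic var_lib type. The summaries describe these as "alsa lib config files"; alsa.fc labels `/var/lib/alsa(/.*)?` with this type, which is presumably saved state rather than configuration, so `Search/Read alsa saved-state files under /var/lib` would be a more accurate summary -- confirm against what alsactl actually stores there.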
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2008-06-12 23:37:59.000000000 -0400
@@ -8,31 +8,47 @@
 
 type alsa_t;
 type alsa_exec_t;
-application_domain(alsa_t, alsa_exec_t)
+init_system_domain(alsa_t, alsa_exec_t)
 role system_r types alsa_t;
 
 type alsa_etc_rw_t;
 files_type(alsa_etc_rw_t)
 
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow alsa_t self:capability { setgid setuid ipc_owner };
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
 dontaudit alsa_t self:capability sys_admin;
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
 allow alsa_t self:unix_dgram_socket create_socket_perms;
 
+dev_read_sound(alsa_t)
+dev_write_sound(alsa_t)
+
+files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 
+files_search_var_lib(alsa_t)
+manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+
+corecmd_exec_bin(alsa_t)
+can_exec(alsa_t, alsa_exec_t)
+
+files_search_home(alsa_t)
 files_read_etc_files(alsa_t)
 
-term_use_generic_ptys(alsa_t)
-term_dontaudit_use_unallocated_ttys(alsa_t)
+init_dontaudit_use_fds(alsa_t)
+
+kernel_read_system_state(alsa_t)
 
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
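Review bot: The capability line now grants alsa_t `dac_override` alongside `dac_read_search` with no comment saying why, and `dac_override` bypasses DAC write and execute checks rather than only read/search. Combined with the new `files_search_home` / `userdom_search_generic_user_home_dirs` rules in the same hunk, this lets the domain traverse any user's home directory regardless of its DAC mode bits, which is a lot for a sound-card state tool. If the only need is to read per-user files owned by someone else, `dac_read_search` alone should suffice; if writing is genuinely required, document it, e.g. `# alsactl runs as root from init and must read users' files under $HOME regardless of owner; dac_override only if it writes there -- confirm`. Separately, the switch to `init_system_domain` plus `corecmd_exec_bin` and `can_exec(alsa_t, alsa_exec_t)` broadens what this domain can execute; a one-line note naming the helper binaries that need `corecmd_exec_bin` would justify that widening.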
@@ -43,7 +59,14 @@
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
+userdom_search_generic_user_home_dirs(alsa_t)
+userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
 
 optional_policy(`
 	nscd_socket_use(alsa_t)
 ')
+
+optional_policy(`
+	hal_use_fds(alsa_t)
+	hal_write_log(alsa_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.0.8/policy/modules/admin/amanda.fc
--- nsaserefpolicy/policy/modules/admin/amanda.fc	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/amanda.fc	2008-06-22 06:34:09.000000000 -0400
@@ -3,6 +3,7 @@
 /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
 /etc/dumpdates				gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+/etc/amanda/.*/index(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 
 /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.8/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/amanda.if	2008-06-12 23:37:59.000000000 -0400
@@ -71,6 +71,26 @@
 
 ########################################
 ## <summary>
+##	Search amanda var library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`amanda_search_var_lib',`
+	gen_require(`
+		type amanda_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 amanda_var_lib_t:dir search_dir_perms;
+
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read /etc/dumpdates.
 ## </summary>
 ## <param name="domain">
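Review bot: There is a stray blank line between `allow $1 amanda_var_lib_t:dir search_dir_perms;` and the closing `')` of `amanda_search_var_lib`, which the neighbouring interfaces do not have; drop it. The parameter summary "The type of the process performing this action." also differs from the "Domain allowed access." phrasing used by the other interfaces added in this patch; using the same phrase keeps the generated interface documentation uniform.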
@@ -141,3 +161,4 @@
 
 	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.0.8/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/amanda.te	2008-06-12 23:37:59.000000000 -0400
@@ -74,7 +74,6 @@
 allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
-allow amanda_t self:netlink_route_socket r_netlink_socket_perms;
 
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
@@ -108,6 +107,8 @@
 manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
 
+auth_use_nsswitch(amanda_t)
+
 kernel_read_system_state(amanda_t)
 kernel_read_kernel_sysctls(amanda_t)
 kernel_dontaudit_getattr_unlabeled_files(amanda_t)
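Review bot: `auth_use_nsswitch(amanda_t)` is introduced here as the replacement for the rules the later hunks delete (`self:netlink_route_socket r_netlink_socket_perms`, `sysnet_read_config`, and the optional `nis_use_ypbind` / `nscd_socket_use` blocks), so the change is only behaviour-preserving if the `auth_use_nsswitch` interface in this tree actually bundles all four; its body is not in the patch, so please confirm, particularly the netlink route socket permissions the resolver needs. If it does, the same substitution for `amanda_recover_t` further down is consistent; if it does not, NIS or nscd lookups from amanda will start denying in enforcing mode with no obvious link back to this cleanup. A short comment such as `# nsswitch/resolver access (replaces the former sysnet/nis/nscd rules)` would make the intent of the consolidation visible.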
@@ -154,8 +155,6 @@
 libs_use_ld_so(amanda_t)
 libs_use_shared_libs(amanda_t)
 
-sysnet_read_config(amanda_t)
-
 optional_policy(`
 	auth_read_shadow(amanda_t)
 ')
@@ -164,14 +163,6 @@
 	logging_send_syslog_msg(amanda_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(amanda_t)
-')
-
-optional_policy(`
-	nscd_socket_use(amanda_t)
-')
-
 ########################################
 #
 # Amanda recover local policy
@@ -201,6 +192,8 @@
 manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
 
+auth_use_nsswitch(amanda_recover_t)
+
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)
 
@@ -237,14 +230,4 @@
 
 miscfiles_read_localization(amanda_recover_t)
 
-sysnet_read_config(amanda_recover_t)
-
 userdom_search_sysadm_home_content_dirs(amanda_recover_t)
-
-optional_policy(`
-	nis_use_ypbind(amanda_recover_t)
-')
-
-optional_policy(`
-	nscd_socket_use(amanda_recover_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.8/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/anaconda.te	2008-06-12 23:37:59.000000000 -0400
@@ -31,16 +31,13 @@
 modutils_domtrans_insmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
 unconfined_domain(anaconda_t)
 
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
-	dmesg_domtrans(anaconda_t)
-')
-
-optional_policy(`
 	kudzu_domtrans(anaconda_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te	2008-06-12 23:37:59.000000000 -0400
@@ -215,3 +215,7 @@
 	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
 	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
 ')
+
+optional_policy(`
+	unconfined_domain(bootloader_t)
+')
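Review bot: Wrapping `unconfined_domain(bootloader_t)` in an `optional_policy` block removes all confinement from the bootloader domain whenever the unconfined module is loaded, which on a targeted policy is effectively always, and nothing in the hunk explains why the existing bootloader_t rules are insufficient. A domain that writes boot sectors and kernel images is exactly where confinement has value, so at minimum record the rationale, e.g. `# grub/grubby need broad access during kernel installs; unconfined rather than chasing individual denials -- revisit`, and consider gating it behind a tunable instead of making it unconditional. Builds without the unconfined module (strict/MLS) keep the confined domain, which may be the intent, but that should be stated too.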
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.0.8/policy/modules/admin/brctl.if
--- nsaserefpolicy/policy/modules/admin/brctl.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/brctl.if	2008-06-12 23:37:59.000000000 -0400
@@ -17,3 +17,21 @@
 
 	domtrans_pattern($1,brctl_exec_t,brctl_t)
 ')
+
+########################################
+## <summary>
+##	Get attributes brctl executable.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`brctl_getattr',`
+	gen_require(`
+		type brctl_exec_t;
+	')
+
+	allow $1 brctl_exec_t:file getattr;
+')
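Review bot: The `<param>` summary for `brctl_getattr` says "Domain allowed to transition.", copied from `brctl_domtrans` above, but the interface only grants `getattr` on `brctl_exec_t` and performs no transition. Change it to `Domain allowed access.` and tidy the summary to `Get the attributes of the brctl executable.`; the rule `allow $1 brctl_exec_t:file getattr;` itself is fine as written.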
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.0.8/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/brctl.te	2008-06-12 23:37:59.000000000 -0400
@@ -25,6 +25,7 @@
 kernel_read_network_state(brctl_t)
 kernel_read_sysctl(brctl_t)
 
+dev_write_sysfs_dirs(brctl_t)
 dev_rw_sysfs(brctl_t)
 
 # Init script handling
@@ -44,4 +45,5 @@
 
 optional_policy(`
 	xen_append_log(brctl_t)
+	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te	2008-06-12 23:37:59.000000000 -0400
@@ -8,9 +8,11 @@
 
 type consoletype_t;
 type consoletype_exec_t;
-application_executable_file(consoletype_exec_t)
-init_domain(consoletype_t,consoletype_exec_t)
-init_system_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+#init_system_domain(consoletype_t,consoletype_exec_t)
+application_domain(consoletype_t, consoletype_exec_t)
+
 role system_r types consoletype_t;
 
 ########################################
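Review bot: The two commented-out `init_domain` / `init_system_domain` lines left in place are dead code; the one-line comment `#dont transition from initrc` already captures the decision, so keep the rationale and delete the commented rules, expanding the comment to say why, e.g. `# consoletype is run from init scripts and must stay in the caller's domain, so no automatic transition from initrc_t`. Replacing `application_executable_file` with `application_domain` changes how consoletype_exec_t is typed; that part looks fine, but confirm nothing else in the tree still expects an `init_domain`-style transition into consoletype_t, since the `role system_r types consoletype_t` line that follows still implies it runs as a system domain.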
@@ -43,12 +45,12 @@
 mls_file_write_all_levels(consoletype_t)
 
 term_use_console(consoletype_t)
-term_use_unallocated_ttys(consoletype_t)
+term_use_all_terms(consoletype_t)
 
 init_use_fds(consoletype_t)
 init_use_script_ptys(consoletype_t)
 init_use_script_fds(consoletype_t)
-init_write_script_pipes(consoletype_t)
+init_rw_script_pipes(consoletype_t)
 
 domain_use_interactive_fds(consoletype_t)
 
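Review bot: `term_use_unallocated_ttys` is widened to `term_use_all_terms`, which gives consoletype read/write on every tty and pty type in the policy including users' terminals, and `init_write_script_pipes` becomes `init_rw_script_pipes`; neither broadening carries a comment. consoletype only needs to inspect the terminal it inherited, so if the denials that motivated this were on specific terminal types (e.g. user ptys when run from a shell), the narrower interfaces for those types would keep the domain's footprint small. If the broad rule is deliberate, a note such as `# consoletype must stat/ioctl whatever terminal it inherited, hence all terms` would document that choice.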
@@ -88,6 +90,10 @@
 ')
 
 optional_policy(`
+	hotplug_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
 	logrotate_dontaudit_use_fds(consoletype_t)
 ')
 
@@ -115,3 +121,8 @@
 	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
 	xen_dontaudit_use_fds(consoletype_t)
 ')
+
+optional_policy(`
+	unconfined_use_terminals(consoletype_t)
+	unconfined_dontaudit_rw_pipes(consoletype_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.8/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/dmidecode.te	2008-06-12 23:37:59.000000000 -0400
@@ -20,6 +20,7 @@
 
 # Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
+dev_read_sysfs(dmidecode_t)
 
 mls_file_read_all_levels(dmidecode_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.0.8/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/firstboot.te	2008-06-12 23:37:59.000000000 -0400
@@ -120,6 +120,10 @@
 	usermanage_domtrans_admin_passwd(firstboot_t)
 ')
 
+optional_policy(`
+	xserver_xdm_rw_shm(firstboot_t)
+')
+
 ifdef(`TODO',`
 allow firstboot_t proc_t:file write;
 
@@ -132,7 +136,4 @@
 	domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
 ')
 
-ifdef(`xserver.te', `
-	domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
 ') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.0.8/policy/modules/admin/kismet.fc
--- nsaserefpolicy/policy/modules/admin/kismet.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/admin/kismet.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,5 @@
+
+/usr/bin/kismet	--	gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/run/kismet_server.pid		--	gen_context(system_u:object_r:kismet_var_run_t,s0)
+/var/lib/kismet(/.*)?			gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)?			gen_context(system_u:object_r:kismet_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.0.8/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/admin/kismet.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,277 @@
+
+## <summary>policy for kismet</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run kismet.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kismet_domtrans',`
+	gen_require(`
+		type kismet_t;
+                type kismet_exec_t;
+	')
+
+	domtrans_pattern($1,kismet_exec_t,kismet_t)
+')
+
+
+########################################
+## <summary>
+##	Read kismet PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kismet_read_pid_files',`
+	gen_require(`
+		type kismet_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 kismet_var_run_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage kismet var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kismet_manage_var_run',`
+	gen_require(`
+		type kismet_var_run_t;
+	')
+
+         manage_dirs_pattern($1,kismet_var_run_t,kismet_var_run_t)
+         manage_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
+         manage_lnk_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	Search kismet lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kismet_search_lib',`
+	gen_require(`
+		type kismet_var_lib_t;
+	')
+
+	allow $1 kismet_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read kismet lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kismet_read_lib_files',`
+	gen_require(`
+		type kismet_var_lib_t;
+	')
+
+	allow $1 kismet_var_lib_t:file r_file_perms;
+	allow $1 kismet_var_lib_t:dir list_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	kismet lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kismet_manage_lib_files',`
+	gen_require(`
+		type kismet_var_lib_t;
+	')
+
+	allow $1 kismet_var_lib_t:file manage_file_perms;
+	allow $1 kismet_var_lib_t:dir rw_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Manage kismet var_lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kismet_manage_var_lib',`
+	gen_require(`
+		type kismet_var_lib_t;
+	')
+
+         manage_dirs_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
+         manage_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
+         manage_lnk_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to read kismet's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_read_log',`
+	gen_require(`
+		type kismet_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 kismet_log_t:dir r_dir_perms;
+	allow $1 kismet_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	kismet log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`kismet_append_log',`
+	gen_require(`
+		type var_log_t, kismet_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 kismet_log_t:dir r_dir_perms;
+	allow $1 kismet_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Allow domain to manage kismet log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kismet_manage_log',`
+	gen_require(`
+		type kismet_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1,kismet_log_t,kismet_log_t)
+	manage_files_pattern($1,kismet_log_t,kismet_log_t)
+	manage_lnk_files_pattern($1,kismet_log_t,kismet_log_t)
+')
+
+########################################
+## <summary>
+##	Execute kismet in the kismet domain, and
+##	allow the specified role the kismet domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the kismet domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`kismet_run',`
+	gen_require(`
+		type kismet_t;
+	')
+
+	kismet_domtrans($1)
+	role $2 types kismet_t;
+	allow kismet_t $3:chr_file rw_term_perms;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate an kismet environment
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix of the domain. Example, user would be
+##	the prefix for the uder_t domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the kismet domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kismet_admin',`
+	gen_require(`
+		type kismet_t;
+	')
+
+	allow $2 kismet_t:process { ptrace signal_perms getattr };
+	read_files_pattern($2, kismet_t, kismet_t)
+	        
+
+	kismet_manage_var_run($2)
+
+	kismet_manage_var_lib($2)
+
+	kismet_manage_log($2)
+
+')
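Review bot: `kismet_append_log` requires `type var_log_t` but never uses it, so the interface carries a spurious dependency on a type it does not touch; the require block should be `type kismet_log_t;` only. Its parameter is documented as `Domain allowed to transition.` and `kismet_manage_log`'s as `Domain to not audit.` — both are copy-paste leftovers and should read `Domain allowed access.`. `kismet_admin` documents three parameters (prefix, domain, role) but only ever uses `$2`, so either the `prefix`/`role` parameters are dead or the body is missing its role rules (compare `kismet_run`, which does use its role argument); that should be settled before callers start passing three arguments. Indentation is mixed as well: the `type kismet_exec_t;` require in `kismet_domtrans` and the `manage_*_pattern` lines in `kismet_manage_var_run`/`kismet_manage_var_lib` use spaces where the rest of the file uses tabs.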
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/admin/kismet.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,57 @@
+policy_module(kismet,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kismet_t;
+type kismet_exec_t;
+application_domain(kismet_t, kismet_exec_t)
+role system_r types kismet_t;
+
+
+type kismet_var_run_t;
+files_pid_file(kismet_var_run_t)
+
+type kismet_var_lib_t;
+files_type(kismet_var_lib_t)
+
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
+########################################
+#
+# kismet local policy
+#
+
+allow kismet_t self:capability { net_admin setuid setgid };
+
+corecmd_exec_bin(kismet_t)
+
+auth_use_nsswitch(kismet_t)
+
+allow kismet_t self:fifo_file rw_file_perms;
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(kismet_t)
+
+kernel_load_module(kismet_t)
+
+libs_use_ld_so(kismet_t)
+libs_use_shared_libs(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
+allow kismet_t kismet_var_run_t:file manage_file_perms;
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
+
+allow kismet_t kismet_var_lib_t:file manage_file_perms;
+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
+files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir })
+
+allow kismet_t kismet_log_t:file manage_file_perms;
+allow kismet_t kismet_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(kismet_t,kismet_log_t,{ file dir })
+
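Review bot: `kernel_load_module(kismet_t)` hands the kismet domain the ability to load kernel modules itself, with no comment on why, and it sits alongside `net_admin setuid setgid` in a domain that user roles can enter through `kismet_run`. If kismet only shells out to modprobe to put a driver into monitor mode, `modutils_domtrans_insmod(kismet_t)` keeps module loading inside the insmod domain; if it genuinely needs the capability directly, say so: `# kismet loads wireless driver modules to enable monitor mode — TODO confirm`. I also note that apart from `self:fifo_file` and `self:unix_stream_socket` the module declares no socket rules at all (no `packet_socket`, no `corenet_*`), which is surprising for a packet sniffer — expect AVC denials on first run unless capture happens some other way.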
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te	2008-06-12 23:37:59.000000000 -0400
@@ -21,8 +21,8 @@
 # Local policy
 #
 
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
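Review bot: `sys_ptrace` moves from `dontaudit` to `allow` on the capability line with no comment on what kudzu needs to trace; CAP_SYS_PTRACE lets the domain attach to and read memory of arbitrary processes, which is a much larger grant than the rest of that line, and a later hunk in this file adds `init_ptrace_init_domain(kudzu_t)` on top of it. If the underlying need is only to read init's `/proc` state for the telinit step, `init_read_init_state` (also added later) may already be sufficient — worth checking against the denials that motivated this. At minimum document it: `# kudzu needs sys_ptrace to inspect init before telinit — TODO confirm`.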
@@ -68,6 +68,7 @@
 modutils_read_module_deps(kudzu_t)
 modutils_read_module_config(kudzu_t)
 modutils_rename_module_config(kudzu_t)
+modutils_unlink_module_config(kudzu_t)
 
 storage_read_scsi_generic(kudzu_t)
 storage_read_tape(kudzu_t)
@@ -103,6 +104,8 @@
 init_use_fds(kudzu_t)
 init_use_script_ptys(kudzu_t)
 init_stream_connect_script(kudzu_t)
+init_read_init_state(kudzu_t)
+init_ptrace_init_domain(kudzu_t)
 # kudzu will telinit to make init re-read
 # the inittab after configuring serial consoles
 init_telinit(kudzu_t)
@@ -134,36 +137,18 @@
 ')
 
 optional_policy(`
-        seutil_sigchld_newrole(kudzu_t)
+	rhgb_use_ptys(kudzu_t)
 ')
 
 optional_policy(`
-        udev_read_db(kudzu_t)
+        seutil_sigchld_newrole(kudzu_t)
 ')
 
 optional_policy(`
-	# cjp: this was originally in the else block
-	# of ifdef userhelper.te, but it seems to
-	# make more sense here.  also, require
-	# blocks curently do not work in the
-	# else block of optionals
-	unconfined_domain(kudzu_t)
+        udev_read_db(kudzu_t)
 ')
 
-ifdef(`TODO',`
-allow kudzu_t modules_conf_t:file unlink;
-optional_policy(`
-	allow kudzu_t printconf_t:file { getattr read };
-')
 optional_policy(`
-	allow kudzu_t xserver_exec_t:file getattr;
-')
-optional_policy(`
-	allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-optional_policy(`
-	role system_r types sysadm_userhelper_t;
-	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+	unconfined_domtrans(kudzu_t)
+	unconfined_domain(kudzu_t)
 ')
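Review bot: `unconfined_domtrans(kudzu_t)` together with `unconfined_domain(kudzu_t)` in the final optional block makes kudzu effectively unconfined whenever the unconfined module is loaded, which is the default on targeted systems; every rule tightened earlier in this file (the capability line, the modutils and init interfaces) then only matters on strict/MLS builds. That deserves a comment so the next reader does not spend time narrowing rules that are moot: `# kudzu runs unconfined on targeted; the rules above matter only for strict/MLS`. The two calls also do different things — `unconfined_domain` unconfines kudzu_t itself, `unconfined_domtrans` lets it execute into unconfined_t — and the latter looks redundant once the former applies; if it is there for a specific child (the deleted TODO block mentioned userhelper), name it in the comment.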
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.8/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/logrotate.te	2008-06-12 23:37:59.000000000 -0400
@@ -96,6 +96,7 @@
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
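Review bot: `files_search_all(logrotate_t)` grants directory search on every file type in the policy, and it lands in a run of much narrower `files_*` rules with nothing saying what drove it. Search-only is low risk, but a reader should know whether this is for log paths configured outside /var/log or for something else; I would add `# logrotate must reach any directory named in /etc/logrotate.d — TODO confirm` above it.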
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.8/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/logwatch.te	2008-06-12 23:37:59.000000000 -0400
@@ -48,7 +48,7 @@
 corecmd_exec_shell(logwatch_t)
 
 dev_read_urand(logwatch_t)
-dev_search_sysfs(logwatch_t)
+dev_read_sysfs(logwatch_t)
 
 # Read /proc/PID directories for all domains.
 domain_read_all_domains_state(logwatch_t)
@@ -59,10 +59,8 @@
 files_read_usr_files(logwatch_t)
 files_search_spool(logwatch_t)
 files_search_mnt(logwatch_t)
-files_dontaudit_search_home(logwatch_t)
-files_dontaudit_search_boot(logwatch_t)
 # Execs df and if file system mounted with a context avc raised
-files_dontaudit_search_all_dirs(logwatch_t)
+files_search_all(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
 fs_dontaudit_list_auto_mountpoints(logwatch_t)
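Review bot: The comment `# Execs df and if file system mounted with a context avc raised` was written to justify a `dontaudit`, and the hunk turns the rule beneath it into an outright `files_search_all(logwatch_t)` while leaving the comment in place, so it now explains a rule that no longer exists. Silencing a spurious `df` AVC does not require granting search on every directory type; if the allow is deliberate (logwatch really needs to traverse arbitrary filesystems), rewrite the comment to say so, e.g. `# df/du walk every mounted filesystem; allow search everywhere`, otherwise keep the `dontaudit` form. Note that the removed `files_dontaudit_search_home`/`_boot` lines are only subsumed if the allow stands.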
@@ -88,9 +86,6 @@
 
 sysnet_dns_name_resolve(logwatch_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-
 mta_send_mail(logwatch_t)
 
 optional_policy(`
@@ -132,4 +127,5 @@
 
 optional_policy(`
 	samba_read_log(logwatch_t)
+	samba_read_share_files(logwatch_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.0.8/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/mrtg.te	2008-06-12 23:37:59.000000000 -0400
@@ -78,6 +78,7 @@
 dev_read_urand(mrtg_t)
 
 domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
 
 files_read_usr_files(mrtg_t)
 files_search_var(mrtg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te	2008-06-12 23:37:59.000000000 -0400
@@ -40,7 +40,7 @@
 allow netutils_t self:capability { net_admin net_raw setuid setgid };
 dontaudit netutils_t self:capability sys_tty_config;
 allow netutils_t self:process { sigkill sigstop signull signal };
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow netutils_t self:netlink_route_socket rw_netlink_socket_perms;
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
@@ -94,9 +94,22 @@
 ')
 
 optional_policy(`
+	rhgb_use_ptys(netutils_t)
+')
+
+optional_policy(`
+	unconfined_dontaudit_use_terminals(netutils_t)
+')
+
+optional_policy(`
+	vmware_append_log(netutils_t)
+')
+
+optional_policy(`
 	xen_append_log(netutils_t)
 ')
 
+
 ########################################
 #
 # Ping local policy
@@ -107,12 +120,14 @@
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket r_netlink_socket_perms;
 
 corenet_all_recvfrom_unlabeled(ping_t)
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
+corenet_raw_bind_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_nodes(ping_t)
 corenet_tcp_sendrecv_all_ports(ping_t)
 
@@ -143,6 +158,10 @@
 ')
 
 optional_policy(`
+	munin_append_log(ping_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(ping_t)
 ')
 
@@ -151,6 +170,10 @@
 ')
 
 optional_policy(`
+	munin_append_logs(ping_t)
+')
+
+optional_policy(`
 	pcmcia_use_cardmgr_fds(ping_t)
 ')
 
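Review bot: `munin_append_logs(ping_t)` here and `munin_append_log(ping_t)` in the hunk just above add two optional blocks for what looks like a single interface — the names differ by one trailing `s`, and unless munin.if really defines both, one of them is a typo. An unknown interface inside `optional_policy` is not silently skipped: m4 leaves the name unexpanded and checkmodule fails on the literal text, so the build will tell you which one is real; keep that block and delete the other.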
@@ -166,7 +189,7 @@
 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow traceroute_t self:netlink_route_socket rw_netlink_socket_perms;
 allow traceroute_t self:udp_socket create_socket_perms;
 
 kernel_read_system_state(traceroute_t)
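Review bot: `rw_netlink_socket_perms` on the traceroute_t netlink_route_socket line widens the old permission set: the removed line had `nlmsg_read` only, and `rw_netlink_socket_perms` adds `nlmsg_write`, which is the permission needed to modify routes and addresses rather than just query them. traceroute only looks routes up, so the equivalent of the old rule is `allow traceroute_t self:netlink_route_socket r_netlink_socket_perms;` — the same set the ping_t hunk uses. The netutils_t change earlier in this file is different: that line already had `nlmsg_write`, so there the macro is a pure tidy-up.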
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.8/policy/modules/admin/portage.if
--- nsaserefpolicy/policy/modules/admin/portage.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/portage.if	2008-06-12 23:37:59.000000000 -0400
@@ -324,6 +324,7 @@
 	seutil_domtrans_setfiles($1)
 	# run semodule
 	seutil_domtrans_semanage($1)
+	seutil_domtrans_setsebool($1)
 
 	portage_domtrans_gcc_config($1)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/prelink.te	2008-06-12 23:37:59.000000000 -0400
@@ -26,7 +26,7 @@
 # Local policy
 #
 
-allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
 allow prelink_t self:process { execheap execmem execstack signal };
 allow prelink_t self:fifo_file rw_fifo_file_perms;
 
@@ -40,7 +40,7 @@
 read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 
-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
 fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
 
@@ -49,8 +49,7 @@
 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
 
 kernel_read_system_state(prelink_t)
-kernel_dontaudit_search_kernel_sysctl(prelink_t)
-kernel_dontaudit_search_sysctl(prelink_t)
+kernel_read_kernel_sysctls(prelink_t)
 
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
@@ -65,6 +64,10 @@
 files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
+files_manage_usr_files(prelink_t)
+files_relabelfrom_usr_files(prelink_t)
+files_manage_kernel_modules(prelink_t)
+files_relabel_kernel_modules(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
 
@@ -81,6 +84,11 @@
 
 miscfiles_read_localization(prelink_t)
 
+# prelink executables in the user homedir
+userdom_manage_unpriv_users_home_content_files(prelink_t)
+userdom_mmap_unpriv_user_home_content_files(prelink_t)
+userdom_dontaudit_relabel_unpriv_user_home_content_files(prelink_t)
+
 optional_policy(`
 	amanda_manage_lib(prelink_t)
 ')
@@ -88,3 +96,7 @@
 optional_policy(`
 	cron_system_entry(prelink_t, prelink_exec_t)
 ')
+
+optional_policy(`
+	unconfined_domain(prelink_t)
+')
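Review bot: `unconfined_domain(prelink_t)` in the new optional block makes every rule above it — the /usr and kernel-module management, the user home content access added in the previous hunk — irrelevant on any system with the unconfined module loaded, which is the common targeted case. If the intent is that prelink, which rewrites the binaries and libraries of every domain on the box, is root-equivalent regardless and confining it buys little, say so in a comment so the rest of the file is read as strict-policy-only: `# prelink rewrites every executable and library on the system; on targeted it runs unconfined`. If instead this is a stop-gap for denials, a `tunable_policy` would let administrators switch it off rather than baking it in.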
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.8/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/rpm.fc	2008-06-12 23:37:59.000000000 -0400
@@ -11,6 +11,7 @@
 
 /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
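Review bot: Labeling `/usr/sbin/packagekitd` as `rpm_exec_t` puts a long-running, bus-activated daemon that serves requests from ordinary desktop sessions into rpm_t, and the rpm.te hunks later in this patch keep `unconfined_domain(rpm_t)` and add `dbus_system_domain(rpm_t,rpm_exec_t)` so that the system bus can start it. The neighbouring entries are tools an administrator runs by hand, so the different trust model deserves a comment: `# packagekitd is started by the system bus and acts on behalf of unprivileged clients`. With SELinux out of the picture for this domain, whether that is acceptable rests on PolicyKit, and it is better to state that explicitly than leave it implied.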
@@ -21,6 +22,9 @@
 /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -29,6 +33,7 @@
 
 /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
 
 # SuSE
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2008-06-12 23:37:59.000000000 -0400
@@ -152,6 +152,45 @@
 
 ########################################
 ## <summary>
+##	dontaudit read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_pipes',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rpm_script over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+	gen_require(`
+		type rpm_script_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rpm_script_t:dbus send_msg;
+	allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	rpm over dbus.
 ## </summary>
@@ -210,6 +249,24 @@
 
 ########################################
 ## <summary>
+##	dontaudit and use file descriptors from RPM scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_use_script_fds',`
+	gen_require(`
+		type rpm_script_t;
+	')
+
+	dontaudit $1 rpm_script_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete RPM
 ##	script temporary files.
 ## </summary>
@@ -225,7 +282,30 @@
 	')
 
 	files_search_tmp($1)
+	manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
 	manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+	manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+##	read, RPM
+##	script temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+	gen_require(`
+		type rpm_script_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+	read_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
 ')
 
 ########################################
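Review bot: The summary of the new `rpm_read_script_tmp_files` reads `read, RPM` / `script temporary files.` — a stray comma and line break; it should be `##	Read RPM script temporary files.`. The interface that gains `manage_dirs_pattern`/`manage_lnk_files_pattern` at the top of the hunk begins before the hunk (only its closing `')` of `gen_require` is visible); judging by the "Create, read, write, and delete RPM script temporary files" header just above, it is presumably `rpm_manage_script_tmp_files`, whose summary should then mention directories and symlinks too.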
@@ -289,3 +369,130 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
+
+
+########################################
+## <summary>
+##	Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_transition_script',`
+	gen_require(`
+		type rpm_script_t;
+	')
+
+	allow $1 rpm_script_t:process transition;
+
+	allow $1 rpm_script_t:fd use;
+	allow rpm_script_t $1:fd use;
+	allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+	allow rpm_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	allow domain to read, 
+##	write RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_rw_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 rpm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	write RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	write RPM shm
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_shm',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	dontaudit $1 rpm_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Read/write rpm tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read/write rpm tmpfs files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_rw_tmpfs_files',`
+	gen_require(`
+		type rpm_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 rpm_tmpfs_t:dir list_dir_perms;
+	rw_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+	read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write, and delete the 
+##	RPM var run files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_write_pid_files',`
+	gen_require(`
+		type rpm_var_run_t;
+	')
+
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te	2008-06-12 23:37:59.000000000 -0400
@@ -31,6 +31,9 @@
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
 
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -89,6 +92,9 @@
 manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
 
+manage_files_pattern(rpm_t,rpm_var_run_t,rpm_var_run_t)
+files_pid_filetrans(rpm_t,rpm_var_run_t, file)
+
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
 
@@ -139,6 +145,7 @@
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
+auth_use_nsswitch(rpm_t)
 
 # transition to rpm script:
 rpm_domtrans_script(rpm_t)
@@ -180,11 +187,18 @@
 ')
 
 optional_policy(`
-	hal_dbus_chat(rpm_t)
-')
+	optional_policy(`
+		hal_dbus_chat(rpm_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(rpm_t)
+	')
+
+	optional_policy(`
+		dbus_system_domain(rpm_t,rpm_exec_t)
+	')
 
-optional_policy(`
-	nis_use_ypbind(rpm_t)
 ')
 
 optional_policy(`
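Review bot: The outer `optional_policy` wrapper contains no statements of its own — only three nested optionals — so it adds a level of nesting without expressing any dependency; either it was meant to hold a direct `dbus_*` call (which is what the nesting pattern normally signals) or the three inner blocks should simply be siblings at top level. `dbus_system_domain(rpm_t,rpm_exec_t)` also deserves a why-comment, since it lets the system bus start rpm_exec_t into rpm_t on demand, which is new for this domain: `# packagekitd is bus-activated`. Dropping `nis_use_ypbind(rpm_t)` looks safe given `auth_use_nsswitch(rpm_t)` was added in the previous hunk, which presumably covers ypbind.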
@@ -195,6 +209,7 @@
 	unconfined_domain(rpm_t)
 	# yum-updatesd requires this
 	unconfined_dbus_chat(rpm_t)
+	unconfined_dbus_chat(rpm_script_t)
 ')
 
 ifdef(`TODO',`
@@ -321,6 +336,7 @@
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
 
 userdom_use_all_users_fds(rpm_script_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.8/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/su.if	2008-06-12 23:37:59.000000000 -0400
@@ -41,12 +41,11 @@
 
 	allow $2 $1_su_t:process signal;
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:key { search write };
 	allow $1_su_t self:process { setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
 
 	# Transition from the user domain to this domain.
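Review bot: The capability line loses `audit_control` as well as `audit_write`, and the `netlink_audit_socket` rule goes with it; a later hunk adds `logging_send_audit_msgs($1_su_t)`, which covers `audit_write` and the netlink relay permissions but, as far as I can tell, not `audit_control`. CAP_AUDIT_CONTROL is what writing `/proc/self/loginuid` needs, so if this su stack ever runs pam_loginuid the removal will surface as a denial. If the intent is that su never sets loginuid, that is fine — add `# no audit_control: su does not set loginuid` so the drop reads as deliberate. The template continues outside the hunk.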
@@ -75,6 +74,7 @@
 	selinux_compute_access_vector($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
+	auth_domtrans_upd_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
 	auth_rw_faillog($1_su_t)
@@ -89,6 +89,7 @@
 	libs_use_ld_so($1_su_t)
 	libs_use_shared_libs($1_su_t)
 
+	logging_send_audit_msgs($1_su_t)
 	logging_send_syslog_msg($1_su_t)
 
 	miscfiles_read_localization($1_su_t)
@@ -172,13 +173,12 @@
 	domain_interactive_fd($1_su_t)
 	role $3 types $1_su_t;
 
-	allow $2 $1_su_t:process signal;
+	allow $2 $1_su_t:process { getsched signal };
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
-	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:process { getsched setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
-	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:key { search write };
 
 	# Transition from the user domain to this domain.
@@ -188,7 +188,7 @@
 	corecmd_shell_domtrans($1_su_t,$2)
 	allow $2 $1_su_t:fd use;
 	allow $2 $1_su_t:fifo_file rw_file_perms;
-	allow $2 $1_su_t:process sigchld;
+	allow $2 $1_su_t:process { getsched signal };
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
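Review bot: The changed line under `corecmd_shell_domtrans($1_su_t,$2)` replaces `sigchld` with `{ getsched signal }`, which drops the `sigchld` permission outright — in SELinux `signal` excludes SIGCHLD, SIGKILL and SIGSTOP — so the shell that reverts to `$2` can no longer deliver SIGCHLD back to `$1_su_t` when it exits. The new value is also an exact duplicate of the `allow $2 $1_su_t:process { getsched signal };` line added a few lines up in the previous hunk, which suggests a copy-paste landed on the wrong line. It should read `allow $2 $1_su_t:process { getsched sigchld signal };`, or keep the original `sigchld`-only rule here since the other line already carries the rest.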
@@ -203,15 +203,18 @@
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
 
-	auth_domtrans_user_chk_passwd($1,$1_su_t)
+	auth_run_chk_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t })
+	auth_run_upd_passwd($1_su_t, $3, { $1_tty_device_t $1_devpts_t })
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
-	auth_rw_faillog($1_su_t)
+	auth_keyring_domain($1_su_t)
+	auth_search_key($1_su_t)
 
-	corecmd_search_bin($1_su_t)
+	corecmd_exec_bin($1_su_t)
 
 	domain_use_interactive_fds($1_su_t)
 
+	files_read_usr_symlinks($1_su_t)
 	files_read_etc_files($1_su_t)
 	files_read_etc_runtime_files($1_su_t)
 	files_search_var_lib($1_su_t)
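Review bot: `corecmd_search_bin` becomes `corecmd_exec_bin` for `$1_su_t`, which lets a domain holding `setuid setgid dac_override` execute any `bin_t` program in its own domain rather than merely look the directory up; that is a real widening and nothing in the hunk says what su now runs. If it is a PAM helper or the target user's shell when no transition applies, name it: `# su executes PAM helpers from bin_t in its own domain — TODO confirm`. The same hunk also drops `auth_rw_faillog($1_su_t)` — presumably because `auth_run_chk_passwd` moves the password check into chkpwd_t, which writes faillog itself — but that should be stated too, since failed-login accounting silently stopping is exactly the kind of regression nobody notices. The template's body continues beyond the hunk.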
@@ -226,6 +229,7 @@
 	libs_use_ld_so($1_su_t)
 	libs_use_shared_libs($1_su_t)
 
+	logging_send_audit_msgs($1_su_t)
 	logging_send_syslog_msg($1_su_t)
 
 	miscfiles_read_localization($1_su_t)
@@ -295,6 +299,8 @@
 		xserver_domtrans_user_xauth($1, $1_su_t)
 	')
 
+	userdom_search_all_users_home_dirs($1_su_t)
+
 	ifdef(`TODO',`
 	allow $1_su_t $1_home_t:file manage_file_perms;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.8/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/sudo.if	2008-06-12 23:37:59.000000000 -0400
@@ -55,7 +55,7 @@
 	#
 
 	# Use capabilities.
-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
@@ -68,7 +68,6 @@
 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_sudo_t self:unix_dgram_socket sendto;
 	allow $1_sudo_t self:unix_stream_socket connectto;
-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
 	allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
 
 	# Enter this derived domain from the user domain
@@ -76,6 +75,7 @@
 
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t,$2)
+	corecmd_bin_domtrans($1_sudo_t,$2)
 	allow $2 $1_sudo_t:fd use;
 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
 	allow $2 $1_sudo_t:process sigchld;
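Review bot: `corecmd_bin_domtrans($1_sudo_t,$2)` extends the revert-to-caller transition from shells to every `bin_t` executable, but the comment immediately above still says `when a shell is executed`; update it to `# By default, revert to the calling domain when a shell or any other bin_t program is executed.` The practical effect is that `sudo <cmd>` runs with root uid but in the caller's SELinux domain for all commands, not just shells — the existing design, only broader — and that comment is where the next reader will look for it.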
@@ -89,9 +89,11 @@
 	fs_search_auto_mountpoints($1_sudo_t)
 	fs_getattr_xattr_fs($1_sudo_t)
 
-	auth_domtrans_chk_passwd($1_sudo_t)
+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+	auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
+	auth_search_key($1_sudo_t)
 
 	corecmd_read_bin_symlinks($1_sudo_t)
 	corecmd_getattr_all_executables($1_sudo_t)
@@ -106,18 +108,21 @@
 	files_getattr_usr_files($1_sudo_t)
 	# for some PAM modules and for cwd
 	files_dontaudit_search_home($1_sudo_t)
+	files_list_tmp($1_sudo_t)
 
 	init_rw_utmp($1_sudo_t)
 
 	libs_use_ld_so($1_sudo_t)
 	libs_use_shared_libs($1_sudo_t)
 
+	logging_send_audit_msgs($1_sudo_t)
 	logging_send_syslog_msg($1_sudo_t)
 
 	miscfiles_read_localization($1_sudo_t)
 
 	userdom_manage_user_home_content_files($1,$1_sudo_t)
 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+
 	userdom_manage_user_tmp_files($1,$1_sudo_t)
 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
 	userdom_use_user_terminals($1,$1_sudo_t)
@@ -126,6 +131,10 @@
 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
 
 	optional_policy(`
+		locallogin_search_keys($1_sudo_t)
+	')
+
+	optional_policy(`
 		nis_use_ypbind($1_sudo_t)
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te	2008-06-12 23:37:59.000000000 -0400
@@ -28,6 +28,7 @@
 files_purge_tmp(tmpreaper_t)
 # why does it need setattr?
 files_setattr_all_tmp_dirs(tmpreaper_t)
+files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
 
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
@@ -43,5 +44,14 @@
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
 
 optional_policy(`
+	amavis_manage_spool_files(tmpreaper_t)
+')
+
+optional_policy(`
+	kismet_manage_log(tmpreaper_t)
+')
+
+optional_policy(`
 	lpd_manage_spool(tmpreaper_t)
 ')
+
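Review bot: `amavis_manage_spool_files(tmpreaper_t)` and `kismet_manage_log(tmpreaper_t)` grant create/write as well as delete, while the only thing tmpreaper does with these files is remove them; if the respective modules offer a delete-only or unlink interface, that would be the least-privilege choice, otherwise a one-line comment `# tmpreaper only removes stale spool/log files; no narrower interface available` would record why manage is used. The added line at the end of the file is a trailing blank line and should be dropped.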
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.8/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if	2008-06-12 23:37:59.000000000 -0400
@@ -265,6 +265,24 @@
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to use useradd fds
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`usermanage_dontaudit_useradd_use_fds',`
+	gen_require(`
+		type useradd_t;
+	')
+
+	dontaudit $1 useradd_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Read the crack database.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te	2008-06-12 23:37:59.000000000 -0400
@@ -92,10 +92,12 @@
 dev_read_urand(chfn_t)
 
 auth_domtrans_chk_passwd(chfn_t)
+auth_domtrans_upd_passwd(chfn_t)
 auth_dontaudit_read_shadow(chfn_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
+corecmd_exec_bin(chfn_t)
 
 domain_use_interactive_fds(chfn_t)
 
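Review bot: `corecmd_exec_bin(chfn_t)` now sits under the comment `# allow checking if a shell is executable`, which only describes `corecmd_check_exec_shell`; chfn is a setuid program, so executing arbitrary bin programs in its own domain deserves its own justification. Split it out with a comment such as `# chfn executes helpers from bin directories (presumably via PAM) in its own domain` — hedged, since the hunk does not show which helper is run.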
@@ -238,6 +240,7 @@
 userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+userdom_dontaudit_search_all_users_home_content(groupadd_t)
 
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
@@ -297,9 +300,11 @@
 term_use_all_user_ttys(passwd_t)
 term_use_all_user_ptys(passwd_t)
 
+auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
+auth_use_nsswitch(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)
@@ -315,6 +320,7 @@
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
 
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
@@ -511,6 +517,7 @@
 userdom_use_unpriv_users_fds(useradd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
+userdom_dontaudit_search_all_users_home_content(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_all_users_home_content_dirs(useradd_t)
@@ -520,6 +527,10 @@
 mta_manage_spool(useradd_t)
 
 optional_policy(`
+	apache_manage_all_content(useradd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(useradd_t)
 	dpkg_rw_pipes(useradd_t)
 ')
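Review bot: `apache_manage_all_content(useradd_t)` lets the user-creation tool create, write and delete every httpd content type on the system, which is far wider than what populating a new user's web directory needs; if the intent is only to set up per-user content under the home directory, a narrower apache interface limited to user home content (if the apache module provides one) would be preferable. At minimum add `# useradd populates new users' web content directories` above the call so the breadth is documented.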
@@ -529,6 +540,12 @@
 ')
 
 optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(useradd_t)
+	')
+')
+
+optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.8/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te	2008-06-12 23:37:59.000000000 -0400
@@ -23,6 +23,8 @@
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 
+domain_mmap_low(vbetool_t)
+
 term_use_unallocated_ttys(vbetool_t)
 
 libs_use_ld_so(vbetool_t)
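Review bot: `domain_mmap_low(vbetool_t)` is a security-sensitive exception (it bypasses the low-address mapping restriction that mmap_min_addr exists for) and is added without a comment; nothing in the hunk records why. Add `# vbetool maps the first page of memory to run video BIOS code; exempts it from mmap_min_addr` above the call so the exemption is not silently widened later — the BIOS rationale is my assumption and should be confirmed.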
@@ -33,4 +35,5 @@
 optional_policy(`
 	hal_rw_pid_files(vbetool_t)
 	hal_write_log(vbetool_t)
+	hal_dontaudit_append_lib_files(vbetool_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.0.8/policy/modules/admin/vpn.fc
--- nsaserefpolicy/policy/modules/admin/vpn.fc	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/vpn.fc	2008-06-12 23:37:59.000000000 -0400
@@ -7,3 +7,5 @@
 # sbin
 #
 /sbin/vpnc		--	gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.0.8/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/vpn.if	2008-06-12 23:37:59.000000000 -0400
@@ -67,3 +67,25 @@
 
 	allow $1 vpnc_t:process signal;
 ')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	Vpnc over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vpnc_dbus_chat',`
+	gen_require(`
+		type vpnc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 vpnc_t:dbus send_msg;
+	allow vpnc_t $1:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te	2008-06-12 23:37:55.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2008-06-12 23:37:59.000000000 -0400
@@ -22,7 +22,7 @@
 # Local policy
 #
 
-allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
 allow vpnc_t self:process getsched;
 allow vpnc_t self:fifo_file { getattr ioctl read write };
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
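Review bot: Adding `dac_override` to vpnc_t's capability set is unexplained in the hunk; if the need is only to read configuration or state owned by another uid, `dac_read_search` is the narrower capability and should be tried first. Whichever is kept, add a comment naming the file access that requires it, e.g. `# dac_override: <reason to be confirmed>`.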
@@ -38,8 +38,9 @@
 manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
 files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
 
+manage_dirs_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
 manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
-files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
+files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir})
 
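Review bot: The new `files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir})` is missing the space before the closing brace, unlike the `{ file dir }` form used two lines above in the same hunk; change it to `files_pid_filetrans(vpnc_t,vpnc_var_run_t,{ file dir })` for consistency.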
 kernel_read_system_state(vpnc_t)
 kernel_read_network_state(vpnc_t)
@@ -59,6 +60,7 @@
 corenet_udp_bind_all_nodes(vpnc_t)
 corenet_udp_bind_generic_port(vpnc_t)
 corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_udp_bind_ipsecnat_port(vpnc_t)
 corenet_tcp_connect_all_ports(vpnc_t)
 corenet_sendrecv_all_client_packets(vpnc_t)
 corenet_sendrecv_isakmp_server_packets(vpnc_t)
@@ -90,13 +92,14 @@
 locallogin_use_fds(vpnc_t)
 
 logging_send_syslog_msg(vpnc_t)
+logging_dontaudit_search_logs(vpnc_t)
 
 miscfiles_read_localization(vpnc_t)
 
 seutil_dontaudit_search_config(vpnc_t)
 seutil_use_newrole_fds(vpnc_t)
 
-sysnet_exec_ifconfig(vpnc_t)
+sysnet_domtrans_ifconfig(vpnc_t)
 sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-3.0.8/policy/modules/apps/ada.if
--- nsaserefpolicy/policy/modules/apps/ada.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/ada.if	2008-06-12 23:37:59.000000000 -0400
@@ -18,3 +18,34 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, ada_exec_t, ada_t)
 ')
+
+########################################
+## <summary>
+##	Execute ada in the ada domain, and
+##	allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the ada domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the ada domain to use.
+##	</summary>
+## </param>
+#
+interface(`ada_run',`
+	gen_require(`
+		type ada_t;
+	')
+
+	ada_domtrans($1)
+	role $2 types ada_t;
+	allow ada_t $3:chr_file rw_term_perms;
+')
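Review bot: The `terminal` parameter summary in `ada_run` reads "The type of the terminal allow the ada domain to use." and should be `The type of the terminal allowed for the ada domain to use.`; the identical wording is copied into `java_run` and `mono_run` further down in this patch.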
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.fc serefpolicy-3.0.8/policy/modules/apps/awstats.fc
--- nsaserefpolicy/policy/modules/apps/awstats.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/apps/awstats.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl		--	gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)?		gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)?				gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.if serefpolicy-3.0.8/policy/modules/apps/awstats.if
--- nsaserefpolicy/policy/modules/apps/awstats.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/apps/awstats.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,42 @@
+## <summary>
+##	AWStats is a free powerful and featureful tool that generates advanced
+##	web, streaming, ftp or mail server statistics, graphically.
+## </summary>
+
+########################################
+## <summary>
+##      Read and write awstats unnamed pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`awstats_rw_pipes',`
+	gen_require(`
+		type awstats_t;
+	')
+
+	allow $1 awstats_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##      Execute awstats cgi scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`awstats_cgi_exec',`
+	gen_require(`
+		type httpd_awstats_script_exec_t;
+	')
+
+	allow $1 httpd_awstats_content_t:dir search_dir_perms;
+	allow $1 httpd_awstats_script_exec_t:dir search_dir_perms;
+	can_exec($1,httpd_awstats_script_exec_t)
+')
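Review bot: `awstats_cgi_exec` uses `httpd_awstats_content_t` in its first allow rule but only requires `httpd_awstats_script_exec_t` in `gen_require`, so a module calling this interface without that type in scope will fail to link; add `type httpd_awstats_content_t;` to the `gen_require` block. The summary and param lines in this file are indented with spaces after `##` where the rest of the policy uses a tab, which the doc generator tolerates but reviewers will flag.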
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.0.8/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/apps/awstats.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,77 @@
+
+policy_module(awstats,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# awstats policy
+#
+
+awstats_rw_pipes(awstats_t)
+awstats_cgi_exec(awstats_t)
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file)
+
+# dontaudit access to /proc/meminfo
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_read_etc_files(awstats_t)
+# e.g. /usr/share/awstats/lang/awstats-en.txt
+files_read_usr_files(awstats_t)
+
+libs_read_lib_files(awstats_t)
+libs_use_ld_so(awstats_t)
+libs_use_shared_libs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+apache_read_log(awstats_t)
+
+optional_policy(`
+	cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+	# dontaudit searching nscd pid directory
+	nscd_dontaudit_search_pid(awstats_t)
+')
+
+########################################
+#
+# awstats cgi script policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir read;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
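Review bot: `allow httpd_awstats_script_t awstats_var_lib_t:dir read;` grants a bare `read` on the directory without the rest of the listing permissions, whereas the conventional form is `allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;` (the `read_files_pattern` call below already supplies `search`). `awstats_rw_pipes(awstats_t)` calls the module's own interface on itself; the .te idiom is `allow awstats_t self:fifo_file rw_fifo_file_perms;`. `apache_content_template(awstats)` and `apache_read_log(awstats_t)` are unconditional while cron and nscd are wrapped in `optional_policy`, making apache a hard dependency of this module — presumably intended given the CGI types, but worth a comment. The leading blank line before `policy_module` should also go.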
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.0.8/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gnome.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,8 +1,7 @@
+HOME_DIR/.gnome2(/.*)?		gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
 HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
 
-/etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
-
 /tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
 
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
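Review bot: The new `HOME_DIR/.gnome2(/.*)?` entry leaves the dot unescaped, so as a regex it matches any single character and will label e.g. a `HOME_DIR/xgnome2` path as `ROLE_gnome_home_t`; the neighbouring lines escape it. Change it to `HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:ROLE_gnome_home_t,s0)`.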
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.8/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gnome.if	2008-06-12 23:37:59.000000000 -0400
@@ -33,6 +33,51 @@
 ## </param>
 #
 template(`gnome_per_role_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+	type $1_gnome_home_t;
+	userdom_user_home_type($1_gnome_home_t)
+	userdom_user_home_content($1, $1_gnome_home_t)
+	manage_dirs_pattern($2,$1_gnome_home_t, $1_gnome_home_t)
+	manage_files_pattern($2,$1_gnome_home_t, $1_gnome_home_t)
+')
+	
+########################################
+## <summary>
+##	The per role template for the gnome gconf module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is used
+##	for gconf sessions.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each role, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_gconf_per_role_template',`
 	gen_require(`
 		type gconfd_exec_t;
 		attribute gnomedomain;
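Review bot: The line between the closing `')` of `gnome_per_role_template` and the `####` banner of `gnome_gconf_per_role_template` contains only a tab; make it an empty line. The reduced `gnome_per_role_template` now only declares `$1_gnome_home_t`, but its doc header above this hunk (not shown) presumably still describes the gconf session domain that moved to the new template — confirm and update that summary so the two templates are not documented identically.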
@@ -50,9 +95,6 @@
 	type $1_gconf_home_t;
 	userdom_user_home_content($1, $1_gconf_home_t)
 
-	type $1_gnome_home_t;
-	userdom_user_home_content($1, $1_gnome_home_t)
-
 	type $1_gconf_tmp_t;
 	files_tmp_file($1_gconf_tmp_t)
 
@@ -77,9 +119,6 @@
 	allow $1_gconfd_t $2:fifo_file write;
 	allow $1_gconfd_t $2:unix_stream_socket connectto;
 
-	allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
-	read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
-
 	ps_process_pattern($2,$1_gconfd_t)
 
 	dev_read_urand($1_gconfd_t)
@@ -100,9 +139,18 @@
 	gnome_stream_connect_gconf_template($1,$2)
 
 	optional_policy(`
+		mozilla_stream_connect_template($1,$1_gconfd_t)
+	')
+
+	optional_policy(`
 		nscd_dontaudit_search_pid($1_gconfd_t)
+		nscd_socket_use($1_gconfd_t)
 	')
 
+#	optional_policy(`
+#		ssh_dontaudit_use_user_ssh_agent_fds($1,$1_gconfd_t)
+#	')
+
 	optional_policy(`
 		xserver_use_xdm_fds($1_gconfd_t)
 		xserver_rw_xdm_pipes($1_gconfd_t)
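Review bot: The commented-out `optional_policy` block around `ssh_dontaudit_use_user_ssh_agent_fds($1,$1_gconfd_t)` is dead policy and will mislead the next maintainer; either remove it or replace it with a short note on why it is withheld, e.g. `# ssh_dontaudit_use_user_ssh_agent_fds not called: interface unavailable in this tree (confirm)`.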
@@ -135,13 +183,32 @@
 	allow $2 $1_gconfd_t:unix_stream_socket connectto;
 ')
 
+
+########################################
+## <summary>
+##	Send general signals to all gconf domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_signal_all',`
+	gen_require(`
+		attribute gnomedomain;
+	')
+
+	allow $1 gnomedomain:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Run gconfd in the role-specific gconfd domain.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Run gconfd in the role-specfic gconfd domain.
+##	Run gconfd in the role-specific gconfd domain.
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
@@ -170,6 +237,30 @@
 
 ########################################
 ## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_read_user_gnome_config',`
+	gen_require(`
+		type $1_gnome_home_t;
+	')
+
+	read_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
+')
+
+########################################
+## <summary>
 ##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="userdomain_prefix">
@@ -189,6 +280,26 @@
 		type $1_gnome_home_t;
 	')
 
-	allow $2 $1_gnome_home_t:dir manage_dir_perms;
-	allow $2 $1_gnome_home_t:file manage_file_perms;
+	manage_dirs_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
+	manage_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
 ')
+
+########################################
+## <summary>
+##	Execute gconf programs in 
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+	gen_require(`
+		type gconfd_exec_t;
+	')
+
+	can_exec($1, gconfd_exec_t)
+')
+
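Review bot: The summary of `gnome_exec_gconf` reads "Execute gconf programs in / in the caller domain." with a duplicated "in" and trailing whitespace on the first line; collapse it to `##	Execute gconf programs in the caller domain.`. The final added line is a trailing blank line at end of file.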
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.0.8/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gnome.te	2008-06-12 23:37:59.000000000 -0400
@@ -8,8 +8,5 @@
 
 attribute gnomedomain;
 
-type gconf_etc_t;
-files_type(gconf_etc_t)
-
 type gconfd_exec_t;
 application_executable_file(gconfd_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.0.8/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gpg.if	2008-06-12 23:37:59.000000000 -0400
@@ -80,6 +80,10 @@
 	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
 	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
 
+	# Thunderbird leaks descriptors
+	dontaudit $1_gpg_t $2:tcp_socket rw_socket_perms;
+	dontaudit $1_gpg_t $2:udp_socket rw_socket_perms;
+
 	# transition from the gpg domain to the helper domain
 	domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
 
@@ -116,6 +120,8 @@
 	files_read_usr_files($1_gpg_t)
 	files_dontaudit_search_var($1_gpg_t)
 
+	auth_use_nsswitch($1_gpg_t)
+
 	libs_use_shared_libs($1_gpg_t)
 	libs_use_ld_so($1_gpg_t)
 
@@ -123,14 +129,8 @@
 
 	logging_send_syslog_msg($1_gpg_t)
 
-	sysnet_read_config($1_gpg_t)
-
 	userdom_use_user_terminals($1,$1_gpg_t)
 
-	optional_policy(`
-		nis_use_ypbind($1_gpg_t)
-	')
-
 	ifdef(`TODO',`
 	# Read content to encrypt/decrypt/sign
 	read_content($1_gpg_t, $1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.0.8/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gpg.te	2008-06-12 23:37:59.000000000 -0400
@@ -19,3 +19,4 @@
 # type for the pinentry executable
 type pinentry_exec_t;
 application_executable_file(pinentry_exec_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.fc	2008-06-12 23:37:59.000000000 -0400
@@ -3,14 +3,15 @@
 #
 /opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:java_exec_t,s0)
 /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
 
 #
 # /usr
 #
 /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
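Review bot: The rewritten MATLAB patterns `/opt/local/matlab.*/bin.*/MATLAB.*` and `/opt/matlab.*/bin.*/MATLAB.*` are much looser than the `(.*/)?MATLAB.` forms they replace: `matlab.*` and `bin.*` match any continuation, so any regular file whose path contains those three fragments in order becomes `java_exec_t`. If the aim is versioned install directories, `/opt/matlab[^/]*/bin(/.*)?/MATLAB[^/]*` keeps the intent while staying anchored to path components; the same applies to the `/usr/local/matlab.*` and `/usr/matlab.*` lines in the next hunk.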
@@ -20,5 +21,9 @@
 /usr/bin/grmic  	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/grmiregistry  	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/jv-convert  	--	gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar  	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.if	2008-06-12 23:37:59.000000000 -0400
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
 	gen_require(`
 		type java_exec_t;
 	')
@@ -57,11 +57,14 @@
 	# Local policy
 	#
 
-	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
+	allow $1_javaplugin_t self:process { signal_perms getsched ptrace setsched execmem execstack };
 	allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
-	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
+	allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms;
 	allow $1_javaplugin_t self:udp_socket create_socket_perms;
 	
+	allow $1_javaplugin_t $1_t:process signull;
+	allow $1_javaplugin_t $1_t:unix_stream_socket connectto;
+	allow $1_t $1_javaplugin_t:unix_stream_socket connectto;
 	allow $1_javaplugin_t $2:unix_stream_socket connectto;
 	allow $1_javaplugin_t $2:unix_stream_socket { read write };
 	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
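Review bot: `execstack` (and `ptrace`) are now unconditionally allowed on `$1_javaplugin_t self:process`, yet the `tunable_policy('allow_java_execstack', ...)` block later in this patch still allows `execstack`, so the tunable no longer gates anything; the hunk at `@@ -69,6 +72,7` likewise moves `allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;` out of that tunable. Either keep both rules inside the tunable or delete the tunable and document that the plugin always runs with an executable stack and executable tmp files. Self `ptrace` is not explained anywhere in the patch and deserves a comment stating which plugin behaviour needs it.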
@@ -69,6 +72,7 @@
 	manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
 	manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
 	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
+	allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
 
 	manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
 	manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
@@ -81,9 +85,7 @@
 
 	can_exec($1_javaplugin_t, java_exec_t)
 	
-	# The user role is authorized for this domain.
-	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-	allow $1_javaplugin_t $2:fd use;
+	domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
 	allow $1_javaplugin_t $2:process signull;
@@ -94,7 +96,7 @@
 	kernel_read_system_state($1_javaplugin_t)
 
 	# Search bin directory under javaplugin for javaplugin executable
-	corecmd_search_bin($1_javaplugin_t)
+	corecmd_exec_bin($1_javaplugin_t)
 
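Review bot: The comment `# Search bin directory under javaplugin for javaplugin executable` no longer matches the line under it, which now calls `corecmd_exec_bin` and lets the plugin execute any bin program in its own domain. Replace it with `# Execute helper programs from bin directories in the plugin domain` or restore `corecmd_search_bin` if only lookup was needed.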
 	corenet_all_recvfrom_unlabeled($1_javaplugin_t)
 	corenet_all_recvfrom_netlabel($1_javaplugin_t)
@@ -107,10 +109,12 @@
 	corenet_tcp_connect_all_ports($1_javaplugin_t)
 	corenet_sendrecv_all_client_packets($1_javaplugin_t)
 
+	dev_list_sysfs($1_javaplugin_t)
 	dev_read_sound($1_javaplugin_t)
 	dev_write_sound($1_javaplugin_t)
 	dev_read_urand($1_javaplugin_t)
 	dev_read_rand($1_javaplugin_t)
+	dev_write_rand($1_javaplugin_t)
 
 	files_read_etc_files($1_javaplugin_t)
 	files_read_usr_files($1_javaplugin_t)
@@ -122,6 +126,9 @@
 
 	fs_getattr_xattr_fs($1_javaplugin_t)
 	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+	fs_getattr_tmpfs($1_javaplugin_t)
+
+	auth_use_nsswitch($1_javaplugin_t)
 
 	libs_use_ld_so($1_javaplugin_t)
 	libs_use_shared_libs($1_javaplugin_t)
@@ -134,9 +141,13 @@
 
 	sysnet_read_config($1_javaplugin_t)
 
+	userdom_manage_user_tmp_dirs($1,$1_javaplugin_t)
+	userdom_manage_user_tmp_files($1,$1_javaplugin_t)
+	userdom_manage_user_tmp_sockets($1,$1_javaplugin_t)
+	userdom_read_user_tmpfs_files($1,$1_javaplugin_t)
 	userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
 	userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
-	userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
+	userdom_exec_user_home_content_files($1,$1_javaplugin_t)
 	userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
 	userdom_manage_user_home_content_files($1,$1_javaplugin_t)
 	userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
@@ -147,8 +158,6 @@
 	tunable_policy(`allow_java_execstack',`
 		allow $1_javaplugin_t self:process execstack;
 
-		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
 		libs_legacy_use_shared_libs($1_javaplugin_t)
 		libs_legacy_use_ld_so($1_javaplugin_t)
 
@@ -166,6 +175,63 @@
 	optional_policy(`
 		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
 	')
+
+')
+
+#######################################
+## <summary>
+##	The per role template for the java module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for java applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`java_per_role_template',`
+	gen_require(`
+		type java_exec_t;
+	')
+
+	type $1_java_t;
+	domain_type($1_java_t)
+	domain_entry_file($1_java_t,java_exec_t)
+	role $3 types $1_java_t;
+
+	domain_interactive_fd($1_java_t)
+
+	userdom_unpriv_usertype($1, $1_java_t)
+	userdom_exec_user_home_content_files($1,$1_java_t)
+
+	allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+	domtrans_pattern($2, java_exec_t, $1_java_t)
+
+	dev_read_urand($1_java_t)
+	dev_read_rand($1_java_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_java_t)
+
+	optional_policy(`
+		xserver_xdm_rw_shm($1_java_t)
+	')
 ')
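Review bot: The new `java_per_role_template` issues `domtrans_pattern($2, java_exec_t, $1_java_t)`, while `java_plugin_per_role_template` above issues `domtrans_pattern($2, java_exec_t, $1_javaplugin_t)`; if both templates are instantiated for the same user domain, the two default type transitions on `$2 java_exec_t:process` conflict and the policy will not build — confirm the calling modules never invoke both for one prefix, or drop the automatic transition from one of them. The added blank line immediately before the closing `')` of the plugin template should be removed.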
 
 ########################################
@@ -219,3 +285,66 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, java_exec_t, java_t)
 ')
+
+########################################
+## <summary>
+##	Execute a java in the specified domain
+## </summary>
+## <desc>
+##	<p>
+##	Execute the java command in the specified domain.  This allows
+##	the specified domain to execute any file
+##	on these filesystems in the specified
+##	domain. 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`java_spec_domtrans',`
+	gen_require(`
+		type java_exec_t;
+	')
+
+	domain_trans($1,java_exec_t,$2)
+	type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+## <summary>
+##	Execute java in the java domain, and
+##	allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the java domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the java domain to use.
+##	</summary>
+## </param>
+#
+interface(`java_run',`
+	gen_require(`
+		type java_t;
+	')
+
+	java_domtrans($1)
+	role $2 types java_t;
+	allow java_t $3:chr_file rw_term_perms;
+')
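Review bot: The `<desc>` of `java_spec_domtrans` ("allows the specified domain to execute any file on these filesystems") is copied from a filesystem interface and does not describe a process transition; replace it with `Execute java_exec_t files in the specified target domain, transitioning from the caller.`. Unlike `java_domtrans` just above, it also omits `corecmd_search_bin($1)`, so callers may be unable to reach the binary — add that line before `domain_trans` unless the omission is deliberate. The `terminal` param summary carries the same "allow the java domain" wording flagged for `ada_run`.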
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.0.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.te	2008-06-12 23:37:59.000000000 -0400
@@ -23,11 +23,23 @@
 #
 
 # execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
 
-init_dbus_chat_script(java_t)
+optional_policy(`
+	init_dbus_chat_script(java_t)
+	optional_policy(`
+		hal_dbus_chat(java_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_chat(java_t)
+	')
+')
 
 optional_policy(`
 	unconfined_domain_noaudit(java_t)
-	unconfined_dbus_chat(java_t)
+')
+
+optional_policy(`
+		xserver_xdm_rw_shm(java_t)
 ')
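Review bot: `xserver_xdm_rw_shm(java_t)` inside the last `optional_policy` block is indented with two tabs while every other block in the file uses one; change it to a single tab. The new `sigkill` self permission is added without a comment, unlike the `execheap` note above it — a short `# sigkill: <reason>` would keep the two lines consistent.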
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.8/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/loadkeys.te	2008-06-12 23:37:59.000000000 -0400
@@ -41,6 +41,9 @@
 
 miscfiles_read_localization(loadkeys_t)
 
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
+userdom_dontaudit_list_user_home_dirs(user, loadkeys_t)
+
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
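Review bot: `userdom_dontaudit_list_user_home_dirs(user, loadkeys_t)` hard-codes the `user` prefix, so the same denial from staff or sysadm home directories will still be audited, unlike the preceding `userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)` which covers all unprivileged users; if the userdom module provides an unpriv/all-users variant of the list interface, use it instead, otherwise add `# only the user_ prefix is covered here` so the gap is visible.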
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if	2008-06-12 23:37:59.000000000 -0400
@@ -18,3 +18,105 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, mono_exec_t, mono_t)
 ')
+
+########################################
+## <summary>
+##	Read and write to mono shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+	gen_require(`
+		type mono_t;
+	')
+
+	allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Execute mono in the mono domain, and
+##	allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the mono domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the mono domain to use.
+##	</summary>
+## </param>
+#
+interface(`mono_run',`
+	gen_require(`
+		type mono_t;
+	')
+
+	mono_domtrans($1)
+	role $2 types mono_t;
+	allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##	The per role template for the mono module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for mono applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`mono_per_role_template',`
+	gen_require(`
+		type mono_exec_t;
+	')
+
+	type $1_mono_t;
+	domain_type($1_mono_t)
+	domain_entry_file($1_mono_t,mono_exec_t)
+	role $3 types $1_mono_t;
+
+	domain_interactive_fd($1_mono_t)
+
+	userdom_unpriv_usertype($1, $1_mono_t)
+
+	allow $1_mono_t self:process { execheap execmem };
+	allow $2 $1_mono_t:process noatsecure;
+
+	domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_mono_t)
+
+	optional_policy(`
+		xserver_xdm_rw_shm($1_mono_t)
+	')
+')
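Review bot: `allow $2 $1_mono_t:process noatsecure;` in mono_per_role_template grants only noatsecure, while the equivalent inheritance rules elsewhere in this patch (mozilla.if, openoffice.if) use `{ noatsecure siginh rlimitinh }`; if the difference is intentional it deserves a comment, otherwise align them. The `execheap execmem` self rule has no why-comment; something like `# execmem/execheap: the mono runtime generates native code in writable pages (confirm)` would explain the W^X relaxation the way java.te does. The desc text `This template creates a derived domains which are used` should read `creates derived domains which are used`; the same wording is copied into openoffice.if later in this diff.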
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.te	2008-06-12 23:37:59.000000000 -0400
@@ -15,7 +15,7 @@
 # Local policy
 #
 
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { signal getsched execheap execmem };
 
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
 
@@ -46,3 +46,7 @@
 	unconfined_dbus_chat(mono_t)
 	unconfined_dbus_connect(mono_t)
 ')
+
+optional_policy(`
+	xserver_xdm_rw_shm(mono_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if	2008-06-12 23:37:59.000000000 -0400
@@ -36,6 +36,8 @@
 	gen_require(`
 		type mozilla_conf_t, mozilla_exec_t;
 	')
+	gen_tunable(browser_confine_$1,false)
+	gen_tunable(browser_write_$1_data,false)
 
 	########################################
 	#
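Review bot: The two `gen_tunable` lines are declared without the `## <desc>` block refpolicy puts in front of every tunable (the one removed from mozilla.te later in this diff shows the form), so the booleans will carry no documentation in generated policy docs, and they sit next to gen_require instead of under the `Local booleans` header the next hunk adds. Move them under that header and precede each with a short desc; for `browser_confine_$1` the desc should state that the default `false` leaves the browser running in the user's own domain, since that is the security-relevant consequence. The enclosing template starts outside this hunk.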
@@ -52,13 +54,21 @@
 	type $1_mozilla_tmpfs_t;
 	files_tmpfs_file($1_mozilla_tmpfs_t)
 
+	type $1_mozilla_tmp_t;
+	files_tmp_file($1_mozilla_tmp_t)
+
+	########################################
+	#
+	# Local booleans
+	#
+
 	########################################
 	#
 	# Local policy
 	#
 
 	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
-	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+	allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit };
 	allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
 	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
 	allow $1_mozilla_t self:sem create_sem_perms;
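Review bot: `$1_mozilla_tmp_t` is declared here but no rule in the visible hunks of this template uses it; the tmp rules added later rely on `userdom_*_user_tmp_*` and `userdom_tmp_filetrans_user_tmp`, so either the private tmp type is dead or its rules are missing. Adding `ptrace` to the self:process set lets any `$1_mozilla_t` process inspect another browser process's memory; a comment naming the feature that needs it (a crash reporter, for instance — confirm) would justify the widening. The `Local booleans` header added here is empty because the tunables were placed in the previous hunk.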
@@ -66,11 +76,15 @@
 	allow $1_mozilla_t self:unix_stream_socket { listen accept };
 	# Browse the web, connect to printer
 	allow $1_mozilla_t self:tcp_socket create_socket_perms;
-	allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
 
 	# for bash - old mozilla binary
 	can_exec($1_mozilla_t, mozilla_exec_t)
 
+	domain_read_all_domains_state($1_mozilla_t)
+
+	fs_getattr_tmpfs($1_mozilla_t)
+	fs_manage_tmpfs_files($1_mozilla_t)
+
 	# X access, Home files
 	manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
 	manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
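Review bot: `fs_manage_tmpfs_files($1_mozilla_t)` grants create/write/unlink on generic tmpfs files, whereas the rules removed in the next hunk limited the browser to its own `$1_mozilla_tmpfs_t`; combined with `domain_read_all_domains_state`, which exposes the /proc state of every domain on the system, this is a noticeable widening for a domain that parses untrusted web content. If the generic tmpfs access is needed for one specific path, a filetrans into the private type would be narrower. Dropping `netlink_route_socket` without a replacement may also break interface enumeration — worth confirming on a test system.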
@@ -96,15 +110,41 @@
 	relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
 	relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
 
-	manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
-
 	allow $1_mozilla_t $2:process signull;
 
-	domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	tunable_policy(`browser_confine_$1',`
+		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	',`
+		can_exec($2, mozilla_exec_t)
+	')
+
+	userdom_read_user_tmpfs_files($1,$1_mozilla_t)
+	userdom_read_user_home_content_files($1,$1_mozilla_t)
+	userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+	userdom_read_user_tmp_files($1,$1_mozilla_t)
+	userdom_list_user_files($1,$1_mozilla_t)
+	userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
+	userdom_manage_user_tmp_files($1,$1_mozilla_t)
+	userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+	userdom_tmp_filetrans_user_tmp($1,$1_mozilla_t, { file dir sock_file })
+
+	ifdef(`enable_mls',`',`
+		fs_search_removable($1_mozilla_t)
+		fs_read_removable_files($1_mozilla_t)
+		fs_read_removable_symlinks($1_mozilla_t)
+	')
+
+	tunable_policy(`browser_write_$1_data',`
+		userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+		userdom_manage_user_home_content_files($1,$1_mozilla_t)
+		userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
+		userdom_manage_user_home_content_pipes($1,$1_mozilla_t)
+		userdom_user_home_dir_filetrans_user_home_content($1,$1_mozilla_t, { file dir })
+		', `
+		# helper apps will try to create .files
+		userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t)
+		userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)
+	')
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
 
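Review bot: With `browser_confine_$1` defaulting to `false`, the else branch `can_exec($2, mozilla_exec_t)` is what ships, so the browser runs in the caller's user domain and none of the `$1_mozilla_t` rules in this template apply until an administrator enables the boolean; the code being replaced transitioned unconditionally. That inversion of the default should be documented on the tunable and reviewed as a design choice. Minor: the else separator `', `` carries stray whitespace compared with `',`` a few lines earlier, and `userdom_read_user_home_content_files` is now unconditional whereas it was previously gated by `mozilla_read_content`.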
@@ -112,11 +152,13 @@
 	ps_process_pattern($2,$1_mozilla_t)
 	allow $2 $1_mozilla_t:process signal_perms;
 	
+	kernel_read_fs_sysctls($1_mozilla_t)
 	kernel_read_kernel_sysctls($1_mozilla_t)
 	kernel_read_network_state($1_mozilla_t)
 	# Access /proc, sysctl
-	kernel_read_system_state($1_mozilla_t)
-	kernel_read_net_sysctls($1_mozilla_t)
+	kernel_dontaudit_read_system_state($1_mozilla_t)
+#	kernel_read_system_state($1_mozilla_t)
+#	kernel_read_net_sysctls($1_mozilla_t)
 
 	# Look for plugins 
 	corecmd_list_bin($1_mozilla_t)
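Review bot: `#	kernel_read_system_state($1_mozilla_t)` and `#	kernel_read_net_sysctls($1_mozilla_t)` are commented-out policy; either delete them or replace them with a comment stating why the access was withdrawn. Switching to `kernel_dontaudit_read_system_state` hides the denials for generic /proc reads rather than granting them, which is fine as a tightening but makes later troubleshooting harder, so the reason belongs next to the rule. The template continues outside this hunk.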
@@ -165,13 +207,28 @@
 	files_read_var_files($1_mozilla_t)
 	files_read_var_symlinks($1_mozilla_t)
  	files_dontaudit_getattr_boot_dirs($1_mozilla_t)
+	files_dontaudit_list_non_security($1_mozilla_t)
+	files_dontaudit_getattr_non_security_files($1_mozilla_t)
+	files_dontaudit_getattr_non_security_symlinks($1_mozilla_t)
+	files_dontaudit_getattr_non_security_pipes($1_mozilla_t)
+	files_dontaudit_getattr_non_security_sockets($1_mozilla_t)
+
+	dev_dontaudit_getattr_all_blk_files($1_mozilla_t)
+	dev_dontaudit_getattr_all_chr_files($1_mozilla_t)
 
 	fs_search_auto_mountpoints($1_mozilla_t)
 	fs_list_inotifyfs($1_mozilla_t)
+	fs_manage_dos_dirs($1_mozilla_t)
+	fs_manage_dos_files($1_mozilla_t)
 	fs_rw_tmpfs_files($1_mozilla_t)
+	fs_read_noxattr_fs_files($1_mozilla_t)
+
+	selinux_dontaudit_getattr_fs($1_mozilla_t)
 
 	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
 	
+	auth_use_nsswitch($1_mozilla_t)
+
 	libs_use_ld_so($1_mozilla_t)
 	libs_use_shared_libs($1_mozilla_t)
 
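Review bot: `fs_manage_dos_dirs` and `fs_manage_dos_files` give the browser unconditional write access to every DOS-formatted filesystem (typically removable media), where the code removed later in this diff only allowed removable reads behind a tunable. Since the patch introduces `browser_write_$1_data`, the DOS rules would fit naturally inside that `tunable_policy` block instead of being unconditional. The run of `*_dontaudit_getattr_*` rules would also benefit from one comment naming the noisy file scan that motivated them.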
@@ -180,16 +237,8 @@
 	miscfiles_read_fonts($1_mozilla_t)
 	miscfiles_read_localization($1_mozilla_t)
 
-	# Browse the web, connect to printer
-	sysnet_dns_name_resolve($1_mozilla_t)
-	sysnet_read_config($1_mozilla_t)
-	
-	userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
-	userdom_manage_user_home_content_files($1,$1_mozilla_t)
-	userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
-	userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
-	userdom_manage_user_tmp_files($1,$1_mozilla_t)
-	userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+	userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+	userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
 	
 	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
 	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
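Review bot: `userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)` is dead: the same template allows `userdom_read_user_tmp_files($1,$1_mozilla_t)` a few hunks earlier, and a dontaudit on an already-allowed permission has no effect, so keep whichever one reflects the intent. Removing `sysnet_dns_name_resolve` and `sysnet_read_config` looks intentional if `auth_use_nsswitch`, added earlier in this template, is meant to cover name resolution — a one-line comment would save readers from hunting for the DNS rules.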
@@ -211,131 +260,8 @@
 		fs_manage_cifs_symlinks($1_mozilla_t)
 	')
 
-	# Uploads, local html
-	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_nfs_files($1_mozilla_t)
-		fs_read_nfs_symlinks($1_mozilla_t)
-	
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_nfs_files($1_mozilla_t)
-		fs_dontaudit_list_nfs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_cifs_files($1_mozilla_t)
-		fs_read_cifs_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_cifs_files($1_mozilla_t)
-		fs_dontaudit_list_cifs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content',`
-		userdom_list_user_tmp($1,$1_mozilla_t)
-		userdom_read_user_tmp_files($1,$1_mozilla_t)
-		userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
-		userdom_search_user_home_dirs($1,$1_mozilla_t)
-		userdom_read_user_home_content_files($1,$1_mozilla_t)
-		userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
-		
-		ifdef(`enable_mls',`',`
-			fs_search_removable($1_mozilla_t)
-			fs_read_removable_files($1_mozilla_t)
-			fs_read_removable_symlinks($1_mozilla_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_removable($1_mozilla_t)
-		fs_dontaudit_read_removable_files($1_mozilla_t)
-		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_default_t',`
-		files_list_default($1_mozilla_t)
-		files_read_default_files($1_mozilla_t)
-		files_read_default_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_read_default_files($1_mozilla_t)
-		files_dontaudit_list_default($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_untrusted_content',`
-		files_list_tmp($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		userdom_search_user_home_dirs($1,$1_mozilla_t)
-	
-		userdom_list_user_untrusted_content($1,$1_mozilla_t)
-		userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
-		userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
-		userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
-	')
-
-	# Save web pages
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_nfs_dirs($1_mozilla_t)
-		fs_manage_nfs_files($1_mozilla_t)
-		fs_manage_nfs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_nfs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_cifs_dirs($1_mozilla_t)
-		fs_manage_cifs_files($1_mozilla_t)
-		fs_manage_cifs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_cifs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_mozilla_t)
-		userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
-		files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
-		files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
-
-		userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
-		userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
-		userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
-		',`
-		files_dontaudit_list_home($1_mozilla_t)
-		files_dontaudit_list_tmp($1_mozilla_t)
-
-		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
-
+	optional_policy(`
+		alsa_read_rw_config($1_mozilla_t)
 	')
 
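Review bot: This hunk removes every `tunable_policy` on `mozilla_read_content`, and the mozilla.te hunk later in this diff removes the `gen_tunable` itself, so deployments that set `mozilla_read_content` in their boolean configuration will fail to apply it after upgrade; a release note or a transitional stub is the usual way to retire a public boolean. The removed blocks also carried the `fs_dontaudit_*` and `userdom_dontaudit_*` rules for NFS/CIFS home listings, so if those denials are expected to reappear in the audit log the commit message should say so.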
 	optional_policy(`
@@ -350,21 +276,31 @@
 	optional_policy(`
 		cups_read_rw_config($1_mozilla_t)
 		cups_dbus_chat($1_mozilla_t)
+		cups_stream_connect($1_mozilla_t)
+	')
+
+	optional_policy(`
+		hal_dbus_chat($1_mozilla_t)
 	')
 
 	optional_policy(`
 		dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
-		dbus_send_system_bus($1_mozilla_t)
-		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
-		dbus_send_user_bus($1,$1_mozilla_t)
+#	dbus_send_user_bus(xguest,xguest_mozilla_t)
+#	dbus_connectto_user_bus(xguest,xguest_mozilla_t)
+	')
+
+	optional_policy(`
+		gnome_exec_gconf($1_mozilla_t)
+		gnome_manage_user_gnome_config($1,$1_mozilla_t)
 	')
 
 	optional_policy(`
+		gnome_domtrans_user_gconf($1,$1_mozilla_t)
 		gnome_stream_connect_gconf_template($1,$1_mozilla_t)
 	')
 
 	optional_policy(`
-		java_domtrans_user_javaplugin($1, $1_mozilla_t)
+		java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
 	')
 
 	optional_policy(`
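Review bot: `#	dbus_send_user_bus(xguest,xguest_mozilla_t)` and `#	dbus_connectto_user_bus(xguest,xguest_mozilla_t)` are commented-out code with a hard-coded `xguest` prefix inside a template parameterised on `$1`; remove them or, if the user-bus rules are coming back, write them against `$1`. Invoking `java_plugin_per_role_template($1, $1_mozilla_t, $1_r)` from inside this template means any other invocation of that template for the same prefix would redeclare the per-role plugin types — confirm nothing in the user-domain templates already calls it.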
@@ -377,32 +313,9 @@
 	')
 
 	optional_policy(`
-		nscd_socket_use($1_mozilla_t)
-	')
-
-	optional_policy(`
 		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
 	')
 
-	ifdef(`TODO',`
-		#NOTE commented out in strict.
-		######### Launch email client, and make webcal links work
-		#ifdef(`evolution.te', `
-		#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-		#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-		#')
-	
-		# Macros for mozilla/mozilla (or other browser) domains.
-		# FIXME: Rules were removed to centralize policy in a gnome_app macro
-		# A similar thing might be necessary for mozilla compiled without GNOME
-		# support (is this possible?). 
-
-		# GNOME integration
-		optional_policy(`
-			gnome_application($1_mozilla, $1)
-			gnome_file_dialog($1_mozilla, $1)
-		')
-	')
 ')
 
 ########################################
@@ -575,3 +488,27 @@
 
 	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##	mozilla connection template.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`mozilla_stream_connect_template',`
+	gen_require(`
+		type $1_mozilla_t;
+	')
+
+	allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
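Review bot: The summary `mozilla connection template.` does not say what the template grants; `##	Connect to the user mozilla domain over a unix stream socket.` matches the single rule in the body. The second parameter is documented as `The type of the user domain.`, but it is the domain being allowed to connect, which need not be the user domain — `Domain allowed to connect to the user mozilla domain.` is more accurate.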
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.te	2008-06-12 23:37:59.000000000 -0400
@@ -6,13 +6,6 @@
 # Declarations
 #
 
-## <desc>
-## <p>
-## Control mozilla content access
-## </p>
-## </desc>
-gen_tunable(mozilla_read_content,false)
-
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.0.8/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/apps/openoffice.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
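Review bot: The two entries differ only in `lib` versus `lib64`; a single `/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)` line is the usual refpolicy form. The new file also ends with an empty line, which the other .fc files in this diff avoid.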
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.0.8/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/apps/openoffice.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,212 @@
+## <summary>Openoffice</summary>
+
+#######################################
+## <summary>
+##	The per role template for the openoffice module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for openoffice plugins that are executed by a browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`openoffice_plugin_per_role_template',`
+	gen_require(`
+		type openoffice_exec_t;
+	')
+	
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_openofficeplugin_t;
+	application_domain($1_openofficeplugin_t,openoffice_exec_t)
+	role $3 types $1_openofficeplugin_t;
+	
+	type $1_openofficeplugin_tmp_t;
+	files_tmp_file($1_openofficeplugin_tmp_t)
+
+	type $1_openofficeplugin_tmpfs_t;
+	files_tmpfs_file($1_openofficeplugin_tmpfs_t)
+	
+	########################################
+	#
+	# Local policy
+	#
+
+	allow $1_openofficeplugin_t self:process {  execmem execstack signal_perms getsched ptrace setsched };
+	allow $1_openofficeplugin_t self:fifo_file rw_fifo_file_perms;
+	allow $1_openofficeplugin_t self:tcp_socket create_stream_socket_perms;
+	allow $1_openofficeplugin_t self:udp_socket create_socket_perms;
+	
+	allow $1_openofficeplugin_t $1_t:process signull;
+	allow $1_openofficeplugin_t $1_t:unix_stream_socket connectto;
+	allow $1_t $1_openofficeplugin_t:unix_stream_socket connectto;
+	allow $1_openofficeplugin_t $2:unix_stream_socket connectto;
+	allow $1_openofficeplugin_t $2:tcp_socket { read write };
+
+	manage_dirs_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t)
+	manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t)
+	files_tmp_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,{ file dir })
+	allow $1_openofficeplugin_t $1_openofficeplugin_tmp_t:file execute;
+
+	manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
+	manage_lnk_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
+	manage_fifo_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
+	manage_sock_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
+	fs_tmpfs_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+	can_exec($1_openofficeplugin_t, openoffice_exec_t)
+	
+	domtrans_pattern($2, openoffice_exec_t, $1_openofficeplugin_t)
+	# Unrestricted inheritance from the caller.
+	allow $2 $1_openofficeplugin_t:process { noatsecure siginh rlimitinh };
+	allow $1_openofficeplugin_t $2:process signull;
+	
+	kernel_read_all_sysctls($1_openofficeplugin_t)
+	kernel_search_vm_sysctl($1_openofficeplugin_t)
+	kernel_read_network_state($1_openofficeplugin_t)
+	kernel_read_system_state($1_openofficeplugin_t)
+
+	# Search bin directory under openofficeplugin for openofficeplugin executable
+	corecmd_exec_bin($1_openofficeplugin_t)
+
+	corenet_all_recvfrom_unlabeled($1_openofficeplugin_t)
+	corenet_all_recvfrom_netlabel($1_openofficeplugin_t)
+	corenet_tcp_sendrecv_generic_if($1_openofficeplugin_t)
+	corenet_udp_sendrecv_generic_if($1_openofficeplugin_t)
+	corenet_tcp_sendrecv_all_nodes($1_openofficeplugin_t)
+	corenet_udp_sendrecv_all_nodes($1_openofficeplugin_t)
+	corenet_tcp_sendrecv_all_ports($1_openofficeplugin_t)
+	corenet_udp_sendrecv_all_ports($1_openofficeplugin_t)
+	corenet_tcp_connect_all_ports($1_openofficeplugin_t)
+	corenet_sendrecv_all_client_packets($1_openofficeplugin_t)
+
+	dev_list_sysfs($1_openofficeplugin_t)
+	dev_read_sound($1_openofficeplugin_t)
+	dev_write_sound($1_openofficeplugin_t)
+	dev_read_urand($1_openofficeplugin_t)
+	dev_read_rand($1_openofficeplugin_t)
+	dev_write_rand($1_openofficeplugin_t)
+
+	files_read_etc_files($1_openofficeplugin_t)
+	files_read_usr_files($1_openofficeplugin_t)
+	files_search_home($1_openofficeplugin_t)
+	files_search_var_lib($1_openofficeplugin_t)
+	files_read_etc_runtime_files($1_openofficeplugin_t)
+	# Read global fonts and font config
+	files_read_etc_files($1_openofficeplugin_t)
+
+	fs_getattr_xattr_fs($1_openofficeplugin_t)
+	fs_dontaudit_rw_tmpfs_files($1_openofficeplugin_t)
+	fs_getattr_tmpfs($1_openofficeplugin_t)
+
+	auth_use_nsswitch($1_openofficeplugin_t)
+
+	libs_use_ld_so($1_openofficeplugin_t)
+	libs_use_shared_libs($1_openofficeplugin_t)
+
+	logging_send_syslog_msg($1_openofficeplugin_t)
+
+	miscfiles_read_localization($1_openofficeplugin_t)
+	# Read global fonts and font config
+	miscfiles_read_fonts($1_openofficeplugin_t)
+
+	userdom_manage_unpriv_users_home_content_files($1_openofficeplugin_t)
+	userdom_dontaudit_use_user_terminals($1,$1_openofficeplugin_t)
+	userdom_dontaudit_setattr_user_home_content_files($1,$1_openofficeplugin_t)
+	userdom_exec_user_home_content_files($1,$1_openofficeplugin_t)
+	userdom_manage_user_tmp_dirs($1,$1_openofficeplugin_t)
+	userdom_manage_user_tmp_files($1,$1_openofficeplugin_t)
+	userdom_manage_user_tmp_sockets($1,$1_openofficeplugin_t)
+	userdom_read_user_tmpfs_files($1,$1_openofficeplugin_t)
+	userdom_manage_user_home_content_dirs($1,$1_openofficeplugin_t)
+	userdom_manage_user_home_content_files($1,$1_openofficeplugin_t)
+	userdom_manage_user_home_content_symlinks($1,$1_openofficeplugin_t)
+	userdom_manage_user_home_content_pipes($1,$1_openofficeplugin_t)
+	userdom_manage_user_home_content_sockets($1,$1_openofficeplugin_t)
+	userdom_user_home_dir_filetrans_user_home_content($1,$1_openofficeplugin_t,{ file lnk_file sock_file fifo_file })
+
+	optional_policy(`
+		xserver_user_x_domain_template($1,$1_openofficeplugin,$1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t)
+	')
+
+')
+
+#######################################
+## <summary>
+##	The per role template for the openoffice module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for openoffice applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`openoffice_role_template',`
+	gen_require(`
+		type openoffice_exec_t;
+	')
+
+	type $1_openoffice_t;
+	domain_type($1_openoffice_t)
+	domain_entry_file($1_openoffice_t,openoffice_exec_t)
+	role $3 types $1_openoffice_t;
+
+	domain_interactive_fd($1_openoffice_t)
+
+	userdom_unpriv_usertype($1, $1_openoffice_t)
+	userdom_exec_user_home_content_files($1,$1_openoffice_t)
+
+	allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+
+	allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+	allow $1_openoffice_t $2:tcp_socket { read write };
+
+	domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
+
+	dev_read_urand($1_openoffice_t)
+	dev_read_rand($1_openoffice_t)
+
+	fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
+')
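Review bot: openoffice_plugin_per_role_template mixes `$1_t` and `$2` for the user domain — `allow $1_openofficeplugin_t $1_t:process signull;` and the two `$1_t` unix_stream_socket rules sit next to `allow $1_openofficeplugin_t $2:unix_stream_socket connectto;` — although the documentation names `$2` as the user domain, so a caller whose domain is not literally `$1_t` gets inconsistent rules; use `$2` throughout. `files_read_etc_files($1_openofficeplugin_t)` appears twice, the second under a fonts comment that seems meant for `miscfiles_read_fonts`. The plugin domain also receives `execmem execstack`, `ptrace`, `allow $1_openofficeplugin_t $1_openofficeplugin_tmp_t:file execute;`, `corenet_tcp_connect_all_ports` and `userdom_manage_unpriv_users_home_content_files` (every unprivileged user's home content, not just `$1`'s) with no comment on why a browser-launched plugin needs each. The second template's summary duplicates the first's verbatim although it creates the standalone `$1_openoffice_t` domain.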
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.0.8/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/apps/openoffice.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,14 @@
+
+policy_module(openoffice,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t,openoffice_exec_t)
+
+
+
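Review bot: `openoffice_t` is declared via `application_domain(openoffice_t,openoffice_exec_t)` but nothing in the visible hunks transitions into it — both templates in openoffice.if derive `$1_openoffice*_t` from the same `openoffice_exec_t` — and it has no `role` statement, so as written it appears to be an unreachable domain; either give it a purpose or keep only the exec type. The file also ends with three blank lines.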
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.if serefpolicy-3.0.8/policy/modules/apps/slocate.if
--- nsaserefpolicy/policy/modules/apps/slocate.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/slocate.if	2008-06-12 23:37:59.000000000 -0400
@@ -39,3 +39,4 @@
 	allow $1 locate_var_lib_t:dir list_dir_perms;
 	files_search_var_lib($1)
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.0.8/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/slocate.te	2008-06-12 23:37:59.000000000 -0400
@@ -39,6 +39,7 @@
 
 files_list_all(locate_t)
 files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
 files_getattr_all_sockets(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
@@ -46,6 +47,8 @@
 fs_getattr_all_fs(locate_t)
 fs_getattr_all_files(locate_t)
 fs_list_all(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
 
 # getpwnam
 auth_use_nsswitch(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.8/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/userhelper.if	2008-06-12 23:37:59.000000000 -0400
@@ -130,6 +130,7 @@
 	term_use_all_user_ptys($1_userhelper_t)
 
 	auth_domtrans_chk_passwd($1_userhelper_t)
+	auth_domtrans_upd_passwd($1_userhelper_t)
 	auth_manage_pam_pid($1_userhelper_t)
 	auth_manage_var_auth($1_userhelper_t)
 	auth_search_pam_console_data($1_userhelper_t)
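Review bot: `auth_domtrans_upd_passwd($1_userhelper_t)` extends userhelper's reach into the password-update helper domain without a why-comment, unlike the `chk_passwd` line beside it, which is the established pattern for PAM authentication. A one-line comment such as `# userhelper may change passwords through the PAM update helper (confirm)` would tell the next reviewer this is intended credential writing rather than an accidental widening. The enclosing template starts outside this hunk.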
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.8/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/vmware.fc	2008-06-12 23:37:59.000000000 -0400
@@ -21,19 +21,25 @@
 /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-guest.*		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-smbpasswd\.bin	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-vmx		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 /usr/bin/vmware-wizard		--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/bin/vmware			--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/sbin/vmware-serverd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 
 /usr/lib/vmware/config		--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 /usr/lib/vmware/bin/vmware-mks	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib/vmware/bin/vmware-ui	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmplayer  --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 
 /usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
 /usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmplayer  --	gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib64/vmware/bin/vmware-vmx	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 
 ifdef(`distro_gentoo',`
 /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
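Review bot: `/usr/sbin/vmware-guest.*` is inserted between `/usr/bin/vmware-smbd` and `/usr/bin/vmware-smbpasswd`, breaking the file's path ordering, and `/usr/sbin/vmware-serverd` is likewise out of place; group the `/usr/sbin` entries together. The two `vmplayer` lines separate the path from `--` with spaces where every other entry uses a tab. Labelling guest tooling as `vmware_host_exec_t` may be intentional, but a comment would help since the host domain carries `net_raw` and, after this patch, `execmem`.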
@@ -49,3 +55,4 @@
 /opt/vmware/workstation/bin/vmware-wizard --	gen_context(system_u:object_r:vmware_exec_t,s0)
 /opt/vmware/workstation/bin/vmware	--	gen_context(system_u:object_r:vmware_exec_t,s0)
 ')
+/var/log/vmware.* 	--	gen_context(system_u:object_r:vmware_log_t,s0)
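Review bot: `/var/log/vmware.* --` labels regular files only, but vmware.te in this diff calls `logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })`, so a directory the daemon creates under /var/log would be relabelled back to the generic log type by restorecon. If a directory is expected, add a spec without the `--` modifier such as `/var/log/vmware(/.*)?	gen_context(system_u:object_r:vmware_log_t,s0)`; if not, drop `dir` from the filetrans. The entry is also placed after the `distro_gentoo` block instead of with the other unconditional specs.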
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.0.8/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/vmware.if	2008-06-12 23:37:59.000000000 -0400
@@ -202,3 +202,22 @@
 
 	allow $1 vmware_sys_conf_t:file append;
 ')
+
+########################################
+## <summary>
+##	Append to VMWare log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vmware_append_log',`
+	gen_require(`
+		type vmware_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1,vmware_log_t,vmware_log_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/vmware.te	2008-06-12 23:37:59.000000000 -0400
@@ -22,17 +22,21 @@
 type vmware_var_run_t;
 files_pid_file(vmware_var_run_t)
 
+type vmware_log_t;
+logging_log_file(vmware_log_t)
+
 ########################################
 #
 # VMWare host local policy
 #
 
-allow vmware_host_t self:capability { setuid net_raw };
+allow vmware_host_t self:capability { setgid setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
 allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
+allow vmware_host_t self:tcp_socket create_socket_perms;
 
 # cjp: the ro and rw files should be split up
 manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
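Review bot: `execstack execmem` is added to a host daemon that already holds `net_raw` and `setuid` (and now `setgid`) with no comment on which binary needs writable executable memory; a why-comment on that line, as java.te does for execheap, lets later reviewers re-evaluate it. The new `tcp_socket create_socket_perms` rule likewise deserves a word on what the host daemon connects to. The `manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)` line in the next hunk carries a trailing tab.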
@@ -41,6 +45,9 @@
 manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
 files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
 
+manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)	
+logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })
+
 kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
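Review bot: `logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir })` grants the transition for directories too, but the matching file context added in vmware.fc (`/var/log/vmware.*` with `--`) only labels regular files, so any directory vmware creates under /var/log would lose `vmware_log_t` on a relabel. Either drop `dir` from the class set or add a directory entry to vmware.fc. The `manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t)` line also carries a trailing tab.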
@@ -63,6 +70,7 @@
 corenet_sendrecv_all_server_packets(vmware_host_t)
 
 dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
 dev_rw_vmware(vmware_host_t)
 
 domain_use_interactive_fds(vmware_host_t)
@@ -99,14 +107,11 @@
 ')
 netutils_domtrans_ping(vmware_host_t)
 
-ifdef(`TODO',`
-# VMWare need access to pcmcia devices for network
 optional_policy(`
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+	unconfined_domain(vmware_host_t)
 ')
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
+
+optional_policy(`
+	xserver_xdm_rw_shm(vmware_host_t)
 ')
+
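Review bot: `unconfined_domain(vmware_host_t)` inside an `optional_policy` block means that on any build where the unconfined module is present, every fine-grained rule in this file — including the new `vmware_log_t` type and the `execmem`/`execstack` grants above — stops mattering for the host domain, which is a large change to make without a comment. A one-line justification above the block, e.g. `# vmware host is unconfined when the unconfined module is loaded: <reason>`, or a tunable an administrator can switch off, would make the intent reviewable. The file also now ends with an added empty line.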
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.0.8/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.fc	2008-06-16 06:22:49.000000000 -0400
@@ -1,4 +1,5 @@
 /usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
 
-/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
+HOME_DIR/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
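Review bot: `HOME_DIR/cxoffice/bin/wine.*` labels files in a user-writable location as `wine_exec_t`, which is the entry point for `wine_t`; in the wine.te hunk of this same patch `wine_t` receives `unconfined_domain_noaudit` when the unconfined module is present. If the intent is a per-user crossover install, a comment saying so would help, and it is worth confirming that user domains reach the per-role `$1_wine_t` rather than the shared `wine_t` from such an entry point. The two `/opt` patterns now end in `wine.*`, which also matches siblings such as `wineserver`; presumably intended.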
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.if	2008-06-12 23:37:59.000000000 -0400
@@ -18,3 +18,84 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, wine_exec_t, wine_t)
 ')
+
+########################################
+## <summary>
+##	Execute wine in the wine domain, and
+##	allow the specified role the wine domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the wine domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the wine domain to use.
+##	</summary>
+## </param>
+#
+interface(`wine_run',`
+	gen_require(`
+		type wine_t;
+	')
+
+	wine_domtrans($1)
+	role $2 types wine_t;
+	allow wine_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##	The per role template for the wine module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for wine applications.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`wine_per_role_template',`
+	gen_require(`
+		type wine_exec_t;
+	')
+
+	type $1_wine_t;
+	domain_type($1_wine_t)
+	domain_entry_file($1_wine_t,wine_exec_t)
+	role $3 types $1_wine_t;
+
+	domain_interactive_fd($1_wine_t)
+
+	userdom_unpriv_usertype($1, $1_wine_t)
+
+	allow $1_wine_t self:process { execheap execmem };
+
+	domtrans_pattern($2, wine_exec_t, $1_wine_t)
+
+	optional_policy(`
+		xserver_xdm_rw_shm($1_wine_t)
+	')
+')
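Review bot: The `terminal` parameter summary in `wine_run` reads `The type of the terminal allow the wine domain to use`, which is garbled; `The type of the terminal the wine domain is allowed to use.` reads correctly. The template `<desc>` has the same kind of problem (`creates a derived domains which are used`), and `allow $1_wine_t self:process { execheap execmem };` would benefit from the same one-line why-comment as the equivalent rule in wine.te.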
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.te	2008-06-12 23:37:59.000000000 -0400
@@ -9,6 +9,7 @@
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t,wine_exec_t)
+role system_r types wine_t;
 
 ########################################
 #
@@ -17,10 +18,16 @@
 
 optional_policy(`
 	allow wine_t self:process { execstack execmem execheap };
+	domain_mmap_low(wine_t)
 	unconfined_domain_noaudit(wine_t)
 	files_execmod_all_files(wine_t)
 
- 	optional_policy(`
- 		hal_dbus_chat(wine_t)
- 	')
+')
+
+optional_policy(`
+	hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
+	xserver_xdm_rw_shm(wine_t)
 ')
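Review bot: `domain_mmap_low(wine_t)` is added without a comment; it lets the domain map the lowest pages of its address space, which the kernel's mmap_min_addr check otherwise refuses, so reviewers expect a reason next to it. A hedged line such as `# wine maps low memory for compatibility with legacy 16-bit binaries — confirm` would do, since the patch itself does not state the reason. Splitting `hal_dbus_chat` and `xserver_xdm_rw_shm` into their own `optional_policy` blocks looks right, as each depends on a different module.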
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2008-06-12 23:37:59.000000000 -0400
@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
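Review bot: `/usr/bin/git-shell` is inserted between the `/bin/bash2` and `/bin/ksh` entries of the `/bin` group, while this same patch adds the other restricted shells (`scponly`, `scponlyc`, `smrsh`) next to `/usr/sbin/sesh` in the `/usr` section. Moving the git-shell line there keeps the file's per-directory grouping. Labelling a restricted shell `shell_exec_t` also makes it inherit every rule written for ordinary shells, so a short comment that this is the intended treatment for restricted shells would help.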
@@ -36,6 +37,11 @@
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/cron.daily/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
+
 /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
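Review bot: The new `/etc/cron.daily/.*` family uses unescaped dots, while the entries around them escape literal dots (`hotplug\.functions`, `init\.d`, `netplug\.d`); the `/etc/NetworkManager/dispatcher.d(/.*)?` entry in the next hunk has the same issue. `/etc/cron\.daily/.*` (and likewise for hourly, weekly, monthly) and `/etc/NetworkManager/dispatcher\.d(/.*)?` follow the file's convention and stop the pattern matching an unintended sibling name.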
@@ -44,6 +50,7 @@
 /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
+/etc/NetworkManager/dispatcher.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -108,7 +115,6 @@
 /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
-
 #
 # /usr
 #
@@ -126,10 +132,7 @@
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
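Review bot: Collapsing the four cups entries into `/usr/lib(64)?/cups(/.*)?` with no file-type flag labels every object under that directory as `bin_t`, whereas the removed `cgi-bin/.*` line was restricted to regular files (`--`) and only the backend, cgi-bin, daemon and filter subdirectories were covered. Any other content installed there now becomes `bin_t` too, a broader executable labelling than before; a comment, or a `--` flag on the entry, would make that decision explicit.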
@@ -163,9 +166,16 @@
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)?/cupswrapper(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)?/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer/[^/]*/lpd(/.*)?      	gen_context(system_u:object_r:bin_t,s0)
+/usr/local/linuxprinter/filters(/.*)?   	gen_context(system_u:object_r:bin_t,s0)
 
+/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
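Review bot: The `/usr/local/Printer` and `/usr/local/linuxprinter` lines separate their fields with runs of spaces, while every other entry in this file uses tabs; the gdm, apcupsd and nspluginwrapper block added at the end of the file has the same mix. Retabbing them keeps the columns aligned under the file's convention.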
@@ -180,6 +190,7 @@
 /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/lftp(/.*)?		    --	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo', `
 /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
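Review bot: `/usr/share/lftp(/.*)?` is placed after the `/usr/X11R6` line, breaking the order of the `/usr/share` group just above it; the gdm, apcupsd and nspluginwrapper entries added after the `distro_suse` block at the end of the file have the same placement problem and belong in the `/etc` and `/usr/lib` sections. The `-d`-flagged `/etc/gdm/[^/]+` entry, together with `/etc/gdm/[^/]+/.*`, labels every subdirectory of /etc/gdm and its contents as `bin_t`; a comment naming the directories this is meant for would help.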
@@ -188,6 +199,7 @@
 
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
@@ -259,3 +271,21 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
+
+/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
+
+/etc/apcupsd/apccontrol  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/changeme  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commfailure  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commok  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/masterconnect  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/mastertimeout  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery  --    gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery  --    gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/nspluginwrapper/npviewer.bin  --    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/npviewer  --    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/plugin-config  --    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/npconfig  --    gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2008-06-12 23:37:59.000000000 -0400
@@ -903,9 +903,11 @@
 interface(`corenet_udp_bind_generic_port',`
 	gen_require(`
 		type port_t;
+		attribute port_type;
 	')
 
 	allow $1 port_t:udp_socket name_bind;
+	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
 ')
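Review bot: The new `dontaudit $1 { port_type -port_t }:udp_socket name_bind;` applies to every existing caller of `corenet_udp_bind_generic_port`, so a domain that starts binding to a reserved or another service's UDP port no longer produces an audit record — precisely the denial an administrator relies on to spot misconfiguration. refpolicy keeps such silencing in separate `corenet_dontaudit_*` interfaces that callers opt into; a dedicated dontaudit interface for binding other port types, or at least a comment naming the caller whose noise this suppresses, would preserve that choice.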
 
 ########################################
@@ -1386,10 +1388,11 @@
 #
 interface(`corenet_tcp_bind_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute port_type;
+		type hi_reserved_port_t, reserved_port_t;
 	')
 
-	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
 ')
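Review bot: Replacing `-reserved_port_type` with `-hi_reserved_port_t -reserved_port_t` turns an attribute exclusion into two named-type exclusions, so any other type carrying `reserved_port_type` becomes bindable as an "unreserved" port; `biff_port_t` in corenetwork.te.in is declared with that attribute in this very patch. Since `hi_reserved_port_t` is itself declared with `reserved_port_type`, the old `allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;` already excluded it and should be kept. The UDP variant in the next hunk has the same regression.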
 
 ########################################
@@ -1404,10 +1407,11 @@
 #
 interface(`corenet_udp_bind_all_unreserved_ports',`
 	gen_require(`
-		attribute port_type, reserved_port_type;
+		attribute port_type;
+		type hi_reserved_port_t, reserved_port_t;
 	')
 
-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
 ')
 
 ########################################
@@ -1449,6 +1453,43 @@
 
 ########################################
 ## <summary>
+##      Connect TCP sockets to rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	allow $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to connect TCP sockets
+##	all rpc ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	dontaudit $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
 ##	Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
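Review bot: The summary of `corenet_dontaudit_tcp_connect_all_rpc_ports` reads `Do not audit attempts to connect TCP sockets all rpc ports.` and is missing "to"; several `##` lines in both new interfaces are indented with spaces rather than the tab the rest of this file uses. As far as this patch shows, "all rpc ports" resolves to `hi_reserved_port_t` alone (the only type given `rpc_port_type` in corenetwork.te.in), so a summary such as `Connect TCP sockets to ports carrying the rpc_port_type attribute.` would be more accurate for callers.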
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-06-12 23:37:59.000000000 -0400
@@ -55,6 +55,11 @@
 type reserved_port_t, port_type, reserved_port_type;
 
 #
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
 # server_packet_t is the default type of IPv4 and IPv6 server packets.
 #
 type server_packet_t, packet_type, server_packet_type;
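Review bot: `hi_reserved_port_t` is declared with `rpc_port_type`, but no `attribute rpc_port_type;` declaration appears in the visible hunks; if it is not declared elsewhere in corenetwork.te.in the two new interfaces in corenetwork.if.in will not build. The comment above the type states 600-1023, matching the `portcon` ranges added later in this file; adding `# earlier portcon entries take precedence, so named ports in this range keep their own type` there would save the next reader a trip to the bottom of the file.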
@@ -67,8 +72,10 @@
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
+network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
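Review bot: The `network_port(aol, ...)` line has trailing whitespace, and later hunks of this file introduce stray spaces inside macro arguments (`tcp, 8290,s0` in the hplip line, `udp, 11371,s0` for pgpkeyserver, `tcp, 16001, s0` for soundd) where every other entry writes `tcp,NNNN,s0`. m4 tolerates the spaces, but normalising them keeps the generated port contexts uniform and easier to grep.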
@@ -93,27 +100,34 @@
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
 network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
+network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
+network_port(mythtv, tcp,6543,s0, udp,6543,s0)
+network_port(mysqld, tcp,3306,s0, tcp,1186,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
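Review bot: The raw `portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)` line bypasses the `network_port` macro that declares everything else here, although the macro accepts ranges (`network_port(smbd, tcp,137-139,s0, ...)` later in this file). `network_port(mysqld, tcp,3306,s0, tcp,1186,s0, tcp,63132-63163,s0)` would keep the declaration in one place. The new `ipsecnat` line also sits before `imaze`, breaking the alphabetical order of this list.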
@@ -122,10 +136,12 @@
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
 network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pxe, udp,4011,s0)
@@ -137,16 +153,16 @@
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0)
+network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(rwho, udp,513,s0)
-network_port(smbd, tcp,139,s0, tcp,445,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
 network_port(ssh, tcp,22,s0)
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
@@ -160,13 +176,20 @@
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xfs, tcp,7100,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,8 +1,9 @@
 
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
-
+/dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
 /dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -11,29 +12,45 @@
 /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/jbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
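Review bot: `/dev/[0-9].*` labels every character device whose name begins with a digit as `usb_device_t`, which is far broader than the other USB patterns (`fw.*`, `hiddev.*`, `hidraw.*`) and is not explained; a comment stating which driver creates such nodes would make it reviewable. Several additions (`gtrsc`/`pcfclock` before `efirtc`, `elographics` before `jbm`) also break the sorted order. The new `kvm_device_t`, `ipmi_device_t` and `autofs_device_t` types need declarations in devices.te, whose diff begins after this view.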
@@ -44,6 +61,7 @@
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
@@ -65,14 +83,14 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@@ -94,12 +112,23 @@
 
 /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 
+/dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/pc110pad		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/ucb1x00	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/bometric/sensor.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 
 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 
 /dev/pts(/.*)?			<<none>>
 
@@ -113,14 +142,9 @@
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 
-/etc/udev/devices -d	gen_context(system_u:object_r:device_t,s0)
-
-/lib/udev/devices -d	gen_context(system_u:object_r:device_t,s0)
+/etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
 
-ifdef(`distro_debian',`
-# used by udev init script as temporary mount point
-/lib/udev/devices	-d		gen_context(system_u:object_r:device_t,s0)
-')
+/lib/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
 
 ifdef(`distro_gentoo',`
 # used by init scripts to initally populate udev /dev
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if	2008-06-12 23:37:59.000000000 -0400
@@ -65,7 +65,7 @@
 
 	relabelfrom_dirs_pattern($1,device_t,device_node)
 	relabelfrom_files_pattern($1,device_t,device_node)
-	relabelfrom_lnk_files_pattern($1,device_t,device_node)
+	relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })
 	relabelfrom_fifo_files_pattern($1,device_t,device_node)
 	relabelfrom_sock_files_pattern($1,device_t,device_node)
 	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -185,6 +185,24 @@
 
 ########################################
 ## <summary>
+##	Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to relabel.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	manage_dirs_pattern($1,device_t,device_t)
+')
+
+########################################
+## <summary>
 ##	Allow full relabeling (to and from) of directories in /dev.
 ## </summary>
 ## <param name="domain">
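Review bot: The parameter summary of `dev_manage_generic_dirs` reads `Domain allowed to relabel.`, a copy-paste from the relabel interfaces around it; it should be `Domain allowed access.`, and the summary `Manage of directories in /dev.` should read `Manage directories in /dev.`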
@@ -667,6 +685,7 @@
 	')
 
 	dontaudit $1 device_node:blk_file getattr;
+	dev_dontaudit_getattr_generic_blk_files($1)
 ')
 
 ########################################
@@ -704,6 +723,7 @@
 	')
 
 	dontaudit $1 device_node:chr_file getattr;
+	dev_dontaudit_getattr_generic_chr_files($1)
 ')
 
 ########################################
@@ -1306,6 +1326,44 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_event_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the event devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_event_dev',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 event_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read input event devices (/dev/input).
 ## </summary>
 ## <param name="domain">
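Review bot: `dev_getattr_event_dev` and `dev_setattr_event_dev` grant `allow $1 device_t:dir r_dir_perms;`, which lets the caller list and read /dev rather than only search it, while the kvm and autofs interfaces added later in this file use the pattern macros. `getattr_chr_files_pattern($1,device_t,event_device_t)` and `setattr_chr_files_pattern($1,device_t,event_device_t)` give the same access to the device node with only `search` on the directory, matching the rest of the module.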
@@ -1623,6 +1681,78 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	getattr_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	setattr_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	read_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	rw_chr_files_pattern($1,device_t,kvm_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of miscellaneous devices.
 ## </summary>
 ## <param name="domain">
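Review bot: The `##` summary lines of `dev_rw_kvm` are indented with spaces where the three preceding kvm interfaces and the rest of this file use a tab, e.g. `##	Read and write to kvm devices.`; worth retabbing before it gets copied into the next interface.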
@@ -3284,3 +3414,96 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	getattr_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	setattr_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the autofs device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_autofs',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	rw_chr_files_pattern($1,device_t,autofs_device_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.0.8/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.te	2008-06-12 23:37:59.000000000 -0400
@@ -32,6 +32,12 @@
 type apm_bios_t;
 dev_node(apm_bios_t)
 
+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
 type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
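Review bot: `autofs_device_t` is declared here with `dev_node`, but no devices.fc entry labelling `/dev/autofs` is visible in this chunk, so unless that entry is added elsewhere in the patch the node keeps the generic `device_t` label and the new `dev_*_autofs_dev` interfaces grant nothing usable. If the fc change is elsewhere, fine; otherwise add `/dev/autofs	-c	gen_context(system_u:object_r:autofs_device_t,s0)` in the same change as this declaration.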
@@ -66,12 +72,25 @@
 dev_node(framebuf_device_t)
 
 #
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
 dev_node(kmsg_device_t)
 
 #
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
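Review bot: `ipmi_device_t` is declared but no interface that grants access to it appears anywhere in this chunk, and neither does a file-context line for `/dev/ipmi/0`, so as written only unconfined domains could reach the node. If that is the intent for now, say so in the comment, e.g. `# Type for /dev/ipmi/0 (no confined accessor interface yet)`; otherwise the accessor interfaces and the fc entry belong in this change. The same fc question applies to `kvm_device_t` unless its entry is in a hunk outside this view.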
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2008-06-12 23:37:59.000000000 -0400
@@ -45,6 +45,11 @@
 	# start with basic domain
 	domain_base_type($1)
 
+	optional_policy(`
+		unconfined_use_fds($1)
+		unconfined_sigchld($1)
+	')
+
 	# send init a sigchld and signull
 	optional_policy(`
 		init_sigchld($1)
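Review bot: Granting `unconfined_use_fds($1)` to every domain created through this interface weakens the fd `use` check that otherwise stops a descriptor leaked across a confinement boundary from being used, since any confined domain can now use any fd inherited from an unconfined process. The domain.te change in this same patch also adds `allow domain domain:fd use;`, which already covers this if unconfined_t carries the domain attribute, so the block here is redundant at best. Either drop it, or if the goal is only to quiet denials, use a dontaudit variant (if unconfined.if provides one) rather than an allow. The enclosing interface's name is outside this hunk.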
@@ -59,6 +64,7 @@
 	')
 
 	optional_policy(`
+		selinux_dontaudit_getattr_fs($1)
 		selinux_dontaudit_read_fs($1)
 	')
 
@@ -1271,3 +1277,20 @@
 	typeattribute $1 mmap_low_domain_type;
 ')
 
+########################################
+## <summary>
+##	Allow specified type to associate ipsec packets from any domain
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type of subject to be allowed this.
+##	</summary>
+## </param>
+#
+interface(`domain_ipsec_labels',`
+	gen_require(`
+		attribute domain;
+ 	')
+ 
+	allow $1 domain:association { sendto recvfrom };
+')
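Review bot: The closing `')` of `domain_ipsec_labels` and the blank line before it carry a leading space before the tab, which no other interface in this file does; strip it. More importantly the summary understates what is granted: `allow $1 domain:association { sendto recvfrom }` lets the caller exchange labelled IPsec traffic with every domain's association, so a summary such as `##	Send to and receive from the IPsec associations of all domains.` plus a note that this is meant for the IKE/IPsec daemon would make the width obvious to future callers.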
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2008-06-12 23:37:59.000000000 -0400
@@ -6,6 +6,22 @@
 # Declarations
 #
 
+ifdef(`enable_mls',`
+## <desc>
+## <p>
+## Allow all domains to use netlabel labeled packets
+## </p>
+## </desc>
+gen_tunable(allow_netlabel,true)
+')
+
+## <desc>
+## <p>
+## Allow unlabeled packets to work on system
+## </p>
+## </desc>
+gen_tunable(allow_unlabeled_packets,true)
+
 # Mark process types as domains
 attribute domain;
 
@@ -80,9 +96,13 @@
 allow domain self:lnk_file r_file_perms;
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
+# Every domain gets the key ring, so we should default to no one allowed to look at it
+kernel_dontaudit_search_key(domain)
+kernel_dontaudit_link_key(domain)
 
 # create child processes in the domain
 allow domain self:process { fork sigchld };
+dontaudit domain domain:key manage_key_perms;
 
 # Use trusted objects in /dev
 dev_rw_null(domain)
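Review bot: `dontaudit domain domain:key manage_key_perms;` suppresses denial records for every key operation between any two domains, which (if manage_key_perms carries the usual write/setattr/link members) hides exactly the signal an analyst wants when one domain tries to modify another's keyring. The `kernel_dontaudit_search_key`/`kernel_dontaudit_link_key` calls above are narrow and justified by their comment; this line is not. Narrow it to the noisy lookups, e.g. `dontaudit domain domain:key { search view };`, and keep modification attempts auditable.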
@@ -91,6 +111,9 @@
 
 # list the root directory
 files_list_root(domain)
+# Apps getattr on the current working directory when they start, this just
+# eliminates lots of bogus avc messages
+files_getattr_all_dirs(domain)
 
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
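Review bot: `files_getattr_all_dirs(domain)` is an `allow`, but the comment justifies it purely as noise reduction ("eliminates lots of bogus avc messages"). If the goal is to silence denials, the conservative form is a dontaudit, e.g. `files_dontaudit_getattr_all_dirs(domain)` if files.if provides one, which avoids actually granting every domain metadata on every directory, including `security_file_type` ones. If the access is genuinely needed, change the comment to say why rather than framing it as log cleanup.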
@@ -129,8 +152,46 @@
 
 # For /proc/pid
 allow unconfined_domain_type domain:dir r_dir_perms;
-allow unconfined_domain_type domain:file r_file_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
 allow unconfined_domain_type domain:lnk_file r_file_perms;
 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+	xserver_dontaudit_use_xdm_fds(domain)
+	xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
+tunable_policy(`allow_unlabeled_packets',`
+	kernel_sendrecv_unlabeled_association(domain)
+	corenet_sendrecv_unlabeled_packets(domain)
+')
+
+ifdef(`enable_mls',`
+	tunable_policy(`allow_netlabel',`
+		kernel_raw_recvfrom_unlabeled(domain)
+		kernel_tcp_recvfrom_unlabeled(domain)
+		kernel_udp_recvfrom_unlabeled(domain)
+	')
+')
+
+# Allow all domains to use fds past to them
+allow domain domain:fd use;
+optional_policy(`
+	rpm_rw_pipes(domain)
+	rpm_dontaudit_use_script_fds(domain)
+	rpm_dontaudit_write_pid_files(domain)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(domain)
+	unconfined_sigchld(domain)
+')
+
+optional_policy(`
+	rhgb_dontaudit_use_ptys(domain)
+')
+
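Review bot: `allow domain domain:fd use;` removes the cross-domain file-descriptor check for the whole policy: a confined domain can now use any descriptor inherited or passed from any other domain, so an fd leaked by a privileged daemon (a log file, a socket, a device) becomes usable by whatever it spawns. That check is one of the main ways SELinux contains fd leaks, and the comment ("Allow all domains to use fds past to them") reads as a convenience decision rather than a threat assessment; if it must stay, gate it behind a tunable and document the cost, e.g. `## Allow any domain to use fds passed from any other domain (weakens fd-leak containment)`, and fix "past" to "passed". Two smaller items in the same hunk: `allow unconfined_domain_type domain:file rw_file_perms;` widens unconfined's access to every domain's /proc/pid files from read to read/write and deserves its own comment, and `allow_unlabeled_packets` defaults to `true`, so the labelled-network rules are effectively opt-in.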
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc	2008-06-12 23:37:59.000000000 -0400
@@ -209,7 +209,8 @@
 /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
-/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+#/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+/usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
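Review bot: The commented-out `#/usr/share(/.*)?/lib(64)?(/.*)?` line should be deleted rather than left in place; a dead fc pattern misleads the next reader into thinking it is still active. The deletion also changes labelling silently: without this override, paths under `/usr/share/*/lib` presumably fall through to whichever more general `lib(64)?` pattern libraries.fc carries, so state the intent in a comment (e.g. `# /usr/share/*/lib now takes the generic lib label`) or in the changelog. The new `/usr/share/doc(/.*)?/README.*` entry is unrelated and would be clearer as its own change.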
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2008-06-12 23:37:59.000000000 -0400
@@ -343,8 +343,7 @@
 
 ########################################
 ## <summary>
-##	Mount a filesystem on all non-security
-##	directories and files.
+##	Mount a filesystem on all non-security directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
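Review bot: The summary change here reflects a rename in the hunk immediately below, `files_mounton_non_security` → `files_mounton_non_security_dir` plus a new `files_mounton_non_security_files`, and the old name is dropped without a compatibility wrapper, so any module still calling `files_mounton_non_security` fails to build unless every caller is updated in this same patch. Keep the old name as a deprecated wrapper that calls `files_mounton_non_security_dir($1)` and `files_mounton_non_security_files($1)`. The new files variant's summary also reads "on all non-security and files." and should be "on all non-security files."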
@@ -352,12 +351,29 @@
 ##	</summary>
 ## </param>
 #
-interface(`files_mounton_non_security',`
+interface(`files_mounton_non_security_dir',`
 	gen_require(`
 		attribute file_type, security_file_type;
 	')
 
 	allow $1 { file_type -security_file_type }:dir mounton;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on all non-security and files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_non_security_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
 	allow $1 { file_type -security_file_type }:file mounton;
 ')
 
@@ -376,7 +392,7 @@
 		attribute file_type, security_file_type;
 	')
 
-	allow $1 { file_type -security_file_type }:dir write;
+	allow $1 { file_type -security_file_type }:dir rw_dir_perms;
 ')
 
 ########################################
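Review bot: Widening this rule from `write` to `rw_dir_perms` on every non-security directory grants more than the word "write" implies (the set includes `remove_name` and the read/search permissions), and the enclosing interface's name and summary are outside this hunk, so I can't confirm they were updated to match. If it is a `files_write_non_security_dirs`-style interface, either rename it to a `rw` interface (keeping the old name as a wrapper) or use the narrower `{ write add_name }` if adding entries was the actual need. A comment naming the caller that required the change would help.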
@@ -656,44 +672,6 @@
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security block devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_blk_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the attributes
-##	of non security character devices.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_chr_files',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
-')
-
-########################################
-## <summary>
 ##	Read all symbolic links.
 ## </summary>
 ## <param name="domain">
@@ -885,6 +863,8 @@
 		attribute file_type;
 	')
 
+	# Have to be able to read badly labeled files like file_context and ld.so.cache
+	files_read_all_files($1)
 	allow $1 { file_type $2 }:dir list_dir_perms;
 	relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
 	relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
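Review bot: Adding `files_read_all_files($1)` inside this relabel interface silently grants every caller read access to the content of every `file_type`, far wider than relabelling needs (getattr plus relabelfrom/relabelto). The comment says it is for mislabelled `file_contexts` and `ld.so.cache`; that is a property of the restorecon/setfiles domains and belongs in their own .te files, not in a generic interface other modules will call. If it must stay, the interface summary (outside this hunk) should say that callers also get read on all files. The enclosing interface's header is outside this hunk.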
@@ -1106,6 +1086,24 @@
 
 ########################################
 ## <summary>
+##	search all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1192,6 +1190,25 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write
+##	files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	dontaudit $1 root_t:dir write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	character device nodes in the root directory.
 ## </summary>
@@ -1229,6 +1246,24 @@
 
 ########################################
 ## <summary>
+##	Remove entries from the tmp directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_tmp_dir_entry',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 tmp_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Unmount a rootfs filesystem.
 ## </summary>
 ## <param name="domain">
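Review bot: `files_delete_tmp_dir_entry` requires `type root_t;` but its only rule is `allow $1 tmp_t:dir del_entry_dir_perms;`, so the `gen_require` names the wrong type: a caller from another module fails with tmp_t undeclared while root_t is required for nothing. Change the require block to `type tmp_t;`.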
@@ -2023,6 +2058,31 @@
 
 ########################################
 ## <summary>
+##	Create a default directory in /
+## </summary>
+## <desc>
+##	<p>
+##	Create a default_t direcrory in /
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+	gen_require(`
+		type root_t, default_t;
+	')
+
+	allow $1 default_t:dir create;
+	filetrans_pattern($1,root_t,default_t,dir)
+')
+
+########################################
+## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
 ## </summary>
@@ -3107,6 +3167,24 @@
 
 ########################################
 ## <summary>
+##	Manage temporary directories in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`files_manage_generic_tmp_dirs',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	manage_dirs_pattern($1,tmp_t,tmp_t)
+')
+
+########################################
+## <summary>
 ##	Manage temporary files and directories in /tmp.
 ## </summary>
 ## <param name="domain">
@@ -3198,6 +3276,44 @@
 
 ########################################
 ## <summary>
+##	Allow attempts to get the attributes
+##	of all tmp files. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_tmp_files',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	allow $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of all tmp sock_file. 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
+	gen_require(`
+		attribute tmpfile;
+	')
+
+	dontaudit $1 tmpfile:sock_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read all tmp files.
 ## </summary>
 ## <param name="domain">
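Review bot: `files_getattr_all_tmp_files` is an `allow` but its doc block was copied from a dontaudit template: the summary says "Allow attempts to get the attributes" and the parameter summary says "Domain not to audit." Change them to `##	Get the attributes of all tmp files.` and `##	Domain allowed access.` so the generated docs don't describe this as audit suppression. The trailing whitespace on both summary lines should go too.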
@@ -3323,6 +3439,60 @@
 
 ########################################
 ## <summary>
+##	dontaudit Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	dontaudit write of /usr files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:file write;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files in the /usr directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_usr_files',`
+	gen_require(`
+		type usr_t;
+	')
+
+	manage_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /usr.
 ## </summary>
 ## <param name="domain">
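Review bot: `files_dontaudit_write_usr_files` suppresses denial records for attempts to modify `usr_t` file content, which is precisely the kind of event an integrity-minded deployment wants logged; a dontaudit this broad should carry a comment naming the caller and the benign write it silences, and ideally live in that caller's module rather than as a general interface. Both new dontaudit interfaces here also document their parameter as "Domain allowed access." instead of `##	Domain to not audit.`. The moved `files_manage_usr_files` is unchanged.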
@@ -3381,7 +3551,7 @@
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files in the /usr directory.
+##	Relabel a file to the type used in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3389,17 +3559,17 @@
 ##	</summary>
 ## </param>
 #
-interface(`files_manage_usr_files',`
+interface(`files_relabelto_usr_files',`
 	gen_require(`
 		type usr_t;
 	')
 
-	manage_files_pattern($1, usr_t, usr_t)
+	relabelto_files_pattern($1,usr_t,usr_t)
 ')
 
 ########################################
 ## <summary>
-##	Relabel a file to the type used in /usr.
+##	Relabel a file from the type used in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3407,12 +3577,12 @@
 ##	</summary>
 ## </param>
 #
-interface(`files_relabelto_usr_files',`
+interface(`files_relabelfrom_usr_files',`
 	gen_require(`
 		type usr_t;
 	')
 
-	relabelto_files_pattern($1,usr_t,usr_t)
+	relabelfrom_files_pattern($1,usr_t,usr_t)
 ')
 
 ########################################
@@ -4043,7 +4213,7 @@
 		type var_t, var_lock_t;
 	')
 
-	rw_dirs_pattern($1,var_t,var_lock_t)
+	rw_files_pattern($1,var_t,var_lock_t)
 ')
 
 ########################################
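Review bot: Swapping `rw_dirs_pattern` for `rw_files_pattern` changes what this interface grants from directory read/write to file read/write on `var_lock_t`, and its name and summary are outside this hunk, so I can't see whether they were updated to match. If it is a `*_lock_dirs` interface, existing callers lose the directory access they relied on; if the intent was a file-level interface, add a separate `files_rw_lock_files` rather than repurposing the old one. Either way the summary must describe files, not directories.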
@@ -4285,6 +4455,25 @@
 
 ########################################
 ## <summary>
+##	Delete generic process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_unlink_generic_pids',`
+	gen_require(`
+		type var_t, var_run_t;
+	')
+
+	list_dirs_pattern($1,var_t,var_run_t)
+	delete_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to daemon runtime data files.
 ## </summary>
 ## <param name="domain">
@@ -4560,6 +4749,8 @@
 	# Need to give access to /selinux/member
 	selinux_compute_member($1)
 
+ 	files_search_home($1)
+
 	# Need sys_admin capability for mounting
 	allow $1 self:capability { chown fsetid sys_admin };
 
@@ -4582,6 +4773,11 @@
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)
+	corecmd_exec_bin($1)
+	seutil_domtrans_setfiles($1)
+	fs_mount_tmpfs($1)
+	fs_unmount_tmpfs($1)
+
 ')
 
 ########################################
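Review bot: `seutil_domtrans_setfiles($1)` and `corecmd_exec_bin($1)` are appended to a kernel-layer interface (its header is outside this hunk, apparently the polyinstantiation one) without `optional_policy`, which both creates a kernel→system layer dependency and hands every caller a transition into setfiles_t, a domain that can relabel the whole filesystem. If polyinstantiation really needs to run setfiles, wrap the calls in `optional_policy` and add `# polyinstantiation runs setfiles on the new instance; callers get a setfiles_t transition` so the privilege is visible. The stray blank line before the closing `')` should go, and `files_search_home($1)` in the previous hunk has a leading space before its tab.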
@@ -4619,3 +4815,28 @@
 
 	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
 ')
+
+########################################
+## <summary>
+##	Create a core files in /
+## </summary>
+## <desc>
+##	<p>
+##	Create a core file in /,
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dump_core',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+	allow $1 root_t:file { create getattr write };
+')
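Review bot: `files_dump_core` grants `rw_dir_perms` on `root_t:dir`, which includes `remove_name`, so a caller can delete or rename existing entries in `/`, far more than writing a core file needs; `allow $1 root_t:dir { search write add_name };` (or an add-entry permission set if obj_perm_sets has one) is enough. There is also no type transition, so the core lands labelled `root_t` and is readable by anything with read on the root directory type; consider a dedicated core-dump type with a `filetrans_pattern` into it. Summary typo: "Create a core files in /" → `##	Create a core file in /`.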
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.8/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.te	2008-06-12 23:37:59.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(files,1.6.1)
+policy_module(files,1.6.0)
 
 ########################################
 #
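Review bot: The module version goes backwards here, from `1.6.1` to `1.6.0`, the opposite of what a patch that adds interfaces and rules should do; tools that upgrade by version (semodule -u) can refuse or ignore a module that is not newer than the installed one. Bump it forward instead, e.g. `policy_module(files,1.6.2)`.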
@@ -55,6 +55,9 @@
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
 typealias etc_t alias snmpd_etc_t;
+typealias etc_t alias gconf_etc_t;
+typealias etc_t alias soundd_etc_t;
+typealias etc_t alias hplip_etc_t;
 
 #
 # etc_runtime_t is the type of various
@@ -188,6 +191,7 @@
 fs_associate(file_type)
 fs_associate_noxattr(file_type)
 fs_associate_tmpfs(file_type)
+fs_associate_ramfs(file_type)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2008-06-22 06:45:05.000000000 -0400
@@ -271,45 +271,6 @@
 
 ########################################
 ## <summary>
-##	Read files on anon_inodefs file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_anon_inodefs_files',`
-	gen_require(`
-		type anon_inodefs_t;
-
-	')
-
-	read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
-')
-
-########################################
-## <summary>
-##	Read and write files on anon_inodefs
-##	file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_anon_inodefs_files',`
-	gen_require(`
-		type anon_inodefs_t;
-
-	')
-
-	rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
-')
-
-########################################
-## <summary>
 ##	Mount an automount pseudo filesystem.
 ## </summary>
 ## <param name="domain">
@@ -1171,6 +1132,25 @@
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete dirs
+##	on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_dos_dirs',`
+	gen_require(`
+		type dosfs_t;
+	')
+
+	manage_dirs_pattern($1,dosfs_t,dosfs_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete files
 ##	on a DOS filesystem.
 ## </summary>
@@ -1231,7 +1211,7 @@
 
 ########################################
 ## <summary>
-##      Unmount a FUSE filesystem.
+##      unmount a FUSE filesystem.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
@@ -1249,6 +1229,106 @@
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_dirs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	manage_files_pattern($1,fusefs_t,fusefs_t)
+')
+
+########################################
+## <summary>
+##	Read symbolic links on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_fusefs_symlinks',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	allow $1 fusefs_t:dir list_dir_perms;
+	read_lnk_files_pattern($1,fusefs_t,fusefs_t)
+')
+
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_fusefs_files',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Search inotifyfs filesystem. 
 ## </summary>
 ## <param name="domain">
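Review bot: `fs_manage_fusefs_dirs` hand-writes `allow $1 fusefs_t:dir manage_dir_perms;` while its sibling `fs_manage_fusefs_files` uses `manage_files_pattern`; for consistency use `manage_dirs_pattern($1,fusefs_t,fusefs_t)`, which with the same type on both sides should grant the same thing. `fs_read_fusefs_symlinks` likewise adds `allow $1 fusefs_t:dir list_dir_perms;` on top of `read_lnk_files_pattern`, which already supplies directory search, so either the listing is needed and should say why, or the extra allow can go. The double blank line after `fs_read_fusefs_symlinks` should be collapsed.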
@@ -1625,7 +1705,7 @@
 		type nfs_t;
 	')
 
-	dontaudit $1 nfs_t:file { read write };
+	dontaudit $1 nfs_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2139,6 +2219,7 @@
 	rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
 ')
 
+
 ########################################
 ## <summary>
 ##	Mount a RAM filesystem.
@@ -2214,6 +2295,24 @@
 
 ########################################
 ## <summary>
+##	Allow the type to associate to ramfs filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_ramfs',`
+	gen_require(`
+		type ramfs_t;
+	')
+
+	allow $1 ramfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
 ##	Search directories on a ramfs
 ## </summary>
 ## <param name="domain">
@@ -2276,7 +2375,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-#
+
 interface(`fs_dontaudit_read_ramfs_files',`
 	gen_require(`
 		type ramfs_t;
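Review bot: Replacing the bare `#` line before `fs_dontaudit_read_ramfs_files` with a blank line looks accidental: every doc block in this file ends with `#` immediately before its `interface(` line, and the doc extractor keys on that convention, so this interface may drop out of (or mis-attach in) the generated documentation. Restore the `#`.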
@@ -2885,6 +2984,7 @@
 		type tmpfs_t;
 	')
 
+	dontaudit $1 tmpfs_t:dir rw_dir_perms;
 	dontaudit $1 tmpfs_t:file rw_file_perms;
 ')
 
@@ -3206,6 +3306,7 @@
 	')
 
 	allow $1 filesystem_type:filesystem getattr;
+	files_getattr_all_file_type_fs($1)
 ')
 
 ########################################
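Review bot: `files_getattr_all_file_type_fs($1)` is called from `fs_getattr_all_fs` but no definition of it appears in any files.if hunk in this chunk; unless it is defined elsewhere in the patch, every module calling `fs_getattr_all_fs` fails to build on an undefined macro. Reaching into the files module also widens what "getattr all filesystems" means; if the extra access is needed, a comment such as `# also getattr the filesystems backing file_type objects` would explain why it lives here.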
@@ -3322,6 +3423,24 @@
 
 ########################################
 ## <summary>
+##	Dontaudit Search all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_search_all',`
+	gen_require(`
+		attribute filesystem_type;
+	')
+
+	dontaudit $1 filesystem_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
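Review bot: `fs_dontaudit_search_all` documents its parameter as "Domain allowed access." although it only dontaudits; use `##	Domain to not audit.` and lower-case "Search" in the summary to match the other dontaudit interfaces in this file.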
@@ -3533,3 +3652,62 @@
 	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
 	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
 ')
+
+########################################
+## <summary>
+##	Read files of anon_inodefs file system files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+########################################
+## <summary>
+##	Read/wrie files of anon_inodefs file system files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+
+########################################
+## <summary>
+##	Read and write files on hugetlbfs files
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_hugetlbfs_files',`
+	gen_require(`
+		type hugetlbfs_t;
+
+	')
+
+	rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t)
+')
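Review bot: The summaries of the re-added `fs_read_anon_inodefs_files` and `fs_rw_anon_inodefs_files` are worse than the ones deleted earlier in this file ("Read files of anon_inodefs file system files.", "Read/wrie files of ..." with a typo); keep the original wording, `##	Read files on anon_inodefs file systems.` and `##	Read and write files on anon_inodefs file systems.`. The new `fs_rw_hugetlbfs_files` summary also repeats "files". Moving the two anon_inodefs interfaces to the end of the file churns the diff for no functional reason; if the move is unintended, drop it.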
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2008-06-12 23:37:59.000000000 -0400
@@ -21,6 +21,7 @@
 
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@@ -28,6 +29,7 @@
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 
 # Use the allocating task SID to label inodes in the following filesystem
@@ -80,8 +82,10 @@
 type fusefs_t;
 fs_noxattr_type(fusefs_t)
 allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
 genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
 genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
 
 type futexfs_t;
 fs_type(futexfs_t)
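Review bot: Labelling `fusectl` with the same `fusefs_t` as FUSE data mounts means every domain given `fs_manage_fusefs_files` (per the new interfaces earlier in this patch, presumably user domains) can also write the per-connection control files fusectl exposes (including, as far as I recall, an abort trigger), so one user's confined process could in principle tear down another user's FUSE mount subject only to DAC. A dedicated type, e.g. `type fusectl_t; fs_type(fusectl_t); genfscon fusectl / gen_context(system_u:object_r:fusectl_t,s0)`, keeps control-plane and data-plane access separable. `allow fusefs_t fs_t:filesystem associate;` also deserves a comment stating which mount layout needs fusefs_t objects on an xattr filesystem.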
@@ -116,6 +120,7 @@
 
 type ramfs_t;
 fs_type(ramfs_t)
+files_mountpoint(ramfs_t)
 genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
 
 type romfs_t;
@@ -133,6 +138,16 @@
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
 
+type squash_t;
+fs_type(squash_t)
+genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+files_mountpoint(squash_t)
+
+type vmblock_t;
+fs_noxattr_type(vmblock_t)
+files_mountpoint(vmblock_t)
+genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+
 type vxfs_t;
 fs_noxattr_type(vxfs_t)
 files_mountpoint(vxfs_t)
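Review bot: `genfscon squash / ...` probably never matches: the Linux filesystem registers itself as `squashfs`, not `squash`, so this line labels nothing. Use `genfscon squashfs / gen_context(system_u:object_r:squash_t,s0)` and, for consistency with the other filesystem types here, consider naming the type `squashfs_t`. Also `squash_t` is `fs_type` while `vmblock_t` right below is `fs_noxattr_type`; since neither filesystem is expected to carry SELinux xattrs, both should probably be `fs_noxattr_type`, or a comment should explain the difference.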
@@ -222,6 +237,8 @@
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
+genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
 #
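Review bot: `lustre` is now labelled twice in this file: `fs_use_xattr lustre` in an earlier hunk and `genfscon lustre / ... nfs_t` here. Only one can be intended (the xattr form if the Lustre client stores security labels, the genfscon form if it does not), and keeping both leaves it unclear which mechanism applies and a stale rule for the next maintainer. Pick one, delete the other, and add a one-line comment such as `# lustre has no security xattr handler; treat like NFS` explaining the choice.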
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2008-06-12 23:37:59.000000000 -0400
@@ -352,6 +352,24 @@
 
 ########################################
 ## <summary>
+##	dontaudit search the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key search;
+')
+
+########################################
+## <summary>
 ##	Allow link to the kernel key ring.
 ## </summary>
 ## <param name="domain">
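Review bot: `kernel_dontaudit_search_key` documents its parameter as "Domain allowed access." though it only suppresses audit; use `##	Domain to not audit.` (same fix for `kernel_dontaudit_link_key` in the next hunk) so readers of the generated docs don't mistake these for allow rules.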
@@ -370,6 +388,24 @@
 
 ########################################
 ## <summary>
+##	dontaudit link to the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_link_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key link;
+')
+
+########################################
+## <summary>
 ##	Allows caller to read the ring buffer.
 ## </summary>
 ## <param name="domain">
@@ -1137,6 +1173,7 @@
 	')
 
 	dontaudit $1 proc_type:dir list_dir_perms;
+	dontaudit $1 proc_type:file getattr;
 ')
 
 ########################################
@@ -1336,7 +1373,7 @@
 
 	read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
 
-	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
+	list_dirs_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
 ')
 
 ########################################
@@ -1707,6 +1744,7 @@
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
+	dontaudit $1 sysctl_type:file getattr;
 ')
 
 ########################################
@@ -1867,6 +1905,27 @@
 
 ########################################
 ## <summary>
+##	Read the process state (/proc/pid) of all unlabeled_t.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_state',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir list_dir_perms;
+	read_files_pattern($1,unlabeled_t,unlabeled_t)
+	read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+
+########################################
+## <summary>
 ##	Do not audit attempts to list unlabeled directories.
 ## </summary>
 ## <param name="domain">
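Review bot: The summary says `kernel_read_unlabeled_state` reads "/proc/pid of all unlabeled_t", but the rules are not limited to proc: `read_files_pattern($1,unlabeled_t,unlabeled_t)` plus the dir and symlink rules grant read of every `unlabeled_t` object, which includes files on filesystems without labels and anything whose type was removed from policy — precisely the objects of unknown provenance a confined domain should be kept away from. If proc is the need, scope it to a proc-related type; otherwise rename and document it honestly, e.g. `##	Read all unlabeled files, directories and symlinks.`, so callers know the width.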
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te	2008-06-12 23:37:59.000000000 -0400
@@ -255,6 +255,8 @@
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })
+
 tunable_policy(`read_default_t',`
 	files_list_default(kernel_t)
 	files_read_default_files(kernel_t)
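Review bot: `userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })` makes the kernel module depend on the system-layer userdomain module without an `optional_policy` wrapper, and it is not obvious why `kernel_t` should be creating files and directories in user home directories at all. If there is a concrete case, it needs a comment naming it and the call should be wrapped in `optional_policy` like the other cross-layer calls in this file; otherwise drop it.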
@@ -359,7 +361,7 @@
 
 allow kern_unconfined proc_type:{ dir file lnk_file } *;
 
-allow kern_unconfined sysctl_t:{ dir file } *;
+allow kern_unconfined sysctl_type:{ dir file } *;
 
 allow kern_unconfined kernel_t:system *;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if	2008-06-12 23:37:59.000000000 -0400
@@ -138,6 +138,7 @@
 		type security_t;
 	')
 
+	selinux_dontaudit_getattr_fs($1)
 	dontaudit $1 security_t:dir search_dir_perms;
 	dontaudit $1 security_t:file { getattr read };
 ')
@@ -159,6 +160,7 @@
 		type security_t;
 	')
 
+	selinux_get_fs_mount($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file { getattr read };
 ')
@@ -239,6 +241,34 @@
 
 ########################################
 ## <summary>
+##	Allow caller to read the state of Booleans 
+## </summary>
+## <desc>
+##	<p>
+##	Allow caller read the state of Booleans 
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The process type allowed to set the Boolean.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_get_boolean',`
+	gen_require(`
+		type security_t;
+		attribute booleans_type;
+		bool secure_mode_policyload;
+	')
+
+	allow $1 security_t:dir list_dir_perms;
+	allow $1 booleans_type:dir list_dir_perms;
+	allow $1 booleans_type:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow caller to set the state of Booleans to
 ##	enable or disable conditional portions of the policy.
 ## </summary>
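Review bot: The parameter documentation of `selinux_get_boolean` says "The process type allowed to set the Boolean." but the body only grants `list_dir_perms` and `read_file_perms`, so the text describes the wrong interface; use `Domain allowed to read the state of Booleans.` The `gen_require` also pulls in `bool secure_mode_policyload`, which nothing in the body references and which looks carried over from `selinux_set_boolean`; drop that line. The summary reads "Allow caller read the state of Booleans" twice (once in `<summary>`, once in `<desc>`) and should be "Allow the caller to read the state of Booleans."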
@@ -262,11 +292,13 @@
 interface(`selinux_set_boolean',`
 	gen_require(`
 		type security_t;
+		attribute booleans_type;
 		bool secure_mode_policyload;
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 booleans_type:dir list_dir_perms;
+	allow $1 booleans_type:file { getattr read write };
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security setbool;
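Review bot: Removing `allow $1 security_t:file { getattr read write };` in favour of `booleans_type:file { getattr read write }` only works once something in selinuxfs is actually labeled with a booleans_type type, and the only genfscon that would do that (`genfscon selinuxfs /booleans ... boolean_t`) is added commented out in this same patch, so at runtime the boolean files remain `security_t` and callers of `selinux_set_boolean` lose the write they need to toggle a boolean even though `setbool` is still granted. Either keep the `security_t:file` rule until the genfscon is enabled, or enable the genfscon in the same change. The interface body continues past the hunk (the `secure_mode_policyload` conditional is cut off).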
@@ -336,6 +368,28 @@
 
 ########################################
 ## <summary>
+##	dontaudit caller to validate security contexts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type permitted to validate contexts.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_dontaudit_validate_context',`
+	gen_require(`
+		type security_t;
+	')
+
+	dontaudit $1 security_t:dir list_dir_perms;
+	dontaudit $1 security_t:file { getattr read write };
+	dontaudit $1 security_t:security check_context;
+')
+
+
+########################################
+## <summary>
 ##	Allows caller to compute an access vector.
 ## </summary>
 ## <param name="domain">
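Review bot: `<rolecap/>` marks an interface as a capability that can be granted to a role, but `selinux_dontaudit_validate_context` grants nothing, it only silences denials, so the tag (and the parameter text "The process type permitted to validate contexts.") look copied from `selinux_validate_context`. Drop the `<rolecap/>` line and use the file's dontaudit wording `Domain to not audit.` for the parameter. The summary would read better as `Do not audit attempts by the caller to validate security contexts.`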
@@ -463,3 +517,23 @@
 
 	typeattribute $1 selinux_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_genbool',`
+	gen_require(`
+		attribute booleans_type;
+	')
+
+	type $1, booleans_type;
+	fs_type($1)
+	mls_trusted_object($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.0.8/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.te	2008-06-12 23:37:59.000000000 -0400
@@ -10,6 +10,7 @@
 attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
+attribute booleans_type;
 
 # 
 # security_t is the target type when checking
@@ -22,6 +23,11 @@
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 
+type boolean_t, booleans_type;
+fs_type(boolean_t)
+mls_trusted_object(boolean_t)
+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
+
 neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
 neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
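Review bot: The `genfscon selinuxfs /booleans` line for `boolean_t` is added already commented out, so `boolean_t` and the `booleans_type` attribute introduced here are never applied to any object, and the booleans_type-based rules elsewhere in this patch have no effect until someone uncomments it. A commented-out policy statement with no explanation reads as dead code; either enable it or replace the comment with the reason it is disabled, e.g. `# /booleans genfscon disabled: <reason> -- booleans currently remain security_t`. Without that note the interaction with `selinux_set_boolean` (which now only writes booleans_type files) is easy to miss.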
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc	2008-06-12 23:37:59.000000000 -0400
@@ -6,18 +6,22 @@
 /dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/ad[[a-z]		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/hitcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/iseries/vt.*	 -c	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/iseries/nvt.*	 -c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
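Review bot: `/dev/ad[[a-z]` has a doubled `[`: as a bracket expression `[[a-z]` matches a literal `[` as well as `a`–`z`, and because file_contexts patterns are anchored it only ever matches a single trailing character, so any partition nodes such as `/dev/ada1` (if present on the target platform) would not be labeled. The neighbouring entry `/dev/[shmx]d[^/]*` shows the intended shape; suggest `/dev/ad[a-z][^/]*` (or `/dev/ad[a-z]` if whole-disk nodes only are meant). The two `iseries` lines mix a space and a tab before `-c`, unlike the rest of the file.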
@@ -31,6 +35,7 @@
 /dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pd[a-d][^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ps3d.*   		-b 	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -39,6 +44,7 @@
 ')
 /dev/s(cd|r)[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sbpcd.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
 /dev/sg[0-9]+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
 /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
@@ -52,7 +58,7 @@
 
 /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/fuse		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
 /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 
 /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
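Review bot: `/dev/fuse` keeps the `mls_systemhigh` level it inherited from its old `fixed_disk_device_t` label, but the new `fuse_device_t` declared in storage.te has only `dev_node()` and no `mls_trusted_object()`, so on an MLS policy processes below system-high are presumably unable to open the node, which would rule out user-level FUSE mounts. If that is intentional a comment on this line saying so would help; if not, `s0` (as used for the removable devices in this file) is likely the level wanted. This is inferred from the visible declaration only; confirm against the MLS constraints.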
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.8/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.if	2008-06-12 23:37:59.000000000 -0400
@@ -106,6 +106,26 @@
 
 ########################################
 ## <summary>
+##	dontaudit the caller attempts to read from a fixed disk.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type fixed_disk_device_t;
+	')
+
+	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts made by the caller to read
 ##	fixed disk device nodes.
 ## </summary>
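Review bot: `storage_dontaudit_raw_read_fixed_disk` requires `attribute fixed_disk_raw_read;` but the body never uses it (only `fixed_disk_device_t` is referenced), so the line is a dead require, presumably copied from `storage_raw_read_fixed_disk`; drop it. The summary also sits right above an existing interface described as "Do not audit attempts made by the caller to read fixed disk device nodes", so the two are easy to confuse; stating what differs here (this one covers `read_blk_file_perms`/`read_chr_file_perms` on the device nodes) in the summary would disambiguate. Suggest `Do not audit attempts by the caller to read from fixed disk device nodes (blk_file and chr_file read perms).`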
@@ -673,3 +693,61 @@
 
 	typeattribute $1 storage_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Allow the caller to get the attributes
+##	of device nodes of fuse devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_fuse_dev',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fuse_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	read or write fuse device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_rw_fuse',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	allow $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read or write
+##	fuse device interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_rw_fuse',`
+	gen_require(`
+		type fuse_device_t;
+	')
+
+	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
+')
+
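Review bot: `storage_rw_fuse` documents its parameter as "Domain to not audit." although it is an allow interface; that text belongs to `storage_dontaudit_rw_fuse` and should read `Domain allowed access.` here. Both interfaces use `rw_file_perms` on a `chr_file`, where the reference policy's device-node set is `rw_chr_file_perms`; switching to it keeps the permission set aligned with the class. The hunk also adds a trailing blank line at end of file.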
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.0.8/policy/modules/kernel/storage.te
--- nsaserefpolicy/policy/modules/kernel/storage.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.te	2008-06-12 23:37:59.000000000 -0400
@@ -23,6 +23,12 @@
 neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
 
 #
+# fuse_device_t is the type of /dev/fuse
+#
+type fuse_device_t;
+dev_node(fuse_device_t)
+
+#
 # scsi_generic_device_t is the type of /dev/sg*
 # it gives access to ALL SCSI devices (both fixed and removable)
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.8/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.fc	2008-06-12 23:37:59.000000000 -0400
@@ -2,18 +2,27 @@
 /dev/.*tty[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/[pt]ty[a-ep-z][0-9a-f] -c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 /dev/adb.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/bc[0-9]		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/capi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
 /dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/holter[0=9]	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/isictl.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
-/dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
+/dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/slm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/specialix_sxctl	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/specialix_rioctl	-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/tcldrv		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
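Review bot: `/dev/holter[0=9]` contains `[0=9]`, which matches only the characters `0`, `=` and `9`, not the digit range; it should be `/dev/holter[0-9]`. `/dev/i2c[^/]*` is given `tty_device_t`, but i2c adapter nodes are not terminals, so every domain allowed generic tty access would gain access to i2c devices; if a more specific device type exists in devices.fc it seems the better home, otherwise a comment on the line explaining why tty_device_t was chosen would help.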
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.0.8/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.if	2008-06-12 23:37:59.000000000 -0400
@@ -525,11 +525,13 @@
 interface(`term_use_generic_ptys',`
 	gen_require(`
 		type devpts_t;
+		attribute server_ptynode;
 	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
+	allow $1 server_ptynode:chr_file { getattr read write ioctl };
 ')
 
 ########################################
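Review bot: Adding `allow $1 server_ptynode:chr_file { getattr read write ioctl };` to `term_use_generic_ptys` means every caller of the "generic ptys" interface now also gets read/write on every daemon's pty type, a wider grant than the interface name implies and one that is not mentioned in the summary (which starts outside the hunk). The permission set also differs from the `devpts_t` line just above (`rw_term_perms lock append`). Suggest either a separate `term_use_all_ptys`-style interface or an updated summary, and using `rw_term_perms` on the new line for consistency.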
@@ -547,9 +549,11 @@
 interface(`term_dontaudit_use_generic_ptys',`
 	gen_require(`
 		type devpts_t;
+		attribute server_ptynode;
 	')
 
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+	dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.8/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te	2008-06-12 23:37:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.te	2008-06-12 23:37:59.000000000 -0400
@@ -28,6 +28,7 @@
 type devpts_t;
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.8/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/amavis.te	2008-06-12 23:37:59.000000000 -0400
@@ -65,6 +65,7 @@
 # Spool Files
 manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+manage_lnk_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
 files_search_spool(amavis_t)
@@ -116,6 +117,7 @@
 # bind to incoming port
 corenet_tcp_bind_amavisd_recv_port(amavis_t)
 corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
 
 dev_read_rand(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.fc	2008-06-12 23:37:58.000000000 -0400
@@ -3,12 +3,13 @@
 /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/etc/httpd			-d	gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/httpd/conf.*			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
 /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
 
+/srv/([^/]*/)?web(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
@@ -16,7 +17,6 @@
 
 /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -26,6 +26,7 @@
 /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/lighttpd.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 
@@ -33,6 +34,7 @@
 /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
+/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -48,16 +50,20 @@
 
 /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 
+/var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 ifdef(`distro_debian', `
 /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 ')
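Review bot: `/var/www(/.*)?/logs(/.*)?` labels any path component named `logs` at any depth under `/var/www` as `httpd_log_t`, so a content author's `logs` directory inside a docroot changes from read-only web content to a type that httpd can write to. If the intent is per-vhost log directories, a fixed depth such as `/var/www/[^/]*/logs(/.*)?` limits the exposure; otherwise a comment naming the layout this is meant to match would let reviewers judge it. The similar `/var/lib/drupal(/.*)?` as `httpd_sys_script_rw_t` could likewise use a one-line note on what writes there.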
@@ -65,11 +71,24 @@
 /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_fcgid(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 
 /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
 
 /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
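Review bot: `/usr/share/bugzilla(/.*)?  --  httpd_bugzilla_script_exec_t` labels every regular file under the tree (templates, stylesheets, images, Perl modules) as a CGI entry point, so all of them become executable in the script domain and eligible for the domain transition; narrowing to the actual scripts, e.g. `/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)` with the rest as `httpd_bugzilla_content_t`, keeps the exec type to what httpd really runs. The viewvc entry writes `gen_context(...httpd_sys_script_rw_t, s0)` with a space before `s0`, unlike every other entry in the file. `/var/www/html/[^/]*/cgi-bin(/.*)?` partially overlaps the new `/var/www/[^/]*/cgi-bin(/.*)?` a few lines earlier; a comment on which layout each targets would help.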
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2008-06-12 23:37:58.000000000 -0400
@@ -18,10 +18,6 @@
 		attribute httpd_script_exec_type;
 		type httpd_t, httpd_suexec_t, httpd_log_t;
 	')
-	# allow write access to public file transfer
-	# services files.
-	gen_tunable(allow_httpd_$1_script_anon_write,false)
-
 	#This type is for webpages
 	type httpd_$1_content_t, httpdcontent; # customizable
 	files_type(httpd_$1_content_t)
@@ -71,7 +67,7 @@
 	logging_search_logs(httpd_$1_script_t)
 
 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-	allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
 
 	allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
 	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
@@ -87,7 +83,6 @@
 	manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
 	manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
 	manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
 
 	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
 	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -96,6 +91,7 @@
 	dev_read_urand(httpd_$1_script_t)
 
 	corecmd_exec_all_executables(httpd_$1_script_t)
+	application_exec_all(httpd_$1_script_t)
 
 	files_exec_etc_files(httpd_$1_script_t)
 	files_read_etc_files(httpd_$1_script_t)
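Review bot: `application_exec_all(httpd_$1_script_t)` is unconditional inside a template instantiated once per prefix, so every CGI script domain can execute every application executable type, on top of the `corecmd_exec_all_executables` already present; that is a broad, always-on grant with no comment explaining which scripts need it. The rest of this template gates script behaviour on `httpd_enable_cgi`, so consider the same guard, or at least `# CGI scripts invoke helper applications (e.g. ...)` naming the case. The enclosing template starts and ends outside the hunk.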
@@ -120,10 +116,6 @@
 		can_exec(httpd_$1_script_t, httpdcontent)
 	')
 
-	tunable_policy(`allow_httpd_$1_script_anon_write',`
-		miscfiles_manage_public_files(httpd_$1_script_t)
-	') 
-
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -150,9 +142,11 @@
 
 		# privileged users run the script:
 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
 
 		# apache runs the script:
 		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
 
 		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
 		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
@@ -177,48 +171,6 @@
 		miscfiles_read_localization(httpd_$1_script_t)
 	')
 
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
-		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
-		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
-		allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
-		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
-		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_all_ports(httpd_$1_script_t)
-		corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
-		sysnet_read_config(httpd_$1_script_t)
-	')
-
-	optional_policy(`
-		mta_send_mail(httpd_$1_script_t)
-	')
-
 	optional_policy(`
 		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 			nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -265,12 +217,19 @@
 template(`apache_per_role_template', `
 	gen_require(`
 		attribute httpdcontent, httpd_script_domains;
-		attribute httpd_exec_scripts;
-		type httpd_t, httpd_suexec_t, httpd_log_t;
+		attribute httpd_exec_scripts, httpd_user_content_type;
+		attribute httpd_user_script_exec_type;
+		type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
 	')
 
 	apache_content_template($1)
 
+	typeattribute httpd_$1_content_t httpd_user_content_type;
+	typeattribute httpd_$1_script_ra_t httpd_user_content_type;
+	typeattribute httpd_$1_script_rw_t httpd_user_content_type;
+	typeattribute httpd_$1_script_ro_t httpd_user_content_type;
+	typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
+
 	typeattribute httpd_$1_script_t httpd_script_domains;
 	userdom_user_home_content($1,httpd_$1_content_t)
 
@@ -324,6 +283,7 @@
 		userdom_search_user_home_dirs($1,httpd_t)
 		userdom_search_user_home_dirs($1,httpd_suexec_t)
 		userdom_search_user_home_dirs($1,httpd_$1_script_t)
+		userdom_search_user_home_dirs($1,httpd_sys_script_t)
 	')
 ')
 
@@ -345,12 +305,11 @@
 #
 template(`apache_read_user_scripts',`
 	gen_require(`
-		type httpd_$1_script_exec_t;
+		attribute httpd_user_script_exec_type;
 	')
-
-	allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
-	read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
-	read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+	allow $2 httpd_user_script_exec_type:dir list_dir_perms;
+	read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
+	read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
 ')
 
 ########################################
@@ -371,12 +330,12 @@
 #
 template(`apache_read_user_content',`
 	gen_require(`
-		type httpd_$1_content_t;
+		attribute httpd_user_content_type;
 	')
 
-	allow $2 httpd_$1_content_t:dir list_dir_perms;
-	read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
-	read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
+	allow $2 httpd_user_content_type:dir list_dir_perms;
+	read_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
+	read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
 ')
 
 ########################################
@@ -754,6 +713,7 @@
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
+	read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
 ')
 
 ########################################
@@ -838,6 +798,10 @@
 		type httpd_sys_script_t;
 	')
 
+	tunable_policy(`httpd_enable_cgi',`
+		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+	')
+
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
 		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
 	')
@@ -925,7 +889,7 @@
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file { getattr read };
+	read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
 ')
 
 ########################################
@@ -1005,6 +969,31 @@
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete all user web content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_all_user_content',`
+	gen_require(`
+		attribute httpd_user_content_type, httpd_user_script_exec_type;
+	')
+
+	manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type)
+	manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type)
+	manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type)
+
+	manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+	manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+	manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type)
+')
+
+########################################
+## <summary>
 ##	Search system script state directory.
 ## </summary>
 ## <param name="domain">
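Review bot: The summary "Create, read, write, and delete all user web content." omits that `apache_manage_all_user_content` also manages `httpd_user_script_exec_type`, so the caller can create or modify the CGI scripts httpd executes for every user, which is a code-execution capability rather than plain content editing. Suggest the summary `Create, read, write, and delete all user web content, including user CGI script executables.` so anyone granting this `<rolecap/>` sees the implication.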
@@ -1056,3 +1045,138 @@
 
 	allow httpd_t $1:process signal;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to search 
+##	apache bugzilla directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_search_bugzilla_dirs',`
+	gen_require(`
+		type httpd_bugzilla_content_t;
+	')
+
+	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write Apache
+##	bugzill script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
+	gen_require(`
+		type httpd_bugzilla_script_t;
+	')
+
+	dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Execute apache server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apache_script_domtrans',`
+	gen_require(`
+		type httpd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,httpd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an apache environment
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix of the domain. Example, user would be
+##	the prefix for the uder_t domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the apache domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_admin',`
+
+	gen_require(`
+		type httpd_t, httpd_script_exec_t, httpd_config_t;
+		type httpd_log_t, httpd_modules_t, httpd_lock_t;
+		type httpd_var_run_t;
+		attribute httpdcontent;
+		attribute httpd_script_exec_type;
+		type httpd_bool_t;
+	')
+
+	allow $1 httpd_t:process { getattr ptrace signal_perms };
+
+	# Allow $1 to restart the apache service
+	apache_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 httpd_script_exec_t system_r;
+	allow $2 system_r;
+
+	apache_manage_all_content($1)
+
+	files_search_etc($1)
+	manage_dirs_pattern($1,httpd_config_t,httpd_config_t)
+	manage_files_pattern($1,httpd_config_t,httpd_config_t)
+	read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1,httpd_log_t,httpd_log_t)
+	manage_files_pattern($1,httpd_log_t,httpd_log_t)
+	read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
+
+	manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+	manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+	manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
+
+	allow $1 httpd_lock_t:file manage_file_perms;
+	files_lock_filetrans($1, httpd_lock_t, file)
+
+	manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+	files_pid_filetrans($1,httpd_var_run_t, file)
+
+	kernel_search_proc($1)
+	allow $1 httpd_t:dir list_dir_perms;
+	read_files_pattern($1,httpd_t,httpd_t)
+	read_lnk_files_pattern($1,httpd_t,httpd_t)
+
+	allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+	allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
+
+	seutil_domtrans_setfiles($1)
+
+#	apache_set_booleans($1, $2, $3, httpd_bool_t )
+#	seutil_setsebool_per_role_template($1, httpd, $3)
+#	allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+#	allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.te	2008-06-12 23:37:58.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.7.1)
+policy_module(apache,1.8.2)
 
 #
 # NOTES: 
@@ -20,20 +20,22 @@
 # Declarations
 #
 
+selinux_genbool(httpd_bool_t)
+
 ## <desc>
 ## <p>
 ## Allow Apache to modify public files
-## used for public file transfer services.
+## used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
 ## </p>
 ## </desc>
 gen_tunable(allow_httpd_anon_write,false)
 
 ## <desc>
 ## <p>
-## Allow Apache to use mod_auth_pam
+## Allow Apache to communicate with avahi service via dbus
 ## </p>
 ## </desc>
-gen_tunable(allow_httpd_mod_auth_pam,false)
+gen_tunable(allow_httpd_dbus_avahi,false)
 
 ## <desc>
 ## <p>
@@ -44,14 +46,21 @@
 
 ## <desc>
 ## <p>
-## Allow http daemon to tcp connect
+## Allow http daemon to send mail
+## </p>
+## </desc>
+gen_tunable(httpd_can_sendmail,false)
+
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to the network
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect,false)
 
 ## <desc>
 ## <p>
-## Allow httpd to connect to mysql/posgresql
+## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect_db, false)
@@ -87,31 +96,54 @@
 
 ## <desc>
 ## <p>
-## Run SSI execs in system CGI script domain.
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts
 ## </p>
 ## </desc>
 gen_tunable(httpd_ssi_exec,false)
 
 ## <desc>
 ## <p>
-## Allow http daemon to communicate with the TTY
+## Unify HTTPD to communicate with the terminal.  Needed for handling certificates
 ## </p>
 ## </desc>
 gen_tunable(httpd_tty_comm,false)
 
 ## <desc>
 ## <p>
-## Run CGI in the main httpd domain
+## Unify HTTPD handling of all content files
 ## </p>
 ## </desc>
 gen_tunable(httpd_unified,false)
 
+## <desc>
+## <p>
+## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs,false)
+
+## <desc>
+## <p>
+## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs,false)
+
+## <desc>
+## <p>
+## Allow apache scripts to write to public content.  Directories/Files must be labeled public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write,false)
+
 attribute httpdcontent;
+attribute httpd_user_content_type;
 
 # domains that can exec all users scripts
 attribute httpd_exec_scripts;
 
 attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
 
 # user script domains
 attribute httpd_script_domains;
@@ -142,6 +174,9 @@
 type httpd_log_t;
 logging_log_file(httpd_log_t)
 
+type httpd_script_exec_t;
+init_script_type(httpd_script_exec_t)
+
 # httpd_modules_t is the type given to module files (libraries) 
 # that come with Apache /etc/httpd/modules and /usr/lib/apache
 type httpd_modules_t;
@@ -202,7 +237,7 @@
 # Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
@@ -244,6 +279,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
 read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
+read_lnk_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -284,6 +320,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
 
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
@@ -310,9 +347,7 @@
 
 auth_use_nsswitch(httpd_t)
 
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
@@ -330,6 +365,10 @@
 files_read_var_lib_symlinks(httpd_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
 
 libs_use_ld_so(httpd_t)
 libs_use_shared_libs(httpd_t)
@@ -344,29 +383,52 @@
 
 seutil_dontaudit_search_config(httpd_t)
 
-sysnet_read_config(httpd_t)
-
 userdom_use_unpriv_users_fds(httpd_t)
 
-mta_send_mail(httpd_t)
-
 tunable_policy(`allow_httpd_anon_write',`
 	miscfiles_manage_public_files(httpd_t)
 ') 
 
-ifdef(`TODO', `
 #
 # We need optionals to be able to be within booleans to make this work
 #
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
 tunable_policy(`allow_httpd_mod_auth_pam',`
-	auth_domtrans_chk_passwd(httpd_t)
+	auth_domtrans_chkpwd(httpd_t)
 ')
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind,false)
+optional_policy(`
+	tunable_policy(`allow_httpd_mod_auth_pam',`
+		samba_domtrans_winbind_helper(httpd_t)
+	')
 ')
 
 tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	corenet_tcp_connect_pop_port(httpd_t)
+	corenet_sendrecv_pop_client_packets(httpd_t)
+	mta_send_mail(httpd_t)
+	mta_send_mail(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_can_network_connect_db',`
 	# allow httpd to connect to mysql/posgresql
 	corenet_tcp_connect_postgresql_port(httpd_t)
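Review bot: The new `allow_httpd_mod_auth_ntlm_winbind` boolean is declared but never tested: the `tunable_policy` wrapping `samba_domtrans_winbind_helper(httpd_t)` is conditioned on `allow_httpd_mod_auth_pam`, so enabling mod_auth_pam silently grants the winbind helper transition while the new boolean does nothing; the condition should name allow_httpd_mod_auth_ntlm_winbind. The `<desc>` block above that gen_tunable is a copy of the mod_auth_pam text ("Allow Apache to use mod_auth_pam") and should describe NTLM/winbind authentication instead. Separately, the `httpd_can_sendmail` block grants POP connect and packet rules as well as SMTP, which the tunable description ("Allow http daemon to send mail") does not cover; widen the description or drop the POP rules. Declaring gen_tunables in the rules section rather than under Declarations also departs from the rest of the file.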
@@ -387,6 +449,10 @@
 	corenet_sendrecv_http_cache_client_packets(httpd_t)
 ')
 
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+	miscfiles_manage_public_files(httpd_sys_script_t)
+') 
+
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
@@ -404,11 +470,21 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_nfs',`
+	fs_read_nfs_files(httpd_t)
+	fs_read_nfs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+	fs_read_cifs_files(httpd_t)
+	fs_read_cifs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
@@ -430,6 +506,12 @@
 ')
 
 optional_policy(`
+	tunable_policy(`httpd_tty_comm',`
+		unconfined_use_terminals(httpd_t)
+	')
+')
+
+optional_policy(`
 	calamaris_read_www_files(httpd_t)
 ')
 
@@ -442,8 +524,14 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client_template(httpd,httpd_t)
+	tunable_policy(`allow_httpd_dbus_avahi',`
+		avahi_dbus_chat(httpd_t)
+	')
+')
+optional_policy(`
 	kerberos_use(httpd_t)
-	kerberos_read_kdc_config(httpd_t)
+	kerberos_read_keytab(httpd_t)
 ')
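Review bot: `kerberos_read_keytab(httpd_t)` replaces a read of the KDC config with read access to the keytab, i.e. the host's Kerberos key material, and nothing in the hunk says which consumer needs it. A one-line comment such as `# keytab read needed by the Kerberos auth module — confirm consumer` would record the reason for granting a web server domain key material. The two `optional_policy` blocks are also run together with no blank line between the closing `')` and the next `optional_policy(`, unlike the rest of the file.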
 
 optional_policy(`
@@ -457,11 +545,11 @@
 optional_policy(`
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
+	mysql_read_config(httpd_t)
 ')
 
 optional_policy(`
 	nagios_read_config(httpd_t)
-	nagios_domtrans_cgi(httpd_t)
 ')
 
 optional_policy(`
@@ -481,6 +569,7 @@
 ')
 
 optional_policy(`
+	files_dontaudit_rw_usr_dirs(httpd_t)
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
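Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is placed inside the snmp `optional_policy` block, so this dontaudit only takes effect when the snmp module is present even though it is a core files_ rule with no snmp dependency. Move it out to the unconditional httpd_t rules beside the other files_ calls, or add a comment if the denial genuinely only arises through snmp.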
@@ -516,6 +605,13 @@
 	userdom_use_sysadm_terms(httpd_helper_t)
 ')
 
+optional_policy(`
+	tunable_policy(`httpd_tty_comm',`
+		unconfined_use_terminals(httpd_helper_t)
+	')
+')
+
+
 ########################################
 #
 # Apache PHP script local policy
@@ -553,6 +649,7 @@
 
 optional_policy(`
 	mysql_stream_connect(httpd_php_t)
+	mysql_read_config(httpd_php_t)
 ')
 
 optional_policy(`
@@ -567,7 +664,6 @@
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
 
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
@@ -581,6 +677,10 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
+auth_use_nsswitch(httpd_suexec_t)
+
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
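Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` lets suexec run system CGI scripts inside its own domain instead of transitioning into the script domain, so such scripts inherit whatever httpd_suexec_t holds (the preceding hunk shows it keeps the `setuid setgid` capabilities). If the intent is only to cover the exec after suexec has already dropped privileges, a comment saying so would help; otherwise a domain transition into the script domain is the safer shape. The suexec section continues outside this hunk.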
@@ -590,8 +690,7 @@
 fs_search_auto_mountpoints(httpd_suexec_t)
 
 # for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
@@ -620,8 +719,6 @@
 	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
 	corenet_tcp_connect_all_ports(httpd_suexec_t)
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
-
-	sysnet_read_config(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -634,6 +731,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+	fs_read_cifs_files(httpd_suexec_t)
+	fs_read_cifs_symlinks(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
@@ -651,18 +754,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
-optional_policy(`
-	nagios_domtrans_cgi(httpd_suexec_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(httpd_suexec_t)
-')
-
-optional_policy(`
-	nscd_socket_use(httpd_suexec_t)
-')
-
 ########################################
 #
 # Apache system script local policy
@@ -672,7 +763,8 @@
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+apache_read_squirrelmail_data(httpd_sys_script_t)
+apache_append_squirrelmail_data(httpd_sys_script_t)
 
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -686,15 +778,63 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
+sysnet_read_config(httpd_sys_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file { getattr append };
 ')
 
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
 	fs_read_nfs_files(httpd_sys_script_t)
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+	fs_read_nfs_files(httpd_sys_script_t)
+	fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_postgresql_port(httpd_sys_script_t)
+	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+	corenet_sendrecv_postgresql_client_packets(httpd_sys_script_t)
+	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+	corenet_tcp_connect_all_ports(httpd_sys_script_t)
+	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs', `
+	fs_read_cifs_files(httpd_sys_script_t)
+	fs_read_cifs_symlinks(httpd_sys_script_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
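Review bot: `sysnet_use_ldap(httpd_bugzilla_script_t)` is inserted in the system-script section although it governs the bugzilla script domain declared in the final hunk; move it down beside `sysnet_read_config(httpd_bugzilla_script_t)` so the bugzilla rules stay in one place. The two new `httpd_enable_cgi && …` blocks repeat the same ten socket/corenet lines and differ only in their connect/packet calls; if the toolchain accepts parenthesised conditions, one block gated on `httpd_enable_cgi && (httpd_can_network_connect || httpd_can_network_connect_db)` carrying the shared lines, with each existing block keeping only its port-specific calls, would remove the duplication. There is also a stray double blank line before the `httpd_use_cifs` block.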
@@ -707,12 +847,14 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
+	mysql_read_config(httpd_sys_script_t)
 ')
 
 ########################################
 #
 # httpd_rotatelogs local policy
 #
+allow httpd_rotatelogs_t self:capability dac_override;
 
 manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
 
@@ -728,3 +870,46 @@
 logging_search_logs(httpd_rotatelogs_t)
 
 miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+
+optional_policy(`
+	mysql_search_db(httpd_bugzilla_script_t)
+	mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(httpd_bugzilla_script_t)
+')
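Review bot: The bugzilla script domain gets unconditional TCP/UDP send/receive on all interfaces, nodes and ports plus connects to the mysql, postgresql and http ports, whereas the equivalent rules for httpd_sys_script_t in an earlier hunk are gated behind `httpd_enable_cgi && httpd_can_network_connect_db`; consider the same tunable_policy gating, or a comment stating why bugzilla needs it always on. The `#============= bugzilla policy ==============` banner also departs from the `########################################` section style used throughout the file.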
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.8/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if	2008-06-12 23:37:58.000000000 -0400
@@ -90,10 +90,29 @@
 ## </summary>
 ## </param>
 #
-interface(`httpd_apcupsd_cgi_script_domtrans',`
+interface(`apcupsd_cgi_script_domtrans',`
 	gen_require(`
 		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
 	')
 
 	domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
 ')
+
+########################################
+## <summary>
+##	Read apcupsd tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_read_tmp_files',`
+	gen_require(`
+		type apcupsd_tmp_t;
+	')
+
+	allow $1 apcupsd_tmp_t:file read_file_perms;
+')
+
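Review bot: Renaming `httpd_apcupsd_cgi_script_domtrans` to `apcupsd_cgi_script_domtrans` changes a public interface name, so any module still calling the old name (not visible here) will fail to build unless it is updated in the same patch. The new `apcupsd_read_tmp_files` grants `read_file_perms` on apcupsd_tmp_t files but nothing to reach them; the usual pattern in this tree pairs such a rule with `files_search_tmp($1)`, so a caller that cannot already search /tmp would be denied on the directory. A trailing blank line is also added at the end of the file.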
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.8/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.te	2008-06-12 23:37:59.000000000 -0400
@@ -86,6 +86,11 @@
 
 miscfiles_read_localization(apcupsd_t)
 
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_unpriv_users_ttys(apcupsd_t)
+userdom_use_unpriv_users_ptys(apcupsd_t)
+
 optional_policy(`
 	hostname_exec(apcupsd_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.0.8/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apm.te	2008-06-12 23:37:59.000000000 -0400
@@ -190,6 +190,10 @@
 	dbus_stub(apmd_t)
 
 	optional_policy(`
+		consolekit_dbus_chat(apmd_t)
+	')
+
+	optional_policy(`
 		networkmanager_dbus_chat(apmd_t)
 	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.0.8/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/asterisk.te	2008-06-12 23:37:59.000000000 -0400
@@ -98,6 +98,7 @@
 # for VOIP voice channels.
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 
 dev_read_sysfs(asterisk_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.8/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/audioentropy.te	2008-06-12 23:37:58.000000000 -0400
@@ -18,7 +18,7 @@
 # Local policy
 #
 
-allow entropyd_t self:capability { ipc_lock sys_admin };
+allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
 dontaudit entropyd_t self:capability sys_tty_config;
 allow entropyd_t self:process signal_perms;
 
@@ -32,6 +32,8 @@
 dev_read_sysfs(entropyd_t)
 dev_read_urand(entropyd_t)
 dev_write_urand(entropyd_t)
+dev_read_rand(entropyd_t)
+dev_write_rand(entropyd_t)
 dev_read_sound(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.0.8/policy/modules/services/automount.fc
--- nsaserefpolicy/policy/modules/services/automount.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.fc	2008-06-12 23:37:58.000000000 -0400
@@ -12,4 +12,6 @@
 # /var
 #
 
-/var/run/autofs(/.*)?		gen_context(system_u:object_r:automount_var_run_t,s0)
+/var/run/autofs.*		gen_context(system_u:object_r:automount_var_run_t,s0)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.if	2008-06-12 23:37:58.000000000 -0400
@@ -74,3 +74,39 @@
 
 	dontaudit $1 automount_tmp_t:dir getattr;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fd use;
+')
+########################################
+## <summary>
+##	Do not audit attempts to write automount daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`automount_dontaudit_write_pipes',`
+	gen_require(`
+		type automount_t;
+	')
+
+	dontaudit $1 automount_t:fifo_file write;
+')
+
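Review bot: The summary of `automount_dontaudit_use_fds` reads "Do not audit attempts to file descriptors for automount" and is missing its verb; `##	Do not audit attempts to use automount file descriptors.` matches the rule `dontaudit $1 automount_t:fd use;`. In `automount_dontaudit_write_pipes` the parameter summary says "Domain allowed access." for a dontaudit interface, whereas the sibling above uses the correct "Domain to not audit.". A blank line is also missing between the `')` closing the first interface and the `####` banner of the second.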
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.te	2008-06-12 23:37:59.000000000 -0400
@@ -52,7 +52,8 @@
 files_root_filetrans(automount_t,automount_tmp_t,dir)
 
 manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t)
-files_pid_filetrans(automount_t,automount_var_run_t,file)
+manage_fifo_files_pattern(automount_t,automount_var_run_t,automount_var_run_t)
+files_pid_filetrans(automount_t,automount_var_run_t,{ file fifo_file })
 
 kernel_read_kernel_sysctls(automount_t)
 kernel_read_irq_sysctls(automount_t)
@@ -69,6 +70,7 @@
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
 files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
 
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
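Review bot: `files_manage_non_security_dirs(automount_t)` presumably grants create/delete/rename on every directory not of a security type, a much wider grant than the mount/unmount rules around it, and carries no comment. If the aim is creating mount-point directories on demand, a comment such as `# creates mount point dirs under arbitrary paths — confirm` would record that; otherwise a narrower interface is preferable.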
@@ -99,7 +101,9 @@
 
 dev_read_sysfs(automount_t)
 # for SSP
+dev_read_rand(automount_t)
 dev_read_urand(automount_t)
+dev_rw_autofs(automount_t)
 
 domain_use_interactive_fds(automount_t)
 domain_dontaudit_read_all_domains_state(automount_t)
@@ -125,8 +129,12 @@
 fs_mount_autofs(automount_t)
 fs_manage_autofs_symlinks(automount_t)
 
+storage_rw_fuse(automount_t)
+
 term_dontaudit_getattr_pty_dirs(automount_t)
 
+auth_use_nsswitch(automount_t)
+
 libs_use_ld_so(automount_t)
 libs_use_shared_libs(automount_t)
 
@@ -147,10 +155,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(automount_t)
 
 optional_policy(`
-	corecmd_exec_bin(automount_t)
-')
-
-optional_policy(`
 	bind_search_cache(automount_t)
 ')
 
@@ -173,6 +177,11 @@
 ')
 
 optional_policy(`
+	samba_read_config(automount_t)
+	samba_manage_var_files(automount_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(automount_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.8/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/avahi.te	2008-06-12 23:37:58.000000000 -0400
@@ -85,6 +85,7 @@
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
 	init_dbus_chat_script(avahi_t)
+	dbus_system_domain(avahi_t,avahi_exec_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.8/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/bind.fc	2008-06-12 23:37:59.000000000 -0400
@@ -45,4 +45,7 @@
 /var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 ')
+/var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
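Review bot: The new `/var/named/chroot/var/log/named.*` entry is placed after the `')` that closes the block holding the other chroot entries (the block's opening is outside the hunk), so it applies unconditionally while the two `dynamic` entries added just above are inside that block. If the chroot log path should follow the same condition as the other chroot paths, move it above the `')`. The pattern `named.*` also matches any name beginning with `named`, not only `named.`-prefixed log files; `named\..*` would be tighter if that is the intent.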
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/bind.te	2008-06-22 07:35:58.000000000 -0400
@@ -66,7 +66,6 @@
 allow named_t self:unix_dgram_socket create_socket_perms;
 allow named_t self:tcp_socket create_stream_socket_perms;
 allow named_t self:udp_socket create_socket_perms;
-allow named_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow named_t dnssec_t:file { getattr read };
 
@@ -101,6 +100,8 @@
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
 
+corecmd_search_bin(named_t)
+
 corenet_all_recvfrom_unlabeled(named_t)
 corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_all_if(named_t)
@@ -112,22 +113,18 @@
 corenet_tcp_bind_all_nodes(named_t)
 corenet_udp_bind_all_nodes(named_t)
 corenet_tcp_bind_dns_port(named_t)
-corenet_udp_bind_dns_port(named_t)
+corenet_udp_bind_all_ports(named_t)
 corenet_tcp_bind_rndc_port(named_t)
 corenet_tcp_connect_all_ports(named_t)
 corenet_sendrecv_dns_server_packets(named_t)
 corenet_sendrecv_dns_client_packets(named_t)
 corenet_sendrecv_rndc_server_packets(named_t)
 corenet_sendrecv_rndc_client_packets(named_t)
+corenet_udp_bind_all_unreserved_ports(named_t)
 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
 
-fs_getattr_all_fs(named_t)
-fs_search_auto_mountpoints(named_t)
-
-corecmd_search_bin(named_t)
-
 dev_read_urand(named_t)
 
 domain_use_interactive_fds(named_t)
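Review bot: `corenet_udp_bind_all_ports(named_t)` replaces the DNS-port-only bind and lets named bind any UDP port, including those of other services, and the `corenet_udp_bind_all_unreserved_ports(named_t)` added a few lines later is then redundant with it. If the goal is random query-source ports for outgoing lookups, keeping `corenet_udp_bind_dns_port(named_t)` plus the unreserved-ports interface and dropping the all-ports grant is the narrower shape. A comment stating the reason would help either way.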
@@ -135,6 +132,11 @@
 files_read_etc_files(named_t)
 files_read_etc_runtime_files(named_t)
 
+fs_getattr_all_fs(named_t)
+fs_search_auto_mountpoints(named_t)
+
+auth_use_nsswitch(named_t)
+
 libs_use_ld_so(named_t)
 libs_use_shared_libs(named_t)
 
@@ -155,19 +157,12 @@
 ')
 
 optional_policy(`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow named_t self:dbus send_msg;
-
 	init_dbus_chat_script(named_t)
 
 	sysnet_dbus_chat_dhcpc(named_t)
 
 	dbus_system_bus_client_template(named,named_t)
 	dbus_connect_system_bus(named_t)
-	dbus_send_system_bus(named_t)
 
 	optional_policy(`
 		networkmanager_dbus_chat(named_t)
@@ -175,6 +170,10 @@
 ')
 
 optional_policy(`
+	kerberos_use(named_t)
+')
+
+optional_policy(`
 	# this seems like fds that arent being
 	# closed.  these should probably be
 	# dontaudits instead.
@@ -184,14 +183,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(named_t)
-')
-
-optional_policy(`
-	nscd_socket_use(named_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(named_t)
 ')
 
@@ -232,15 +223,16 @@
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
+corenet_tcp_bind_all_nodes(ndc_t)
 corenet_sendrecv_rndc_client_packets(ndc_t)
 
-fs_getattr_xattr_fs(ndc_t)
-
 domain_use_interactive_fds(ndc_t)
 
 files_read_etc_files(ndc_t)
 files_search_pids(ndc_t)
 
+fs_getattr_xattr_fs(ndc_t)
+
 init_use_fds(ndc_t)
 init_use_script_ptys(ndc_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.0.8/policy/modules/services/bitlbee.fc
--- nsaserefpolicy/policy/modules/services/bitlbee.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
+/var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.0.8/policy/modules/services/bitlbee.if
--- nsaserefpolicy/policy/modules/services/bitlbee.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,22 @@
+## <summary>Bitlbee service</summary>
+
+########################################
+## <summary>
+##     Read bitlbee configuration files
+## </summary>
+## <param name="domain">
+##     <summary>
+##         Domain allowed accesss.
+##     </summary>
+## </param>
+#
+interface(`bitlbee_read_config',`
+	gen_require(`
+		type bitlbee_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 bitlbee_conf_t:dir { getattr read search };
+	allow $1 bitlbee_conf_t:file { read getattr };
+')
+
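Review bot: The parameter summary has a typo, `Domain allowed accesss.` → `Domain allowed access.`, and the `##` lines are indented with spaces where the other `.if` files in this patch use a tab. The body hand-rolls `allow $1 bitlbee_conf_t:dir { getattr read search }` and `file { read getattr }`; the `read_files_pattern($1, bitlbee_conf_t, bitlbee_conf_t)` form used elsewhere in the tree expresses a close equivalent with the conventional macro and permission sets, if the small difference in dir permissions is acceptable.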
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,77 @@
+
+policy_module(bitlbee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bitlbee_t;
+type bitlbee_exec_t;
+init_daemon_domain(bitlbee_t, bitlbee_exec_t)
+inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
+
+type bitlbee_conf_t;
+files_config_file(bitlbee_conf_t)
+
+type bitlbee_var_t;
+files_type(bitlbee_var_t)
+
+########################################
+#
+# Local policy
+#
+#
+
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+
+bitlbee_read_config(bitlbee_t)
+
+# user account information is read and edited at runtime; give the usual
+# r/w access to bitlbee_var_t
+manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+
+corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_udp_sendrecv_generic_if(bitlbee_t)
+corenet_udp_sendrecv_generic_node(bitlbee_t)
+corenet_udp_sendrecv_lo_node(bitlbee_t)
+corenet_tcp_sendrecv_generic_if(bitlbee_t)
+corenet_tcp_sendrecv_generic_node(bitlbee_t)
+corenet_tcp_sendrecv_lo_node(bitlbee_t)
+# Allow bitlbee to connect to jabber servers
+corenet_tcp_connect_jabber_client_port(bitlbee_t)
+corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+# to AIM servers:
+corenet_tcp_connect_aol_port(bitlbee_t)
+corenet_tcp_sendrecv_aol_port(bitlbee_t)
+# and to MMCC (Yahoo IM) servers:
+corenet_tcp_connect_mmcc_port(bitlbee_t)
+corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+corenet_tcp_connect_http_port(bitlbee_t)
+corenet_tcp_sendrecv_http_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
+files_read_etc_files(bitlbee_t)
+files_search_pids(bitlbee_t)
+# grant read-only access to the user help files
+files_read_usr_files(bitlbee_t)
+
+libs_legacy_use_shared_libs(bitlbee_t)
+libs_use_ld_so(bitlbee_t)
+
+miscfiles_read_localization(bitlbee_t)
+
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
+	# normally started from inetd using tcpwrappers, so use those entry points
+	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+')
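Review bot: `libs_legacy_use_shared_libs(bitlbee_t)` is used where every other domain touched by this patch calls `libs_use_shared_libs` (see the apache.te, bind.te and automount.te hunks); unless bitlbee links against a legacy library type, the ordinary interface is expected here. The `# Local policy` banner has a doubled `#` line, and the module calls its own `bitlbee_read_config` interface from its .te rather than using direct rules, which I believe the tree's style discourages — worth confirming against the other modules.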
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.0.8/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.fc	2008-06-12 23:37:58.000000000 -0400
@@ -22,3 +22,4 @@
 #
 /var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
 /var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/bluetoothd_address	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te	2008-06-12 23:37:59.000000000 -0400
@@ -37,14 +37,14 @@
 # Bluetooth services local policy
 #
 
-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
 
@@ -110,6 +110,8 @@
 files_read_etc_runtime_files(bluetooth_t)
 files_read_usr_files(bluetooth_t)
 
+auth_use_nsswitch(bluetooth_t)
+
 libs_use_ld_so(bluetooth_t)
 libs_use_shared_libs(bluetooth_t)
 
@@ -118,20 +120,20 @@
 miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 
-sysnet_read_config(bluetooth_t)
-
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
 userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(bluetooth,bluetooth_t)
-	dbus_connect_system_bus(bluetooth_t)
-	dbus_send_system_bus(bluetooth_t)
+	cups_dbus_chat(bluetooth_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(bluetooth_t)
+	dbus_system_bus_client_template(bluetooth,bluetooth_t)
+	dbus_connect_system_bus(bluetooth_t)
+	dbus_send_system_bus(bluetooth_t)
+	allow bluetooth_t self:dbus send_msg;
+	dbus_system_domain(bluetooth_t,bluetooth_exec_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/clamav.fc	2008-06-12 23:37:58.000000000 -0400
@@ -5,16 +5,18 @@
 /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
 /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav-milter(/.*)?		gen_context(system_u:object_r:clamd_var_run_t,s0)
 
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 
-/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
 
 /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
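Review bot: `/var/log/clamav.*` has an unescaped dot and no `(/.*)?` anchoring, so it matches any path under /var/log whose name merely starts with `clamav`, including `/var/log/clamav/freshclam.log` that the following line labels freshclam_var_log_t; which label wins then depends on file_contexts sort/specificity rules rather than on an explicit pattern. The new `/var/log/clamd.*` line has the same shape. Suggest `/var/log/clamav(/.*)?` and `/var/log/clamd\..*` so the intended set of paths is stated by the regex itself.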
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.0.8/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/clamav.if	2008-06-12 23:37:58.000000000 -0400
@@ -38,6 +38,27 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to append
+##	to clamav log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_append_log',`
+	gen_require(`
+		type clamav_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 clamav_log_t:dir list_dir_perms;
+	append_files_pattern($1,clamav_log_t,clamav_log_t)
+')
+
+########################################
+## <summary>
 ##	Read clamav configuration files.
 ## </summary>
 ## <param name="domain">
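Review bot: `clamav_append_log` requires `type clamav_log_t;`, but the clamav.fc hunk in this same patch labels the log files `clamd_var_log_t` and no declaration of `clamav_log_t` is visible anywhere in the patch; if the type is not declared in clamav.te the gen_require fails when a module using this interface is linked. Suggest `type clamd_var_log_t;`, `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1,clamd_var_log_t,clamd_var_log_t)`, unless clamav.te does declare a clamav_log_t that I cannot see here.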
@@ -91,3 +112,22 @@
 
 	domtrans_pattern($1,clamscan_exec_t,clamscan_t)
 ')
+
+########################################
+## <summary>
+##	Execute clamscan without a transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_exec_clamscan',`
+	gen_require(`
+		type clamscan_exec_t;
+	')
+
+	can_exec($1,clamscan_exec_t)
+
+')
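Review bot: `clamav_exec_clamscan` has a stray blank line before the closing `')`, and `can_exec` by itself grants execute on the file but not search of the directory holding /usr/bin/clamscan; the sibling domtrans interface just above presumably pairs its rule with `corecmd_search_bin($1)`, but that part is outside the hunk so I cannot confirm. Suggest `corecmd_search_bin($1)` before the can_exec line and dropping the blank line.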
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/clamav.te	2008-06-12 23:37:58.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(clamav,1.4.1)
+policy_module(clamav,1.5.1)
 
 ########################################
 #
@@ -87,6 +87,9 @@
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
 
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
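Review bot: `corecmd_exec_shell(clamd_t)` lets the scanning daemon run a shell with no comment on which feature needs it; for a daemon that parses untrusted content this is the grant a reviewer most wants explained (clamd's configurable on-detection command is a plausible reason, but that is inferred). Suggest `# shell for clamd's configurable on-detection command -- TODO confirm` above the line, and a similar note for `kernel_read_system_state` if it was driven by a specific denial.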
@@ -120,6 +123,9 @@
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
 
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
 	amavis_read_spool_files(clamd_t)
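Review bot: `mta_read_config(clamd_t)` and `mta_send_mail(clamd_t)` are added unconditionally while every other cross-module call in this file (amavis here, exim in the next hunk, mailscanner at the end) is wrapped in optional_policy. If mta is treated as always present in this tree that is fine, but the inconsistency should at least be deliberate; otherwise wrap the two lines in `optional_policy(\`` … `')` like the exim block that follows.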
@@ -127,6 +133,10 @@
 	amavis_create_pid_files(clamd_t)
 ')
 
+optional_policy(`
+	exim_read_spool_files(clamd_t)
+')
+
 ########################################
 #
 # Freshclam local policy
@@ -233,3 +243,7 @@
 optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
+
+optional_policy(`
+	mailscanner_manage_spool(clamscan_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.0.8/policy/modules/services/comsat.te
--- nsaserefpolicy/policy/modules/services/comsat.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/comsat.te	2008-06-12 23:37:58.000000000 -0400
@@ -60,6 +60,8 @@
 init_read_utmp(comsat_t)
 init_dontaudit_write_utmp(comsat_t)
 
+auth_use_nsswitch(comsat_t)
+
 libs_use_ld_so(comsat_t)
 libs_use_shared_libs(comsat_t)
 
@@ -67,8 +69,6 @@
 
 miscfiles_read_localization(comsat_t)
 
-sysnet_read_config(comsat_t)
-
 userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
 
 mta_getattr_spool(comsat_t)
@@ -77,10 +77,3 @@
 	kerberos_use(comsat_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(comsat_t)
-')
-
-optional_policy(`
-	nscd_socket_use(comsat_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.0.8/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/consolekit.if	2008-06-12 23:37:58.000000000 -0400
@@ -38,3 +38,24 @@
 	allow $1 consolekit_t:dbus send_msg;
 	allow consolekit_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	dontaudit  send and receive messages from
+##	consolekit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+	gen_require(`
+		type consolekit_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 consolekit_t:dbus send_msg;
+	dontaudit consolekit_t $1:dbus send_msg;
+')
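Review bot: The summary of `consolekit_dontaudit_dbus_chat` reads `dontaudit  send and receive messages from` — a double space and `dontaudit` used as a verb in user-facing documentation — whereas the other summaries in the file are plain sentences. Suggest `##	Do not audit attempts to send and receive` / `##	messages from consolekit over dbus.`. The two dontaudit rules themselves are correct mirror images of the allow rules in the interface above.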
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te	2008-06-12 23:37:59.000000000 -0400
@@ -10,7 +10,6 @@
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)
 
-# pid files
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 
@@ -25,7 +24,8 @@
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
 allow consolekit_t self:unix_dgram_socket create_socket_perms;
 
-# pid file
+auth_use_nsswitch(consolekit_t)
+
 manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
 files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
 
@@ -38,6 +38,7 @@
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
 
 files_read_etc_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
@@ -50,8 +51,16 @@
 libs_use_ld_so(consolekit_t)
 libs_use_shared_libs(consolekit_t)
 
+logging_send_syslog_msg(consolekit_t)
+
 miscfiles_read_localization(consolekit_t)
 
+# consolekit needs to be able to ptrace all logged in users 
+userdom_ptrace_all_users(consolekit_t)
+userdom_dontaudit_read_unpriv_users_home_content_files(consolekit_t)
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
 optional_policy(`
 	dbus_system_bus_client_template(consolekit, consolekit_t)
 	dbus_send_system_bus(consolekit_t)
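Review bot: `userdom_ptrace_all_users`, `hal_ptrace` and `mcs_ptrace_all` give consolekit_t ptrace over every logged-in user's processes and across MCS categories on the strength of a one-line comment; ptrace is process-memory-level access, so for a session-tracking daemon the comment should name the specific operation that fails without it. Note that the previous hunk adds `domain_dontaudit_ptrace_all_domains(consolekit_t)` for the same domain, so the denials that would justify (or narrow) these allow rules are being silenced at the same time. The comment line also carries trailing whitespace; suggest `# consolekit inspects processes of each session it tracks; ptrace needed for <operation> -- TODO confirm a read of /proc state is not sufficient`.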
@@ -62,9 +71,23 @@
 	optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
 	')
+
 ')
 
 optional_policy(`
 	xserver_read_all_users_xauth(consolekit_t)
 	xserver_stream_connect_xdm_xserver(consolekit_t)
+	xserver_stream_connect_xdm(consolekit_t)
+')
+
+optional_policy(`
+	#reading .Xauthity
+	unconfined_ptrace(consolekit_t)
+	unconfined_stream_connect(consolekit_t)
+')
+
+optional_policy(`
+	userdom_read_user_tmp_files(user,consolekit_t)
 ')
+
+
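Review bot: The comment `#reading .Xauthity` above `unconfined_ptrace(consolekit_t)` does not describe a ptrace grant (and misspells .Xauthority); reading that file is already covered by `xserver_read_all_users_xauth` earlier in this hunk, so either the comment or the rule is wrong. Suggest replacing it with one naming what ptrace of, and stream connection to, unconfined session processes is for, e.g. `# ptrace/connect to unconfined session processes: <reason> -- TODO confirm`. The hunk also adds a blank line before a closing `')` and two trailing blank lines at end of file.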
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.0.8/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/courier.te	2008-06-12 23:37:59.000000000 -0400
@@ -58,6 +58,7 @@
 files_getattr_tmp_dirs(courier_authdaemon_t)
 
 auth_domtrans_chk_passwd(courier_authdaemon_t)
+auth_domtrans_upd_passwd(courier_authdaemon_t)
 
 libs_read_lib_files(courier_authdaemon_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.te serefpolicy-3.0.8/policy/modules/services/cpucontrol.te
--- nsaserefpolicy/policy/modules/services/cpucontrol.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cpucontrol.te	2008-06-12 23:37:58.000000000 -0400
@@ -63,6 +63,10 @@
 ')
 
 optional_policy(`
+	rhgb_use_ptys(cpucontrol_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(cpucontrol_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.8/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cron.fc	2008-06-12 23:37:59.000000000 -0400
@@ -17,6 +17,8 @@
 /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
+/var/spool/anacron(/.*)			gen_context(system_u:object_r:system_cron_spool_t,s0)
+
 /var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/at/[^/]*		--	<<none>>
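Review bot: `/var/spool/anacron(/.*)` lacks the trailing `?`, so the regex matches only entries beneath the directory and never `/var/spool/anacron` itself, which keeps its parent's label; every other directory entry in this file uses `(/.*)?`. Suggest `/var/spool/anacron(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)`.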
@@ -45,3 +47,4 @@
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
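Review bot: `/var/lib/misc(/.*)?` assigns the cron-specific system_crond_var_lib_t to a directory whose name is generic (FHS reserves /var/lib/misc for state with no dedicated directory), so any other package storing files there inherits a cron label and only domains granted `cron_read_system_job_lib_files` from the cron.if hunk can read them. Presumably a specific file under it was the target; it should be named in the pattern or in a comment. The entry is also appended after the fcron spool lines rather than grouped by path.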
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cron.if	2008-07-02 15:53:34.000000000 -0400
@@ -35,6 +35,7 @@
 #
 template(`cron_per_role_template',`
 	gen_require(`
+		class context contains;
 		attribute cron_spool_type;
 		type crond_t, cron_spool_t, crontab_exec_t;
 	')
@@ -53,9 +54,6 @@
 	application_domain($1_crontab_t,crontab_exec_t)
 	role $3 types $1_crontab_t;
 
-	type $1_crontab_tmp_t;
-	files_tmp_file($1_crontab_tmp_t)
-
 	##############################
 	#
 	# $1_crond_t local policy
@@ -66,6 +64,7 @@
 	allow $1_crond_t self:fifo_file rw_fifo_file_perms;
 	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_crond_t self:unix_dgram_socket create_socket_perms;
+	allow $1_crond_t self:context contains;
 
 	# The entrypoint interface is not used as this is not
 	# a regular entrypoint.  Since crontab files are
@@ -138,51 +137,32 @@
 	userdom_manage_user_tmp_symlinks($1,$1_crond_t)
 	userdom_manage_user_tmp_pipes($1,$1_crond_t)
 	userdom_manage_user_tmp_sockets($1,$1_crond_t)
+	userdom_transition_user_tmp($1,$1_crond_t, { lnk_file file dir fifo_file })
 	# Run scripts in user home directory and access shared libs.
 	userdom_exec_user_home_content_files($1,$1_crond_t)
 	# Access user files and dirs.
-#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
+	userdom_manage_user_home_content_dirs($1,$1_crond_t)
 	userdom_manage_user_home_content_files($1,$1_crond_t)
 	userdom_manage_user_home_content_symlinks($1,$1_crond_t)
 	userdom_manage_user_home_content_pipes($1,$1_crond_t)
 	userdom_manage_user_home_content_sockets($1,$1_crond_t)
-#	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file manage_file_perms;
 	')
 
-	# need a per-role version of this:
-	#optional_policy(`
-	#	mono_domtrans($1_crond_t)
-	#')
-
-	optional_policy(`
-		dbus_stub($1_crond_t)
-
-		allow $1_crond_t $2:dbus send_msg;
-	')		
-
 	optional_policy(`
 		nis_use_ypbind($1_crond_t)
 	')
 
-	ifdef(`TODO',`
 	optional_policy(`
-		create_dir_file($1_crond_t, httpd_$1_content_t)
+		mta_send_mail($1_crond_t)
 	')
-	allow $1_crond_t tmp_t:dir rw_dir_perms;
-	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
 
-	ifdef(`mta.te', `
-		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;
-
-		# $1_mail_t should only be reading from the cron fifo not needing to write
-		dontaudit $1_mail_t crond_t:fifo_file write;
-		allow mta_user_agent $1_crond_t:fd use;
+	optional_policy(`
+		nscd_socket_use($1_crond_t)
 	')
-	') dnl endif TODO
 
 	##############################
 	#
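Review bot: The hunk keeps `nis_use_ypbind($1_crond_t)` and adds `nscd_socket_use($1_crond_t)` as separate optional_policy blocks, while the rest of this patch (comsat.te, consolekit.te, cron.te, cups.te) replaces exactly that pair with `auth_use_nsswitch`; the per-role template should follow the same convention, `auth_use_nsswitch($1_crond_t)`. The previously commented-out `userdom_manage_user_home_content_dirs` and `userdom_user_home_dir_filetrans_user_home_content` rules are also enabled without a comment, so user cron jobs can now create and delete directories in the user's home — that deserves a one-line justification. The template itself starts and ends outside this hunk.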
@@ -192,9 +172,13 @@
 	# dac_override is to create the file in the directory under /tmp
 	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
 	allow $1_crontab_t self:process signal_perms;
+	allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
 
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+	allow $2 $1_crontab_t:fd use;
+
+	auth_domtrans_upd_passwd_chk($1_crontab_t)
 
 	# crontab shows up in user ps
 	ps_process_pattern($2,$1_crontab_t)
@@ -205,9 +189,6 @@
 	# Allow crond to read those crontabs in cron spool.
 	allow crond_t $1_cron_spool_t:file manage_file_perms;
 
-	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
-
 	# create files in /var/spool/cron
 	manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
 	filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
@@ -236,6 +217,7 @@
 	libs_use_shared_libs($1_crontab_t)
 
 	logging_send_syslog_msg($1_crontab_t)
+	logging_send_audit_msgs($1_crontab_t)
 
 	miscfiles_read_localization($1_crontab_t)
 
@@ -243,10 +225,12 @@
 
 	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
 	userdom_manage_user_tmp_files($1,$1_crontab_t)
+	userdom_transition_user_tmp($1,$1_crontab_t, { file dir })
 	# Access terminals.
 	userdom_use_user_terminals($1,$1_crontab_t)
 	# Read user crontabs
 	userdom_read_user_home_content_files($1,$1_crontab_t)
+	userdom_transition_user_tmp($1,$1_crontab_t, { lnk_file file dir fifo_file })
 
 	tunable_policy(`fcron_crond',`
 		# fcron wants an instant update of a crontab change for the administrator
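Review bot: `userdom_transition_user_tmp($1,$1_crontab_t, { file dir })` and, five lines later, `userdom_transition_user_tmp($1,$1_crontab_t, { lnk_file file dir fifo_file })` are both added for the same domain; the second class set is a superset of the first, so the first line is redundant and the pair reads like an unfinished edit. Keep only the second (placed next to the other tmp rules) and drop the first.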
@@ -438,6 +422,25 @@
 
 ########################################
 ## <summary>
+##	Read temporary files from cron.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_tmp_files',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 crond_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
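Review bot: `cron_read_tmp_files` grants `files_search_tmp($1)` plus `read_file_perms` on crond_tmp_t files only, but the cron.te hunk in this patch creates crond_tmp_t directories too (`manage_dirs_pattern` and `files_tmp_filetrans(... { file dir })`), so a file inside such a directory stays unreadable without search on crond_tmp_t:dir. Suggest `read_files_pattern($1, crond_tmp_t, crond_tmp_t)` in place of the bare allow, which covers both the directory search and the file read.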
@@ -583,3 +586,22 @@
 
 	dontaudit $1 system_crond_tmp_t:file append;
 ')
+
+########################################
+## <summary>
+##	Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+	gen_require(`
+		type system_crond_var_lib_t;
+	')
+
+
+	read_files_pattern($1, system_crond_var_lib_t,  system_crond_var_lib_t)
+')
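Review bot: The summary of `cron_read_system_job_lib_files` says `Read temporary files from the system cron jobs.` but the interface reads system_crond_var_lib_t, the /var/lib label introduced in cron.fc and cron.te; the documentation should say `Read the /var/lib files of the system cron jobs.`. The interface also does not search /var/lib for the caller (the cron.te hunk gives system_crond_t itself `files_search_var_lib`), so callers presumably need `files_search_var_lib($1)` here — confirm against an actual consumer. The double blank line in the body and the double space in the `read_files_pattern` call are style noise.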
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cron.te	2008-06-12 23:37:58.000000000 -0400
@@ -12,14 +12,6 @@
 
 ## <desc>
 ## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
-## </desc>
-gen_tunable(cron_can_relabel,false)
-
-## <desc>
-## <p>
 ## Enable extra rules in the cron domain
 ## to support fcron.
 ## </p>
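Review bot: Removing the `cron_can_relabel` tunable here, together with its `tunable_policy` block in the hunk at -349,18, drops the else-branch grants (`selinux_get_fs_mount`, `selinux_validate_context`, the `selinux_compute_*` calls and `seutil_read_file_contexts` for system_crond_t) that every build received while the boolean was off, and nothing in the patch re-adds them. If system cron jobs no longer need to validate or compute contexts this is fine, but the commit should say so; I cannot see the rest of cron.te to confirm they are provided elsewhere.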
@@ -50,6 +42,7 @@
 
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
 
 type crond_var_run_t;
 files_pid_file(crond_var_run_t)
@@ -71,6 +64,12 @@
 type system_crond_tmp_t;
 files_tmp_file(system_crond_tmp_t)
 
+type system_crond_var_lib_t;
+files_type(system_crond_var_lib_t)
+
+type system_crond_var_run_t;
+files_pid_file(system_crond_var_run_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
 ')
@@ -80,7 +79,7 @@
 # Cron Local policy
 #
 
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
@@ -99,18 +98,20 @@
 allow crond_t crond_var_run_t:file manage_file_perms;
 files_pid_filetrans(crond_t,crond_var_run_t,file)
 
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t,cron_spool_t,cron_spool_t)
 
 manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
 manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
 files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir })
 
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
+auth_use_nsswitch(crond_t)
 
 kernel_read_kernel_sysctls(crond_t)
 kernel_search_key(crond_t)
+kernel_link_key(crond_t)
 
 dev_read_sysfs(crond_t)
 selinux_get_fs_mount(crond_t)
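Review bot: `manage_files_pattern(crond_t,cron_spool_t,cron_spool_t)` replaces `rw_dir_perms` on the spool directory plus `read_file_perms` on the crontab files, so the daemon can now create, write and unlink user crontabs rather than only read them, with no comment saying which operation needed that. If a specific write motivated it, say so above the line; otherwise `read_files_pattern(crond_t, cron_spool_t, cron_spool_t)`, matching the `read_files_pattern` used two lines below for system_cron_spool_t, keeps crond_t read-only on user crontabs.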
@@ -127,6 +128,8 @@
 
 # need auth_chkpwd to check for locked accounts.
 auth_domtrans_chk_passwd(crond_t)
+auth_domtrans_upd_passwd_chk(crond_t)
+auth_search_key(crond_t)
 
 corecmd_exec_shell(crond_t)
 corecmd_list_bin(crond_t)
@@ -142,11 +145,14 @@
 files_search_default(crond_t)
 
 init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
 
 libs_use_ld_so(crond_t)
 libs_use_shared_libs(crond_t)
 
+logging_send_audit_msgs(crond_t)
 logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
@@ -160,6 +166,16 @@
 
 mta_send_mail(crond_t)
 
+tunable_policy(`allow_polyinstantiation',`
+	allow crond_t self:capability fowner;
+	files_search_tmp(crond_t)
+	files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+	apache_search_sys_content(crond_t)
+')
+
 ifdef(`distro_debian',`
 	optional_policy(`
 		# Debian logcheck has the home dir set to its cache
@@ -180,29 +196,34 @@
 	locallogin_link_keys(crond_t)
 ')
 
-tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+	# these should probably be unconfined_crond_t
+	init_dbus_send_script(crond_t)
 ')
 
 optional_policy(`
-	amavis_search_lib(crond_t)
+	mono_domtrans(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+	allow crond_t system_cron_spool_t:file manage_file_perms;
 ')
 
 optional_policy(`
-	hal_dbus_send(crond_t)
+	amanda_search_var_lib(crond_t)
 ')
 
 optional_policy(`
-	# cjp: why?
-	munin_search_lib(crond_t)
+	amavis_search_lib(crond_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(crond_t)
+	hal_dbus_send(crond_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(crond_t)
+	# cjp: why?
+	munin_search_lib(crond_t)
 ')
 
 optional_policy(`
@@ -239,7 +260,6 @@
 allow system_crond_t cron_var_lib_t:file manage_file_perms;
 files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
 
-allow system_crond_t system_cron_spool_t:file read_file_perms;
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
@@ -249,6 +269,8 @@
 # for this purpose.
 allow system_crond_t system_cron_spool_t:file entrypoint;
 
+allow system_crond_t system_cron_spool_t:file read_file_perms;
+
 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond 
 # via setexeccon.  There is no way to set up an automatic
@@ -270,9 +292,16 @@
 filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
 files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
 
+# var/lib files for system_crond
+files_search_var_lib(system_crond_t)
+manage_files_pattern(system_crond_t,system_crond_var_lib_t,system_crond_var_lib_t)
+
+allow system_crond_t system_crond_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_crond_t,system_crond_var_run_t,file)
+
 # Read from /var/spool/cron.
 allow system_crond_t cron_spool_t:dir list_dir_perms;
-allow system_crond_t cron_spool_t:file read_file_perms;
+allow system_crond_t cron_spool_t:file rw_file_perms;
 
 kernel_read_kernel_sysctls(system_crond_t)
 kernel_read_system_state(system_crond_t)
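Review bot: The comment `# Read from /var/spool/cron.` now sits above `allow system_crond_t cron_spool_t:file rw_file_perms;`, so it no longer describes the rule. Either the comment should explain why system cron jobs write to user crontab files, e.g. `# Read and write /var/spool/cron: <job that rewrites crontabs> -- TODO confirm`, or the permission should stay read_file_perms.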
@@ -326,7 +355,7 @@
 init_read_utmp(system_crond_t)
 init_dontaudit_rw_utmp(system_crond_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_telinit(system_crond_t)
 
 libs_use_ld_so(system_crond_t)
 libs_use_shared_libs(system_crond_t)
@@ -334,6 +363,7 @@
 libs_exec_ld_so(system_crond_t)
 
 logging_read_generic_logs(system_crond_t)
+logging_send_audit_msgs(system_crond_t)
 logging_send_syslog_msg(system_crond_t)
 
 miscfiles_read_localization(system_crond_t)
@@ -349,18 +379,6 @@
 	')
 ')
 
-tunable_policy(`cron_can_relabel',`
-	seutil_domtrans_setfiles(system_crond_t)
-',`
-	selinux_get_fs_mount(system_crond_t)
-	selinux_validate_context(system_crond_t)
-	selinux_compute_access_vector(system_crond_t)
-	selinux_compute_create_context(system_crond_t)
-	selinux_compute_relabel_context(system_crond_t)
-	selinux_compute_user_contexts(system_crond_t)
-	seutil_read_file_contexts(system_crond_t)
-')
-
 optional_policy(`
 	# Needed for certwatch
 	apache_exec_modules(system_crond_t)
@@ -384,6 +402,14 @@
 ')
 
 optional_policy(`
+	lpd_list_spool(system_crond_t)
+')
+
+optional_policy(`
+	mono_domtrans(system_crond_t)
+')
+
+optional_policy(`
 	mrtg_append_create_logs(system_crond_t)
 ')
 
@@ -424,8 +450,7 @@
 ')
 
 optional_policy(`
-	# cjp: why?
-	squid_domtrans(system_crond_t)
+	spamassassin_manage_lib_files(system_crond_t)
 ')
 
 optional_policy(`
@@ -433,15 +458,12 @@
 ')
 
 optional_policy(`
-	unconfined_domain(system_crond_t)
-
-	userdom_priveleged_home_dir_manager(system_crond_t)
+	unconfined_dbus_send(crond_t)
+	unconfined_shell_domtrans(crond_t)
+	unconfined_domain(crond_t)
 ')
 
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_crond_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_crond_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
+optional_policy(`
+	userdom_priveleged_home_dir_manager(system_crond_t)
+	unconfined_domain(system_crond_t)
 ')
-') dnl end TODO
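Review bot: `unconfined_domain(crond_t)` in the new optional_policy block makes the cron daemon itself unconfined whenever the unconfined module is loaded, removing the MAC boundary between crond and the jobs it spawns; previously only system_crond_t received this, and the block carries no comment and sits under the system_crond_t section of the file. The earlier hunk's own comment `# these should probably be unconfined_crond_t` points at the cleaner shape: a separate unconfined_crond_t domain in the unconfined module, or at least a comment stating why the daemon must be unconfined and moving the block next to the other crond_t optional_policy blocks.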
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.fc	2008-06-12 23:37:58.000000000 -0400
@@ -8,24 +8,28 @@
 /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.*  --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
-/etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
-
 /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
 /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
 
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
 
 /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 
 /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
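Review bot: The generic `/usr/lib(64)?/cups/backend/.*` and `/usr/lib(64)?/cups/daemon/.*` cupsd_exec_t entries are removed and only cups-lpd and the hp.* backends get replacements, so every other backend and daemon helper loses its cupsd_exec_t label; cups.te's `can_exec(cupsd_t, cupsd_exec_t)` (commented "allow cups to execute its backend scripts") then no longer covers them. Unless another .fc in this tree now labels those directories with an executable type, which is not visible here, backend execution breaks. If the intent is only that the hp.* lines must sort after the generic ones, keep the generic entries and add the hp.* lines after them.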
@@ -33,7 +37,7 @@
 
 /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/hplip/[^/]*\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
 
 /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -51,4 +55,7 @@
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 
-/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
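Review bot: The `/var/spool/cups(/.*)?` print_spool_t entry is dropped with no replacement in this file; if lpd.fc or another module does not carry the same entry, the spool falls back to the /var/spool default label and cupsd's `lpd_manage_spool` no longer applies to it — this should be confirmed against the rest of the patch. The three new /usr/local entries are aligned with spaces while the rest of the file uses tabs; the labels themselves (cupsd_rw_etc_t for vendor PPD/inf directories) look consistent with the file.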
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.if	2008-06-12 23:37:58.000000000 -0400
@@ -247,3 +247,4 @@
 	files_search_pids($1)
 	stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t)
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2008-06-12 23:37:58.000000000 -0400
@@ -48,9 +48,8 @@
 type hplip_t;
 type hplip_exec_t;
 init_daemon_domain(hplip_t,hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
+domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)
+domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t)
 
 type hplip_var_run_t;
 files_pid_file(hplip_var_run_t)
@@ -79,14 +78,14 @@
 #
 
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
+allow cupsd_t self:process { setpgid setsched signal_perms };
 allow cupsd_t self:fifo_file rw_file_perms;
 allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
-allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_t self:udp_socket create_socket_perms;
 allow cupsd_t self:appletalk_socket create_socket_perms;
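Review bot: `sys_rawio` joins cupsd_t's capability set, but the only comment on the rule still explains `sys_admin` for the serial backend; sys_rawio permits raw device and port I/O and should be justified the same way. `dac_override` is also listed twice in the new set (harmless, but noise). Suggest a comment `# sys_rawio: <backend or device needing raw I/O> -- TODO confirm` and `allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown sys_admin sys_rawio sys_resource sys_tty_config };`.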
@@ -105,7 +104,7 @@
 
 # allow cups to execute its backend scripts
 can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
 allow cupsd_t cupsd_exec_t:lnk_file read;
 
 manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
@@ -122,13 +121,14 @@
 manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
 files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
 
-read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)
-
+allow cupsd_t hplip_t:process sigkill;
 allow cupsd_t hplip_var_run_t:file { read getattr };
 
 stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
 allow cupsd_t ptal_var_run_t : sock_file setattr;
 
+auth_use_nsswitch(cupsd_t)
+
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
@@ -150,21 +150,27 @@
 corenet_tcp_bind_reserved_port(cupsd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
 corenet_sendrecv_hplip_client_packets(cupsd_t)
 corenet_sendrecv_ipp_client_packets(cupsd_t)
 corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
 
 dev_rw_printer(cupsd_t)
 dev_read_urand(cupsd_t)
 dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_input_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
 dev_getattr_printer_dev(cupsd_t)
 
 domain_read_all_domains_state(cupsd_t)
 
 fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
 
+mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_all_levels(cupsd_t)
 mls_file_read_all_levels(cupsd_t)
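Review bot: `dev_rw_input_dev(cupsd_t)` and `corenet_tcp_bind_all_rpc_ports(cupsd_t)` are added without comments, and neither is an obvious need for a print scheduler: read/write on input devices is unrelated to printing, and binding all RPC ports widens the listening surface of a daemon already allowed to bind reserved ports. If these came from specific denials, the device node or port should be named in a comment so a narrower interface can be chosen later; I cannot see the audit context that motivated them.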
@@ -174,6 +180,7 @@
 term_search_ptys(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
+auth_domtrans_upd_passwd_chk(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)
 
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
@@ -187,7 +194,7 @@
 # read python modules
 files_read_usr_files(cupsd_t)
 # for /var/lib/defoma
-files_search_var_lib(cupsd_t)
+files_read_var_lib_files(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
@@ -196,12 +203,9 @@
 files_read_var_symlinks(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
-# smbspool seems to be iterating through all existing tmp files.
-# redhat bug #214953
-# cjp: this might be a broken behavior
-files_dontaudit_getattr_all_tmp_files(cupsd_t)
 
 selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
 
 init_exec_script_files(cupsd_t)
 
@@ -220,18 +224,41 @@
 seutil_read_config(cupsd_t)
 
 sysnet_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
 
+files_dontaudit_list_home(cupsd_t)
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
 userdom_dontaudit_search_all_users_home_content(cupsd_t)
 
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
 
 ifdef(`enable_mls',`
 	lpd_relabel_spool(cupsd_t)
 ')
 
 optional_policy(`
+	avahi_dbus_chat(cupsd_t)
+')
+
+optional_policy(`
+	init_stream_connect_script(cupsd_t)
+
+	unconfined_rw_pipes(cupsd_t)
+	unconfined_rw_stream_sockets(cupsd_t)
+
+	optional_policy(`
+		init_dbus_chat_script(cupsd_t)
+
+		unconfined_dbus_send(cupsd_t)
+
+		dbus_stub(cupsd_t)
+	')
+')
+
+optional_policy(`
 	apm_domtrans_client(cupsd_t)
 ')
 
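Review bot: The optional_policy block at L9384–L9397 mixes init_stream_connect_script with the unconfined_rw_pipes and unconfined_rw_stream_sockets calls, so the init rule is dropped whenever the unconfined module is absent even though init is part of the base policy; move `init_stream_connect_script(cupsd_t)` out of the block and keep the block for the unconfined calls and the nested dbus block only. `sysnet_exec_ifconfig(cupsd_t)` is a new ability to run ifconfig from the print daemon and has no comment naming the component that needs it. `files_dontaudit_list_home(cupsd_t)` is placed between the userdom_ calls instead of with the other files_ calls earlier in the section.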
@@ -263,16 +290,16 @@
 ')
 
 optional_policy(`
-	nscd_socket_use(cupsd_t)
-')
-
-optional_policy(`
 	# cups execs smbtool which reads samba_etc_t files
 	samba_read_config(cupsd_t)
 	samba_rw_var_files(cupsd_t)
 ')
 
 optional_policy(`
+	mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(cupsd_t)
 ')
 
@@ -331,6 +358,7 @@
 dev_read_sysfs(cupsd_config_t)
 dev_read_urand(cupsd_config_t)
 dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
 
 fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
@@ -356,6 +384,7 @@
 logging_send_syslog_msg(cupsd_config_t)
 
 miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
 
 seutil_dontaudit_search_config(cupsd_config_t)
 
@@ -377,6 +406,14 @@
 ')
 
 optional_policy(`
+	term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
+	unconfined_rw_pipes(cupsd_config_t)
+')
+
+optional_policy(`
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
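Review bot: `term_use_generic_ptys(cupsd_config_t)` is wrapped in optional_policy, but the terminal module is part of the base policy (the cupsd_t section calls term_search_ptys unconditionally at L9331), so the wrapper is unnecessary and makes the interface look optional; call it directly alongside the section's other term_ rules. The separate unconfined_rw_pipes block is correct as an optional block.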
@@ -393,6 +430,7 @@
 optional_policy(`
 	hal_domtrans(cupsd_config_t)
 	hal_read_tmp_files(cupsd_config_t)
+	hal_dontaudit_use_fds(hplip_t)
 ')
 
 optional_policy(`
@@ -482,6 +520,8 @@
 
 files_read_etc_files(cupsd_lpd_t)
 
+auth_use_nsswitch(cupsd_lpd_t)
+
 libs_use_ld_so(cupsd_lpd_t)
 libs_use_shared_libs(cupsd_lpd_t)
 
@@ -489,22 +529,12 @@
 
 miscfiles_read_localization(cupsd_lpd_t)
 
-sysnet_read_config(cupsd_lpd_t)
-
 cups_stream_connect(cupsd_lpd_t)
 
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(cupsd_lpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cupsd_lpd_t)
-')
-
 ########################################
 #
 # HPLIP local policy
@@ -522,14 +552,12 @@
 allow hplip_t self:udp_socket create_socket_perms;
 allow hplip_t self:rawip_socket create_socket_perms;
 
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
 
 cups_stream_connect(hplip_t)
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
-read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
-files_search_etc(hplip_t)
+# For CUPS to run as a backend
+allow cupsd_t hplip_t:process signal;
+allow hplip_t cupsd_t:unix_stream_socket connected_stream_socket_perms;
 
 manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
 files_pid_filetrans(hplip_t,hplip_var_run_t,file)
@@ -560,7 +588,7 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
@@ -587,7 +615,7 @@
 userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
-lpd_read_config(cupsd_t)
+lpd_manage_spool(hplip_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
@@ -668,3 +696,15 @@
 optional_policy(`
 	udev_read_db(ptal_t)
 ')
+
+
+# This whole section needs to be moved to a smbspool policy
+# smbspool seems to be iterating through all existing tmp files.
+# Looking for kerberos files
+files_getattr_all_tmp_files(cupsd_t)
+userdom_read_unpriv_users_tmp_files(cupsd_t)
+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
+optional_policy(`
+	unconfined_read_tmp_files(cupsd_t)
+')
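Review bot: The new cupsd_t rules are appended after the ptal_t section, outside the cupsd local policy section where the rest of cupsd_t's rules live, and they turn the dontaudit removed at L9351–L9354 into real grants: getattr on all tmp files, read of every unprivileged user's tmp files and, via the optional block, unconfined tmp files. The removed comment's reference (redhat bug #214953) was dropped; keep it in the new comment so the reason stays traceable, and move the block up next to cupsd_t's other tmp rules. If the Kerberos credential-cache lookup is the only need, a narrower kerberos interface, if one exists, would be preferable to reading all users' tmp files.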
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.8/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cvs.te	2008-06-12 23:37:58.000000000 -0400
@@ -16,6 +16,7 @@
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+application_executable_file(cvs_exec_t)
 role system_r types cvs_t;
 
 type cvs_data_t; # customizable
@@ -68,6 +69,7 @@
 fs_getattr_xattr_fs(cvs_t)
 
 auth_domtrans_chk_passwd(cvs_t)
+auth_domtrans_upd_passwd_chk(cvs_t)
 
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
@@ -81,6 +83,7 @@
 libs_use_shared_libs(cvs_t)
 
 logging_send_syslog_msg(cvs_t)
+logging_send_audit_msgs(cvs_t)
 
 miscfiles_read_localization(cvs_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.0.8/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/cyrus.te	2008-06-12 23:37:58.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(cyrus,1.4.0)
+policy_module(cyrus,1.4.1)
 
 ########################################
 #
@@ -41,7 +41,6 @@
 allow cyrus_t self:unix_stream_socket connectto;
 allow cyrus_t self:tcp_socket create_stream_socket_perms;
 allow cyrus_t self:udp_socket create_socket_perms;
-allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
 manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
@@ -95,6 +94,8 @@
 files_read_etc_runtime_files(cyrus_t)
 files_read_usr_files(cyrus_t)
 
+auth_use_nsswitch(cyrus_t)
+
 libs_use_ld_so(cyrus_t)
 libs_use_shared_libs(cyrus_t)
 libs_exec_lib_files(cyrus_t)
@@ -122,14 +123,6 @@
 ')
 
 optional_policy(`
-	ldap_stream_connect(cyrus_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(cyrus_t)
-')
-
-optional_policy(`
 	sasl_connect(cyrus_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.0.8/policy/modules/services/dbskk.te
--- nsaserefpolicy/policy/modules/services/dbskk.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbskk.te	2008-06-12 23:37:59.000000000 -0400
@@ -63,6 +63,8 @@
 
 files_read_etc_files(dbskkd_t)
 
+auth_use_nsswitch(dbskkd_t)
+
 libs_use_ld_so(dbskkd_t)
 libs_use_shared_libs(dbskkd_t)
 
@@ -70,12 +72,3 @@
 
 miscfiles_read_localization(dbskkd_t)
 
-sysnet_read_config(dbskkd_t)
-
-optional_policy(`
-	nis_use_ypbind(dbskkd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(dbskkd_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.0.8/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.fc	2008-06-12 23:37:58.000000000 -0400
@@ -3,6 +3,12 @@
 # Sorting does not work correctly if I combine these next two roles
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
 /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
+/lib/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
+/var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
 ifdef(`distro_redhat',`
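Review bot: The two launch-helper entries can be one line, following the pattern used elsewhere in fc files, `/lib(64)?/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)`. Labelling the helper as system_dbusd_exec_t, together with `can_exec(system_dbusd_t,system_dbusd_exec_t)` added at L9931, means the helper runs in system_dbusd_t with that domain's capabilities (dac_override, setgid, setpcap, setuid at L9920) rather than in a domain of its own. If the helper needs less than the daemon, a dedicated exec type and domain would keep the privilege separation; at minimum a comment recording this choice would help.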
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2008-06-12 23:37:58.000000000 -0400
@@ -50,6 +50,12 @@
 ## </param>
 #
 template(`dbus_per_role_template',`
+	gen_require(`
+		type system_dbusd_exec_t;
+		type system_dbusd_t;
+		type dbusd_etc_t;
+		class dbus { send_msg acquire_svc };
+	')
 
 	##############################
 	#
@@ -71,6 +77,7 @@
 	#
 
 	allow $1_dbusd_t self:process { getattr sigkill signal };
+	dontaudit $1_dbusd_t self:process ptrace;
 	allow $1_dbusd_t self:file { getattr read write };
 	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
@@ -86,7 +93,7 @@
 	# SE-DBus specific permissions
 	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
 	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+	allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
 	read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -135,7 +142,21 @@
 	selinux_compute_relabel_context($1_dbusd_t)
 	selinux_compute_user_contexts($1_dbusd_t)
 
+	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+	allow $1_dbusd_t $1_t:process sigkill;
+
+	allow $2 $1_dbusd_t:fd use;
+	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+	allow $2 $1_dbusd_t:process sigchld;
+	
+	ifdef(`hide_broken_symptoms', `
+		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+	');
+
+	userdom_read_user_home_content_files($1, $1_dbusd_t)
+
 	auth_read_pam_console_data($1_dbusd_t)
+	auth_use_nsswitch($1_dbusd_t)
 
 	libs_use_ld_so($1_dbusd_t)
 	libs_use_shared_libs($1_dbusd_t)
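Review bot: The `');` closing the hide_broken_symptoms ifdef at L9704 carries a stray semicolon that the other ifdef blocks in this patch do not (compare L9376–L9378); m4 passes it through into the expanded policy, so write the close as `')`. L9701 is a blank line containing only a tab. `corecmd_bin_domtrans($1_dbusd_t, $1_t)` lets the per-user bus daemon start binaries that transition into the user's own domain, presumably for service activation, and deserves a why-comment such as `# user bus service activation: launched programs run in the user domain -- confirm`.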
@@ -193,18 +214,24 @@
 	gen_require(`
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t;
+		type system_dbusd_var_lib_t;
 		class dbus send_msg;
 	')
 
-	type $1_dbusd_system_t;
-	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
+	allow $2 { system_dbusd_t $2 }:dbus send_msg;
+	allow system_dbusd_t $2:dbus send_msg;
 
-	# SE-DBus specific permissions
-	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
+	read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
+	files_search_var_lib($2)
 
 	# For connecting to the bus
 	files_search_pids($2)
 	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
+	dbus_read_config($2)
+
+	optional_policy(`
+		rpm_script_dbus_chat($2)
+	')
 ')
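Review bot: After this change the template body references only $2; $1 (the domain prefix) is no longer used, since the per-prefix `$1_dbusd_system_t` type and its type_change were removed. Keep the parameter for callers but say in the template's doc block that the prefix is now unused; `dbus_system_domain` at L9885 already relies on this by passing the domain as the prefix. The new `rpm_script_dbus_chat($2)` gives every system-bus client a two-way dbus chat with rpm_script_t, which is broader than connecting to the bus; a comment explaining why each client needs it, or moving the call to the callers that do, would make the grant auditable.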
 
 #######################################
@@ -236,14 +263,16 @@
 		class dbus send_msg;
 	')
 
-	type $2_dbusd_$1_t;
-	type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
+#	type $2_dbusd_$1_t;
+#	type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
 
 	# SE-DBus specific permissions
-	allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+#	allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
+	allow $3 { $1_dbusd_t self }:dbus send_msg;
 
 	# For connecting to the bus
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
+	userdom_dontaudit_write_user_home_content_files($1_dbusd_t)
 ')
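Review bot: The old type and type_change statements at L9748–L9749 and L9753 are kept as commented-out code; delete them rather than leaving dead policy in the template, the diff history preserves them. `userdom_dontaudit_write_user_home_content_files($1_dbusd_t)` is added to a template whose purpose is letting $3 connect to the user bus, yet it applies to $1_dbusd_t regardless of $3; it belongs in dbus_per_role_template with the daemon's own rules.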
 
 ########################################
@@ -271,6 +300,60 @@
 	allow $2 $1_dbusd_t:dbus send_msg;
 ')
 
+
+########################################
+## <summary>
+##	connectto a message on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`dbus_connectto_user_bus',`
+	gen_require(`
+		type $1_dbusd_t;
+	')
+
+	allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Chat on user/application specific DBUS.
+## </summary>
+## <param name="domain_prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`dbus_chat_user_bus',`
+	gen_require(`
+		type $1_dbusd_t;
+		type $1_t;
+		class dbus send_msg;
+	')
+
+	allow $2 $1_dbusd_t:dbus send_msg;
+	allow $1_dbusd_t $2:dbus send_msg;
+	allow $2 $1_t:dbus send_msg;
+	allow $1_t $2:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Read dbus configuration.
@@ -286,6 +369,7 @@
 		type dbusd_etc_t;
 	')
 
+	allow $1 dbusd_etc_t:dir list_dir_perms;
 	allow $1 dbusd_etc_t:file read_file_perms;
 ')
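Review bot: The summary of dbus_connectto_user_bus, "connectto a message on user/application specific DBUS.", does not describe what the template grants; suggest `##	Connect to the user/application specific DBUS socket.` The dbus_chat_user_bus summary says only "Chat on user/application specific DBUS", but the body also allows bidirectional send_msg between $2 and $1_t, the user domain itself, which the summary should mention, e.g. `##	Chat on the user/application specific DBUS and with the user domain.`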
 
@@ -346,3 +430,57 @@
 
 	allow $1 system_dbusd_t:dbus *;
 ')
+
+########################################
+## <summary>
+##	dontaudit attempts to use system_dbus_t selinux_socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_dontaudit_rw_system_selinux_socket',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by the system dbus
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`dbus_system_domain',`
+	gen_require(`
+		type system_dbusd_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domtrans_pattern(system_dbusd_t,$2,$1)
+
+	dbus_system_bus_client_template($1,$1)
+	dbus_connect_system_bus($1)
+')
+
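Review bot: The documentation of dbus_dontaudit_rw_system_selinux_socket names `system_dbus_t` (the type is system_dbusd_t) and describes the parameter as "Domain allowed access" although the interface only dontaudits; suggest `##	Do not audit attempts to read and write the system dbus netlink_selinux_socket.` and `##	Domain to not audit.` In dbus_system_domain, `dbus_system_bus_client_template($1,$1)` passes the domain type as the prefix argument; this works only because that template no longer uses its first parameter after this patch, so a one-line comment noting it would stop a future reader from treating it as a bug. Three blank lines precede the second interface.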
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.te	2008-06-12 23:37:59.000000000 -0400
@@ -20,9 +20,25 @@
 type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)
 
+type system_dbusd_var_lib_t;
+files_type(system_dbusd_var_lib_t)
+
 type system_dbusd_var_run_t;
 files_pid_file(system_dbusd_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(system_dbusd_t,system_dbusd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(system_dbusd_t,system_dbusd_exec_t,s0 - mls_systemhigh)
+	mls_fd_use_all_levels(system_dbusd_t)
+	mls_rangetrans_target(system_dbusd_t)
+	mls_file_read_all_levels(system_dbusd_t)
+	mls_socket_write_all_levels(system_dbusd_t)
+')
+
+
 ##############################
 #
 # Local policy
@@ -32,7 +48,7 @@
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr signal_perms setpgid getcap setcap };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -40,6 +56,8 @@
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
+can_exec(system_dbusd_t,system_dbusd_exec_t)
+
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -48,6 +66,8 @@
 manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
 files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 
+read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
 manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
 files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
@@ -60,6 +80,8 @@
 
 fs_getattr_all_fs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
 
 selinux_get_fs_mount(system_dbusd_t)
 selinux_validate_context(system_dbusd_t)
@@ -86,6 +108,8 @@
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
+init_dbus_chat_script(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
 
 libs_use_ld_so(system_dbusd_t)
 libs_use_shared_libs(system_dbusd_t)
@@ -116,9 +140,26 @@
 ')
 
 optional_policy(`
+	consolekit_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_init_script_domtrans_spec(system_dbusd_t)
+')
+
+optional_policy(`
+	rhgb_use_ptys(system_dbusd_t)
+')
+
+optional_policy(`
 	sysnet_domtrans_dhcpc(system_dbusd_t)
 ')
 
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
+
+optional_policy(`
+	unconfined_use_terminals(system_dbusd_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.0.8/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dcc.if	2008-06-12 23:37:59.000000000 -0400
@@ -72,6 +72,24 @@
 
 ########################################
 ## <summary>
+##	Send a signal to the dcc_client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+	gen_require(`
+		type dcc_client_t;
+	')
+
+	allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute dcc_client in the dcc_client domain, and
 ##	allow the specified role the dcc_client domain.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.0.8/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dcc.te	2008-06-12 23:37:58.000000000 -0400
@@ -124,7 +124,7 @@
 # dcc procmail interface local policy
 #
 
-allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:capability { setgid setuid };
 allow dcc_client_t self:unix_dgram_socket create_socket_perms;
 allow dcc_client_t self:udp_socket create_socket_perms;
 
@@ -141,6 +141,7 @@
 
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_bind_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -148,6 +149,10 @@
 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
 
+kernel_read_system_state(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
 libs_use_ld_so(dcc_client_t)
 libs_use_shared_libs(dcc_client_t)
 
@@ -155,11 +160,8 @@
 
 miscfiles_read_localization(dcc_client_t)
 
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
-
 optional_policy(`
-	nscd_socket_use(dcc_client_t)
+	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
 ########################################
@@ -335,6 +337,8 @@
 fs_getattr_all_fs(dccifd_t)
 fs_search_auto_mountpoints(dccifd_t)
 
+auth_use_nsswitch(dcc_client_t)
+
 libs_use_ld_so(dccifd_t)
 libs_use_shared_libs(dccifd_t)
 
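Review bot: `auth_use_nsswitch(dcc_client_t)` is added in the dccifd_t section but names dcc_client_t, which already receives the same call at L10044; the intended line is presumably `auth_use_nsswitch(dccifd_t)`. As written dccifd_t gets no nsswitch access and the duplicate for dcc_client_t is harmless but misleading.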
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.8/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dhcp.te	2008-06-12 23:37:58.000000000 -0400
@@ -24,7 +24,7 @@
 # Local policy
 #
 
-allow dhcpd_t self:capability net_raw;
+allow dhcpd_t self:capability { sys_resource net_raw };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file { read write getattr };
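Review bot: `sys_resource` is added to dhcpd_t's capabilities without a comment; it covers raising resource limits and several unrelated overrides, so record what dhcpd does that needs it, e.g. `# sys_resource: <reason from the audit denial> -- confirm`, so the grant can be re-evaluated later.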
@@ -51,6 +51,7 @@
 
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
 
 corenet_all_recvfrom_unlabeled(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dictd.fc	2008-06-12 23:37:59.000000000 -0400
@@ -4,3 +4,4 @@
 /usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
 
 /var/lib/dictd(/.*)?		gen_context(system_u:object_r:dictd_var_lib_t,s0)
+/var/run/dictd\.pid	--	gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.0.8/policy/modules/services/dictd.te
--- nsaserefpolicy/policy/modules/services/dictd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dictd.te	2008-06-12 23:37:59.000000000 -0400
@@ -16,6 +16,9 @@
 type dictd_var_lib_t alias var_lib_dictd_t;
 files_type(dictd_var_lib_t)
 
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -34,6 +37,9 @@
 allow dictd_t dictd_var_lib_t:dir list_dir_perms;
 allow dictd_t dictd_var_lib_t:file read_file_perms;
 
+manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t)
+files_pid_filetrans(dictd_t,dictd_var_run_t,file)
+
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.0.8/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.fc	2008-06-12 23:37:58.000000000 -0400
@@ -1,4 +1,5 @@
 /usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)?		gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2008-06-12 23:37:58.000000000 -0400
@@ -16,6 +16,9 @@
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
+type dnsmasq_script_exec_t;
+init_script_type(dnsmasq_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -32,7 +35,7 @@
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
 # dhcp leases
-allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t,  dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
 
 manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
@@ -94,3 +97,7 @@
 optional_policy(`
 	udev_read_db(dnsmasq_t)
 ')
+
+optional_policy(`
+	virt_manage_lib_files(dnsmasq_t)
+')
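Review bot: `virt_manage_lib_files(dnsmasq_t)` gives dnsmasq create/write/delete access over libvirt's lib files, well beyond the lease files it already writes under its own dnsmasq_lease_t; if it only needs particular files there, a narrower virt interface or a dedicated type for those files would be preferable. At minimum add a comment stating the reason, e.g. `# libvirt-started dnsmasq instances keep state under the virt lib dir -- confirm`.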
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.fc	2008-06-12 23:37:58.000000000 -0400
@@ -17,19 +17,24 @@
 
 ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 ')
 
 #
 # /var
 #
 /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
 /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
+/var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
 /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.8/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.if	2008-06-12 23:37:58.000000000 -0400
@@ -18,3 +18,43 @@
 	manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
 	manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
 ')
+
+########################################
+## <summary>
+##	Connect to dovecot auth unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_auth_stream_connect',`
+	gen_require(`
+		type dovecot_auth_t, dovecot_var_run_t;
+	')
+
+	allow $1 dovecot_var_run_t:dir search;
+	allow $1 dovecot_var_run_t:sock_file write;
+	allow $1 dovecot_auth_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Execute dovecot_deliver in the dovecot_deliver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dovecot_domtrans_deliver',`
+	gen_require(`
+		type dovecot_deliver_t, dovecot_deliver_exec_t;
+	')
+
+	domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
+')
+
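Review bot: dovecot_auth_stream_connect spells out the three allow rules by hand where the rest of the policy uses the helper (compare stream_connect_pattern at L9293); replace them with `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`, which grants the dir search, sock_file write and connectto consistently. The `<rolecap/>` tag marks an interface as granting a role capability, which a plain socket connect does not; drop it unless that is intended.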
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2008-06-12 23:37:58.000000000 -0400
@@ -15,6 +15,12 @@
 domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
 
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t,dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
 type dovecot_cert_t;
 files_type(dovecot_cert_t)
 
@@ -27,6 +33,9 @@
 type dovecot_spool_t;
 files_type(dovecot_spool_t)
 
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
 # /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
 files_type(dovecot_var_lib_t) 
@@ -46,8 +55,6 @@
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
-
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
 
 allow dovecot_t dovecot_cert_t:dir list_dir_perms;
@@ -59,6 +66,10 @@
 
 can_exec(dovecot_t, dovecot_exec_t)
 
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
+
 manage_dirs_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
 manage_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
@@ -67,6 +78,8 @@
 manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
 files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
 
+auth_use_nsswitch(dovecot_t)
+
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
 
@@ -99,7 +112,7 @@
 files_dontaudit_list_default(dovecot_t)
 # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
 files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
 
 init_getattr_utmp(dovecot_t)
 
@@ -111,9 +124,6 @@
 miscfiles_read_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
-sysnet_read_config(dovecot_t)
-sysnet_use_ldap(dovecot_auth_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
 userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
 userdom_priveleged_home_dir_manager(dovecot_t)
@@ -125,10 +135,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(dovecot_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dovecot_t)
 ')
 
@@ -145,33 +151,40 @@
 # dovecot auth local policy
 #
 
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
 
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl connectto };
 
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 
 # Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)
 files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
 
 allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
+dovecot_auth_stream_connect(dovecot_auth_t)
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
 dev_read_urand(dovecot_auth_t)
 
 auth_domtrans_chk_passwd(dovecot_auth_t)
+auth_domtrans_upd_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
 files_read_etc_files(dovecot_auth_t)
 files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
 files_read_usr_symlinks(dovecot_auth_t)
 files_search_tmp(dovecot_auth_t)
 files_read_var_lib_files(dovecot_t)
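Review bot: `chown` and `dac_override` are added to dovecot_auth_t's capabilities with no explanation; dac_override lets the auth helper bypass file permissions everywhere, so record what triggers it (`# dac_override: <reason from audit log> -- confirm`) or fix the ownership of the files involved instead. `auth_domtrans_upd_passwd(dovecot_auth_t)` differs from the `auth_domtrans_upd_passwd_chk` used for cupsd_t and cvs_t in this same patch (L9334, L9563); if both interfaces exist the difference should be deliberate, otherwise this is a typo. `files_read_var_symlinks(dovecot_t)` is a dovecot_t rule added inside the dovecot auth section.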
@@ -185,12 +198,57 @@
 
 seutil_dontaudit_search_config(dovecot_auth_t)
 
-sysnet_dns_name_resolve(dovecot_auth_t)
-
 optional_policy(`
 	kerberos_use(dovecot_auth_t)
 ')
 
 optional_policy(`
-	logging_send_syslog_msg(dovecot_auth_t)
+	mysql_search_db(dovecot_auth_t)
+	mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+	nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+	postfix_manage_pivate_sockets(dovecot_auth_t)
+	postfix_search_spool(dovecot_auth_t)
+')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t) 
+userdom_read_unpriv_users_tmp_files(dovecot_auth_t) 
+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t) 
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir r_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+userdom_priveleged_home_dir_manager(dovecot_deliver_t)
+
+optional_policy(`
+	mta_manage_spool(dovecot_deliver_t)
 ')
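Review bot: `postfix_manage_pivate_sockets` looks misspelled; if postfix.if defines the interface as `postfix_manage_private_sockets` this fails at build time, so verify the name. L10390–L10392 carry trailing whitespace. The new dovecot_deliver_t section gives the delivery agent full home-directory management via userdom_priveleged_home_dir_manager plus mta spool management; a short comment explaining which delivery modes (maildir in home versus spool) require each would document the scope.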
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/exim.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,5 @@
+
+/usr/sbin/exim		--	gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim(/.*)?		gen_context(system_u:object_r:exim_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/exim.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,177 @@
+## <summary>Exim mail transfer agent</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run exim.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+	gen_require(`
+		type exim_t, exim_exec_t;
+	')
+
+	domtrans_pattern($1, exim_exec_t, exim_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	exim tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`exim_dontaudit_read_tmp_files',`
+	gen_require(`
+		type exim_tmp_t;
+	')
+
+	dontaudit $1 exim_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to read, exim tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`exim_read_tmp_files',`
+	gen_require(`
+		type exim_tmp_t;
+	')
+
+	allow $1 exim_tmp_t:file read_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Read exim PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_pid_files',`
+	gen_require(`
+		type exim_var_run_t;
+	')
+
+	allow $1 exim_var_run_t:file read_file_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_read_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	read_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	exim log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`exim_append_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	append_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Read exim spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_spool_files',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	allow $1 exim_spool_t:file read_file_perms;
+	allow $1 exim_spool_t:dir list_dir_perms;
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	exim spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_spool_files',`
+	gen_require(`
+		type exim_spool_t;
+	')
+
+	manage_files_pattern($1, exim_spool_t, exim_spool_t)
+	files_search_spool($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read exim's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`exim_manage_log',`
+	gen_require(`
+		type exim_log_t;
+	')
+
+	manage_files_pattern($1, exim_log_t, exim_log_t)
+	logging_search_logs($1)
+')
+
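Review bot: Several interface doc blocks in this new file were copy-pasted without being updated. `exim_read_tmp_files` describes its parameter as `Domain to not audit.` (L10483) although it grants access; `exim_append_log` says `Domain allowed to transition.` (L10542) for a plain append grant; and `exim_manage_log` is summarised as `Allow the specified domain to read exim's log files.` (L10597) while its body calls `manage_files_pattern`. Each should read `Domain allowed access.` and the last summary `Create, read, write, and delete exim log files.`. `exim_manage_log` also carries `<rolecap/>`, which advertises it as a role capability; confirm that is intended for a manage-level interface, since the rolecap marker is what exposes it to role templates.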
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/exim.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,214 @@
+
+policy_module(exim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow exim to read unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_read_user_files,false)
+
+## <desc>
+## <p>
+## Allow exim to create, read, write, and delete
+## unprivileged user files.
+## </p>
+## </desc>
+gen_tunable(exim_manage_user_files,false)
+
+## <desc>
+## <p>
+##     Allow exim to connect to databases (postgres, mysql)
+## </p>
+## </desc>
+gen_tunable(exim_can_connect_db,false)
+
+type exim_t;
+type exim_exec_t;
+init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_mailclient(exim_exec_t)
+
+type exim_log_t;
+logging_log_file(exim_log_t)
+
+type exim_spool_t;
+files_type(exim_spool_t)
+
+type exim_tmp_t;
+files_tmp_file(exim_tmp_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
+
+type exim_script_exec_t;
+init_script_type(exim_script_exec_t)
+
+########################################
+#
+# exim local policy
+#
+
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource  };
+allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_file_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
+
+can_exec(exim_t,exim_exec_t)
+
+manage_files_pattern(exim_t, exim_log_t, exim_log_t)
+logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t)
+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
+
+manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t)
+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir })
+
+manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
+files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
+kernel_read_network_state(exim_t)
+
+corecmd_search_bin(exim_t)
+
+corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_udp_sendrecv_all_if(exim_t)
+corenet_udp_sendrecv_all_nodes(exim_t)
+corenet_tcp_sendrecv_all_if(exim_t)
+corenet_tcp_sendrecv_all_nodes(exim_t)
+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_all_nodes(exim_t)
+corenet_tcp_bind_smtp_port(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
+corenet_tcp_connect_smtp_port(exim_t)
+corenet_tcp_sendrecv_smtp_port(exim_t)
+corenet_sendrecv_smtp_server_packets(exim_t)
+corenet_sendrecv_all_client_packets(exim_t)
+
+corenet_tcp_connect_auth_port(exim_t)
+corenet_tcp_connect_inetd_child_port(exim_t)
+corenet_tcp_sendrecv_auth_port(exim_t)
+
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
+corenet_tcp_sendrecv_spamd_port(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
+files_search_usr(exim_t)
+files_search_var(exim_t)
+files_read_etc_files(exim_t)
+
+auth_use_nsswitch(exim_t)
+
+libs_use_ld_so(exim_t)
+libs_use_shared_libs(exim_t)
+
+logging_send_syslog_msg(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+tunable_policy(`exim_read_user_files',`
+	userdom_read_unpriv_users_home_content_files(exim_t)
+	userdom_read_unpriv_users_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_manage_user_files',`
+	userdom_manage_unpriv_users_home_content_dirs(exim_t)
+	userdom_read_unpriv_users_tmp_files(exim_t)
+	userdom_write_unpriv_users_tmp_files(exim_t)
+')
+
+# TLS sessions need entropy
+dev_read_urand(exim_t)
+dev_read_rand(exim_t)
+
+tunable_policy(`exim_can_connect_db',`
+	corenet_tcp_connect_mysqld_port(exim_t)
+	corenet_sendrecv_mysqld_client_packets(exim_t)
+        corenet_tcp_connect_postgresql_port(exim_t)
+        corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		mysql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`exim_can_connect_db',`
+		postgresql_stream_connect(exim_t)
+	')
+')
+
+optional_policy(`
+	mailman_read_data_files(exim_t)
+	mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+	procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+	sasl_connect(exim_t)
+')
+
+optional_policy(`
+	cyrus_stream_connect(exim_t)
+')
+
+## receipt & validation
+
+optional_policy(`
+	clamav_domtrans_clamscan(exim_t)
+	clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+	spamassassin_exec(exim_t)
+	spamassassin_exec_client(exim_t)
+')
+
+# Debian uses a template based config generator which generates config
+# files under /var
+ifdef(`distro_debian',`
+	type exim_var_lib_t;
+	files_config_file(exim_var_lib_t)
+	exim_read_lib(exim_t)
+
+	type exim_lib_update_t;
+	type exim_lib_update_exec_t;
+	init_domain(exim_lib_update_t, exim_lib_update_exec_t)
+	domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
+	exim_read_lib(exim_lib_update_t)
+	exim_manage_var_lib(exim_lib_update_t)
+')
+
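Review bot: The `distro_debian` block at L10820-L10831 calls `exim_read_lib` and `exim_manage_var_lib`, but neither interface is defined in the exim.if added by this same patch, so a Debian build will emit the unexpanded m4 names into the .te and fail in checkmodule. Either add both interfaces to exim.if (with `exim_var_lib_t` in their `gen_require`) or drop the block until they exist; exim.fc also carries no context for the `/var` config location the comment describes, so `exim_var_lib_t` would never be applied to a file. Minor style points: L10773-L10774 are indented with spaces while the rest of the file uses tabs, and `## receipt & validation` at L10806 uses the `##` prefix that refpolicy reserves for XML documentation, so it should be a plain `# receipt & validation` comment.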
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc	2008-06-12 23:37:58.000000000 -0400
@@ -1,3 +1,5 @@
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
-/var/log/fail2ban.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
-/var/run/fail2ban.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-06-12 23:37:58.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(fail2ban,1.0.0)
+policy_module(fail2ban,1.1.0)
 
 ########################################
 #
@@ -25,7 +25,7 @@
 
 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
 
 # log files
 allow fail2ban_t fail2ban_log_t:dir setattr;
@@ -33,8 +33,9 @@
 logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
 
 # pid file
+manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file })
 
 kernel_read_system_state(fail2ban_t)
 
@@ -46,15 +47,26 @@
 domain_use_interactive_fds(fail2ban_t)
 
 files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
 files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
 
 libs_use_ld_so(fail2ban_t)
 libs_use_shared_libs(fail2ban_t)
 
-logging_read_generic_logs(fail2ban_t)
+logging_read_all_logs(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
 
+mta_send_mail(fail2ban_t)
+
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
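Review bot: Replacing `logging_read_generic_logs` with `logging_read_all_logs(fail2ban_t)` at L10893 widens fail2ban's read access from the generic log type to every type with the logfile attribute, which makes the per-service `apache_read_log(fail2ban_t)` optional block just below it redundant and grants access to logs the daemon is not configured to watch. If the intent is to cover an arbitrary, admin-configured set of log files, say so in a comment (`# fail2ban watches arbitrary admin-selected logs; needs all log types`) so the breadth is deliberate; otherwise keeping the generic grant plus per-service read interfaces preserves least privilege. `fs_getattr_all_fs` and `corenet_tcp_connect_whois_port` in the same hunk would also benefit from a one-line why-comment each, as the other grants in this file have.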
@@ -64,5 +76,11 @@
 ')
 
 optional_policy(`
+	gamin_domtrans(fail2ban_t)
+	gamin_stream_connect(fail2ban_t)
+')
+
+optional_policy(`
 	iptables_domtrans(fail2ban_t)
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.0.8/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/fetchmail.te	2008-06-12 23:37:58.000000000 -0400
@@ -86,6 +86,14 @@
 userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
 
 optional_policy(`
+	procmail_domtrans(fetchmail_t)
+')
+
+optional_policy(`
+	sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(fetchmail_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.0.8/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ftp.if	2008-06-12 23:37:59.000000000 -0400
@@ -28,11 +28,13 @@
 		type ftpd_t;
 	')
 
-	userdom_manage_user_home_content_files($1,ftpd_t)
-	userdom_manage_user_home_content_symlinks($1,ftpd_t)
-	userdom_manage_user_home_content_sockets($1,ftpd_t)
-	userdom_manage_user_home_content_pipes($1,ftpd_t)
-	userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+	tunable_policy(`ftp_home_dir',`
+		userdom_manage_user_home_content_files($1,ftpd_t)
+		userdom_manage_user_home_content_symlinks($1,ftpd_t)
+		userdom_manage_user_home_content_sockets($1,ftpd_t)
+		userdom_manage_user_home_content_pipes($1,ftpd_t)
+		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+	')
 ')
 
 ########################################
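Review bot: The interface body is now conditional on `ftp_home_dir`, but its documentation block lives above this hunk and still describes unconditional access, so it should gain a sentence such as `Access is only granted when the ftp_home_dir tunable is enabled.`. The enclosing interface starts outside the hunk; its `gen_require` (L10936-L10937) only lists `type ftpd_t`, so if this interface is ever called from a module where the tunable is not declared, the reference will surface at link time rather than here — worth a comment at the `tunable_policy` line naming where the tunable is declared.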
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ftp.te	2008-06-12 23:37:58.000000000 -0400
@@ -88,6 +88,7 @@
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:key { search write link };
 
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
@@ -105,9 +106,10 @@
 manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
 fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
+manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
 manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
 manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
 
 # proftpd requires the client side to bind a socket so that
 # it can stat the socket to perform access control decisions,
@@ -122,6 +124,7 @@
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
+kernel_search_network_state(ftpd_t)
 
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
@@ -157,6 +160,7 @@
 
 auth_use_nsswitch(ftpd_t)
 auth_domtrans_chk_passwd(ftpd_t)
+auth_domtrans_upd_passwd_chk(ftpd_t)
 # Append to /var/log/wtmp.
 auth_append_login_records(ftpd_t)
 #kerberized ftp requires the following
@@ -168,7 +172,9 @@
 libs_use_ld_so(ftpd_t)
 libs_use_shared_libs(ftpd_t)
 
+logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
+logging_set_loginuid(ftpd_t)
 
 miscfiles_read_localization(ftpd_t)
 miscfiles_read_public_files(ftpd_t)
@@ -217,6 +223,11 @@
 	userdom_manage_all_users_home_content_dirs(ftpd_t)
 	userdom_manage_all_users_home_content_files(ftpd_t)
 	userdom_manage_all_users_home_content_symlinks(ftpd_t)
+	auth_manage_all_files_except_shadow(ftpd_t)
+
+	auth_read_all_dirs_except_shadow(ftpd_t)
+	auth_read_all_files_except_shadow(ftpd_t)
+	auth_read_all_symlinks_except_shadow(ftpd_t)
 ')
 
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -252,7 +263,10 @@
 ')
 
 optional_policy(`
+	kerberos_use(ftpd_t)
 	kerberos_read_keytab(ftpd_t)
+	kerberos_manage_host_rcache(ftpd_t)
+	selinux_validate_context(ftpd_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.0.8/policy/modules/services/gamin.fc
--- nsaserefpolicy/policy/modules/services/gamin.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/gamin.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/libexec/gam_server	--	gen_context(system_u:object_r:gamin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.0.8/policy/modules/services/gamin.if
--- nsaserefpolicy/policy/modules/services/gamin.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/gamin.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,39 @@
+
+## <summary>policy for gamin</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run gamin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gamin_domtrans',`
+	gen_require(`
+		type gamin_t;
+                type gamin_exec_t;
+	')
+
+	domtrans_pattern($1,gamin_exec_t,gamin_t)
+')
+
+########################################
+## <summary>
+##	Connect to gamin over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gamin_stream_connect',`
+	gen_require(`
+		type gamin_t;
+	')
+
+	allow $1 gamin_t:unix_stream_socket connectto;
+')
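Review bot: The `gen_require` in `gamin_domtrans` mixes a tab-indented `type gamin_t;` (L11051) with a space-indented `type gamin_exec_t;` (L11052); the two should be a single tab-indented `type gamin_t, gamin_exec_t;` as the rest of the patch does. The interface summary `Connect to gamin over an unix stream socket.` would read better as `a unix stream socket`.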
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.0.8/policy/modules/services/gamin.te
--- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/gamin.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,38 @@
+policy_module(gamin,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gamin_t;
+type gamin_exec_t;
+init_daemon_domain(gamin_t, gamin_exec_t)
+
+########################################
+#
+# gamin local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(gamin_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow gamin_t self:fifo_file rw_file_perms;
+allow gamin_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(gamin_t)
+files_read_etc_runtime_files(gamin_t)
+files_list_all(gamin_t)
+files_getattr_all_files(gamin_t)
+
+fs_list_inotifyfs(gamin_t)
+domain_read_all_domains_state(gamin_t)
+
+libs_use_ld_so(gamin_t)
+libs_use_shared_libs(gamin_t)
+
+miscfiles_read_localization(gamin_t)
+
+role unconfined_r types gamin_t;
+
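Review bot: `role unconfined_r types gamin_t;` at L11115 hard-codes a role from another module directly in a service .te, outside any `optional_policy` or `gen_require`, which is contrary to how the rest of this patch handles cross-module names and ties the module to the unconfined module being present. The role assignment belongs in the unconfined module (or behind an interface in gamin.if), with a comment explaining why gam_server needs to run in the unconfined role. The read grants `files_list_all`, `files_getattr_all_files` and `domain_read_all_domains_state` at L11104-L11108 are broad for a file-alteration monitor; a why-comment for each (what the daemon stats and which /proc data it needs) would let a later reviewer judge whether narrower interfaces suffice.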
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.fc	2008-06-12 23:37:59.000000000 -0400
@@ -8,14 +8,18 @@
 /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 
 /var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
 
+/var/lib/PolicyKit(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
 /var/log/pm-suspend.log				gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
 
+/var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/vbe.*		--			gen_context(system_u:object_r:hald_var_run_t,s0)
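Review bot: Labelling `/var/lib/PolicyKit(/.*)?` as `hald_var_lib_t` at L11130 merges PolicyKit's authorization state into HAL's library type, so every grant on `hald_var_lib_t` elsewhere in this patch (for example `manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)` in hal.te) now also covers PolicyKit data. If HAL genuinely needs to write there, a dedicated type with a narrow interface keeps the two sets of data separable; at minimum a comment on this line should record why the shared label was chosen. Note also that `/var/run/vbe.*` at L11139 is a regex and will match any name beginning with `vbe`, which is probably intended but differs from the literal `vbestate` it replaces.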
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.8/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.if	2008-06-12 23:37:58.000000000 -0400
@@ -247,6 +247,24 @@
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list
+##	HAL libraries dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_dontaudit_list_lib_dirs',`
+	gen_require(`
+		type hald_var_lib_t;
+	')
+
+	dontaudit $1 hald_var_lib_t:dir list_dir_perms;
+')
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	HAL libraries files
 ## </summary>
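Review bot: The new `hal_dontaudit_list_lib_dirs` documents its parameter as `Domain allowed access.` (L11152), but the interface only adds a `dontaudit` rule; refpolicy's convention for dontaudit interfaces is `Domain to not audit.`. A blank line is also missing between the closing `')` at L11162 and the `########` separator at L11163, unlike every other interface in the file.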
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2008-06-12 23:37:59.000000000 -0400
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
 ########################################
 #
 # Local policy
@@ -70,7 +73,7 @@
 manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
 
 # log files for hald
-allow hald_t hald_log_t:file manage_file_perms;
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
 logging_log_filetrans(hald_t,hald_log_t,file)
 
 manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
@@ -93,6 +96,7 @@
 kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
+kernel_setsched(hald_t)
 
 auth_read_pam_console_data(hald_t)
 
@@ -145,6 +149,7 @@
 fs_list_inotifyfs(hald_t)
 fs_list_auto_mountpoints(hald_t)
 files_getattr_all_mountpoints(hald_t)
+fstools_getattr_swap_files(hald_t)
 
 mls_file_read_all_levels(hald_t)
 
@@ -155,6 +160,8 @@
 selinux_compute_relabel_context(hald_t)
 selinux_compute_user_contexts(hald_t)
 
+dev_read_raw_memory(hald_t)
+
 storage_raw_read_removable_device(hald_t)
 storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
@@ -280,6 +287,10 @@
 ')
 
 optional_policy(`
+	unconfined_domain(hald_t)
+')
+
+optional_policy(`
 	updfstab_domtrans(hald_t)
 ')
 
@@ -293,7 +304,9 @@
 #
 
 allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:process signal;
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
+allow hald_acl_t self:unix_dgram_socket create_socket_perms;
 
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
 allow hald_t hald_acl_t:process signal;
@@ -306,6 +319,7 @@
 corecmd_exec_bin(hald_acl_t)
 
 dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
 dev_getattr_generic_usb_dev(hald_acl_t)
 dev_getattr_video_dev(hald_acl_t)
 dev_setattr_video_dev(hald_acl_t)
@@ -325,6 +339,8 @@
 libs_use_ld_so(hald_acl_t)
 libs_use_shared_libs(hald_acl_t)
 
+logging_send_syslog_msg(hald_acl_t)
+
 miscfiles_read_localization(hald_acl_t)
 
 ########################################
@@ -340,10 +356,14 @@
 manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
 files_search_var_lib(hald_mac_t)
 
+dev_read_raw_memory(hald_mac_t)
 dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
 
 files_read_usr_files(hald_mac_t)
 
+kernel_read_system_state(hald_mac_t)
+
 libs_use_ld_so(hald_mac_t)
 libs_use_shared_libs(hald_mac_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.0.8/policy/modules/services/inetd.if
--- nsaserefpolicy/policy/modules/services/inetd.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/inetd.if	2008-06-12 23:37:58.000000000 -0400
@@ -115,6 +115,10 @@
 
 	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
 	allow $1 inetd_t:udp_socket rw_socket_perms;
+
+	optional_policy(`
+		stunnel_service_domain($1,$2)
+	')
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2008-06-12 23:37:58.000000000 -0400
@@ -30,6 +30,10 @@
 type inetd_child_var_run_t;
 files_pid_file(inetd_child_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Local policy
@@ -53,6 +57,8 @@
 allow inetd_t inetd_var_run_t:file manage_file_perms;
 files_pid_filetrans(inetd_t,inetd_var_run_t,file)
 
+auth_search_key(inetd_t)
+
 kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
@@ -80,16 +86,22 @@
 corenet_udp_bind_comsat_port(inetd_t)
 corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)
+corenet_tcp_bind_ftp_port(inetd_t)
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
 corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsh_port(inetd_t)
 corenet_tcp_bind_rsync_port(inetd_t)
 corenet_udp_bind_rsync_port(inetd_t)
 #corenet_tcp_bind_stunnel_port(inetd_t)
 corenet_tcp_bind_swat_port(inetd_t)
 corenet_udp_bind_swat_port(inetd_t)
+corenet_tcp_bind_telnetd_port(inetd_t)
 corenet_udp_bind_tftp_port(inetd_t)
 corenet_tcp_bind_ssh_port(inetd_t)
 
@@ -132,8 +144,10 @@
 miscfiles_read_localization(inetd_t)
 
 # xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
 mls_process_set_level(inetd_t)
 
 sysnet_read_config(inetd_t)
@@ -141,6 +155,11 @@
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
 userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
 
+ifdef(`enable_mls',`
+ 	corenet_tcp_recvfrom_netlabel(inetd_t)
+  	corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
 optional_policy(`
 	amanda_search_lib(inetd_t)
 ')
@@ -154,6 +173,7 @@
 ')
 
 optional_policy(`
+	unconfined_domain(inetd_t)
 	unconfined_domtrans(inetd_t)
 ')
 
@@ -170,6 +190,9 @@
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+
 files_search_home(inetd_child_t)
 
 manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
@@ -198,6 +221,8 @@
 
 files_read_etc_files(inetd_child_t)
 
+auth_use_nsswitch(inetd_child_t)
+
 libs_use_ld_so(inetd_child_t)
 libs_use_shared_libs(inetd_child_t)
 
@@ -205,20 +230,11 @@
 
 miscfiles_read_localization(inetd_child_t)
 
-sysnet_read_config(inetd_child_t)
-
 optional_policy(`
 	kerberos_use(inetd_child_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(inetd_child_t)
-')
-
-optional_policy(`
-	nscd_socket_use(inetd_child_t)
-')
-
-optional_policy(`
 	unconfined_domain(inetd_child_t)
+	inetd_service_domain(inetd_child_t,bin_t)
 ')
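Review bot: `inetd_service_domain(inetd_child_t,bin_t)` at L11398 names `bin_t` directly in a .te file, bypassing the corecmd module's interfaces and the `gen_require` discipline the rest of the patch follows; if the corecmd type is renamed or the interface expands to rules that need it declared, this line breaks. It also sits inside the `optional_policy` that makes inetd_child_t unconfined, so a child that is already unconfined gains nothing from the service-domain transition — either the call belongs outside that block with a comment on what it is for, or it can be dropped. The removal of `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` is presumably covered by the `auth_use_nsswitch(inetd_child_t)` added at L11373; a short comment there saying so would save the next reader the lookup.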
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.0.8/policy/modules/services/inn.if
--- nsaserefpolicy/policy/modules/services/inn.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/inn.if	2008-06-12 23:37:58.000000000 -0400
@@ -54,8 +54,7 @@
 	')
 
 	logging_rw_generic_log_dirs($1)
-	allow $1 innd_log_t:dir search;
-	allow $1 innd_log_t:file manage_file_perms;
+	manage_files_pattern($1, innd_log_t,innd_log_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.0.8/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.fc	2008-06-12 23:37:58.000000000 -0400
@@ -16,3 +16,4 @@
 
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if	2008-06-12 23:37:58.000000000 -0400
@@ -42,11 +42,18 @@
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+	
+	#kerberos libraries are attempting to set the correct file context
+	dontaudit $1 self:process setfscreate;
+	selinux_dontaudit_validate_context($1)
+	seutil_dontaudit_read_file_contexts($1)
 
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;
 
+		fs_rw_tmpfs_files($1)
+
 		corenet_all_recvfrom_unlabeled($1)
 		corenet_all_recvfrom_netlabel($1)
 		corenet_tcp_sendrecv_all_if($1)
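Review bot: `fs_rw_tmpfs_files($1)` at L11438 grants read/write on every `tmpfs_t` file to every domain that calls `kerberos_use` with `allow_kerberos` enabled, which is far broader than the kerberos replay/credential cache it presumably exists for and widens the reach of a large number of callers at once. If a specific file under a tmpfs mount is the target, it should carry its own type (as `krb5_host_rcache_t` does for /var/tmp in this same patch) and be granted via a narrow interface; at minimum the line needs a comment naming the file that motivates it. The `dontaudit $1 self:process setfscreate` block at L11429-L11432 is sensible and the comment explains it; the blank line at L11428 contains a stray tab.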
@@ -61,9 +68,6 @@
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
-
-		sysnet_read_config($1)
-		sysnet_dns_name_resolve($1)
 	')
 
 	optional_policy(`
@@ -169,6 +173,53 @@
 	')
 
 	files_search_etc($1)
-	allow $1 krb5kdc_conf_t:file read_file_perms;
+	read_files_pattern($1, krb5kdc_conf_t,  krb5kdc_conf_t)
+')
+
+########################################
+## <summary>
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+	gen_require(`
+		type krb5_host_rcache_t;
+	')
+
+	tunable_policy(`allow_kerberos',`
+		files_search_tmp($1)
+		allow $1 self:process setfscreate;
+		selinux_validate_context($1)
+		seutil_read_file_contexts($1)
+		allow $1 krb5_host_rcache_t:file manage_file_perms;
+	')
+	# creates files as system_u no matter what the selinux user
+	domain_obj_id_change_exemption($1)
+')
 
+########################################
+## <summary>
+##	Connect to krb524 service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_524_connect',`
+	tunable_policy(`allow_kerberos',`
+		allow $1 self:udp_socket create_socket_perms;
+                corenet_all_recvfrom_unlabeled($1)
+		corenet_udp_sendrecv_all_if($1)
+		corenet_udp_sendrecv_all_nodes($1)
+		corenet_udp_sendrecv_kerberos_master_port($1)
+		corenet_udp_bind_all_nodes($1)
+	')
 ')
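Review bot: The summary of `kerberos_manage_host_rcache` at L11463 reads `Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, which was copied from the interface above and does not describe the body; it should say `Create, read, write, and delete the kerberos host replay cache file.`. The `<rolecap/>` marker at L11470 looks inherited from the same copy and probably does not belong on an interface that grants `setfscreate` plus `domain_obj_id_change_exemption`. Note that `domain_obj_id_change_exemption($1)` at L11485 sits outside the `tunable_policy` block, so callers receive the object-identity exemption even when `allow_kerberos` is off — if that is intended the existing comment should say so, otherwise move it inside. In `kerberos_524_connect`, L11501 is indented with spaces where the neighbouring lines use tabs.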
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.te	2008-06-12 23:37:59.000000000 -0400
@@ -54,6 +54,9 @@
 type krb5kdc_var_run_t;
 files_pid_file(krb5kdc_var_run_t)
 
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
 ########################################
 #
 # kadmind local policy
@@ -62,7 +65,7 @@
 # Use capabilities. Surplus capabilities may be allowed.
 allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
 dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process signal_perms;
+allow kadmind_t self:process { setfscreate signal_perms };
 allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow kadmind_t self:unix_dgram_socket { connect create write };
 allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -91,6 +94,7 @@
 kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
+kernel_read_system_state(kadmind_t)
 
 corenet_all_recvfrom_unlabeled(kadmind_t)
 corenet_all_recvfrom_netlabel(kadmind_t)
@@ -115,9 +119,15 @@
 fs_getattr_all_fs(kadmind_t)
 fs_search_auto_mountpoints(kadmind_t)
 
+selinux_validate_context(kadmind_t)
+seutil_read_file_contexts(kadmind_t)
+
 domain_use_interactive_fds(kadmind_t)
 
 files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
 
 libs_use_ld_so(kadmind_t)
 libs_use_shared_libs(kadmind_t)
@@ -127,6 +137,7 @@
 miscfiles_read_localization(kadmind_t)
 
 sysnet_read_config(kadmind_t)
+sysnet_use_ldap(kadmind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
 userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
@@ -137,6 +148,7 @@
 
 optional_policy(`
 	seutil_sigchld_newrole(kadmind_t)
+	seutil_read_file_contexts(kadmind_t)
 ')
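Review bot: `seutil_read_file_contexts(kadmind_t)` added inside this optional_policy block duplicates the unconditional `seutil_read_file_contexts(kadmind_t)` added earlier in this file in the -115,9 +119,15 hunk, and the same duplication is introduced for krb5kdc_t between the -215,6 +227,9 and -233,6 +249,7 hunks. If selinuxutil is built into the base policy, as is the default, the unconditional call is the effective one and the copy inside optional_policy is dead weight; keep exactly one of them in each domain.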
 
 optional_policy(`
@@ -151,7 +163,7 @@
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { setsched getsched signal_perms };
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
@@ -215,6 +227,9 @@
 files_read_usr_symlinks(krb5kdc_t)
 files_read_var_files(krb5kdc_t)
 
+selinux_validate_context(krb5kdc_t)
+seutil_read_file_contexts(krb5kdc_t)
+
 libs_use_ld_so(krb5kdc_t)
 libs_use_shared_libs(krb5kdc_t)
 
@@ -223,6 +238,7 @@
 miscfiles_read_localization(krb5kdc_t)
 
 sysnet_read_config(krb5kdc_t)
+sysnet_use_ldap(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
 userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
@@ -233,6 +249,7 @@
 
 optional_policy(`
 	seutil_sigchld_newrole(krb5kdc_t)
+	seutil_read_file_contexts(krb5kdc_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.8/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ktalk.te	2008-06-12 23:37:59.000000000 -0400
@@ -49,6 +49,8 @@
 manage_files_pattern(ktalkd_t,ktalkd_var_run_t,ktalkd_var_run_t)
 files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
 
+auth_use_nsswitch(ktalkd_t)
+
 kernel_read_kernel_sysctls(ktalkd_t)
 kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)
@@ -76,12 +78,4 @@
 
 miscfiles_read_localization(ktalkd_t)
 
-sysnet_read_config(ktalkd_t)
-
-optional_policy(`
-	nis_use_ypbind(ktalkd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ktalkd_t)
-')
+term_search_ptys(ktalkd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.0.8/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ldap.te	2008-06-12 23:37:59.000000000 -0400
@@ -42,7 +42,6 @@
 dontaudit slapd_t self:capability sys_tty_config;
 allow slapd_t self:process setsched;
 allow slapd_t self:fifo_file { read write };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
 allow slapd_t self:udp_socket create_socket_perms;
 #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
 allow slapd_t self:tcp_socket create_stream_socket_perms;
@@ -104,6 +103,8 @@
 files_read_usr_files(slapd_t)
 files_list_var_lib(slapd_t)
 
+auth_use_nsswitch(slapd_t)
+
 libs_use_ld_so(slapd_t)
 libs_use_shared_libs(slapd_t)
 
@@ -112,8 +113,6 @@
 miscfiles_read_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
-sysnet_read_config(slapd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
 userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
 
@@ -122,10 +121,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(slapd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(slapd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.0.8/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/lpd.fc	2008-06-12 23:37:59.000000000 -0400
@@ -22,6 +22,8 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #
@@ -29,3 +31,5 @@
 #
 /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
+/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/var/spool/cups-pdf(/.*)?	gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2008-06-12 23:37:58.000000000 -0400
@@ -303,6 +303,25 @@
 
 ########################################
 ## <summary>
+##	Read the contents of the printer spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_read_spool',`
+	gen_require(`
+		type print_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,print_spool_t,print_spool_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete printer spool files.
 ## </summary>
 ## <param name="domain">
@@ -317,10 +336,8 @@
 	')
 
 	files_search_spool($1)
+	manage_dirs_pattern($1,print_spool_t,print_spool_t)
 	manage_files_pattern($1,print_spool_t,print_spool_t)
-
-	# cjp: cups wants setattr
-	allow $1 print_spool_t:dir setattr;
 ')
 
 ########################################
@@ -394,3 +411,22 @@
 
 	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute lpr
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lpd_exec_lpr',`
+	gen_require(`
+		type lpr_exec_t;
+	')
+
+	can_exec($1,lpr_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.0.8/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mailman.fc	2008-06-12 23:37:58.000000000 -0400
@@ -31,3 +31,4 @@
 /var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
 ')
+/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.0.8/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mailman.if	2008-06-12 23:37:58.000000000 -0400
@@ -256,6 +256,25 @@
 
 #######################################
 ## <summary>
+##	read
+##	mailman logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_log',`
+	gen_require(`
+		type mailman_log_t;
+	')
+
+	read_files_pattern($1,mailman_log_t,mailman_log_t)
+')
+
+#######################################
+## <summary>
 ##	Append to mailman logs.
 ## </summary>
 ## <param name="domain">
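Review bot: mailman_read_log grants read on mailman_log_t files but nothing on the log directory hierarchy above them; munin_append_log in this same patch calls `logging_search_logs($1)` first, and if mailman_log_t is placed under the system log directory (its .fc is not in this hunk) a caller without search there is denied before it reaches the file. Add `logging_search_logs($1)` before the read_files_pattern call, or comment why callers are expected to already have it. The summary split across `##	read` and `##	mailman logs.` should be the single line `##	Read mailman logs.` to match the neighbouring interfaces.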
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mailman.te	2008-06-12 23:37:58.000000000 -0400
@@ -55,6 +55,8 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
+	apache_read_config(mailman_cgi_t)
+	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
 
 	optional_policy(`
 		nscd_socket_use(mailman_cgi_t)
@@ -67,6 +69,17 @@
 #
 
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t self:process signal;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:capability { setuid setgid };
+
+mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
+mta_dontaudit_rw_queue(mailman_mail_t)
+
+auth_use_nsswitch(mailman_mail_t)
+
+files_search_spool(mailman_mail_t)
+fs_rw_anon_inodefs_files(mailman_mail_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 
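Review bot: `mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)` is added at the top of this block while the identical, unchanged line still follows a few lines below, so the rule now appears twice; drop the new copy. `allow mailman_mail_t initrc_t:process signal;` names another module's type directly instead of going through an init interface, which breaks the refpolicy convention that cross-module access is expressed via the owning module's .if (and only builds because initrc_t happens to be in scope from base). The added `allow mailman_mail_t self:capability { setuid setgid };` would benefit from a one-line comment naming the mailman operation that needs it.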
@@ -96,6 +109,7 @@
 kernel_read_proc_symlinks(mailman_queue_t)
 
 auth_domtrans_chk_passwd(mailman_queue_t)
+auth_domtrans_upd_passwd_chk(mailman_queue_t)
 
 files_dontaudit_search_pids(mailman_queue_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.0.8/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/mailscanner.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.0.8/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/mailscanner.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
+########################################
+## <summary>
+##	Search mailscanner spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_search_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mailscanner_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	read mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_read_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_manage_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
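Review bot: mailscanner_manage_spool only calls manage_files_pattern, so a caller cannot create or remove subdirectories under mailscanner_spool_t even though the .fc labels the whole tree `/var/spool/MailScanner(/.*)?`; lpd_manage_spool in this same patch gained `manage_dirs_pattern` for exactly this situation, and a matching `manage_dirs_pattern($1,mailscanner_spool_t,mailscanner_spool_t)` here would keep the two consistent (if MailScanner keeps a flat spool, a comment saying so is enough). The summary `##	read mailscanner spool files.` should be capitalised like the other two. Since mailscanner.te declares a file type and no domain, these interfaces are the only thing that grants access, so getting their scope right matters more than usual.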
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.0.8/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/mailscanner.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.0.8/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mta.fc	2008-06-12 23:37:59.000000000 -0400
@@ -11,6 +11,7 @@
 /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
 /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
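Review bot: `/bin/mail` is a mail user agent rather than an MTA submission binary, yet it is labelled sendmail_exec_t, so every domain with mta_send_mail now transitions into system_mail_t when it runs `mail` and the agent's own file reads happen in that domain. That may be the intent, since the agent ends up invoking sendmail, but this patch introduces the mailclient_exec_type attribute for precisely this kind of case; a dedicated type marked with mta_mailclient would keep the two distinguishable. At minimum a comment on the spec explaining why /bin/mail is treated as sendmail would help the next reader.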
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mta.if	2008-06-12 23:37:59.000000000 -0400
@@ -87,6 +87,8 @@
 	# It wants to check for nscd
 	files_dontaudit_search_pids($1_mail_t)
 
+	auth_use_nsswitch($1_mail_t)
+
 	libs_use_ld_so($1_mail_t)
 	libs_use_shared_libs($1_mail_t)
 
@@ -94,17 +96,6 @@
 
 	miscfiles_read_localization($1_mail_t)
 
-	sysnet_read_config($1_mail_t)
-	sysnet_dns_name_resolve($1_mail_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_mail_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_mail_t)
-	')
-
 	optional_policy(`
 		postfix_domtrans_user_mail_handler($1_mail_t)
 	')
@@ -142,6 +133,12 @@
 		sendmail_create_log($1_mail_t)
 	')
 
+	optional_policy(`
+		exim_read_log($1_mail_t)
+		exim_append_log($1_mail_t)
+		exim_manage_spool_files($1_mail_t)
+	')
+
 ')
 
 #######################################
@@ -210,9 +207,9 @@
 	userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
 	# for reading .forward - maybe we need a new type for it?
 	# also for delivering mail to maildir
-	userdom_manage_user_home_content_dirs($1,mailserver_delivery)
-	userdom_manage_user_home_content_files($1,mailserver_delivery)
-	userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
+	userdom_manage_all_users_home_content_dirs(mailserver_delivery)
+	userdom_manage_all_users_home_content_files(mailserver_delivery)
+	userdom_manage_all_users_home_content_symlinks(mailserver_delivery)
 	userdom_manage_user_home_content_pipes($1,mailserver_delivery)
 	userdom_manage_user_home_content_sockets($1,mailserver_delivery)
 	userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
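Review bot: Replacing the per-user `userdom_manage_user_home_content_*($1,mailserver_delivery)` calls with the `_all_users_` variants inside a per-user template re-emits the same global rules every time the template is instantiated, and the pipes and sockets lines that follow stay per-user, so the block is now half global and half per-user. Because mailserver_delivery is an attribute, the all-users calls belong once in mta.te, which this patch already touches for the cifs and nfs tunables on the same attribute. The grant is also wider than before, since delivery now reaches every user's home content regardless of which user templates are built; that is plausible for mail delivery but deserves a comment. The enclosing template starts outside the hunk.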
@@ -228,6 +225,11 @@
 		fs_manage_cifs_symlinks($1_mail_t)
 	')
 
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_mail_t)
+		fs_manage_nfs_symlinks($1_mail_t)
+	')
+
 	optional_policy(`
 		allow $1_mail_t self:capability dac_override;
 
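Review bot: The new use_nfs_home_dirs block grants `fs_manage_nfs_files` and `fs_manage_nfs_symlinks` but not `fs_manage_nfs_dirs`, whereas the equivalent block this patch adds to mta.te for mailserver_delivery does include `fs_manage_nfs_dirs`; if $1_mail_t ever creates a maildir or lock directory on an NFS-mounted home it will be denied here. Either add `fs_manage_nfs_dirs($1_mail_t)` or comment why directory management is intentionally excluded for the user mail domain. The enclosing template starts outside the hunk.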
@@ -314,6 +316,42 @@
 
 ########################################
 ## <summary>
+##	Make the specified type usable for a mta_send_mail.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail client.
+##	</summary>
+## </param>
+#
+interface(`mta_mailclient',`
+	gen_require(`
+		attribute mailclient_exec_type;
+	')
+
+	typeattribute $1 mailclient_exec_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type readable for a system_mail_t
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail client.
+##	</summary>
+## </param>
+#
+interface(`mta_mailcontent',`
+	gen_require(`
+		attribute mailcontent_type;
+	')
+
+	typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
 ##	Modified mailserver interface for
 ##	sendmail daemon use.
 ## </summary>
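Review bot: The parameter doc of mta_mailcontent, `##	Type to be used as a mail client.`, is copied from mta_mailclient and is wrong for an interface that adds a type to mailcontent_type; `##	Type of files that system_mail_t may read.` describes it. The two summaries also read awkwardly: `##	Make the specified type a mail client executable usable by mta_send_mail.` and `##	Allow system_mail_t to read files of the specified type.` say what each attribute does. Both interfaces are otherwise fine as plain typeattribute wrappers.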
@@ -392,11 +430,13 @@
 	allow $1 mail_spool_t:dir list_dir_perms;
 	create_files_pattern($1,mail_spool_t,mail_spool_t)
 	read_files_pattern($1,mail_spool_t,mail_spool_t)
+	append_files_pattern($1,mail_spool_t,mail_spool_t)
 	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 
 	optional_policy(`
 		dovecot_manage_spool($1)
+		dovecot_domtrans_deliver($1)
 	')
 
 	optional_policy(`
@@ -431,6 +471,7 @@
 		# apache should set close-on-exec
 		apache_dontaudit_rw_stream_sockets($1)
 		apache_dontaudit_rw_sys_script_stream_sockets($1)
+		apache_append_log($1)
 	')
 ')
 
@@ -447,20 +488,18 @@
 interface(`mta_send_mail',`
 	gen_require(`
 		attribute mta_user_agent;
-		type system_mail_t, sendmail_exec_t;
+		type system_mail_t;
+		attribute mailclient_exec_type;
 	')
 
-	allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
-	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
-	allow $1 system_mail_t:fd use;
-	allow system_mail_t $1:fd use;
-	allow system_mail_t $1:fifo_file rw_file_perms;
-	allow system_mail_t $1:process sigchld;
+	allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
+	domtrans_pattern($1, mailclient_exec_type, system_mail_t)
+	allow system_mail_t mailclient_exec_type:file entrypoint;
 
 	allow mta_user_agent $1:fd use;
 	allow mta_user_agent $1:process sigchld;
 	allow mta_user_agent $1:fifo_file { read write };
+
 ')
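Review bot: `allow system_mail_t mailclient_exec_type:file entrypoint;` looks redundant with the `domtrans_pattern` call above it, since in refpolicy domtrans_pattern expands through domain_auto_trans and domain_trans, which already grant the target domain entrypoint on the executable type; keep it only if this tree's domain_trans differs. The old body also had `allow $1 system_mail_t:fd use;`, letting the caller use the child's descriptors, and domtrans_pattern grants only the reverse direction, so any caller that relied on it is now denied — if that narrowing is deliberate, a comment should say so. The blank line added before the closing `')` is a style nit.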
 
 ########################################
@@ -595,6 +634,25 @@
 	files_search_etc($1)
 	allow $1 etc_aliases_t:file { rw_file_perms setattr };
 ')
+########################################
+## <summary>
+##	manage mail aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_manage_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_search_etc($1)
+	allow $1 etc_aliases_t:file manage_file_perms;
+')
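Review bot: The new mta_manage_aliases block is glued to the previous interface's closing `')` with no blank line before its `########` banner, unlike every other interface in the file; add the blank line. Its summary `##	manage mail aliases.` should be `##	Create, read, write, and delete mail aliases.` to match the file's phrasing. With manage_file_perms the caller may unlink and recreate the aliases file rather than just edit it, which is a wider grant than the rw variant above and worth stating in the summary since the interface carries `<rolecap/>`.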
 
 #######################################
 ## <summary>
@@ -901,3 +959,23 @@
 
 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##	read mail queue files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mta.te	2008-06-12 23:37:59.000000000 -0400
@@ -1,11 +1,13 @@
 
-policy_module(mta,1.7.1)
+policy_module(mta,1.9.0)
 
 ########################################
 #
 # Declarations
 #
 
+attribute mailcontent_type;
+attribute mailclient_exec_type;
 attribute mta_user_agent;
 attribute mailserver_delivery;
 attribute mailserver_domain;
@@ -27,6 +29,7 @@
 
 type sendmail_exec_t;
 application_executable_file(sendmail_exec_t)
+mta_mailclient(sendmail_exec_t)
 
 mta_base_mail_template(system)
 role system_r types system_mail_t;
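Review bot: `mta_mailclient(sendmail_exec_t)` calls the module's own interface from its own .te; refpolicy convention is that a module does not use its own interfaces, and since mailclient_exec_type is declared in this very file the direct form `typeattribute sendmail_exec_t mailclient_exec_type;` is what belongs here. That also keeps the declaration section readable without following the gen_require indirection.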
@@ -37,30 +40,45 @@
 #
 
 # newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
 
 read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
 
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
+logging_append_all_logs(system_mail_t)
+
+dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+userdom_dontaudit_search_all_users_home_content(system_mail_t)
+
+optional_policy(`
+	apcupsd_read_tmp_files(system_mail_t)
+')
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
+	apache_search_bugzilla_dirs(system_mail_t)
 
 	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)
 	apache_dontaudit_rw_stream_sockets(system_mail_t)
 	apache_dontaudit_rw_tcp_sockets(system_mail_t)
 	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+	apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
 ')
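Review bot: `logging_append_all_logs(system_mail_t)` lets the mail client append to every log type on the system, a far wider grant than the targeted `clamav_append_log` and `fail2ban_append_log` this patch adds later in this file (the -136,11 +160,38 hunk) and the `apache_append_log` it adds in mta.if; with the blanket rule those become redundant, and without it they are the least-privilege form. Pick one, and if the requirement is only that programs invoking mail from a cron or logrotate context may append to their own log, the per-module interfaces are the right shape and the all-logs line should go. The new `fowner` capability and `dev_read_sysfs` call would each benefit from a one-line comment naming the denial that motivated them.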
 
 optional_policy(`
@@ -73,6 +91,7 @@
 
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
+	cron_read_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 ')
 
@@ -81,6 +100,11 @@
 ')
 
 optional_policy(`
+	exim_domtrans(system_mail_t)
+	exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
@@ -136,11 +160,38 @@
 ')
 
 optional_policy(`
+	clamav_stream_connect(system_mail_t)
+	clamav_append_log(system_mail_t)
+')
+
+optional_policy(`
+	fail2ban_append_log(system_mail_t)
+')
+
+optional_policy(`
+	spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
-# should break this up among sections:
+init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery)
 
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(mailserver_delivery)
+	fs_manage_cifs_files(mailserver_delivery)
+	fs_manage_cifs_symlinks(mailserver_delivery)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(mailserver_delivery)
+	fs_manage_nfs_files(mailserver_delivery)
+	fs_manage_nfs_symlinks(mailserver_delivery)
+')
+
+# should break this up among sections:
 optional_policy(`
 	# why is mail delivered to a directory of type arpwatch_data_t?
 	arpwatch_search_data(mailserver_delivery)
@@ -154,3 +205,4 @@
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.0.8/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/munin.fc	2008-06-12 23:37:58.000000000 -0400
@@ -6,6 +6,7 @@
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/munin.if	2008-06-12 23:37:59.000000000 -0400
@@ -61,3 +61,43 @@
 	allow $1 munin_var_lib_t:dir search_dir_perms;
 	files_search_var_lib($1)
 ')
+
+#######################################
+## <summary>
+##	Do not audit attempts to search
+##	munin library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_dontaudit_search_lib',`
+	gen_require(`
+		type munin_var_lib_t;
+	')
+
+	dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	to munin log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_append_log',`
+	gen_require(`
+		type munin_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 munin_log_t:dir list_dir_perms;
+	append_files_pattern($1,munin_log_t,munin_log_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.0.8/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/munin.te	2008-06-12 23:37:58.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(munin,1.3.0)
+policy_module(munin,1.4.0)
 
 ########################################
 #
@@ -30,21 +30,25 @@
 # Local policy
 #
 
-allow munin_t self:capability { setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(munin_t, munin_exec_t)
 
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
 read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
 files_search_etc(munin_t)
 
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t,munin_log_t,file)
+manage_dirs_pattern(munin_t, munin_log_t,  munin_log_t)
+manage_files_pattern(munin_t, munin_log_t,  munin_log_t)
+logging_log_filetrans(munin_t,munin_log_t,{ file dir })
 
 manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
 manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
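Review bot: The capability set for munin_t grows from `{ setgid setuid }` to include `chown dac_override` and `sys_rawio` with no comment on which plugin needs which; `sys_rawio` gives raw device access and `dac_override` bypasses file DAC entirely, and the whole plugin collection inherits them. Add a per-capability comment naming the plugin, e.g. `# sys_rawio: needed by <plugin name> (fill in)`, and consider whether those few plugins warrant their own domain rather than widening munin_t for all of them. The `can_exec(munin_t, munin_exec_t)` line is fine, though the file's other pattern calls put no space after the comma.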
@@ -61,9 +65,11 @@
 files_pid_filetrans(munin_t,munin_var_run_t,file)
 
 kernel_read_system_state(munin_t)
-kernel_read_kernel_sysctls(munin_t)
+kernel_read_network_state(munin_t)
+kernel_read_all_sysctls(munin_t)
 
 corecmd_exec_bin(munin_t)
+corecmd_exec_shell(munin_t)
 
 corenet_all_recvfrom_unlabeled(munin_t)
 corenet_all_recvfrom_netlabel(munin_t)
@@ -73,27 +79,37 @@
 corenet_udp_sendrecv_all_nodes(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_bind_munin_port(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
+corenet_tcp_connect_http_port(munin_t)
+corenet_tcp_bind_all_nodes(munin_t)
 
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
 
 domain_use_interactive_fds(munin_t)
+domain_dontaudit_read_all_domains_state(munin_t)
 
 files_read_etc_files(munin_t)
 files_read_etc_runtime_files(munin_t)
 files_read_usr_files(munin_t)
+files_list_spool(munin_t)
 
 fs_getattr_all_fs(munin_t)
 fs_search_auto_mountpoints(munin_t)
 
+auth_use_nsswitch(munin_t)
+
 libs_use_ld_so(munin_t)
 libs_use_shared_libs(munin_t)
 
 logging_send_syslog_msg(munin_t)
 
+miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
 
-sysnet_read_config(munin_t)
+sysnet_exec_ifconfig(munin_t)
+netutils_domtrans_ping(munin_t)
 
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_sysadm_home_dirs(munin_t)
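Review bot: `netutils_domtrans_ping(munin_t)` is called unconditionally, but netutils is normally a loadable rather than base module, and refpolicy requires every call into such a module to sit inside optional_policy or the build fails when it is absent; the fstools, mta, mysql and sendmail calls added a few lines below in this file do follow that rule. Wrap it the same way. The switch from `sysnet_read_config` to `sysnet_exec_ifconfig` and the `corenet_tcp_connect_http_port` addition widen what the node may do on the network; a short comment on which plugins drive them would help.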
@@ -108,7 +124,21 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(munin_t)
+	fstools_domtrans(munin_t)
+')
+
+optional_policy(`
+	mta_read_config(munin_t)
+	mta_send_mail(munin_t)
+')
+
+optional_policy(`
+	mysql_read_config(munin_t)
+	mysql_stream_connect(munin_t)
+')
+
+optional_policy(`
+	sendmail_read_log(munin_t)
 ')
 
 optional_policy(`
@@ -118,3 +148,9 @@
 optional_policy(`
 	udev_read_db(munin_t)
 ')
+
+#============= http munin policy ==============
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
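Review bot: `apache_content_template(munin)` declares the httpd_munin_* types that the new munin.fc entries reference, yet it sits after the optional_policy blocks at the very end of the file and, unlike the other apache-module calls in this patch, is not inside optional_policy, so the module will not build when apache is absent from the policy (if apache is always present in this tree, a comment stating that dependency is the minimum). Move the template call up to the declarations section beside the other type declarations and keep the two manage_*_pattern rules in the local-policy section. The audit2allow-style `#============= http munin policy ==============` banner should be replaced by the file's `########` banner form.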
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.8/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mysql.fc	2008-06-12 23:37:58.000000000 -0400
@@ -22,3 +22,5 @@
 /var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.8/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mysql.if	2008-06-12 23:37:59.000000000 -0400
@@ -157,3 +157,79 @@
 	logging_search_logs($1)
 	allow $1 mysqld_log_t:file { write append setattr ioctl };
 ')
+
+########################################
+## <summary>
+##	Execute mysql server in the mysqld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mysql_script_domtrans',`
+	gen_require(`
+		type mysqld_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,mysqld_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the mysql domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the mysql domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+
+	gen_require(`
+		type mysqld_t;
+		type mysqld_var_run_t;
+		type mysqld_tmp_t; 
+		type mysqld_db_t;
+		type mysqld_etc_t;
+		type mysqld_log_t;
+		type mysqld_script_exec_t;
+	')
+
+	allow $1 mysqld_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, mysqld_t, mysqld_t)
+	
+	# Allow $1 to restart the apache service
+	mysql_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 mysqld_script_exec_t system_r;
+	allow $2 system_r;
+
+	manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+	manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+
+	manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
+	manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
+
+	manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
+	manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
+
+	manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
+	manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
+
+	manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+	manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+')
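Review bot: The summary of mysql_script_domtrans, `##	Execute mysql server in the mysqld domain.`, does not match its body — `init_script_domtrans_spec` transitions into the init-script domain for mysqld_script_exec_t, not into mysqld_t — so it should read `##	Execute the mysql init script in the init script domain.` In mysql_admin the comment `# Allow $1 to restart the apache service` is copied from the apache admin interface and should say mysql; `type mysqld_tmp_t; ` carries trailing whitespace and the line after `read_files_pattern($1, mysqld_t, mysqld_t)` is whitespace-only. `allow $1 mysqld_t:process { ptrace signal_perms getattr };` gives the admin role read access to the server's memory via ptrace, which is conventional for *_admin interfaces but worth a comment given what a database process may hold.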
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mysql.te	2008-06-12 23:37:59.000000000 -0400
@@ -25,6 +25,9 @@
 type mysqld_tmp_t;
 files_tmp_file(mysqld_tmp_t)
 
+type mysqld_script_exec_t;
+init_script_type(mysqld_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -33,7 +36,8 @@
 allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
-allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
@@ -79,6 +83,7 @@
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_rw_hugetlbfs_files(mysqld_t)
 
 domain_use_interactive_fds(mysqld_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nagios.fc	2008-06-12 23:37:59.000000000 -0400
@@ -4,13 +4,15 @@
 /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
 /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
 
-/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 
 /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 
+/var/spool/nagios(/.*)?			gen_context(system_u:object_r:nagios_spool_t,s0)
+
 ifdef(`distro_debian',`
 /usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 ')
+/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
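Review bot: The new `/usr/lib(64)?/cgi-bin/nagios(/.+)?` entry on the last line replaces the Debian-only `/usr/lib/cgi-bin/nagios/.+` context but is placed after the closing `')` of the `ifdef(`distro_debian'` block, so it now applies on every distro; if that is intended it belongs up beside the other two cgi-bin entries rather than trailing the conditional. Its `(/.+)?` suffix also differs from the `(/.*)?` used on the netsaint and nagios/cgi-bin lines above — pick one form. Dropping the `--` qualifier means directories are labeled `httpd_nagios_script_exec_t` too, which is presumably what `apache_content_template` expects, but worth confirming.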
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.0.8/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nagios.if	2008-06-12 23:37:58.000000000 -0400
@@ -44,25 +44,6 @@
 
 ########################################
 ## <summary>
-##	Execute the nagios CGI with
-##	a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nagios_domtrans_cgi',`
-	gen_require(`
-		type nagios_cgi_t, nagios_cgi_exec_t;
-	')
-
-	domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t)
-')
-
-########################################
-## <summary>
 ##	Execute the nagios NRPE with
 ##	a domain transition.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.0.8/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nagios.te	2008-06-12 23:37:59.000000000 -0400
@@ -10,10 +10,6 @@
 type nagios_exec_t;
 init_daemon_domain(nagios_t,nagios_exec_t)
 
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
-
 type nagios_etc_t;
 files_config_file(nagios_etc_t)
 
@@ -26,6 +22,9 @@
 type nagios_var_run_t;
 files_pid_file(nagios_var_run_t)
 
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
 type nrpe_t;
 type nrpe_exec_t;
 init_daemon_domain(nrpe_t,nrpe_exec_t)
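Review bot: `nagios_spool_t` is declared with a bare `files_type`, and the only rule that uses it (the `rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` in the next hunk) lets the daemon read and write an existing fifo but not create or remove one, so if nagios creates its command pipe itself at startup that will be denied — `manage_fifo_files_pattern` would be the call in that case. Nothing in this file grants `httpd_nagios_script_t` any access to the spool either, so if the CGIs submit commands through that fifo a rule is still missing; hedged, since I see only this patch. A one-line comment above the type naming what lives in the spool would make both questions answerable, and the spaces after the commas in that pattern call do not match the rest of the file.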
@@ -60,6 +59,10 @@
 manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
 files_pid_filetrans(nagios_t,nagios_var_run_t,file)
 
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
+auth_use_nsswitch(nagios_t)
+
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
 
@@ -106,10 +109,6 @@
 mta_send_mail(nagios_t)
 
 optional_policy(`
-	auth_use_nsswitch(nagios_t)
-')
-
-optional_policy(`
 	netutils_domtrans_ping(nagios_t)
 	netutils_signal_ping(nagios_t)
 	netutils_kill_ping(nagios_t)
@@ -132,42 +131,31 @@
 #
 # Nagios CGI local policy
 #
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
 
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
+allow httpd_nagios_script_t self:process signal_perms;
 
-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
 
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t)
 
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)
 
-kernel_read_system_state(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
 
-corecmd_exec_bin(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
 
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
 
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
-
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
-
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
-	apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
 
 ########################################
 #
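Review bot: `read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)` and the `read_lnk_files_pattern` line after it pass `nagios_etc_t` as the directory type of what is the log-access block (it follows `allow … nagios_log_t:dir list_dir_perms`); the removed side had the same mistake, but since these lines are rewritten anyway the directory argument should be `nagios_log_t`, otherwise files under `/var/log/nagios` remain unreadable to the CGIs. The rewrite also drops `corecmd_exec_bin`, `files_read_etc_files`, `libs_use_*`, `miscfiles_read_localization`, `logging_search_logs` and `apache_append_log` for the CGI domain — presumably `apache_content_template(nagios)` supplies equivalents, but that is not visible here and should be confirmed before the removal lands. Keeping `nagios_cgi_t`/`nagios_cgi_exec_t` as typealiases is good; a comment such as `# compatibility aliases for policy written before apache_content_template` would say why they stay. The matching deletion of `nagios_domtrans_cgi` from nagios.if leaves no deprecated stub, so any out-of-tree caller of that interface will fail to build.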
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc	2008-06-12 23:37:58.000000000 -0400
@@ -1,7 +1,11 @@
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/etc/NetworkManager/dispatcher.d(/.*)	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)
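Review bot: `/etc/NetworkManager/dispatcher.d(/.*)` is missing the trailing `?` every other entry in this file carries, so the `dispatcher.d` directory itself is never labeled `NetworkManager_script_exec_t` — only its contents — and the unescaped `.` in `dispatcher.d` matches any character. The line should read `/etc/NetworkManager/dispatcher\.d(/.*)?	gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)`. Since networkmanager.te pairs this type with `init_script_domtrans_spec`, everything under that directory runs in the init script domain, which deserves a comment above the entry.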
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2008-06-12 23:37:58.000000000 -0400
@@ -97,3 +97,40 @@
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:process signal;
+')
+
+########################################
+## <summary>
+##	Execute NetworkManager scripts with an automatic domain transition to initrc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_init_script_domtrans_spec',`
+	gen_require(`
+		type NetworkManager_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1, NetworkManager_script_exec_t)
+')
+
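Review bot: `networkmanager_init_script_domtrans_spec` breaks the naming used by the sibling interfaces added in this same patch (`nscd_script_domtrans`, `ntp_script_domtrans`), which wrap the identical `init_script_domtrans_spec` call; `networkmanager_script_domtrans` keeps the family consistent. Its summary can also be tightened to what the call does: `##	Execute NetworkManager scripts with a domain transition to the init script domain.` The hunk additionally leaves a blank line at end of file, which the other .if files in this patch do not carry.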
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-07-02 15:53:02.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.7.1)
+policy_module(networkmanager,1.9.0)
 
 ########################################
 #
@@ -13,6 +13,13 @@
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
+type NetworkManager_script_exec_t;
+init_script_type(NetworkManager_script_exec_t)
+init_script_domtrans_spec(NetworkManager_t, NetworkManager_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -20,9 +27,9 @@
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
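Review bot: The capability line gains `chown` and `fsetid` and the process line gains `getcap`/`setsched`, but only the pre-existing ptrace grant carries a rationale (the rh bug comment above it). Each added capability widens the domain; a short comment in the style of the existing one, e.g. `# chown/fsetid: <operation that needs them>`, lets later reviewers tell a required grant from an AVC-chasing one. If the reason is not known, the AVC that prompted it is the minimum worth recording.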
@@ -38,10 +45,14 @@
 manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 
+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
+
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
 
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -64,9 +75,11 @@
 dev_read_sysfs(NetworkManager_t)
 dev_read_rand(NetworkManager_t)
 dev_read_urand(NetworkManager_t)
+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
 
 fs_getattr_all_fs(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
+fs_list_inotifyfs(NetworkManager_t)
 
 mls_file_read_all_levels(NetworkManager_t)
 
@@ -82,10 +95,16 @@
 files_read_etc_files(NetworkManager_t)
 files_read_etc_runtime_files(NetworkManager_t)
 files_read_usr_files(NetworkManager_t)
+files_list_tmp(NetworkManager_t)
+
+storage_getattr_fixed_disk_dev(NetworkManager_t)
 
 init_read_utmp(NetworkManager_t)
+init_dontaudit_write_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)
 
+auth_use_nsswitch(NetworkManager_t)
+
 libs_use_ld_so(NetworkManager_t)
 libs_use_shared_libs(NetworkManager_t)
 
@@ -113,6 +132,9 @@
 userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
 # Read gnome-keyring
 userdom_read_unpriv_users_home_content_files(NetworkManager_t)
+userdom_unpriv_users_stream_connect(NetworkManager_t)
+
+cron_read_system_job_lib_files(NetworkManager_t)
 
 optional_policy(`
 	bind_domtrans(NetworkManager_t)
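Review bot: `cron_read_system_job_lib_files(NetworkManager_t)` is called unconditionally while every other cross-module interface in this file (`bind_domtrans`, the `dbus_*`, `hal_*`, `ppp_*` and `ntp_*` calls) sits inside `optional_policy(`…')`; unless cron is guaranteed to be in the base for this build, the module will not link when cron is absent. Wrap it: `optional_policy(`` / `	cron_read_system_job_lib_files(NetworkManager_t)` / `')`. A comment on why NetworkManager reads cron's system job library files would also help, since the name alone does not explain it.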
@@ -129,28 +151,22 @@
 ')
 
 optional_policy(`
-	gen_require(`
-		class dbus send_msg;
-	')
-
-	allow NetworkManager_t self:dbus send_msg;
-
-	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
-	dbus_connect_system_bus(NetworkManager_t)
-	dbus_send_system_bus(NetworkManager_t)
+	dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
 ')
 
 optional_policy(`
-	howl_signal(NetworkManager_t)
+	hal_dontaudit_list_lib_dirs(NetworkManager_t)
+	hal_write_log(NetworkManager_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(NetworkManager_t)
+	howl_signal(NetworkManager_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(NetworkManager_t)
 	nscd_signal(NetworkManager_t)
+	nscd_script_domtrans(NetworkManager_t)
+	nscd_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
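Review bot: Dropping `nis_use_ypbind` and `nscd_socket_use` here is presumably compensated by the unconditional `auth_use_nsswitch(NetworkManager_t)` added in an earlier hunk of this file, but the commit does not say so; a one-line comment at the nscd block (`# nsswitch client access comes from auth_use_nsswitch`) would stop the next reader from re-adding them. `nscd_script_domtrans(NetworkManager_t)` relies on nscd.fc labeling the init script `nscd_script_exec_t`, which the nscd.fc hunk of this patch does not currently do — see the note there.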
@@ -162,19 +178,20 @@
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
 	ppp_signal(NetworkManager_t)
+	ppp_read_config(NetworkManager_t)
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(NetworkManager_t)
+	# Dispatcher starting and stoping ntp
+	ntp_script_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
-	udev_read_db(NetworkManager_t)
+	seutil_sigchld_newrole(NetworkManager_t)
 ')
 
 optional_policy(`
-	# Read gnome-keyring
-	unconfined_read_home_content_files(NetworkManager_t)
+	udev_read_db(NetworkManager_t)
 ')
 
 optional_policy(`
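Review bot: The new comment `# Dispatcher starting and stoping ntp` has a typo (`stopping`) and could name the mechanism, e.g. `# dispatcher.d scripts start and stop ntpd through its init script`. `ntp_script_domtrans` depends on the `ntpd_script_exec_t` entry that ntp.fc gains in this patch, so that pairing is complete.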
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.8/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nis.fc	2008-06-12 23:37:58.000000000 -0400
@@ -4,6 +4,7 @@
 /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 
 /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 
 /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
 /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
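Review bot: Adding `/usr/lib64/yp/ypxfr` as a second line duplicates the context instead of widening the pattern; oddjob.fc in this same patch uses `/usr/lib(64)?/oddjob/mkhomedir`, so `/usr/lib(64)?/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)` keeps the two files consistent and is one line instead of two.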
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nis.if	2008-06-12 23:37:59.000000000 -0400
@@ -49,8 +49,8 @@
 	corenet_udp_bind_all_nodes($1)
 	corenet_tcp_bind_generic_port($1)
 	corenet_udp_bind_generic_port($1)
-	corenet_tcp_bind_reserved_port($1)
-	corenet_udp_bind_reserved_port($1)
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1)
 	corenet_dontaudit_tcp_bind_all_ports($1)
 	corenet_dontaudit_udp_bind_all_ports($1)
 	corenet_tcp_connect_portmap_port($1)
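Review bot: Swapping `corenet_tcp_bind_reserved_port`/`corenet_udp_bind_reserved_port` for the `corenet_dontaudit_*_bind_all_reserved_ports` pair turns a formerly allowed bind into a silent denial for every caller of this interface, whose header lies outside the hunk; a domain that actually needs the reserved-port bind will now fail without an AVC to point at it. If the intent is that callers opt in through the new `nis_authenticate` below, which re-grants it under `allow_ypbind`, a comment at the swap such as `# reserved-port bind moved to nis_authenticate (allow_ypbind)` makes the trail followable.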
@@ -87,6 +87,27 @@
 
 ########################################
 ## <summary>
+##	Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+	tunable_policy(`allow_ypbind',`
+		nis_use_ypbind_uncond($1)
+		# Needs to bind to a port < 1024
+		allow $1 self:capability net_bind_service;
+		corenet_tcp_bind_all_rpc_ports($1)
+		corenet_udp_bind_all_rpc_ports($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Execute ypbind in the ypbind domain.
 ## </summary>
 ## <param name="domain">
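Review bot: `nis_authenticate` grants the caller the `net_bind_service` capability and binding to all RPC ports, but its summary, `Use the nis to authenticate passwords`, does not say so; a reader choosing between `nis_use_ypbind` and this one should be told it is the wider grant, e.g. `##	Use NIS to authenticate passwords. Also grants net_bind_service and RPC port binding, gated by the allow_ypbind tunable.` The inline `# Needs to bind to a port < 1024` explains the capability but not why the two RPC port grants are needed as well. The `<rolecap/>` tag is usually reserved for interfaces that make sense as role capabilities, which a tunable-gated single-domain grant does not obviously do — hedged, as local convention may differ.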
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.8/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nis.te	2008-06-12 23:37:58.000000000 -0400
@@ -113,6 +113,18 @@
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
 
+
+optional_policy(`
+	dbus_system_bus_client_template(ypbind,ypbind_t)
+	dbus_connect_system_bus(ypbind_t)
+	dbus_send_system_bus(ypbind_t)
+	init_dbus_chat_script(ypbind_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(ypbind_t)
+	')
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
 ')
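Review bot: The added block begins with a second blank `+` line after `userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)`, leaving a double blank line in the file; drop the first one. The nested `optional_policy` around `networkmanager_dbus_chat(ypbind_t)` is the right shape, since networkmanager can be absent while dbus is present.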
@@ -126,6 +138,7 @@
 # yppasswdd local policy
 #
 
+allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
 allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { setfscreate signal_perms };
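Review bot: `allow yppasswdd_t self:capability dac_override;` is added without a rationale, and `dac_override` bypasses every file permission check for the domain; a comment naming the operation that needs it (`# dac_override: <file yppasswdd must open that it does not own>`) is the minimum. If the access is to one specific file owned by another user, `dac_read_search` or a file-context fix is the narrower option.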
@@ -156,8 +169,8 @@
 corenet_udp_sendrecv_all_ports(yppasswdd_t)
 corenet_tcp_bind_all_nodes(yppasswdd_t)
 corenet_udp_bind_all_nodes(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
 corenet_sendrecv_generic_server_packets(yppasswdd_t)
@@ -247,6 +260,8 @@
 corenet_udp_bind_all_nodes(ypserv_t)
 corenet_tcp_bind_reserved_port(ypserv_t)
 corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
 corenet_sendrecv_generic_server_packets(ypserv_t)
@@ -315,6 +330,8 @@
 corenet_udp_bind_all_nodes(ypxfr_t)
 corenet_tcp_bind_reserved_port(ypxfr_t)
 corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
 corenet_tcp_connect_all_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.0.8/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nscd.fc	2008-06-12 23:37:58.000000000 -0400
@@ -9,3 +9,6 @@
 /var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
 
 /var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
+
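Review bot: The nscd init script is labeled `httpd_script_exec_t`, but nscd.te in this patch declares `nscd_script_exec_t` with `init_script_type` and the new `nscd_script_domtrans` requires exactly that type; as written the script would go through the apache script transition (or be denied) instead of `init_script_domtrans_spec`, and the `nscd_script_domtrans(NetworkManager_t)` call in networkmanager.te would never fire. The line should be `/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_script_exec_t,s0)`, matching the ntpd entry ntp.fc gains further down. The extra trailing blank line at end of file can go as well.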
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.0.8/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nscd.if	2008-06-12 23:37:58.000000000 -0400
@@ -70,14 +70,15 @@
 interface(`nscd_socket_use',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
 	')
 
 	allow $1 self:unix_stream_socket create_socket_perms;
 
 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
 	dontaudit $1 nscd_t:fd use;
-	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv};
+	
 
 	files_search_pids($1)
 	stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
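Review bot: `getserv` is added to the `dontaudit` line but not to `allow $1 nscd_t:nscd { getpwd getgrp gethost };` above it, so service lookups through nscd are silently denied for every caller of `nscd_socket_use`; if that is deliberate (clients fall back to the files backend) a comment should say so, otherwise `getserv` belongs in the allow set next to the other three. The dontaudit line is also missing a space before `}` (`shmemserv}`), and the hunk adds a whitespace-only line after it that should be dropped.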
@@ -204,3 +205,22 @@
 	role $2 types nscd_t;
 	dontaudit nscd_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	Execute nscd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nscd_script_domtrans',`
+	gen_require(`
+		type nscd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,nscd_script_exec_t)
+')
+
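Review bot: The summary of `nscd_script_domtrans`, `Execute nscd server in the ntpd domain.`, is a copy-paste from ntp.if and wrong on both counts: the body executes the nscd init script, and `init_script_domtrans_spec` transitions to the init script domain, not to a daemon domain. Suggested: `##	Execute the nscd init script with a domain transition to the init script domain.` The same wording problem exists in `ntp_script_domtrans` in ntp.if.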
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.8/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nscd.te	2008-06-12 23:37:59.000000000 -0400
@@ -23,19 +23,22 @@
 type nscd_log_t;
 logging_log_file(nscd_log_t)
 
+type nscd_script_exec_t;
+init_script_type(nscd_script_exec_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
 dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr setcap setsched signal_perms };
 allow nscd_t self:fifo_file { read write };
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
 allow nscd_t self:tcp_socket create_socket_perms;
 allow nscd_t self:udp_socket create_socket_perms;
 
@@ -50,6 +53,8 @@
 manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
 files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
 
+can_exec(nscd_t, nscd_exec_t)
+
 kernel_read_kernel_sysctls(nscd_t)
 kernel_list_proc(nscd_t)
 kernel_read_proc_symlinks(nscd_t)
@@ -73,6 +78,8 @@
 corenet_udp_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
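Review bot: `corenet_udp_bind_all_nodes(nscd_t)` appears twice in a row; the second is a duplicate, and given the tcp/udp pairing used elsewhere in this file one of them was probably meant to be `corenet_tcp_bind_all_nodes(nscd_t)`. Either drop the duplicate or change it to the tcp variant, whichever the AVC that prompted it shows.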
@@ -93,6 +100,7 @@
 libs_use_ld_so(nscd_t)
 libs_use_shared_libs(nscd_t)
 
+logging_send_audit_msgs(nscd_t)
 logging_send_syslog_msg(nscd_t)
 
 miscfiles_read_localization(nscd_t)
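Review bot: `logging_send_audit_msgs(nscd_t)` is the right replacement for the `audit_write` capability and the `netlink_audit_socket` rule removed in the first hunk of this file, but that removal replaces the rule with an empty `+` line in the middle of the self-rule block; delete the line rather than blank it. `setcap` is also added to the process perms there without a reason, and a one-line `# setcap: <reason>` is cheap. Both hunks sit inside the nscd local-policy section whose start is outside this view.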
@@ -114,3 +122,12 @@
 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 	xen_append_log(nscd_t)
 ')
+
+optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(nscd_t)
+		samba_dontaudit_use_fds(nscd_t)
+	')
+	samba_read_config(nscd_t)
+	samba_read_var_files(nscd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.8/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ntp.fc	2008-06-12 23:37:58.000000000 -0400
@@ -17,3 +17,8 @@
 /var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
 
 /var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/etc/ntp/crypto(/.*)?         gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys              -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd	--	gen_context(system_u:object_r:ntpd_script_exec_t,s0)
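Review bot: The two `/etc/ntp/*` entries are aligned with runs of spaces while the rest of the file separates path, qualifier and context with tabs; reformat them to match, e.g. `/etc/ntp/crypto(/.*)?		gen_context(system_u:object_r:ntpd_key_t,s0)` and `/etc/ntp/keys		--	gen_context(system_u:object_r:ntpd_key_t,s0)`. Giving the key material its own `ntpd_key_t` rather than the generic config type is a good separation — it keeps the keys out of reach of anything that is merely allowed to read ntp configuration.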
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.8/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ntp.if	2008-06-12 23:37:58.000000000 -0400
@@ -53,3 +53,59 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
 ')
+
+########################################
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_script_domtrans',`
+	gen_require(`
+		type ntpd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,ntpd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	ntp pid file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_manage_pid',`
+	gen_require(`
+		type ntpd_var_run_t;
+	')
+	manage_files_pattern($1,ntpd_var_run_t,ntpd_var_run_t)
+	files_pid_filetrans($1,ntpd_var_run_t,file)
+')
+
+########################################
+## <summary>
+##	Send generic signals to the ntp domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_signal',`
+	gen_require(`
+		type ntpd_t;
+	')
+
+	allow $1 ntpd_t:process signal;
+')
+
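Review bot: `ntp_script_domtrans`'s summary says `Execute ntp server in the ntpd domain.` but its body is `init_script_domtrans_spec($1,ntpd_script_exec_t)`, which runs the ntpd init script with a transition to the init script domain; it should read `##	Execute the ntpd init script with a domain transition to the init script domain.` `ntp_manage_pid` lacks the blank line after its `gen_require(`…')` that every other interface in the hunk has, and its summary should mention that the caller also gets `files_pid_filetrans`, i.e. it can create the pid file, not only manage an existing one. The trailing blank line at end of file should go.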
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.8/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ntp.te	2008-06-12 23:37:58.000000000 -0400
@@ -25,6 +25,12 @@
 type ntpdate_exec_t;
 init_system_domain(ntpd_t,ntpdate_exec_t)
 
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_script_exec_t;
+init_script_type(ntpd_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -36,6 +42,7 @@
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -49,6 +56,8 @@
 manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
 logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
 
+read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
+
 # for some reason it creates a file in /tmp
 manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
 manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
@@ -82,6 +91,8 @@
 
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
 
 auth_use_nsswitch(ntpd_t)
 
@@ -106,6 +117,9 @@
 miscfiles_read_localization(ntpd_t)
 
 sysnet_read_config(ntpd_t)
+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
+
+term_use_ptmx(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
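Review bot: `term_use_ptmx(ntpd_t)` gives the daemon read/write on `/dev/ptmx` with no stated reason, whereas the `fs_rw_tmpfs_files` addition in the previous hunk carries `# Necessary to communicate with gpsd devices`; a similar one-liner here naming the device or refclock setup that needs a pty would keep the rationale for device-level grants consistent across the file. `sysnet_dontaudit_dhcpc_use_fds` is self-explanatory and fine.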
@@ -122,6 +136,10 @@
 ')
 
 optional_policy(`
+	hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
 	logrotate_exec(ntpd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.0.8/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nx.fc	2008-06-12 23:37:58.000000000 -0400
@@ -1,3 +1,5 @@
+
+/usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
 /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
 
 /opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
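Review bot: The hunk inserts a blank line at the very top of the file ahead of the new `/usr/libexec/nx/nxserver` entry, which no other .fc file in this patch does; drop it so the file starts at its first entry.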
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.0.8/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/oddjob.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,5 +1,5 @@
-/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 
 /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
 
-/var/run/oddjobd.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/var/run/oddjobd\.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.0.8/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/oddjob.if	2008-06-12 23:37:59.000000000 -0400
@@ -44,6 +44,7 @@
 	')
 
 	domtrans_pattern(oddjob_t, $2, $1)
+	domain_user_exemption_target($1)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.0.8/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/oddjob.te	2008-06-12 23:37:59.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(oddjob,1.3.0)
+policy_module(oddjob,1.4.0)
 
 ########################################
 #
@@ -10,14 +10,20 @@
 type oddjob_exec_t;
 domain_type(oddjob_t)
 init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
 domain_subj_id_change_exemption(oddjob_t)
 
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
 domain_type(oddjob_mkhomedir_t)
-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh)
+')
+
 # pid files
 type oddjob_var_run_t;
 files_pid_file(oddjob_var_run_t)
@@ -56,7 +62,6 @@
 
 optional_policy(`
 	dbus_system_bus_client_template(oddjob,oddjob_t)
-	dbus_send_system_bus(oddjob_t)
 	dbus_connect_system_bus(oddjob_t)
 ')
 
@@ -69,20 +74,38 @@
 # oddjob_mkhomedir local policy
 #
 
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
 allow oddjob_mkhomedir_t self:fifo_file { read write };
 allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(oddjob_mkhomedir_t)
 
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
 libs_use_ld_so(oddjob_mkhomedir_t)
 libs_use_shared_libs(oddjob_mkhomedir_t)
 
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
 miscfiles_read_localization(oddjob_mkhomedir_t)
 
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
 # Add/remove user home directories
+userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
 userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
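Review bot: `userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)` at the top of the home-directory block looks redundant with `userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)` three lines below it, since the all-users set presumably includes unprivileged users; keep one unless the two interfaces differ in a way this file does not show. The new `{ chown fowner fsetid dac_override }` capabilities and `setfscreate` are a sizeable widening for a helper that creates home directories — `chown`/`fowner` are expected, but `dac_override` and `fsetid` deserve a comment naming the operation that needs them. The `selinux_compute_*`/`seutil_read_*` calls are consistent with a helper that sets file-creation contexts, so they read as intended rather than accidental.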
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.0.8/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/openct.te	2008-06-12 23:37:59.000000000 -0400
@@ -22,6 +22,7 @@
 allow openct_t self:process signal_perms;
 
 manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
 files_pid_filetrans(openct_t,openct_var_run_t,file)
 
 kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.0.8/policy/modules/services/openvpn.fc
--- nsaserefpolicy/policy/modules/services/openvpn.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/openvpn.fc	2008-06-12 23:37:58.000000000 -0400
@@ -11,5 +11,5 @@
 #
 # /var
 #
-/var/log/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/log/openvpn.*		gen_context(system_u:object_r:openvpn_var_log_t,s0)
 /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
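Review bot: The replacement pattern `/var/log/openvpn.*` is no longer anchored at a path separator, so it labels every `/var/log/openvpn*` entry rather than only the former `openvpn` directory tree. If the intent is to also catch flat log files written next to the directory, a comment saying so would save the next reader from guessing, e.g. `# openvpn may log to flat /var/log/openvpn* files as well as a directory`. Whether the wider match is deliberate cannot be told from the hunk.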
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/openvpn.te	2008-06-12 23:37:58.000000000 -0400
@@ -35,7 +35,7 @@
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -47,6 +47,7 @@
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
 read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
+can_exec(openvpn_t,openvpn_etc_t)
 
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
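Review bot: `can_exec(openvpn_t,openvpn_etc_t)` makes every file labelled openvpn_etc_t executable by the daemon, not only the helper scripts it presumably needs, and nothing in the hunk records why. A one-line comment above it would document the intent, e.g. `# openvpn runs helper scripts (up/down/auth) that live under /etc/openvpn`, and if those scripts can be labelled separately a distinct exec type would keep the configuration files themselves non-executable. The same missing why-comment applies to the `sys_chroot` capability added in the preceding hunk and to `corenet_tcp_connect_http_port(openvpn_t)` in the following one.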
@@ -77,6 +78,7 @@
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
+corenet_tcp_connect_http_port(openvpn_t)
 
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
@@ -108,6 +110,14 @@
 	dbus_system_bus_client_template(openvpn,openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 	dbus_send_system_bus(openvpn_t)
-
 	networkmanager_dbus_chat(openvpn_t)
 ')
+
+
+# Need to interact with terminals if config option "auth-user-pass" is used
+userdom_use_sysadm_terms(openvpn_t)
+
+optional_policy(`
+	unconfined_use_terminals(openvpn_t)
+')
+
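Review bot: The addition opens with two consecutive blank lines and ends with a trailing blank line, whereas the surrounding file separates stanzas with a single blank line. Drop one of the leading blank lines and the final one so the file ends at the closing `')` of the new optional_policy block.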
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.0.8/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/pcscd.te	2008-06-12 23:37:58.000000000 -0400
@@ -45,6 +45,7 @@
 files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
 
+term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 
 libs_use_ld_so(pcscd_t)
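Review bot: `term_use_unallocated_ttys(pcscd_t)` is added without a comment, and it is not obvious why a smart-card daemon needs read/write access to unallocated ttys. If the reason is serial-attached readers exposed as tty devices, a why-comment such as `# serial card readers show up as tty devices` should accompany the line; the hunk itself does not say.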
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.8/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/pegasus.if	2008-06-12 23:37:58.000000000 -0400
@@ -1 +1,19 @@
 ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+	gen_require(`
+		type pegasus_t, pegasus_exec_t;
+	')
+
+	domtrans_pattern($1,pegasus_exec_t,pegasus_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.0.8/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/pegasus.te	2008-06-12 23:37:58.000000000 -0400
@@ -42,6 +42,7 @@
 allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -95,13 +96,13 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_domtrans_upd_passwd_chk(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
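Review bot: `files_read_all_files(pegasus_t)` replaces three narrow interfaces (etc, var_lib listing and reading) with read access to every file type on the system, and the adjacent `auth_read_shadow(pegasus_t)` grants direct shadow reads even though the domain already transitions through `auth_domtrans_chk_passwd` for password checks. Neither line carries a comment naming the denial that motivated it, so a later maintainer has no basis for narrowing it back. Please add a reason, e.g. `# providers read arbitrary files on behalf of CIM clients (bug ref: <PLACEHOLDER>)`, or, if only specific directories are involved, keep the specific interfaces instead.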
@@ -113,19 +114,17 @@
 libs_use_shared_libs(pegasus_t)
 
 logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
 
 miscfiles_read_localization(pegasus_t)
 
 sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
 
 optional_policy(`
-	logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
 	rpm_exec(pegasus_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.0.8/policy/modules/services/portmap.te
--- nsaserefpolicy/policy/modules/services/portmap.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/portmap.te	2008-06-12 23:37:58.000000000 -0400
@@ -63,6 +63,7 @@
 # portmap binds to arbitary ports
 corenet_tcp_bind_generic_port(portmap_t)
 corenet_udp_bind_generic_port(portmap_t)
+corenet_dontaudit_udp_bind_all_ports(portmap_t)
 corenet_tcp_bind_reserved_port(portmap_t)
 corenet_udp_bind_reserved_port(portmap_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.8/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/portslave.te	2008-06-12 23:37:58.000000000 -0400
@@ -85,6 +85,7 @@
 
 auth_rw_login_records(portslave_t)
 auth_domtrans_chk_passwd(portslave_t)
+auth_domtrans_upd_passwd_chk(portslave_t)
 
 init_rw_utmp(portslave_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.0.8/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postfix.fc	2008-06-12 23:37:58.000000000 -0400
@@ -14,6 +14,7 @@
 /usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ', `
 /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@@ -32,7 +33,6 @@
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
 /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postfix.if	2008-06-12 23:37:58.000000000 -0400
@@ -41,6 +41,8 @@
 	allow postfix_$1_t self:unix_stream_socket connectto;
 
 	allow postfix_master_t postfix_$1_t:process signal;
+	#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+	allow postfix_$1_t postfix_master_t:file read;
 
 	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
 	read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
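Review bot: The raw `allow postfix_$1_t postfix_master_t:file read;` grants only `read` on the master process's state files, and this same diff later adds `postfix_read_master_state`, which does the same thing via `read_files_pattern`. Using the pattern here keeps the template consistent with that interface and with the surrounding `read_files_pattern` calls: `read_files_pattern(postfix_$1_t,postfix_master_t,postfix_master_t)`. A bare bugzilla URL is not a comment; a few words on what the child processes read from the master would help.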
@@ -56,6 +58,8 @@
 	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
 	files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
 
+	auth_use_nsswitch(postfix_$1_t)
+
 	kernel_read_system_state(postfix_$1_t)
 	kernel_read_network_state(postfix_$1_t)
 	kernel_read_all_sysctls(postfix_$1_t)
@@ -66,6 +70,7 @@
 
 	fs_search_auto_mountpoints(postfix_$1_t)
 	fs_getattr_xattr_fs(postfix_$1_t)
+	fs_rw_anon_inodefs_files(postfix_$1_t)
 
 	term_dontaudit_use_console(postfix_$1_t)
 
@@ -132,11 +137,6 @@
 	corenet_tcp_connect_all_ports(postfix_$1_t)
 	corenet_sendrecv_all_client_packets(postfix_$1_t)
 
-	sysnet_read_config(postfix_$1_t)
-
-	optional_policy(`
-		nis_use_ypbind(postfix_$1_t)
-	')
 ')
 
 ########################################
@@ -211,9 +211,8 @@
 		type postfix_etc_t;
 	')
 
-	allow $1 postfix_etc_t:dir { getattr read search };
-	allow $1 postfix_etc_t:file { read getattr };
-	allow $1 postfix_etc_t:lnk_file { getattr read };
+	read_files_pattern($1, postfix_etc_t, postfix_etc_t)
+	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
 	files_search_etc($1)
 ')
 
@@ -269,6 +268,42 @@
 
 ########################################
 ## <summary>
+##	Allow domain to read postfix local process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_local_state',`
+	gen_require(`
+		type postfix_local_t;
+	')
+
+	read_files_pattern($1,postfix_local_t,postfix_local_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to read postfix master process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_master_state',`
+	gen_require(`
+		type postfix_master_t;
+	')
+
+	read_files_pattern($1,postfix_master_t,postfix_master_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use
 ##	postfix master process file
 ##	file descriptors.
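Review bot: Both new interfaces `postfix_read_local_state` and `postfix_read_master_state` document their parameter as `Domain to not audit.`, but they are allow interfaces, so the param summary should read `Domain allowed access.` as in the rest of this file. Their summaries also lack the terminating period used by the other interface summaries here.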
@@ -434,6 +469,25 @@
 
 ########################################
 ## <summary>
+##	Read postfix mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_spool_files',`
+	gen_require(`
+		type postfix_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,postfix_spool_t, postfix_spool_t)
+')
+
+########################################
+## <summary>
 ##	Execute postfix user mail programs
 ##	in their respective domains.
 ## </summary>
@@ -450,3 +504,61 @@
 
 	typeattribute $1 postfix_user_domtrans;
 ')
+
+########################################
+## <summary>
+##	Create a named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_create_pivate_sockets',`
+	gen_require(`
+		type postfix_private_t;
+	')
+
+	allow $1 postfix_private_t:dir list_dir_perms;
+	create_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
+
+########################################
+## <summary>
+##	Manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_manage_pivate_sockets',`
+	gen_require(`
+		type postfix_private_t;
+	')
+
+	allow $1 postfix_private_t:dir list_dir_perms;
+	manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
+
+
+########################################
+## <summary>
+##	Manage postfix mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_manage_spool_files',`
+	gen_require(`
+		type postfix_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1,postfix_spool_t, postfix_spool_t)
+')
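Review bot: The interface names `postfix_create_pivate_sockets` and `postfix_manage_pivate_sockets` misspell "private", and because interface names are the module's public API the typo will have to be carried by every caller once it ships; rename them to `postfix_create_private_sockets` and `postfix_manage_private_sockets` before merging. Minor style: a double blank line precedes the `postfix_manage_spool_files` header, and `manage_files_pattern($1,postfix_spool_t, postfix_spool_t)` mixes spaced and unspaced argument separators (the same applies to `postfix_read_spool_files` in the earlier hunk).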
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2008-06-12 23:37:59.000000000 -0400
@@ -6,6 +6,14 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## 
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool,false)
+
 attribute postfix_user_domains;
 # domains that transition to the
 # postfix user domains
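Review bot: The tunable description contains an empty `## ` line (with trailing whitespace) between the text and `</p>`, which only adds noise to the generated documentation; drop it so `## Allow postfix_local domain full write access to mail_spool directories` is followed directly by `## </p>`. Since the tunable defaults to `false`, the description would also be more useful if it said which delivery setup requires turning it on.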
@@ -27,6 +35,10 @@
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 
+tunable_policy(`allow_postfix_local_write_mail_spool', `
+	mta_manage_spool(postfix_local_t)
+')
+
 type postfix_local_tmp_t;
 files_tmp_file(postfix_local_tmp_t)
 
@@ -34,6 +46,7 @@
 type postfix_map_t;
 type postfix_map_exec_t;
 application_domain(postfix_map_t,postfix_map_exec_t)
+role system_r types postfix_map_t;
 
 type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
@@ -83,6 +96,12 @@
 type postfix_var_run_t;
 files_pid_file(postfix_var_run_t)
 
+postfix_server_domain_template(virtual)
+mta_mailserver_delivery(postfix_virtual_t)
+
+type postfix_virtual_tmp_t;
+files_tmp_file(postfix_virtual_tmp_t)
+
 ########################################
 #
 # Postfix master process local policy
@@ -93,6 +112,7 @@
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
 
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 
@@ -164,10 +184,11 @@
 # postfix does a "find" on startup for some reason - keep it quiet
 seutil_dontaudit_search_config(postfix_master_t)
 
-sysnet_read_config(postfix_master_t)
-
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
+
+term_dontaudit_search_ptys(postfix_master_t)
 
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
@@ -179,7 +200,11 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(postfix_master_t)
+	mysql_stream_connect(postfix_master_t)
+')
+
+optional_policy(`
+	sendmail_signal(postfix_master_t)
 ')
 
 ###########################################################
@@ -238,6 +263,10 @@
 
 corecmd_exec_bin(postfix_cleanup_t)
 
+optional_policy(`
+	mailman_read_data_files(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Postfix local local policy
@@ -263,6 +292,8 @@
 
 files_read_etc_files(postfix_local_t)
 
+logging_dontaudit_search_logs(postfix_local_t)
+
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
@@ -270,11 +301,14 @@
 
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
+	clamav_exec_clamscan(postfix_local_t)
 ')
 
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
+	mailman_append_log(postfix_local_t)
+	mailman_read_log(postfix_local_t)
 ')
 
 optional_policy(`
@@ -327,6 +361,8 @@
 files_read_etc_runtime_files(postfix_map_t)
 files_dontaudit_search_var(postfix_map_t)
 
+auth_use_nsswitch(postfix_map_t)
+
 libs_use_ld_so(postfix_map_t)
 libs_use_shared_libs(postfix_map_t)
 
@@ -334,10 +370,6 @@
 
 miscfiles_read_localization(postfix_map_t)
 
-seutil_read_config(postfix_map_t)
-
-sysnet_read_config(postfix_map_t)
-
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
@@ -350,10 +382,6 @@
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 
-optional_policy(`
-	nscd_socket_use(postfix_map_t)
-')
-
 ########################################
 #
 # Postfix pickup local policy
@@ -377,7 +405,7 @@
 # Postfix pipe local policy
 #
 
-allow postfix_pipe_t self:fifo_file { read write };
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
 
 write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
 
@@ -386,6 +414,10 @@
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 
 optional_policy(`
+	dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
 	procmail_domtrans(postfix_pipe_t)
 ')
 
@@ -394,6 +426,10 @@
 ')
 
 optional_policy(`
+	mta_manage_spool(postfix_pipe_t)
+')
+
+optional_policy(`
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
 
@@ -418,14 +454,17 @@
 term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
 
-sysnet_dns_name_resolve(postfix_postdrop_t)
-
 mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
 
 optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')
 
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
+optional_policy(`
+	fstools_read_pipes(postfix_postdrop_t)
+')
+
 optional_policy(`
 	ppp_use_fds(postfix_postqueue_t)
 	ppp_sigchld(postfix_postqueue_t)
@@ -454,8 +493,6 @@
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
 
-sysnet_dontaudit_read_config(postfix_postqueue_t)
-
 ########################################
 #
 # Postfix qmgr local policy
@@ -498,15 +535,11 @@
 term_use_all_user_ptys(postfix_showq_t)
 term_use_all_user_ttys(postfix_showq_t)
 
-sysnet_dns_name_resolve(postfix_showq_t)
-
 ########################################
 #
 # Postfix smtp delivery local policy
 #
 
-allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
-
 # connect to master process
 stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
 
@@ -514,6 +547,8 @@
 
 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
 
+files_dontaudit_getattr_home_dir(postfix_smtp_t)
+
 optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
@@ -538,9 +573,45 @@
 mta_read_aliases(postfix_smtpd_t)
 
 optional_policy(`
+	mailman_read_data_files(postfix_smtpd_t)
+')
+
+optional_policy(`
 	postgrey_stream_connect(postfix_smtpd_t)
 ')
 
 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
+
+optional_policy(`
+	dovecot_auth_stream_connect(postfix_smtpd_t)
+')
+
+########################################
+#
+# Postfix virtual local policy
+#
+
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+allow postfix_virtual_t self:process { setsched setrlimit };
+
+manage_dirs_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t)
+manage_files_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t)
+files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
+
+# connect to master process
+stream_connect_pattern(postfix_virtual_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+corecmd_exec_shell(postfix_virtual_t)
+corecmd_exec_bin(postfix_virtual_t)
+
+files_read_etc_files(postfix_virtual_t)
+
+mta_read_aliases(postfix_virtual_t)
+mta_delete_spool(postfix_virtual_t)
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
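Review bot: In the new postfix_virtual stanza `mta_delete_spool(postfix_virtual_t)` is immediately followed by `mta_manage_spool(postfix_virtual_t)`; manage access normally includes delete, so the first call is redundant and should be dropped. The comment `# For reading spamassasin` above `mta_read_config` is copied from the postfix_local stanza together with its misspelling; either correct it to `# For reading spamassassin config` or drop it if virtual delivery does not read that config.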
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.0.8/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postgresql.fc	2008-06-12 23:37:59.000000000 -0400
@@ -38,3 +38,5 @@
 ')
 
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.8/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postgresql.if	2008-06-12 23:37:58.000000000 -0400
@@ -113,3 +113,77 @@
         # Some versions of postgresql put the sock file in /tmp
 	allow $1 postgresql_tmp_t:sock_file write;
 ')
+
+########################################
+## <summary>
+##	Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+	gen_require(`
+		type postgresql_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgresql domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the postgresql domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+	gen_require(`
+		type postgresql_t;
+		type postgresql_var_run_t;
+		type postgresql_tmp_t;
+		type postgresql_db_t;
+		type postgresql_etc_t;
+		type postgresql_log_t;
+	')
+
+	allow $1 postgresql_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, postgresql_t, postgresql_t)
+
+	# Allow $1 to restart the apache service
+	postgresql_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 postgresql_script_exec_t system_r;
+	allow $2 system_r;
+
+	manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+	manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+
+	manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
+	manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
+
+	manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
+	manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
+
+	manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
+	manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
+
+	manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+	manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+')
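Review bot: The comment `# Allow $1 to restart the apache service` inside `postgresql_admin` is a copy-paste leftover and should read `# Allow $1 to restart the postgresql service`. The interface documents a third `terminal` parameter that the body never uses, and `role_transition $2 postgresql_script_exec_t system_r;` references `postgresql_script_exec_t` without listing it in this interface's own `gen_require` (it is only required transitively through `postgresql_script_domtrans`). The summaries also contain typos: `posgresql` in `postgresql_script_domtrans` and `an postgresql` in `postgresql_admin`.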
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postgresql.te	2008-06-12 23:37:59.000000000 -0400
@@ -27,6 +27,9 @@
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
 ########################################
 #
 # postgresql Local policy
@@ -42,7 +45,6 @@
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
 manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
@@ -101,6 +103,7 @@
 
 fs_getattr_all_fs(postgresql_t)
 fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
 
 term_use_controlling_term(postgresql_t)
 
@@ -118,6 +121,8 @@
 
 init_read_utmp(postgresql_t)
 
+auth_use_nsswitch(postgresql_t)
+
 libs_use_ld_so(postgresql_t)
 libs_use_shared_libs(postgresql_t)
 
@@ -127,9 +132,6 @@
 
 seutil_dontaudit_search_config(postgresql_t)
 
-sysnet_read_config(postgresql_t)
-sysnet_use_ldap(postgresql_t)
-
 userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
 userdom_dontaudit_use_sysadm_ttys(postgresql_t)
 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
@@ -158,10 +160,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(postgresql_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(postgresql_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.0.8/policy/modules/services/postgrey.fc
--- nsaserefpolicy/policy/modules/services/postgrey.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postgrey.fc	2008-06-12 23:37:58.000000000 -0400
@@ -7,3 +7,5 @@
 
 /var/run/postgrey(/.*)?		gen_context(system_u:object_r:postgrey_var_run_t,s0)
 /var/run/postgrey\.pid	--	gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.0.8/policy/modules/services/postgrey.if
--- nsaserefpolicy/policy/modules/services/postgrey.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postgrey.if	2008-06-12 23:37:58.000000000 -0400
@@ -12,10 +12,11 @@
 #
 interface(`postgrey_stream_connect',`
         gen_require(`
-                type postgrey_var_run_t, postgrey_t;
+                type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
         ')
 
 	allow $1 postgrey_t:unix_stream_socket connectto;
         allow $1 postgrey_var_run_t:sock_file write;
+        allow $1 postgrey_spool_t:sock_file write;
 	files_search_pids($1)
 ')
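Review bot: The new `allow $1 postgrey_spool_t:sock_file write;` targets a socket that the .fc hunk places under `/var/spool/postfix/postgrey`, but the interface only grants `files_search_pids($1)`; a caller also needs search on the spool path to reach it. `files_search_spool($1)`, used elsewhere in this diff, plus search on the postfix spool directory type would cover that; whether callers already have those rights is not visible from the hunk. Style: the added line is indented with spaces although refpolicy uses a tab, which perpetuates the mixed indentation already present in this interface.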
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.0.8/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/postgrey.te	2008-06-12 23:37:58.000000000 -0400
@@ -13,6 +13,9 @@
 type postgrey_etc_t;
 files_config_file(postgrey_etc_t)
 
+type postgrey_spool_t;
+files_type(postgrey_spool_t)
+
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
 
@@ -24,15 +27,21 @@
 # Local policy
 #
 
-allow postgrey_t self:capability { chown setgid setuid };
+allow postgrey_t self:capability { chown dac_override setgid setuid };
 dontaudit postgrey_t self:capability sys_tty_config;
 allow postgrey_t self:process signal_perms;
 allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:fifo_file create_fifo_file_perms;
 
 allow postgrey_t postgrey_etc_t:dir list_dir_perms;
 read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
 read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
 
+manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+
 manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
 
@@ -68,6 +77,8 @@
 fs_getattr_all_fs(postgrey_t)
 fs_search_auto_mountpoints(postgrey_t)
 
+auth_use_nsswitch(postgrey_t)
+
 libs_use_ld_so(postgrey_t)
 libs_use_shared_libs(postgrey_t)
 
@@ -75,13 +86,12 @@
 
 miscfiles_read_localization(postgrey_t)
 
-sysnet_read_config(postgrey_t)
-
 userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
 userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
 
 optional_policy(`
-	nis_use_ypbind(postgrey_t)
+	postfix_read_config(postgrey_t)
+	postfix_manage_spool_files(postgrey_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ppp.fc	2008-06-12 23:37:58.000000000 -0400
@@ -25,7 +25,7 @@
 #
 # /var
 #
-/var/run/(i)?ppp.*pid		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/(i)?ppp.*pid[^/]*	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/pppd[0-9]*\.tdb	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/ppp(/.*)?			gen_context(system_u:object_r:pppd_var_run_t,s0)
 # Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ppp.if	2008-06-12 23:37:58.000000000 -0400
@@ -159,6 +159,25 @@
 
 ########################################
 ## <summary>
+##	Read ppp configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ppp_read_config',`
+	gen_require(`
+		type pppd_etc_t;
+	')
+
+	read_files_pattern($1, pppd_etc_t, pppd_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
 ##	Read PPP-writable configuration files.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ppp.te	2008-06-12 23:37:58.000000000 -0400
@@ -116,7 +116,7 @@
 
 kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
-kernel_read_net_sysctls(pppd_t)
+kernel_rw_net_sysctls(pppd_t)
 kernel_read_network_state(pppd_t)
 kernel_load_module(pppd_t)
 
@@ -197,11 +197,7 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(pppd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pppd_t)
+	networkmanager_signal(pppd_t)
 ')
 
 optional_policy(`
@@ -221,6 +217,7 @@
 # PPTP Local policy
 #
 
+allow pptp_t self:process signal; 
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:capability net_raw;
 allow pptp_t self:fifo_file { read write };
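Review bot: The new line `allow pptp_t self:process signal; ` carries trailing whitespace after the semicolon; strip it. Unrelated nit in the first hunk of this file: `kernel_read_net_sysctls` is widened to `kernel_rw_net_sysctls(pppd_t)` without a comment naming which net sysctl pppd writes.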
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.0.8/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/prelude.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,13 @@
+
+/sbin/audisp-prelude		--	gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
+
+/usr/bin/prelude-manager	--	gen_context(system_u:object_r:prelude_exec_t,s0)
+
+/etc/rc.d/init.d/prelude-manager	--	gen_context(system_u:object_r:prelude_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)?	gen_context(system_u:object_r:prelude_var_lib_t,s0)
+
+/var/run/prelude-manager(/.*)?	gen_context(system_u:object_r:prelude_var_run_t,s0)
+/var/spool/prelude-manager(/.*)?	gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)?	gen_context(system_u:object_r:prelude_spool_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
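Review bot: `/etc/rc.d/init.d/prelude-manager` leaves the dots unescaped, so the regex also matches names like `rcXd`; the postgresql.fc hunk in this same diff escapes them, so this should be `/etc/rc\.d/init\.d/prelude-manager`. The file also begins with an empty line, and the last entry labels `/usr/share/prewikka/cgi-bin` with `httpd_prewikka_script_exec_t`, a type that must be declared elsewhere (presumably the apache module) for this module to load — that declaration is not visible in this chunk.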
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.0.8/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/prelude.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,128 @@
+
+## <summary>policy for prelude</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run prelude.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans',`
+	gen_require(`
+		type prelude_t;
+                type prelude_exec_t;
+	')
+
+	domtrans_pattern($1,prelude_exec_t,prelude_t)
+')
+
+
+########################################
+## <summary>
+##	Execute prelude server in the prelude domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`prelude_script_domtrans',`
+	gen_require(`
+		type prelude_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,prelude_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an prelude environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelude_admin',`
+	gen_require(`
+		type prelude_t;
+		type prelude_spool_t;
+		type prelude_var_run_t;
+		type prelude_var_lib_t;
+		type prelude_script_exec_t;
+		type audisp_prelude_t;
+		type audisp_prelude_var_run_t;
+	')
+
+	allow $1 prelude_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, prelude_t, prelude_t)
+	        
+	allow $1 audisp_prelude_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, audisp_prelude_t, audisp_prelude_t)
+	        
+	# Allow prelude_t to restart the apache service
+	prelude_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 prelude_script_exec_t system_r;
+	allow $2 system_r;
+
+        manage_all_pattern($1, prelude_spool_t)
+        manage_all_pattern($1, prelude_var_lib_t)
+        manage_all_pattern($1, prelude_var_run_t)
+	manage_all_pattern($1, audisp_prelude_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run audisp_prelude.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`audisp_prelude_domtrans',`
+	gen_require(`
+		type audisp_prelude_t;
+                type audisp_prelude_exec_t;
+	')
+
+	domtrans_pattern($1,audisp_prelude_exec_t,audisp_prelude_t)
+')
+
+########################################
+## <summary>
+##	Signal the audisp_prelude domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`audisp_prelude_signal',`
+	gen_require(`
+		type audisp_prelude_t;
+	')
+
+	allow $1 audisp_prelude_t:process signal;
+')
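Review bot: prelude_admin's documentation does not match the interface: the role parameter summary says "The role to be allowed to manage the syslog domain", a terminal parameter is documented but $3 is never used, and the comment `# Allow prelude_t to restart the apache service` sits above prelude_script_domtrans($1), which lets the admin domain run the prelude init script. Suggested replacements are `##	The role to be allowed to manage the prelude domain.`, dropping the terminal param block (or using $3), and `# Allow the admin domain to run the prelude init script`. audisp_prelude_signal's parameter summary likewise says "Domain allowed to transition" for a signal-only interface, and prelude_script_domtrans's summary says it executes the prelude server whereas its body calls init_script_domtrans_spec with the init script type, so `##	Execute the prelude init script in the init script domain.` would describe it.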
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.0.8/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/prelude.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,162 @@
+policy_module(prelude,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type prelude_t;
+type prelude_exec_t;
+domain_type(prelude_t)
+init_daemon_domain(prelude_t, prelude_exec_t)
+
+type prelude_spool_t;
+files_type(prelude_spool_t)
+
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
+type prelude_var_lib_t;
+files_type(prelude_var_lib_t)
+
+type prelude_script_exec_t;
+init_script_type(prelude_script_exec_t)
+
+type audisp_prelude_t;
+type audisp_prelude_exec_t;
+domain_type(audisp_prelude_t)
+init_daemon_domain(audisp_prelude_t, audisp_prelude_exec_t)
+
+type audisp_prelude_var_run_t;
+files_pid_file(audisp_prelude_var_run_t)
+
+########################################
+#
+# prelude local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(prelude_t)
+
+allow prelude_t self:capability sys_tty_config;
+
+# internal communication is often done using fifo and unix sockets.
+allow prelude_t self:fifo_file rw_file_perms;
+allow prelude_t self:unix_stream_socket create_stream_socket_perms;
+
+allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_t self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(prelude_t)
+dev_read_urand(prelude_t)
+
+manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+
+files_read_etc_files(prelude_t)
+files_read_usr_files(prelude_t)
+
+files_search_var_lib(prelude_t)
+manage_dirs_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
+manage_files_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
+
+files_search_spool(prelude_t)
+manage_dirs_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
+manage_files_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
+
+auth_use_nsswitch(prelude_t)
+
+libs_use_ld_so(prelude_t)
+libs_use_shared_libs(prelude_t)
+
+logging_send_audit_msgs(prelude_t)
+logging_send_syslog_msg(prelude_t)
+
+miscfiles_read_localization(prelude_t)
+
+corenet_all_recvfrom_unlabeled(prelude_t)
+corenet_all_recvfrom_netlabel(prelude_t)
+corenet_tcp_sendrecv_all_if(prelude_t)
+corenet_tcp_sendrecv_all_nodes(prelude_t)
+corenet_tcp_bind_all_nodes(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+
+corecmd_search_bin(prelude_t)
+
+optional_policy(`
+	mysql_search_db(prelude_t)
+	mysql_stream_connect(prelude_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(prelude_t)
+')
+
+########################################
+#
+# audisp_prelude local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(audisp_prelude_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow audisp_prelude_t self:fifo_file rw_file_perms;
+allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms;
+allow audisp_prelude_t self:tcp_socket create_socket_perms;
+
+manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t)
+files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file)
+
+dev_read_rand(audisp_prelude_t)
+dev_read_urand(audisp_prelude_t)
+
+files_read_etc_files(audisp_prelude_t)
+
+libs_use_ld_so(audisp_prelude_t)
+libs_use_shared_libs(audisp_prelude_t)
+
+logging_send_syslog_msg(audisp_prelude_t)
+
+miscfiles_read_localization(audisp_prelude_t)
+
+corecmd_search_bin(audisp_prelude_t)
+allow audisp_prelude_t self:unix_dgram_socket create_socket_perms;
+
+logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t)
+
+files_search_spool(audisp_prelude_t)
+manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
+manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
+
+corenet_all_recvfrom_unlabeled(audisp_prelude_t)
+corenet_all_recvfrom_netlabel(audisp_prelude_t)
+corenet_tcp_sendrecv_all_if(audisp_prelude_t)
+corenet_tcp_sendrecv_all_nodes(audisp_prelude_t)
+corenet_tcp_bind_all_nodes(audisp_prelude_t)
+corenet_tcp_connect_prelude_port(audisp_prelude_t)
+
+allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;
+
+########################################
+#
+# prewikka_cgi Declarations
+#
+
+optional_policy(`
+	apache_content_template(prewikka)
+	files_read_etc_files(httpd_prewikka_script_t)
+
+	optional_policy(`
+		mysql_search_db(httpd_prewikka_script_t)
+		mysql_stream_connect(httpd_prewikka_script_t)
+	')
+
+	optional_policy(`
+		postgresql_stream_connect(httpd_prewikka_script_t)
+	')
+')
+
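Review bot: `allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;` references audisp_t, a type owned by the logging module, directly in a .te file; refpolicy convention is to express cross-module access through an interface of the owning module, and the rule only links if something already in scope (presumably logging_audisp_system_domain's gen_require) pulls audisp_t in. Moving it into a logging_* interface, or confirming logging_audisp_system_domain already grants it, keeps the layering intact. Separately, audisp_prelude_t gets corenet_tcp_bind_all_nodes without any port-bind rule, so that bind permission is inert and can be dropped unless a port is intended, and the header `# prewikka_cgi Declarations` precedes policy rules rather than declarations.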
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.0.8/policy/modules/services/privoxy.fc
--- nsaserefpolicy/policy/modules/services/privoxy.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/privoxy.fc	2008-06-12 23:37:58.000000000 -0400
@@ -1,6 +1,8 @@
 
 /etc/privoxy/user\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
 
+/etc/privoxy/default\.action --	gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
 /usr/sbin/privoxy	--	gen_context(system_u:object_r:privoxy_exec_t,s0)
 
 /var/log/privoxy(/.*)?		gen_context(system_u:object_r:privoxy_log_t,s0)
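Review bot: Labelling /etc/privoxy/default.action as privoxy_etc_rw_t lets privoxy_t rewrite the distribution-shipped action file, not only the user one above it, and the entry carries no comment saying why. If this is for the web-based actions editor, a comment such as `# default.action is editable through privoxy's web interface` would let a later reader judge whether the write access is still wanted.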
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.0.8/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/privoxy.te	2008-06-12 23:37:58.000000000 -0400
@@ -51,6 +51,7 @@
 corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
 corenet_sendrecv_http_cache_client_packets(privoxy_t)
 corenet_sendrecv_http_cache_server_packets(privoxy_t)
 corenet_sendrecv_http_client_packets(privoxy_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.0.8/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,2 +1,4 @@
 
 /usr/bin/procmail	--	gen_context(system_u:object_r:procmail_exec_t,s0)
+/var/log/procmail\.log.*  -- gen_context(system_u:object_r:procmail_log_t,s0)
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.0.8/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.if	2008-06-12 23:37:58.000000000 -0400
@@ -39,3 +39,41 @@
 	corecmd_search_bin($1)
 	can_exec($1,procmail_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 procmail_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read/write procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_rw_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.te	2008-06-12 23:37:58.000000000 -0400
@@ -14,6 +14,10 @@
 type procmail_tmp_t;
 files_tmp_file(procmail_tmp_t)
 
+# log files
+type procmail_log_t;
+logging_log_file(procmail_log_t) 
+
 ########################################
 #
 # Local policy
@@ -27,9 +31,18 @@
 allow procmail_t self:tcp_socket create_stream_socket_perms;
 allow procmail_t self:udp_socket create_socket_perms;
 
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
+allow procmail_t procmail_log_t:dir setattr;
+create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
+append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
+read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
+logging_log_filetrans(procmail_t,procmail_log_t, { file dir })
+
 allow procmail_t procmail_tmp_t:file manage_file_perms;
 files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
 
+can_exec(procmail_t,procmail_exec_t)
+
 kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)
 
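Review bot: `logging_log_filetrans(procmail_t,procmail_log_t, { file dir })` includes the dir class, but the preceding rules only grant create/append on files (create_files_pattern, append_files_pattern) and setattr on the directory, so procmail_t cannot create a /var/log/procmail directory and the dir half of the transition never applies. Either add `create_dirs_pattern(procmail_t,procmail_log_t,procmail_log_t)` if procmail is meant to create that directory, or drop `dir` from the filetrans. The new `can_exec(procmail_t,procmail_exec_t)` line also lacks a comment saying why procmail needs to re-execute itself.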
@@ -50,11 +63,13 @@
 
 fs_getattr_xattr_fs(procmail_t)
 fs_search_auto_mountpoints(procmail_t)
+fs_rw_anon_inodefs_files(procmail_t)
 
 auth_use_nsswitch(procmail_t)
 
 corecmd_exec_bin(procmail_t)
 corecmd_exec_shell(procmail_t)
+corecmd_read_bin_symlinks(procmail_t)
 
 files_read_etc_files(procmail_t)
 files_read_etc_runtime_files(procmail_t)
@@ -65,6 +80,9 @@
 libs_use_ld_so(procmail_t)
 libs_use_shared_libs(procmail_t)
 
+logging_send_syslog_msg(procmail_t)
+logging_read_all_logs(procmail_t)
+
 miscfiles_read_localization(procmail_t)
 
 # only works until we define a different type for maildir
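Review bot: `logging_read_all_logs(procmail_t)` grants read on every log type in the system to a domain that delivers mail for arbitrary users and runs their rc recipes, which is far broader than the procmail_log_t access set up earlier in this file. If the denial being fixed was procmail reading back its own log, `read_files_pattern(procmail_t,procmail_log_t,procmail_log_t)` is the matching rule; if another log type is actually needed, name it in a comment. Moving logging_send_syslog_msg out of the optional block is consistent with logging being a base module, and the matching removal appears in the next hunk.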
@@ -97,26 +115,31 @@
 ')
 
 optional_policy(`
-	logging_send_syslog_msg(procmail_t)
+	cron_read_pipes(procmail_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(procmail_t)
+	munin_dontaudit_search_lib(procmail_t)
 ')
 
 optional_policy(`
 	# for a bug in the postfix local program
 	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
 	postfix_dontaudit_use_fds(procmail_t)
+	postfix_read_spool_files(procmail_t)
+	postfix_read_local_state(procmail_t)
+	postfix_read_master_state(procmail_t)
 ')
 
 optional_policy(`
 	pyzor_domtrans(procmail_t)
+	pyzor_signal(procmail_t)
 ')
 
 optional_policy(`
 	mta_read_config(procmail_t)
 	sendmail_domtrans(procmail_t)
+	sendmail_signal(procmail_t)
 	sendmail_rw_tcp_sockets(procmail_t)
 	sendmail_rw_unix_stream_sockets(procmail_t)
 ')
@@ -125,7 +148,12 @@
 	corenet_udp_bind_generic_port(procmail_t)
 	corenet_dontaudit_udp_bind_all_ports(procmail_t)
 
+	spamassassin_manage_user_home_files(procmail_t)
 	spamassassin_exec(procmail_t)
 	spamassassin_exec_client(procmail_t)
 	spamassassin_read_lib_files(procmail_t)
 ')
+
+optional_policy(`
+	mailscanner_read_spool(procmail_t)
+')
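Review bot: `spamassassin_manage_user_home_files(procmail_t)` grants create, write and delete on users' spamassassin home content rather than read only, and nothing in the hunk says why. Since the existing spamassassin_exec(procmail_t) runs spamassassin inside procmail_t rather than transitioning, Bayes database updates presumably happen as procmail_t; if that is the reason, a comment such as `# spamassassin runs in procmail_t and updates ~/.spamassassin` should say so, and if only spamc is used the manage access can be dropped. The new mailscanner optional block is fine.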
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.0.8/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/pyzor.if	2008-06-12 23:37:58.000000000 -0400
@@ -25,16 +25,16 @@
 #
 template(`pyzor_per_role_template',`
 	gen_require(`
-		type pyzord_t;
+		type pyzor_t;
 	')
 
 	type $1_pyzor_home_t;
 	userdom_user_home_content($1,$1_pyzor_home_t)
 
-	manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
-	manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
-	manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
-	userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
+	manage_dirs_pattern(pyzor_t,$1_pyzor_home_t,$1_pyzor_home_t)
+	manage_files_pattern(pyzor_t,$1_pyzor_home_t,$1_pyzor_home_t)
+	manage_lnk_files_pattern(pyzor_t,$1_pyzor_home_t,$1_pyzor_home_t)
+	userdom_user_home_dir_filetrans($1,pyzor_t,$1_pyzor_home_t,{ dir file lnk_file })
 ')
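Review bot: The template now gives pyzor_t, rather than pyzord_t, the manage and filetrans rights on $1_pyzor_home_t, which shifts the access from the daemon to the client domain. If pyzord_t still exists in pyzor.te and needs to reach the per-user pyzor home it loses that here; if the daemon type was dropped the rename is correct but deserves a short comment in the template, e.g. `# the pyzor client keeps its data under the user's home`.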
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.0.8/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/pyzor.te	2008-06-12 23:37:58.000000000 -0400
@@ -68,6 +68,8 @@
 
 miscfiles_read_localization(pyzor_t)
 
+mta_read_queue(pyzor_t)
+
 userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
 
 optional_policy(`
@@ -76,8 +78,13 @@
 ')
 
 optional_policy(`
+	procmail_read_tmp_files(pyzor_t)
+')
+
+optional_policy(`
 	spamassassin_signal_spamd(pyzor_t)
 	spamassassin_read_spamd_tmp_files(pyzor_t)
+	userdom_read_user_home_content_files(unconfined,pyzor_t)
 ')
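Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` hard-codes the unconfined user prefix and sits inside the spamassassin optional block, although it depends on the userdom/unconfined templates rather than on spamassassin. If the goal is reading every user's home content, `userdom_read_all_users_home_content_files(pyzor_t)` avoids the hard-coded prefix; otherwise the call belongs in its own optional_policy block so a build without spamassassin still gets it.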
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/q serefpolicy-3.0.8/policy/modules/services/q
--- nsaserefpolicy/policy/modules/services/q	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/q	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,156 @@
+seinfo(1)                                                            seinfo(1)
+
+
+
+NNAAMMEE
+       seinfo - SELinux policy query tool
+
+SSYYNNOOPPSSIISS
+       sseeiinnffoo [OPTIONS] [EXPRESSION] [POLICY ...]
+
+DDEESSCCRRIIPPTTIIOONN
+       sseeiinnffoo allows the user to query the components of a SELinux policy.
+
+PPOOLLIICCYY
+       sseeiinnffoo supports loading a SELinux policy in one of four formats.
+
+       source A  single  text  file  containing  policy source for versions 12
+              through 21. This file is usually named policy.conf.
+
+       binary A single file containing a monolithic kernel binary  policy  for
+              versions  15 through 21. This file is usually named by version -
+              for example, policy.20.
+
+       modular
+              A list of policy packages each containing a loadable policy mod-
+              ule. The first module listed must be a base module.
+
+       policy list
+              A single text file containing all the information needed to load
+              a policy, usually exported by SETools graphical utilities.
+
+       If no policy file is  provided,  sseeiinnffoo  will  search  for  the  system
+       default  policy:  checking first for a source policy, next for a binary
+       policy matching the running kernel’s preferred version, and finally for
+       the  highest  version  that  can  be found.  If no policy can be found,
+       sseeiinnffoo will print an error message and exit.
+
+EEXXPPRREESSSSIIOONNSS
+       One or more of the following  component  types  can  be  queried.  Each
+       option  may  only be specified once.  If an option is provided multiple
+       times, the last instance will be used. Some components support  the  -x
+       flag  to print expanded information about that component; if a particu-
+       lar component specified does not support expanded information, the flag
+       will  be  ignored  for that component (see -x below). If no expressions
+       are provided, policy statistics will be printed (see --stats below).
+
+       -c[NAME], --class[=NAME]
+              Print a list of object classes or, if NAME  is  provided,  print
+              the object class NAME.  With -x, print a list of permissions for
+              each displayed object class.
+
+       --sensitivity[=NAME]
+              Print a list of sensitivities or, if NAME is provided, print the
+              sensitivity NAME.  With -x, print the corresponding level state-
+              ment for each displayed sensitivity.
+
+       --category[=NAME]
+              Print a list of categories or, if NAME is  provided,  print  the
+              category  NAME.   With  -x,  print  a list of sensitivities with
+              which each displayed category may be associated.
+
+       -t[NAME], --type[=NAME]
+              Print a list of types (not including aliases or attributes)  or,
+              if NAME is provided, print the type NAME.  With -x, print a list
+              of attributes which include each displayed type.
+
+       -a[NAME], --attribute[=NAME]
+              Print a list of type attributes or, if NAME is  provided,  print
+              the  attribute NAME.  With -x, print a list of types assigned to
+              each displayed attribute.
+
+       -r[NAME], --role[=NAME]
+              Print a list of roles or, if NAME is provided,  print  the  role
+              NAME.  With -x, print a list of types assigned to each displayed
+              role.
+
+       -u[NAME], --user[=NAME]
+              Print a list of users or, if NAME is provided,  print  the  user
+              NAME.  With -x, print a list of roles assigned to each displayed
+              user.
+
+       -b[NAME], --bool[=NAME]
+              Print a list of conditional booleans or, if  NAME  is  provided,
+              print  the  boolean  NAME.   With -x, print the default state of
+              each displayed conditional boolean.
+
+       --initialsid[=NAME]
+              Print a list of initial SIDs or, if NAME is provided, print  the
+              initial  SID  NAME.  With -x, print the context assigned to each
+              displayed SID.
+
+       --fs_use[=TYPE]
+              Print a list of fs_use statements or, if TYPE is provided, print
+              the  statement for filesystem TYPE.  There is no expanded infor-
+              mation for this component.
+
+       --genfscon[=TYPE]
+              Print a list of genfscon statements or,  if  TYPE  is  provided,
+              print  the  statement  for  the  filesystem  TYPE.   There is no
+              expanded information for this component.
+
+       --netifcon[=NAME]
+              Print a list of netif contexts or, if NAME  is  provided,  print
+              the statement for interface NAME.  There is no expanded informa-
+              tion for this component.
+
+       --nodecon[=ADDR]
+              Print a list of node contexts or, if ADDR is provided, print the
+              statement  for the node with address ADDR.  There is no expanded
+              information for this component.
+
+       --portcon[=PORT]
+              Print a list of port contexts or, if PORT is provided, print the
+              statement  for  port PORT.  There is no expanded information for
+              this component.
+
+       --protocol=PROTO
+              Print only portcon  statements  for  the  protocol  PROTO.  This
+              option is ignored if portcon statements are not printed or if no
+              statement exists for the requested port.
+
+       --all  Print all components.
+
+OOPPTTIIOONNSS
+       -x, --expand
+              Print additional details for each component matching the expres-
+              sion.   These details include the types assigned to an attribute
+              or role and the permissions for an object class.  This option is
+              not  available  for  all component types; see the description of
+              each component for the details this option will provide.
+
+       --stats
+              Print policy statistics including policy type and version infor-
+              mation and counts of all components and rules.
+
+       -h, --help
+              Print help information and exit.
+
+       -V, --version
+              Print version information and exit.
+
+AAUUTTHHOORR
+       This  manual page was written by Jeremy A. Mowery <jmowery@tresys.com>.
+
+CCOOPPYYRRIIGGHHTT
+       Copyright(C) 2003-2007 Tresys Technology, LLC
+
+BBUUGGSS
+       Please report bugs via an email to setools-bugs@tresys.com.
+
+SSEEEE AALLSSOO
+       sesearch(1), apol(1)
+
+
+
+                                                                     seinfo(1)
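Review bot: The new file policy/modules/services/q is a rendered seinfo(1) manual page (note the doubled-letter overstrike headings such as NNAAMMEE), not policy, and it carries no .te/.if/.fc suffix the build would pick up; it looks like pager output accidentally redirected into the tree. It should be dropped from the patch rather than shipped in the policy source.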
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.8/policy/modules/services/radius.fc
--- nsaserefpolicy/policy/modules/services/radius.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/radius.fc	2008-06-12 23:37:59.000000000 -0400
@@ -18,3 +18,4 @@
 
 /var/run/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_run_t,s0)
 /var/run/radiusd\.pid	--	gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/lib/radiousd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)
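Review bot: The new path `/var/lib/radiousd(/.*)?` is spelled with an extra "o"; the other radius paths in this file and the radiusd_var_lib_t type added in radius.te use `radiusd`, so unless the package really installs /var/lib/radiousd this entry never matches and the directory keeps the generic var_lib label. The line should read `/var/lib/radiusd(/.*)?		gen_context(system_u:object_r:radiusd_var_lib_t,s0)`.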
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.8/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/radius.te	2008-06-12 23:37:58.000000000 -0400
@@ -19,6 +19,9 @@
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
 
+type radiusd_var_lib_t;
+files_type(radiusd_var_lib_t)
+
 type radiusd_var_run_t;
 files_pid_file(radiusd_var_run_t)
 
@@ -52,6 +55,8 @@
 manage_files_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
 logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
 
+manage_files_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t)
+
 manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
 files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
 
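Review bot: Only `manage_files_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t)` is granted for the new var_lib type; no manage_dirs_pattern and no files_search_var_lib(radiusd_t) is visible in this hunk, so radiusd_t can manage files inside an existing directory but cannot create subdirectories, and only reaches the directory if search on var_lib_t is granted elsewhere in the file. If that is the intended minimum, a short comment saying what radiusd keeps under /var/lib/radiusd would make the choice deliberate.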
@@ -73,6 +78,7 @@
 corenet_sendrecv_radacct_server_packets(radiusd_t)
 # for RADIUS proxy port
 corenet_udp_bind_generic_port(radiusd_t)
+corenet_dontaudit_udp_bind_all_ports(radiusd_t)
 corenet_sendrecv_generic_server_packets(radiusd_t)
 
 dev_read_sysfs(radiusd_t)
@@ -82,6 +88,7 @@
 
 auth_read_shadow(radiusd_t)
 auth_domtrans_chk_passwd(radiusd_t)
+auth_domtrans_upd_passwd_chk(radiusd_t)
 
 corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.0.8/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/radvd.te	2008-06-12 23:37:58.000000000 -0400
@@ -27,6 +27,7 @@
 allow radvd_t self:rawip_socket create_socket_perms;
 allow radvd_t self:tcp_socket create_stream_socket_perms;
 allow radvd_t self:udp_socket create_socket_perms;
+allow radvd_t self:fifo_file rw_file_perms;
 
 allow radvd_t radvd_etc_t:file read_file_perms;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.0.8/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/razor.if	2008-06-12 23:37:58.000000000 -0400
@@ -218,3 +218,41 @@
 
 	domtrans_pattern($1, razor_exec_t, razor_t)
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete razor files
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete razor files
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`razor_manage_user_home_files',`
+	gen_require(`
+		type $1_home_dir_t, $1_razor_home_t;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search_dir_perms;
+	manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+	read_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.0.8/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/remotelogin.if	2008-06-12 23:37:58.000000000 -0400
@@ -18,3 +18,20 @@
 	auth_domtrans_login_program($1,remote_login_t)
 ')
 
+########################################
+## <summary>
+##	allow Domain to signal remote login domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+	gen_require(`
+		type remote_login_t;
+	')
+
+	allow $1 remote_login_t:process signal;
+')
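Review bot: The summary `##	allow Domain to signal remote login domain.` starts lower-case and capitalises Domain, unlike the other summaries in this patch; `##	Send a generic signal to the remote login domain.` matches the house style. The interface body is fine.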
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.0.8/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/remotelogin.te	2008-06-12 23:37:58.000000000 -0400
@@ -85,6 +85,7 @@
 
 miscfiles_read_localization(remote_login_t)
 
+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
 userdom_use_unpriv_users_fds(remote_login_t)
 userdom_search_all_users_home_content(remote_login_t)
 # Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.8/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rhgb.te	2008-06-12 23:37:59.000000000 -0400
@@ -59,6 +59,7 @@
 corenet_sendrecv_all_client_packets(rhgb_t)
 
 dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
 
 domain_use_interactive_fds(rhgb_t)
 
@@ -68,6 +69,7 @@
 files_search_tmp(rhgb_t)
 files_read_usr_files(rhgb_t)
 files_mounton_mnt(rhgb_t)
+files_dontaudit_write_root_dir(rhgb_t)
 files_dontaudit_read_default_files(rhgb_t)
 files_dontaudit_search_pids(rhgb_t)
 # for nscd
@@ -76,6 +78,7 @@
 fs_search_auto_mountpoints(rhgb_t)
 fs_mount_ramfs(rhgb_t)
 fs_unmount_ramfs(rhgb_t)
+fs_getattr_xattr_fs(rhgb_t)
 fs_getattr_tmpfs(rhgb_t)
 # for ramfs file systems
 fs_manage_ramfs_dirs(rhgb_t)
@@ -100,6 +103,7 @@
 
 miscfiles_read_localization(rhgb_t)
 miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
 
 seutil_search_default_contexts(rhgb_t)
 seutil_read_config(rhgb_t)
@@ -109,6 +113,7 @@
 
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
 userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
+userdom_dontaudit_search_all_users_home_content(rhgb_t)
 
 xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
@@ -117,6 +122,7 @@
 xserver_domtrans_xdm_xserver(rhgb_t)
 xserver_signal_xdm_xserver(rhgb_t)
 xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect_xdm_xserver(rhgb_t)
 
 optional_policy(`
 	consoletype_exec(rhgb_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.8/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ricci.te	2008-06-12 23:37:58.000000000 -0400
@@ -138,6 +138,7 @@
 files_create_boot_flag(ricci_t)
 
 auth_domtrans_chk_passwd(ricci_t)
+auth_domtrans_upd_passwd_chk(ricci_t)
 auth_append_login_records(ricci_t)
 
 init_dontaudit_stream_connect_script(ricci_t)
@@ -260,7 +261,7 @@
 # ricci_modclusterd local policy
 #
 
-allow ricci_modclusterd_t self:capability sys_nice;
+allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
 allow ricci_modclusterd_t self:process { signal sigkill setsched };
 allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
 allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
@@ -321,6 +322,10 @@
 ')
 
 optional_policy(`
+	rpm_dontaudit_use_script_fds(ricci_modclusterd_t)
+')
+
+optional_policy(`
 	unconfined_use_fds(ricci_modclusterd_t)
 ')
 
@@ -468,9 +473,6 @@
 
 logging_send_syslog_msg(ricci_modstorage_t)
 
-lvm_domtrans(ricci_modstorage_t)
-lvm_manage_config(ricci_modstorage_t)
-
 miscfiles_read_localization(ricci_modstorage_t)
 
 modutils_read_module_deps(ricci_modstorage_t)
@@ -482,6 +484,7 @@
 
 optional_policy(`
 	lvm_domtrans(ricci_modstorage_t)
+	lvm_manage_config(ricci_modstorage_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2008-06-12 23:37:58.000000000 -0400
@@ -36,6 +36,8 @@
 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(rlogind_t,rlogind_devpts_t)
 
+domain_interactive_fd(rlogind_t)
+
 # for /usr/lib/telnetlogin
 can_exec(rlogind_t, rlogind_exec_t)
 
@@ -64,9 +66,10 @@
 fs_getattr_xattr_fs(rlogind_t)
 fs_search_auto_mountpoints(rlogind_t)
 
+auth_use_nsswitch(rlogind_t)
 auth_domtrans_chk_passwd(rlogind_t)
+auth_domtrans_upd_passwd(rlogind_t)
 auth_rw_login_records(rlogind_t)
-auth_use_nsswitch(rlogind_t)
 
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
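Review bot: rlogind_t is given auth_domtrans_upd_passwd here while the radius.te and ricci.te hunks in the same patch use auth_domtrans_upd_passwd_chk for the equivalent addition; if the difference is deliberate (rlogind handling a real password update at login rather than only the check), a comment on the line would prevent a later "harmonising" change. The reordering of auth_use_nsswitch ahead of the other auth_ calls is cosmetic.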
@@ -82,21 +85,17 @@
 
 miscfiles_read_localization(rlogind_t)
 
-seutil_dontaudit_search_config(rlogind_t)
-
-sysnet_read_config(rlogind_t)
+seutil_read_config(rlogind_t)
 
 userdom_setattr_unpriv_users_ptys(rlogind_t)
 # cjp: this is egregious
 userdom_read_all_users_home_content_files(rlogind_t)
 
 remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
 
 optional_policy(`
+	kerberos_use(rlogind_t)
 	kerberos_read_keytab(rlogind_t)
-')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
+	kerberos_manage_host_rcache(rlogind_t)
 ')
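Review bot: `seutil_read_config(rlogind_t)` replaces a dontaudit of a directory search with read access to the SELinux configuration, and the commit does not say which file rlogind now needs. If the login path only checks whether the config directory exists (which the former `seutil_dontaudit_search_config` suggests), the old dontaudit was the tighter rule; if it genuinely reads a configuration file, a short comment above the line stating which one would justify the widening. The same hunk drops `sysnet_read_config(rlogind_t)`, presumably relying on the `auth_use_nsswitch(rlogind_t)` moved up in the previous hunk — worth confirming that interface covers resolver configuration in this policy version.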
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2008-06-12 23:37:58.000000000 -0400
@@ -89,8 +89,11 @@
 	# bind to arbitary unused ports
 	corenet_tcp_bind_generic_port($1_t)
 	corenet_udp_bind_generic_port($1_t)
-	corenet_udp_bind_reserved_port($1_t)
+	corenet_dontaudit_tcp_bind_all_ports($1_t)
+	corenet_dontaudit_udp_bind_all_ports($1_t)
 	corenet_sendrecv_generic_server_packets($1_t)
+	corenet_tcp_bind_all_rpc_ports($1_t)
+	corenet_udp_bind_all_rpc_ports($1_t)
 
 	fs_rw_rpc_named_pipes($1_t) 
 	fs_search_auto_mountpoints($1_t)
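Review bot: `corenet_dontaudit_tcp_bind_all_ports($1_t)` and `corenet_dontaudit_udp_bind_all_ports($1_t)` suppress every port-bind denial for each domain derived from this template, so an RPC service binding where it should not will no longer appear in the audit log at all. The existing comment only covers the generic-port bind; a comment on the dontaudit pair stating why those denials are noise (for example, if these services probe a port range until one succeeds) would record that the lost audit trail is intentional. The new `corenet_tcp_bind_all_rpc_ports`/`corenet_udp_bind_all_rpc_ports` lines are also placed after `corenet_sendrecv_generic_server_packets`, while the other bind rules sit together above it. The enclosing template starts and ends outside this hunk.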
@@ -214,6 +217,24 @@
 
 ########################################
 ## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+	gen_require(`
+		type rpcd_t, rpcd_exec_t;
+	')
+
+	domtrans_pattern($1,rpcd_exec_t,rpcd_t)
+')
+
+########################################
+## <summary>
 ##      Read NFS exported content.
 ## </summary>
 ## <param name="domain">
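Review bot: The summary of the new `rpc_domtrans_rpcd` interface says `Execute domain in nfsd domain.` but the body transitions to `rpcd_t`, not nfsd; it should read `##	Execute rpcd in the rpcd domain.`. The XML block also mixes indentation — the `<summary>` tags are tab-indented while the text lines are space-indented — so pick one, e.g. `##	The type of the process performing this action.` with a tab.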
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2008-06-12 23:37:58.000000000 -0400
@@ -59,10 +59,14 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
 
+corecmd_exec_bin(rpcd_t)
+
 kernel_read_system_state(rpcd_t) 
-kernel_search_network_state(rpcd_t) 
+kernel_read_network_state(rpcd_t) 
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
+kernel_rw_fs_sysctls(rpcd_t)  
+kernel_getattr_core_if(nfsd_t)
 
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
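Review bot: `kernel_getattr_core_if(nfsd_t)` is added in the rpcd_t rule block, and the hunk at @@ -91,9 +105,15 adds `kernel_dontaudit_getattr_core_if(nfsd_t)` for the same domain and permission in the nfsd_t block; with the allow in place the dontaudit is dead, so one of the two should go, and whichever stays belongs in the nfsd section. The next two hunks file rules under the wrong domain the same way: `auth_read_cache(gssd_t)` lands among the rpcd_t rules at @@ -73,12 +77,22, and `userdom_dontaudit_search_users_home_dirs(rpcd_t)` / `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` land in the gssd_t section at @@ -158,6 +183,9. Several added lines also carry trailing whitespace, e.g. `kernel_rw_fs_sysctls(rpcd_t)  `.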
@@ -73,12 +77,22 @@
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+auth_read_cache(gssd_t) 
+
 miscfiles_read_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
 
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
+	nis_use_ypbind(rpcd_t)
+')
+
+# automount -> mount -> rpcd
+optional_policy(`
+	automount_dontaudit_use_fds(rpcd_t)
+	automount_dontaudit_write_pipes(rpcd_t)
 ')
 
 ########################################
@@ -91,9 +105,15 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
+dev_dontaudit_getattr_all_blk_files(nfsd_t) 
+dev_dontaudit_getattr_all_chr_files(nfsd_t) 
+dev_rw_lvm_control(nfsd_t)
+storage_dontaudit_raw_read_fixed_disk(nfsd_t)
+
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
+kernel_dontaudit_getattr_core_if(nfsd_t) 
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
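Review bot: `dev_rw_lvm_control(nfsd_t)` gives the NFS server read/write access to the LVM control device with no comment on why, while the three lines around it only silence getattr/read probes on block and character devices and fixed disks. If nfsd is merely walking device nodes while exporting directories (which the adjacent dontaudit rules suggest), a dontaudit on the specific access would be the least-privilege choice; if it really needs the control device, a comment such as `# nfsd opens the lvm control device when exporting LVM-backed filesystems — confirm` should sit above the line.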
@@ -102,6 +122,7 @@
 fs_search_nfsd_fs(nfsd_t) 
 fs_getattr_all_fs(nfsd_t) 
 fs_rw_nfsd_fs(nfsd_t) 
+fs_search_all(nfsd_t) 
 
 term_use_controlling_term(nfsd_t) 
 
@@ -123,6 +144,7 @@
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir })
 ')
 
 tunable_policy(`nfs_export_all_ro',`
@@ -143,6 +165,9 @@
 manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
+auth_use_nsswitch(gssd_t)
+
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
@@ -158,6 +183,9 @@
 
 miscfiles_read_certs(gssd_t)
 
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
+
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_unpriv_users_tmp(gssd_t) 
 	userdom_read_unpriv_users_tmp_files(gssd_t) 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2008-06-12 23:37:58.000000000 -0400
@@ -21,11 +21,13 @@
 # rpcbind local policy
 #
 
-allow rpcbind_t self:capability setuid;
+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
 allow rpcbind_t self:fifo_file rw_file_perms;
 allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
 allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow rpcbind_t self:udp_socket create_socket_perms;
+# BROKEN ...
+dontaudit rpcbind_t self:udp_socket listen;
 allow rpcbind_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
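Review bot: The `# BROKEN ...` comment above `dontaudit rpcbind_t self:udp_socket listen;` does not say what is broken or whether the dontaudit is a permanent workaround, so the next reader cannot tell when it can be removed. Replace it with the reason, e.g. `# rpcbind calls listen() on its UDP socket; the call cannot succeed, so silence the denial rather than allow it` if that is the case, and cite the upstream bug if one exists. On the capability line, `dac_override` and `sys_tty_config` are added without a note on which file access or tty operation needs them; `dac_override` in particular lets the daemon bypass file permission checks on anything its type rules reach, so a comment naming the path involved would justify it.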
@@ -37,6 +39,7 @@
 manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
 files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
 
+kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 
 corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rshd.te	2008-06-12 23:37:59.000000000 -0400
@@ -16,10 +16,11 @@
 #
 # Local policy
 #
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
 allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_fifo_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
+allow rshd_t self:key {search  write link};
 
 kernel_read_kernel_sysctls(rshd_t)
 
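Review bot: `allow rshd_t self:key {search  write link};` is formatted differently from every other permission set in this hunk (`{ kill setuid setgid ... }`): no space inside the braces and two spaces between `search` and `write`. Write it as `allow rshd_t self:key { search write link };` to match. The added `kill` capability is also unexplained; a comment on what rshd signals (child processes running as another uid, presumably) would help.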
@@ -33,6 +34,9 @@
 corenet_udp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
 corenet_sendrecv_rsh_server_packets(rshd_t)
 
 dev_read_urand(rshd_t)
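Review bot: `corenet_tcp_connect_all_ports(rshd_t)` lets the daemon initiate TCP connections to any port, and nothing in the hunk says why. If the reason is rsh's secondary connection back to the client's stderr port, a comment such as `# connect back to the client-chosen stderr port` above the line would make the wide grant reviewable and let a maintainer narrow it later. `corenet_tcp_connect_all_rpc_ports(rshd_t)` on the next line is likely subsumed by the all-ports rule and could then be dropped.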
@@ -44,28 +48,42 @@
 selinux_compute_relabel_context(rshd_t)
 selinux_compute_user_contexts(rshd_t)
 
-auth_domtrans_chk_passwd(rshd_t)
+auth_login_pgm_domain(rshd_t)
+auth_search_key(rshd_t)
+auth_write_login_records(rshd_t)
 
 corecmd_read_bin_symlinks(rshd_t)
 
 files_list_home(rshd_t)
 files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
+files_manage_generic_tmp_dirs(rshd_t)
+
+init_rw_utmp(rshd_t)
 
 libs_use_ld_so(rshd_t)
 libs_use_shared_libs(rshd_t)
 
 logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
 
 miscfiles_read_localization(rshd_t)
 
 seutil_read_config(rshd_t)
 seutil_read_default_contexts(rshd_t)
 
-sysnet_read_config(rshd_t)
-
 userdom_search_all_users_home_content(rshd_t)
 
+optional_policy(`
+	kerberos_use(rshd_t)
+	kerberos_read_keytab(rshd_t)
+	kerberos_manage_host_rcache(rshd_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(rshd_t)
+	unconfined_signal(rshd_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(rshd_t)
 	fs_read_nfs_symlinks(rshd_t)
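Review bot: `files_manage_generic_tmp_dirs(rshd_t)` replaces `files_search_tmp(rshd_t)`, going from a directory search to create/delete of generic tmp directories, with no comment on which directory rshd manages. If the need is a single directory created at login, a dedicated tmp type with a `files_tmp_filetrans` rule would keep rshd from removing other programs' directories; otherwise a one-line comment naming the use case belongs above the line. The swap of `auth_domtrans_chk_passwd` for `auth_login_pgm_domain(rshd_t)` and the relocation of `unconfined_shell_domtrans(rshd_t)` look consistent; the `unconfined_domain(rshd_t)` dropped at @@ -76,15 +94,3 is a real privilege reduction and deserves a line in the changelog.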
@@ -76,15 +94,3 @@
 	fs_read_cifs_symlinks(rshd_t)
 ')
 
-optional_policy(`
-	kerberos_use(rshd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(rshd_t)
-')
-
-optional_policy(`
-	unconfined_domain(rshd_t)
-	unconfined_shell_domtrans(rshd_t)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.0.8/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rsync.fc	2008-06-12 23:37:58.000000000 -0400
@@ -1,2 +1,4 @@
 
 /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
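Review bot: The new `/var/log/rsync.log` entry aligns its `--` column with spaces while the entry above uses tabs. Keep the file's tab alignment, `/var/log/rsync.log	--	gen_context(system_u:object_r:rsync_log_t,s0)`, so the columns line up consistently with the other fc files in this patch.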
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rsync.te	2008-06-12 23:37:58.000000000 -0400
@@ -8,6 +8,13 @@
 
 ## <desc>
 ## <p>
+## Allow rsync export files read only
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro,false)
+
+## <desc>
+## <p>
 ## Allow rsync to modify public files
 ## used for public file transfer services.
 ## </p>
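Review bot: The description of the new `rsync_export_all_ro` tunable, `Allow rsync export files read only`, is missing its verb object; `Allow rsync to export all files read only.` states what the tunable body at @@ -107,10 +120,7 does (it calls `auth_read_all_files_except_shadow(rsync_t)`). Since tunable descriptions are user-facing text in the generated documentation, it is worth saying that this covers every readable file type except shadow, not just the configured rsync data.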
@@ -17,6 +24,7 @@
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
 type rsync_data_t;
@@ -25,6 +33,9 @@
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
 
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
 type rsync_var_run_t;
 files_pid_file(rsync_var_run_t)
 
@@ -33,7 +44,7 @@
 # Local policy
 #
 
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
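Review bot: The capability set grows to `{ dac_read_search dac_override setuid setgid sys_chroot }` unconditionally, even though the only broad read access added in this patch (`auth_read_all_files_except_shadow`) is gated behind the new `rsync_export_all_ro` tunable. `dac_override` lets rsync_t bypass DAC checks on every file its type-enforcement rules reach regardless of the tunable; if it is only needed for the export-all case it belongs inside that `tunable_policy` block, and in any case a comment naming the operation that fails without it should accompany it. Removing the duplicated `setuid setgid` line at @@ -43,7 +54,6 is a good cleanup.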
@@ -43,7 +54,6 @@
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
 #end for identd
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -57,6 +67,8 @@
 manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
 files_pid_filetrans(rsync_t,rsync_var_run_t,file)
 
+auth_use_nsswitch(rsync_t)
+
 kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
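Review bot: `auth_use_nsswitch(rsync_t)` is added twice in this file — here after the pid-file rules and again at @@ -80,17 +92,18 after `files_search_home(rsync_t)`. The duplicate is harmless to the compiler but misleading to readers; keep only the second, whose position after the `files_*` rules matches the kernel-layer-then-system-layer ordering the rest of the block follows.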
@@ -80,17 +92,18 @@
 files_read_etc_files(rsync_t)
 files_search_home(rsync_t)
 
+auth_use_nsswitch(rsync_t)
+
 libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
 
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
 
-sysnet_read_config(rsync_t)
-
 tunable_policy(`allow_rsync_anon_write',`
 	miscfiles_manage_public_files(rsync_t)
 ')
@@ -107,10 +120,7 @@
 	inetd_service_domain(rsync_t,rsync_exec_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(rsync_t)
-')
-
-optional_policy(`
-	nscd_socket_use(rsync_t)
+tunable_policy(`rsync_export_all_ro',`
+	fs_read_noxattr_fs_files(rsync_t) 
+	auth_read_all_files_except_shadow(rsync_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.fc	2008-06-12 23:37:59.000000000 -0400
@@ -15,6 +15,7 @@
 /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
 /usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
 /usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
 
 /usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
@@ -30,6 +31,8 @@
 /var/lib/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
 /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 
+/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+
 /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
 
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.if	2008-06-12 23:37:58.000000000 -0400
@@ -33,8 +33,8 @@
 	')
 
 	tunable_policy(`samba_enable_home_dirs',`
-		userdom_manage_user_home_content_dirs($1,smbd_t)
-		userdom_manage_user_home_content_files($1,smbd_t)
+		userdom_manage_unpriv_users_home_content_dirs(smbd_t)
+		userdom_manage_unpriv_users_home_content_files(smbd_t)
 		userdom_manage_user_home_content_symlinks($1,smbd_t)
 		userdom_manage_user_home_content_sockets($1,smbd_t)
 		userdom_manage_user_home_content_pipes($1,smbd_t)
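Review bot: Inside what appears to be a per-user template, the two rewritten lines switch from the `$1`-scoped `userdom_manage_user_home_content_*($1,smbd_t)` to the global `userdom_manage_unpriv_users_home_content_dirs(smbd_t)` / `_files(smbd_t)`, while the three lines below still use `$1`. The result is a mixed scope: directory and file access is granted for every unprivileged user's home content as soon as the template is instantiated once (and re-emitted for each further instantiation), but symlink, socket and pipe access only per instantiated user. Either move the two global calls out of the template into smbd's own tunable block in samba.te, or keep all five lines `$1`-scoped. The template begins and ends outside this hunk.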
@@ -63,6 +63,25 @@
 
 ########################################
 ## <summary>
+##	Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t, samba_net_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1,samba_net_exec_t,samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
 ##	Execute samba net in the samba_net domain, and
 ##	allow the specified role the samba_net domain.
 ## </summary>
@@ -93,6 +112,39 @@
 	allow samba_net_t $3:chr_file rw_term_perms;
 ')
 
+
+########################################
+## <summary>
+##	Execute samba net in the samba_unconfined_net domain, and
+##	allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the samba_unconfined_net domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the samba_unconfined_net domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+	gen_require(`
+		type samba_unconfined_net_t;
+	')
+
+	samba_domtrans_unconfined_net($1)
+	role $2 types samba_unconfined_net_t;
+	allow samba_unconfined_net_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute smbmount in the smbmount domain.
@@ -332,6 +384,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit the specified domain to
+##	write samba /var files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to
 ##	read and write samba /var files.
 ## </summary>
@@ -349,6 +420,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1,samba_var_t,samba_var_t)
+	manage_lnk_files_pattern($1,samba_var_t,samba_var_t)
 ')
 
 ########################################
@@ -421,6 +493,7 @@
 	')
 
 	domtrans_pattern($1,winbind_helper_exec_t,winbind_helper_t)
+	allow $1 winbind_helper_t:process signal;
 ')
 
 ########################################
@@ -493,3 +566,103 @@
 	allow $1 samba_var_t:dir search_dir_perms;
 	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
 ')
+
+########################################
+## <summary>
+##	Create a set of derived types for samba
+##	helper scripts.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`samba_helper_template',`
+	gen_require(`
+		type smbd_t;
+	')
+	#This type is for samba helper scripts
+	type samba_$1_script_t;
+	domain_type(samba_$1_script_t)
+	role system_r types samba_$1_script_t;
+
+	# This type is used for executable scripts files
+	type samba_$1_script_exec_t;
+	corecmd_shell_entry_type(samba_$1_script_t)
+	domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t)
+
+	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+	allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+	gen_require(`
+		type samba_share_t;
+	')
+
+	allow $1 samba_share_t:filesystem getattr;
+	read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+	gen_require(`
+		type smbcontrol_t;
+                type smbcontrol_exec_t;
+	')
+
+	domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
+')
+
+
+########################################
+## <summary>
+##	Execute smbcontrol in the smbcontrol domain, and
+##	allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the smbcontrol domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+	gen_require(`
+		type smbcontrol_t;
+	')
+
+	samba_domtrans_smbcontrol($1)
+	role $2 types smbcontrol_t;
+	dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2008-06-12 23:37:59.000000000 -0400
@@ -137,6 +137,11 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
 
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
 ########################################
 #
 # Samba net local policy
@@ -146,7 +151,6 @@
 allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
 allow samba_net_t self:udp_socket create_socket_perms;
 allow samba_net_t self:tcp_socket create_socket_perms;
-allow samba_net_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
@@ -161,6 +165,8 @@
 manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
 manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
 
+auth_use_nsswitch(samba_net_t)
+
 kernel_read_proc_symlinks(samba_net_t)
 
 corenet_all_recvfrom_unlabeled(samba_net_t)
@@ -190,19 +196,15 @@
 
 miscfiles_read_localization(samba_net_t) 
 
-sysnet_read_config(samba_net_t)
-sysnet_use_ldap(samba_net_t)
+samba_read_var_files(samba_net_t) 
 
 userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
+userdom_list_all_users_home_dirs(samba_net_t)
 
 optional_policy(`
 	kerberos_use(samba_net_t)
 ')
 
-optional_policy(`
-	nscd_socket_use(samba_net_t)
-')
-
 ########################################
 #
 # smbd Local policy
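Review bot: `samba_read_var_files(samba_net_t)` is redundant: the same domain already has `manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)` (context at @@ -161,6 +165,8), which includes read. Calling the module's own interface from its own .te also departs from the convention of writing raw patterns for the module's own types, so dropping the line is the cleanest fix. The added line also carries trailing whitespace.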
@@ -217,19 +219,16 @@
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file read_file_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
 allow smbd_t self:tcp_socket create_stream_socket_perms;
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
-create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
-allow smbd_t samba_log_t:dir setattr;
-dontaudit smbd_t samba_log_t:dir remove_name;
+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
 
 allow smbd_t samba_net_tmp_t:file getattr;
 
@@ -239,6 +238,7 @@
 manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
 manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
 manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
+allow smbd_t samba_share_t:filesystem getattr;
 
 manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
 manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
@@ -256,7 +256,7 @@
 manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
 files_pid_filetrans(smbd_t,smbd_var_run_t,file)
 
-allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -292,12 +292,13 @@
 
 fs_getattr_all_fs(smbd_t)
 fs_get_xattr_fs_quotas(smbd_t)
-fs_search_auto_mountpoints(smbd_t)
 fs_getattr_rpc_dirs(smbd_t)
 fs_list_inotifyfs(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
 
-auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
+auth_domtrans_upd_passwd(smbd_t)
+auth_use_nsswitch(smbd_t)
 
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
@@ -321,12 +322,12 @@
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
-sysnet_read_config(smbd_t)
-
 userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
 
+term_use_ptmx(smbd_t)
+
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -347,6 +348,17 @@
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
+	fs_manage_nfs_symlinks(smbd_t)
+	fs_manage_nfs_named_pipes(smbd_t)
+	fs_manage_nfs_named_sockets(smbd_t)
+')
+
+optional_policy(`
+	kerberos_read_keytab(smbd_t)
+')
+
+optional_policy(`
+	lpd_exec_lpr(smbd_t)
 ')
 
 optional_policy(`
@@ -398,7 +410,7 @@
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file read_file_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -410,8 +422,7 @@
 read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
 
 manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 
 read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
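Review bot: After replacing `append_files_pattern` and the `unlink` rule with `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)`, the context lines that follow, `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` and `create_files_pattern(nmbd_t,samba_log_t,samba_log_t)`, are fully covered by the manage pattern and should be removed in the same change. Leaving them suggests to a reader that the log access is narrower than it now is.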
@@ -421,6 +432,8 @@
 
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
 
+auth_use_nsswitch(nmbd_t)
+
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
 kernel_read_kernel_sysctls(nmbd_t)
@@ -446,6 +459,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
+fs_list_inotifyfs(nmbd_t)
 fs_search_auto_mountpoints(nmbd_t)
 
 domain_use_interactive_fds(nmbd_t)
@@ -462,17 +476,11 @@
 
 miscfiles_read_localization(nmbd_t)
 
-sysnet_read_config(nmbd_t)
-
 userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
 userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
 userdom_use_unpriv_users_fds(nmbd_t)
 
 optional_policy(`
-	nis_use_ypbind(nmbd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(nmbd_t)
 ')
 
@@ -506,6 +514,8 @@
 manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
 files_list_var_lib(smbmount_t)
 
+auth_use_nsswitch(smbmount_t)
+
 kernel_read_system_state(smbmount_t)
 
 corenet_all_recvfrom_unlabeled(smbmount_t)
@@ -533,6 +543,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 
 term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
 
 corecmd_list_bin(smbmount_t)
 
@@ -553,16 +564,11 @@
 
 logging_search_logs(smbmount_t)
 
-sysnet_read_config(smbmount_t)
-
 userdom_use_all_users_fds(smbmount_t)
+userdom_use_sysadm_ttys(smbmount_t)
 
 optional_policy(`
-	nis_use_ypbind(smbmount_t)
-')
-
-optional_policy(`
-	nscd_socket_use(smbmount_t)
+	cups_read_rw_config(smbmount_t)
 ')
 
 ########################################
@@ -570,24 +576,28 @@
 # SWAT Local policy
 #
 
-allow swat_t self:capability { setuid setgid };
-allow swat_t self:process signal_perms;
+allow swat_t self:capability { setuid setgid sys_resource net_bind_service };
+allow swat_t self:process { setrlimit signal_perms };
 allow swat_t self:fifo_file rw_file_perms;
 allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow swat_t self:tcp_socket create_stream_socket_perms;
 allow swat_t self:udp_socket create_socket_perms;
-allow swat_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow swat_t nmbd_exec_t:file { execute read };
+allow swat_t self:unix_stream_socket connectto;
+can_exec(swat_t, smbd_exec_t)
+allow swat_t smbd_port_t:tcp_socket name_bind;
+allow swat_t smbd_t:process { signal signull };
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+can_exec(swat_t, nmbd_exec_t)
+allow swat_t nmbd_port_t:udp_socket name_bind;
+allow swat_t nmbd_t:process { signal signull };
+allow swat_t nmbd_var_run_t:file { lock read unlink };
 
 rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
 
 append_files_pattern(swat_t,samba_log_t,samba_log_t)
 
-allow swat_t smbd_exec_t:file execute ;
-
-allow swat_t smbd_t:process signull;
-
 allow swat_t smbd_var_run_t:file read;
 
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
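Review bot: `can_exec(swat_t, smbd_exec_t)` and `can_exec(swat_t, nmbd_exec_t)` together with the `name_bind` rules on `smbd_port_t` and `nmbd_port_t` mean swat now runs the smbd and nmbd binaries in its own domain, so daemons started from SWAT carry swat_t's permissions instead of the confined `smbd_t`/`nmbd_t` ones, and each rule added here for that purpose is a copy of a daemon privilege. If SWAT can start the daemons through a domain transition, `domtrans_pattern(swat_t, smbd_exec_t, smbd_t)` (and the nmbd equivalent) would keep them confined; if the in-domain exec is intentional, a comment explaining why should precede the block. Separately, `allow swat_t smbd_var_run_t:file { lock unlink };` and the context line `allow swat_t smbd_var_run_t:file read;` below should be merged into `allow swat_t smbd_var_run_t:file { read lock unlink };`.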
@@ -597,7 +607,11 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
 
-allow swat_t winbind_exec_t:file execute;
+can_exec(swat_t, winbind_exec_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
+
+auth_use_nsswitch(swat_t)
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
@@ -622,23 +636,24 @@
 
 dev_read_urand(swat_t)
 
+files_list_var_lib(swat_t)
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
 fs_getattr_xattr_fs(swat_t)
 
 auth_domtrans_chk_passwd(swat_t)
+auth_domtrans_upd_passwd(swat_t)
 
 libs_use_ld_so(swat_t)
 libs_use_shared_libs(swat_t)
 
 logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
 
-sysnet_read_config(swat_t)
-
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
@@ -652,13 +667,16 @@
 	kerberos_use(swat_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(swat_t)
-')
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
 
-optional_policy(`
-	nscd_socket_use(swat_t)
-')
+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
+create_files_pattern(swat_t,samba_log_t,samba_log_t)
+
+manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)
+
+manage_files_pattern(swat_t,samba_var_t,samba_var_t)
+files_list_var_lib(swat_t)
 
 ########################################
 #
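Review bot: `files_list_var_lib(swat_t)` is added twice — at @@ -622,23 +636,24 before `files_read_etc_files(swat_t)` and again as the last line of this hunk. The block of `manage_*`/`create_*` rules appended here also sits after the module's `optional_policy` sections, which breaks the file's convention of raw rules first and optional blocks last; it belongs up with the other swat_t rules, next to the existing `append_files_pattern(swat_t,samba_log_t,samba_log_t)`. `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)` grants SWAT write access to the Samba secrets store and deserves a comment on which SWAT operation needs it.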
@@ -672,7 +690,6 @@
 allow winbind_t self:fifo_file { read write };
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow winbind_t self:tcp_socket create_stream_socket_perms;
 allow winbind_t self:udp_socket create_socket_perms;
 
@@ -709,6 +726,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
 
+corecmd_exec_bin(winbind_t)
+
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
@@ -733,7 +752,9 @@
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
 
+auth_use_nsswitch(winbind_t)
 auth_domtrans_chk_passwd(winbind_t)
+auth_domtrans_upd_passwd(winbind_t)
 
 domain_use_interactive_fds(winbind_t)
 
@@ -746,9 +767,6 @@
 
 miscfiles_read_localization(winbind_t)
 
-sysnet_read_config(winbind_t)
-sysnet_dns_name_resolve(winbind_t)
-
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
@@ -758,10 +776,6 @@
 ')
 
 optional_policy(`
-	nscd_socket_use(winbind_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(winbind_t)
 ')
 
@@ -784,6 +798,8 @@
 allow winbind_helper_t samba_var_t:dir search;
 files_list_var_lib(winbind_helper_t)
 
+auth_use_nsswitch(winbind_helper_t)
+
 stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
 
 term_list_ptys(winbind_helper_t)
@@ -798,12 +814,13 @@
 miscfiles_read_localization(winbind_helper_t) 
 
 optional_policy(`
-	nscd_socket_use(winbind_helper_t)
+	apache_append_log(winbind_helper_t)
 ')
 
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
+	squid_rw_stream_sockets(winbind_helper_t)
 ')
 
 ########################################
@@ -812,6 +829,13 @@
 #
 
 optional_policy(`
+	type samba_unconfined_net_t;
+	domain_type(samba_unconfined_net_t)
+	unconfined_domain(samba_unconfined_net_t)
+	role system_r types  samba_unconfined_net_t;
+	manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)
+	filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file)
+
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
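Review bot: Since `unconfined_domain(samba_unconfined_net_t)` already grants the domain every access, `manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)` adds nothing; only the `filetrans_pattern` line contributes (the type transition for newly created secrets files). Dropping the manage pattern makes the intent clearer, and `role system_r types  samba_unconfined_net_t;` has a doubled space. The enclosing `optional_policy` block starts and ends outside this hunk.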
@@ -828,3 +852,37 @@
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 	')
 ')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(smbcontrol_t)
+
+libs_use_ld_so(smbcontrol_t)
+libs_use_shared_libs(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+files_search_var_lib(smbcontrol_t)
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+allow smbcontrol_t smbd_t:process signal;
+domain_use_interactive_fds(smbcontrol_t)
+allow smbd_t smbcontrol_t:process { signal signull };
+
+allow nmbd_t smbcontrol_t:process signal;
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t winbind_t:process { signal signull };
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
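Review bot: The `## internal communication is often done using fifo and unix sockets.` line uses the `##` marker that refpolicy reserves for the XML documentation extracted from .if and .te headers; an ordinary explanatory comment should be `# internal communication is often done using fifo and unix sockets.` so the doc tooling does not pick it up. The section also calls the module's own interfaces (`samba_read_config`, `samba_rw_var_files`, `samba_search_var`, `samba_read_winbind_pid`) for `smbcontrol_t`, while the rest of samba.te writes raw patterns against `samba_etc_t`/`samba_var_t` for its own domains; following that convention here would keep the module consistent.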
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.8/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/sasl.te	2008-06-12 23:37:59.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(sasl,1.6.0)
+policy_module(sasl,1.6.1)
 
 ########################################
 #
@@ -64,6 +64,7 @@
 selinux_compute_access_vector(saslauthd_t)
 
 auth_domtrans_chk_passwd(saslauthd_t)
+auth_domtrans_upd_passwd(saslauthd_t)
 auth_use_nsswitch(saslauthd_t)
 
 domain_use_interactive_fds(saslauthd_t)
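Review bot: `auth_domtrans_upd_passwd(saslauthd_t)` lets an authentication checker transition into the password-updating domain, a step beyond the existing `auth_domtrans_chk_passwd`, and nothing records why. A one-line reason beside it, e.g. `# for PAM password change/expiry handling — TODO confirm`, would let a later review tell a deliberate grant from an AVC-driven one.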
@@ -107,6 +108,10 @@
 ')
 
 optional_policy(`
+	nis_authenticate(saslauthd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(saslauthd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.8/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.if	2008-06-12 23:37:59.000000000 -0400
@@ -149,3 +149,85 @@
 
 	logging_log_filetrans($1,sendmail_log_t,file)
 ')
+
+########################################
+## <summary>
+##	Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the sendmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the sendmail domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	sendmail_domtrans($1)
+	role $2 types sendmail_t;
+	allow sendmail_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t, sendmail_exec_t;
+	')
+
+	domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the unconfined sendmail domain, and
+##	allow the specified role the unconfined sendmail domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the unconfined sendmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the unconfined sendmail domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t;
+	')
+
+	sendmail_domtrans_unconfined($1)
+	role $2 types unconfined_sendmail_t;
+	allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
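Review bot: `sendmail_run_unconfined` grants the terminal with `rw_file_perms` while `sendmail_run` in the same hunk uses `rw_term_perms`; for a `chr_file` terminal the conventional set is `rw_term_perms`, so the last rule should read `allow unconfined_sendmail_t $3:chr_file rw_term_perms;`. Since this interface hands the given role an unconfined domain, the `<summary>` could say so more plainly for readers of the generated documentation.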
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2008-06-12 23:37:58.000000000 -0400
@@ -20,19 +20,22 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
 
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t,sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
 ########################################
 #
 # Sendmail local policy
 #
 
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { setrlimit signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
 allow sendmail_t self:tcp_socket create_stream_socket_perms;
 allow sendmail_t self:udp_socket create_socket_perms;
-allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow sendmail_t sendmail_log_t:dir setattr;
 manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
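Review bot: `dac_override` is added to `sendmail_t`'s capability set with no comment on which file access needs it; it bypasses every DAC permission check, so the specific path or operation should be recorded inline, e.g. `# dac_override: <reason> — TODO confirm`, and the same goes for the new `setrlimit`. The new `unconfined_sendmail_t` is declared and given `role system_r` unconditionally here, yet its `unconfined_domain()` call in the last hunk of this file is wrapped in `optional_policy`; if the unconfined module is absent the domain presumably still exists with almost no rules, so either move the declaration into that block or add a comment explaining the split. The header line `# Unconfined sendmail local policy ` in that last hunk also carries trailing whitespace.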
@@ -48,6 +51,9 @@
 kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
+
+auth_use_nsswitch(sendmail_t)
 
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
@@ -66,14 +72,18 @@
 fs_getattr_all_fs(sendmail_t)
 fs_search_auto_mountpoints(sendmail_t)
 
+selinux_getattr_fs(sendmail_t)
+
 term_dontaudit_use_console(sendmail_t)
 
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
+corecmd_exec_bin(sendmail_t)
 
 domain_use_interactive_fds(sendmail_t)
 
 files_read_etc_files(sendmail_t)
+files_read_usr_files(sendmail_t)
 files_search_spool(sendmail_t)
 # for piping mail to a command
 files_read_etc_runtime_files(sendmail_t)
@@ -83,6 +93,7 @@
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 init_read_utmp(sendmail_t)
 init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
 
 libs_use_ld_so(sendmail_t)
 libs_use_shared_libs(sendmail_t)
@@ -90,34 +101,39 @@
 libs_read_lib_files(sendmail_t)
 
 logging_send_syslog_msg(sendmail_t)
+logging_dontaudit_write_generic_logs(sendmail_t)
 
 miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
-sysnet_dns_name_resolve(sendmail_t)
-sysnet_read_config(sendmail_t)
-
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+userdom_read_all_users_home_content_files(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+	cron_read_pipes(sendmail_t)
+')
 
 optional_policy(`
 	clamav_search_lib(sendmail_t)
+	clamav_stream_connect(sendmail_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(sendmail_t)
+	cyrus_stream_connect(sendmail_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(sendmail_t)
+	munin_dontaudit_search_lib(sendmail_t)
 ')
 
 optional_policy(`
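Review bot: `userdom_read_all_users_home_content_files(sendmail_t)` lets the MTA read every file under every user's home, which is far broader than what `.forward` handling needs; if that is the use case a comment should say so and a narrower interface considered. `mta_manage_aliases` replaces `mta_rw_aliases` (adding create/delete of alias files) but the comment above it still says `# Write to /etc/aliases and /etc/mail.` — it should mention creation and removal as well. The removed `sysnet_`/`nis_`/`nscd_` calls appear to be covered by the `auth_use_nsswitch` added earlier in this file, which is fine but worth a commit-message mention.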
@@ -128,6 +144,11 @@
 
 optional_policy(`
 	procmail_domtrans(sendmail_t)
+	procmail_rw_tmp_files(sendmail_t)
+')
+
+optional_policy(`
+	rhgb_use_ptys(sendmail_t)
 ')
 
 optional_policy(`
@@ -135,24 +156,25 @@
 ')
 
 optional_policy(`
+	sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+	spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
 	udev_read_db(sendmail_t)
 ')
 
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy 
+# Allow unconfined domain to run newalias and have transitions work
+#
 
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+	mta_etc_filetrans_aliases(unconfined_sendmail_t)
+	unconfined_domain(unconfined_sendmail_t)
+')
 
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2008-06-12 23:37:58.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.4.1)
+policy_module(setroubleshoot,1.6.0)
 
 ########################################
 #
@@ -22,13 +22,16 @@
 type setroubleshoot_var_run_t;
 files_pid_file(setroubleshoot_var_run_t)
 
+type setroubleshoot_script_exec_t;
+init_script_type(setroubleshoot_script_exec_t)
+
 ########################################
 #
 # setroubleshootd local policy
 #
 
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +55,9 @@
 
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
 
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
@@ -67,16 +72,24 @@
 corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
 
 dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
+dev_getattr_all_blk_files(setroubleshootd_t)
+dev_getattr_all_chr_files(setroubleshootd_t)
 
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
 
 fs_getattr_all_dirs(setroubleshootd_t)
 fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t)
 
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
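Review bot: `files_list_all(setroubleshootd_t)` replaces `files_getattr_all_dirs` and widens the grant from stat-ing directories to listing the contents of every directory type on the system; the accompanying `files_getattr_all_pipes`/`_sockets` and `fs_dontaudit_read_nfs_files`/`_cifs_files` suggest the daemon walks the filesystem while diagnosing denials, but that should be stated in a comment, e.g. `# walks the filesystem to report labels for denials — TODO confirm`, so the breadth is visibly deliberate.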
@@ -96,17 +109,23 @@
 
 locallogin_dontaudit_use_fds(setroubleshootd_t)
 
+logging_send_audit_msgs(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)
-logging_stream_connect_auditd(setroubleshootd_t)
+logging_stream_connect_audisp(setroubleshootd_t)
 
 seutil_read_config(setroubleshootd_t)
 seutil_read_file_contexts(setroubleshootd_t)
-
-sysnet_read_config(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
 
 userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
 
 optional_policy(`
+	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+	dbus_connect_system_bus(setroubleshootd_t)
+	dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
+')
+
+optional_policy(`
 	rpm_read_db(setroubleshootd_t)
 	rpm_dontaudit_manage_db(setroubleshootd_t)
         rpm_use_script_fds(setroubleshootd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.8/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/smartmon.te	2008-06-12 23:37:59.000000000 -0400
@@ -49,6 +49,7 @@
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
 
 dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
 
 domain_use_interactive_fds(fsdaemon_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.0.8/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/snmp.te	2008-06-12 23:37:59.000000000 -0400
@@ -81,8 +81,7 @@
 files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
-files_getattr_boot_dirs(snmpd_t)
-files_dontaudit_getattr_home_dir(snmpd_t)
+auth_read_all_dirs_except_shadow(snmpd_t)
 
 fs_getattr_all_dirs(snmpd_t)
 fs_getattr_all_fs(snmpd_t)
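Review bot: `auth_read_all_dirs_except_shadow(snmpd_t)` replaces two narrow rules (getattr on boot dirs, dontaudit getattr on home dirs) with list/read access to every directory on the system except the shadow one, for a network-facing daemon; the need should be documented inline (`# <reason snmpd needs to read all dirs> — TODO confirm`) and a narrower interface preferred if the real paths are known. Stylistically the call belongs in its own `auth_` group after the `fs_` calls rather than inside the `files_` block.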
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.0.8/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/soundserver.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,10 +1,16 @@
-/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
 /usr/bin/gpe-soundserver --	gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/nasd(/.*)?  	gen_context(system_u:object_r:soundd_var_run_t,s0)
+
 /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
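Review bot: Dropping the `/etc/nas(/.*)?` and `/etc/yiff(/.*)?` entries (with `soundd_etc_t` removed from the `.te` later in this diff) means those paths take whatever the generic `/etc` rule assigns on relabel, and existing installs keep the old label until `restorecon` runs; a note on the relabel requirement would help packagers. The moved `/usr/bin/nasd` entry now lands after `/var/state/yiff` under a `# /usr/bin` heading, breaking the path-sorted order the rest of the file follows, and the new `/var/run/nasd(/.*)?` line mixes spaces and a tab before `gen_context`. Leaving `/usr/bin/nasd` in place and using tabs consistently would reduce the hunk to the intended removal plus one addition.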
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.8/policy/modules/services/soundserver.if
--- nsaserefpolicy/policy/modules/services/soundserver.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/soundserver.if	2008-06-12 23:37:59.000000000 -0400
@@ -13,3 +13,64 @@
 interface(`soundserver_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run soundserver.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`soundserver_domtrans',`
+	gen_require(`
+		type soundd_t, soundd_exec_t;
+	')
+
+	domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+	allow soundd_t $1:fd use;
+	allow soundd_t $1:fifo_file rw_file_perms;
+	allow soundd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	soundserver socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`soundserver_dontaudit_read_socket_files',`
+	gen_require(`
+		type soundd_var_run_t;
+	')
+
+	dontaudit $1 soundd_var_run_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to read, soundserver socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`soundserver_read_socket_files',`
+	gen_require(`
+		type soundd_var_run_t;
+	')
+
+	allow $1 soundd_var_run_t:sock_file r_file_perms;
+')
+
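Review bot: `soundserver_domtrans` spells out `domain_auto_trans` plus three `allow soundd_t $1:...` rules where the rest of this diff (e.g. `sendmail_domtrans_unconfined`) uses `domtrans_pattern($1,soundd_exec_t,soundd_t)`, which expands to the same transition plus the fd/fifo/sigchld rules in one line. The `<param>` text of `soundserver_read_socket_files` was copied from the dontaudit variant and still says `Domain to not audit.`; it should be `##	Domain allowed access.`. The summary `Do not audit attempts to read, soundserver socket files` has a stray comma, and the hunk adds two trailing blank lines at end of file.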
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.8/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/soundserver.te	2008-06-12 23:37:59.000000000 -0400
@@ -10,9 +10,6 @@
 type soundd_exec_t;
 init_daemon_domain(soundd_t,soundd_exec_t)
 
-type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
-
 type soundd_state_t;
 files_type(soundd_state_t)
 
@@ -28,20 +25,24 @@
 
 ########################################
 #
-# Declarations
+# sound server local policy
 #
 
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
+
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;
 
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
-
 manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
 manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
 
@@ -55,8 +56,10 @@
 manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
+manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
 manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
 
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
@@ -99,6 +102,10 @@
 userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
 
 optional_policy(`
+	alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(soundd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.8/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.fc	2008-06-12 23:37:58.000000000 -0400
@@ -11,6 +11,7 @@
 
 /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 /var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/milter-regex(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
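Review bot: `/var/spool/milter-regex(/.*)?` is labelled `spamd_var_run_t`, the type used for `/var/run` content, while the neighbouring `/var/spool/...` entries use `spamd_spool_t`; if the directory only holds the milter's socket or pid file the choice may be deliberate, but a comment should say so, otherwise `spamd_spool_t` is the consistent label.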
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2008-06-12 23:37:59.000000000 -0400
@@ -286,6 +286,12 @@
 		userdom_manage_user_home_content_symlinks($1,spamd_t)
 	')
 
+	optional_policy(`
+		tunable_policy(`spamd_enable_home_dirs',`
+			razor_manage_user_home_files($1,spamd_t)
+		')
+	')
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_spamassassin_t)
 		fs_manage_nfs_files($1_spamassassin_t)
@@ -472,6 +478,7 @@
 	')
 
 	files_search_var_lib($1)
+	list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
 	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
 ')
 
@@ -531,3 +538,90 @@
 
 	dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
+
+########################################
+## <summary>
+##	Connect to run spamd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to connect.
+##	</summary>
+## </param>
+#
+interface(`spamd_stream_connect',`
+	gen_require(`
+		type spamd_t, spamd_var_run_t;
+	')
+
+	stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
+')
+
+########################################
+## <summary>
+##	Read spamassassin per user homedir
+## </summary>
+## <desc>
+##	<p>
+##	Read spamassassin per user homedir
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`spamassassin_read_user_home_files',`
+	gen_require(`
+		type user_spamassassin_home_t;
+	')
+
+	allow $1 user_spamassassin_home_t:dir list_dir_perms;
+	allow $1 user_spamassassin_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read spamassassin per user homedir
+## </summary>
+## <desc>
+##	<p>
+##	Read spamassassin per user homedir
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`spamassassin_manage_user_home_files',`
+	gen_require(`
+		type user_spamassassin_home_t;
+	')
+
+	manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t)
+	razor_manage_user_home_files(user,$1)
+')
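Review bot: `spamassassin_manage_user_home_files` documents two parameters (`userdomain_prefix`, `domain`) but its body uses `$1` as the domain and hard-codes the `user` prefix (`user_spamassassin_home_t`, `razor_manage_user_home_files(user,$1)`), so the XML and the code disagree; `spamassassin_read_user_home_files` has the same mismatch, and its `<summary>` was copied onto the manage template unchanged (`Read spamassassin per user homedir`). The `razor_manage_user_home_files` call is unconditional, so every caller of this template now hard-depends on the razor module being present — wrap it in `optional_policy(` as the first hunk of this file does. `spamd_stream_connect`'s summary `Connect to run spamd.` reads like a typo for `Connect to spamd over a unix stream socket.`.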
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te	2008-06-12 23:37:58.000000000 -0400
@@ -53,7 +53,7 @@
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
 
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
@@ -81,11 +81,12 @@
 
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
+manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
 
 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file sock_file })
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
@@ -150,10 +151,12 @@
 userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 
 tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(spamd_t)
 	fs_manage_nfs_files(spamd_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(spamd_t)
 	fs_manage_cifs_files(spamd_t)
 ')
 
@@ -171,6 +174,7 @@
 
 optional_policy(`
 	dcc_domtrans_client(spamd_t)
+	dcc_signal_client(spamd_t)
 	dcc_stream_connect_dccifd(spamd_t)
 ')
 
@@ -212,3 +216,30 @@
 optional_policy(`
 	udev_read_db(spamd_t)
 ')
+
+optional_policy(`
+tunable_policy(`spamd_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(unconfined,spamd_t)
+	userdom_manage_user_home_content_files(unconfined,spamd_t)
+	userdom_manage_user_home_content_symlinks(unconfined,spamd_t)
+')
+
+optional_policy(`
+	tunable_policy(`spamd_enable_home_dirs',`
+		razor_manage_user_home_files(unconfined,spamd_t)
+	')
+')
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(spamd_t)
+	fs_manage_nfs_files(spamd_t)
+	fs_manage_nfs_symlinks(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(spamd_t)
+	fs_manage_cifs_files(spamd_t)
+	fs_manage_cifs_symlinks(spamd_t)
+')
+
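Review bot: The two `tunable_policy` blocks appended at the end (`use_nfs_home_dirs`, `use_samba_home_dirs`) duplicate the blocks this same diff edits earlier in the file, which already grant `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the cifs equivalents; only the `_symlinks` lines are new, so add `fs_manage_nfs_symlinks(spamd_t)` and `fs_manage_cifs_symlinks(spamd_t)` to the existing blocks and drop the copies. The outer `optional_policy(` wraps `userdom_*` calls that are not optional and a `tunable_policy` body that is not indented, while the only call that needs `optional_policy` is the inner `razor_manage_user_home_files`; a single `tunable_policy` holding the `userdom_` calls plus the nested `optional_policy` for razor would be clearer.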
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/squid.fc	2008-06-12 23:37:58.000000000 -0400
@@ -12,3 +12,5 @@
 /var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
 
 /var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
+/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
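Review bot: Both new entries reference `httpd_squid_script_exec_t`, a type this module only declares through `apache_content_template(squid)` inside an `optional_policy` block in `squid.te` later in this diff; when the apache module is absent the type is undeclared while the file contexts still name it, which is worth verifying against the module build and load. The entries are also appended after `/var/spool/squid`, whereas the file is ordered by path, so they belong before the `/var/...` lines.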
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.0.8/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/squid.if	2008-06-12 23:37:58.000000000 -0400
@@ -131,3 +131,22 @@
 interface(`squid_use',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	Allow read and write squid
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_rw_stream_sockets',`
+	gen_require(`
+		type squid_t;
+	')
+
+	allow $1 squid_t:unix_stream_socket { getattr read write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/squid.te	2008-06-12 23:37:58.000000000 -0400
@@ -36,7 +36,7 @@
 # Local policy
 #
 
-allow squid_t self:capability { setgid setuid dac_override sys_resource };
+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
 dontaudit squid_t self:capability sys_tty_config;
 allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow squid_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +53,9 @@
 allow squid_t self:tcp_socket create_stream_socket_perms;
 allow squid_t self:udp_socket create_socket_perms;
 
+auth_use_nsswitch(squid_t)
+auth_domtrans_chkpwd(squid_t)
+
 # Grant permissions to create, access, and delete cache files.
 manage_dirs_pattern(squid_t,squid_cache_t,squid_cache_t)
 manage_files_pattern(squid_t,squid_cache_t,squid_cache_t)
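Review bot: `auth_domtrans_chkpwd(squid_t)` lets the proxy launch the password-checker helper domain, which is what reads the shadow file on its behalf, with no comment on which authentication helper needs it; record it (`# for the basic-auth helpers — TODO confirm`) so the grant is visibly tied to a feature. The pair of `auth_` calls is also placed between the `self:` socket rules and the cache-file rules rather than in the `auth_` slot of the usual layer order (after the `fs_`/`term_` calls).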
@@ -85,6 +88,7 @@
 corenet_udp_sendrecv_all_ports(squid_t)
 corenet_tcp_bind_all_nodes(squid_t)
 corenet_udp_bind_all_nodes(squid_t)
+corenet_tcp_bind_http_port(squid_t)
 corenet_tcp_bind_http_cache_port(squid_t)
 corenet_udp_bind_http_cache_port(squid_t)
 corenet_tcp_bind_ftp_port(squid_t)
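Review bot: `corenet_tcp_bind_http_port(squid_t)` lets the cache listen on the web-server port, which is only needed when squid is run as a reverse proxy/accelerator and otherwise broadens what the domain may bind; refpolicy usually gates such a grant behind a boolean via `tunable_policy`, so consider wrapping it, or at least add a comment stating why it is unconditional.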
@@ -92,10 +96,12 @@
 corenet_udp_bind_gopher_port(squid_t)
 corenet_tcp_bind_squid_port(squid_t)
 corenet_udp_bind_squid_port(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
 corenet_tcp_connect_http_cache_port(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
 corenet_sendrecv_http_client_packets(squid_t)
 corenet_sendrecv_ftp_client_packets(squid_t)
 corenet_sendrecv_gopher_client_packets(squid_t)
@@ -109,6 +115,8 @@
 
 fs_getattr_all_fs(squid_t)
 fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
 
 selinux_dontaudit_getattr_dir(squid_t)
 
@@ -137,9 +145,6 @@
 miscfiles_read_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
-sysnet_dns_name_resolve(squid_t)
-sysnet_read_config(squid_t)
-
 userdom_use_unpriv_users_fds(squid_t)
 userdom_dontaudit_use_unpriv_user_fds(squid_t)
 userdom_dontaudit_search_sysadm_home_dirs(squid_t)
@@ -149,19 +154,7 @@
 ')
 
 optional_policy(`
-	allow squid_t self:capability kill;
-	cron_use_fds(squid_t)
-	cron_use_system_job_fds(squid_t)
-	cron_rw_pipes(squid_t)
-	cron_write_system_job_pipes(squid_t)
-')
-
-optional_policy(`
-	nis_use_ypbind(squid_t)
-')
-
-optional_policy(`
-	nscd_socket_use(squid_t)
+	cron_system_entry(squid_t,squid_exec_t)
 ')
 
 optional_policy(`
@@ -176,7 +169,12 @@
 	udev_read_db(squid_t)
 ')
 
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
+optional_policy(`
+	apache_content_template(squid)
+	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+	squid_read_config(httpd_squid_script_t)
+	allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+	sysnet_dns_name_resolve(httpd_squid_script_t)
+	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+')
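Review bot: The new `httpd_squid_script_t` block gives the CGI `sysnet_dns_name_resolve` while `squid_t` itself is switched to `auth_use_nsswitch` earlier in this file, so the two domains resolve names through different interfaces — pick one for both. The calls are also unsorted; keeping the raw `allow httpd_squid_script_t self:tcp_socket create_socket_perms;` first, then `corenet_*` together, then `squid_read_config`, then `sysnet_` would match the file's layer order. The `#squid requires the following when run in diskd mode` comment moved in an earlier hunk is missing the space after `#`.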
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ssh.if	2008-06-12 23:37:58.000000000 -0400
@@ -202,6 +202,7 @@
 #
 template(`ssh_per_role_template',`
 	gen_require(`
+		type sshd_t;
 		type ssh_agent_exec_t, ssh_keysign_exec_t;
 	')
 
@@ -383,10 +384,6 @@
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
 
-	ifdef(`TODO',`
-	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-	') dnl endif TODO
-
 	##############################
 	#
 	# $1_ssh_keysign_t local policy
@@ -443,13 +440,14 @@
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
-	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:process { signal setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 	# ssh agent connections:
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:shm create_shm_perms;
 
 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
 	term_create_pty($1_t,$1_devpts_t)
@@ -478,7 +476,11 @@
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
+	corenet_tcp_bind_all_unreserved_ports($1_t)
+	# -R qualifier
 	corenet_sendrecv_ssh_server_packets($1_t)
+	# tunnel feature and -w (net_admin capability also)
+	corenet_rw_tun_tap_dev($1_t)
 
 	fs_dontaudit_getattr_all_fs($1_t)
 
@@ -494,6 +496,8 @@
 
 	files_read_etc_files($1_t)
 	files_read_etc_runtime_files($1_t)
+	# Required for FreeNX
+	files_read_var_lib_symlinks($1_t)
 
 	libs_use_ld_so($1_t)
 	libs_use_shared_libs($1_t)
@@ -506,12 +510,14 @@
 
 	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
 	userdom_search_all_users_home_dirs($1_t)
+	userdom_read_all_users_home_content_files($1_t)
 
 	# Allow checking users mail at login
 	mta_getattr_spool($1_t)
 
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_read_nfs_files($1_t)
+		fs_read_nfs_symlinks($1_t)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
@@ -520,6 +526,7 @@
 
 	optional_policy(`
 		kerberos_use($1_t)
+		kerberos_manage_host_rcache($1_t)
 	')
 
 	optional_policy(`
@@ -675,6 +682,25 @@
 
 ########################################
 ## <summary>
+##	Execute the ssh agent client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_agent_exec',`
+	gen_require(`
+		type ssh_agent_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1,ssh_agent_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute the ssh key generator in the ssh keygen domain.
 ## </summary>
 ## <param name="domain">
@@ -708,3 +734,42 @@
 
 	dontaudit $1 sshd_key_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from the ssh-agent.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_use_user_ssh_agent_fds',`
+	gen_require(`
+		type $1_ssh_agent_t;
+	')
+
+	allow $2 $1_ssh_agent_t:fd use;
+')
+
+########################################
+## <summary>
+##	dontaudit use of file descriptor
+##	from the ssh-agent.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_dontaudit_use_user_ssh_agent_fds',`
+	gen_require(`
+		type $1_ssh_agent_t;
+	')
+
+	dontaudit $2 $1_ssh_agent_t:fd use;
+')
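Review bot: `ssh_use_user_ssh_agent_fds` and `ssh_dontaudit_use_user_ssh_agent_fds` take two arguments (`$1` as a user-domain prefix to form `$1_ssh_agent_t`, `$2` as the domain) but the XML documents only one `<param name="domain">`, and because they derive a type name from `$1` refpolicy convention is `template(` rather than `interface(`. Add a `<param name="userdomain_prefix">` block (the prefix of the user domain, e.g. `user` for `user_t`) before the `domain` param in both, and change both declarations to `template(`. The dontaudit variant's `<summary>` should also start with a capital letter like the others in this file.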
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ssh.te	2008-06-12 23:37:59.000000000 -0400
@@ -24,7 +24,7 @@
 
 # Type for the ssh-agent executable.
 type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
+application_executable_file(ssh_agent_exec_t)
 
 # ssh client executable.
 type ssh_exec_t;
@@ -80,6 +80,12 @@
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
+userdom_read_all_users_home_content_files(sshd_t)
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
+userdom_read_unpriv_users_home_content_files(sshd_t)
+
+
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
 	# ioctl is necessary for logout() processing for utmp entry and for w to
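Review bot: `userdom_read_all_users_home_dirs_symlinks(sshd_t)` is added twice in this hunk, and `userdom_read_unpriv_users_home_content_files(sshd_t)` is subsumed by the `userdom_read_all_users_home_content_files(sshd_t)` line above it, which the later hunk (`optional_policy(\`` with `unconfined_shell_domtrans(sshd_t)`) adds again. One copy of each is enough; if sshd only needs to read user-controlled files before login, keep the narrower unpriv variant, since the all-users form also exposes privileged users' home content to the pre-auth daemon. Whichever is kept deserves a why-comment, e.g. `# read per-user ssh configuration in home directories — TODO confirm which files`.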
@@ -100,6 +106,11 @@
 	userdom_use_unpriv_users_ptys(sshd_t)
 ')
 
+
+optional_policy(`
+	xserver_getattr_xauth(sshd_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
@@ -119,7 +130,13 @@
 ')
 
 optional_policy(`
-	unconfined_domain(sshd_t)
+	usermanage_domtrans_passwd(sshd_t)
+	usermanage_read_crack_db(sshd_t)
+')
+
+optional_policy(`
+	unconfined_shell_domtrans(sshd_t)
+	userdom_read_all_users_home_content_files(sshd_t)
 ')
 
 ifdef(`TODO',`
@@ -231,9 +248,15 @@
 ')
 
 optional_policy(`
+	rhgb_use_ptys(ssh_keygen_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
 
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.0.8/policy/modules/services/stunnel.if
--- nsaserefpolicy/policy/modules/services/stunnel.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/stunnel.if	2008-06-12 23:37:59.000000000 -0400
@@ -1 +1,25 @@
 ## <summary>SSL Tunneling Proxy</summary>
+
+########################################
+## <summary>
+##	Define the specified domain as a stunnel inetd service.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type associated with the stunnel inetd service process.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type associated with the process program.
+##	</summary>
+## </param>
+#
+interface(`stunnel_service_domain',`
+	gen_require(`
+		type stunnel_t;
+	')
+
+	domtrans_pattern(stunnel_t,$2,$1)
+	allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
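Review bot: `stunnel_service_domain` has no `role system_r types $1;`, unlike the parallel `tcpd_wrapped_domain` added in this patch (and `ucspitcp_service_domain`, which requires `role system_r`), so a service domain created through it is presumably not reachable from system_r unless every caller adds the role itself. Adding `role system_r;` to the gen_require and `role system_r types $1;` after the domtrans would bring it in line with the other inetd-style interfaces; if the omission is deliberate, the interface documentation should say that the caller is responsible for the role.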
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.0.8/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/stunnel.te	2008-06-12 23:37:58.000000000 -0400
@@ -38,7 +38,6 @@
 allow stunnel_t self:fifo_file rw_fifo_file_perms;
 allow stunnel_t self:tcp_socket create_stream_socket_perms;
 allow stunnel_t self:udp_socket create_socket_perms;
-allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow stunnel_t stunnel_etc_t:dir { getattr read search };
 allow stunnel_t stunnel_etc_t:file { read getattr };
@@ -68,6 +67,8 @@
 
 fs_getattr_all_fs(stunnel_t)
 
+auth_use_nsswitch(stunnel_t)
+
 libs_use_ld_so(stunnel_t)
 libs_use_shared_libs(stunnel_t)
 
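Review bot: The removals of `self:netlink_route_socket`, `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` across this file appear to rely on the new `auth_use_nsswitch(stunnel_t)` subsuming them, which holds only if auth_use_nsswitch covers the route socket and sysnet config reads — nothing in this patch shows that, so confirm before merging. The same swap recurs in telnet.te, tftp.te, uucp.te and xserver.if; a one-line comment at this first site (`# auth_use_nsswitch covers resolver, nss and route-socket access`) would spare later readers the same check.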
@@ -75,8 +76,6 @@
 
 miscfiles_read_localization(stunnel_t)
 
-sysnet_read_config(stunnel_t)
-
 ifdef(`distro_gentoo', `
 	dontaudit stunnel_t self:capability sys_tty_config;
 	allow stunnel_t self:udp_socket create_socket_perms;
@@ -112,14 +111,6 @@
 	optional_policy(`
         	kerberos_use(stunnel_t)
 	')
-
-	optional_policy(`
-        	nis_use_ypbind(stunnel_t)
-	')
-
-	optional_policy(`
-        	nscd_socket_use(stunnel_t)
-	')
 ')
 
 # hack since this port has no interfaces since it doesnt
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.0.8/policy/modules/services/tcpd.if
--- nsaserefpolicy/policy/modules/services/tcpd.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/tcpd.if	2008-06-12 23:37:58.000000000 -0400
@@ -15,5 +15,31 @@
 		type tcpd_t, tcpd_exec_t;
 	')
 
-	domtrans_pattern($1,tcpd_exec_t,tcpd_t)
+	domtrans_pattern($1, tcpd_exec_t, tcpd_t)
+')
+
+########################################
+## <summary>
+##	Create a domain for services that
+##	utilize tcp wrappers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`tcpd_wrapped_domain',`
+	gen_require(`
+		type tcpd_t;
+		role system_r;
+	')
+
+	domtrans_pattern(tcpd_t, $2, $1)
+	role system_r types $1;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/telnet.te	2008-06-12 23:37:58.000000000 -0400
@@ -32,12 +32,13 @@
 allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
 allow telnetd_t self:capability { setuid setgid };
 
 allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(telnetd_t,telnetd_devpts_t)
 
+domain_interactive_fd(telnetd_t)
+
 manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
 manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
 files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
@@ -62,10 +63,12 @@
 
 fs_getattr_xattr_fs(telnetd_t)
 
+auth_use_nsswitch(telnetd_t)
 auth_rw_login_records(telnetd_t)
 
 corecmd_search_bin(telnetd_t)
 
+files_read_usr_files(telnetd_t)
 files_read_etc_files(telnetd_t)
 files_read_etc_runtime_files(telnetd_t)
 # for identd; cjp: this should probably only be inetd_child rules?
@@ -80,27 +83,26 @@
 
 miscfiles_read_localization(telnetd_t)
 
-seutil_dontaudit_search_config(telnetd_t)
-
-sysnet_read_config(telnetd_t)
+seutil_read_config(telnetd_t)
 
 remotelogin_domtrans(telnetd_t)
 
+userdom_search_unpriv_users_home_dirs(telnetd_t)
+
 # for identd; cjp: this should probably only be inetd_child rules?
 optional_policy(`
 	kerberos_use(telnetd_t)
 	kerberos_read_keytab(telnetd_t)
+	kerberos_manage_host_rcache(telnetd_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(telnetd_t)
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(telnetd_t)
+	fs_manage_nfs_files(telnetd_t)
 ')
 
-optional_policy(`
-	nscd_socket_use(telnetd_t)
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(telnetd_t)
+	fs_manage_cifs_files(telnetd_t)
 ')
 
-ifdef(`TODO',`
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
-')
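Review bot: The new `use_nfs_home_dirs`/`use_samba_home_dirs` blocks give telnetd_t `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents, which, judging by the interface names, cover all NFS- and CIFS-labelled content rather than home directories only, and let the pre-login daemon create and delete files there. telnetd hands the session off via `remotelogin_domtrans` a few lines above, so consider whether the read/search variants suffice before that point. If full manage is genuinely needed, a comment stating which operation requires it (`# telnetd must write … on network homes before login — TODO confirm`) would justify the width.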
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.0.8/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/tftp.fc	2008-06-12 23:37:59.000000000 -0400
@@ -4,3 +4,4 @@
 
 /tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
 /tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/tftp.te	2008-06-12 23:37:58.000000000 -0400
@@ -16,6 +16,17 @@
 type tftpdir_t;
 files_type(tftpdir_t)
 
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
+## <desc>
+## <p>
+## Allow tftp to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_tftp_anon_write,false)
+
 ########################################
 #
 # Local policy
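Review bot: `tftpdir_rw_t` is declared without a comment and no file context for it appears in the tftp.fc hunk of this patch, so nothing is labelled with it by default and an administrator must assign it explicitly; the declaration should say so, e.g. `# Writable transfer area; no default file context is shipped, label it explicitly`. The `allow_tftp_anon_write` tunable only gates `miscfiles_manage_public_files` in a later hunk, while the manage rules on tftpdir_rw_t in the next hunk are unconditional, so the tunable's description should make clear that it does not control the tftpdir_rw_t write path.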
@@ -32,6 +43,10 @@
 allow tftpd_t tftpdir_t:file { read getattr };
 allow tftpd_t tftpdir_t:lnk_file { getattr read };
 
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
 manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
 files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
 
@@ -64,6 +79,8 @@
 files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
 
+auth_use_nsswitch(tftpd_t)
+
 libs_use_ld_so(tftpd_t)
 libs_use_shared_libs(tftpd_t)
 
@@ -72,8 +89,9 @@
 miscfiles_read_localization(tftpd_t)
 miscfiles_read_public_files(tftpd_t)
 
-sysnet_read_config(tftpd_t)
-sysnet_use_ldap(tftpd_t)
+tunable_policy(`allow_tftp_anon_write',`
+	miscfiles_manage_public_files(tftpd_t)
+') 
 
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
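Review bot: The closing `') ` of the new `allow_tftp_anon_write` tunable_policy block carries a trailing space; drop it so the line is `')` like every other block in the file.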
@@ -84,14 +102,6 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(tftpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(tftpd_t)
-')
-
-optional_policy(`
         seutil_sigchld_newrole(tftpd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
--- nsaserefpolicy/policy/modules/services/ucspitcp.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.if	2008-06-12 23:37:58.000000000 -0400
@@ -20,7 +20,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`ucspitcp_service_domain', `
+interface(`ucspitcp_service_domain',`
 	gen_require(`
 		type ucspitcp_t;
 		role system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.0.8/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.te	2008-06-12 23:37:59.000000000 -0400
@@ -35,6 +35,7 @@
 corenet_udp_sendrecv_all_ports(rblsmtpd_t)
 corenet_tcp_bind_all_nodes(rblsmtpd_t)
 corenet_udp_bind_generic_port(rblsmtpd_t)
+corenet_dontaudit_udp_bind_all_ports(rblsmtpd_t)
 
 files_read_etc_files(rblsmtpd_t)
 files_search_var(rblsmtpd_t)
@@ -78,6 +79,7 @@
 corenet_tcp_bind_dns_port(ucspitcp_t)
 corenet_udp_bind_dns_port(ucspitcp_t)
 corenet_udp_bind_generic_port(ucspitcp_t)
+corenet_dontaudit_udp_bind_all_ports(ucspitcp_t)
 
 # server packets:
 corenet_sendrecv_ftp_server_packets(ucspitcp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.0.8/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/uucp.te	2008-06-12 23:37:58.000000000 -0400
@@ -88,6 +88,8 @@
 files_search_home(uucpd_t)
 files_search_spool(uucpd_t)
 
+auth_use_nsswitch(uucpd_t)
+
 libs_use_ld_so(uucpd_t)
 libs_use_shared_libs(uucpd_t)
 
@@ -95,20 +97,10 @@
 
 miscfiles_read_localization(uucpd_t)
 
-sysnet_read_config(uucpd_t)
-
 optional_policy(`
 	kerberos_use(uucpd_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(uucpd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(uucpd_t)
-')
-
 ########################################
 #
 # UUX Local policy
@@ -124,6 +116,8 @@
 
 files_read_etc_files(uux_t)
 
+fs_rw_anon_inodefs_files(uux_t)
+
 libs_use_ld_so(uux_t)
 libs_use_shared_libs(uux_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te	2008-06-12 23:37:58.000000000 -0400
@@ -64,6 +64,7 @@
 fs_search_auto_mountpoints(imapd_t)
 
 auth_domtrans_chk_passwd(imapd_t)
+auth_domtrans_upd_passwd(imapd_t)
 
 libs_use_ld_so(imapd_t)
 libs_use_shared_libs(imapd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.0.8/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/w3c.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/share/w3c-markup-validator(/.*)?		gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.0.8/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/w3c.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+## <summary>W3C</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.0.8/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/w3c.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
+apache_content_template(w3c_validator)
+
+sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
+corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
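Review bot: The brand-new module is introduced as `policy_module(w3c,1.2.1)`; a fresh module normally starts at 1.0.0, so confirm the version is intended rather than inherited from elsewhere. The outbound `corenet_tcp_connect_*` rules for ftp, http and http_cache are unconditional; if the validator script fetches whatever URL a web client submits, a comment should state that it initiates outbound connections on behalf of untrusted input, and gating the rules behind a tunable may be worth considering.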
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-3.0.8/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xfs.te	2008-06-12 23:37:58.000000000 -0400
@@ -26,6 +26,7 @@
 allow xfs_t self:process { signal_perms setpgid };
 allow xfs_t self:unix_stream_socket create_stream_socket_perms;
 allow xfs_t self:unix_dgram_socket create_socket_perms;
+allow xfs_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
 manage_sock_files_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
@@ -37,6 +38,15 @@
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_all_nodes(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_all_nodes(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_client_packets(xfs_t)
+
 corecmd_list_bin(xfs_t)
 
 dev_read_sysfs(xfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2008-06-12 23:37:58.000000000 -0400
@@ -32,11 +32,6 @@
 /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
 #
 # /opt
 #
@@ -91,14 +86,19 @@
 
 /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
 
-/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
 
+/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2008-06-12 23:37:58.000000000 -0400
@@ -116,16 +116,19 @@
 	dev_rw_agp($1_xserver_t)
 	dev_rw_framebuffer($1_xserver_t)
 	dev_manage_dri_dev($1_xserver_t)
-	dev_create_generic_dirs($1_xserver_t)
-	dev_setattr_generic_dirs($1_xserver_t)
+	dev_manage_generic_dirs($1_xserver_t)
 	# raw memory access is needed if not using the frame buffer
 	dev_read_raw_memory($1_xserver_t)
 	dev_wx_raw_memory($1_xserver_t)
 	# for other device nodes such as the NVidia binary-only driver
 	dev_rw_xserver_misc($1_xserver_t)
+	dev_setattr_xserver_misc_dev($1_xserver_t)
+
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
 	dev_rwx_zero($1_xserver_t)
+	dev_read_urand($1_xserver_t)
+	dev_rw_generic_usb_dev($1_xserver_t)
 
 	domain_mmap_low($1_xserver_t)
 
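Review bot: `dev_read_urand($1_xserver_t)` and `dev_rw_generic_usb_dev($1_xserver_t)` are added without the why-comments their neighbours carry, and the USB one gives every per-user X server read/write access to generic USB device nodes, which is broad for a display server. A comment naming the driver or feature that needs it (`# <driver> accesses USB device nodes directly — TODO confirm`) would let a maintainer judge whether it can be narrowed. The template containing these lines starts outside the hunk.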
@@ -141,10 +144,12 @@
 	fs_getattr_xattr_fs($1_xserver_t)
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
-	fs_search_ramfs($1_xserver_t)
+	fs_manage_ramfs_files($1_xserver_t)
+	fs_list_inotifyfs($1_xserver_t)
 
 	init_getpgid($1_xserver_t)
 
+	term_search_ptys($1_xserver_t)
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
 
@@ -178,13 +183,7 @@
 		auth_search_pam_console_data($1_xserver_t)
 	')
 
-	optional_policy(`
-		nis_use_ypbind($1_xserver_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_xserver_t)
-	')
+	auth_use_nsswitch($1_xserver_t)
 
 	optional_policy(`
 		rhgb_getpgid($1_xserver_t)
@@ -251,7 +250,7 @@
 	userdom_user_home_content($1,$1_fonts_cache_t)
 
 	type $1_fonts_config_t, fonts_config_type;
-	userdom_user_home_content($1,$1_fonts_cache_t)
+	userdom_user_home_content($1,$1_fonts_config_t)
 
 	type $1_iceauth_t;
 	domain_type($1_iceauth_t)
@@ -282,11 +281,15 @@
 	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
 
 	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+	allow xdm_t $1_xauth_home_t:file append_file_perms;
 
+	read_files_pattern($1_xserver_t, $2, $2)
 	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
 	allow $1_xserver_t $2:process signal;
 
 	allow $1_xserver_t $2:shm rw_shm_perms;
+	# Certain X Libraries want to read /proc/self/cmdline when started with startx
+	allow $1_xserver_t $2:file r_file_perms;
 
 	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
 	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
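Review bot: `read_files_pattern($1_xserver_t, $2, $2)` and `allow $1_xserver_t $2:file r_file_perms;` both grant read on `$2:file`, so one is redundant; keep the line that carries the /proc/self/cmdline comment and drop the other, or move the comment onto the pattern call. `allow xdm_t $1_xauth_home_t:file append_file_perms;` references `xdm_t`, which must be in this template's gen_require — that block is outside the hunk, so confirm it is listed.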
@@ -316,6 +319,7 @@
 	userdom_use_user_ttys($1,$1_xserver_t)
 	userdom_setattr_user_ttys($1,$1_xserver_t)
 	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
+	userdom_rw_user_tmp_files($1,$1_xserver_t)
 
 	xserver_use_user_fonts($1,$1_xserver_t)
 	xserver_rw_xdm_tmp_files($1_xauth_t)
@@ -324,13 +328,6 @@
 		userhelper_search_config($1_xserver_t)
 	')
 
-	ifdef(`TODO',`
-	ifdef(`xdm.te', `
-		allow $1_t xdm_tmp_t:sock_file unlink;
-		allow $1_xserver_t xdm_var_run_t:dir search;
-	')
-	') dnl end TODO
-
 	##############################
 	#
 	# $1_xauth_t Local policy
@@ -353,12 +350,6 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
 
-	allow $2 $1_xauth_home_t:file manage_file_perms;
-	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
-	allow xdm_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
-
 	domain_use_interactive_fds($1_xauth_t)
 
 	files_read_etc_files($1_xauth_t)
@@ -387,6 +378,14 @@
 	')
 
 	optional_policy(`
+		xserver_read_user_xauth($1, $2)
+	')
+
+	optional_policy(`
+		xserver_read_user_iceauth($1, $2)
+	')
+
+	optional_policy(`
 		nis_use_ypbind($1_xauth_t)
 	')
 
@@ -536,17 +535,16 @@
 template(`xserver_user_client_template',`
 
 	gen_require(`
-		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xdm_t, xdm_tmp_t, xdm_xserver_t;
+		type xdm_var_run_t;
 	')
 
-	allow $2 self:shm create_shm_perms;
-	allow $2 self:unix_dgram_socket create_socket_perms;
-	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+	allow $2 $2:shm create_shm_perms;
+	allow $2 $2:unix_dgram_socket create_socket_perms;
+	allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
 
-	# Read .Xauthority file
-	allow $2 $1_xauth_home_t:file { getattr read };
-	allow $2 $1_iceauth_home_t:file { getattr read };
+	# this should cause the .xsession-errors file to be written to /tmp
+	dontaudit xdm_t $1_home_t:file rw_file_perms;
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
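Review bot: `dontaudit xdm_t $1_home_t:file rw_file_perms;` uses `$1_home_t`, which is not in the gen_require rewritten just above (`xdm_t, xdm_tmp_t, xdm_xserver_t` and `xdm_var_run_t`); add `type $1_home_t;` there. Rewriting `allow $2 self:…` as `allow $2 $2:…` is equivalent only while `$2` is a single type: if a caller passes an attribute, `$2 $2` lets every member domain reach every other member's shm and sockets, whereas `self` does not — keep `self` unless that widening is intended. The comment `# this should cause the .xsession-errors file to be written to /tmp` describes a hope rather than the rule; a dontaudit only silences denials of writes to `$1_home_t`, and the comment should say that.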
@@ -555,25 +553,55 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
+	# consolekit needs this for fast user switching
+	allow $2 xdm_var_run_t:dir search_dir_perms;
+	allow $2 xdm_var_run_t:sock_file getattr;
+
+	corenet_tcp_connect_xserver_port($2)
+
 	# Allow connections to X server.
 	files_search_tmp($2)
 
 	miscfiles_read_fonts($2)
 
 	userdom_search_user_home_dirs($1,$2)
-	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1,$2)
+	userdom_manage_user_home_content_dirs($1, xdm_t)
+	userdom_manage_user_home_content_files($1, xdm_t)
+	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
+	userdom_manage_user_tmp_dirs($1, xdm_t)
+	userdom_manage_user_tmp_files($1, xdm_t)
 
 	xserver_ro_session_template(xdm,$2,$3)
-	xserver_rw_session_template($1,$2,$3)
-	xserver_use_user_fonts($1,$2)
 
 	xserver_read_xdm_tmp_files($2)
 
-	# Client write xserver shm
-	tunable_policy(`allow_write_xshm',`
-		allow $2 $1_xserver_t:shm rw_shm_perms;
-		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	xserver_xdm_stream_connect($2)
+
+	read_files_pattern(xdm_xserver_t, $2, $2)
+	optional_policy(`
+		userdom_read_all_users_home_content_files(xdm_t)
+		userdom_read_all_users_home_content_files(xdm_xserver_t)
+		userdom_rw_user_tmpfs_files($1, xdm_xserver_t)
+#Compiler is broken so these wont work
+		gnome_read_user_gnome_config($1, xdm_t)
+		gnome_read_user_gnome_config($1, xdm_xserver_t)
+	')
+
+	# Read .Xauthority file
+	optional_policy(`
+		xserver_read_user_xauth($1, $2)
+	')
+
+	optional_policy(`
+		xserver_read_user_iceauth($1, $2)
+	')
+
+	optional_policy(`
+		xserver_use_user_fonts($1,$2)
+	')
+
+	optional_policy(`
+		xserver_rw_session_template($1,$2,$3)
 	')
 ')
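Review bot: The column-0 comment `#Compiler is broken so these wont work` sits above two `gnome_read_user_gnome_config` calls that are left active; either the calls work and the comment must go, or they do not and they should be removed rather than shipped with a disclaimer. `userdom_manage_user_home_content_dirs`/`_files($1, xdm_t)` together with the home-dir filetrans give the display manager create/delete control over all of a user's home content, far beyond the .xsession-errors handling the earlier comment alludes to; a comment stating what xdm actually writes there, and whether a dedicated type would do, is warranted. The same widening recurs in xserver.te where `userdom_unlink_unpriv_users_home_content_files(xdm_t)` is added for the same file.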
 
@@ -626,6 +654,24 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of xauth executable
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_getattr_xauth',`
+	gen_require(`
+		type xauth_exec_t;
+	')
+
+	allow $1 xauth_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
@@ -659,6 +705,73 @@
 
 ########################################
 ## <summary>
+##	Read a user Xauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	read to a user Xauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_read_user_xauth',`
+	gen_require(`
+		type $1_xauth_home_t;
+	')
+
+	allow $2 $1_xauth_home_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read a user Iceauthority domain.
+## </summary>
+## <desc>
+##	<p>
+##	read to a user Iceauthority domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_read_user_iceauth',`
+	gen_require(`
+		type $1_iceauth_home_t;
+	')
+
+	# Read .Iceauthority file
+	allow $2 $1_iceauth_home_t:file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
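Review bot: The summaries and descriptions of `xserver_read_user_xauth` and `xserver_read_user_iceauth` say "Read a user Xauthority domain" / "read to a user Xauthority domain", copied from the transition template below, but the rules grant read on the `$1_xauth_home_t` / `$1_iceauth_home_t` file types, not access to a domain. Suggested wording: `##	Read a user's Xauthority file.` and `##	Read a user's ICEauthority file.`, with the `<p>` text adjusted to match. `xserver_read_user_xauth` also lacks the `# Read .Xauthority file` comment its sibling carries for .ICEauthority.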
@@ -927,6 +1040,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
+	allow $1 xdm_tmp_t:sock_file unlink;
 ')
 
 ########################################
@@ -987,6 +1101,37 @@
 
 ########################################
 ## <summary>
+##	Execute xsever in the xdm_xserver domain, and
+##	allow the specified role the xdm_xserver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the xdm_xserver domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the xdm_xserver domain to use.
+##	</summary>
+## </param>
+#
+interface(`xserver_run_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	xserver_domtrans_xdm_xserver($1)
+	role $2 types xdm_xserver_t;
+	allow xdm_xserver_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
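Review bot: The summary of `xserver_run_xdm_xserver` reads "Execute xsever in the xdm_xserver domain" — `xsever` should be `xserver` — and the terminal parameter's summary "The type of the terminal allow the xdm_xserver domain to use" is ungrammatical; `##	The type of the terminal the xdm_xserver domain is allowed to use.` reads cleanly.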
@@ -1136,7 +1281,7 @@
 		type xdm_xserver_tmp_t;
 	')
 
-	allow $1 xdm_xserver_tmp_t:file { getattr read };
+	read_files_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
 ')
 
 ########################################
@@ -1325,3 +1470,64 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
+
+########################################
+## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_stream_connect',`
+	gen_require(`
+		type xdm_t, xdm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xdm_var_run_t:sock_file write;
+	allow $1 xdm_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+	gen_require(`
+		type xdm_xserver_t, xserver_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
+')
+
+########################################
+## <summary>
+##	xdm xserver RW shared memory socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_xdm_rw_shm',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	allow xdm_xserver_t $1:fd use;
+	allow $1 xdm_xserver_t:shm rw_shm_perms;
+	allow xdm_xserver_t $1:shm rw_shm_perms;
+
+')
+
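Review bot: Both `xserver_xdm_stream_connect` and `xserver_stream_connect` carry the summary "Connect to apmd over an unix stream socket.", copied from the apm module; they connect to xdm (`xdm_t` via `xdm_var_run_t`) and to the xdm X server (`xdm_xserver_t` via `xserver_var_run_t`) respectively, and the summaries should say so. `xserver_xdm_stream_connect` hand-writes `sock_file write` plus `unix_stream_socket connectto` while its sibling uses the idiom; `stream_connect_pattern($1,xdm_var_run_t,xdm_var_run_t,xdm_t)` expresses the same intent. The `xserver_xdm_rw_shm` summary "xdm xserver RW shared memory socket" is inaccurate — it grants fd use and bidirectional shm, not a socket — and the blank line before its closing `')` should go.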
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2008-06-12 23:37:58.000000000 -0400
@@ -16,6 +16,13 @@
 
 ## <desc>
 ## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem,false)
+
+## <desc>
+## <p>
 ## Allow xdm logins as sysadm
 ## </p>
 ## </desc>
@@ -56,6 +63,9 @@
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 typealias xdm_tmp_t alias ice_tmp_t;
@@ -67,6 +77,9 @@
 type xkb_var_lib_t;
 files_type(xkb_var_lib_t)
 
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
 # Type for the executable used to start the X server, e.g. Xwrapper.
 type xserver_exec_t;
 corecmd_executable_file(xserver_exec_t)
@@ -95,8 +108,8 @@
 # XDM Local policy
 #
 
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms setkeycreate };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
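Review bot: `sys_ptrace` is added to xdm_t's capabilities and `ptrace` to its self:process permissions without a why-comment, unlike other additions in this file (`# Read machine-id`, `# Wants to delete .xsession-errors file`). CAP_SYS_PTRACE is a strong capability, so the line should record what in the display manager needs it, e.g. `# sys_ptrace/ptrace: required by <component> — TODO confirm`; if it only surfaces as an audit denial with no functional impact, a dontaudit is the safer alternative.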
@@ -110,6 +123,8 @@
 allow xdm_t self:key { search link write };
 
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -132,15 +147,21 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
+fs_list_all(xdm_t)
 
 manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
 
 manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
+manage_sock_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file sock_file })
 
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
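Review bot: `fs_rw_tmpfs_files(xdm_xserver_t)` is inserted into the `# XDM Local policy` section among xdm_t rules; it belongs with the xdm_xserver_t rules further down (the section holding `allow xdm_xserver_t xdm_var_lib_t…`) so readers scanning per-domain sections find it. `fs_getattr_all_fs(xdm_t)` and `fs_list_all(xdm_t)` arrive without comment, and `# Read machine-id` understates `files_read_var_lib_files(xdm_t)`, which by its name covers every file of the generic /var/lib type; either widen the comment (`# Read machine-id (grants read of all generic /var/lib files)`) or use a narrower interface if one exists.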
@@ -185,6 +206,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
+corenet_udp_bind_xdmcp_port(xdm_t)
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
@@ -197,6 +219,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
+dev_rw_input_dev(xdm_t)
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
@@ -209,8 +232,8 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
+dev_read_sound(xdm_t)
+dev_write_sound(xdm_t)
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
 
@@ -246,6 +269,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
+auth_signal_pam(xdm_t)
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
@@ -257,6 +281,7 @@
 libs_exec_lib_files(xdm_t)
 
 logging_read_generic_logs(xdm_t)
+logging_send_audit_msgs(xdm_t)
 
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
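Review bot: `logging_send_audit_msgs(xdm_t)` is fine, but the same interface is also added to `auth_login_pgm_domain` in the hunk at `@@ -196,20 +223,58 @@`, so if xdm_t is a login program domain this line is a duplicate; keeping one copy (preferably the one in the shared interface) avoids the two drifting apart. If xdm_t does not use `auth_login_pgm_domain`, a one-line comment saying which audit record xdm emits would justify the local grant.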
@@ -268,9 +293,14 @@
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
 userdom_read_unpriv_users_home_content_files(xdm_t)
+
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+#
+# Wants to delete .xsession-errors file
+#
+userdom_unlink_unpriv_users_home_content_files(xdm_t)
 
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
@@ -305,7 +335,16 @@
 ')
 
 optional_policy(`
+	bootloader_domtrans(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
+	dbus_system_bus_client_template(xdm, xdm_t)
+	dbus_send_system_bus(xdm_t)
+	optional_policy(`
+		hal_dbus_chat(xdm_t)
+	')
 ')
 
 optional_policy(`
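Review bot: `bootloader_domtrans(xdm_t)` lets the display manager transition into the bootloader domain, and nothing in the hunk says why a login manager would run bootloader tooling; since that domain can rewrite boot configuration, the rule needs a comment naming the caller, e.g. `# <program> invokes the bootloader tooling on <occasion> — TODO confirm`, or should move to the domain that actually needs it. In the dbus block, `dbus_send_system_bus(xdm_t)` looks redundant next to `dbus_system_bus_client_template(xdm, xdm_t)` if the template already grants send_msg to the system bus; worth checking in dbus.if before keeping both.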
@@ -313,6 +352,10 @@
 ')
 
 optional_policy(`
+	gnome_exec_gconf(xdm_t)
+')
+
+optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
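Review bot: `gnome_exec_gconf(xdm_t)` is added without a comment, unlike the neighbouring gpm block which says `# Talk to the console mouse server.`; a one-liner such as `# gdm reads its gconf settings via gconftool — TODO confirm` keeps the file's convention and records the consumer. Execution here is in the caller's domain (no transition), so the gconf binary runs with all of xdm_t's access; if the gnome module offers a domtrans variant that would be the tighter choice.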
@@ -348,12 +391,10 @@
 ')
 
 optional_policy(`
+	unconfined_domain(xdm_xserver_t)
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
+	unconfined_signal(xdm_t)
 
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
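Review bot: `unconfined_domain(xdm_xserver_t)` makes the X server an unconfined domain, which largely negates the finer-grained `unconfined_rw_shm`/`unconfined_rw_tmpfs_files`/`unconfined_signal` rules and the new `allow_xserver_execmem` tunable that the hunk at `@@ -434,47 +492,26 @@` introduces in place of the old `unconfined_domain_noaudit(xdm_xserver_t)`. If the intent is to confine the X server this line should go; if it is a deliberate stop-gap it should carry a comment such as `# TODO: X server still unconfined pending <tracking ref>` so the targeted rules are not mistaken for the effective policy. It also lands in the xdm_t optional_policy block rather than the xdm_xserver_t one, so a reader of the X server section will not see it.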
@@ -385,7 +426,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -397,6 +438,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
 
+manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)	
+manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
+
+manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)	
+manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)
+
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
 
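Review bot: `manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` uses xdm_var_run_t where the three surrounding lines use xserver_var_run_t, and `files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)` only transitions directories, so sockets the X server creates directly under /var/run would keep the parent's type in either case. If the X server really manages xdm's sockets a comment should say so; otherwise this reads as a copy-paste slip and should be `manage_sock_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)` with `{ dir sock_file }` in the filetrans. The two `manage_dirs_pattern` lines also carry trailing tabs.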
@@ -425,6 +475,14 @@
 ')
 
 optional_policy(`
+	locallogin_use_fds(xdm_xserver_t)
+')
+
+optional_policy(`
+	mono_rw_shm(xdm_xserver_t)
+')
+
+optional_policy(`
 	resmgr_stream_connect(xdm_t)
 ')
 
@@ -434,47 +492,26 @@
 ')
 
 optional_policy(`
-	unconfined_domain_noaudit(xdm_xserver_t)
-	unconfined_domtrans(xdm_xserver_t)
+	rpm_dontaudit_rw_shm(xdm_xserver_t)
+	rpm_rw_tmpfs_files(xdm_xserver_t)
+')
 
-	ifndef(`distro_redhat',`
-		allow xdm_xserver_t self:process { execheap execmem };
-	')
+optional_policy(`
+	unconfined_rw_shm(xdm_xserver_t)
+	unconfined_execmem_rw_shm(xdm_xserver_t)
+	unconfined_rw_tmpfs_files(xdm_xserver_t)
+	unconfined_manage_tmp_files(xdm_xserver_t)
 
-	ifdef(`distro_rhel4',`
-		allow xdm_xserver_t self:process { execheap execmem };
-	')
+	# xserver signals unconfined user on startx
+	unconfined_signal(xdm_xserver_t)
+	unconfined_getpgid(xdm_xserver_t)
 ')
 
-ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file manage_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-tunable_policy(`allow_polyinstantiation',`
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
+tunable_policy(`allow_xserver_execmem', `
+	allow xdm_xserver_t self:process { execheap execmem execstack };
+')
+
+ifdef(`distro_rhel4',`
+	allow xdm_xserver_t self:process { execheap execmem };
 ')
 
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
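Review bot: `tunable_policy(`allow_xserver_execmem', ...)` needs a matching `gen_tunable(allow_xserver_execmem, false)` with a `<desc>` comment in the declarations section, which is not in this diff; as far as I can tell an undeclared boolean is rejected at build time, so confirm it is declared in the same change. The `ifdef(`distro_rhel4', ...)` block below still grants execheap/execmem unconditionally, so on RHEL4 builds the tunable is ineffective; a comment stating that exception would help. Dropping the `ifdef(`TODO', ...)` block is fine since its live rules have been moved into interfaces above.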
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.0.8/policy/modules/services/zebra.te
--- nsaserefpolicy/policy/modules/services/zebra.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/zebra.te	2008-06-12 23:37:59.000000000 -0400
@@ -115,8 +115,7 @@
 userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
 
 tunable_policy(`allow_zebra_write_config',`
-	allow zebra_t zebra_conf_t:dir write;
-	allow zebra_t zebra_conf_t:file write;
+	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 ')
 
 optional_policy(`
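Review bot: `manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)` widens the `allow_zebra_write_config` tunable from write on existing config to create, unlink, rename and setattr, while the tunable's name and its description (declared outside this hunk) still promise only writing. Either update the `gen_tunable` description to say the configuration can be created and removed, or use `rw_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)` if write is all that is needed; the gate should match what it grants.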
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.0.8/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/application.if	2008-06-12 23:37:59.000000000 -0400
@@ -63,6 +63,26 @@
 
 ########################################
 ## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`application_exec_all',`
+       # Need this dontaudit or command completion fires hundreds of avcs
+       corecmd_dontaudit_exec_all_executables($1)
+       corecmd_exec_bin($1)
+       corecmd_exec_shell($1)
+       corecmd_exec_chroot($1)
+       application_exec($1)
+')
+
+########################################
+## <summary>
 ##	Create a domain which can be started by users
 ## </summary>
 ## <param name="domain">
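Review bot: The body of `application_exec_all` is indented with seven spaces while every other interface in this file uses a tab, and the summary `Execute all executable files.` overstates it: the interface dontaudits execution of all executables and allows only bin, shell, chroot and application executables. Suggest re-indenting with tabs and a summary like `##	Execute bin, shell, chroot and application executables, silencing denials for any other executable.`. The `<rolecap/>` tag exposes this as a role capability; confirm that is intended for an interface this broad.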
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc	2008-06-12 23:37:59.000000000 -0400
@@ -13,7 +13,9 @@
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 ifdef(`distro_suse', `
 /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
@@ -38,5 +40,9 @@
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 
 /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
+/var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+
+/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2008-06-22 06:46:13.000000000 -0400
@@ -26,7 +26,8 @@
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	application_domain($1_chkpwd_t,chkpwd_exec_t)
 
-	allow $1_chkpwd_t self:capability { audit_control setuid };
+	allow $1_chkpwd_t self:capability { dac_override setuid };
+	dontaudit $1_chkpwd_t self:capability sys_tty_config;
 	allow $1_chkpwd_t self:process getattr;
 
 	files_list_etc($1_chkpwd_t)
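Review bot: Swapping `audit_control` for `dac_override` on `$1_chkpwd_t` hands the password checker a capability that bypasses DAC on everything its type rules already allow, and the hunk does not say which access triggers it. If the helper runs setuid root it does not need dac_override to read /etc/shadow; if it runs with a lower uid, the capability alone is what lets it past the shadow file's mode, which deserves a comment such as `# dac_override: <file> is not readable by the helper's uid — TODO confirm`. The enclosing `authlogin_common_auth_domain_template` starts before this hunk.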
@@ -99,6 +100,7 @@
 
 	gen_require(`
 		type system_chkpwd_t, shadow_t;
+		type pam_t;
 	')
 
 	authlogin_common_auth_domain_template($1)
@@ -106,9 +108,6 @@
 	role $3 types $1_chkpwd_t;
 	role $3 types system_chkpwd_t;
 
-	# cjp: is this really needed?
-	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
 	dontaudit $2 shadow_t:file { getattr read };
 
 	# Transition from the user domain to this domain.
@@ -120,6 +119,7 @@
 
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_chkpwd_t)
+	userdom_dontaudit_write_user_home_content_files($1, pam_t)
 ')
 
 ########################################
@@ -169,6 +169,10 @@
 ## </param>
 #
 interface(`auth_login_pgm_domain',`
+	gen_require(`
+		attribute keyring_type;
+		type auth_cache_t;
+	')
 
 	domain_type($1)
 	domain_subj_id_change_exemption($1)
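Review bot: `var_auth_t` is used by `manage_files_pattern($1, var_auth_t, var_auth_t)` in the next hunk of this interface but is not listed in the new `gen_require` block, while `attribute keyring_type` is required here and not referenced on any visible line of `auth_login_pgm_domain`. Since this patch also removes the `type var_auth_t;` requirement from `auth_use_nsswitch`, callers in other modules may now hit an undeclared-type error; suggest `type auth_cache_t, var_auth_t;` and dropping `attribute keyring_type;` unless a line outside the visible hunks uses it.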
@@ -176,11 +180,34 @@
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 
+	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+	kernel_write_proc_files($1)
+
+	# pam_keyring
+	allow $1 self:capability ipc_lock;
+	allow $1 self:process setkeycreate;
+	allow $1 self:key manage_key_perms;
+	userdom_manage_all_users_keys($1)
+
+	files_list_var_lib($1)
+	manage_files_pattern($1, var_auth_t, var_auth_t)
+
+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+	files_var_filetrans($1,auth_cache_t,dir)
+
 	# for SSP/ProPolice
 	dev_read_urand($1)
 
+	# for fingerprint readers
+	dev_rw_input_dev($1)
+	dev_rw_generic_usb_dev($1)
+
 	files_read_etc_files($1)
 
+	fs_list_auto_mountpoints($1)
+
 	selinux_get_fs_mount($1)
 	selinux_validate_context($1)
 	selinux_compute_access_vector($1)
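Review bot: Everything added here applies to every domain that calls `auth_login_pgm_domain` (login, sshd, the display manager, ...), and several grants are broad for that audience: `kernel_write_proc_files($1)`, `dev_rw_input_dev($1)` plus `dev_rw_generic_usb_dev($1)` give each login program write access to /proc files and read/write on all input and USB device nodes, and `files_var_filetrans($1,auth_cache_t,dir)` relabels any directory a login program creates directly in /var as auth_cache_t. The afs and fingerprint-reader cases would sit better under an `optional_policy` or `tunable_policy` so systems without those PAM modules do not carry the access; at minimum the afs comment should name the /proc file that is written. The `ipc_lock` capability for pam_keyring deserves the same one-line justification.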
@@ -196,20 +223,58 @@
 	mls_fd_share_all_levels($1)
 
 	auth_domtrans_chk_passwd($1)
+	auth_domtrans_upd_passwd($1)
 	auth_dontaudit_read_shadow($1)
 	auth_read_login_records($1)
 	auth_append_login_records($1)
 	auth_rw_lastlog($1)
-	auth_append_faillog($1)
+	auth_rw_faillog($1)
 	auth_exec_pam($1)
+	auth_use_nsswitch($1)
+
+	corenet_tcp_bind_all_rpc_ports($1)
+	corenet_udp_bind_all_rpc_ports($1)
 
 	init_rw_utmp($1)
 
+	logging_send_audit_msgs($1)
 	logging_send_syslog_msg($1)
+	logging_set_loginuid($1)
 
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
+	userdom_set_rlimitnh($1)
+	userdom_unlink_unpriv_users_tmp_files($1)
+	userdom_unpriv_users_stream_connect($1)
+
+	optional_policy(`
+		dbus_system_bus_client_template(notused, $1)
+		optional_policy(`
+			oddjob_dbus_chat($1)
+			oddjob_domtrans_mkhomedir($1)
+		')
+	')
+
+	optional_policy(`
+		corecmd_exec_bin($1)
+		storage_getattr_fixed_disk_dev($1)
+		mount_domtrans($1)
+	')
+
+	optional_policy(`
+		nis_authenticate($1)
+	')
+
+	optional_policy(`
+		ssh_agent_exec($1)
+		userdom_read_all_users_home_content_files($1)
+	')
+
+	optional_policy(`
+		unconfined_set_rlimitnh($1)
+	')
+
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
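Review bot: `corenet_tcp_bind_all_rpc_ports($1)` and `corenet_udp_bind_all_rpc_ports($1)` let every login program bind any RPC port without a comment saying which PAM module needs it; add `# <pam module> binds a reserved RPC port — TODO confirm`, or move the pair into an `optional_policy` for that module. The `optional_policy` grouping `corecmd_exec_bin`, `storage_getattr_fixed_disk_dev` and `mount_domtrans` mixes three modules in one block; refpolicy convention is one optional module per block, with `corecmd_exec_bin` (a base interface) outside any block. `dbus_system_bus_client_template(notused, $1)` with a literal `notused` prefix also warrants a comment explaining why no real prefix applies.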
@@ -309,9 +374,6 @@
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
 
-	# cjp: is this really needed?
-	allow $1 self:capability audit_control;
-
 	corecmd_search_bin($1)
 	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 
@@ -329,6 +391,8 @@
 
 	optional_policy(`
 		kerberos_use($1)
+		kerberos_read_keytab($1)
+		kerberos_524_connect($1)
 	')
 
 	optional_policy(`
@@ -347,6 +411,58 @@
 
 ########################################
 ## <summary>
+##	Run unix_chkpwd to check a password.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_chkpwd',`
+	gen_require(`
+		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
+	dontaudit $1 shadow_t:file { getattr read };
+	auth_domtrans_upd_passwd($1)
+')
+
+########################################
+## <summary>
+##	Execute chkpwd programs in the chkpwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow hte updpwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the updpwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_chk_passwd',`
+	gen_require(`
+		type system_chkpwd_t;
+	')
+
+	auth_domtrans_chk_passwd($1)
+	role $2 types system_chkpwd_t;
+	allow system_chkpwd_t $3:chr_file rw_file_perms;
+
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the shadow passwords file.
 ## </summary>
 ## <param name="domain">
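Review bot: `auth_domtrans_chkpwd` duplicates the existing `auth_domtrans_chk_passwd` (same `domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)` and shadow dontaudit, visible in the context of the hunk at `@@ -309,9 +374,6 @@`) and differs only by also calling `auth_domtrans_upd_passwd($1)`; two near-identical names invite callers to pick the wrong one, so either fold the extra call into the existing interface or name the new one after what it adds. The `auth_run_chk_passwd` docs were copied from the updpwd variant: `The role to allow hte updpwd domain.` should read `The role to allow the chkpwd domain.`, the terminal param likewise, and the blank line before `')` is a style nit.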
@@ -695,6 +811,24 @@
 
 ########################################
 ## <summary>
+##	Execute pam programs in the pam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_signal_pam',`
+	gen_require(`
+		type pam_t;
+	')
+
+	allow $1 pam_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute pam programs in the PAM domain.
 ## </summary>
 ## <param name="domain">
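Review bot: The summary of `auth_signal_pam` says `Execute pam programs in the pam domain.` but the interface only grants `allow $1 pam_t:process signal;`; the text was copied from the `auth_exec_pam` block that follows. Suggest `##	Send a generic signal to the PAM domain.`.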
@@ -1318,16 +1452,14 @@
 ## </param>
 #
 interface(`auth_use_nsswitch',`
-	gen_require(`
-		type var_auth_t;
-	')
 
 	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 
-	allow $1 var_auth_t:dir list_dir_perms;
-	allow $1 var_auth_t:file manage_file_perms;
 	files_list_var_lib($1)
 
+	# read /etc/nsswitch.conf
+	files_read_etc_files($1)
+
 	miscfiles_read_certs($1)
 
 	sysnet_dns_name_resolve($1)
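Review bot: Dropping the `var_auth_t` rules from `auth_use_nsswitch` is a behaviour change for every non-login caller of this interface that relied on listing/managing /var/lib/auth, since the manage rule now exists only in `auth_login_pgm_domain`; if that is intended, check that the interface summary (outside the hunk) no longer mentions auth data, and remove the now-empty first line of the body left behind by the deleted `gen_require`. `files_read_etc_files($1)` with its `# read /etc/nsswitch.conf` comment is a good addition.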
@@ -1347,6 +1479,8 @@
 
 	optional_policy(`
 		samba_stream_connect_winbind($1)
+		samba_read_var_files($1)
+		samba_dontaudit_write_var_files($1)
 	')
 ')
 
@@ -1381,3 +1515,181 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
+
+########################################
+## <summary>
+##	read login keyrings.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_key',`
+	gen_require(`
+		attribute keyring_type;
+	')
+
+	allow $1 keyring_type:key { read search view };
+')
+
+########################################
+## <summary>
+##	search login keyrings.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_search_key',`
+	gen_require(`
+		attribute keyring_type;
+	')
+
+	allow $1 keyring_type:key { search link };
+')
+
+
+
+########################################
+## <summary>
+##	Make the specified domain a keyring domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain type used for a login program domain.
+##	</summary>
+## </param>
+#
+interface(`auth_keyring_domain',`
+	gen_require(`
+		attribute keyring_type;
+	')
+
+	typeattribute $1 keyring_type;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run unix_update.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_upd_passwd',`
+	gen_require(`
+		type updpwd_t, updpwd_exec_t;
+	')
+
+	domtrans_pattern($1,updpwd_exec_t,updpwd_t)
+	auth_dontaudit_read_shadow($1)
+
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run unix_update in Read Only Mode.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_upd_passwd_chk',`
+	gen_require(`
+		type system_chkpwd_t, updpwd_exec_t;
+	')
+
+	domain_auto_trans($1,updpwd_exec_t,system_chkpwd_t)
+	allow system_chkpwd_t $1:fd use;
+	allow system_chkpwd_t $1:fifo_file rw_file_perms;
+	allow system_chkpwd_t $1:process sigchld;
+	auth_dontaudit_read_shadow($1)
+
+')
+
+########################################
+## <summary>
+##	Execute updpwd programs in the updpwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the updpwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the updpwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_upd_passwd',`
+	gen_require(`
+		type updpwd_t;
+	')
+
+	auth_domtrans_upd_passwd($1)
+	role $2 types updpwd_t;
+	allow updpwd_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute updpwd programs in the chkpwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the updpwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the updpwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_upd_passwd_chk',`
+	gen_require(`
+		type system_chkpwd_t;
+	')
+
+	auth_domtrans_upd_passwd_chk($1)
+	role $2 types system_chkpwd_t;
+	allow system_chkpwd_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	read_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
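Review bot: `auth_domtrans_upd_passwd` and `auth_domtrans_upd_passwd_chk` both install a type_transition for `$1` executing `updpwd_exec_t`, to `updpwd_t` and `system_chkpwd_t` respectively, so a domain that ends up calling both (directly, or via `auth_domtrans_chkpwd`, which calls the former) produces conflicting transitions at build time as far as I can tell; both summaries should state that the two are mutually exclusive per caller. `auth_domtrans_upd_passwd_chk` here and `fusermount_domtrans` in fusermount.if spell out `domain_auto_trans` plus fd/fifo/sigchld rules by hand where the sibling interfaces use `domtrans_pattern($1,updpwd_exec_t,system_chkpwd_t)`; the pattern is the house style. Minor: the blank lines before `')` in `auth_domtrans_upd_passwd` and its `_chk` variant, the three blank lines before `auth_keyring_domain`, and the doubled space in `read_files_pattern($1, auth_cache_t,  auth_cache_t)`.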
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2008-06-22 06:47:13.000000000 -0400
@@ -1,4 +1,4 @@
-
+	
 policy_module(authlogin,1.7.1)
 
 ########################################
@@ -9,6 +9,13 @@
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
+attribute keyring_type;
+
+type updpwd_t;
+type updpwd_exec_t;
+domain_type(updpwd_t)
+domain_entry_file(updpwd_t,updpwd_exec_t)
+role system_r types updpwd_t;
 
 type chkpwd_exec_t;
 application_executable_file(chkpwd_exec_t)
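Review bot: `updpwd_t` is set up by hand with `domain_type`, `domain_entry_file` and a `role system_r` line, while the neighbouring helper domains in this file (`application_domain(utempter_t,utempter_exec_t)`, `application_domain($1_chkpwd_t,chkpwd_exec_t)`) use `application_domain`, which also marks the entry file as an application executable. Unless there is a reason updpwd must not be an application domain, `application_domain(updpwd_t,updpwd_exec_t)` keeps the declarations consistent. A one-line comment saying what updpwd is (the unix_update helper, per authlogin.fc) would also help.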
@@ -53,6 +60,9 @@
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
 
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
 #
 # var_auth_t is the type of /var/lib/auth, usually
 # used for auth data in pam_able
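Review bot: `logging_log_file(auth_cache_t)` gives the authentication cache (labelled on /var/cache/coolkey in authlogin.fc) the log-file attribute, so every domain allowed to read or manage all logs also gains access to cached credential material, which is not what a cache type should expose. `files_type(auth_cache_t)` is the usual declaration for a plain /var/cache type; access should then come only through `auth_read_cache` and `auth_login_pgm_domain`.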
@@ -67,6 +77,10 @@
 authlogin_common_auth_domain_template(system)
 role system_r types system_chkpwd_t;
 
+# Read only version of updpwd
+domain_entry_file(system_chkpwd_t,updpwd_exec_t)
+
+
 ########################################
 #
 # PAM local policy
@@ -94,36 +108,39 @@
 allow pam_t pam_tmp_t:file manage_file_perms;
 files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
 
+auth_use_nsswitch(pam_t)
+
 kernel_read_system_state(pam_t)
 
 fs_search_auto_mountpoints(pam_t)
 
+miscfiles_read_localization(pam_t)
+
 term_use_all_user_ttys(pam_t)
 term_use_all_user_ptys(pam_t)
 
-init_dontaudit_rw_utmp(pam_t)
+init_read_utmp(pam_t)
+init_dontaudit_write_utmp(pam_t)
 
 files_read_etc_files(pam_t)
-
 libs_use_ld_so(pam_t)
 libs_use_shared_libs(pam_t)
 
 logging_send_syslog_msg(pam_t)
 
 userdom_use_unpriv_users_fds(pam_t)
+userdom_write_unpriv_users_tmp_files(pam_t)
+userdom_unlink_unpriv_users_tmp_files(pam_t)
+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
+userdom_dontaudit_read_user_tmp_files(user, pam_t)
+userdom_dontaudit_write_user_home_content_files(unconfined, pam_t)
 
 optional_policy(`
 	locallogin_use_fds(pam_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(pam_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pam_t)
-')
-
 ########################################
 #
 # PAM console local policy
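Review bot: `userdom_dontaudit_write_user_home_content_files(user, pam_t)` and `(unconfined, pam_t)` hard-code the `user` and `unconfined` prefixes inside a system module, which as far as I can tell ties the build to those user domains existing (the unconfined one in particular is optional); the prefix-free `userdom_*_unpriv_users_*` forms used on the surrounding lines, or an `optional_policy` around the unconfined line, avoid that. `userdom_unlink_unpriv_users_tmp_files(pam_t)` is added here and again in the hunk at `@@ -256,6 +280,7 @@`, inside the system_chkpwd_t section; keep only this copy.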
@@ -149,6 +166,8 @@
 dev_setattr_apm_bios_dev(pam_console_t)
 dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
+dev_getattr_event_dev(pam_console_t)
+dev_setattr_event_dev(pam_console_t)
 dev_getattr_framebuffer_dev(pam_console_t)
 dev_setattr_framebuffer_dev(pam_console_t)
 dev_getattr_generic_usb_dev(pam_console_t)
@@ -159,6 +178,8 @@
 dev_setattr_mouse_dev(pam_console_t)
 dev_getattr_power_mgmt_dev(pam_console_t)
 dev_setattr_power_mgmt_dev(pam_console_t)
+dev_getattr_printer_dev(pam_console_t)
+dev_setattr_printer_dev(pam_console_t)
 dev_getattr_scanner_dev(pam_console_t)
 dev_setattr_scanner_dev(pam_console_t)
 dev_getattr_sound_dev(pam_console_t)
@@ -168,6 +189,8 @@
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
 dev_read_urand(pam_console_t)
+dev_getattr_all_chr_files(pam_console_t)
+dev_setattr_all_chr_files(pam_console_t)
 
 mls_file_read_all_levels(pam_console_t)
 mls_file_write_all_levels(pam_console_t)
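Review bot: `dev_getattr_all_chr_files(pam_console_t)` and `dev_setattr_all_chr_files(pam_console_t)` cover every character device node, which makes the per-device pairs added in the hunks at `@@ -149,6 +166,8 @@` and `@@ -159,6 +178,8 @@` (event, printer) redundant along with most of the enumerated list above them, assuming those device types carry the device_node attribute. Either keep the enumerated list and drop the all_chr_files pair, or drop the list and comment why pam_console needs attribute access to every device; carrying both hides what was actually required.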
@@ -200,6 +223,7 @@
 
 fs_list_auto_mountpoints(pam_console_t)
 fs_list_noxattr_fs(pam_console_t)
+fs_getattr_all_fs(pam_console_t)
 
 init_use_fds(pam_console_t)
 init_use_script_ptys(pam_console_t)
@@ -236,7 +260,7 @@
 
 optional_policy(`
 	xserver_read_xdm_pid(pam_console_t)
-	xserver_use_xdm_fds(pam_t)
+	xserver_dontaudit_write_log(pam_console_t)
 ')
 
 ########################################
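Review bot: Replacing `xserver_use_xdm_fds(pam_t)` with `xserver_dontaudit_write_log(pam_console_t)` removes a pam_t grant rather than a pam_console_t one; the old line was misplaced in this pam_console block, but nothing visible re-adds fd use for pam_t elsewhere. If pam_t still inherits descriptors from the display manager, move `xserver_use_xdm_fds(pam_t)` into the pam_t optional_policy block rather than dropping it.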
@@ -256,6 +280,7 @@
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
+userdom_unlink_unpriv_users_tmp_files(pam_t)
 
 ########################################
 #
@@ -302,3 +327,31 @@
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
 ')
+
+########################################
+#
+# updpwd local policy
+#
+
+allow updpwd_t self:process setfscreate;
+allow updpwd_t self:fifo_file { read write };
+allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
+allow updpwd_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(updpwd_t)
+libs_use_ld_so(updpwd_t)
+libs_use_shared_libs(updpwd_t)
+miscfiles_read_localization(updpwd_t)
+
+auth_manage_shadow(updpwd_t)
+auth_use_nsswitch(updpwd_t)
+
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_all_user_ptys(updpwd_t)
+term_dontaudit_use_all_user_ttys(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+term_dontaudit_use_generic_ptys(updpwd_t)
+
+files_manage_etc_files(updpwd_t)
+kernel_read_system_state(updpwd_t)
+logging_send_syslog_msg(updpwd_t)
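Review bot: `files_manage_etc_files(updpwd_t)` lets the password updater create, write and delete every etc_t file in /etc, far more than the shadow rewrite it exists for; if the need is the temporary file that replaces /etc/shadow, a file transition to shadow_t (check whether `auth_manage_shadow` already provides one) keeps the grant to the shadow type. `allow updpwd_t self:process setfscreate;` likewise deserves a comment naming the file it labels, e.g. `# setfscreate: label the replacement shadow file — TODO confirm`.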
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.8/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/fstools.fc	2008-06-12 23:37:59.000000000 -0400
@@ -20,7 +20,6 @@
 /sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.8/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/fstools.te	2008-06-12 23:37:59.000000000 -0400
@@ -109,8 +109,7 @@
 
 term_use_console(fsadm_t)
 
-corecmd_list_bin(fsadm_t)
-corecmd_read_bin_symlinks(fsadm_t)
+corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
 corecmd_exec_shell(fsadm_t)
 
@@ -126,6 +125,7 @@
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
 files_manage_isid_type_dirs(fsadm_t)
+files_manage_isid_type_files(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t,file)
@@ -183,4 +183,13 @@
 
 optional_policy(`
 	xen_append_log(fsadm_t)
+	xen_rw_image_files(fsadm_t)
+')
+
+tunable_policy(`xen_use_nfs',`
+	fs_manage_nfs_files(fsadm_t)
+')
+
+optional_policy(`
+	unconfined_domain(fsadm_t)
 ')
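Review bot: `unconfined_domain(fsadm_t)` makes every filesystem tool (mkfs, fsck, parted) unconfined, which discards the fsadm policy above it; if a specific denial motivated it, the targeted rule should be added instead, and if it must stay it needs a comment with the tracking reference. Separately, `tunable_policy(`xen_use_nfs', ...)` refers to a boolean declared by the xen module but sits outside the `optional_policy` that guards the xen interfaces, so a build without the xen module would fail to resolve it as far as I can tell; move it inside that block.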
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.8/policy/modules/system/fusermount.fc
--- nsaserefpolicy/policy/modules/system/fusermount.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/fusermount.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,7 @@
+# fusermount executable will have:
+# label: system_u:object_r:fusermount_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
+/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.8/policy/modules/system/fusermount.if
--- nsaserefpolicy/policy/modules/system/fusermount.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/fusermount.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,41 @@
+## <summary>policy for fusermount</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run fusermount.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fusermount_domtrans',`
+	gen_require(`
+		type fusermount_t, fusermount_exec_t;
+	')
+
+	domain_auto_trans($1,fusermount_exec_t,fusermount_t)
+
+	allow fusermount_t $1:fd use;
+	allow fusermount_t $1:fifo_file rw_file_perms;
+	allow fusermount_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from fusermount.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fusermount_use_fds',`
+	gen_require(`
+		type fusermount_t;
+	')
+
+	allow $1 fusermount_t:fd use;
+')
\ No newline at end of file
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.8/policy/modules/system/fusermount.te
--- nsaserefpolicy/policy/modules/system/fusermount.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/fusermount.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,45 @@
+policy_module(fusermount,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fusermount_t;
+type fusermount_exec_t;
+application_domain(fusermount_t, fusermount_exec_t)
+role system_r types fusermount_t;
+
+########################################
+#
+# fusermount local policy
+#
+allow fusermount_t self:capability sys_admin;
+allow fusermount_t self:fifo_file { read write };
+allow fusermount_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(fusermount_t)
+
+libs_use_ld_so(fusermount_t)
+libs_use_shared_libs(fusermount_t)
+
+miscfiles_read_localization(fusermount_t)
+
+files_manage_etc_runtime_files(fusermount_t)
+files_etc_filetrans_etc_runtime(fusermount_t,file)
+files_mounton_all_mountpoints(fusermount_t)
+
+fs_mount_fusefs(fusermount_t)
+
+storage_raw_read_fixed_disk(fusermount_t)
+storage_raw_write_fixed_disk(fusermount_t)
+storage_rw_fuse(fusermount_t)
+
+optional_policy(`
+	hal_write_log(fusermount_t)
+	hal_use_fds(fusermount_t)
+	hal_rw_pipes(fusermount_t)
+')
+
+
+
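Review bot: `storage_raw_read_fixed_disk(fusermount_t)` and `storage_raw_write_fixed_disk(fusermount_t)` give the FUSE mount helper raw read/write on fixed disk block devices, which it should not need: it mounts through /dev/fuse (`storage_rw_fuse`) and the filesystem work happens in the userspace daemon. If a particular FUSE backend needs the disk, say so in a comment and gate it with a boolean. `fusermount_t` also only gets `role system_r`, yet the helper is normally run from user sessions, so either a run interface granting user roles or a comment explaining the system-only scope is missing; the three trailing blank lines at the end of the file should go.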
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-3.0.8/policy/modules/system/getty.fc
--- nsaserefpolicy/policy/modules/system/getty.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/getty.fc	2008-06-12 23:37:59.000000000 -0400
@@ -8,5 +8,5 @@
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
-/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
-/var/spool/voice	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.8/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/getty.te	2008-06-12 23:37:59.000000000 -0400
@@ -33,7 +33,8 @@
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+# getty requires sys_admin #209426
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid sys_admin };
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
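Review bot: `sys_admin` is the broadest capability in the set, and the comment `# getty requires sys_admin #209426` records the bug but not the operation; `# sys_admin: <operation> on the tty, see bug #209426 — TODO confirm` would let a later reviewer decide whether a narrower capability now suffices. The line below still dontaudits sys_tty_config even though it is allowed on this line, which is pre-existing but worth tidying while here.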
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.0.8/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/hostname.te	2008-06-12 23:37:59.000000000 -0400
@@ -8,7 +8,9 @@
 
 type hostname_t;
 type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+application_domain(hostname_t, hostname_exec_t)
 role system_r types hostname_t;
 
 ########################################
@@ -60,3 +62,11 @@
 	xen_append_log(hostname_t)
 	xen_dontaudit_use_fds(hostname_t)
 ')
+
+optional_policy(`
+	xen_append_log(hostname_t)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(hostname_t)
+')
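Review bot: The new `optional_policy(` block containing `xen_append_log(hostname_t)` duplicates the line already present in the preceding optional_policy block (visible in the hunk context); drop the new block and keep only the `unconfined_dontaudit_rw_pipes(hostname_t)` one.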
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.0.8/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/hotplug.te	2008-06-12 23:37:59.000000000 -0400
@@ -179,6 +179,7 @@
 	sysnet_read_dhcpc_pid(hotplug_t)
 	sysnet_rw_dhcp_config(hotplug_t)
 	sysnet_domtrans_ifconfig(hotplug_t)
+	sysnet_signal_ifconfig(hotplug_t)
 ')
 
 optional_policy(`
@@ -188,6 +189,10 @@
 ')
 
 optional_policy(`
+	unconfined_domain(bootloader_t)
+')
+
+optional_policy(`
 	updfstab_domtrans(hotplug_t)
 ')
 
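Review bot: `unconfined_domain(bootloader_t)` is placed in hotplug.te but acts on the bootloader module's domain, which hotplug has no visible `gen_require` for, so the rule is both in the wrong file and, as far as I can tell, references an undeclared type here; it belongs in bootloader.te with a comment explaining why the bootloader must be unconfined rather than given the specific access it lacks. Every other `optional_policy` block around this hunk is about hotplug_t.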
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/init.if	2008-06-12 23:37:59.000000000 -0400
@@ -211,6 +211,21 @@
 			kernel_dontaudit_use_fds($1)
 		')
 	')
+	tunable_policy(`allow_daemons_use_tty',`
+	   term_use_all_user_ttys($1)
+	   term_use_all_user_ptys($1)
+	', `
+	   term_dontaudit_use_all_user_ttys($1)
+	   term_dontaudit_use_all_user_ptys($1)
+	 ')
+
+	optional_policy(`
+		tunable_policy(`allow_daemons_use_tty',`
+		   unconfined_use_terminals($1)
+		', `
+		   unconfined_dontaudit_use_terminals($1)
+		')
+	')
 ')
 
 ########################################
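Review bot: The new `tunable_policy(`allow_daemons_use_tty', ...)` blocks indent their bodies with three spaces and leave a stray space before the closing `')` of the first block, whereas the rest of the interface uses tabs; re-indent with tabs. The boolean needs a `gen_tunable(allow_daemons_use_tty, false)` with a description in init.te, which is not in this diff. The enclosing interface starts before this hunk.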
@@ -540,18 +555,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
+	spec_domtrans_pattern($1,initscript,initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 initscript:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 initscript:process s0 - mls_systemhigh;
 	')
 ')
 
@@ -567,18 +583,46 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	domtrans_pattern($1,initrc_exec_t,initrc_t)
+	domtrans_pattern($1,initscript,initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 initscript:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 initscript:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute init a specific script with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_script_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	files_list_etc($1)
+	domtrans_pattern($1,$2,initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 $2:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 $2:process s0 - mls_systemhigh;
 	')
 ')
 
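Review bot: `init_script_domtrans_spec` takes a second argument (`$2` is used as the entry point type in `domtrans_pattern` and the `range_transition` rules), but the XML documentation only declares the `domain` parameter, so the interface documentation will be generated incomplete. Add a second `<param name="entrypoint">` block describing it as the type of the script file that triggers the transition into initrc_t. The summary `Execute init a specific script with an automatic domain transition.` is also garbled; I would write `Execute a specific init script type with an automatic domain transition to initrc_t.`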
@@ -609,11 +653,11 @@
 # cjp: added for gentoo integrated run_init
 interface(`init_script_file_domtrans',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	domain_auto_trans($1,initrc_exec_t,$2)
+	domain_auto_trans($1,initscript,$2)
 ')
 
 ########################################
@@ -684,11 +728,11 @@
 #
 interface(`init_getattr_script_files',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	allow $1 initrc_exec_t:file getattr;
+	allow $1 initscript:file getattr;
 ')
 
 ########################################
@@ -703,11 +747,11 @@
 #
 interface(`init_exec_script_files',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	can_exec($1,initrc_exec_t)
+	can_exec($1,initscript)
 ')
 
 ########################################
@@ -931,6 +975,7 @@
 
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
+
 ########################################
 ## <summary>
 ##	Send messages to init scripts over dbus.
@@ -1030,11 +1075,11 @@
 #
 interface(`init_read_script_files',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_search_etc($1)
-	allow $1 initrc_exec_t:file read_file_perms;
+	allow $1 initscript:file read_file_perms;
 ')
 
 ########################################
@@ -1252,7 +1297,7 @@
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -1273,3 +1318,83 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_init_state',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:dir search_dir_perms;
+	allow $1 init_t:file r_file_perms;
+	allow $1 init_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Ptrace init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace_init_domain',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for initscripts
+##	in a filesystem.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`init_script_type',`
+	gen_require(`
+		type initrc_t;
+		attribute initscript;
+	')
+
+	typeattribute $1 initscript;
+	domain_entry_file(initrc_t,$1)
+
+')
+
+########################################
+## <summary>
+##	Execute a file in a bin directory
+##	in the initrc_t domain 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	corecmd_bin_domtrans($1, initrc_t)
+')
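Review bot: `init_read_init_state` and `init_ptrace_init_domain` declare `attribute init_t;` in their `gen_require`, but init.te in this same patch treats init_t as a type (the `# init_t is the domain of the init process` comment and the `allow init_t self:capability ...` rule); if it is declared with `type init_t`, a require of the same name as an attribute will presumably fail when the module is linked. Both should read `type init_t;`. Separately, `init_ptrace_init_domain` grants ptrace on PID 1 and is tagged `<rolecap/>`; its summary should state the consequence, e.g. `Ptrace init; grants full control of the init process and should only be given to administrative roles.`, and `init_script_type` has a stray blank line before its closing `')`.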
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/init.te	2008-06-12 23:37:59.000000000 -0400
@@ -10,6 +10,20 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow all daemons the ability to use unallocated ttys
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core,false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
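Review bot: The description of `allow_daemons_use_tty` says "use unallocated ttys", but the rules keyed on this tunable later in this patch also grant `term_use_all_user_ttys`, `term_use_all_user_ptys` and `unconfined_use_terminals`, i.e. daemons can read and write users' terminals, not only unallocated ones. Since this text is what administrators see in the booleans listing, it should reflect the real scope, e.g. `Allow all daemons to read and write unallocated, generic and all user ttys and ptys`. The `allow_daemons_dump_core` text "write corefiles to /" is fine as far as this hunk shows.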
@@ -19,6 +33,8 @@
 # Mark process types as daemons
 attribute daemon;
 
+attribute initscript;
+
 #
 # init_t is the domain of the init process.
 #
@@ -45,7 +61,7 @@
 mls_trusted_object(initctl_t)
 
 type initrc_t;
-type initrc_exec_t;
+type initrc_exec_t, initscript;
 domain_type(initrc_t)
 domain_entry_file(initrc_t,initrc_exec_t)
 role system_r types initrc_t;
@@ -73,7 +89,7 @@
 #
 
 # Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
 # is ~sys_module really needed? observed: 
 # sys_boot
 # sys_tty_config
@@ -171,13 +187,14 @@
 	nscd_socket_use(init_t)
 ')
 
-optional_policy(`
-	unconfined_domain(init_t)
-')
-
-# Run the shell in the sysadm_t domain for single-user mode.
-optional_policy(`
+# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
+ifdef(`enable_mls',`
 	userdom_shell_domtrans_sysadm(init_t)
+',`
+	optional_policy(`
+		unconfined_shell_domtrans(init_t)
+		unconfined_domain(init_t)
+	')
 ')
 
 ########################################
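Review bot: The single-user-mode selection is keyed on `enable_mls` rather than on whether the policy is targeted, so a non-MLS strict or MCS build also gets `unconfined_shell_domtrans(init_t)` and `unconfined_domain(init_t)` whenever the unconfined module is present, which removes confinement of PID 1 in configurations that otherwise confine it. The non-MLS branch is presumably meant for the targeted policy; if so, a comment should say so and the condition should be reconsidered. Also note `userdom_shell_domtrans_sysadm(init_t)` moved out of `optional_policy(`' in the MLS branch, which makes the MLS build hard-depend on the userdomain module being linked — probably fine for a base module, but worth confirming.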
@@ -186,7 +203,7 @@
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 
@@ -196,15 +213,13 @@
 allow initrc_t self:tcp_socket create_stream_socket_perms;
 allow initrc_t self:udp_socket create_socket_perms;
 allow initrc_t self:fifo_file rw_file_perms;
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
 term_create_pty(initrc_t,initrc_devpts_t)
 
-# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
 
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t,initscript)
 
 manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
 manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
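Review bot: The removal of `allow initrc_t self:netlink_route_socket r_netlink_socket_perms;` appears to rely on `auth_use_nsswitch(initrc_t)`, which is added in a later hunk of this patch; if that interface does not grant the route-socket permissions, init scripts that resolve names or inspect interfaces will start failing with no hint here. A comment on the `init_telinit(initrc_t)` line would also help, since the old `# Going to single user mode` explanation was dropped along with `init_exec`, e.g. `# telinit from init scripts (single-user mode, runlevel changes)`. The two changes are otherwise independent and should stand on their own.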
@@ -233,6 +248,8 @@
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 
+auth_use_nsswitch(initrc_t)
+
 files_read_kernel_symbol_table(initrc_t)
 
 corenet_all_recvfrom_unlabeled(initrc_t)
@@ -283,7 +300,6 @@
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
-mls_fd_share_all_levels(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -365,8 +381,6 @@
 
 seutil_read_config(initrc_t)
 
-sysnet_read_config(initrc_t)
-
 userdom_read_all_users_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -496,6 +510,52 @@
 	')
 ')
 
+# Cron jobs used to start and stop services
+optional_policy(`
+	cron_rw_pipes(daemon)
+')
+
+optional_policy(`
+	rhgb_use_ptys(daemon)
+')
+
+domain_dontaudit_use_interactive_fds(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_user_ttys(daemon)
+	term_use_all_user_ptys(daemon)
+', `
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_user_ttys(daemon)
+	term_dontaudit_use_all_user_ptys(daemon)
+ ')
+ 
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+	files_dump_core(daemon)
+')
+
+tunable_policy(`allow_daemons_use_tty',`
+	term_use_all_user_ttys(daemon)
+	term_use_all_user_ptys(daemon)
+', `
+	term_dontaudit_use_all_user_ttys(daemon)
+	term_dontaudit_use_all_user_ptys(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+
+	tunable_policy(`allow_daemons_use_tty',`
+		unconfined_use_terminals(daemon)
+ 	', `
+		unconfined_dontaudit_use_terminals(daemon)
+ 	')
+')
+ 
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
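Review bot: The second `tunable_policy(`allow_daemons_use_tty', ...)` block (the one after `allow_daemons_dump_core`) is a strict subset of the first: `term_use_all_user_ttys(daemon)`, `term_use_all_user_ptys(daemon)` and their dontaudit counterparts are already granted in the earlier block, so the second should be deleted. The comment `# system-config-services causes avc messages that should be dontaudited` sits above the `allow_daemons_dump_core` block, which grants `files_dump_core(daemon)` rather than dontauditing anything, so it is attached to the wrong rule. Several lines in this region also carry trailing whitespace (` ')`, ` `).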
@@ -632,12 +692,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-# cjp: require doesnt work in the else of optionals :\
-# this also would result in a type transition
-# conflict if sendmail is enabled
-#optional_policy(`',`
-#	mta_send_mail(initrc_t)
-#')
 
 optional_policy(`
 	ifdef(`distro_redhat',`
@@ -649,15 +703,10 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(initrc_t)
 	nis_list_var_yp(initrc_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(initrc_t)
-')
-
-optional_policy(`
 	openvpn_read_config(initrc_t)
 ')
 
@@ -703,6 +752,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
+	# Allow SELinux aware applications to request rpm_script_t execution
+	rpm_transition_script(initrc_t)
+
 ')
 
 optional_policy(`
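Review bot: `rpm_transition_script(initrc_t)` lets any process in initrc_t request execution in rpm_script_t, which is a highly privileged domain, and the comment `# Allow SELinux aware applications to request rpm_script_t execution` does not say which init script needs it. Given that the line sits next to `# why is this needed:` for `rpm_manage_db`, I would name the caller, e.g. `# <script name> calls setexeccon(rpm_script_t) before running rpm scriptlets`, so the grant can be revisited. There is also a stray blank line before the closing `')`.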
@@ -715,9 +767,11 @@
 	squid_manage_logs(initrc_t)
 ')
 
-optional_policy(`
-	# allow init scripts to su
-	su_restricted_domain_template(initrc,initrc_t,system_r)
+ifndef(`targeted_policy',`
+	optional_policy(`
+		# allow init scripts to su
+		su_restricted_domain_template(initrc,initrc_t,system_r)
+	')
 ')
 
 optional_policy(`
@@ -738,6 +792,7 @@
 
 optional_policy(`
 	unconfined_domain(initrc_t)
+	unconfined_domain(init_t)
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
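Review bot: Adding `unconfined_domain(init_t)` inside this unconditional `optional_policy(`' makes init_t unconfined in every build where the unconfined module is loaded, including MLS, which defeats the `ifdef(`enable_mls',` split earlier in this patch that deliberately keeps init confined on MLS (and only calls `unconfined_domain(init_t)` in the non-MLS branch). Either this line is redundant with the non-MLS branch and should be dropped, or it is intended for MLS too and the earlier branch should say so. I would remove it here and keep the single, conditional grant.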
@@ -749,6 +804,12 @@
 	')
 ')
 
+userdom_dontaudit_search_sysadm_home_dirs(daemon)
+
+optional_policy(`
+	rpm_dontaudit_rw_pipes(daemon)
+')
+
 optional_policy(`
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.0.8/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/ipsec.fc	2008-06-12 23:37:59.000000000 -0400
@@ -32,3 +32,4 @@
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/racoon.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2008-06-12 23:37:59.000000000 -0400
@@ -55,11 +55,11 @@
 
 allow ipsec_t self:capability { net_admin dac_override dac_read_search };
 dontaudit ipsec_t self:capability sys_tty_config;
-allow ipsec_t self:process signal;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+allow ipsec_t self:process { signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:key_socket { create write read setopt };
 allow ipsec_t self:fifo_file { read getattr };
+allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
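Review bot: Dropping `allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;` presumably relies on `auth_use_nsswitch(ipsec_t)`, which is only added in a later hunk of this patch; if that interface does not cover route-socket access, pluto's interface discovery will be denied. The new `netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }` is the right shape for a daemon that installs SAs/SPs, but a short comment would help, e.g. `# install/flush SAs and policies via XFRM netlink`. Consider adding `nlmsg_read` only if a denial shows it is needed rather than pre-emptively.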
@@ -69,7 +69,7 @@
 read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
+manage_files_pattern(ipsec_t,ipsec_var_run_t, ipsec_var_run_t)
 allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
 
@@ -84,6 +84,8 @@
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
+auth_use_nsswitch(ipsec_t)
+
 kernel_read_kernel_sysctls(ipsec_t)
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
@@ -104,6 +106,11 @@
 corenet_tcp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
+
+corenet_udp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_ipsecnat_port(ipsec_t)
+
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
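Review bot: `corenet_udp_bind_ipsecnat_port(ipsec_t)` is added without a matching `corenet_sendrecv_ipsecnat_server_packets(ipsec_t)`, whereas the ISAKMP port has both `corenet_tcp_bind_isakmp_port` and `corenet_sendrecv_isakmp_server_packets` right below. If packet labelling (secmark) is in use, the NAT-T port will bind but its packets will be denied. I would add `corenet_sendrecv_ipsecnat_server_packets(ipsec_t)` next to the isakmp one, assuming the corenetwork module defines that packet type for the port.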
@@ -134,16 +141,10 @@
 
 miscfiles_read_localization(ipsec_t)
 
-sysnet_read_config(ipsec_t)
-
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
 
 optional_policy(`
-	nis_use_ypbind(ipsec_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(ipsec_t)
 ')
 
@@ -170,6 +171,8 @@
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
 
+logging_send_syslog_msg(ipsec_mgmt_t)
+
 manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 
@@ -225,6 +228,7 @@
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 corecmd_exec_bin(ipsec_mgmt_t)
+corecmd_exec_shell(ipsec_mgmt_t)
 
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
@@ -278,11 +282,11 @@
 #
 
 allow racoon_t self:capability { net_admin net_bind_service };
-allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
 allow racoon_t self:unix_dgram_socket { connect create ioctl write };
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket { create read setopt write };
+logging_send_audit_msgs(racoon_t)
 
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
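Review bot: `logging_send_audit_msgs(racoon_t)` is inserted in the middle of the `allow racoon_t self:...` block; refpolicy convention keeps a domain's self rules together and places module interface calls afterwards in module order (it would sit near the `logging_*`/`miscfiles_*` calls further down). Also, as with the ipsec_t hunk, the removed `netlink_route_socket` rule is presumably replaced by `auth_use_nsswitch(racoon_t)` in the next hunk — confirm that interface grants the route-socket access racoon uses for interface enumeration. I would move the logging call down and add `# audit records for IKE negotiations` above it.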
@@ -299,11 +303,16 @@
 
 allow racoon_t ipsec_spd_t:association setcontext;
 
+auth_use_nsswitch(racoon_t)
+
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
+corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
+corenet_udp_bind_ipsecnat_port(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
 
 dev_read_urand(racoon_t)
 
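Review bot: racoon_t gets `corenet_udp_sendrecv_all_if` but no corresponding node or port sendrecv calls, and the new `corenet_udp_bind_ipsecnat_port` again has no `corenet_sendrecv_ipsecnat_server_packets(racoon_t)`; the existing isakmp rules here also lack the packet-level grant that ipsec_t has. If labelled networking is enabled these are partial grants that will still produce denials. For consistency with ipsec_t in this same file, I would add the `ipsecnat` server packet rule and check whether the `all_if` grant needs matching `all_nodes`/port sendrecv rules or is already covered above the hunk.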
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.8/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/iptables.te	2008-06-12 23:37:59.000000000 -0400
@@ -64,13 +64,14 @@
 init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
 init_rw_script_tmp_files(iptables_t)
+init_rw_script_stream_sockets(iptables_t)
 
 libs_use_ld_so(iptables_t)
 libs_use_shared_libs(iptables_t)
 
 logging_send_syslog_msg(iptables_t)
-# system-config-network appends to /var/log
-#logging_append_system_logs(iptables_t)
+# system-config-network appends to /var/lo
+logging_append_all_logs(iptables_t)
 
 miscfiles_read_localization(iptables_t)
 
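Review bot: `logging_append_all_logs(iptables_t)` is much broader than the `logging_append_system_logs` that was previously commented out: it grants append on every type carrying the logfile attribute, which (if auditd_log_t carries that attribute, as refpolicy's logging_log_file normally arranges) includes the audit trail, so a compromised iptables run by system-config-network could pollute it. If the need is a specific log file, use the narrower interface; otherwise document the justification. The comment was also truncated in the edit: `# system-config-network appends to /var/lo` should read `# system-config-network appends to /var/log`.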
@@ -102,6 +103,10 @@
 ')
 
 optional_policy(`
+	rhgb_dontaudit_use_ptys(iptables_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(iptables_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.0.8/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/iscsi.te	2008-06-12 23:37:59.000000000 -0400
@@ -29,7 +29,7 @@
 #
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process setsched;
+allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
@@ -61,6 +61,7 @@
 corenet_tcp_sendrecv_all_ports(iscsid_t)
 corenet_tcp_connect_http_port(iscsid_t)
 corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
 
 dev_rw_sysfs(iscsid_t)
 
@@ -68,6 +69,8 @@
 
 files_read_etc_files(iscsid_t)
 
+kernel_read_system_state(iscsid_t)
+
 libs_use_ld_so(iscsid_t)
 libs_use_shared_libs(iscsid_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2008-06-12 23:37:59.000000000 -0400
@@ -65,11 +65,15 @@
 /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
 /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
+/opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
+/opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/cxoffice/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/firefox-[^/]/plugins/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/mozilla/plugins/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_gentoo',`
 # despite the extensions, they are actually libs
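Review bot: Two of the new patterns look wrong as regular expressions. `/opt/Adobe(/.*?)/nppdf\.so` uses `.*?`, which is not a non-greedy quantifier in the POSIX extended syntax file contexts are compiled with (two adjacent repetition operators is undefined), and the group is not optional as in every neighbouring `(/.*)?` entry; it should be `/opt/Adobe(/.*)?/nppdf\.so`. `/usr/lib/firefox-[^/]/plugins/nppdf\.so` only matches a single-character version suffix, so a directory such as `firefox-3.0` never matches; use `firefox-[^/]*/plugins`. Both lines also have trailing spaces before the `--`.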
@@ -95,8 +99,8 @@
 #
 # /usr
 #
-/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?java/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
@@ -111,7 +115,10 @@
 
 /usr/lib/vlc/codec/libdmo_plugin.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/librealaudio_plugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/virtualbox/components/.*\.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/VBox[^/]*\.so 			   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
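Review bot: The new VirtualBox entries are hard-coded to `/usr/lib/`, while the adjacent `codecs`, `nvidia` and `libsipphoneapi` entries use `lib(64)?`; on a 64-bit install these libraries would keep the default lib_t label and execmod would still be denied. I would write `/usr/lib(64)?/virtualbox/components/.*\.so` and `/usr/lib(64)?/VBox[^/]*\.so` for consistency. `/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)*` is fine as written.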
@@ -135,6 +142,8 @@
 /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -142,6 +151,8 @@
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@@ -223,8 +234,10 @@
 /usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Flash plugin, Macromedia
+HOME_DIR/\.gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
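Review bot: `HOME_DIR/\.gstreamer-.*/[^/]*\.so.*` labels any shared object a user drops into `~/.gstreamer-*` as textrel_shlib_t, i.e. it grants execmod on user-writable files, which is the relaxation the textrel type exists to limit to known vendor libraries. The existing flash and nprhapengine HOME_DIR entries set a precedent, but each one widens the set of user-controlled code that can bypass the text-relocation restriction. If a specific plugin needs it, match its file name (as the other HOME_DIR entries do) rather than `[^/]*\.so.*`, and add a comment naming the plugin.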
@@ -236,6 +249,8 @@
 /usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/libdvdcss\.so.*  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware 
@@ -284,3 +299,18 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+/usr/lib/mozilla/plugins/libvlcplugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/mozilla/plugins/libvlcplugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
+/usr/lib/libFLAC\.so.* 	  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/maxima/[^/]+/binary-gcl/maxima  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libswscale\.so.*				 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/libswscale\.so.*				 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmythavcodec-[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program(/.*)?\.so		gen_context(system_u:object_r:lib_t,s0)
+/usr/lib64/.*/program(/.*)?\.so		gen_context(system_u:object_r:lib_t,s0)
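Review bot: `/usr/lib/mozilla/plugins/libvlcplugin.so` and its lib64 twin use an unescaped `.` before `so` (every other entry writes `\.so`), and `/usr/lib/libFLAC\.so.*` has no `(64)?` variant; the pairs written as `/usr/lib/...` and `/usr/lib64/...` should collapse to `/usr/lib(64)?/...` as the rest of the file does. These lines are also appended after the `/var/spool/postfix` section instead of being placed in the `/usr` and `/var` groups, which makes the file harder to audit. `/var/cache/ldconfig(/.*)?` depends on `ldconfig_cache_t`, which this patch declares in libraries.te, so that part is consistent.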
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2008-06-12 23:37:59.000000000 -0400
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
@@ -44,9 +47,11 @@
 # ldconfig local policy
 #
 
-allow ldconfig_t self:capability sys_chroot;
+allow ldconfig_t self:capability { dac_override sys_chroot };
+
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
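Review bot: `dac_override` is added to ldconfig_t's capability set with no comment; it lets ldconfig bypass DAC on every file it touches, so the denial that motivated it should be recorded, e.g. `# dac_override: ldconfig scans library directories not readable by root's DAC (e.g. under a user's home)`, or whatever the observed case was. `manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)` has no accompanying filetrans for `/var/cache/ldconfig`, so files created there by ldconfig presumably inherit the parent label unless the directory is pre-labelled; confirm whether a `files_var_filetrans` (or cache-dir equivalent) is needed.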
@@ -60,8 +65,11 @@
 
 fs_getattr_xattr_fs(ldconfig_t)
 
+corecmd_search_bin(ldconfig_t)
+
 domain_use_interactive_fds(ldconfig_t)
 
+files_search_home(ldconfig_t)
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
 files_search_tmp(ldconfig_t)
@@ -79,6 +87,7 @@
 logging_send_syslog_msg(ldconfig_t)
 
 userdom_use_all_users_fds(ldconfig_t)
+userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
 
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
@@ -96,4 +105,13 @@
 	# and executes ldconfig on it.  If you dont allow this kernel installs 
 	# blow up.
 	rpm_manage_script_tmp_files(ldconfig_t)
+	# smart package manager needs the following for the same reason
+	rpm_rw_tmp_files(ldconfig_t)
 ')
+
+optional_policy(`
+	# run mkinitrd as unconfined user
+	unconfined_manage_tmp_files(ldconfig_t)
+	unconfined_domain(ldconfig_t) 
+')
+
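Review bot: `unconfined_domain(ldconfig_t)` turns the confined ldconfig domain into an unconfined one whenever the unconfined module is loaded, which makes every `ldconfig_cache_t`, `ld_so_cache_t` and tmp rule above it irrelevant in those builds and gives a program that rewrites /etc/ld.so.cache the full unconfined permission set. The comment `# run mkinitrd as unconfined user` suggests the actual need is only `unconfined_manage_tmp_files(ldconfig_t)`, which is already granted on the previous line. I would drop the `unconfined_domain` call (and the trailing whitespace on that line and the extra blank line at end of file).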
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.8/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/locallogin.te	2008-06-12 23:37:59.000000000 -0400
@@ -97,6 +97,12 @@
 term_setattr_all_user_ttys(local_login_t)
 term_setattr_unallocated_ttys(local_login_t)
 
+tunable_policy(`allow_console_login', `
+     term_relabel_console(local_login_t)
+     term_setattr_console(local_login_t)
+')
+
+auth_use_nsswitch(local_login_t)
 auth_rw_login_records(local_login_t)
 auth_rw_faillog(local_login_t)
 auth_manage_pam_console_data(local_login_t)
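Review bot: The new `tunable_policy(`allow_console_login', ...)` references a tunable that is not declared in the visible part of locallogin.te; if there is no matching `gen_tunable(allow_console_login, ...)` with a `<desc>` elsewhere in the module, the build will fail and administrators will have no description of what the boolean does. The block is also indented with five spaces instead of the file's tabs. I would add the declaration next to the other tunables and write the body as `	term_relabel_console(local_login_t)` / `	term_setattr_console(local_login_t)`.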
@@ -130,6 +136,7 @@
 
 miscfiles_read_localization(local_login_t)
 
+userdom_read_all_users_home_dirs_symlinks(local_login_t)
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
 userdom_search_all_users_home_content(local_login_t)
@@ -160,6 +167,15 @@
 ')
 
 optional_policy(`
+	consolekit_dbus_chat(local_login_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client_template(local_login,local_login_t)
+	dbus_send_system_bus(local_login_t)
+')
+
+optional_policy(`
 	gpm_getattr_gpmctl(local_login_t)
 	gpm_setattr_gpmctl(local_login_t)
 ')
@@ -178,13 +194,18 @@
 ')
 
 optional_policy(`
-	unconfined_domain(local_login_t)
+	unconfined_shell_domtrans(local_login_t)
 ')
 
 optional_policy(`
 	usermanage_read_crack_db(local_login_t)
 ')
 
+optional_policy(`
+	xserver_read_xdm_tmp_files(local_login_t)
+	xserver_rw_xdm_tmp_files(local_login_t)
+')
+
 #################################
 # 
 # Sulogin local policy
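Review bot: `xserver_read_xdm_tmp_files(local_login_t)` is redundant if `xserver_rw_xdm_tmp_files(local_login_t)` grants read as its name suggests; keep only the rw call so the intended access is stated once. Replacing `unconfined_domain(local_login_t)` with `unconfined_shell_domtrans(local_login_t)` narrows login to a transition rather than an unconfined process, which is the safer shape; a one-line comment such as `# login itself stays confined; only the user shell becomes unconfined_t` would record why the old rule was dropped.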
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/logging.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,12 +1,17 @@
-
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 
+/etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 
+/sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
+/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
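Review bot: `/etc/rsyslog.conf` and `/etc/syslog.conf` leave the `.` unescaped and carry no `--` file-type qualifier, unlike the `\.` used on every other file entry in this file (e.g. `/etc/rc\.d/init\.d/rsyslog` later in the same patch); as written they also match names like `/etc/syslogXconf`. Use `/etc/rsyslog\.conf	--	gen_context(system_u:object_r:syslog_conf_t,s0)` and the same for syslog.conf. The `syslog_conf_t`, `audisp_exec_t` and `audisp_remote_exec_t` types must be declared in logging.te, which is outside this hunk — confirm.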
@@ -26,12 +31,22 @@
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
+/var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+/var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 ')
 
+ifdef(`distro_redhat',`
+/var/named/chroot/var/log	-d	gen_context(system_u:object_r:var_log_t,s0)
+')
+
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
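Review bot: `/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)` combines a recursive pattern with the `--` regular-file qualifier, so the `/var/log/syslog-ng` directory itself keeps `var_log_t` while files inside it become `syslogd_var_run_t`; the label is also surprising for a path under /var/log. If the intent is to label syslog-ng's runtime state there, drop the `--` and add a comment naming the files; if these are real logs, `var_log_t` is the expected type. The MLS `mls_systemhigh` entries for messages/secure/cron/maillog/spooler look deliberate but deserve a one-line comment that they override the generic `/var/log/.*` s0 rule.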
@@ -43,3 +58,10 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+
+/etc/rc\.d/init\.d/rsyslog	--	gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
+
+
+/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
+/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
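Review bot: The `/etc/rc\.d/init\.d/rsyslog` and `auditd` entries depend on `syslogd_script_exec_t` and `auditd_script_exec_t` being declared (presumably via `init_script_type` from this patch) in logging.te, which is not visible here — confirm, or the file will fail to label. These lines are appended at the bottom instead of in the `/etc` section next to `/etc/audit(/.*)?`, and `/var/cfengine/outputs(/.*)?` belongs in a cfengine module rather than in logging.fc. The double blank line between the two groups should also go.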
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/logging.if	2008-06-12 23:37:59.000000000 -0400
@@ -34,6 +34,51 @@
 #
 interface(`logging_send_audit_msgs',`
 	allow $1 self:capability audit_write;
+	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+#######################################
+## <summary>
+##	dontaudit attempts to send audit messages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dontaudit_send_audit_msgs',`
+	dontaudit $1 self:capability audit_write;
+	dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+##	Set login uid
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+	allow $1 self:capability audit_control;
+	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+')
+
+########################################
+## <summary>
+##	Set up audit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_set_audit_parameters',`
+	allow $1 self:capability { audit_write audit_control };
 	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 ')
 
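Review bot: `logging_set_audit_parameters` grants `audit_control`, which allows a domain to change audit rules and disable auditing entirely, but its summary is just `Set up audit`; the documentation should state that so callers are limited to auditd/auditctl-style domains, e.g. `Configure the audit subsystem (set rules, enable/disable auditing). Grants CAP_AUDIT_CONTROL; restrict to audit management domains.` Likewise `logging_set_loginuid` grants the same capability for what is usually a single write of /proc/self/loginuid, which is worth a note. The narrowing of `logging_send_audit_msgs` to `r_netlink_socket_perms` plus `nlmsg_relay` looks intentional and is the right direction for pure senders.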
@@ -168,12 +213,7 @@
 ## </param>
 #
 interface(`logging_stream_connect_auditd',`
-	gen_require(`
-		type auditd_t, auditd_var_run_t;
-	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+	logging_stream_connect_audisp($1)
 ')
 
 ########################################
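Review bot: `logging_stream_connect_auditd` now delegates to `logging_stream_connect_audisp`, which as defined later in this patch also grants stream connect to `audisp_t` through `audisp_var_run_t`, so every existing caller of the auditd-only interface silently gains access to the audisp dispatcher socket. If that widening is intended, state it in this interface's `<summary>` (which starts above the hunk); otherwise keep the original two-line body and let only audisp-aware callers use the new interface.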
@@ -219,6 +259,25 @@
 
 ########################################
 ## <summary>
+##	Execute klogd in the klog domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_domtrans_klog',`
+	gen_require(`
+		type klogd_t, klogd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1,klogd_exec_t,klogd_t)
+')
+
+########################################
+## <summary>
 ##	Execute syslogd in the syslog domain.
 ## </summary>
 ## <param name="domain">
@@ -465,12 +524,11 @@
 interface(`logging_read_all_logs',`
 	gen_require(`
 		attribute logfile;
-		type var_log_t;
 	')
 
 	files_search_var($1)
-	allow $1 var_log_t:dir list_dir_perms;
-	read_files_pattern($1,var_log_t,logfile)
+	allow $1 logfile:dir list_dir_perms;
+	read_files_pattern($1, logfile, logfile)
 ')
 
 ########################################
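Review bot: Switching the directory grant from `var_log_t` to the `logfile` attribute lets callers of `logging_read_all_logs` search and read inside every log-typed directory rather than only `/var/log` itself; if `auditd_log_t` carries `logfile` (its declaration is not visible here), that now includes `/var/log/audit`, which the old `read_files_pattern($1,var_log_t,logfile)` could not reach because directory search was limited to `var_log_t`. That may well be what "all logs" should mean, but audit logs are usually handled separately, so a comment such as `# logfile covers auditd_log_t: callers can read the audit trail too` would keep this from being handed to low-privilege log readers by accident. The interface's summary starts above this hunk.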
@@ -514,6 +572,8 @@
 	files_search_var($1)
 	manage_files_pattern($1,logfile,logfile)
 	read_lnk_files_pattern($1,logfile,logfile)
+	allow $1 logfile:dir  { relabelfrom relabelto };
+	allow $1 logfile:file  { relabelfrom relabelto };
 ')
 
 ########################################
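Review bot: The new `relabelfrom`/`relabelto` on `logfile` dirs and files let the caller move any log between log types and, together with whatever other `relabelto` it holds, relabel a log out of the `logfile` attribute entirely; because this interface is pulled in by `logging_admin_syslog` later in the patch, a syslog administrator also gets relabel on `auditd_log_t`. The interface's summary starts above the hunk and should mention relabeling, not just management. Style-wise, the doubled spaces in `logfile:dir  {` and `logfile:file  {` should be single, and the `relabel_dirs_pattern`/`relabel_files_pattern($1, logfile, logfile)` macros (if present in this tree) are the idiom for these two lines.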
@@ -539,6 +599,26 @@
 
 ########################################
 ## <summary>
+##	Dontaudit Write generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dontaudit_write_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	files_search_var($1)
+	dontaudit $1 var_log_t:file write;
+')
+
+
+########################################
+## <summary>
 ##	Write generic log files.
 ## </summary>
 ## <param name="domain">
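Review bot: `logging_dontaudit_write_generic_logs` contains an `allow` rule: `files_search_var($1)` grants the caller search on `/var`, which a `dontaudit_` interface should never do, since callers reach for these precisely to silence noise without widening access. Drop that line so the body is only `dontaudit $1 var_log_t:file write;`. There is also a doubled blank line after the closing `')`; one blank line is the file's convention.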
@@ -597,3 +677,273 @@
 	files_search_var($1)
 	manage_files_pattern($1,var_log_t,var_log_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	the audit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the audit domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin_audit',`
+	gen_require(`
+		type auditd_t, auditd_etc_t, auditd_log_t;
+		type auditd_script_exec_t;
+		type auditd_var_run_t;
+	')
+
+	allow $1 auditd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, auditd_t)
+
+	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
+	manage_files_pattern($1, auditd_log_t, auditd_log_t)
+
+	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
+	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+	logging_run_auditctl($1, $2, $3)
+
+	# Allow $1 to restart the audit service
+	logging_audit_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 auditd_script_exec_t system_r;
+	allow $2 system_r;
+
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	the syslog environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin_syslog',`
+	gen_require(`
+		type syslogd_t, klogd_t, syslog_conf_t;
+		type syslogd_tmp_t, syslogd_var_lib_t;
+		type syslogd_var_run_t, klogd_var_run_t;
+		type klogd_tmp_t, var_log_t;
+		type syslogd_script_exec_t;
+	')
+
+	allow $1 syslogd_t:process { ptrace signal_perms };
+	allow $1 klogd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, syslogd_t)
+	ps_process_pattern($1, klogd_t)
+
+	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+
+	manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
+	manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
+
+	manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
+	manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
+
+	manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
+	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
+	files_etc_filetrans($1, syslog_conf_t, file)
+
+	manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
+	manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
+
+	manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+
+	logging_manage_all_logs($1)
+
+	# Allow $1 to restart the syslog service
+	logging_syslog_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 syslogd_script_exec_t system_r;
+	allow $2 system_r;
+
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	the logging environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_admin',`
+	logging_admin_audit($1, $2, $3)
+	logging_admin_syslog($1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Execute syslog server in the syslogd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`logging_syslog_script_domtrans',`
+	gen_require(`
+		type syslogd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,syslogd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute audit server in the auditd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`logging_audit_script_domtrans',`
+	gen_require(`
+		type auditd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_audisp',`
+	gen_require(`
+		type audisp_t;
+                type audisp_exec_t;
+	')
+
+	domtrans_pattern($1,audisp_exec_t,audisp_t)
+')
+
+########################################
+## <summary>
+##	Signal the audisp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_audisp_signal',`
+	gen_require(`
+		type audisp_t;
+	')
+
+	allow $1 audisp_t:process signal;
+')
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by the system audisp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`logging_audisp_system_domain',`
+	gen_require(`
+		type audisp_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1,$2)
+
+	role system_r types $1;
+
+	domtrans_pattern(audisp_t,$2,$1)
+
+	allow audisp_t $2:file getattr;
+	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Connect to auditdstored over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_stream_connect_audisp',`
+	gen_require(`
+		type audisp_t, audisp_var_run_t;
+		type auditd_t, auditd_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
+	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/logging.te	2008-06-12 23:37:59.000000000 -0400
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.7.3)
+policy_module(logging,1.9.0)
 
 ########################################
 #
@@ -41,6 +41,9 @@
 type klogd_var_run_t;
 files_pid_file(klogd_var_run_t)
 
+type syslog_conf_t;
+files_type(syslog_conf_t)
+
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t,syslogd_exec_t)
@@ -48,6 +51,9 @@
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
 
+type syslogd_var_lib_t;
+files_type(syslogd_var_lib_t)
+
 type syslogd_var_run_t;
 files_pid_file(syslogd_var_run_t)
 
@@ -55,23 +61,42 @@
 logging_log_file(var_log_t)
 files_mountpoint(var_log_t)
 
+type auditd_script_exec_t;
+init_script_type(auditd_script_exec_t)
+
+type syslogd_script_exec_t;
+init_script_type(syslogd_script_exec_t)
+
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
 ')
 
+type audisp_t;
+type audisp_exec_t;
+init_system_domain(audisp_t, audisp_exec_t)
+
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
+type audisp_remote_t;
+type audisp_remote_exec_t;
+domain_type(audisp_remote_t)
+domain_entry_file(audisp_remote_t, audisp_remote_exec_t)
+
 ########################################
 #
-# Auditd local policy
+# Auditctl local policy
 #
 
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
+files_getattr_all_files(auditctl_t)
 files_read_etc_files(auditctl_t)
 
 kernel_read_kernel_sysctls(auditctl_t)
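Review bot: `dac_override` is strictly broader than, and makes redundant, the `dac_read_search` granted on the same line for `auditctl_t`; the "Needed for adding watches" comment and the new `files_getattr_all_files` suggest auditctl only needs to stat watch targets, which `dac_read_search` alone covers, whereas `dac_override` also bypasses write checks. Suggest `allow auditctl_t self:capability { fsetid dac_read_search };` unless a write path is known, in which case note it. It would also help to comment that the `audit_write audit_control` capabilities removed here return via `logging_set_audit_parameters(auditctl_t)` in a later hunk, since this hunk alone reads as if the audit caps were dropped.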
@@ -91,6 +116,7 @@
 
 locallogin_dontaudit_use_fds(auditctl_t)
 
+logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
 
 ########################################
@@ -98,16 +124,15 @@
 # Auditd local policy
 #
 
-allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
+allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setpgid setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 allow auditd_t self:fifo_file rw_file_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file r_file_perms;
+allow auditd_t auditd_etc_t:file read_file_perms;
 
 manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
 manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
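Review bot: `nlmsg_readpriv` on `netlink_audit_socket` disappears for `auditd_t` in this hunk, and the replacement `logging_set_audit_parameters(auditd_t)` added further down grants only `create_netlink_socket_perms nlmsg_relay`, while `auditctl_t` keeps `nlmsg_readpriv`; if auditd never lists rules this is a correct tightening, but it should be called out because it reads as an accidental loss. The newly added `chown` capability has no explanation; a hedged note such as `# chown: presumably for log_group in auditd.conf -- confirm` next to the `allow auditd_t self:capability` line would help.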
@@ -141,6 +166,7 @@
 
 init_telinit(auditd_t)
 
+logging_set_audit_parameters(auditd_t)
 logging_send_syslog_msg(auditd_t)
 
 libs_use_ld_so(auditd_t)
@@ -153,9 +179,21 @@
 
 seutil_dontaudit_read_config(auditd_t)
 
+sysnet_dns_name_resolve(auditd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(auditd_t)
+	')
+')
+
+optional_policy(`
+	mta_send_mail(auditd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
 ')
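Review bot: `unconfined_domain(auditd_t)` under `distro_ubuntu` strips all confinement from the daemon that owns the audit trail on Ubuntu builds, which defeats every rule above it and means a compromised auditd could tamper with anything on the system. If it is a stopgap for denials the Ubuntu rule set does not yet cover, say so with a comment such as `# TODO: Ubuntu auditd hits denials not yet covered above; remove once policy is complete` so it is not mistaken for a permanent design choice. The same pattern is applied to `klogd_t` and `syslogd_t` in later hunks.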
@@ -194,6 +232,7 @@
 
 fs_getattr_all_fs(klogd_t)
 fs_search_auto_mountpoints(klogd_t)
+fs_search_tmpfs(klogd_t)
 
 domain_use_interactive_fds(klogd_t)
 
@@ -212,6 +251,12 @@
 
 userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(klogd_t)
+	')
+')
+
 optional_policy(`
 	udev_read_db(klogd_t)
 ')
@@ -241,12 +286,16 @@
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
+allow syslogd_t syslog_conf_t:file read_file_perms;
+
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t,devlog_t,sock_file)
 
 # create/append log files.
 manage_files_pattern(syslogd_t,var_log_t,var_log_t)
+rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)
+
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
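Review bot: `allow syslogd_t syslog_conf_t:file read_file_perms;` grants no directory permissions on `syslog_conf_t`, yet `logging_admin_syslog` in this same patch manages `syslog_conf_t` directories, which implies some configuration directory (a conf.d-style tree) carries the type; syslogd would then be denied `search` on it and never reach the files inside. Use `read_files_pattern(syslogd_t, syslog_conf_t, syslog_conf_t)`, which adds the directory search. The `rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)` addition is reasonable but deserves a comment naming the configuration (named-pipe log targets, presumably) that needs it.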
@@ -255,6 +304,9 @@
 manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
 
+manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+files_search_var_lib(syslogd_t)
+
 allow syslogd_t syslogd_var_run_t:file manage_file_perms;
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 
@@ -300,6 +352,7 @@
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
 corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
 
 # syslog-ng can send or receive logs
 corenet_sendrecv_syslogd_client_packets(syslogd_t)
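Review bot: `corenet_tcp_connect_mysqld_port(syslogd_t)` is unconditional, so every syslogd on every system may open TCP connections to the MySQL port whether or not a database output plugin is configured; the surrounding block already documents why its ports are needed, and an outbound database connection from the log collector should sit behind a boolean (`gen_tunable` plus a `tunable_policy` block) or at minimum carry `# for rsyslog/syslog-ng database output plugins` so the grant is traceable.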
@@ -312,6 +365,8 @@
 domain_use_interactive_fds(syslogd_t)
 
 files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
+files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)
@@ -341,6 +396,12 @@
 	files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
 ')
 
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(syslogd_t)
+	')
+')
+
 optional_policy(`
 	inn_manage_log(syslogd_t)
 ')
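Review bot: `unconfined_domain(syslogd_t)` under `distro_ubuntu` makes the network-facing log collector (it binds and connects the syslog ports in the hunks above) unconfined on Ubuntu builds, so a flaw in a remote-log listener would yield an unconfined process instead of one limited to `var_log_t` and its sockets. If this is a temporary measure while the Ubuntu rule set catches up, add a comment saying so and noting which denials remain; a permanently unconfined syslogd should be a recorded decision, not an `ifdef`.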
@@ -365,3 +426,69 @@
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
+
+########################################
+#
+# audisp local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(audisp_t)
+
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t self:unix_dgram_socket create_socket_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+
+files_read_etc_files(audisp_t)
+
+libs_use_ld_so(audisp_t)
+libs_use_shared_libs(audisp_t)
+
+logging_send_syslog_msg(audisp_t)
+
+miscfiles_read_localization(audisp_t)
+
+corecmd_search_bin(audisp_t)
+
+sysnet_dns_name_resolve(audisp_t) 
+
+logging_domtrans_audisp(auditd_t)
+logging_audisp_signal(auditd_t)
+
+#gen_require(`
+#	type zos_remote_exec_t, zos_remote_t;
+#')
+
+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
+
+########################################
+#
+# audisp_remote local policy
+#
+
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
+
+allow audisp_remote_t self:tcp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
+corenet_all_recvfrom_netlabel(audisp_remote_t)
+corenet_tcp_sendrecv_all_if(audisp_remote_t)
+corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+corenet_tcp_connect_audit_port(audisp_remote_t)
+
+files_read_etc_files(audisp_remote_t)
+
+libs_use_ld_so(audisp_remote_t)
+libs_use_shared_libs(audisp_remote_t)
+
+logging_send_syslog_msg(audisp_remote_t)
+logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)
+
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
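Review bot: `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` applies the file permission macro to a socket class; this same hunk uses `rw_socket_perms` for the equivalent relationship in `logging_audisp_system_domain`, so the line should read `allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;` (and if the file macro carries a permission not defined on the socket class, the build fails outright). `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)` is invoked twice in the audisp_remote section; drop the second call. The commented-out `zos_remote` `gen_require` block is dead code and should be removed rather than shipped.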
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc	2008-06-12 23:37:59.000000000 -0400
@@ -15,6 +15,7 @@
 #
 /etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
 /etc/lvm/\.cache	--	gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/cache(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvm/archive(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvm/backup(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -96,3 +97,4 @@
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 /var/run/multipathd.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
+/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2008-06-12 23:37:59.000000000 -0400
@@ -44,9 +44,9 @@
 # Cluster LVM daemon local policy
 #
 
-allow clvmd_t self:capability { sys_admin mknod };
+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
 dontaudit clvmd_t self:capability sys_tty_config;
-allow clvmd_t self:process signal_perms;
+allow clvmd_t self:process { signal_perms  setsched };
 dontaudit clvmd_t self:process ptrace;
 allow clvmd_t self:socket create_socket_perms;
 allow clvmd_t self:fifo_file rw_fifo_file_perms;
@@ -54,11 +54,15 @@
 allow clvmd_t self:tcp_socket create_stream_socket_perms;
 allow clvmd_t self:udp_socket create_socket_perms;
 
+init_dontaudit_getattr_initctl(clvmd_t)
+
 manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t)
 files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
 
 read_files_pattern(clvmd_t,lvm_metadata_t,lvm_metadata_t)
 
+auth_use_nsswitch(clvmd_t)
+
 kernel_read_kernel_sysctls(clvmd_t)
 kernel_read_system_state(clvmd_t)
 kernel_list_proc(clvmd_t)
@@ -85,10 +89,15 @@
 corenet_sendrecv_generic_server_packets(clvmd_t)
 
 dev_read_sysfs(clvmd_t)
+dev_manage_generic_symlinks(clvmd_t)
+dev_relabel_generic_dev_dirs(clvmd_t)
+dev_manage_generic_blk_files(clvmd_t)
 dev_manage_generic_chr_files(clvmd_t)
 dev_rw_lvm_control(clvmd_t)
 dev_dontaudit_getattr_all_blk_files(clvmd_t)
 dev_dontaudit_getattr_all_chr_files(clvmd_t)
+dev_create_generic_dirs(clvmd_t)
+dev_delete_generic_dirs(clvmd_t)
 
 files_read_etc_files(clvmd_t)
 files_list_usr(clvmd_t)
@@ -99,9 +108,12 @@
 fs_dontaudit_read_removable_files(clvmd_t)
 
 storage_dontaudit_getattr_removable_dev(clvmd_t)
+storage_dev_filetrans_fixed_disk(clvmd_t)
+storage_manage_fixed_disk(clvmd_t)
 
 domain_use_interactive_fds(clvmd_t)
 
+storage_relabel_fixed_disk(clvmd_t)
 storage_raw_read_fixed_disk(clvmd_t)
 
 libs_use_ld_so(clvmd_t)
@@ -113,8 +125,9 @@
 
 seutil_dontaudit_search_config(clvmd_t)
 seutil_sigchld_newrole(clvmd_t)
-
-sysnet_read_config(clvmd_t)
+seutil_read_config(clvmd_t)
+seutil_read_file_contexts(clvmd_t)
+seutil_search_default_contexts(clvmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
 userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
@@ -131,12 +144,12 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(clvmd_t)
+	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
+	ricci_dontaudit_use_modcluster_fds(clvmd_t)
 ')
 
 optional_policy(`
-	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
-	ricci_dontaudit_use_modcluster_fds(clvmd_t)
+	unconfined_domain(clvmd_t)
 ')
 
 optional_policy(`
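Review bot: `unconfined_domain(clvmd_t)` is unconditional whenever the unconfined module is loaded, which makes every targeted rule added to `clvmd_t` in this patch (the `/dev` management and fixed-disk relabel grants) irrelevant on such builds and leaves a network-reachable cluster daemon with no confinement; the logging module in this same patch at least gates its equivalent calls behind `ifdef(`distro_ubuntu'`, so the two modules are inconsistent. Either gate it the same way or record in a comment why clvmd must be unconfined. This hunk also drops the `nis_use_ypbind(clvmd_t)` block; that appears to be covered by the `auth_use_nsswitch(clvmd_t)` added in an earlier hunk, but a reader of this hunk alone cannot tell.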
@@ -150,17 +163,19 @@
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
 # rawio needed for dmraid
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+# lvm needs net_admin for multipath
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
-allow lvm_t self:fifo_file rw_file_perms;
+allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
 
-allow lvm_t clvmd_t:unix_stream_socket connectto;
+allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
 
 manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
 manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
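Review bot: The explanatory comment `# lvm needs net_admin for multipath` is placed after the `allow lvm_t self:capability` line it describes, whereas the existing justifications (`# DAC overrides and mknod ...`, `# rawio needed for dmraid`) precede that line; move it up next to them so the reason for `net_admin` reads with the rest. Granting `net_admin` to a storage tool is a notable widening, so keeping that comment adjacent and precise matters more than usual.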
@@ -208,7 +223,6 @@
 selinux_compute_user_contexts(lvm_t)
 
 dev_create_generic_chr_files(lvm_t)
-dev_delete_generic_dirs(lvm_t)
 dev_read_rand(lvm_t)
 dev_read_urand(lvm_t)
 dev_rw_lvm_control(lvm_t)
@@ -228,6 +242,8 @@
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
+dev_delete_generic_dirs(lvm_t)
+dev_rw_generic_files(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
@@ -246,6 +262,7 @@
 storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
+mls_file_read_all_levels(lvm_t)
 
 term_getattr_all_user_ttys(lvm_t)
 term_list_ptys(lvm_t)
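Review bot: `mls_file_read_all_levels(lvm_t)` is an MLS override with no justification, and it is dropped between the `storage_` and `term_` calls rather than in its own alphabetically placed `mls_` group; on an MLS build it lets an `lvm_t` process at any level read files of every sensitivity. Add a comment naming the operation that needs it (which metadata or device files are labeled above the caller's level) and move the line to its own group. A domain that already holds `sys_admin`/`sys_rawio` plus a cross-level read grant is a high-value target, so the reason belongs in the file.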
@@ -254,10 +271,12 @@
 
 domain_use_interactive_fds(lvm_t)
 
+files_read_usr_files(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dirs(lvm_t)
+files_search_mnt(lvm_t)
 
 init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
@@ -275,6 +294,8 @@
 seutil_search_default_contexts(lvm_t)
 seutil_sigchld_newrole(lvm_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(lvm_t)
+
 ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_rw_isid_type_dirs(lvm_t)
@@ -293,5 +314,18 @@
 ')
 
 optional_policy(`
+	modutils_domtrans_insmod(lvm_t)
+')
+
+optional_policy(`
+	unconfined_domain(lvm_t)
+')
+
+optional_policy(`
 	udev_read_db(lvm_t)
 ')
+
+optional_policy(`
+	xen_append_log(lvm_t)
+	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
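Review bot: `unconfined_domain(lvm_t)` is unconditional and applies to a domain that already holds `dac_override sys_admin sys_rawio mknod` and, with `modutils_domtrans_insmod(lvm_t)` in this hunk, can also load kernel modules; on builds with the unconfined module this turns the LVM tools into an unconfined process. The logging module in this same patch gates its `unconfined_domain` calls behind `ifdef(`distro_ubuntu'`; either apply the same gate here or record why lvm must be globally unconfined.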
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.0.8/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.fc	2008-06-12 23:37:59.000000000 -0400
@@ -80,3 +80,6 @@
 /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
+
+/usr/games(/.*)?/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if	2008-06-12 23:37:59.000000000 -0400
@@ -57,6 +57,26 @@
 ## </param>
 ## <rolecap/>
 #
+interface(`miscfiles_dontaudit_write_fonts',`
+	gen_require(`
+		type fonts_t;
+	')
+
+	dontaudit $1 fonts_t:dir write;
+	dontaudit $1 fonts_t:file write;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete fonts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
 interface(`miscfiles_manage_fonts',`
 	gen_require(`
 		type fonts_t;
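Review bot: `miscfiles_dontaudit_write_fonts` is inserted directly beneath the existing doc comment for `miscfiles_manage_fonts`, so the dontaudit interface is now documented as "Create, read, write, and delete fonts" with a `<rolecap/>` tag, while `miscfiles_manage_fonts` receives the newly written comment; the generated interface documentation will be wrong for both. Move the new interface, with its own summary (e.g. `##	Do not audit attempts to write fonts.`) and without `<rolecap/>`, which is meaningless for a dontaudit rule, above the original doc block, which begins outside this hunk.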
@@ -253,6 +273,8 @@
 	files_search_usr($1)
 
 	allow $1 man_t:dir setattr;
+	# 309351
+	allow $1 man_t:dir list_dir_perms;
 	delete_dirs_pattern($1,man_t,man_t)
 	delete_files_pattern($1,man_t,man_t)
 	delete_lnk_files_pattern($1,man_t,man_t)
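Review bot: `# 309351` is an opaque bug number; the comment should say what the added `list_dir_perms` on `man_t` is for so a maintainer can judge whether it is still needed without looking the ticket up, e.g. `# listing man dirs is needed before their contents can be deleted (bug 309351)`, worded to match what the ticket actually reports. The enclosing interface starts above this hunk.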
@@ -467,3 +489,23 @@
 	manage_lnk_files_pattern($1,locale_t,locale_t)
 ')
 
+########################################
+## <summary>
+##	dontaudit_attempts to write locale files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_write_locale',`
+	gen_require(`
+		type locale_t;
+	')
+
+	dontaudit $1 locale_t:dir write;
+	dontaudit $1 locale_t:file write;
+')
+
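Review bot: The summary for `miscfiles_dontaudit_write_locale` reads `dontaudit_attempts to write locale files` (stray underscore), and the `<rolecap/>` tag does not belong on a dontaudit interface because it grants no role capability; write `##	Do not audit attempts to write locale files.` and drop the tag, matching the other dontaudit interfaces added in this patch. The trailing blank line appended at end of file is also unnecessary.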
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.0.8/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/modutils.if	2008-06-12 23:37:59.000000000 -0400
@@ -66,6 +66,25 @@
 
 ########################################
 ## <summary>
+##	Unlink a file with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_unlink_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	allow $1 modules_conf_t:file unlink;
+')
+
+########################################
+## <summary>
 ##	Unconditionally execute insmod in the insmod domain.
 ## </summary>
 ## <param name="domain">
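Review bot: `modutils_unlink_module_config` grants only `modules_conf_t:file unlink`, but unlinking also requires `remove_name` on the directory holding the file, which most callers will not have for `/etc`; either document in the summary that the caller must separately hold write access to the parent directory (via the appropriate `files_` interface), or extend the interface so it is self-sufficient. Refpolicy names such interfaces `delete_`, so `modutils_delete_module_config` would also be more discoverable than `unlink`.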
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2008-06-12 23:37:59.000000000 -0400
@@ -42,7 +42,7 @@
 # insmod local policy
 #
 
-allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
 allow insmod_t self:udp_socket create_socket_perms; 
@@ -54,6 +54,7 @@
 can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
+kernel_search_network_state(insmod_t)
 kernel_read_system_state(insmod_t)
 kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
@@ -63,6 +64,7 @@
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
+kernel_setsched(insmod_t)
 
 files_read_kernel_modules(insmod_t)
 # for locking: (cjp: ????)
@@ -76,9 +78,7 @@
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
-# cjp: why is this needed?  insmod cannot mounton any dir
-# and it also transitions to mount
-dev_mount_usbfs(insmod_t)
+dev_create_generic_chr_files(insmod_t)
 
 fs_getattr_xattr_fs(insmod_t)
 
@@ -101,6 +101,7 @@
 init_use_fds(insmod_t)
 init_use_script_fds(insmod_t)
 init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
 
 libs_use_ld_so(insmod_t)
 libs_use_shared_libs(insmod_t)
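Review bot: `init_spec_domtrans_script(insmod_t)` lets the module-loading helper execute init scripts, a large privilege for a domain normally entered from the kernel and hotplug paths, and it carries no comment, so a reviewer cannot tell whether it serves an `install`/`remove` line in modprobe configuration that restarts a service or something else. Add `# presumably for modprobe install/remove lines that run init scripts -- confirm` (or the real reason) beside it. The insmod rule block continues outside this hunk.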
@@ -112,11 +113,27 @@
 
 seutil_read_file_contexts(insmod_t)
 
+term_dontaudit_use_unallocated_ttys(insmod_t)
+userdom_dontaudit_search_users_home_dirs(insmod_t)
+userdom_dontaudit_search_sysadm_home_dirs(insmod_t)
+
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t,insmod_exec_t)
 }
 
 optional_policy(`
+	alsa_domtrans(insmod_t)
+')
+
+optional_policy(`
+	firstboot_dontaudit_rw_pipes(insmod_t)
+')
+
+optional_policy(`
+	hal_write_log(insmod_t)
+')
+
+optional_policy(`
 	hotplug_search_config(insmod_t)
 ')
 
@@ -149,10 +166,13 @@
 
 optional_policy(`
 	rpm_rw_pipes(insmod_t)
+	rpm_read_script_tmp_files(insmod_t)
 ')
 
 optional_policy(`
 	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_dontaudit_use_terminals(insmod_t)
+	unconfined_domain(insmod_t)
 ')
 
 optional_policy(`
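Review bot: `unconfined_domain(insmod_t)` makes the domain that loads kernel modules unconfined on any build carrying the unconfined module; together with the `kernel_domtrans_to(insmod_t,insmod_exec_t)` under `!secure_mode_insmod` in the previous hunk, the kernel-initiated module helper then runs with no confinement at all. If the goal is only to stop insmod from being blocked during package installs (the `rpm_` rules nearby hint at that), a comment saying so, and ideally the same `ifdef(`distro_ubuntu'` gate logging.te uses for its `unconfined_domain` calls, would make the trade-off explicit.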
@@ -179,6 +199,7 @@
 
 files_read_kernel_symbol_table(depmod_t)
 files_read_kernel_modules(depmod_t)
+files_delete_kernel_modules(depmod_t)
 
 fs_getattr_xattr_fs(depmod_t)
 
@@ -205,13 +226,18 @@
 userdom_read_staff_home_content_files(depmod_t)
 userdom_read_sysadm_home_content_files(depmod_t)
 
+userdom_dontaudit_use_sysadm_terms(depmod_t)
+
 optional_policy(`
 	# Read System.map from home directories.
 	unconfined_read_home_content_files(depmod_t)
+	unconfined_dontaudit_use_terminals(depmod_t)
+	unconfined_domain(depmod_t)
 ')
 
 optional_policy(`
 	rpm_rw_pipes(depmod_t)
+	rpm_manage_script_tmp_files(depmod_t)
 ')
 
 #################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.8/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/mount.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,4 +1,4 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
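Review bot: Removing the `/usr/bin/fusermount` entry means fusermount, a setuid-root binary, no longer gets `mount_exec_t` and so will not transition into `mount_t`; unless another hunk of this patch labels it elsewhere, it runs as root in the calling user's domain with that domain's access. If the intent is to stop labeling it, the commit should say so; otherwise keep the line. The new `/sbin/mount.*` and `/sbin/umount.*` patterns are anchored only at the front, so they also match helpers such as `/sbin/mountpoint`; that is probably acceptable but worth knowing.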
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/mount.te	2008-06-12 23:37:59.000000000 -0400
@@ -8,6 +8,13 @@
 
 ## <desc>
 ## <p>
+## Allow mount to mount any dir
+## </p>
+## </desc>
+gen_tunable(allow_mounton_anydir,true)
+
+## <desc>
+## <p>
 ## Allow mount to mount any file
 ## </p>
 ## </desc>
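Review bot: `gen_tunable(allow_mounton_anydir,true)` ships enabled, so the widening to mounting on any non-security directory (`files_mounton_non_security_dir` in the `tunable_policy` block later in this file) is on by default and must be opted out of; a boolean that relaxes confinement is normally `false` by default, and the default of the neighbouring `allow_mount_anyfile` is not visible here for comparison. The description `Allow mount to mount any dir` also fails to distinguish it from the file tunable; `Allow mount to mount on any non-security directory` says what it actually grants.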
@@ -18,17 +25,18 @@
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
 
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-# causes problems with interfaces when
-# this is optionally declared in monolithic
-# policy--duplicate type declaration
 type unconfined_mount_t;
 application_domain(unconfined_mount_t,mount_exec_t)
+role system_r types unconfined_mount_t;
 
 ########################################
 #
@@ -36,21 +44,24 @@
 #
 
 # setuid/setgid needed to mount cifs 
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
 
 allow mount_t mount_loopback_t:file read_file_perms;
-allow mount_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow mount_t mount_tmp_t:file manage_file_perms;
 allow mount_t mount_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 
-can_exec(mount_t, mount_exec_t)
+auth_use_nsswitch(mount_t)
 
-files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
+can_exec(mount_t, mount_exec_t)
 
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
+kernel_search_debugfs(mount_t)
+# In order to mount reiserfs_t
+kernel_list_unlabeled(mount_t)
 
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
@@ -63,6 +74,7 @@
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_cifs(mount_t)
@@ -71,6 +83,7 @@
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
 fs_list_auto_mountpoints(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
 fs_rw_tmpfs_chr_files(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
 
@@ -101,6 +114,8 @@
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
 
 libs_use_ld_so(mount_t)
 libs_use_shared_libs(mount_t)
@@ -118,6 +133,7 @@
 seutil_read_config(mount_t)
 
 userdom_use_all_users_fds(mount_t)
+userdom_read_sysadm_home_content_files(mount_t)
 
 ifdef(`distro_redhat',`
 	optional_policy(`
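Review bot: `userdom_read_sysadm_home_content_files(mount_t)` is granted unconditionally, while the existing `allow_mount_anyfile` tunable already gates mount's ability to read arbitrary files. If the intent is loop-mounting images kept in the administrator's home directory, this belongs inside that tunable so the default policy keeps mount away from admin home content; otherwise a comment explaining the use case is needed. The surrounding `ifdef(distro_redhat)` block continues outside this hunk.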
@@ -127,10 +143,15 @@
 	')
 ')
 
+tunable_policy(`allow_mounton_anydir',`
+	auth_read_all_dirs_except_shadow(mount_t)
+	files_mounton_non_security_dir(mount_t)
+')
+
 tunable_policy(`allow_mount_anyfile',`
 	auth_read_all_dirs_except_shadow(mount_t)
 	auth_read_all_files_except_shadow(mount_t)
-	files_mounton_non_security(mount_t)
+	files_mounton_non_security_files(mount_t)
 ')
 
 optional_policy(`
@@ -159,13 +180,9 @@
 
 	fs_search_rpc(mount_t)
 
-	sysnet_dns_name_resolve(mount_t)
-
 	rpc_stub(mount_t)
 
-	optional_policy(`
-		nis_use_ypbind(mount_t)
-	')
+	rpc_domtrans_rpcd(mount_t)
 ')
 
 optional_policy(`
@@ -180,17 +197,18 @@
 	')
 ')
 
-# for kernel package installation
 optional_policy(`
-	rpm_rw_pipes(mount_t)
+	lvm_domtrans(mount_t)
 ')
 
+# for kernel package installation
 optional_policy(`
-	samba_domtrans_smbmount(mount_t)
+	rpm_rw_pipes(mount_t)
 ')
 
 optional_policy(`
-	nscd_socket_use(mount_t)
+	samba_domtrans_smbmount(mount_t)
+	samba_read_config(mount_t)
 ')
 
 ########################################
@@ -201,4 +219,29 @@
 optional_policy(`
 	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
 	unconfined_domain(unconfined_mount_t)
+	optional_policy(`
+		hal_dbus_chat(unconfined_mount_t)
+	')
 ')
+
+########################################
+#
+# ntfs local policy
+#
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms; 
+
+corecmd_exec_shell(mount_t)
+
+fusermount_domtrans(mount_t)
+fusermount_use_fds(mount_t)
+
+modutils_domtrans_insmod(mount_t)
+
+optional_policy(`
+	hal_write_log(mount_t)
+	hal_use_fds(mount_t)
+	hal_rw_pipes(mount_t)
+')
+
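Review bot: The "ntfs local policy" section is applied to `mount_t` itself — `mount_ntfs_t` is only a typealias declared earlier in this diff — so `corecmd_exec_shell(mount_t)`, `fusermount_domtrans(mount_t)` and `modutils_domtrans_insmod(mount_t)` extend every mount invocation, not just NTFS mounts. `fusermount_domtrans`/`fusermount_use_fds` and `modutils_domtrans_insmod` are also called outside `optional_policy(...)`, unlike the hal rules below them, which makes the mount module hard-depend on those modules being present. Wrap them as `optional_policy(\` fusermount_domtrans(mount_t) fusermount_use_fds(mount_t) ')` and likewise for modutils, and retitle the header to say these rules apply to mount_t generally (or explain why mount needs a shell and insmod). The `unix_dgram_socket` line also carries trailing whitespace.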
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.8/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/raid.te	2008-06-12 23:37:59.000000000 -0400
@@ -19,7 +19,7 @@
 # Local policy
 #
 
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+allow mdadm_t self:capability { dac_override mknod sys_admin ipc_lock };
 dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -39,6 +39,7 @@
 dev_dontaudit_getattr_generic_files(mdadm_t)
 dev_dontaudit_getattr_generic_chr_files(mdadm_t)
 dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+dev_read_realtime_clock(mdadm_t)
 
 fs_search_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
@@ -83,5 +84,10 @@
 ')
 
 optional_policy(`
+	unconfined_domain(mdadm_t)
+')
+
+optional_policy(`
 	udev_read_db(mdadm_t)
 ')
+
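Review bot: `unconfined_domain(mdadm_t)` inside an `optional_policy` block makes mdadm fully unconfined whenever the unconfined module is loaded, which silently discards the fine-grained capability set maintained in the hunk above (including the `mknod` just added). If this is a stopgap for a known denial, say so in a comment and name what fails, e.g. `# TODO: temporary — mdadm hits <denial> during <operation>; remove once fixed`; a boolean would be a narrower escape hatch than unconditional unconfinement. The trailing blank line added at end of file is stray.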
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc	2008-06-12 23:37:59.000000000 -0400
@@ -38,7 +38,7 @@
 /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
 /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/setsebool		--	gen_context(system_u:object_r:setsebool_exec_t,s0)
 /usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if	2008-06-12 23:37:59.000000000 -0400
@@ -585,7 +585,7 @@
 		type selinux_config_t;
 	')
 
-	dontaudit $1 selinux_config_t:dir search;
+	dontaudit $1 selinux_config_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -604,7 +604,7 @@
 		type selinux_config_t;
 	')
 
-	dontaudit $1 selinux_config_t:dir search;
+	dontaudit $1 selinux_config_t:dir search_dir_perms;
 	dontaudit $1 selinux_config_t:file { getattr read };
 ')
 
@@ -669,6 +669,7 @@
 	')
 
 	files_search_etc($1)
+	manage_dirs_pattern($1,selinux_config_t,selinux_config_t)
 	manage_files_pattern($1,selinux_config_t,selinux_config_t)
 	read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
 ')
@@ -778,6 +779,28 @@
 
 ########################################
 ## <summary>
+##	dontaudit Read the file_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_dontaudit_read_file_contexts',`
+	gen_require(`
+		type selinux_config_t, default_context_t, file_context_t;
+	')
+
+	files_search_etc($1)
+	dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+	dontaudit $1 file_context_t:dir search_dir_perms;
+	dontaudit $1 file_context_t:file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write the file_contexts files.
 ## </summary>
 ## <param name="domain">
@@ -968,6 +991,26 @@
 
 ########################################
 ## <summary>
+##	Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`seutil_domtrans_setsebool',`
+	gen_require(`
+		type setsebool_t, setsebool_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domtrans_pattern($1,setsebool_exec_t,setsebool_t)
+')
+
+########################################
+## <summary>
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
@@ -979,7 +1022,7 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed the checkpolicy domain.
+##	The role to be allowed the semanage domain.
 ##	</summary>
 ## </param>
 ## <param name="terminal">
@@ -1001,6 +1044,39 @@
 
 ########################################
 ## <summary>
+##	Execute setsebool in the semanage domain, and
+##	allow the specified role the semanage domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the semanage domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the semanage domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setsebool',`
+	gen_require(`
+		type semanage_t;
+	')
+
+	seutil_domtrans_setsebool($1)
+	role $2 types semanage_t;
+	allow semanage_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
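Review bot: `seutil_run_setsebool` transitions the caller into `setsebool_t` via `seutil_domtrans_setsebool`, but then grants the role and the terminal to `semanage_t`, so the domain transition will fail the role check for any role that does not already have setsebool_t, and the new domain cannot use the caller's tty. The three lines should be `type setsebool_t;` in the gen_require, `role $2 types setsebool_t;`, and `allow setsebool_t $3:chr_file rw_term_perms;`. The summary's "in the semanage domain" should likewise say the setsebool domain.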
@@ -1058,3 +1134,141 @@
 	files_search_etc($1)
 	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
 ')
+
+#######################################
+## <summary>
+##	The per role template for the setsebool module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for setsebool plugins that are executed by a browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`seutil_setsebool_per_role_template',`
+	gen_require(`
+		type setsebool_exec_t;
+	')
+
+	type $1_setsebool_t;
+	domain_type($1_setsebool_t)
+	domain_entry_file($1_setsebool_t,setsebool_exec_t)
+	role $3 types $1_setsebool_t;
+
+	files_search_usr($2)
+	corecmd_search_bin($2)
+	domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
+	seutil_semanage_policy($1_setsebool_t)
+
+	# Need to define per type booleans
+	selinux_set_boolean($1_setsebool_t)
+
+	# Bug in semanage
+	seutil_domtrans_setfiles($1_setsebool_t)
+	seutil_manage_file_contexts($1_setsebool_t)
+	seutil_manage_default_contexts($1_setsebool_t)
+	seutil_manage_selinux_config($1_setsebool_t)
+')
+
+#######################################
+## <summary>
+##	All rules necessary to run semanage command
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_semanage_policy',`
+	gen_require(`
+		type semanage_tmp_t;
+		type policy_config_t;
+	')
+	allow $1 self:capability { dac_override audit_write sys_resource };
+	allow $1 self:process signal;
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	logging_send_audit_msgs($1)
+
+	# Running genhomedircon requires this for finding all users
+	auth_use_nsswitch($1)
+
+	allow $1 policy_config_t:file { read write };
+
+	allow $1 semanage_tmp_t:dir manage_dir_perms;
+	allow $1 semanage_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
+	kernel_read_system_state($1)
+	kernel_read_kernel_sysctls($1)
+
+	corecmd_exec_bin($1)
+	corecmd_exec_shell($1)
+
+	dev_read_urand($1)
+
+	domain_use_interactive_fds($1)
+
+	files_read_etc_files($1)
+	files_read_etc_runtime_files($1)
+	files_read_usr_files($1)
+	files_list_pids($1)
+	fs_list_inotifyfs($1)
+
+	mls_file_write_all_levels($1)
+	mls_file_read_all_levels($1)
+
+	selinux_getattr_fs($1)
+	selinux_validate_context($1)
+	selinux_get_enforce_mode($1)
+
+	term_use_all_terms($1)
+
+	libs_use_ld_so($1)
+	libs_use_shared_libs($1)
+
+	locallogin_use_fds($1)
+
+	logging_send_syslog_msg($1)
+
+	miscfiles_read_localization($1)
+
+	seutil_search_default_contexts($1)
+	seutil_domtrans_loadpolicy($1)
+	seutil_read_config($1)
+	seutil_manage_bin_policy($1)
+	seutil_use_newrole_fds($1)
+	seutil_manage_module_store($1)
+	seutil_get_semanage_trans_lock($1)
+	seutil_get_semanage_read_lock($1)
+
+	userdom_dontaudit_write_unpriv_user_home_content_files($1)
+
+	optional_policy(`
+		rpm_dontaudit_rw_tmp_files($1)
+		rpm_dontaudit_rw_pipes($1)
+	')
+')
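Review bot: `seutil_setsebool_per_role_template` gives each per-user `$1_setsebool_t` the whole of `seutil_semanage_policy` — management of the module store, a transition to loadpolicy, file access at all MLS levels, `term_use_all_terms` — and then the "Bug in semanage" block adds management of file_contexts, default_contexts and selinux_config, so any user domain `$2` that reaches this derived domain is effectively a policy administrator rather than someone allowed to flip booleans. Consider limiting the template to `selinux_set_boolean`, `seutil_read_config` and `seutil_get_semanage_read_lock`, and if the broader access is really required by the current setsebool implementation, record the bug reference next to `# Bug in semanage` so the workaround can be reverted. The template description is also copy-pasted from a browser-plugin template ("setsebool plugins that are executed by a browser") and should describe the setsebool derived domain instead.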
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2008-06-12 23:37:59.000000000 -0400
@@ -76,7 +76,6 @@
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
 
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
@@ -93,6 +92,10 @@
 domain_interactive_fd(semanage_t)
 role system_r types semanage_t;
 
+type setsebool_t;
+type setsebool_exec_t;
+init_system_domain(setsebool_t, setsebool_exec_t)
+
 type semanage_store_t;
 files_type(semanage_store_t)
 
@@ -170,6 +173,7 @@
 files_read_etc_runtime_files(load_policy_t)
 
 fs_getattr_xattr_fs(load_policy_t)
+fs_list_inotifyfs(load_policy_t)
 
 mls_file_read_all_levels(load_policy_t)
 
@@ -194,10 +198,19 @@
 	# cjp: cover up stray file descriptors.
 	dontaudit load_policy_t selinux_config_t:file write;
 	optional_policy(`
-		unconfined_dontaudit_read_pipes(load_policy_t)
+		unconfined_dontaudit_rw_pipes(load_policy_t)
 	')
 ')
 
+optional_policy(`
+	rpm_dontaudit_rw_pipes(load_policy_t)
+')
+
+optional_policy(`
+	usermanage_dontaudit_useradd_use_fds(load_policy_t)
+')
+
+
 ########################################
 #
 # Newrole local policy
@@ -215,7 +228,7 @@
 allow newrole_t self:msg { send receive };
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(newrole_t)
 
 read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
 read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
@@ -252,8 +265,11 @@
 term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 
+auth_use_nsswitch(newrole_t)
 auth_domtrans_chk_passwd(newrole_t)
+auth_domtrans_upd_passwd_chk(newrole_t)
 auth_rw_faillog(newrole_t)
+auth_search_key(newrole_t)
 
 corecmd_list_bin(newrole_t)
 corecmd_read_bin_symlinks(newrole_t)
@@ -273,6 +289,7 @@
 libs_use_ld_so(newrole_t)
 libs_use_shared_libs(newrole_t)
 
+logging_send_audit_msgs(newrole_t)
 logging_send_syslog_msg(newrole_t)
 
 miscfiles_read_localization(newrole_t)
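Review bot: `logging_send_audit_msgs(newrole_t)` is added here a second time; an earlier hunk in this file already substitutes the same call for the raw `netlink_audit_socket` allow in the self-permissions block. The duplicate is harmless to the compiler but misleading to readers; drop this one and keep the call with the other self rules.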
@@ -294,14 +311,6 @@
 	files_polyinstantiate_all(newrole_t)
 ')
 
-optional_policy(`
-	nis_use_ypbind(newrole_t)
-')
-
-optional_policy(`
-	nscd_socket_use(newrole_t)
-')
-
 ########################################
 #
 # Restorecond local policy
@@ -309,11 +318,12 @@
 
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
-allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
 files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
 
+auth_use_nsswitch(restorecond_t)
+
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
@@ -343,15 +353,12 @@
 
 miscfiles_read_localization(restorecond_t)
 
+userdom_read_all_users_home_dirs_symlinks(restorecond_t)
+
 optional_policy(`
 	rpm_use_script_fds(restorecond_t)
 ')
 
-optional_policy(`
-	# restorecond watches for users logging in, 
-	# so it getspwnam when a user logs in to find his homedir
-	nis_use_ypbind(restorecond_t)
-')
 
 #################################
 #
@@ -361,7 +368,7 @@
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(run_init_t)
 
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
@@ -375,6 +382,7 @@
 term_dontaudit_list_ptys(run_init_t)
 
 auth_domtrans_chk_passwd(run_init_t)
+auth_domtrans_upd_passwd_chk(run_init_t)
 auth_dontaudit_read_shadow(run_init_t)
 
 corecmd_exec_bin(run_init_t)
@@ -423,77 +431,52 @@
 	nscd_socket_use(run_init_t)
 ')	
 
+
 ########################################
 #
-# semodule local policy
+# setsebool local policy
 #
+seutil_semanage_policy(setsebool_t)
+selinux_set_boolean(setsebool_t)
 
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file { read write };
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
+init_dontaudit_use_fds(setsebool_t)
 
-domain_use_interactive_fds(semanage_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_selinux_config(setsebool_t)
 
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
-
-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
-
-selinux_validate_context(semanage_t)
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
-selinux_set_boolean(semanage_t)
-
-term_use_all_terms(semanage_t)
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-libs_use_ld_so(semanage_t)
-libs_use_shared_libs(semanage_t)
-
-locallogin_use_fds(semanage_t)
+########################################
+#
+# semodule local policy
+#
 
-logging_send_syslog_msg(semanage_t)
+seutil_semanage_policy(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
 
-miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
 
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_selinux_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_read_config(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
+userdom_search_sysadm_home_dirs(semanage_t)
+
 ifdef(`distro_debian',`
 	files_read_var_lib_files(semanage_t)
 	files_read_var_lib_symlinks(semanage_t)
 ')
 
+optional_policy(`
+	#signal mcstrans on reload
+	init_spec_domtrans_script(semanage_t)
+')
+
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
 	# read secadm tmp files
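Review bot: `setsebool_t` receives the full `seutil_semanage_policy` (module-store management, loadpolicy transition, MLS read/write at all levels) plus manage rights on file_contexts, default_contexts and selinux_config, so a domain whose only job is toggling booleans ends up as privileged as `semanage_t`. If setsebool currently needs this because of a bug in libsemanage, replace `# Bug in semanage` with the bug reference and the specific operation that fails, so the extra rules can be removed later; otherwise `selinux_set_boolean(setsebool_t)` with read access to the config should suffice. The new `auth_read_all_files_except_shadow(semanage_t)` ("pp files in random locations") and `init_spec_domtrans_script(semanage_t)` are also notable widenings of the semanage domain and deserve one-line justifications of their own.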
@@ -516,11 +499,20 @@
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
 dontaudit setfiles_t self:capability sys_tty_config;
 allow setfiles_t self:fifo_file rw_file_perms;
+dontaudit setfiles_t self:dir relabelfrom;
+dontaudit setfiles_t self:file relabelfrom;
+dontaudit setfiles_t self:lnk_file relabelfrom;
 
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
+logging_send_audit_msgs(setfiles_t)
+
+files_list_isid_type_dirs(setfiles_t)
+files_read_isid_type_files(setfiles_t)
+files_dontaudit_read_all_symlinks(setfiles_t)
+
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)
@@ -537,6 +529,7 @@
 
 fs_getattr_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
+fs_getattr_all_files(setfiles_t)
 fs_search_auto_mountpoints(setfiles_t)
 fs_relabelfrom_noxattr_fs(setfiles_t)
 
@@ -552,9 +545,7 @@
 selinux_compute_relabel_context(setfiles_t)
 selinux_compute_user_contexts(setfiles_t)
 
-term_use_all_user_ttys(setfiles_t)
-term_use_all_user_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
+term_use_all_terms(setfiles_t)
 
 # this is to satisfy the assertion:
 auth_relabelto_shadow(setfiles_t)
@@ -590,8 +581,20 @@
 	fs_relabel_tmpfs_chr_file(setfiles_t)
 ')
 
+optional_policy(`
+	cron_system_entry(setfiles_t, setfiles_exec_t)
+')
+
+optional_policy(`
+	rpm_dontaudit_rw_pipes(setfiles_t)
+')
+
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
+		ppp_dontaudit_use_fds(setfiles_t)
+	')
+
+	optional_policy(`
 		udev_dontaudit_rw_dgram_sockets(setfiles_t)
 	')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc	2008-06-12 23:37:59.000000000 -0400
@@ -52,8 +52,7 @@
 /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 
-/var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
-/var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhclient[^/]* 	--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if	2008-06-12 23:37:59.000000000 -0400
@@ -145,6 +145,25 @@
 
 ########################################
 ## <summary>
+##	Send a generic signal to the ifconfig client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the signal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signal_ifconfig',`
+	gen_require(`
+		type ifconfig_t;
+	')
+
+	allow $1 ifconfig_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	dhcpc over dbus.
 ## </summary>
@@ -493,6 +512,10 @@
 
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
+
+	optional_policy(`
+		avahi_stream_connect($1)
+	')
 ')
 
 ########################################
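Review bot: The `avahi_stream_connect($1)` added here lands in a generic interface whose name is outside this hunk, so every domain that calls it to read `net_conf_t` gains a connection to avahi's socket, a much broader effect than the interface's stated purpose. If this is for mDNS lookups through nsswitch (presumably — confirm), a comment such as `# name resolution may go through avahi (mdns); see nsswitch.conf` would explain the coupling, and the access may fit better in `auth_use_nsswitch` than in this interface.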
@@ -522,6 +545,8 @@
 
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
+	# LDAP Configuration using encrypted requires
+	dev_read_urand($1)
 ')
 
 ########################################
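Review bot: The comment `# LDAP Configuration using encrypted requires` is incomplete and does not say what it requires; the rule beneath it grants urandom reads. Reword to `# LDAP lookups over TLS/SSL need random bytes from /dev/urandom` (assuming that is the trigger — confirm). The enclosing interface starts outside this hunk.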
@@ -556,3 +581,23 @@
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to use
+##	the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain sending the SIGCHLD.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_dhcpc_use_fds',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	dontaudit $1 dhcpc_t:fd use;
+')
+
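Review bot: The parameter summary of `sysnet_dontaudit_dhcpc_use_fds` says "The domain sending the SIGCHLD.", which is copied from a signal interface and does not describe a dontaudit-fd interface. Use `## Domain to not audit.` as the other dontaudit interfaces do. The blank line added at end of file is stray.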
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te	2008-06-12 23:37:59.000000000 -0400
@@ -45,7 +45,7 @@
 dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process signal_perms;
+allow dhcpc_t self:process { ptrace signal_perms };
 allow dhcpc_t self:fifo_file rw_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
@@ -136,6 +136,7 @@
 
 modutils_domtrans_insmod(dhcpc_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(dhcpc_t)
 userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
 
 ifdef(`distro_redhat', `
@@ -159,6 +160,10 @@
 	dbus_connect_system_bus(dhcpc_t)
 	dbus_send_system_bus(dhcpc_t)
 
+	dbus_read_config(dhcpc_t)
+
+	dbus_dontaudit_rw_system_selinux_socket(dhcpc_t)
+
 	optional_policy(`
 		networkmanager_dbus_chat(dhcpc_t)
 	')
@@ -177,6 +182,7 @@
 	')
 ')
 
+
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`
 	netutils_domtrans_ping(dhcpc_t)
@@ -187,6 +193,10 @@
 ')
 
 optional_policy(`
+	networkmanager_domtrans(dhcpc_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(dhcpc_t)
 	nis_signal_ypbind(dhcpc_t)
 	nis_read_ypbind_pid(dhcpc_t)
@@ -203,9 +213,7 @@
 ')
 
 optional_policy(`
-	# dhclient sometimes starts ntpd
-	init_exec_script_files(dhcpc_t)
-	ntp_domtrans(dhcpc_t)
+	ntp_script_domtrans(dhcpc_t)
 ')
 
 optional_policy(`
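Review bot: Replacing the two rules with `ntp_script_domtrans(dhcpc_t)` also drops the only explanation of why the DHCP client touches ntp at all. Keep the why-comment above the call: `# dhclient-script may restart ntpd after a lease changes the time servers`, or at minimum the original `# dhclient sometimes starts ntpd`.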
@@ -216,6 +224,7 @@
 optional_policy(`
 	seutil_sigchld_newrole(dhcpc_t)
 	seutil_dontaudit_search_config(dhcpc_t)
+	seutil_domtrans_setfiles(dhcpc_t)
 ')
 
 optional_policy(`
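Review bot: `seutil_domtrans_setfiles(dhcpc_t)` lets the DHCP client — a process that parses untrusted network responses — execute setfiles/restorecon in `setfiles_t`, a domain that can relabel files across the system, and the hunk gives no reason. If this is so dhclient-script can run restorecon on the files it rewrites (presumably /etc/resolv.conf — confirm), add `# dhclient-script runs restorecon on the config files it regenerates` so a later reviewer knows the scope intended and can look for a narrower relabel interface.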
@@ -227,6 +236,10 @@
 ')
 
 optional_policy(`
+	vmware_append_log(dhcpc_t)
+')
+
+optional_policy(`
 	kernel_read_xen_state(dhcpc_t)
 	kernel_write_xen_state(dhcpc_t)
 	xen_append_log(dhcpc_t)
@@ -240,7 +253,6 @@
 
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
-dontaudit ifconfig_t self:capability sys_module;
 
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
@@ -254,6 +266,7 @@
 allow ifconfig_t self:sem create_sem_perms;
 allow ifconfig_t self:msgq create_msgq_perms;
 allow ifconfig_t self:msg { send receive };
+allow ifconfig_t net_conf_t:file r_file_perms;
 
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
@@ -269,7 +282,10 @@
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
 kernel_search_network_sysctl(ifconfig_t)
+kernel_search_debugfs(ifconfig_t)
 kernel_rw_net_sysctls(ifconfig_t)
+# This should be put inside a boolean, but can not because of attributes
+kernel_load_module(ifconfig_t)
 
 corenet_rw_tun_tap_dev(ifconfig_t)
 
@@ -280,8 +296,11 @@
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 
+selinux_dontaudit_getattr_fs(ifconfig_t)
+
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
 
 domain_use_interactive_fds(ifconfig_t)
 
@@ -327,6 +346,14 @@
 ')
 
 optional_policy(`
+	unconfined_dontaudit_rw_pipes(ifconfig_t)
+')
+
+optional_policy(`
+	vmware_append_log(ifconfig_t)
+')
+
+optional_policy(`
 	kernel_read_xen_state(ifconfig_t)
 	kernel_write_xen_state(ifconfig_t)
 	xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.0.8/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.if	2008-06-12 23:37:59.000000000 -0400
@@ -106,11 +106,11 @@
 #
 interface(`udev_read_db',`
 	gen_require(`
-		type udev_tdb_t;
+		type udev_tbl_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file read_file_perms;
+	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 ')
 
 ########################################
@@ -125,9 +125,9 @@
 #
 interface(`udev_rw_db',`
 	gen_require(`
-		type udev_tdb_t;
+		type udev_tbl_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tdb_t:file rw_file_perms;
+	allow $1 udev_tbl_t:file rw_file_perms;
 ')
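Review bot: `udev_rw_db` keeps a bare `allow $1 udev_tbl_t:file rw_file_perms;` while the sibling `udev_read_db` in the previous hunk was converted to `read_files_pattern`; for consistency and so callers also get directory search on the table, use `rw_files_pattern($1, udev_tbl_t, udev_tbl_t)`. The rename from `udev_tdb_t` to `udev_tbl_t` must be matched by the type declaration in udev.te, which this diff does not show — confirm the declaration and its file context were renamed too.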
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2008-06-12 23:37:59.000000000 -0400
@@ -132,6 +132,7 @@
 
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
+init_getattr_initctl(udev_t)
 
 libs_use_ld_so(udev_t)
 libs_use_shared_libs(udev_t)
@@ -184,6 +185,12 @@
 ')
 
 optional_policy(`
+	alsa_domtrans(udev_t)
+	alsa_read_lib(udev_t)
+	alsa_read_rw_config(udev_t)
+')
+
+optional_policy(`
 	brctl_domtrans(udev_t)
 ')
 
@@ -220,6 +227,10 @@
 ')
 
 optional_policy(`
+	raid_domtrans_mdadm(udev_t)
+')
+
+optional_policy(`
 	kernel_write_xen_state(udev_t)
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
@@ -227,5 +238,9 @@
 ')
 
 optional_policy(`
+	unconfined_domain(udev_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')
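Review bot: `unconfined_domain(udev_t)` inside `optional_policy` makes udev unconfined whenever the unconfined module is loaded, which discards every rule above it in this file and extends unconfinement to any helper udev runs without a domain transition. Given udev reacts to hotplug events from attached hardware, this is a wide escape hatch; if it is a temporary measure, document what fails and why the targeted rules added in the same file (alsa, brctl, mdadm transitions) are not enough, e.g. `# TODO: temporary — udev still hits <denial>; remove once covered by explicit rules`.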
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2008-06-12 23:37:59.000000000 -0400
@@ -7,6 +7,8 @@
 /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
 /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/sbin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2008-06-12 23:37:59.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
 	gen_require(`
-		type unconfined_t;
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
 	')
 
 	# Use any Linux capability.
-	allow $1 self:capability *;
+	allow $1 self:capability all_capabilities;
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
@@ -27,12 +26,13 @@
 
 	# Write access is for setting attributes under /proc/self/attr.
 	allow $1 self:file rw_file_perms;
+	allow $1 self:dir rw_dir_perms;
 
 	# Userland object managers
-	allow $1 self:nscd *;
-	allow $1 self:dbus *;
-	allow $1 self:passwd *;
-	allow $1 self:association *;
+	allow $1 self:nscd all_nscd_perms;
+	allow $1 self:dbus all_dbus_perms;
+	allow $1 self:passwd all_passwd_perms;
+	allow $1 self:association all_association_perms;
 
 	kernel_unconfined($1)
 	corenet_unconfined($1)
@@ -399,12 +399,11 @@
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and write
-##	unconfined domain unnamed pipes.
+##	dontaudit Read and write unconfined domain unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
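Review bot: The documentation of `unconfined_dontaudit_rw_pipes` regresses: the summary now starts with "dontaudit Read and write" and the parameter reads "Domain allowed access.", which is wrong for a dontaudit interface that allows nothing. Restore `## Do not audit attempts to read and write unconfined domain unnamed pipes.` and `## Domain to not audit.` as the original text had.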
@@ -413,9 +412,10 @@
 		type unconfined_t;
 	')
 
-	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+	dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;
 ')
 
+
 ########################################
 ## <summary>
 ##	Connect to the unconfined domain using
@@ -437,6 +437,25 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to read/write to
+##	unconfined with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	unconfined domain tcp sockets.
 ## </summary>
@@ -558,7 +577,7 @@
 	')
 
 	files_search_home($1)
-	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+	allow $1 { unconfined_home_dir_t sysadm_home_t }:dir list_dir_perms;
 	read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
 	read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
 ')
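Review bot: The replaced rule now lists `{ unconfined_home_dir_t sysadm_home_t }` for `list_dir_perms` while the two `read_*_pattern` lines directly below still name `unconfined_home_t`, so a caller loses directory search on `unconfined_home_t` subdirectories it is expected to read through, and `sysadm_home_t` is not declared in this interface's `gen_require` as far as the hunk shows (the require block is above the hunk). If both types are meant to be covered, the line should read `allow $1 { unconfined_home_dir_t unconfined_home_t sysadm_home_t }:dir list_dir_perms;` with `sysadm_home_t` added to the require; if `unconfined_home_t` is being replaced by `sysadm_home_t` elsewhere in the patch, a comment saying so would stop this from reading as a typo. The enclosing interface starts outside the hunk.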
@@ -601,3 +620,216 @@
 
 	allow $1 unconfined_tmp_t:file { getattr write append };
 ')
+
+########################################
+## <summary>
+##	manage unconfined users temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_manage_tmp_files',`
+	gen_require(`
+		type unconfined_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1,unconfined_tmp_t,unconfined_tmp_t)
+	manage_lnk_files_pattern($1,unconfined_tmp_t,unconfined_tmp_t)
+')
+
+########################################
+## <summary>
+##	Allow ptrace of unconfined domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_ptrace',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to unconfined execmem shared memory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`unconfined_execmem_rw_shm',`
+	gen_require(`
+		type unconfined_execmem_t;
+	')
+
+	allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##	Transform specified type into a unconfined_terminal type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_terminal_type',`
+	gen_require(`
+		attribute unconfined_terminal;
+	')
+
+	typeattribute $1 unconfined_terminal;
+')
+
+########################################
+## <summary>
+##	allow attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_use_terminals',`
+	gen_require(`
+		type unconfined_devpts_t;
+		type unconfined_tty_device_t;
+	')
+
+	allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
+	allow $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use unconfined ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`unconfined_dontaudit_use_terminals',`
+	gen_require(`
+		type unconfined_devpts_t;
+		type unconfined_tty_device_t;
+	')
+
+	dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
+	dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+##	Read/write unconfined tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read/write unconfined tmpfs files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_tmpfs_files',`
+	gen_require(`
+		type unconfined_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Read and write unconfined named sockets in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_tmp_sockets',`
+	gen_require(`
+		type tmp_t;
+	')
+	files_search_tmp($1)
+	rw_sock_files_pattern($1,unconfined_tmp_t,unconfined_tmp_t)
+')
+
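Review bot: `unconfined_rw_tmp_sockets` requires `type tmp_t;` but its only rule references `unconfined_tmp_t`, so the `gen_require` does not declare the type the interface actually uses; it should be `type unconfined_tmp_t;` (`files_search_tmp` brings its own require for `tmp_t`). In the same hunk, `unconfined_set_rlimitnh` misspells the permission it grants (`rlimitinh`) in its name and its summary says "userdomain" rather than unconfined, and the parameter descriptions of `unconfined_terminal_type` and `unconfined_use_terminals` say `Domain to not audit.` although both grant access, so they should read `Domain allowed access.`. Because `unconfined_ptrace` hands the caller control over every unconfined process, a one-line caveat in its summary, e.g. `##	Effectively grants the privileges of unconfined_t; intended for debuggers only.`, would help reviewers of future callers.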
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2008-06-12 23:37:59.000000000 -0400
@@ -5,36 +5,53 @@
 #
 # Declarations
 #
+type unconfined_gnome_home_t;
+files_type(unconfined_gnome_home_t)
 
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
+userdom_unpriv_user_template(unconfined)
+userdom_xwindows_client_template(unconfined)
+
+userdom_user_home_content(unconfined,unconfined_gnome_home_t)
 
 type unconfined_exec_t;
 init_system_domain(unconfined_t,unconfined_exec_t)
+role unconfined_r types unconfined_t;
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
 
 type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
 init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 
+unconfined_domain(unconfined_t)
+
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
 ########################################
 #
 # Local policy
 #
 
+dontaudit unconfined_t self:dir write;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
 domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
 
 files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
 
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
 init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+init_domtrans_script(unconfined_t)
 
 libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
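Review bot: The new `dontaudit unconfined_t self:capability sys_module;` silently drops the audit record of a denied module load from an unconfined shell, and nothing in the hunk says why that denial is expected; the `unconfined_domain` template in this patch grants `all_capabilities`, so the dontaudit only matters if sys_module is withheld from unconfined_t somewhere not shown here. If it is withheld as a hardening measure, a denied module load is precisely the event an operator wants logged, so either add a comment naming the benign source of the noise, e.g. `# sys_module is withheld from unconfined_t; modprobe probing by desktop tools triggers harmless denials`, or drop the dontaudit. The role allows `allow system_r unconfined_r;` / `allow unconfined_r system_r;` would likewise benefit from a comment naming which transitions (presumably the init-script path via `init_domtrans_script`) require them.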
@@ -42,37 +59,40 @@
 logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
 mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
 
+seutil_run_setsebool(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
-unconfined_domain(unconfined_t)
-
 userdom_priveleged_home_dir_manager(unconfined_t)
 
 optional_policy(`
-	ada_domtrans(unconfined_t)
+	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
-	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(httpd_unconfined_script_t)
+	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
-	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
+	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	unconfined_domain(httpd_unconfined_script_t)
 ')
 
 optional_policy(`
-	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
 	cron_per_role_template(unconfined,unconfined_t,unconfined_r)
 	# this is disallowed usage:
 	unconfined_domain(unconfined_crond_t)
+	unconfined_domain(unconfined_crontab_t)
+	role system_r types unconfined_crontab_t;
+	rpm_transition_script(unconfined_crond_t)
 ')
 
 optional_policy(`
@@ -107,22 +127,22 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
-')
 
-optional_policy(`
-	firstboot_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	optional_policy(`
+		vpnc_dbus_chat(unconfined_t)
+	')
 ')
 
 optional_policy(`
-	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	firstboot_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
-	inn_domtrans(unconfined_t)
+	java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
-	java_domtrans(unconfined_t)
+	ftp_run_ftpdctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
@@ -130,15 +150,10 @@
 ')
 
 optional_policy(`
-	modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-')
-
-optional_policy(`
-	mono_domtrans(unconfined_t)
+	mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
-
 optional_policy(`
-	mta_per_role_template(unconfined,unconfined_t,unconfined_r)
+	modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
@@ -154,33 +169,20 @@
 ')
 
 optional_policy(`
-	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-	# cjp: this should probably be removed:
-	postfix_domtrans_master(unconfined_t)
-')
-
-
-optional_policy(`
-	pyzor_per_role_template(unconfined)
-')
-
-optional_policy(`
-	# cjp: this should probably be removed:
-	rpc_domtrans_nfsd(unconfined_t)
-')
-
-optional_policy(`
 	rpm_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	# Allow SELinux aware applications to request rpm_script execution
+	rpm_transition_script(unconfined_t)
 ')
 
 optional_policy(`
 	samba_per_role_template(unconfined)
-	samba_run_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	samba_run_unconfined_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 	samba_run_winbind_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
-	spamassassin_per_role_template(unconfined,unconfined_t,unconfined_r)
+	sendmail_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
@@ -205,11 +207,22 @@
 ')
 
 optional_policy(`
-	wine_domtrans(unconfined_t)
+	wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+	unconfined_domain(unconfined_mozilla_t)
+	allow unconfined_mozilla_t self:process { execstack execmem };
+')
+
+optional_policy(`
+	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
 ')
 
 optional_policy(`
-	xserver_domtrans_xdm_xserver(unconfined_t)
+	xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+	xserver_xdm_rw_shm(unconfined_t)
 ')
 
 ########################################
@@ -219,14 +232,42 @@
 
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition;
 
 optional_policy(`
-	dbus_stub(unconfined_execmem_t)
+	gen_require(`
+		type unconfined_dbusd_t;
+	')
+	unconfined_domain(unconfined_dbusd_t)
+')
 
+optional_policy(`
 	init_dbus_chat_script(unconfined_execmem_t)
+	dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
+	unconfined_dbus_connect(unconfined_execmem_t)
+')
 
-	optional_policy(`
-		hal_dbus_chat(unconfined_execmem_t)
-	')
+optional_policy(`
+	avahi_dbus_chat(unconfined_execmem_t)
+')
+
+optional_policy(`
+	hal_dbus_chat(unconfined_execmem_t)
+')
+
+optional_policy(`
+	xserver_xdm_rw_shm(unconfined_execmem_t)
 ')
+
+corecmd_exec_all_executables(unconfined_t)
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
+
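Review bot: `corecmd_exec_all_executables(unconfined_t)` is placed after the unconfined_execmem_t local policy and just before the new notrans section although it concerns `unconfined_t`; move it up into the unconfined_t local policy block so the per-domain layout of the file stays readable. The `gen_require(` / `type unconfined_dbusd_t;` / `')` inside an `optional_policy` of a .te file is unusual for refpolicy, which reaches another module's type through an interface; if the dbus module offers one for its per-role domain, prefer it, otherwise add a comment explaining why a raw require is needed here. The new `allow unconfined_execmem_t unconfined_t:process transition;` is only the process half of a domain transition; if the intent is to let execmem programs exec back into unconfined_t, a `domtrans_pattern`-style rule, or a comment naming the entrypoint that makes the transition reachable, would make the intent checkable.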
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc	2008-06-12 23:37:59.000000000 -0400
@@ -1,4 +1,4 @@
 HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
+HOME_DIR	-l	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
-
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2008-06-27 07:07:05.000000000 -0400
@@ -29,8 +29,9 @@
 	')
 
 	attribute $1_file_type;
+	attribute $1_usertype;
 
-	type $1_t, userdomain;
+	type $1_t, userdomain, $1_usertype;
 	domain_type($1_t)
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
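Review bot: The new `attribute $1_usertype;` is introduced without a comment, yet the rest of this template in the patch grants most of its rules to the attribute rather than to `$1_t`, so whoever later adds a type to the attribute is handing it the whole base user permission set. Suggest a comment above the declaration, e.g. `# $1_usertype: every type carrying this attribute receives the base user rules below (self access, pty/tty use, nsswitch, shared libs); add only types that should share $1_t's privileges.` The template header is outside the hunk.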
@@ -45,65 +46,73 @@
 	type $1_tty_device_t; 
 	term_user_tty($1_t,$1_tty_device_t)
 
-	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
-	allow $1_t self:fd use;
-	allow $1_t self:fifo_file rw_fifo_file_perms;
-	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_t self:shm create_shm_perms;
-	allow $1_t self:sem create_sem_perms;
-	allow $1_t self:msgq create_msgq_perms;
-	allow $1_t self:msg { send receive };
-	allow $1_t self:context contains;
-	dontaudit $1_t self:socket create;
-
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
-
-	kernel_read_kernel_sysctls($1_t)
-	kernel_dontaudit_list_unlabeled($1_t)
-	kernel_dontaudit_getattr_unlabeled_files($1_t)
-	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
-	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
-	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
-	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+	allow $1_usertype $1_usertype:fd use;
+	allow $1_usertype $1_t:key { create view read write search link setattr };
+
+	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
+	allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
+	allow $1_usertype $1_usertype:shm create_shm_perms;
+	allow $1_usertype $1_usertype:sem create_sem_perms;
+	allow $1_usertype $1_usertype:msgq create_msgq_perms;
+	allow $1_usertype $1_usertype:msg { send receive };
+	allow $1_usertype $1_usertype:context contains;
+	dontaudit $1_usertype $1_usertype:socket create;
+
+	allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	term_create_pty($1_usertype,$1_devpts_t)
+
+	allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+
+	application_exec_all($1_usertype)
+
+	auth_use_nsswitch($1_usertype)
+
+	kernel_read_kernel_sysctls($1_usertype)
+	kernel_dontaudit_list_unlabeled($1_usertype)
+	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
+	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
+	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
 
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
-	domain_dontaudit_read_all_domains_state($1_t)
-	domain_dontaudit_getattr_all_domains($1_t)
-	domain_dontaudit_getsession_all_domains($1_t)
-
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-	files_read_usr_files($1_t)
+	domain_dontaudit_read_all_domains_state($1_usertype)
+	domain_dontaudit_getattr_all_domains($1_usertype)
+	domain_dontaudit_getsession_all_domains($1_usertype)
+
+	files_list_mnt($1_usertype)
+	files_read_etc_files($1_usertype)
+	files_read_etc_runtime_files($1_usertype)
+	files_read_usr_files($1_usertype)
 	# Read directories and files with the readable_t type.
 	# This type is a general type for "world"-readable files.
-	files_list_world_readable($1_t)
-	files_read_world_readable_files($1_t)
-	files_read_world_readable_symlinks($1_t)
-	files_read_world_readable_pipes($1_t)
-	files_read_world_readable_sockets($1_t)
+	files_list_world_readable($1_usertype)
+	files_read_world_readable_files($1_usertype)
+	files_read_world_readable_symlinks($1_usertype)
+	files_read_world_readable_pipes($1_usertype)
+	files_read_world_readable_sockets($1_usertype)
 	# old broswer_domain():
-	files_dontaudit_list_non_security($1_t)
-	files_dontaudit_getattr_non_security_files($1_t)
-	files_dontaudit_getattr_non_security_symlinks($1_t)
-	files_dontaudit_getattr_non_security_pipes($1_t)
-	files_dontaudit_getattr_non_security_sockets($1_t)
-	files_dontaudit_getattr_non_security_blk_files($1_t)
-	files_dontaudit_getattr_non_security_chr_files($1_t)
-
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-	libs_exec_ld_so($1_t)
+	files_dontaudit_list_non_security($1_usertype)
+	files_dontaudit_getattr_non_security_files($1_usertype)
+	files_dontaudit_getattr_non_security_symlinks($1_usertype)
+	files_dontaudit_getattr_non_security_pipes($1_usertype)
+	files_dontaudit_getattr_non_security_sockets($1_usertype)
+
+	dev_dontaudit_getattr_all_blk_files($1_usertype)
+	dev_dontaudit_getattr_all_chr_files($1_usertype)
+
+	libs_use_ld_so($1_usertype)
+	libs_use_shared_libs($1_usertype)
+	libs_exec_ld_so($1_usertype)
 
-	miscfiles_read_localization($1_t)
-	miscfiles_read_certs($1_t)
+	miscfiles_read_localization($1_usertype)
+	miscfiles_read_certs($1_usertype)
 
-	sysnet_read_config($1_t)
+	sysnet_read_config($1_usertype)
 
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
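Review bot: Replacing `allow $1_t self:process { ... }` with `allow $1_usertype $1_usertype:process { ... }` (and likewise for fd, fifo_file, the unix sockets, shm, sem, msgq and msg) turns self access into cross-type access: every type carrying `$1_usertype` can now signal, setsched, share with and use the fds of every other such type, not only itself. The same holds for `allow $1_usertype $1_t:key { create view read write search link setattr };`, which gives every usertype write and setattr on `$1_t`'s keyrings. If the attribute's members are meant to be mutually trusting that is defensible but should be said in a comment; if only per-type self access was intended, keep the `self` form, `allow $1_usertype self:process { ... };`, which SELinux expands per type. The enclosing template begins outside the hunk.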
@@ -114,6 +123,10 @@
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	optional_policy(`
+		ssh_rw_stream_sockets($1_usertype)
+	')
 ')
 
 #######################################
@@ -184,7 +197,7 @@
 	files_list_home($1_t)
 
 	tunable_policy(`use_nfs_home_dirs',`
-		fs_list_nfs_dirs($1_t)
+		fs_list_nfs($1_t)
 		fs_read_nfs_files($1_t)
 		fs_read_nfs_symlinks($1_t)
 		fs_read_nfs_named_sockets($1_t)
@@ -195,7 +208,7 @@
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
-		fs_list_cifs_dirs($1_t)
+		fs_list_cifs($1_t)
 		fs_read_cifs_files($1_t)
 		fs_read_cifs_symlinks($1_t)
 		fs_read_cifs_named_sockets($1_t)
@@ -262,42 +275,42 @@
 
 	# full control of the home directory
 	allow $1_t $1_home_t:file entrypoint;
-	manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-	files_list_home($1_t)
+	manage_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	relabel_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	relabel_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	relabel_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	relabel_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	relabel_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
+	filetrans_pattern($1_usertype,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+	files_list_home($1_usertype)
 
 	# cjp: this should probably be removed:
-	allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1_usertype $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
 	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_t)
-		fs_manage_nfs_files($1_t)
-		fs_manage_nfs_symlinks($1_t)
-		fs_manage_nfs_named_sockets($1_t)
-		fs_manage_nfs_named_pipes($1_t)
+		fs_manage_nfs_dirs($1_usertype)
+		fs_manage_nfs_files($1_usertype)
+		fs_manage_nfs_symlinks($1_usertype)
+		fs_manage_nfs_named_sockets($1_usertype)
+		fs_manage_nfs_named_pipes($1_usertype)
 	',`
-		fs_dontaudit_manage_nfs_dirs($1_t)
-		fs_dontaudit_manage_nfs_files($1_t)
+		fs_dontaudit_manage_nfs_dirs($1_usertype)
+		fs_dontaudit_manage_nfs_files($1_usertype)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_t)
-		fs_manage_cifs_files($1_t)
-		fs_manage_cifs_symlinks($1_t)
-		fs_manage_cifs_named_sockets($1_t)
-		fs_manage_cifs_named_pipes($1_t)
+		fs_manage_cifs_dirs($1_usertype)
+		fs_manage_cifs_files($1_usertype)
+		fs_manage_cifs_symlinks($1_usertype)
+		fs_manage_cifs_named_sockets($1_usertype)
+		fs_manage_cifs_named_pipes($1_usertype)
 	',`
-		fs_dontaudit_manage_cifs_dirs($1_t)
-		fs_dontaudit_manage_cifs_files($1_t)
+		fs_dontaudit_manage_cifs_dirs($1_usertype)
+		fs_dontaudit_manage_cifs_files($1_usertype)
 	')
 ')
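Review bot: Moving the `relabel_*_pattern` calls from `$1_t` to `$1_usertype` lets every type with the attribute relabel home content to `$1_home_t`, and the line annotated `# cjp: this should probably be removed:` is widened to the attribute instead of being removed. Relabel is the permission that lets a domain launder a file's type, so either keep the relabel rules on `$1_t` only or add a comment above them stating that all usertypes are trusted with home relabeling. The `file entrypoint` rule just above correctly stays on `$1_t`; a short comment there would make that asymmetry look deliberate rather than missed. The enclosing template begins outside the hunk.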
 
@@ -315,14 +328,20 @@
 ## <rolebase/>
 #
 template(`userdom_exec_home_template',`
-	can_exec($1_t,$1_home_t)
 
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_exec_nfs_files($1_t)
+	tunable_policy(`allow_$1_exec_content', `
+		can_exec($1_usertype,user_home_type)
+	',`
+		dontaudit $1_usertype user_home_type:file execute;
 	')
 
-	tunable_policy(`use_samba_home_dirs',`
-		fs_exec_cifs_files($1_t)
+
+	tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+		fs_exec_nfs_files($1_usertype)
+	')
+
+	tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+		fs_exec_cifs_files($1_usertype)
 	')
 ')
 
@@ -374,12 +393,12 @@
 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
 
-	manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
+	manage_dirs_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+	manage_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+	manage_lnk_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+	manage_sock_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+	manage_fifo_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+	files_tmp_filetrans($1_usertype, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
@@ -395,7 +414,9 @@
 ## <rolebase/>
 #
 template(`userdom_exec_tmp_template',`
-	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	tunable_policy(`allow_$1_exec_content', `
+		exec_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
+	')
 ')
 
 #######################################
@@ -509,10 +530,6 @@
 ## <rolebase/>
 #
 template(`userdom_exec_generic_pgms_template',`
-	gen_require(`
-		type $1_t;
-	')
-
 	corecmd_exec_bin($1_t)
 ')
 
@@ -530,9 +547,6 @@
 ## <rolebase/>
 #
 template(`userdom_basic_networking_template',`
-	gen_require(`
-		type $1_t;
-	')
 
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
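Review bot: Dropping the `gen_require(` / `type $1_t;` / `')` block leaves the template using `$1_t` without declaring it, which only works if every caller already has the type in scope; the preceding hunk makes the same change to `userdom_exec_generic_pgms_template`. If that is the intended contract, say so in each template's doc comment, otherwise keep the require. The removal also leaves a blank line directly after the `template(` line, which the surrounding templates do not have.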
@@ -563,32 +577,29 @@
 #
 template(`userdom_xwindows_client_template',`
 	gen_require(`
-		type $1_t, $1_tmpfs_t;
+		type $1_tmpfs_t;
 	')
 
-	optional_policy(`
-		dev_rw_xserver_misc($1_t)
-		dev_rw_power_management($1_t)
-		dev_read_input($1_t)
-		dev_read_misc($1_t)
-		dev_write_misc($1_t)
-		# open office is looking for the following
-		dev_getattr_agp_dev($1_t)
-		dev_dontaudit_rw_dri($1_t)
-		# GNOME checks for usb and other devices:
-		dev_rw_usbfs($1_t)
-
-		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
-		xserver_xsession_entry_type($1_t)
-		xserver_dontaudit_write_log($1_t)
-		xserver_stream_connect_xdm($1_t)
-		# certain apps want to read xdm.pid file
-		xserver_read_xdm_pid($1_t)
-		# gnome-session creates socket under /tmp/.ICE-unix/
-		xserver_create_xdm_tmp_sockets($1_t)
-		# Needed for escd, remove if we get escd policy
-		xserver_manage_xdm_tmp_files($1_t)
-	')
+	dev_rw_xserver_misc($1_usertype)
+	dev_rw_power_management($1_usertype)
+	dev_read_input($1_usertype)
+	dev_read_misc($1_usertype)
+	dev_write_misc($1_usertype)
+	# open office is looking for the following
+	dev_getattr_agp_dev($1_usertype)
+	dev_dontaudit_rw_dri($1_usertype)
+	# GNOME checks for usb and other devices:
+	dev_rw_usbfs($1_usertype)
+	xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
+	xserver_xsession_entry_type($1_usertype)
+	xserver_dontaudit_write_log($1_usertype)
+	xserver_stream_connect_xdm($1_usertype)
+	# certain apps want to read xdm.pid file
+	xserver_read_xdm_pid($1_usertype)
+	# gnome-session creates socket under /tmp/.ICE-unix/
+	xserver_create_xdm_tmp_sockets($1_usertype)
+	# Needed for escd, remove if we get escd policy
+	xserver_manage_xdm_tmp_files($1_usertype)
 ')
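Review bot: The `optional_policy` wrapper around the `dev_*` and `xserver_*` calls is removed, so this template now hard-depends on the xserver module; `userdom_unpriv_user_template` compensates by wrapping its call, but `unconfined.te` in this same patch calls `userdom_xwindows_client_template(unconfined)` bare, which will fail when xserver is not built. Either restore the wrapper here or add a doc note, `##	Requires the xserver module; callers must wrap this template in optional_policy.`, and wrap the unconfined.te caller. The template's doc header is outside the hunk.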
 
 #######################################
@@ -664,67 +675,39 @@
 		attribute unpriv_userdomain;
 	')
 
-	userdom_base_user_template($1)
-
-	userdom_manage_home_template($1)
-	userdom_exec_home_template($1)
-
-	userdom_manage_tmp_template($1)
-	userdom_exec_tmp_template($1)
-
-	userdom_manage_tmpfs_template($1)
-
 	userdom_untrusted_content_template($1)
 
 	userdom_basic_networking_template($1)
 
 	userdom_exec_generic_pgms_template($1)
 
-	userdom_xwindows_client_template($1)
-
-	userdom_change_password_template($1)
+	optional_policy(`
+		userdom_xwindows_client_template($1)
+	')
 
 	##############################
 	#
 	# User domain Local policy
 	#
 
-	allow $1_t self:capability { setgid chown fowner };
-	dontaudit $1_t self:capability { sys_nice fsetid };
-	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_t self:process { ptrace setfscreate };
-
-	allow $1_t self:context contains;
-
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
 	allow $1_t unpriv_userdomain:fd use;
 
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-	kernel_read_net_sysctls($1_t)
 	# Very permissive allowing every domain to see every type:
 	kernel_get_sysvipc_info($1_t)
-	# Find CDROM devices:
-	kernel_read_device_sysctls($1_t)
 
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_udp_bind_generic_port($1_t)
 
-	dev_read_sysfs($1_t)
 	dev_read_rand($1_t)
-	dev_read_urand($1_t)
 	dev_write_sound($1_t)
 	dev_read_sound($1_t)
 	dev_read_sound_mixer($1_t)
 	dev_write_sound_mixer($1_t)
 
-	domain_use_interactive_fds($1_t)
-	# Command completion can fire hundreds of denials
-	domain_dontaudit_exec_all_entry_files($1_t)
-
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
 	# Check to see if cdrom is mounted
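Review bot: `allow $1_t self:capability { setgid chown fowner };` and `allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` are removed with no replacement visible in this hunk; the base template in this patch grants a narrower process set (signal_perms, sched, getpgid and friends) and no capabilities, so unless these moved elsewhere, unprivileged users lose chown/setgid and several process rights. The same hunk drops `userdom_change_password_template($1)`, `userdom_exec_home_template($1)` and `userdom_exec_tmp_template($1)` without a visible replacement. A comment at the top of the template spelling out the new contract, e.g. `# Callers must first invoke userdom_base_user_template, userdom_manage_home_template, userdom_manage_tmp_template and userdom_manage_tmpfs_template.`, would document who is now responsible for them. The template header is outside the hunk.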
@@ -737,12 +720,6 @@
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
 
-	fs_get_all_fs_quotas($1_t)
-	fs_getattr_all_fs($1_t)
-	fs_getattr_all_dirs($1_t)
-	fs_search_auto_mountpoints($1_t)
-	fs_list_inotifyfs($1_t)
-
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
@@ -755,31 +732,14 @@
 	storage_getattr_fixed_disk_dev($1_t)
 
 	auth_read_login_records($1_t)
-	auth_dontaudit_write_login_records($1_t)
 	auth_search_pam_console_data($1_t)
 	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 
 	init_read_utmp($1_t)
-	# The library functions always try to open read-write first,
-	# then fall back to read-only if it fails. 
-	init_dontaudit_write_utmp($1_t)
-	# Stop warnings about access to /dev/console
-	init_dontaudit_use_fds($1_t)
-	init_dontaudit_use_script_fds($1_t)
-
-	libs_exec_lib_files($1_t)
-
-	logging_dontaudit_getattr_all_logs($1_t)
-
-	miscfiles_read_man_pages($1_t)
-	# for running TeX programs
-	miscfiles_read_tetex_data($1_t)
-	miscfiles_exec_tetex_data($1_t)
 
 	seutil_read_file_contexts($1_t)
 	seutil_read_default_contexts($1_t)
-	seutil_read_config($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	seutil_exec_checkpolicy($1_t)
 	seutil_exec_setfiles($1_t)
@@ -794,19 +754,12 @@
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
-	',`
-		files_dontaudit_list_default($1_t)
-		files_dontaudit_read_default_files($1_t)
 	')
 
 	tunable_policy(`user_direct_mouse',`
 		dev_read_mouse($1_t)
 	')
 
-	tunable_policy(`user_ttyfile_stat',`
-		term_getattr_all_user_ttys($1_t)
-	')
-
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
@@ -821,11 +774,6 @@
 	')
 
 	optional_policy(`
-		cups_stream_connect($1_t)
-		cups_stream_connect_ptal($1_t)
-	')
-
-	optional_policy(`
 		allow $1_t self:dbus send_msg;
 		dbus_system_bus_client_template($1,$1_t)
 
@@ -834,20 +782,20 @@
 		')
 
 		optional_policy(`
-			evolution_dbus_chat($1,$1_t)
-			evolution_alarm_dbus_chat($1,$1_t)
+			consolekit_dbus_chat($1_t)
 		')
 
 		optional_policy(`
-			cups_dbus_chat_config($1_t)
+			networkmanager_dbus_chat($1_t)
 		')
 
 		optional_policy(`
-			hal_dbus_chat($1_t)
+			evolution_dbus_chat($1,$1_t)
+			evolution_alarm_dbus_chat($1,$1_t)
 		')
 
 		optional_policy(`
-			networkmanager_dbus_chat($1_t)
+			vpnc_dbus_chat($1_t)
 		')
 	')
 
@@ -876,17 +824,17 @@
 	')
 
 	optional_policy(`
-		nis_use_ypbind($1_t)
+		alsa_read_rw_config($1_t)
 	')
 
-	optional_policy(`
-		tunable_policy(`allow_user_mysql_connect',`
-			mysql_stream_connect($1_t)
-		')
-	')
+	 optional_policy(`
+	          tunable_policy(`allow_user_postgresql_connect',`
+			postgresql_stream_connect($1_t)
+		  ')
+        ')
 
-	optional_policy(`
-		nscd_socket_use($1_t)
+	tunable_policy(`user_ttyfile_stat',`
+		term_getattr_all_user_ttys($1_t)
 	')
 
 	optional_policy(`
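Review bot: The `optional_policy(` block that replaces `nis_use_ypbind` grants `alsa_read_rw_config($1_t)` a second time — the same call is already present unchanged a few hunks above (right after the `user_direct_mouse` tunable) in what appears to be the same template, so this copy should be dropped. The relocated `allow_user_postgresql_connect` block is indented with a mix of spaces and tabs; the rest of the file uses tabs only, so re-indent those five lines to match their neighbours. `nis_use_ypbind` and `nscd_socket_use` have no visible replacement in this chunk; if they moved to a base template that is fine, but if they were dropped on purpose a one-line comment (`# NIS/nscd lookups are no longer granted to user domains here`) would save the next reader a search. The enclosing template starts outside this hunk.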
@@ -900,16 +848,6 @@
 	')
 
 	optional_policy(`
-		tunable_policy(`allow_user_postgresql_connect',`
-			postgresql_stream_connect($1_t)
-		')
-	')
-
-	optional_policy(`
-		quota_dontaudit_getattr_db($1_t)
-	')
-
-	optional_policy(`
 		resmgr_stream_connect($1_t)
 	')
 
@@ -919,11 +857,6 @@
 	')
 
 	optional_policy(`
-		rpm_read_db($1_t)
-		rpm_dontaudit_manage_db($1_t)
-	')
-
-	optional_policy(`
 		samba_stream_connect_winbind($1_t)
 	')
 
@@ -954,21 +887,164 @@
 ##	</summary>
 ## </param>
 #
-template(`userdom_unpriv_user_template', `
-
+template(`userdom_privhome_user_template',`
 	gen_require(`
-		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+		type $1_home_dir_t,  $1_home_t;
 	')
 
+	# privileged home directory writers
+	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+##	The template for creating a login user.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`userdom_login_user_template', `
+	userdom_base_user_template($1)
+
+	userdom_manage_home_template($1)
+	userdom_poly_home_template($1)
+	userdom_poly_tmp_template($1)
+
+	userdom_manage_tmp_template($1)
+	userdom_manage_tmpfs_template($1)
+
+	gen_tunable(allow_$1_exec_content,true)
+
+	userdom_exec_tmp_template($1)
+	userdom_exec_home_template($1)
+
+	userdom_change_password_template($1)
+
+	role $1_r types $1_t;
+	allow system_r $1_r;
+
+	allow $1_t self:capability { setgid chown fowner };
+	dontaudit $1_t self:capability { sys_nice fsetid };
+
+	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+	dontaudit $1_t self:process setrlimit;
+	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+	allow $1_t self:context contains;
+
 	##############################
 	#
-	# Declarations
+	# User domain Local policy
 	#
 
-	# Inherit rules for ordinary users.
-	userdom_common_user_template($1)
+	auth_dontaudit_write_login_records($1_t)
+
+	dev_read_sysfs($1_usertype)
+	dev_read_urand($1_usertype)
+
+	kernel_dontaudit_read_system_state($1_usertype)
+
+	domain_use_interactive_fds($1_usertype)
+	# Command completion can fire hundreds of denials
+	domain_dontaudit_exec_all_entry_files($1_usertype)
+
+	# Stat lost+found.
+	files_getattr_lost_found_dirs($1_usertype)
+	files_dontaudit_list_default($1_usertype)
+	files_dontaudit_read_default_files($1_usertype)
+
+	fs_get_all_fs_quotas($1_usertype)
+	fs_getattr_all_fs($1_usertype)
+	fs_search_all($1_usertype)
+	fs_list_inotifyfs($1_usertype)
+	fs_rw_anon_inodefs_files($1_usertype)
+
+	# Stop warnings about access to /dev/console
+	init_dontaudit_rw_utmp($1_usertype)
+	init_dontaudit_use_fds($1_usertype)
+	init_dontaudit_use_script_fds($1_usertype)
+
+	libs_exec_lib_files($1_usertype)
+
+	logging_dontaudit_getattr_all_logs($1_usertype)
+
+	miscfiles_read_man_pages($1_usertype)
+	# for running TeX programs
+	miscfiles_read_tetex_data($1_usertype)
+	miscfiles_exec_tetex_data($1_usertype)
+
+	seutil_read_config($1_usertype)
+
+	optional_policy(`
+		cups_read_config($1_usertype)
+		cups_stream_connect($1_usertype)
+		cups_stream_connect_ptal($1_usertype)
+	')
+
+	optional_policy(`
+		kerberos_use($1_usertype)
+		kerberos_524_connect($1_usertype)
+	')
+
+	optional_policy(`
+		mta_dontaudit_read_spool_symlinks($1_usertype)
+	')
+
+	optional_policy(`
+		quota_dontaudit_getattr_db($1_usertype)
+	')
+
+	optional_policy(`
+		rpm_read_db($1_usertype)
+		rpm_dontaudit_manage_db($1_usertype)
+	')
+')
+
+
+#######################################
+## <summary>
+##	The template for creating a unprivileged login user.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`userdom_restricted_user_template',`
+	gen_require(`
+		attribute unpriv_userdomain;
+		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+	')
+	userdom_login_user_template($1)
+	userdom_privhome_user_template($1)
 
 	typeattribute $1_t unpriv_userdomain;
+
 	domain_interactive_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
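Review bot: `userdom_privhome_user_template` inherits the documentation block that precedes it, which still describes the old `userdom_unpriv_user_template` (the `</summary>`/`</param>` context at the top of the hunk), so the generated interface docs will describe the wrong template; replace that header with something like `## <summary> Grant privileged home directory writers (privhome) full management of this user's home directory content. </summary>` plus the `userdomain_prefix` parameter. In `userdom_login_user_template`, every rule from `dev_read_sysfs($1_usertype)` onward targets the `$1_usertype` attribute, yet nothing in this template declares or `gen_require`s it — presumably `userdom_base_user_template` declares it (to be confirmed), and a `gen_require(\` attribute $1_usertype; ')` at the top would make the dependency explicit. `gen_tunable(allow_$1_exec_content,true)` is declared here while `userdom_exec_tmp_template`/`userdom_exec_home_template` are called unconditionally and nothing visible tests the boolean, so either it is consumed inside those templates or it is dead; a comment saying which would help.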
@@ -976,24 +1052,48 @@
 	typeattribute $1_home_t user_home_type;
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
+')
 
-	userdom_poly_home_template($1)
-	userdom_poly_tmp_template($1)
+#######################################
+## <summary>
+##	The template for creating a unprivileged user.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`userdom_unpriv_user_template', `
+	userdom_restricted_user_template($1)
+
+
+	# Find CDROM devices:
+	kernel_read_device_sysctls($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_net_sysctls($1_t)
+	kernel_read_system_state($1_t)
 
 	##############################
 	#
-	# Local policy
+	# Declarations
 	#
 
-	# privileged home directory writers
-	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+	# Inherit rules for ordinary users.
+	userdom_common_user_template($1)
 
-	corecmd_exec_all_executables($1_t)
+	##############################
+	#
+	# Local policy
+	#
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
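Review bot: The comment `# Find CDROM devices:` now heads four rules, but only `kernel_read_device_sysctls` plausibly relates to CD-ROM discovery; `kernel_read_network_state`, `kernel_read_net_sysctls` and `kernel_read_system_state` grant general /proc and sysctl reading and deserve their own line, e.g. `# Read /proc system and network state (ps, netstat, sysctl -a)`. Those rules also sit above the `# Declarations` banner and the `userdom_common_user_template($1)` call, so the section headers no longer describe what follows; moving them under `# Local policy` would restore the file's layout. `corecmd_exec_all_executables($1_t)` is removed from this template with no replacement visible in the chunk — if it moved into a base or login template that is fine, but otherwise unprivileged users lose the ability to run binaries not covered by other rules.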
@@ -1029,20 +1129,11 @@
 	# and may change other protocols
 	tunable_policy(`user_tcp_server',`
 		corenet_tcp_bind_all_nodes($1_t)
-		corenet_tcp_bind_generic_port($1_t)
+		corenet_tcp_bind_all_unreserved_ports($1_t)
 	')
 
 	optional_policy(`
-		kerberos_use($1_t)
-	')
-
-	optional_policy(`
-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-	')
-
-	optional_policy(`
-		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+		hal_dbus_chat($1_t)
 	')
 
 	# Run pppd in pppd_t by default for user
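Review bot: Replacing `corenet_tcp_bind_generic_port` with `corenet_tcp_bind_all_unreserved_ports` under `user_tcp_server` widens the boolean from the unlabelled generic port type to every unreserved port type — in refpolicy's corenetwork that attribute also covers labelled service ports above 1024 (database, proxy and similar ports; to be confirmed against the corenetwork module in use), so a user with the boolean enabled could bind a port a daemon expects while that daemon is down. If that is intended, the tunable's `<desc>` in userdomain.te should say so; if not, keep `corenet_tcp_bind_generic_port($1_t)` here and put the wider grant under a separate, default-off boolean. The removal of `netutils_run_ping_cond`/`netutils_run_traceroute_cond` and `loadkeys_run` has no visible replacement for the non-X unprivileged user (`loadkeys_run` reappears only in the new xwindows template later in the patch), so console users appear to lose ping/traceroute unless that moved outside this chunk.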
@@ -1054,17 +1145,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
 
-	ifdef(`TODO',`
-	ifdef(`xdm.te', `
-		# this should cause the .xsession-errors file to be written to /tmp
-		dontaudit xdm_t $1_home_t:file rw_file_perms;
-	')
-
-	# Do not audit write denials to /etc/ld.so.cache.
-	dontaudit $1_t ld_so_cache_t:file write;
-
-	dontaudit $1_t sysadm_home_t:file { read append };
-	') dnl end TODO
 ')
 
 #######################################
@@ -1102,6 +1182,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
 
+	userdom_login_user_template($1)
+
 	##############################
 	#
 	# Declarations
@@ -1127,7 +1209,7 @@
 	# $1_t local policy
 	#
 
-	allow $1_t self:capability ~sys_module;
+	allow $1_t self:capability ~{ sys_module audit_control audit_write };
 	allow $1_t self:process { setexec setfscreate };
 
 	# Set password information for other users.
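Review bot: Dropping `audit_control audit_write` from the admin domain's capability set is a sound separation, but the rule carries no comment and the next reader will wonder why an otherwise near-unconfined admin cannot touch audit; add above it `# audit_control/audit_write stay with the audit admin role (auditadm_t): the general admin must not reconfigure or forge audit records`. The matching removal of `netlink_audit_socket nlmsg_readpriv` in the next hunk should be mentioned in that comment so the two are read as one change. The enclosing template starts outside this hunk.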
@@ -1139,7 +1221,11 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 
-	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+	# Find CDROM devices:
+	kernel_read_device_sysctls($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_net_sysctls($1_t)
+	kernel_read_system_state($1_t)
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
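Review bot: The `# Find CDROM devices:` block of four `kernel_read_*` rules is a verbatim copy of the one added to `userdom_unpriv_user_template` earlier in this patch; if this is the admin template that now calls `userdom_login_user_template($1)` (added a few hunks up), the four rules belong in that shared template rather than in both callers. As in the other copy, only `kernel_read_device_sysctls` is about CD-ROM discovery, so the comment misdescribes `kernel_read_network_state`, `kernel_read_net_sysctls` and `kernel_read_system_state`. Whether this domain already had `kernel_read_system_state` further down the template cannot be seen from this chunk.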
@@ -1277,6 +1363,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
+	files_create_default_dir($1)
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
@@ -1642,9 +1729,13 @@
 template(`userdom_user_home_content',`
 	gen_require(`
 		attribute $1_file_type;
+		attribute user_home_type;
+		attribute home_type;
 	')
 
 	typeattribute $2 $1_file_type;
+	typeattribute $2 user_home_type;
+	typeattribute $2 home_type;
 	files_type($2)
 ')
 
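Review bot: Adding every type registered through `userdom_user_home_content` to `user_home_type` (and `home_type`) silently widens every interface written against that attribute — the `user_home_type` rules in `userdom_manage_user_home_content_dirs`, `userdom_mmap_unpriv_user_home_content_files` and `userdom_unlink_unpriv_users_home_content_files` later in this patch, for instance — to all application-private home content types that use this template, which may include credential stores if modules such as ssh or gpg register their home types this way (to be confirmed). If that is the intent, say so in the template's `<desc>`: `## Types registered here also become user_home_type/home_type, so every interface granting access to user home content covers them.`; if not, the two new `typeattribute` lines should live in an opt-in interface such as the `userdom_user_home_type` added at the end of this patch. The template's header is outside this hunk.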
@@ -1744,7 +1835,7 @@
 		type $1_home_dir_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir search_dir_perms;
 ')
 
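Review bot: `files_search_home` → `files_list_home` is a widening, not a rename: `search` on /home lets a domain traverse to a known path, while `list` lets it read the directory and enumerate every account's home directory name, and this hunk is one of several dozen in the patch that make the same substitution in interfaces whose names still say "search". Unless a specific caller needs to glob `/home/*`, keep `files_search_home($2)` here and grant `files_list_home` only in the list/read flavoured interfaces. If listing really is required everywhere, a one-line comment at the first substitution explaining which caller needs it would justify the blanket change.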
@@ -1778,7 +1869,7 @@
 		type $1_home_dir_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir list_dir_perms;
 ')
 
@@ -1826,7 +1917,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir search_dir_perms;
 	domain_auto_trans($2,$1_home_t,$3)
 ')
@@ -1894,10 +1985,46 @@
 template(`userdom_manage_user_home_content_dirs',`
 	gen_require(`
 		type $1_home_dir_t, $1_home_t;
+		attribute user_home_type;
+	')
+
+	files_list_home($2)
+	manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)
+')
+
+########################################
+## <summary>
+##	dontaudit attemps to Create files
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete directories
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_create_user_home_content_files',`
+	gen_require(`
+		type $1_home_dir_t;
 	')
 
-	files_search_home($2)
-	manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+	dontaudit $2 $1_home_dir_t:file create;
 ')
 
 ########################################
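Review bot: `userdom_manage_user_home_content_dirs` now uses `{ $1_home_dir_t user_home_type }` as the container set, so a domain asking to manage one user's home subdirectories gets `manage_dirs_pattern` against the `user_home_type` attribute — directories of every unprivileged user (and, with the `userdom_user_home_content` change in this patch, every app-private home type) — which contradicts the "per-userdomain template" contract in the doc and the neighbouring `manage_files`/`manage_lnk_files` templates that still use `{ $1_home_dir_t $1_home_t }`. Restore `manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)` and add a separate `userdom_manage_unpriv_users_home_content_dirs` interface if cross-user access is actually needed. The new `userdom_dontaudit_create_user_home_content_files` copied its `<desc>` from a manage template ("Create, read, write, and delete directories"); it should read `Do not audit attempts to create files directly in a user home directory.`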
@@ -1965,7 +2092,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
 ')
 
@@ -2034,6 +2161,10 @@
 	')
 
 	dontaudit $2 $1_home_t:file write;
+	fs_dontaudit_list_nfs($2)
+	fs_dontaudit_rw_nfs_files($2)
+	fs_dontaudit_list_cifs($2)
+	fs_dontaudit_rw_cifs_files($2)
 ')
 
 ########################################
@@ -2066,7 +2197,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
 ')
 
@@ -2100,7 +2231,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
 ')
 
@@ -2169,7 +2300,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir search_dir_perms;
 	manage_files_pattern($2,$1_home_t,$1_home_t)
 ')
@@ -2241,7 +2372,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir search_dir_perms;
 	manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
 ')
@@ -2278,7 +2409,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir search_dir_perms;
 	manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
 ')
@@ -2315,7 +2446,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	allow $2 $1_home_dir_t:dir search_dir_perms;
 	manage_sock_files_pattern($2,$1_home_t,$1_home_t)
 ')
@@ -2365,7 +2496,7 @@
 		type $1_home_dir_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	filetrans_pattern($2,$1_home_dir_t,$3,$4)
 ')
 
@@ -2414,7 +2545,7 @@
 		type $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	filetrans_pattern($2,$1_home_t,$3,$4)
 ')
 
@@ -2458,7 +2589,7 @@
 		type $1_home_dir_t, $1_home_t;
 	')
 
-	files_search_home($2)
+	files_list_home($2)
 	filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
 ')
 
@@ -2994,6 +3125,25 @@
 
 ########################################
 ## <summary>
+##	Connect to unpriviledged users over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_unpriv_users_stream_connect',`
+	gen_require(`
+		attribute user_tmpfile;
+		attribute userdomain;
+	')
+
+	stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
+')
+
+########################################
+## <summary>
 ##	Create objects in a user temporary directory
 ##	with an automatic type transition to
 ##	a specified private type.
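Review bot: `userdom_unpriv_users_stream_connect` is documented as connecting to unprivileged users, but the `connectto` target in `stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)` is the `userdomain` attribute, which also covers privileged user domains; use `unpriv_userdomain` (required elsewhere in this patch) to match the name, or rename the interface. Passing `user_tmpfile` as both the directory and the socket-file type only works if the user tmp directory types carry that attribute — a comment stating that would help. Also "unpriviledged" in the summary should be "unprivileged".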
@@ -3078,7 +3228,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
-		type $1_home_dir_t;
+		type $1_tmp_t;
 	')
 
 	files_tmp_filetrans($2,$1_tmp_t,$3)
@@ -3086,11 +3236,11 @@
 
 ########################################
 ## <summary>
-##	Read user tmpfs files.
+##	Read/write user tmpfs files.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Read user tmpfs files.
+##	Read/Write user tmpfs files.
 ##	</p>
 ##	<p>
 ##	This is a templated interface, and should only
@@ -3122,6 +3272,42 @@
 
 ########################################
 ## <summary>
+##	Read user tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read user tmpfs files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_read_user_tmpfs_files',`
+	gen_require(`
+		type $1_tmpfs_t;
+	')
+
+	fs_search_tmpfs($2)
+	allow $2 $1_tmpfs_t:dir list_dir_perms;
+	read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+')
+
+########################################
+## <summary>
 ##	List users untrusted directories.
 ## </summary>
 ## <desc>
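Review bot: The new `userdom_read_user_tmpfs_files` template is added right after an existing template whose summary this patch changes from "Read user tmpfs files" to "Read/write user tmpfs files"; that template's name is outside the hunk, but if it was itself `userdom_read_user_tmpfs_files` and was not renamed (e.g. to `userdom_rw_user_tmpfs_files`), the file now defines the macro twice and the later definition silently wins. Please confirm the rename and check callers that expected read-only semantics. A one-line `# read-only counterpart of the rw template above` over this template would make the pairing obvious.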
@@ -4089,7 +4275,7 @@
 		type staff_home_dir_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 staff_home_dir_t:dir search_dir_perms;
 ')
 
@@ -4128,7 +4314,7 @@
 		type staff_home_dir_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 staff_home_dir_t:dir manage_dir_perms;
 ')
 
@@ -4147,7 +4333,7 @@
 		type staff_home_dir_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 staff_home_dir_t:dir relabelto;
 ')
 
@@ -4185,7 +4371,7 @@
 		type staff_home_dir_t, staff_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
 	read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
 	read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
@@ -4410,6 +4596,7 @@
 	')
 
 	dontaudit $1 sysadm_home_dir_t:dir getattr;
+	userdom_dontaudit_search_all_users_home_content($1)
 ')
 
 ########################################
@@ -4444,9 +4631,11 @@
 interface(`userdom_dontaudit_search_sysadm_home_dirs',`
 	gen_require(`
 		type sysadm_home_dir_t;
+		type user_home_dir_t;
 	')
 
 	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+	dontaudit $1 user_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -4570,10 +4759,11 @@
 		type sysadm_home_dir_t, sysadm_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
 	read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
 	read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
+	userdom_read_unpriv_users_home_content_files($1)
 ')
 
 ########################################
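Review bot: The added `userdom_read_unpriv_users_home_content_files($1)` makes every caller of this interface — whose body otherwise touches only `sysadm_home_dir_t`/`sysadm_home_t` and whose name (outside the hunk) presumably says sysadm — additionally able to read all unprivileged users' home content, a broader grant than the interface promises. Callers that need both should call both interfaces explicitly; if one cannot, add a comment naming it so the widening stays traceable. Consider dropping the added line and fixing the caller instead.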
@@ -4609,11 +4799,29 @@
 #
 interface(`userdom_search_all_users_home_dirs',`
 	gen_require(`
+		attribute user_home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
+')
+########################################
+## <summary>
+##	Read all users home directories symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_users_home_dirs_symlinks',`
+	gen_require(`
 		attribute home_dir_type;
 	')
 
 	files_list_home($1)
-	allow $1 home_dir_type:dir search_dir_perms;
+	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
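Review bot: `userdom_search_all_users_home_dirs` switches from `home_dir_type` to `user_home_dir_type`, which by the attribute naming used in this file excludes the admin home directory, so callers that relied on "all users" including sysadm lose that search permission while the name still says "all". Either keep `home_dir_type` or document the narrowing: `## Search unprivileged users home directories (the sysadm home directory is excluded).` The new `userdom_read_all_users_home_dirs_symlinks` is also missing the blank line before its `########` banner and grants `read_lnk_file_perms` on `home_dir_type`, i.e. including the admin home, which is inconsistent with the narrowing just above it.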
@@ -4633,6 +4841,14 @@
 
 	files_list_home($1)
 	allow $1 home_dir_type:dir list_dir_perms;
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_list_nfs(crond_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_list_cifs(crond_t)
+	')
 ')
 
 ########################################
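Review bot: The two new tunable blocks hardcode `crond_t` — `fs_list_nfs(crond_t)` and `fs_list_cifs(crond_t)` — inside a generic interface whose subject is `$1`, so every caller other than cron grants cron, not itself, the NFS/CIFS listing, and `crond_t` is neither `gen_require`d nor guaranteed to exist when the cron module is absent, which will break policy compilation. Replace them with `fs_list_nfs($1)` and `fs_list_cifs($1)`. The interface's header is outside this hunk.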
@@ -4670,6 +4886,8 @@
 	')
 
 	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+	fs_dontaudit_list_nfs($1)
+	fs_dontaudit_list_cifs($1)
 ')
 
 ########################################
@@ -4895,7 +5113,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
 ')
 
@@ -4933,7 +5151,7 @@
 		type user_home_dir_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 user_home_dir_t:dir manage_dir_perms;
 ')
 
@@ -4954,7 +5172,7 @@
 		type user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 ')
 
@@ -4973,7 +5191,7 @@
 		type staff_home_dir_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
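Review bot: This interface's `gen_require` declares `type staff_home_dir_t;` but its only rule is `allow $1 user_home_dir_t:dir relabelto;`, so the required type and the used type do not match (pre-existing, but the patch edits the line directly above it); it should require `type user_home_dir_t;`. The same pattern appears in the neighbouring hunks that require `type user_home_t;` and then reference `user_home_dir_t` in the `manage_*_pattern` calls — those should require `type user_home_dir_t, user_home_t;`. The mismatch only goes unnoticed because the types are declared in this same module; the requirements should still be accurate.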
@@ -4992,7 +5210,7 @@
 		type user_home_t, user_home_dir_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 user_home_t:dir list_dir_perms;
 	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 ')
@@ -5013,7 +5231,7 @@
 		type user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 user_home_t:file execute;
 ')
 
@@ -5033,7 +5251,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 ')
 
@@ -5072,7 +5290,7 @@
 		type user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 ')
 
@@ -5092,7 +5310,7 @@
 		type user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 ')
 
@@ -5112,7 +5330,7 @@
 		type user_home_t;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
 ')
 
@@ -5131,7 +5349,7 @@
 		attribute user_home_dir_type;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 user_home_dir_type:dir search_dir_perms;
 ')
 
@@ -5151,7 +5369,7 @@
 		attribute user_home_dir_type, user_home_type;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	allow $1 user_home_type:dir list_dir_perms;
 	read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
 	read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
@@ -5173,7 +5391,7 @@
 		attribute user_home_dir_type, user_home_type;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
 ')
 
@@ -5193,7 +5411,7 @@
 		attribute user_home_dir_type, user_home_type;
 	')
 
-	files_search_home($1)
+	files_list_home($1)
 	manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
 ')
 
@@ -5323,7 +5541,7 @@
 		attribute user_tmpfile;
 	')
 
-	allow $1 user_tmpfile:file { read getattr };
+	allow $1 user_tmpfile:file r_file_perms;
 ')
 
 ########################################
@@ -5346,6 +5564,25 @@
 
 ########################################
 ## <summary>
+##	unlink all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_unlink_unpriv_users_tmp_files',`
+	gen_require(`
+		attribute user_tmpfile;
+	')
+
+	files_delete_tmp_dir_entry($1)
+	allow $1 user_tmpfile:file unlink;
+')
+
+########################################
+## <summary>
 ##	Write all unprivileged users files in /tmp
 ## </summary>
 ## <param name="domain">
@@ -5529,6 +5766,24 @@
 
 ########################################
 ## <summary>
+##	Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
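Review bot: `userdom_manage_all_users_keys` grants `manage_key_perms` on the kernel keyrings of every `userdomain`, including admin domains, and keyrings typically hold secret material; the one-line summary should say so, e.g. `## Manage (create, read, write, link, setattr) the kernel keys and keyrings of all user domains, including privileged ones — this exposes secret key material.` If only unprivileged users were intended, use `unpriv_userdomain` instead of `userdomain`.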
@@ -5559,3 +5814,420 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	Manage and create all files in /tmp on behalf of the user
+## </summary>
+## <desc>
+##	<p>
+##	The interface for full access to the temporary directories.
+##	This creates a derived type for the user
+##	temporary type.  Execute access is not given.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+template(`userdom_transition_user_tmp',`
+	gen_require(`
+		type $1_tmp_t;
+	')
+
+	files_tmp_filetrans($2,$1_tmp_t, $3)
+')
+
+########################################
+## <summary>
+##	dontaudit getattr all user file type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_list_user_files',`
+	gen_require(`
+		attribute $1_file_type;
+	')
+
+	dontaudit $2 $1_file_type:dir search_dir_perms;
+	dontaudit $2 $1_file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	allow getattr all user file type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_list_user_files',`
+	gen_require(`
+		attribute $1_file_type;
+	')
+
+	allow $2 $1_file_type:dir search_dir_perms;
+	allow $2 $1_file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to homedirs of sysadm users 
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_sysadm_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir write;
+')
+
+########################################
+## <summary>
+##	Ptrace all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_ptrace_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:process ptrace;
+')
+
+########################################
+## <summary>
+##	unlink all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_unlink_unpriv_users_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_list_home($1)
+	allow $1 user_home_dir_type:dir list_dir_perms;
+	allow $1 user_home_type:file unlink;
+')
+
+########################################
+## <summary>
+##	append all unprivileged users home files
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_append_unpriv_users_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_list_home($1)
+	append_files_pattern($1, user_home_dir_type, user_home_type)
+')
+
+########################################
+## <summary>
+##	dontaudit search all users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_users_home_dirs',`
+
+	gen_require(`
+		attribute user_home_dir_type;
+	')
+
+	files_list_home($1)
+	dontaudit $1 user_home_dir_type:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+##	The template for creating a unprivileged xwindows login user.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`userdom_restricted_xwindows_user_template', `
+
+userdom_restricted_user_template($1)
+
+	optional_policy(`
+		dbus_per_role_template($1, $1_usertype, $1_r)
+		dbus_system_bus_client_template($1, $1_usertype)
+		allow $1_usertype $1_usertype:dbus send_msg;
+
+		optional_policy(`
+			cups_dbus_chat($1_usertype)
+		')
+
+		optional_policy(`
+			consolekit_dbus_chat($1_usertype)
+		')
+	')
+
+	optional_policy(`
+		java_per_role_template($1, $1_t, $1_r)
+	')
+
+	optional_policy(`
+		mono_per_role_template($1, $1_t, $1_r)
+	')
+
+	optional_policy(`
+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+	')
+
+userdom_xwindows_client_template($1)
+
+logging_send_syslog_msg($1_usertype)
+logging_dontaudit_send_audit_msgs($1_t)
+
+# Broken Cover up bugzilla #345921 Should be removed when this is fixed
+corenet_tcp_connect_soundd_port($1_t)
+corenet_tcp_sendrecv_soundd_port($1_t)
+corenet_tcp_sendrecv_all_if($1_t)
+corenet_tcp_sendrecv_lo_node($1_t)
+
+# Need to to this just so screensaver will work. Should be moved to screensaver domain
+logging_send_audit_msgs($1_t)
+selinux_get_enforce_mode($1_t)
+
+optional_policy(`
+	alsa_read_rw_config($1_usertype)
+')
+
+
+authlogin_per_role_template($1, $1_t, $1_r)
+
+auth_search_pam_console_data($1_usertype)
+
+dev_read_sound($1_usertype)
+dev_write_sound($1_usertype)
+
+# gnome keyring wants to read this. Needs to be exlicitly granted
+dev_dontaudit_read_rand($1_usertype)
+
+')
+
+########################################
+## <summary>
+##	Identify specified type as being in a users home directory
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type a home type.
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used as a home directory type.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_type',`
+	gen_require(`
+		attribute user_home_type;
+		attribute home_type;
+	')
+	typeattribute $1 user_home_type;
+	typeattribute $1 home_type;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to relabel unpriv user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabel_unpriv_user_home_content_files',`
+	gen_require(`
+		attribute user_home_type;
+	')
+
+	dontaudit $1 user_home_type:file { relabelto relabelfrom };
+')
+
+
+########################################
+## <summary>
+##	Mmap of unpriv user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mmap_unpriv_user_home_content_files',`
+	gen_require(`
+		attribute user_home_type;
+	')
+
+	files_list_home($1)
+	allow $1 user_home_type:file execute;
+')
+
+########################################
+## <summary>
+##	dontaudit Read all unprivileged users home directory
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
+	gen_require(`
+		attribute user_home_dir_type, user_home_type;
+	')
+
+	files_list_home($1)
+	dontaudit $1 user_home_type:dir list_dir_perms;
+	dontaudit $1 user_home_type:file read_file_perms;
+	dontaudit $1 user_home_type:file read_lnk_file_perms;
+')
+
+
+########################################
+## <summary>
+##	dontaudit attempts to write to user home dir files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_unpriv_user_home_content_files',`
+	gen_require(`
+		attribute user_home_type;
+	')
+
+	allow $1 user_home_type:file write;
+')
+
+
+########################################
+## <summary>
+##	Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_set_rlimitnh',`
+	gen_require(`
+		attribute userdomain;
+	')
+	allow $1 userdomain:process rlimitinh;
+')
+
+########################################
+## <summary>
+##	Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`userdom_unpriv_usertype',`
+	gen_require(`
+		attribute unpriv_userdomain, userdomain;
+		attribute $1_usertype;
+	')
+	typeattribute $2  $1_usertype;
+	typeattribute $2  unpriv_userdomain;
+	typeattribute $2  userdomain;
+')
+
+
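Review bot: `userdom_dontaudit_write_unpriv_user_home_content_files` contains `allow $1 user_home_type:file write;` — an allow rule in an interface named and documented as a dontaudit — so every caller silently gains write access to all unprivileged users' home content; it must be `dontaudit $1 user_home_type:file write;`. In `userdom_dontaudit_read_unpriv_users_home_content_files`, `dontaudit $1 user_home_type:file read_lnk_file_perms;` names the wrong object class and should be `:lnk_file`. `userdom_restricted_xwindows_user_template` calls `logging_send_audit_msgs($1_t)` two lines after `logging_dontaudit_send_audit_msgs($1_t)`, so the dontaudit is dead and every restricted desktop user can emit audit records; the "screensaver" comment should become a tracked TODO naming the screensaver domain as the intended target. `userdom_dontaudit_list_user_files` and `userdom_list_user_files` take a `$1` prefix plus a `$2` domain but are declared with `interface(` and document only one parameter; they should be `template(` with both parameters documented, and `userdom_set_rlimitnh` looks like a typo for `userdom_set_rlimitinh`.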
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te	2008-06-12 23:37:59.000000000 -0400
@@ -24,13 +24,6 @@
 
 ## <desc>
 ## <p>
-## Allow users to connect to mysql
-## </p>
-## </desc>
-gen_tunable(allow_user_mysql_connect,false)
-
-## <desc>
-## <p>
 ## Allow users to connect to PostgreSQL
 ## </p>
 ## </desc>
@@ -74,6 +67,9 @@
 # users home directory contents
 attribute home_type;
 
+# Executables to be run by user
+attribute user_exec_type;
+
 # The privhome attribute identifies every domain that can create files under
 # regular user home directories in the regular context (IE act on behalf of
 # a user in writing regular files)
@@ -136,13 +132,6 @@
 	userdom_role_change_template(secadm,sysadm)
 ')
 
-# this should be tunable_policy, but
-# currently type_change and RBAC allow
-# do not work in conditionals
-ifdef(`user_canbe_sysadm',`
-	userdom_role_change_template(user,sysadm)
-')
-
 ########################################
 #
 # Sysadm local policy
@@ -161,6 +150,11 @@
 
 init_exec(sysadm_t)
 
+kernel_sigstop_unlabeled(sysadm_t)
+kernel_signal_unlabeled(sysadm_t)
+kernel_kill_unlabeled(sysadm_t)
+kernel_read_unlabeled_state(sysadm_t)
+
 # Following for sending reboot and wall messages
 userdom_use_unpriv_users_ptys(sysadm_t)
 userdom_use_unpriv_users_ttys(sysadm_t)
@@ -231,6 +225,10 @@
 ')
 
 optional_policy(`
+	amtu_run(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`
 	apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
 	#apache_run_all_scripts(sysadm_t,sysadm_r)
 	#apache_domtrans_sys_script(sysadm_t)
@@ -286,14 +284,6 @@
 ')
 
 optional_policy(`
-	consoletype_exec(sysadm_t)
-
-	ifdef(`enable_mls',`
-		consoletype_exec(auditadm_t)
-	')
-')
-
-optional_policy(`
 	cron_admin_template(sysadm,sysadm_t,sysadm_r)
 ')
 
@@ -359,6 +349,10 @@
 ')
 
 optional_policy(`
+	kismet_run(sysadm_t, sysadm_r, admin_terminal)
+')
+
+optional_policy(`
 	lvm_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
@@ -394,6 +388,10 @@
 ')
 
 optional_policy(`
+	netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`
 	netutils_run(sysadm_t,sysadm_r,admin_terminal)
 	netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
 	netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
@@ -443,15 +441,20 @@
 
 optional_policy(`
 	samba_run_net(sysadm_t,sysadm_r,admin_terminal)
+	samba_run_smbcontrol(sysadm_t,sysadm_r,admin_terminal)
 	samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
 ')
 
 optional_policy(`
+	seutil_run_setsebool(sysadm_t,sysadm_r,admin_terminal)
 	seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 	seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 
 	ifdef(`enable_mls',`
 		userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+#		tunable_policy(`allow_sysadm_manage_security',`
+			userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
+#		')
 	', `
 		userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
 	')
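Review bot: The `#`-commented `tunable_policy` wrapper around the new `userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)` call in the `enable_mls` branch leaves that grant unconditional, so on MLS builds sysadm_t now receives the security-administration rules that the separate secadm_t role exists to keep away from it. If a boolean is intended, declare it with `gen_tunable(allow_sysadm_manage_security,false)` and uncomment the two wrapper lines; if the grant is meant to be unconditional, delete the two commented lines and add a comment stating that MLS sysadm_t deliberately gets security administration. Commented-out policy reads as dead code and leaves the reviewer guessing which state is intended. The enclosing optional_policy block begins outside this hunk.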
@@ -494,3 +497,30 @@
 optional_policy(`
 	yam_run(sysadm_t,sysadm_r,admin_terminal)
 ')
+
+tunable_policy(`allow_console_login', `
+	term_use_console(userdomain)
+')
+
+optional_policy(`
+	netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
+	netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
+	netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t })
+	netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	manage_dirs_pattern(privhome, nfs_t, nfs_t)
+	manage_files_pattern(privhome, nfs_t, nfs_t)
+	manage_lnk_files_pattern(privhome, nfs_t, nfs_t)
+	manage_sock_files_pattern(privhome, nfs_t, nfs_t)
+	manage_fifo_files_pattern(privhome, nfs_t, nfs_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	manage_dirs_pattern(privhome, cifs_t, cifs_t)
+	manage_files_pattern(privhome, cifs_t, cifs_t)
+	manage_lnk_files_pattern(privhome, cifs_t, cifs_t)
+	manage_sock_files_pattern(privhome, cifs_t, cifs_t)
+	manage_fifo_files_pattern(privhome, cifs_t, cifs_t)
+')
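Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks reference the kernel-layer types `nfs_t` and `cifs_t` directly from userdomain.te instead of going through filesystem-module interfaces, which bypasses the interface layering the rest of this file follows and gives every `privhome` domain full manage rights over all NFS/CIFS content, not only home directories. Prefer the interface form (`fs_manage_nfs_files(privhome)` is used elsewhere in this same commit, in xen.te) together with the corresponding dir/symlink/socket/fifo interfaces where they exist, and add a comment stating that the grant is intentionally filesystem-wide because home directories on those mounts carry no distinguishing label. `allow_console_login`, `use_nfs_home_dirs` and `use_samba_home_dirs` are not declared in this hunk; confirm `gen_tunable` declarations exist for them.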
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.8/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/virt.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/virt.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,78 @@
+## <summary>Virtualization </summary>
+
+########################################
+## <summary>
+##	Read virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	read_files_pattern($1, virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+##	append virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`virt_append_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	allow $1 virt_var_lib_t:file append;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`virt_rw_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
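Review bot: The `<param name="domain">` summaries of `virt_rw_lib_files` and `virt_manage_lib_files` say "Domain allowed to transition." although neither interface performs a domain transition; they should read `Domain allowed access.` as `virt_read_lib_files` does. `virt_append_lib_files` also omits the `files_list_var_lib($1)` search access that its three siblings grant, so a caller can append to an already-open descriptor but may not be able to reach the file by path; either add the call or document the omission as intentional.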
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/virt.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
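Review bot: The new virt.te carries no `policy_module(virt, …)` declaration, unlike the other modules added by this commit (`policy_module(guest,1.0.1)`, `policy_module(logadm,1.0.0)`, `policy_module(webadm,1.0.0)`), so a modular build of this file will presumably fail at the missing module header. Add `policy_module(virt,1.0.0)` as the first line, plus a one-line comment that the module currently only labels /var/lib/libvirt with `virt_var_lib_t` so readers do not look for a missing daemon domain.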
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.8/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/xen.if	2008-06-12 23:37:59.000000000 -0400
@@ -191,3 +191,24 @@
 
 	domtrans_pattern($1,xm_exec_t,xm_t)
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	xend image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+	gen_require(`
+		type xen_image_t, xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	allow $1 xend_var_lib_t:dir search_dir_perms;
+	rw_files_pattern($1,xen_image_t,xen_image_t)
+')
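Review bot: The `<param name="domain">` summary of `xen_rw_image_files` says "Domain allowed to transition." but the interface only grants read/write on `xen_image_t` files and search on `xend_var_lib_t`; it should read `Domain allowed access.` A short comment on the `allow $1 xend_var_lib_t:dir search_dir_perms;` line explaining that the image files are reached through the xend var/lib directory would also help, since the interface name does not make that path dependency obvious.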
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/xen.te	2008-06-12 23:37:59.000000000 -0400
@@ -45,9 +45,7 @@
 
 type xenstored_t;
 type xenstored_exec_t;
-domain_type(xenstored_t)
-domain_entry_file(xenstored_t,xenstored_exec_t)
-role system_r types xenstored_t;
+init_daemon_domain(xenstored_t,xenstored_exec_t)
 
 # var/lib files
 type xenstored_var_lib_t;
@@ -59,8 +57,7 @@
 
 type xenconsoled_t;
 type xenconsoled_exec_t;
-domain_type(xenconsoled_t)
-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
+init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)
 role system_r types xenconsoled_t;
 
 # pid files
@@ -95,7 +92,7 @@
 read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
 rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
 
-allow xend_t xenctl_t:fifo_file manage_file_perms;
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(xend_t, xenctl_t, fifo_file)
 
 manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
@@ -103,14 +100,14 @@
 files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
 
 # pid file
-allow xend_t xend_var_run_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file dir })
 
 # log files
-allow xend_t xend_var_log_t:dir setattr;
+manage_dirs_pattern(xend_t,xend_var_log_t,xend_var_log_t)
 manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
 manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
 logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
@@ -122,15 +119,13 @@
 manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
 files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
 
+init_stream_connect_script(xend_t)
+
 # transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
 
 # transition to console
-domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-allow xenconsoled_t xend_t:fd use;
+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
 
 kernel_read_kernel_sysctls(xend_t)
 kernel_read_system_state(xend_t)
@@ -176,6 +171,7 @@
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
 files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 storage_raw_write_fixed_disk(xend_t)
@@ -214,6 +210,10 @@
 netutils_domtrans(xend_t)
 
 optional_policy(`
+	brctl_domtrans(xend_t)
+')
+
+optional_policy(`
 	consoletype_exec(xend_t)
 ')
 
@@ -224,7 +224,7 @@
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file  rw_fifo_file_perms;
 
 allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
 
@@ -257,7 +257,7 @@
 
 miscfiles_read_localization(xenconsoled_t)
 
-xen_append_log(xenconsoled_t)
+xen_manage_log(xenconsoled_t)
 xen_stream_connect_xenstore(xenconsoled_t)
 
 ########################################
@@ -265,7 +265,7 @@
 # Xen store local policy
 #
 
-allow xenstored_t self:capability { dac_override mknod ipc_lock };
+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
@@ -318,12 +318,13 @@
 allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
 
 # internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file  rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xm_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
 manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
+manage_sock_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
 files_search_var_lib(xm_t)
 
 allow xm_t xen_image_t:dir rw_dir_perms;
@@ -336,6 +337,7 @@
 kernel_write_xen_state(xm_t)
 
 corecmd_exec_bin(xm_t)
+corecmd_exec_shell(xm_t)
 
 corenet_tcp_sendrecv_generic_if(xm_t)
 corenet_tcp_sendrecv_all_nodes(xm_t)
@@ -351,8 +353,11 @@
 
 storage_raw_read_fixed_disk(xm_t)
 
+fs_getattr_all_fs(xm_t)
+
 term_use_all_terms(xm_t)
 
+init_stream_connect_script(xm_t)
 init_rw_script_stream_sockets(xm_t)
 init_use_fds(xm_t)
 
@@ -363,6 +368,23 @@
 
 sysnet_read_config(xm_t)
 
+userdom_dontaudit_search_sysadm_home_dirs(xm_t)
+
 xen_append_log(xm_t)
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_getattr_all_fs(xend_t)
+fs_read_dos_files(xend_t)
+
+tunable_policy(`xen_use_nfs',`
+	fs_manage_nfs_files(xend_t)
+	fs_read_nfs_symlinks(xend_t)
+')
+
+optional_policy(`
+	unconfined_domain(xend_t)
+')
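Review bot: The new `optional_policy` block calling `unconfined_domain(xend_t)` makes xend_t fully unconfined whenever the unconfined module is loaded, with no tunable, which silently discards every rule in this file for that domain; the `#Should have a boolean wrapping these` comment a few lines above shows the author already expected a boolean for the much smaller mount/NFS/DOS grants. At minimum wrap the unconfined grant in a `tunable_policy` with a documented default of off, or add a comment explaining why xend cannot be confined. `xen_use_nfs` is not declared in this hunk; confirm a `gen_tunable` exists for it.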
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.8/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/guest.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+# No guest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.0.8/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/guest.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/guest.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,12 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
+userdom_restricted_user_template(gadmin)
+
+optional_policy(`
+	gen_require(`
+		type xguest_mozilla_t;
+	')
+
+	dbus_chat_user_bus(xguest,xguest_mozilla_t)
+	dbus_connectto_user_bus(xguest,xguest_mozilla_t)
+')
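Review bot: The `optional_policy` block in guest.te requires `xguest_mozilla_t` and calls `dbus_chat_user_bus(xguest, …)` and `dbus_connectto_user_bus(xguest, …)`, i.e. it configures the xguest domain, yet it lives in the guest module rather than in xguest.te next to `mozilla_per_role_template(xguest, xguest_t, xguest_r)`. Moving it keeps each user module self-contained; if it must stay here, add a comment explaining why the guest module owns rules for xguest. A comment on why `gadmin` is defined by this module, while webadm.te is the file that references `gadmin_t`, would also help the next reader.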
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/logadm.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+# No logadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.8/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/logadm.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+## <summary>Policy for logadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.8/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/logadm.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,11 @@
+policy_module(logadm,1.0.0)
+
+########################################
+#
+# logadmin local policy
+#
+userdom_base_user_template(logadm)
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
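Review bot: `allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` grants a log-administration role `sys_ptrace` and `dac_override` without any comment naming the tool that needs them; `sys_ptrace` in particular lets the role inspect other processes, which is well beyond log management. Either trim the set to what `logging_admin` users actually need or add a why-comment per capability, and note that the identical set is copied verbatim into webadm.te in this commit.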
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.0.8/policy/modules/users/metadata.xml
--- nsaserefpolicy/policy/modules/users/metadata.xml	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/metadata.xml	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+<summary>Policy modules for users</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.0.8/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/webadm.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.0.8/policy/modules/users/webadm.if
--- nsaserefpolicy/policy/modules/users/webadm.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/webadm.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/webadm.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
+########################################
+#
+# webadmin local policy
+#
+
+userdom_base_user_template(webadm)
+
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+bool webadm_read_user_files false;
+bool webadm_manage_user_files false;
+
+if (webadm_read_user_files) {
+   userdom_read_unpriv_users_home_content_files(webadm_t)
+   userdom_read_unpriv_users_tmp_files(webadm_t)
+}
+
+if (webadm_manage_user_files) {
+   userdom_manage_unpriv_users_home_content_dirs(webadm_t)
+   userdom_read_unpriv_users_tmp_files(webadm_t)
+   userdom_write_unpriv_users_tmp_files(webadm_t)
+}
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_list_var(webadm_t)
+selinux_get_enforce_mode(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(webadm_t)
+userdom_dontaudit_search_generic_user_home_dirs(webadm_t)
+
+apache_admin(webadm_t, webadm_r, { webadm_tty_device_t webadm_devpts_t })
+
+gen_require(`
+	type gadmin_t;
+')
+allow gadmin_t webadm_t:process transition;
+allow webadm_t gadmin_t:dir getattr;
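Review bot: The trailing module-scope `gen_require` of `type gadmin_t;` makes webadm a hard dependency on the guest module, where `gadmin_t` is declared, so loading webadm without guest will presumably fail; wrap the two gadmin_t rules in `optional_policy` as the rest of the policy does for cross-module pieces. `allow gadmin_t webadm_t:process transition;` on its own provides no entrypoint into webadm_t, so either the intended transition is incomplete or the rule is unneeded, and a comment should say which. The two booleans use raw `bool … false;` and `if (…)` rather than `gen_tunable`/`tunable_policy` as xguest.te does, so they carry no `<desc>` text and will not appear in the generated tunable documentation.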
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.0.8/policy/modules/users/xguest.fc
--- nsaserefpolicy/policy/modules/users/xguest.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/xguest.fc	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+# No xguest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.0.8/policy/modules/users/xguest.if
--- nsaserefpolicy/policy/modules/users/xguest.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/xguest.if	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1 @@
+## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/xguest.te	2008-06-12 23:37:59.000000000 -0400
@@ -0,0 +1,57 @@
+policy_module(xguest,1.0.1)
+
+## <desc>
+## <p>
+## Allow xguest users to mount removable media
+## </p>
+## </desc>
+gen_tunable(xguest_mount_media,false)
+
+## <desc>
+## <p>
+## Allow xguest to configure Network Manager
+## </p>
+## </desc>
+gen_tunable(xguest_connect_network,false)
+
+## <desc>
+## <p>
+## Allow xguest to use blue tooth devices
+## </p>
+## </desc>
+gen_tunable(xguest_use_bluetooth,false)
+
+userdom_restricted_xwindows_user_template(xguest)
+
+optional_policy(`
+	mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+# Allow mounting of file systems
+optional_policy(`
+	tunable_policy(`xguest_mount_media',`
+		hal_dbus_chat(xguest_t)
+		init_read_utmp(xguest_t)
+		auth_list_pam_console_data(xguest_t)
+		kernel_read_fs_sysctls(xguest_t)
+		files_dontaudit_getattr_boot_dirs(xguest_t)
+		files_search_mnt(xguest_t)
+		fs_manage_noxattr_fs_files(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_manage_noxattr_fs_dirs(xguest_t)
+		fs_getattr_noxattr_fs(xguest_t)
+		fs_read_noxattr_fs_symlinks(xguest_t)
+	')
+')
+optional_policy(`
+	tunable_policy(`xguest_connect_network',`
+		networkmanager_dbus_chat(xguest_t)
+	')
+')
+
+optional_policy(`
+	tunable_policy(`xguest_use_bluetooth',`
+		bluetooth_dbus_chat(xguest_t)
+	')
+')
+
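Review bot: `fs_manage_noxattr_fs_dirs(xguest_t)` appears twice in the `xguest_mount_media` block; drop the duplicate line. The file also ends with a trailing blank line after the last `')`, unlike the other new user modules in this commit.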
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2008-06-12 23:37:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt	2008-06-12 23:37:59.000000000 -0400
@@ -216,7 +216,7 @@
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
 define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')
@@ -327,3 +327,16 @@
 #
 define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+
+
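Review bot: The `all_capabilities` define closes its quote on a separate line, so the macro body includes a trailing newline, and the four `*_perms` defines that follow carry a trailing space inside the quotes (`} '`); neither breaks expansion, but both are inconsistent with every other set in this file, and the hunk adds three trailing blank lines. Close the quote on the same line and drop the inner spaces. A comment above `all_capabilities` naming its intended consumer would also help, since a set that spells out every capability should not be reached for casually by module authors.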
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users
--- nsaserefpolicy/policy/users	2008-06-12 23:37:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/users	2008-06-12 23:37:59.000000000 -0400
@@ -16,7 +16,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u, user, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
@@ -25,13 +25,10 @@
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0)
+gen_user(user_u, user, user_r system_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
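Review bot: `gen_user(user_u, user, user_r system_r, …)` adds the system_r role to the generic unprivileged user identity, and the last hunk of this file (`gen_user(root, … system_r, …)`) now grants root system_r unconditionally where it was gated on `direct_sysadm_daemon` before; neither change carries a comment saying why a login identity needs the role that system daemons run in. Add a comment above each stating the use case, since role membership here widens what a session can reach after a role change.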
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
@@ -39,8 +36,4 @@
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.8/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel	2008-06-12 23:37:58.000000000 -0400
+++ serefpolicy-3.0.8/support/Makefile.devel	2008-06-12 23:38:00.000000000 -0400
@@ -31,10 +31,10 @@
 
 genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
 
-docs = doc
-polxml = $(docs)/policy.xml
-xmldtd = $(HEADERDIR)/support/policy.dtd
-metaxml = metadata.xml
+docs := doc
+polxml := $(docs)/policy.xml
+xmldtd := $(HEADERDIR)/support/policy.dtd
+metaxml := metadata.xml
 
 globaltun = $(HEADERDIR)/global_tunables.xml
 globalbool = $(HEADERDIR)/global_booleans.xml
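Review bot: `globaltun` and `globalbool` are left as recursive `=` while the four assignments just above them switch to `:=`; for consistency make them `:=` too, or add a comment if late binding of `HEADERDIR` is actually required here. The same inconsistency is more costly in the next hunk, where `loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))` stays recursive after the layer variables were converted, so `semodule -l` is re-run on every expansion of `loaded_mods`, `match_sys` and `match_loc`; `loaded_mods := …` evaluates it once.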
@@ -76,35 +76,23 @@
 # policy headers
 m4support = $(wildcard $(HEADERDIR)/support/*.spt)
 
-all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
-all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
-rolemap = $(HEADERDIR)/rolemap
-
-detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
-
-clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
-all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
-detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
-
-3rd_party_mods = $(wildcard *.te)
-detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
-detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
-
-detected_ifs = $(detected_mods:.te=.if)
-detected_fcs = $(detected_mods:.te=.fc)
-all_packages = $(notdir $(detected_mods:.te=.pp))
-
-modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
-layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
-
-hmodxml = $(all_interfaces:.if=.xml)
-hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
-hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
-
-cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
-cmodxml = $(cmods:.te=.xml)
-clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
-cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
+header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
+header_xml := $(addsuffix .xml,$(header_layers))
+header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if))
+
+rolemap := $(HEADERDIR)/rolemap
+
+local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers)))
+
+all_layer_names := $(sort $(notdir $(header_layers) $(local_layers)))
+
+3rd_party_mods := $(wildcard *.te)
+detected_mods := $(3rd_party_mods) $(foreach layer,$(local_layers),$(wildcard $(layer)/*.te))
+
+detected_ifs := $(detected_mods:.te=.if)
+detected_fcs := $(detected_mods:.te=.fc)
+all_packages := $(notdir $(detected_mods:.te=.pp))
 
 # figure out what modules we may want to reload
 loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))
@@ -112,9 +100,9 @@
 match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods))
 match_loc = $(filter $(all_packages),$(loaded_mods))
 
-vpath %.te $(detected_layers)
-vpath %.if $(detected_layers)
-vpath %.fc $(detected_layers)
+vpath %.te $(local_layers)
+vpath %.if $(local_layers)
+vpath %.fc $(local_layers)
 
 ########################################
 #
@@ -192,7 +180,7 @@
 #
 tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
 	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
-	@test -d tmp || mkdir -p tmp
+	@test -d $(@D) || mkdir -p $(@D)
 	$(call peruser-expansion,$(basename $(@F)),$@.role)
 	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
@@ -204,55 +192,50 @@
 	@echo "Creating $(NAME) $(@F) policy package"
 	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
 
-tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
-	@test -d tmp || mkdir -p tmp
-	$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
+	@test -d $(@D) || mkdir -p $(@D)
+	@echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4
+	@echo "divert(-1)" > $@
+	$(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@
+	@echo "divert" >> $@
 
 # so users dont have to make empty .fc and .if files
-$(detected_ifs) $(detected_fcs):
+$(detected_fcs):
 	@touch $@
+	
+$(detected_ifs):
+	@echo "## <summary>$(basename $(@D))</summary>" > $@
 
 ########################################
 #
 # Documentation generation
 #
+tmp/%.xml: %/*.te %/*.if
+	@test -d $(@D) || mkdir -p $(@D)
+	$(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) > $@
+	$(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@
 
-$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
-	@test -d tmp || mkdir -p tmp
-	$(verbose) echo '<layer name="$(*F)">' > $@
-	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
-	$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
-	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
-	$(verbose) echo '</layer>' >> $@
-
-$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
-	@test -d tmp || mkdir -p tmp
-	$(verbose) echo '<layer name="$(*F)">' > $@
-	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
-	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
-	$(verbose) echo '</layer>' >> $@
-
-$(cmodxml) $(modxml): %.xml: %.if %.te
-	$(verbose) $(genxml) -w -m $* > $@
-
-$(layerxml): %.xml: $(modxml)
-	@test -d tmp || mkdir -p tmp
-	$(verbose) echo '<layer name="$(*F)">' > $@
-	$(verbose) if test -f '$(metaxml)'; then \
-		cat $(metaxml) >> $@; \
-	else \
-		echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
-	fi
-	$(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
-	$(verbose) echo '</layer>' >> $@
+vars: $(local_xml)
 
-$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
+$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs)
 	@echo "Creating $(@F)"
-	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+	@test -d $(@D) || mkdir -p $(@D)
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
 	$(verbose) echo '<policy>' >> $@
-	$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
+	$(verbose) for i in $(all_layer_names); do \
+		echo "<layer name=\"$$i\">" >> $@ ;\
+		test -f $(HEADERDIR)/$$i.xml && cat $(HEADERDIR)/$$i.xml >> $@ ;\
+		test -f tmp/$$i.xml && cat tmp/$$i.xml >> $@ ;\
+		echo "</layer>" >> $@ ;\
+	done
+ifneq "$(strip $(3rd_party_mods))" ""
+	$(verbose) echo "<layer name=\"third_party\">" >> $@
+	$(verbose) echo "<summary>These are all third-party modules.</summary>" >> $@
+	$(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@
+	$(verbose) echo "</layer>" >> $@
+endif
+	$(verbose) cat $(globaltun) $(globalbool) >> $@
 	$(verbose) echo '</policy>' >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
 		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\