From 49b483bf519f4163b30283950f3c2c7a7825c2a4 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 11 2007 14:08:33 +0000 Subject: - Allow modprobe to setsched on kernel --- diff --git a/policy-20070501.patch b/policy-20070501.patch index af7452d..459cf8e 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch 
@@ -244,10 +244,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te + hal_write_log(alsa_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.6.4/policy/modules/admin/amanda.if +--- nsaserefpolicy/policy/modules/admin/amanda.if 2007-05-07 14:51:04.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/amanda.if 2007-09-11 09:15:10.000000000 -0400 +@@ -71,6 +71,26 @@ + + ######################################## + ## ++## Search amanda var library directories. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`amanda_search_var_lib',` ++ gen_require(` ++ type amanda_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 amanda_var_lib_t:dir search_dir_perms; ++ ++') ++ ++######################################## ++## + ## Do not audit attempts to read /etc/dumpdates. + ## + ## +@@ -141,3 +161,4 @@ + + allow $1 amanda_log_t:file { read_file_perms append_file_perms }; + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.6.4/policy/modules/admin/amanda.te --- nsaserefpolicy/policy/modules/admin/amanda.te 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/amanda.te 2007-08-07 09:42:34.000000000 -0400 -@@ -85,7 +85,7 @@ ++++ serefpolicy-2.6.4/policy/modules/admin/amanda.te 2007-09-11 09:15:03.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(amanda,1.5.0) ++policy_module(amanda,1.6.1) + + ####################################### + # +@@ -51,8 +51,7 @@ + # type for amrecover + type amanda_recover_t; + type amanda_recover_exec_t; +-domain_type(amanda_recover_t) +-domain_entry_file(amanda_recover_t,amanda_recover_exec_t) ++application_domain(amanda_recover_t,amanda_recover_exec_t) + role system_r types amanda_recover_t; + + # type for recover files ( restored data ) +@@ -70,12 +69,11 @@ + + allow amanda_t self:capability { chown dac_override setuid kill }; 
+ allow amanda_t self:process { setpgid signal }; +-allow amanda_t self:fifo_file { getattr read write ioctl lock }; ++allow amanda_t self:fifo_file rw_fifo_file_perms; + allow amanda_t self:unix_stream_socket create_stream_socket_perms; + allow amanda_t self:unix_dgram_socket create_socket_perms; + allow amanda_t self:tcp_socket create_stream_socket_perms; + allow amanda_t self:udp_socket create_socket_perms; +-allow amanda_t self:netlink_route_socket r_netlink_socket_perms; + + # access to amanda_amandates_t + allow amanda_t amanda_amandates_t:file { getattr lock read write }; +@@ -85,18 +83,22 @@ # access to amandas data structure allow amanda_t amanda_data_t:dir { read search write }; @@ -256,7 +322,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. # access to amanda_dumpdates_t allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; -@@ -97,6 +97,9 @@ + + can_exec(amanda_t,amanda_exec_t) ++can_exec(amanda_t,amanda_inetd_exec_t) + + # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) + allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; allow amanda_t amanda_gnutarlists_t:file manage_file_perms; allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms; 
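Review bot: The new `amanda_search_var_lib` interface leaves an empty line between `allow $1 amanda_var_lib_t:dir search_dir_perms;` and its closing `')`, and the hunk's trailing `++` appends a blank line after the last `')` of amanda.if; neither matches the neighbouring interfaces in the file, so both should be dropped. The replacement of `domain_type`/`domain_entry_file` with `application_domain(amanda_recover_t,amanda_recover_exec_t)` and of the explicit fifo_file permission list with `rw_fifo_file_perms` are the idiomatic forms. The removal of `allow amanda_t self:netlink_route_socket r_netlink_socket_perms;` relies on the `auth_use_nsswitch(amanda_t)` added in the following hunk of this commit; a reader of this hunk alone cannot see that, so a note in the commit message would help.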
@@ -266,6 +337,79 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t) manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t) logging_log_filetrans(amanda_t,amanda_log_t,{ file dir }) +@@ -105,6 +107,8 @@ + manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t) + files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) + ++auth_use_nsswitch(amanda_t) ++ + kernel_read_system_state(amanda_t) + kernel_read_kernel_sysctls(amanda_t) + kernel_dontaudit_getattr_unlabeled_files(amanda_t) +@@ -113,7 +117,8 @@ + # Added for targeted policy + term_use_unallocated_ttys(amanda_t) + +-corenet_non_ipsec_sendrecv(amanda_t) ++corenet_all_recvfrom_unlabeled(amanda_t) ++corenet_all_recvfrom_netlabel(amanda_t) + corenet_tcp_sendrecv_all_if(amanda_t) + corenet_udp_sendrecv_all_if(amanda_t) + corenet_raw_sendrecv_all_if(amanda_t) +@@ -150,8 +155,6 @@ + libs_use_ld_so(amanda_t) + libs_use_shared_libs(amanda_t) + +-sysnet_read_config(amanda_t) +- + optional_policy(` + auth_read_shadow(amanda_t) + ') +@@ -160,14 +163,6 @@ + logging_send_syslog_msg(amanda_t) + ') + +-optional_policy(` +- nis_use_ypbind(amanda_t) +-') +- +-optional_policy(` +- nscd_socket_use(amanda_t) +-') +- + ######################################## + # + # Amanda recover local policy +@@ -197,10 +192,13 @@ + manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t) + files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file }) + ++auth_use_nsswitch(amanda_recover_t) ++ + kernel_read_system_state(amanda_recover_t) + kernel_read_kernel_sysctls(amanda_recover_t) + +-corenet_non_ipsec_sendrecv(amanda_recover_t) ++corenet_all_recvfrom_unlabeled(amanda_recover_t) ++corenet_all_recvfrom_netlabel(amanda_recover_t) + corenet_tcp_sendrecv_all_if(amanda_recover_t) + corenet_udp_sendrecv_all_if(amanda_recover_t) + corenet_tcp_sendrecv_all_nodes(amanda_recover_t) +@@ -232,14 +230,4 @@ + + 
miscfiles_read_localization(amanda_recover_t) + +-sysnet_read_config(amanda_recover_t) +- + userdom_search_sysadm_home_content_dirs(amanda_recover_t) +- +-optional_policy(` +- nis_use_ypbind(amanda_recover_t) +-') +- +-optional_policy(` +- nscd_socket_use(amanda_recover_t) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amtu.fc serefpolicy-2.6.4/policy/modules/admin/amtu.fc --- nsaserefpolicy/policy/modules/admin/amtu.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/admin/amtu.fc 2007-08-07 09:42:34.000000000 -0400 @@ -1634,7 +1778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-04 13:41:27.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-11 08:17:57.000000000 -0400 @@ -48,6 +48,11 @@ type reserved_port_t, port_type, reserved_port_type; 
@@ -1673,15 +1817,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(mail, tcp,2000,s0) -@@ -152,6 +158,7 @@ +@@ -152,13 +158,18 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) +network_port(wccp, udp,2048,s0) network_port(xen, tcp,8002,s0) ++network_port(xfs, tcp,7100,s0) network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0) network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0) -@@ -159,6 +166,9 @@ + network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -4175,7 +4320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cron.te 2007-09-11 09:16:17.000000000 -0400 @@ -42,6 +42,9 @@ type cron_log_t; logging_log_file(cron_log_t) 
@@ -4268,7 +4413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` optional_policy(` # Debian logcheck has the home dir set to its cache -@@ -185,34 +209,9 @@ +@@ -185,40 +209,19 @@ locallogin_link_keys(crond_t) ') @@ -4306,7 +4451,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; -@@ -232,11 +231,7 @@ + ') + + optional_policy(` ++ amanda_search_var_lib(crond_t) ++') ++ ++optional_policy(` + amavis_search_lib(crond_t) + ') + +@@ -232,11 +235,7 @@ ') optional_policy(` @@ -4319,7 +4474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -258,25 +253,39 @@ +@@ -258,25 +257,39 @@ # System cron process domain # @@ -4363,7 +4518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; allow system_crond_t self:process { signal_perms setsched }; allow system_crond_t self:fifo_file rw_fifo_file_perms; -@@ -369,7 +378,7 @@ +@@ -369,7 +382,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -4372,7 +4527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) -@@ -428,6 +437,10 @@ +@@ -428,6 +441,10 @@ ') optional_policy(` 
@@ -4385,7 +4540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-09-11 08:58:55.000000000 -0400 @@ -8,6 +8,7 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -4403,12 +4558,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -@@ -52,3 +53,5 @@ +@@ -52,3 +53,4 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:cupsd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-08-07 09:42:35.000000000 -0400 
@@ -5249,9 +5403,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet files_search_home(inetd_child_t) manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-2.6.4/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/kerberos.fc 2007-09-11 09:03:39.000000000 -0400 +@@ -16,3 +16,4 @@ + + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.6.4/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/kerberos.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/kerberos.if 2007-09-11 09:02:58.000000000 -0400 @@ -33,43 +33,10 @@ # interface(`kerberos_use',` 
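Review bot: The new file-context entry `/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` matches only that literal path, so a replay-cache file created under any other name in /var/tmp would not be covered and would fall back to the generic tmp label on a relabel; whether other names occur cannot be determined from this hunk, so please confirm before relying on a single fixed path. If `host_0` is indeed the only name, a comment above the line stating that (e.g. `# kerberos host replay cache; labeled at runtime by the creating daemon via setfscreate, see kerberos_manage_host_rcache`) would keep the next maintainer from widening it blindly. The kerberos.if header change at the end of this hunk is a timestamp only.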
@@ -5298,109 +5460,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') ######################################## -@@ -94,46 +61,47 @@ +@@ -94,6 +61,27 @@ ######################################## ## --## Do not audit attempts to write the kerberos --## configuration file (/etc/krb5.conf). +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`kerberos_dontaudit_write_config',` ++# +interface(`kerberos_read_kdc_config',` - gen_require(` -- type krb5_conf_t; ++ gen_require(` + type krb5kdc_conf_t; - ') - -- dontaudit $1 krb5_conf_t:file write; ++ ') ++ + files_search_etc($1) + allow $1 krb5kdc_conf_t:file read_file_perms; + - ') - - ######################################## - ## --## Read and write the kerberos configuration file (/etc/krb5.conf). -+## Do not audit attempts to write the kerberos -+## configuration file (/etc/krb5.conf). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## --## - # --interface(`kerberos_rw_config',` -+interface(`kerberos_dontaudit_write_config',` - gen_require(` - type krb5_conf_t; - ') - -- files_search_etc($1) -- allow $1 krb5_conf_t:file rw_file_perms; -+ dontaudit $1 krb5_conf_t:file write; - ') - - ######################################## - ## --## Read the kerberos key table. -+## Read and write the kerberos configuration file (/etc/krb5.conf). - ## - ## - ## -@@ -142,18 +110,18 @@ - ## - ## - # --interface(`kerberos_read_keytab',` -+interface(`kerberos_rw_config',` - gen_require(` -- type krb5_keytab_t; -+ type krb5_conf_t; - ') - - files_search_etc($1) -- allow $1 krb5_keytab_t:file read_file_perms; -+ allow $1 krb5_conf_t:file rw_file_perms; - ') - - ######################################## - ## --## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). -+## Read the kerberos key table. 
++') ++ ++######################################## ++## + ## Do not audit attempts to write the kerberos + ## configuration file (/etc/krb5.conf). ## - ## - ## -@@ -162,12 +130,11 @@ +@@ -162,12 +150,13 @@ ## ## # -interface(`kerberos_read_kdc_config',` -+interface(`kerberos_read_keytab',` ++interface(`kerberos_manage_host_rcache',` gen_require(` - type krb5kdc_conf_t; -+ type krb5_keytab_t; ++ type krb5_host_rcache_t; ') - files_search_etc($1) +- files_search_etc($1) - allow $1 krb5kdc_conf_t:file read_file_perms; - -+ allow $1 krb5_keytab_t:file read_file_perms; ++ files_search_tmp($1) ++ allow $1 self:process setfscreate; ++ seutil_read_file_contexts($1) ++ allow $1 krb5_host_rcache_t:file manage_file_perms; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-09-04 11:12:55.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-09-11 09:02:16.000000000 -0400 @@ -5,6 +5,7 @@ # # Declarations @@ -5409,7 +5518,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ## ##
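Review bot: `kerberos_manage_host_rcache` grants `allow $1 self:process setfscreate;` and `seutil_read_file_contexts($1)`, which are permissions of the calling process that apply to every file it creates while a context is set, not access to `krb5_host_rcache_t` itself, yet for the directory it grants only `files_search_tmp($1)`; a caller that must create the cache file therefore still needs write/add_name access on tmp_t directories from elsewhere (rshd.te in this commit adds `files_manage_generic_tmp_dirs(rshd_t)` for exactly that). Either add the directory rule to the interface or state the caller's obligation in its documentation. The inner hunk `@@ -162,12 +150,13 @@` begins with the closing `##` lines of the doc block and only renames the `interface(` line, so the `<summary>` above it appears to be the one written for `kerberos_read_kdc_config`, which this interface replaces in place; it should be rewritten to describe this interface, roughly "Manage the kerberos host replay cache files in /var/tmp; also grants the caller setfscreate and read of file contexts so it can label the cache it creates".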

-@@ -62,7 +63,7 @@ +@@ -54,6 +55,9 @@ + type krb5kdc_var_run_t; + files_pid_file(krb5kdc_var_run_t) + ++type krb5_host_rcache_t; ++files_tmp_file(krb5_host_rcache_t) ++ + ######################################## + # + # kadmind local policy +@@ -62,7 +66,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; @@ -5418,7 +5537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; allow kadmind_t self:unix_dgram_socket { connect create write }; allow kadmind_t self:tcp_socket connected_stream_socket_perms; -@@ -91,6 +92,7 @@ +@@ -91,6 +95,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) kernel_read_proc_symlinks(kadmind_t) @@ -5426,7 +5545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb corenet_non_ipsec_sendrecv(kadmind_t) corenet_tcp_sendrecv_all_if(kadmind_t) -@@ -117,6 +119,9 @@ +@@ -117,6 +122,9 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) @@ -5436,7 +5555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) -@@ -126,6 +131,7 @@ +@@ -126,6 +134,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) @@ -5444,7 +5563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -142,6 +148,7 @@ +@@ -142,6 +151,7 @@ optional_policy(` seutil_sigchld_newrole(kadmind_t) 
@@ -5452,7 +5571,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` -@@ -227,6 +234,7 @@ +@@ -156,7 +166,7 @@ + # Use capabilities. Surplus capabilities may be allowed. + allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; + dontaudit krb5kdc_t self:capability sys_tty_config; +-allow krb5kdc_t self:process { setsched getsched signal_perms }; ++allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; + allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; + allow krb5kdc_t self:tcp_socket create_stream_socket_perms; + allow krb5kdc_t self:udp_socket create_socket_perms; +@@ -227,6 +237,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) @@ -5460,7 +5588,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -248,3 +256,36 @@ +@@ -243,8 +254,42 @@ + + optional_policy(` + seutil_sigchld_newrole(krb5kdc_t) ++ seutil_read_file_contexts(krb5kdc_t) + ') + optional_policy(` udev_read_db(krb5kdc_t) ') 
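Review bot: `allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };` adds `setfscreate` to the KDC directly, while rlogind_t and rshd_t receive it through `kerberos_manage_host_rcache` in this commit; the rule that actually lets krb5kdc_t create or write `krb5_host_rcache_t` files is not among the visible lines (the unchanged body of the inner `+@@ -243,8 +254,42 @@` hunk lies outside the outer context), so please confirm it exists, otherwise the new permission is surplus. A why-comment on the rule, e.g. `# sets the file context of the replay cache it creates in /var/tmp`, would make its pairing with the `seutil_read_file_contexts(krb5kdc_t)` added in the next hunk obvious. The krb5kdc_t block continues outside this hunk.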
@@ -7148,15 +7282,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.6.4/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rlogin.te 2007-08-07 09:42:35.000000000 -0400 -@@ -64,6 +64,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rlogin.te 2007-09-11 09:05:43.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(rlogin,1.3.0) ++policy_module(rlogin,1.4.0) + + ######################################## + # +@@ -50,7 +50,8 @@ + kernel_read_system_state(rlogind_t) + kernel_read_network_state(rlogind_t) + +-corenet_non_ipsec_sendrecv(rlogind_t) ++corenet_all_recvfrom_unlabeled(rlogind_t) ++corenet_all_recvfrom_netlabel(rlogind_t) + corenet_tcp_sendrecv_all_if(rlogind_t) + corenet_udp_sendrecv_all_if(rlogind_t) + corenet_tcp_sendrecv_all_nodes(rlogind_t) +@@ -63,9 +64,10 @@ + fs_getattr_xattr_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) ++auth_use_nsswitch(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) +auth_domtrans_upd_passwd(rlogind_t) auth_rw_login_records(rlogind_t) - auth_use_nsswitch(rlogind_t) +-auth_use_nsswitch(rlogind_t) + + files_read_etc_files(rlogind_t) + files_read_etc_runtime_files(rlogind_t) +@@ -81,7 +83,7 @@ + + miscfiles_read_localization(rlogind_t) + +-seutil_dontaudit_search_config(rlogind_t) ++seutil_read_config(rlogind_t) + + sysnet_read_config(rlogind_t) +@@ -92,7 +94,9 @@ + remotelogin_domtrans(rlogind_t) + + optional_policy(` ++ kerberos_use(rlogind_t) + kerberos_read_keytab(rlogind_t) ++ kerberos_manage_host_rcache(rlogind_t) + ') + + ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-2.6.4/policy/modules/services/rpcbind.fc --- nsaserefpolicy/policy/modules/services/rpcbind.fc 1969-12-31 19:00:00.000000000 -0500 +++ 
serefpolicy-2.6.4/policy/modules/services/rpcbind.fc 2007-08-07 09:42:35.000000000 -0400 
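Review bot: `kerberos_manage_host_rcache(rlogind_t)` gives rlogind_t search on the tmp directory and manage on `krb5_host_rcache_t` files, but no rule in this hunk lets rlogind_t add an entry to a tmp_t directory, so creating the cache file may still be denied unless that access already exists outside the hunk (rshd.te in the same commit adds `files_manage_generic_tmp_dirs(rshd_t)` for this); please confirm or add the directory rule. Replacing `seutil_dontaudit_search_config(rlogind_t)` with `seutil_read_config(rlogind_t)` turns a silenced denial into a grant of read access to the SELinux configuration, and the hunk gives no reason; a one-line comment above it naming what rlogind reads there is expected. Moving `auth_use_nsswitch(rlogind_t)` ahead of `auth_domtrans_chk_passwd` and adding `kerberos_use(rlogind_t)` next to `kerberos_read_keytab` are consistent with the rest of the file.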
@@ -7428,15 +7602,105 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-08-07 09:42:35.000000000 -0400 -@@ -44,6 +44,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2007-09-11 09:10:41.000000000 -0400 +@@ -11,19 +11,22 @@ + domain_subj_id_change_exemption(rshd_t) + domain_role_change_exemption(rshd_t) + role system_r types rshd_t; ++domain_interactive_fd(rshd_t) + + ######################################## + # + # Local policy + # +-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; ++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; + allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; + allow rshd_t self:fifo_file rw_fifo_file_perms; + allow rshd_t self:tcp_socket create_stream_socket_perms; ++allow rshd_t self:key {search write link}; + + kernel_read_kernel_sysctls(rshd_t) + +-corenet_non_ipsec_sendrecv(rshd_t) ++corenet_all_recvfrom_unlabeled(rshd_t) ++corenet_all_recvfrom_netlabel(rshd_t) + corenet_tcp_sendrecv_generic_if(rshd_t) + corenet_udp_sendrecv_generic_if(rshd_t) + corenet_tcp_sendrecv_all_nodes(rshd_t) +@@ -32,6 +35,8 @@ + corenet_udp_sendrecv_all_ports(rshd_t) + corenet_tcp_bind_all_nodes(rshd_t) + corenet_tcp_bind_rsh_port(rshd_t) ++corenet_tcp_bind_all_rpc_ports(rshd_t) ++corenet_tcp_connect_all_rpc_ports(rshd_t) + corenet_sendrecv_rsh_server_packets(rshd_t) + + dev_read_urand(rshd_t) +@@ -43,31 +48,43 @@ + selinux_compute_relabel_context(rshd_t) selinux_compute_user_contexts(rshd_t) ++auth_use_nsswitch(rshd_t) auth_domtrans_chk_passwd(rshd_t) +auth_domtrans_upd_passwd(rshd_t) ++auth_search_key(rshd_t) 
++auth_write_login_records(rshd_t) corecmd_read_bin_symlinks(rshd_t) + files_list_home(rshd_t) + files_read_etc_files(rshd_t) +-files_search_tmp(rshd_t) ++files_manage_generic_tmp_dirs(rshd_t) ++ ++init_rw_utmp(rshd_t) + + libs_use_ld_so(rshd_t) + libs_use_shared_libs(rshd_t) + + logging_send_syslog_msg(rshd_t) ++logging_search_logs(rshd_t) + + miscfiles_read_localization(rshd_t) + + seutil_read_config(rshd_t) + seutil_read_default_contexts(rshd_t) + +-sysnet_read_config(rshd_t) +- + userdom_search_all_users_home_content(rshd_t) + ++optional_policy(` ++ kerberos_use(rshd_t) ++ kerberos_read_keytab(rshd_t) ++ kerberos_manage_host_rcache(rshd_t) ++') ++ + ifdef(`targeted_policy',` + unconfined_domain(rshd_t) + unconfined_shell_domtrans(rshd_t) ++ unconfined_signal(rshd_t) + ') + + tunable_policy(`use_nfs_home_dirs',` +@@ -80,16 +97,3 @@ + fs_read_cifs_symlinks(rshd_t) + ') + +-optional_policy(` +- kerberos_use(rshd_t) +-') +- +-optional_policy(` +- nscd_socket_use(rshd_t) +-') +- +-ifdef(`TODO',` +-optional_policy(` +- allow rshd_t rlogind_tmp_t:file rw_file_perms; +-') +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.6.4/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/rsync.te 2007-08-07 09:42:35.000000000 -0400 @@ -7539,7 +7803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-2.6.4/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.fc 2007-09-11 09:23:35.000000000 -0400 @@ -3,6 +3,7 @@ # /etc # 
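Review bot: `files_manage_generic_tmp_dirs(rshd_t)` replaces `files_search_tmp(rshd_t)` with full management of generic tmp directories (create, rename and remove), which is far wider than what dropping a replay-cache file into /var/tmp requires; if that file is the motivation — the `kerberos_manage_host_rcache(rshd_t)` block added further down suggests it is — write/add_name access on tmp_t directories is sufficient and should be preferred. The other new grants, `kill` in `self:capability`, `allow rshd_t self:key {search write link};`, `corenet_tcp_bind_all_rpc_ports(rshd_t)`/`corenet_tcp_connect_all_rpc_ports(rshd_t)`, `auth_write_login_records(rshd_t)` and `init_rw_utmp(rshd_t)`, each widen rshd_t without a comment; the file's convention is a one-line why above such rules naming the component that triggers them. The key rule also lacks the spaces inside the braces used everywhere else in this file, e.g. `allow rshd_t self:key { search write link };`.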
@@ -7548,7 +7812,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) -@@ -27,6 +28,9 @@ +@@ -14,6 +15,7 @@ + /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) + /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) + /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) + + /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +@@ -27,6 +29,9 @@ /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) @@ -7560,7 +7832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.if 2007-09-11 09:24:04.000000000 -0400 @@ -177,6 +177,27 @@ ######################################## @@ -7653,7 +7925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Allow the specified domain to write to smbmount tcp sockets. ##

## -@@ -377,3 +443,70 @@ +@@ -377,3 +443,121 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') @@ -7724,15 +7996,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + + read_files_pattern($1, samba_share_t, samba_share_t) +') ++ ++######################################## ++## ++## Execute a domain transition to run smbcontrol. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_domtrans_smbcontrol',` ++ gen_require(` ++ type smbcontrol_t; ++ type smbcontrol_exec_t; ++ ') ++ ++ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t) ++') ++ ++ ++######################################## ++## ++## Execute smbcontrol in the smbcontrol domain, and ++## allow the specified role the smbcontrol domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the smbcontrol domain. ++## ++## ++## ++## ++## The type of the role's terminal. ++## ++## ++# ++interface(`samba_run_smbcontrol',` ++ gen_require(` ++ type smbcontrol_t; ++ ') ++ ++ samba_domtrans_smbcontrol($1) ++ role $2 types smbcontrol_t; ++ dontaudit smbcontrol_t $3:chr_file rw_term_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-23 17:07:33.000000000 -0400 -@@ -28,6 +28,35 @@ - ## - gen_tunable(samba_share_nfs,false) ++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-09-11 09:56:07.000000000 -0400 +@@ -16,6 +16,14 @@ -+## -+##

+ ## + ##

+## Allow samba to run as the domain controller; add machines to passwd file +## +##

@@ -7741,17 +8062,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + +## +##

-+## Allow samba to be exported read/write. + ## Allow samba to export user home directories. + ##

+ ##
+@@ -23,6 +31,27 @@ + + ## + ##

++## Export all files on system read only. +##

+##
-+gen_tunable(samba_export_all_rw,false) ++gen_tunable(samba_export_all_ro,false) + +## +##

-+## Allow samba to be exported read only ++## Export all files on system read-write. +##

+##
-+gen_tunable(samba_export_all_ro,false) ++gen_tunable(samba_export_all_rw,false) + +## +##

@@ -7760,27 +8088,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +## +gen_tunable(samba_run_unconfined,false) + - type nmbd_t; - type nmbd_exec_t; - init_daemon_domain(nmbd_t,nmbd_exec_t) -@@ -117,6 +146,7 @@ - allow samba_net_t self:unix_stream_socket create_stream_socket_perms; - allow samba_net_t self:udp_socket create_socket_perms; - allow samba_net_t self:tcp_socket create_socket_perms; -+allow samba_net_t self:netlink_route_socket r_netlink_socket_perms; ++## ++##

+ ## Allow samba to export NFS volumes. + ##

+ ##
+@@ -108,6 +137,11 @@ + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) + ++type smbcontrol_t; ++type smbcontrol_exec_t; ++application_domain(smbcontrol_t, smbcontrol_exec_t) ++role system_r types smbcontrol_t; ++ + ######################################## + # + # Samba net local policy +@@ -131,6 +165,8 @@ + manage_files_pattern(samba_net_t,samba_var_t,samba_var_t) + manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t) - allow samba_net_t samba_etc_t:file read_file_perms; ++auth_use_nsswitch(samba_net_t) ++ + kernel_read_proc_symlinks(samba_net_t) -@@ -159,6 +189,8 @@ + corenet_tcp_sendrecv_all_if(samba_net_t) +@@ -159,8 +195,7 @@ miscfiles_read_localization(samba_net_t) +-sysnet_read_config(samba_net_t) +-sysnet_use_ldap(samba_net_t) +samba_read_var_files(samba_net_t) -+ - sysnet_read_config(samba_net_t) - sysnet_use_ldap(samba_net_t) -@@ -191,7 +223,7 @@ + userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) + +@@ -173,10 +208,6 @@ + kerberos_use(samba_net_t) + ') + +-optional_policy(` +- nscd_socket_use(samba_net_t) +-') +- + ######################################## + # + # smbd Local policy +@@ -191,18 +222,16 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; @@ -7789,7 +8144,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -200,9 +232,8 @@ + allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow smbd_t self:netlink_route_socket r_netlink_socket_perms; allow smbd_t samba_etc_t:file { rw_file_perms setattr }; 
@@ -7801,7 +8157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_log_t:dir setattr; dontaudit smbd_t samba_log_t:dir remove_name; -@@ -231,7 +262,8 @@ +@@ -231,7 +260,8 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) @@ -7811,17 +8167,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -256,6 +288,9 @@ - corenet_tcp_connect_ipp_port(smbd_t) - corenet_tcp_connect_smbd_port(smbd_t) +@@ -241,6 +271,9 @@ + kernel_read_software_raid_state(smbd_t) + kernel_read_system_state(smbd_t) +corecmd_exec_shell(smbd_t) +corecmd_exec_bin(smbd_t) + - dev_read_sysfs(smbd_t) - dev_read_urand(smbd_t) - dev_getattr_mtrr_dev(smbd_t) -@@ -265,11 +300,14 @@ + corenet_tcp_sendrecv_all_if(smbd_t) + corenet_udp_sendrecv_all_if(smbd_t) + corenet_raw_sendrecv_all_if(smbd_t) +@@ -265,11 +298,14 @@ fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) @@ -7836,7 +8192,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb files_list_var_lib(smbd_t) files_read_etc_files(smbd_t) -@@ -296,6 +334,12 @@ +@@ -290,12 +326,16 @@ + miscfiles_read_localization(smbd_t) + miscfiles_read_public_files(smbd_t) + +-sysnet_read_config(smbd_t) +- + userdom_dontaudit_search_sysadm_home_dirs(smbd_t) userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -7849,7 +8211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -319,6 +363,14 @@ +@@ -319,6 +359,14 @@ ') optional_policy(` 
@@ -7864,7 +8226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -339,6 +391,23 @@ +@@ -339,6 +387,23 @@ udev_read_db(smbd_t) ') @@ -7888,7 +8250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # nmbd Local policy -@@ -352,7 +421,7 @@ +@@ -352,7 +417,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -7897,7 +8259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -362,9 +431,12 @@ +@@ -362,9 +427,12 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) @@ -7911,7 +8273,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) allow nmbd_t samba_log_t:dir setattr; -@@ -391,6 +463,7 @@ +@@ -373,6 +441,8 @@ + + allow nmbd_t smbd_var_run_t:dir rw_dir_perms; + ++auth_use_nsswitch(nmbd_t) ++ + kernel_getattr_core_if(nmbd_t) + kernel_getattr_message_if(nmbd_t) + kernel_read_kernel_sysctls(nmbd_t) +@@ -391,6 +461,7 @@ corenet_udp_bind_nmbd_port(nmbd_t) corenet_sendrecv_nmbd_server_packets(nmbd_t) corenet_sendrecv_nmbd_client_packets(nmbd_t) 
@@ -7919,7 +8290,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(nmbd_t) dev_getattr_mtrr_dev(nmbd_t) -@@ -457,6 +530,7 @@ +@@ -402,6 +473,7 @@ + + files_read_usr_files(nmbd_t) + files_read_etc_files(nmbd_t) ++files_list_var_lib(nmbd_t) + + libs_use_ld_so(nmbd_t) + libs_use_shared_libs(nmbd_t) +@@ -411,8 +483,6 @@ + + miscfiles_read_localization(nmbd_t) + +-sysnet_read_config(nmbd_t) +- + userdom_dontaudit_search_sysadm_home_dirs(nmbd_t) + userdom_dontaudit_use_unpriv_user_fds(nmbd_t) + userdom_use_unpriv_users_fds(nmbd_t) +@@ -457,6 +527,7 @@ allow smbmount_t samba_secrets_t:file manage_file_perms; 
@@ -7927,24 +8315,96 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbmount_t samba_var_t:dir rw_dir_perms; manage_files_pattern(smbmount_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) -@@ -514,7 +588,7 @@ +@@ -489,6 +560,8 @@ + term_list_ptys(smbmount_t) + term_use_controlling_term(smbmount_t) + ++auth_use_nsswitch(smbmount_t) ++ + corecmd_list_bin(smbmount_t) + + files_list_mnt(smbmount_t) +@@ -508,21 +581,11 @@ + + logging_search_logs(smbmount_t) + +-sysnet_read_config(smbmount_t) +- + userdom_use_all_users_fds(smbmount_t) userdom_use_sysadm_ttys(smbmount_t) optional_policy(` - cups_read_rw_config(smbd_t) +-') +- +-optional_policy(` +- nis_use_ypbind(smbmount_t) +-') +- +-optional_policy(` +- nscd_socket_use(smbmount_t) + cups_read_rw_config(smbmount_t) ') - optional_policy(` -@@ -534,7 +608,6 @@ - allow swat_t self:process signal_perms; + ######################################## +@@ -530,22 +593,30 @@ + # SWAT Local policy + # + +-allow swat_t self:capability { setuid setgid }; +-allow swat_t self:process signal_perms; ++allow swat_t self:capability { setuid setgid sys_resource net_bind_service }; ++allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow swat_t self:netlink_audit_socket create; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; - allow swat_t self:netlink_route_socket r_netlink_socket_perms; -@@ -588,6 +661,7 @@ +-allow swat_t self:netlink_route_socket r_netlink_socket_perms; + +-allow swat_t nmbd_exec_t:file { execute read }; ++can_exec(swat_t, nmbd_exec_t) ++allow swat_t nmbd_port_t:udp_socket name_bind; ++allow swat_t nmbd_t:process { signal signull }; ++allow swat_t nmbd_var_run_t:file { lock read unlink }; + + rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) + ++init_read_utmp(swat_t) 
++init_dontaudit_write_utmp(swat_t) ++ + append_files_pattern(swat_t,samba_log_t,samba_log_t) + +-allow swat_t smbd_exec_t:file execute ; ++allow swat_t self:unix_stream_socket connectto; ++can_exec(swat_t, smbd_exec_t) ++allow swat_t smbd_port_t:tcp_socket name_bind; ++allow swat_t smbd_t:process signal; ++allow swat_t smbd_var_run_t:file { lock unlink }; + + allow swat_t smbd_t:process signull; + +@@ -558,7 +629,11 @@ + manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) + files_pid_filetrans(swat_t,swat_var_run_t,file) + +-allow swat_t winbind_exec_t:file execute; ++can_exec(swat_t, winbind_exec_t) ++allow swat_t winbind_var_run_t:dir { write add_name remove_name }; ++allow swat_t winbind_var_run_t:sock_file { create unlink }; ++ ++auth_use_nsswitch(swat_t) + + kernel_read_kernel_sysctls(swat_t) + kernel_read_system_state(swat_t) +@@ -582,23 +657,24 @@ + + dev_read_urand(swat_t) + ++files_list_var_lib(swat_t) + files_read_etc_files(swat_t) + files_search_home(swat_t) + files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) auth_domtrans_chk_passwd(swat_t) @@ -7952,7 +8412,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb libs_use_ld_so(swat_t) libs_use_shared_libs(swat_t) -@@ -625,19 +699,25 @@ + + logging_send_syslog_msg(swat_t) ++logging_send_audit_msgs(swat_t) + logging_search_logs(swat_t) + + miscfiles_read_localization(swat_t) + +-sysnet_read_config(swat_t) +- + optional_policy(` + cups_read_rw_config(swat_t) + cups_stream_connect(swat_t) +@@ -612,32 +688,30 @@ + kerberos_use(swat_t) + ') + +-optional_policy(` +- nis_use_ypbind(swat_t) +-') +- +-optional_policy(` +- nscd_socket_use(swat_t) +-') +- + ######################################## + # # Winbind local policy # 
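Review bot: The swat_t rules this hunk adds — `can_exec(swat_t, nmbd_exec_t)`, `can_exec(swat_t, smbd_exec_t)`, `can_exec(swat_t, winbind_exec_t)` together with `name_bind` on smbd_port_t and nmbd_port_t, unlink of the daemons' pid files and create/unlink of winbind sock_files — are the footprint of the three daemons executing inside swat_t rather than transitioning, so the network-facing SWAT domain accumulates the full privilege of smbd, nmbd and winbind. Transitioning instead, `domtrans_pattern(swat_t, smbd_exec_t, smbd_t)`, `domtrans_pattern(swat_t, nmbd_exec_t, nmbd_t)`, `domtrans_pattern(swat_t, winbind_exec_t, winbind_t)`, keeps each daemon under its existing policy and makes the port-bind, pid-file and sock_file rules for swat_t unnecessary. If direct execution is intended for some invocations, the port types should still be reached through the corenetwork interfaces (`corenet_tcp_bind_smbd_port(swat_t)`, `corenet_udp_bind_nmbd_port(swat_t)`) rather than by naming smbd_port_t and nmbd_port_t directly, since those types belong to another module. The new `sys_resource` capability and `setrlimit` on self also deserve a one-line why-comment naming the operation that needs them.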
@@ -7979,7 +8464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t) filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file) -@@ -645,6 +725,8 @@ +@@ -645,6 +719,8 @@ manage_files_pattern(winbind_t,samba_log_t,samba_log_t) manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t) @@ -7988,7 +8473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t) -@@ -682,7 +764,9 @@ +@@ -682,7 +758,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -7998,7 +8483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -695,9 +779,6 @@ +@@ -695,9 +773,6 @@ miscfiles_read_localization(winbind_t) @@ -8008,7 +8493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -713,10 +794,6 @@ +@@ -713,10 +788,6 @@ ') optional_policy(` @@ -8019,7 +8504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -736,6 +813,7 @@ +@@ -736,6 +807,7 @@ read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) 
@@ -8027,32 +8512,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_helper_t samba_var_t:dir search; stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) -@@ -763,4 +841,25 @@ +@@ -763,4 +835,60 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) -+') + ') + +######################################## +# +# samba_unconfined_script_t local policy +# -+type samba_unconfined_script_t; -+domain_type(samba_unconfined_script_t) -+role system_r types samba_unconfined_script_t; ++optional_policy(` ++ type samba_unconfined_script_t; ++ domain_type(samba_unconfined_script_t) ++ role system_r types samba_unconfined_script_t; + -+# This type is used for executable scripts files -+type samba_unconfined_script_exec_t; -+corecmd_shell_entry_type(samba_unconfined_script_t) -+domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t) -+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -+allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ # This type is used for executable scripts files ++ type samba_unconfined_script_exec_t; ++ corecmd_shell_entry_type(samba_unconfined_script_t) ++ domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t) ++ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; ++ allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ ++ tunable_policy(`samba_run_unconfined',` ++ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ++ ') ++ unconfined_domain(samba_unconfined_script_t) ++') + -+tunable_policy(`samba_run_unconfined',` -+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) - ') -+unconfined_domain(samba_unconfined_script_t) ++######################################## ++# ++# smbcontrol local policy ++# ++ ++## internal communication is often done using fifo 
and unix sockets. ++allow smbcontrol_t self:fifo_file rw_file_perms; ++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(smbcontrol_t) ++ ++libs_use_ld_so(smbcontrol_t) ++libs_use_shared_libs(smbcontrol_t) ++ ++miscfiles_read_localization(smbcontrol_t) ++ ++files_search_var_lib(smbcontrol_t) ++samba_read_config(smbcontrol_t) ++samba_rw_var_files(smbcontrol_t) ++samba_search_var(smbcontrol_t) ++samba_read_winbind_pid(smbcontrol_t) ++ ++allow smbcontrol_t smbd_t:process signal; ++allow smbd_t smbcontrol_t:process { signal signull }; ++ ++allow nmbd_t smbcontrol_t:process signal; ++allow smbcontrol_t nmbd_t:process { signal signull }; ++ ++allow smbcontrol_t winbind_t:process { signal signull }; ++allow winbind_t smbcontrol_t:process signal; ++ ++allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/sasl.te 2007-08-07 09:42:35.000000000 -0400 @@ -8430,8 +8950,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.6.4/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ssh.if 2007-08-07 09:42:35.000000000 -0400 -@@ -709,3 +709,42 @@ ++++ serefpolicy-2.6.4/policy/modules/services/ssh.if 2007-09-11 09:11:48.000000000 -0400 +@@ -521,6 +521,7 @@ + + optional_policy(` + kerberos_use($1_t) ++ kerberos_manage_host_rcache($1_t) + ') + + optional_policy(` +@@ -709,3 +710,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
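Review bot: The smbcontrol_t block in this hunk reaches samba's own types through the module's public interfaces (`samba_read_config`, `samba_rw_var_files`, `samba_search_var`, `samba_read_winbind_pid`) while the rule a few lines below names `nmbd_var_run_t` directly; inside samba.te the refpolicy convention is to use the module's own types directly, since those interfaces only gen_require types already declared in this file. The `## internal communication is often done using fifo and unix sockets.` line uses the double-hash prefix that the refpolicy documentation tooling reserves for interface documentation in .if files; in a .te file it should be a plain `# ...` comment. Also worth noting that `unconfined_domain(samba_unconfined_script_t)` and the smbd_t search/ioctl rules on samba_unconfined_script_exec_t now apply whenever the unconfined module is present, with only the `domtrans_pattern` gated by `samba_run_unconfined`; that is sound as long as the transition stays the only way into the domain, which a one-line comment above the tunable block could state.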
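Review bot: `kerberos_manage_host_rcache($1_t)` is not defined anywhere on this page, and the telnet hunk below calls the same interface for telnetd_t; unless kerberos.if is extended elsewhere in this patch, the build will fail at interface expansion. The enclosing template starts outside the hunk, so which domain `$1_t` denotes is not visible here. Manage rights on the host replay cache are plausible for a service that accepts tickets, but a comment stating which operation needs write access to the rcache would justify manage over read.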
@@ -8510,6 +9038,83 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.6.4/policy/modules/services/telnet.te +--- nsaserefpolicy/policy/modules/services/telnet.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/telnet.te 2007-09-11 09:05:30.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(telnet,1.4.0) ++policy_module(telnet,1.5.0) + + ######################################## + # +@@ -32,7 +32,6 @@ + allow telnetd_t self:udp_socket create_socket_perms; + # for identd; cjp: this should probably only be inetd_child rules? + allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow telnetd_t self:netlink_route_socket r_netlink_socket_perms; + allow telnetd_t self:capability { setuid setgid }; + + allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; +@@ -49,7 +48,8 @@ + kernel_read_system_state(telnetd_t) + kernel_read_network_state(telnetd_t) + +-corenet_non_ipsec_sendrecv(telnetd_t) ++corenet_all_recvfrom_unlabeled(telnetd_t) ++corenet_all_recvfrom_netlabel(telnetd_t) + corenet_tcp_sendrecv_all_if(telnetd_t) + corenet_udp_sendrecv_all_if(telnetd_t) + corenet_tcp_sendrecv_all_nodes(telnetd_t) +@@ -61,10 +61,12 @@ + + fs_getattr_xattr_fs(telnetd_t) + ++auth_use_nsswitch(telnetd_t) + auth_rw_login_records(telnetd_t) + + corecmd_search_bin(telnetd_t) + ++files_read_usr_files(telnetd_t) + files_read_etc_files(telnetd_t) + files_read_etc_runtime_files(telnetd_t) + # for identd; cjp: this should probably only be inetd_child rules? 
+@@ -79,9 +81,7 @@ + + miscfiles_read_localization(telnetd_t) + +-seutil_dontaudit_search_config(telnetd_t) +- +-sysnet_read_config(telnetd_t) ++seutil_read_config(telnetd_t) + + remotelogin_domtrans(telnetd_t) + +@@ -89,17 +89,16 @@ + optional_policy(` + kerberos_use(telnetd_t) + kerberos_read_keytab(telnetd_t) ++ kerberos_manage_host_rcache(telnetd_t) + ') + +-optional_policy(` +- nis_use_ypbind(telnetd_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(telnetd_t) ++ fs_manage_nfs_files(telnetd_t) + ') + +-optional_policy(` +- nscd_socket_use(telnetd_t) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(telnetd_t) ++ fs_manage_cifs_files(telnetd_t) + ') + +-ifdef(`TODO',` +-# Allow krb5 telnetd to use fork and open /dev/tty for use +-allow telnetd_t userpty_type:chr_file setattr; +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.6.4/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-08-22 08:28:44.000000000 -0400 
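Review bot: The new `tunable_policy(`use_nfs_home_dirs',` and `use_samba_home_dirs` blocks grant telnetd_t `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents, which is write, create and delete access to every NFS- or CIFS-mounted file rather than only home directories, for a daemon that runs before any user has authenticated and hands the session off through `remotelogin_domtrans(telnetd_t)`. Unless telnetd itself must write under home directories, the read-only forms (`fs_read_nfs_files(telnetd_t)`, `fs_read_cifs_files(telnetd_t)`) or leaving home-directory access to the login and user domains would be the tighter choice. If manage really is required, a comment naming the file telnetd writes would stop the next reviewer from narrowing it.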
@@ -8574,6 +9179,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) + +miscfiles_read_certs(httpd_w3c_validator_script_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.6.4/policy/modules/services/xfs.te +--- nsaserefpolicy/policy/modules/services/xfs.te 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/xfs.te 2007-09-11 08:17:28.000000000 -0400 +@@ -37,6 +37,15 @@ + kernel_read_kernel_sysctls(xfs_t) + kernel_read_system_state(xfs_t) + ++corenet_all_recvfrom_unlabeled(xfs_t) ++corenet_all_recvfrom_netlabel(xfs_t) ++corenet_tcp_sendrecv_generic_if(xfs_t) ++corenet_tcp_sendrecv_all_nodes(xfs_t) ++corenet_tcp_sendrecv_all_ports(xfs_t) ++corenet_tcp_bind_all_nodes(xfs_t) ++corenet_tcp_bind_xfs_port(xfs_t) ++corenet_sendrecv_xfs_client_packets(xfs_t) ++ + corecmd_list_bin(xfs_t) + + dev_read_sysfs(xfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400 @@ -10831,7 +11455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-09-10 14:35:42.000000000 -0400 @@ -1,10 +1,8 @@ policy_module(selinuxutil,1.5.0) 
@@ -11028,7 +11652,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dev_read_urand(semanage_t) -@@ -595,6 +611,8 @@ +@@ -581,6 +597,7 @@ + files_read_etc_runtime_files(semanage_t) + files_read_usr_files(semanage_t) + files_list_pids(semanage_t) ++fs_list_inotifyfs(semanage_t) + + mls_file_write_down(semanage_t) + mls_rangetrans_target(semanage_t) +@@ -595,6 +612,8 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) @@ -11037,7 +11669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -621,6 +639,15 @@ +@@ -621,6 +640,15 @@ userdom_search_sysadm_home_dirs(semanage_t) @@ -11053,7 +11685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -700,6 +727,8 @@ +@@ -700,6 +728,8 @@ ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. optional_policy(`