From 49b960b9706f8d31257f966a723747b7dc315917 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 31 2007 21:06:21 +0000 Subject: - Allow ppp to signal networkmanager - Allow mount to transition to lvm --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 10b750b..9674bcd 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -1827,8 +1827,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f /opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-11-14 10:47:47.000000000 -0500 -@@ -36,6 +36,11 @@ ++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-12-31 06:44:11.000000000 -0500 +@@ -7,6 +7,7 @@ + /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -36,6 +37,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
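Review bot: `/usr/bin/git-shell` is inserted between `/bin/bash2` and `/bin/ksh.*` in corecommands.fc, so the new entry breaks the path ordering the surrounding `/bin/*` shell lines follow; the file's `/usr/bin` entries live further down. Labelling it `shell_exec_t` also means every domain that may execute or enter through shell_exec_t can now do so via git-shell, which is presumably the intent for git-only accounts, but nothing in the hunk records that. A one-line comment above it, e.g. `# git-shell is a restricted login shell; labelled like the other shells on purpose`, would make the decision reviewable.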
@@ -1840,7 +1848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -72,10 +77,6 @@ +@@ -72,10 +78,6 @@ /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') @@ -1851,7 +1859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /lib # -@@ -131,7 +132,10 @@ +@@ -131,7 +133,10 @@ /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -1863,7 +1871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) -@@ -164,6 +168,10 @@ +@@ -164,6 +169,10 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -1874,7 +1882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -189,6 +197,7 @@ +@@ -189,6 +198,7 @@ ifdef(`distro_redhat', ` /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -1882,7 +1890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -220,6 +229,7 @@ +@@ -220,6 +230,7 @@ /usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -1890,7 +1898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -248,6 +258,7 @@ +@@ -248,6 +259,7 @@ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -1898,7 +1906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -256,3 +267,18 @@ +@@ -256,3 +268,18 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -2056,7 +2064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-11-07 08:37:43.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-12-31 07:12:48.000000000 -0500 @@ -48,6 +48,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -2086,7 +2094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -100,7 +106,7 @@ +@@ -100,11 +106,12 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) @@ -2095,7 +2103,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(mail, tcp,2000,s0) -@@ -114,6 +120,7 @@ + network_port(monopd, tcp,1234,s0) ++network_port(mythtv, tcp,6543,s0, udp,6543,s0) + network_port(mysqld, tcp,3306,s0) + network_port(nessus, tcp,1241,s0) + network_port(netsupport, tcp,5405,s0, udp,5405,s0) +@@ -114,6 +121,7 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) 
@@ -2103,7 +2116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) -@@ -152,13 +159,18 @@ +@@ -152,13 +160,18 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) @@ -3645,7 +3658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-09-05 07:17:12.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-12-31 07:12:12.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -3673,7 +3686,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -@@ -120,10 +116,6 @@ +@@ -96,6 +92,7 @@ + dev_read_urand(httpd_$1_script_t) + + corecmd_exec_all_executables(httpd_$1_script_t) ++ application_exec_all(httpd_$1_script_t) + + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) +@@ -120,10 +117,6 @@ can_exec(httpd_$1_script_t, httpdcontent) ') 
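Review bot: The new `application_exec_all(httpd_$1_script_t)` in the apache.if hunk `@@ -96,6 +92,7 @@` is unconditional, so every script domain instantiated from this template (which looks like `apache_content_template`, whose body starts outside the hunk) gains execute on every `application_exec_type` file on top of the `corecmd_exec_all_executables` line directly above it. The same interface is used for `httpd_t` itself in the apache.te hunk `@@ -322,9 +359,7 @@` further down. Since neither call says which helper or interpreter needed more than bin_t/shell_exec_t, a why-comment such as `# scripts may exec any application executable, not only bin_t/shell_exec_t` would record the reason for the widening.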
@@ -3684,7 +3705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -@@ -214,10 +206,6 @@ +@@ -214,10 +207,6 @@ ') optional_policy(` @@ -3695,7 +3716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) ') -@@ -268,8 +256,11 @@ +@@ -268,8 +257,11 @@ ') apache_content_template($1) @@ -3708,7 +3729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; -@@ -434,6 +425,24 @@ +@@ -434,6 +426,24 @@ ######################################## ## @@ -3733,7 +3754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Inherit and use file descriptors from Apache. ## ## -@@ -752,6 +761,7 @@ +@@ -752,6 +762,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -3741,7 +3762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -923,7 +933,7 @@ +@@ -923,7 +934,7 @@ type httpd_squirrelmail_t; ') @@ -3750,7 +3771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1000,3 +1010,159 @@ +@@ -1000,3 +1011,159 @@ allow $1 httpd_sys_script_t:dir search_dir_perms; ') 
@@ -3912,7 +3933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-12-26 19:16:45.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-12-31 07:17:50.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(apache,1.6.0) @@ -4010,7 +4031,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_non_ipsec_sendrecv(httpd_t) corenet_tcp_sendrecv_all_if(httpd_t) -@@ -342,6 +379,9 @@ +@@ -322,9 +359,7 @@ + + auth_use_nsswitch(httpd_t) + +-# execute perl +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) ++application_exec_all(httpd_t) + + domain_use_interactive_fds(httpd_t) + +@@ -342,6 +377,9 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -4020,7 +4052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -360,16 +400,14 @@ +@@ -360,16 +398,14 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -4040,7 +4072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`allow_httpd_anon_write',` -@@ -382,6 +420,7 @@ +@@ -382,6 +418,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -4048,7 +4080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -389,6 +428,16 @@ +@@ -389,6 +426,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
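Review bot: Replacing `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with `application_exec_all(httpd_t)` in the apache.te hunk `@@ -322,9 +359,7 @@` is only a no-op if `application_exec_all` also covers `bin_t` and `shell_exec_t`; as far as I know the refpolicy interface is defined on the `application_exec_type` attribute, in which case httpd loses the bin/shell execution the dropped `# execute perl` comment referred to, and otherwise it gains execute on every application type. Either way the explanatory comment went away with the rules; keep it, updated to what is now granted, e.g. `# execute perl and any other application executable`. The interface definition is not in this patch, so please confirm against application.if before merging.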
@@ -4065,7 +4097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -416,6 +465,10 @@ +@@ -416,6 +463,10 @@ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; ') @@ -4076,7 +4108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -433,11 +486,21 @@ +@@ -433,11 +484,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -4098,7 +4130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -459,10 +522,27 @@ +@@ -459,10 +520,27 @@ ') optional_policy(` @@ -4126,7 +4158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac daemontools_service_domain(httpd_t, httpd_exec_t) ') -@@ -486,7 +566,6 @@ +@@ -486,7 +564,6 @@ optional_policy(` nagios_read_config(httpd_t) @@ -4134,7 +4166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -506,6 +585,7 @@ +@@ -506,6 +583,7 @@ ') optional_policy(` @@ -4142,7 +4174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -606,6 +686,10 @@ +@@ -606,6 +684,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -4153,7 +4185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -668,6 +752,12 @@ +@@ -668,6 +750,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -4166,7 +4198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -685,18 +775,6 @@ +@@ -685,18 +773,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4185,7 +4217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -706,7 +784,8 @@ +@@ -706,7 +782,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -4195,7 +4227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -720,21 +799,64 @@ +@@ -720,21 +797,64 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -4265,7 +4297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -754,14 +876,8 @@ +@@ -754,14 +874,8 @@ # Apache unconfined script local policy # @@ -4281,7 +4313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -784,7 +900,19 @@ +@@ -784,7 +898,19 @@ miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -4672,8 +4704,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.6.4/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/clamav.fc 2007-11-14 10:43:00.000000000 -0500 -@@ -9,8 +9,9 @@ ++++ serefpolicy-2.6.4/policy/modules/services/clamav.fc 2007-12-31 09:06:13.000000000 -0500 +@@ -9,8 +9,10 @@ /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) @@ -4682,7 +4714,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te @@ -6893,7 +6926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 
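Review bot: The replacement patterns `/var/log/clamav.*` and `/var/log/clamd.*` in clamav.fc drop both the object-class qualifier and the path anchoring of the entries they replace: with an unescaped `.` and a bare `.*` they match any entry under `/var/log` whose name merely starts with `clamav` or `clamd`, of any class, not just the `clamav` directory, its contents and a `clamav.log`. If the intent is the directory plus a sibling log file, `/var/log/clamav(/.*)?`, `/var/log/clamav\.log.*` and `/var/log/clamd\.log.*` express that without the over-match. The more specific `/var/log/clamav/freshclam.*` line should still win for freshclam files because of its longer literal stem, but that is worth confirming with `matchpathcon` after the change.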
@@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.85 2007/12/27 01:16:34 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.86 2007/12/31 21:06:21 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -7074,7 +7107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.85 2007/12/27 01:16:34 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.86 2007/12/31 21:06:21 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -7890,8 +7923,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. +/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.6.4/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/lpd.if 2007-08-07 09:42:35.000000000 -0400 -@@ -394,3 +394,22 @@ ++++ serefpolicy-2.6.4/policy/modules/services/lpd.if 2007-12-31 06:41:14.000000000 -0500 +@@ -317,10 +317,8 @@ + ') + + files_search_spool($1) ++ manage_dirs_pattern($1,print_spool_t,print_spool_t) + manage_files_pattern($1,print_spool_t,print_spool_t) +- +- # cjp: cups wants setattr +- allow $1 print_spool_t:dir setattr; + ') + + ######################################## +@@ -394,3 +392,22 @@ domtrans_pattern($2, lpr_exec_t, $1_lpr_t) ') 
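Review bot: In the lpd.if hunk `@@ -317,10 +317,8 @@` the `allow $1 print_spool_t:dir setattr;` that the removed `# cjp: cups wants setattr` comment justified is replaced by `manage_dirs_pattern($1,print_spool_t,print_spool_t)`, which additionally lets the caller create, delete and rename spool directories. The enclosing interface starts outside the hunk; if its `<summary>` still describes managing spool files only, it should now say directories are managed too, and a comment recording who needs that, e.g. `# cups needs to manage spool directories, not only setattr` (if cups is still the consumer), would replace the one dropped.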
@@ -7916,8 +7961,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-2.6.4/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/mailman.if 2007-08-07 09:42:35.000000000 -0400 -@@ -275,6 +275,25 @@ ++++ serefpolicy-2.6.4/policy/modules/services/mailman.if 2007-12-31 14:17:22.000000000 -0500 +@@ -275,6 +275,44 @@ ####################################### ## @@ -7940,6 +7985,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + +####################################### +## ++## read ++## mailman logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailman_read_log',` ++ gen_require(` ++ type mailman_log_t; ++ ') ++ ++ read_files_pattern($1,mailman_log_t,mailman_log_t) ++') ++ ++####################################### ++## ## Allow domain to read mailman archive files. ## ## 
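Review bot: The new `mailman_read_log` interface grants `read_files_pattern($1,mailman_log_t,mailman_log_t)` but nothing for the parent log directory, so a caller that does not already search /var/log will fail at the path lookup before reaching the file; many refpolicy `*_read_log` interfaces carry `logging_search_logs($1)` for that reason, and adding it above the read pattern would make this one self-contained. The first caller is `postfix_local_t` in the postfix.te hunk further down, and I cannot tell from this patch whether it already has that search. The `<summary>` is also split awkwardly across `## read` / `## mailman logs.`; `## Read mailman log files.` on one line matches the neighbouring interfaces.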
@@ -8272,6 +8336,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.6.4/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/mysql.te 2007-12-31 07:00:25.000000000 -0500 +@@ -33,7 +33,8 @@ + allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; +-allow mysqld_t self:fifo_file { read write }; ++allow mysqld_t self:fifo_file rw_fifo_file_perms; ++allow mysqld_t self:shm create_shm_file_perms; + allow mysqld_t self:unix_stream_socket create_stream_socket_perms; + allow mysqld_t self:tcp_socket create_stream_socket_perms; + allow mysqld_t self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-09-01 07:24:41.000000000 -0400 
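Review bot: `create_shm_file_perms` in the new mysql.te rule `allow mysqld_t self:shm create_shm_file_perms;` does not look like a defined permission set; the refpolicy set for class `shm` that I know of is `create_shm_perms`. If the name is undefined, m4 leaves it unexpanded and checkpolicy rejects the rule as an unknown permission for `shm`, which breaks the build of the whole module rather than just this rule. Please confirm against obj_perm_sets.spt and, if so, change the line to `allow mysqld_t self:shm create_shm_perms;`.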
@@ -8417,18 +8494,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.6.4/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.fc 2007-08-07 09:42:35.000000000 -0400 -@@ -1,5 +1,6 @@ ++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.fc 2007-12-31 08:49:01.000000000 -0500 +@@ -1,5 +1,7 @@ /usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/(s)?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if 2007-08-07 09:42:35.000000000 -0400 -@@ -78,3 +78,22 @@ ++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if 2007-12-31 08:56:57.000000000 -0500 +@@ -78,3 +78,40 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') 
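Review bot: Labelling `/usr/sbin/NetworkManagerDispatcher` as `NetworkManager_exec_t` in networkmanager.fc puts the dispatcher in the daemon's own domain (presumably through the existing transition on that exec type, which is outside this hunk), so it inherits everything `NetworkManager_t` has, including the `kernel_load_module`, `ptrace` and dbus rights visible in the networkmanager.te context below. If, as its name suggests, the dispatcher only runs hook scripts, a dedicated domain would be the least-privilege choice; at minimum a comment such as `# dispatcher deliberately shares the daemon domain` next to the entry would record that this was considered.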
@@ -8451,10 +8529,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t) + +') ++ ++######################################## ++## ++## Send a generic signal to NetworkManager ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_signal',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.6.4/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te 2007-10-17 14:24:35.000000000 -0400 -@@ -20,7 +20,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te 2007-12-31 14:14:32.000000000 -0500 +@@ -1,4 +1,3 @@ +- + policy_module(networkmanager,1.6.0) + + ######################################## +@@ -20,7 +19,7 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) @@ -8463,7 +8564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -@@ -41,6 +41,8 @@ +@@ -41,6 +40,8 @@ kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) 
@@ -8472,7 +8573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw corenet_non_ipsec_sendrecv(NetworkManager_t) corenet_tcp_sendrecv_all_if(NetworkManager_t) corenet_udp_sendrecv_all_if(NetworkManager_t) -@@ -145,6 +147,9 @@ +@@ -145,6 +146,9 @@ dbus_system_bus_client_template(NetworkManager,NetworkManager_t) dbus_connect_system_bus(NetworkManager_t) dbus_send_system_bus(NetworkManager_t) @@ -8482,7 +8583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -161,9 +166,15 @@ +@@ -161,9 +165,15 @@ ') optional_policy(` @@ -8498,7 +8599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -178,3 +189,4 @@ +@@ -178,3 +188,4 @@ vpn_domtrans(NetworkManager_t) vpn_signal(NetworkManager_t) ') @@ -9357,7 +9458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-10-12 09:13:26.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-12-31 14:16:44.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -9442,15 +9543,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -280,6 +312,7 @@ +@@ -280,6 +312,8 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) ++ mailman_read_log(postfix_local_t) ') optional_policy(` -@@ -386,7 +419,7 @@ +@@ -386,7 +420,7 @@ # Postfix pipe local policy # 
@@ -9459,7 +9561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -395,6 +428,10 @@ +@@ -395,6 +429,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -9470,7 +9572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -403,6 +440,10 @@ +@@ -403,6 +441,10 @@ ') optional_policy(` @@ -9481,7 +9583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -441,6 +482,10 @@ +@@ -441,6 +483,10 @@ ') optional_policy(` @@ -9492,7 +9594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) ') -@@ -519,8 +564,6 @@ +@@ -519,8 +565,6 @@ # Postfix smtp delivery local policy # @@ -9501,7 +9603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -528,6 +571,8 @@ +@@ -528,6 +572,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -9510,7 +9612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -536,6 +581,7 @@ +@@ -536,6 +582,7 @@ # # Postfix smtpd local policy # @@ -9518,7 +9620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; # connect to master process -@@ -552,9 +598,45 @@ +@@ -552,9 +599,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` 
@@ -9607,7 +9709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.6.4/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ppp.te 2007-10-31 07:37:19.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/ppp.te 2007-12-31 08:55:04.000000000 -0500 @@ -155,7 +155,7 @@ files_exec_etc_files(pppd_t) @@ -9617,7 +9719,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. files_dontaudit_write_etc_files(pppd_t) # for scripts -@@ -202,6 +202,8 @@ +@@ -164,6 +164,8 @@ + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) + ++auth_use_nsswitch(pppd_t) ++ + libs_use_ld_so(pppd_t) + libs_use_shared_libs(pppd_t) + +@@ -202,14 +204,12 @@ optional_policy(` mta_send_mail(pppd_t) @@ -9626,6 +9737,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` +- nis_use_ypbind(pppd_t) +-') +- +-optional_policy(` +- nscd_socket_use(pppd_t) ++ NetworkManager_signal(pppd_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.6.4/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/procmail.te 2007-08-07 09:42:35.000000000 -0400 
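Review bot: `NetworkManager_signal(pppd_t)` in the ppp.te hunk `@@ -202,14 +204,12 @@` does not match the interface this same patch defines in networkmanager.if, which is `networkmanager_signal`; m4 macro names are case-sensitive, so the call will not expand and the policy build will fail on the literal text, or, if it is tolerated, pppd silently never gets the `signal` permission the commit title promises. Change the line to `networkmanager_signal(pppd_t)`. Folding the removed `nis_use_ypbind`/`nscd_socket_use` blocks into the `auth_use_nsswitch(pppd_t)` added in the previous hunk looks consistent with how the other hunks here handle nsswitch.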
@@ -11955,7 +12075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-12-27 11:36:50.000000000 -0500 @@ -83,6 +83,8 @@ manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t) logging_log_filetrans($1_xserver_t,xserver_log_t,file) @@ -11965,7 +12085,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state($1_xserver_t) kernel_read_device_sysctls($1_xserver_t) kernel_read_modprobe_sysctls($1_xserver_t) -@@ -540,6 +542,9 @@ +@@ -121,6 +123,7 @@ + dev_wx_raw_memory($1_xserver_t) + # for other device nodes such as the NVidia binary-only driver + dev_rw_xserver_misc($1_xserver_t) ++ dev_setattr_xserver_misc_dev($1_xserver_t) + # read events - the synaptics touchpad driver reads raw events + dev_rw_input_dev($1_xserver_t) + dev_rwx_zero($1_xserver_t) +@@ -540,6 +543,9 @@ allow $2 self:unix_dgram_socket create_socket_perms; allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -11975,7 +12103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Read .Xauthority file allow $2 $1_xauth_home_t:file { getattr read }; allow $2 $1_iceauth_home_t:file { getattr read }; -@@ -1136,7 +1141,7 @@ +@@ -1136,7 +1142,7 @@ type xdm_xserver_tmp_t; ') 
@@ -11984,7 +12112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1330,4 @@ +@@ -1325,3 +1331,4 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -14107,7 +14235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-12-21 02:33:51.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-12-31 09:58:45.000000000 -0500 @@ -9,6 +9,13 @@ ifdef(`targeted_policy',` ## @@ -14213,7 +14341,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -192,9 +212,6 @@ +@@ -183,6 +203,10 @@ + ') + ') + ++optional_policy(` ++ lvm_domtrans(mount_t) ++') ++ + # for kernel package installation + optional_policy(` + rpm_rw_pipes(mount_t) +@@ -192,9 +216,6 @@ samba_domtrans_smbmount(mount_t) ') @@ -14223,7 +14362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # -@@ -204,4 +221,30 @@ +@@ -204,4 +225,30 @@ ifdef(`targeted_policy',` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -14231,7 +14370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_dbus_chat(unconfined_mount_t) + ') + - ') ++') + +######################################## +# 
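Review bot: The new `lvm_domtrans(mount_t)` in the mount.te hunk `@@ -183,6 +203,10 @@` lets mount_t run LVM tools in the lvm_t domain unconditionally, with no tunable, and unlike the neighbouring `# for kernel package installation` block it carries no comment saying which mount scenario needs it. Add a why-comment above the `optional_policy`, e.g. `# mount needs to run lvm tools for <actual trigger>` with the real reason filled in, so the next reviewer can judge whether a boolean would be more appropriate. The hunk does not show what mount_t already has toward lvm_t, so confirm this does not duplicate an earlier `lvm_*` call.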
@@ -14252,7 +14391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_rw_pipes(mount_t) -+') + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te --- nsaserefpolicy/policy/modules/system/netlabel.te 2007-05-07 14:51:02.000000000 -0400