diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.12/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mcs/default_contexts 2009-04-07 16:01:44.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 -system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:crond_t:s0 system_r:system_cronjob_t:s0 +system_r:local_login_t:s0 user_r:user_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 -system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - -staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 - -sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 - -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.12/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.12/config/appconfig-mcs/failsafe_context 2009-04-07 16:01:44.000000000 -0400 
@@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mcs/root_default_contexts 2009-04-07 16:01:44.000000000 -0400 @@ -1,11 +1,7 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 - # # Uncomment if you want to automatically login as sysadm_r # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.12/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.12/config/appconfig-mcs/seusers 2009-04-07 16:01:44.000000000 -0400 
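Review bot: In appconfig-mcs/root_default_contexts the comment `# Uncomment if you want to automatically login as sysadm_r` stays above the `system_r:sshd_t:s0` entry, but that entry is now active and lists `unconfined_r:unconfined_t:s0` first, so the comment no longer describes the file. Either drop the three comment lines or reword them, for example `# root logins over sshd default to unconfined_r; list sysadm_r first to change that`. The appconfig-mls copy in this patch keeps the same entry commented out, so the change description should state that the two variants are meant to differ.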
@@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0-mcs_systemhigh diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mcs/staff_u_default_contexts 2009-04-07 16:01:44.000000000 -0400 @@ -1,10 +1,12 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:crond_t:s0 staff_r:staff_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +system_r:initrc_su_t:s0 staff_r:staff_t:s0 +staff_r:staff_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mcs/unconfined_u_default_contexts 2009-04-07 16:01:44.000000000 -0400 @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 
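Review bot: The new seusers line `__default__:unconfined_u:s0-mcs_systemhigh` maps every Linux account without its own entry to unconfined_u with the full category range, where it previously got `user_u:s0`. With a clearance that dominates every category, MCS separation no longer restricts ordinary logins, and only DAC and type enforcement remain. If this is the intended targeted-policy default, the change description should say so. Otherwise the level could stay at `s0`, with the wider range granted per account.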
@@ -6,4 +6,6 @@ system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.12/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.12/config/appconfig-mcs/userhelper_context 2009-04-07 16:01:44.000000000 -0400 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.12/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mcs/user_u_default_contexts 2009-04-07 16:01:44.000000000 -0400 @@ -1,8 +1,9 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 user_r:user_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mcs/virtual_domain_context --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mcs/virtual_domain_context 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.12/config/appconfig-mcs/virtual_image_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mcs/virtual_image_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.12/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/default_contexts 2009-04-07 16:01:44.000000000 -0400
@@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 -system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:crond_t:s0 system_r:system_crond_t:s0 +system_r:local_login_t:s0 user_r:user_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 -system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - -staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 - -sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 - -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.12/config/appconfig-mls/root_default_contexts --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/config/appconfig-mls/root_default_contexts 2009-04-07 16:01:44.000000000 -0400 
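Review bot: The new crond entry in appconfig-mls/default_contexts names `system_r:system_crond_t:s0`, while the matching entry added to appconfig-mcs/default_contexts in this same patch names `system_r:system_cronjob_t:s0`. Unless `system_crond_t` is still declared or aliased somewhere outside this diff, the MLS entry points at a type that does not exist, and the crond default would not resolve to a valid context under MLS. If the two files are meant to agree, the line should read `system_r:crond_t:s0 system_r:system_cronjob_t:s0`.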
@@ -1,11 +1,11 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 # # Uncomment if you want to automatically login as sysadm_r # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.12/config/appconfig-mls/securetty_types --- nsaserefpolicy/config/appconfig-mls/securetty_types 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.12/config/appconfig-mls/securetty_types 2009-04-20 10:13:02.000000000 -0400 
@@ -1,6 +1 @@
-auditadm_tty_device_t
-secadm_tty_device_t
-staff_tty_device_t
-sysadm_tty_device_t
-unconfined_tty_device_t
 user_tty_device_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/virtual_domain_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:qemu_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.12/config/appconfig-mls/virtual_image_context
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/config/appconfig-mls/virtual_image_context 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:virt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.12/Makefile
--- nsaserefpolicy/Makefile 2009-01-19 11:07:35.000000000 -0500
+++ serefpolicy-3.6.12/Makefile 2009-04-07 16:01:44.000000000 -0400
@@ -241,7 +241,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) 
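Review bot: `appfiles` now lists `virtual_image_context` and `virtual_domain_context` unconditionally, but the files added in the visible part of this patch exist only under config/appconfig-mcs and config/appconfig-mls. These names are installed through the generic `$(appdir)/%: $(appconf)/%` rule, so a build with another TYPE (appconfig-standard, if it is not patched elsewhere) would stop with no rule to make the target. Either add the two files for every appconfig variant, or add the names only where they exist, e.g. `$(notdir $(wildcard $(appconf)/virtual_*_context))`.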
@@ -315,20 +315,22 @@ # parse-rolemap modulename,outputfile define parse-rolemap - $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ - $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + echo "" >> $2 +# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 endef # perrole-expansion modulename,outputfile define perrole-expansion - $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 - $(call parse-rolemap,$1,$2) - $(verbose) echo "')" >> $2 - - $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 - $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 - $(call parse-rolemap-compat,$1,$2) - $(verbose) echo "')" >> $2 + echo "No longer doing perrole-expansion" +# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +# $(call parse-rolemap,$1,$2) +# $(verbose) echo "')" >> $2 + +# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +# $(call parse-rolemap-compat,$1,$2) +# $(verbose) echo "')" >> $2 endef # create-base-per-role-tmpl modulenames,outputfile @@ -397,7 +399,7 @@ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "#" >> $@ $(verbose) cat $@.in >> $@ - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ + $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \ | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ 
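Review bot: The bodies of `parse-rolemap` and `perrole-expansion` are disabled by prefixing each line with `#`, but inside a `define` those lines remain part of the variable, so they are not Make comments. Every `$(call ...)` still expands them, including the nested `$(call parse-rolemap,$1,$2)`, and passes the result to the shell as comment text. Delete the old lines instead of commenting them out. The two new `echo` lines also lack the `$(verbose)` prefix the rest of the file uses, and `perrole-expansion` no longer creates `$2`, so any caller that expects that file (callers are outside this hunk) should be checked.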
@@ -527,6 +529,10 @@ @mkdir -p $(appdir)/users $(verbose) $(INSTALL) -m 644 $^ $@ +$(appdir)/initrc_context: $(tmpdir)/initrc_context + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ + $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.12/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500 +++ serefpolicy-3.6.12/man/man8/httpd_selinux.8 2009-04-13 10:52:18.000000000 -0400 @@ -22,7 +22,7 @@ .EX httpd_sys_content_t .EE -- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon. +- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. .EX httpd_sys_script_exec_t .EE @@ -30,11 +30,11 @@ .EX httpd_sys_content_rw_t .EE -- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. +- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. .EX httpd_sys_content_ra_t .EE -- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. +- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. .EX httpd_unconfined_script_exec_t .EE 
@@ -57,8 +57,7 @@ .EE .SH BOOLEANS -SELinux policy is customizable based on least access required. So by -default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. .PP httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this @@ -67,7 +66,7 @@ .EE .PP -httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. .EX setsebool -P httpd_enable_homedirs 1 
@@ -75,7 +74,7 @@ .EE .PP -httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. .EX setsebool -P httpd_tty_comm 1 @@ -89,7 +88,7 @@ .EE .PP -httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. +SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. .EX setsebool -P httpd_can_sendmail 1 
@@ -102,7 +101,7 @@ .EE .PP -httpd scripts by default are not allowed to connect out to the network. +SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.12/man/man8/kerberos_selinux.8 --- nsaserefpolicy/man/man8/kerberos_selinux.8 2009-03-05 09:22:34.000000000 -0500 +++ serefpolicy-3.6.12/man/man8/kerberos_selinux.8 2009-04-13 10:53:14.000000000 -0400 @@ -12,7 +12,7 @@ .SH "DESCRIPTION" Security-Enhanced Linux secures the system via flexible mandatory access -control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. +control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. .SH BOOLEANS .PP You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.12/man/man8/nfs_selinux.8 --- nsaserefpolicy/man/man8/nfs_selinux.8 2009-03-05 09:22:34.000000000 -0500 +++ serefpolicy-3.6.12/man/man8/nfs_selinux.8 2009-04-13 10:49:43.000000000 -0400 
@@ -6,7 +6,7 @@ Security Enhanced Linux secures the NFS server via flexible mandatory access control. .SH BOOLEANS -SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: +SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: .TP setsebool -P nfs_export_all_ro 1 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-3.6.12/man/man8/ypbind_selinux.8 --- nsaserefpolicy/man/man8/ypbind_selinux.8 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.12/man/man8/ypbind_selinux.8 2009-04-13 10:54:03.000000000 -0400 @@ -4,7 +4,7 @@ .SH "DESCRIPTION" Security-Enhanced Linux secures the system via flexible mandatory access -control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network. +control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. .SH BOOLEANS .TP You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/policy/global_tunables 2009-04-07 16:01:44.000000000 -0400 @@ -61,15 +61,6 @@ ## ##

-## Allow email client to various content. -## nfs, samba, removable devices, and user temp -## files -##

-##
-gen_tunable(mail_read_content,false) - -## -##

## Allow any files/directories to be exported read/write via NFS. ##

##
@@ -111,3 +102,12 @@ ##

## gen_tunable(user_tcp_server,false) + +## +##

+## Allow direct login to the console device. Required for System 390 +##

+##
+gen_tunable(allow_console_login,false) + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs --- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500 +++ serefpolicy-3.6.12/policy/mcs 2009-04-07 16:01:44.000000000 -0400 @@ -67,7 +67,7 @@ # Note that getattr on files is always permitted. # mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } - ( h1 dom h2 ); + (( h1 dom h2 ) or ( t1 == mlsfilewrite )); mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); @@ -75,7 +75,7 @@ # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite )); # At this time we do not restrict "ps" type operations via MCS. This # will probably change in future. @@ -84,10 +84,10 @@ # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); + (( h1 dom h2 ) or ( t1 == mlsfilewrite )); mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite )); mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.12/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/anaconda.te 2009-04-07 16:01:44.000000000 -0400 
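Review bot: The added `or ( t1 == mlsfilewrite )` alternative in policy/mcs lets any domain carrying the mlsfilewrite attribute skip the category dominance check for file writes, and in the two create/relabelto constraints it also skips the `l2 eq h2` single-level requirement. The same alternative appears in the hunks at -75, -84 and the dir/lnk_file create constraint. The comment left above them (`New filesystem object labels must be dominated by the relabeling subject clearance, also the objects are single-level.`) is no longer accurate. Please update it, e.g. `# Domains with the mlsfilewrite attribute are exempt from these checks.`, and list in the description which types are expected to hold mlsfilewrite, since each of them becomes a way around MCS separation.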
@@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te 2009-04-07 16:01:44.000000000 -0400 @@ -27,15 +27,20 @@ fs_list_inotifyfs(certwatch_t) +auth_manage_cache(certwatch_t) +auth_filetrans_cache(certwatch_t) + logging_send_syslog_msg(certwatch_t) miscfiles_read_certs(certwatch_t) miscfiles_read_localization(certwatch_t) userdom_use_user_terminals(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) optional_policy(` apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-07 16:01:44.000000000 -0400 @@ -35,7 +35,7 @@ domain_use_interactive_fds(dmesg_t) -files_list_etc(dmesg_t) +files_read_etc_files(dmesg_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(dmesg_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.12/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/kismet.if 2009-04-07 16:01:44.000000000 -0400 
@@ -16,6 +16,7 @@ ') domtrans_pattern($1, kismet_exec_t, kismet_t) + allow kismet_t $1:process signull; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.12/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/kismet.te 2009-04-07 16:01:44.000000000 -0400 @@ -14,27 +14,36 @@ type kismet_var_run_t; files_pid_file(kismet_var_run_t) -type kismet_var_lib_t; -files_type(kismet_var_lib_t) - type kismet_log_t; logging_log_file(kismet_log_t) +type kismet_tmp_t; +files_tmp_file(kismet_tmp_t) + +type kismet_var_lib_t; +files_type(kismet_var_lib_t) + ######################################## # # kismet local policy # -allow kismet_t self:capability { net_admin net_raw setuid setgid }; +allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid }; +allow kismet_t self:process signal_perms; allow kismet_t self:fifo_file rw_file_perms; allow kismet_t self:packet_socket create_socket_perms; -allow kismet_t self:unix_dgram_socket create_socket_perms; +allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; allow kismet_t self:unix_stream_socket create_stream_socket_perms; +allow kismet_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) allow kismet_t kismet_log_t:dir setattr; logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) +manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir }) + allow kismet_t kismet_var_lib_t:file manage_file_perms; allow kismet_t kismet_var_lib_t:dir manage_dir_perms; files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) 
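Review bot: In kismet.te the capability line gains `dac_override` and `kill` with no comment saying which operation needs them. `dac_override` lets kismet_t ignore file permission bits on every object its type rules reach, which is a wide grant for a process that also holds `net_raw` and parses captured traffic. If the denial came from a single path such as the new kismet_tmp_t or the log directory, fixing ownership there is the narrower change. Otherwise record the reason beside the rule, e.g. `# dac_override: <path and reason>`.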
@@ -47,10 +56,22 @@ corecmd_exec_bin(kismet_t) +corenet_all_recvfrom_unlabeled(kismet_t) +corenet_all_recvfrom_netlabel(kismet_t) +corenet_tcp_sendrecv_generic_if(kismet_t) +corenet_tcp_sendrecv_generic_node(kismet_t) +corenet_tcp_sendrecv_all_ports(kismet_t) +corenet_tcp_bind_generic_node(kismet_t) +corenet_tcp_bind_kismet_port(kismet_t) +corenet_tcp_connect_kismet_port(kismet_t) +corenet_tcp_connect_pulseaudio_port(kismet_t) + auth_use_nsswitch(kismet_t) files_read_etc_files(kismet_t) +files_read_usr_files(kismet_t) miscfiles_read_localization(kismet_t) userdom_use_user_terminals(kismet_t) +userdom_read_user_tmpfs_files(kismet_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-04-07 15:53:36.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te 2009-04-07 16:01:44.000000000 -0400 @@ -116,8 +116,9 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) -userdom_dontaudit_search_user_home_dirs(logrotate_t) +userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) +userdom_dontaudit_list_admin_dir(logrotate_t) cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) @@ -149,6 +150,10 @@ ') optional_policy(` + bind_manage_cache(logrotate_t) +') + +optional_policy(` consoletype_exec(logrotate_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.12/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-03-20 12:39:40.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/logwatch.te 2009-04-07 16:01:44.000000000 -0400 
@@ -62,10 +62,9 @@ files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -files_dontaudit_search_home(logwatch_t) -files_dontaudit_search_boot(logwatch_t) # Execs df and if file system mounted with a context avc raised -files_dontaudit_search_all_dirs(logwatch_t) +files_search_all(logwatch_t) +files_getattr_all_file_type_fs(logwatch_t) fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) @@ -93,6 +92,7 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) mta_send_mail(logwatch_t) @@ -131,4 +131,5 @@ optional_policy(` samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.12/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/mrtg.te 2009-04-07 16:01:44.000000000 -0400 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) +userdom_dontaudit_list_admin_dir(mrtg_t) ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-04-07 16:01:44.000000000 -0400 
@@ -152,6 +152,10 @@ ') optional_policy(` + nagios_dontaudit_rw_pipes(ping_t) +') + +optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.12/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/prelink.fc 2009-04-07 16:01:44.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.12/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/prelink.if 2009-04-07 16:01:44.000000000 -0400 @@ -120,3 +120,23 @@ logging_search_logs($1) manage_files_pattern($1, prelink_log_t, prelink_log_t) ') + +######################################## +## +## Create, read, write, and delete +## prelink var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`prelink_manage_var_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-04-07 16:01:44.000000000 -0400 
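Review bot: In the prelink.fc hunk the new pattern `/var/lib/misc/prelink\*` escapes the asterisk, so as a file-context regular expression it matches only a name ending in a literal `*`, not every file whose name starts with `prelink`. If the intent is to label prelink's state files in /var/lib/misc, the entry should be `/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)`. Files the pattern misses would not receive `prelink_var_lib_t` from a relabel, so the `manage_files_pattern` rules this patch adds for that type in prelink.if and prelink.te would not cover them.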
@@ -21,12 +21,15 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) +type prelink_var_lib_t; +files_tmp_file(prelink_var_lib_t) + ######################################## # # Local policy # -allow prelink_t self:capability { chown dac_override fowner fsetid }; +allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; @@ -40,17 +43,20 @@ read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) -allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom }; +allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; files_tmp_filetrans(prelink_t, prelink_tmp_t, file) fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) +manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +files_search_var_lib(prelink_t) + # prelink misc objects that are not system # libraries or entrypoints allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; kernel_read_system_state(prelink_t) -kernel_dontaudit_search_kernel_sysctl(prelink_t) -kernel_dontaudit_search_sysctl(prelink_t) +kernel_read_kernel_sysctls(prelink_t) corecmd_manage_all_executables(prelink_t) corecmd_relabel_all_executables(prelink_t) @@ -65,6 +71,8 @@ files_read_etc_files(prelink_t) files_read_etc_runtime_files(prelink_t) files_dontaudit_read_all_symlinks(prelink_t) +files_manage_usr_files(prelink_t) +files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -81,6 +89,9 @@ userdom_use_user_terminals(prelink_t) +# prelink executables in the user homedir +userdom_manage_home_role(system_r, prelink_t) + optional_policy(` amanda_manage_lib(prelink_t) ') 
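Review bot: `prelink_var_lib_t` is declared with `files_tmp_file(prelink_var_lib_t)` in the first prelink.te hunk (@@ -21,12 +21,15 @@), which looks copied from the `prelink_tmp_t` declaration directly above it. The type is used for /var/lib content (the prelink.fc entry and `files_search_var_lib(prelink_t)`), and declaring it as a temporary-file type would presumably expose it to rules written against all tmp files, such as the `files_purge_tmp(tmpreaper_t)` line visible in tmpreaper.te. The declaration should be `files_type(prelink_var_lib_t)`, matching `files_type(rpm_var_lib_t)` in rpm.te.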
@@ -88,3 +99,7 @@ optional_policy(` cron_system_entry(prelink_t, prelink_exec_t) ') + +optional_policy(` + unconfined_domain(prelink_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-19 15:52:53.000000000 -0400 @@ -3,15 +3,12 @@ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) - -/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) - +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` 
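Review bot: The `unconfined_domain(prelink_t)` block added at the end of prelink.te carries no comment saying why prelink must be unconfined. Whenever the unconfined module is present it supersedes the narrower grants this patch adds above it (`sys_resource`, `execmod` on `prelink_tmp_t`, `files_manage_usr_files`, `userdom_manage_home_role`). Either the specific rules are sufficient and the block can go, or the block is required and the reason belongs in a comment above it, for example `# unconfined because: <denial the rules above do not cover>`. The same applies to the `unconfined_domain(tmpreaper_t)` block added at the end of tmpreaper.te.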
@@ -21,14 +18,18 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) # SuSE ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-04-21 14:06:47.000000000 -0400 @@ -146,6 +146,24 @@ ######################################## ## +## dontaudit read and write an unnamed RPM pipe. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpm_dontaudit_rw_pipes',` + gen_require(` + type rpm_t; + ') + + dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## ## Send and receive messages from ## rpm over dbus. ## 
@@ -167,6 +185,48 @@ ######################################## ## +## dontaudit attempts to Send and receive messages from +## rpm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_dontaudit_dbus_chat',` + gen_require(` + type rpm_t; + class dbus send_msg; + ') + + dontaudit $1 rpm_t:dbus send_msg; + dontaudit rpm_t $1:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## rpm_script over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_script_dbus_chat',` + gen_require(` + type rpm_script_t; + class dbus send_msg; + ') + + allow $1 rpm_script_t:dbus send_msg; + allow rpm_script_t $1:dbus send_msg; +') + +######################################## +## ## Create, read, write, and delete the RPM log. ## ## @@ -186,6 +246,24 @@ ######################################## ## +## Search RPM log directory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpm_search_log',` + gen_require(` + type rpm_log_t; + ') + + allow $1 rpm_log_t:dir search_dir_perms; +') + +######################################## +## ## Inherit and use file descriptors from RPM scripts. ## ## @@ -204,6 +282,24 @@ ######################################## ## +## dontaudit and use file descriptors from RPM scripts. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpm_dontaudit_use_script_fds',` + gen_require(` + type rpm_script_t; + ') + + dontaudit $1 rpm_script_t:fd use; +') + +######################################## +## ## Create, read, write, and delete RPM ## script temporary files. ## 
@@ -219,7 +315,29 @@ ') files_search_tmp($1) + manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + +######################################## +## +## read, RPM +## script temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_read_script_tmp_files',` + gen_require(` + type rpm_script_tmp_t; + ') + + read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ') ######################################## @@ -245,6 +363,24 @@ ######################################## ## +## Delete the RPM package database. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpm_delete_db',` + gen_require(` + type rpm_var_lib_t; + ') + + delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## ## Create, read, write, and delete the RPM package database. ## ## 
@@ -283,3 +419,175 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') + + +######################################## +## +## Allow application to transition to rpm_script domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_transition_script',` + gen_require(` + type rpm_script_t; + ') + + allow $1 rpm_script_t:process transition; + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:process sigchld; +') + +######################################## +## +## allow domain to read, +## write RPM tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_rw_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + allow $1 rpm_tmp_t:file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read, +## write RPM tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_rw_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + dontaudit $1 rpm_tmp_t:file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read, +## write RPM shm +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_rw_shm',` + gen_require(` + type rpm_t; + ') + + dontaudit $1 rpm_t:shm rw_shm_perms; +') + +######################################## +## +## Read/write rpm tmpfs files. +## +## +##

+## Read/write rpm tmpfs files. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`rpm_rw_tmpfs_files',` + gen_require(` + type rpm_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 rpm_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t) + read_lnk_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t) +') + +######################################## +## +## Transition to system_r when execute an rpm script +## +## +##

+## Execute rpm script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Role to transition from. +## +## +interface(`rpm_role_transition',` + gen_require(` + type rpm_exec_t; + ') + + role_transition $1 rpm_exec_t system_r; +') + +######################################## +## +## Do not audit attempts to write, and delete the +## RPM var run files +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_dontaudit_write_pid_files',` + gen_require(` + type rpm_var_run_t; + ') + + dontaudit $1 rpm_var_run_t:file write_file_perms; +') + +######################################## +## +## Send a null signal to rpm. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_signull',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:process signull; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-20 12:07:11.000000000 -0400 @@ -9,6 +9,8 @@ type rpm_t; type rpm_exec_t; init_system_domain(rpm_t, rpm_exec_t) +#application_domain(rpm_t, rpm_exec_t) + domain_obj_id_change_exemption(rpm_t) domain_role_change_exemption(rpm_t) domain_system_change_exemption(rpm_t) @@ -31,11 +33,15 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; +type rpm_var_run_t; +files_pid_file(rpm_var_run_t) + type rpm_script_t; type rpm_script_exec_t; domain_obj_id_change_exemption(rpm_script_t) domain_system_change_exemption(rpm_script_t) corecmd_shell_entry_type(rpm_script_t) +corecmd_bin_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) 
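Review bot: Some of the interfaces added to rpm.if in the hunk at @@ -283,3 +419,175 @@ are documented in a way that contradicts their rules. `rpm_rw_tmp_files` grants `allow $1 rpm_tmp_t:file rw_file_perms;` but describes its parameter as `Domain to not audit.`, the wording of the `rpm_dontaudit_*` interfaces next to it; it should read `Domain allowed access.`. The summary of `rpm_dontaudit_write_pid_files` says "write, and delete" while the rule covers only `write_file_perms`, so I would shorten it to `Do not audit attempts to write RPM var run files`. `rpm_role_transition` also lacks the `#` separator line that the other interfaces in this hunk place before `interface(`.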
@@ -52,8 +58,9 @@ # rpm Local policy # -allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod }; -allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; + +allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; @@ -68,6 +75,8 @@ allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; +allow rpm_t self:dir search; +allow rpm_t self:file rw_file_perms;; allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) @@ -87,8 +96,12 @@ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) +manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +files_pid_filetrans(rpm_t, rpm_var_run_t, file) + kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) +kernel_read_network_state_symlinks(rpm_t) corecmd_exec_all_executables(rpm_t) @@ -108,13 +121,16 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) +dev_read_raw_memory(rpm_t) #devices_manage_all_device_types(rpm_t) fs_manage_nfs_dirs(rpm_t) fs_manage_nfs_files(rpm_t) fs_manage_nfs_symlinks(rpm_t) fs_getattr_all_fs(rpm_t) +fs_getattr_all_dirs(rpm_t) fs_search_auto_mountpoints(rpm_t) +fs_list_inotifyfs(rpm_t) mls_file_read_all_levels(rpm_t) mls_file_write_all_levels(rpm_t) @@ -132,6 +148,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) +term_list_ptys(rpm_t) + auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) 
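Review bot: Removing `execmem` from the excluded set of `allow rpm_t self:process ~{ ... }` in the rpm.te hunk at @@ -52,8 +58,9 @@ grants that permission, because the rule is written as a complement. Together with `dev_read_raw_memory(rpm_t)` in the @@ -108,13 +121,16 @@ hunk this widens rpm_t with no comment naming the operation that needs it. I would add a why-comment to each in the style the file already uses (`# for installing kernel packages`). The @@ -68,6 +75,8 @@ hunk adds `allow rpm_t self:file rw_file_perms;;` with a doubled semicolon; it should be `allow rpm_t self:file rw_file_perms;`.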
@@ -155,6 +173,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) +init_use_script_ptys(rpm_t) libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) @@ -174,17 +193,28 @@ ') optional_policy(` + optional_policy(` hal_dbus_chat(rpm_t) ') optional_policy(` + networkmanager_dbus_chat(rpm_t) + ') + + optional_policy(` + dbus_system_domain(rpm_t, rpm_exec_t) + ') +') + +optional_policy(` prelink_domtrans(rpm_t) ') optional_policy(` - unconfined_domain(rpm_t) + unconfined_domain_noaudit(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) + unconfined_dbus_chat(rpm_script_t) ') ifdef(`TODO',` @@ -210,8 +240,8 @@ # rpm-script Local policy # -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; 
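Review bot: The rpm-script hunk at @@ -210,8 +240,8 @@ adds `sys_admin sys_ptrace sys_rawio net_admin` to the capability set and removes both `execmem` and `execstack` from the complement list, so rpm_script_t gains those two process permissions as well. None of the additions is explained, and a single long `allow` line makes it impossible to tie a capability to the package script that needed it. I would split the new capabilities into a separate rule with a comment per item, e.g. `allow rpm_script_t self:capability { sys_admin net_admin }; # <scriptlet that needs it>`. The rule's surrounding section starts and ends outside this hunk.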
@@ -222,12 +252,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; +allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) @@ -239,6 +272,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) +kernel_read_network_state(rpm_script_t) +kernel_list_all_proc(rpm_script_t) +kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) @@ -255,6 +291,7 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) +fs_getattr_all_fs(rpm_script_t) mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) @@ -272,14 +309,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) +term_getattr_unallocated_ttys(rpm_script_t) +term_list_ptys(rpm_script_t) term_use_all_terms(rpm_script_t) auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) # ideally we would not need this auth_manage_all_files_except_shadow(rpm_script_t) +auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) +can_exec(rpm_script_t, rpm_script_tmpfs_t) domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) 
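Review bot: `auth_relabel_shadow(rpm_script_t)` in the hunk at @@ -272,14 +309,19 @@ is added directly below `auth_manage_all_files_except_shadow(rpm_script_t)` and its `# ideally we would not need this` comment, which cuts against the shadow exclusion the line above is named for. Being able to relabel the shadow file can weaken that carve-out if the domain may then reach the file under another label, and a later hunk in this file adds `files_relabel_all_files(rpm_script_t)` as well. The line needs a comment naming the package operation that requires it, so the exception can be reviewed and removed later. The same hunk adds `can_exec(rpm_script_t, rpm_script_tmp_t)` and `can_exec(rpm_script_t, rpm_script_tmpfs_t)`, which would also benefit from a one-line reason.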
@@ -291,6 +333,7 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) init_domtrans_script(rpm_script_t) @@ -308,12 +351,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) +seutil_domtrans_setsebool(rpm_script_t) userdom_use_all_users_fds(rpm_script_t) +userdom_exec_admin_home_files(rpm_script_t) ifdef(`distro_redhat',` optional_policy(` mta_send_mail(rpm_script_t) + mta_system_content(rpm_var_run_t) ') ') @@ -326,13 +372,18 @@ ') optional_policy(` + lvm_domtrans(rpm_script_t) +') + +optional_policy(` tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') optional_policy(` - unconfined_domain(rpm_script_t) + unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) optional_policy(` java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/sudo.if 2009-04-07 16:01:44.000000000 -0400 @@ -32,6 +32,7 @@ gen_require(` type sudo_exec_t; + attribute sudodomain; ') ############################## @@ -39,7 +40,7 @@ # Declarations # - type $1_sudo_t; + type $1_sudo_t, sudodomain; application_domain($1_sudo_t, sudo_exec_t) domain_interactive_fd($1_sudo_t) ubac_constrained($1_sudo_t) 
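Review bot: `mta_system_content(rpm_var_run_t)` in the rpm.te hunk at @@ -308,12 +351,15 @@ is applied to a file type, not to a domain, and sits beside `mta_send_mail(rpm_script_t)` with no comment. If the interface does what its name suggests, every file labelled `rpm_var_run_t` becomes readable by the system mail domain, and rpm.fc in this patch assigns that label to `/var/run/yum.*` and `/var/run/PackageKit(/.*)?`. Please state which file is meant to be mailed and consider a dedicated type for it rather than marking the whole runtime directory as mail content.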
@@ -51,7 +52,7 @@ # # Use capabilities. - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; + allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; @@ -64,33 +65,37 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; + allow $1_sudo_t self:key manage_key_perms; + allow $1_sudo_t $1_t:key search; # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) + corecmd_bin_domtrans($1_sudo_t, $3) allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_file_perms; allow $3 $1_sudo_t:process sigchld; kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) - kernel_search_key($1_sudo_t) + kernel_link_key($1_sudo_t) dev_read_urand($1_sudo_t) + dev_rw_generic_usb_dev($1_sudo_t) + dev_read_sysfs($1_sudo_t) fs_search_auto_mountpoints($1_sudo_t) fs_getattr_xattr_fs($1_sudo_t) - auth_domtrans_chk_passwd($1_sudo_t) + auth_run_chk_passwd($1_sudo_t, $3) # sudo stores a token in the pam_pid directory auth_manage_pam_pid($1_sudo_t) auth_use_nsswitch($1_sudo_t) corecmd_read_bin_symlinks($1_sudo_t) - corecmd_getattr_all_executables($1_sudo_t) + corecmd_exec_all_executables($1_sudo_t) domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) 
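Review bot: In the sudo.if hunk at @@ -64,33 +65,37 @@, `corecmd_getattr_all_executables($1_sudo_t)` becomes `corecmd_exec_all_executables($1_sudo_t)` while `corecmd_bin_domtrans($1_sudo_t, $3)` is added under the comment `# By default, revert to the calling domain when a shell is executed.`. The hunk does not say which executables transition back to `$3` and which, if any, now run inside the sudo domain with its capabilities, and that distinction should be written down in the comment. `dev_rw_generic_usb_dev($1_sudo_t)` and `dev_read_sysfs($1_sudo_t)` are also added without explanation; if they serve a PAM module, a comment like the existing `# sudo stores a token in the pam_pid directory` would make that clear. The template body starts and ends outside this hunk.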
@@ -102,9 +107,11 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) + files_list_tmp($1_sudo_t) init_rw_utmp($1_sudo_t) + logging_send_audit_msgs($1_sudo_t) logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) @@ -114,6 +121,54 @@ userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) + + mta_role($2, $1_sudo_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_sudo_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_sudo_t) + ') + # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) + userdom_manage_all_users_keys($1_sudo_t) + + domain_role_change_exemption($1_sudo_t) + userdom_spec_domtrans_all_users($1_sudo_t) + + selinux_validate_context($1_sudo_t) + selinux_compute_relabel_context($1_sudo_t) + selinux_getattr_fs($1_sudo_t) + seutil_read_config($1_sudo_t) + seutil_search_default_contexts($1_sudo_t) + + userdom_use_user_terminals($1_sudo_t) + term_relabel_all_user_ttys($1_sudo_t) + term_relabel_all_user_ptys($1_sudo_t) + + optional_policy(` + dbus_system_bus_client($1_sudo_t) + ') ') + +######################################## +## +## Send a SIGCHLD signal to the sudo domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sudo_sigchld',` + gen_require(` + attribute sudodomain; + ') + + allow $1 sudodomain:process sigchld; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.12/policy/modules/admin/sudo.te --- nsaserefpolicy/policy/modules/admin/sudo.te 2009-01-05 15:39:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/sudo.te 2009-04-07 16:01:44.000000000 -0400 
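Review bot: `userdom_use_user_terminals($1_sudo_t)` is added a second time in the sudo.if hunk at @@ -114,6 +121,54 @@, a few lines below the context line that already makes the same call, so the new copy can be dropped. The same block adds `domain_role_change_exemption($1_sudo_t)`, `userdom_spec_domtrans_all_users($1_sudo_t)` and `userdom_manage_all_users_keys($1_sudo_t)` with no comment, which reads as letting every per-role sudo domain change role and enter any user domain. Please confirm that this is intended for confined roles as well and put a comment above the group saying so. The template begins outside this hunk.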
@@ -4,6 +4,7 @@ ######################################## # # Declarations +attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.12/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/su.if 2009-04-21 15:49:55.000000000 -0400 @@ -90,15 +90,6 @@ miscfiles_read_localization($1_su_t) - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) domain_subj_id_change_exemption($1_su_t) @@ -227,15 +218,6 @@ userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) domain_subj_id_change_exemption($1_su_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.12/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-11-11 16:13:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/admin/tmpreaper.te 2009-04-07 16:01:44.000000000 -0400 
@@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) +fs_list_inotifyfs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +files_getattr_lost_found_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) @@ -39,6 +43,26 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) +userdom_delete_user_home_content_dirs(tmpreaper_t) +userdom_delete_user_home_content_files(tmpreaper_t) +userdom_delete_user_home_content_symlinks(tmpreaper_t) + +optional_policy(` + amavis_manage_spool_files(tmpreaper_t) +') + +optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) +') + +optional_policy(` + kismet_manage_log(tmpreaper_t) +') + optional_policy(` lpd_manage_spool(tmpreaper_t) ') + +optional_policy(` + unconfined_domain(tmpreaper_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-03-20 12:39:40.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te 2009-04-07 16:01:44.000000000 -0400 @@ -326,6 +326,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) optional_policy(` nscd_domtrans(passwd_t) 
@@ -515,6 +516,12 @@ ') optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(useradd_t) + ') +') + +optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.12/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/vbetool.te 2009-04-07 16:01:44.000000000 -0400 @@ -23,6 +23,7 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) +domain_mmap_low_type(vbetool_t) domain_mmap_low(vbetool_t) term_use_unallocated_ttys(vbetool_t) @@ -34,3 +35,9 @@ hal_write_log(vbetool_t) hal_dontaudit_append_lib_files(vbetool_t) ') + +optional_policy(` + xserver_exec_pid(vbetool_t) + xserver_write_pid(vbetool_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-3.6.12/policy/modules/apps/ada.te --- nsaserefpolicy/policy/modules/apps/ada.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/ada.te 2009-04-09 04:47:52.000000000 -0400 @@ -21,5 +21,5 @@ userdom_use_user_terminals(ada_t) optional_policy(` - unconfined_domain_noaudit(ada_t) + unconfined_domain(ada_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/awstats.te 2009-04-07 16:01:44.000000000 -0400 
@@ -51,6 +51,8 @@ libs_read_lib_files(awstats_t) +logging_read_generic_logs(awstats_t) + miscfiles_read_localization(awstats_t) sysnet_dns_name_resolve(awstats_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.12/policy/modules/apps/cdrecord.fc --- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/cdrecord.fc 2009-04-07 16:01:44.000000000 -0400 @@ -2,4 +2,5 @@ # /usr # /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.12/policy/modules/apps/cpufreqselector.fc --- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/cpufreqselector.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1 @@ +/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.12/policy/modules/apps/cpufreqselector.if --- nsaserefpolicy/policy/modules/apps/cpufreqselector.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/cpufreqselector.if 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,2 @@ +## cpufreq-selector policy + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.12/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/cpufreqselector.te 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,44 @@ +policy_module(cpufreqselector,1.0.0) + +######################################## +# +# Declarations +# + +type cpufreqselector_t; +type cpufreqselector_exec_t; + +dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) + +######################################## +# +# cpufreq-selector local policy +# + +allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; +allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; + +files_read_etc_files(cpufreqselector_t) +files_read_usr_files(cpufreqselector_t) + +corecmd_search_bin(cpufreqselector_t) + +dev_rw_sysfs(cpufreqselector_t) + +fs_list_inotifyfs(cpufreqselector_t) + +userdom_read_all_users_state(cpufreqselector_t) + +nscd_dontaudit_search_pid(cpufreqselector_t) + +optional_policy(` + consolekit_dbus_chat(cpufreqselector_t) +') + +optional_policy(` + polkit_domtrans_auth(cpufreqselector_t) + polkit_read_lib(cpufreqselector_t) + polkit_read_reload(cpufreqselector_t) +') + +permissive cpufreqselector_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.12/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/gnome.fc 2009-04-15 08:01:57.000000000 -0400 
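Review bot: The new cpufreqselector.te ends with `permissive cpufreqselector_t;`, so denials for this domain are logged but not enforced and the rules above it do not yet confine the D-Bus-activated helper. The line should carry a comment marking it as temporary, e.g. `# TODO: remove once the policy is complete`, so it is not shipped indefinitely. `allow cpufreqselector_t self:capability { sys_nice sys_ptrace };` also grants `sys_ptrace` to a frequency-setting tool with no explanation, and I would ask for the denial that motivated it or drop it.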
@@ -1,8 +1,16 @@ HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.12/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/gnome.if 2009-04-15 08:01:57.000000000 -0400 
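Review bot: The new gnome.fc entry `HOME_DIR/\.local.*` is not anchored at a path separator, so it also matches sibling names such as `.localfoo`, and it labels everything under ~/.local as `gconf_home_t` although that directory is not specific to gconf. The neighbouring entries use the anchored form, so I would write `HOME_DIR/\.local(/.*)?` and add a comment on why that tree belongs to `gconf_home_t`. The hunk also comments out the only visible entry for `gconfd_exec_t` ("Don't use because toolchain is broken") while gnome.if in this patch adds `gnome_exec_gconf`, which requires that type. Unless another file labels it, that interface would grant execute on a type no file carries.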
@@ -89,5 +89,173 @@ allow $1 gnome_home_t:dir manage_dir_perms; allow $1 gnome_home_t:file manage_file_perms; + allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; userdom_search_user_home_dirs($1) ') + +######################################## +## +## Send general signals to all gconf domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_signal_all',` + gen_require(` + attribute gnomedomain; + ') + + allow $1 gnomedomain:process signal; +') + +######################################## +## +## read gnome homedir content (.config) +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_read_config',` + gen_require(` + type gnome_home_t; + ') + + read_files_pattern($1, gnome_home_t, gnome_home_t) +') + +######################################## +## +## read gconf config files +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_read_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + +####################################### +## +## Manage gconf config files +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + manage_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + +######################################## +## +## Execute gconf programs in +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; + ') + + can_exec($1, gconfd_exec_t) +') + +######################################## +## +## Read gconf home files +## +## +## +## Domain allowed access. 
+## +## +# +interface(`gnome_read_gconf_home_files',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir list_dir_perms; + read_files_pattern($1, gconf_home_t, gconf_home_t) +') + +######################################## +## +## manage gconf home files +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_manage_gconf_home_files',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir list_dir_perms; + manage_files_pattern($1, gconf_home_t, gconf_home_t) +') + +######################################## +## +## Connect to gnome over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`gnome_stream_connect',` + gen_require(` + type gnome_home_t; + ') + + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.12/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/gnome.te 2009-04-15 08:01:57.000000000 -0400 @@ -9,16 +9,18 @@ attribute gnomedomain; type gconf_etc_t; -files_type(gconf_etc_t) +files_config_file(gconf_etc_t) type gconf_home_t; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +typealias gconf_home_t alias unconfined_gconf_home_t; userdom_user_home_content(gconf_home_t) type gconf_tmp_t; typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; +typealias gconf_tmp_t alias unconfined_gconf_tmp_t; files_tmp_file(gconf_tmp_t) ubac_constrained(gconf_tmp_t) 
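Review bot: Several of the new interface headers in gnome.if do not match the bodies beneath them, which matters because callers decide what to grant from the header. `gnome_read_config` and `gnome_read_gconf_config` are declared with template() and document a prefix plus a user-domain parameter, yet only `$1` is used and no type is derived, so interface() with a single "Domain allowed access" parameter would be accurate. `gnome_signal_all` says "gconf domains" while the rule targets the `gnomedomain` attribute. In `gnome_stream_connect` the comment "Connect to pulseaudit server" should read pulseaudio, and the second parameter is the domain being connected to rather than just "the type of the user domain".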
@@ -32,8 +34,17 @@ type gnome_home_t; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; +typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) +type gconfdefaultsm_t; +type gconfdefaultsm_exec_t; +dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) + +type gnomesystemmm_t; +type gnomesystemmm_exec_t; +dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) + ############################## # # Local Policy 
@@ -73,3 +84,91 @@ xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') + +####################################### +# +# gconf-defaults-mechanisms local policy +# + +allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; + +fs_list_inotifyfs(gconfdefaultsm_t) + +corecmd_search_bin(gconfdefaultsm_t) + +files_read_etc_files(gconfdefaultsm_t) +files_read_usr_files(gconfdefaultsm_t) + +libs_use_ld_so(gconfdefaultsm_t) +libs_use_shared_libs(gconfdefaultsm_t) + +miscfiles_read_localization(gconfdefaultsm_t) + +gnome_manage_gconf_home_files(gconfdefaultsm_t) +gnome_manage_gconf_config(gconfdefaultsm_t) + +userdom_read_all_users_state(gconfdefaultsm_t) +userdom_search_user_home_dirs(gconfdefaultsm_t) + +userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) + +optional_policy(` + consolekit_dbus_chat(gconfdefaultsm_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(gconfdefaultsm_t) +') + +optional_policy(` + polkit_domtrans_auth(gconfdefaultsm_t) + polkit_read_lib(gconfdefaultsm_t) + polkit_read_reload(gconfdefaultsm_t) +') + +permissive gconfdefaultsm_t; + +####################################### +# +# gnome-system-monitor-mechanisms local policy +# + +allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; + +fs_list_inotifyfs(gnomesystemmm_t) + +corecmd_search_bin(gnomesystemmm_t) + +domain_search_all_domains_state(gnomesystemmm_t) +domain_setpriority_all_domains(gnomesystemmm_t) +domain_signal_all_domains(gnomesystemmm_t) +domain_sigstop_all_domains(gnomesystemmm_t) +domain_kill_all_domains(gnomesystemmm_t) + +files_read_etc_files(gnomesystemmm_t) +files_read_usr_files(gnomesystemmm_t) + +libs_use_ld_so(gnomesystemmm_t) +libs_use_shared_libs(gnomesystemmm_t) + +userdom_read_all_users_state(gnomesystemmm_t) + +optional_policy(` + 
consolekit_dbus_chat(gnomesystemmm_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(gnomesystemmm_t) +') + +optional_policy(` + polkit_domtrans_auth(gnomesystemmm_t) + polkit_read_lib(gnomesystemmm_t) + polkit_read_reload(gnomesystemmm_t) +') + +permissive gnomesystemmm_t; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.12/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/gpg.fc 2009-04-07 16:01:44.000000000 -0400 @@ -5,5 +5,5 @@ /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) -/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/gpg.if 2009-04-07 16:01:44.000000000 -0400 @@ -30,7 +30,7 @@ # allow ps to show gpg ps_process_pattern($2, gpg_t) - allow $2 gpg_t:process signal; + allow $2 gpg_t:process { signal sigkill }; # communicate with the user allow gpg_helper_t $2:fd use; 
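Review bot: gnomesystemmm_t is given `domain_signal_all_domains`, `domain_sigstop_all_domains`, `domain_kill_all_domains` and `domain_setpriority_all_domains`, so from the policy's point of view this D-Bus helper may signal, stop, kill or renice every process on the system, and gconfdefaultsm_t additionally receives `dac_override`. Nothing in the hunk records what limits the callers; the polkit_* calls suggest the check is expected to happen in PolicyKit, but that is an inference. Please add a comment above each block stating that assumption, e.g. `# Acts on arbitrary processes for D-Bus callers; authorization is delegated to PolicyKit`. It is also worth checking whether `sys_ptrace` is still needed once the domains leave permissive mode.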
@@ -46,9 +46,16 @@ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - # Transition from the user domain to the agent domain. domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + + #Leaked File Descriptors + dontaudit gpg_t $2:tcp_socket rw_socket_perms; + dontaudit gpg_t $2:udp_socket rw_socket_perms; + dontaudit gpg_t $2:unix_stream_socket rw_socket_perms; + dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms; + dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; + ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-04-07 16:01:44.000000000 -0400 @@ -60,7 +60,7 @@ allow gpg_t self:capability { ipc_lock setuid }; # setrlimit is for ulimit -c 0 -allow gpg_t self:process { signal setrlimit setcap setpgid }; +allow gpg_t self:process { signal setrlimit getcap setcap setpgid }; allow gpg_t self:fifo_file rw_fifo_file_perms; allow gpg_t self:tcp_socket create_stream_socket_perms; @@ -73,6 +73,12 @@ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) +manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + +kernel_read_sysctl(gpg_t) + corenet_all_recvfrom_unlabeled(gpg_t) corenet_all_recvfrom_netlabel(gpg_t) corenet_tcp_sendrecv_generic_if(gpg_t) @@ -88,6 +94,7 @@ dev_read_urand(gpg_t) fs_getattr_xattr_fs(gpg_t) +fs_list_inotifyfs(gpg_t) domain_use_interactive_fds(gpg_t) 
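Review bot: The five `dontaudit gpg_t $2:...` rules added to gpg.if suppress the AVC records that would reveal descriptors leaking from the user domain into gpg_t, so a network socket inherited by a process that handles secret keys no longer shows up in the audit log. The access is still denied, which is the right outcome, but `#Leaked File Descriptors` does not say which caller leaks them or why the fix is not on the caller's side. I would expand it to something like `# Callers leak sockets/pipes into gpg; access stays denied, only the audit noise is hidden` and drop the blank line added before the closing `')`. The same pattern is repeated for nsplugin_t and nsplugin_config_t in nsplugin.if; the enclosing template starts outside this hunk.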
@@ -95,23 +102,21 @@ files_read_usr_files(gpg_t) files_dontaudit_search_var(gpg_t) +auth_use_nsswitch(gpg_t) + miscfiles_read_localization(gpg_t) logging_send_syslog_msg(gpg_t) -sysnet_read_config(gpg_t) - userdom_use_user_terminals(gpg_t) -optional_policy(` - nis_use_ypbind(gpg_t) -') - ######################################## # # GPG helper local policy # +allow gpg_helper_t self:process { getsched setsched }; + # for helper programs (which automatically fetch keys) # Note: this is only tested with the hkp interface. If you use eg the # mail interface you will likely need additional permissions. @@ -136,13 +141,13 @@ corenet_udp_bind_generic_node(gpg_helper_t) corenet_tcp_connect_all_ports(gpg_helper_t) -dev_read_urand(gpg_helper_t) - files_read_etc_files(gpg_helper_t) -# for nscd -files_dontaudit_search_var(gpg_helper_t) -sysnet_read_config(gpg_helper_t) +fs_list_inotifyfs(gpg_helper_t) + +auth_use_nsswitch(gpg_helper_t) + +userdom_use_user_terminals(gpg_helper_t) tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) @@ -157,6 +162,19 @@ xserver_rw_xdm_pipes(gpg_t) ') +userdom_manage_user_tmp_files(gpg_t) +userdom_manage_user_home_content_files(gpg_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_t) + fs_manage_nfs_files(gpg_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_t) + fs_manage_cifs_files(gpg_t) +') + ######################################## # # GPG agent local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.12/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/java.fc 2009-04-07 16:01:44.000000000 -0400 
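Review bot: In the last gpg.te hunk, `userdom_manage_user_home_content_files(gpg_t)` and `userdom_manage_user_tmp_files(gpg_t)`, together with the NFS and CIFS tunable blocks, let gpg_t create, modify and delete any user home or tmp file rather than only its keyring type. Some widening is understandable, since gpg reads and writes files the user chooses, but the rules carry no comment and sit just before the "GPG agent local policy" header, apparently at the end of the helper section although they name gpg_t. Please move them next to the other gpg_t rules and add a comment such as `# gpg encrypts/decrypts files anywhere in the user's home`. If only reading of inputs is required in some of these locations, a read-only interface would be tighter.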
@@ -2,15 +2,16 @@ # /opt # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) # # /usr # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -20,5 +21,11 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-08 08:35:54.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; allow java_t $2:unix_stream_socket { read write }; + allow java_t $2:tcp_socket { read write }; ') ######################################## 
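Review bot: `/usr/bin/octave-[^/]*` and `/usr/lib/opera(/.*)?/opera` are labelled java_exec_t although neither is a Java runtime, which reads as a way to obtain the java domain's permissions (java.if in this patch grants `execmem` and `execstack` to the derived java domains). Please say so in the file, e.g. `# not Java: labelled java_exec_t only for the executable-memory permissions`, so a later reader does not assume the label describes the binary. The patterns in this hunk and the previous one are also loose: `/usr/lib/jvm/java(.*/)bin(/.*)?` with `--` matches every regular file under any bin directory below a java* path, and in `matlab.*/bin.*/MATLAB.*` each `.*` can cross directory boundaries. The two jvm lines could be a single `/usr/lib(64)?/jvm/...` entry, as gpg.fc does for gnupg in this patch.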
@@ -68,3 +69,129 @@ domtrans_pattern($1, java_exec_t, unconfined_java_t) corecmd_search_bin($1) ') + +######################################## +## +## Execute java in the java domain, and +## allow the specified role the java domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the java domain. +## +## +# +interface(`java_run',` + gen_require(` + type java_t; + ') + + java_domtrans($1) + role $2 types java_t; +') + +######################################## +## +## Execute java in the unconfined java domain, and +## allow the specified role the unconfined java domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the java domain. +## +## +# +interface(`java_run_unconfined',` + gen_require(` + type unconfined_java_t; + type java_t; + ') + + java_domtrans_unconfined($1) + role $2 types unconfined_java_t; + role $2 types java_t; +') + +######################################## +## +## Execute the java program in the java domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`java_exec',` + gen_require(` + type java_exec_t; + ') + + can_exec($1, java_exec_t) +') + +####################################### +## +## The role template for the java module. +## +## +##

+## This template creates a derived domains which are used +## for java applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`java_role_template',` + gen_require(` + type java_exec_t; + ') + + type $1_java_t; + domain_type($1_java_t) + domain_entry_file($1_java_t, java_exec_t) + role $2 types $1_java_t; + + domain_interactive_fd($1_java_t) + + userdom_unpriv_usertype($1, $1_java_t) + userdom_manage_tmpfs_role($2, $1_java_t) + + allow $1_java_t self:process { ptrace signal getsched execmem execstack }; + allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, java_exec_t, $1_java_t) + dev_dontaudit_append_rand($1_java_t) + + fs_dontaudit_rw_tmpfs_files($1_java_t) + corecmd_bin_domtrans($1_java_t, $1_t) + + optional_policy(` + xserver_role($1_r, $1_java_t) + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-04-07 16:01:44.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; +role system_r types java_t; + type java_tmp_t; files_tmp_file(java_tmp_t) ubac_constrained(java_tmp_t) @@ -40,7 +42,7 @@ # Local policy # -allow java_t self:process { signal_perms getsched setsched execmem }; +allow java_t self:process { signal_perms getsched execmem }; allow java_t self:fifo_file rw_fifo_file_perms; allow java_t self:tcp_socket create_socket_perms; allow java_t self:udp_socket create_socket_perms; 
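Review bot: In `java_role_template` the role and user domain are passed as `$2` and `$3`, yet two calls rebuild them from the prefix: `corecmd_bin_domtrans($1_java_t, $1_t)` and `xserver_role($1_r, $1_java_t)`. A caller whose role or domain is not literally named prefix_r / prefix_t would get rules against identifiers it never passed; `corecmd_bin_domtrans($1_java_t, $3)` and `xserver_role($2, $1_java_t)` keep the template to its documented parameters. `mono_role_template` in mono.if has the same two lines. Both templates also grant `allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };` and execmem/execstack on the derived domain without a comment; a line explaining why `noatsecure` and `ptrace` are required would help whoever tightens this later.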
@@ -80,6 +82,7 @@ dev_write_sound(java_t) dev_read_urand(java_t) dev_read_rand(java_t) +dev_dontaudit_append_rand(java_t) files_read_etc_files(java_t) files_read_usr_files(java_t) @@ -116,12 +119,13 @@ allow java_t java_tmp_t:file execute; - libs_legacy_use_shared_libs(java_t) libs_legacy_use_ld_so(java_t) miscfiles_legacy_read_localization(java_t) ') +libs_legacy_use_shared_libs(java_t) + optional_policy(` nis_use_ypbind(java_t) ') @@ -147,4 +151,11 @@ unconfined_domain_noaudit(unconfined_java_t) unconfined_dbus_chat(unconfined_java_t) + optional_policy(` + hal_dbus_chat(unconfined_java_t) + ') + + optional_policy(` + rpm_domtrans(unconfined_java_t) + ') ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.12/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/livecd.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.12/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/livecd.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,50 @@
+
+## policy for livecd
+
+########################################
+##
+## Execute a domain transition to run livecd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t;
+ type livecd_exec_t;
+ ')
+
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+
+########################################
+##
+## Execute livecd in the livecd domain, and
+## allow the specified role the livecd domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the livecd domain.
+##
+##
+#
+interface(`livecd_run',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ livecd_domtrans($1)
+ role $2 types livecd_t;
+
+ seutil_run_setfiles_mac(livecd_t, $2)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.12/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/livecd.te 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,26 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+########################################
+#
+# livecd local policy
+#
+dontaudit livecd_t self:capability2 mac_admin;
+
+unconfined_domain_noaudit(livecd_t)
+domain_ptrace_all_domains(livecd_t)
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.12/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-04-08 08:35:44.000000000 -0400 
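Review bot: livecd.te declares livecd_t with `unconfined_domain_noaudit(livecd_t)` and `domain_ptrace_all_domains(livecd_t)`, so any domain that is handed `livecd_domtrans` or `livecd_run` reaches an effectively unconfined, unaudited domain by executing /usr/bin/livecd-creator. The interface summaries in livecd.if ("Execute a domain transition to run livecd") give no hint of that. Please state it in both places: a comment above the unconfined call, e.g. `# livecd_t is deliberately unconfined; callers of livecd_domtrans inherit that reach`, and a matching sentence in the interface descriptions. `dontaudit livecd_t self:capability2 mac_admin;` deserves a short why-comment as well, and it is worth confirming that ptrace of all domains is needed on top of the unconfined grant.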
@@ -21,6 +21,104 @@ ######################################## ## +## Read and write to mono shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mono_rw_shm',` + gen_require(` + type mono_t; + ') + + allow $1 mono_t:shm rw_shm_perms; +') + +######################################## +## +## Execute mono in the mono domain, and +## allow the specified role the mono domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the mono domain. +## +## +# +interface(`mono_run',` + gen_require(` + type mono_t; + ') + + mono_domtrans($1) + role $2 types mono_t; +') + +####################################### +## +## The role template for the mono module. +## +## +##

+## This template creates a derived domains which are used +## for mono applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`mono_role_template',` + gen_require(` + type mono_exec_t; + ') + + type $1_mono_t; + domain_type($1_mono_t) + domain_entry_file($1_mono_t, mono_exec_t) + role $2 types $1_mono_t; + + domain_interactive_fd($1_mono_t) + + userdom_unpriv_usertype($1, $1_mono_t) + userdom_manage_tmpfs_role($2, $1_mono_t) + + allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; + allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) + + optional_policy(` + xserver_role($1_r, $1_mono_t) + ') +') + +######################################## +## ## Execute the mono program in the caller domain. ## ## @@ -31,7 +129,7 @@ # interface(`mono_exec',` gen_require(` - type mono_t, mono_exec_t; + type mono_exec_t; ') corecmd_search_bin($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-09 04:48:20.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # -allow mono_t self:process { execheap execmem }; +allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; init_dbus_chat_script(mono_t) 
@@ -42,7 +42,11 @@ ') optional_policy(` - unconfined_domain_noaudit(mono_t) + unconfined_domain(mono_t) unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) ') + +optional_policy(` + xserver_rw_shm(mono_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.12/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.fc 2009-04-07 16:01:44.000000000 -0400 @@ -17,7 +17,6 @@ # # /etc # -/etc/mozpluggerrc -- gen_context(system_u:object_r:mozilla_conf_t,s0) # # /lib @@ -29,3 +28,5 @@ /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-04-07 16:01:44.000000000 -0400 
@@ -82,8 +82,7 @@ type mozilla_home_t; ') - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file write; + write_files_pattern($1, mozilla_home_t, mozilla_home_t) userdom_search_user_home_dirs($1) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-04-07 16:01:44.000000000 -0400 @@ -105,6 +105,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) corenet_dontaudit_tcp_bind_generic_port(mozilla_t) +corenet_tcp_connect_speech_port(mozilla_t) dev_read_urand(mozilla_t) dev_read_rand(mozilla_t) @@ -128,6 +129,7 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) +term_use_all_user_ttys(mozilla_t) logging_send_syslog_msg(mozilla_t) @@ -243,6 +245,8 @@ optional_policy(` gnome_stream_connect_gconf(mozilla_t) + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ') optional_policy(` @@ -263,5 +267,10 @@ ') optional_policy(` + nsplugin_manage_rw(mozilla_t) + nsplugin_manage_home_files(mozilla_t) +') + +optional_policy(` thunderbird_domtrans(mozilla_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.12/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/mplayer.fc 2009-04-07 16:01:44.000000000 -0400 
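Review bot: In the mozilla.te hunk at `@@ -128,6 +129,7 @@`, `term_use_all_user_ttys(mozilla_t)` gives the browser domain use of every user tty rather than just the terminal it was started from, which is a wide grant for a process that renders untrusted network content. If the goal is only to let a browser started from a shell write to its controlling terminal, `userdom_use_user_terminals(mozilla_t)`, which this patch uses for gpg_helper_t and nsplugin_t, looks like the narrower fit, though that needs checking against the denial that prompted the change. Either way the line should carry a comment naming that denial. In the later hunk, `nsplugin_manage_rw(mozilla_t)` lets mozilla_t manage files that nsplugin.if allows user domains to execute (`can_exec($2, nsplugin_rw_t)`), which also deserves a note.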
@@ -1,9 +1,4 @@ # -# /etc -# -/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) - -# # /usr # /usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.12/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,12 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if 2009-04-21 15:54:32.000000000 -0400 
@@ -0,0 +1,274 @@ + +## policy for nsplugin + +######################################## +## +## Create, read, write, and delete +## nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:file manage_file_perms; + allow $1 nsplugin_rw_t:dir rw_dir_perms; +') + +######################################## +## +## Manage nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_rw',` + gen_require(` + type nsplugin_rw_t; + ') + + manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used +## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +interface(`nsplugin_role_notrans',` + gen_require(` + type nsplugin_rw_t; + type nsplugin_home_t; + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type nsplugin_t; + type nsplugin_config_t; + class x_drawable all_x_drawable_perms; + class x_resource all_x_resource_perms; + ') + + role $1 types nsplugin_t; + role $1 types nsplugin_config_t; + + allow nsplugin_t $2:process signull; + + list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t) + + #Leaked File Descriptors + dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; + dontaudit nsplugin_t $2:udp_socket rw_socket_perms; + dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; + dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; + dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms; + dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; + dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms; + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; + allow nsplugin_t $2:sem { unix_read unix_write }; + allow nsplugin_t $2:shm { unix_read unix_write }; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + + # Connect to pulseaudit server + stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) + gnome_stream_connect(nsplugin_t, $2) + + userdom_use_user_terminals(nsplugin_t) + userdom_use_user_terminals(nsplugin_config_t) + 
userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) + userdom_manage_tmpfs_role($1, nsplugin_t) + + xserver_communicate(nsplugin_t, $2) +') + +####################################### +## +## Role access for nsplugin +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`nsplugin_role',` + gen_require(` + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type nsplugin_t; + type nsplugin_config_t; + ') + + nsplugin_role_notrans($1, $2) + + domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +## +## The type of the user domain. +## +## +# +interface(`nsplugin_domtrans',` + gen_require(` + type nsplugin_exec_t; + type nsplugin_t; + ') + + domtrans_pattern($1, nsplugin_exec_t, nsplugin_t) + allow $1 nsplugin_t:unix_stream_socket connectto; + allow nsplugin_t $1:process signal; +') +####################################### +## +## The per role template for the nsplugin module. +## +## +## +## The type of the user domain. +## +## +# +interface(`nsplugin_domtrans_config',` + gen_require(` + type nsplugin_config_exec_t; + type nsplugin_config_t; + ') + + domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t) +') + +######################################## +## +## Search nsplugin rw directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_search_rw_dir',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:dir search_dir_perms; +') + +######################################## +## +## Read nsplugin rw files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`nsplugin_read_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +######################################## +## +## Exec nsplugin rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_rw_exec',` + gen_require(` + type nsplugin_rw_t; + ') + + can_exec($1, nsplugin_rw_t) +') + +######################################## +## +## Create, read, write, and delete +## nsplugin home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_manage_home_files',` + gen_require(` + type nsplugin_home_t; + ') + + manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400 @@ -0,0 +1,293 @@ + +policy_module(nsplugin, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow nsplugin code to execmem/execstack +##

+##
+gen_tunable(allow_nsplugin_execmem, false) + +## +##

+## Allow nsplugin code to connect to unreserved ports +##

+##
+gen_tunable(nsplugin_can_network, true) + +type nsplugin_exec_t; +application_executable_file(nsplugin_exec_t) + +type nsplugin_config_exec_t; +application_executable_file(nsplugin_config_exec_t) + +type nsplugin_rw_t; +files_type(nsplugin_rw_t) + +type nsplugin_tmp_t; +files_tmp_file(nsplugin_tmp_t) + +type nsplugin_home_t; +files_poly_member(nsplugin_home_t) +userdom_user_home_content(nsplugin_home_t) +typealias nsplugin_home_t alias user_nsplugin_home_t; + +type nsplugin_t; +domain_type(nsplugin_t) +domain_entry_file(nsplugin_t, nsplugin_exec_t) + +type nsplugin_config_t; +domain_type(nsplugin_config_t) +domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) + +application_executable_file(nsplugin_exec_t) +application_executable_file(nsplugin_config_exec_t) + + +######################################## +# +# nsplugin local policy +# +dontaudit nsplugin_t self:capability sys_tty_config; +allow nsplugin_t self:fifo_file rw_file_perms; +allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; + +allow nsplugin_t self:sem create_sem_perms; +allow nsplugin_t self:shm create_shm_perms; +allow nsplugin_t self:msgq create_msgq_perms; +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow nsplugin_t self:unix_dgram_socket create_socket_perms; + +tunable_policy(`allow_nsplugin_execmem',` + allow nsplugin_t self:process { execstack execmem }; + allow nsplugin_config_t self:process { execstack execmem }; +') + +tunable_policy(`nsplugin_can_network',` + corenet_tcp_connect_all_unreserved_ports(nsplugin_t) +') + +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, 
nsplugin_home_t) +userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_dontaudit_write_user_home_content_files(nsplugin_t) + +corecmd_exec_bin(nsplugin_t) +corecmd_exec_shell(nsplugin_t) + +corenet_all_recvfrom_unlabeled(nsplugin_t) +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) +corenet_tcp_connect_streaming_port(nsplugin_t) +corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_connect_http_cache_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_generic_node(nsplugin_t) +corenet_tcp_connect_ipp_port(nsplugin_t) +corenet_tcp_connect_speech_port(nsplugin_t) + +domain_dontaudit_read_all_domains_state(nsplugin_t) + +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) +dev_write_sound(nsplugin_t) +dev_read_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t) +dev_getattr_dri_dev(nsplugin_t) +dev_rwx_zero(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) + +files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) +files_read_usr_files(nsplugin_t) +files_read_etc_files(nsplugin_t) +files_read_config_files(nsplugin_t) + +fs_list_inotifyfs(nsplugin_t) +fs_getattr_tmpfs(nsplugin_t) +fs_getattr_xattr_fs(nsplugin_t) +fs_search_auto_mountpoints(nsplugin_t) +fs_rw_anon_inodefs_files(nsplugin_t) + +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) + +term_dontaudit_getattr_all_user_ptys(nsplugin_t) +term_dontaudit_getattr_all_user_ttys(nsplugin_t) + +auth_use_nsswitch(nsplugin_t) + +libs_exec_ld_so(nsplugin_t) + +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) +miscfiles_dontaudit_write_fonts(nsplugin_t) + +userdom_manage_user_tmp_dirs(nsplugin_t) +userdom_manage_user_tmp_files(nsplugin_t) +userdom_manage_user_tmp_sockets(nsplugin_t) 
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file }) +userdom_rw_semaphores(nsplugin_t) + +userdom_read_user_home_content_symlinks(nsplugin_t) +userdom_read_user_home_content_files(nsplugin_t) +userdom_read_user_tmp_files(nsplugin_t) +userdom_write_user_tmp_sockets(nsplugin_t) +userdom_dontaudit_append_user_home_content_files(nsplugin_t) +userdom_dontaudit_delete_user_home_content_files(nsplugin_t) + +optional_policy(` + alsa_read_rw_config(nsplugin_t) +') + +optional_policy(` + cups_stream_connect(nsplugin_t) +') + +optional_policy(` + dbus_session_bus_client(nsplugin_t) + dbus_system_bus_client(nsplugin_t) +') + +optional_policy(` + gnome_exec_gconf(nsplugin_t) + gnome_manage_config(nsplugin_t) + gnome_read_gconf_home_files(nsplugin_t) +') + +optional_policy(` + mozilla_read_user_home_files(nsplugin_t) + mozilla_write_user_home_files(nsplugin_t) +') + +optional_policy(` + mplayer_exec(nsplugin_t) + mplayer_read_user_home_files(nsplugin_t) +') + +optional_policy(` + unconfined_execmem_signull(nsplugin_t) +') + +optional_policy(` + gen_require(` + type user_tmpfs_t; + ') + xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) + xserver_stream_connect_xdm(nsplugin_t) + xserver_stream_connect(nsplugin_t) + xserver_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) + xserver_read_xdm_pid(nsplugin_t) + xserver_read_user_xauth(nsplugin_t) + xserver_read_user_iceauth(nsplugin_t) + xserver_use_user_fonts(nsplugin_t) + xserver_manage_home_fonts(nsplugin_t) + xserver_dontaudit_rw_xdm_home_files(nsplugin_t) +') + +######################################## +# +# nsplugin_config local policy +# + +allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; +#execing pulseaudio +dontaudit nsplugin_t self:process { getcap setcap }; + +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t 
self:unix_stream_socket create_stream_socket_perms; + +fs_list_inotifyfs(nsplugin_config_t) +fs_search_auto_mountpoints(nsplugin_config_t) + +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) + +manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) + +corecmd_exec_bin(nsplugin_config_t) +corecmd_exec_shell(nsplugin_config_t) + +kernel_read_system_state(nsplugin_config_t) + +files_read_etc_files(nsplugin_config_t) +files_read_usr_files(nsplugin_config_t) +files_dontaudit_search_home(nsplugin_config_t) +files_list_tmp(nsplugin_config_t) + +auth_use_nsswitch(nsplugin_config_t) + +miscfiles_read_localization(nsplugin_config_t) +miscfiles_read_fonts(nsplugin_config_t) + +userdom_search_user_home_content(nsplugin_config_t) +userdom_read_user_home_content_files(nsplugin_config_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_t) + fs_manage_nfs_files(nsplugin_t) + fs_read_nfs_symlinks(nsplugin_t) + fs_manage_nfs_named_pipes(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_config_t) + fs_manage_nfs_files(nsplugin_config_t) + fs_manage_nfs_named_pipes(nsplugin_config_t) + fs_read_nfs_symlinks(nsplugin_config_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_t) + fs_manage_cifs_files(nsplugin_t) + fs_read_cifs_symlinks(nsplugin_t) + fs_manage_cifs_named_pipes(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_config_t) + fs_manage_cifs_files(nsplugin_config_t) + fs_manage_cifs_named_pipes(nsplugin_config_t) + fs_read_cifs_symlinks(nsplugin_config_t) +') + +domtrans_pattern(nsplugin_config_t, 
nsplugin_exec_t, nsplugin_t) + +optional_policy(` + xserver_read_home_fonts(nsplugin_config_t) +') + +optional_policy(` + mozilla_read_user_home_files(nsplugin_config_t) +') + +optional_policy(` + gen_require(` + type unconfined_mono_t; + ') + allow nsplugin_t unconfined_mono_t:process signull; +') + +optional_policy(` + pulseaudio_stream_connect(nsplugin_t) +') + +optional_policy(` + unconfined_execmem_exec(nsplugin_t) +') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.12/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/openoffice.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.12/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/openoffice.if 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,92 @@ +## Openoffice + +####################################### +## +## The per role template for the openoffice module. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`openoffice_plugin_role',` + gen_require(` + type openoffice_exec_t; + type openoffice_t; + ') + + ######################################## + # + # Local policy + # + + domtrans_pattern($1, openoffice_exec_t, openoffice_t) + allow $1 openoffice_t:process { signal sigkill }; +') + +####################################### +## +## role for openoffice +## +## +##
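Review bot: In the nsplugin_config local policy, `allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };` grants execmem unconditionally, so the `allow_nsplugin_execmem` tunable (default false) never withholds it from nsplugin_config_t and only adds execstack there. Dropping it from the unconditional rule, `allow nsplugin_config_t self:process { setsched signal_perms getsched };`, would make the boolean match its description. Several nsplugin_t rules also sit under the nsplugin_config heading: `dontaudit nsplugin_t self:process { getcap setcap };` and the nsplugin_t lines in the use_nfs_home_dirs and use_samba_home_dirs blocks. In addition, `application_executable_file()` is called twice for each exec type. Moving the nsplugin_t rules under the nsplugin heading and removing the duplicate declarations would make the file easier to audit.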

+## This template creates a derived domains which are used +## for java applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`openoffice_role_template',` + gen_require(` + type openoffice_exec_t; + ') + + role $2 types $1_openoffice_t; + + type $1_openoffice_t; + domain_type($1_openoffice_t) + domain_entry_file($1_openoffice_t, openoffice_exec_t) + domain_interactive_fd($1_openoffice_t) + + userdom_unpriv_usertype($1, $1_openoffice_t) + userdom_exec_user_home_content_files($1_openoffice_t) + + allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; + + allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; + allow $1_openoffice_t $3:tcp_socket { read write }; + + domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) + + dev_read_urand($1_openoffice_t) + dev_read_rand($1_openoffice_t) + + fs_dontaudit_rw_tmpfs_files($1_openoffice_t) + + allow $3 $1_openoffice_t:process { signal sigkill }; + allow $1_openoffice_t $3:unix_stream_socket connectto; + optional_policy(` + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.12/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/openoffice.te 2009-04-07 16:01:44.000000000 -0400 
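Review bot: `openoffice_role_template` gives every derived domain `execheap execmem execstack` on itself and lets the calling domain `$3` hold `noatsecure` over it, with no tunable or comment saying why. With noatsecure the transition does not trigger secure-exec environment cleansing, so the caller's environment carries into the new domain unchanged. If that is not required, `allow $3 $1_openoffice_t:process { getattr ptrace signal_perms siginh rlimitinh };` plus a boolean around the memory permissions would be tighter; the later `allow $3 $1_openoffice_t:process { signal sigkill };` is already covered by signal_perms. The macro declares `type $1_openoffice_t;`, so by refpolicy convention it should be `template(` rather than `interface(`, and its description still says the domains are "for java applications".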
@@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) + +######################################## +# +# Declarations +# + +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) + + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.12/policy/modules/apps/podsleuth.fc --- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.12/policy/modules/apps/podsleuth.if --- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.if 2009-04-07 16:01:44.000000000 -0400 
@@ -16,4 +16,32 @@ ') domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) + allow $1 podsleuth_t:process signal; ') + + +######################################## +## +## Execute podsleuth in the podsleuth domain, and +## allow the specified role the podsleuth domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the podsleuth domain. +## +## +# +interface(`podsleuth_run',` + gen_require(` + type podsleuth_t; + ') + + podsleuth_domtrans($1) + role $2 types podsleuth_t; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.12/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-18 06:04:47.000000000 -0400 
@@ -11,25 +11,80 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; +type podsleuth_tmp_t; +files_tmp_file(podsleuth_tmp_t) + +type podsleuth_tmpfs_t; +files_tmpfs_file(podsleuth_tmpfs_t) +ubac_constrained(podsleuth_tmpfs_t) + +type podsleuth_cache_t; +files_type(podsleuth_cache_t) + ######################################## # # podsleuth local policy # - -allow podsleuth_t self:process { signal getsched execheap execmem }; +allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack }; allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; +allow podsleuth_t self:sem create_sem_perms; +allow podsleuth_t self:tcp_socket create_stream_socket_perms; +allow podsleuth_t self:udp_socket create_socket_perms; kernel_read_system_state(podsleuth_t) +corecmd_exec_bin(podsleuth_t) +corenet_tcp_connect_http_port(podsleuth_t) + dev_read_urand(podsleuth_t) files_read_etc_files(podsleuth_t) +fs_mount_dos_fs(podsleuth_t) +fs_unmount_dos_fs(podsleuth_t) +fs_getattr_dos_fs(podsleuth_t) +fs_read_dos_files(podsleuth_t) +fs_search_dos(podsleuth_t) +fs_getattr_tmpfs(podsleuth_t) +fs_list_tmpfs(podsleuth_t) +fs_mount_nfs(podsleuth_t) +fs_unmount_nfs(podsleuth_t) +fs_getattr_nfs(podsleuth_t) +fs_read_nfs_files(podsleuth_t) +fs_search_nfs(podsleuth_t) + +allow podsleuth_t podsleuth_tmp_t:dir mounton; +manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) +files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) +manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) + +manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) +manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) +manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) +fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) + 
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) + +storage_raw_rw_fixed_disk(podsleuth_t) + +sysnet_dns_name_resolve(podsleuth_t) + miscfiles_read_localization(podsleuth_t) -dbus_system_bus_client(podsleuth_t) +userdom_signal_all_users(podsleuth_t) -mono_exec(podsleuth_t) +optional_policy(` + dbus_system_bus_client(podsleuth_t) +') +optional_policy(` hal_dbus_chat(podsleuth_t) +') + +optional_policy(` + mono_exec(podsleuth_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-07 16:01:44.000000000 -0400 
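Review bot: The new podsleuth_t rules add the `sys_admin` and `sys_rawio` capabilities, `ptrace` and `execstack` on self, `storage_raw_rw_fixed_disk(podsleuth_t)` and `userdom_signal_all_users(podsleuth_t)`, none with a comment on what needs them. Raw read/write on fixed disks in particular lets the domain reach data underneath the file labels that the rest of the policy relies on. If the helper only probes attached players (an assumption; the hunk does not show how it is used), a removable-device interface such as `storage_raw_read_removable_device(podsleuth_t)` would be narrower. At minimum each group should carry a why-comment, for example `# raw disk access: <reason, bug reference>` above the storage line and a similar one above the capability rule.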
@@ -0,0 +1,148 @@ + +## policy for pulseaudio + +######################################## +## +## Execute a domain transition to run pulseaudio. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`pulseaudio_domtrans',` + gen_require(` + type pulseaudio_t; + type pulseaudio_exec_t; + ') + + domtrans_pattern($1,pulseaudio_exec_t,pulseaudio_t) +') + + +######################################## +## +## Execute pulseaudio in the pulseaudio domain, and +## allow the specified role the pulseaudio domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the pulseaudio domain. +## +## +# +interface(`pulseaudio_run',` + gen_require(` + type pulseaudio_t; + ') + + pulseaudio_domtrans($1) + role $2 types pulseaudio_t; +') + +######################################## +## +## Execute a pulseaudio in the current domain +## +## +## +## Domain allowed to transition. +## +## +# +interface(`pulseaudio_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + can_exec($1,pulseaudio_exec_t) +') + +######################################## +## +## Role access for pulseaudio +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`pulseaudio_role',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t, print_spool_t; + class dbus { send_msg }; + ') + + role $1 types pulseaudio_t; + + # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) + + ps_process_pattern($2, pulseaudio_t) + + allow pulseaudio_t $2:process { signal signull }; + allow $2 pulseaudio_t:process { signal signull }; + ps_process_pattern(pulseaudio_t, $2) + + allow pulseaudio_t $2:unix_stream_socket connectto; + allow $2 pulseaudio_t:unix_stream_socket connectto; + + userdom_manage_home_role($1, pulseaudio_t) + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) + + allow $2 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $2:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## pulseaudio over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_dbus_chat',` + gen_require(` + type pulseaudio_t; + class dbus send_msg; + ') + + allow $1 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $1:dbus send_msg; +') + +######################################## +## +## pulsaudio connection template. +## +## +## +## The type of the user domain. +## +## +# +interface(`pulseaudio_stream_connect',` + gen_require(` + type pulseaudio_t; + ') + + allow nsplugin_t pulseaudio_t:process signull; + allow $1 pulseaudio_t:unix_stream_socket connectto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te 2009-04-14 13:40:38.000000000 -0400 @@ -0,0 +1,110 @@ +policy_module(pulseaudio,1.0.0) + +######################################## +# +# Declarations +# + +type pulseaudio_t; +type pulseaudio_exec_t; +application_domain(pulseaudio_t, pulseaudio_exec_t) +role system_r types pulseaudio_t; + +permissive pulseaudio_t; + +## +##
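Review bot: `pulseaudio_stream_connect` hard-codes `nsplugin_t` in `allow nsplugin_t pulseaudio_t:process signull;` instead of using the caller argument `$1`, and `nsplugin_t` is not listed in the interface's gen_require. Every caller therefore grants the permission to nsplugin_t rather than to itself, and the interface probably fails to build where the nsplugin module is not present. The line should read `allow $1 pulseaudio_t:process signull;`. Separately, `pulseaudio_role` requires `print_spool_t` without using it, and the summary of `pulseaudio_stream_connect` spells the name "pulsaudio".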

+## Allow pulseaudio to connect to the network +##

+##
+gen_tunable(pulseaudio_network,false) + +######################################## +# +# pulseaudio local policy +# +allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; + +## internal communication is often done using fifo and unix sockets. +allow pulseaudio_t self:fifo_file rw_file_perms; +allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms; +allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; +allow pulseaudio_t self:tcp_socket create_stream_socket_perms; +allow pulseaudio_t self:udp_socket create_socket_perms; + +corecmd_exec_bin(pulseaudio_t) + +corenet_all_recvfrom_unlabeled(pulseaudio_t) +corenet_all_recvfrom_netlabel(pulseaudio_t) +corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +corenet_tcp_bind_soundd_port(pulseaudio_t) +corenet_tcp_sendrecv_generic_if(pulseaudio_t) +corenet_tcp_sendrecv_generic_node(pulseaudio_t) +corenet_udp_bind_sap_port(pulseaudio_t) +corenet_udp_sendrecv_generic_if(pulseaudio_t) +corenet_udp_sendrecv_generic_node(pulseaudio_t) + +dev_read_sound(pulseaudio_t) +dev_write_sound(pulseaudio_t) +dev_read_sysfs(pulseaudio_t) +dev_read_urand(pulseaudio_t) + +kernel_read_kernel_sysctls(pulseaudio_t) + +files_read_etc_files(pulseaudio_t) +files_read_usr_files(pulseaudio_t) + +fs_rw_anon_inodefs_files(pulseaudio_t) +fs_getattr_tmpfs(pulseaudio_t) + +term_use_all_user_ttys(pulseaudio_t) +term_use_all_user_ptys(pulseaudio_t) + +auth_use_nsswitch(pulseaudio_t) + +miscfiles_read_localization(pulseaudio_t) + +logging_send_syslog_msg(pulseaudio_t) + +optional_policy(` + gnome_manage_config(pulseaudio_t) +') + +optional_policy(` + dbus_system_bus_client(pulseaudio_t) + dbus_session_bus_client(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + hal_dbus_chat(pulseaudio_t) + ') +') + +optional_policy(` + polkit_domtrans_auth(pulseaudio_t) + polkit_read_lib(pulseaudio_t) + polkit_read_reload(pulseaudio_t) +') + 
+optional_policy(` + udev_read_db(pulseaudio_t) +') + +optional_policy(` + xserver_common_app(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) + xserver_stream_connect(pulseaudio_t) + xserver_manage_xdm_tmp_files(pulseaudio_t) + xserver_read_xdm_lib_files(pulseaudio_t) +') + +tunable_policy(`pulseaudio_network',` +#TRUE +',` +#FALSE +') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.12/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.if 2009-04-07 16:01:44.000000000 -0400 @@ -40,6 +40,93 @@ qemu_domtrans($1) role $2 types qemu_t; + + optional_policy(` + samba_run_smb(qemu_t, $2, $3) + ') +') + +####################################### +## +## The per role template for the qemu module. +## +## +##
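Review bot: The `pulseaudio_network` tunable is declared (default false) but its `tunable_policy` block holds only the `#TRUE` / `#FALSE` placeholders, while the tcp/udp socket rules and the `corenet_tcp_bind_*` and `corenet_udp_bind_sap_port` calls above it are unconditional, so flipping the boolean changes nothing. Either move the network rules into the true branch or drop the tunable until it is wired up. `permissive pulseaudio_t;` also means none of the rules in this file is enforced, only logged; the same holds for `permissive sambagui_t;` at the end of sambagui.te. Both lines would benefit from a comment stating why the domain is permissive and when the statement is to be removed.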
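Review bot: Replacing the two exact paths with `/usr/bin/qemu.*` labels every binary whose name starts with "qemu" as `qemu_exec_t`, which would include helper tools such as qemu-img or qemu-nbd where installed, not only the emulators. Those tools would then become entry points into qemu_t. If the intent is to cover the per-architecture emulators, a tighter set keeps the intent visible: retain `/usr/bin/qemu` and `/usr/bin/qemu-kvm` and add `/usr/bin/qemu-system-.*`.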

+## This template creates a derived domains which are used +## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +interface(`qemu_role_notrans',` + gen_require(` + type qemu_t; + ') + + role $1 types qemu_t; +') + +####################################### +## +## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used +## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`qemu_role',` + gen_require(` + type qemu_exec_t; + ') + + qemu_role_notrans($1, $2, $3) + + domtrans_pattern($3, qemu_exec_t, qemu_t) + domtrans_pattern($3, qemu_config_exec_t, qemu_config_t) ') ######################################## @@ -62,6 +149,66 @@ ######################################## ## +## Set the schedule on qemu. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_setsched',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process setsched; +') + +######################################## +## +## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). +## +## +##
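Review bot: `qemu_role` calls `qemu_role_notrans($1, $2, $3)`, but `qemu_role_notrans` uses its first argument as the role (`role $1 types qemu_t;`), although both macros document `$1` as the user-domain prefix and `$2` as the role, so the prefix ends up in the role statement. The statement in `qemu_role_notrans` should be `role $2 types qemu_t;`. `qemu_role` also uses `qemu_t`, `qemu_config_exec_t` and `qemu_config_t` while requiring only `qemu_exec_t`, and no qemu_config types appear in the visible qemu.te hunk, which suggests `domtrans_pattern($3, qemu_config_exec_t, qemu_config_t)` was copied from nsplugin and should be dropped, with `type qemu_t;` added to the gen_require. The `samba_run_smb(qemu_t, $2, $3)` line at the top of this hunk belongs to an interface that starts outside the hunk, so its argument count cannot be checked here.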

+## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified +## domain. +##

+##
+## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`qemu_spec_domtrans',` + gen_require(` + type qemu_exec_t; + ') + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) + domain_entry_file($2,qemu_exec_t) + can_exec($1,qemu_exec_t) + + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; +') + +######################################## +## ## Send a signal to qemu. ## ## @@ -98,7 +245,25 @@ ######################################## ## -## Execute a domain transition to run qemu unconfined. +## Execute qemu unconfined programs in the role. +## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`qemu_unconfined_role',` + gen_require(` + type qemu_unconfined_t; + ') + role $1 types qemu_unconfined_t; +') + + +######################################## +## +## Execute a domain transition to run qemu. ## ## ## 
@@ -116,95 +281,36 @@ ######################################## ## -## Creates types and rules for a basic -## qemu process domain. +## Manage qemu temporary dirs. ## -## +## ## -## Prefix for the domain. +## Domain allowed access. ## ## # -template(`qemu_domain_template',` - - ############################## - # - # Local Policy - # - - type $1_t; - domain_type($1_t) +interface(`qemu_manage_tmp_dirs',` + gen_require(` + type qemu_tmp_t; + ') - type $1_tmp_t; - files_tmp_file($1_tmp_t) + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + ') - ############################## - # - # Local Policy +######################################## +## +## Manage qemu temporary files. +## +## +## +## Domain allowed access. +## +## # - - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - -# dev_rw_kvm($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) - - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) - - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) - - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - - 
miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - - userdom_use_user_terminals($1_t) - -# optional_policy(` -# samba_domtrans_smb($1_t) -# ') - - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) +interface(`qemu_manage_tmp_files',` + gen_require(` + type qemu_tmp_t; ') - optional_policy(` - xserver_stream_connect($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) -# xserver_xdm_rw_shm($1_t) - ') + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-04-07 16:01:44.000000000 -0400 @@ -13,28 +13,96 @@ ## gen_tunable(qemu_full_network, false) +## +##

+## Allow qemu to use usb devices +##

+##
+gen_tunable(qemu_use_usb, true) + +## +##

+## Allow qemu to use nfs file systems +##

+##
+gen_tunable(qemu_use_nfs, true) + +## +##

+## Allow qemu to use cifs/Samba file systems +##

+##
+gen_tunable(qemu_use_cifs, true) + +## +##

+## Allow qemu to user serial/parallell communication ports +##

+##
+gen_tunable(qemu_use_comm, false) + + type qemu_exec_t; -qemu_domain_template(qemu) +virt_domain_template(qemu) application_domain(qemu_t, qemu_exec_t) role system_r types qemu_t; -######################################## -# -# qemu local policy -# +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) + +userdom_search_user_home_content(qemu_t) +userdom_read_user_tmpfs_files(qemu_t) +userdom_signull_unpriv_users(qemu_t) tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; - corenet_udp_sendrecv_all_if(qemu_t) - corenet_udp_sendrecv_all_nodes(qemu_t) + corenet_udp_sendrecv_generic_if(qemu_t) + corenet_udp_sendrecv_generic_node(qemu_t) corenet_udp_sendrecv_all_ports(qemu_t) - corenet_udp_bind_all_nodes(qemu_t) + corenet_udp_bind_generic_node(qemu_t) corenet_udp_bind_all_ports(qemu_t) corenet_tcp_bind_all_ports(qemu_t) corenet_tcp_connect_all_ports(qemu_t) ') +tunable_policy(`qemu_use_comm',` + term_use_unallocated_ttys(qemu_t) + dev_rw_printer(qemu_t) +') + +tunable_policy(`qemu_use_nfs',` + fs_manage_nfs_dirs(qemu_t) + fs_manage_nfs_files(qemu_t) +') + +tunable_policy(`qemu_use_cifs',` + fs_manage_cifs_dirs(qemu_t) + fs_manage_cifs_files(qemu_t) +') + +tunable_policy(`qemu_use_usb',` + dev_rw_usbfs(qemu_t) + fs_manage_dos_dirs(qemu_t) + fs_manage_dos_files(qemu_t) +') + +optional_policy(` + samba_domtrans_smb(qemu_t) +') + +optional_policy(` + virt_manage_images(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + ######################################## # # qemu_unconfined local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.12/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/sambagui.fc 2009-04-07 16:01:44.000000000 -0400 
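Review bot: `storage_raw_write_removable_device(qemu_t)` and `storage_raw_read_removable_device(qemu_t)` stay outside the new `qemu_use_usb` boolean, and `qemu_use_usb`, `qemu_use_nfs` and `qemu_use_cifs` all default to true, so a stock install has every one of these accesses switched on. Consider moving the raw removable-device lines into the `qemu_use_usb` block and documenting why the three booleans default to true. The `optional_policy` block calling `xen_rw_image_files(qemu_t)` appears twice in a row; one copy can go. The `qemu_use_comm` description has typos ("to user serial/parallell"); `## Allow qemu to use serial/parallel communication ports` reads better.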
@@ -0,0 +1,4 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) + + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.12/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/sambagui.if 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-samba policy + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.12/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/sambagui.te 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,59 @@ +policy_module(sambagui,1.0.0) + +######################################## +# +# Declarations +# + +type sambagui_t; +type sambagui_exec_t; + +dbus_system_domain(sambagui_t, sambagui_exec_t) + +######################################## +# +# system-config-samba local policy +# + +allow sambagui_t self:fifo_file rw_fifo_file_perms; + +# handling with samba conf files +samba_append_log(sambagui_t) +samba_manage_config(sambagui_t) +samba_manage_var_files(sambagui_t) +samba_initrc_domtrans(sambagui_t) +samba_domtrans_smb(sambagui_t) +samba_domtrans_nmb(sambagui_t) + +# execut apps of system-config-samba +corecmd_exec_shell(sambagui_t) +corecmd_exec_bin(sambagui_t) + +files_read_etc_files(sambagui_t) +files_search_var_lib(sambagui_t) +files_search_usr(sambagui_t) + +fs_list_inotifyfs(sambagui_t) + +# reading shadow by pdbedit +#auth_read_shadow(sambagui_t) + +auth_use_nsswitch(sambagui_t) + +miscfiles_read_localization(sambagui_t) + +# read meminfo +kernel_read_system_state(sambagui_t) + +dev_dontaudit_read_urand(sambagui_t) +nscd_dontaudit_search_pid(sambagui_t) + +optional_policy(` + consoletype_exec(sambagui_t) +') + +optional_policy(` + polkit_dbus_chat(sambagui_t) +') + +permissive sambagui_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-04-07 16:01:44.000000000 -0400 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(vmware_host_t,vmware_host_exec_t,s0 - mcs_systemhigh) +') + type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) 
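Review bot: The closing `permissive sambagui_t;` in the new sambagui.te means none of the rules above it are enforced, so the module reads as a confined domain while the helper runs unrestricted. That matters here because the domain is entered from the system bus (`dbus_system_domain`) and is given `samba_manage_config`, `corecmd_exec_shell` and `corecmd_exec_bin`. If permissive mode is only a bring-up aid, say so beside the statement, e.g. `# TODO: remove once AVC denials for sambagui_t have been reviewed`, and drop it before the module is relied on for confinement. The commented-out `#auth_read_shadow(sambagui_t)` should either be deleted or carry its reason, and `# execut apps` should read `# execute apps`.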
@@ -65,9 +69,9 @@ # VMWare host local policy # -allow vmware_host_t self:capability { setgid setuid net_raw }; +allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process signal_perms; +allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; allow vmware_host_t self:rawip_socket create_socket_perms; @@ -84,8 +88,9 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) kernel_read_kernel_sysctls(vmware_host_t) -kernel_list_proc(vmware_host_t) -kernel_read_proc_symlinks(vmware_host_t) +kernel_read_system_state(vmware_host_t) + +libs_exec_ld_so(vmware_host_t) corenet_all_recvfrom_unlabeled(vmware_host_t) corenet_all_recvfrom_netlabel(vmware_host_t) @@ -104,13 +109,20 @@ corenet_sendrecv_all_client_packets(vmware_host_t) corenet_sendrecv_all_server_packets(vmware_host_t) +corecmd_exec_bin(vmware_host_t) +corecmd_exec_shell(vmware_host_t) + +dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) domain_use_interactive_fds(vmware_host_t) +domain_dontaudit_read_all_domains_state(vmware_host_t) +files_list_tmp(vmware_host_t) files_read_etc_files(vmware_host_t) +files_read_etc_runtime_files(vmware_host_t) fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) @@ -126,6 +138,8 @@ sysnet_dns_name_resolve(vmware_host_t) +storage_getattr_fixed_disk_dev(vmware_host_t) + userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) userdom_dontaudit_search_user_home_dirs(vmware_host_t) 
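Review bot: The widened `allow vmware_host_t self:capability` rule adds `sys_nice sys_time sys_ptrace kill dac_override`, and the process rule adds `execstack execmem`, with no comment saying which part of the VMware host service needs each one. `dac_override` together with `sys_ptrace` removes much of what the domain's confinement provides, and the later hunks on this line also add `corecmd_exec_shell` and `corecmd_exec_bin` to the same domain. I would split the rule so each contested permission sits on its own line with a justification, e.g. `# <component>: needs dac_override for <reason>`, and drop any that were added only to quiet denials. The enclosing policy section starts and ends outside these hunks.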
@@ -140,6 +154,13 @@ udev_read_db(vmware_host_t) ') +optional_policy(` + xserver_read_tmp_files(vmware_host_t) + xserver_read_xdm_pid(vmware_host_t) + xserver_stream_connect(vmware_host_t) +') + + ifdef(`TODO',` # VMWare need access to pcmcia devices for network optional_policy(` @@ -226,7 +247,7 @@ files_read_usr_files(vmware_t) files_list_home(vmware_t) -fs_getattr_xattr_fs(vmware_t) +fs_getattr_all_fs(vmware_t) fs_search_auto_mountpoints(vmware_t) storage_raw_read_removable_device(vmware_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.12/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/apps/wine.fc 2009-04-07 16:01:44.000000000 -0400 
@@ -1,4 +1,21 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) + + +HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.12/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/wine.if 2009-04-07 16:01:44.000000000 -0400 @@ -43,3 +43,63 @@ wine_domtrans($1) role $2 types wine_t; ') + +####################################### +## +## The per role template for the wine module. +## +## +##
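Review bot: `HOME_DIR/cxoffice/bin/wine.+` gives files under a user-writable directory the `wine_exec_t` label, which is the entry point into `wine_t`, and the wine.te hunk in this same patch makes wine_t an unconfined domain with `mmap_zero`. Whether a confined user can actually get that label onto a file they control depends on relabel rules not visible here, so this needs checking and a comment stating the assumption. Separately, the `.` in `/usr/bin/wine.*` is unescaped and the pattern matches any binary whose name merely starts with `wine`. Generic names such as `/usr/bin/uninstaller`, `/usr/bin/regedit` and `/usr/bin/msiexec` are also claimed for Wine without comment. Listing the intended names explicitly would keep unrelated programs out of the entry-point type.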

+## This template creates a derived domains which are used +## for wine applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`wine_role',` + gen_require(` + type wine_exec_t; + ') + + role $1 types wine_t; + + domain_auto_trans($2, wine_exec_t, wine_t) + # Unrestricted inheritance from the caller. + allow $2 wine_t:process { noatsecure siginh rlimitinh }; + allow wine_t $2:fd use; + allow wine_t $2:process { sigchld signull }; + allow wine_t $2:unix_stream_socket connectto; + + # Allow the user domain to signal/ps. + ps_process_pattern($2, wine_t) + allow $2 wine_t:process signal_perms; + + allow $2 wine_t:fd use; + allow $2 wine_t:shm { associate getattr }; + allow $2 wine_t:shm { unix_read unix_write }; + allow $2 wine_t:unix_stream_socket connectto; + + # X access, Home files + manage_dirs_pattern($2, wine_home_t, wine_home_t) + manage_files_pattern($2, wine_home_t, wine_home_t) + manage_lnk_files_pattern($2, wine_home_t, wine_home_t) + relabel_dirs_pattern($2, wine_home_t, wine_home_t) + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) + +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-09 04:47:36.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) +role system_r types wine_t; ######################################## # 
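Review bot: The new `wine_role` template in wine.if does not match its own header or its `gen_require`. The header documents three parameters (prefix, user domain type, role), but the body uses `$1` as the role (`role $1 types wine_t;`) and `$2` as the domain, and it references `wine_t` and `wine_home_t` while requiring only `wine_exec_t`. `wine_home_t` is not declared in the wine.te hunks visible on this page, so the template may fail to build where it is used; the full file is not shown, so treat that as something to confirm. I would document two parameters and change the require to `type wine_t, wine_exec_t, wine_home_t;`. The `noatsecure siginh rlimitinh` grant also needs a why-comment, since it lets the caller's environment pass unsanitised into wine_t.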
@@ -19,10 +20,20 @@ optional_policy(` allow wine_t self:process { execstack execmem execheap }; - unconfined_domain_noaudit(wine_t) + domain_mmap_low_type(wine_t) + domain_mmap_low(wine_t) + unconfined_domain(wine_t) files_execmod_all_files(wine_t) +') + optional_policy(` hal_dbus_chat(wine_t) ') + +optional_policy(` + xserver_common_app(wine_t) + xserver_read_xdm_pid(wine_t) + xserver_stream_connect(wine_t) + xserver_rw_shm(wine_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.12/policy/modules/apps/wm.fc --- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/wm.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.12/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/wm.if 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,108 @@ +## Window Manager. + +######################################## +## +## Execute the wm program in the wm domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`wm_exec',` + gen_require(` + type wm_exec_t; + ') + + can_exec($1, wm_exec_t) +') + +####################################### +## +## The role template for the wm module. +## +## +##
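Review bot: `domain_mmap_low_type(wine_t)` followed by `domain_mmap_low(wine_t)` in the wine.te hunk grants `mmap_zero` to wine_t unconditionally, while the domain.if hunk in this same patch documents that preventing low mappings protects against kernel null-dereference bugs. Replacing `unconfined_domain_noaudit` with `unconfined_domain` is good for visibility, but the low-memory grant would be safer inside a `tunable_policy` block that defaults to off, so hosts that do not need it keep the protection. At minimum, put a comment above the two calls, e.g. `# wine needs to map page zero for <reason>; weakens mmap_min_addr protection`.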

+## This template creates a derived domains which are used +## for wm applications. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`wm_role_template',` + gen_require(` + type wm_exec_t; + ') + + type $1_wm_t; + domain_type($1_wm_t) + domain_entry_file($1_wm_t, wm_exec_t) + role $2 types $1_wm_t; + + domtrans_pattern($3, wm_exec_t, $1_wm_t) + + corecmd_bin_domtrans($1_wm_t, $1_t) + corecmd_shell_domtrans($1_wm_t, $1_t) + + ifdef(`enable_mls',` + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) + mls_xwin_write_all_levels($1_wm_t) + mls_fd_use_all_levels($1_wm_t) + ') + + files_read_etc_files($1_wm_t) + files_read_usr_files($1_wm_t) + + miscfiles_read_fonts($1_wm_t) + miscfiles_read_localization($1_wm_t) + + optional_policy(` + gnome_read_config($1_wm_t) + gnome_read_gconf_config($1_wm_t) + ') + + auth_use_nsswitch($1_wm_t) + + kernel_read_system_state($1_wm_t) + + allow $1_wm_t self:fifo_file rw_fifo_file_perms; + allow $1_wm_t self:process getsched; + allow $1_wm_t self:shm create_shm_perms; + + allow $1_wm_t $1_t:unix_stream_socket connectto; + + optional_policy(` + dbus_system_bus_client($1_wm_t) + ') + + userdom_unpriv_usertype($1, $1_wm_t) + + userdom_manage_home_role($1_r, $1_wm_t) + userdom_manage_tmpfs_role($1_r, $1_wm_t) + userdom_manage_tmp_role($1_r, $1_wm_t) + + dev_read_urand($1_wm_t) + + optional_policy(` + xserver_role($1_r, $1_wm_t) + xserver_use_xdm($1_wm_t) + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.12/policy/modules/apps/wm.te --- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/wm.te 2009-04-07 16:01:44.000000000 -0400 
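Review bot: `wm_role_template` uses `$1_t` and `$1_r` (`corecmd_bin_domtrans($1_wm_t, $1_t)`, `userdom_manage_home_role($1_r, $1_wm_t)`) without naming them in `gen_require`. It also takes the role as `$2` while deriving `$1_r` from the prefix, so the two can disagree for a caller whose role is not named after its prefix. Under `enable_mls` every `$1_wm_t` gets `mls_file_read_all_levels`, `mls_file_write_all_levels` and the matching xwin calls with no comment, which makes the window manager an MLS-trusted subject; that should be justified or narrowed. The `wm_exec` summary says the program runs "in the wm domain", but `can_exec($1, wm_exec_t)` runs it in the caller's domain, so the summary should read `## Execute the wm program in the caller domain.`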
@@ -0,0 +1,9 @@ +policy_module(wm,0.0.4) + +######################################## +# +# Declarations +# + +type wm_exec_t; +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-19 15:53:09.000000000 -0400 @@ -32,6 +32,8 @@ # # /etc # +/etc/acpi/actions(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) @@ -134,6 +136,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /usr # 
@@ -299,3 +303,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') + +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.12/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.if 2009-04-07 16:01:44.000000000 -0400 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, chroot_exec_t) + allow $1 self:capability sys_chroot; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-02-03 22:50:50.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2009-04-07 16:01:44.000000000 -0400 
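Review bot: In the corecommands.if hunk, `allow $1 self:capability sys_chroot;` is added to an interface whose visible body only lets the caller execute `chroot_exec_t`, so every existing caller silently gains a capability it did not ask for. The interface header is outside the hunk, so I cannot see its summary, but it should now state the grant, e.g. `## Execute chroot in the caller domain and allow the caller the sys_chroot capability.` If some callers only need to run the binary, a separate interface for the capability would keep them at least privilege.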
@@ -1612,6 +1612,24 @@ ######################################## ## +## Connect TCP sockets to all ports > 1024. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`corenet_tcp_connect_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; +') + +######################################## +## ## Do not audit attempts to connect TCP sockets ## all reserved ports. ## @@ -1687,6 +1705,24 @@ ######################################## ## +## Getattr the point-to-point device. +## +## +## +## The domain allowed access. +## +## +# +interface(`corenet_getattr_ppp_dev',` + gen_require(` + type ppp_device_t; + ') + + allow $1 ppp_device_t:chr_file getattr; +') + +######################################## +## ## Read and write the point-to-point device. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-23 13:47:10.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-04-07 16:01:44.000000000 -0400 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) +network_port(afs_client, udp,7001,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) network_port(afs_vl, udp,7003,s0) +network_port(agentx, udp,705,s0, tcp,705,s0) network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) 
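Review bot: The summary of the new `corenet_tcp_connect_all_unreserved_ports` says "all ports > 1024", but the rule `allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;` selects ports by type attribute, not by number. A port is covered whenever its type lacks `reserved_port_type`, whatever its number, so the description can mislead someone reasoning about what a caller may reach. I would word it as `## Connect TCP sockets to all ports whose type is not a reserved port type.` and mention that the set follows the labels in corenetwork.te.in.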
@@ -79,26 +81,34 @@ network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict +network_port(certmaster, tcp,51235,s0) network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(comsat, udp,512,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) +portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) +network_port(dccm, tcp,5679,s0, udp,5679,s0) network_port(dbskkd, tcp,1178,s0) -network_port(dhcpc, udp,68,s0) +network_port(dhcpc, udp,68,s0, tcp,68,s0) network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) +network_port(ftps, tcp,990,s0, udp,990,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) +network_port(gpsd,tcp,2947,s0) network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy +portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, 
tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) @@ -118,6 +128,7 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) +network_port(kismet, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) @@ -128,6 +139,7 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) +network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) 
@@ -138,12 +150,21 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) +network_port(pingd, tcp,9125,s0) +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) +network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0) +network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0) network_port(postfix_policyd, tcp,10031,s0) +network_port(pulseaudio, tcp,4713,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) network_port(postgrey, tcp,60000,s0) +network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) 
@@ -160,11 +181,14 @@ network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) +network_port(sap, tcp,9875,s0, udp,9875,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) +network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) network_port(spamd, tcp,783,s0) +network_port(speech, tcp,8036,s0) network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict @@ -173,14 +197,17 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) +network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(vnc, tcp,5900,s0) network_port(wccp, udp,2048,s0) -network_port(whois, tcp,43,s0, udp,43,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) +network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) 
@@ -209,6 +236,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) +typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t }; + # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-04-07 16:01:44.000000000 -0400 @@ -91,6 +91,7 @@ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-04-14 12:49:22.000000000 -0400 
@@ -188,6 +188,12 @@ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) # +# Type for /dev/tpm +# +type tpm_device_t; +dev_node(tpm_device_t) + +# # urandom_device_t is the type of /dev/urandom # type urandom_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-18 06:12:57.000000000 -0400 @@ -525,7 +525,7 @@ ') kernel_search_proc($1) - allow $1 domain:dir search; + allow $1 domain:dir search_dir_perms; ') ######################################## @@ -629,6 +629,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:file read_file_perms; + dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; ') ######################################## @@ -1247,18 +1248,34 @@ ##
## # -interface(`domain_mmap_low',` +interface(`domain_mmap_low_type',` gen_require(` attribute mmap_low_domain_type; ') - allow $1 self:memprotect mmap_zero; - typeattribute $1 mmap_low_domain_type; ') ######################################## ## +## Ability to mmap a low area of the address space, +## as configured by /proc/sys/kernel/mmap_min_addr. +## Preventing such mappings helps protect against +## exploiting null deref bugs in the kernel. +## +## +## +## Domain allowed to mmap low memory. +## +## +# +interface(`domain_mmap_low',` + + allow $1 self:memprotect mmap_zero; +') + +######################################## +## ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) @@ -1279,6 +1296,24 @@ ######################################## ## +## Polyinstatiated access to domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_poly',` + gen_require(` + attribute polydomain; + ') + + typeattribute $1 polydomain; +') + +######################################## +## ## Unconfined access to domains. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-21 16:08:44.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations # +## +##
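Review bot: Splitting `domain_mmap_low` in domain.if changes what existing callers receive: it used to add the `mmap_low_domain_type` attribute and allow `mmap_zero`, and now only allows `mmap_zero`. With `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;` in domain.te, a caller that is not updated to call `domain_mmap_low_type` as well should trip the assertion at build time, which fails safe but is surprising. The header left above `domain_mmap_low_type` starts outside the hunk and presumably still describes the combined behaviour, so each summary should say which half it provides, e.g. `## Exempt the domain from the mmap_zero neverallow; grants no permission by itself.` `Polyinstatiated` in the `domain_poly` summary later on this line should be `Polyinstantiated`.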

+## Allow all domains to use other domains file descriptors +##

+##
+# +gen_tunable(allow_domain_fd_use, true) # Mark process types as domains attribute domain; @@ -15,6 +22,8 @@ # Domains that are unconfined attribute unconfined_domain_type; +attribute polydomain; + # Domains that can mmap low memory. attribute mmap_low_domain_type; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; @@ -80,6 +89,8 @@ allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) + # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring @@ -106,6 +117,10 @@ ') optional_policy(` + afs_rw_cache(domain) +') + +optional_policy(` libs_use_ld_so(domain) libs_use_shared_libs(domain) ') @@ -118,6 +133,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_rw_xdm_home_files(domain) ') ######################################## @@ -136,6 +152,9 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; +allow unconfined_domain_type domain:dbus send_msg; +allow domain unconfined_domain_type:dbus send_msg; + # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; @@ -145,7 +164,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; -allow unconfined_domain_type domain:file read_file_perms; +allow unconfined_domain_type domain:file rw_file_perms; allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys 
@@ -153,3 +172,45 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') + +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) + cron_rw_system_job_pipes(domain) + +ifdef(`hide_broken_symptoms',` + fs_list_inotifyfs(domain) + allow domain domain:key { link search }; +') +') + +optional_policy(` + rpm_rw_pipes(domain) + rpm_dontaudit_use_script_fds(domain) + rpm_dontaudit_write_pid_files(domain) +') + +optional_policy(` + rhgb_dontaudit_use_ptys(domain) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(polydomain) + userdom_manage_user_home_content_dirs(polydomain) + userdom_manage_user_home_content_files(polydomain) + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.12/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/files.fc 2009-04-07 16:01:44.000000000 -0400 @@ -8,6 +8,8 @@ /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) +/afs -d gen_context(system_u:object_r:mnt_t,s0) + ifdef(`distro_redhat',` /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) 
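Review bot: `allow domain domain:fd use;` under `allow_domain_fd_use`, which this patch declares with a default of `true`, lets every domain use descriptors inherited or passed from any other domain, so fd use stops being a confinement boundary unless an administrator turns the boolean off. The same domain.te hunk gives every domain `cron_rw_pipes`, `cron_rw_system_job_pipes` and `rpm_rw_pipes`; if these exist only to silence leaked-descriptor denials, a dontaudit rule would hide the noise without granting access. I would default the tunable to `false`, or add a comment above `gen_tunable` explaining why it must ship enabled. The comment `# Allow all domains to use fds past to them` should read `passed to them`.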
@@ -17,6 +19,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) +/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') ifdef(`distro_suse',` @@ -228,6 +231,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-20 12:17:02.000000000 -0400 @@ -110,6 +110,11 @@ ## # interface(`files_config_file',` + gen_require(` + attribute etcfile; + ') + + typeattribute $1 etcfile; files_type($1) ') @@ -928,8 +933,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: seutil_relabelto_bin_policy($1) @@ -1086,6 +1091,24 @@ ##
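Review bot: The added entry `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` in the `distro_redhat` block matches every regular file directly under `/`, not only the named flag files listed above it, so any such file without a more specific entry is labelled `etc_runtime_t` on relabel. If a catch-all is intended, a comment saying so would help, e.g. `# catch-all for other regular files created directly in /`. If only particular files are meant, listing them by name as the neighbouring lines do keeps the label narrow. The ifdef block begins outside the hunk.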
## # +interface(`files_relabel_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem { relabelfrom relabelto }; +') + +######################################## +## +## Relabel a filesystem to the type of a file. +## +## +## +## Domain allowed access. +## +## +# interface(`files_relabelto_all_file_type_fs',` gen_require(` attribute file_type; @@ -1695,6 +1718,25 @@ ######################################## ## +## Manage a filesystem on a directory with the default file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_default',` + gen_require(` + type default_t; + ') + + manage_dirs_pattern($1, default_t, default_t) + manage_files_pattern($1, default_t, default_t) +') + +######################################## +## ## Mount a filesystem on a directory with the default file type. ## ## @@ -1915,6 +1957,26 @@ ######################################## ## +## Read config files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_config_files',` + gen_require(` + attribute etcfile; + ') + + allow $1 etcfile:dir list_dir_perms; + read_files_pattern($1, etcfile, etcfile) + read_lnk_files_pattern($1, etcfile, etcfile) +') + +######################################## +## ## Do not audit attempts to write generic files in /etc. ## ## 
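Review bot: The summary of the new `files_manage_default` interface reads "Manage a filesystem on a directory with the default file type", but the body only grants `manage_dirs_pattern` and `manage_files_pattern` on `default_t` and no filesystem permission. The wording looks carried over from the mount interface that follows it. `Create, read, write, and delete directories and files with the default file type.` describes what the two rules do.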
@@ -2250,6 +2312,49 @@ ######################################## ## +## Delete directories on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_isid_type_dirs',` + gen_require(` + type file_t; + ') + + delete_dirs_pattern($1, file_t, file_t) +') + +######################################## +## +## Delete files on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_isid_type_files',` + gen_require(` + type file_t; + ') + + delete_files_pattern($1, file_t, file_t) + delete_lnk_files_pattern($1, file_t, file_t) + delete_fifo_files_pattern($1, file_t, file_t) + delete_sock_files_pattern($1, file_t, file_t) + delete_blk_files_pattern($1, file_t, file_t) + delete_chr_files_pattern($1, file_t, file_t) +') + +######################################## +## ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## @@ -3390,6 +3495,24 @@ ######################################## ## +## List all tmp directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmppfile:dir list_dir_perms; +') + +######################################## +## ## Read all tmp files. ## ## @@ -3456,6 +3579,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) ') ######################################## @@ -3546,7 +3671,7 @@ type usr_t; ') - allow $1 usr_t:file delete_dir_perms; + delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## 
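Review bot: `files_list_all_tmp` requires `attribute tmpfile;` but its rule is written against `tmppfile`, a name the interface never requires; the rule should be `allow $1 tmpfile:dir list_dir_perms;`. Whether `tmppfile` exists anywhere else is not visible here, so as written a caller either fails to compile or does not get the documented access.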
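Review bot: Adding `files_delete_isid_type_dirs($1)` and `files_delete_isid_type_files($1)` to this tmp-deletion interface extends every existing caller from `tmpfile` types to unlabeled `file_t` objects of all file classes, and as far as the definitions added in this patch show, that grant is not tied to tmp directories. If unlabeled leftovers in tmp are the motivation, a comment such as `# unlabeled (file_t) entries may be left in tmp directories` would record it. Callers that really need the wider grant could call the isid interfaces themselves. The interface's opening lines are outside the hunk.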
@@ -3564,7 +3689,12 @@ type usr_t; ') - allow $1 usr_t:file delete_file_perms; + delete_files_pattern($1, usr_t, usr_t) + delete_lnk_files_pattern($1, usr_t, usr_t) + delete_fifo_files_pattern($1, usr_t, usr_t) + delete_sock_files_pattern($1, usr_t, usr_t) + delete_blk_files_pattern($1, usr_t, usr_t) + delete_chr_files_pattern($1, usr_t, usr_t) ') ######################################## @@ -4413,6 +4543,28 @@ ######################################## ## +## manage all lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 { var_t var_lock_t }:dir search_dir_perms; + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +') + +######################################## +## ## Create an object in the locks directory, with a private ## type using a type transition. ## @@ -4532,7 +4684,8 @@ type var_t, var_run_t; ') - read_files_pattern($1, { var_t var_run_t }, var_run_t) + list_dirs_pattern($1,var_t,var_run_t) + read_files_pattern($1, var_run_t, var_run_t) ') ######################################## @@ -4873,7 +5026,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin }; + allow $1 self:capability { chown fsetid sys_admin fowner }; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; @@ -4895,12 +5048,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) + fs_mount_tmpfs($1) + fs_unmount_tmpfs($1) + ifdef(`distro_redhat',` # namespace.init + files_search_tmp($1) files_search_home($1) corecmd_exec_bin($1) seutil_domtrans_setfiles($1) - mount_domtrans($1) ') ') 
@@ -4921,3 +5077,114 @@ typeattribute $1 files_unconfined_type; ') + +######################################## +## +## Create a core files in / +## +## +##

+## Create a core file in /, +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_dump_core',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## +## Create a default directory in / +## +## +##

+## Create a default_t direcrory in / +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_default_dir',` + gen_require(` + type root_t, default_t; + ') + + allow $1 default_t:dir create; + filetrans_pattern($1, root_t, default_t, dir) +') + +######################################## +## +## manage generic symbolic links +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_generic_pids_symlinks',` + gen_require(` + type var_run_t; + ') + + manage_lnk_files_pattern($1,var_run_t,var_run_t) +') + +######################################## +## +## manage generic symbolic links +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_boot',` + gen_require(` + type root_t; + ') + + allow $1 root_t:blk_file manage_blk_file_perms; + allow $1 root_t:chr_file manage_chr_file_perms; + manage_dirs_pattern($1, root_t, root_t) + manage_files_pattern($1, root_t, root_t) + manage_lnk_files_pattern($1, root_t, root_t) + can_exec(kernel_t, root_t) +') + +######################################## +## +## Do not audit attempts to getattr +## all tmpfs files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + allow $1 tmpfsfile:file getattr; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.12/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/files.te 2009-04-07 16:01:44.000000000 -0400 @@ -52,7 +52,9 @@ # # etc_t is the type of the system etc directories. # -type etc_t; +attribute etcfile; + +type etc_t, etcfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; 
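Review bot: `files_dontaudit_getattr_tmpfs_files` is documented as "Do not audit attempts to getattr all tmpfs files", yet its rule is `allow $1 tmpfsfile:file getattr;`, so callers are granted the access instead of having the denial silenced; the rule should be `dontaudit $1 tmpfsfile:file getattr;`. In the same hunk `files_boot` ends with `can_exec(kernel_t, root_t)`, which ignores `$1` and uses `kernel_t` without listing it in `gen_require`; `can_exec($1, root_t)` would match the other rules. The `files_boot` summary is a copy of the `files_manage_generic_pids_symlinks` text and should instead describe the `root_t` access it grants.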
@@ -198,10 +200,7 @@ # # Rules for all tmp file types # - -allow tmpfile tmp_t:filesystem associate; - -fs_associate_tmpfs(tmpfile) +allow file_type tmp_t:filesystem associate; ######################################## # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.12/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-20 12:16:40.000000000 -0400 @@ -723,6 +723,24 @@ ######################################## ## +## Dont audit attempts to write to all noxattrfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_write_noxattr_fs_files',` + gen_require(` + attribute noxattrfs; + ') + + dontaudit $1 noxattrfs:file write; +') + +######################################## +## ## Create, read, write, and delete all noxattrfs directories. ## ## @@ -754,6 +772,7 @@ attribute noxattrfs; ') + list_dirs_pattern($1, noxattrfs, noxattrfs) read_files_pattern($1, noxattrfs, noxattrfs) ') @@ -2173,6 +2192,7 @@ type removable_t; ') + allow $1 removable_t:dir list_dir_perms; rw_blk_files_pattern($1, removable_t, removable_t) ') @@ -3322,6 +3342,7 @@ type tmpfs_t; ') + dontaudit $1 tmpfs_t:dir rw_dir_perms; dontaudit $1 tmpfs_t:file rw_file_perms; ') 
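Review bot: The section is still headed "Rules for all tmp file types", but the new rule `allow file_type tmp_t:filesystem associate;` applies to every file type, and the `fs_associate_tmpfs(tmpfile)` call is dropped with no replacement in this hunk. The heading should follow the rule, e.g. `# Allow all file types to associate with a tmp_t filesystem`. It is also worth confirming that tmp file types can still associate with tmpfs through some other rule, which is not visible here.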
@@ -3643,6 +3664,7 @@ ') allow $1 filesystem_type:filesystem getattr; + files_getattr_all_file_type_fs($1) ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.12/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-03-04 15:43:10.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.te 2009-04-17 08:55:09.000000000 -0400 @@ -206,6 +206,10 @@ genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) +# Labeling dosfs_t since these are removable file systems with the i +# same security properties as dosfs_t +genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) +genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) type fusefs_t; fs_noxattr_type(fusefs_t) 
@@ -244,12 +248,12 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0) genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) genfscon coda / gen_context(system_u:object_r:nfs_t,s0) -genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) ######################################## # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-21 13:21:45.000000000 -0400 @@ -1197,6 +1197,26 @@ ') dontaudit $1 proc_type:dir list_dir_perms; + dontaudit $1 proc_type:file getattr; +') + +######################################## +## +## Allow attempts to list all proc directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_list_all_proc',` + gen_require(` + attribute proc_type; + ') + + allow $1 proc_type:dir list_dir_perms; + allow $1 proc_type:file getattr; ') ######################################## @@ -1233,9 +1253,11 @@ interface(`kernel_read_sysctl',` gen_require(` type sysctl_t; + type proc_t; ') list_dirs_pattern($1, proc_t, sysctl_t) + read_files_pattern($1, sysctl_t, sysctl_t) ') ######################################## 
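Review bot: The parameter text of the new `kernel_list_all_proc` interface says "Domain to not audit.", copied from the dontaudit interface above it, while the body consists of two `allow` rules; it should read `Domain allowed access.`. The summary "Allow attempts to list all proc directories" also leaves out the `proc_type:file getattr` grant. `List all proc directories and get the attributes of all proc files.` would cover both rules.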
@@ -1568,6 +1590,26 @@ ######################################## ## +## Read generic crypto sysctls. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_crypto_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_crypto_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) +') + +######################################## +## ## Read generic kernel sysctls. ## ## @@ -1767,6 +1809,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; + dontaudit $1 sysctl_type:file read_file_perms; ') ######################################## @@ -2580,6 +2623,24 @@ ######################################## ## +## Relabel to unlabeled context . +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_relabelto_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir_file_class_set relabelto; +') + +######################################## +## ## Unconfined access to kernel module resources. ## ## @@ -2595,3 +2656,23 @@ typeattribute $1 kern_unconfined; ') + +######################################## +## +## Allow the specified domain to connect to +## the kernel with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_stream_connect',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket connectto; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-09 10:10:27.000000000 -0400 
@@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) # +# infinibandeventfs fs +# + +type infinibandeventfs_t; +fs_type(infinibandeventfs_t) +allow infinibandeventfs_t self:filesystem associate; +genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) + +# # kvmFS # @@ -120,6 +129,10 @@ type sysctl_rpc_t, sysctl_type; genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) +# /proc/sys/crypto directory and files +type sysctl_crypto_t, sysctl_type; +genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) + # /proc/sys/fs directory and files type sysctl_fs_t, sysctl_type; files_mountpoint(sysctl_fs_t) @@ -160,6 +173,7 @@ # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +fs_associate(unlabeled_t) # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -198,6 +212,8 @@ allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:fd use; +allow kernel_t debugfs_t:dir search; + allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; @@ -248,7 +264,8 @@ selinux_load_policy(kernel_t) -term_use_console(kernel_t) +term_use_all_terms(kernel_t) +term_use_ptmx(kernel_t) corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) @@ -262,6 +279,8 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) +files_manage_mounttab(kernel_t) +files_manage_generic_spool_dirs(kernel_t) mcs_process_set_categories(kernel_t) 
@@ -269,12 +288,18 @@ mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) + +logging_manage_generic_logs(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 fs_rw_tmpfs_chr_files(kernel_t) ') +userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) @@ -356,7 +381,11 @@ ') optional_policy(` - unconfined_domain(kernel_t) + unconfined_domain_noaudit(kernel_t) +') + +optional_policy(` + xserver_xdm_manage_spool(kernel_t) ') ######################################## @@ -388,3 +417,7 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) + +permissive kernel_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.12/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/selinux.if 2009-04-07 16:01:44.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which # calls this interface must be in the base module: - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) +# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ') ######################################## @@ -202,6 +202,7 @@ type security_t; ') + selinux_dontaudit_getattr_fs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') @@ -223,6 +224,7 @@ type security_t; ') + selinux_get_fs_mount($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') 
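Review bot: `permissive kernel_t;` at the end of the file stops enforcement for `kernel_t` and is added without any comment. Combined with the switch to `unconfined_domain_noaudit(kernel_t)` in the earlier hunk, which judging by its name also drops auditing, activity in the kernel context that policy would otherwise deny may leave little trace in the audit log. A comment stating the reason and the removal condition is needed, e.g. `# temporary: kernel_t is permissive while <reason placeholder>`. `files_boot(kernel_t)` grants management of `root_t` block and character device nodes per its definition in this patch and deserves the same one-line justification.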
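Review bot: In the `@@ -40,7 +40,7 @@` hunk the `genfscon selinuxfs /booleans/$2 ...` statement is commented out rather than removed, while the comment above it still says that any module calling this interface must be in the base module because of that statement. Either delete both, or replace the stale comment with one that says why the per-boolean genfscon is disabled. With the statement gone, the `$2` argument appears unused in the visible lines; the interface header is outside the hunk.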
@@ -404,6 +406,7 @@ ') allow $1 security_t:dir list_dir_perms; + allow $1 boolean_type:dir list_dir_perms; allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { @@ -622,3 +625,23 @@ typeattribute $1 selinux_unconfined_type; ') + +######################################## +## +## Generate a file context for a boolean type +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_genbool',` + gen_require(` + attribute boolean_type; + ') + + type $1, boolean_type; + fs_type($1) + mls_trusted_object($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.12/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.fc 2009-04-11 08:00:47.000000000 -0400 @@ -13,6 +13,7 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-04-07 16:01:44.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; - allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; + allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ') ######################################## 
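Review bot: The documentation of the new `selinux_genbool` interface does not match its body: the summary says it generates a file context and the parameter is described as "Domain allowed access.", but the body declares `$1` as a new type with the `boolean_type` attribute and then applies `fs_type` and `mls_trusted_object` to it. A summary such as `Declare a type with the boolean_type attribute.` and a parameter text of `Type to be declared.` would describe what callers get.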
@@ -250,9 +250,11 @@ interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; + type tty_device_t; ') dontaudit $1 console_device_t:chr_file rw_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.12/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/roles/guest.te 2009-04-07 16:01:44.000000000 -0400 @@ -16,7 +16,11 @@ # optional_policy(` - java_role(guest_r, guest_t) + java_role_template(guest, guest_r, guest_t) ') -#gen_user(guest_u,, guest_r, s0, s0) +optional_policy(` + mono_role_template(guest, guest_r, guest_t) +') + +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-04-07 16:01:44.000000000 -0400 
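Review bot: `term_dontaudit_use_console` now also silences read/write denials on `tty_device_t`, so every existing caller stops logging those attempts although the interface name only mentions the console. Denials hidden by `dontaudit` no longer appear in the audit log, so this is better expressed as a separate call at the callers that need it. If it stays here, the interface documentation (outside the hunk) should say so and the rule should carry a comment, e.g. `# also covers tty_device_t: <reason placeholder>`.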
@@ -15,156 +15,90 @@ # Local policy # -optional_policy(` - apache_role(staff_r, staff_t) -') - -optional_policy(` - auth_role(staff_r, staff_t) -') - -optional_policy(` - auditadm_role_change(staff_r) -') +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) -optional_policy(` - bluetooth_role(staff_r, staff_t) -') +auth_domtrans_pam_console(staff_t) -optional_policy(` - cdrecord_role(staff_r, staff_t) -') +libs_manage_shared_libs(staff_t) -optional_policy(` - cron_role(staff_r, staff_t) -') - -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) optional_policy(` - ethereal_role(staff_r, staff_t) -') - -optional_policy(` - evolution_role(staff_r, staff_t) -') - -optional_policy(` - games_role(staff_r, staff_t) -') - -optional_policy(` - gift_role(staff_r, staff_t) -') - -optional_policy(` - gnome_role(staff_r, staff_t) -') - -optional_policy(` - gpg_role(staff_r, staff_t) -') - -optional_policy(` - irc_role(staff_r, staff_t) -') - -optional_policy(` - java_role(staff_r, staff_t) -') - -optional_policy(` - lockdev_role(staff_r, staff_t) -') - -optional_policy(` - lpd_role(staff_r, staff_t) -') - -optional_policy(` - mozilla_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` - mplayer_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` - mta_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) + logadm_role_change(staff_r) ') optional_policy(` - pyzor_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` - razor_role(staff_r, staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` - rssh_role(staff_r, staff_t) + sysadm_role_change(staff_r) ') optional_policy(` - 
screen_role_template(staff, staff_r, staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` - secadm_role_change(staff_r) + unconfined_role_change(staff_r) ') optional_policy(` - spamassassin_role(staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` - ssh_role_template(staff, staff_r, staff_t) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` - su_role_template(staff, staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` - sudo_role_template(staff, staff_r, staff_t) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` - thunderbird_role(staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` - tvtime_role(staff_r, staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` - uml_role(staff_r, staff_t) + gnomeclock_dbus_chat(staff_t) ') optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) + kerneloops_dbus_chat(staff_t) ') optional_policy(` - vmware_role(staff_r, staff_t) + rpm_dbus_chat(staff_usertype) ') optional_policy(` - wireshark_role(staff_r, staff_t) + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) ') optional_policy(` - xserver_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if 2009-04-07 16:01:44.000000000 -0400 
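Review bot: `libs_manage_shared_libs(staff_t)` is added unconditionally near the top of the new staff policy; judging by its name it lets the staff user domain create, modify and delete shared library files, which is far broader than the read-style grants around it. If a specific workflow needs it, a comment naming that workflow belongs above the line; otherwise the call should be dropped or placed behind a tunable. `rpm_dbus_chat(staff_usertype)` uses `staff_usertype` where every other call in the hunk uses `staff_t`, and the declaration of that attribute is not visible here.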
@@ -116,41 +116,6 @@ ######################################## ## -## Allow sysadm to execute all entrypoint files in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -## -## -##

-## Allow sysadm to execute all entrypoint files in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain allowed access. -## -## -# -interface(`sysadm_entry_spec_domtrans_to',` - gen_require(` - type sysadm_t; - ') - - domain_entry_file_spec_domtrans(sysadm_t, $1) - allow $1 sysadm_t:fd use; - allow $1 sysadm_t:fifo_file rw_file_perms; - allow $1 sysadm_t:process sigchld; -') - -######################################## -## ## Allow sysadm to execute a generic bin program in ## a specified domain. This is an explicit transition, ## requiring the caller to use setexeccon(). diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-04-21 15:50:14.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; -userdom_admin_user_template(sysadm) +userdom_admin_login_user_template(sysadm) ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r) @@ -70,7 +70,6 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -87,10 +86,6 @@ ') optional_policy(` - auth_role(sysadm_r, sysadm_t) -') - -optional_policy(` backup_run(sysadm_t, sysadm_r) ') @@ -99,18 +94,10 @@ ') optional_policy(` - bluetooth_role(sysadm_r, sysadm_t) -') - -optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) -') - -optional_policy(` certwatch_run(sysadm_t, sysadm_r) ') @@ -127,7 +114,7 @@ ') optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) + su_exec(sysadm_t) ') optional_policy(` @@ -135,10 +122,6 @@ ') optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) 
@@ -166,10 +149,6 @@ ') optional_policy(` - evolution_role(sysadm_r, sysadm_t) -') - -optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') @@ -178,22 +157,6 @@ ') optional_policy(` - games_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gift_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gnome_role(sysadm_r, sysadm_t) -') - -optional_policy(` - gpg_role(sysadm_r, sysadm_t) -') - -optional_policy(` hostname_run(sysadm_t, sysadm_r) ') @@ -212,11 +175,7 @@ ') optional_policy(` - irc_role(sysadm_r, sysadm_t) -') - -optional_policy(` - java_role(sysadm_r, sysadm_t) + kerberos_exec_kadmind(sysadm_t) ') optional_policy(` @@ -228,10 +187,6 @@ ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -') - -optional_policy(` logrotate_run(sysadm_t, sysadm_r) ') @@ -255,14 +210,6 @@ ') optional_policy(` - mozilla_role(sysadm_r, sysadm_t) -') - -optional_policy(` - mplayer_role(sysadm_r, sysadm_t) -') - -optional_policy(` mta_role(sysadm_r, sysadm_t) ') @@ -290,11 +237,6 @@ ') optional_policy(` - oident_manage_user_content(sysadm_t) - oident_relabel_user_content(sysadm_t) -') - -optional_policy(` pcmcia_run_cardctl(sysadm_t, sysadm_r) ') @@ -308,10 +250,6 @@ ') optional_policy(` - pyzor_role(sysadm_r, sysadm_t) -') - -optional_policy(` quota_run(sysadm_t, sysadm_r) ') @@ -320,22 +258,10 @@ ') optional_policy(` - razor_role(sysadm_r, sysadm_t) -') - -optional_policy(` rpc_domtrans_nfsd(sysadm_t) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) -') - -optional_policy(` - rssh_role(sysadm_r, sysadm_t) -') - -optional_policy(` rsync_exec(sysadm_t) ') @@ -345,10 +271,6 @@ ') optional_policy(` - screen_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` secadm_role_change(sysadm_r) ') 
@@ -358,35 +280,15 @@ ') optional_policy(` - spamassassin_role(sysadm_r, sysadm_t) -') - -optional_policy(` - ssh_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` staff_role_change(sysadm_r) ') optional_policy(` - su_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` - sudo_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` sysnet_run_ifconfig(sysadm_t, sysadm_r) sysnet_run_dhcpc(sysadm_t, sysadm_r) ') optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) -') - -optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) @@ -394,18 +296,10 @@ ') optional_policy(` - tvtime_role(sysadm_r, sysadm_t) -') - -optional_policy(` tzdata_domtrans(sysadm_t) ') optional_policy(` - uml_role(sysadm_r, sysadm_t) -') - -optional_policy(` unconfined_domtrans(sysadm_t) ') @@ -418,20 +312,12 @@ ') optional_policy(` - userhelper_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) ') optional_policy(` - vmware_role(sysadm_r, sysadm_t) -') - -optional_policy(` vpn_run(sysadm_t, sysadm_r) ') @@ -440,13 +326,5 @@ ') optional_policy(` - wireshark_role(sysadm_r, sysadm_t) -') - -optional_policy(` - xserver_role(sysadm_r, sysadm_t) -') - -optional_policy(` yam_run(sysadm_t, sysadm_r) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-15 10:01:33.000000000 -0400 
@@ -0,0 +1,32 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r
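Review bot: Several of the added path expressions match more than the binaries they name, because file-context paths are regular expressions: `beam.smp` has an unescaped dot in both erlang entries, `/usr/bin/haddock.*` takes every path that starts with that prefix, and `/usr/libexec/ghc-[^/]+/.*bin` matches any regular file at any depth below the ghc directory whose path ends in `bin`. Every match is labelled `execmem_exec_t`, so these patterns should be as tight as the entries that already escape the dot (`realplay\.bin`). I would write `beam\.smp` in both erlang lines and, if a single path component is what is meant, `[^/]*bin` in the ghc line. The header comment about initrc transitioning to unconfined_t is not followed by any `unconfined_exec_t` entry in this file and should be moved or dropped.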
nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-18 06:06:56.000000000 -0400 @@ -0,0 +1,638 @@ +## Unconfiend user role + +######################################## +## +## Change from the unconfineduser role. +## +## +##

+## Change from the unconfineduser role to +## the specified role. +##

+##

+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Role allowed access. +## +## +## +# +interface(`unconfined_role_change_to',` + gen_require(` + role unconfined_r; + ') + + allow unconfined_r $1; +') + +######################################## +## +## Transition to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_domtrans',` + gen_require(` + type unconfined_t, unconfined_exec_t; + ') + + domtrans_pattern($1,unconfined_exec_t,unconfined_t) +') + +######################################## +## +## Execute specified programs in the unconfined domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to allow the unconfined domain. +## +## +# +interface(`unconfined_run',` + gen_require(` + type unconfined_t; + ') + + unconfined_domtrans($1) + role $2 types unconfined_t; +') + +######################################## +## +## Transition to the unconfined domain by executing a shell. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_shell_domtrans',` + gen_require(` + attribute unconfined_login_domain; + ') + typeattribute $1 unconfined_login_domain; +') + +######################################## +## +## Allow unconfined to execute the specified program in +## the specified domain. +## +## +##

+## Allow unconfined to execute the specified program in +## the specified domain. +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Domain to execute in. +## +## +## +## +## Domain entry point file. +## +## +# +interface(`unconfined_domtrans_to',` + gen_require(` + type unconfined_t; + ') + + domtrans_pattern(unconfined_t,$2,$1) +') + +######################################## +## +## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +## +## +##

+## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Domain to execute in. +## +## +## +## +## Domain entry point file. +## +## +# +interface(`unconfined_run_to',` + gen_require(` + type unconfined_t; + role unconfined_r; + ') + + domtrans_pattern(unconfined_t,$2,$1) + role unconfined_r types $1; + userdom_use_user_terminals($1) +') + +######################################## +## +## Inherit file descriptors from the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_use_fds',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fd use; +') + +######################################## +## +## Send a SIGCHLD signal to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_sigchld',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process sigchld; +') + +######################################## +## +## Send a SIGNULL signal to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_signull',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signull; +') + +######################################## +## +## Send a SIGNULL signal to the unconfined execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_signull',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:process signull; +') + +######################################## +## +## Send a signal to the unconfined execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_signal',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:process signal; +') + +######################################## +## +## Send generic signals to the unconfined domain. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`unconfined_signal',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signal; +') + +######################################## +## +## Read unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file read_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dontaudit_read_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file read; +') + +######################################## +## +## Read and write unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_stream',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Connect to the unconfined domain using +## a unix domain stream socket. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`unconfined_stream_connect',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:unix_stream_socket connectto; +') + +######################################## +## +## Do not audit attempts to read or write +## unconfined domain tcp sockets. +## +## +##

+## Do not audit attempts to read or write +## unconfined domain tcp sockets. +##

+##

+## This interface was added due to a broken +## symptom in ldconfig. +##

+##
+## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_tcp_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:tcp_socket { read write }; +') + +######################################## +## +## Create keys for the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_create_keys',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:key create; +') + +######################################## +## +## Send messages to the unconfined domain over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_send',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## unconfined_t over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_chat',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; + allow unconfined_t $1:dbus send_msg; +') + +######################################## +## +## Connect to the the unconfined DBUS +## for service (acquire_svc). +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_connect',` + gen_require(` + type unconfined_t; + class dbus acquire_svc; + ') + + allow $1 unconfined_t:dbus acquire_svc; +') + +######################################## +## +## Allow ptrace of unconfined domain +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process ptrace; +') + +######################################## +## +## Read and write to unconfined shared memory. +## +## +## +## The type of the process performing this action. 
+## +## +# +interface(`unconfined_rw_shm',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:shm rw_shm_perms; +') + +######################################## +## +## Read and write to unconfined execmem shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`unconfined_execmem_rw_shm',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:shm rw_shm_perms; +') + +######################################## +## +## Transition to the unconfined_execmem domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_domtrans',` + + gen_require(` + type unconfined_execmem_t, execmem_exec_t; + ') + + domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) +') + +######################################## +## +## execute the execmem applications +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_execmem_exec',` + + gen_require(` + type execmem_exec_t; + ') + + can_exec($1, execmem_exec_t) +') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_set_rlimitnh',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process rlimitinh; +') + +######################################## +## +## Get the process group of unconfined. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_getpgid',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process getpgid; +') + +######################################## +## +## Change to the unconfined role. +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`unconfined_role_change',` + gen_require(` + role unconfined_r; + ') + + allow $1 unconfined_r; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-16 10:03:34.000000000 -0400 @@ -0,0 +1,403 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## +# +# Declarations +# +attribute unconfined_login_domain; + +## +##
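Review bot: `unconfined_set_rlimitnh` is described as "Allow apps to set rlimits on userdomain", but the rule it adds is `allow $1 unconfined_t:process rlimitinh;`, which is about inheriting resource limits on a transition, not setting them; the summary should say that, and the interface name drops the `i` of `rlimitinh` (renaming it would have to cover callers outside this hunk). `unconfined_dontaudit_rw_pipes` uses `rw_file_perms` on `fifo_file` where `unconfined_rw_pipes` uses `rw_fifo_file_perms`, so the dontaudit does not mirror the allow. `unconfined_ptrace` is documented only as "Allow ptrace of unconfined domain"; its description should state that the caller gains control over unconfined_t processes, so that each use gets reviewed. The module summary line also reads "Unconfiend".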

+## Transition to confined nsplugin domains from unconfined user +##

+##
+gen_tunable(allow_unconfined_nsplugin_transition, false) + +## +##

+## Allow a user to login as an unconfined domain +##

+##
+gen_tunable(unconfined_login, true) + +## +##

+## Allow unconfined domain to map low memory in the kernel +##

+##
+gen_tunable(allow_unconfined_mmap_low, false) + +## +##

+## Transition to confined qemu domains from unconfined user +##

+##
+gen_tunable(allow_unconfined_qemu_transition, false) + +# usage in this module of types created by these +# calls is not correct, however we dont currently +# have another method to add access to these types +userdom_base_user_template(unconfined) +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_execmod_user_home_files(unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) +role unconfined_r types unconfined_t; + +domain_user_exemption_target(unconfined_t) +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) +role system_r types unconfined_t; +typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; + +type unconfined_execmem_t; +type execmem_exec_t; +init_system_domain(unconfined_execmem_t, execmem_exec_t) +role unconfined_r types unconfined_execmem_t; +typealias execmem_exec_t alias unconfined_execmem_exec_t; + +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) +role unconfined_r types unconfined_notrans_t; + +######################################## +# +# Local policy +# + +dontaudit unconfined_t self:dir write; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + +domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) + +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) + +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) +mls_file_write_all_levels(unconfined_t) + +init_run_daemon(unconfined_t, unconfined_r) +init_domtrans_script(unconfined_t) +init_chat(unconfined_t) + +libs_run_ldconfig(unconfined_t, unconfined_r) + +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + +mount_run_unconfined(unconfined_t, unconfined_r) +# 
Unconfined running as system_r +mount_domtrans_unconfined(unconfined_t) + +seutil_run_setsebool(unconfined_t, unconfined_r) +seutil_run_setfiles(unconfined_t, unconfined_r) +seutil_run_semanage(unconfined_t, unconfined_r) + +unconfined_domain_noaudit(unconfined_t) +domain_mmap_low(unconfined_t) + +userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) + +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + +tunable_policy(`unconfined_login',` + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + allow unconfined_t unconfined_login_domain:fd use; + allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; + allow unconfined_t unconfined_login_domain:process sigchld; +') + +optional_policy(` + loadkeys_run(unconfined_t, unconfined_r) +') + +optional_policy(` + nsplugin_role_notrans(unconfined_r, unconfined_t) + tunable_policy(`allow_unconfined_nsplugin_transition',` + nsplugin_domtrans(unconfined_execmem_t) + nsplugin_domtrans_config(unconfined_execmem_t) + nsplugin_domtrans(unconfined_t) + nsplugin_domtrans_config(unconfined_t) + ') +') + +ifdef(`distro_gentoo',` + seutil_run_runinit(unconfined_t, unconfined_r) + seutil_init_script_run_runinit(unconfined_t, unconfined_r) +') + +optional_policy(` + ada_run(unconfined_t, unconfined_r) +') + +optional_policy(` + apache_run_helper(unconfined_t, unconfined_r) +') + +optional_policy(` + bind_run_ndc(unconfined_t, unconfined_r) +') + +optional_policy(` + bootloader_run(unconfined_t, unconfined_r) +') + +optional_policy(` + cron_unconfined_role(unconfined_r, unconfined_t) +') + +optional_policy(` + init_dbus_chat_script(unconfined_t) + + dbus_stub(unconfined_t) + + optional_policy(` + avahi_dbus_chat(unconfined_t) + ') + + optional_policy(` + bluetooth_dbus_chat(unconfined_t) + ') + + optional_policy(` + consolekit_dbus_chat(unconfined_t) + ') + + optional_policy(` + cups_dbus_chat_config(unconfined_t) + 
') + + optional_policy(` + hal_dbus_chat(unconfined_t) + ') + + optional_policy(` + gnomeclock_dbus_chat(unconfined_t) + ') + + optional_policy(` + kerneloops_dbus_chat(unconfined_t) + ') + + optional_policy(` + networkmanager_dbus_chat(unconfined_t) + ') + + optional_policy(` + oddjob_dbus_chat(unconfined_t) + ') + + optional_policy(` + vpnc_dbus_chat(unconfined_t) + ') +') + +optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + +optional_policy(` + ftp_run_ftpdctl(unconfined_t, unconfined_r) +') + +optional_policy(` + gpsd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + iptables_run(unconfined_t, unconfined_r) +') + +optional_policy(` + java_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + kismet_run(unconfined_t, unconfined_r) +') + +optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + lpd_run_checkpc(unconfined_t, unconfined_r) +') + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) +') + +optional_policy(` + mono_role_template(unconfined, unconfined_r, unconfined_t) + unconfined_domain_noaudit(unconfined_mono_t) + role system_r types unconfined_mono_t; +') + +optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + +optional_policy(` + prelink_run(unconfined_t, unconfined_r) +') + +optional_policy(` + portmap_run_helper(unconfined_t, unconfined_r) +') + +optional_policy(` + qemu_role_notrans(unconfined_r, unconfined_t) + qemu_unconfined_role(unconfined_r) + + tunable_policy(`allow_unconfined_qemu_transition',` + qemu_domtrans(unconfined_t) + ',` + qemu_domtrans_unconfined(unconfined_t) +') +') + +optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) + rpm_role_transition(unconfined_r) +') + +optional_policy(` + samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r) + 
samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') + +optional_policy(` + sendmail_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + sysnet_run_dhcpc(unconfined_t, unconfined_r) + sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) +') + +optional_policy(` + tzdata_run(unconfined_t, unconfined_r) +') + +optional_policy(` + vbetool_run(unconfined_t, unconfined_r) +') + +optional_policy(` + vpn_run(unconfined_t, unconfined_r) +') + +optional_policy(` + webalizer_run(unconfined_t, unconfined_r) +') + +optional_policy(` + wine_run(unconfined_t, unconfined_r) +') + +optional_policy(` + xserver_run(unconfined_t, unconfined_r) + xserver_rw_shm(unconfined_t) +') + +######################################## +# +# Unconfined Execmem Local policy +# + +allow unconfined_execmem_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t unconfined_t:process transition; + +optional_policy(` + init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client(unconfined_execmem_t) + unconfined_dbus_chat(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t) +') + +optional_policy(` + avahi_dbus_chat(unconfined_execmem_t) +') + + optional_policy(` + hal_dbus_chat(unconfined_execmem_t) + ') + +optional_policy(` + xserver_rw_shm(unconfined_execmem_t) +') + +######################################## +# +# Unconfined notrans Local policy +# + +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) + +optional_policy(` + gen_require(` + type mplayer_exec_t; + ') + domtrans_pattern(unconfined_t, mplayer_exec_t, 
unconfined_execmem_t) +') + +optional_policy(` +tunable_policy(`allow_unconfined_nsplugin_transition',`', ` + gen_require(` + type mozilla_exec_t; + ') + domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) +') +') + +optional_policy(` + gen_require(` + type openoffice_exec_t; + ') + domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) +') + +######################################## +# +# Unconfined mount local policy +# + +optional_policy(` + gen_require(` + type unconfined_mount_t; + ') + + files_etc_filetrans_etc_runtime(unconfined_mount_t,file) + + rpc_domtrans_rpcd(unconfined_mount_t) + + unconfined_domain_noaudit(unconfined_mount_t) + optional_policy(` + hal_dbus_chat(unconfined_mount_t) + ') +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-04-07 16:01:44.000000000 -0400 
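Review bot: The tunable `allow_unconfined_mmap_low` is declared with default false, but nothing in this file tests it, and `domain_mmap_low(unconfined_t)` is called unconditionally in the local policy section. Unless that interface is itself conditional (its definition is not in this hunk), unconfined_t may map low memory whatever the boolean says, which defeats the setting an administrator would use to keep the NULL-page mapping restriction in force. I would move the call into a `tunable_policy` block keyed on `allow_unconfined_mmap_low`, or remove the tunable if the grant is meant to be permanent. Separately, `rpm_transition_script(unconfined_notrans_t)` sits outside any `optional_policy`, unlike the rpm calls made for unconfined_t earlier in the file.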
@@ -14,142 +14,13 @@ userdom_unpriv_user_template(user) optional_policy(` - apache_role(user_r, user_t) + kerneloops_dontaudit_dbus_chat(user_t) ') optional_policy(` - auth_role(user_r, user_t) + rpm_dontaudit_dbus_chat(user_t) ') optional_policy(` - bluetooth_role(user_r, user_t) -') - -optional_policy(` - cdrecord_role(user_r, user_t) -') - -optional_policy(` - cron_role(user_r, user_t) -') - -optional_policy(` - dbus_role_template(user, user_r, user_t) -') - -optional_policy(` - ethereal_role(user_r, user_t) -') - -optional_policy(` - evolution_role(user_r, user_t) -') - -optional_policy(` - games_role(user_r, user_t) -') - -optional_policy(` - gift_role(user_r, user_t) -') - -optional_policy(` - gnome_role(user_r, user_t) -') - -optional_policy(` - gpg_role(user_r, user_t) -') - -optional_policy(` - irc_role(user_r, user_t) -') - -optional_policy(` - java_role(user_r, user_t) -') - -optional_policy(` - lockdev_role(user_r, user_t) -') - -optional_policy(` - lpd_role(user_r, user_t) -') - -optional_policy(` - mozilla_role(user_r, user_t) -') - -optional_policy(` - mplayer_role(user_r, user_t) -') - -optional_policy(` - mta_role(user_r, user_t) -') - -optional_policy(` - oident_manage_user_content(user_t) - oident_relabel_user_content(user_t) -') - -optional_policy(` - pyzor_role(user_r, user_t) -') - -optional_policy(` - razor_role(user_r, user_t) -') - -optional_policy(` - rssh_role(user_r, user_t) -') - -optional_policy(` - screen_role_template(user, user_r, user_t) -') - -optional_policy(` - spamassassin_role(user_r, user_t) -') - -optional_policy(` - ssh_role_template(user, user_r, user_t) -') - -optional_policy(` - su_role_template(user, user_r, user_t) -') - -optional_policy(` - sudo_role_template(user, user_r, user_t) -') - -optional_policy(` - thunderbird_role(user_r, user_t) -') - -optional_policy(` - tvtime_role(user_r, user_t) -') - -optional_policy(` - uml_role(user_r, user_t) -') - -optional_policy(` - userhelper_role_template(user, user_r, user_t) 
-') - -optional_policy(` - vmware_role(user_r, user_t) -') - -optional_policy(` - wireshark_role(user_r, user_t) -') - -optional_policy(` - xserver_role(user_r, user_t) + setroubleshoot_dontaudit_stream_connect(user_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.12/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 2009-04-07 15:53:36.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/roles/webadm.te 2009-04-07 16:06:28.000000000 -0400 @@ -42,7 +42,7 @@ userdom_dontaudit_search_user_home_dirs(webadm_t) -#apache_admin(webadm_t, webadm_r) +apache_admin(webadm_t, webadm_r) tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/roles/xguest.te 2009-04-07 16:01:44.000000000 -0400 @@ -67,7 +67,11 @@ ') optional_policy(` - java_role(xguest_r, xguest_t) + java_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) ') optional_policy(` @@ -75,9 +79,13 @@ ') optional_policy(` + nsplugin_role(xguest_r, xguest_t) +') + +optional_policy(` tunable_policy(`xguest_connect_network',` networkmanager_dbus_chat(xguest_t) ') ') -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.12/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/afs.fc 2009-04-07 16:01:44.000000000 -0400 
@@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) +/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) + /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) @@ -17,6 +20,13 @@ /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) +/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) + /vicepa gen_context(system_u:object_r:afs_files_t,s0) /vicepb gen_context(system_u:object_r:afs_files_t,s0) /vicepc gen_context(system_u:object_r:afs_files_t,s0) + + +/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) + +/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.12/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/afs.if 2009-04-07 16:01:44.000000000 -0400 
@@ -1 +1,110 @@ ## Andrew Filesystem server + +######################################## +## +## Execute a domain transition to run afs. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`afs_domtrans',` + gen_require(` + type afs_t; + type afs_exec_t; + ') + + domtrans_pattern($1,afs_exec_t,afs_t) +') + + +######################################## +## +## Read and write afs UDP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`afs_rw_udp_sockets',` + gen_require(` + type afs_t; + ') + + allow $1 afs_t:udp_socket { read write }; +') + +######################################## +## +## read/write afs cache files +## +## +## +## Domain allowed to transition. +## +## +# +interface(`afs_rw_cache',` + gen_require(` + type afs_cache_t; + ') + + allow $1 afs_cache_t:file {read write}; +') + + +######################################## +## +## Execute afs server in the afs domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`afs_initrc_domtrans',` + gen_require(` + type afs_initrc_exec_t; + ') + + init_script_domtrans_spec($1,afs_initrc_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an afs environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the afs domain. 
+## +## +## +# +interface(`afs_admin',` + gen_require(` + type afs_t; + type afs_initrc_exec_t; + ') + + allow $1 afs_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, afs_t, afs_t) + + # Allow afs_t to restart the apache service + afs_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 afs_initrc_exec_t system_r; + allow $2 system_r; + +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.12/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/afs.te 2009-04-07 16:01:44.000000000 -0400 @@ -6,6 +6,16 @@ # Declarations # +type afs_t; +type afs_exec_t; +init_daemon_domain(afs_t, afs_exec_t) + +type afs_initrc_exec_t; +init_script_file(afs_initrc_exec_t) + +type afs_cache_t; +files_type(afs_cache_t) + type afs_bosserver_t; type afs_bosserver_exec_t; init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) 
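Review bot: In `afs_admin` the comment `# Allow afs_t to restart the apache service` is left over from another module; the lines under it let the caller run the afs init script, so it should read `# Allow $1 to start and stop the afs service`. The same interface grants `ptrace` on afs_t to every admin domain, and its description does not mention that. In `afs_rw_cache` the parameter text says "Domain allowed to transition" although the rule only allows read and write on afs_cache_t files; "Domain allowed access" would match. `afs_initrc_domtrans` is summarised as executing the afs server, while the rule transitions through afs_initrc_exec_t, i.e. the init script.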
@@ -302,3 +312,46 @@ sysnet_read_config(afs_vlserver_t) userdom_dontaudit_use_user_terminals(afs_vlserver_t) + +######################################## +# +# afs local policy +# + +allow afs_t self:capability { sys_nice sys_tty_config }; +allow afs_t self:process setsched; +allow afs_t self:udp_socket create_socket_perms; +allow afs_t self:fifo_file rw_file_perms; +allow afs_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(afs_t,afs_cache_t,afs_cache_t) +manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t) +files_var_filetrans(afs_t,afs_cache_t,{file dir}) + +files_mounton_mnt(afs_t) +files_read_etc_files(afs_t) +files_rw_etc_runtime_files(afs_t) + +fs_getattr_xattr_fs(afs_t) +fs_mount_nfs(afs_t) + +kernel_rw_afs_state(afs_t) + +# Init script handling +domain_use_interactive_fds(afs_t) + +corenet_all_recvfrom_unlabeled(afs_t) +corenet_all_recvfrom_netlabel(afs_t) +corenet_tcp_sendrecv_generic_if(afs_t) +corenet_udp_sendrecv_generic_if(afs_t) +corenet_tcp_sendrecv_generic_node(afs_t) +corenet_udp_sendrecv_generic_node(afs_t) +corenet_tcp_sendrecv_all_ports(afs_t) +corenet_udp_sendrecv_all_ports(afs_t) +corenet_udp_bind_generic_node(afs_t) + +miscfiles_read_localization(afs_t) + +logging_send_syslog_msg(afs_t) + +permissive afs_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-04-07 16:01:44.000000000 -0400 
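Review bot: `permissive afs_t;` at the end of the new local policy means none of the rules above it are enforced for afs_t; denials are logged and the access is allowed anyway. That is a sensible state while the domain is being developed, but the line should carry a comment that says so and names the condition for removing it, e.g. `# TODO: drop once afsd runs without AVC denials`. The network rules are also wide (`corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`); if the ports afsd needs are known, they could be narrowed before the domain goes enforcing.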
@@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) -/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) +/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -22,6 +23,7 @@ /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) 
@@ -32,12 +34,17 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') +/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) @@ -47,6 +54,7 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
@@ -50,8 +58,10 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) +/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) 
@@ -64,11 +74,28 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +#Bugzilla file context +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) +#viewvc file context +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-07 16:01:44.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` gen_require(` - attribute httpdcontent; attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') - # allow write access to public file transfer - # services files. - gen_tunable(allow_httpd_$1_script_anon_write, false) - #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable + type httpd_$1_content_t; files_type(httpd_$1_content_t) # This type is used for .htaccess files - type httpd_$1_htaccess_t; # customizable; + type httpd_$1_htaccess_t; files_type(httpd_$1_htaccess_t) # Type that CGI scripts run as 
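Review bot: The entry `/usr/share/bugzilla(/.*)? --` labels every regular file under /usr/share/bugzilla as `httpd_bugzilla_script_exec_t`, so templates, static assets and configuration all become script entry points rather than only the CGI programs. Consider defaulting regular files to `httpd_bugzilla_content_t` and adding a narrower pattern for the executables; the file names are not visible in this hunk, so the pattern has to be checked against the package layout. The `/var/www/html/[^/]*/cgi-bin(/.*)?` entry also sits under the `#viewvc file context` comment although it is not viewvc-specific, and would read better with its own comment.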
@@ -42,20 +37,22 @@ # The following three are the only areas that # scripts can read, read/write, or append to - type httpd_$1_script_ro_t, httpdcontent; # customizable - files_type(httpd_$1_script_ro_t) + typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - type httpd_$1_script_rw_t, httpdcontent; # customizable - files_type(httpd_$1_script_rw_t) + type httpd_$1_content_rw_t; + files_type(httpd_$1_content_rw_t) + typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; - type httpd_$1_script_ra_t, httpdcontent; # customizable - files_type(httpd_$1_script_ra_t) + type httpd_$1_content_ra_t; + files_type(httpd_$1_content_ra_t) + typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; - allow httpd_t httpd_$1_htaccess_t:file read_file_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; + allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; + allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; 
@@ -65,29 +62,27 @@ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; # Allow the script process to search the cgi directory, and users directory - allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; + allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; + list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) + read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) + read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - - allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; - read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) - read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) + allow 
httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + + manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) @@ -96,6 +91,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) + application_exec_all(httpd_$1_script_t) files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) 
@@ -109,34 +105,21 @@ seutil_dontaudit_search_config(httpd_$1_script_t) - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; - - manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) - can_exec(httpd_$1_script_t, httpdcontent) - ') - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) - - allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) - - allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) - read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) + manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) + + allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + append_files_pattern(httpd_t, 
httpd_$1_content_ra_t, httpd_$1_content_ra_t) + read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) @@ -149,9 +132,13 @@ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; + # apache runs the script: domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) + allow httpd_t httpd_$1_script_exec_t:file read_file_perms; + allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; 
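Review bot: The three rules added at the end of the `httpd_builtin_scripting` block for `httpd_$1_content_t` duplicate the context lines that immediately follow them. After the rename from `httpd_$1_script_ro_t`, `allow httpd_t httpd_$1_content_t:dir list_dir_perms;` and `read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)` now appear twice in a row. The duplicates are harmless to the compiled policy but make the template harder to audit; the added copies can be dropped. The enclosing `apache_content_template` starts and ends outside this hunk.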
@@ -175,50 +162,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_$1_script_t) - corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) - corenet_udp_sendrecv_generic_if(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) - corenet_udp_sendrecv_generic_node(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_$1_script_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled(httpd_$1_script_t) - corenet_all_recvfrom_netlabel(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) - corenet_udp_sendrecv_generic_if(httpd_$1_script_t) - corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) - corenet_udp_sendrecv_generic_node(httpd_$1_script_t) - corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) - corenet_udp_sendrecv_all_ports(httpd_$1_script_t) - corenet_tcp_connect_all_ports(httpd_$1_script_t) - corenet_sendrecv_all_client_packets(httpd_$1_script_t) - - sysnet_read_config(httpd_$1_script_t) - ') - - optional_policy(` - mta_send_mail(httpd_$1_script_t) - ') - - optional_policy(` - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_$1_script_t) - ') - ') - optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) 
@@ -227,10 +170,6 @@ optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) - - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_$1_script_t) - ') ') optional_policy(` @@ -504,6 +443,47 @@ ######################################## ## ## Allow the specified domain to read +## apache tmp files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`apache_read_tmp',` + gen_require(` + type httpd_config_t; + ') + + files_search_tmp($1) + read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) +') + +######################################## +## +## Dontaudit attempts ti write +## apache tmp files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`apache_dontaudit_write_tmp',` + gen_require(` + type httpd_config_t; + ') + + dontaudit $1 httpd_tmp_t:file write; +') + +######################################## +## +## Allow the specified domain to read ## apache configuration files. ## ## @@ -579,7 +559,7 @@ ## ## ## -## The role to be allowed the dmidecode domain. +## The role to be allowed the http_helper domain. ## ## ## @@ -715,6 +695,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## 
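Review bot: Both new interfaces in the `@@ -504,6 +443,47 @@` hunk, `apache_read_tmp` and `apache_dontaudit_write_tmp`, require `type httpd_config_t;` but their rules reference `httpd_tmp_t`, which is never declared in `gen_require`. The require line in each should be `type httpd_tmp_t;`, otherwise a module that calls the interface depends on a type it did not ask for. In the documentation of `apache_dontaudit_write_tmp`, "ti write" should read "to write", and the parameter text "Domain allowed access." should be "Domain to not audit." since the interface grants nothing.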
@@ -782,6 +763,32 @@ ######################################## ## +## Allow the specified domain to delete +## apache system content rw files. +## +## +## +## Domain allowed access. +## +## +## +# +# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr +interface(`apache_delete_sys_content_rw',` + gen_require(` + type httpd_sys_content_rw_t; + ') + + files_search_tmp($1) + delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) + delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) + delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) + delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) + delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) +') + +######################################## +## ## Execute all web scripts in the system ## script domain. ## @@ -791,16 +798,18 @@ ##
## # -# cjp: this interface specifically added to allow -# sysadm_t to run scripts interface(`apache_domtrans_sys_script',` gen_require(` - attribute httpdcontent; type httpd_sys_script_t; + type httpd_sys_content_t; + ') + + tunable_policy(`httpd_enable_cgi',` + domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) + domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) ') ') @@ -859,6 +868,8 @@ ## ## # +# cjp: this is missing the terminal since scripts +# do not output to the terminal interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; @@ -884,7 +895,7 @@ type httpd_squirrelmail_t; ') - allow $1 httpd_squirrelmail_t:file read_file_perms; + read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') ######################################## 
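Review bot: In `apache_domtrans_sys_script` the new `domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)` uses `httpd_sys_script_exec_t`, but the `gen_require` block only lists `httpd_sys_script_t` and `httpd_sys_content_t`. Add the missing type, for example `type httpd_sys_script_t, httpd_sys_script_exec_t;`. The removed `cjp:` comment explained why the interface exists; a one-line replacement such as `# Transition is only available while httpd_enable_cgi is on` would keep that context for callers.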
@@ -1040,3 +1051,160 @@ allow httpd_t $1:process signal; ') + +######################################## +## +## Allow the specified domain to search +## apache bugzilla directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_search_bugzilla_dirs',` + gen_require(` + type httpd_bugzilla_content_t; + ') + + allow $1 httpd_bugzilla_content_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to read and write Apache +## bugzill script unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` + gen_require(` + type httpd_bugzilla_script_t; + ') + + dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') + +######################################## +## +## All of the rules required to administrate an apache environment +## +## +## +## Prefix of the domain. Example, user would be +## the prefix for the uder_t domain. +## +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the apache domain. 
+## +## +## +# +interface(`apache_admin',` + + gen_require(` + type httpd_t, httpd_initrc_exec_t, httpd_config_t; + type httpd_log_t, httpd_modules_t, httpd_lock_t; + type httpd_var_run_t; + attribute httpdcontent; + attribute httpd_script_exec_type; + type httpd_bool_t; + type httpd_php_tmp_t; + type httpd_suexec_tmp_t; + type httpd_tmp_t; + + ') + + allow $1 httpd_t:process { getattr ptrace signal_perms }; + ps_process_pattern($1, httpd_t) + + init_labeled_script_domtrans($1, httpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 httpd_initrc_exec_t system_r; + allow $2 system_r; + + apache_manage_all_content($1) + miscfiles_manage_public_files($1) + + files_search_etc($1) + admin_pattern($1, httpd_config_t) + + logging_search_logs($1) + admin_pattern($1, httpd_log_t) + + admin_pattern($1, httpd_modules_t) + + admin_pattern($1, httpd_lock_t) + files_lock_filetrans($1, httpd_lock_t, file) + + admin_pattern($1, httpd_var_run_t) + files_pid_filetrans($1, httpd_var_run_t, file) + + kernel_search_proc($1) + allow $1 httpd_t:dir list_dir_perms; + ps_process_pattern($1, httpd_t) + read_lnk_files_pattern($1, httpd_t, httpd_t) + + admin_pattern($1, httpdcontent) + admin_pattern($1, httpd_script_exec_type) + + seutil_domtrans_setfiles($1) + + admin_pattern($1, httpd_tmp_t) + admin_pattern($1, httpd_php_tmp_t) + admin_pattern($1, httpd_suexec_tmp_t) + files_tmp_filetrans($1, httpd_tmp_t, { file dir }) + +ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t ) + seutil_setsebool_role_template($1, $3, $2) + allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; + allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; +') +') + +######################################## +## +## Mark content as being readable by standard apache processes +## +## +## +## Domain allowed access. 
+## +## +# +template(`apache_ro_content',` + gen_require(` + attribute httpd_ro_content; + ') + typeattribute $1 httpd_ro_content; +') + +######################################## +## +## Mark content as being read/write by standard apache processes +## +## +## +## Domain allowed access. +## +## +# +template(`apache_rw_content',` + gen_require(` + attribute httpd_rw_content; + ') + typeattribute $1 httpd_rw_content; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-04-07 16:01:44.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # +selinux_genbool(httpd_bool_t) + ## ##
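Review bot: The parameter documentation of `apache_admin` does not match its body: the comment lists a domain prefix first, then the domain, then the role, while the rules use `$1` as the domain (`allow $1 httpd_t:process { getattr ptrace signal_perms };`) and `$2` as the role (`role_transition $2 httpd_initrc_exec_t system_r;`). Only the disabled TODO block treats `$3` as a third argument, so a caller following the documentation would pass a prefix where a domain is expected. Either document two parameters (domain, role) or renumber the body. `ps_process_pattern($1, httpd_t)` is also called twice. `ptrace` on `httpd_t` gives the admin domain access to the server's memory, including any loaded keys, so it is worth confirming that it is needed rather than carried over from another admin interface.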

## Allow Apache to modify public files @@ -30,10 +32,17 @@ ## ##

-## Allow Apache to use mod_auth_pam +## Allow httpd scripts and modules execmem/execstack ##

##
-gen_tunable(allow_httpd_mod_auth_pam, false) +gen_tunable(httpd_execmem, false) + +## +##

+## Allow Apache to communicate with avahi service via dbus +##

+##
+gen_tunable(httpd_dbus_avahi, false) ## ##

@@ -44,6 +53,13 @@ ## ##

+## Allow http daemon to send mail +##

+##
+gen_tunable(httpd_can_sendmail, false) + +## +##

## Allow HTTPD scripts and modules to connect to the network using TCP. ##

##
@@ -108,6 +124,29 @@ ## gen_tunable(httpd_unified, false) +## +##

+## Allow httpd to access nfs file systems +##

+##
+gen_tunable(httpd_use_nfs, false) + +## +##

+## Allow httpd to access cifs file systems +##

+##
+gen_tunable(httpd_use_cifs, false) + +## +##

+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. +##

+##
+gen_tunable(allow_httpd_sys_script_anon_write, false) + +attribute httpd_ro_content; +attribute httpd_rw_content; attribute httpdcontent; attribute httpd_user_content_type; @@ -140,6 +179,9 @@ domain_entry_file(httpd_helper_t, httpd_helper_exec_t) role system_r types httpd_helper_t; +type httpd_initrc_exec_t; +init_script_file(httpd_initrc_exec_t) + type httpd_lock_t; files_lock_file(httpd_lock_t) @@ -180,6 +222,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) +typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable +typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable + type httpd_tmp_t; files_tmp_file(httpd_tmp_t) @@ -187,15 +233,20 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) + ubac_constrained(httpd_user_script_t) +typeattribute httpd_user_content_t httpdcontent; +typeattribute httpd_user_content_rw_t httpdcontent; +typeattribute httpd_user_content_ra_t httpdcontent; + userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -userdom_user_home_content(httpd_user_script_ra_t) -userdom_user_home_content(httpd_user_script_ro_t) -userdom_user_home_content(httpd_user_script_rw_t) +userdom_user_home_content(httpd_user_content_ra_t) +userdom_user_home_content(httpd_user_content_rw_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias httpd_unconfined_content_t; typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; 
@@ -230,7 +281,7 @@ # Apache server local policy # -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; @@ -272,6 +323,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. @@ -283,9 +335,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; -allow httpd_t httpd_sys_content_t:dir list_dir_perms; -read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +allow httpd_t httpd_ro_content:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) +read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -301,6 +353,7 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) +setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) 
@@ -312,6 +365,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) +kernel_search_network_sysctl(httpd_t) corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) @@ -322,6 +376,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) +corenet_udp_bind_generic_node(httpd_t) corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) @@ -335,12 +390,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) +fs_list_inotifyfs(httpd_t) +fs_read_iso9660_files(httpd_t) auth_use_nsswitch(httpd_t) -# execute perl -corecmd_exec_bin(httpd_t) -corecmd_exec_shell(httpd_t) +application_exec_all(httpd_t) domain_use_interactive_fds(httpd_t) @@ -358,6 +413,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file }) libs_read_lib_files(httpd_t) @@ -372,18 +431,33 @@ userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) - tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -ifdef(`TODO', ` # # We need optionals to be able to be within booleans to make this work # +## +##

+## Allow Apache to use mod_auth_pam +##

+##
+gen_tunable(allow_httpd_mod_auth_pam, false) + tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + +## +##

+## Allow Apache to use mod_auth_pam +##

+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` +tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') 
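Review bot: The new boolean `allow_httpd_mod_auth_ntlm_winbind` is declared but never tested: the `tunable_policy` that follows it is conditioned on `allow_httpd_mod_auth_pam`. As written, turning on the PAM boolean also grants `samba_domtrans_winbind_helper(httpd_t)`, and the winbind boolean has no effect. The condition inside the `optional_policy` block should be `allow_httpd_mod_auth_ntlm_winbind`. The description above the new `gen_tunable` also repeats "Allow Apache to use mod_auth_pam" and should describe NTLM/winbind authentication instead.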
@@ -391,20 +465,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') +tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) + corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) + corenet_sendrecv_pop_client_packets(httpd_t) + mta_send_mail(httpd_t) + mta_send_mail(httpd_sys_script_t) +') + tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) corenet_tcp_connect_ftp_port(httpd_t) corenet_tcp_connect_http_port(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) corenet_sendrecv_gopher_client_packets(httpd_t) corenet_sendrecv_ftp_client_packets(httpd_t) corenet_sendrecv_http_client_packets(httpd_t) corenet_sendrecv_http_cache_client_packets(httpd_t) ') +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') + +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` + fs_nfs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) +') + + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) + manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) + manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) + manage_lnk_files_pattern(httpd_t, httpdcontent, 
httpd_sys_content_rw_t) manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) @@ -415,20 +523,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_t) -') - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) +') + tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; @@ -451,6 +567,10 @@ ') optional_policy(` + cvs_read_data(httpd_t) +') + +optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) ') @@ -459,8 +579,13 @@ ') optional_policy(` - kerberos_use(httpd_t) - kerberos_read_kdc_config(httpd_t) + dbus_system_bus_client(httpd_t) + tunable_policy(`httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') +') +optional_policy(` + kerberos_keytab_template(httpd, httpd_t) ') optional_policy(` @@ -468,22 +593,18 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) + mailman_read_data_files(httpd_t) mailman_read_archive(httpd_t) ') optional_policy(` - # Allow httpd to work with mysql mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_t) - ') + mysql_read_config(httpd_t) ') optional_policy(` nagios_read_config(httpd_t) - nagios_domtrans_cgi(httpd_t) ') optional_policy(` 
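Review bot: The `httpd_can_sendmail` block in the `@@ -391,20 +465,54 @@` hunk also grants `corenet_tcp_connect_pop_port(httpd_t)` and `corenet_sendrecv_pop_client_packets(httpd_t)`, which sending mail over SMTP does not need. If POP access is intended (for example for POP-before-SMTP), a comment should say so; otherwise those two lines can be removed so the boolean grants only what its description, "Allow http daemon to send mail", promises. The same block gives `mta_send_mail(httpd_sys_script_t)` without testing `httpd_enable_cgi`, unlike the other script-domain conditionals added in this hunk.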
@@ -493,6 +614,12 @@ openca_kill(httpd_t) ') +tunable_policy(`httpd_execmem',` + allow httpd_t self:process { execmem execstack }; + allow httpd_sys_script_t self:process { execmem execstack }; + allow httpd_suexec_t self:process { execmem execstack }; +') + optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) @@ -500,6 +627,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) + postgresql_tcp_connect(httpd_sys_script_t) ') ') @@ -508,6 +636,7 @@ ') optional_policy(` + files_dontaudit_rw_usr_dirs(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') @@ -535,6 +664,22 @@ userdom_use_user_terminals(httpd_helper_t) +tunable_policy(`httpd_tty_comm',` + userdom_use_user_terminals(httpd_helper_t) +') + +optional_policy(` + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; + domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + + role system_r types httpd_unconfined_script_t; +') + + ######################################## # # Apache PHP script local policy 
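Review bot: One boolean, `httpd_execmem`, turns on both `execmem` and `execstack` for `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t` at once, so enabling it for a single module that needs executable anonymous memory also makes the stack executable in every CGI and suexec process. These two permissions are the memory-protection checks that make injected code harder to run, so I would keep `execstack` out of this block (or behind a second boolean) and scope each `allow` to the domain that needs it. At minimum add a comment such as `# weakens memory protection for the server and all script domains; enable only for code that requires it`.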
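Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is added inside the snmp `optional_policy` block although nothing in it relates to snmp, so the rule exists only when the snmp module is present. As a dontaudit rule it also hides the denial records for httpd trying to write to /usr directories, which are worth seeing when a web application misbehaves. I would move it next to the other `files_*` calls for `httpd_t` and give it a comment naming the harmless access it is meant to silence.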
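Review bot: The `httpd_unconfined_script_t` block lets `httpd_t` transition into a domain marked `unconfined_domain(...)` for any file labelled `httpd_unconfined_script_exec_t`, and the transition is not behind `httpd_enable_cgi` or any other boolean. Anything that can get that label onto a file the server will execute therefore leaves the Apache confinement entirely, so the rule deserves a boolean of its own and a comment saying who is expected to assign the label. Separately, the `httpd_tty_comm` block repeats `userdom_use_user_terminals(httpd_helper_t)`, which the context line directly above already grants unconditionally, so the boolean changes nothing as written; the unconditional line would have to go for the boolean to have an effect.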
@@ -564,20 +709,25 @@ fs_search_auto_mountpoints(httpd_php_t) +auth_use_nsswitch(httpd_php_t) + libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) -optional_policy(` - mysql_stream_connect(httpd_php_t) +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) + corenet_tcp_connect_mysqld_port(httpd_sys_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mysqld_port(httpd_suexec_t) + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) ') -optional_policy(` - nis_use_ypbind(httpd_php_t) -') optional_policy(` - postgresql_stream_connect(httpd_php_t) + mysql_stream_connect(httpd_php_t) + mysql_read_config(httpd_php_t) ') ######################################## @@ -595,23 +745,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -allow httpd_suexec_t httpd_t:fifo_file getattr; +allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) dev_read_urand(httpd_suexec_t) +fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) -# for shell scripts -corecmd_exec_bin(httpd_suexec_t) -corecmd_exec_shell(httpd_suexec_t) +application_exec_all(httpd_suexec_t) files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) 
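Review bot: The `httpd_can_network_connect_db` block is added among the `httpd_php_t` rules, but its six lines grant the mysqld port to `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t` and nothing to `httpd_php_t`. It would be easier to audit next to the postgresql half of the same boolean (hunk `@@ -500,6 +627,7 @@`), with a comment such as `# database access over TCP for the server, CGI scripts and suexec`. The hunk also removes `postgresql_stream_connect(httpd_php_t)` with no replacement visible here; confirm that is intended.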
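Review bot: `application_exec_all(httpd_suexec_t)` replaces the two narrower calls `corecmd_exec_bin` and `corecmd_exec_shell`, and by its name it lets suexec run every application executable type in its own domain; its definition is not in this diff, so whether it still covers what the removed comment `# for shell scripts` referred to needs checking. `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` likewise allows scripts to run inside `httpd_suexec_t` rather than after a transition to `httpd_sys_script_t`. suexec is the process that switches user for CGI, so I would keep its execute rights enumerated and put a comment on each line stating which program needs it. The change from `getattr` to `read_fifo_file_perms` on `httpd_t:fifo_file` is a widening too and has no explanation.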
@@ -624,6 +775,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) +miscfiles_read_public_files(httpd_suexec_t) tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; @@ -641,12 +793,20 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t) +read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ') - -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_suexec_t) +tunable_policy(`httpd_enable_cgi',` + domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -672,15 +832,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') -optional_policy(` - nagios_domtrans_cgi(httpd_suexec_t) -') - ######################################## # # Apache system script local policy # +auth_use_nsswitch(httpd_sys_script_t) + +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; 
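Review bot: In `domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)` the second argument is a domain, whereas the other `domtrans_pattern` calls in this patch pass a file type or file attribute there (for example `httpd_unconfined_script_exec_t` or `httpdcontent`); it should presumably read `domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)`. The hunk also adds `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` outside any `tunable_policy`; if that interface grants `entrypoint`, as its name suggests, plain content files become valid entry points for the script domain even with `httpd_unified` off, which makes the conditional `entrypoint` rules beside it redundant. I would move it inside the `httpd_enable_cgi && httpd_unified` block.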
@@ -699,12 +858,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) +sysnet_read_config(httpd_sys_script_t) + ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) + +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) + fs_exec_nfs_files(httpd_sys_script_t) + + fs_manage_nfs_dirs(httpd_suexec_t) + fs_manage_nfs_files(httpd_suexec_t) + fs_manage_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` 
@@ -712,6 +883,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + + corenet_tcp_bind_generic_node(httpd_sys_script_t) + corenet_udp_bind_generic_node(httpd_sys_script_t) + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) + corenet_udp_sendrecv_generic_if(httpd_sys_script_t) + corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) + corenet_udp_sendrecv_generic_node(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + + +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_suexec_t) + fs_manage_cifs_files(httpd_suexec_t) + fs_manage_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) @@ -724,6 +924,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) + mysql_stream_connect(httpd_suexec_t) + mysql_rw_db_sockets(httpd_suexec_t) + mysql_read_config(httpd_suexec_t) ') optional_policy(` @@ -735,6 +939,8 @@ # httpd_rotatelogs local policy # +allow httpd_rotatelogs_t self:capability dac_override; + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) 
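Review bot: The `httpd_use_cifs` block gives `fs_exec_cifs_files` to `httpd_suexec_t` only, while the `httpd_use_nfs` block in the previous hunk gives `fs_exec_nfs_files` to both `httpd_sys_script_t` and `httpd_suexec_t`. Either the CIFS block is missing `fs_exec_cifs_files(httpd_sys_script_t)` or the NFS block grants more than is needed. The two should match, with a comment saying which set is intended, since execute rights on a network share decide whether files dropped there can run in the script domain.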
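Review bot: `allow httpd_rotatelogs_t self:capability dac_override;` lets rotatelogs ignore file ownership and mode bits on everything its type rules reach, and the hunk gives no reason for it. If the cause is a log directory whose ownership does not match the user rotatelogs runs as, fixing that ownership avoids the capability altogether. If it has to stay, put the reason above the line, e.g. `# dac_override: <reason, e.g. log directory not owned by the rotatelogs user>`.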
@@ -754,6 +960,12 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) ') # allow accessing files/dirs below the users home dir 
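Review bot: The six added `manage_*_pattern` lines give `httpd_user_script_t` full manage rights on `httpd_user_content_t` and `httpd_user_content_ra_t` as well as on the `_rw_t` type, which erases the difference between the three labels while `httpd_unified` is on. If `_ra_t` means read/append, as the name suggests, append-only data such as logs become deletable by the scripts that write them. I would keep manage for `httpd_user_content_rw_t` only, or say in a comment that unified mode is meant to collapse the three. No `manage_lnk_files_pattern` line is added here, unlike the parallel `httpd_sys_script_t` block in hunk `@@ -641,12 +793,20 @@`.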
@@ -762,3 +974,66 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') + +#============= bugzilla policy ============== +apache_content_template(bugzilla) + +type httpd_bugzilla_tmp_t; +files_tmp_file(httpd_bugzilla_tmp_t) + +allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; +allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; +allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + +corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) +corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) +corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) +corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) +corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) +corenet_tcp_connect_http_port(httpd_bugzilla_script_t) +corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) +corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + +manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) + +files_search_var_lib(httpd_bugzilla_script_t) + +mta_send_mail(httpd_bugzilla_script_t) + +sysnet_read_config(httpd_bugzilla_script_t) +sysnet_use_ldap(httpd_bugzilla_script_t) + +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') + 
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) +manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) +manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) + +manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) +manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) +manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) + +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; +typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te --- nsaserefpolicy/policy/modules/services/audioentropy.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te 2009-04-14 08:16:44.000000000 -0400 @@ -40,6 +40,9 @@ # and sample rate. dev_write_sound(entropyd_t) +files_read_etc_files(entropyd_t) +files_read_usr_files(entropyd_t) + fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) 
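Review bot: The six `manage_*_pattern(..., httpdcontent, httpd_rw_content)` lines near the end of this hunk are outside any `tunable_policy`, so `httpd_t` and `httpd_sys_script_t` get them whatever `httpd_unified`, `httpd_enable_cgi` or `httpd_builtin_scripting` are set to, whereas the similar rules added earlier in the patch are conditional. `httpd_rw_content` is not defined in the visible part of the diff, and the second argument looks like the containing directory type, so presumably both domains may also add and remove entries in every `httpdcontent` directory; that should be confirmed and either gated or explained in a comment. In the bugzilla block above, the script connects to the http and smtp ports but has `corenet_sendrecv_*_client_packets` lines only for postgresql and mysqld.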
@@ -53,6 +56,11 @@ userdom_dontaudit_search_user_home_dirs(entropyd_t) optional_policy(` + alsa_read_lib(entropyd_t) + alsa_read_rw_config(entropyd_t) +') + +optional_policy(` seutil_sigchld_newrole(entropyd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-07 16:01:44.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) files_unmount_all_file_type_fs(automount_t) +files_manage_non_security_dirs(automount_t) fs_mount_all_fs(automount_t) fs_unmount_all_fs(automount_t) @@ -100,6 +101,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) dev_read_sysfs(automount_t) +dev_rw_autofs(automount_t) # for SSP dev_read_rand(automount_t) dev_read_urand(automount_t) @@ -127,6 +129,7 @@ fs_unmount_autofs(automount_t) fs_mount_autofs(automount_t) fs_manage_autofs_symlinks(automount_t) +fs_read_nfs_files(automount_t) storage_rw_fuse(automount_t) @@ -142,6 +145,7 @@ # Run mount in the mount_t domain. mount_domtrans(automount_t) +mount_signal(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) @@ -155,7 +159,7 @@ ') optional_policy(` - kerberos_read_keytab(automount_t) + kerberos_keytab_template(automount, automount_t) kerberos_read_config(automount_t) kerberos_dontaudit_write_config(automount_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2009-04-07 16:01:44.000000000 -0400 
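Review bot: `files_manage_non_security_dirs(automount_t)` in the automount.te hunk `@@ -71,6 +71,7 @@` is a much wider grant than the mount and unmount interfaces around it: by name it lets automount create and remove directories of every non-security type, not only mount points. A comment with the reason, e.g. `# automount creates and removes mount point directories on demand`, would help the next reader judge it. If an interface limited to mount point directories exists, it would be the better fit.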
@@ -33,6 +33,7 @@ allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; +files_search_var_lib(avahi_t) manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) @@ -93,6 +94,7 @@ dbus_connect_system_bus(avahi_t) init_dbus_chat_script(avahi_t) + dbus_system_domain(avahi_t, avahi_exec_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.12/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/bind.fc 2009-04-13 10:45:45.000000000 -0400 @@ -1,17 +1,22 @@ /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) + /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ifdef(`distro_debian',` /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) 
@@ -40,8 +45,12 @@ /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/proc(/.*)? <> /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.12/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/bind.if 2009-04-07 16:01:44.000000000 -0400 @@ -38,6 +38,42 @@ ######################################## ## +## Send signulls to BIND. +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_signull',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process signull; +') + +######################################## +## +## Send BIND the kill signal +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_kill',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process sigkill; +') + +######################################## +## ## Execute ndc in the ndc domain, and ## allow the specified role the ndc domain. ## 
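Review bot: In `/var/named/chroot/etc/named\.rfc1912.zones` the dot before `zones` is not escaped, unlike the other dots on the added lines, so it matches any character; it should be `named\.rfc1912\.zones`. The removed catch-all `/var/named/chroot/etc(/.*)?` means other files in the chroot's etc directory now fall back to the `/var/named/chroot(/.*)?` entry, which carries the same `named_conf_t` label, so the four new per-file lines do not change any label as far as this hunk shows. If the intent was to stop labelling the rest of that directory as configuration, the parent entry needs changing as well.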
@@ -251,6 +287,25 @@ ######################################## ## +## Execute bind server in the bind domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`bind_initrc_domtrans',` + gen_require(` + type bind_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, bind_initrc_exec_t) +') + +######################################## +## ## All of the rules required to administrate ## an bind environment ## @@ -269,7 +324,7 @@ interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; - type named_conf_t, named_var_run_t; + type named_conf_t, named_var_lib_t, named_var_run_t; type named_cache_t, named_zone_t; type dnssec_t, ndc_t; type named_initrc_exec_t; @@ -283,6 +338,7 @@ bind_run_ndc($1, $2) + bind_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 named_initrc_exec_t system_r; allow $2 system_r; @@ -300,6 +356,9 @@ admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) + files_list_var_lib($1) + admin_pattern($1, named_var_lib_t) + files_list_pids($1) admin_pattern($1, named_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.12/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/bind.te 2009-04-07 16:01:44.000000000 -0400 @@ -123,6 +123,7 @@ corenet_sendrecv_dns_client_packets(named_t) corenet_sendrecv_rndc_server_packets(named_t) corenet_sendrecv_rndc_client_packets(named_t) +corenet_dontaudit_udp_bind_all_reserved_ports(named_t) corenet_udp_bind_all_unreserved_ports(named_t) dev_read_sysfs(named_t) @@ -169,7 +170,7 @@ ') optional_policy(` - kerberos_use(named_t) + kerberos_keytab_template(named, named_t) ') optional_policy(` 
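Review bot: `bind_initrc_domtrans` requires `type bind_initrc_exec_t;`, but the init script type used everywhere else in this patch is `named_initrc_exec_t` (bind.fc labels `/etc/rc\.d/init\.d/named` with it and `bind_admin` requires it). Unless `bind_initrc_exec_t` is declared in a part of the policy not shown here, the require cannot be satisfied, and `bind_admin`, which now calls `bind_initrc_domtrans($1)`, is affected too. The two lines should read `type named_initrc_exec_t;` and `init_labeled_script_domtrans($1, named_initrc_exec_t)`. The summary `Execute bind server in the bind domain.` would be more accurate as `Execute the BIND init script in the init script domain.`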
@@ -229,6 +230,7 @@ files_search_pids(ndc_t) fs_getattr_xattr_fs(ndc_t) +fs_list_inotifyfs(ndc_t) init_use_fds(ndc_t) init_use_script_ptys(ndc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.12/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/bitlbee.te 2009-04-07 16:01:44.000000000 -0400 @@ -75,6 +75,8 @@ # grant read-only access to the user help files files_read_usr_files(bitlbee_t) +kernel_read_system_state(bitlbee_t) + libs_legacy_use_shared_libs(bitlbee_t) miscfiles_read_localization(bitlbee_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,9 @@ + +/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) +/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) + +/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) + +/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) + +/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.12/policy/modules/services/certmaster.if --- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/certmaster.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,123 @@
+## policy for certmaster
+
+########################################
+##
+## Execute a domain transition to run certmaster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domtrans_pattern($1,certmaster_exec_t,certmaster_t)
+')
+
+#######################################
+##
+## read certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+##
+## Append to certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_cert_dirs($1)
+ miscfiles_manage_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.12/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/certmaster.te 2009-04-07 16:01:44.000000000 -0400
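Review bot: The documentation of `certmaster_admin` was copied from other modules and still says `an snort environment` and `The role to be allowed to manage the syslog domain.`; both should name certmaster: `a certmaster environment` and `The role to be allowed to manage the certmaster domain.` The summary of `certmaster_read_log` starts in lower case (`read certmaster logs.`), unlike the others. `certmaster_admin` also grants `ptrace` on `certmaster_t` to the admin domain, which lets it read the daemon's memory, including any key material held there; a comment confirming that this is intended would be worth adding.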
@@ -0,0 +1,79 @@
+policy_module(certmaster,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# type and domain for certmaster
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+# var/lib files
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+# config files
+type certmaster_etc_rw_t;
+files_config_file(certmaster_etc_rw_t)
+
+# log files
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+# pid files
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file })
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+# network
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_cert_dirs(certmaster_t)
+miscfiles_manage_cert_files(certmaster_t)
+
+permissive certmaster_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.12/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/clamav.fc 2009-04-07 16:01:44.000000000 -0400
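Review bot: `permissive certmaster_t;` on the last line means none of the allow rules above are enforced for the daemon: denials are logged and the access goes ahead. certmaster listens on a TCP port and manages certificate files (`miscfiles_manage_cert_files`), so it is a domain where enforcement matters. If the line is there to collect denials while the policy is new, say so with `# TODO: remove once the policy has been tested in enforcing mode`, and keep it out of a release build. `logging_log_filetrans(certmaster_t,certmaster_var_log_t, file )` covers files only, while certmaster.fc labels a `/var/log/certmaster` directory tree, so the directory case is probably missing.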
@@ -1,20 +1,23 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) +/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) +/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.12/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/clamav.if 2009-04-07 16:01:44.000000000 -0400 
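Review bot: `/var/spool/MailScanner(/.*)?` is labelled `clamd_var_run_t`, the type used for clamd's PID files and sockets, so every domain that may touch clamd's runtime files would presumably get the same access to a whole mail spool tree. A dedicated spool type with only the access clamd needs would keep message content separate from runtime state. The new patterns `/var/run/clamav.*`, `/var/run/clamd.*`, `/var/log/clamav.*` and `/var/log/clamd.*` replace anchored ones and match any path that merely starts with those prefixes; the earlier `(/.*)?` and `\..*` forms were narrower.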
@@ -38,6 +38,27 @@ ######################################## ## +## Allow the specified domain to append +## to clamav log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_append_log',` + gen_require(` + type clamav_log_t; + ') + + logging_search_logs($1) + allow $1 clamav_log_t:dir list_dir_perms; + append_files_pattern($1, clamav_log_t, clamav_log_t) +') + +######################################## +## ## Read clamav configuration files. ## ## 
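Review bot: `clamav_append_log` requires and uses `clamav_log_t`, but the log types that appear elsewhere in this patch are `clamd_var_log_t` and `freshclam_var_log_t` (clamav.fc and the `clamav_admin` require block). Unless `clamav_log_t` is declared somewhere not shown, the `gen_require` cannot be met and callers of the interface get nothing. The require should presumably be `type clamd_var_log_t;`, with `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)` to match.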
@@ -91,3 +112,87 @@ domtrans_pattern($1, clamscan_exec_t, clamscan_t) ') + +######################################## +## +## Execute clamscan without a transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_exec_clamscan',` + gen_require(` + type clamscan_exec_t; + ') + + can_exec($1, clamscan_exec_t) + +') + +######################################## +## +## All of the rules required to administrate +## an clamav environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the clamav domain. +## +## +## +# +interface(`clamav_admin',` + gen_require(` + type clamd_t, clamd_etc_t, clamd_tmp_t; + type clamd_var_log_t, clamd_var_lib_t; + type clamd_var_run_t; + + type clamscan_t, clamscan_tmp_t; + + type freshclam_t, freshclam_var_log_t; + + type clamd_initrc_exec_t; + ') + + allow $1 clamd_t:process { ptrace signal_perms }; + ps_process_pattern($1, clamd_t) + + allow $1 clamscan_t:process { ptrace signal_perms }; + ps_process_pattern($1, clamscan_t) + + allow $1 freshclam_t:process { ptrace signal_perms }; + ps_process_pattern($1, freshclam_t) + + init_labeled_script_domtrans($1, clamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 clamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, clamd_tmp_t) + + files_list_etc($1) + admin_pattern($1, clamd_etc_t) + + logging_list_logs($1) + admin_pattern($1, clamd_var_log_t) + + files_list_var_lib($1) + admin_pattern($1, clamd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, clamd_var_run_t) + + admin_pattern($1, clamscan_tmp_t) + + admin_pattern($1, freshclam_var_log_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/clamav.te 2009-04-07 
16:01:44.000000000 -0400 @@ -13,7 +13,10 @@ # configuration files type clamd_etc_t; -files_type(clamd_etc_t) +files_config_file(clamd_etc_t) + +type clamd_initrc_exec_t; +init_script_file(clamd_initrc_exec_t) # tmp files type clamd_tmp_t; @@ -87,6 +90,9 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) + +corecmd_exec_shell(clamd_t) corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) @@ -97,6 +103,8 @@ corenet_tcp_bind_generic_node(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) corenet_sendrecv_clamd_server_packets(clamd_t) +corenet_tcp_bind_generic_port(clamd_t) +corenet_tcp_connect_generic_port(clamd_t) dev_read_rand(clamd_t) dev_read_urand(clamd_t) @@ -117,6 +125,9 @@ cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) +mta_read_config(clamd_t) +mta_send_mail(clamd_t) + optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) @@ -124,6 +135,10 @@ amavis_create_pid_files(clamd_t) ') +optional_policy(` + exim_read_spool_files(clamd_t) +') + ######################################## # # Freshclam local policy @@ -191,7 +206,7 @@ allow clamscan_t self:fifo_file rw_file_perms; allow clamscan_t self:unix_stream_socket create_stream_socket_perms; allow clamscan_t self:unix_dgram_socket create_socket_perms; -allow clamscan_t self:tcp_socket { listen accept }; +allow clamscan_t self:tcp_socket create_stream_socket_perms; # configuration files allow clamscan_t clamd_etc_t:dir list_dir_perms; 
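Review bot: `corecmd_exec_shell(clamd_t)` (hunk `@@ -87,6 +90,9 @@`) together with `corenet_tcp_bind_generic_port(clamd_t)` and `corenet_tcp_connect_generic_port(clamd_t)` (hunk `@@ -97,6 +103,8 @@`) gives the scanner daemon a shell and network access on ports that have no type of their own. clamd parses untrusted files, so these are exactly the permissions that decide how far a parser bug reaches. Each line needs a comment naming the feature that requires it, e.g. `# <feature> runs a shell command`, and the generic-port pair would be better replaced by the specific port type or put behind a boolean. `mta_send_mail(clamd_t)` in hunk `@@ -117,6 +125,9 @@` deserves the same treatment.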
@@ -207,6 +222,14 @@ manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; +corenet_all_recvfrom_unlabeled(clamscan_t) +corenet_all_recvfrom_netlabel(clamscan_t) +corenet_tcp_sendrecv_generic_if(clamscan_t) +corenet_tcp_sendrecv_generic_node(clamscan_t) +corenet_tcp_sendrecv_all_ports(clamscan_t) +corenet_tcp_sendrecv_clamd_port(clamscan_t) +corenet_tcp_connect_clamd_port(clamscan_t) + kernel_read_kernel_sysctls(clamscan_t) files_read_etc_files(clamscan_t) @@ -221,6 +244,8 @@ clamav_stream_connect(clamscan_t) +mta_send_mail(clamscan_t) + optional_policy(` apache_read_sys_content(clamscan_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.12/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/consolekit.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.12/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/consolekit.if 2009-04-07 16:01:44.000000000 -0400 
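Review bot: The new consolekit.fc entry `/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)` carries the `--` file-type specifier, so it matches regular files only and the `/var/run/ConsoleKit` directory itself is not relabelled by it. consolekit.te in this patch adds `manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)` and a `{ file dir }` pid filetrans, so the directory is expected to carry `consolekit_var_run_t`. Dropping the specifier, as the `/var/log/ConsoleKit(/.*)?` line in the same hunk does, keeps a relabel consistent with the type transition: `/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)`.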
@@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; ') + +######################################## +## +## Read consolekit log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_read_log',` + gen_require(` + type consolekit_log_t; + ') + + files_search_pids($1) + read_files_pattern($1, consolekit_log_t, consolekit_log_t) +') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-15 07:59:08.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) +type consolekit_log_t; +files_pid_file(consolekit_log_t) + ######################################## # # consolekit local policy 
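Review bot: `consolekit_read_log` calls `files_search_pids($1)` before its `read_files_pattern`, but the file contexts added in this patch put `consolekit_log_t` under `/var/log/ConsoleKit`, so the caller needs search on the log directory rather than on the pid directory. Replace the line with `logging_search_logs($1)`, the call `cups_append_log` uses for the same purpose in cups.if. As written, a caller with no other access to the log directory would presumably be denied at the directory search even though the file read itself is allowed.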
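Review bot: In consolekit.te, `consolekit_log_t` is declared with `files_pid_file(consolekit_log_t)`, which classifies a log type as a pid file. Rules written against all pid files would then reach ConsoleKit's logs, and rules written against all log files would miss them. The declaration should be `logging_log_file(consolekit_log_t)`, which matches the `logging_log_filetrans(consolekit_t, consolekit_log_t, file)` call added further down in the same file.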
@@ -24,20 +27,27 @@ allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; +manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +logging_log_filetrans(consolekit_t, consolekit_log_t, file) + +manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) +files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) kernel_read_system_state(consolekit_t) corecmd_exec_bin(consolekit_t) +corecmd_exec_shell(consolekit_t) dev_read_urand(consolekit_t) dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) +domain_dontaudit_ptrace_all_domains(consolekit_t) files_read_etc_files(consolekit_t) +files_read_usr_files(consolekit_t) # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) @@ -47,13 +57,35 @@ auth_use_nsswitch(consolekit_t) +init_telinit(consolekit_t) +init_rw_utmp(consolekit_t) +init_chat(consolekit_t) + +logging_send_syslog_msg(consolekit_t) + miscfiles_read_localization(consolekit_t) +# consolekit needs to be able to ptrace all logged in users +userdom_ptrace_all_users(consolekit_t) +userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_read_user_tmp_files(consolekit_t) + +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) + optional_policy(` - dbus_system_bus_client(consolekit_t) - dbus_connect_system_bus(consolekit_t) + cron_read_system_job_lib_files(consolekit_t) +') +optional_policy(` + dbus_system_domain(consolekit_t, consolekit_exec_t) + optional_policy(` hal_dbus_chat(consolekit_t) + ') + + optional_policy(` + rpm_dbus_chat(consolekit_t) + ') optional_policy(` unconfined_dbus_chat(consolekit_t) 
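Review bot: The `@@ -47,13 +57,35 @@` hunk gives `consolekit_t` `userdom_ptrace_all_users`, `hal_ptrace` and `mcs_ptrace_all`, and the only rationale is the comment `# consolekit needs to be able to ptrace all logged in users`, which restates the rule instead of naming the operation that triggers the check. A system daemon with ptrace over every user session is a significant grant, so the comment should record what ConsoleKit actually does to those processes, so that a later reviewer can judge whether a narrower permission would do. The first hunk also adds `domain_dontaudit_ptrace_all_domains(consolekit_t)`, which hides the same kind of denial for all other domains; the allow and the dontaudit should be explained together. `xserver_ptrace_xdm` and `unconfined_ptrace` in the next consolekit.te hunk raise the same question.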
@@ -61,6 +93,32 @@ ') optional_policy(` + polkit_domtrans_auth(consolekit_t) + polkit_read_lib(consolekit_t) + polkit_read_reload(consolekit_t) +') + +optional_policy(` + xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_stream_connect(consolekit_t) + xserver_ptrace_xdm(consolekit_t) + xserver_common_app(consolekit_t) +') + +optional_policy(` + #reading .Xauthity + unconfined_ptrace(consolekit_t) + unconfined_stream_connect(consolekit_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_list_nfs(consolekit_t) + fs_dontaudit_rw_nfs_files(consolekit_t) ') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_list_cifs(consolekit_t) + fs_dontaudit_rw_cifs_files(consolekit_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.12/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/courier.if 2009-04-07 16:01:44.000000000 -0400 @@ -179,6 +179,24 @@ ######################################## ## +## Read courier spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`courier_read_spool',` + gen_require(` + type courier_spool_t; + ') + + read_files_pattern($1, courier_spool_t, courier_spool_t) +') + +######################################## +## ## Read and write to courier spool pipes. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.12/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/courier.te 2009-04-07 16:01:44.000000000 -0400 
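Review bot: The comment `#reading .Xauthity` sits above `unconfined_ptrace(consolekit_t)` and `unconfined_stream_connect(consolekit_t)`, neither of which reads a file, and the file name is misspelled. It appears to belong to `xserver_read_user_xauth(consolekit_t)` in the preceding block; suggest moving it there as `# reading .Xauthority` and giving the unconfined block its own comment that says why ptrace of unconfined processes is needed.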
@@ -10,6 +10,7 @@ type courier_etc_t; files_config_file(courier_etc_t) +mta_system_content(courier_etc_t) courier_domain_template(pcp) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -17,9 +18,9 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/at/[^/]* -- <> +/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) 
@@ -41,7 +42,11 @@ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/fcron/[^/]* <> +/var/spool/fcron/.* <> /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-04-07 16:01:44.000000000 -0400 @@ -12,6 +12,10 @@ ## # template(`cron_common_crontab_template',` + gen_require(` + type crond_t, crond_var_run_t; + ') + ############################## # # Declarations 
@@ -31,16 +35,21 @@ # dac_override is to create the file in the directory under /tmp allow $1_t self:capability { fowner setuid setgid chown dac_override }; - allow $1_t self:process signal_perms; + allow $1_t self:process { setsched signal_perms }; + allow $1_t self:fifo_file rw_fifo_file_perms; + + allow $1_t crond_t:process signal; + allow $1_t crond_var_run_t:file read_file_perms; allow $1_t $1_tmp_t:file manage_file_perms; files_tmp_filetrans($1_t,$1_tmp_t,file) # create files in /var/spool/cron # cjp: change this to a role transition + manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t) manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) - files_search_spool($1_t) + files_list_spool($1_t) # crontab signals crond by updating the mtime on the spooldir allow $1_t cron_spool_t:dir setattr; @@ -55,9 +64,16 @@ domain_use_interactive_fds($1_t) files_read_etc_files($1_t) + files_read_usr_files($1_t) files_dontaudit_search_pids($1_t) logging_send_syslog_msg($1_t) + logging_send_audit_msgs($1_t) + logging_set_loginuid($1_t) + auth_domtrans_chk_passwd($1_t) + + init_dontaudit_write_utmp($1_t) + init_read_utmp($1_t) miscfiles_read_localization($1_t) 
@@ -147,26 +163,26 @@ # interface(`cron_unconfined_role',` gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; + type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; ') - role $1 types { unconfined_cronjob_t crontab_t }; + role $1 types { unconfined_cronjob_t admin_crontab_t }; # cronjob shows up in user ps ps_process_pattern($2, unconfined_cronjob_t) # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) + domtrans_pattern($2, crontab_exec_t, admin_crontab_t) # crontab shows up in user ps - ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; + ps_process_pattern($2, admin_crontab_t) + allow $2 admin_crontab_t:process signal; # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) + #corecmd_bin_domtrans(admin_crontab_t, $2) + #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) optional_policy(` gen_require(` @@ -261,10 +277,12 @@ allow $1 system_cronjob_t:fifo_file rw_file_perms; allow $1 system_cronjob_t:process sigchld; + domain_auto_trans(crond_t, $2, $1) allow $1 crond_t:fifo_file rw_file_perms; allow $1 crond_t:fd use; allow $1 crond_t:process sigchld; + userdom_dontaudit_list_admin_dir($1) role system_r types $1; ') @@ -343,6 +361,24 @@ ######################################## ## +## Allow read/write unix stream sockets from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_system_stream_sockets',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:unix_stream_socket { read write }; +') + +######################################## +## ## Read and write a cron daemon unnamed pipe. ## ## 
@@ -361,7 +397,7 @@ ######################################## ## -## Read, and write cron daemon TCP sockets. +## Dontaudit Read, and write cron daemon TCP sockets. ## ## ## @@ -369,7 +405,7 @@ ## ## # -interface(`cron_rw_tcp_sockets',` +interface(`cron_dontaudit_rw_tcp_sockets',` gen_require(` type crond_t; ') @@ -416,6 +452,42 @@ ######################################## ## +## Execute cron in the cron system domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_domtrans',` + gen_require(` + type system_cronjob_t, crond_exec_t; + ') + + domtrans_pattern($1,crond_exec_t,system_cronjob_t) +') + +######################################## +## +## Execute crond_exec_t +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_exec',` + gen_require(` + type crond_exec_t; + ') + + can_exec($1,crond_exec_t) +') + +######################################## +## ## Inherit and use a file descriptor ## from system cron jobs. ## @@ -481,11 +553,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` - type system_cronjob_tmp_t; + type system_cronjob_tmp_t, cron_var_run_t; ') files_search_tmp($1) allow $1 system_cronjob_tmp_t:file read_file_perms; + + files_search_pids($1) + allow $1 cron_var_run_t:file read_file_perms; ') ######################################## 
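Review bot: The `@@ -361,7 +397,7 @@` and `@@ -369,7 +405,7 @@` hunks rename `cron_rw_tcp_sockets` to `cron_dontaudit_rw_tcp_sockets` and touch only the summary and the interface line; the rule body lies outside both hunks, so it cannot be confirmed from here that it is a `dontaudit` rule. If it is, the rename corrects a misleading name, but any module still calling the old name will fail to build, and the parameter text should then read "Domain to not audit." rather than "Domain allowed access.". The summary would read more clearly as `## Do not audit attempts to read and write cron daemon TCP sockets.`.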
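Review bot: `cron_domtrans` in the `@@ -416,6 +452,42 @@` hunk is summarised as "Execute cron in the cron system domain", yet `domtrans_pattern($1,crond_exec_t,system_cronjob_t)` moves the caller from the daemon's binary into the job domain, not into the daemon domain. A caller choosing the interface by name would expect to end up in `crond_t`. State the target in the summary, for example `## Execute the cron daemon binary with a domain transition to system_cronjob_t.`, and add a line on why the daemon binary is an entry point for that domain.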
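Review bot: `cron_read_system_job_tmp_files` in the `@@ -481,11 +553,14 @@` hunk now also grants `read_file_perms` on `cron_var_run_t`, so every existing caller gains access to a second type that neither the interface name nor its summary mentions. Either move the two added lines into a separate interface named for pid files, or extend the summary (which is outside the hunk) to say that pid files are included.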
@@ -506,3 +581,101 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') + + +######################################## +## +## Do not audit attempts to write temporary +## files from the system cron jobs. +## +## +## +## Domain to not audit. +## +## +# +interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + type cron_var_run_t; + type system_cronjob_var_run_t; + ') + + dontaudit $1 system_cronjob_tmp_t:file write_file_perms; + dontaudit $1 cron_var_run_t:file write_file_perms; + ') + +######################################## +## +## Read temporary files from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_read_system_job_lib_files',` + gen_require(` + type system_cronjob_var_lib_t; + ') + + + read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + +######################################## +## +## Manage files from the system cron jobs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_manage_system_job_lib_files',` + gen_require(` + type system_cronjob_var_lib_t; + ') + + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + +######################################## +## +## Manage pid files used by cron +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_manage_pid_files',` + gen_require(` + type crond_var_run_t; + ') + + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') + +######################################## +## +## Execute crond server in the nscd domain. +## +## +## +## The type of the process performing this action. 
+## +## +# +interface(`cron_initrc_domtrans',` + gen_require(` + type crond_initrc_exec_t; +') + + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) +# var/lib files +type cron_var_run_t; +files_type(cron_var_run_t) + # var/log files type cron_log_t; logging_log_file(cron_log_t) @@ -56,8 +60,13 @@ domain_interactive_fd(crond_t) domain_cron_exemption_source(crond_t) +type crond_initrc_exec_t; +init_script_file(crond_initrc_exec_t) + type crond_tmp_t; files_tmp_file(crond_tmp_t) +files_poly_parent(crond_tmp_t) +mta_system_content(crond_tmp_t) type crond_var_run_t; files_pid_file(crond_var_run_t) @@ -74,6 +83,7 @@ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) 
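Review bot: Several headers in the `@@ -506,3 +581,101 @@` cron.if hunk were copied without being adapted: `cron_read_system_job_lib_files` is summarised as "Read temporary files from the system cron jobs" and `cron_initrc_domtrans` as "Execute crond server in the nscd domain". Suggested replacements are `## Read lib files from the system cron jobs.` and `## Execute the crond init script with a domain transition.`. In the same hunk `cron_dontaudit_write_system_job_tmp_files` requires `system_cronjob_var_run_t` but has no rule for it, while it does silence writes to `cron_var_run_t`, which its summary omits; drop the unused `type system_cronjob_var_run_t;` or add the matching `dontaudit` line, and mention pid files in the summary.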
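Review bot: In cron.te, `cron_var_run_t` is introduced under the comment `# var/lib files` and declared with `files_type(cron_var_run_t)`, but the rest of the patch treats it as a pid file: `files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)` later in this file and `files_search_pids($1)` in `cron_read_system_job_tmp_files`. Declare it as `files_pid_file(cron_var_run_t)` under `# var/run files`, the way `system_cronjob_var_run_t` is declared in the `@@ -98,11 +108,18 @@` hunk, so that rules written against all pid files include it.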
@@ -98,11 +108,18 @@ # Type of user crontabs once moved to cron spool. type user_cron_spool_t, cron_spool_type; -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t }; +typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) +type system_cronjob_var_lib_t; +files_type(system_cronjob_var_lib_t) +typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) + ######################################## # # Admin crontab local policy @@ -130,7 +147,7 @@ # Cron daemon local policy # -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; 
@@ -146,22 +163,23 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; -allow crond_t crond_var_run_t:file manage_file_perms; +manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) files_pid_filetrans(crond_t,crond_var_run_t,file) -allow crond_t cron_spool_t:dir rw_dir_perms; -allow crond_t cron_spool_t:file read_file_perms; +manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) -allow crond_t system_cron_spool_t:dir list_dir_perms; -allow crond_t system_cron_spool_t:file read_file_perms; +list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) kernel_read_kernel_sysctls(crond_t) +kernel_read_fs_sysctls(crond_t) kernel_search_key(crond_t) +dev_read_kmsg(crond_t) dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) selinux_validate_context(crond_t) @@ -174,6 +192,7 @@ fs_getattr_all_fs(crond_t) fs_search_auto_mountpoints(crond_t) +fs_list_inotifyfs(crond_t) # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) @@ -183,7 +202,11 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) +domain_subj_id_change_exemption(crond_t) +domain_role_change_exemption(crond_t) +files_read_usr_files(crond_t) +files_read_etc_runtime_files(crond_t) files_read_etc_files(crond_t) files_read_generic_spool(crond_t) files_list_usr(crond_t) @@ -192,10 +215,15 @@ files_search_default(crond_t) init_rw_utmp(crond_t) +init_spec_domtrans_script(crond_t) auth_use_nsswitch(crond_t) +logging_send_audit_msgs(crond_t) logging_send_syslog_msg(crond_t) +logging_set_loginuid(crond_t) + +rpc_search_nfs_state_data(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) 
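Review bot: The first cron.te hunk on this line replaces `allow crond_t cron_spool_t:file read_file_perms;` with `manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)`, turning the daemon's read-only view of the spool into create, write and unlink. crond runs what it finds in the spool, so giving the daemon itself write access removes a separation the old rules kept. If the write access is needed only for fcron, the existing `fcron_crond` tunable blocks in this file are the natural place for it; otherwise add a comment naming the file crond has to create there.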
@@ -208,6 +236,7 @@ userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) +mta_system_content(cron_spool_t) ifdef(`distro_debian',` # pam_limits is used @@ -227,21 +256,44 @@ ') ') +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + +optional_policy(` + apache_search_sys_content(crond_t) +') + optional_policy(` locallogin_search_keys(crond_t) locallogin_link_keys(crond_t) ') +optional_policy(` + # these should probably be unconfined_crond_t + init_dbus_send_script(crond_t) +') + +optional_policy(` + mono_domtrans(crond_t) +') + tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; ') optional_policy(` + amanda_search_var_lib(crond_t) +') + +optional_policy(` amavis_search_lib(crond_t) ') optional_policy(` - hal_dbus_send(crond_t) + hal_dbus_chat(crond_t) + hal_write_log(crond_t) + hal_dbus_chat(system_cronjob_t) ') optional_policy(` @@ -268,8 +320,8 @@ # System cron process domain # -allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; -allow system_cronjob_t self:process { signal_perms setsched }; +allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; 
@@ -283,7 +335,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) +allow system_cronjob_t cron_var_run_t:file manage_file_perms; +files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) + allow system_cronjob_t system_cron_spool_t:file read_file_perms; + +# anacron forces the following +allow system_cronjob_t system_cron_spool_t:file { write setattr }; + # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that @@ -303,6 +362,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; +allow crond_t system_cronjob_t:key manage_key_perms; # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; @@ -314,9 +374,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +# var/lib files for system_crond +files_search_var_lib(system_cronjob_t) +manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + # Read from /var/spool/cron. allow system_cronjob_t cron_spool_t:dir list_dir_perms; -allow system_cronjob_t cron_spool_t:file read_file_perms; +allow system_cronjob_t cron_spool_t:file rw_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) @@ -345,6 +409,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) +fs_list_inotifyfs(system_cronjob_t) # quiet other ps operations domain_dontaudit_read_all_domains_state(system_cronjob_t) 
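Review bot: `allow system_cronjob_t system_cron_spool_t:file { write setattr };` is justified only by `# anacron forces the following`, but cron.fc gives `system_cron_spool_t` to `/etc/crontab` and `/etc/cron.d` as well, so every system cron job can now modify the system crontabs. The `@@ -314,9 +374,13 @@` hunk widens `cron_spool_t:file` from `read_file_perms` to `rw_file_perms` in the same way while the comment above it still says `# Read from /var/spool/cron.`. A dedicated type for `/var/spool/anacron`, which this patch labels `system_cron_spool_t`, would confine the write to anacron's own state; failing that, the comments should name exactly which files are written.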
@@ -370,7 +435,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit -init_write_initctl(system_cronjob_t) +init_telinit(system_cronjob_t) +init_spec_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) @@ -378,6 +444,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) +logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) @@ -418,6 +485,10 @@ ') optional_policy(` + dbus_system_bus_client(system_cronjob_t) +') + +optional_policy(` ftp_read_log(system_cronjob_t) ') @@ -428,11 +499,20 @@ ') optional_policy(` + lpd_list_spool(system_cronjob_t) +') + +optional_policy(` + mono_domtrans(system_cronjob_t) +') + +optional_policy(` mrtg_append_create_logs(system_cronjob_t) ') optional_policy(` mta_send_mail(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') optional_policy(` @@ -447,6 +527,7 @@ prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) + prelink_manage_var_lib(system_cronjob_t) ') optional_policy(` @@ -460,8 +541,7 @@ ') optional_policy(` - # cjp: why? - squid_domtrans(system_cronjob_t) + spamassassin_manage_lib_files(system_cronjob_t) ') optional_policy(` 
@@ -469,24 +549,17 @@ ') optional_policy(` + unconfined_dbus_send(crond_t) + unconfined_shell_domtrans(crond_t) + unconfined_domain(crond_t) unconfined_domain(system_cronjob_t) - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) -') - -ifdef(`TODO',` -ifdef(`mta.te', ` -allow system_cronjob_t mail_spool_t:lnk_file read; -allow mta_user_agent system_cronjob_t:fd use; -r_dir_file(system_mail_t, crond_tmp_t) ') -') dnl end TODO ######################################## # # User cronjobs local policy # -allow cronjob_t self:capability dac_override; allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; @@ -570,6 +643,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) +list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) + tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-04-07 16:01:44.000000000 -0400 
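Review bot: `unconfined_domain(crond_t)` in the `@@ -469,24 +549,17 @@` hunk makes the cron daemon itself unconfined whenever the unconfined module is present, which overrides the targeted `crond_t` rules earlier in the file, including this patch's own removal of `audit_control` from its capability set. Before the change only `system_cronjob_t` was unconfined. An earlier hunk carries the comment `# these should probably be unconfined_crond_t`, which suggests a separate domain was intended. Until that exists, add a comment above the three new `crond_t` lines stating what fails without them, or place them under a tunable so a site can keep the daemon confined.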
@@ -5,27 +5,38 @@ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) + +/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) +# keep as separate lines to ensure proper sorting +/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) @@ -33,7 +44,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -43,10 +54,19 @@ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) +/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.12/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/cups.if 2009-04-07 16:01:44.000000000 -0400 
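Review bot: `/usr/lib/cups/backend/cups-pdf` is labelled `cups_pdf_exec_t` only under `/usr/lib`, whereas the other backend and daemon entries this patch adds to cups.fc are written as separate `/usr/lib` and `/usr/lib64` lines. Where the backends are installed under `/usr/lib64`, the file would not receive the label and the `cups_backend(cups_pdf_t, cups_pdf_exec_t)` transition set up in cups.te would not apply, so the backend would not run in `cups_pdf_t`. Add `/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)`.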
@@ -20,6 +20,30 @@ ######################################## ## +## Setup cups to transtion to the cups backend domain +## +## +## +## The type of the process performing this action. +## +## +# +interface(`cups_backend',` + gen_require(` + type cupsd_t; + ') + + domtrans_pattern(cupsd_t, $2, $1) + + allow cupsd_t $1:process signal; + allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; + + cups_read_config($1) + cups_append_log($1) +') + +######################################## +## ## Connect to cupsd over an unix domain stream socket. ## ## @@ -212,6 +236,25 @@ ######################################## ## +## Append cups log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cups_append_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, cupsd_log_t, cupsd_log_t) +') + +######################################## +## ## Write cups log files. ## ## 
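Review bot: `cups_backend` takes two arguments, `$1` as the backend domain and `$2` as its entry-point file type in `domtrans_pattern(cupsd_t, $2, $1)`, but as far as the header shows it documents a single parameter as "The type of the process performing this action", which describes neither. Document both, for example "Domain in which the backend runs." and "Entry point file type of the backend.". The summary should also say that the interface grants the backend `cups_read_config` and `cups_append_log` and lets `cupsd_t` signal it, and "transtion" should be "transition".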
@@ -247,3 +290,66 @@ files_search_pids($1) stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) ') + +######################################## +## +## All of the rules required to administrate +## an cups environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the cups domain. +## +## +## +# +interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; + type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; + type cupsd_var_run_t, ptal_etc_t; + type ptal_var_run_t, hplip_var_run_t; + type cupsd_initrc_exec_t; + ') + + allow $1 cupsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cupsd_t) + + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cupsd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cupsd_tmp_t) + + admin_pattern($1, cupsd_lpd_tmp_t) + + files_list_etc($1) + admin_pattern($1, cupsd_etc_t) + + admin_pattern($1, ptal_etc_t) + + files_list_spool($1) + admin_pattern($1, cupsd_spool_t) + + logging_list_logs($1) + admin_pattern($1, cupsd_log_t) + + files_list_pids($1) + admin_pattern($1, cupsd_var_run_t) + + admin_pattern($1, ptal_var_run_t) + + admin_pattern($1, cupsd_config_var_run_t) + + admin_pattern($1, cupsd_lpd_var_run_t) + + admin_pattern($1, hplip_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-08 08:57:24.000000000 -0400 
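Review bot: `cups_admin` applies `admin_pattern` to `cupsd_etc_t` but not to `cupsd_rw_etc_t`, which is the label cups.fc gives to `cupsd.conf`, `printers.conf`, `classes.conf` and the certs directory. An administrator confined through this interface therefore could not manage the main CUPS configuration. `cupsd_interface_t` and `cupsd_lock_t`, both new in cups.te, are not covered either. If the omission is deliberate, say so in the summary; otherwise add `type cupsd_rw_etc_t;` to the `gen_require` block and `admin_pattern($1, cupsd_rw_etc_t)` next to the `cupsd_etc_t` line.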
@@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) +type cupsd_initrc_exec_t; +init_script_file(cupsd_initrc_exec_t) + +type cupsd_interface_t; +files_type(cupsd_interface_t) + type cupsd_rw_etc_t; files_config_file(cupsd_rw_etc_t) +type cupsd_lock_t; +files_lock_file(cupsd_lock_t) + type cupsd_log_t; logging_log_file(cupsd_log_t) @@ -48,6 +57,10 @@ type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) +# For CUPS to run as a backend +cups_backend(hplip_t, hplip_exec_t) +domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) type hplip_etc_t; files_config_file(hplip_etc_t) @@ -55,6 +68,9 @@ type hplip_var_run_t; files_pid_file(hplip_var_run_t) +type hplip_tmp_t; +files_tmp_file(hplip_tmp_t) + type ptal_t; type ptal_exec_t; init_daemon_domain(ptal_t, ptal_exec_t) @@ -65,6 +81,16 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) +type cups_pdf_t; +type cups_pdf_exec_t; +domain_type(cups_pdf_t) +domain_entry_file(cups_pdf_t, cups_pdf_exec_t) +cups_backend(cups_pdf_t, cups_pdf_exec_t) +role system_r types cups_pdf_t; + +type cups_pdf_tmp_t; +files_tmp_file(cups_pdf_tmp_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') 
@@ -79,13 +105,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; +allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { setsched signal_perms }; -allow cupsd_t self:fifo_file rw_file_perms; +allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +allow cupsd_t self:fifo_file rw_fifo_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; +allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; @@ -97,6 +124,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) +manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) +can_exec(cupsd_t, cupsd_interface_t) + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) 
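Review bot: `sys_rawio` is added to cupsd_t's capability set with no comment saying which backend needs it, on a line whose existing comment already questions `sys_admin`. This capability covers raw I/O port and raw device access, which is a lot to give a network-facing daemon. Record the requirement next to the rule, e.g. `# sys_rawio: required by <backend>, see <bug reference>`, or move it into the backend domain that needs it. The same set lists `dac_override` twice, which is harmless but could be cleaned up in this edit.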
@@ -104,8 +134,11 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) -allow cupsd_t cupsd_exec_t:dir search; -allow cupsd_t cupsd_exec_t:lnk_file read; +allow cupsd_t cupsd_exec_t:dir search_dir_perms; +allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + +allow cupsd_t cupsd_lock_t:file manage_file_perms; +files_lock_filetrans(cupsd_t, cupsd_lock_t, file) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; @@ -116,13 +149,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) +# This whole section needs to be moved to a smbspool policy +# smbspool seems to be iterating through all existing tmp files. +# Looking for kerberos files +files_getattr_all_tmp_files(cupsd_t) +userdom_read_user_tmp_files(cupsd_t) +files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + allow cupsd_t cupsd_var_run_t:dir setattr; manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - +allow cupsd_t hplip_t:process {signal sigkill }; allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) 
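Review bot: `files_getattr_all_tmp_files(cupsd_t)` and `userdom_read_user_tmp_files(cupsd_t)` in the `-116,13 +149,20` hunk turn what used to be a `dontaudit` (removed later in this patch) into real access for the whole cupsd_t domain. The added comment itself says the section belongs in an smbspool policy, and the stated reason is only that smbspool looks for Kerberos files. Until a separate domain exists, consider wrapping the two grants in a tunable that defaults to off, so sites not printing through Kerberos-authenticated SMB do not let the print daemon read users' temporary files.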
@@ -149,44 +189,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) +corenet_tcp_connect_smbd_port(cupsd_t) corenet_sendrecv_hplip_client_packets(cupsd_t) corenet_sendrecv_ipp_client_packets(cupsd_t) corenet_sendrecv_ipp_server_packets(cupsd_t) +corenet_tcp_bind_all_rpc_ports(cupsd_t) dev_rw_printer(cupsd_t) dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) -dev_read_usbfs(cupsd_t) +dev_rw_input_dev(cupsd_t) #447878 +dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) dev_getattr_printer_dev(cupsd_t) domain_read_all_domains_state(cupsd_t) fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) +fs_read_anon_inodefs_files(cupsd_t) +mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) mls_file_read_all_levels(cupsd_t) +mls_rangetrans_target(cupsd_t) mls_socket_write_all_levels(cupsd_t) term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -auth_domtrans_chk_passwd(cupsd_t) -auth_dontaudit_read_pam_pid(cupsd_t) - # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) domain_use_interactive_fds(cupsd_t) +files_list_spool(cupsd_t) files_read_etc_files(cupsd_t) files_read_etc_runtime_files(cupsd_t) # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma -files_search_var_lib(cupsd_t) +files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) 
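Review bot: `dev_rw_input_dev(cupsd_t) #447878` gives the print daemon read/write access to input devices, justified only by a bare bug number. Say in a comment which device node the backend actually opens, e.g. `# <backend> opens <device>; rhbz #447878`, and check whether a printer-specific or USB device type would be enough. Also in this hunk, `corenet_tcp_connect_smbd_port(cupsd_t)` is redundant next to the existing `corenet_tcp_connect_all_ports(cupsd_t)`, and `corenet_tcp_bind_all_rpc_ports(cupsd_t)` has no explanation either.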
@@ -195,15 +240,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) -# smbspool seems to be iterating through all existing tmp files. -# redhat bug #214953 -# cjp: this might be a broken behavior -files_dontaudit_getattr_all_tmp_files(cupsd_t) selinux_compute_access_vector(cupsd_t) +selinux_validate_context(cupsd_t) init_exec_script_files(cupsd_t) +init_read_utmp(cupsd_t) +auth_domtrans_chk_passwd(cupsd_t) +auth_dontaudit_read_pam_pid(cupsd_t) +auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* @@ -217,17 +263,21 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) +sysnet_exec_ifconfig(cupsd_t) -sysnet_read_config(cupsd_t) - +files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) +lpd_read_config(cupsd_t) +lpd_exec_lpr(cupsd_t) +lpd_relabel_spool(cupsd_t) ifdef(`enable_mls',` - lpd_relabel_spool(cupsd_t) + mls_trusted_object(cupsd_var_run_t) + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) ') optional_policy(` @@ -244,8 +294,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` + avahi_dbus_chat(cupsd_t) + ') + + optional_policy(` hal_dbus_chat(cupsd_t) ') + + optional_policy(` + unconfined_dbus_chat(cupsd_t) + ') ') optional_policy(` @@ -261,6 +319,10 @@ ') optional_policy(` + mta_send_mail(cupsd_t) +') + +optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) @@ -279,7 +341,7 @@ # Cups configuration daemon local policy # -allow cupsd_config_t self:capability { chown sys_tty_config }; +allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; 
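Review bot: In the `-217,17 +263,21` hunk `lpd_relabel_spool(cupsd_t)` moves out of `ifdef(`enable_mls',` and becomes unconditional, so cupsd_t can relabel spool files under every policy type, not just MLS. If only MLS (or MCS) level handling needs relabeling, keep it conditional; otherwise add a comment such as `# relabel spool files for <reason>` so the broader grant is a recorded decision. The patch was produced with `--ignore-all-space`, so confirm the placement against the real file.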
@@ -302,8 +364,10 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms; -allow cupsd_config_t cupsd_tmp_t:file manage_file_perms; -files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir }) +manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -311,7 +375,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) -kernel_read_kernel_sysctls(cupsd_config_t) +kernel_read_all_sysctls(cupsd_config_t) corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) @@ -324,6 +388,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) +dev_rw_generic_usb_dev(cupsd_config_t) fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) @@ -341,13 +406,14 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this -init_getattr_script_files(cupsd_config_t) +init_getattr_all_script_files(cupsd_config_t) auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) +miscfiles_read_hwdata(cupsd_config_t) seutil_dontaudit_search_config(cupsd_config_t) @@ -359,14 +425,16 @@ lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` - init_getattr_script_files(cupsd_config_t) - optional_policy(` rpm_read_db(cupsd_config_t) ') ') optional_policy(` + term_use_generic_ptys(cupsd_config_t) +') + +optional_policy(` cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') @@ -382,6 +450,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) + hal_dontaudit_use_fds(hplip_t) ') optional_policy(` 
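Review bot: `hal_dontaudit_use_fds(hplip_t)` in the `-382,6 +450,7` hunk sits inside the cupsd_config_t local-policy `optional_policy` block, whose other two calls both name `cupsd_config_t`. If the denial being silenced is for hplip_t, move the line to the hplip section so the rule is found where hplip_t is reviewed. If it was meant for the configuration daemon, it should read `hal_dontaudit_use_fds(cupsd_config_t)`. The enclosing block continues outside the hunk.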
@@ -491,7 +560,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; -allow hplip_t cupsd_etc_t:dir search; +allow hplip_t cupsd_etc_t:dir search_dir_perms; +manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) cups_stream_connect(hplip_t) @@ -500,6 +572,13 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) +fs_rw_anon_inodefs_files(hplip_t) + +read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + +manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) + manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) @@ -529,7 +608,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) -dev_read_usbfs(hplip_t) +dev_rw_usbfs(hplip_t) + fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) @@ -553,7 +633,9 @@ userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) -lpd_read_config(cupsd_t) + +lpd_read_config(hplip_t) +lpd_manage_spool(hplip_t) optional_policy(` dbus_system_bus_client(hplip_t) 
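Review bot: hplip_t is given `manage_dirs_pattern`/`manage_files_pattern` on `cupsd_tmp_t` plus `files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })`, although the same patch declares a dedicated `hplip_tmp_t` and uses it only for FIFOs. With a shared type, hplip_t, cupsd_t and cupsd_config_t can each modify or replace the others' temporary files. Unless the files really are exchanged between the daemons, label hplip's temporary files with its own type: `files_tmp_filetrans(hplip_t, hplip_tmp_t, { file dir fifo_file })` with matching `manage_*_pattern` rules on `hplip_tmp_t`. In the `-500,6 +572,13` hunk, the cupsd_t rule `read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)` has been moved into the hplip section, where a reviewer of cupsd_t will not look for it.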
@@ -635,3 +717,49 @@ optional_policy(` udev_read_db(ptal_t) ') + +######################################## +# +# cups_pdf local policy +# + +allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; + +allow cups_pdf_t self:fifo_file rw_file_perms; +allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + +files_read_etc_files(cups_pdf_t) +files_read_usr_files(cups_pdf_t) + +kernel_read_system_state(cups_pdf_t) + +auth_use_nsswitch(cups_pdf_t) + +corecmd_exec_shell(cups_pdf_t) +corecmd_exec_bin(cups_pdf_t) + +miscfiles_read_localization(cups_pdf_t) + +manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) + +userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_manage_user_home_content_dirs(cups_pdf_t) +userdom_manage_user_home_content_files(cups_pdf_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(cups_pdf_t) + fs_manage_nfs_files(cups_pdf_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(cups_pdf_t) + fs_manage_cifs_files(cups_pdf_t) +') + +lpd_manage_spool(cups_pdf_t) + +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +miscfiles_read_fonts(cups_pdf_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-07 16:01:44.000000000 -0400 
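Review bot: `manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` lets the PDF backend create, overwrite and delete cupsd's log files, although `cups_backend(cups_pdf_t, cups_pdf_exec_t)` already gives it `cups_append_log`. This domain runs shell and bin programs and manages user home content, so an append-only log is worth keeping. Drop the `manage_files_pattern` line, or give cups-pdf its own log type if it writes a separate log. For consistency with the cupsd_t change in this patch, `allow cups_pdf_t self:fifo_file rw_file_perms;` should read `allow cups_pdf_t self:fifo_file rw_fifo_file_perms;`.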
@@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.12/policy/modules/services/dbus.fc --- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dbus.fc 2009-04-07 16:01:44.000000000 -0400 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) + /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-21 13:57:58.000000000 -0400 @@ -44,6 +44,7 @@ attribute session_bus_type; type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; + type $1_t; ') ############################## @@ -76,7 +77,7 @@ allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; + allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; 
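Review bot: The dbus.if rule `allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };` (hunk `-76,7 +77,7`) references the attribute `dbusd_unconfined`, but the `gen_require` lines visible in the `-44,6 +44,7` hunk list only `attribute session_bus_type;` and add `type $1_t;`. The block starts outside the hunk, so this may already be covered; if it is not, add `attribute dbusd_unconfined;` there, as the `-185,10 +194,12` hunk does for the system-bus interface. The rule also means any domain carrying that attribute can acquire service names on every per-role session bus, which should be stated in a comment above it.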
@@ -91,7 +92,7 @@ allow $3 $1_dbusd_t:process { sigkill signal }; # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) + corecmd_bin_domtrans($1_dbusd_t, $1_t) allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; @@ -117,6 +118,7 @@ dev_read_urand($1_dbusd_t) domain_use_interactive_fds($1_dbusd_t) + domain_read_all_domains_state($1_dbusd_t) files_read_etc_files($1_dbusd_t) files_list_home($1_dbusd_t) @@ -145,7 +147,10 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) + term_use_all_terms($1_dbusd_t) + userdom_read_user_home_content_files($1_dbusd_t) + userdom_dontaudit_search_admin_dir($1_dbusd_t) ifdef(`hide_broken_symptoms', ` dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; @@ -160,6 +165,10 @@ ') optional_policy(` + gnome_read_gconf_home_files($1_dbusd_t) + ') + + optional_policy(` hal_dbus_chat($1_dbusd_t) ') @@ -185,10 +194,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; + attribute dbusd_unconfined; ') # SE-DBus specific permissions - allow $1 { system_dbusd_t self }:dbus send_msg; + allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) @@ -197,6 +208,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) + + optional_policy(` + rpm_script_dbus_chat($1) + ') ') ####################################### 
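Review bot: The `optional_policy` block added in the `-197,6 +208,10` hunk calls `rpm_script_dbus_chat($1)` from what appears to be the system-bus client interface (its header is outside the hunk). That would give every system bus client D-Bus message exchange with the rpm scriptlet domain, as far as the interface name indicates. Remove it from the shared interface and call `rpm_script_dbus_chat(<domain>)` from the .te file of each domain that needs it. In the `-145,7 +147,10` hunk, `term_use_all_terms($1_dbusd_t)` gives each session bus daemon use of all terminals without a comment explaining why.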
@@ -244,6 +259,35 @@ ######################################## ## +## Chat on user/application specific DBUS. +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`dbus_chat_user_bus',` + gen_require(` + type $1_t; + type $1_dbusd_t; + class dbus send_msg; + ') + + allow $2 $1_dbusd_t:dbus send_msg; + allow $1_dbusd_t $2:dbus send_msg; + allow $2 $1_t:dbus send_msg; + allow $1_t $2:dbus send_msg; +') + +######################################## +## ## Read dbus configuration. ## ## 
@@ -318,3 +362,79 @@ allow $1 system_dbusd_t:dbus *; ') + +######################################## +## +## Allow unconfined access to the system DBUS. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_unconfined',` + gen_require(` + attribute dbusd_unconfined; + ') + + typeattribute $1 dbusd_unconfined; +') + +######################################## +## +## Create a domain for processes +## which can be started by the system dbus +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`dbus_system_domain',` + gen_require(` + type system_dbusd_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(system_dbusd_t, $2, $1) + + dbus_system_bus_client($1) + dbus_connect_system_bus($1) + + ifdef(`hide_broken_symptoms', ` + dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; + '); + + userdom_dontaudit_search_admin_dir($1) +') + +######################################## +## +## Dontaudit Read, and write system dbus TCP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` + gen_require(` + type system_dbusd_t; + ') + + allow $1 system_dbusd_t:tcp_socket { read write }; + allow $1 system_dbusd_t:fd use; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.12/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dbus.te 2009-04-07 16:01:44.000000000 -0400 
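Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is named and documented as a dontaudit, but its body uses `allow`, so each caller gains read/write on system_dbusd_t's TCP sockets and use of its file descriptors instead of just having the denials silenced. The two rules should be `dontaudit $1 system_dbusd_t:tcp_socket { read write };` and `dontaudit $1 system_dbusd_t:fd use;`, and the parameter text should say "Domain to not audit." In `dbus_system_domain` in the same hunk, the `ifdef(`hide_broken_symptoms', ...` block ends with `');`; the trailing semicolon looks unintended.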
@@ -9,14 +9,15 @@ # # Delcarations # - +attribute dbusd_unconfined; attribute session_bus_type; type dbusd_etc_t; -files_type(dbusd_etc_t) +files_config_file(dbusd_etc_t) type dbusd_exec_t; corecmd_executable_file(dbusd_exec_t) +typealias dbusd_exec_t alias system_dbusd_exec_t; type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; @@ -31,11 +32,25 @@ files_tmp_file(system_dbusd_tmp_t) type system_dbusd_var_lib_t; -files_pid_file(system_dbusd_var_lib_t) +files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh) + mls_fd_use_all_levels(system_dbusd_t) + mls_rangetrans_target(system_dbusd_t) + mls_file_read_all_levels(system_dbusd_t) + mls_socket_write_all_levels(system_dbusd_t) + mls_socket_read_to_clearance(system_dbusd_t) + mls_dbus_recv_all_levels(system_dbusd_t) +') + ############################## # # System bus local policy @@ -45,7 +60,7 @@ # cjp: dac_override should probably go in a distro_debian allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; -allow system_dbusd_t self:process { getattr signal_perms setcap }; +allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; 
@@ -53,6 +68,8 @@ # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; +can_exec(system_dbusd_t, dbusd_exec_t) + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) @@ -75,6 +92,8 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) +fs_list_inotifyfs(system_dbusd_t) +fs_dontaudit_list_nfs(system_dbusd_t) selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) @@ -91,9 +110,9 @@ corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) -corecmd_exec_bin(system_dbusd_t) domain_use_interactive_fds(system_dbusd_t) +domain_read_all_domains_state(system_dbusd_t) files_read_etc_files(system_dbusd_t) files_list_home(system_dbusd_t) @@ -101,6 +120,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) +init_bin_domtrans_spec(system_dbusd_t) +init_domtrans_script(system_dbusd_t) logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) 
@@ -128,9 +149,38 @@ ') optional_policy(` + gnome_exec_gconf(system_dbusd_t) +') + +optional_policy(` + networkmanager_initrc_domtrans(system_dbusd_t) +') + +optional_policy(` + polkit_domtrans_auth(system_dbusd_t) + polkit_search_lib(system_dbusd_t) +') + +optional_policy(` sysnet_domtrans_dhcpc(system_dbusd_t) ') optional_policy(` udev_read_db(system_dbusd_t) ') + +optional_policy(` + gen_require(` + type unconfined_dbusd_t; + ') + unconfined_domain(unconfined_dbusd_t) + unconfined_execmem_domtrans(unconfined_dbusd_t) + + optional_policy(` + xserver_rw_shm(unconfined_dbusd_t) + ') +') + +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.12/policy/modules/services/dcc.fc --- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/dcc.fc 2009-04-07 16:01:44.000000000 -0400 @@ -12,6 +12,8 @@ /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) +/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-04-07 16:01:44.000000000 -0400 
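Review bot: The last `optional_policy` block in the dbus.te hunk brings in `unconfined_dbusd_t` with `gen_require` and then applies `unconfined_domain(unconfined_dbusd_t)` and `unconfined_execmem_domtrans(unconfined_dbusd_t)`, so a type declared in another module gets its broadest grant from here. Move the block to the module that declares the type, or at least comment why it lives in dbus.te. The three trailing `allow` rules define what the new `dbusd_unconfined` attribute means and should carry a comment such as `# dbusd_unconfined domains may use all D-Bus permissions on every session bus and on each other`.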
@@ -137,6 +137,7 @@ corenet_all_recvfrom_unlabeled(dcc_client_t) corenet_all_recvfrom_netlabel(dcc_client_t) +corenet_udp_bind_generic_node(dcc_client_t) corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.12/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.fc 2009-04-11 06:40:12.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) +/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + +/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-09 05:23:51.000000000 -0400 
@@ -0,0 +1,197 @@ + +## policy for devicekit + +######################################## +## +## Execute a domain transition to run devicekit. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`devicekit_domtrans',` + gen_require(` + type devicekit_t; + type devicekit_exec_t; + ') + + domtrans_pattern($1,devicekit_exec_t,devicekit_t) +') + + +######################################## +## +## Read devicekit PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_read_pid_files',` + gen_require(` + type devicekit_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + +######################################## +## +## Manage devicekit var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_manage_var_run',` + gen_require(` + type devicekit_var_run_t; + ') + + manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t) + manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) + manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) +') + + +######################################## +## +## Send and receive messages from +## devicekit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_chat',` + gen_require(` + type devicekit_t; + class dbus send_msg; + ') + + allow $1 devicekit_t:dbus send_msg; + allow devicekit_t $1:dbus send_msg; +') + +######################################## +## +## Send signal devicekit power +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_power_signal',` + gen_require(` + type devicekit_power_t; + ') + + allow $1 devicekit_power_t:process signal; +') + +######################################## +## +## Send and receive messages from +## devicekit power over dbus. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`devicekit_power_dbus_chat',` + gen_require(` + type devicekit_power_t; + class dbus send_msg; + ') + + allow $1 devicekit_power_t:dbus send_msg; + allow devicekit_power_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate +## an devicekit environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the devicekit domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`devicekit_admin',` + gen_require(` + type devicekit_t; + ') + + allow $1 devicekit_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, devicekit_t, devicekit_t) + + + devicekit_manage_var_run($1) + +') + +######################################## +## +## Send to devicekit over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dgram_send',` + gen_require(` + type devicekit_t; + ') + + allow $1 devicekit_t:unix_dgram_socket sendto; +') + +######################################## +## +## Send and receive messages from +## devicekit disk over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_disk_dbus_chat',` + gen_require(` + type devicekit_disk_t; + class dbus send_msg; + ') + + allow $1 devicekit_disk_t:dbus send_msg; + allow devicekit_disk_t $1:dbus send_msg; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-13 08:28:53.000000000 -0400 
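Review bot: `devicekit_admin` documents three parameters (domain, role, terminal) but its body uses only `$1`, and `read_files_pattern($1, devicekit_t, devicekit_t)` passes a process domain where a file type is expected. `cups_admin` in this same patch uses `ps_process_pattern($1, cupsd_t)` for the equivalent step, so the line here should probably be `ps_process_pattern($1, devicekit_t)`. Either remove the unused parameter descriptions or add the role rules they imply. The interface also leaves out `devicekit_power_t`, `devicekit_disk_t` and `devicekit_var_lib_t`, so say in the summary whether it is meant to administer only the core daemon.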
@@ -0,0 +1,237 @@ +policy_module(devicekit,1.0.0) + +######################################## +# +# Declarations +# + +type devicekit_t; +type devicekit_exec_t; +dbus_system_domain(devicekit_t, devicekit_exec_t) + +type devicekit_power_t; +type devicekit_power_exec_t; +dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + +type devicekit_disk_t; +type devicekit_disk_exec_t; +dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + +type devicekit_tmp_t; +files_tmp_file(devicekit_tmp_t) + +type devicekit_var_run_t; +files_pid_file(devicekit_var_run_t) + +type devicekit_var_lib_t; +files_type(devicekit_var_lib_t) + +# +# DeviceKit local policy +# +allow devicekit_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) + +dev_read_sysfs(devicekit_t) +dev_read_urand(devicekit_t) + +files_read_etc_files(devicekit_t) + +fs_list_inotifyfs(devicekit_t) + +miscfiles_read_localization(devicekit_t) + +optional_policy(` + dbus_system_bus_client(devicekit_t) +') + +optional_policy(` + udev_read_db(devicekit_t) +') + +# +# DeviceKit-Power local policy +# +allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice }; +allow devicekit_power_t self:fifo_file rw_fifo_file_perms; +allow devicekit_power_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) +files_read_kernel_img(devicekit_power_t) + +corecmd_exec_bin(devicekit_power_t) +corecmd_exec_shell(devicekit_power_t) + +consoletype_exec(devicekit_power_t) + +domain_read_all_domains_state(devicekit_power_t) + +kernel_read_network_state(devicekit_power_t) 
+kernel_read_system_state(devicekit_power_t) +kernel_rw_hotplug_sysctls(devicekit_power_t) +kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t) + +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) +dev_rw_sysfs(devicekit_power_t) + +files_read_etc_files(devicekit_power_t) +files_read_usr_files(devicekit_power_t) + +fs_list_inotifyfs(devicekit_power_t) + +term_use_all_terms(devicekit_power_t) + +auth_use_nsswitch(devicekit_power_t) + +miscfiles_read_localization(devicekit_power_t) + +userdom_read_all_users_state(devicekit_power_t) + +optional_policy(` + hal_domtrans_mac(devicekit_power_t) + hal_create_log(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) + hal_dbus_chat(devicekit_power_t) +') + +optional_policy(` + cron_initrc_domtrans(devicekit_power_t) +') + +optional_policy(` + polkit_domtrans_auth(devicekit_power_t) + polkit_read_lib(devicekit_power_t) + polkit_read_reload(devicekit_power_t) +') + +optional_policy(` + dbus_system_bus_client(devicekit_power_t) + allow devicekit_power_t devicekit_t:dbus send_msg; + allow devicekit_t devicekit_power_t:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat(devicekit_power_t) + ') + + optional_policy(` + networkmanager_dbus_chat(devicekit_power_t) + ') + + optional_policy(` + rpm_dbus_chat(devicekit_power_t) + ') +') + +optional_policy(` + bootloader_domtrans(devicekit_power_t) +') + +optional_policy(` + fstools_domtrans(devicekit_power_t) +') + +optional_policy(` + vbetool_domtrans(devicekit_power_t) +') +# +# DeviceKit disk local policy +# + +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +files_tmp_filetrans(devicekit_disk_t, 
devicekit_tmp_t, { file dir }) + +manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) + +corecmd_exec_bin(devicekit_disk_t) + +dev_rw_sysfs(devicekit_disk_t) +dev_read_urand(devicekit_disk_t) +dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) + +kernel_read_software_raid_state(devicekit_disk_t) +kernel_setsched(devicekit_disk_t) + +files_manage_mnt_dirs(devicekit_disk_t) +files_read_etc_files(devicekit_disk_t) +files_read_etc_runtime_files(devicekit_disk_t) +files_read_usr_files(devicekit_disk_t) +files_manage_isid_type_dirs(devicekit_disk_t) + +fs_list_inotifyfs(devicekit_disk_t) +fs_mount_all_fs(devicekit_disk_t) +fs_unmount_all_fs(devicekit_disk_t) + +storage_raw_read_fixed_disk(devicekit_disk_t) +storage_raw_write_fixed_disk(devicekit_disk_t) +storage_raw_read_removable_device(devicekit_disk_t) +storage_raw_write_removable_device(devicekit_disk_t) + +term_use_all_terms(devicekit_disk_t) + +auth_use_nsswitch(devicekit_disk_t) + +miscfiles_read_localization(devicekit_disk_t) + +userdom_read_all_users_state(devicekit_disk_t) +userdom_search_user_home_dirs(devicekit_disk_t) + +optional_policy(` + fstools_domtrans(devicekit_disk_t) +') + +optional_policy(` + lvm_domtrans(devicekit_disk_t) +') + +optional_policy(` + polkit_domtrans_auth(devicekit_disk_t) + polkit_read_lib(devicekit_disk_t) + polkit_read_reload(devicekit_disk_t) +') + +optional_policy(` + mount_domtrans(devicekit_disk_t) +') + +optional_policy(` + dbus_system_bus_client(devicekit_disk_t) + allow devicekit_disk_t devicekit_t:dbus send_msg; + allow devicekit_t devicekit_disk_t:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat(devicekit_disk_t) + ') +') + +optional_policy(` + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) +') + + +ifdef(`TESTING',` + permissive 
devicekit_t; + permissive devicekit_power_t; + permissive devicekit_disk_t; +',` +optional_policy(` + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) + unconfined_domain(devicekit_disk_t) +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.12/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dhcp.if 2009-04-07 16:01:44.000000000 -0400 @@ -22,6 +22,25 @@ ######################################## ## +## Execute dhcp server in the dhcp domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dhcpd_initrc_domtrans',` + gen_require(` + type dhcpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) +') + +######################################## +## ## All of the rules required to administrate ## an dhcp environment ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.12/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.if 2009-04-07 16:01:44.000000000 -0400 
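Review bot: The closing ifdef at the end of devicekit.te makes devicekit_t, devicekit_power_t and devicekit_disk_t permissive when TESTING is defined and `unconfined_domain(...)` otherwise (whenever the unconfined module is present), so in neither build do the allow rules written above actually constrain the daemons. devicekit_disk_t in particular is given `sys_rawio`, `sys_ptrace` and raw read/write on fixed disks, which is exactly the kind of domain where enforcement matters. If the unconfined fallback is a stop-gap while denials are being collected, record that in a comment directly above the block, for example `# TODO: drop unconfined_domain() once remaining AVC denials are resolved`, and plan to remove the else-branch so the shipped policy enforces what is declared here.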
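Review bot: The summary of `dhcpd_initrc_domtrans` says "Execute dhcp server in the dhcp domain", but the body calls `init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)`, i.e. it lets the caller run the init script through the init-script transition rather than entering the daemon domain directly. A summary such as `## Execute the dhcp server init script in the init script domain.` would describe what is granted; the parameter text could then read "Domain allowed to transition." The doubled `#` line before `interface(` is also a leftover. The same wording appears in the `dnsmasq_initrc_domtrans` hunk of dnsmasq.if that follows.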
@@ -22,6 +22,25 @@ ######################################## ## +## Execute dnsmasq server in the dnsmasq domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`dnsmasq_initrc_domtrans',` + gen_require(` + type dnsmasq_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) +') + +######################################## +## ## Send dnsmasq a signal ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-21 10:30:59.000000000 -0400 @@ -42,8 +42,7 @@ files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) kernel_read_kernel_sysctls(dnsmasq_t) -kernel_list_proc(dnsmasq_t) -kernel_read_proc_symlinks(dnsmasq_t) +kernel_read_system_state(dnsmasq_t) corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) @@ -84,6 +83,14 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) optional_policy(` + cron_manage_pid_files(dnsmasq_t) +') + +optional_policy(` + tftp_read_content(dnsmasq_t) +') + +optional_policy(` seutil_sigchld_newrole(dnsmasq_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.12/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dovecot.fc 2009-04-07 16:01:44.000000000 -0400 @@ -6,6 +6,7 @@ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) +/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) # # /usr 
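Review bot: In the dnsmasq.te hunk at -84,6 the new `cron_manage_pid_files(dnsmasq_t)` gives a network-facing DNS/DHCP daemon create, write and delete access to crond's PID files, and nothing in the hunk says why. If this was added to silence a denial caused by dnsmasq writing its own PID file into a location that carries cron's label, the durable fix is a file-context entry for that path with `dnsmasq_var_run_t` rather than access to another service's runtime files. At minimum add a why-comment above the block, e.g. `# dnsmasq writes <path> which is currently labeled as a cron pid file`, with the path filled in from the observed denial.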
@@ -17,19 +18,22 @@ ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ') ifdef(`distro_redhat', ` /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ') # # /var # /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -# this is a hard link to /var/lib/dovecot/ssl-parameters.dat -/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0) +/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) +/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.12/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dovecot.if 2009-04-07 16:01:44.000000000 -0400 
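Review bot: The second dovecot.fc hunk removes the comment `# this is a hard link to /var/lib/dovecot/ssl-parameters.dat` while keeping the entry that labels a file under /var/run/dovecot/login with `dovecot_var_lib_t`. Without the comment the entry reads like a labeling mistake, and a later cleanup could "correct" it to `dovecot_var_run_t`, leaving the two hard-linked names with conflicting expected contexts. Keep the comment above the entry; the added `--` file specifier is fine as it stands.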
@@ -21,7 +21,46 @@ ######################################## ## -## Do not audit attempts to delete dovecot lib files. +## Connect to dovecot auth unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dovecot_auth_stream_connect',` + gen_require(` + type dovecot_auth_t, dovecot_var_run_t; + ') + + allow $1 dovecot_var_run_t:dir search; + allow $1 dovecot_var_run_t:sock_file write; + allow $1 dovecot_auth_t:unix_stream_socket connectto; +') + +######################################## +## +## Execute dovecot_deliver in the dovecot_deliver domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`dovecot_domtrans_deliver',` + gen_require(` + type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + + domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) +') + +####################################### +## +## Do not audit attempts to d`elete dovecot lib files. ## ## ## 
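Review bot: The re-added summary line at the end of this dovecot.if hunk contains a stray backquote, "attempts to d`elete dovecot lib files", which was not in the line it replaces. A backquote is the m4 opening-quote character in these interface files, so at best the typo ends up in generated interface documentation and at worst it disturbs quote matching, depending on how the file is processed. The line should read `## Do not audit attempts to delete dovecot lib files.` as before. The separator line above it also lost one `#` compared with the other interface headers in the file.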
@@ -36,3 +75,60 @@ dontaudit $1 dovecot_var_lib_t:file unlink; ') + +######################################## +## +## All of the rules required to administrate +## an dovecot environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the dovecot domain. +## +## +## +# +interface(`dovecot_admin',` + gen_require(` + type dovecot_t, dovecot_etc_t, dovecot_log_t; + type dovecot_spool_t, dovecot_var_lib_t; + type dovecot_var_run_t; + + type dovecot_cert_t, dovecot_passwd_t; + type dovecot_initrc_exec_t; + ') + + allow $1 dovecot_t:process { ptrace signal_perms }; + ps_process_pattern($1, dovecot_t) + + init_labeled_script_domtrans($1, dovecot_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dovecot_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, dovecot_etc_t) + + logging_list_logs($1) + admin_pattern($1, dovecot_log_t) + + files_list_spool($1) + admin_pattern($1, dovecot_spool_t) + + files_list_var_lib($1) + admin_pattern($1, dovecot_var_lib_t) + + files_list_pids($1) + admin_pattern($1, dovecot_var_run_t) + + admin_pattern($1, dovecot_cert_t) + + admin_pattern($1, dovecot_passwd_t) +') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.12/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dovecot.te 2009-04-07 16:01:44.000000000 -0400 
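Review bot: `dovecot_admin` requires and administers `dovecot_log_t`, but the dovecot.te part of this patch declares the log type as `dovecot_var_log_t` and dovecot.fc labels /var/log/dovecot\.log.* with that name. Unless `dovecot_log_t` is declared somewhere outside this diff, the `gen_require` cannot be satisfied and any caller of the interface fails to build, or the admin role is simply left without access to the real log files. The require line should read `type dovecot_t, dovecot_etc_t, dovecot_var_log_t;` and the rule `admin_pattern($1, dovecot_var_log_t)`.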
@@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; +type dovecot_deliver_t; +type dovecot_deliver_exec_t; +domain_type(dovecot_deliver_t) +domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) +role system_r types dovecot_deliver_t; + type dovecot_cert_t; files_type(dovecot_cert_t) type dovecot_etc_t; files_config_file(dovecot_etc_t) +type dovecot_initrc_exec_t; +init_script_file(dovecot_initrc_exec_t) + type dovecot_passwd_t; files_type(dovecot_passwd_t) @@ -31,9 +40,15 @@ type dovecot_var_lib_t; files_type(dovecot_var_lib_t) +type dovecot_var_log_t; +logging_log_file(dovecot_var_log_t) + type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) +type dovecot_auth_tmp_t; +files_tmp_file(dovecot_auth_tmp_t) + ######################################## # # dovecot local policy @@ -58,6 +73,10 @@ can_exec(dovecot_t, dovecot_exec_t) +# log files +manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -85,6 +104,7 @@ dev_read_urand(dovecot_t) fs_getattr_all_fs(dovecot_t) +fs_getattr_all_dirs(dovecot_t) fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) @@ -98,7 +118,7 @@ files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) -files_getattr_all_mountpoints(dovecot_t) +files_search_all_mountpoints(dovecot_t) init_getattr_utmp(dovecot_t) @@ -120,7 +140,7 @@ mta_manage_spool(dovecot_t) optional_policy(` - kerberos_use(dovecot_t) + kerberos_keytab_template(dovecot, dovecot_t) ') optional_policy(` 
@@ -140,25 +160,35 @@ # dovecot auth local policy # -allow dovecot_auth_t self:capability { setgid setuid }; +allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; allow dovecot_auth_t self:process signal_perms; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; -allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; +read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) + +manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) # Allow dovecot to create and read SSL parameters file manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) files_search_var_lib(dovecot_t) +files_read_var_symlinks(dovecot_t) allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; +manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) +dovecot_auth_stream_connect(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) +logging_send_audit_msgs(dovecot_auth_t) +logging_send_syslog_msg(dovecot_auth_t) + dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) @@ -167,6 +197,7 @@ files_read_etc_files(dovecot_auth_t) files_read_etc_runtime_files(dovecot_auth_t) files_search_pids(dovecot_auth_t) +files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) 
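Review bot: The capability line for dovecot_auth_t grows from `{ setgid setuid }` to `{ chown dac_override setgid setuid }` with no explanation, and `dac_override` lets the process that handles user credentials ignore file permission bits on everything its type rules reach. If the need comes from creating the auth sockets under dovecot_var_run_t or the new dovecot_auth_tmp_t files with a different owner, say so in a comment above the line, for example `# chown/dac_override: auth sockets and tmp files are created for other users`, adjusted to the real reason. If only ownership changes are required, `chown` alone may be enough and `dac_override` can be left out until a denial shows it is needed.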
@@ -182,5 +213,58 @@ ') optional_policy(` - logging_send_syslog_msg(dovecot_auth_t) + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) ') + +optional_policy(` + nis_authenticate(dovecot_auth_t) +') + +optional_policy(` + postfix_manage_private_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) +') + +# for gssapi (kerberos) +userdom_list_user_tmp(dovecot_auth_t) +userdom_read_user_tmp_files(dovecot_auth_t) +userdom_read_user_tmp_symlinks(dovecot_auth_t) + +######################################## +# +# dovecot deliver local policy +# +allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; + +allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; +allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; + +kernel_read_all_sysctls(dovecot_deliver_t) +kernel_read_system_state(dovecot_deliver_t) + +files_read_etc_files(dovecot_deliver_t) +files_read_etc_runtime_files(dovecot_deliver_t) + +auth_use_nsswitch(dovecot_deliver_t) + +logging_send_syslog_msg(dovecot_deliver_t) + +miscfiles_read_localization(dovecot_deliver_t) + +dovecot_auth_stream_connect(dovecot_deliver_t) + +files_search_tmp(dovecot_deliver_t) +fs_getattr_all_fs(dovecot_deliver_t) + +userdom_manage_user_home_content_dirs(dovecot_deliver_t) +userdom_manage_user_home_content_files(dovecot_deliver_t) +userdom_manage_user_home_content_symlinks(dovecot_deliver_t) +userdom_manage_user_home_content_pipes(dovecot_deliver_t) +userdom_manage_user_home_content_sockets(dovecot_deliver_t) +userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + mta_manage_spool(dovecot_deliver_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.12/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/exim.if 
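Review bot: dovecot_deliver_t is given unconditional manage access to user home content of every class, including `userdom_manage_user_home_content_pipes` and `userdom_manage_user_home_content_sockets`, plus a file transition covering `fifo_file` and `sock_file`. Delivery into a maildir presumably needs directories and regular files; the pipe, socket and symlink grants widen what a process fed with inbound mail can touch in home directories. exim.te in this same patch gates its home-directory access behind the `exim_manage_user_files` boolean, and a matching `gen_tunable` with a `tunable_policy` block here would let sites that deliver to a spool keep this off. Separately, the `# for gssapi (kerberos)` userdom lines for dovecot_auth_t sit outside any optional or tunable block, so they apply even where Kerberos is not used.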
2009-04-07 16:01:44.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## ## +## Allow the specified domain to manage exim's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`exim_manage_log',` + gen_require(` + type exim_log_t; + ') + + manage_files_pattern($1, exim_log_t, exim_log_t) + logging_search_logs($1) +') + +######################################## +## ## Allow the specified domain to append ## exim log files. ## @@ -154,3 +174,23 @@ manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') + +######################################## +## +## Create, read, write, and delete +## exim spool dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_manage_spool_dirs',` + gen_require(` + type exim_spool_t; + ') + + manage_dirs_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-15 08:33:18.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) +## +##

+## Allow exim to connect to databases (postgres, mysql) +##

+##
+gen_tunable(exim_can_connect_db, false) + type exim_t; type exim_exec_t; init_daemon_domain(exim_t, exim_exec_t) +mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_user_agent(exim_t) +application_executable_file(exim_exec_t) +mta_agent_executable(exim_exec_t) type exim_log_t; logging_log_file(exim_log_t) @@ -42,10 +53,12 @@ # exim local policy # -allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; +allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; +allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket create_stream_socket_perms; allow exim_t self:tcp_socket create_stream_socket_perms; +allow exim_t self:udp_socket create_socket_perms; can_exec(exim_t,exim_exec_t) @@ -66,12 +79,15 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) kernel_read_kernel_sysctls(exim_t) - kernel_dontaudit_read_system_state(exim_t) +kernel_read_network_state(exim_t) corecmd_search_bin(exim_t) corenet_all_recvfrom_unlabeled(exim_t) +corenet_all_recvfrom_netlabel(exim_t) +corenet_udp_sendrecv_generic_if(exim_t) +corenet_udp_sendrecv_generic_node(exim_t) corenet_tcp_sendrecv_generic_if(exim_t) corenet_tcp_sendrecv_generic_node(exim_t) corenet_tcp_sendrecv_all_ports(exim_t) @@ -82,6 +98,8 @@ corenet_tcp_connect_smtp_port(exim_t) corenet_tcp_connect_ldap_port(exim_t) corenet_tcp_connect_inetd_child_port(exim_t) +# connect to spamassassin +corenet_tcp_connect_spamd_port(exim_t) dev_read_rand(exim_t) dev_read_urand(exim_t) 
@@ -89,20 +107,27 @@ # Init script handling domain_use_interactive_fds(exim_t) +files_search_usr(exim_t) +files_search_var(exim_t) files_read_etc_files(exim_t) +files_read_etc_runtime_files(exim_t) auth_use_nsswitch(exim_t) logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) +miscfiles_read_certs(exim_t) -sysnet_dns_name_resolve(exim_t) +fs_getattr_xattr_fs(exim_t) +fs_list_inotifyfs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) mta_read_aliases(exim_t) -mta_rw_spool(exim_t) +mta_read_config(exim_t) +mta_manage_spool(exim_t) +mta_mailserver_delivery(exim_t) tunable_policy(`exim_read_user_files',` userdom_read_user_home_content_files(exim_t) 
@@ -114,3 +139,62 @@ userdom_read_user_tmp_files(exim_t) userdom_write_user_tmp_files(exim_t) ') + +tunable_policy(`exim_can_connect_db',` + corenet_tcp_connect_mysqld_port(exim_t) + corenet_sendrecv_mysqld_client_packets(exim_t) + corenet_tcp_connect_postgresql_port(exim_t) + corenet_sendrecv_postgresql_client_packets(exim_t) +') + +optional_policy(` + dovecot_auth_stream_connect(exim_t) +') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` + mysql_stream_connect(exim_t) + ') +') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` + postgresql_stream_connect(exim_t) +') +') + +optional_policy(` + kerberos_keytab_template(exim, exim_t) +') + +optional_policy(` + mailman_read_data_files(exim_t) + mailman_domtrans(exim_t) +') + +optional_policy(` + procmail_domtrans(exim_t) +') + +optional_policy(` + sasl_connect(exim_t) +') + +optional_policy(` + cron_read_pipes(exim_t) + cron_rw_system_job_pipes(exim_t) +') + +optional_policy(` + cyrus_stream_connect(exim_t) +') + +optional_policy(` + clamav_domtrans_clamscan(exim_t) + clamav_stream_connect(exim_t) +') + +optional_policy(` + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.6.12/policy/modules/services/fail2ban.fc --- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-10-08 19:00:27.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/fail2ban.fc 2009-04-13 08:03:31.000000000 -0400 
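Review bot: `spamassassin_exec(exim_t)` and `spamassassin_exec_client(exim_t)` run the spam filter inside exim_t, so the filter inherits exim's capability set (the earlier hunk lists `chown dac_override dac_read_search fowner setuid setgid sys_resource`), whereas clamav two blocks above is entered with `clamav_domtrans_clamscan(exim_t)`. If spamassassin provides a domain-transition interface for its client, using it would keep message-content parsing out of the privileged mail domain; if exec is intentional, add a comment saying why. The closing `')` of the postgresql `tunable_policy` block is also not indented like the mysql block just above it.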
@@ -2,5 +2,9 @@ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) + /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) + + /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.12/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if 2009-04-13 08:04:42.000000000 -0400 @@ -20,6 +20,25 @@ ######################################## ## +## Read fail2ban lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_read_lib_files',` + gen_require(` + type fail2ban_var_lib_t; + ') + + files_search_pids($1) + allow $1 fail2ban_var_lib_t:file read_file_perms; +') + +######################################## +## ## Allow the specified domain to read fail2ban's log files. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-04-13 08:09:29.000000000 -0400 @@ -17,6 +17,9 @@ type fail2ban_log_t; logging_log_file(fail2ban_log_t) +type fail2ban_var_lib_t; +files_type(fail2ban_var_lib_t) + # pid files type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) 
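Review bot: `fail2ban_read_lib_files` in the fail2ban.if hunk calls `files_search_pids($1)`, but the type it grants access to is `fail2ban_var_lib_t`, which fail2ban.fc labels under /var/lib/fail2ban. The caller therefore gets search on the PID directory, which it does not need, and no search on /var/lib, which it does; the line should be `files_search_var_lib($1)`. The interface also grants only file read and no directory permission on `fail2ban_var_lib_t` itself, so `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)` would be the usual form, matching the other read interfaces in this patch.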
@@ -26,6 +29,7 @@ # fail2ban local policy # +allow fail2ban_t self:capability { sys_tty_config }; allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -36,6 +40,10 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) +manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) +manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) +files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file }) + # pid file manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-04-07 16:01:44.000000000 -0400 @@ -26,7 +26,7 @@ ## ##

## Allow ftp servers to use cifs -## used for public file transfer services. +## for public file transfer services. ##

##
gen_tunable(allow_ftpd_use_cifs, false) @@ -34,13 +34,20 @@ ## ##

## Allow ftp servers to use nfs -## used for public file transfer services. +## for public file transfer services. ##

##
gen_tunable(allow_ftpd_use_nfs, false) ## ##

+## Allow ftp servers to use connect to mysql database +##

+##
+gen_tunable(ftpd_connect_db, false) + +## +##

## Allow ftp to read and write files in the user home directories ##

##
@@ -92,6 +99,7 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; +allow ftpd_t self:key manage_key_perms; allow ftpd_t ftpd_etc_t:file read_file_perms; @@ -131,6 +139,7 @@ dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) +fs_list_inotifyfs(ftpd_t) corecmd_exec_bin(ftpd_t) @@ -160,6 +169,7 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) +fs_search_fusefs(ftpd_t) auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) @@ -222,9 +232,15 @@ userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) userdom_manage_user_home_content_symlinks(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) + + auth_read_all_dirs_except_shadow(ftpd_t) + auth_read_all_files_except_shadow(ftpd_t) + auth_read_all_symlinks_except_shadow(ftpd_t) ') +# Needed for permissive mode, to make sure everything gets labeled correctly +userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` fs_manage_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) @@ -258,7 +274,26 @@ ') optional_policy(` - kerberos_read_keytab(ftpd_t) + kerberos_keytab_template(ftpd, ftpd_t) + kerberos_manage_host_rcache(ftpd_t) + selinux_validate_context(ftpd_t) +') + +optional_policy(` + tunable_policy(`ftpd_connect_db',` + mysql_stream_connect(ftpd_t) + ') +') + +optional_policy(` + tunable_policy(`ftpd_connect_db',` + postgresql_stream_connect(ftpd_t) + ') +') + +tunable_policy(`ftpd_connect_db',` + corenet_tcp_connect_mysqld_port(ftpd_t) + corenet_tcp_connect_postgresql_port(ftpd_t) ') optional_policy(` 
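Review bot: The description of the new `ftpd_connect_db` boolean in the -34,13 hunk says "Allow ftp servers to use connect to mysql database", but the rules attached to it in the -258,7 hunk also enable `postgresql_stream_connect(ftpd_t)` and `corenet_tcp_connect_postgresql_port(ftpd_t)`. An administrator reading the boolean's description would not expect it to open PostgreSQL connectivity as well. The text should match what exim.te uses for its equivalent boolean, e.g. `## Allow ftp servers to connect to databases (postgres, mysql)`.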
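Review bot: The -222,9 hunk adds `auth_read_all_dirs_except_shadow`, `auth_read_all_files_except_shadow` and `auth_read_all_symlinks_except_shadow` for ftpd_t inside what appears to be the home-directory tunable block (its opening line is outside the hunk), which turns "FTP may access user home directories" into "FTP may read every file on the system except shadow". That is a much larger exposure than the boolean's description promises and should either be dropped or moved under its own boolean with an accurate description. The same hunk moves the home-directory file transition out of the conditional with the comment "Needed for permissive mode", so `userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })` now applies even when home-directory access is disabled; a fuller comment on why enforcing mode needs it would help.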
@@ -270,6 +305,14 @@ ') optional_policy(` + dbus_system_bus_client(ftpd_t) + optional_policy(` + oddjob_dbus_chat(ftpd_t) + oddjob_domtrans_mkhomedir(ftpd_t) + ') +') + +optional_policy(` seutil_sigchld_newrole(ftpd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.12/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-04-07 15:53:35.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/git.te 2009-04-07 16:03:07.000000000 -0400 @@ -7,3 +6,4 @@ # apache_content_template(git) +permissive httpd_git_script_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.12/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.12/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.if 2009-04-07 16:01:44.000000000 -0400 
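Review bot: The git.te hunk adds `permissive httpd_git_script_t;` unconditionally, so the CGI domain for git content is never enforced: denials are logged but every access is allowed. devicekit.te in this same patch at least places its `permissive` statements under the TESTING ifdef; doing the same here would keep the statement out of production builds. If the domain must stay permissive for now, add a comment stating that and what has to be resolved before it is removed.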
@@ -0,0 +1,69 @@
+
+## policy for gnomeclock
+
+########################################
+##
+## Execute a domain transition to run gnomeclock.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gnomeclock_domtrans',`
+ gen_require(`
+ type gnomeclock_t;
+ type gnomeclock_exec_t;
+ ')
+
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
+')
+
+
+########################################
+##
+## Execute gnomeclock in the gnomeclock domain, and
+## allow the specified role the gnomeclock domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the gnomeclock domain.
+##
+##
+#
+interface(`gnomeclock_run',`
+ gen_require(`
+ type gnomeclock_t;
+ ')
+
+ gnomeclock_domtrans($1)
+ role $2 types gnomeclock_t;
+')
+
+
+########################################
+##
+## Send and receive messages from
+## gnomeclock over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnomeclock_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,51 @@ +policy_module(gnomeclock, 1.0.0) +######################################## +# +# Declarations +# + +type gnomeclock_t; +type gnomeclock_exec_t; +dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + +######################################## +# +# gnomeclock local policy +# +allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; +allow gnomeclock_t self:process { getattr getsched }; +allow gnomeclock_t self:fifo_file rw_fifo_file_perms; +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + +corecmd_exec_bin(gnomeclock_t) + +userdom_ptrace_all_users(gnomeclock_t) + +files_read_etc_files(gnomeclock_t) +files_read_usr_files(gnomeclock_t) + +miscfiles_manage_localization(gnomeclock_t) +miscfiles_etc_filetrans_localization(gnomeclock_t) + +fs_list_inotifyfs(gnomeclock_t) + +auth_use_nsswitch(gnomeclock_t) + +miscfiles_read_localization(gnomeclock_t) + +userdom_read_all_users_state(gnomeclock_t) + +optional_policy(` + consolekit_dbus_chat(gnomeclock_t) +') + +optional_policy(` + clock_domtrans(gnomeclock_t) +') + +optional_policy(` + polkit_domtrans_auth(gnomeclock_t) + polkit_read_lib(gnomeclock_t) + polkit_read_reload(gnomeclock_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.if serefpolicy-3.6.12/policy/modules/services/gpm.if --- nsaserefpolicy/policy/modules/services/gpm.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/gpm.if 2009-04-20 08:24:22.000000000 -0400 
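Review bot: gnomeclock_t receives both `sys_ptrace` and `userdom_ptrace_all_users(gnomeclock_t)`, which is a broad grant for a helper whose job, going by `sys_time` and `clock_domtrans(gnomeclock_t)`, is setting the clock. `userdom_read_all_users_state(gnomeclock_t)` is already granted a few lines later. If the ptrace denials only come from looking at the /proc entries of the D-Bus caller (an assumption; the interface bodies are not part of this patch), a dontaudit would be the tighter choice. Otherwise a comment such as `# ptrace needed for <reason>` should record why it is there. `miscfiles_read_localization(gnomeclock_t)` also looks redundant next to `miscfiles_manage_localization(gnomeclock_t)`.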
@@ -16,7 +16,7 @@ type gpmctl_t, gpm_t; ') - allow $1 gpmctl_t:sock_file { getattr write }; + allow $1 gpmctl_t:sock_file rw_sock_file_perms; allow $1 gpm_t:unix_stream_socket connectto; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.12/policy/modules/services/gpm.te --- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gpm.te 2009-04-07 16:01:44.000000000 -0400 @@ -54,6 +54,8 @@ dev_rw_input_dev(gpm_t) dev_rw_mouse(gpm_t) +files_read_etc_files(gpm_t) + fs_getattr_all_fs(gpm_t) fs_search_auto_mountpoints(gpm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.12/policy/modules/services/gpsd.if --- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gpsd.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,83 @@ +## gpsd monitor daemon + +######################################## +## +## Execute a domain transition to run gpsd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gpsd_domtrans',` + gen_require(` + type gpsd_t, gpsd_exec_t; + ') + + domtrans_pattern($1, gpsd_exec_t, gpsd_t) +') + +######################################## +## +## Execute gpsd in the gpsd domain, and +## allow the specified role the gpsd domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the gpsd domain. +## +## +# +interface(`gpsd_run',` + gen_require(` + type gpsd_t; + ') + + gpsd_domtrans($1) + role $2 types gpsd_t; +') + +######################################## +## +## Read and write to gpsd shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`gpsd_rw_shm',` + gen_require(` + type gpsd_t; + ') + + allow $1 gpsd_t:shm rw_shm_perms; +') + +######################################## +## +## Read/write gpsd tmpfs files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`gpsd_rw_tmpfs_files',` + gen_require(` + type gpsd_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 gpsd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/gpsd.te 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,52 @@ +policy_module(gpsd,1.0.0) + +######################################## +# +# Declarations +# + +type gpsd_t; +type gpsd_exec_t; +application_domain(gpsd_t, gpsd_exec_t) +role system_r types gpsd_t; + +type gpsd_tmpfs_t; +files_tmpfs_file(gpsd_tmpfs_t) + +######################################## +# +# gpsd local policy +# + +allow gpsd_t self:capability { setuid sys_nice setgid fowner }; +allow gpsd_t self:process setsched; +allow gpsd_t self:shm create_shm_perms; +allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow gpsd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) + +corenet_tcp_bind_all_nodes(gpsd_t) +corenet_tcp_bind_gpsd_port(gpsd_t) + +term_use_unallocated_ttys(gpsd_t) +term_setattr_unallocated_ttys(gpsd_t) + +auth_use_nsswitch(gpsd_t) + +logging_send_syslog_msg(gpsd_t) + +miscfiles_read_localization(gpsd_t) + +optional_policy(` + ntpd_rw_shm(gpsd_t) + ntpd_rw_tmpfs_files(gpsd_t) +') + +optional_policy(` + dbus_system_bus_client(gpsd_t) +') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.12/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/hal.fc 2009-04-07 16:01:44.000000000 -0400 
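Review bot: gpsd_t is declared with `application_domain(gpsd_t, gpsd_exec_t)` plus `role system_r types gpsd_t;`, but nothing in this module gives init or an init script a transition into gpsd_t, although gpsd.if describes gpsd as a daemon. If the service is started at boot it would presumably keep running in the starter's domain and none of the rules here would confine it. The other new daemons in this patch (ifplugd.te, lircd.te) use `init_daemon_domain(...)` for this. I would either switch to `init_daemon_domain(gpsd_t, gpsd_exec_t)` or add a comment naming the domain that is expected to call `gpsd_domtrans`.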
@@ -5,6 +5,7 @@ /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) +/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.12/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/hal.if 2009-04-09 10:12:15.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## ## +## Execute hal mac in the hal mac domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_domtrans_mac',` + gen_require(` + type hald_mac_t, hald_mac_exec_t; + ') + + domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) +') + +######################################## +## ## Get the attributes of a hal process. ## ## @@ -51,10 +69,7 @@ type hald_t; ') - allow $1 hald_t:dir list_dir_perms; - read_files_pattern($1, hald_t, hald_t) - read_lnk_files_pattern($1, hald_t, hald_t) - dontaudit $1 hald_t:process ptrace; + ps_process_pattern($1, hald_t) ') ######################################## @@ -170,6 +185,24 @@ ######################################## ## +## Allo read/write to a hal unix datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_rw_dgram_sockets',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:unix_dgram_socket { read write }; +') + +######################################## +## ## Send to hal over a unix domain ## stream socket. ## 
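Review bot: `hal_rw_dgram_sockets` in the `@@ -170,6 +185,24 @@` hunk of hal.if is named and summarised as granting read/write ("Allo read/write to a hal unix datagram socket"), but its only rule is `dontaudit $1 hald_t:unix_dgram_socket { read write };`, which grants nothing and suppresses the denial records. Someone reading a caller will assume access is allowed and will not see the denials in the audit log. I would rename it to `hal_dontaudit_rw_dgram_sockets`, change the summary to `Do not audit attempts to read and write hal unix datagram sockets.` and the parameter text to `Domain to not audit.`.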
@@ -340,3 +373,62 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ') + +######################################## +## +## Manage hald PID dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_manage_pid_dirs',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## +## Manage hald PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_manage_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## +## Manage hald log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`hal_create_log',` + gen_require(` + type hald_log_t; + ') + + # log files for hald + manage_files_pattern($1, hald_log_t, hald_log_t) + logging_log_filetrans($1, hald_log_t, file) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-20 07:58:45.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + +type hald_dccm_t; +type hald_dccm_exec_t; +domain_type(hald_dccm_t) +domain_entry_file(hald_dccm_t, hald_dccm_exec_t) +role system_r types hald_dccm_t; + ######################################## # # Local policy 
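Review bot: `hal_create_log` at the end of the `@@ -340,3 +373,62 @@` hunk grants `manage_files_pattern($1, hald_log_t, hald_log_t)`, which is the full manage set on hald log files, not only creation; its own summary says "Manage hald log files". For logs this matters because a caller can then rewrite or delete earlier entries. If callers only need to create and write their own log, `create_files_pattern` together with `append_files_pattern` would be closer to the name. Otherwise rename the interface to `hal_manage_log` so that name and grant agree.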
@@ -143,11 +152,16 @@ files_getattr_all_dirs(hald_t) files_read_kernel_img(hald_t) files_rw_lock_dirs(hald_t) +files_read_generic_pids(hald_t) fs_getattr_all_fs(hald_t) fs_search_all(hald_t) fs_list_inotifyfs(hald_t) fs_list_auto_mountpoints(hald_t) +fs_mount_dos_fs(hald_t) +fs_unmount_dos_fs(hald_t) +fs_manage_dos_files(hald_t) + files_getattr_all_mountpoints(hald_t) mls_file_read_all_levels(hald_t) @@ -195,6 +209,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) +sysnet_domtrans_dhcpc(hald_t) userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) @@ -277,6 +292,17 @@ ') optional_policy(` + ppp_read_rw_config(hald_t) +') + +optional_policy(` + polkit_domtrans_auth(hald_t) + polkit_domtrans_resolve(hald_t) + polkit_read_lib(hald_t) + polkit_read_reload(hald_t) +') + +optional_policy(` rpc_search_nfs_state_data(hald_t) ') @@ -298,7 +324,11 @@ ') optional_policy(` - virt_manage_images(hald_t) + virtual_manage_image(hald_t) +') + +optional_policy(` + xserver_read_pid(hald_t) ') ######################################## @@ -306,7 +336,7 @@ # Hal acl local policy # -allow hald_acl_t self:capability { dac_override fowner }; +allow hald_acl_t self:capability { dac_override fowner sys_resource }; allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; @@ -321,6 +351,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) +allow hald_t hald_var_run_t:dir mounton; corecmd_exec_bin(hald_acl_t) @@ -339,6 +370,8 @@ storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) +storage_getattr_fixed_disk_dev(hald_acl_t) +storage_setattr_fixed_disk_dev(hald_acl_t) auth_use_nsswitch(hald_acl_t) 
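Review bot: In the `@@ -321,6 +351,7 @@` hunk the added `allow hald_t hald_var_run_t:dir mounton;` sits among the hald_acl_t rules of the "Hal acl local policy" section, but its source type is hald_t. Either the rule was meant for hald_acl_t, or it belongs in the hald_t section earlier in the file; as placed, someone auditing what hald_t may do will not find it there. Since `mounton` lets the domain use its PID directory as a mount point, a comment such as `# hald mounts <what> under its run directory` should state the reason. The section continues outside the hunk.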
@@ -346,12 +379,18 @@ miscfiles_read_localization(hald_acl_t) +optional_policy(` + polkit_domtrans_auth(hald_acl_t) + polkit_read_lib(hald_acl_t) + polkit_read_reload(hald_acl_t) +') + ######################################## # # Local hald mac policy # -allow hald_mac_t self:capability { setgid setuid }; +allow hald_mac_t self:capability { setgid setuid sys_admin }; domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; @@ -374,6 +413,8 @@ auth_use_nsswitch(hald_mac_t) +logging_send_syslog_msg(hald_mac_t) + miscfiles_read_localization(hald_mac_t) ######################################## 
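Review bot: The change to `allow hald_mac_t self:capability { setgid setuid sys_admin };` adds CAP_SYS_ADMIN, which covers a very wide range of privileged operations, to a helper that so far only needed to change uid and gid. Nothing in the hunk says which operation was denied. I would add a comment naming it, e.g. `# sys_admin: <operation that was denied>`, and check whether a dontaudit is enough. The same question applies to `sys_resource`, added to hald_acl_t in the `@@ -306,7 +336,7 @@` hunk of this file.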
@@ -415,6 +456,55 @@ dev_rw_input_dev(hald_keymap_t) +files_read_etc_files(hald_keymap_t) files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) + +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) + +######################################## +# +# Local hald dccm policy +# +allow hald_dccm_t self:capability { net_bind_service }; +allow hald_dccm_t self:process getsched; +allow hald_dccm_t self:tcp_socket create_stream_socket_perms; +allow hald_dccm_t self:udp_socket create_socket_perms; +allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; + +domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) +allow hald_t hald_dccm_t:process signal; +allow hald_dccm_t hald_t:unix_stream_socket connectto; + +corenet_all_recvfrom_unlabeled(hald_dccm_t) +corenet_all_recvfrom_netlabel(hald_dccm_t) +corenet_tcp_sendrecv_generic_if(hald_dccm_t) +corenet_udp_sendrecv_generic_if(hald_dccm_t) +corenet_tcp_sendrecv_generic_node(hald_dccm_t) +corenet_udp_sendrecv_generic_node(hald_dccm_t) +corenet_tcp_sendrecv_all_ports(hald_dccm_t) +corenet_udp_sendrecv_all_ports(hald_dccm_t) +corenet_tcp_bind_generic_node(hald_dccm_t) +corenet_udp_bind_generic_node(hald_dccm_t) +corenet_udp_bind_dhcpc_port(hald_dccm_t) +corenet_tcp_bind_ftps_port(hald_dccm_t) +corenet_tcp_bind_dccm_port(hald_dccm_t) + +kernel_search_network_sysctl(hald_dccm_t) + +logging_send_syslog_msg(hald_dccm_t) + +manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_dccm_t) + +write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) + +files_read_usr_files(hald_dccm_t) + +miscfiles_read_localization(hald_dccm_t) + +permissive hald_dccm_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.12/policy/modules/services/ifplugd.fc --- 
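Review bot: hald_dccm_t is allowed `corenet_tcp_bind_ftps_port` and `corenet_udp_bind_dhcpc_port` together with `net_bind_service`, i.e. it may bind ports labelled for other services, and it may send and receive on all ports. Because the block ends with `permissive hald_dccm_t;` none of this is enforced yet, so the list is effectively the draft of what will be allowed once the domain is enforcing. A short comment on each unusual port saying why hal-dccm listens there would make that draft reviewable. Separately, the workaround `cron_read_system_job_lib_files(hald_t)` is placed at the end of the hald_keymap section although it applies to hald_t.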
nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ifplugd.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,9 @@ + +/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) + +/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) + +/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) + +/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.12/policy/modules/services/ifplugd.if --- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ifplugd.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,194 @@ +## policy for ifplugd + +######################################## +## +## Execute a domain transition to run ifplugd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ifplugd_domtrans',` + gen_require(` + type ifplugd_t, ifplugd_exec_t; + ') + + domtrans_pattern($1,ifplugd_exec_t,ifplugd_t) +') + +######################################## +## +## Read and write ifplugd UDP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`ifplugd_rw_udp_sockets',` + gen_require(` + type ifplugd_t; + ') + + allow $1 ifplugd_t:udp_socket { read write }; +') + +######################################## +## +## Read and write ifplugd packet sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`ifplugd_rw_packet_sockets',` + gen_require(` + type ifplugd_t; + ') + + allow $1 ifplugd_t:packet_socket { read write }; +') + +######################################## +## +## Read and write ifplugd netlink +## routing sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`ifplugd_rw_routing_sockets',` + gen_require(` + type ifplugd_t; + ') + + allow $1 ifplugd_t:netlink_route_socket { read write }; +') + +######################################## +## +## Send a generic signal to ifplugd +## +## +## +## Domain allowed access. +## +## +# +interface(`ifplugd_signal',` + gen_require(` + type ifplugd_t; + ') + + allow $1 ifplugd_t:process signal; +') + +######################################## +## +## Read ifplugd etc configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`ifplugd_read_etc',` + gen_require(` + type ifplugd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) +') + +######################################## +## +## Manage ifplugd etc configuration files. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`ifplugd_manage_etc',` + gen_require(` + type ifplugd_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) + manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) + +') + +######################################## +## +## Read ifplugd PID files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`ifplugd_read_pid_files',` + gen_require(` + type ifplugd_var_run_t; + ') + + files_search_pids($1) + allow $1 ifplugd_var_run_t:file read_file_perms; +') + +######################################## +## +## All of the rules required to administrate +## an ifplugd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the ifplugd domain. +## +## +## +## +# +interface(`ifplugd_admin',` + gen_require(` + type ifplugd_t, ifplugd_etc_t; + type ifplugd_var_run_t, ifplugd_initrc_exec_t; + ') + + allow $1 ifplugd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ifplugd_t) + + init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ifplugd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, ifplugd_etc_t) + + files_list_pids($1) + admin_pattern($1, ifplugd_var_run_t) + +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.12/policy/modules/services/ifplugd.te --- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ifplugd.te 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,89 @@ +policy_module(ifplugd,1.0.0) + +######################################## +# +# Declarations +# + +type ifplugd_t; +type ifplugd_exec_t; +init_daemon_domain(ifplugd_t, ifplugd_exec_t) + +type ifplugd_initrc_exec_t; +init_script_file(ifplugd_initrc_exec_t) + +# config files +type ifplugd_etc_t; +files_type(ifplugd_etc_t) + +# pid files +type ifplugd_var_run_t; +files_pid_file(ifplugd_var_run_t) + +######################################## +# +# ifplugd local policy +# + +allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; +dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; +allow ifplugd_t self:process { signal signull }; + +allow ifplugd_t self:fifo_file rw_fifo_file_perms; +allow ifplugd_t self:tcp_socket create_stream_socket_perms; +allow ifplugd_t self:udp_socket create_socket_perms; +allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; +allow ifplugd_t self:packet_socket create_socket_perms; + +# pid file +manage_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) +manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) +files_pid_filetrans(ifplugd_t,ifplugd_var_run_t, { file sock_file }) + +# config files +read_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) +exec_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) + +kernel_read_system_state(ifplugd_t) +kernel_read_network_state(ifplugd_t) +kernel_search_network_sysctl(ifplugd_t) +kernel_rw_net_sysctls(ifplugd_t) +kernel_read_kernel_sysctls(ifplugd_t) + +# reading of hardware information +dev_read_sysfs(ifplugd_t) + +corecmd_exec_shell(ifplugd_t) +corecmd_exec_bin(ifplugd_t) + +domain_read_confined_domains_state(ifplugd_t) +domain_dontaudit_read_all_domains_state(ifplugd_t) + +auth_use_nsswitch(ifplugd_t) + +libs_use_ld_so(ifplugd_t) +libs_use_shared_libs(ifplugd_t) +miscfiles_read_localization(ifplugd_t) + +logging_send_syslog_msg(ifplugd_t) + +netutils_domtrans(ifplugd_t) +# transition to ifconfig & 
dhcpc +sysnet_domtrans_ifconfig(ifplugd_t) +sysnet_domtrans_dhcpc(ifplugd_t) + +sysnet_delete_dhcpc_pid(ifplugd_t) +sysnet_read_dhcpc_pid(ifplugd_t) +sysnet_signal_dhcpc(ifplugd_t) +#sysnet_kill_dhcpc(ifplugd_t) +#sysnet_manage_config(ifplugd_t) +#sysnet_read_dhcp_config(ifplugd_t) +#sysnet_search_dhcp_state(ifplugd_t) + +optional_policy(` + consoletype_exec(ifplugd_t) +') + +permissive ifplugd_t; + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-07 16:01:44.000000000 -0400 @@ -63,6 +63,25 @@ ######################################## ## +## Allow domain to manage kerneloops tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`kerneloops_manage_tmp_files',` + gen_require(` + type kerneloops_tmp_t; + ') + + manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) + files_search_tmp($1) +') + +######################################## +## ## All of the rules required to administrate ## an kerneloops environment ## @@ -81,6 +100,7 @@ interface(`kerneloops_admin',` gen_require(` type kerneloops_t, kerneloops_initrc_exec_t; + type kerneloops_tmp_t; ') allow $1 kerneloops_t:process { ptrace signal_perms }; @@ -90,4 +110,7 @@ domain_system_change_exemption($1) role_transition $2 kerneloops_initrc_exec_t system_r; allow $2 system_r; + + admin_pattern($1, kerneloops_tmp_t) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-04-07 16:01:44.000000000 -0400 
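Review bot: `exec_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t)` in ifplugd.te lets the daemon execute files labelled as its configuration without a domain transition, so anything under /etc/ifplugd runs in ifplugd_t with `net_admin`. Combined with `ifplugd_manage_etc` from ifplugd.if, any domain that is granted write access to the configuration can in effect run code in ifplugd_t. A separate executable type for the action script would keep configuration writers and code execution apart; at the least the `# config files` comment should say that these files are executed. `ifplugd_etc_t` is also declared with `files_type` where lircd.te in this patch uses `files_config_file`, and the four commented-out `#sysnet_...` lines are dead code.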
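Review bot: The parameter description of the new `kerneloops_manage_tmp_files` in the `@@ -63,6 +63,25 @@` hunk of kerneloops.if says `Domain to not audit.`, but the interface grants `manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)`. It should read `Domain allowed access.` like the other allow interfaces in this patch, and the summary would be clearer as `Manage kerneloops temporary files.`.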
@@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) +type kerneloops_tmp_t; +files_tmp_file(kerneloops_tmp_t) + ######################################## # # kerneloops local policy @@ -23,8 +26,13 @@ allow kerneloops_t self:fifo_file rw_file_perms; allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; +manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) +files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) + kernel_read_ring_buffer(kerneloops_t) +fs_list_inotifyfs(kerneloops_t) + # Init script handling domain_use_interactive_fds(kerneloops_t) @@ -46,6 +54,5 @@ sysnet_dns_name_resolve(kerneloops_t) optional_policy(` - dbus_system_bus_client(kerneloops_t) - dbus_connect_system_bus(kerneloops_t) + dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.12/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ktalk.te 2009-04-07 16:01:44.000000000 -0400 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) term_search_ptys(ktalkd_t) +term_use_all_terms(ktalkd_t) auth_use_nsswitch(ktalkd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.12/policy/modules/services/lircd.fc --- nsaserefpolicy/policy/modules/services/lircd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/lircd.fc 2009-04-07 16:01:44.000000000 -0400 
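Review bot: `term_use_all_terms(ktalkd_t)` in the ktalk.te hunk appears, going by its name, to give the talk daemon use of every terminal rather than only the user terminals it has to write to. If the denial that prompted the change was on user ttys or ptys, an interface limited to those would be the tighter grant. Either way a comment such as `# talkd writes the announcement to the callee's terminal` would record the reason. The surrounding block starts and ends outside the hunk.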
@@ -0,0 +1,9 @@ + +/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) + +/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) +/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) + +/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + +/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.12/policy/modules/services/lircd.if --- nsaserefpolicy/policy/modules/services/lircd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/lircd.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,100 @@ +## Lirc daemon + +######################################## +## +## Execute a domain transition to run lircd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`lircd_domtrans',` + gen_require(` + type lircd_t, lircd_exec_t; + ') + + domain_auto_trans($1,lircd_exec_t,lircd_t) + +') + +####################################### +## +## Read lircd etc file +## +## +## +## The type of the process performing this action. +## +## +# +interface(`lircd_read_etc',` + gen_require(` + type lircd_etc_t; + ') + + read_files_pattern($1, lircd_etc_t, lircd_etc_t) +') + +###################################### +## +## Connect to lircd over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`lircd_stream_connect',` + gen_require(` + type lircd_sock_t, lircd_t; + ') + + allow $1 lircd_t:unix_stream_socket connectto; + allow $1 lircd_sock_t:sock_file { getattr write }; + files_search_pids($1) +') + +######################################## +## +## All of the rules required to administrate +## an lircd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. 
+## +## +## +# +interface(`lircd_admin',` + gen_require(` + type lircd_t, lircd_var_run_t, lircd_sock_t; + type lircd_initrc_exec_t, lircd_etc_t; + ') + + allow $1 lircd_t:process { ptrace signal_perms }; + ps_process_pattern($1, lircd_t) + + init_labeled_script_domtrans($1, lircd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 lircd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, lircd_etc_t) + + files_search_pids($1) + admin_pattern($1, lircd_var_run_t) + + admin_pattern($1, lircd_sock_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-16 09:47:17.000000000 -0400 
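Review bot: `lircd_stream_connect` in lircd.if calls `files_search_pids($1)`, but lircd.fc in this patch labels the socket at `/dev/lircd`, so a caller needs to search /dev rather than the PID directory, e.g. `dev_list_all_dev_nodes($1)`; as written the interface may not be sufficient on its own. `lircd_domtrans` uses `domain_auto_trans` where the other new modules in this patch use `domtrans_pattern`. The role parameter of `lircd_admin` is described as `The role to be allowed to manage the syslog domain.`, which should name lircd.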
@@ -0,0 +1,58 @@ +policy_module(lircd,1.0.0) + +######################################## +# +# Declarations +# + +type lircd_t; +type lircd_exec_t; +init_daemon_domain(lircd_t, lircd_exec_t) + +type lircd_initrc_exec_t; +init_script_file(lircd_initrc_exec_t) + +# pid files +type lircd_var_run_t; +files_pid_file(lircd_var_run_t) + +# etc file +type lircd_etc_t; +files_config_file(lircd_etc_t) + +# type for lircd /dev/ sock file +type lircd_sock_t; +files_type(lircd_sock_t) + +######################################## +# +# lircd local policy +# + +allow lircd_t self:process signal; +allow lircd_t self:unix_dgram_socket create_socket_perms; + +# etc file +read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +# pid file +manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file }) + +# /dev/lircd socket +manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) +dev_filetrans(lircd_t, lircd_sock_t, sock_file ) +dev_read_generic_usb_dev(lircd_t) + +logging_send_syslog_msg(lircd_t) + +files_read_etc_files(lircd_t) +files_list_var(lircd_t) +files_manage_generic_locks(lircd_t) +files_read_all_locks(lircd_t) + +fs_list_inotifyfs(lircd_t) + +miscfiles_read_localization(lircd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.6.12/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/lpd.if 2009-04-15 17:56:28.000000000 -0400 
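Review bot: lircd_t is only given `self:unix_dgram_socket create_socket_perms`, yet lircd.if exports `lircd_stream_connect`, which allows clients `connectto` on `lircd_t:unix_stream_socket`. Unless `init_daemon_domain` supplies it (not visible in this patch), the daemon has no rule to create and listen on that stream socket. I would expect `allow lircd_t self:unix_stream_socket create_stream_socket_perms;` next to the datagram rule.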
@@ -134,6 +134,7 @@ files_search_spool($1) manage_dirs_pattern($1, print_spool_t, print_spool_t) manage_files_pattern($1, print_spool_t, print_spool_t) + manage_lnk_files_pattern($1, print_spool_t, print_spool_t) ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.12/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/mailman.fc 2009-04-07 16:01:44.000000000 -0400 @@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-04-07 16:01:44.000000000 -0400 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; + files_search_spool(mailman_$1_t) + + manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) 
@@ -64,6 +70,7 @@ corenet_sendrecv_smtp_client_packets(mailman_$1_t) fs_getattr_xattr_fs(mailman_$1_t) + fs_list_inotifyfs(mailman_$1_t) corecmd_exec_all_executables(mailman_$1_t) @@ -191,6 +198,7 @@ ') read_files_pattern($1, mailman_data_t, mailman_data_t) + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) ') ####################################### @@ -209,6 +217,7 @@ type mailman_data_t; ') + manage_dirs_pattern($1, mailman_data_t, mailman_data_t) manage_files_pattern($1, mailman_data_t, mailman_data_t) ') @@ -250,6 +259,25 @@ ####################################### ## +## read +## mailman logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailman_read_log',` + gen_require(` + type mailman_log_t; + ') + + read_files_pattern($1, mailman_log_t, mailman_log_t) +') + +####################################### +## ## Append to mailman logs. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.12/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/mailman.te 2009-04-07 16:01:44.000000000 -0400 @@ -53,10 +53,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) - - optional_policy(` - nscd_socket_use(mailman_cgi_t) - ') + apache_read_config(mailman_cgi_t) + apache_dontaudit_rw_stream_sockets(mailman_cgi_t) ') ######################################## 
@@ -65,15 +63,31 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; +allow mailman_mail_t initrc_t:process signal; +allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; + +files_search_spool(mailman_mail_t) +fs_rw_anon_inodefs_files(mailman_mail_t) +fs_list_inotifyfs(mailman_mail_t) + +manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) +manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) +manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) +mta_dontaudit_rw_queue(mailman_mail_t) -ifdef(`TODO',` optional_policy(` - allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; - # do we really need this? - allow mailman_mail_t qmail_lspawn_t:fifo_file write; + courier_read_spool(mailman_mail_t) ') + +optional_policy(` + postfix_search_spool(mailman_mail_t) +') + +optional_policy(` + cron_read_pipes(mailman_mail_t) ') ######################################## @@ -99,11 +113,15 @@ # for su seutil_dontaudit_search_config(mailman_queue_t) +su_exec(mailman_queue_t) + # some of the following could probably be changed to dontaudit, someone who # knows mailman well should test this out and send the changes userdom_search_user_home_dirs(mailman_queue_t) -su_exec(mailman_queue_t) +optional_policy(` + apache_read_config(mailman_queue_t) +') optional_policy(` cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.12/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/mta.fc 2009-04-07 16:01:44.000000000 -0400 
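Review bot: The added `allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };` in the @@ -65,15 +63,31 @@ hunk gives the mail-facing domain DAC bypass and uid/gid switching, with no comment saying which mailman operation needs each capability. `sys_tty_config` in particular is only silenced for munin_t in this same patch (`dontaudit munin_t self:capability sys_tty_config;`), so the same form is probably enough here: `dontaudit mailman_mail_t self:capability sys_tty_config;`. The neighbouring `allow mailman_mail_t initrc_t:process signal;` permits signalling any process in initrc_t and needs a why-comment too, for example `# <reason>: mailman wrapper signals the init-started qrunner`, with the reason filled in by someone who has seen the AVC.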
@@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) @@ -10,10 +10,13 @@ ') /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) @@ -22,7 +25,5 @@ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - -#ifdef(`postfix.te', `', ` -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#') +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-07 16:01:44.000000000 -0400 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') + optional_policy(` + exim_read_log($1_mail_t) + exim_append_log($1_mail_t) + exim_manage_spool_files($1_mail_t) +') + + optional_policy(` + uucp_manage_spool($1_mail_t) + ') ') ######################################## 
@@ -302,11 +311,13 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1, mail_spool_t, mail_spool_t) read_files_pattern($1, mail_spool_t, mail_spool_t) + append_files_pattern($1, mail_spool_t, mail_spool_t) create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) optional_policy(` dovecot_manage_spool($1) + dovecot_domtrans_deliver($1) ') optional_policy(` @@ -341,6 +352,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) + apache_append_log($1) ') ') @@ -591,8 +603,8 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:lnk_file read; - allow $1 mail_spool_t:file getattr; + getattr_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') ######################################## @@ -612,7 +624,7 @@ ') files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search; + dontaudit $1 mail_spool_t:dir search_dir_perms; dontaudit $1 mail_spool_t:lnk_file read; dontaudit $1 mail_spool_t:file getattr; ') @@ -665,7 +677,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; - rw_files_pattern($1, mail_spool_t, mail_spool_t) + manage_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') @@ -806,6 +818,7 @@ ') files_search_spool($1) + manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.12/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/mta.te 2009-04-07 16:01:44.000000000 -0400 
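Review bot: In the @@ -341,6 +352,7 @@ hunk, `apache_append_log($1)` is an allow rule placed under the `# apache should set close-on-exec` comment, next to two dontaudit calls that only silence leaked descriptors. If this is the same leaked-descriptor case, `apache_dontaudit_append_log($1)` would quieten the denial without letting every caller of this interface append to the web server logs; mta.te already uses that form for system_mail_t. If append access is really required, move the call out from under that comment and add its own, e.g. `# <caller> logs delivery errors through the inherited apache log fd`. The enclosing interface starts outside the hunk, so its name and documented scope are not visible here.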
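Review bot: The switch from `rw_files_pattern` to `manage_files_pattern($1, mail_spool_t, mail_spool_t)` in the @@ -665,7 +677,7 @@ hunk widens every caller from read/write to create, rename and unlink on spool files. The interface header is outside the hunk, so I cannot confirm its summary, but if it is documented as read/write the doc comment should be updated to say "Create, read, write, and delete". The retained `allow $1 mail_spool_t:file setattr;` line becomes redundant once the manage pattern is in place and can be dropped.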
@@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) +type mail_forward_t, mailcontent_type; +files_type(mail_forward_t) + type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) @@ -47,34 +50,49 @@ # # newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override }; +allow system_mail_t self:capability { dac_override fowner }; +allow system_mail_t self:fifo_file rw_fifo_file_perms; read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) +read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) allow system_mail_t mta_exec_type:file entrypoint; -allow system_mail_t mailcontent_type:file read_file_perms; +can_exec(system_mail_t, mta_exec_type) + +files_read_all_tmp_files(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) +dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) +fs_rw_anon_inodefs_files(system_mail_t) +fs_list_inotifyfs(system_mail_t) + +selinux_getattr_fs(system_mail_t) + init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) + +logging_append_all_logs(system_mail_t) optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) + apache_search_bugzilla_dirs(system_mail_t) # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) ') optional_policy(` 
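Review bot: `files_read_all_tmp_files(system_mail_t)` and `logging_append_all_logs(system_mail_t)` in the @@ -47,34 +50,49 @@ hunk are type-wide grants: read on every tmp file type and append on every log type. The same file already uses targeted calls for the known cases (`cron_read_system_job_tmp_files`, `logrotate_read_tmp_files`, `logwatch_read_tmp_files`). The hunk also adds `fowner` next to `dac_override`, but the existing comment above it still only mentions newalias. At minimum, add a marker above the two broad calls such as `# TODO: narrow to the specific tmp/log types once the calling domains are known`, and extend the capability comment to say what needs `fowner`. The hunk ends inside an `optional_policy` block that continues outside it.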
@@ -88,6 +106,13 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) + cron_rw_system_stream_sockets(system_mail_t) +') + +optional_policy(` + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) ') optional_policy(` @@ -95,16 +120,16 @@ ') optional_policy(` - logrotate_read_tmp_files(system_mail_t) + exim_domtrans(system_mail_t) + exim_manage_log(system_mail_t) ') optional_policy(` - logwatch_read_tmp_files(system_mail_t) + logrotate_read_tmp_files(system_mail_t) ') optional_policy(` - # newaliases runs as system_mail_t when the sendmail initscript does a restart - milter_getattr_all_sockets(system_mail_t) + logwatch_read_tmp_files(system_mail_t) ') optional_policy(` @@ -132,10 +157,6 @@ # compatability for old default main.cf postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) ') - - optional_policy(` - cron_rw_tcp_sockets(system_mail_t) - ') ') optional_policy(` @@ -155,6 +176,19 @@ ') optional_policy(` + clamav_stream_connect(system_mail_t) + clamav_append_log(system_mail_t) +') + +optional_policy(` + fail2ban_append_log(system_mail_t) + ') + + optional_policy(` + spamd_stream_connect(system_mail_t) +') + +optional_policy(` smartmon_read_tmp_files(system_mail_t) ') 
@@ -174,6 +208,25 @@ ') ') +read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) +userdom_search_admin_dir(mailserver_delivery) +read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) + +init_stream_connect_script(mailserver_delivery) +init_rw_script_stream_sockets(mailserver_delivery) + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) + fs_manage_cifs_symlinks(mailserver_delivery) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mailserver_delivery) + fs_manage_nfs_files(mailserver_delivery) + fs_manage_nfs_symlinks(mailserver_delivery) +') + ######################################## # # User send mail local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.12/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/munin.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,4 +1,5 @@ /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) 
@@ -6,6 +7,8 @@ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.12/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/munin.if 2009-04-07 16:01:44.000000000 -0400 @@ -59,8 +59,9 @@ type munin_log_t; ') - allow $1 munin_log_t:file append_file_perms; logging_search_logs($1) + allow $1 munin_log_t:dir list_dir_perms; + append_files_pattern($1, munin_log_t, munin_log_t) ') ####################################### 
@@ -100,3 +101,55 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; ') + +######################################## +## +## All of the rules required to administrate +## an munin environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the munin domain. +## +## +## +# +interface(`munin_admin',` + gen_require(` + type munin_t, munin_etc_t, munin_tmp_t; + type munin_log_t, munin_var_lib_t, munin_var_run_t; + type httpd_munin_content_t; + type munin_initrc_exec_t; + ') + + allow $1 munin_t:process { ptrace signal_perms }; + ps_process_pattern($1, munin_t) + + init_labeled_script_domtrans($1, munin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 munin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, munin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, munin_log_t) + + files_list_etc($1) + admin_pattern($1, munin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, munin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, munin_var_run_t) + + admin_pattern($1, httpd_munin_content_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.12/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/munin.te 2009-04-07 16:01:44.000000000 -0400 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) +type munin_initrc_exec_t; +init_script_file(munin_initrc_exec_t) + type munin_log_t alias lrrd_log_t; logging_log_file(munin_log_t) 
@@ -30,21 +33,25 @@ # Local policy # -allow munin_t self:capability { setgid setuid }; +allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; allow munin_t self:tcp_socket create_stream_socket_perms; allow munin_t self:udp_socket create_socket_perms; +allow munin_t self:fifo_file manage_fifo_file_perms; + +can_exec(munin_t, munin_exec_t) allow munin_t munin_etc_t:dir list_dir_perms; read_files_pattern(munin_t, munin_etc_t, munin_etc_t) read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) files_search_etc(munin_t) -allow munin_t munin_log_t:file manage_file_perms; -logging_log_filetrans(munin_t, munin_log_t, file) +manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) +manage_files_pattern(munin_t, munin_log_t, munin_log_t) +logging_log_filetrans(munin_t, munin_log_t, { file dir }) manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) @@ -61,9 +68,11 @@ files_pid_filetrans(munin_t, munin_var_run_t, file) kernel_read_system_state(munin_t) -kernel_read_kernel_sysctls(munin_t) +kernel_read_network_state(munin_t) +kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) +corecmd_exec_shell(munin_t) corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) 
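Review bot: The capability line in the @@ -30,21 +33,25 @@ hunk grows from `{ setgid setuid }` to `{ chown dac_override setgid setuid sys_rawio }` with no comment on what needs raw device I/O or DAC bypass. The following hunks add further broad grants to the same domain: `corecmd_exec_shell` and `kernel_read_all_sysctls` in @@ -61,9 +68,11 @@, then `domain_read_all_domains_state` and `logging_read_all_logs` in @@ -73,24 +82,36 @@. Presumably these come from individual plugins, but as written the network-listening munin_t daemon itself holds all of them. I would annotate each with its consumer, e.g. `# sys_rawio: required by <plugin>; TODO confine in a plugin domain`, so the grants can be narrowed later instead of becoming permanent.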
@@ -73,24 +82,36 @@ corenet_udp_sendrecv_generic_node(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) +corenet_tcp_bind_munin_port(munin_t) +corenet_tcp_connect_munin_port(munin_t) +corenet_tcp_connect_http_port(munin_t) +corenet_tcp_bind_generic_node(munin_t) dev_read_sysfs(munin_t) dev_read_urand(munin_t) +fs_list_inotifyfs(munin_t) domain_use_interactive_fds(munin_t) +domain_read_all_domains_state(munin_t) files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) files_read_usr_files(munin_t) +files_list_spool(munin_t) fs_getattr_all_fs(munin_t) fs_search_auto_mountpoints(munin_t) +auth_use_nsswitch(munin_t) + logging_send_syslog_msg(munin_t) +logging_read_all_logs(munin_t) +miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) -sysnet_read_config(munin_t) +sysnet_exec_ifconfig(munin_t) +netutils_domtrans_ping(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -105,7 +126,31 @@ ') optional_policy(` - nis_use_ypbind(munin_t) + fstools_domtrans(munin_t) +') + +optional_policy(` + mta_read_config(munin_t) + mta_send_mail(munin_t) + mta_read_queue(munin_t) +') + +optional_policy(` + mysql_read_config(munin_t) + mysql_stream_connect(munin_t) +') + +optional_policy(` + postfix_list_spool(munin_t) + postfix_getattr_spool_files(munin_t) +') + +optional_policy(` + rpc_search_nfs_state_data(munin_t) +') + +optional_policy(` + sendmail_read_log(munin_t) ') optional_policy(` 
@@ -115,3 +160,10 @@ optional_policy(` udev_read_db(munin_t) ') + +#============= http munin policy ============== +apache_content_template(munin) + +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.12/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/mysql.fc 2009-04-07 16:01:44.000000000 -0400 @@ -12,6 +12,8 @@ # /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.12/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/mysql.if 2009-04-07 16:01:44.000000000 -0400 
@@ -121,6 +121,44 @@ allow $1 mysqld_db_t:dir rw_dir_perms; ') +####################################### +## +## Append to the MySQL database directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_append_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + append_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + +####################################### +## +## Read and write to the MySQL database directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_rw_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1,mysqld_db_t,mysqld_db_t) +') + ######################################## ## ## Create, read, write, and delete MySQL database directories. @@ -140,6 +178,25 @@ allow $1 mysqld_db_t:dir manage_dir_perms; ') +####################################### +## +## Create, read, write, and delete MySQL database files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_manage_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1,mysqld_db_t,mysqld_db_t) +') + ######################################## ## ## Read and write to the MySQL database @@ -161,6 +218,25 @@ allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') +##################################### +## +## Search MySQL PID files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mysql_search_pid_files',` + gen_require(` + type mysqld_var_run_t; + ') + + search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + ######################################## ## ## Write to the MySQL log. 
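Review bot: `mysql_search_pid_files` in the @@ -161,6 +218,25 @@ hunk only emits `search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)` and omits the parent-directory search that the other new interfaces in this file include (`files_search_var_lib($1)` for the db interfaces). For a pid directory the matching call would be `files_search_pids($1)`, as the NetworkManager PID interface in this patch uses; without it the caller presumably cannot reach the mysqld run directory unless it already has that access from elsewhere. As a documentation point, the summary of `mysql_append_db_files` in the first hunk says "Append to the MySQL database directory" while the rule grants append on files; `## Append to MySQL database files.` would match what it does.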
@@ -177,7 +253,7 @@ ') logging_search_logs($1) - allow $1 mysqld_log_t:file { write_file_perms setattr }; + allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-04-07 16:01:44.000000000 -0400 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) +type mysqld_safe_t; +type mysqld_safe_exec_t; +init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) + type mysqld_var_run_t; files_pid_file(mysqld_var_run_t) 
@@ -121,3 +125,36 @@ optional_policy(` udev_read_db(mysqld_t) ') + +####################################### +# +# Local mysqld_safe policy +# + +domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t) + +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + +allow mysqld_safe_t mysqld_log_t:file manage_file_perms; +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + +mysql_append_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) + +kernel_read_system_state(mysqld_safe_t) + +dev_list_sysfs(mysqld_safe_t) + +files_read_etc_files(mysqld_safe_t) +files_read_usr_files(mysqld_safe_t) + +corecmd_exec_bin(mysqld_safe_t) + +miscfiles_read_localization(mysqld_safe_t) + +hostname_exec(mysqld_safe_t) + +permissive mysqld_safe_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.12/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/nagios.fc 2009-04-07 16:01:44.000000000 -0400 
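Review bot: `permissive mysqld_safe_t;` on the last line of the hunk leaves the new domain unenforced: denials are logged but the access is still allowed, so none of the rules above, including `self:capability { dac_override fowner chown }`, confine mysqld_safe yet. That is reasonable while a policy is being developed, but nothing here marks it as temporary. Add a comment directly above it, e.g. `# TODO: drop permissive once mysqld_safe_t runs clean of AVC denials`, and track its removal before this ships as an enforcing policy. Deployments can check which domains are still permissive with `semanage permissive -l`.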
@@ -1,16 +1,19 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ifdef(`distro_debian',` /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.12/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/nagios.if 2009-04-07 16:01:44.000000000 -0400 @@ -44,7 +44,7 @@ ######################################## ## -## Execute the nagios CGI with +## Execute the nagios NRPE with ## a domain transition. ## ## 
@@ -53,18 +53,37 @@ ## ## # -interface(`nagios_domtrans_cgi',` +interface(`nagios_domtrans_nrpe',` gen_require(` - type nagios_cgi_t, nagios_cgi_exec_t; + type nrpe_t, nrpe_exec_t; ') - domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) + domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') ######################################## ## -## Execute the nagios NRPE with -## a domain transition. +## Do not audit attempts to read and write +## NAGIOS unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`nagios_dontaudit_rw_pipes',` + + gen_require(` + type nagios_t; + ') + + dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Search nagios spool directories. ## ## ## 
@@ -72,10 +91,63 @@ ## ## # -interface(`nagios_domtrans_nrpe',` +interface(`nagios_search_spool',` gen_require(` - type nrpe_t, nrpe_exec_t; + type nagios_spool_t; ') - domtrans_pattern($1, nrpe_exec_t, nrpe_t) + allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## +## All of the rules required to administrate +## an nagios environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nagios domain. +## +## +## +# +interface(`nagios_admin',` + gen_require(` + type nagios_t, nrpe_t; + type nagios_tmp_t, nagios_log_t; + type nagios_etc_t, nrpe_etc_t; + type nagios_spool_t, nagios_var_run_t; + type nagios_initrc_exec_t; + ') + + allow $1 nagios_t:process { ptrace signal_perms }; + ps_process_pattern($1, nagios_t) + + init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, nagios_tmp_t) + + logging_list_logs($1) + admin_pattern($1, nagios_log_t) + + files_list_etc($1) + admin_pattern($1, nagios_etc_t) + + files_list_spool($1) + admin_pattern($1, nagios_spool_t) + + files_list_pids($1) + admin_pattern($1, nagios_var_run_t) + + admin_pattern($1, nrpe_etc_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.12/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/nagios.te 2009-04-07 16:01:44.000000000 -0400 
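Review bot: `nagios_admin` requires `nrpe_t` in its `gen_require` block but never uses it: only `nagios_t` gets `ps_process_pattern` and the process allow rule. This patch's nagios.fc labels the nrpe init script with the same `nagios_initrc_exec_t`, so the admin role can restart nrpe but cannot list or signal its process. Either drop `nrpe_t` from the require list or add `ps_process_pattern($1, nrpe_t)` and `allow $1 nrpe_t:process signal_perms;`. Separately, the summary says "an nagios environment", which should read "a nagios environment".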
@@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) -type nagios_cgi_t; -type nagios_cgi_exec_t; -init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) - type nagios_etc_t; files_config_file(nagios_etc_t) +type nagios_initrc_exec_t; +init_script_file(nagios_initrc_exec_t) + type nagios_log_t; logging_log_file(nagios_log_t) @@ -26,6 +25,9 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) +type nagios_spool_t; +files_type(nagios_spool_t) + type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) @@ -60,6 +62,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) +rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) + kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) 
@@ -127,39 +131,34 @@ # # Nagios CGI local policy # +apache_content_template(nagios) +typealias httpd_nagios_script_t alias nagios_cgi_t; +typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; +allow httpd_nagios_script_t self:process signal_perms; -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) +read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) +files_search_spool(httpd_nagios_script_t) +rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -corecmd_exec_bin(nagios_cgi_t) +kernel_read_system_state(httpd_nagios_script_t) -domain_dontaudit_read_all_domains_state(nagios_cgi_t) +domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) +files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) 
-logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) - -miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` - apache_append_log(nagios_cgi_t) -') +logging_send_syslog_msg(httpd_nagios_script_t) ######################################## # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.12/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/networkmanager.fc 2009-04-07 16:01:44.000000000 -0400 
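Review bot: In the @@ -127,39 +131,34 @@ hunk the renamed log rules still pass the wrong directory type: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the matching `read_lnk_files_pattern` line use `nagios_etc_t` as the containing directory for `nagios_log_t` files. This mistake is carried over unchanged from the removed `nagios_cgi_t` lines. It probably only works because the preceding `allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;` supplies the directory access. Since these lines are being rewritten anyway, use `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`.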
@@ -1,12 +1,25 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.12/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/networkmanager.if 2009-04-07 16:01:44.000000000 -0400 @@ -118,6 +118,24 @@ ######################################## ## +## Execute NetworkManager scripts with an automatic domain transition to initrc. +## +## +## +## Domain allowed access. +## +## +# +interface(`networkmanager_initrc_domtrans',` + gen_require(` + type NetworkManager_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + +######################################## +## ## Read NetworkManager PID files. ## ## 
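Review bot: The new `/etc/NetworkManager/dispatcher\.d(/.*)` entry in networkmanager.fc lacks the trailing `?` that every other directory pattern in the file has, so it labels the directory's contents but not the directory itself. If that is intentional (only the scripts should be `NetworkManager_initrc_exec_t`), a comment should say so; otherwise use `/etc/NetworkManager/dispatcher\.d(/.*)?`. `/usr/libexec/nm-dispatcher.action` leaves the dot unescaped, so it matches any character there, and should be `nm-dispatcher\.action` to follow the escaping used on `NetworkManager\.pid`. Several added lines write `gen_context(..., s0)` with a space before `s0` while the existing entries do not; worth normalising for consistency.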
@@ -134,3 +152,30 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') + +######################################## +## +## Execute NetworkManager in the NetworkManager domain, and +## allow the specified role the NetworkManager domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the NetworkManager domain. +## +## +## +# +interface(`networkmanager_run',` + gen_require(` + type NetworkManager_t, NetworkManager_exec_t; + ') + + networkmanager_domtrans($1) + role $2 types NetworkManager_t; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.12/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/networkmanager.te 2009-04-07 16:01:44.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) +type NetworkManager_var_lib_t; +files_type(NetworkManager_var_lib_t) + type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) 
@@ -33,9 +36,9 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; @@ -51,8 +54,10 @@ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -files_search_tmp(NetworkManager_t) +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) + +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) @@ -63,6 +68,8 @@ kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) +kernel_read_debugfs(NetworkManager_t) +kernel_rw_net_sysctls(NetworkManager_t) corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) 
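Review bot: The widened `allow NetworkManager_t self:capability` line now grants `sys_ptrace`, yet the unchanged `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };` directly below still lists it, so the two rules contradict each other and the dontaudit entry is dead. The comment above the rule only explains self-ptrace under gdb, which is a process permission, and nothing documents why `sys_admin`, `chown`, `fsetid` or `sys_nice` are needed; `sys_admin` in particular is a very broad grant for a daemon that handles network input. I would either drop `sys_ptrace` from the allow or change the next line to `dontaudit NetworkManager_t self:capability sys_tty_config;`, and add a one-line comment per new capability naming the operation that needs it.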
@@ -81,13 +88,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) +corenet_rw_tun_tap_dev(NetworkManager_t) +corenet_getattr_ppp_dev(NetworkManager_t) dev_read_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) +dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +dev_getattr_all_chr_files(NetworkManager_t) fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) +fs_list_inotifyfs(NetworkManager_t) mls_file_read_all_levels(NetworkManager_t) @@ -98,15 +110,19 @@ domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) -domain_dontaudit_read_all_domains_state(NetworkManager_t) files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) +storage_getattr_fixed_disk_dev(NetworkManager_t) + init_read_utmp(NetworkManager_t) +init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +auth_use_nsswitch(NetworkManager_t) + logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) 
@@ -116,25 +132,40 @@ seutil_read_config(NetworkManager_t) -sysnet_domtrans_ifconfig(NetworkManager_t) -sysnet_domtrans_dhcpc(NetworkManager_t) -sysnet_signal_dhcpc(NetworkManager_t) -sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_etc_filetrans_config(NetworkManager_t) sysnet_delete_dhcpc_pid(NetworkManager_t) -sysnet_search_dhcp_state(NetworkManager_t) -# in /etc created by NetworkManager will be labelled net_conf_t. +sysnet_domtrans_dhcpc(NetworkManager_t) +sysnet_domtrans_ifconfig(NetworkManager_t) +sysnet_kill_dhcpc(NetworkManager_t) sysnet_manage_config(NetworkManager_t) -sysnet_etc_filetrans_config(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) +sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_delete_dhcpc_state(NetworkManager_t) +sysnet_read_dhcpc_state(NetworkManager_t) +sysnet_signal_dhcpc(NetworkManager_t) +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) # Read gnome-keyring userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) + +cron_read_system_job_lib_files(NetworkManager_t) + +optional_policy(` + avahi_domtrans(NetworkManager_t) + avahi_kill(NetworkManager_t) + avahi_signal(NetworkManager_t) + avahi_signull(NetworkManager_t) +') optional_policy(` bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) + bind_kill(NetworkManager_t) bind_signal(NetworkManager_t) + bind_signull(NetworkManager_t) ') optional_policy(` 
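Review bot: The explanation for `sysnet_etc_filetrans_config(NetworkManager_t)` is lost in the sysnet block: the line `# in /etc created by NetworkManager will be labelled net_conf_t.` is removed while the type transition it described is kept. That transition decides the label of files NetworkManager creates in /etc, so I would keep a comment next to it, for example `# files created in /etc by NetworkManager are labelled net_conf_t`. Separately, `userdom_dgram_send(NetworkManager_t)` is added straight under the existing `# Read gnome-keyring` comment and reads as if it belonged to it; a blank line or its own comment would avoid that. The new `sysnet_kill_dhcpc`, `avahi_kill` and `bind_kill` calls add SIGKILL next to the existing signal permissions, and a short reason for needing both would help later audits.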
@@ -146,8 +177,25 @@ ') optional_policy(` - dbus_system_bus_client(NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) + dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + + optional_policy(` + consolekit_dbus_chat(NetworkManager_t) + ') +') + +optional_policy(` + dnsmasq_read_pid_files(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t) + dnsmasq_kill(NetworkManager_t) + dnsmasq_signal(NetworkManager_t) + dnsmasq_signull(NetworkManager_t) +') + +optional_policy(` + hal_write_log(NetworkManager_t) ') optional_policy(` @@ -155,23 +203,50 @@ ') optional_policy(` - nis_use_ypbind(NetworkManager_t) + iptables_domtrans(NetworkManager_t) ') optional_policy(` - nscd_socket_use(NetworkManager_t) + nscd_domtrans(NetworkManager_t) nscd_signal(NetworkManager_t) + nscd_signull(NetworkManager_t) + nscd_kill(NetworkManager_t) + nscd_initrc_domtrans(NetworkManager_t) +') + +optional_policy(` + # Dispatcher starting and stoping ntp + ntp_initrc_domtrans(NetworkManager_t) ') optional_policy(` openvpn_domtrans(NetworkManager_t) + openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) ') optional_policy(` + polkit_domtrans_auth(NetworkManager_t) + polkit_read_lib(NetworkManager_t) + polkit_read_reload(NetworkManager_t) + userdom_read_all_users_state(NetworkManager_t) +') + +optional_policy(` + ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) + ppp_kill(NetworkManager_t) ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) + ppp_read_config(NetworkManager_t) +') + +optional_policy(` + rpm_exec(NetworkManager_t) + rpm_read_db(NetworkManager_t) + rpm_dontaudit_manage_db(NetworkManager_t) ') optional_policy(` 
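Review bot: `rpm_exec(NetworkManager_t)` in the new rpm block, going by the `_exec` versus `_domtrans` naming used throughout this policy, runs rpm without a domain transition, so the rpm process keeps every permission of NetworkManager_t, including the `sys_admin` and `dac_override` capabilities this patch grants in the same file. The neighbouring additions (`iptables_domtrans`, `nscd_domtrans`, `polkit_domtrans_auth`) all move the helper into its own domain, and `udev_exec` in the following hunk has the same shape as the rpm call. If NetworkManager only needs to query the package database, a comment saying so above `rpm_exec` and `rpm_read_db` would make the intent reviewable. The new comment `# Dispatcher starting and stoping ntp` has a typo (`stopping`).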
@@ -179,12 +254,15 @@ ') optional_policy(` + udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') optional_policy(` vpn_domtrans(NetworkManager_t) + vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) + vpn_signull(NetworkManager_t) ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.12/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/nis.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,9 +1,13 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) +/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.12/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/nis.if 2009-04-07 16:01:44.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') - dontaudit $1 self:capability net_bind_service; + allow $1 self:capability net_bind_service; allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; 
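Review bot: In the nis.if hunk, changing `dontaudit $1 self:capability net_bind_service;` to `allow` hands the capability to every domain that calls this interface rather than to one daemon; the interface header is outside the hunk, so its name is not visible here. The next hunk in the same file replaces `corenet_tcp_bind_reserved_port($1)` and `corenet_udp_bind_reserved_port($1)` with dontaudit rules, so callers end up holding the capability while reserved-port binds are silently denied, unless they also go through the new `nis_authenticate`, which adds the RPC port binds. I would put a comment above the allow line naming the bind that needs it, or move the allow into `nis_authenticate` beside `corenet_tcp_bind_all_rpc_ports($1)` if that turns out to be the only path that binds a low port.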
@@ -49,8 +49,8 @@ corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) - corenet_tcp_bind_reserved_port($1) - corenet_udp_bind_reserved_port($1) + corenet_dontaudit_tcp_bind_all_reserved_ports($1) + corenet_dontaudit_udp_bind_all_reserved_ports($1) corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) @@ -87,6 +87,25 @@ ######################################## ## +## Use the nis to authenticate passwords +## +## +## +## The type of the process performing this action. +## +## +## +# +interface(`nis_authenticate',` + tunable_policy(`allow_ypbind',` + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) + ') +') + +######################################## +## ## Execute ypbind in the ypbind domain. ## ## 
@@ -244,3 +263,130 @@ corecmd_search_bin($1) domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) ') + +######################################## +## +## Execute nis server in the nis domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`nis_initrc_domtrans',` + gen_require(` + type nis_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, nis_initrc_exec_t) +') + +######################################## +## +## Execute nis server in the nis domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`nis_ypbind_initrc_domtrans',` + gen_require(` + type ypbind_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ypbind_initrc_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an nis environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nis domain. +## +## +## +# +interface(`nis_admin',` + gen_require(` + type ypbind_t, yppasswdd_t; + type ypserv_t, ypxfr_t; + type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; + type ypbind_initrc_exec_t; + type nis_initrc_exec_t; + ') + + allow $1 ypbind_t:process { ptrace signal_perms }; + ps_process_pattern($1, ypbind_t) + + allow $1 yppasswdd_t:process { ptrace signal_perms }; + ps_process_pattern($1, yppasswdd_t) + + allow $1 ypserv_t:process { ptrace signal_perms }; + ps_process_pattern($1, ypserv_t) + + allow $1 ypxfr_t:process { ptrace signal_perms }; + ps_process_pattern($1, ypxfr_t) + + nis_initrc_domtrans($1) + nis_ypbind_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nis_initrc_exec_t system_r; + role_transition $2 ypbind_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, ypbind_tmp_t) + + files_list_pids($1) + admin_pattern($1, ypbind_var_run_t) + + admin_pattern($1, yppasswdd_var_run_t) + + 
files_list_etc($1) + admin_pattern($1, ypserv_conf_t) + + admin_pattern($1, ypserv_tmp_t) + + admin_pattern($1, ypserv_var_run_t) +') + + +######################################## +## +## Execute ypbind in the ypbind domain, and +## allow the specified role the ypbind domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the ypbind domain. +## +## +## +# +interface(`nis_run_ypbind',` + gen_require(` + type ypbind_t; + ') + + nis_domtrans_ypbind($1) + role $2 types ypbind_t; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-04-07 16:01:44.000000000 -0400 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) +type ypbind_initrc_exec_t; +init_script_file(ypbind_initrc_exec_t) + type ypbind_tmp_t; files_tmp_file(ypbind_tmp_t) @@ -44,6 +47,9 @@ type ypxfr_exec_t; init_daemon_domain(ypxfr_t, ypxfr_exec_t) +type nis_initrc_exec_t; +init_script_file(nis_initrc_exec_t) + ######################################## # # ypbind local policy @@ -111,6 +117,16 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) optional_policy(` + dbus_system_bus_client(ypbind_t) + dbus_connect_system_bus(ypbind_t) + init_dbus_chat_script(ypbind_t) + + optional_policy(` + networkmanager_dbus_chat(ypbind_t) + ') +') + +optional_policy(` seutil_sigchld_newrole(ypbind_t) ') @@ -123,6 +139,7 @@ # yppasswdd local policy # +allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { setfscreate signal_perms }; 
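Review bot: The summaries of `nis_initrc_domtrans` and `nis_ypbind_initrc_domtrans` in the nis.if hunk are identical (`Execute nis server in the nis domain.`) and neither matches the body, which calls `init_labeled_script_domtrans` on an init script type; `nis_initrc_domtrans` also has a doubled `#` line before the interface line. I would word them like the NetworkManager one earlier in this patch, e.g. `Execute the ypbind init script with a domain transition to initrc.`. The same mismatch appears in `nscd_initrc_domtrans` and `ntp_initrc_domtrans` further down. In `nis_admin`, the `ptrace` permission on `yppasswdd_t` and `ypserv_t` lets the admin domain inspect daemons that handle password data, which deserves a sentence in the interface description.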
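Review bot: `allow yppasswdd_t self:capability dac_override;` is added at the top of the yppasswdd local policy without a comment, and it lets the password-change daemon bypass file permission bits on anything its type enforcement rules reach. If a specific file requires it, a comment naming that file would help, e.g. `# <file yppasswdd must rewrite despite its mode>`; if it only silences a denial seen in testing, `dontaudit yppasswdd_t self:capability dac_override;` is the narrower choice. The rest of the yppasswdd policy is outside this hunk, so I cannot tell which case applies.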
@@ -153,8 +170,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_generic_node(yppasswdd_t) corenet_udp_bind_generic_node(yppasswdd_t) -corenet_tcp_bind_reserved_port(yppasswdd_t) -corenet_udp_bind_reserved_port(yppasswdd_t) +corenet_tcp_bind_all_rpc_ports(yppasswdd_t) +corenet_udp_bind_all_rpc_ports(yppasswdd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) @@ -241,6 +258,8 @@ corenet_udp_bind_generic_node(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) +corenet_tcp_bind_all_rpc_ports(ypserv_t) +corenet_udp_bind_all_rpc_ports(ypserv_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) @@ -306,6 +325,8 @@ corenet_udp_bind_generic_node(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) +corenet_tcp_bind_all_rpc_ports(ypxfr_t) +corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.12/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/nscd.fc 2009-04-07 16:01:44.000000000 -0400 
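Review bot: The three port-binding hunks in nis.te are not consistent with each other: for `yppasswdd_t` the `corenet_tcp_bind_reserved_port` / `corenet_udp_bind_reserved_port` calls are replaced by `corenet_tcp_bind_all_rpc_ports` / `corenet_udp_bind_all_rpc_ports`, while for `ypserv_t` and `ypxfr_t` the RPC-port calls are added and the reserved-port calls stay. If the move to RPC ports is meant to narrow what these daemons may bind, `ypserv_t` and `ypxfr_t` keep the older, wider grant; if they still need unassigned reserved ports, a comment such as `# ypserv also binds outside the rpc port range` would record why. Each of these hunks shows only a slice of the corenet block, so the surrounding rules may already explain it.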
@@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.12/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/nscd.if 2009-04-07 16:01:44.000000000 -0400 @@ -58,6 +58,42 @@ ######################################## ## +## Send NSCD the kill signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`nscd_kill',` + gen_require(` + type nscd_t; + ') + + allow $1 nscd_t:process sigkill; +') + +######################################## +## +## Send signulls to NSCD. +## +## +## +## Domain allowed access. +## +## +# +interface(`nscd_signull',` + gen_require(` + type nscd_t; + ') + + allow $1 nscd_t:process signull; +') + +######################################## +## ## Use NSCD services by connecting using ## a unix stream socket. ## @@ -70,15 +106,14 @@ interface(`nscd_socket_use',` gen_require(` type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; ') allow $1 self:unix_stream_socket create_socket_perms; allow $1 nscd_t:nscd { getpwd getgrp gethost }; dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; - + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; files_search_pids($1) stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) dontaudit $1 nscd_var_run_t:file { getattr read }; 
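Review bot: In `nscd_socket_use` the new `getserv` permission is required in the `class nscd` line but then appears only in the `dontaudit` rule, while the allow rule stays `{ getpwd getgrp gethost }`. Callers will therefore have service lookups through nscd denied with no AVC message, which is hard to diagnose from the audit log. If that is deliberate, a comment above the dontaudit line should say so (`# service lookups via nscd are intentionally not allowed`); otherwise `getserv` belongs in the allow set: `allow $1 nscd_t:nscd { getserv getpwd getgrp gethost };`. The hunk also drops the blank line before `files_search_pids($1)` that separated the nscd class rules from the file rules.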
@@ -198,3 +233,60 @@ nscd_domtrans($1) role $2 types nscd_t; ') + +######################################## +## +## Execute nscd server in the nscd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`nscd_initrc_domtrans',` + gen_require(` + type nscd_initrc_exec_t; +') + + init_labeled_script_domtrans($1, nscd_initrc_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an nscd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the nscd domain. +## +## +## +# +interface(`nscd_admin',` + gen_require(` + type nscd_t, nscd_log_t, nscd_var_run_t; + type nscd_initrc_exec_t; + ') + + allow $1 nscd_t:process { ptrace signal_perms }; + ps_process_pattern($1, nscd_t) + + nscd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nscd_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, nscd_log_t) + + files_list_pids($1) + admin_pattern($1, nscd_var_run_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.12/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/nscd.te 2009-04-07 16:01:44.000000000 -0400 @@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) +type nscd_initrc_exec_t; +init_script_file(nscd_initrc_exec_t) + type nscd_log_t; logging_log_file(nscd_log_t) 
@@ -28,14 +31,14 @@ # Local policy # -allow nscd_t self:capability { kill setgid setuid audit_write }; +allow nscd_t self:capability { kill setgid setuid }; dontaudit nscd_t self:capability sys_tty_config; -allow nscd_t self:process { getattr setsched signal_perms }; +allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; allow nscd_t self:unix_stream_socket create_stream_socket_perms; allow nscd_t self:unix_dgram_socket create_socket_perms; allow nscd_t self:netlink_selinux_socket create_socket_perms; -allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; @@ -50,6 +53,9 @@ manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) +corecmd_search_bin(nscd_t) +can_exec(nscd_t, nscd_exec_t) + kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) @@ -60,6 +66,7 @@ fs_getattr_all_fs(nscd_t) fs_search_auto_mountpoints(nscd_t) +fs_list_inotifyfs(nscd_t) # for when /etc/passwd has just been updated and has the wrong type auth_getattr_shadow(nscd_t) @@ -73,6 +80,7 @@ corenet_udp_sendrecv_generic_node(nscd_t) corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) +corenet_udp_bind_generic_node(nscd_t) corenet_tcp_connect_all_ports(nscd_t) corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) 
@@ -84,12 +92,14 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) +domain_search_all_domains_state(nscd_t) files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) # Needed to read files created by firstboot "/etc/hesiod.conf" files_read_etc_runtime_files(nscd_t) +logging_send_audit_msgs(nscd_t) logging_send_syslog_msg(nscd_t) miscfiles_read_localization(nscd_t) @@ -105,6 +115,14 @@ userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` + cron_read_system_job_tmp_files(nscd_t) +') + +optional_policy(` + kerberos_use(nscd_t) +') + +optional_policy(` udev_read_db(nscd_t) ') @@ -112,3 +130,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.12/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/ntp.if 2009-04-07 16:01:44.000000000 -0400 @@ -37,6 +37,32 @@ ######################################## ## +## Execute ntp in the ntp domain, and +## allow the specified role the ntp domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the ntp domain. +## +## +## +# +interface(`ntp_run',` + gen_require(` + type ntpd_t; + ') + + ntp_domtrans($1) + role $2 types ntpd_t; +') + +######################################## +## ## Execute ntp server in the ntpd domain. ## ## 
@@ -56,6 +82,63 @@ ######################################## ## +## Execute ntp server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`ntp_initrc_domtrans',` + gen_require(` + type ntpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + +####################################### +## +## Read/write ntpdd tmpfs files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`ntpd_rw_tmpfs_files',` + gen_require(` + type ntpd_tmpfs_t; + ') + + fs_search_tmpfs($1) + list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t) + rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) +') + +######################################## +## +## Read and write to ntpd shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`ntpd_rw_shm',` + gen_require(` + type ntpd_t; + ') + + allow $1 ntpd_t:shm rw_shm_perms; +') + +######################################## +## ## All of the rules required to administrate ## an ntp environment ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.12/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ntp.te 2009-04-07 16:01:44.000000000 -0400 @@ -25,6 +25,9 @@ type ntpd_tmp_t; files_tmp_file(ntpd_tmp_t) +type ntpd_tmpfs_t; +files_tmpfs_file(ntpd_tmpfs_t) + type ntpd_var_run_t; files_pid_file(ntpd_var_run_t) 
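Review bot: The new interfaces `ntpd_rw_tmpfs_files` and `ntpd_rw_shm` use an `ntpd_` prefix, while `ntp_run` and `ntp_initrc_domtrans`, added to this file by the same patch, use the module name `ntp_`. Callers look interfaces up by module prefix, so I would name them `ntp_rw_tmpfs_files` and `ntp_rw_shm`. The summary `Read/write ntpdd tmpfs files.` has a typo (`ntpd`), and `list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)` lacks the spaces after commas that the two following lines use.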
@@ -38,10 +41,11 @@ # sys_resource and setrlimit is for locking memory # ntpdate wants sys_nice -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; +allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; @@ -52,6 +56,7 @@ can_exec(ntpd_t,ntpd_exec_t) read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr; manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) @@ -62,6 +67,10 @@ manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) +manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) +manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) +fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) + manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) @@ -90,6 +99,9 @@ fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) +# Necessary to communicate with gpsd devices +fs_rw_tmpfs_files(ntpd_t) +fs_list_inotifyfs(ntpd_t) term_use_ptmx(ntpd_t) 
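Review bot: `ipc_owner` is added to the `allow ntpd_t self:capability` set without extending the comment above it, which only explains `sys_resource`, `setrlimit` and `sys_nice`. That capability bypasses the permission checks on System V IPC objects, so together with the new `allow ntpd_t self:shm create_shm_perms;` it should state which shared-memory segment needs it; the gpsd block added later in this file suggests the gpsd segment, but that is my inference. A comment line such as `# ipc_owner: attach to the shared memory segment owned by gpsd` would do. In the later hunk of this file, `fs_rw_tmpfs_files(ntpd_t)` grants access to generic tmpfs files under the gpsd comment while `gpsd_rw_tmpfs_files(ntpd_t)` is added separately; if the gpsd interface covers the need, the generic one can be dropped.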
@@ -121,6 +133,11 @@ ') optional_policy(` + gpsd_rw_shm(ntpd_t) + gpsd_rw_tmpfs_files(ntpd_t) +') + +optional_policy(` firstboot_dontaudit_use_fds(ntpd_t) firstboot_dontaudit_rw_pipes(ntpd_t) firstboot_dontaudit_rw_stream_sockets(ntpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.12/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/nx.te 2009-04-07 16:01:44.000000000 -0400 @@ -25,6 +25,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) +type nx_server_home_ssh_t; +files_type(nx_server_home_ssh_t) + ######################################## # # NX server local policy @@ -44,6 +47,9 @@ manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) +manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) +manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) + kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.12/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/oddjob.fc 2009-04-07 16:01:44.000000000 -0400 
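Review bot: In nx.te, `nx_server_home_ssh_t` is declared and `nx_server_t` may manage it, but nothing visible in this patch gives any file that label: the diff has no nx.fc section and there is no file transition rule next to the two `manage_*_pattern` lines. Unless labelling happens elsewhere, the rules have no effect and the server's SSH files keep whatever label they carry today. The type name suggests these are the NX account's SSH key files, so I would add a comment with the intended path and say which other domains, if any, are expected to read them.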
@@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.12/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/oddjob.if 2009-04-07 16:01:44.000000000 -0400 @@ -44,6 +44,7 @@ ') domtrans_pattern(oddjob_t, $2, $1) + domain_user_exemption_target($1) ') ######################################## @@ -84,3 +85,28 @@ domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) ') + +######################################## +## +## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the oddjob_mkhomedir domain. +## +## +## +# +interface(`oddjob_run_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t; + ') + + oddjob_domtrans_mkhomedir($1) + role $2 types oddjob_mkhomedir_t; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.12/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/oddjob.te 2009-04-07 16:01:44.000000000 -0400 
@@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) init_daemon_domain(oddjob_t, oddjob_exec_t) +domain_obj_id_change_exemption(oddjob_t) +domain_role_change_exemption(oddjob_t) domain_subj_id_change_exemption(oddjob_t) type oddjob_mkhomedir_t; type oddjob_mkhomedir_exec_t; domain_type(oddjob_mkhomedir_t) -init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +domain_obj_id_change_exemption(oddjob_mkhomedir_t) +init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) +') + # pid files type oddjob_var_run_t; files_pid_file(oddjob_var_run_t) 
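Review bot: `oddjob_t` now carries three constraint exemptions (`domain_obj_id_change_exemption`, `domain_role_change_exemption` and the existing `domain_subj_id_change_exemption`) and `oddjob_mkhomedir_t` gains `domain_obj_id_change_exemption`, none of them with a comment. These lift the identity and role change constraints for a daemon that transitions into helper domains (`domtrans_pattern(oddjob_t, $2, $1)` in oddjob.if), so each one should state the operation that requires it. For the mkhomedir helper I would expect something like `# creates home directories labelled with the target user's SELinux identity`, but the reason should come from whoever hit the denial.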
@@ -65,13 +72,32 @@ # oddjob_mkhomedir local policy # +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; files_read_etc_files(oddjob_mkhomedir_t) +kernel_read_system_state(oddjob_mkhomedir_t) + +auth_use_nsswitch(oddjob_mkhomedir_t) + +logging_send_syslog_msg(oddjob_mkhomedir_t) + miscfiles_read_localization(oddjob_mkhomedir_t) +selinux_get_fs_mount(oddjob_mkhomedir_t) +selinux_validate_context(oddjob_mkhomedir_t) +selinux_compute_access_vector(oddjob_mkhomedir_t) +selinux_compute_create_context(oddjob_mkhomedir_t) +selinux_compute_relabel_context(oddjob_mkhomedir_t) +selinux_compute_user_contexts(oddjob_mkhomedir_t) + +seutil_read_config(oddjob_mkhomedir_t) +seutil_read_file_contexts(oddjob_mkhomedir_t) +seutil_read_default_contexts(oddjob_mkhomedir_t) + # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.12/policy/modules/services/pads.fc --- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pads.fc 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,12 @@ + +/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) +/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) +/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) +/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) + +/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) + +/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) + +/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.12/policy/modules/services/pads.if --- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,10 @@ +## SELinux policy for PADS daemon. +## +##
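Review bot: The literal dots in `/etc/pads.conf`, `/etc/pads-assets.csv` and `/var/run/pads.pid` in the pads.fc hunk are not escaped, so as regular expressions they match any character in that position; the init script entry in the same hunk (`/etc/rc\.d/init\.d/pads`) and nis.fc (`/etc/ypserv\.conf`) escape them. I would write `/etc/pads\.conf`, `/etc/pads-assets\.csv` and `/var/run/pads\.pid`. The `gen_context(…, s0)` calls here also put a space before `s0`, which the other file-context files in this patch do not. `/etc/pingd.conf` in the pingd.fc hunk further down has the same unescaped dot.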

+## PADS is a libpcap based detection engine used to +## passively detect network assets. It is designed to +## complement IDS technology by providing context to IDS +## alerts. +##

+##
+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.12/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pads.te 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,65 @@ + +policy_module(pads, 0.0.1) + +######################################## +# +# Declarations +# + +type pads_t; +type pads_exec_t; +init_daemon_domain(pads_t, pads_exec_t) +role system_r types pads_t; + +type pads_initrc_exec_t; +init_script_file(pads_initrc_exec_t) + +type pads_config_t; +files_config_file(pads_config_t) + +type pads_var_run_t; +files_pid_file(pads_var_run_t) + +######################################## +# +# Declarations +# + +allow pads_t self:capability { dac_override net_raw }; +allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; +allow pads_t self:udp_socket { create ioctl }; +allow pads_t self:unix_dgram_socket { write create connect }; + +allow pads_t pads_config_t:file manage_file_perms; +files_etc_filetrans(pads_t, pads_config_t, file) + +allow pads_t pads_var_run_t:file manage_file_perms; +files_pid_filetrans(pads_t, pads_var_run_t, file) + +corecmd_search_bin(pads_t) + +corenet_all_recvfrom_unlabeled(pads_t) +corenet_all_recvfrom_netlabel(pads_t) +corenet_tcp_sendrecv_generic_if(pads_t) +corenet_tcp_sendrecv_generic_node(pads_t) + +corenet_tcp_connect_prelude_port(pads_t) + +dev_read_rand(pads_t) +dev_read_urand(pads_t) + +kernel_read_sysctl(pads_t) + +files_read_etc_files(pads_t) +files_search_spool(pads_t) + +miscfiles_read_localization(pads_t) + +logging_send_syslog_msg(pads_t) + +sysnet_dns_name_resolve(pads_t) + +optional_policy(` + prelude_manage_spool(pads_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.12/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pegasus.te 2009-04-07 16:01:44.000000000 -0400 
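Review bot: `allow pads_t pads_config_t:file manage_file_perms;` together with `files_etc_filetrans(pads_t, pads_config_t, file)` lets the daemon create, rewrite and delete its own configuration, signature list and asset files, in a domain that holds `net_raw` and `dac_override` and parses traffic taken off the wire. If pads only reads its configuration and signatures and writes just the asset list, giving the writable file its own type and reducing the rule to `allow pads_t pads_config_t:file read_file_perms;` would limit what a compromised parser can change; I cannot tell from the policy which files it writes. The second banner repeats `# Declarations` where it introduces the local policy rules. `pads_initrc_exec_t` is declared, but pads.if as added by this patch contains only the module summary and no interface that uses it.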
@@ -30,7 +30,7 @@ # Local policy # -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; +allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; @@ -66,6 +66,8 @@ kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) kernel_read_net_sysctls(pegasus_t) +kernel_read_xen_state(pegasus_t) +kernel_write_xen_state(pegasus_t) corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) @@ -96,13 +98,12 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) +auth_read_shadow(pegasus_t) domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -files_read_etc_files(pegasus_t) -files_list_var_lib(pegasus_t) -files_read_var_lib_files(pegasus_t) +files_read_all_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) @@ -115,7 +116,6 @@ miscfiles_read_localization(pegasus_t) -sysnet_read_config(pegasus_t) sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) @@ -126,6 +126,14 @@ ') optional_policy(` + samba_manage_config(pegasus_t) +') + +optional_policy(` + ssh_exec(pegasus_t) +') + +optional_policy(` seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') 
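Review bot: In the `@@ -96,13 +98,12 @@` hunk of pegasus.te, `files_read_all_files(pegasus_t)` replaces three narrow read rules and `auth_read_shadow(pegasus_t)` is added, even though the context line `auth_domtrans_chk_passwd(pegasus_t)` already gives the daemon a helper domain for password checks. Together they let a daemon that holds `net_bind_service` read every labelled file type including the shadow file, so a flaw in pegasus exposes far more than before. I would keep `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files`, add reads only for the specific types that produced denials, and drop `auth_read_shadow` unless an AVC record shows the helper is insufficient. The `ipc_lock` added in the `@@ -30,7 +30,7 @@` hunk deserves a one-line comment saying what needs locked memory.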
@@ -137,3 +145,13 @@ optional_policy(` unconfined_signull(pegasus_t) ') + +optional_policy(` + virt_domtrans(pegasus_t) + virt_manage_config(pegasus_t) +') + +optional_policy(` + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.12/policy/modules/services/pingd.fc --- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pingd.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,11 @@ + +/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) + +/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) + +/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) + +/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) + + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.12/policy/modules/services/pingd.if --- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pingd.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,99 @@ +## policy for pingd + +######################################## +## +## Execute a domain transition to run pingd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`pingd_domtrans',` + gen_require(` + type pingd_t, pingd_exec_t; + ') + + domtrans_pattern($1,pingd_exec_t,pingd_t) +') + +####################################### +## +## Read pingd etc configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pingd_read_etc',` + gen_require(` + type pingd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, pingd_etc_t, pingd_etc_t) +') + +####################################### +## +## Manage pingd etc configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pingd_manage_etc',` + gen_require(` + type pingd_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) + manage_files_pattern($1, pingd_etc_t, pingd_etc_t) + +') + +####################################### +## +## All of the rules required to administrate +## an pingd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the pingd domain. 
+## +## +## +# +interface(`pingd_admin',` + gen_require(` + type pingd_t, pingd_etc_t; + type pingd_initrc_exec_t, pingd_modules_t; + ') + + allow $1 pingd_t:process { ptrace signal_perms }; + ps_process_pattern($1, pingd_t) + + init_labeled_script_domtrans($1, pingd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pingd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, pingd_etc_t) + + files_list_usr($1) + admin_pattern($1, pingd_modules_t) + +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.12/policy/modules/services/pingd.te --- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pingd.te 2009-04-07 16:01:44.000000000 -0400 
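Review bot: `pingd_admin` in pingd.if contains `allow $1 pingd_t:process { ptrace signal_perms };`, so every domain handed this interface can attach to the daemon and inspect or alter its memory, which is more than starting, stopping and signalling it requires. Unless debugging the daemon is an intended admin task, `allow $1 pingd_t:process signal_perms;` is enough. Separately, `pingd_manage_etc` applies `manage_dirs_pattern` to `pingd_etc_t`, while pingd.fc in this patch labels only the regular file `/etc/pingd.conf` with that type, so the directory rule looks unnecessary.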
@@ -0,0 +1,54 @@
+policy_module(pingd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t);
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+libs_use_ld_so(pingd_t)
+libs_use_shared_libs(pingd_t)
+miscfiles_read_localization(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+permissive pingd_t;
+
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-04-07 16:01:44.000000000 -0400
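Review bot: `permissive pingd_t;` at the end of pingd.te means none of the rules above it are enforced for the daemon; violations are only logged. For a domain that holds `net_raw` and binds raw and TCP sockets this should be a temporary state, so I would add a comment such as `# TODO: remove once AVC denials have been collected` and drop the line before the module is shipped as enforcing. `files_type(pingd_etc_t);` also carries a stray trailing semicolon that the sibling `files_type(pingd_modules_t)` does not have.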
@@ -0,0 +1,11 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-04-07 16:01:44.000000000 -0400
@@ -0,0 +1,241 @@ + +## policy for polkit_auth + +######################################## +## +## Execute a domain transition to run polkit_auth. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_auth',` + gen_require(` + type polkit_auth_t; + type polkit_auth_exec_t; + ') + + domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) +') + +######################################## +## +## Search polkit lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_search_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + allow $1 polkit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## read polkit lib files +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_read_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) + + # Broken placement + cron_read_system_job_lib_files($1) +') + +######################################## +## +## read polkit reload files +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_read_reload',` + gen_require(` + type polkit_reload_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, polkit_reload_t, polkit_reload_t) +') + +######################################## +## +## rw polkit reload files +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_rw_reload',` + gen_require(` + type polkit_reload_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, polkit_reload_t, polkit_reload_t) +') + +######################################## +## +## Execute a domain transition to run polkit_grant. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`polkit_domtrans_grant',` + gen_require(` + type polkit_grant_t; + type polkit_grant_exec_t; + ') + + domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) +') + +######################################## +## +## Execute a domain transition to run polkit_resolve. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_resolve',` + gen_require(` + type polkit_resolve_t; + type polkit_resolve_exec_t; + ') + + domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) + + allow polkit_resolve_t $1:dir list_dir_perms; + read_files_pattern(polkit_resolve_t, $1, $1) + read_lnk_files_pattern(polkit_resolve_t, $1, $1) + allow polkit_resolve_t $1:process getattr; +') + +######################################## +## +## Execute a policy_grant in the policy_grant domain, and +## allow the specified role the policy_grant domain, +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the load_policy domain. +## +## +## +# +interface(`polkit_run_grant',` + gen_require(` + type polkit_grant_t; + ') + + polkit_domtrans_grant($1) + role $2 types polkit_grant_t; + allow $1 polkit_grant_t:process signal; + read_files_pattern(polkit_grant_t, $1, $1) + allow polkit_grant_t $1:process getattr; +') + +######################################## +## +## Execute a policy_auth in the policy_auth domain, and +## allow the specified role the policy_auth domain, +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the load_policy domain. +## +## +# +interface(`polkit_run_auth',` + gen_require(` + type polkit_auth_t; + ') + + polkit_domtrans_auth($1) + role $2 types polkit_auth_t; +') + +####################################### +## +## The per role template for the nsplugin module. +## +## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. 
+## +## +## +# +template(`polkit_role',` + polkit_run_auth($2, $1) + polkit_run_grant($2, $1) + polkit_read_lib($2) + polkit_read_reload($2) +') + +######################################## +## +## Send and receive messages from +## polkit over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_dbus_chat',` + gen_require(` + type polkit_t; + class dbus send_msg; + ') + + allow $1 polkit_t:dbus send_msg; + allow polkit_t $1:dbus send_msg; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.12/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/polkit.te 2009-04-07 16:01:44.000000000 -0400 
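Review bot: `polkit_read_lib` in polkit.if ends with `cron_read_system_job_lib_files($1)` under the comment `# Broken placement`, so every domain that only asks to read polkit's lib files also receives read access to the system cron job files, and the call is not wrapped in an optional block. The rule belongs in the .te of whichever domain actually needs it, as polkit.te in this patch already does for `polkit_auth_t`, rather than in a shared interface. The doc comments also carry copy-paste leftovers that will mislead callers: `polkit_role` is summarised as `The per role template for the nsplugin module`, and `polkit_run_grant` and `polkit_run_auth` describe their role argument as `The role to be allowed the load_policy domain`.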
@@ -0,0 +1,237 @@ +policy_module(polkit_auth, 1.0.0) + +######################################## +# +# Declarations +# + +type polkit_t; +type polkit_exec_t; +init_daemon_domain(polkit_t, polkit_exec_t) + +type polkit_grant_t; +type polkit_grant_exec_t; +init_system_domain(polkit_grant_t, polkit_grant_exec_t) + +type polkit_resolve_t; +type polkit_resolve_exec_t; +init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) + +type polkit_auth_t; +type polkit_auth_exec_t; +init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + +type polkit_reload_t; +files_type(polkit_reload_t) + +type polkit_var_lib_t; +files_type(polkit_var_lib_t) + +type polkit_var_run_t; +files_pid_file(polkit_var_run_t) + +######################################## +# +# polkit local policy +# + +allow polkit_t self:capability { setgid setuid }; +allow polkit_t self:process getattr; + +allow polkit_t self:unix_dgram_socket create_socket_perms; +allow polkit_t self:fifo_file rw_file_perms; +allow polkit_t self:unix_stream_socket create_stream_socket_perms; + +polkit_domtrans_auth(polkit_t) +polkit_domtrans_resolve(polkit_t) + +can_exec(polkit_t, polkit_exec_t) +corecmd_exec_bin(polkit_t) + +domain_use_interactive_fds(polkit_t) + +files_read_etc_files(polkit_t) +files_read_usr_files(polkit_t) + +fs_list_inotifyfs(polkit_t) + +kernel_read_kernel_sysctls(polkit_t) + +auth_use_nsswitch(polkit_t) + +miscfiles_read_localization(polkit_t) + +logging_send_syslog_msg(polkit_t) + +manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) + +rw_files_pattern(polkit_t, polkit_reload_t, polkit_reload_t) + +# pid file +manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) +files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) + +userdom_read_all_users_state(polkit_t) + +optional_policy(` + dbus_system_domain(polkit_t, polkit_exec_t) + + optional_policy(` + consolekit_dbus_chat(polkit_t) + ') +') + 
+######################################## +# +# polkit_auth local policy +# + +allow polkit_auth_t self:capability setgid; +allow polkit_auth_t self:process { getattr }; + +allow polkit_auth_t self:unix_dgram_socket create_socket_perms; +allow polkit_auth_t self:fifo_file rw_file_perms; +allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_auth_t, polkit_auth_exec_t) +corecmd_search_bin(polkit_auth_t) + +domain_use_interactive_fds(polkit_auth_t) + +files_read_etc_files(polkit_auth_t) +files_read_usr_files(polkit_auth_t) + +auth_use_nsswitch(polkit_auth_t) + +miscfiles_read_localization(polkit_auth_t) + +logging_send_syslog_msg(polkit_auth_t) + +manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) +rw_files_pattern(polkit_auth_t, polkit_reload_t, polkit_reload_t) + +# pid file +manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) +manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) +files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) + +userdom_dontaudit_read_user_home_content_files(polkit_auth_t) + +optional_policy(` + cron_read_system_job_lib_files(polkit_auth_t) +') + +optional_policy(` + dbus_system_domain( polkit_auth_t, polkit_auth_exec_t) + + dbus_session_bus_client(polkit_auth_t) + + optional_policy(` + consolekit_dbus_chat(polkit_auth_t) + ') +') + +optional_policy(` + kernel_search_proc(polkit_auth_t) + hal_read_state(polkit_auth_t) +') + +optional_policy(` + xserver_xdm_append_log(polkit_auth_t) +') + +######################################## +# +# polkit_grant local policy +# + +allow polkit_grant_t self:capability setuid; +allow polkit_grant_t self:process getattr; + +allow polkit_grant_t self:unix_dgram_socket create_socket_perms; +allow polkit_grant_t self:fifo_file rw_file_perms; +allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_grant_t, polkit_grant_exec_t) +corecmd_search_bin(polkit_grant_t) + 
+files_read_etc_files(polkit_grant_t) +files_read_usr_files(polkit_grant_t) + +auth_use_nsswitch(polkit_grant_t) +auth_domtrans_chk_passwd(polkit_grant_t) + +miscfiles_read_localization(polkit_grant_t) + +logging_send_syslog_msg(polkit_grant_t) + +polkit_domtrans_auth(polkit_grant_t) +polkit_domtrans_resolve(polkit_grant_t) + +manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) + +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) +rw_files_pattern(polkit_grant_t, polkit_reload_t, polkit_reload_t) +userdom_read_all_users_state(polkit_grant_t) + +optional_policy(` + cron_manage_system_job_lib_files(polkit_grant_t) +') + +optional_policy(` + dbus_system_bus_client(polkit_grant_t) + optional_policy(` + consolekit_dbus_chat(polkit_grant_t) + ') +') + +######################################## +# +# polkit_resolve local policy +# + +allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; +allow polkit_resolve_t self:process getattr; + +allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; +allow polkit_resolve_t self:fifo_file rw_file_perms; +allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) +read_files_pattern(polkit_resolve_t, polkit_reload_t, polkit_reload_t) + +can_exec(polkit_resolve_t, polkit_resolve_exec_t) +corecmd_search_bin(polkit_resolve_t) + +polkit_domtrans_auth(polkit_resolve_t) + +files_read_etc_files(polkit_resolve_t) +files_read_usr_files(polkit_resolve_t) + +auth_use_nsswitch(polkit_resolve_t) + +miscfiles_read_localization(polkit_resolve_t) + +logging_send_syslog_msg(polkit_resolve_t) + +userdom_read_all_users_state(polkit_resolve_t) +userdom_ptrace_all_users(polkit_resolve_t) +mcs_ptrace_all(polkit_resolve_t) + +optional_policy(` + dbus_system_bus_client(polkit_resolve_t) + optional_policy(` + consolekit_dbus_chat(polkit_resolve_t) + ') +') + +optional_policy(` + 
kernel_search_proc(polkit_resolve_t) + hal_read_state(polkit_resolve_t) +') + +optional_policy(` + unconfined_ptrace(polkit_resolve_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.12/policy/modules/services/portreserve.fc --- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/portreserve.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,12 @@ +# portreserve executable will have: +# label: system_u:object_r:portreserve_exec_t +# MLS sensitivity: s0 +# MCS categories: + +#exec +/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) + +/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) + +/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.12/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/portreserve.if 2009-04-07 16:01:44.000000000 -0400 
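Review bot: The polkit_resolve section of polkit.te stacks `sys_ptrace`, `userdom_ptrace_all_users(polkit_resolve_t)`, `mcs_ptrace_all(polkit_resolve_t)` and `unconfined_ptrace(polkit_resolve_t)` on one helper domain, which lets a program reachable through `polkit_domtrans_resolve` attach to user processes regardless of MCS category. If the helper only has to resolve a caller's executable from /proc (an assumption from the binary name polkit-resolve-exe-helper), the existing `userdom_read_all_users_state(polkit_resolve_t)` may already cover most of it. Please add a comment stating which denial each ptrace rule fixes and drop the ones that have none. The module is also declared as `policy_module(polkit_auth, 1.0.0)`, which does not match the file name polkit.te.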
@@ -0,0 +1,66 @@ +## policy for portreserve + +######################################## +## +## Execute a domain transition to run portreserve. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`portreserve_domtrans',` + gen_require(` + type portreserve_t, portreserve_exec_t; + ') + + domtrans_pattern($1,portreserve_exec_t,portreserve_t) +') + +####################################### +## +## Allow the specified domain to read +## portreserve etcuration files. +## +## +## +## Domain allowed access. +## +## +## +## +# +interface(`portreserve_read_etc',` + gen_require(` + type portreserve_etc_t; + ') + + files_search_etc($1) + allow $1 portreserve_etc_t:dir list_dir_perms; + read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') + +####################################### +## +## Allow the specified domain to manage +## portreserve etcuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`portreserve_manage_etc',` + gen_require(` + type portreserve_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) + manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.12/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/portreserve.te 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,51 @@ +policy_module(portreserve,1.0.0) + +######################################## +# +# Declarations +# + +type portreserve_t; +type portreserve_exec_t; +init_daemon_domain(portreserve_t, portreserve_exec_t) + +type portreserve_etc_t; +files_type(portreserve_etc_t) + +type portreserve_var_run_t; +files_pid_file(portreserve_var_run_t) + +######################################## +# +# Portreserve local policy +# +allow portreserve_t self:fifo_file rw_fifo_file_perms; +allow portreserve_t self:unix_stream_socket create_stream_socket_perms; +allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; +allow portreserve_t self:tcp_socket create_socket_perms; +allow portreserve_t self:udp_socket create_socket_perms; + +# Read etc files +list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) +read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) + +# Manage /var/run/portreserve/* +manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) + +corenet_all_recvfrom_unlabeled(portreserve_t) +corenet_all_recvfrom_netlabel(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) +corenet_tcp_bind_generic_node(portreserve_t) +corenet_udp_bind_generic_node(portreserve_t) +corenet_udp_bind_all_ports(portreserve_t) + +files_read_etc_files(portreserve_t) + +# Init script handling +#init_use_fds(portreserve_t) +#init_use_script_ptys(portreserve_t) +#domain_use_interactive_fds(portreserve_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.12/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 
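Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` appears twice in a row in portreserve.te; the second line is redundant and can be removed. The three commented-out lines under `# Init script handling` should be either enabled or deleted so the module does not ship dead rules. The domain may bind every TCP and UDP port but is given no `net_bind_service` capability, so binding ports below 1024 would presumably be denied; confirm against the audit log whether `allow portreserve_t self:capability net_bind_service;` is needed.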
2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/postfix.fc 2009-04-07 16:01:44.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-20 07:42:10.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) can_exec(postfix_$1_t, postfix_$1_exec_t) @@ -79,6 +80,7 @@ files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) + files_search_all_mountpoints(postfix_$1_t) init_dontaudit_use_fds(postfix_$1_t) init_sigchld(postfix_$1_t) 
@@ -174,9 +176,8 @@ type postfix_etc_t; ') - allow $1 postfix_etc_t:dir list_dir_perms; - allow $1 postfix_etc_t:file read_file_perms; - allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) files_search_etc($1) ') @@ -232,6 +233,25 @@ ######################################## ## +## Allow read/write postfix local pipes +## TCP sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`postfix_rw_local_pipes',` + gen_require(` + type postfix_local_t; + ') + + allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## ## Allow domain to read postfix local process state ## ## @@ -378,7 +398,7 @@ ##
## # -interface(`postfix_create_pivate_sockets',` +interface(`postfix_create_private_sockets',` gen_require(` type postfix_private_t; ') @@ -389,6 +409,25 @@ ######################################## ## +## manage named socket in a postfix private directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_manage_private_sockets',` + gen_require(` + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; + manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) +') + +######################################## +## ## Execute the master postfix program in the ## postfix_master domain. ## @@ -418,10 +457,10 @@ # interface(`postfix_search_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') - allow $1 postfix_spool_t:dir search_dir_perms; + allow $1 postfix_spool_type:dir search_dir_perms; files_search_spool($1) ') @@ -437,11 +476,30 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; + ') + + allow $1 postfix_spool_type:dir list_dir_perms; + files_search_spool($1) +') + +######################################## +## +## Getattr postfix mail spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; ') - allow $1 postfix_spool_t:dir list_dir_perms; files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## @@ -456,16 +514,16 @@ # interface(`postfix_read_spool_files',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) + read_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## ## -## Create, read, write, and delete postfix mail spool files. +## Manage postfix mail spool files. ## ## ## 
@@ -475,11 +533,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ') files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## @@ -500,3 +558,43 @@ typeattribute $1 postfix_user_domtrans; ') + +######################################## +## +## Execute the master postdrop in the +## postfix_postdrop domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_domtrans_postdrop',` + gen_require(` + type postfix_postdrop_t, postfix_postdrop_exec_t; + ') + + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + +######################################## +## +## Execute the master postdrop in the +## postfix_postdrop domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_run_postdrop',` + gen_require(` + type postfix_postdrop_t; + ') + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # +## +##
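Review bot: Switching `postfix_manage_spool_files` from `postfix_spool_t` to the `postfix_spool_type` attribute silently widens every existing caller from the main spool to the bounce, maildrop and flush spools, which are the types tagged with that attribute in postfix.te. The same widening applies to `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` in the earlier hunks of this file. For the manage interface I would keep `manage_files_pattern($1, postfix_spool_t, postfix_spool_t)` and add a separately named interface for callers that need all spool types, so the broader grant is visible at the call site.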
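Review bot: `postfix_run_postdrop` uses `$2` in `role $2 types postfix_postdrop_t;` but its header documents only the domain parameter, and its summary is a copy of the one on `postfix_domtrans_postdrop`. Document the second argument, for example `The role to be allowed the postfix_postdrop domain.`, and reword the summary to say that the interface also authorises the role. In the earlier `@@ -232,6 +233,25 @@` hunk, `postfix_rw_local_pipes` has similar leftovers: the summary mentions `TCP sockets` and the parameter reads `Domain to not audit`, although the rule is an `allow` on `fifo_file`.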

+## Allow postfix_local domain full write access to mail_spool directories +## +##

+##
+gen_tunable(allow_postfix_local_write_mail_spool, false) + +attribute postfix_spool_type; attribute postfix_user_domains; # domains that transition to the # postfix user domains @@ -13,13 +22,13 @@ postfix_server_domain_template(bounce) -type postfix_spool_bounce_t; +type postfix_spool_bounce_t, postfix_spool_type; files_type(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) type postfix_etc_t; -files_type(postfix_etc_t) +files_config_file(postfix_etc_t) type postfix_exec_t; application_executable_file(postfix_exec_t) @@ -27,6 +36,12 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) +userdom_read_user_home_content_files(postfix_local_t) + +tunable_policy(`allow_postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) +') + type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) @@ -34,6 +49,7 @@ type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t, postfix_map_exec_t) +role system_r types postfix_map_t; type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) @@ -68,13 +84,13 @@ postfix_server_domain_template(smtpd) -type postfix_spool_t; +type postfix_spool_t, postfix_spool_type; files_type(postfix_spool_t) -type postfix_spool_maildrop_t; +type postfix_spool_maildrop_t, postfix_spool_type; files_type(postfix_spool_maildrop_t) -type postfix_spool_flush_t; +type postfix_spool_flush_t, postfix_spool_type; files_type(postfix_spool_flush_t) type postfix_public_t; @@ -103,6 +119,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; +allow postfix_master_t self:process setrlimit; allow postfix_master_t postfix_etc_t:file rw_file_perms; 
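Review bot: `userdom_read_user_home_content_files(postfix_local_t)` in the `@@ -27,6 +36,12 @@` hunk is added unconditionally, so the local delivery agent can read user home content on every system, while the neighbouring `mta_manage_spool(postfix_local_t)` grant is gated behind the new `allow_postfix_local_write_mail_spool` tunable. If the intent is only to read per-user forwarding files (an assumption; the hunk does not say), a comment stating that would help, and a narrower type or a tunable would limit what a compromised `postfix_local_t` can read. Both rules also sit in the Declarations section rather than under the `Postfix local local policy` banner further down the file.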
@@ -132,6 +149,7 @@ # allow access to deferred queue and allow removing bogus incoming entries manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; allow postfix_master_t postfix_spool_bounce_t:file getattr; @@ -142,6 +160,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) kernel_read_all_sysctls(postfix_master_t) @@ -153,6 +172,9 @@ corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) +corenet_udp_bind_generic_node(postfix_master_t) +corenet_udp_bind_all_unreserved_ports(postfix_master_t) +corenet_dontaudit_udp_bind_all_ports(postfix_master_t) corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) @@ -170,6 +192,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) +files_search_tmp(postfix_master_t) term_dontaudit_search_ptys(postfix_master_t) @@ -181,15 +205,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) -ifdef(`distro_redhat',` - # for newer main.cf that uses /etc/aliases - mta_manage_aliases(postfix_master_t) - mta_etc_filetrans_aliases(postfix_master_t) +optional_policy(` + cyrus_stream_connect(postfix_master_t) ') optional_policy(` - cyrus_stream_connect(postfix_master_t) + kerberos_keytab_template(postfix, postfix_t) ') optional_policy(` 
@@ -202,9 +225,29 @@ ') optional_policy(` + postgrey_search_spool(postfix_master_t) +') + +optional_policy(` sendmail_signal(postfix_master_t) ') +########################################################### +# +# Partially converted rules. THESE ARE ONLY TEMPORARY +# + +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + allow postfix_master_t etc_aliases_t:dir manage_dir_perms; + allow postfix_master_t etc_aliases_t:file manage_file_perms; + allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms; + mta_etc_filetrans_aliases(postfix_master_t) + filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file }) +') + +# end partially converted rules + ######################################## # # Postfix bounce local policy @@ -219,6 +262,7 @@ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) @@ -240,11 +284,16 @@ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) +optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +') + ######################################## # # Postfix local local policy 
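Review bot: The `distro_redhat` block under "Partially converted rules" writes three raw `allow` rules against `etc_aliases_t`, a type this module does not declare in any visible hunk and which the removed code reached through `mta_manage_aliases(postfix_master_t)`. Referring to another module's type directly bypasses the interface layer, and the banner calls the rules temporary without saying what must change before they can go. Either keep the `mta_manage_aliases` call, or add a `gen_require` for `etc_aliases_t` with a comment naming the interface meant to replace these lines. The new `filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file })` also relabels everything the master creates under a `postfix_etc_t` directory, not only the aliases database, which deserves its own comment.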
@@ -270,18 +319,29 @@ files_read_etc_files(postfix_local_t) +logging_dontaudit_search_logs(postfix_local_t) + mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) +domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) + optional_policy(` clamav_search_lib(postfix_local_t) + clamav_exec_clamscan(postfix_local_t) ') optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) +') + +optional_policy(` + nagios_search_spool(postfix_local_t) ') optional_policy(` @@ -292,8 +352,7 @@ # # Postfix map local policy # - -allow postfix_map_t self:capability setgid; +allow postfix_map_t self:capability { dac_override setgid setuid }; allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; @@ -340,10 +399,6 @@ miscfiles_read_localization(postfix_map_t) -seutil_read_config(postfix_map_t) - -userdom_use_user_terminals(postfix_map_t) - tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) @@ -356,6 +411,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') +optional_policy(` +# for postalias + mailman_manage_data_files(postfix_map_t) +') + ######################################## # # Postfix pickup local policy @@ -380,6 +440,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; +allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) @@ -387,6 +448,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + +optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) +') + optional_policy(` procmail_domtrans(postfix_pipe_t) ') 
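Review bot: `allow postfix_map_t self:capability { dac_override setgid setuid };` adds `dac_override` and `setuid` to the map tool's domain without a comment. `dac_override` lets the process ignore file mode bits on every object its type enforcement rules already reach, so it needs a stated reason; a denial caused by a map file owned by the wrong user is usually better fixed by ownership than by capability. Add a why-comment above the rule, and check whether `dac_read_search` alone would satisfy the access that prompted it.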
@@ -396,6 +463,15 @@ ') optional_policy(` + mta_manage_spool(postfix_pipe_t) + mta_send_mail(postfix_pipe_t) +') + +optional_policy(` + spamassassin_domtrans_client(postfix_pipe_t) +') + +optional_policy(` uucp_domtrans_uux(postfix_pipe_t) ') @@ -432,8 +508,11 @@ ') optional_policy(` - ppp_use_fds(postfix_postqueue_t) - ppp_sigchld(postfix_postqueue_t) + sendmail_rw_unix_stream_sockets(postfix_postdrop_t) +') + +optional_policy(` + uucp_manage_spool(postfix_postdrop_t) ') ####################################### @@ -459,6 +538,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) +optional_policy(` + cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) +') + +optional_policy(` + ppp_use_fds(postfix_postqueue_t) + ppp_sigchld(postfix_postqueue_t) +') + ######################################## # # Postfix qmgr local policy @@ -472,6 +560,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -513,7 +602,7 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; -files_dontaudit_getattr_home_dir(postfix_smtp_t) +files_search_all_mountpoints(postfix_smtp_t) optional_policy(` cyrus_stream_connect(postfix_smtp_t) @@ -543,9 +632,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) + +# postfix checks the size of all mounted file systems +fs_getattr_all_dirs(postfix_smtpd_t) +fs_getattr_all_fs(postfix_smtpd_t) + mta_read_aliases(postfix_smtpd_t) optional_policy(` + dovecot_auth_stream_connect(postfix_smtpd_t) +') + +optional_policy(` mailman_read_data_files(postfix_smtpd_t) ') 
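Review bot: `mta_manage_spool(postfix_pipe_t)` gives the pipe delivery domain full manage rights on the mail spool unconditionally, whereas the same interface for `postfix_local_t` earlier in this file is placed inside `tunable_policy(`allow_postfix_local_write_mail_spool', ...)`. The two delivery agents should follow the same rule unless there is a reason to differ, and the reason is not stated here. Wrapping `mta_manage_spool` and `mta_send_mail` in `optional_policy` is also inconsistent with the rest of postfix.te, which calls `mta_read_aliases`, `mta_delete_spool` and `mta_read_config` without it.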
@@ -572,15 +670,21 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process -stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t) +stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) files_read_etc_files(postfix_virtual_t) +files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) + +userdom_manage_user_home_dirs(postfix_virtual_t) +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.12/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/postgresql.fc 2009-04-07 16:01:44.000000000 -0400 @@ -2,6 +2,7 @@ # /etc # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) # # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.12/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/postgresql.if 2009-04-07 16:01:44.000000000 -0400 
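Review bot: The four `userdom_*` rules at the end of the postfix_virtual hunk let `postfix_virtual_t` create, modify and delete user home directories and everything labelled as user home content, and they are unconditional. That is a much wider write surface than the `mta_manage_spool(postfix_virtual_t)` already present, and it is granted to a domain that processes mail arriving from the network. If the purpose is virtual mailboxes kept under home directories (the hunk does not say), put the four rules behind a tunable in the way `allow_postfix_local_write_mail_spool` gates the local agent, and add a comment stating the use case. The `{file dir }` spacing in the last rule differs from `{ file dir }` used a few lines above.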
@@ -351,3 +351,46 @@ typeattribute $1 sepgsql_unconfined_type; ') + +######################################## +## +## All of the rules required to administrate an postgresql environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postgresql domain. +## +## +## +# +interface(`postgresql_admin',` + gen_require(` + type postgresql_t, postgresql_var_run_t; + type postgresql_tmp_t, postgresql_db_t; + type postgresql_etc_t, postgresql_log_t; + type postgresql_initrc_exec_t; + ') + + allow $1 postgresql_t:process { ptrace signal_perms }; + ps_process_pattern($1, postgresql_t) + + init_labeled_script_domtrans($1, postgresql_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, postgresql_var_run_t) + + admin_pattern($1, postgresql_db_t) + + admin_pattern($1, postgresql_etc_t) + + admin_pattern($1, postgresql_log_t) + + admin_pattern($1, postgresql_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-02-03 22:50:50.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-04-07 16:01:44.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) +type postgresql_initrc_exec_t; +init_script_file(postgresql_initrc_exec_t) + type postgresql_lock_t; files_lock_file(postgresql_lock_t) @@ -124,6 +127,7 @@ dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; allow postgresql_t self:fifo_file rw_fifo_file_perms; +allow postgresql_t self:file { getattr read }; allow postgresql_t self:sem create_sem_perms; allow postgresql_t self:shm create_shm_perms; allow postgresql_t self:tcp_socket create_stream_socket_perms; 
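Review bot: `postgresql_admin` grants `ptrace` on `postgresql_t` together with the signal permissions, which lets the admin domain read and modify the database server's memory rather than only start, stop and signal it. Since this interface will be handed to confined administrator roles, the header comment should say that process tracing is included, so nobody assigns it expecting file management only. The `gen_require` list also omits `postgresql_lock_t`, which postgresql.te declares (visible as context in the first postgresql.te hunk), so lock files are not covered by any `admin_pattern`. The summary reads "an postgresql environment" where "a postgresql environment" is meant.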
@@ -178,7 +182,7 @@ manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) -files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) +files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(postgresql_t) kernel_read_system_state(postgresql_t) @@ -194,6 +198,7 @@ corenet_udp_sendrecv_generic_node(postgresql_t) corenet_tcp_sendrecv_all_ports(postgresql_t) corenet_udp_sendrecv_all_ports(postgresql_t) +corenet_udp_bind_generic_node(postgresql_t) corenet_tcp_bind_generic_node(postgresql_t) corenet_tcp_bind_postgresql_port(postgresql_t) corenet_tcp_connect_auth_port(postgresql_t) @@ -304,7 +309,7 @@ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute install }; -allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint }; +allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; 
@@ -345,7 +350,7 @@ # unconfined domain is not allowed to invoke user defined procedure directly. # They have to confirm and relabel it at first. -allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *; +allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *; allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.12/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/ppp.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,7 +1,7 @@ # # /etc # -/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) +/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) @@ -8,9 +8,8 @@ /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) /etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) - # Fix /etc/ppp {up,down} family scripts (see man pppd) -/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0) +/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) # # /sbin diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-04-07 16:01:44.000000000 -0400 
@@ -58,6 +58,25 @@ ######################################## ## +## Send ppp a kill signal +## +## +## +## Domain allowed access. +## +## +# +# +interface(`ppp_kill',` + gen_require(` + type pppd_t; + ') + + allow $1 pppd_t:process sigkill; +') + +######################################## +## ## Send a generic signal to PPP. ## ## @@ -298,6 +317,24 @@ ######################################## ## +## Execute ppp server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`ppp_initrc_domtrans',` + gen_require(` + type pppd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, pppd_initrc_exec_t) +') + +######################################## +## ## All of the rules required to administrate ## an ppp environment ## 
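Review bot: The summary of `ppp_initrc_domtrans` says "Execute ppp server in the ntpd domain", which appears to be copied from another module. The body calls `init_labeled_script_domtrans($1, pppd_initrc_exec_t)`, so the text should be along the lines of `## Execute the ppp init script in the init script domain.`. The parameter description "The type of the process performing this action" would be clearer as "Domain allowed to transition", the wording used by the other interfaces on this page. In the `ppp_kill` hunk above there is a doubled `#` line before `interface(` that the other new interfaces do not have.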
@@ -315,33 +352,39 @@ type pppd_etc_rw_t, pppd_var_run_t; type pptp_t, pptp_log_t, pptp_var_run_t; + type pppd_initrc_exec_t; ') allow $1 pppd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, pppd_t) + ppp_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pppd_initrc_exec_t system_r; + allow $2 system_r; + files_list_tmp($1) - manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t) + admin_pattern($1, pppd_tmp_t) logging_list_logs($1) - manage_files_pattern($1, pppd_log_t, pppd_log_t) + admin_pattern($1, pppd_log_t) - manage_files_pattern($1, pppd_lock_t, pppd_lock_t) + admin_pattern($1, pppd_lock_t) files_list_etc($1) - manage_files_pattern($1, pppd_etc_t, pppd_etc_t) + admin_pattern($1, pppd_etc_t) - manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t) + admin_pattern($1, pppd_etc_rw_t) - manage_files_pattern($1, pppd_secret_t, pppd_secret_t) + admin_pattern($1, pppd_secret_t) files_list_pids($1) - manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) + admin_pattern($1, pppd_var_run_t) allow $1 pptp_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, pptp_t) - manage_files_pattern($1, pptp_log_t, pptp_log_t) + admin_pattern($1, pptp_log_t) - manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) + admin_pattern($1, pptp_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.12/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ppp.te 2009-04-07 16:01:44.000000000 -0400 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) -type pppd_script_exec_t; -files_type(pppd_script_exec_t) +type pppd_initrc_exec_t; +files_type(pppd_initrc_exec_t) # pppd_secret_t is the type of the pap and chap password files type pppd_secret_t; 
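Review bot: In ppp.te the renamed `pppd_initrc_exec_t` is still declared with `files_type()`, while the other init script types this patch introduces (`postgresql_initrc_exec_t`, `prelude_initrc_exec_t`) use `init_script_file()`. Both `ppp_initrc_domtrans` and `ppp_admin` pass this type to init-script machinery (`init_labeled_script_domtrans`, `role_transition $2 pppd_initrc_exec_t system_r`), so if `init_script_file()` is what registers a type as an entrypoint for the init script domain, those transitions will not work as intended for ppp. I would change the second line to `init_script_file(pppd_initrc_exec_t)`. ppp.fc also puts this label on the `/etc/ppp/(auth|ip(v6|x)?)-(up|down)` hook scripts, which are not init scripts; giving them their own type would stop the administrator role transition from applying to them.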
@@ -114,6 +114,8 @@ # Access secret files allow pppd_t pppd_secret_t:file read_file_perms; +ppp_initrc_domtrans(pppd_t) + kernel_read_kernel_sysctls(pppd_t) kernel_read_system_state(pppd_t) kernel_rw_net_sysctls(pppd_t) @@ -161,6 +163,7 @@ init_read_utmp(pppd_t) init_dontaudit_write_utmp(pppd_t) +init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) @@ -174,7 +177,6 @@ userdom_use_user_terminals(pppd_t) userdom_dontaudit_use_unpriv_user_fds(pppd_t) -# for ~/.ppprc - if it actually exists then you need some policy to read it userdom_search_user_home_dirs(pppd_t) ppp_exec(pppd_t) @@ -191,6 +193,8 @@ optional_policy(` mta_send_mail(pppd_t) + mta_system_content(pppd_etc_t) + mta_system_content(pppd_etc_rw_t) ') optional_policy(` @@ -214,7 +218,7 @@ # PPTP Local policy # -allow pptp_t self:capability net_raw; +allow pptp_t self:capability { net_raw net_admin }; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; allow pptp_t self:fifo_file rw_fifo_file_perms; @@ -222,14 +226,16 @@ allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow pptp_t self:rawip_socket create_socket_perms; allow pptp_t self:tcp_socket create_socket_perms; +allow pptp_t self:udp_socket create_socket_perms; +allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -allow pptp_t pppd_etc_t:lnk_file { getattr read }; +allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; -allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; +allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; can_exec(pptp_t, pppd_etc_rw_t) # Allow pptp to append to pppd log files 
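Review bot: `allow pptp_t self:capability { net_raw net_admin };` adds `net_admin` without a comment, and later hunks in this file add `corecmd_exec_shell(pptp_t)` and replace `sysnet_read_config(pptp_t)` with `sysnet_exec_ifconfig(pptp_t)`. Together these let the PPTP client run a shell and ifconfig inside its own domain while holding the capability to reconfigure interfaces and routes, a noticeably larger privilege set for a process that talks to a remote peer. If the goal is only to bring the tunnel interface up, `sysnet_domtrans_ifconfig(pptp_t)` would keep `net_admin` in the ifconfig domain instead of `pptp_t`. If in-domain execution is really needed, add a why-comment above the capability rule and confirm that dropping `sysnet_read_config` was intended.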
@@ -245,9 +251,13 @@ kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) kernel_read_proc_symlinks(pptp_t) +kernel_read_system_state(pptp_t) dev_read_sysfs(pptp_t) +corecmd_exec_shell(pptp_t) +corecmd_read_bin_symlinks(pptp_t) + corenet_all_recvfrom_unlabeled(pptp_t) corenet_all_recvfrom_netlabel(pptp_t) corenet_tcp_sendrecv_generic_if(pptp_t) @@ -263,17 +273,21 @@ fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) +files_read_etc_files(pptp_t) + term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) domain_use_interactive_fds(pptp_t) +auth_use_nsswitch(pptp_t) + logging_send_syslog_msg(pptp_t) miscfiles_read_localization(pptp_t) -sysnet_read_config(pptp_t) +sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_search_user_home_dirs(pptp_t) @@ -283,11 +297,15 @@ ') optional_policy(` - hostname_exec(pptp_t) + dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` + networkmanager_dbus_chat(pppd_t) + ') ') optional_policy(` - nscd_socket_use(pptp_t) + hostname_exec(pptp_t) ') optional_policy(` @@ -301,6 +319,3 @@ optional_policy(` postfix_read_config(pppd_t) ') - -# FIXME: -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.12/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/prelude.fc 2009-04-07 16:01:44.000000000 -0400 
@@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + +/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) +/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) + /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) @@ -5,7 +11,15 @@ /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) +/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) + /var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) /var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) + +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) + +/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.12/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/prelude.if 2009-04-07 16:01:44.000000000 -0400 @@ -6,7 +6,7 @@ ##
## ## -## Domain allowed to transition. +## Domain allowed access. ## ## # @@ -42,7 +42,7 @@ ##
## ## -## Domain allowed acccess. +## Domain allowed to transition. ## ## # @@ -56,6 +56,45 @@ ######################################## ## +## Read the prelude spool files +## +## +## +## Domain allowed access. +## +## +# +interface(`prelude_read_spool',` + gen_require(` + type prelude_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## +## Manage to prelude-manager spool files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`prelude_manage_spool',` + gen_require(` + type prelude_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) + manage_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## ## All of the rules required to administrate ## an prelude environment ## @@ -64,6 +103,11 @@ ## Domain allowed access. ##
## +## +## +## The role to be allowed to manage the syslog domain. +## +## ## # interface(`prelude_admin',` @@ -71,6 +115,10 @@ type prelude_t, prelude_spool_t; type prelude_var_run_t, prelude_var_lib_t; type prelude_audisp_t, prelude_audisp_var_run_t; + type prelude_initrc_exec_t; + + type prelude_lml_t, prelude_lml_tmp_t; + type prelude_lml_var_run_t; ') allow $1 prelude_t:process { ptrace signal_perms }; @@ -79,11 +127,18 @@ allow $1 prelude_audisp_t:process { ptrace signal_perms }; ps_process_pattern($1, prelude_audisp_t) - manage_files_pattern($1, prelude_spool_t, prelude_spool_t) - - manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t) - - manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t) + allow $1 prelude_lml_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_lml_t) - manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t) + init_labeled_script_domtrans($1, prelude_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 prelude_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, prelude_spool_t) + admin_pattern($1, prelude_var_lib_t) + admin_pattern($1, prelude_var_run_t) + admin_pattern($1, prelude_audisp_var_run_t) + admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.12/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/prelude.te 2009-04-07 16:01:44.000000000 -0400 
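Review bot: `prelude_admin` now covers the lml types but not the other types this patch adds in prelude.te: `prelude_log_t`, `prelude_correlator_t` and `prelude_correlator_config_t` are missing from the `gen_require` block and get no `admin_pattern` or process rule. A role built from this interface therefore cannot signal the correlator, edit its configuration or manage the prelude log files, which is probably not what "all of the rules required to administrate" is meant to deliver. The new parameter text in the preceding hunk says "The role to be allowed to manage the syslog domain"; it should name prelude.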
@@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) +type prelude_log_t; +logging_log_file(prelude_log_t) + type prelude_var_run_t; files_pid_file(prelude_var_run_t) type prelude_var_lib_t; files_type(prelude_var_lib_t) +type prelude_initrc_exec_t; +init_script_file(prelude_initrc_exec_t) + type prelude_audisp_t; type prelude_audisp_exec_t; init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) +typealias prelude_audisp_t alias audisp_prelude_t; +typealias prelude_audisp_exec_t alias audisp_prelude_exec_t; type prelude_audisp_var_run_t; files_pid_file(prelude_audisp_var_run_t) +typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t; + +type prelude_lml_t; +type prelude_lml_exec_t; +init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) + +type prelude_lml_var_run_t; +files_pid_file(prelude_lml_var_run_t) + +type prelude_lml_tmp_t; +files_tmp_file(prelude_lml_tmp_t) + +######################################## +# +# prelude_correlator declarations +# + +type prelude_correlator_t; +type prelude_correlator_exec_t; +init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) +role system_r types prelude_correlator_t; + +type prelude_correlator_config_t; +files_config_file(prelude_correlator_config_t) ######################################## # # prelude local policy # -allow prelude_t self:capability sys_tty_config; +allow prelude_t self:capability { dac_override sys_tty_config }; allow prelude_t self:fifo_file rw_file_perms; allow prelude_t self:unix_stream_socket create_stream_socket_perms; allow prelude_t self:netlink_route_socket r_netlink_socket_perms; @@ -49,6 +81,9 @@ manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) files_pid_filetrans(prelude_t, prelude_var_run_t, file) +manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) +logging_log_filetrans(prelude_t, prelude_log_t, file) + corecmd_search_bin(prelude_t) corenet_all_recvfrom_unlabeled(prelude_t) 
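Review bot: `dac_override` is added to `prelude_t` at the end of this hunk and, in the following prelude.te hunks, to `prelude_audisp_t`, `prelude_correlator_t` and `prelude_lml_t`, each time without a comment. Four daemons from one package all needing to bypass file permission checks more often indicates one directory or file with the wrong owner than four separate requirements, though the hunks give no reason either way. Record above each rule which path triggered the denial, and check whether correcting ownership or granting `dac_read_search` would be sufficient. Separately, `role system_r types prelude_correlator_t;` follows an `init_daemon_domain()` call, and the other daemon domains declared in this hunk have no such line, so it is probably redundant.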
@@ -56,15 +91,25 @@ corenet_tcp_sendrecv_generic_if(prelude_t) corenet_tcp_sendrecv_generic_node(prelude_t) corenet_tcp_bind_generic_node(prelude_t) +corenet_tcp_bind_prelude_port(prelude_t) +corenet_tcp_connect_prelude_port(prelude_t) +corenet_tcp_connect_postgresql_port(prelude_t) dev_read_rand(prelude_t) dev_read_urand(prelude_t) +kernel_read_system_state(prelude_t) +kernel_read_sysctl(prelude_t) + # Init script handling domain_use_interactive_fds(prelude_t) files_read_etc_files(prelude_t) +files_read_etc_runtime_files(prelude_t) files_read_usr_files(prelude_t) +files_search_tmp(prelude_t) + +fs_rw_anon_inodefs_files(prelude_t) auth_use_nsswitch(prelude_t) @@ -86,7 +131,7 @@ # # prelude_audisp local policy # - +allow prelude_audisp_t self:capability dac_override; allow prelude_audisp_t self:fifo_file rw_file_perms; allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; @@ -107,6 +152,7 @@ corenet_tcp_sendrecv_generic_if(prelude_audisp_t) corenet_tcp_sendrecv_generic_node(prelude_audisp_t) corenet_tcp_bind_generic_node(prelude_audisp_t) +corenet_tcp_connect_prelude_port(prelude_audisp_t) dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) 
@@ -114,12 +160,135 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) +kernel_read_sysctl(prelude_audisp_t) +kernel_read_system_state(prelude_audisp_t) + files_read_etc_files(prelude_audisp_t) +files_read_etc_runtime_files(prelude_audisp_t) +files_search_tmp(prelude_audisp_t) logging_send_syslog_msg(prelude_audisp_t) +logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) miscfiles_read_localization(prelude_audisp_t) +sysnet_dns_name_resolve(prelude_audisp_t) + +######################################## +# +# prelude_correlator local policy +# + +allow prelude_correlator_t self:capability dac_override; +allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; + +allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) + +prelude_manage_spool(prelude_correlator_t) + +corecmd_search_bin(prelude_correlator_t) + +corenet_all_recvfrom_unlabeled(prelude_correlator_t) +corenet_all_recvfrom_netlabel(prelude_correlator_t) +corenet_tcp_sendrecv_generic_if(prelude_correlator_t) +corenet_tcp_sendrecv_generic_node(prelude_correlator_t) +corenet_tcp_connect_prelude_port(prelude_correlator_t) + +kernel_read_sysctl(prelude_correlator_t) + +dev_read_rand(prelude_correlator_t) +dev_read_urand(prelude_correlator_t) + +files_read_etc_files(prelude_correlator_t) +files_read_usr_files(prelude_correlator_t) +files_search_spool(prelude_correlator_t) + +logging_send_syslog_msg(prelude_correlator_t) + +miscfiles_read_localization(prelude_correlator_t) + +sysnet_dns_name_resolve(prelude_correlator_t) + +######################################## +# +# prelude_lml local declarations +# + +allow prelude_lml_t self:capability dac_override; + +# Init script handling 
+domain_use_interactive_fds(prelude_lml_t) + +allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; +allow prelude_lml_t self:unix_dgram_socket { write create connect }; +allow prelude_lml_t self:fifo_file rw_fifo_file_perms; +allow prelude_lml_t self:unix_stream_socket connectto; + +files_list_tmp(prelude_lml_t) +manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) + +files_search_spool(prelude_lml_t) +manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) + +files_search_var_lib(prelude_lml_t) +manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) +manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) + +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) + +corecmd_exec_bin(prelude_lml_t) + +corenet_tcp_sendrecv_generic_if(prelude_lml_t) +corenet_tcp_sendrecv_generic_node(prelude_lml_t) +corenet_tcp_recvfrom_netlabel(prelude_lml_t) +corenet_tcp_recvfrom_unlabeled(prelude_lml_t) +corenet_sendrecv_unlabeled_packets(prelude_lml_t) +corenet_tcp_connect_prelude_port(prelude_lml_t) + +dev_read_rand(prelude_lml_t) +dev_read_urand(prelude_lml_t) + +kernel_read_system_state(prelude_lml_t) +kernel_read_sysctl(prelude_lml_t) + +files_list_etc(prelude_lml_t) +files_read_etc_files(prelude_lml_t) +files_read_etc_runtime_files(prelude_lml_t) + +files_search_spool(prelude_lml_t) +files_search_usr(prelude_lml_t) +files_search_var_lib(prelude_lml_t) + +fs_list_inotifyfs(prelude_lml_t) +fs_read_anon_inodefs_files(prelude_lml_t) +fs_rw_anon_inodefs_files(prelude_lml_t) + +auth_use_nsswitch(prelude_lml_t) + +libs_exec_lib_files(prelude_lml_t) +libs_read_lib_files(prelude_lml_t) + 
+logging_send_syslog_msg(prelude_lml_t) +logging_read_generic_logs(prelude_lml_t) + +miscfiles_read_localization(prelude_lml_t) + +sysnet_dns_name_resolve(prelude_lml_t) + +userdom_read_all_users_state(prelude_lml_t) + +optional_policy(` + apache_search_sys_content(prelude_lml_t) + apache_read_log(prelude_lml_t) +') + ######################################## # # prewikka_cgi Declarations @@ -128,6 +297,20 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) + files_search_tmp(httpd_prewikka_script_t) + + kernel_read_sysctl(httpd_prewikka_script_t) + kernel_search_network_sysctl(httpd_prewikka_script_t) + + can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) + + corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) + + auth_use_nsswitch(httpd_prewikka_script_t) + + logging_send_syslog_msg(httpd_prewikka_script_t) + + apache_search_sys_content(httpd_prewikka_script_t) optional_policy(` mysql_search_db(httpd_prewikka_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-07 16:01:44.000000000 -0400 @@ -77,6 +77,7 @@ files_read_usr_files(procmail_t) logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) miscfiles_read_localization(procmail_t) @@ -92,6 +93,7 @@ userdom_dontaudit_search_user_home_dirs(procmail_t) mta_manage_spool(procmail_t) +mta_read_queue(procmail_t) ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) 
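Review bot: In the prelude_lml section, `allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };` and the `unix_dgram_socket` rule list permissions by hand where the rest of the file uses permission sets such as `create_socket_perms`, so the next missing permission will need another edit. `files_search_spool(prelude_lml_t)` and `files_search_var_lib(prelude_lml_t)` each appear twice, and `fs_read_anon_inodefs_files` sits directly above `fs_rw_anon_inodefs_files`, which by its name already includes it. `userdom_read_all_users_state(prelude_lml_t)` and `libs_exec_lib_files(prelude_lml_t)` are the two grants that most need a why-comment, since a log monitor reading every user's process state is not self-explanatory. The banner says "prelude_lml local declarations" although the section contains policy rules.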
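Review bot: `logging_append_all_logs(procmail_t)` in procmail.te lets procmail append to every file that carries a log type, so text derived from incoming mail and user recipes can end up in the logs of unrelated services. If the need is procmail's own log file, a dedicated log type with `logging_log_file()` and `logging_log_filetrans()` would confine the write, which is how this patch handles `prelude_log_t`. Otherwise add a comment above the rule naming the log file that requires it.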
@@ -128,6 +130,10 @@ ') optional_policy(` + nagios_search_spool(procmail_t) +') + +optional_policy(` pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.12/policy/modules/services/psad.fc --- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/psad.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1,17 @@ + + +/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) + +/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) + +/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) + +#/usr/sbin/psadwatchd -- gen_context(system_u:object_r:psadwatchd_exec_t,s0) + +#/usr/sbin/kmsgsd -- gen_context(system_u:object_r:kmsgsd_exec_t,s0) + +/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) + +/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) + +/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.12/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/psad.if 2009-04-07 16:01:44.000000000 -0400 
@@ -0,0 +1,304 @@
+## Psad SELinux policy
+
+########################################
+##
+## Execute a domain transition to run psad.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`psad_domtrans',`
+ gen_require(`
+ type psad_t, psad_exec_t;
+ ')
+
+ domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+##
+## Read and write psad UDP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_rw_udp_sockets',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:udp_socket { read write };
+')
+
+########################################
+##
+## Read and write psad packet sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_rw_packet_sockets',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:packet_socket { read write };
+')
+
+########################################
+##
+## Send a generic signal to psad
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_signal',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signal;
+')
+
+#######################################
+##
+## Send a null signal to psad.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_signull',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ allow $1 psad_t:process signull;
+')
+
+########################################
+##
+## Read psad etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`psad_read_etc',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+##
+## Manage psad etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`psad_manage_etc',`
+ gen_require(`
+ type psad_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+##
+## Read psad PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`psad_read_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+##
+## Read psad PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`psad_rw_pid_files',`
+ gen_require(`
+ type psad_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+##
+## Allow the specified domain to read psad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+#
+interface(`psad_read_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+ read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append to psad's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+#
+interface(`psad_append_log',`
+ gen_require(`
+ type psad_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+ append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+##
+## Read and write psad fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_rw_fifo_file',`
+ gen_require(`
+ type psad_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+##
+## Read and write psad tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`psad_rw_tmp_files',`
+ gen_require(`
+ type psad_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an psad environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`psad_admin',`
+ gen_require(`
+ type psad_t, psad_var_run_t, psad_var_log_t;
+ type psad_initrc_exec_t, psad_var_lib_t;
+ type psad_tmp_t;
+ ')
+
+ allow $1 psad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, psad_t)
+
+ init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 psad_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, psad_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, psad_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, psad_var_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, psad_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, psad_tmp_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.12/policy/modules/services/psad.te
--- nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/psad.te 2009-04-07 16:01:44.000000000 -0400
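Review bot: Two psad.if interfaces use types they do not declare: `psad_rw_fifo_file` requires only `type psad_t;` while its body uses `psad_var_lib_t`, and `psad_admin` calls `admin_pattern($1, psad_etc_t)` without `psad_etc_t` in its `gen_require`. The require blocks should read `type psad_var_lib_t;` in the first and add `type psad_etc_t;` in the second, so that a caller in an optional block gets a clean dependency instead of relying on the type happening to be in scope. The documentation also has copy-paste slips: `psad_rw_pid_files` is summarised as "Read psad PID files." although it grants `rw_files_pattern`, and the role parameter of `psad_admin` talks about "the syslog domain". These interfaces are how other modules will reach psad's files, so the summaries should state the access actually granted.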
@@ -0,0 +1,107 @@
+policy_module(psad,1.0.0)
+
+########################################
+#
+# Declarations
+#
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+# config files
+type psad_etc_t;
+files_config_file(psad_etc_t)
+
+# var/lib files
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+# log files
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+# pid files
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+# tmp files
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# psad local policy
+#
+
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+dontaudit psad_t self:capability { sys_tty_config };
+allow psad_t self:process signull;
+
+allow psad_t self:fifo_file rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+# config files
+read_files_pattern(psad_t,psad_etc_t,psad_etc_t)
+list_dirs_pattern(psad_t,psad_etc_t,psad_etc_t)
+
+# pid file
+manage_files_pattern(psad_t, psad_var_run_t,psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t,psad_var_run_t)
+files_pid_filetrans(psad_t,psad_var_run_t, { file sock_file })
+
+# log files
+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t,psad_var_log_t, { file dir })
+
+# tmp files
+manage_dirs_pattern(psad_t,psad_tmp_t,psad_tmp_t)
+manage_files_pattern(psad_t,psad_tmp_t,psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+# /var/lib files
+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+#kernel_read_kernel_sysctls(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_shell(psad_t)
+corecmd_exec_bin(psad_t)
+
+auth_use_nsswitch(psad_t) + +corenet_tcp_connect_whois_port(psad_t) + +dev_read_urand(psad_t) + +files_read_etc_runtime_files(psad_t) + +fs_getattr_all_fs(psad_t) + +libs_use_ld_so(psad_t) +libs_use_shared_libs(psad_t) + +miscfiles_read_localization(psad_t) + +logging_read_generic_logs(psad_t) +logging_read_syslog_config(psad_t) +logging_send_syslog_msg(psad_t) + +#sysnet_domtrans_ifconfig(psad_t) +sysnet_exec_ifconfig(psad_t) +iptables_domtrans(psad_t) + +optional_policy(` + mta_send_mail(psad_t) + mta_read_queue(psad_t) +') + +permissive psad_t; + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.12/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pyzor.if 2009-04-07 16:01:44.000000000 -0400 
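Review bot: psad.te ends with `permissive psad_t;`, so none of the rules in this module are enforced for psad: denials are logged only, and the `allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };` line documents intent without limiting anything. For a daemon that parses firewall logs and can run a shell (`corecmd_exec_shell`) and iptables, that state should not ship silently. Mark it as a bring-up aid next to the statement, e.g. `# TODO: drop once remaining AVCs are resolved; psad is NOT confined while permissive`, and remove it before the policy is relied on. The two commented-out calls (`#kernel_read_kernel_sysctls`, `#sysnet_domtrans_ifconfig`) should be deleted or given a reason.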
@@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') + +######################################## +## +## All of the rules required to administrate +## an pyzor environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the pyzor domain. +## +## +## +# +interface(`pyzor_admin',` + gen_require(` + type pyzord_t, pyzor_tmp_t, pyzord_log_t; + type pyzor_etc_t, pyzor_var_lib_t; + type pyzord_initrc_exec_t; + ') + + allow $1 pyzord_t:process { ptrace signal_perms }; + ps_process_pattern($1, pyzord_t) + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, pyzor_tmp_t) + + logging_list_logs($1) + admin_pattern($1, pyzord_log_t) + + files_list_etc($1) + admin_pattern($1, pyzor_etc_t) + + files_list_var_lib($1) + admin_pattern($1, pyzor_var_lib_t) +') + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pyzor.te 2009-04-07 16:01:44.000000000 -0400 
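Review bot: `pyzor_admin` grants `ptrace` on the daemon unconditionally in `allow $1 pyzord_t:process { ptrace signal_perms };`, which lets the admin domain read and alter the daemon's memory rather than just start, stop and signal it. With `distro_redhat` defined, pyzor.te in this patch aliases `pyzord_t` to `spamd_t`, so the grant also covers spamd. The default could be `allow $1 pyzord_t:process signal_perms;`, with ptrace granted separately where debugging is actually intended. `psad_admin` in psad.if has the same line.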
@@ -6,6 +6,38 @@ # Declarations # + +ifdef(`distro_redhat',` + + gen_require(` + type spamc_t; + type spamc_exec_t; + type spamd_t; + type spamd_initrc_exec_t; + type spamd_exec_t; + type spamc_tmp_t; + type spamd_log_t; + type spamd_var_lib_t; + type spamd_etc_t; + type spamc_tmp_t; + type spamc_home_t; + ') + + typealias spamc_t alias pyzor_t; + typealias spamc_exec_t alias pyzor_exec_t; + typealias spamd_t alias pyzord_t; + typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; + typealias spamd_exec_t alias pyzord_exec_t; + typealias spamc_tmp_t alias pyzor_tmp_t; + typealias spamd_log_t alias pyzor_log_t; + typealias spamd_log_t alias pyzord_log_t; + typealias spamd_var_lib_t alias pyzor_var_lib_t; + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; + typealias spamc_home_t alias user_pyzor_home_t; + +',` + type pyzor_t; type pyzor_exec_t; typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; @@ -40,6 +72,7 @@ type pyzord_log_t; logging_log_file(pyzord_log_t) +') ######################################## # @@ -83,6 +116,8 @@ miscfiles_read_localization(pyzor_t) +mta_read_queue(pyzor_t) + userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.12/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2008-11-11 16:13:45.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/razor.fc 2009-04-13 10:23:30.000000000 -0400 
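Review bot: Under `distro_redhat` every pyzor type becomes an alias of a spamassassin type, so pyzor and spamassassin share one domain and any rule written for one applies to the other. For example, the `mta_read_queue(pyzor_t)` added in the third pyzor.te hunk also gives `spamc_t` read access to the mail queue. That loss of separation deserves a comment at the `ifdef`, such as `# pyzor runs in the spamassassin domains on Red Hat; rules for pyzor_t also apply to spamc_t`. `type spamc_tmp_t;` is listed twice in the `gen_require` block and one copy can go. razor.te gets the same aliasing later in the patch, and in its visible lines `spamd_spool_t` is required but never used.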
@@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.12/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/razor.if 2009-04-07 16:01:44.000000000 -0400 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) ') + +######################################## +## +## Create, read, write, and delete razor files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +template(`razor_manage_user_home_files',` + gen_require(` + type razor_home_t; + ') + + files_search_home($1) + userdom_search_user_home_dirs($1) + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) +') + +######################################## +## +## read razor lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`razor_read_lib_files',` + gen_require(` + type razor_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.12/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/razor.te 2009-04-07 16:01:44.000000000 -0400 
@@ -6,6 +6,32 @@ # Declarations # +ifdef(`distro_redhat',` + + gen_require(` + type spamc_t; + type spamc_exec_t; + type spamd_log_t; + type spamd_spool_t; + type spamd_var_lib_t; + type spamd_etc_t; + type spamc_home_t; + type spamc_tmp_t; + ') + + typealias spamc_t alias razor_t; + typealias spamc_exec_t alias razor_exec_t; + typealias spamd_log_t alias razor_log_t; + typealias spamd_var_lib_t alias razor_var_lib_t; + typealias spamd_etc_t alias razor_etc_t; + typealias spamc_home_t alias razor_home_t; + typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; + +',` + type razor_exec_t; corecmd_executable_file(razor_exec_t) @@ -122,3 +148,5 @@ optional_policy(` nscd_socket_use(razor_t) ') + +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ricci.te 2009-04-07 16:01:44.000000000 -0400 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) +domain_read_all_domains_state(ricci_t) + files_read_etc_files(ricci_t) files_read_etc_runtime_files(ricci_t) files_create_boot_flag(ricci_t) @@ -140,7 +142,7 @@ auth_domtrans_chk_passwd(ricci_t) auth_append_login_records(ricci_t) -init_dontaudit_stream_connect_script(ricci_t) +init_stream_connect_script(ricci_t) locallogin_dontaudit_use_fds(ricci_t) 
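Review bot: `domain_read_all_domains_state(ricci_t)` in the ricci.te hunk at -133,6 lets a network-facing management daemon read the process state of every domain on the system. The later hunks turn `domain_dontaudit_read_all_domains_state` into the allowing form for `ricci_modcluster_t`, `ricci_modclusterd_t`, `ricci_modlog_t` and `ricci_modstorage_t` as well. Moving five domains from "deny quietly" to "allow" is a real widening, and nothing in the patch says which operation needs it. A comment on each line naming the consumer would help, e.g. `# needed for process enumeration by <tool> - TODO confirm`. The same goes for the `init_dontaudit_stream_connect_script` to `init_stream_connect_script` changes on `ricci_t` and `ricci_modclusterd_t`.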
@@ -202,7 +204,7 @@ corecmd_exec_shell(ricci_modcluster_t) corecmd_exec_bin(ricci_modcluster_t) -domain_dontaudit_read_all_domains_state(ricci_modcluster_t) +domain_read_all_domains_state(ricci_modcluster_t) files_search_locks(ricci_modcluster_t) files_read_etc_runtime_files(ricci_modcluster_t) @@ -214,6 +216,8 @@ logging_send_syslog_msg(ricci_modcluster_t) +consoletype_exec(ricci_modcluster_t) + miscfiles_read_localization(ricci_modcluster_t) modutils_domtrans_insmod(ricci_modcluster_t) @@ -229,10 +233,6 @@ ') optional_policy(` - consoletype_exec(ricci_modcluster_t) -') - -optional_policy(` lvm_domtrans(ricci_modcluster_t) ') @@ -287,14 +287,14 @@ corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) -domain_dontaudit_read_all_domains_state(ricci_modclusterd_t) +domain_read_all_domains_state(ricci_modclusterd_t) files_read_etc_files(ricci_modclusterd_t) files_read_etc_runtime_files(ricci_modclusterd_t) fs_getattr_xattr_fs(ricci_modclusterd_t) -init_dontaudit_stream_connect_script(ricci_modclusterd_t) +init_stream_connect_script(ricci_modclusterd_t) locallogin_dontaudit_use_fds(ricci_modclusterd_t) @@ -328,7 +328,7 @@ corecmd_exec_bin(ricci_modlog_t) -domain_dontaudit_read_all_domains_state(ricci_modlog_t) +domain_read_all_domains_state(ricci_modlog_t) files_read_etc_files(ricci_modlog_t) files_search_usr(ricci_modlog_t) @@ -432,7 +432,7 @@ dev_read_urand(ricci_modstorage_t) dev_manage_generic_blk_files(ricci_modstorage_t) -domain_dontaudit_read_all_domains_state(ricci_modstorage_t) +domain_read_all_domains_state(ricci_modstorage_t) #Needed for editing /etc/fstab files_manage_etc_files(ricci_modstorage_t) 
@@ -440,6 +440,10 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) +files_create_default_dir(ricci_modstorage_t) +files_mounton_default(ricci_modstorage_t) +files_manage_default(ricci_modstorage_t) + storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) @@ -452,6 +456,10 @@ modutils_read_module_deps(ricci_modstorage_t) +consoletype_exec(ricci_modstorage_t) + +mount_domtrans(ricci_modstorage_t) + optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te 2009-04-21 13:15:10.000000000 -0400 @@ -40,6 +40,8 @@ manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) +fs_list_inotifyfs(rpcbind_t) + kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-21 15:17:25.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) type exports_t; -files_type(exports_t) +files_config_file(exports_t) rpc_domain_template(gssd) 
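Review bot: The three additions `files_create_default_dir`, `files_mounton_default` and `files_manage_default` for `ricci_modstorage_t` act on the catch-all default label, so the domain can create, modify and mount over anything that has no more specific file context. The next hunk adds `mount_domtrans(ricci_modstorage_t)`, which together with these gives the module wide reach over the filesystem layout. The neighbouring `#Needed for editing /etc/fstab` comment shows the file's convention for broad grants, and the new lines should follow it, e.g. `# Needed to create mount points for new filesystems - TODO confirm`. If mount points live in a known location, a dedicated type for them would be narrower than managing everything with the default label.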
@@ -74,21 +74,31 @@ files_manage_mounttab(rpcd_t) +fs_list_inotifyfs(rpcd_t) fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) +kernel_signal(rpcd_t) + selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) + optional_policy(` nis_read_ypserv_config(rpcd_t) ') +optional_policy(` + unconfined_execmem_signal(rpcd_t) + unconfined_signal(rpcd_t) +') + ######################################## # # NFSD local policy @@ -116,8 +126,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type -files_manage_mounttab(rpcd_t) +files_manage_mounttab(nfsd_t) +fs_list_inotifyfs(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) @@ -125,6 +136,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) +storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -141,6 +153,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) @@ -175,6 +188,7 @@ corecmd_exec_bin(gssd_t) +fs_list_inotifyfs(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) 
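Review bot: `storage_raw_read_removable_device(nfsd_t)` in the rpc.te hunk at -125,6 gives nfsd raw read access to removable block devices, which bypasses the per-file labels of whatever filesystem is on the device. The line directly above it is `storage_dontaudit_read_fixed_disk(nfsd_t)`, so for fixed disks the policy treats raw reads by nfsd as something to deny quietly. If the new rule only silences a probe while exporting removable media, a dontaudit would be consistent with that line. If the read is really needed, it should carry a comment saying what nfsd reads from the raw device.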
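Review bot: `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` in the hunk at -141,6 is added after the closing `')` of the preceding conditional block, so it applies unconditionally. The write access it complements, `auth_manage_all_files_except_shadow(nfsd_t)`, sits inside that block. If the transition only matters when nfsd may write into exported home directories, it belongs inside the block, above the `')`. The opening of that block is outside the hunk, so the guarding tunable cannot be confirmed from here.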
@@ -183,9 +197,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) +auth_manage_cache(gssd_t) miscfiles_read_certs(gssd_t) +mount_signal(gssd_t) + tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.12/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-04-07 16:01:44.000000000 -0400 @@ -51,7 +51,7 @@ files_list_home(rshd_t) files_read_etc_files(rshd_t) -files_search_tmp(rshd_t) +files_manage_generic_tmp_dirs(rshd_t) auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-07 16:01:44.000000000 -0400 @@ -2,6 +2,9 @@ # # /etc # +/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) /etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) 
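Review bot: The rshd.te hunk replaces `files_search_tmp(rshd_t)` with `files_manage_generic_tmp_dirs(rshd_t)`, taking a remote-login daemon from search-only to managing directories that carry the shared generic tmp label. Directories created that way are not separated from other domains' tmp content. A private tmp type with a `files_tmp_filetrans` rule, as psad.te in this patch does with `psad_tmp_t`, would give rshd the directory it needs without rights over generic tmp directories. If the broad rule stays, it should carry a comment naming the operation that needs it.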
@@ -15,6 +18,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) +/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) @@ -47,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.12/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/samba.if 2009-04-07 16:01:44.000000000 -0400 @@ -4,6 +4,45 @@ ## from Windows NT servers. ## + +######################################## +## +## Execute smbd net in the smbd_t domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`samba_domtrans_smb',` + gen_require(` + type smbd_t, smbd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, smbd_exec_t, smbd_t) +') + +######################################## +## +## Execute nmbd net in the nmbd_t domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`samba_domtrans_nmb',` + gen_require(` + type nmbd_t, nmbd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, nmbd_exec_t, nmbd_t) +') + ######################################## ## ## Execute samba net in the samba_net domain. 
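Review bot: The last samba.fc hunk adds `/var/lib/samba/scripts(/.*)?` with `samba_unconfined_script_exec_t` and no object-class specifier, so the directory itself and everything under it carry an entry-point label for what the name suggests is an unconfined helper domain. Files created there later inherit the directory's label by default, so anyone able to write into the directory can plant a script that smbd runs outside confinement. The `samba_helper_template` in samba.if gives `smbd_t` a transition through `samba_$1_script_exec_t`, and it is presumably instantiated with `unconfined`. The entry should at least carry a comment, e.g. `# entry points to an unconfined helper domain; directory must be writable by root only`. Consider restricting the exec label to regular files with `--` so the directory keeps an ordinary type.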
@@ -25,6 +64,25 @@ ######################################## ## +## Execute samba net in the samba_unconfined_net domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`samba_domtrans_unconfined_net',` + gen_require(` + type samba_unconfined_net_t, samba_net_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) +') + +######################################## +## ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## @@ -49,6 +107,50 @@ role $2 types samba_net_t; ') +####################################### +## +## The role for the samba module. +## +## +## +## The role to be allowed the samba_net domain. +## +## +# +template(`samba_role_notrans',` + gen_require(` + type smbd_t; + ') + + role $1 types smbd_t; +') + +######################################## +## +## Execute samba net in the samba_unconfined_net domain, and +## allow the specified role the samba_unconfined_net domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the samba_unconfined_net domain. +## +## +## +# +interface(`samba_run_unconfined_net',` + gen_require(` + type samba_unconfined_net_t; + ') + + samba_domtrans_unconfined_net($1) + role $2 types samba_unconfined_net_t; +') + ######################################## ## ## Execute smbmount in the smbmount domain. @@ -138,6 +240,28 @@ ######################################## ## +## Allow the specified domain to read +## and write samba configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`samba_manage_config',` + gen_require(` + type samba_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, samba_etc_t, samba_etc_t) + manage_files_pattern($1, samba_etc_t, samba_etc_t) +') + +######################################## +## ## Allow the specified domain to read samba's log files. ## ## 
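Review bot: `samba_role_notrans` in the samba.if hunk at -49,6 is documented as "The role to be allowed the samba_net domain", but its body is `role $1 types smbd_t;`, so it authorises the role for the smbd daemon domain. A caller reading the summary would grant more than intended. The parameter text should say `smbd_t`, and the summary should state that no transition is set up. It is also declared with `template(` although it declares no types, where the surrounding definitions use `interface(`.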
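Review bot: `samba_manage_config` in the hunk at -138,6 is summarised as "read and write samba configuration files" but grants `manage_dirs_pattern` and `manage_files_pattern` on `samba_etc_t`. That presumably includes creating and deleting files and directories, not just rewriting existing ones. The summary should match the grant, e.g. `## Allow the specified domain to create, read, write and delete samba configuration files and directories.`, so callers do not pick it when read/write is all they need.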
@@ -281,6 +405,25 @@ ######################################## ## +## dontaudit the specified domain to +## write samba /var files. +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_dontaudit_write_var_files',` + gen_require(` + type samba_var_t; + ') + + dontaudit $1 samba_var_t:file write; +') + +######################################## +## ## Allow the specified domain to ## read and write samba /var files. ## @@ -298,6 +441,7 @@ files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## @@ -370,6 +514,7 @@ ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_helper_t:process signal; ') ######################################## 
@@ -447,3 +592,202 @@ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) ') ') + +######################################## +## +## Create a set of derived types for apache +## web content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`samba_helper_template',` + gen_require(` + type smbd_t; + ') + #This type is for samba helper scripts + type samba_$1_script_t; + domain_type(samba_$1_script_t) + role system_r types samba_$1_script_t; + + # This type is used for executable scripts files + type samba_$1_script_exec_t; + corecmd_shell_entry_type(samba_$1_script_t) + domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; + +') + +######################################## +## +## Allow the specified domain to read samba's shares +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_read_share_files',` + gen_require(` + type samba_share_t; + ') + + allow $1 samba_share_t:filesystem getattr; + read_files_pattern($1, samba_share_t, samba_share_t) +') + +######################################## +## +## Execute a domain transition to run smbcontrol. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`samba_domtrans_smbcontrol',` + gen_require(` + type smbcontrol_t; + type smbcontrol_exec_t; + ') + + domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) +') + + +######################################## +## +## Execute smbcontrol in the smbcontrol domain, and +## allow the specified role the smbcontrol domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the smbcontrol domain. +## +## +# +interface(`samba_run_smbcontrol',` + gen_require(` + type smbcontrol_t; + ') + + samba_domtrans_smbcontrol($1) + role $2 types smbcontrol_t; +') + +######################################## +## +## Execute samba server in the samba domain. 
+## +## +## +## The type of the process performing this action. +## +## +# +interface(`samba_initrc_domtrans',` + gen_require(` + type samba_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, samba_initrc_exec_t) +') + +######################################## +## +## All of the rules required to administrate +## an samba environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the samba domain. +## +## +## +# +interface(`samba_admin',` + gen_require(` + type nmbd_t, nmbd_var_run_t; + type smbd_t, smbd_tmp_t; + type smbd_initrc_exec_t; + type smbd_spool_t, smbd_var_run_t; + + type samba_log_t, samba_var_t; + type samba_etc_t, samba_share_t; + type samba_secrets_t; + + type swat_var_run_t, swat_tmp_t; + + type winbind_var_run_t, winbind_tmp_t; + type winbind_log_t; + + type samba_unconfined_script_t, samba_unconfined_script_exec_t; + type samba_initrc_exec_t; + ') + + allow $1 smbd_t:process { ptrace signal_perms }; + ps_process_pattern($1, smbd_t) + + allow $1 nmbd_t:process { ptrace signal_perms }; + ps_process_pattern($1, nmbd_t) + + allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) + + samba_run_smbcontrol($1, $2, $3) + samba_run_winbind_helper($1, $2, $3) + samba_run_smbmount($1, $2, $3) + samba_run_net($1, $2, $3) + + init_labeled_script_domtrans($1, samba_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 samba_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, smbd_tmp_t) + admin_pattern($1, swat_tmp_t) + admin_pattern($1, winbind_tmp_t) + + admin_pattern($1, samba_secrets_t) + + files_list_etc($1) + admin_pattern($1, samba_etc_t) + + admin_pattern($1, samba_share_t) + + logging_list_logs($1) + admin_pattern($1, samba_log_t) + admin_pattern($1, winbind_log_t) + + files_list_spool($1) + admin_pattern($1, smbd_spool_t) + + files_list_var($1) + 
admin_pattern($1, samba_var_t) + + files_list_pids($1) + admin_pattern($1, smbd_var_run_t) + admin_pattern($1, nmbd_var_run_t) + admin_pattern($1, swat_var_run_t) + admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-07 16:01:44.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) +## +##
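Review bot: `samba_admin`'s `gen_require` names `smbd_initrc_exec_t`, but the samba.te part of this patch declares only `samba_initrc_exec_t` (`type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t)`). Unless that type is declared somewhere not shown, the require cannot be satisfied, and since the body never uses the type the line `type smbd_initrc_exec_t;` should be dropped. The body also calls `samba_run_smbcontrol($1, $2, $3)` although `samba_admin` documents two parameters and `samba_run_smbcontrol`, defined in this same hunk, reads only `$1` and `$2`; the call should be `samba_run_smbcontrol($1, $2)`, and the other three `samba_run_*` calls need the same check against definitions outside the hunk. Separately, the `samba_helper_template` summary still says "derived types for apache web content" and should describe samba helper script types.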

+## Allow samba to export ntfs/fusefs volumes. +##

+##
+gen_tunable(samba_share_fusefs, false) + type nmbd_t; type nmbd_exec_t; init_daemon_domain(nmbd_t, nmbd_exec_t) @@ -73,6 +80,9 @@ type nmbd_var_run_t; files_pid_file(nmbd_var_run_t) +type samba_initrc_exec_t; +init_script_file(samba_initrc_exec_t) + type samba_etc_t; files_config_file(samba_etc_t) @@ -80,11 +90,9 @@ logging_log_file(samba_log_t) type samba_net_t; -domain_type(samba_net_t) -role system_r types samba_net_t; - type samba_net_exec_t; -domain_entry_file(samba_net_t, samba_net_exec_t) +role system_r types samba_net_t; +application_domain(samba_net_t, samba_net_exec_t) type samba_net_tmp_t; files_tmp_file(samba_net_tmp_t) @@ -146,11 +154,17 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) +type smbcontrol_t; +type smbcontrol_exec_t; +application_domain(smbcontrol_t, smbcontrol_exec_t) +role system_r types smbcontrol_t; + ######################################## # # Samba net local policy # - +allow samba_net_t self:capability { sys_nice dac_read_search dac_override }; +allow samba_net_t self:process { getsched setsched }; allow samba_net_t self:unix_dgram_socket create_socket_perms; allow samba_net_t self:unix_stream_socket create_stream_socket_perms; allow samba_net_t self:udp_socket create_socket_perms; @@ -165,11 +179,12 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) -allow samba_net_t samba_var_t:dir rw_dir_perms; +manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) kernel_read_proc_symlinks(samba_net_t) +kernel_read_system_state(samba_net_t) corenet_all_recvfrom_unlabeled(samba_net_t) corenet_all_recvfrom_netlabel(samba_net_t) 
@@ -190,15 +205,23 @@ domain_use_interactive_fds(samba_net_t) files_read_etc_files(samba_net_t) +files_read_usr_symlinks(samba_net_t) auth_use_nsswitch(samba_net_t) +auth_read_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) miscfiles_read_localization(samba_net_t) +samba_read_var_files(samba_net_t) + userdom_use_user_terminals(samba_net_t) -userdom_dontaudit_search_user_home_dirs(samba_net_t) +userdom_list_user_home_dirs(samba_net_t) + +optional_policy(` + pcscd_read_pub_files(samba_net_t) +') optional_policy(` kerberos_use(samba_net_t) @@ -208,7 +231,7 @@ # # smbd Local policy # -allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -226,10 +249,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -create_dirs_pattern(smbd_t, samba_log_t, samba_log_t) +manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) manage_files_pattern(smbd_t, samba_log_t, samba_log_t) -allow smbd_t samba_log_t:dir setattr; -dontaudit smbd_t samba_log_t:dir remove_name; allow smbd_t samba_net_tmp_t:file getattr; @@ -239,6 +260,7 @@ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) +allow smbd_t samba_share_t:filesystem getattr; manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) 
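Review bot: Adding `chown` to the unconditional `allow smbd_t self:capability { ... }` line (hunk at -208) makes the boolean-gated grant redundant. The `samba_create_home_dirs` block still contains `allow smbd_t self:capability chown;` (visible as context in the later -376 hunk), so smbd_t now holds the capability whether or not the boolean is set. If chown is only needed for creating home directories, keep the unconditional set as `{ fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }`. Otherwise add a comment naming the operation that needs it and remove the gated duplicate, so the boolean does not appear to control something it no longer does.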
@@ -256,7 +278,7 @@ manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, file) -allow smbd_t winbind_var_run_t:sock_file { read write getattr }; +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) @@ -298,6 +320,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) +auth_domtrans_upd_passwd(smbd_t) domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) @@ -321,6 +344,10 @@ userdom_use_unpriv_users_fds(smbd_t) userdom_dontaudit_search_user_home_dirs(smbd_t) +usermanage_read_crack_db(smbd_t) + +term_use_ptmx(smbd_t) + ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) @@ -333,25 +360,33 @@ tunable_policy(`samba_domain_controller',` usermanage_domtrans_passwd(smbd_t) + usermanage_kill_passwd(smbd_t) usermanage_domtrans_useradd(smbd_t) usermanage_domtrans_groupadd(smbd_t) ') tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content_dirs(smbd_t) - userdom_manage_user_home_content_files(smbd_t) - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) - userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) + userdom_manage_user_home_content(smbd_t) ') # Support Samba sharing of NFS mount points tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) +') + +# Support Samba sharing of ntfs/fusefs mount points +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +',` + fs_search_fusefs(smbd_t) ') + optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) 
@@ -359,6 +394,16 @@ optional_policy(` kerberos_use(smbd_t) + kerberos_keytab_template(smbd, smbd_t) +') + +optional_policy(` + lpd_exec_lpr(smbd_t) +') + +optional_policy(` + qemu_manage_tmp_dirs(smbd_t) + qemu_manage_tmp_files(smbd_t) ') optional_policy(` @@ -376,13 +421,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) - userdom_home_filetrans_user_home_dir(smbd_t) ') +userdom_home_filetrans_user_home_dir(smbd_t) tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) + auth_read_all_dirs_except_shadow(smbd_t) auth_read_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) + auth_read_all_dirs_except_shadow(nmbd_t) auth_read_all_files_except_shadow(nmbd_t) ') @@ -391,8 +438,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) - userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ') +userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ######################################## # @@ -417,14 +464,11 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) -read_files_pattern(nmbd_t, samba_log_t, samba_log_t) -create_files_pattern(nmbd_t, samba_log_t, samba_log_t) -allow nmbd_t samba_log_t:dir setattr; - manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -454,6 +498,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) +fs_list_inotifyfs(nmbd_t) fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) 
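Review bot: Moving `userdom_home_filetrans_user_home_dir(smbd_t)` below the closing `')` of `tunable_policy(`samba_create_home_dirs',` (hunk at -376) makes it unconditional, so it applies to smbd_t even when the boolean is off. The -391 hunk does the same to `userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })`, taking it out of a tunable block whose opening line is above the hunk. Neither move carries a comment; if they work around a build problem with type transitions inside conditionals, that should be stated, e.g. `# outside the tunable: <reason>`. Otherwise both lines belong back inside their blocks so the booleans keep gating them.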
@@ -553,21 +598,36 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) +optional_policy(` + cups_read_rw_config(smbmount_t) +') + ######################################## # # SWAT Local policy # -allow swat_t self:capability { setuid setgid }; -allow swat_t self:process signal_perms; -allow swat_t self:fifo_file rw_file_perms; +allow swat_t self:capability { setuid setgid sys_resource }; +allow swat_t self:process { setrlimit signal_perms }; +allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; +allow swat_t self:unix_stream_socket connectto; +samba_domtrans_smb(swat_t) +allow swat_t smbd_port_t:tcp_socket name_bind; +allow swat_t smbd_t:process { signal signull }; +allow swat_t smbd_var_run_t:file { lock unlink }; + allow swat_t nmbd_exec_t:file mmap_file_perms; +can_exec(swat_t, nmbd_exec_t) +allow swat_t nmbd_port_t:udp_socket name_bind; +allow swat_t nmbd_t:process { signal signull }; +allow swat_t nmbd_var_run_t:file { lock read unlink }; rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) append_files_pattern(swat_t, samba_log_t, samba_log_t) @@ -585,6 +645,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; +can_exec(swat_t, winbind_exec_t) +allow swat_t winbind_var_run_t:dir { write add_name remove_name }; +allow swat_t winbind_var_run_t:sock_file { create unlink }; kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) 
@@ -609,15 +672,18 @@ dev_read_urand(swat_t) +files_list_var_lib(swat_t) files_read_etc_files(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) +fs_list_inotifyfs(swat_t) auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) logging_send_syslog_msg(swat_t) +logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -635,6 +701,17 @@ kerberos_use(swat_t) ') +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) + +manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) +create_files_pattern(swat_t, samba_log_t, samba_log_t) + +manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) + +manage_files_pattern(swat_t, samba_var_t, samba_var_t) +files_list_var_lib(swat_t) + ######################################## # # Winbind local policy @@ -642,7 +719,7 @@ allow winbind_t self:capability { dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; -allow winbind_t self:process signal_perms; +allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; @@ -683,9 +760,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) +corecmd_exec_bin(winbind_t) + kernel_read_kernel_sysctls(winbind_t) -kernel_list_proc(winbind_t) -kernel_read_proc_symlinks(winbind_t) +kernel_read_system_state(winbind_t) corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) @@ -709,10 +787,12 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) +auth_rw_cache(winbind_t) domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) +files_read_usr_symlinks(winbind_t) logging_send_syslog_msg(winbind_t) 
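Review bot: `manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)` in the -635 hunk gives the SWAT web front end create, write and delete access to samba_secrets_t with no comment saying which operation needs it. Since swat_t is network-facing (the earlier hunk lets it bind and accept TCP), this is the line in the block most in need of a justification such as `# swat manages samba_secrets_t: required for <operation>`, or narrowing to a read pattern if reading is all it does. The same hunk ends with `files_list_var_lib(swat_t)`, which the -609 hunk already adds, so one of the two should go. The new rules are also appended after the `kerberos_use` optional block rather than next to the existing samba_log_t and samba_etc_t rules for swat_t, which makes the total access per type hard to read.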
@@ -768,8 +848,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` + apache_append_log(winbind_helper_t) +') + +optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) ') ######################################## @@ -778,6 +863,16 @@ # optional_policy(` + type samba_unconfined_net_t; + domain_type(samba_unconfined_net_t) + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) + + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) +') + type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) 
@@ -788,9 +883,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; +optional_policy(` unconfined_domain(samba_unconfined_script_t) +') tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -') + +######################################## +# +# smbcontrol local policy +# + +# internal communication is often done using fifo and unix sockets. +allow smbcontrol_t self:fifo_file rw_file_perms; +allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + +files_read_etc_files(smbcontrol_t) + +miscfiles_read_localization(smbcontrol_t) + +files_search_var_lib(smbcontrol_t) +samba_read_config(smbcontrol_t) +samba_rw_var_files(smbcontrol_t) +samba_search_var(smbcontrol_t) +samba_read_winbind_pid(smbcontrol_t) + +allow smbcontrol_t smbd_t:process signal; +domain_use_interactive_fds(smbcontrol_t) +allow smbd_t smbcontrol_t:process { signal signull }; + +allow nmbd_t smbcontrol_t:process signal; +allow smbcontrol_t nmbd_t:process { signal signull }; + +allow smbcontrol_t winbind_t:process { signal signull }; +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/sasl.te 2009-04-07 16:01:44.000000000 -0400 @@ -99,6 +99,7 @@ optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) + kerberos_manage_host_rcache(saslauthd_t) ') optional_policy(` 
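Review bot: `allow smbcontrol_t self:fifo_file rw_file_perms;` applies the regular-file permission set to the fifo_file class. This patch replaces exactly that form for swat_t with `rw_fifo_file_perms`, so the new rule should be `allow smbcontrol_t self:fifo_file rw_fifo_file_perms;`. In the same hunk the new else-branch `can_exec(smbd_t, samba_unconfined_script_exec_t)` means that with `samba_run_unconfined` off the scripts run inside smbd_t instead of transitioning. That is a reasonable default, but it deserves a comment such as `# boolean off: scripts run confined in smbd_t`, because the visible old code had no else-branch.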
@@ -107,6 +108,10 @@ ') optional_policy(` + nis_authenticate(saslauthd_t) +') + +optional_policy(` seutil_sigchld_newrole(saslauthd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-07 16:01:44.000000000 -0400 
@@ -149,3 +149,92 @@ logging_log_filetrans($1, sendmail_log_t, file) ') + +######################################## +## +## Execute the sendmail program in the sendmail domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the sendmail domain. +## +## +## +# +interface(`sendmail_run',` + gen_require(` + type sendmail_t; + ') + + sendmail_domtrans($1) + role $2 types sendmail_t; +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_domtrans_unconfined',` + gen_require(` + type unconfined_sendmail_t, sendmail_exec_t; + ') + + domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain, and +## allow the specified role the unconfined sendmail domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the unconfined sendmail domain. +## +## +## +# +interface(`sendmail_run_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + sendmail_domtrans_unconfined($1) + role $2 types unconfined_sendmail_t; +') + +######################################## +## +## Allow attempts to read and write to +## sendmail unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`sendmail_rw_pipes',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-04-13 11:43:41.000000000 -0400 
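Review bot: The documentation of `sendmail_rw_pipes` contradicts its rule. The summary says "Allow attempts to read and write" and the parameter says "Domain to not audit.", but the body is `allow $1 sendmail_t:fifo_file rw_fifo_file_perms;`, a real grant and not a dontaudit. The summary should be `Read and write sendmail unnamed pipes.` and the parameter `Domain allowed access.` `sendmail_run_unconfined` likewise promises "and use the caller's terminal" although its body has only the domain transition and the role statement; drop the phrase or add the terminal rule it describes.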
@@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +type unconfined_sendmail_t; +application_domain(unconfined_sendmail_t, sendmail_exec_t) +role system_r types unconfined_sendmail_t; + ######################################## # # Sendmail local policy # -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process signal; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:process { setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -47,6 +51,7 @@ kernel_read_kernel_sysctls(sendmail_t) # for piping mail to a command kernel_read_system_state(sendmail_t) +kernel_read_network_state(sendmail_t) corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) @@ -64,24 +69,30 @@ fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) +fs_rw_anon_inodefs_files(sendmail_t) +fs_list_inotifyfs(sendmail_t) term_dontaudit_use_console(sendmail_t) # for piping mail to a command corecmd_exec_shell(sendmail_t) +corecmd_exec_bin(sendmail_t) domain_use_interactive_fds(sendmail_t) files_read_etc_files(sendmail_t) +files_read_usr_files(sendmail_t) files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) +files_read_all_tmp_files(sendmail_t) init_use_fds(sendmail_t) init_use_script_ptys(sendmail_t) # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console init_read_utmp(sendmail_t) init_dontaudit_write_utmp(sendmail_t) +init_rw_script_tmp_files(sendmail_t) auth_use_nsswitch(sendmail_t) 
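Review bot: `files_read_all_tmp_files(sendmail_t)` (hunk at -64) and the `dac_override` added to the capability set (hunk at -20) both widen sendmail_t considerably, and neither has a why-comment like the neighbouring `# for piping mail to a command`. Together they presumably let the mail daemon read temporary files of any type regardless of their Unix mode, which is far broader than the `init_rw_script_tmp_files` and `procmail_rw_tmp_files` grants this patch also adds for specific producers. I would prefer per-type interfaces for the tmp files sendmail actually opens. Failing that, each line should say what breaks without it, e.g. `# needed for <program> temp files; narrow when the types are known`.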
@@ -89,23 +100,42 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) +logging_dontaudit_write_generic_logs(sendmail_t) miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -userdom_dontaudit_search_user_home_dirs(sendmail_t) +userdom_read_user_home_content_files(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) # Write to /etc/aliases and /etc/mail. -mta_rw_aliases(sendmail_t) +mta_manage_aliases(sendmail_t) # Write to /var/spool/mail and /var/spool/mqueue. mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) +mta_sendmail_exec(sendmail_t) + +optional_policy(` + cron_read_pipes(sendmail_t) +') optional_policy(` clamav_search_lib(sendmail_t) + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + cyrus_stream_connect(sendmail_t) +') + +optional_policy(` + fail2ban_read_lib_files(sendmail_t) +') + +optional_policy(` + kerberos_keytab_template(sendmail, sendmail_t) ') optional_policy(` @@ -113,13 +143,19 @@ ') optional_policy(` - postfix_exec_master(sendmail_t) + munin_dontaudit_search_lib(sendmail_t) +') + +optional_policy(` + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') optional_policy(` procmail_domtrans(sendmail_t) + procmail_rw_tmp_files(sendmail_t) ') optional_policy(` 
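Review bot: The comment `# Write to /etc/aliases and /etc/mail.` now sits above `mta_manage_aliases(sendmail_t)`, which by its name grants more than the `mta_rw_aliases` it replaces. The comment should be updated, e.g. `# Create, write and delete /etc/aliases and files in /etc/mail.` In the same hunk `userdom_read_user_home_content_files(sendmail_t)` replaces `userdom_dontaudit_search_user_home_dirs(sendmail_t)`, turning a silenced denial into unconditional read access to user home content. If this is for per-user forward files, the line should say so in a comment, and a narrower type for those files would be preferable to all home content.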
@@ -127,24 +163,29 @@ ') optional_policy(` + sasl_connect(sendmail_t) +') + +optional_policy(` + spamd_stream_connect(sendmail_t) +') + +optional_policy(` udev_read_db(sendmail_t) ') -ifdef(`TODO',` -allow sendmail_t etc_mail_t:dir rw_dir_perms; -allow sendmail_t etc_mail_t:file manage_file_perms; -# for the start script to run make -C /etc/mail -allow initrc_t etc_mail_t:dir rw_dir_perms; -allow initrc_t etc_mail_t:file manage_file_perms; -allow system_mail_t initrc_t:fd use; -allow system_mail_t initrc_t:fifo_file write; - -# When sendmail runs as user_mail_domain, it needs some extra permissions -# to update /etc/mail/statistics. -allow user_mail_domain etc_mail_t:file rw_file_perms; +optional_policy(` + uucp_domtrans_uux(sendmail_t) +') -# Silently deny attempts to access /root. -dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; +######################################## +# +# Unconfined sendmail local policy +# Allow unconfined domain to run newalias and have transitions work +# + +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) + unconfined_domain(unconfined_sendmail_t) +') -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.12/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.fc 2009-04-07 16:01:44.000000000 -0400 
@@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.12/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.if 2009-04-07 16:01:44.000000000 -0400 @@ -16,8 +16,8 @@ ') files_search_pids($1) - allow $1 setroubleshoot_var_run_t:sock_file write; - allow $1 setroubleshootd_t:unix_stream_socket connectto; + stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) + allow $1 setroubleshoot_var_run_t:sock_file read; ') ######################################## 
@@ -36,6 +36,69 @@ type setroubleshootd_t, setroubleshoot_var_run_t; ') - dontaudit $1 setroubleshoot_var_run_t:sock_file write; + dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; ') + +######################################## +## +## Send and receive messages from +## setroubleshoot over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_dbus_chat',` + gen_require(` + type setroubleshootd_t; + class dbus send_msg; + ') + + allow $1 setroubleshootd_t:dbus send_msg; + allow setroubleshootd_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate +## an setroubleshoot environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the setroubleshoot domain. +## +## +## +# +interface(`setroubleshoot_admin',` + gen_require(` + type setroubleshootd_t, setroubleshoot_log_t; + type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + type setroubleshoot_initrc_exec_t; + ') + + allow $1 setroubleshootd_t:process { ptrace signal_perms }; + ps_process_pattern($1, setroubleshootd_t) + + init_labeled_script_domtrans($1, setroubleshoot_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 setroubleshoot_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, setroubleshoot_log_t) + + files_list_var_lib($1) + admin_pattern($1, setroubleshoot_var_lib_t) + + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-04-07 16:01:44.000000000 -0400 
@@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) +type setroubleshoot_initrc_exec_t; +init_script_file(setroubleshoot_initrc_exec_t) + type setroubleshoot_var_lib_t; files_type(setroubleshoot_var_lib_t) @@ -27,8 +30,10 @@ # setroubleshootd local policy # -allow setroubleshootd_t self:capability { dac_override sys_tty_config }; -allow setroubleshootd_t self:process { signull signal getattr getsched }; +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t self:process { execmem execstack }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -52,7 +57,10 @@ kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) +kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) +kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) 
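Review bot: `allow setroubleshootd_t self:process { execmem execstack };` (hunk at -27) is granted unconditionally, justified only by the comment about a hypothetical "bad library", to a daemon that holds `dac_override` in the rule just above. These two permissions are the ones that keep a process from running code out of writable memory, so the rule gives that protection up permanently to cover a fault that belongs in the library. I would put the rule behind a boolean that defaults to off. At minimum, drop `execstack` and keep `allow setroubleshootd_t self:process execmem;`, with the comment naming the library and the bug it works around.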
@@ -68,16 +76,24 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) +dev_getattr_all_blk_files(setroubleshootd_t) +dev_getattr_all_chr_files(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) -files_getattr_all_dirs(setroubleshootd_t) +files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) +files_getattr_all_pipes(setroubleshootd_t) +files_getattr_all_sockets(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t) +fs_dontaudit_read_cifs_files(setroubleshootd_t) +fs_list_inotifyfs(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) 
@@ -94,22 +110,24 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) +logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) - -sysnet_read_config(setroubleshootd_t) +seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` dbus_system_bus_client(setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) + dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') optional_policy(` + rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/smartmon.te 2009-04-07 16:01:44.000000000 -0400 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) +ifdef(`enable_mls',` + init_ranged_daemon_domain(fsdaemon_t,fsdaemon_exec_t,mls_systemhigh) +') + ######################################## # # Local policy @@ -26,7 +30,7 @@ allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; dontaudit fsdaemon_t self:capability sys_tty_config; -allow fsdaemon_t self:process signal_perms; +allow fsdaemon_t self:process { signal_perms setfscreate }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; allow fsdaemon_t self:unix_dgram_socket create_socket_perms; allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; @@ -52,6 +56,7 @@ corenet_udp_sendrecv_generic_node(fsdaemon_t) corenet_udp_sendrecv_all_ports(fsdaemon_t) +dev_delete_generic_dirs(fsdaemon_t) dev_read_sysfs(fsdaemon_t) dev_read_urand(fsdaemon_t) 
@@ -67,9 +72,11 @@ mls_file_read_all_levels(fsdaemon_t) +storage_dev_filetrans_fixed_disk(fsdaemon_t) storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) +storage_manage_fixed_disk(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) @@ -80,6 +87,8 @@ miscfiles_read_localization(fsdaemon_t) +selinux_validate_context(fsdaemon_t) + sysnet_dns_name_resolve(fsdaemon_t) userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) @@ -91,6 +100,7 @@ optional_policy(` seutil_sigchld_newrole(fsdaemon_t) + seutil_read_file_contexts(fsdaemon_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.12/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/snmp.fc 2009-04-07 16:01:44.000000000 -0400 @@ -20,5 +20,5 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.12/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/snmp.te 2009-04-07 16:01:44.000000000 -0400 
@@ -71,6 +71,7 @@ corenet_tcp_bind_snmp_port(snmpd_t) corenet_udp_bind_snmp_port(snmpd_t) corenet_sendrecv_snmp_server_packets(snmpd_t) +corenet_tcp_connect_agentx_port(snmpd_t) dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.12/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/snort.te 2009-04-07 16:01:44.000000000 -0400 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) kernel_read_kernel_sysctls(snort_t) +kernel_read_sysctl(snort_t) kernel_list_proc(snort_t) kernel_read_proc_symlinks(snort_t) kernel_dontaudit_read_system_state(snort_t) @@ -70,6 +71,7 @@ corenet_raw_sendrecv_generic_node(snort_t) corenet_tcp_sendrecv_all_ports(snort_t) corenet_udp_sendrecv_all_ports(snort_t) +corenet_tcp_connect_prelude_port(snort_t) dev_read_sysfs(snort_t) dev_read_rand(snort_t) @@ -94,6 +96,13 @@ userdom_dontaudit_use_unpriv_user_fds(snort_t) userdom_dontaudit_search_user_home_dirs(snort_t) +# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager +sysnet_dns_name_resolve(snort_t) + +optional_policy(` + prelude_manage_spool(snort_t) +') + optional_policy(` seutil_sigchld_newrole(snort_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-04-07 16:01:44.000000000 -0400 
@@ -1,15 +1,24 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) +/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/spamd -- gen_context(system_u:object_r:spamassassin_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) +/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.12/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.if 2009-04-07 16:01:44.000000000 -0400 
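Review bot: The changed entry for `/usr/bin/spamd` labels the daemon binary `spamassassin_exec_t`, while `/usr/sbin/spamd` on the following line keeps `spamd_exec_t`. In the spamassassin.te part of this patch `spamassassin_exec_t` becomes an alias of `spamc_exec_t` under `distro_redhat`, and `init_daemon_domain(spamd_t, spamd_exec_t)` is the only daemon entry point visible there, so a spamd installed in /usr/bin would apparently not transition to `spamd_t`. This looks like the spamassassin and spamd lines were swapped during the rename. If so, the entry should stay `/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)`.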
@@ -111,6 +111,7 @@ ') domtrans_pattern($1, spamc_exec_t, spamc_t) + allow $1 spamc_exec_t:file ioctl; ') ######################################## @@ -166,6 +167,7 @@ ') files_search_var_lib($1) + list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') 
@@ -225,3 +227,69 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') + +######################################## +## +## Connect to run spamd. +## +## +## +## Domain allowed to connect. +## +## +# +interface(`spamd_stream_connect',` + gen_require(` + type spamd_t, spamd_var_run_t; + ') + + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + +######################################## +## +## All of the rules required to administrate +## an spamassassin environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the spamassassin domain. +## +## +## +# +interface(`spamassassin_spamd_admin',` + gen_require(` + type spamd_t, spamd_tmp_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; + type spamd_initrc_exec_t; + ') + + allow $1 spamd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, spamd_t, spamd_t) + + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 spamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, spamd_tmp_t) + + logging_list_logs($1) + admin_pattern($1, spamd_log_t) + + files_list_spool($1) + admin_pattern($1, spamd_spool_t) + + files_list_var_lib($1) + admin_pattern($1, spamd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-16 11:03:14.000000000 -0400 
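Review bot: The summary of the new `spamd_stream_connect` interface reads "Connect to run spamd.", which does not describe what the interface grants. `Connect to spamd over a unix stream socket.` matches the `stream_connect_pattern` call in its body. The summary of `spamassassin_spamd_admin` has the same kind of slip ("an spamassassin environment") and could read `a spamassassin environment`.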
@@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) +ifdef(`distro_redhat',` +# spamassassin client executable +type spamc_t; +type spamc_exec_t; +application_domain(spamc_t, spamc_exec_t) +role system_r types spamc_t; + +type spamd_etc_t; +files_config_file(spamd_etc_t) + +typealias spamc_exec_t alias spamassassin_exec_t; +typealias spamc_t alias spamassassin_t; + +type spamc_home_t; +userdom_user_home_content(spamc_home_t) +typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; +typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; + +type spamc_tmp_t; +files_tmp_file(spamc_tmp_t) +typealias spamc_tmp_t alias spamassassin_tmp_t; +typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + +typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +', ` type spamassassin_t; type spamassassin_exec_t; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; @@ -51,11 +80,18 @@ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; files_tmp_file(spamc_tmp_t) ubac_constrained(spamc_tmp_t) +') type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) +type spamd_initrc_exec_t; +init_script_file(spamd_initrc_exec_t) + +type spamd_log_t; +logging_log_file(spamd_log_t) + type spamd_spool_t; files_type(spamd_spool_t) 
@@ -159,6 +195,7 @@ corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_udp_bind_generic_node(spamassassin_t) sysnet_read_config(spamassassin_t) ') @@ -216,16 +253,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; +corenet_all_recvfrom_unlabeled(spamc_t) +corenet_all_recvfrom_netlabel(spamc_t) +corenet_tcp_sendrecv_generic_if(spamc_t) +corenet_tcp_sendrecv_generic_node(spamc_t) +corenet_tcp_connect_spamd_port(spamc_t) + manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) +manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) +userdom_append_user_home_content_files(spamc_t) + # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +spamd_stream_connect(spamc_t) kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) @@ -255,9 +308,15 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) +files_list_var_lib(spamc_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +fs_search_auto_mountpoints(spamc_t) logging_send_syslog_msg(spamc_t) +auth_use_nsswitch(spamc_t) + miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: 
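Review bot: The `manage_*_pattern(spamc_t, spamc_home_t, spamc_home_t)` lines and the `userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, ...)` line added in the @@ -216,16 hunk appear to sit outside any conditional, but the only declaration of `spamc_home_t` visible in this patch is inside the `distro_redhat` branch added at @@ -20,6. If the else branch does not declare the type (it is not shown here), the module will fail to build without `distro_redhat`. Either declare `spamc_home_t` in both branches or wrap these lines in the same `ifdef`. In the same hunk the added `corenet_all_recvfrom_unlabeled(spamc_t)` and `corenet_all_recvfrom_netlabel(spamc_t)` repeat the two context lines that follow `kernel_read_system_state(spamc_t)`, so one copy can be dropped.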
@@ -265,31 +324,35 @@ sysnet_read_config(spamc_t) -# cjp: this should probably be removed: -tunable_policy(`read_default_t',` - files_list_default(spamc_t) - files_read_default_files(spamc_t) - files_read_default_symlinks(spamc_t) - files_read_default_sockets(spamc_t) - files_read_default_pipes(spamc_t) +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamc_t) + fs_manage_nfs_files(spamc_t) + fs_manage_nfs_symlinks(spamc_t) ') -optional_policy(` - # Allow connection to spamd socket above - evolution_stream_connect(spamc_t) +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamc_t) + fs_manage_cifs_files(spamc_t) + fs_manage_cifs_symlinks(spamc_t) ') optional_policy(` - nis_use_ypbind(spamc_t) + # Allow connection to spamd socket above + evolution_stream_connect(spamc_t) ') optional_policy(` - nscd_socket_use(spamc_t) + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) + postfix_rw_local_pipes(spamc_t) ') optional_policy(` + mta_send_mail(spamc_t) mta_read_config(spamc_t) + mta_read_queue(spamc_t) sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) ') ######################################## @@ -301,7 +364,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. -allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; +allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; 
@@ -317,10 +380,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; -allow spamd_t self:netlink_route_socket r_netlink_socket_perms; + +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) +logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) @@ -329,10 +395,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; -read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) +manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) @@ -382,22 +449,27 @@ init_dontaudit_rw_utmp(spamd_t) +auth_use_nsswitch(spamd_t) + logging_send_syslog_msg(spamd_t) miscfiles_read_localization(spamd_t) -sysnet_read_config(spamd_t) -sysnet_use_ldap(spamd_t) -sysnet_dns_name_resolve(spamd_t) - userdom_use_unpriv_users_fds(spamd_t) userdom_search_user_home_dirs(spamd_t) +optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) +') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamd_t) fs_manage_nfs_files(spamd_t) ') tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamd_t) fs_manage_cifs_files(spamd_t) ') @@ -415,6 +487,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) + dcc_signal_client(spamd_t) dcc_stream_connect_dccifd(spamd_t) ') 
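Review bot: Replacing `read_files_pattern` with `manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)` in the @@ -329,10 hunk lets the daemon that parses incoming mail create, modify and delete files labelled `spamd_var_lib_t` (`/var/lib/spamassassin` in the .fc). Other hunks in this patch make those same files readable to `spamc_t` and to callers of the spamassassin.if interface. The comment above the line still says only `# var/lib files for spamd`. If the write access is needed for one kind of file, a comment naming it, or a separate type for the writable part, would keep the rest read-only for `spamd_t`.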
@@ -424,10 +497,6 @@ ') optional_policy(` - nis_use_ypbind(spamd_t) -') - -optional_policy(` postfix_read_config(spamd_t) ') @@ -442,6 +511,10 @@ optional_policy(` razor_domtrans(spamd_t) + razor_read_lib_files(spamd_t) + tunable_policy(`spamd_enable_home_dirs',` + razor_manage_user_home_files(spamd_t) + ') ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.12/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2008-10-08 19:00:27.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/squid.fc 2009-04-07 16:01:44.000000000 -0400 @@ -6,7 +6,11 @@ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) +/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) + /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.12/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/squid.if 2009-04-07 16:01:44.000000000 -0400 
@@ -21,6 +21,25 @@ ######################################## ## +## Execute squid +## +## +## +## The type of the process performing this action. +## +## +# +interface(`squid_exec',` + gen_require(` + type squid_exec_t; + ') + + can_exec($1, squid_exec_t) +') + + +######################################## +## ## Send generic signals to squid. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-07 16:01:44.000000000 -0400 @@ -118,6 +118,9 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) +#squid requires the following when run in diskd mode, the recommended setting +fs_rw_tmpfs_files(squid_t) +fs_list_inotifyfs(squid_t) selinux_dontaudit_getattr_dir(squid_t) @@ -185,8 +188,3 @@ optional_policy(` udev_read_db(squid_t) ') - -ifdef(`TODO',` -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.12/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-04-07 16:01:44.000000000 -0400 
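Review bot: `fs_rw_tmpfs_files(squid_t)` in the squid.te hunk gives squid read and write on files carrying the generic tmpfs type, so it can reach shared-memory files that any other domain leaves with that label. The ssh.te part of this patch covers the equivalent need for sshd with a private `sshd_tmpfs_t`, `manage_files_pattern` and `fs_tmpfs_filetrans`. Doing the same here with a squid-specific type keeps the diskd files confined to squid. The type declaration belongs in the declarations section, which is outside this hunk.

```selinux
# declarations section (outside this hunk)
type squid_tmpfs_t;
files_tmpfs_file(squid_tmpfs_t)

#squid requires the following when run in diskd mode, the recommended setting
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
# … unchanged: fs_list_inotifyfs(squid_t) …
```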
@@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-21 13:22:50.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; + type home_ssh_t; ') ############################## @@ -47,9 +48,6 @@ application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; - type $1_home_ssh_t; - files_type($1_home_ssh_t) - ############################## # # Client local policy @@ -65,8 +63,7 @@ allow $1_ssh_t self:sem create_sem_perms; allow $1_ssh_t self:msgq create_msgq_perms; allow $1_ssh_t self:msg { send receive }; - allow $1_ssh_t self:tcp_socket create_socket_perms; - allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; + allow $1_ssh_t self:tcp_socket create_stream_socket_perms; # for rsync allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; 
@@ -93,20 +90,21 @@ ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config - manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) - manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) - manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) + manage_files_pattern($2, home_ssh_t, home_ssh_t) + manage_lnk_files_pattern($2, home_ssh_t, home_ssh_t) + manage_sock_files_pattern($2, home_ssh_t, home_ssh_t) # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) - read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) + manage_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t) + read_lnk_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t) # ssh servers can read the user keys and config - allow ssh_server $1_home_ssh_t:dir list_dir_perms; - read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) - read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) + allow ssh_server home_ssh_t:dir list_dir_perms; + read_files_pattern(ssh_server, home_ssh_t, home_ssh_t) + read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t) kernel_read_kernel_sysctls($1_ssh_t) + kernel_read_system_state($1_ssh_t) corenet_all_recvfrom_unlabeled($1_ssh_t) corenet_all_recvfrom_netlabel($1_ssh_t) @@ -115,6 +113,8 @@ corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_tcp_bind_generic_node($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) dev_read_urand($1_ssh_t) @@ -132,6 +132,10 @@ files_read_etc_runtime_files($1_ssh_t) files_read_etc_files($1_ssh_t) files_read_var_files($1_ssh_t) + # Required for FreeNX + files_read_var_lib_symlinks($1_t) + + auth_use_nsswitch($1_ssh_t) logging_send_syslog_msg($1_ssh_t) logging_read_generic_logs($1_ssh_t) 
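Review bot: `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` in the @@ -115,6 hunk lets every ssh client domain listen on any unreserved TCP port unconditionally, and the same pair of bind lines is added for `ssh_t` in ssh.te at @@ -139,6. In ssh.te the `user_tcp_server` tunable, commented `# for port forwarding`, already gates `corenet_tcp_bind_ssh_port(ssh_t)`. This patch adds `corenet_tcp_bind_generic_node(ssh_t)` inside that tunable even though the new unconditional line already grants it. If the new binds exist for port forwarding, putting both lines inside the tunable keeps the administrator's switch meaningful. If they serve another purpose, a comment should say which.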
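Review bot: `files_read_var_lib_symlinks($1_t)` in the @@ -132,6 hunk is the only line in this block that names `$1_t`. Every neighbouring line grants to `$1_ssh_t`, and the calling domain is passed as `$2` in the @@ -93,20 hunk. As written the rule depends on a type called `<prefix>_t` existing and grants the access to that type rather than to the ssh client domain. If the FreeNX case needs the client to follow the symlinks the line should be `files_read_var_lib_symlinks($1_ssh_t)`, and if it is the caller, `files_read_var_lib_symlinks($2)`. The enclosing template starts before this hunk, so its parameter documentation is not visible here.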
@@ -140,9 +144,6 @@ seutil_read_config($1_ssh_t) - sysnet_read_config($1_ssh_t) - sysnet_dns_name_resolve($1_ssh_t) - tunable_policy(`read_default_t',` files_list_default($1_ssh_t) files_read_default_files($1_ssh_t) @@ -154,14 +155,6 @@ optional_policy(` kerberos_use($1_ssh_t) ') - - optional_policy(` - nis_use_ypbind($1_ssh_t) - ') - - optional_policy(` - nscd_socket_use($1_ssh_t) - ') ') ####################################### @@ -194,13 +187,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:process { signal setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) @@ -214,6 +208,7 @@ allow $1_t sshd_key_t:file read_file_perms; kernel_read_kernel_sysctls($1_t) + kernel_read_network_state($1_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) @@ -229,7 +224,12 @@ corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) + corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) fs_dontaudit_getattr_all_fs($1_t) 
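Review bot: The server template now grants `net_admin` (@@ -194,13) and `corenet_rw_tun_tap_dev($1_t)` (@@ -229,7) to every ssh server domain unconditionally. The added comment ties both to the tunnel feature (`-w`), which sshd only serves when PermitTunnel is enabled, and that option is off by default. Moving the capability and the tun/tap access behind a tunable that defaults to off would keep them away from servers that never tunnel. The @@ -229,7 hunk also adds a second `corenet_sendrecv_ssh_server_packets($1_t)` just above the existing one, and the added copy can be dropped. The template body starts and ends outside these hunks.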
@@ -254,9 +254,14 @@ userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) + + # Allow checking users mail at login + mta_getattr_spool($1_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) + fs_read_nfs_symlinks($1_t) ') tunable_policy(`use_samba_home_dirs',` @@ -265,11 +270,7 @@ optional_policy(` kerberos_use($1_t) - ') - - optional_policy(` - # Allow checking users mail at login - mta_getattr_spool($1_t) + kerberos_manage_host_rcache($1_t) ') optional_policy(` @@ -454,6 +455,24 @@ ######################################## ## +## Send a generic signal to the ssh server. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_signal',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process signal; +') + +######################################## +## ## Read a ssh server unnamed pipe. ## ## @@ -611,3 +630,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') + +####################################### +## +## Delete from the ssh temp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_delete_tmp',` + gen_require(` + type sshd_tmp_t; + ') + + files_search_tmp($1) + delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) +') + +######################################## +## +## Execute the ssh agent client in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_agent_exec',` + gen_require(` + type ssh_agent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ssh_agent_exec_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-04-07 16:01:44.000000000 -0400 
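Review bot: `userdom_read_user_home_content_files($1_t)` in the @@ -254,9 hunk gives every domain built from the server template read access to general user home content, not only to `home_ssh_t`, and the same grant is added for `sshd_t` in ssh.te at @@ -318,16. The template already lets `ssh_server` read keys and config through `home_ssh_t`, so a comment naming the file that needs the wider rule, or a narrower interface for it, would help. The same hunk moves `mta_getattr_spool($1_t)` out of the `optional_policy` block removed at @@ -265,11, which makes the mta module a hard build dependency of this template. Keeping the call wrapped in `optional_policy` avoids that.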
@@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) +type sshd_tmpfs_t; +files_tmpfs_file(sshd_tmpfs_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') @@ -75,7 +78,7 @@ ubac_constrained(ssh_tmpfs_t) type home_ssh_t; -typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; +typealias home_ssh_t alias { ssh_home_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) @@ -95,8 +98,7 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; -allow ssh_t self:tcp_socket create_socket_perms; -allow ssh_t self:netlink_route_socket r_netlink_socket_perms; +allow ssh_t self:tcp_socket create_stream_socket_perms; # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; @@ -115,6 +117,7 @@ manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) +userdom_stream_connect(ssh_t) # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) @@ -131,6 +134,7 @@ read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t) kernel_read_kernel_sysctls(ssh_t) +kernel_read_system_state(ssh_t) corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) @@ -139,6 +143,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +corenet_tcp_bind_all_unreserved_ports(ssh_t) dev_read_urand(ssh_t) 
@@ -160,19 +166,19 @@ logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) +auth_use_nsswitch(ssh_t) + miscfiles_read_localization(ssh_t) seutil_read_config(ssh_t) -sysnet_read_config(ssh_t) -sysnet_dns_name_resolve(ssh_t) - userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) # needs to read krb tgt userdom_read_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) @@ -202,23 +208,13 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) -') - -optional_policy(` - kerberos_use(ssh_t) -') - -optional_policy(` - nis_use_ypbind(ssh_t) -') - -optional_policy(` - nscd_socket_use(ssh_t) + corenet_tcp_bind_generic_node(ssh_t) ') optional_policy(` xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) xserver_domtrans_xauth(ssh_t) + xserver_stream_connect(ssh_t) ') ######################################## @@ -310,6 +306,8 @@ kernel_search_key(sshd_t) kernel_link_key(sshd_t) +fs_list_inotifyfs(sshd_t) + term_use_all_user_ptys(sshd_t) term_setattr_all_user_ptys(sshd_t) term_relabelto_all_user_ptys(sshd_t) 
@@ -318,16 +316,30 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +userdom_search_admin_dir(sshd_t) + +manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t) +fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to # display the tty. # some versions of sshd on the new SE Linux require setattr - userdom_spec_domtrans_all_users(sshd_t) userdom_signal_all_users(sshd_t) -',` +') + userdom_spec_domtrans_unpriv_users(sshd_t) userdom_signal_unpriv_users(sshd_t) + +optional_policy(` + kerberos_keytab_template(sshd, sshd_t) +') + +optional_policy(` + xserver_getattr_xauth(sshd_t) ') optional_policy(` @@ -349,7 +361,11 @@ ') optional_policy(` - unconfined_domain(sshd_t) + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') + +optional_policy(` unconfined_shell_domtrans(sshd_t) ') @@ -408,6 +424,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) +auth_use_nsswitch(ssh_keygen_t) + logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/sssd.fc 2009-04-07 16:01:44.000000000 -0400 
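Review bot: After the @@ -318,16 hunk the `ssh_sysadm_login` tunable contains only `userdom_signal_all_users(sshd_t)`, but the three comment lines kept inside it still describe relabeling and pty access that the block no longer grants. The former else branch (`userdom_spec_domtrans_unpriv_users(sshd_t)`, `userdom_signal_unpriv_users(sshd_t)`) is now unconditional. Whether another rule still makes the sysadm transition depend on this tunable is not visible here. The comment should be replaced with one that matches the remaining rule, for example `# let sshd signal all user domains, not only unprivileged ones`. If the tunable no longer controls the login transition, its description in the declarations section should be updated as well.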
@@ -0,0 +1,6 @@ + +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + +/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.12/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/sssd.if 2009-04-07 16:01:44.000000000 -0400 
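Review bot: The paths `/etc/rc.d/init.d/sssd` and `/var/run/sssd.pid` leave their dots unescaped, so as regular expressions each `.` matches any character. Other .fc entries in this patch escape them, for example `/etc/rc\.d/init\.d/spamd` and `/var/run/snmpd\.pid`. Writing `/etc/rc\.d/init\.d/sssd` and `/var/run/sssd\.pid` keeps the init-script and PID-file labels on exactly those paths.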
@@ -0,0 +1,249 @@ + +## policy for sssd + +######################################## +## +## Execute a domain transition to run sssd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sssd_domtrans',` + gen_require(` + type sssd_t; + type sssd_exec_t; + ') + + domtrans_pattern($1,sssd_exec_t,sssd_t) +') + + +######################################## +## +## Execute sssd server in the sssd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`sssd_initrc_domtrans',` + gen_require(` + type sssd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1,sssd_initrc_exec_t) +') + +######################################## +## +## Read sssd PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_pid_files',` + gen_require(` + type sssd_var_run_t; + ') + + files_search_pids($1) + allow $1 sssd_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage sssd var_run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_manage_var_run',` + gen_require(` + type sssd_var_run_t; + ') + + manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t) + manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t) + manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t) +') + + +######################################## +## +## Search sssd lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_search_lib',` + gen_require(` + type sssd_var_lib_t; + ') + + allow $1 sssd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read sssd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_read_lib_files',` + gen_require(` + type sssd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## sssd lib files. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_manage_lib_files',` + gen_require(` + type sssd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') + +######################################## +## +## Manage sssd var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_manage_var_lib',` + gen_require(` + type sssd_var_lib_t; + ') + + manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t) + manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) + manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) +') + + +######################################## +## +## Send and receive messages from +## sssd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_dbus_chat',` + gen_require(` + type sssd_t; + class dbus send_msg; + ') + + allow $1 sssd_t:dbus send_msg; + allow sssd_t $1:dbus send_msg; +') + + +######################################## +## +## Connect to sssd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`sssd_stream_connect',` + gen_require(` + type sssd_t, sssd_var_lib_t; + ') + + files_search_pids($1) + write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + allow $1 sssd_t:unix_stream_socket connectto; +') + +######################################## +## +## All of the rules required to administrate +## an sssd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the sssd domain. +## +## +## +## +## The type of the user terminal. 
+## +## +## +# +interface(`sssd_admin',` + gen_require(` + type sssd_t; + ') + + allow $1 sssd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, sssd_t, sssd_t) + + + gen_require(` + type sssd_initrc_exec_t; + ') + + # Allow sssd_t to restart the apache service + sssd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; + + sssd_manage_var_run($1) + + sssd_manage_var_lib($1) + +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-14 08:14:52.000000000 -0400 
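Review bot: `sssd_stream_connect` in this hunk calls `files_search_pids($1)`, but the socket it then writes to is labelled `sssd_var_lib_t`, which sssd.fc places under `/var/lib/sss`. The caller is therefore given search on the wrong parent directory. `files_search_var_lib($1)`, as used by `sssd_read_lib_files`, matches the socket location. In `sssd_admin` the comment `# Allow sssd_t to restart the apache service` is left over from another module and should read `# Allow $1 to restart the sssd service`. Its header also documents a third "user terminal" parameter that the body never uses.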
@@ -0,0 +1,70 @@
+policy_module(sssd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
+
+permissive sssd_t;
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+
+########################################
+#
+# sssd local policy
+#
+allow sssd_t self:capability sys_nice;
+allow sssd_t self:process { setsched signal getsched };
+allow sssd_t tmp_t:dir { read getattr open };
+
+# Init script handling
+domain_use_interactive_fds(sssd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow sssd_t self:process signal;
+allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
+
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
+kernel_read_system_state(sssd_t)
+
+files_list_tmp(sssd_t)
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
+miscfiles_read_localization(sssd_t)
+
+optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.12/policy/modules/services/tftp.if
--- 
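Review bot: `permissive sssd_t;` in the declarations of the new sssd.te leaves the domain unenforced, so every rule below it only shapes audit output; the same statement appears in the new ulogd.te (`permissive ulogd_t;`) and is added to virt.te (`permissive virtd_t;`). For a daemon that is given `auth_domtrans_chk_passwd` and `auth_domtrans_upd_passwd`, I would mark it as temporary with a comment such as `# FIXME: drop permissive once AVC denials have been triaged` so it is not shipped indefinitely. Separately, `allow sssd_t tmp_t:dir { read getattr open };` names `tmp_t` directly from another module and looks redundant with the later `files_list_tmp(sssd_t)`, so the raw rule can go. The second `allow sssd_t self:process signal;` is already covered by the `{ setsched signal getsched }` rule above it.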
nsaserefpolicy/policy/modules/services/tftp.if 2008-11-11 16:13:45.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/tftp.if 2009-04-07 16:01:44.000000000 -0400 @@ -2,6 +2,24 @@ ######################################## ## +## Read tftp content +## +## +## +## Domain allowed access. +## +## +# +interface(`tftp_read_content',` + gen_require(` + type tftpdir_t; + ') + + read_files_pattern($1, tftpdir_t, tftpdir_t) +') + +######################################## +## ## All of the rules required to administrate ## an tftp environment ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.12/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/tor.te 2009-04-07 16:01:44.000000000 -0400 @@ -34,7 +34,7 @@ # tor local policy # -allow tor_t self:capability { setgid setuid }; +allow tor_t self:capability { setgid setuid sys_tty_config }; allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.12/policy/modules/services/ulogd.fc --- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ulogd.fc 2009-04-07 16:01:44.000000000 -0400 
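Review bot: The tor.te hunk adds `sys_tty_config` to `allow tor_t self:capability { setgid setuid sys_tty_config };` with no comment on what needs it. If the denial came only from a terminal probe at start-up (the hunk does not show the cause), `dontaudit tor_t self:capability sys_tty_config;` would silence it without widening the capability set of a network-facing daemon. Otherwise a one-line comment naming the operation that requires it would help later review.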
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+
+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+
+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.12/policy/modules/services/ulogd.if
--- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-07 16:01:44.000000000 -0400 
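Review bot: `/etc/ulogd.conf` in ulogd.fc leaves the dot unescaped although the entry above it writes `/etc/rc\.d/init\.d/ulogd`; file-context paths are regular expressions, so the pattern also matches any other character in that position. I would write `/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)`. The same applies to `HOME_DIR/.virtinst(/.*)?` in the virt.fc hunk and `/var/run/video.rom` in the xserver.fc hunk of this patch.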
@@ -0,0 +1,127 @@ +## policy for ulogd + +######################################## +## +## Execute a domain transition to run ulogd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ulogd_domtrans',` + gen_require(` + type ulogd_t, ulogd_exec_t; + ') + + domtrans_pattern($1,ulogd_exec_t,ulogd_t) +') + +######################################## +## +## Allow the specified domain to read +## ulogd configuration files. +## +## +## +## Domain allowed access. +## +## +## +## +# +interface(`ulogd_read_config',` + gen_require(` + type ulogd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) +') + +######################################## +## +## Allow the specified domain to read ulogd's log files. +## +## +## +## Domain allowed access. +## +## +## +## +# +interface(`ulogd_read_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir list_dir_perms; + read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) +') + +######################################## +## +## Allow the specified domain to append to ulogd's log files. +## +## +## +## Domain allowed access. +## +## +## +## +# +interface(`ulogd_append_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir list_dir_perms; + allow $1 ulogd_var_log_t:file append_file_perms; +') + +######################################## +## +## All of the rules required to administrate +## an ulogd environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the syslog domain. 
+## +## +## +# +interface(`ulogd_admin',` + gen_require(` + type ulogd_t, ulogd_etc_t; + type ulogd_var_log_t, ulogd_initrc_exec_t; + type ulogd_modules_t; + ') + + allow $1 ulogd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ulogd_t) + + init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ulogd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, ulogd_etc_t) + + logging_list_logs($1) + admin_pattern($1, ulogd_var_log_t) + + files_search_usr($1) + admin_pattern($1, ulogd_modules_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.12/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ulogd.te 2009-04-07 16:01:44.000000000 -0400 
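Review bot: The `ulogd_admin` header describes its second parameter as "The role to be allowed to manage the syslog domain", which looks copied from another module; it should read `The role to be allowed to manage the ulogd domain.`. The interface also grants `ptrace` on the daemon in `allow $1 ulogd_t:process { ptrace signal_perms };`. If administrators only need to signal and inspect the process, `allow $1 ulogd_t:process signal_perms;` together with the existing `ps_process_pattern($1, ulogd_t)` would be narrower; if ptrace is intended for debugging, a comment saying so would make that explicit.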
@@ -0,0 +1,51 @@ +policy_module(ulogd,1.0.0) + +######################################## +# +# Declarations +# + +type ulogd_t; +type ulogd_exec_t; +init_daemon_domain(ulogd_t, ulogd_exec_t) + +type ulogd_initrc_exec_t; +init_script_file(ulogd_initrc_exec_t) + +# /usr/lib files +type ulogd_modules_t; +files_type(ulogd_modules_t) + +# config files +type ulogd_etc_t; +files_type(ulogd_etc_t) + +# log files +type ulogd_var_log_t; +logging_log_file(ulogd_var_log_t) + +######################################## + +# +# ulogd local policy +# + +allow ulogd_t self:capability net_admin; +allow ulogd_t self:netlink_nflog_socket create_socket_perms; + +# config files +read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) + +# modules for ulogd +list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t) +mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) + +# log files +manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) +logging_log_filetrans(ulogd_t,ulogd_var_log_t, file ) + +files_search_etc(ulogd_t) + +miscfiles_read_localization(ulogd_t) + +permissive ulogd_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/uucp.te 2009-04-07 16:01:44.000000000 -0400 @@ -129,6 +129,7 @@ optional_policy(` mta_send_mail(uux_t) mta_read_queue(uux_t) + sendmail_rw_unix_stream_sockets(uux_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/virt.fc 2009-04-07 16:01:44.000000000 -0400 
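Review bot: In the new ulogd.te, `ulogd_etc_t` is declared with `files_type(ulogd_etc_t)` under the `# config files` comment, while virt.te in this same patch declares its configuration type with `files_config_file(virt_etc_t)`. Using `files_config_file(ulogd_etc_t)` would be consistent and presumably places the type under whatever generic configuration-file rules the base policy defines. The `allow ulogd_t self:capability net_admin;` rule would also benefit from a one-line comment naming the operation that needs it.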
@@ -8,5 +8,16 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.12/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-20 08:00:16.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## ## -## Make the specified type usable as a virt image -## -## -## -## Type to be used as a virtual image -## -## -# -interface(`virt_image',` - gen_require(` - attribute virt_image_type; - ') - - typeattribute $1 virt_image_type; - files_type($1) - - # virt images can be assigned to blk devices - dev_node($1) -') - -######################################## -## ## Execute a domain transition to run virt. ## ## @@ -117,12 +95,12 @@ ') files_search_pids($1) - allow $1 virt_var_run_t:file read_file_perms; + read_files_pattern($1, virt_var_run_t, virt_var_run_t) ') ######################################## ## -## Manage virt pid files. +## Manage virt PID files. ## ## ## 
@@ -135,6 +113,7 @@ type virt_var_run_t; ') + files_search_pids($1) manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ') @@ -272,11 +251,7 @@ ') virt_search_lib($1) - allow $1 virt_image_t:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_t, virt_image_t) - manage_files_pattern($1, virt_image_t, virt_image_t) - read_lnk_files_pattern($1, virt_image_t, virt_image_t) - rw_blk_files_pattern($1, virt_image_t, virt_image_t) + virtual_manage_image($1) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) @@ -293,6 +268,41 @@ ######################################## ## +## Allow domain to manage virt image files +## +## +## +## Domain to not audit. +## +## +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + rw_blk_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## ## All of the rules required to administrate ## an virt environment ## 
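Review bot: `virt_read_content` calls `rw_blk_files_pattern($1, virt_content_t, virt_content_t)`, which gives write access to block devices labelled `virt_content_t` from an interface whose name and other rules (`read_files_pattern`, `read_lnk_files_pattern`, `fs_read_nfs_files`) are read-only. If callers only need to read ISO and boot content, `read_blk_files_pattern($1, virt_content_t, virt_content_t)` is the narrower rule. The header needs correcting as well: the summary says "Allow domain to manage virt image files" and the parameter says "Domain to not audit", where `Allow domain to read virt content files` and `Domain allowed access.` would match what the interface does. The `allow $1 virt_content_t:dir list_dir_perms;` line looks redundant with the `list_dirs_pattern` call directly below it.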
@@ -327,3 +337,53 @@ virt_manage_log($1) ') + +######################################## +## +## Creates types and rules for a basic +## qemu process domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`virt_domain_template',` + + type $1_t; + virtual_domain($1_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + + type $1_image_t; + virtual_image($1_image_t) + + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) + rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + fs_getattr_tmpfs($1_t) + + fs_read_noxattr_fs_files($1_t) + fs_dontaudit_write_noxattr_fs_files($1_t) + + optional_policy(` + xserver_common_app($1_t) + ') +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-20 07:48:51.000000000 -0400 @@ -8,19 +8,24 @@ ## ##

-## Allow virt to manage nfs files +## Allow svirt to manage nfs files ##

##
gen_tunable(virt_use_nfs, false) ## ##

-## Allow virt to manage cifs files +## Allow svirt to manage cifs files ##

##
gen_tunable(virt_use_samba, false) -attribute virt_image_type; +## +##

+## Allow svirt to user serial/parallell communication ports +##

+##
+gen_tunable(virt_use_comm, false) type virt_etc_t; files_config_file(virt_etc_t) @@ -29,8 +34,12 @@ files_type(virt_etc_rw_t) # virt Image files -type virt_image_t, virt_image_type; # customizable -virt_image(virt_image_t) +type virt_image_t; # customizable +virtual_image(virt_image_t) + +# virt Image files +type virt_content_t; +virtual_image(virt_content_t) type virt_log_t; logging_log_file(virt_log_t) @@ -48,17 +57,39 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh) +') + +virt_domain_template(svirt) +role system_r types svirt_t; + +type svirt_cache_t; +files_type(svirt_cache_t) + +type svirt_var_run_t; +files_pid_file(svirt_var_run_t) + ######################################## # # virtd local policy # -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -allow virtd_t self:process { getsched sigkill signal execmem }; +allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:process { getsched sigkill signal signull execmem setexec setfscreate setsched }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; +manage_files_pattern(virtd_t, virt_image_t, virt_image_t) +manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t) +allow virtd_t virt_image_t:file { relabelfrom relabelto }; +allow virtd_t virt_image_t:blk_file { relabelfrom relabelto }; + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) 
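Review bot: The description of the new `virt_use_comm` boolean reads "Allow svirt to user serial/parallell communication ports"; it should be `Allow svirt to use serial/parallel communication ports`. This text is the only explanation an administrator gets when deciding whether to enable the boolean, so it is worth getting right in the same commit.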
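Review bot: The `virtd_t` capability rule in the `@@ -48,17 +57,39 @@` hunk grows from six to twelve capabilities, adding `chown`, `ipc_lock`, `mknod`, `net_raw`, `setuid` and `sys_admin`, and the process rule gains `setexec`, `setfscreate`, `setsched` and `signull`, all without a comment on which operation needs them. Because `sys_admin` and `mknod` are broad, I would split the rule into groups with a comment line above each, for example `# sys_admin, mknod: <operation that requires them>`, so a later reviewer can tell which ones are safe to remove. The local-policy section continues past the end of this hunk.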
@@ -67,7 +98,11 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +virtual_manage_image(virtd_t) +virtual_image_relabel(virtd_t) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) @@ -86,6 +121,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) +kernel_search_debugfs(virtd_t) corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) @@ -96,7 +132,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) -#corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) 
@@ -104,21 +140,39 @@ dev_read_sysfs(virtd_t) dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) # Init script handling domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) +files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) -files_list_kernel_modules(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_etc_files(virtd_t) + +modutils_read_module_deps(virtd_t) fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) storage_raw_write_removable_device(virtd_t) storage_raw_read_removable_device(virtd_t) +seutil_read_default_contexts(virtd_t) + term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) @@ -129,6 +183,13 @@ logging_send_syslog_msg(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) + +virtual_transition(virtd_t) + +userdom_dontaudit_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_search_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` 
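Review bot: `files_manage_etc_files(virtd_t)` is added under the comment "Manages /etc/sysconfig/system-config-firewall", but the interface name covers generic etc files as a whole rather than that one file. Giving the firewall file its own type with a file-context entry, and granting `virtd_t` manage access to that type alone, would keep the daemon from rewriting unrelated configuration. The hunk also adds a second `files_read_usr_files(virtd_t)` two lines below the existing one, which can be dropped.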
@@ -167,22 +228,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) + dnsmasq_read_pid_files(virtd_t) + dnsmasq_signull(virtd_t) ') optional_policy(` iptables_domtrans(virtd_t) ') -#optional_policy(` -# polkit_domtrans_auth(virtd_t) -# polkit_domtrans_resolve(virtd_t) -#') +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) +') + +optional_policy(` + lvm_domtrans(virtd_t) +') optional_policy(` - qemu_domtrans(virtd_t) + polkit_domtrans_auth(virtd_t) + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) +') + +optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) qemu_kill(virtd_t) + qemu_setsched(virtd_t) ') optional_policy(` 
@@ -198,5 +271,80 @@ ') optional_policy(` - unconfined_domain(virtd_t) + udev_domtrans(virtd_t) +') + +#optional_policy(` +# unconfined_domain(virtd_t) +#') + +manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) + +permissive virtd_t; + +######################################## +# +# svirt local policy +# +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) + +manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) + +allow svirt_t svirt_image_t:dir search_dir_perms; +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) + +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_t, virt_content_t, virt_content_t) +dontaudit svirt_t virt_content_t:file write_file_perms; +dontaudit svirt_t virt_content_t:dir write; + +storage_raw_write_removable_device(svirt_t) +storage_raw_read_removable_device(svirt_t) + +userdom_search_user_home_content(svirt_t) +userdom_read_all_users_state(svirt_t) + +append_files_pattern(svirt_t, virt_log_t, virt_log_t) + +allow svirt_t self:udp_socket create_socket_perms; + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(svirt_t) + dev_rw_printer(svirt_t) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_t) + fs_manage_nfs_files(svirt_t) +') + +tunable_policy(`virt_use_samba',` + 
fs_manage_cifs_dirs(svirt_t) + fs_manage_cifs_files(svirt_t) +') + +optional_policy(` + samba_domtrans_smb(svirt_t) +') + +optional_policy(` + xen_rw_image_files(svirt_t) +') + +optional_policy(` + xen_rw_image_files(svirt_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/w3c.te 2009-04-07 16:01:44.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) +type httpd_w3c_validator_tmp_t; +files_tmp_file(httpd_w3c_validator_tmp_t) + ######################################## # # Local policy # +manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) +manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) +files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) + corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/xserver.fc 2009-04-07 16:01:44.000000000 -0400 
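Review bot: The svirt local policy lets the guest domain bind any port through `corenet_udp_bind_all_ports(svirt_t)` and `corenet_tcp_bind_all_ports(svirt_t)`, and grants `storage_raw_write_removable_device(svirt_t)` unconditionally while serial and printer access sits behind `virt_use_comm`. I would put the raw removable-device rules behind a boolean in the same way and narrow the bind rules to the port types guests actually need, which the hunk does not identify. The two identical `optional_policy` blocks calling `xen_rw_image_files(svirt_t)` at the end can be collapsed into one.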
@@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) +/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev # @@ -32,11 +36,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) -ifdef(`distro_redhat',` -/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -') - # # /opt # @@ -61,6 +60,7 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) 
@@ -89,16 +89,26 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + +/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-15 07:58:56.000000000 -0400 
@@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; - xserver_common_x_domain_template(user, $2) + xserver_common_app($2) ############################## # @@ -115,7 +115,8 @@ # write: gnome-settings-daemon RANDR:SelectInput # setattr: gnome-settings-daemon X11:GrabKey # manage: metacity X11:ChangeWindowAttributes - allow $2 rootwindow_t:x_drawable { read write manage setattr }; + allow $2 rootwindow_t:x_drawable { read write manage get_property getattr setattr }; + allow $2 $2:x_drawable all_x_drawable_perms; # setattr: metacity X11:InstallColormap allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; @@ -156,7 +157,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; + allow $1 xserver_tmp_t:file read_file_perms; # Client read xserver shm allow $1 xserver_t:fd use; @@ -219,12 +220,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file - allow $1 xauth_home_t:file { getattr read }; - allow $1 iceauth_home_t:file { getattr read }; + allow $1 xauth_home_t:file read_file_perms; + allow $1 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file { getattr read write ioctl }; + allow $1 xdm_t:fifo_file rw_fifo_file_perms; allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; @@ -278,7 +279,6 @@ type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; - attribute x_domain; attribute xproperty_type; attribute xevent_type; attribute input_xevent_type; @@ -287,6 +287,8 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; + class x_selection all_x_selection_perms; + type xselection_t; ') ############################## 
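Review bot: `allow $2 $2:x_drawable all_x_drawable_perms;` in the `@@ -115,7 +115,8 @@` hunk uses the argument as both source and target, and the later hunk at `@@ -397,11 +392,12 @@` rewrites three `allow $2 self:...` rules the same way. For a single type the two forms are equivalent, but if a caller passes an attribute, `$2 $2` lets every member act on every other member's objects, whereas `self` keeps each domain to its own. I would write `allow $2 self:x_drawable all_x_drawable_perms;` and leave the `self:shm`, `self:unix_dgram_socket` and `self:unix_stream_socket` rules as they were. The enclosing interfaces start outside these hunks, so how they are called is not visible here.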
@@ -294,20 +296,11 @@ # Local Policy # - # Type attributes - typeattribute $2 x_domain; - # X Properties # can read and write client properties allow $2 $1_xproperty_t:x_property { create destroy read write append }; type_transition $2 xproperty_t:x_property $1_xproperty_t; - # X Windows - # new windows have the domain type - type_transition $2 rootwindow_t:x_drawable $2; - - # X Input - # can receive own events allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; @@ -320,8 +313,10 @@ type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; type_transition $2 client_xevent_t:x_event $1_client_xevent_t; type_transition $2 xevent_t:x_event $1_default_xevent_t; - # can send ICCCM events to myself + allow $2 $1_manage_xevent_t:x_synthetic_event send; + + xserver_common_app($2) ') ####################################### @@ -397,11 +392,12 @@ gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + class x_screen all_x_screen_perms; ') - allow $2 self:shm create_shm_perms; - allow $2 self:unix_dgram_socket create_socket_perms; - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; + allow $2 $2:shm create_shm_perms; + allow $2 $2:unix_dgram_socket create_socket_perms; + allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; @@ -409,7 +405,7 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_t:fifo_file rw_fifo_file_perms; allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; 
@@ -437,6 +433,10 @@ allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + + allow $2 xserver_t:x_screen { saver_hide saver_show }; + + xserver_use_xdm($2) ') ######################################## @@ -639,7 +639,7 @@ type xdm_t; ') - allow $1 xdm_t:fifo_file { getattr read write }; + allow $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## @@ -738,6 +738,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + allow $1 xdm_tmp_t:sock_file unlink; ') ######################################## @@ -756,7 +757,26 @@ ') files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) +') + +######################################## +## +## Manage XDM pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xdm_pid',` + gen_require(` + type xdm_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ') ######################################## @@ -779,6 +799,50 @@ ######################################## ## +## Read XDM var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xdm_lib_files',` + gen_require(` + type xdm_var_lib_t; + ') + + manage_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) + read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) +') + +######################################## +## +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the xserver domain. +## +## +# +interface(`xserver_run',` + gen_require(` + type xserver_t; + ') + + xserver_domtrans($1) + role $2 types xserver_t; +') + +######################################## +## ## Make an X session script an entrypoint for the specified domain. ## ## 
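Review bot: `xserver_manage_xdm_lib_files` in the `@@ -779,6 +799,50 @@` hunk is documented as "Read XDM var lib files." but calls `manage_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)`, so a caller relying on the summary grants create, write and unlink without realising it. The summary should read `Manage XDM var lib files.`, or a separate read-only interface should be provided for callers that only need to read. In the same hunk the `xserver_run` summary has "xsever" for "xserver".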
@@ -872,6 +936,27 @@ ######################################## ## +## Allow append the xdm +## log files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_xdm_append_log',` + gen_require(` + type xdm_log_t; + attribute xdmhomewriter; + ') + + typeattribute $1 xdmhomewriter; + append_files_pattern($1, xdm_log_t, xdm_log_t) +') + +######################################## +## ## Do not audit attempts to write the X server ## log files. ## @@ -1018,10 +1103,11 @@ # interface(`xserver_domtrans',` gen_require(` - type xserver_t, xserver_exec_t; + type xserver_t, xserver_exec_t, xdm_t; ') allow $1 xserver_t:process siginh; + allow xdm_t $1:process sigchld; domtrans_pattern($1, xserver_exec_t, xserver_t) ') 
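Review bot: `xserver_xdm_append_log` in the `@@ -872` hunk does two things its documentation does not state. The parameter is described as "Domain to not audit" although the body is an allow (`append_files_pattern`), and `typeattribute $1 xdmhomewriter;` silently enrolls the caller in an attribute that xserver.te in this same patch grants `fs_append_nfs_files` and `fs_append_cifs_files` under the home-directory tunables. Describe the parameter as `## Domain allowed access.` and put a comment above the typeattribute line, for example `# members of xdmhomewriter may also append to NFS/CIFS home dirs when those tunables are on`.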
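Review bot: `allow xdm_t $1:process sigchld;` in the `@@ -1018` hunk places an xdm_t-specific grant inside the generic `xserver_domtrans` interface, so every domain that calls it becomes a SIGCHLD target of xdm_t whether or not xdm is involved in starting the server. The line carries no comment, and the child-to-parent signal for `xserver_t` is presumably already covered by `domtrans_pattern`. If this is needed for one launch path only, it would read more clearly in xserver.te beside the other `allow xdm_t ...:process` rules, or at least with a comment naming that path.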
@@ -1159,6 +1245,275 @@ ######################################## ## +## Read xserver files created in /var/run +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## +## Execute xserver files created in /var/run +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_exec_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## +## Write xserver files created in /var/run +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_write_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## +## Read user homedir fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`xserver_manage_home_fonts',` + gen_require(` + type user_fonts_t; + type user_fonts_config_t; + ') + + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_t, user_fonts_t) + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') + +######################################## +## +## Read user homedir fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`xserver_read_home_fonts',` + gen_require(` + type user_fonts_t; + ') + + read_files_pattern($1, user_fonts_t, user_fonts_t) + read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) +') + +######################################## +## +## write to .xsession-errors file +## +## +## +## Domain allowed access. 
+## +## +# +interface(`xserver_rw_xdm_home_files',` + gen_require(` + type xdm_home_t; + ') + + allow $1 xdm_home_t:file rw_file_perms; +') + +######################################## +## +## Dontaudit write to .xsession-errors file +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_dontaudit_rw_xdm_home_files',` + gen_require(` + type xdm_home_t; + ') + + dontaudit $1 xdm_home_t:file rw_file_perms; +') + + +####################################### +## +## Interface to provide X object permissions on a given X server to +## an X client domain. Provides the minimal set required by a basic +## X client application. +## +## +## +## Client domain allowed access. +## +## +# +interface(`xserver_use_xdm',` + gen_require(` + type xdm_t, xdm_tmp_t; + type xdm_xproperty_t; + class x_client all_x_client_perms; + class x_drawable all_x_drawable_perms; + class x_property all_x_property_perms; + ') + + allow $1 xdm_t:fd use; + allow $1 xdm_t:fifo_file rw_fifo_file_perms; + dontaudit $1 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. + xserver_stream_connect_xdm($1) + xserver_read_xdm_tmp_files($1) + xserver_xdm_stream_connect($1) + xserver_setattr_xdm_tmp_dirs($1) + + allow $1 xdm_t:x_client { getattr destroy }; + allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; + allow $1 xdm_xproperty_t:x_property { write read }; + +') + +######################################## +## +## Get the attributes of xauth executable +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_getattr_xauth',` + gen_require(` + type xauth_exec_t; + ') + + allow $1 xauth_exec_t:file getattr; +') + +######################################## +## +## Read a user Iceauthority domain. +## +## +## +## Domain allowed access. 
+## +## +# +template(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; + ') + + # Read .Iceauthority file + allow $1 iceauth_home_t:file read_file_perms; +') + +######################################## +## +## Connect to apmd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_stream_connect',` + gen_require(` + type xdm_t, xdm_var_run_t; + ') + + files_search_pids($1) + allow $1 xdm_var_run_t:sock_file write; + allow $1 xdm_t:unix_stream_socket connectto; +') + +######################################## +## +## Manage the xdm_spool files +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_manage_spool',` + gen_require(` + type xdm_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) +') + +######################################## +## +## Ptrace XDM +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_ptrace_xdm',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:process ptrace; +') + +######################################## +## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. 
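Review bot: Several summaries in this hunk were copied without being updated, and the one on `xserver_ptrace_xdm` matters most: its parameter is documented as "Domain to not audit" while the body is `allow $1 xdm_t:process ptrace;`, which lets the caller trace the display manager. `xserver_manage_home_fonts` is likewise summarised as "Read user homedir fonts." although it uses the manage patterns, and `xserver_xdm_stream_connect` says "Connect to apmd". Suggested text: `## Domain allowed access.` for the ptrace parameter, `## Manage user homedir fonts and font configuration.`, and `## Connect to XDM over a unix stream socket.`. `xserver_use_xdm` also calls both `xserver_stream_connect_xdm` and `xserver_xdm_stream_connect`; a one-line comment on how the two differ would help the next reader.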
@@ -1172,7 +1527,102 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; + attribute x_domain; ') typeattribute $1 xserver_unconfined_type; + typeattribute $1 x_domain; +') + +######################################## +## +## Rules required for using the X Windows server +## and environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_communicate',` + gen_require(` + class x_drawable all_x_drawable_perms; + class x_resource all_x_resource_perms; ') + + allow $1 $2:x_drawable all_x_drawable_perms; + allow $2 $1:x_drawable all_x_drawable_perms; + allow $1 $2:x_resource all_x_resource_perms; + allow $2 $1:x_resource all_x_resource_perms; +') + +####################################### +## +## Interface to provide X object permissions on a given X server to +## an X client domain. Provides the minimal set required by a basic +## X client application. +## +## +## +## Client domain allowed access. +## +## +# +interface(`xserver_common_app',` + + gen_require(` + attribute x_domain; + attribute xevent_type; + type xselection_t, rootwindow_t; + type user_xproperty_t, xproperty_t; + class x_property all_x_property_perms; + class x_selection all_x_selection_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; + ') + + # Type attributes + typeattribute $1 x_domain; + + allow $1 xselection_t:x_selection setattr; + allow $1 user_xproperty_t:x_property { write read destroy }; + allow $1 xproperty_t:x_property all_x_property_perms; + + # X Windows + # new windows have the domain type + type_transition $1 rootwindow_t:x_drawable $1; + + # X Input + # can receive own events + allow $1 xevent_type:{ x_event x_synthetic_event } { receive send }; + xserver_communicate($1, $1) + xserver_use_xdm($1) +') + +######################################## +## +## Send and receive messages from +## xdm over dbus. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`xserver_xdm_dbus_chat',` + gen_require(` + type xdm_t; + class dbus send_msg; + ') + + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-14 12:39:57.000000000 -0400 @@ -34,6 +34,13 @@ ## ##
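Review bot: In `xserver_common_app` the rule `allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };` sits under the comment "can receive own events" but targets the whole `xevent_type` attribute and adds `send`. A client given this "minimal set" can therefore send and receive events of every event type, not only its own. If that breadth is intended, change the comment to `# can send and receive all X event types` so it is not read as per-domain. Otherwise drop the line and rely on the per-domain event rules that the template in the `@@ -294` hunk keeps. Both parameters of `xserver_communicate` are also documented as "Domain allowed access."; they should be told apart, e.g. "First domain" and "Second domain".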

+## Allows XServer to execute writable memory +##

+##
+gen_tunable(allow_xserver_execmem, false) + +## +##

## Allow xdm logins as sysadm ##

##
@@ -46,6 +53,7 @@ ## gen_tunable(xserver_object_manager, false) +attribute xdmhomewriter; attribute input_xevent_type; attribute xserver_unconfined_type; attribute x_domain; @@ -65,14 +73,14 @@ type iceauth_t; type iceauth_exec_t; -typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t }; typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; application_domain(iceauth_t, iceauth_exec_t) ubac_constrained(iceauth_t) type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; -typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; files_poly_member(iceauth_home_t) userdom_user_home_content(iceauth_home_t) 
@@ -112,17 +120,17 @@ typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; type user_fonts_t; -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; -typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t }; +typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t }; userdom_user_home_content(user_fonts_t) type user_fonts_cache_t; -typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t }; typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; userdom_user_home_content(user_fonts_cache_t) type user_fonts_config_t; -typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; +typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t }; typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) 
@@ -134,18 +142,18 @@ type xauth_t; type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; -typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t }; application_domain(xauth_t, xauth_exec_t) ubac_constrained(xauth_t) type xauth_home_t; typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; -typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t }; files_poly_member(xauth_home_t) userdom_user_home_content(xauth_home_t) type xauth_tmp_t; -typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) @@ -166,7 +174,10 @@ files_lock_file(xdm_lock_t) type xdm_rw_etc_t; -files_type(xdm_rw_etc_t) +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; +files_type(xdm_spool_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) @@ -174,6 +185,12 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) +type xserver_var_lib_t; +files_type(xserver_var_lib_t) + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) + type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; @@ -181,6 +198,12 @@ type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) +type xdm_home_t; +userdom_user_home_content(xdm_home_t) + +type xdm_log_t; +logging_log_file(xdm_log_t) + # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) 
@@ -189,7 +212,7 @@ type xserver_t; type xserver_exec_t; typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; -typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t }; +typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; xserver_object_types_template(xdm) xserver_common_x_domain_template(xdm,xdm_t) init_system_domain(xserver_t, xserver_exec_t) @@ -197,12 +220,12 @@ type xserver_tmp_t; typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t }; +typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; files_tmp_file(xserver_tmp_t) ubac_constrained(xserver_tmp_t) type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) 
@@ -250,19 +273,21 @@ # Xauth local policy # +allow xauth_t self:capability dac_override; allow xauth_t self:process signal; allow xauth_t self:unix_stream_socket create_stream_socket_perms; allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) + +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) -allow xdm_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) - domain_use_interactive_fds(xauth_t) files_read_etc_files(xauth_t) @@ -300,13 +325,14 @@ # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; +allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; +allow xdm_t self:process { getattr getcap setcap }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow xdm_t self:unix_dgram_socket create_socket_perms; +allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; 
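Review bot: `allow xauth_t self:capability dac_override;` in the `@@ -250` hunk is added without a comment, and it lets xauth bypass discretionary file-permission checks. The same hunk also gives xauth the manage patterns on `xdm_var_run_t`. If the need is only to traverse or read a path xauth cannot otherwise reach, `dac_read_search` (already listed for xdm_t in the next hunk) would be narrower; that is worth confirming against the denial that prompted the change. Either way, add a why-comment naming the file or directory that requires the capability.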
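Review bot: xdm_t gains `sys_ptrace` and `process ptrace` on the two rewritten lines of the `@@ -300` hunk with no explanation; the only hint on the page is "# On crash gdm execs gdb to dump stack" in the later `@@ -542` hunk. The `@@ -413` hunk additionally adds `domain_dontaudit_ptrace_all_domains(xdm_t)`, which suppresses the denial records that would show the display manager attempting to trace other domains. Place the gdb comment next to the capability line, and consider leaving those denials audited so the attempts stay visible in the logs.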
@@ -314,6 +340,11 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) 
@@ -329,22 +360,38 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_getattr_all_fs(xdm_t) +fs_search_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + +files_search_spool(xdm_t) +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; 
@@ -358,6 +405,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; +read_files_pattern(xdm_t, xserver_t, xserver_t) # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) @@ -366,10 +414,14 @@ delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +logging_log_filetrans(xdm_t, xdm_log_t, file) + manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) @@ -389,11 +441,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) +corenet_udp_bind_xdmcp_port(xdm_t) corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t corenet_dontaudit_tcp_bind_all_ports(xdm_t) +dev_rwx_zero(xdm_t) dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) @@ -401,6 +455,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) +dev_rw_input_dev(xdm_t) dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) 
@@ -413,14 +468,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) -dev_getattr_sound_dev(xdm_t) -dev_setattr_sound_dev(xdm_t) +dev_read_sound(xdm_t) +dev_write_sound(xdm_t) dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_ptrace_all_domains(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) @@ -431,9 +489,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) +files_dontaudit_getattr_boot_dirs(xdm_t) +files_dontaudit_write_usr_files(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) +fs_rw_anon_inodefs_files(xdm_t) +fs_mount_tmpfs(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) @@ -442,6 +504,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) @@ -450,6 +513,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) +auth_signal_pam(xdm_t) auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) @@ -460,10 +524,10 @@ logging_read_generic_logs(xdm_t) +miscfiles_dontaudit_write_fonts(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) - -sysnet_read_config(xdm_t) +miscfiles_manage_localization(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) 
@@ -472,6 +536,8 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmpfs_role(system_r, xdm_t) xserver_rw_session(xdm_t,xdm_tmpfs_t) xserver_unconfined(xdm_t) @@ -504,10 +570,12 @@ optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') optional_policy(` consolekit_dbus_chat(xdm_t) + consolekit_read_log(xdm_t) ') optional_policy(` @@ -515,12 +583,45 @@ ') optional_policy(` + # Use dbus to start other processes as xdm_t + dbus_role_template(xdm, system_r, xdm_t) + + dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; + + corecmd_bin_entry_type(xdm_t) + + dbus_system_bus_client(xdm_t) + + optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + devicekit_power_dbus_chat(xdm_t) + ') + + optional_policy(` + hal_dbus_chat(xdm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') + +') + + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) ') optional_policy(` + gnome_read_gconf_config(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') @@ -542,6 +643,23 @@ ') optional_policy(` + polkit_domtrans_auth(xdm_t) + polkit_read_lib(xdm_t) + polkit_read_reload(xdm_t) +') + +optional_policy(` + pulseaudio_exec(xdm_t) +') + +# On crash gdm execs gdb to dump stack +optional_policy(` + rpm_exec(xdm_t) + rpm_read_db(xdm_t) + rpm_dontaudit_manage_db(xdm_t) +') + +optional_policy(` seutil_sigchld_newrole(xdm_t) ') @@ -550,8 +668,9 @@ ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) + unconfined_shell_domtrans(xdm_t) + unconfined_signal(xdm_t) +') ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; @@ -560,7 +679,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') -') optional_policy(` userhelper_dontaudit_search_config(xdm_t) 
@@ -571,6 +689,10 @@ ') optional_policy(` + wm_exec(xdm_t) +') + +optional_policy(` xfs_stream_connect(xdm_t) ') @@ -587,7 +709,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; @@ -602,9 +724,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; # Device rules allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +allow x_domain xserver_t:x_screen getattr; allow xserver_t { input_xevent_t input_xevent_type }:x_event send; @@ -622,7 +746,7 @@ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) -filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) +#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) 
@@ -635,9 +759,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) +manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) + +manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xserver_t, xserver_var_run_t, { dir file }) + # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) @@ -680,9 +814,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) +dev_read_raw_memory(xserver_t) +dev_write_raw_memory(xserver_t) dev_rwx_zero(xserver_t) +domain_mmap_low_type(xserver_t) domain_mmap_low(xserver_t) +domain_dontaudit_read_all_domains_state(xserver_t) +domain_signal_all_domains(xserver_t) files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) @@ -697,8 +836,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) +fs_list_inotifyfs(xdm_t) +fs_rw_tmpfs_files(xserver_t) mls_xwin_read_to_clearance(xserver_t) +mls_process_write_to_clearance(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) @@ -720,6 +864,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) +miscfiles_read_hwdata(xserver_t) modutils_domtrans_insmod(xserver_t) 
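Review bot: `manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` in the `@@ -635` hunk sits between the `xserver_var_run_t` rules and looks like a type slip. It lets the X server create and delete sockets in xdm's pid directory, while `files_pid_filetrans(xserver_t, xserver_var_run_t, { dir file })` carries no `sock_file`. If the server's own sockets were meant, use `manage_sock_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)` and add `sock_file` to the filetrans set. The `@@ -697` hunk has a similar slip: `fs_list_inotifyfs(xdm_t)` appears among the xserver_t rules and presumably should read `fs_list_inotifyfs(xserver_t)`.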
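Review bot: `dev_read_raw_memory(xserver_t)` and `dev_write_raw_memory(xserver_t)` in the `@@ -680` hunk are granted unconditionally and without a comment, giving the X server read and write access to raw memory on every system that loads this policy. The patch already gates executable memory behind the `allow_xserver_execmem` tunable. Raw-memory access deserves the same treatment: a boolean that defaults to false, with a comment naming the drivers that need it. `domain_signal_all_domains(xserver_t)` in the same hunk is similarly broad and also uncommented.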
@@ -742,7 +887,7 @@ ') ifdef(`enable_mls',` - range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; +# range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') @@ -774,12 +919,16 @@ ') optional_policy(` + devicekit_power_signal(xserver_t) +') + +optional_policy(` rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') optional_policy(` - unconfined_domain_noaudit(xserver_t) + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') @@ -806,7 +955,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; -allow xserver_t xdm_var_run_t:file read_file_perms; +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) @@ -827,9 +976,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) +userdom_read_all_users_state(xserver_t) xserver_use_user_fonts(xserver_t) +optional_policy(` + userhelper_search_config(xserver_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) @@ -844,11 +998,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) + + optional_policy(` hal_dbus_chat(xserver_t) ') +') optional_policy(` - resmgr_stream_connect(xdm_t) + mono_rw_shm(xserver_t) ') optional_policy(` @@ -856,6 +1013,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') +optional_policy(` + rpm_dontaudit_rw_shm(xserver_t) + rpm_rw_tmpfs_files(xserver_t) +') + ######################################## # # Rules common to all X window domains @@ -881,6 +1043,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; +allow x_domain xserver_t:x_device { manage force_cursor }; + # can mess with own clients allow x_domain self:x_client { manage destroy }; 
@@ -905,6 +1069,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; +allow x_domain x_domain:x_drawable { get_property getattr list_child }; + # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; 
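Review bot: `allow x_domain x_domain:x_drawable { get_property getattr list_child };` is added under the comment "operations allowed on my windows", but its target is the whole `x_domain` attribute, so every X client may enumerate and read properties on every other client's windows. If only same-domain access is meant, write it as `allow x_domain self:x_drawable { get_property getattr list_child };`. If cross-client access is intended, move the rule under its own comment, e.g. `# can inspect windows owned by other X clients`, so the weakening of client isolation is visible to reviewers.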
@@ -972,17 +1138,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -ifdef(`TODO',` -tunable_policy(`allow_polyinstantiation',` -# xdm needs access for linking .X11-unix to poly /tmp -allow xdm_t polymember:dir { add_name remove_name write }; -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; +allow xserver_unconfined_type self:x_drawable all_x_drawable_perms; +allow xserver_unconfined_type self:x_screen all_x_screen_perms; +allow xserver_unconfined_type self:x_gc all_x_gc_perms; +allow xserver_unconfined_type self:x_font all_x_font_perms; +allow xserver_unconfined_type self:x_colormap all_x_colormap_perms; +allow xserver_unconfined_type self:x_property all_x_property_perms; +allow xserver_unconfined_type self:x_selection all_x_selection_perms; +allow xserver_unconfined_type self:x_cursor all_x_cursor_perms; +allow xserver_unconfined_type self:x_client all_x_client_perms; +allow xserver_unconfined_type self:x_device all_x_device_perms; +allow xserver_unconfined_type self:x_server all_x_server_perms; +allow xserver_unconfined_type self:x_extension all_x_extension_perms; +allow xserver_unconfined_type self:x_resource all_x_resource_perms; +allow xserver_unconfined_type self:x_event all_x_event_perms; +allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms; + +optional_policy(` + unconfined_rw_shm(xserver_t) + unconfined_execmem_rw_shm(xserver_t) + + # xserver signals unconfined user on startx + unconfined_signal(xserver_t) + unconfined_getpgid(xserver_t) +') + +tunable_policy(`allow_xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') + +# Hack to handle the problem of using the nvidia blobs +tunable_policy(`allow_execmem',` + allow xdm_t self:process execmem; +') + +tunable_policy(`allow_execstack',` 
+ allow xdm_t self:process { execstack execmem }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files(xdmhomewriter) +') + +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) ') -# -# Wants to delete .xsession-errors file -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.12/policy/modules/services/zosremote.if --- nsaserefpolicy/policy/modules/services/zosremote.if 2009-03-20 12:39:39.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/zosremote.if 2009-04-07 16:01:44.000000000 -0400 @@ -12,7 +12,7 @@ # interface(`zosremote_domtrans',` gen_require(` - type zos_remote_t, type zos_remote_exec_t; + type zos_remote_t, zos_remote_exec_t; ') domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.12/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/application.te 2009-04-07 16:01:44.000000000 -0400 
@@ -7,8 +7,18 @@ # Executables to be run by user attribute application_exec_type; +userdom_append_user_home_content_files(application_domain_type) +userdom_write_user_tmp_files(application_domain_type) +logging_rw_all_logs(application_domain_type) + +files_dontaudit_search_all_dirs(application_domain_type) + optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') +optional_policy(` + sudo_sigchld(application_domain_type) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc 2009-04-07 16:01:44.000000000 -0400 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) -/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` 
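Review bot: `logging_rw_all_logs(application_domain_type)` gives every application domain read and write access to all log files, so any confined user program can alter existing log records. This patch uses `logging_append_all_logs(daemon)` in init.te for the same redirected-output purpose, so `logging_append_all_logs(application_domain_type)` looks sufficient here. The `logging_rw_all_logs($1)` line added to init.if, under the comment about daemons redirecting output to log files, has the same defect. None of the four new attribute-wide lines has a comment; if redirected output is the reason, `# programs are often started with output redirected to a log file` would record it.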
@@ -40,6 +38,10 @@ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-04-14 08:11:17.000000000 -0400 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t; + type auth_cache_t; ') domain_type($1) + domain_poly($1) + domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) role system_r types $1; + # Needed for pam_selinux_permit to cleanup properly + domain_read_all_domains_state($1) + domain_kill_all_domains($1) + + # pam_keyring + allow $1 self:capability ipc_lock; + allow $1 self:process setkeycreate; + allow $1 self:key manage_key_perms; + userdom_manage_all_users_keys($1) + files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) + manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) + files_var_filetrans($1, auth_cache_t, dir) + # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers 
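Review bot: `domain_kill_all_domains($1)` in `auth_login_pgm_domain` lets every login program domain send kill signals to all domains on the system, and its only justification is the one-line comment about pam_selinux_permit cleanup. Together with `domain_read_all_domains_state($1)` and `userdom_manage_all_users_keys($1)`, this is a wide grant for an interface that many domains call. The comment should say which processes have to be terminated, for example `# pam_selinux_permit kills leftover processes of the user being logged in` if that is the case. The rule should also be narrowed to user domains if a suitable interface exists. The interface body continues past the end of this hunk.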
@@ -90,6 +108,7 @@ auth_rw_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) + auth_manage_pam_pid($1) init_rw_utmp($1) @@ -100,11 +119,40 @@ seutil_read_config($1) seutil_read_default_contexts($1) - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) + userdom_set_rlimitnh($1) + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) + userdom_search_admin_dir($1) + + optional_policy(` + afs_rw_udp_sockets($1) + ') + + optional_policy(` + dbus_system_bus_client($1) + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) ') ') + optional_policy(` + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) + mount_domtrans($1) + ') + + optional_policy(` + nis_authenticate($1) + ') + + optional_policy(` + ssh_agent_exec($1) + userdom_read_user_home_content_files($1) + ') + +') + ######################################## ## ## Use the login program as an entry point program. @@ -197,8 +245,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; + type auth_cache_t; ') + allow $1 auth_cache_t:dir search_dir_perms; + corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) @@ -207,19 +258,16 @@ dev_read_rand($1) dev_read_urand($1) + auth_use_nsswitch($1) + auth_rw_faillog($1) + logging_send_audit_msgs($1) miscfiles_read_certs($1) - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) - - optional_policy(` - kerberos_use($1) - ') - optional_policy(` - nis_use_ypbind($1) + kerberos_read_keytab($1) + kerberos_connect_524($1) ') optional_policy(` 
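Review bot: In the hunk at `-207,19 +258,16`, which appears to be the middle of `auth_domtrans_chk_passwd`, `kerberos_read_keytab($1)` and `auth_rw_faillog($1)` are granted to the calling domain `$1` and not to `chkpwd_t`. Every domain allowed to run the password checker can therefore read the Kerberos keytab and rewrite the failed-login log. Before the change the caller's Kerberos access was `kerberos_use($1)`. If the helper needs the keytab, the grant belongs on `chkpwd_t` in authlogin.te; otherwise add a comment naming the consumer, such as `# <caller> validates tickets against the host keytab`. The interface opens in the preceding hunk and is closed in a later one.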
@@ -230,6 +278,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') + auth_domtrans_upd_passwd($1) +') + +######################################## +## +## Run unix_chkpwd to check a password. +## Stripped down version to be called within boolean +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_domtrans_chkpwd',` + gen_require(` + type chkpwd_t, chkpwd_exec_t, shadow_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + dontaudit $1 shadow_t:file { getattr read }; + auth_domtrans_upd_passwd($1) ') ######################################## @@ -254,6 +325,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; + auth_run_upd_passwd($1, $2) ') ######################################## @@ -650,7 +722,7 @@ ######################################## ## -## Execute pam programs in the pam domain. +## Send signal to pam process ## ## ## @@ -1031,6 +1103,32 @@ ######################################## ## +## rw all files on the filesystem, except +## the shadow passwords and listed exceptions. +## +## +## +## The type of the domain perfoming this action. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# + +interface(`auth_rw_all_files_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_rw_all_files($1,$2 -shadow_t) +') + +######################################## +## ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## @@ -1297,6 +1395,14 @@ ') optional_policy(` + ldap_stream_connect($1) + ') + + optional_policy(` + kerberos_use($1) + ') + + optional_policy(` nis_use_ypbind($1) ') @@ -1305,8 +1411,13 @@ ') optional_policy(` + sssd_stream_connect($1) + ') + + optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) + samba_dontaudit_write_var_files($1) ') ') 
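Review bot: The new `auth_domtrans_chkpwd` is easy to confuse with the existing `auth_domtrans_chk_passwd`, although the two grant different permission sets. A name that states the difference would help, as would a description line such as `## Unlike auth_domtrans_chk_passwd, grants no nsswitch, faillog or audit access.` The stripped-down version still ends with `auth_domtrans_upd_passwd($1)`, so a domain that only checks a password also gains the transition to what is presumably the password-update helper; drop that line or justify it in a comment. The description of `auth_rw_all_files_except_shadow`, added further down, contains the typo `perfoming`.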
@@ -1341,3 +1452,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') + +######################################## +## +## Search authentication cache +## +## +## +## Domain allowed access. +## +## +## +# +interface(`auth_search_cache',` + gen_require(` + type auth_cache_t; + ') + + allow $1 auth_cache_t:dir search_dir_perms; +') + +######################################## +## +## Read authentication cache +## +## +## +## Domain allowed access. +## +## +## +# +interface(`auth_read_cache',` + gen_require(` + type auth_cache_t; + ') + + read_files_pattern($1, auth_cache_t, auth_cache_t) +') + +######################################## +## +## Read/Write authentication cache +## +## +## +## Domain allowed access. +## +## +## +# +interface(`auth_rw_cache',` + gen_require(` + type auth_cache_t; + ') + + rw_files_pattern($1, auth_cache_t, auth_cache_t) +') +######################################## +## +## Manage authentication cache +## +## +## +## Domain allowed access. +## +## +## +# +interface(`auth_manage_cache',` + gen_require(` + type auth_cache_t; + ') + + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') + +####################################### +## +## Automatic transition from cache_t to cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_filetrans_cache',` + gen_require(` + type auth_cache_t; + ') + + manage_files_pattern($1, auth_cache_t, auth_cache_t) + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + files_var_filetrans($1,auth_cache_t,{ file dir } ) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/authlogin.te 2009-04-07 16:01:44.000000000 -0400 
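Review bot: The summary of `auth_filetrans_cache`, `Automatic transition from cache_t to cache.`, names a type `cache_t` that the body never references. The body grants manage access to `auth_cache_t` files and directories and adds a `files_var_filetrans` to `auth_cache_t`. A summary that matches it would be `## Manage the authentication cache and create it under /var with the auth_cache_t type.` Separately, `auth_manage_cache` covers files only while `auth_filetrans_cache` also covers directories, which the names do not suggest. Either add `manage_dirs_pattern($1, auth_cache_t, auth_cache_t)` to `auth_manage_cache` or state the limitation in its summary.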
@@ -12,7 +12,7 @@ type chkpwd_t, can_read_shadow_passwords; type chkpwd_exec_t; -typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; +typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t }; typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; application_domain(chkpwd_t, chkpwd_exec_t) role system_r types chkpwd_t; @@ -63,6 +63,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) +type auth_cache_t; +logging_log_file(auth_cache_t) + # # var_auth_t is the type of /var/lib/auth, usually # used for auth data in pam_able @@ -121,9 +124,18 @@ ') optional_policy(` + # apache leaks file descriptors + apache_dontaudit_rw_tcp_sockets(chkpwd_t) +') + +optional_policy(` kerberos_use(chkpwd_t) ') +optional_policy(` + nis_authenticate(chkpwd_t) +') + ######################################## # # PAM local policy @@ -168,6 +180,11 @@ logging_send_syslog_msg(pam_t) +userdom_write_user_tmp_files(pam_t) +userdom_delete_user_tmp_files(pam_t) +userdom_dontaudit_read_user_home_content_files(pam_t) +userdom_dontaudit_write_user_home_content_files(pam_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) @@ -183,7 +200,7 @@ # PAM console local policy # -allow pam_console_t self:capability { chown fowner fsetid }; +allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid }; dontaudit pam_console_t self:capability sys_tty_config; allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; @@ -201,6 +218,8 @@ dev_read_sysfs(pam_console_t) dev_getattr_apm_bios_dev(pam_console_t) dev_setattr_apm_bios_dev(pam_console_t) +dev_getattr_cpu_dev(pam_console_t) +dev_setattr_cpu_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) dev_getattr_input_dev(pam_console_t) 
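Review bot: `logging_log_file(auth_cache_t)` declares the authentication cache as a log file type, so domains holding an all-logs interface are likely to gain access to it. This patch adds `logging_rw_all_logs(application_domain_type)` and `logging_append_all_logs(daemon)`, and `initrc_t` already has `logging_read_all_logs`. The file-context hunk maps `/var/cache/coolkey` to this type, which is cache data and not a log. Unless the log attribute is intended, declare the type with `files_type(auth_cache_t)` and a comment such as `# cache written by login programs, e.g. /var/cache/coolkey`. In the `pam_console_t` hunk further down, `dac_override dac_read_search` are added to the capability set with no comment on what needs them.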
@@ -225,6 +244,10 @@ dev_setattr_video_dev(pam_console_t) dev_getattr_xserver_misc_dev(pam_console_t) dev_setattr_xserver_misc_dev(pam_console_t) + +dev_getattr_all_chr_files(pam_console_t) +dev_setattr_all_chr_files(pam_console_t) + dev_read_urand(pam_console_t) mls_file_read_all_levels(pam_console_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.12/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/fstools.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -21,7 +20,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.12/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/fstools.te 2009-04-07 16:01:44.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) +fs_manage_nfs_files(fsadm_t) + +fs_manage_cifs_files(fsadm_t) + mls_file_read_all_levels(fsadm_t) mls_file_write_all_levels(fsadm_t) 
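Review bot: `dev_getattr_all_chr_files(pam_console_t)` and `dev_setattr_all_chr_files(pam_console_t)` cover every character device, which removes the limit that the surrounding per-device `dev_getattr_*_dev` and `dev_setattr_*_dev` pairs expressed. Most of those pairs now appear redundant. If one device class was missing, add its own pair as the `cpu_dev` lines in the previous hunk do. If the blanket grant is intended, add a comment, for example `# the console permission list may name arbitrary character devices`, and remove the lines it supersedes.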
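Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` in fstools.te are unconditional and have no comment. The other NFS and CIFS grants added by this patch are placed under the `use_nfs_home_dirs` and `use_samba_home_dirs` tunables. Full manage access to network filesystems for the filesystem-administration domain should state its trigger, for example `# <tool> creates image files on NFS/CIFS mounts`. If the need is limited to home directories, the grants should go behind the same tunables.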
@@ -150,8 +154,7 @@ seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) -userdom_use_unpriv_users_fds(fsadm_t) +term_use_all_terms(fsadm_t) ifdef(`distro_redhat',` optional_policy(` @@ -188,4 +191,6 @@ optional_policy(` xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.12/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/hostname.te 2009-04-07 16:01:44.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; type hostname_exec_t; -init_system_domain(hostname_t,hostname_exec_t) + +#dont transition from initrc +application_domain(hostname_t, hostname_exec_t) role system_r types hostname_t; ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-04-07 16:01:44.000000000 -0400 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) -/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 
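Review bot: In init.fc the pattern `/etc/rc\.d/rc\.[^/]+` labels every regular file in /etc/rc.d whose name starts with `rc.` as `initrc_exec_t`, where the old entries covered only `rc.sysinit` and `rc.local`. Backup or package-manager leftover copies of those scripts would then also become entry points into `initrc_t`. If the goal is a known set of additional scripts, list them explicitly in the form `/etc/rc\.d/rc\.(sysinit|local)` extended with the new names. Otherwise record the intent in a `#` comment above the entry.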
@@ -45,6 +44,8 @@ /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) + # # /var # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-17 11:04:53.000000000 -0400 @@ -280,6 +280,36 @@ kernel_dontaudit_use_fds($1) ') ') + + userdom_dontaudit_search_user_home_dirs($1) + userdom_dontaudit_rw_stream($1) + + tunable_policy(`allow_daemons_use_tty',` + term_use_all_user_ttys($1) + term_use_all_user_ptys($1) + ',` + term_dontaudit_use_all_user_ttys($1) + term_dontaudit_use_all_user_ptys($1) + ') + + # these apps are often redirect output to random log files + logging_rw_all_logs($1) + + optional_policy(` + cron_rw_pipes($1) + ') + + optional_policy(` + xserver_rw_xdm_home_files($1) + ') + + optional_policy(` + unconfined_dontaudit_rw_pipes($1) + unconfined_dontaudit_rw_stream($1) + userdom_dontaudit_read_user_tmp_files($1) + ') + + init_rw_script_stream_sockets($1) ') ######################################## @@ -546,7 +576,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; + init_chat($1) ') ') 
@@ -619,18 +649,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; ') files_list_etc($1) - spec_domtrans_pattern($1,initrc_exec_t,initrc_t) + spec_domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; ') ') @@ -646,23 +677,43 @@ # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; ') files_list_etc($1) - domtrans_pattern($1,initrc_exec_t,initrc_t) + domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; ') ') ######################################## ## +## Execute a file in a bin directory +## in the initrc_t domain +## +## +## +## Domain allowed access. +## +## +# +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; + ') + + corecmd_bin_domtrans($1, initrc_t) +') + +######################################## +## ## Execute a init script in a specified domain. ## ## @@ -1291,6 +1342,25 @@ ######################################## ## +## Read init script temporary data. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_script_tmp_files',` + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) +') + +######################################## +## ## Create files in a init script ## temporary data directory. ## 
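Review bot: The new `init_bin_domtrans_spec` gives its caller a transition into `initrc_t` through executables in the bin directories, and the summary does not warn about that. Elsewhere in this patch `initrc_t` holds nearly all capabilities and, optionally, `unconfined_domain`. The description should therefore state that calling this interface is close to granting `initrc_t` itself, and it should name the intended caller. The `_spec` suffix suggests a specified transition like `init_spec_domtrans_script`, yet the body calls `corecmd_bin_domtrans`; rename the interface or explain the suffix in the summary.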
@@ -1521,3 +1591,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') + +######################################## +## +## Transition to system_r when execute an init script +## +## +##

+## Execute a init script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Role to transition from. +## +## +# +interface(`init_script_role_transition',` + gen_require(` + attribute init_script_file_type; + ') + + role_transition $1 init_script_file_type system_r; +') + +######################################## +## +## Send and receive unix_stream_messages with +## init +## +## +## +## Domain allowed access. +## +## +# +interface(`init_chat',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-21 14:07:27.000000000 -0400 @@ -17,6 +17,20 @@ ##
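Review bot: The summary of `init_chat`, `Send and receive unix_stream_messages with init`, does not match its body, which allows `unix_dgram_socket sendto` in both directions between `$1` and `init_t`. Suggested wording: `## Send and receive datagrams to and from init over unix domain sockets.` In `init_script_role_transition`, the second description (`Execute a init script in a specified role`) and the paragraph about interprocess communication look copied from an init-script run interface. They do not describe a `role_transition` rule and should be removed or rewritten.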
gen_tunable(init_upstart,false) +## +##

+## Allow all daemons the ability to read/write terminals +##

+##
+gen_tunable(allow_daemons_use_tty, false) + +## +##

+## Allow all daemons to write corefiles to / +##

+##
+gen_tunable(allow_daemons_dump_core, false) + # used for direct running of init scripts # by admin domains attribute direct_run_init; @@ -88,7 +102,7 @@ # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -101,7 +115,7 @@ # Re-exec itself can_exec(init_t,init_exec_t) -allow init_t initrc_t:unix_stream_socket connectto; +allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; @@ -117,6 +131,8 @@ kernel_read_system_state(init_t) kernel_share_state(init_t) +fs_list_inotifyfs(init_t) + corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) @@ -167,6 +183,8 @@ miscfiles_read_localization(init_t) +allow init_t self:process setsched; + ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') @@ -189,6 +207,14 @@ ') optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) +') + +optional_policy(` nscd_socket_use(init_t) ') @@ -202,9 +228,10 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; +allow initrc_t self:key { search }; # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; 
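Review bot: The `initrc_t` capability rule now excludes `audit_control` and `audit_write`, but a later hunk in this file adds `logging_send_audit_msgs(initrc_t)`. In the upstream logging module that interface grants `audit_write` to the caller. If that holds for this tree, the exclusion of `audit_write` has no effect for `initrc_t`. Either drop the `logging_send_audit_msgs` line or mark the capability rule with `# audit_write is granted separately via logging_send_audit_msgs`. `allow initrc_t self:key { search };` and `allow init_t self:process setsched;` are added without a comment on what triggers them.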
@@ -217,7 +244,8 @@ term_create_pty(initrc_t,initrc_devpts_t) # Going to single user mode -init_exec(initrc_t) +init_telinit(initrc_t) +init_chat(initrc_t) can_exec(initrc_t, init_script_file_type) @@ -230,10 +258,16 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t,initrc_var_run_t,file) +files_manage_generic_pids_symlinks(initrc_t) can_exec(initrc_t,initrc_tmp_t) -allow initrc_t initrc_tmp_t:file manage_file_perms; -allow initrc_t initrc_tmp_t:dir manage_dir_perms; +allow initrc_t initrc_tmp_t:file relabel_file_perms; +manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) @@ -249,15 +283,19 @@ kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) +kernel_stream_connect(initrc_t) +files_read_kernel_modules(initrc_t) files_read_kernel_symbol_table(initrc_t) +files_exec_etc_files(initrc_t) +fs_list_inotifyfs(initrc_t) corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -corenet_tcp_sendrecv_all_if(initrc_t) -corenet_udp_sendrecv_all_if(initrc_t) -corenet_tcp_sendrecv_all_nodes(initrc_t) -corenet_udp_sendrecv_all_nodes(initrc_t) +corenet_tcp_sendrecv_generic_if(initrc_t) +corenet_udp_sendrecv_generic_if(initrc_t) +corenet_tcp_sendrecv_generic_node(initrc_t) +corenet_udp_sendrecv_generic_node(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) 
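Review bot: `manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)` appears twice in a row in the `initrc_tmp_t` block. The second copy is either redundant or a slip for another object class, and should be removed or corrected. The same block now lets init scripts create character and block device nodes labeled `initrc_tmp_t`, next to the existing `can_exec(initrc_t,initrc_tmp_t)`, with no comment naming the script that needs device nodes in its temporary directory. `files_exec_etc_files(initrc_t)`, added in the next hunk, already appears as a context line in a later hunk of this file.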
@@ -270,16 +308,19 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) +dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) -dev_read_lvm_control(initrc_t) +dev_rw_lvm_control(initrc_t) dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) # Wants to remove udev.tbl: dev_delete_generic_symlinks(initrc_t) +dev_getattr_all_blk_files(initrc_t) +dev_getattr_all_chr_files(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs @@ -328,7 +369,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -domain_dontaudit_ptrace_all_domains(initrc_t) +domain_ptrace_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: @@ -343,14 +384,14 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) -files_delete_all_locks(initrc_t) +files_manage_all_locks(initrc_t) +files_manage_boot_files(initrc_t) files_read_all_pids(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) files_manage_etc_runtime_files(initrc_t) files_etc_filetrans_etc_runtime(initrc_t,file) -files_manage_generic_locks(initrc_t) files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) @@ -366,7 +407,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) +libs_exec_ld_so(initrc_t) +logging_send_audit_msgs(initrc_t) logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) 
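Review bot: Replacing `domain_dontaudit_ptrace_all_domains(initrc_t)` with `domain_ptrace_all_domains(initrc_t)` turns a silenced denial into permission for init scripts to trace every process on the system, and the line has no comment. ptrace access exposes the memory of all domains, including those holding credentials, to anything running as `initrc_t`. If a specific script needs it, record that in a comment such as `# <script> attaches to <daemon>` and prefer a narrower interface; otherwise keep the dontaudit form. `dev_rw_lvm_control` and `dev_write_framebuffer` in the preceding hunk are also widened without explanation.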
@@ -451,7 +494,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd - kernel_dontaudit_use_fds(initrc_t) + kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) @@ -465,6 +508,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) + files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory @@ -498,6 +542,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) + rpc_manage_nfs_state_data(initrc_t) ') optional_policy(` @@ -516,6 +561,33 @@ ') ') +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_list_admin_dir(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_user_ttys(daemon) + term_use_all_user_ptys(daemon) +',` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_user_ttys(daemon) + term_dontaudit_use_all_user_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` + files_dump_core(daemon) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + unconfined_dontaudit_rw_stream(daemon) + userdom_dontaudit_read_user_tmp_files(daemon) +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) @@ -570,6 +642,10 @@ dbus_read_config(initrc_t) optional_policy(` + consolekit_dbus_chat(initrc_t) + ') + + optional_policy(` networkmanager_dbus_chat(initrc_t) ') ') @@ -591,6 +667,10 @@ ') optional_policy(` + hal_write_log(initrc_t) +') + +optional_policy(` dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc 
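Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` sits directly above the `allow_daemons_dump_core` block, whose only rule is `files_dump_core(daemon)`. That rule is an allow for core files, not a dontaudit. The comment seems to belong to the dontaudit branch of the `allow_daemons_use_tty` block before it. It should move there, and the core-dump block should get its own comment, such as `# let daemons write core files to / when the boolean is set`. In the first hunk on this line, `kernel_dontaudit_use_fds(initrc_t)` becomes `kernel_use_fds(initrc_t)` while the comment above it still describes a stray descriptor.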
@@ -647,6 +727,11 @@ ') optional_policy(` + iscsi_stream_connect(initrc_t) + iscsi_read_lib_files(initrc_t) +') + +optional_policy(` mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') @@ -655,12 +740,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') -# cjp: require doesnt work in the else of optionals :\ -# this also would result in a type transition -# conflict if sendmail is enabled -#optional_policy(`',` -# mta_send_mail(initrc_t) -#') optional_policy(` ifdef(`distro_redhat',` @@ -719,8 +798,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) - # why is this needed: - rpm_manage_db(initrc_t) ') optional_policy(` @@ -733,10 +810,12 @@ squid_manage_logs(initrc_t) ') +ifdef(`enabled_mls',` optional_policy(` # allow init scripts to su su_restricted_domain_template(initrc,initrc_t,system_r) ') +') optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) @@ -754,6 +833,11 @@ uml_setattr_util_sockets(initrc_t) ') +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) +') + optional_policy(` unconfined_domain(initrc_t) @@ -765,6 +849,13 @@ optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) +') + +optional_policy(` + rpm_delete_db(initrc_t) ') optional_policy(` 
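Review bot: The new guard around `su_restricted_domain_template(initrc,initrc_t,system_r)` tests `enabled_mls`, while init.if in this same patch tests `enable_mls` and `enable_mcs`. Unless `enabled_mls` is defined outside this diff, the condition is never true and the su rules for init scripts are dropped from every build, MLS included. If the intent is to restrict the block to MLS, the guard should test `enable_mls`. The wrapped `optional_policy` should also be indented, and a comment such as `# init scripts may only su on MLS systems` would record the intent.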
@@ -790,3 +881,35 @@ optional_policy(` zebra_read_config(initrc_t) ') + +userdom_append_user_home_content_files(daemon) +userdom_write_user_tmp_files(daemon) +userdom_dontaudit_rw_stream(daemon) + +logging_append_all_logs(daemon) + +optional_policy(` + # sudo service restart causes this + unconfined_signull(daemon) +') + + +optional_policy(` + rpm_dontaudit_rw_pipes(daemon) +') + +optional_policy(` + xserver_rw_xdm_home_files(daemon) + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) + ') + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(daemon) + ') +') + +init_rw_script_stream_sockets(daemon) + +optional_policy(` + fail2ban_read_lib_files(daemon) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(ipsec, 1.9.1) +policy_module(ipsec, 1.9.0) ######################################## # @@ -103,11 +103,13 @@ corenet_raw_sendrecv_all_nodes(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t) corenet_tcp_bind_all_nodes(ipsec_t) -corenet_udp_bind_all_nodes(ipsec_t) corenet_tcp_bind_reserved_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t) + +corenet_udp_bind_all_nodes(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) + corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) @@ -167,6 +169,8 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) +logging_send_syslog_msg(ipsec_mgmt_t) + manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) 
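Review bot: The block appended at the end of init.te grants every domain with the `daemon` attribute `userdom_append_user_home_content_files`, `userdom_write_user_tmp_files`, `xserver_rw_xdm_home_files` and `fail2ban_read_lib_files`. Only `unconfined_signull` has a comment. These are system-wide grants, so a flaw in any single daemon reaches user home content and fail2ban state. Each line should carry its trigger in the style of the existing `# sudo service restart causes this`, or move to the modules of the daemons that need it.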
@@ -242,8 +246,6 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) -logging_send_syslog_msg(ipsec_mgmt_t) - miscfiles_read_localization(ipsec_mgmt_t) modutils_domtrans_insmod(ipsec_mgmt_t) @@ -298,13 +300,10 @@ kernel_read_network_state(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) -corenet_tcp_sendrecv_all_if(racoon_t) -corenet_udp_sendrecv_all_if(racoon_t) -corenet_tcp_sendrecv_all_nodes(racoon_t) -corenet_udp_sendrecv_all_nodes(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) +corenet_udp_sendrecv_all_if(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) dev_read_urand(racoon_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-14 10:54:45.000000000 -0400 
@@ -1,9 +1,12 @@ /sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) /var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2009-04-07 16:01:44.000000000 -0400 @@ -53,6 +53,7 @@ mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) +term_use_all_terms(iptables_t) domain_use_interactive_fds(iptables_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.12/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/iscsi.if 2009-04-17 07:27:34.000000000 -0400 
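Review bot: In iptables.fc the new `/sbin` entries use `ip6?tables`, but the `/usr/sbin` entries are plain `iptables`, `iptables-restore` and `iptables-multi`, and the old `/usr/sbin/ip6tables.*` line is removed. IPv6 binaries under /usr/sbin would therefore no longer receive `iptables_exec_t`. Use the same form in both directories, e.g. `/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)`, and likewise for `-restore` and `-multi`. The exact-name entries also stop matching `iptables-save`, which the old `iptables.*` pattern covered; if that is deliberate, a `#` comment above the entries should say so. The unchanged `/sbin/ip6tables.*` line still matches every IPv6 name that the narrower entries were presumably meant to restrict.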
@@ -17,3 +17,43 @@ domtrans_pattern($1,iscsid_exec_t,iscsid_t) ') + +######################################## +## +## Read iscsi lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iscsi_read_lib_files',` + gen_require(` + type iscsi_var_lib_t; + ') + + read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) + allow $1 iscsi_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Connect to ISCSI using a unix domain stream socket. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`iscsi_stream_connect',` + gen_require(` + type iscsid_t, iscsi_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-21 13:55:23.000000000 -0400 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) kernel_read_system_state(iscsid_t) +kernel_search_debugfs(iscsid_t) corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) @@ -73,6 +74,6 @@ logging_send_syslog_msg(iscsid_t) -miscfiles_read_localization(iscsid_t) +auth_use_nsswitch(iscsid_t) -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-04-16 13:27:53.000000000 -0400 
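Review bot: In the new `iscsi_stream_connect` interface the directory search and the socket type do not match: `files_search_pids($1)` opens the pid directory, but `stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)` looks for the socket under `iscsi_var_lib_t`. If the socket lives in the lib directory, the first line should be `files_search_var_lib($1)`, as in `iscsi_read_lib_files` just above it. If it lives in the pid directory, the pattern and the `gen_require` should name `iscsi_var_run_t`, the type the iscsi.te context lines use for pid files. The two new interfaces also space their macro arguments differently (`$1, iscsi_var_lib_t` versus `$1,iscsi_var_lib_t`).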
@@ -60,12 +60,15 @@ # # /opt # +/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) + ifdef(`distro_gentoo',` # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) @@ -84,12 +87,14 @@ ifdef(`distro_redhat',` /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ') 
@@ -103,6 +108,7 @@ # /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) 
@@ -115,24 +121,34 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -168,7 +184,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -187,12 +204,15 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -233,7 +253,7 @@ /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -246,12 +266,13 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
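Review bot: In the Flash plugin hunk (-246,12), `HOME_DIR/.mozilla/plugins/nprhapengine\.so.*` leaves the dot in `.mozilla` unescaped, so it matches any character in that position. The first entry of the hunk escapes it (`HOME_DIR/\.mozilla(/.*)?/plugins/...`), and the new line should read `HOME_DIR/\.mozilla/plugins/nprhapengine\.so.*`. The replacement line `HOME_DIR/.*/plugins/nppdf\.so` also repeats, minus the trailing `.*`, the entry this patch adds in the gstreamer hunk (`HOME_DIR/.*/plugins/nppdf\.so.*`), so one of the two can be dropped. Both patterns give `textrel_shlib_t` to files a user can create in their own home directory, so the narrower the path the better.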
@@ -267,6 +288,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -291,6 +315,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) +/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) ') dnl end distro_redhat # @@ -303,6 +329,8 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') 
@@ -310,3 +338,37 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* 
gen_context(system_u:object_r:textrel_shlib_t,s0) + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.12/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/libraries.te 2009-04-07 16:01:44.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy # -allow ldconfig_t self:capability sys_chroot; +allow ldconfig_t self:capability { dac_override sys_chroot }; manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) @@ -70,8 +70,11 @@ fs_getattr_xattr_fs(ldconfig_t) +corecmd_search_bin(ldconfig_t) + domain_use_interactive_fds(ldconfig_t) +files_search_home(ldconfig_t) files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_search_tmp(ldconfig_t) @@ -80,6 +83,7 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) +init_read_script_tmp_files(ldconfig_t) miscfiles_read_localization(ldconfig_t) @@ -94,6 +98,10 @@ ') ') +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) + ifdef(`hide_broken_symptoms',` optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) 
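Review bot: Several entries in the final libraries.fc hunk (-310,3) are much wider than the library they were presumably written for. `/usr/lib(64)?/sse2/.*\.so.*` and `/usr/lib(64)?/i686/.*\.so.*` give `textrel_shlib_t` to every shared object in those directories, and the four `matlab.*\.so(\.[^/]*)*` patterns have no `--` file-type field and no `/` after the product name. Since `textrel_shlib_t` is the label that permits text relocations, each entry should name the specific library that needs it, and the matlab lines should at least carry the file-type field, e.g. `/opt/matlab.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The hunk also adds both `/usr/lib/oracle/.*/lib/libnnz10\.so` and `/usr/lib/oracle/.*/lib/libnnz.*\.so`; the second makes the first redundant.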
@@ -116,4 +124,10 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) + # smart package manager needs the following for the same reason + rpm_rw_tmp_files(ldconfig_t) +') + +optional_policy(` + unconfined_domain(ldconfig_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-04-07 16:01:44.000000000 -0400 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) +dev_rw_generic_usb_dev(local_login_t) dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) @@ -100,7 +101,6 @@ auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) -auth_manage_pam_pid(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) @@ -160,6 +160,11 @@ fs_read_cifs_symlinks(local_login_t) ') +tunable_policy(`allow_console_login',` + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) +') + optional_policy(` alsa_domtrans(local_login_t) ') @@ -189,7 +194,7 @@ ') optional_policy(` - unconfined_domain(local_login_t) + unconfined_shell_domtrans(local_login_t) ') optional_policy(` 
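Review bot: The added optional block calling `unconfined_domain(ldconfig_t)` makes ldconfig_t unconfined whenever the unconfined module is present. The itemised rules this patch adds for the same domain (`dac_override`, `userdom_manage_user_home_content_files(ldconfig_t)`, `rpm_rw_tmp_files(ldconfig_t)`) then have no confining effect. The same call is added for clvmd_t and lvm_t in the lvm.te hunks, and for insmod_t (by removing the `distro_ubuntu` guard) and depmod_t in the modutils.te hunks further down. If the aim is to avoid denials in a targeted build, placing each call behind a tunable or build option would keep a confined variant available. The smaller step is a comment above each call naming the denial it works around, as the depmod_t one partly does with `# Read System.map from home directories.`.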
@@ -235,17 +240,25 @@ seutil_read_default_contexts(sulogin_t) auth_read_shadow(sulogin_t) +auth_use_nsswitch(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) +ifdef(`enable_mls',` sysadm_shell_domtrans(sulogin_t) +',` + optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') +ifdef(`distro_redhat',`define(`sulogin_no_pam')') ifdef(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; @@ -260,10 +273,4 @@ selinux_compute_user_contexts(sulogin_t) ') -optional_policy(` - nis_use_ypbind(sulogin_t) -') -optional_policy(` - nscd_socket_use(sulogin_t) -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2009-04-07 16:01:44.000000000 -0400 
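Review bot: After the sulogin hunk (-235,17), `sysadm_shell_domtrans(sulogin_t)` applies only under `enable_mls`, and the non-MLS branch offers just `unconfined_shell_domtrans(sulogin_t)` inside an `optional_policy`. A non-MLS build without the unconfined module therefore appears to leave sulogin_t with no shell transition at all, which would break single-user recovery in that configuration. Giving the `optional_policy` an else branch that calls `sysadm_shell_domtrans(sulogin_t)` keeps the old behaviour as the fallback. The added `ifdef` opener is also not indented like its body, which makes the nesting hard to read.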
@@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') -/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) -/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) +/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) +/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) +/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) +/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-04-07 16:01:44.000000000 -0400 @@ -623,7 +623,7 @@ ') files_search_var($1) - append_files_pattern($1, var_log_t, logfile) + append_files_pattern($1, logfile, logfile) ') ######################################## 
@@ -707,6 +707,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) + allow $1 logfile:dir { relabelfrom relabelto }; + allow $1 logfile:file { relabelfrom relabelto }; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-21 14:01:28.000000000 -0400 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; allow auditd_t self:unix_dgram_socket create_socket_perms; -allow auditd_t self:fifo_file rw_file_perms; +allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; @@ -179,6 +179,8 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) +auth_use_nsswitch(auditd_t) + miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) @@ -215,9 +217,9 @@ # audit dispatcher local policy # -allow audisp_t self:capability sys_nice; -allow audisp_t self:process setsched; -allow audisp_t self:fifo_file rw_file_perms; +allow audisp_t self:capability { dac_override sys_nice }; +allow audisp_t self:process { signal_perms setsched }; +allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; 
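Review bot: The two added rules in the logging.if hunk at -707,6, `allow $1 logfile:dir { relabelfrom relabelto };` and the matching `logfile:file` rule, widen an existing interface. Every current caller silently gains the right to relabel anything carrying the `logfile` attribute, on top of the manage access shown in the context lines. Relabeling is a separate privilege from managing content, because it lets the caller move a log out of the type that protects it. A dedicated interface holding just these two rules, called only by the domains that need it, would leave the existing contract unchanged. The interface's name and header lie outside this hunk, so its callers cannot be checked from here.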
@@ -226,13 +228,18 @@ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) -corecmd_search_bin(audisp_t) +corecmd_exec_bin(audisp_t) +corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) +files_read_etc_runtime_files(audisp_t) mls_file_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) + +auth_use_nsswitch(audisp_t) logging_send_syslog_msg(audisp_t) @@ -240,6 +247,14 @@ sysnet_dns_name_resolve(audisp_t) +optional_policy(` + dbus_system_bus_client(audisp_t) + + optional_policy(` + setroubleshoot_dbus_chat(audisp_t) + ') +') + ######################################## # # Audit remote logger local policy @@ -253,11 +268,16 @@ corenet_tcp_sendrecv_generic_node(audisp_remote_t) corenet_tcp_connect_audit_port(audisp_remote_t) corenet_sendrecv_audit_client_packets(audisp_remote_t) +corenet_tcp_bind_audit_port(audisp_remote_t) +corenet_tcp_sendrecv_all_ports(audisp_remote_t) +corenet_tcp_bind_generic_node(audisp_remote_t) files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) +auth_use_nsswitch(audisp_remote_t) + miscfiles_read_localization(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) @@ -337,7 +357,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; -allow syslogd_t self:fifo_file rw_file_perms; +allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.12/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/lvm.fc 2009-04-07 16:01:44.000000000 -0400 
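Review bot: In the audisp_t hunk (-226,13), replacing `corecmd_search_bin(audisp_t)` with `corecmd_exec_bin(audisp_t)` and `corecmd_exec_shell(audisp_t)` lets the audit dispatcher run generic binaries and a shell inside audisp_t itself. That domain already holds `mls_file_write_all_levels(audisp_t)` and gains `dac_override` in the preceding hunk. Nothing in the hunk says which plugin or script needs this. I would add a comment above the two lines, for example `# needed by <plugin name> helper script`, and consider running such helpers in their own domain via a transition rather than in place.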
@@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -97,3 +98,4 @@ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-21 14:01:57.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) +type clvmd_initrc_exec_t; +init_script_file(clvmd_initrc_exec_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -22,7 +25,7 @@ role system_r types lvm_t; type lvm_etc_t; -files_type(lvm_etc_t) +files_config_file(lvm_etc_t) type lvm_lock_t; files_lock_file(lvm_lock_t) @@ -44,9 +47,9 @@ # Cluster LVM daemon local policy # -allow clvmd_t self:capability { sys_admin mknod }; +allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; -allow clvmd_t self:process signal_perms; +allow clvmd_t self:process { signal_perms setsched }; dontaudit clvmd_t self:process ptrace; allow clvmd_t self:socket create_socket_perms; allow clvmd_t self:fifo_file rw_fifo_file_perms; 
@@ -54,6 +57,8 @@ allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; +init_dontaudit_getattr_initctl(clvmd_t) + manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t) files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) @@ -85,10 +90,15 @@ corenet_sendrecv_generic_server_packets(clvmd_t) dev_read_sysfs(clvmd_t) +dev_manage_generic_symlinks(clvmd_t) +dev_relabel_generic_dev_dirs(clvmd_t) +dev_manage_generic_blk_files(clvmd_t) dev_manage_generic_chr_files(clvmd_t) dev_rw_lvm_control(clvmd_t) dev_dontaudit_getattr_all_blk_files(clvmd_t) dev_dontaudit_getattr_all_chr_files(clvmd_t) +dev_create_generic_dirs(clvmd_t) +dev_delete_generic_dirs(clvmd_t) files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) @@ -97,11 +107,15 @@ fs_search_auto_mountpoints(clvmd_t) fs_dontaudit_list_tmpfs(clvmd_t) fs_dontaudit_read_removable_files(clvmd_t) +fs_rw_anon_inodefs_files(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t) +storage_dev_filetrans_fixed_disk(clvmd_t) +storage_manage_fixed_disk(clvmd_t) domain_use_interactive_fds(clvmd_t) +storage_relabel_fixed_disk(clvmd_t) storage_raw_read_fixed_disk(clvmd_t) auth_use_nsswitch(clvmd_t) @@ -112,6 +126,9 @@ seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) +seutil_read_config(clvmd_t) +seutil_read_file_contexts(clvmd_t) +seutil_search_default_contexts(clvmd_t) userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_user_home_dirs(clvmd_t) @@ -124,6 +141,14 @@ ') optional_policy(` + dbus_system_bus_client(lvm_t) + + optional_policy(` + hal_dbus_chat(lvm_t) + ') +') + +optional_policy(` gpm_dontaudit_getattr_gpmctl(clvmd_t) ') @@ -133,6 +158,14 @@ ') optional_policy(` + unconfined_domain(clvmd_t) +') + +optional_policy(` + unconfined_domain(lvm_t) +') + +optional_policy(` udev_read_db(clvmd_t) ') 
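Review bot: `dbus_system_bus_client(lvm_t)`, `hal_dbus_chat(lvm_t)` and `unconfined_domain(lvm_t)` are added between clvmd_t rules (hunks -124,6 and -133,6), in what the earlier context lines label the Cluster LVM daemon section. `unconfined_domain(lvm_t)` is then added a second time in the last lvm.te hunk (-283,5). Rules for lvm_t belong with the other lvm_t rules, so that someone auditing one domain finds them in one place. I would move the dbus block next to `udev_read_db(lvm_t)` at the end of the file and keep a single `unconfined_domain(lvm_t)`. The section boundaries lie outside these hunks, so the placement is inferred from the neighbouring context lines.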
@@ -143,17 +176,19 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; +# lvm needs net_admin for multipath dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; allow lvm_t self:file rw_file_perms; -allow lvm_t self:fifo_file rw_file_perms; +allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; -allow lvm_t clvmd_t:unix_stream_socket connectto; +allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) @@ -185,6 +220,7 @@ manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) files_etc_filetrans(lvm_t,lvm_metadata_t,file) +files_search_mnt(lvm_t) kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) @@ -192,6 +228,8 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) +kernel_use_fds(lvm_t) +kernel_search_debugfs(lvm_t) selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) @@ -221,6 +259,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) +dev_rw_generic_files(lvm_t) fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) 
@@ -228,6 +267,7 @@ fs_read_tmpfs_symlinks(lvm_t) fs_dontaudit_read_removable_files(lvm_t) fs_dontaudit_getattr_tmpfs_files(lvm_t) +fs_rw_anon_inodefs_files(lvm_t) storage_relabel_fixed_disk(lvm_t) storage_dontaudit_read_removable_device(lvm_t) @@ -239,20 +279,28 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) +mls_file_read_all_levels(lvm_t) +mls_file_write_to_clearance(lvm_t) + +term_use_all_terms(lvm_t) corecmd_exec_bin(lvm_t) corecmd_exec_shell(lvm_t) domain_use_interactive_fds(lvm_t) +domain_read_all_domains_state(lvm_t) +files_read_usr_files(lvm_t) files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) +files_dontaudit_getattr_tmpfs_files(lvm_t) init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) +init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -283,5 +331,22 @@ ') optional_policy(` + modutils_domtrans_insmod(lvm_t) +') + +optional_policy(` + rpm_manage_script_tmp_files(lvm_t) +') + +optional_policy(` udev_read_db(lvm_t) ') + +optional_policy(` + unconfined_domain(lvm_t) +') + +optional_policy(` + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-04-07 16:01:44.000000000 -0400 
@@ -42,7 +42,7 @@ # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_tty_config }; +allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; @@ -55,6 +55,7 @@ kernel_load_module(insmod_t) kernel_read_system_state(insmod_t) +kernel_read_network_state(insmod_t) kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) @@ -63,6 +64,7 @@ kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) +kernel_setsched(insmod_t) files_read_kernel_modules(insmod_t) # for locking: (cjp: ????) @@ -76,11 +78,10 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) -# cjp: why is this needed? insmod cannot mounton any dir -# and it also transitions to mount -dev_mount_usbfs(insmod_t) +dev_create_generic_chr_files(insmod_t) fs_getattr_xattr_fs(insmod_t) +fs_dontaudit_use_tmpfs_chr_dev(insmod_t) corecmd_exec_bin(insmod_t) corecmd_exec_shell(insmod_t) @@ -101,6 +102,8 @@ init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) +init_rw_script_tmp_files(insmod_t) logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) @@ -109,19 +112,30 @@ seutil_read_file_contexts(insmod_t) -userdom_use_user_terminals(insmod_t) +term_use_all_terms(insmod_t) +userdom_dontaudit_search_user_home_dirs(insmod_t) -ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(insmod_t) ') -') if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) } optional_policy(` + alsa_domtrans(insmod_t) +') + +optional_policy(` + firstboot_dontaudit_rw_pipes(insmod_t) +') + +optional_policy(` + hal_write_log(insmod_t) +') + +optional_policy(` hotplug_search_config(insmod_t) ') 
@@ -154,6 +168,7 @@ optional_policy(` rpm_rw_pipes(insmod_t) + rpm_read_script_tmp_files(insmod_t) ') optional_policy(` @@ -184,6 +199,7 @@ files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) +files_delete_kernel_modules(depmod_t) fs_getattr_xattr_fs(depmod_t) @@ -214,7 +230,13 @@ ') optional_policy(` + # Read System.map from home directories. + unconfined_domain(depmod_t) +') + +optional_policy(` rpm_rw_pipes(depmod_t) + rpm_manage_script_tmp_files(depmod_t) ') ################################# diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.12/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/mount.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/mount.if 2009-04-07 16:01:44.000000000 -0400 @@ -43,9 +43,11 @@ mount_domtrans($1) role $2 types mount_t; + #Leaked File Descriptors + dontaudit mount_t $1:unix_stream_socket rw_socket_perms; optional_policy(` - samba_run_smbmount($1, $2) + samba_run_smbmount($1, $2, $3) ') ') 
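Review bot: In the mount.if hunk (@@ -43,9 +43,11 @@) the call becomes `samba_run_smbmount($1, $2, $3)`, but the visible body of the enclosing interface uses only `$1` and `$2`. The interface header and its parameter documentation start outside the hunk, so this cannot be confirmed here; if callers pass two arguments, `$3` expands to nothing and the third parameter of `samba_run_smbmount` silently receives an empty value. Either document the third parameter on this interface or drop it from the call. The added `dontaudit mount_t $1:unix_stream_socket rw_socket_perms;` also hides descriptor leaks from every caller, so the `#Leaked File Descriptors` comment should name the program that leaks them.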
@@ -159,3 +161,21 @@ mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') + +######################################## +## +## Send signal to mount process +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mount_signal',` + gen_require(` + type mount_t; + ') + + allow $1 mount_t:process signal; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-04-09 05:37:08.000000000 -0400 @@ -18,17 +18,21 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + type mount_loopback_t; # customizable files_type(mount_loopback_t) type mount_tmp_t; files_tmp_file(mount_tmp_t) -# causes problems with interfaces when -# this is optionally declared in monolithic -# policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t,mount_exec_t) +role system_r types unconfined_mount_t; + +type mount_var_run_t; +files_pid_file(mount_var_run_t) ######################################## # @@ -36,7 +40,8 @@ # # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:process { ptrace signal }; allow mount_t mount_loopback_t:file read_file_perms; 
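Review bot: The last hunk (@@ -36,7 +40,8 @@) adds `allow mount_t self:process { ptrace signal };` and the capabilities `fsetid` and `sys_resource`, while the only comment above the rule still reads "setuid/setgid needed to mount cifs". `ptrace` is unusual for a mount helper and should carry its own justification or be dropped if it only silences a denial. A comment in the form `# sys_resource, fsetid: <helper that needs them>` and `# ptrace: <reason, bug reference>` would make the grant reviewable.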
@@ -47,12 +52,25 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) +files_pid_filetrans(mount_t,mount_var_run_t,dir) +files_var_filetrans(mount_t,mount_var_run_t,dir) + +# In order to mount reiserfs_t +kernel_list_unlabeled(mount_t) kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) kernel_dontaudit_getattr_core_if(mount_t) +kernel_search_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) @@ -62,16 +80,19 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) +storage_rw_fuse(mount_t) -fs_getattr_xattr_fs(mount_t) -fs_getattr_cifs(mount_t) +fs_list_all(mount_t) +fs_getattr_all_fs(mount_t) fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_all_fs(mount_t) -fs_list_auto_mountpoints(mount_t) fs_rw_tmpfs_chr_files(mount_t) +fs_manage_tmpfs_dirs(mount_t) fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) term_use_all_terms(mount_t) @@ -79,6 +100,7 @@ corecmd_exec_bin(mount_t) domain_use_interactive_fds(mount_t) +domain_dontaudit_search_all_domains_state(mount_t) files_search_all(mount_t) files_read_etc_files(mount_t) @@ -87,7 +109,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: -files_relabelto_all_file_type_fs(mount_t) +files_relabel_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type 
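Review bot: The last hunk (@@ -87,7 +109,7 @@) widens `files_relabelto_all_file_type_fs(mount_t)` to `files_relabel_all_file_type_fs(mount_t)` directly under the existing caveat "These rules need to be generalized. Only admin, initrc should have it", so the change moves further from what that comment asks for. The @@ -62,16 +80,19 @@ hunk broadens in the same way, replacing `fs_getattr_xattr_fs`/`fs_getattr_cifs` with `fs_getattr_all_fs` and adding `fs_list_all`, `fs_manage_tmpfs_dirs` and `fs_manage_nfs_dirs`. If the wider relabel is required, the caveat should be updated to say which mount case needs relabelfrom on file-type filesystems; otherwise keep the narrower interface.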
@@ -100,6 +122,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) auth_use_nsswitch(mount_t) @@ -116,6 +140,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) ifdef(`distro_redhat',` optional_policy(` @@ -133,7 +158,7 @@ tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) - auth_read_all_files_except_shadow(mount_t) + auth_rw_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) ') @@ -141,16 +166,16 @@ # for nfs corenet_all_recvfrom_unlabeled(mount_t) corenet_all_recvfrom_netlabel(mount_t) - corenet_tcp_sendrecv_all_if(mount_t) - corenet_raw_sendrecv_all_if(mount_t) - corenet_udp_sendrecv_all_if(mount_t) - corenet_tcp_sendrecv_all_nodes(mount_t) - corenet_raw_sendrecv_all_nodes(mount_t) - corenet_udp_sendrecv_all_nodes(mount_t) + corenet_tcp_sendrecv_generic_if(mount_t) + corenet_raw_sendrecv_generic_if(mount_t) + corenet_udp_sendrecv_generic_if(mount_t) + corenet_tcp_sendrecv_generic_node(mount_t) + corenet_raw_sendrecv_generic_node(mount_t) + corenet_udp_sendrecv_generic_node(mount_t) corenet_tcp_sendrecv_all_ports(mount_t) corenet_udp_sendrecv_all_ports(mount_t) - corenet_tcp_bind_all_nodes(mount_t) - corenet_udp_bind_all_nodes(mount_t) + corenet_tcp_bind_generic_node(mount_t) + corenet_udp_bind_generic_node(mount_t) corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) @@ -164,6 +189,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) + + rpc_domtrans_rpcd(mount_t) ') optional_policy(` @@ -171,6 +198,15 @@ ') optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` + hal_dbus_chat(mount_t) + ') +') + + +optional_policy(` ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) 
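Review bot: Inside the `allow_mount_anyfile` tunable (@@ -133,7 +158,7 @@) the read grant is replaced by `auth_rw_all_files_except_shadow(mount_t)`, which gives mount_t write access to every file except shadow once an administrator enables a boolean whose name only suggests mounting on arbitrary files. `files_mounton_non_security(mount_t)` on the next line already covers the mount-on case, so the write permission needs a stated reason, for example loop-mounting an image read-write, and ideally a narrower interface. `userdom_manage_user_home_content_dirs(mount_t)` in @@ -116,6 +140,7 @@ is unconditional and deserves the same comment.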
@@ -178,6 +214,11 @@ ') ') +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 +optional_policy(` + lvm_domtrans(mount_t) +') + # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) @@ -185,14 +226,24 @@ optional_policy(` samba_domtrans_smbmount(mount_t) + samba_read_config(mount_t) ') ######################################## # -# Unconfined mount local policy +# ntfs local policy # +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; + +corecmd_exec_shell(mount_t) + +modutils_domtrans_insmod(mount_t) optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t,file) - unconfined_domain(unconfined_mount_t) + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_rw_pipes(mount_t) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.12/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.fc 2009-04-07 16:01:44.000000000 -0400 
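Review bot: The section renamed to "ntfs local policy" in @@ -185,14 +226,24 @@ contains only rules on mount_t, and the earlier `typealias mount_t alias mount_ntfs_t` means there is no separate ntfs domain, so `corecmd_exec_shell(mount_t)` and `modutils_domtrans_insmod(mount_t)` apply to every mount invocation. `modutils_domtrans_insmod(mount_t)` is also outside any `optional_policy` block, unlike the `lvm_domtrans(mount_t)` call added just above, and it leads into insmod_t, which this patch makes unconfined when the unconfined module is present. The same hunk deletes `unconfined_domain(unconfined_mount_t)` while mount.te still declares the type and mount.if still offers `mount_domtrans_unconfined`; no other rules for that type are visible in these hunks, so it looks as though callers would now transition into a domain with no permissions, which should be confirmed.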
@@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) -/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) # # /root @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) 
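Review bot: The first hunk lowers the label on `/etc/selinux/*/policy`, `seusers` and `users` from `mls_systemhigh` to `s0`, while `setrans\.conf` on the line between them keeps `mls_systemhigh`. On an MLS build this makes the binary policy and the login-to-SELinux-user mapping readable at the lowest sensitivity, which looks like a targeted-policy convenience leaking into the shared file-contexts file. If that is intended only for MCS/targeted builds, guard the `s0` variants with an `ifdef` and keep `mls_systemhigh` for `enable_mls`. The policy directory also changes type to semanage_store_t in the same line, which ties into the `typealias` in selinuxutil.te.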
@@ -46,3 +46,11 @@ # /var/run # /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) + +# +# /var/lib +# +/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.12/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.if 2009-04-09 09:12:25.000000000 -0400 @@ -535,6 +535,53 @@ ######################################## ## +## Execute setfiles in the setfiles domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_domtrans_setfiles_mac',` + gen_require(` + type setfiles_mac_t, setfiles_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) +') + +######################################## +## +## Execute setfiles in the setfiles_mac domain, and +## allow the specified role the setfiles_mac domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the setfiles_mac domain. +## +## +## +# +interface(`seutil_run_setfiles_mac',` + gen_require(` + type setfiles_mac_t; + ') + + seutil_domtrans_setfiles_mac($1) + role $2 types setfiles_mac_t; +') + +######################################## +## ## Execute setfiles in the caller domain. ## ## @@ -680,6 +727,7 @@ ') files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, selinux_config_t) manage_files_pattern($1,selinux_config_t,selinux_config_t) read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) ') 
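Review bot: The two entries added at the end of the selinuxutil.fc hunk label `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?`, a path that does not normally exist; the policy packages are usually installed under `/usr/share/selinux`, so this looks like a typo for `/usr/share/selinux/targeted(/.*)?` and `/usr/share/selinux/mls(/.*)?`. As written the entries match nothing, and the directories they were presumably meant to cover keep their default label. They also sit under the new "/var/lib" banner, so a banner of their own would help.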
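Review bot: In the selinuxutil.if hunk (@@ -535,6 +535,53 @@) the summary of `seutil_domtrans_setfiles_mac` says "Execute setfiles in the setfiles domain", but the body transitions to setfiles_mac_t. It should read `Execute setfiles in the setfiles_mac domain.` so the two interfaces can be told apart in generated documentation. The summary of `seutil_run_setfiles_mac` promises to "use the caller's terminal", yet the body contains only the transition and the role statement, so that phrase should be dropped. The added `manage_dirs_pattern($1, selinux_config_t, selinux_config_t)` in @@ -680,6 +727,7 @@ sits in an interface whose name and description are outside the hunk; its summary should mention directory management if it does not already.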
@@ -999,6 +1047,26 @@ ######################################## ## +## Execute a domain transition to run setsebool. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`seutil_domtrans_setsebool',` + gen_require(` + type setsebool_t, setsebool_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setsebool_exec_t, setsebool_t) +') + +######################################## +## ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. @@ -1010,7 +1078,7 @@ ## ## ## -## The role to be allowed the checkpolicy domain. +## The role to be allowed the semanage domain. ## ## ## @@ -1028,6 +1096,33 @@ ######################################## ## +## Execute setsebool in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the setsebool domain. +## +## +## +# +interface(`seutil_run_setsebool',` + gen_require(` + type semanage_t; + ') + + seutil_domtrans_setsebool($1) + role $2 types setsebool_t; +') + +######################################## +## ## Full management of the semanage ## module store. ## @@ -1139,3 +1234,255 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') + +####################################### +## +## The per role template for the setsebool module. +## +## +##
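Review bot: `seutil_run_setsebool` (@@ -1028,6 +1096,33 @@) requires `type semanage_t;` but its role statement is `role $2 types setsebool_t;`, so the type it actually uses is never required and the one it requires is never used. The `gen_require` line should be `type setsebool_t;`. The summary has the same copy-paste error, "Execute setsebool in the semanage domain, and allow the specified role the semanage domain", and should name the setsebool domain in both places.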

+## This template creates a derived domains which are used +## for setsebool plugins that are executed by a browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`seutil_setsebool_per_role_template',` + gen_require(` + type setsebool_exec_t; + ') + + type $1_setsebool_t; + domain_type($1_setsebool_t) + domain_entry_file($1_setsebool_t, setsebool_exec_t) + role $3 types $1_setsebool_t; + + files_search_usr($2) + corecmd_search_bin($2) + domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t) + seutil_semanage_policy($1_setsebool_t) + + # Need to define per type booleans + selinux_set_all_booleans($1_setsebool_t) + + # Bug in semanage + seutil_domtrans_setfiles($1_setsebool_t) + seutil_manage_file_contexts($1_setsebool_t) + seutil_manage_default_contexts($1_setsebool_t) + seutil_manage_config($1_setsebool_t) +') + +####################################### +## +## All rules necessary to run semanage command +## +## +## +## Domain allowed access. 
+## +## +# +interface(`seutil_semanage_policy',` + gen_require(` + type semanage_tmp_t; + type policy_config_t; + ') + allow $1 self:capability { dac_override sys_resource }; + dontaudit $1 self:capability sys_tty_config; + allow $1 self:process signal; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + logging_send_audit_msgs($1) + + # Running genhomedircon requires this for finding all users + auth_use_nsswitch($1) + + allow $1 policy_config_t:file { read write }; + + allow $1 semanage_tmp_t:dir manage_dir_perms; + allow $1 semanage_tmp_t:file manage_file_perms; + files_tmp_filetrans($1, semanage_tmp_t, { file dir }) + + kernel_read_system_state($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_bin($1) + corecmd_exec_shell($1) + + dev_read_urand($1) + + domain_use_interactive_fds($1) + + files_read_etc_files($1) + files_read_etc_runtime_files($1) + files_read_usr_files($1) + files_list_pids($1) + fs_list_inotifyfs($1) + fs_getattr_all_fs($1) + + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) + + selinux_getattr_fs($1) + selinux_validate_context($1) + selinux_get_enforce_mode($1) + + term_use_all_terms($1) + + locallogin_use_fds($1) + + logging_send_syslog_msg($1) + + miscfiles_read_localization($1) + + seutil_search_default_contexts($1) + seutil_domtrans_loadpolicy($1) + seutil_read_config($1) + seutil_manage_bin_policy($1) + seutil_use_newrole_fds($1) + seutil_manage_module_store($1) + seutil_get_semanage_trans_lock($1) + seutil_get_semanage_read_lock($1) + + userdom_dontaudit_write_user_home_content_files($1) + + optional_policy(` + rpm_dontaudit_rw_tmp_files($1) + rpm_dontaudit_rw_pipes($1) + ') +') + + +####################################### +## +## All rules necessary to run setfiles command +## +## +## +## Domain allowed access. 
+## +## +# +interface(`seutil_setfiles',` + +allow $1 self:capability { dac_override dac_read_search fowner }; +dontaudit $1 self:capability sys_tty_config; +allow $1 self:fifo_file rw_file_perms; +dontaudit $1 self:dir relabelfrom; +dontaudit $1 self:file relabelfrom; +dontaudit $1 self:lnk_file relabelfrom; + + +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; + +logging_send_audit_msgs($1) + +kernel_read_system_state($1) +kernel_relabelfrom_unlabeled_dirs($1) +kernel_relabelfrom_unlabeled_files($1) +kernel_relabelfrom_unlabeled_symlinks($1) +kernel_relabelfrom_unlabeled_pipes($1) +kernel_relabelfrom_unlabeled_sockets($1) +kernel_use_fds($1) +kernel_rw_pipes($1) +kernel_rw_unix_dgram_sockets($1) +kernel_dontaudit_list_all_proc($1) +kernel_read_all_sysctls($1) +kernel_read_network_state_symlinks($1) + +dev_relabel_all_dev_nodes($1) + +domain_use_interactive_fds($1) +domain_read_all_domains_state($1) + +files_read_etc_runtime_files($1) +files_read_etc_files($1) +files_list_all($1) +files_relabel_all_files($1) +files_list_isid_type_dirs($1) +files_read_isid_type_files($1) +files_dontaudit_read_all_symlinks($1) + +fs_getattr_xattr_fs($1) +fs_list_all($1) +fs_getattr_all_files($1) +fs_search_auto_mountpoints($1) +fs_relabelfrom_noxattr_fs($1) + +mls_file_read_all_levels($1) +mls_file_write_all_levels($1) +mls_file_upgrade($1) +mls_file_downgrade($1) + +selinux_validate_context($1) +selinux_compute_access_vector($1) +selinux_compute_create_context($1) +selinux_compute_relabel_context($1) +selinux_compute_user_contexts($1) + +term_use_all_terms($1) + +# this is to satisfy the assertion: +auth_relabelto_shadow($1) + +init_use_fds($1) +init_use_script_fds($1) +init_use_script_ptys($1) +init_exec_script_files($1) 
+ +logging_send_syslog_msg($1) + +miscfiles_read_localization($1) + +seutil_libselinux_linked($1) + +userdom_use_all_users_fds($1) +# for config files in a home directory +userdom_read_user_home_content_files($1) + +ifdef(`distro_debian',` + # udev tmpfs is populated with static device nodes + # and then relabeled afterwards; thus + # /dev/console has the tmpfs type + fs_rw_tmpfs_chr_files($1) +') + +ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files($1) + fs_rw_tmpfs_blk_files($1) + fs_relabel_tmpfs_blk_file($1) + fs_relabel_tmpfs_chr_file($1) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain($1) + ') +') + +optional_policy(` + hotplug_use_fds($1) +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-07 16:01:44.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) +type selinux_var_lib_t; +files_type(selinux_var_lib_t) + type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) @@ -58,8 +61,9 @@ # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # -type policy_config_t; -files_type(policy_config_t) +#type policy_config_t; +#files_type(policy_config_t) +typealias semanage_store_t alias policy_config_t; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -75,7 +79,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) -role system_r types restorecond_t; type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) 
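Review bot: The new `seutil_setfiles` interface in the selinuxutil.if hunk (@@ -1139,3 +1234,255 @@) names policy_src_t, policy_config_t, file_context_t and default_context_t in its allow rules but has no `gen_require` block, unlike `seutil_semanage_policy` just above it. An interface that uses types it does not require fails to build when called from another module; add `gen_require(` with `type policy_src_t, policy_config_t, file_context_t, default_context_t;` as the first statement of the body. The body is also not indented and ends with a `distro_ubuntu` `unconfined_domain($1)` block, which every caller inherits. The summary of `seutil_setsebool_per_role_template` describes "setsebool plugins that are executed by a browser", apparently text carried over from another template, and should describe setsebool instead.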
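Review bot: In selinuxutil.te (@@ -58,8 +61,9 @@) policy_config_t stops being a type of its own and becomes an alias of semanage_store_t, so the binary policy and the module store can no longer be given different permissions. Every domain allowed to manage the store now holds the same access to the policy file, and the `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;` kept on the next line silently extends to the whole store. If the merge is deliberate, the block comment above it ("policy_config_t is the type of ... the security server policy configuration") should be rewritten to say so. The two commented-out declarations `#type policy_config_t;` and `#files_type(policy_config_t)` should be deleted rather than left as dead code.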
@@ -92,6 +95,10 @@ domain_interactive_fd(semanage_t) role system_r types semanage_t; +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) + type semanage_store_t; files_type(semanage_store_t) @@ -109,6 +116,11 @@ init_system_domain(setfiles_t,setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) +type setfiles_mac_t; +domain_type(setfiles_mac_t) +domain_entry_file(setfiles_mac_t, setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_mac_t) + ######################################## # # Checkpolicy local policy @@ -166,6 +178,7 @@ files_read_etc_runtime_files(load_policy_t) fs_getattr_xattr_fs(load_policy_t) +fs_list_inotifyfs(load_policy_t) mls_file_read_all_levels(load_policy_t) @@ -191,15 +204,6 @@ ') ') -ifdef(`hide_broken_symptoms',` - # cjp: cover up stray file descriptors. - dontaudit load_policy_t selinux_config_t:file write; - - optional_policy(` - unconfined_dontaudit_read_pipes(load_policy_t) - ') -') - ######################################## # # Newrole local policy @@ -217,7 +221,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(newrole_t) read_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) @@ -270,12 +274,14 @@ init_rw_utmp(newrole_t) init_use_fds(newrole_t) +logging_send_audit_msgs(newrole_t) logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) seutil_libselinux_linked(newrole_t) +userdom_use_unpriv_users_fds(newrole_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) 
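Review bot: `logging_send_audit_msgs(newrole_t)` is added twice, once in @@ -217,7 +221,7 @@ where it replaces the explicit netlink_audit_socket rule, and again in @@ -270,12 +274,14 @@ next to `logging_send_syslog_msg(newrole_t)`. The duplicate is harmless to the compiled policy but makes the rule set harder to audit; keep the second one, which sits with the other logging calls, and drop the first. The second hunk also adds `userdom_use_unpriv_users_fds(newrole_t)` with no comment; the existing "for some PAM modules and for cwd" comment below it covers different rules.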
@@ -336,6 +342,8 @@ seutil_libselinux_linked(restorecond_t) +userdom_read_user_home_content_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) @@ -354,7 +362,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; -allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(run_init_t) # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit @@ -383,10 +391,10 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) -auth_domtrans_upd_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) + # for utmp init_rw_utmp(run_init_t) @@ -406,6 +414,10 @@ ') ') +optional_policy(` + rpm_domtrans(run_init_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) 
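Review bot: The last hunk (@@ -406,6 +414,10 @@) adds `rpm_domtrans(run_init_t)` with no explanation. run_init exists to start init scripts, and the rpm domain is normally one of the most privileged on the system, so a direct transition into it needs a stated reason. A comment such as `# run_init is invoked from package scriptlets (TODO: cite bug)` above the `optional_policy` block would do, if that is the reason. The same hunk group removes `auth_domtrans_upd_passwd(run_init_t)` in @@ -383,10 +391,10 @@, which is a reduction and needs no change.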
@@ -421,61 +433,22 @@ # semodule local policy # -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; -allow semanage_t policy_config_t:file rw_file_perms; +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) - -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) -files_list_pids(semanage_t) - -mls_file_write_all_levels(semanage_t) -mls_file_read_all_levels(semanage_t) - -selinux_validate_context(semanage_t) -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: selinux_set_all_booleans(semanage_t) +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) seutil_domtrans_setfiles(semanage_t) -seutil_domtrans_loadpolicy(semanage_t) -seutil_manage_bin_policy(semanage_t) 
-seutil_use_newrole_fds(semanage_t) -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) -seutil_get_semanage_read_lock(semanage_t) + # netfilter_contexts: seutil_manage_default_contexts(semanage_t) @@ -484,12 +457,23 @@ files_read_var_lib_symlinks(semanage_t) ') +optional_policy(` + setrans_initrc_domtrans(semanage_t) + domain_system_change_exemption(semanage_t) + consoletype_exec(semanage_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(semanage_t) ') ') +optional_policy(` + #signal mcstrans on reload + init_spec_domtrans_script(semanage_t) +') + # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files 
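Review bot: The rewritten semodule section (@@ -421,61 +433,22 @@) adds `auth_read_all_files_except_shadow(semanage_t)` under the comment "Admins are creating pp files in random locations", which trades a usability problem for read access to nearly every file on the system from a domain that can rewrite policy. Reading module packages from user home and tmp content, or from a dedicated type, would cover the stated case with far less exposure. The hunk also removes `seutil_libselinux_linked(semanage_t)`, and the `seutil_semanage_policy` body shown in selinuxutil.if does not call it, so it is worth confirming that nothing it granted has been lost.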
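Review bot: The hunk @@ -484,12 +457,23 @@ adds two ways for semanage_t to restart mcstrans, `setrans_initrc_domtrans(semanage_t)` in the first block and `init_spec_domtrans_script(semanage_t)` under "#signal mcstrans on reload" in the second. The first is limited to the script labelled setrans_initrc_exec_t, whereas the second, as that interface is normally defined, allows a transition through any init script, so it undoes the restriction the first one provides. Unless something other than mcstrans must be restarted, the second block should be removed. `domain_system_change_exemption(semanage_t)` in the first block should also get a one-line comment explaining why the exemption is needed.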
@@ -499,111 +483,36 @@ userdom_read_user_tmp_files(semanage_t) ') -######################################## +userdom_search_admin_dir(semanage_t) + +####################################n#### # -# Setfiles local policy +# setsebool local policy # +seutil_semanage_policy(setsebool_t) +selinux_set_all_booleans(setsebool_t) -allow setfiles_t self:capability { dac_override dac_read_search fowner }; -dontaudit setfiles_t self:capability sys_tty_config; -allow setfiles_t self:fifo_file rw_file_perms; - -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; - -kernel_read_system_state(setfiles_t) -kernel_relabelfrom_unlabeled_dirs(setfiles_t) -kernel_relabelfrom_unlabeled_files(setfiles_t) -kernel_relabelfrom_unlabeled_symlinks(setfiles_t) -kernel_relabelfrom_unlabeled_pipes(setfiles_t) -kernel_relabelfrom_unlabeled_sockets(setfiles_t) -kernel_use_fds(setfiles_t) -kernel_rw_pipes(setfiles_t) -kernel_rw_unix_dgram_sockets(setfiles_t) -kernel_dontaudit_list_all_proc(setfiles_t) -kernel_dontaudit_list_all_sysctls(setfiles_t) - -dev_relabel_all_dev_nodes(setfiles_t) - -domain_use_interactive_fds(setfiles_t) -domain_dontaudit_search_all_domains_state(setfiles_t) - -files_read_etc_runtime_files(setfiles_t) -files_read_etc_files(setfiles_t) -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) - -fs_getattr_xattr_fs(setfiles_t) -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) -fs_relabelfrom_noxattr_fs(setfiles_t) - -mls_file_read_all_levels(setfiles_t) -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) - -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) 
-selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) - -term_use_all_user_ttys(setfiles_t) -term_use_all_user_ptys(setfiles_t) -term_use_unallocated_ttys(setfiles_t) - -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - -init_use_fds(setfiles_t) -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) - -logging_send_syslog_msg(setfiles_t) - -miscfiles_read_localization(setfiles_t) - -seutil_libselinux_linked(setfiles_t) - -userdom_use_all_users_fds(setfiles_t) -# for config files in a home directory -userdom_read_user_home_content_files(setfiles_t) - -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) -') +init_dontaudit_use_fds(setsebool_t) -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) - fs_rw_tmpfs_blk_files(setfiles_t) - fs_relabel_tmpfs_blk_file(setfiles_t) - fs_relabel_tmpfs_chr_file(setfiles_t) -') +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(setfiles_t) - ') -') +######################################## +# +# Setfiles local policy +# -ifdef(`hide_broken_symptoms',` - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) - ') +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) - # cjp: cover up stray file descriptors. 
- optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') -') +seutil_setfiles(setfiles_mac_t) +allow setfiles_mac_t self:capability2 mac_admin; +kernel_relabelto_unlabeled(setfiles_mac_t) optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.12/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/setrans.if 2009-04-07 16:01:44.000000000 -0400 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) ') + +######################################## +## +## Execute setrans server in the setrans domain. +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`setrans_initrc_domtrans',` + gen_require(` + type setrans_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.12/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.fc 2009-04-07 16:01:44.000000000 -0400 
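Review bot: The new "setsebool local policy" section in selinuxutil.te (@@ -499,111 +483,36 @@) gives setsebool_t the whole `seutil_semanage_policy` rule set plus `seutil_domtrans_setfiles`, `seutil_manage_file_contexts`, `seutil_manage_default_contexts` and `seutil_manage_config`, justified only by "# Bug in semanage". That leaves setsebool_t with almost the same reach as semanage_t, which defeats the purpose of giving `/usr/sbin/setsebool` its own type in selinuxutil.fc. The comment should cite the bug and the four extra calls should be removed once it is fixed. The banner above the section reads `####################################n####` with a stray `n`. `allow setfiles_mac_t self:capability2 mac_admin;` at the end of the hunk is a sensitive grant and should state which caller needs to set labels unknown to the loaded policy.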
@@ -11,8 +11,12 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -20,6 +24,8 @@ ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') # @@ -57,3 +63,5 @@ ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-07 16:01:44.000000000 -0400 
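Review bot: The three wicd entries in the first hunk leave the dots in `manage-settings.conf`, `wireless-settings.conf` and `wired-settings.conf` unescaped and write the context as `net_conf_t, s0`, while every neighbouring entry escapes the dot (`resolv\.conf`) and writes `net_conf_t,s0`. File-context paths are regular expressions, so the unescaped dot matches any character; the entries should read like `/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:net_conf_t,s0)`. The `/etc/firestarter/firestarter\.sh` entry in the last hunk (@@ -57,3 +63,5 @@) has no `--` file-type field, unlike the other single-file entries.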
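Review bot: The second hunk (@@ -20,6 +24,8 @@) labels the whole tree `/etc/sysconfig/network-scripts(/.*)?` as net_conf_t, which covers the executable ifup/ifdown scripts there as well as the configuration files. Together with the sysnetwork.if change that turns `sysnet_manage_config` into `manage_files_pattern($1, net_conf_t, net_conf_t)`, any domain allowed to manage network configuration can then create or rewrite scripts that run as root when an interface is brought up. Restricting the pattern to the configuration files, for example `ifcfg-.*` and `route-.*` (a suggested pattern, not taken from the page), would keep the scripts on their existing label.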
@@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) role $2 types dhcpc_t; + + sysnet_run_ifconfig(dhcpc_t, $2) + + modutils_run_insmod(dhcpc_t, $2) + + optional_policy(` + consoletype_run(dhcpc_t, $2) + ') + optional_policy(` + hostname_run(dhcpc_t, $2) + ') + + optional_policy(` + netutils_run_ping(dhcpc_t, $2) + ') + optional_policy(` + netutils_run(dhcpc_t, $2) + ') + optional_policy(` + networkmanager_run(dhcpc_t, $2) + ') + + optional_policy(` + nis_run_ypbind(dhcpc_t, $2) + ') + + optional_policy(` + nscd_run(dhcpc_t, $2) + ') + optional_policy(` + ntp_run(dhcpc_t, $2) + ') + seutil_run_setfiles(dhcpc_t, $2) ') ######################################## @@ -192,7 +225,25 @@ type dhcpc_state_t; ') - allow $1 dhcpc_state_t:file read_file_perms; + read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + +####################################### +## +## Delete the dhcp client state files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`sysnet_delete_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') ####################################### @@ -230,7 +281,7 @@ ') files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; + read_files_pattern($1, net_conf_t, net_conf_t) ') ####################################### @@ -323,7 +374,8 @@ type net_conf_t; ') - allow $1 net_conf_t:file manage_file_perms; + allow $1 net_conf_t:dir list_dir_perms; + manage_files_pattern($1, net_conf_t, net_conf_t) ') ####################################### @@ -541,6 +593,7 @@ type net_conf_t; ') + allow $1 self:netlink_route_socket r_netlink_socket_perms; allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; @@ -557,6 +610,14 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; + + optional_policy(` + avahi_stream_connect($1) + ') + + optional_policy(` + nscd_socket_use($1) + ') ') ######################################## 
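Review bot: The additions to what appears to be `sysnet_run_dhcpc` (its header is outside the hunk) authorise the caller's role `$2` for every domain dhcpc_t may start, and two of them, `modutils_run_insmod(dhcpc_t, $2)` and `seutil_run_setfiles(dhcpc_t, $2)`, are unconditional. Going by the interface names, these let dhcpc_t transition into the module-loading and file-relabelling domains, a large step up for a domain that parses DHCP replies; sysnetwork.te gains the matching `seutil_domtrans_setfiles(dhcpc_t)`. Each of these lines needs a comment naming the dhclient-script step that requires it, and the two unconditional ones would sit better inside `optional_policy` like the rest. If setfiles is wanted only to fix the label of files dhcpc_t itself creates in /etc, the `files_etc_filetrans(dhcpc_t,net_conf_t,file)` rule already in sysnetwork.te may make the transition unnecessary.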
@@ -586,6 +647,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## @@ -620,3 +683,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') + +######################################## +## +## Do not audit attempts to use +## the dhcp file descriptors. +## +## +## +## The domain sending the SIGCHLD. +## +## +# +interface(`sysnet_dontaudit_dhcpc_use_fds',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:fd use; +') + +######################################## +## +## Transition to system_r when execute an dhclient script +## +## +##

+## Execute dhclient script in a specified role +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Role to transition from. +## +## +interface(`sysnet_role_transition_dhcpc',` + gen_require(` + type dhcpc_exec_t; + ') + + role_transition $1 dhcpc_exec_t system_r; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-07 16:01:44.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) + type dhcpc_state_t; files_type(dhcpc_state_t) 
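Review bot: `sysnet_role_transition_dhcpc` is documented as applying to a "dhclient script", but the rule it emits, `role_transition $1 dhcpc_exec_t system_r;`, keys on `dhcpc_exec_t`, which sysnetwork.te declares as the entry point of the DHCP client itself (`init_daemon_domain(dhcpc_t,dhcpc_exec_t)`). Either the summary should read `Change to system_r when executing the DHCP client.` or the rule should name the script type that is meant. In the same hunk the parameter text of `sysnet_dontaudit_dhcpc_use_fds`, "The domain sending the SIGCHLD.", is a copy-paste leftover; `Domain to not audit.` matches the `dontaudit $1 dhcpc_t:fd use;` rule.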
@@ -41,21 +44,22 @@ # # DHCP client local policy # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config }; dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process signal_perms; -allow dhcpc_t self:fifo_file rw_file_perms; +allow dhcpc_t self:process { setfscreate ptrace signal_perms }; +allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; allow dhcpc_t self:udp_socket create_socket_perms; allow dhcpc_t self:packet_socket create_socket_perms; -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; allow dhcpc_t dhcp_etc_t:dir list_dir_perms; read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) +allow dhcpc_t dhcp_state_t:file read_file_perms; manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) @@ -65,7 +69,7 @@ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. -allow dhcpc_t net_conf_t:file manage_file_perms; +sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t,net_conf_t,file) # create temp files @@ -116,7 +120,7 @@ corecmd_exec_shell(dhcpc_t) domain_use_interactive_fds(dhcpc_t) -domain_dontaudit_list_all_domains_state(dhcpc_t) +domain_dontaudit_read_all_domains_state(dhcpc_t) files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) 
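Review bot: The widened `allow dhcpc_t self:process { setfscreate ptrace signal_perms };` gives the DHCP client `ptrace` over its own domain and `setfscreate`, and the capability line gains `sys_nice`, none with a comment saying what needs them. dhcpc_t parses data received from the network, so `ptrace` in particular deserves a stated reason or removal; if it was added only to quiet a denial, `dontaudit dhcpc_t self:process ptrace;` is the narrower choice. A short why-comment above each new permission, in the style of the existing `# for access("/etc/bashrc", X_OK) on Red Hat` line, would let a later reviewer judge whether it is still needed.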
@@ -183,25 +187,23 @@ ') optional_policy(` - nis_use_ypbind(dhcpc_t) - nis_signal_ypbind(dhcpc_t) - nis_read_ypbind_pid(dhcpc_t) - nis_delete_ypbind_pid(dhcpc_t) + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) +') - # dhclient sometimes starts ypbind - init_exec_script_files(dhcpc_t) - nis_domtrans_ypbind(dhcpc_t) +optional_policy(` + nis_ypbind_initrc_domtrans(dhcpc_t) + nis_read_ypbind_pid(dhcpc_t) ') optional_policy(` + nscd_initrc_domtrans(dhcpc_t) nscd_domtrans(dhcpc_t) nscd_read_pid(dhcpc_t) ') optional_policy(` - # dhclient sometimes starts ntpd - init_exec_script_files(dhcpc_t) - ntp_domtrans(dhcpc_t) + ntp_initrc_domtrans(dhcpc_t) ') optional_policy(` @@ -212,6 +214,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) ') optional_policy(` @@ -223,6 +226,10 @@ ') optional_policy(` + vmware_append_log(dhcpc_t) +') + +optional_policy(` kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) @@ -236,7 +243,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; -dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; @@ -250,6 +256,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; +allow ifconfig_t net_conf_t:file read_file_perms; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
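Review bot: The nscd block now grants both `nscd_initrc_domtrans(dhcpc_t)` and the older `nscd_domtrans(dhcpc_t)`, whereas the nis and ntp blocks in this hunk replace the direct transition with the init-script one. If dhclient-script restarts nscd through its init script, as the other two changes suggest, the direct `nscd_domtrans(dhcpc_t)` line can go. Otherwise add a comment saying which caller still executes the nscd binary directly.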
@@ -259,13 +266,20 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; + +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + files_read_etc_files(ifconfig_t); +files_read_etc_runtime_files(ifconfig_t); kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) +kernel_search_debugfs(ifconfig_t) kernel_rw_net_sysctls(ifconfig_t) +# This should be put inside a boolean, but can not because of attributes +kernel_load_module(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -276,8 +290,13 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +selinux_dontaudit_getattr_fs(ifconfig_t) + +term_dontaudit_use_console(ifconfig_t) term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) +term_dontaudit_use_ptmx(ifconfig_t) +term_dontaudit_use_generic_ptys(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -296,6 +315,8 @@ seutil_use_runinit_fds(ifconfig_t) +sysnet_dns_name_resolve(ifconfig_t) + userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) @@ -332,6 +353,14 @@ ') optional_policy(` + unconfined_dontaudit_rw_pipes(ifconfig_t) +') + +optional_policy(` + vmware_append_log(ifconfig_t) +') + +optional_policy(` kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-21 14:41:11.000000000 -0400 
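Review bot: `kernel_load_module(ifconfig_t)` is added unconditionally, and the comment above it already concedes it belongs behind a boolean. Going by the interface name this lets every ifconfig_t process load kernel modules, and the patch also removes the earlier `dontaudit ifconfig_t self:capability sys_module;`, so the previous policy treated the same request as something to deny quietly. If the attribute assignment really cannot be made conditional, expand the comment to say which operation triggers the module request and why denying it is not acceptable, so that the grant is not taken as a general precedent. The added `files_read_etc_runtime_files(ifconfig_t);` copies the stray trailing `;` of the line above it.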
@@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) @@ -140,6 +141,7 @@ logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) +miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) # read modules.inputmap: @@ -210,6 +212,11 @@ ') optional_policy(` + devicekit_read_pid_files(udev_t) + devicekit_dgram_send(udev_t) +') + +optional_policy(` lvm_domtrans(udev_t) ') @@ -219,6 +226,7 @@ optional_policy(` hal_dgram_send(udev_t) + hal_rw_dgram_sockets(udev_t) ') optional_policy(` @@ -242,6 +250,10 @@ ') optional_policy(` + rpm_search_log(udev_t) +') + +optional_policy(` kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.12/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/unconfined.fc 2009-04-09 04:45:11.000000000 -0400 
@@ -1,16 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) - -/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-15 10:11:28.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` gen_require(` - type unconfined_t; class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. - allow $1 self:capability *; + allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. 
@@ -27,12 +26,13 @@ # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; + allow $1 self:dir rw_dir_perms; # Userland object managers - allow $1 self:nscd *; - allow $1 self:dbus *; - allow $1 self:passwd *; - allow $1 self:association *; + allow $1 self:nscd all_nscd_perms; + allow $1 self:dbus all_dbus_perms; + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; kernel_unconfined($1) corenet_unconfined($1) @@ -44,6 +44,16 @@ fs_unconfined($1) selinux_unconfined($1) + domain_mmap_low_type($1) + + mls_file_read_all_levels($1) + + ubac_process_exempt($1) + + tunable_policy(`allow_unconfined_mmap_low',` + domain_mmap_low($1) + ') + tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; @@ -57,8 +67,8 @@ tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; + # execstack implies execmem; Bugzilla #211271 + allow $1 self:process { execmem execstack }; # auditallow $1 self:process execstack; ') @@ -69,6 +79,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) + dbus_unconfined($1) ') optional_policy(` @@ -111,6 +122,10 @@ ## # interface(`unconfined_domain',` + gen_require(` + attribute unconfined_services; + ') + unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` 
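Review bot: The `gen_require` added to `unconfined_domain` pulls in `attribute unconfined_services`, but none of the added lines in this file's hunks assigns or tests that attribute (the rest of the interface body lies outside the hunk). As written the block only creates a dependency on the attribute declared in unconfined.te. Either add the intended use, for example `typeattribute $1 unconfined_services;` after the `unconfined_domain_noaudit($1)` call if that is what was meant, or drop the require.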
@@ -173,411 +188,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') -######################################## -## -## Transition to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_domtrans',` - gen_require(` - type unconfined_t, unconfined_exec_t; - ') - - domtrans_pattern($1,unconfined_exec_t,unconfined_t) -') - -######################################## -## -## Execute specified programs in the unconfined domain. -## -## -## -## The type of the process performing this action. -## -## -## -## -## The role to allow the unconfined domain. -## -## -# -interface(`unconfined_run',` - gen_require(` - type unconfined_t; - ') - - unconfined_domtrans($1) - role $2 types unconfined_t; -') - -######################################## -## -## Transition to the unconfined domain by executing a shell. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_shell_domtrans',` - gen_require(` - type unconfined_t; - ') - - corecmd_shell_domtrans($1,unconfined_t) - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_domtrans_to',` - gen_require(` - type unconfined_t; - ') - - domtrans_pattern(unconfined_t,$2,$1) -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_run_to',` - gen_require(` - type unconfined_t; - role unconfined_r; - ') - - domtrans_pattern(unconfined_t,$2,$1) - role unconfined_r types $1; - userdom_use_user_terminals($1) -') - -######################################## -## -## Inherit file descriptors from the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_use_fds',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_sigchld',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process sigchld; -') - -######################################## -## -## Send a SIGNULL signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signull',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signull; -') - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signal',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signal; -') - -######################################## -## -## Read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_read_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`unconfined_dontaudit_read_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file read; -') - -######################################## -## -## Read and write unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file rw_file_perms; -') - -######################################## -## -## Connect to the unconfined domain using -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_stream_connect',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:unix_stream_socket connectto; -') - -######################################## -## -## Do not audit attempts to read or write -## unconfined domain tcp sockets. -## -## -##

-## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##

-##

-## This interface was added due to a broken -## symptom in ldconfig. -##

-##
-## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_tcp_sockets',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:tcp_socket { read write }; -') - -######################################## -## -## Create keys for the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_create_keys',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:key create; -') - -######################################## -## -## Send messages to the unconfined domain over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_send',` - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; -') - -######################################## -## -## Send and receive messages from -## unconfined_t over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_chat',` - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; -') - -######################################## -## -## Connect to the the unconfined DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_dbus_connect',` - gen_require(` - type unconfined_t; - class dbus acquire_svc; - ') - - allow $1 unconfined_t:dbus acquire_svc; -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.12/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-09 04:23:28.000000000 -0400 
@@ -5,227 +5,6 @@ # # Declarations # +attribute unconfined_services; -# usage in this module of types created by these -# calls is not correct, however we dont currently -# have another method to add access to these types -userdom_base_user_template(unconfined) -userdom_manage_home_role(unconfined_r, unconfined_t) -userdom_manage_tmp_role(unconfined_r, unconfined_t) -userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) - -type unconfined_execmem_t; -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -role unconfined_r types unconfined_execmem_t; - -######################################## -# -# Local policy -# - -domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) - -files_create_boot_flag(unconfined_t) - -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) - -init_run_daemon(unconfined_t, unconfined_r) - -libs_run_ldconfig(unconfined_t, unconfined_r) - -logging_send_syslog_msg(unconfined_t) -logging_run_auditctl(unconfined_t, unconfined_r) - -mount_run_unconfined(unconfined_t, unconfined_r) - -seutil_run_setfiles(unconfined_t, unconfined_r) -seutil_run_semanage(unconfined_t, unconfined_r) - -unconfined_domain(unconfined_t) - -userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) - -ifdef(`distro_gentoo',` - seutil_run_runinit(unconfined_t, unconfined_r) - seutil_init_script_run_runinit(unconfined_t, unconfined_r) -') - -optional_policy(` - ada_domtrans(unconfined_t) -') - -optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) -') - -optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') - -optional_policy(` - bootloader_run(unconfined_t, unconfined_r) -') - -optional_policy(` - cron_unconfined_role(unconfined_r, unconfined_t) -') - -optional_policy(` - init_dbus_chat_script(unconfined_t) - - 
dbus_stub(unconfined_t) - - optional_policy(` - avahi_dbus_chat(unconfined_t) - ') - - optional_policy(` - bluetooth_dbus_chat(unconfined_t) - ') - - optional_policy(` - consolekit_dbus_chat(unconfined_t) - ') - - optional_policy(` - cups_dbus_chat_config(unconfined_t) - ') - - optional_policy(` - hal_dbus_chat(unconfined_t) - ') - - optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') -') - -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') - -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') - -optional_policy(` - inn_domtrans(unconfined_t) -') - -optional_policy(` - java_domtrans_unconfined(unconfined_t) -') - -optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -') - -optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - -optional_policy(` - mono_domtrans(unconfined_t) -') - -optional_policy(` - mta_role(unconfined_r, unconfined_t) -') - -optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) -') - -optional_policy(` - prelink_run(unconfined_t, unconfined_r) -') - -optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - postfix_run_map(unconfined_t, unconfined_r) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -') - -optional_policy(` - pyzor_role(unconfined_r, unconfined_t) -') - -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) -') - -optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') - -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - spamassassin_role(unconfined_r, unconfined_t) -') - -optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r) - sysnet_dbus_chat_dhcpc(unconfined_t) -') - -optional_policy(` - tzdata_run(unconfined_t, unconfined_r) -') - -optional_policy(` - 
usermanage_run_admin_passwd(unconfined_t, unconfined_r) -') - -optional_policy(` - vpn_run(unconfined_t, unconfined_r) -') - -optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - -optional_policy(` - wine_domtrans(unconfined_t) -') - -optional_policy(` - xserver_domtrans(unconfined_t) -') - -######################################## -# -# Unconfined Execmem Local policy -# - -allow unconfined_execmem_t self:process { execstack execmem }; -unconfined_domain_noaudit(unconfined_execmem_t) - -optional_policy(` - dbus_stub(unconfined_execmem_t) - - init_dbus_chat_script(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) - - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.12/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.fc 2009-04-07 16:01:44.000000000 -0400 @@ -1,4 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-20 08:25:48.000000000 -0400 
@@ -30,8 +30,9 @@ ') attribute $1_file_type; + attribute $1_usertype; - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) 
@@ -41,71 +42,85 @@ allow system_r $1_r; term_user_pty($1_t, user_devpts_t) - term_user_tty($1_t, user_tty_device_t) - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; + allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; + + allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; + allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; + allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_usertype $1_usertype:shm create_shm_perms; + allow $1_usertype $1_usertype:sem create_sem_perms; + allow $1_usertype $1_usertype:msgq create_msgq_perms; + allow $1_usertype $1_usertype:msg { send receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; - allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_t, user_devpts_t) + allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; + term_create_pty($1_usertype, user_devpts_t) # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_devpts_t:chr_file ioctl; + dontaudit $1_usertype user_devpts_t:chr_file ioctl; - allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + allow $1_usertype 
user_tty_device_t:chr_file { setattr rw_chr_file_perms }; # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_tty_device_t:chr_file ioctl; + dontaudit $1_usertype user_tty_device_t:chr_file ioctl; + + application_exec_all($1_usertype) + + files_exec_usr_files($1_t) - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) - kernel_dontaudit_getattr_unlabeled_symlinks($1_t) - kernel_dontaudit_getattr_unlabeled_pipes($1_t) - kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) + kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) + kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) + kernel_dontaudit_list_proc($1_usertype) - dev_dontaudit_getattr_all_blk_files($1_t) - dev_dontaudit_getattr_all_chr_files($1_t) + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. 
- domain_dontaudit_read_all_domains_state($1_t) - domain_dontaudit_getattr_all_domains($1_t) - domain_dontaudit_getsession_all_domains($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) + domain_dontaudit_read_all_domains_state($1_usertype) + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) + + files_read_etc_files($1_usertype) + files_read_mnt_files($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. - files_list_world_readable($1_t) - files_read_world_readable_files($1_t) - files_read_world_readable_symlinks($1_t) - files_read_world_readable_pipes($1_t) - files_read_world_readable_sockets($1_t) + files_list_world_readable($1_usertype) + files_read_world_readable_files($1_usertype) + files_read_world_readable_symlinks($1_usertype) + files_read_world_readable_pipes($1_usertype) + files_read_world_readable_sockets($1_usertype) # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) - - libs_exec_ld_so($1_t) - - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) - - sysnet_read_config($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_all_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) + + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_usertype) + + libs_exec_ld_so($1_usertype) + + miscfiles_read_certs($1_usertype) + 
miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) + miscfiles_read_public_files($1_usertype) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. @@ -116,6 +131,12 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) + ') ') ####################################### @@ -147,6 +168,7 @@ interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; + attribute userhomereader; ') role $1 types { user_home_t user_home_dir_t }; @@ -157,6 +179,7 @@ # type_member $2 user_home_dir_t:dir user_home_dir_t; + typeattribute $2 userhomereader; # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; @@ -168,27 +191,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($2) - fs_read_nfs_files($2) - fs_read_nfs_symlinks($2) - fs_read_nfs_named_sockets($2) - fs_read_nfs_named_pipes($2) - ',` - fs_dontaudit_list_nfs($2) - fs_dontaudit_read_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($2) - fs_read_cifs_files($2) - fs_read_cifs_symlinks($2) - fs_read_cifs_named_sockets($2) - fs_read_cifs_named_pipes($2) - ',` - fs_dontaudit_list_cifs($2) - fs_dontaudit_read_cifs_files($2) - ') ') ####################################### @@ -220,9 +222,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; + attribute user_home_type; ') - role $1 types { user_home_t user_home_dir_t }; + role $1 types { user_home_type user_home_dir_t }; ############################## # 
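Review bot: Replacing `$1_t self:...` with `$1_usertype $1_usertype:...` in the large template hunk is not a rename: `self` limits each rule to a process acting on its own type, while the attribute form lets every type carrying `$1_usertype` act on every other one. Together with the newly added `ptrace` in the process rule, any domain given this attribute can trace, signal and share fds, pipes, sockets and SysV IPC with the user's main domain. If the aim is only to give derived user domains the same baseline, `allow $1_usertype self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };` keeps the isolation, with `ptrace` granted separately where it is needed. The hunk starts and ends inside the template body.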
@@ -232,17 +235,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory + allow $2 user_home_t:dir mounton; allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) + + allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) 
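Review bot: The added `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` is wider than the five `relabel_*_pattern` calls that follow it and makes them redundant. `dir_file_class_set` also covers `chr_file` and `blk_file`, so the role may relabel device nodes carrying any `user_home_type` label, which the per-class patterns never allowed. If only ordinary home content is meant, drop the blanket rule and keep the patterns; otherwise add a comment such as `# relabel every object class under home, including device nodes: <reason>`. The new `allow $2 user_home_t:dir mounton;` likewise has no comment saying which caller needs to mount over home content. The interface body (apparently userdom_manage_home_role) starts above this hunk.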
@@ -250,25 +256,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs($2) + fs_mounton_nfs($2) fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) fs_manage_nfs_symlinks($2) fs_manage_nfs_named_sockets($2) fs_manage_nfs_named_pipes($2) - ',` - fs_dontaudit_manage_nfs_dirs($2) - fs_dontaudit_manage_nfs_files($2) ') tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs($2) + fs_mounton_cifs($2) fs_manage_cifs_dirs($2) fs_manage_cifs_files($2) fs_manage_cifs_symlinks($2) fs_manage_cifs_named_sockets($2) fs_manage_cifs_named_pipes($2) - ',` - fs_dontaudit_manage_cifs_dirs($2) - fs_dontaudit_manage_cifs_files($2) ') ') @@ -303,6 +307,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_files_pattern($2, user_tmp_t, user_tmp_t) ') ####################################### @@ -322,6 +327,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) + dontaudit $1 user_tmp_t:sock_file execute; files_search_tmp($1) ') 
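Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` blocks now grant `fs_mount_nfs`/`fs_mounton_nfs` and `fs_mount_cifs`/`fs_mounton_cifs` to `$2`, so a boolean about where home directories live also lets the user domain mount network filesystems. Anyone enabling the boolean for NFS or CIFS homes gets the mount permission with it. Consider a separate tunable for the mount rules, or at least a comment like `# mount/mounton needed for <use case>; enabled together with remote home access`. The else branches with the `fs_dontaudit_manage_*` rules are dropped as well, so with the booleans off these accesses are denied and logged rather than silently denied; that is presumably intended but is not stated anywhere in the hunk.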
@@ -368,46 +374,41 @@ ####################################### ## -## The template allowing the user basic +## The interface allowing the user basic ## network permissions ## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The user domain ## ## ## # -template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') - - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; +interface(`userdom_basic_networking',` - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_ports($1) + corenet_sendrecv_all_client_packets($1) optional_policy(` - init_tcp_recvfrom_all_daemons($1_t) - init_udp_recvfrom_all_daemons($1_t) + init_tcp_recvfrom_all_daemons($1) + init_udp_recvfrom_all_daemons($1) ') optional_policy(` - ipsec_match_default_spd($1_t) + ipsec_match_default_spd($1) ') + ') ####################################### @@ -420,34 +421,43 @@ ## is the prefix for user_t). ##
## -## +## # -template(`userdom_xwindows_client_template',` +interface(`userdom_xwindows_client',` gen_require(` - type $1_t, user_tmpfs_t; + type user_tmpfs_t; ') - dev_rw_xserver_misc($1_t) - dev_rw_power_management($1_t) - dev_read_input($1_t) - dev_read_misc($1_t) - dev_write_misc($1_t) + dev_rwx_zero($1) + dev_rw_xserver_misc($1) + dev_rw_power_management($1) + dev_read_input($1) + dev_read_misc($1) + dev_write_misc($1) # open office is looking for the following - dev_getattr_agp_dev($1_t) - dev_dontaudit_rw_dri($1_t) + dev_getattr_agp_dev($1) + dev_dontaudit_rw_dri($1) # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) + dev_rw_usbfs($1) + dev_rw_generic_usb_dev($1) - xserver_user_client($1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) + miscfiles_dontaudit_write_fonts($1) + + optional_policy(` + xserver_user_client($1, user_tmpfs_t) + xserver_xsession_entry_type($1) + xserver_dontaudit_write_log($1) + xserver_stream_connect_xdm($1) # certain apps want to read xdm.pid file - xserver_read_xdm_pid($1_t) + xserver_read_xdm_pid($1) # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($1_t) + xserver_create_xdm_tmp_sockets($1) # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) + xserver_manage_xdm_tmp_files($1) + xserver_stream_connect($1) + xserver_xdm_dbus_chat($1) + ') + ') ####################################### @@ -497,11 +507,7 @@ attribute unpriv_userdomain; ') - userdom_basic_networking_template($1) - - optional_policy(` - userdom_xwindows_client_template($1) - ') + userdom_basic_networking($1_usertype) ############################## # 
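Review bot: `dev_rwx_zero($1)` at the top of userdom_xwindows_client gives every X client domain execute access on the zero device unconditionally, while the executable-stack rule shown as context earlier in this patch sits behind the `allow_execmem` tunable. If this works around one application, gate it with a tunable or add a comment such as `# <application> maps /dev/zero executable; remove once fixed`. The parameter description kept as context above the interface still calls `$1` the prefix of the user domain, but the body now uses `$1` as the domain itself, so it should read `The user domain` as it does for userdom_basic_networking.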
@@ -512,189 +518,200 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) + kernel_read_system_state($1_usertype) + kernel_read_network_state($1_usertype) + kernel_read_net_sysctls($1_usertype) # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) - corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) - - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) + files_search_locks($1_usertype) # Check to see if cdrom is mounted - files_search_mnt($1_t) + files_search_mnt($1_usertype) # cjp: perhaps should cut back on file reads: - files_read_var_files($1_t) - files_read_var_symlinks($1_t) - files_read_generic_spool($1_t) - files_read_var_lib_files($1_t) + files_read_var_files($1_usertype) + files_read_var_symlinks($1_usertype) + files_read_generic_spool($1_usertype) + files_read_var_lib_files($1_usertype) # Stat lost+found. 
- files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) + files_read_config_files($1_usertype) + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) - selinux_validate_context($1_t) - selinux_compute_access_vector($1_t) - selinux_compute_create_context($1_t) - selinux_compute_relabel_context($1_t) - selinux_compute_user_contexts($1_t) + selinux_get_fs_mount($1_usertype) + selinux_validate_context($1_usertype) + selinux_compute_access_vector($1_usertype) + selinux_compute_create_context($1_usertype) + selinux_compute_relabel_context($1_usertype) + selinux_compute_user_contexts($1_usertype) # for eject - storage_getattr_fixed_disk_dev($1_t) + storage_getattr_fixed_disk_dev($1_usertype) - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) + auth_read_login_records($1_usertype) auth_run_pam($1_t,$1_r) auth_run_utempter($1_t,$1_r) - init_read_utmp($1_t) + init_read_utmp($1_usertype) - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) seutil_run_newrole($1_t,$1_r) seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. 
seutil_dontaudit_signal_newrole($1_t) tunable_policy(`read_default_t',` - files_list_default($1_t) - files_read_default_files($1_t) - files_read_default_symlinks($1_t) - files_read_default_sockets($1_t) - files_read_default_pipes($1_t) + files_list_default($1_usertype) + files_read_default_files($1_usertype) + files_read_default_symlinks($1_usertype) + files_read_default_sockets($1_usertype) + files_read_default_pipes($1_usertype) ') tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) - ') - - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) + dev_read_mouse($1_usertype) ') optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ') optional_policy(` # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) + canna_stream_connect($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; optional_policy(` - bluetooth_dbus_chat($1_t) + avahi_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) + bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_power_dbus_chat($1_usertype) + devicekit_disk_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) - ') + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + hal_dbus_chat($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) + networkmanager_dbus_chat($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) + vpnc_dbus_chat($1_usertype) + ') ') - # for 
running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) ') optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) + locate_read_lib_files($1_usertype) ') + + # for running depmod as part of the kernel packaging process + optional_policy(` + modutils_read_module_config($1_usertype) ') optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) + mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) ') optional_policy(` - pcscd_read_pub_files($1_t) - pcscd_stream_connect($1_t) + nsplugin_role($1_r, $1_usertype) ') optional_policy(` tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) ') ') optional_policy(` - resmgr_stream_connect($1_t) + # to allow monitoring of pcmcia status + pcmcia_read_pid($1_usertype) + ') + + optional_policy(` + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) + resmgr_stream_connect($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` - usernetctl_run($1_t,$1_r) + slrnpull_search_spool($1_usertype) ') + ') ####################################### 
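Review bot: `logging_send_audit_msgs($1_usertype)` is added for every type carrying the usertype attribute, while the restricted-user rules later in this patch keep `logging_dontaudit_send_audit_msgs($1_t)` as context, so the two templates now disagree about whether user domains may write audit records. Letting ordinary user sessions emit audit messages weakens the audit trail as evidence, so this looks like it belongs only in the helper domains that need it. If it is required here, add a comment naming the program, e.g. `# <program> logs events from the user domain`. The same hunk adds `mta_manage_queue($1_usertype)` and `allow $1_usertype $1_usertype:dbus send_msg;` without comments. The template body starts above this hunk.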
@@ -722,13 +739,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) + ') + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') + ') userdom_change_password_template($1) 
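Review bot: `gen_tunable(allow_$1_exec_content, true)` is declared inside the template with no description and defaults to on, so each confined user still executes files from user-writable tmp and home content unless an administrator finds and flips the boolean. A short comment above it, for example `# Allow $1 to execute files in its home directory and /tmp`, would make the boolean discoverable, and roles meant to be locked down may want the default to be `false`. The `ifelse` skips the `unconfined` prefix, which presumably gets execute access elsewhere; the comment should say that too.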
@@ -746,70 +776,71 @@ allow $1_t self:context contains; - kernel_dontaudit_read_system_state($1_t) + kernel_dontaudit_read_system_state($1_usertype) - dev_read_sysfs($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1_usertype) + dev_read_urand($1_usertype) - domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1_usertype) # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) + domain_dontaudit_exec_all_entry_files($1_usertype) - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) - fs_search_auto_mountpoints($1_t) - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) auth_dontaudit_write_login_records($1_t) - - application_exec_all($1_t) + auth_rw_cache($1_t) # The library functions always try to open read-write first, # then fall back to read-only if it fails. 
- init_dontaudit_rw_utmp($1_t) + init_dontaudit_rw_utmp($1_usertype) # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) - logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) - seutil_read_config($1_t) + seutil_read_config($1_usertype) + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + kerberos_use($1_usertype) + kerberos_connect_524($1_usertype) ') optional_policy(` - kerberos_use($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) + quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) + rpm_read_db($1_usertype) + rpm_dontaudit_manage_db($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + oddjob_run_mkhomedir($1_t, $1_r) ') ') 
@@ -846,6 +877,28 @@ # Local policy # + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files($1_usertype) + fs_manage_noxattr_fs_dirs($1_usertype) + fs_manage_dos_dirs($1_usertype) + fs_manage_dos_files($1_usertype) + ') + + optional_policy(` + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat($1_usertype) + ') + + optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) + ') + ') + optional_policy(` loadkeys_run($1_t,$1_r) ') @@ -876,7 +929,7 @@ userdom_restricted_user_template($1) - userdom_xwindows_client_template($1) + userdom_xwindows_client($1_usertype) ############################## # @@ -884,14 +937,19 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) + + xserver_role($1_r, $1_t) + xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) - logging_send_syslog_msg($1_t) + logging_send_syslog_msg($1_usertype) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain 
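Review bot: In the last hunk on this line, `dev_dontaudit_read_rand($1_usertype)` is now immediately followed by `dev_read_rand($1_usertype)`, so the dontaudit rule can no longer have any effect and the "gnome keyring wants to read this" comment is misleading. Keep one of the two: if the read is really needed, delete the dontaudit line and its comment, and replace "temporarily allow" with a removal condition, e.g. `# openoffice reads /dev/random; drop once it has its own domain`. `xserver_role` and `xserver_communicate` are added in the same hunk outside any `optional_policy`, unlike the xserver calls in userdom_xwindows_client, which makes this template depend on the xserver module being present.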
@@ -899,28 +957,33 @@ selinux_get_enforce_mode($1_t) optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) + apache_role($1_r, $1_usertype) + ') optional_policy(` - consolekit_dbus_chat($1_t) + gnome_manage_config($1_usertype) + gnome_manage_gconf_home_files($1_usertype) + gnome_read_gconf_config($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) + openoffice_role_template($1, $1_r, $1_usertype) ') + + optional_policy(` + polkit_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) + pulseaudio_role($1_r, $1_usertype) ') optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) + wm_role_template($1, $1_r, $1_usertype) ') ') @@ -954,8 +1017,8 @@ # Declarations # + userdom_restricted_xwindows_user_template($1) # Inherit rules for ordinary users. - userdom_restricted_user_template($1) userdom_common_user_template($1) ############################## @@ -964,11 +1027,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) - files_exec_usr_files($1_t) + storage_rw_fuse($1_t) + # cjp: why? files_read_kernel_symbol_table($1_t) 
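Review bot: In the third hunk on this line, `corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)` is disabled by commenting it out, which leaves dead policy text under a comment ("port access is audited even if dac would not have allowed it, so dontaudit it here") that no longer describes anything. Delete both lines or keep the rule; with it gone, failed binds to reserved ports by user domains show up as AVC denials, which helps detection but adds noise. `storage_rw_fuse($1_t)` is added here although an earlier hunk already grants `storage_rw_fuse($1_usertype)`; if `$1_t` carries that attribute the new line is redundant. The removal of `files_exec_usr_files($1_t)` has no explanation either.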
@@ -986,37 +1050,55 @@ ') ') - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) - ') - # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_nodes($1_usertype) + corenet_tcp_bind_all_unreserved_ports($1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) + cdrecord_role($1_r, $1_t) ') optional_policy(` - postgresql_role($1_r,$1_t) + cron_role($1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) + games_rw_data($1_usertype) ') optional_policy(` - setroubleshoot_stream_connect($1_t) + gpg_role($1_r, $1_usertype) + ') + + optional_policy(` + gpm_stream_connect($1_usertype) + ') + + optional_policy(` + java_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + mono_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + mount_run($1_t, $1_r) + ') + + optional_policy(` + postfix_run_postdrop($1_t, $1_r) + ') + + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) ') + ') ####################################### @@ -1050,7 +1132,7 @@ # template(`userdom_admin_user_template',` gen_require(` - class passwd { passwd chfn chsh rootok }; + class passwd { passwd chfn chsh rootok crontab }; ') ############################## @@ -1059,8 +1141,7 @@ # # Inherit rules for ordinary users. - userdom_login_user_template($1) - userdom_common_user_template($1) + userdom_unpriv_user_template($1) domain_obj_id_change_exemption($1_t) role system_r types $1_t; 
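Review bot: Under `user_tcp_server` the grant changes from `corenet_tcp_bind_generic_port($1_t)` to `corenet_tcp_bind_all_unreserved_ports($1_usertype)`, so enabling the boolean now lets user domains bind every unreserved port, including ports labelled for specific services, rather than only generically labelled ones. The comment above the tunable was not updated. If the wider grant is intended, say so: `# bind any unreserved port, including ports assigned to other services`. The `user_dmesg` tunable is removed together with its `kernel_dontaudit_read_ring_buffer` branch; whether ring-buffer reads are now denied with audit or granted elsewhere cannot be told from this hunk.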
@@ -1083,7 +1164,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) @@ -1099,6 +1181,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) + kernel_signal($1_t) corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels @@ -1106,8 +1189,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) - # for lsof - dev_getattr_mtrr_dev($1_t) # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) @@ -1162,20 +1243,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) - userdom_manage_user_home_content_dirs($1_t) - userdom_manage_user_home_content_files($1_t) - userdom_manage_user_home_content_symlinks($1_t) - userdom_manage_user_home_content_pipes($1_t) - userdom_manage_user_home_content_sockets($1_t) - userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - ') - optional_policy(` postgresql_unconfined($1_t) ') @@ -1221,6 +1288,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) + files_create_default_dir($1) # Necessary for managing /boot/efi fs_manage_dos_files($1) @@ -1286,11 +1354,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; + attribute user_home_type; ') allow $1 user_home_t:filesystem associate; files_type($1) ubac_constrained($1) + + files_poly_member($1) + typeattribute $1 user_home_type; ') ######################################## 
@@ -1387,7 +1459,7 @@ ######################################## ## -## Search user home directories. +## dontaudit Search user home directories. ## ## ## @@ -1420,6 +1492,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') ') ######################################## @@ -1435,9 +1515,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; + type user_home_t; ') dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_t:dir list_dir_perms; ') ######################################## @@ -1494,6 +1576,25 @@ allow $1 user_home_dir_t:dir relabelto; ') + +######################################## +## +## Relabel to user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabelto_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabelto; +') + ######################################## ## ## Create directories in the home dir root with @@ -1568,6 +1669,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) ') ######################################## @@ -1643,6 +1746,7 @@ type user_home_dir_t, user_home_t; ') + list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') 
@@ -1741,30 +1845,80 @@ ######################################## ## -## Execute user home files. +## Delete user home subdirectory symbolic links. ## ## ## ## Domain allowed access. ## ## -## # -interface(`userdom_exec_user_home_content_files',` +interface(`userdom_delete_user_home_content_symlinks',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_t; ') - files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_t:lnk_file delete_lnk_file_perms; +') - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +######################################## +## +## Delete files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_home_content_files',` + gen_require(` + type user_home_t; ') - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) + allow $1 user_home_t:dir delete_file_perms; +') + +######################################## +## +## Dontaudit Delete files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_delete_user_home_content_files',` + gen_require(` + type user_home_t; ') + + allow $1 user_home_t:dir delete_file_perms; +') + +######################################## +## +## Execute user home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_exec_user_home_content_files',` + gen_require(` + type user_home_dir_t; + attribute user_home_type; + ') + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') ######################################## 
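Review bot: `userdom_dontaudit_delete_user_home_content_files` contains `allow $1 user_home_t:dir delete_file_perms;`, so an interface whose name and description promise only to silence denials actually grants access to every caller. It should be `dontaudit $1 user_home_t:file delete_file_perms;`. `userdom_delete_user_home_content_files` just above it has the same class mix-up, applying `delete_file_perms` to `dir` where the description says files; it should read `allow $1 user_home_t:file delete_file_perms;`. In the rewritten `userdom_exec_user_home_content_files` the `use_nfs_home_dirs` and `use_samba_home_dirs` branches are gone; the patch re-adds them under the `allow_$1_exec_content` tunable for templated users, but other callers of this interface lose exec on NFS and CIFS homes.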
@@ -1787,6 +1941,46 @@ ######################################## ## +## Delete directories +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_home_content_dirs',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:dir delete_dir_perms; +') + +######################################## +## +## Append files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + append_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## ## Create, read, write, and delete files ## in a user home subdirectory. ## @@ -1799,6 +1993,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; + attribute userhomewriter; ') manage_files_pattern($1, user_home_t, user_home_t) @@ -2328,7 +2523,7 @@ ######################################## ## -## Read user tmpfs files. +## Read/Write user tmpfs files. ## ## ## @@ -2814,12 +3009,12 @@ type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) ') ######################################## ## -## Do not audit attempts to use user ttys. +## Delete all users files in /tmp ## ## ## @@ -2827,17 +3022,17 @@ ## ## # -interface(`userdom_dontaudit_use_user_ttys',` +interface(`userdom_delete_user_tmp_files',` gen_require(` - type user_tty_device_t; + type user_tmp_t; ') - dontaudit $1 user_tty_device_t:chr_file rw_file_perms; + allow $1 user_tmp_t:file delete_file_perms; ') ######################################## ## -## Read the process state of all user domains. +## Do not audit attempts to use user ttys. ## ## ## 
@@ -2845,12 +3040,31 @@ ## ## # -interface(`userdom_read_all_users_state',` +interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_file_perms; +') + +######################################## +## +## Read the process state of all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_all_users_state',` gen_require(` attribute userdomain; ') read_files_pattern($1,userdomain,userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) kernel_search_proc($1) ') @@ -2981,3 +3195,481 @@ allow $1 userdomain:dbus send_msg; ') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_set_rlimitnh',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process rlimitinh; +') + +######################################## +## +## Define this type as a Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_unpriv_usertype',` + gen_require(` + attribute unpriv_userdomain, userdomain; + attribute $1_usertype; + ') + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; + + ubac_constrained($2) +') + + +####################################### +## +## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +## +## +##

+## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +##

+##

+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`userdom_admin_login_user_template',` + + userdom_admin_user_template($1) + + domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t) + domain_obj_id_change_exemption($1_t) + + files_read_kernel_modules($1_t) + + kernel_read_fs_sysctls($1_t) + + modutils_read_module_config($1_t) + modutils_read_module_deps($1_t) + + miscfiles_read_hwdata($1_t) + + sudo_role_template($1, $1_r, $1_t) + + seutil_run_newrole($1_t, $1_r) + + optional_policy(` + gnomeclock_dbus_chat($1_t) + ') + + optional_policy(` + kerneloops_dbus_chat($1_t) + ') + + optional_policy(` + rpm_dbus_chat($1_usertype) + ') + + optional_policy(` + setroubleshoot_stream_connect($1_t) + setroubleshoot_dbus_chat($1_t) + ') +') + +######################################## +## +## Connect to users over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_stream_connect',` + gen_require(` + type user_tmp_t; + attribute userdomain; + ') + + stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) +') + +######################################## +## +## Ptrace user domains. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_ptrace_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process ptrace; +') + +######################################## +## +## dontaudit Search /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## +## dontaudit list /root +## +## +## +## Domain allowed access. 
+## +## +# +interface(`userdom_dontaudit_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## +## Allow Search /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## +## RW unpriviledged user SysV sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') + +######################################## +## +## Add attrinute admin domain +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_admin',` + gen_require(` + attribute admin_userdomain; + ') + + typeattribute $1 admin_userdomain; +') + +######################################## +## +## Send a message to unpriv users over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dgram_send',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:unix_dgram_socket sendto; +') + +####################################### +## +## Allow execmod on files in homedirectory +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_execmod_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file execmod; +') + +######################################## +## +## Execute user home files. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`userdom_exec_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + exec_files_pattern($1, admin_home_t, admin_home_t) +') + + +####################################### +## +## Manage all files/directories in the homedir +## +## +## +## The user domain +## +## +## +# +interface(`userdom_manage_user_home_content',` + gen_require(` + type user_home_dir_t; + attribute user_home_type; + ') + + files_list_home($1) + manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + +') + + +######################################## +## +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`userdom_user_home_dir_filetrans_pattern',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + type_transition $1 user_home_dir_t:$2 user_home_t; +') + +######################################## +## +## Create objects in the /root directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`userdom_admin_home_dir_filetrans',` + gen_require(` + type admin_home_t; + ') + + filetrans_pattern($1, admin_home_t, $2, $3) +') + +######################################## +## +## Send signull to unprivileged user domains. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_signull_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:process signull; +') + +######################################## +## +## Read user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) +') + +######################################## +## +## Write all users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Manage keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + + +######################################## +## +## Do not audit attempts to read and write +## unserdomain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_rw_stream',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-07 16:01:44.000000000 -0400 @@ -8,13 +8,6 @@ ## ##

-## Allow users to connect to mysql -##

-##
-gen_tunable(allow_user_mysql_connect,false) - -## -##

## Allow users to connect to PostgreSQL ##

##
@@ -29,13 +22,6 @@ ## ##

-## Allow users to read system messages. -##

-##
-gen_tunable(user_dmesg,false) - -## -##

## Allow user to r/w files on filesystems ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

@@ -52,11 +38,20 @@ # all user domains attribute userdomain; +attribute userhomereader; +attribute userhomewriter; + # unprivileged user domains attribute unpriv_userdomain; -attribute untrusted_content_type; -attribute untrusted_content_tmp_type; +# unprivileged user domains +attribute user_home_type; + +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) @@ -70,6 +65,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +typeattribute user_home_t user_home_type; userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) 
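Review bot: The comment `# unprivileged user domains` added above `attribute user_home_type;` in the `@@ -52,11 +38,20 @@` hunk is a copy of the one above `unpriv_userdomain` and mislabels the attribute. The next hunk assigns `user_home_type` to `user_home_t`, and the interfaces in userdomain.if use it as a file type set, so it groups home-directory content types rather than domains. I would write `# types of content stored in user home directories` instead. The new `userhomereader` and `userhomewriter` attributes would also benefit from a one-line comment each saying which domains are expected to carry them. The added `files_mountpoint(admin_home_t)` has no comment explaining why /root needs to be a mount point.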
@@ -95,3 +91,23 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(userhomereader) + fs_read_nfs_files(userhomereader) + fs_read_nfs_symlinks(userhomereader) + fs_read_nfs_named_sockets(userhomereader) + fs_read_nfs_named_pipes(userhomereader) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(userhomereader) + fs_read_cifs_files(userhomereader) + fs_read_cifs_symlinks(userhomereader) + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.12/policy/modules/system/virtual.fc --- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/virtual.fc 2009-04-07 16:01:44.000000000 -0400 @@ -0,0 +1 @@ +# No application file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-20 07:58:28.000000000 -0400 @@ -0,0 +1,114 @@ +## Virtual machine emulator and virtualizer + +######################################## +## +## Make the specified type a virtual domain +## +## +##

+## Make the specified type a virtual domain +##

+##

+## Gives the basic access required for a virtual operatins system +##

+##
+## +## +## Type granted access +## +## +# +interface(`virtual_domain',` + gen_require(` + attribute virtualdomain; + ') + + typeattribute $1 virtualdomain; + + # start with basic domain + domain_type($1) + + # could be started by libvirt + domain_user_exemption_target($1) +') + +######################################## +## +## Make the specified type usable as a virtual os image +## +## +## +## Type to be used as a virtual image +## +## +# +interface(`virtual_image',` + gen_require(` + attribute virtual_image_type; + ') + + typeattribute $1 virtual_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +######################################## +## +## Allow domain to manage virt image files +## +## +## +## Domain to not audit. +## +## +# +interface(`virtual_manage_image',` + gen_require(` + attribute virtual_image_type; + ') + + manage_dirs_pattern($1, virtual_image_type, virtual_image_type) + manage_files_pattern($1, virtual_image_type, virtual_image_type) + manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type) + rw_blk_files_pattern($1, virtual_image_type, virtual_image_type) +') + +######################################## +## +## Allow domain to relabel virt image files +## +## +## +## Domain to not audit. +## +## +# +interface(`virtual_image_relabel',` + gen_require(` + attribute virtual_image_type; + ') + + allow $1 virtual_image_type:file { relabelfrom relabelto }; + allow $1 virtual_image_type:blk_file { relabelfrom relabelto }; +') + +######################################## +## +## Allow domain to transition and control virtualdomain +## +## +## +## Domain to not audit. 
+## +## +# +interface(`virtual_transition',` + gen_require(` + attribute virtualdomain; + ') + + allow $1 virtualdomain:process { setsched transition signal signull sigkill }; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-04-07 16:01:44.000000000 -0400 
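Review bot: Three interfaces in the new virtual.if document their parameter as "Domain to not audit." although each one emits allow rules: `virtual_manage_image`, `virtual_image_relabel` and `virtual_transition`. A reader scanning the interface docs would take these for dontaudit helpers, when they grant manage, relabel and process-control access. The parameter text should read `Domain allowed access.`, as in the userdomain.if interfaces. The summary of `virtual_transition` should mention that it also grants `setsched`, `signal`, `signull` and `sigkill` on every `virtualdomain` process. The description of `virtual_domain` contains the typo "operatins system".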
@@ -0,0 +1,80 @@ + +policy_module(virtualization, 1.1.2) + +######################################## +# +# Declarations +# + +attribute virtualseparateddomain; +attribute virtualdomain; +attribute virtual_image_type; + +######################################## +# +# qemu common policy +# + +allow virtualdomain self:capability { kill dac_read_search dac_override }; +allow virtualdomain self:process { execstack execmem signal getsched signull }; + +allow virtualdomain self:fifo_file rw_file_perms; +allow virtualdomain self:shm create_shm_perms; +allow virtualdomain self:unix_stream_socket create_stream_socket_perms; +allow virtualdomain self:unix_dgram_socket { create_socket_perms sendto }; +allow virtualdomain self:tcp_socket create_stream_socket_perms; + +kernel_read_system_state(virtualdomain) + +corenet_all_recvfrom_unlabeled(virtualdomain) +corenet_all_recvfrom_netlabel(virtualdomain) +corenet_tcp_sendrecv_generic_if(virtualdomain) +corenet_tcp_sendrecv_generic_node(virtualdomain) +corenet_tcp_sendrecv_all_ports(virtualdomain) +corenet_tcp_bind_generic_node(virtualdomain) +corenet_tcp_bind_vnc_port(virtualdomain) +corenet_rw_tun_tap_dev(virtualdomain) + +dev_read_sound(virtualdomain) +dev_write_sound(virtualdomain) +dev_rw_kvm(virtualdomain) +dev_rw_qemu(virtualdomain) + +domain_use_interactive_fds(virtualdomain) + +files_read_etc_files(virtualdomain) +files_read_usr_files(virtualdomain) +files_read_var_files(virtualdomain) +files_search_all(virtualdomain) + +fs_list_inotifyfs(virtualdomain) +fs_rw_anon_inodefs_files(virtualdomain) +fs_rw_tmpfs_files(virtualdomain) + +term_use_all_terms(virtualdomain) +term_getattr_pty_fs(virtualdomain) +term_use_generic_ptys(virtualdomain) +term_use_ptmx(virtualdomain) + +auth_use_nsswitch(virtualdomain) + +logging_send_syslog_msg(virtualdomain) + +miscfiles_read_localization(virtualdomain) + +optional_policy(` + dbus_system_bus_client(virtualdomain) +') + +optional_policy(` + virt_read_config(virtualdomain) + 
virt_read_lib_files(virtualdomain) + virt_read_content(virtualdomain) +') + +optional_policy(` + xserver_stream_connect(virtualdomain) + xserver_read_xdm_tmp_files(virtualdomain) + xserver_read_xdm_pid(virtualdomain) + xserver_rw_shm(virtualdomain) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.12/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/xen.fc 2009-04-07 16:01:44.000000000 -0400 
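Review bot: The common rules in virtual.te give `dac_override` and `dac_read_search` to the `virtualdomain` attribute itself, so every type passed to `virtual_domain()` inherits a bypass of file ownership and mode checks. The same attribute also gets `execstack`, `execmem`, `files_search_all`, `term_use_all_terms` and `corenet_tcp_sendrecv_all_ports`. With that set, type enforcement on the image files is the only thing separating one guest's emulator from another's data. I would keep only what every emulator needs on the attribute and move the capabilities to the individual domains that require them. At minimum, add a comment above the capability line stating which operation needs `dac_override`. `virtualseparateddomain` is declared but not used anywhere in this hunk.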
@@ -1,32 +1,31 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) +/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) + /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) -ifdef(`distro_debian',` -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -',` /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) -') /var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) +/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) +/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) +/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +/var/run/xenner(/.*)? 
gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.12/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-07 16:01:44.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` gen_require(` - type xend_t, xend_var_run_t; + type xend_t, xend_var_run_t, xend_var_lib_t; ') files_search_pids($1) stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t) + + files_search_var_lib($1) + stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) ') ######################################## 
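Review bot: Dropping the `distro_debian` branch in the xen.fc hunk removes the only file-context entries for the `/usr/lib/xen-[^/]*/bin/` copies of xenconsoled, xend, xenstored and xm. On a build with that distro flag those binaries would no longer be labelled with their `*_exec_t` types. Presumably the daemons would then start without transitioning into `xend_t`, `xenstored_t` and `xenconsoled_t`. If the intent is only to add the evtchnd and xenner entries, keep the conditional block as it was and add the new lines outside it.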
@@ -191,3 +194,46 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') + +######################################## +## +## Allow the specified domain to read/write +## xend image files. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`xen_rw_image_files',` + gen_require(` + type xen_image_t, xend_var_lib_t; + ') + + files_list_var_lib($1) + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') + +####################################### +## +## Connect to evtchnd over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`evtchnd_stream_connect',` + gen_require(` + type evtchnd_var_run_t, evtchnd_t; + ') + + allow $1 evtchnd_t:unix_stream_socket connectto; + allow $1 evtchnd_var_run_t:sock_file { getattr write }; + files_search_pids($1) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-20 07:59:14.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # +## +##
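Review bot: `evtchnd_stream_connect` in the `@@ -191,3 +194,46 @@` hunk spells out its socket rules by hand and never grants search on the `evtchnd_var_run_t` directory. The hunk's own pid rules let evtchnd create a directory of that type, so a caller could be denied before it reaches the socket. `xen_stream_connect` in the previous hunk uses the shared pattern, and the same form fits here: `files_search_pids($1)` followed by `stream_connect_pattern($1, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)`. The interface is defined in xen.if but lacks the `xen_` prefix the other interfaces in this file carry, which makes it harder to find. The parameter of `xen_rw_image_files` is documented as "Domain allowed to transition." although the interface grants read/write on image files; it should say `Domain allowed access.`.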

+## Allow xen to manage nfs files +##

+##
+gen_tunable(xen_use_nfs, false) + # console ptys type xen_devpts_t; term_pty(xen_devpts_t); @@ -42,25 +49,31 @@ # pid files type xend_var_run_t; files_pid_file(xend_var_run_t) +files_mountpoint(xend_var_run_t) type xenstored_t; type xenstored_exec_t; -domain_type(xenstored_t) -domain_entry_file(xenstored_t,xenstored_exec_t) -role system_r types xenstored_t; +init_daemon_domain(xenstored_t, xenstored_exec_t) + +# tmp files +type xenstored_tmp_t; +files_tmp_file(xenstored_tmp_t) # var/lib files type xenstored_var_lib_t; files_type(xenstored_var_lib_t) +# log files +type xenstored_var_log_t; +logging_log_file(xenstored_var_log_t) + # pid files type xenstored_var_run_t; files_pid_file(xenstored_var_run_t) type xenconsoled_t; type xenconsoled_exec_t; -domain_type(xenconsoled_t) -domain_entry_file(xenconsoled_t,xenconsoled_exec_t) +init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) role system_r types xenconsoled_t; # pid files @@ -72,6 +85,18 @@ domain_type(xm_t) init_system_domain(xm_t, xm_exec_t) +type evtchnd_t; +type evtchnd_exec_t; +init_daemon_domain(evtchnd_t, evtchnd_exec_t) + +# log files +type evtchnd_var_log_t; +logging_log_file(evtchnd_var_log_t) + +# pid files +type evtchnd_var_run_t; +files_pid_file(evtchnd_var_run_t) + ######################################## # # xend local policy @@ -95,7 +120,7 @@ read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t) rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t) -allow xend_t xenctl_t:fifo_file manage_file_perms; +allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(xend_t, xenctl_t, fifo_file) manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t) 
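Review bot: The `@@ -42,25 +49,31 @@` hunk adds `files_mountpoint(xend_var_run_t)` under the "# pid files" comment with no explanation of why a pid-file type must also be usable as a mount point. A line such as `# xend mounts <what> under /var/run/xend` would let a later reviewer judge whether the access is still needed. In the same hunk the switch to `init_daemon_domain` removes the explicit `role system_r types` line for `xenstored_t` but leaves `role system_r types xenconsoled_t;` in place. If the macro already authorizes the role, as the xenstored change suggests, the leftover line is redundant and the two declarations should be made consistent.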
@@ -103,14 +128,14 @@ files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) # pid file -allow xend_t xend_var_run_t:dir setattr; +manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t) -files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file }) +files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) # log files -allow xend_t xend_var_log_t:dir setattr; +manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t) logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) @@ -122,12 +147,13 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) +init_stream_connect_script(xend_t) + # transition to store domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) # transition to console -domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) -allow xenconsoled_t xend_t:fd use; +domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) @@ -173,6 +199,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t,file) files_read_usr_files(xend_t) +files_read_default_symlinks(xend_t) storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) @@ -208,6 +235,10 @@ netutils_domtrans(xend_t) optional_policy(` + brctl_domtrans(xend_t) +') + +optional_policy(` consoletype_exec(xend_t) ') @@ -239,6 +270,8 @@ files_read_usr_files(xenconsoled_t) +fs_list_tmpfs(xenconsoled_t) + term_create_pty(xenconsoled_t,xen_devpts_t); term_use_generic_ptys(xenconsoled_t) term_use_console(xenconsoled_t) 
@@ -248,7 +281,7 @@ miscfiles_read_localization(xenconsoled_t) -xen_append_log(xenconsoled_t) +xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) ######################################## @@ -256,21 +289,34 @@ # Xen store local policy # -allow xenstored_t self:capability { dac_override mknod ipc_lock }; +allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; +manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) + # pid file manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t) manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t) files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file }) +# log files +manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) + # var/lib files for xenstored manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t) files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file }) +# write and connect to evtchnd socket +evtchnd_stream_connect(xenstored_t) + kernel_write_xen_state(xenstored_t) kernel_read_xen_state(xenstored_t) 
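Review bot: Replacing `xen_append_log(xenconsoled_t)` with `xen_manage_log(xenconsoled_t)` in the `@@ -248,7 +281,7 @@` hunk widens the console daemon from append-only to what is presumably full create, write and unlink access on the xend log type. The interface body is not visible here, so that reading should be confirmed. Append-only access is what keeps a compromised daemon from truncating or removing earlier log entries, so the change should say why it is needed, for example `# xenconsoled creates per-guest console logs under /var/log/xen`. If only file creation is missing, a narrower create-plus-append grant would preserve that property. The following hunk similarly adds `sys_resource` to `xenstored_t` without a comment naming the limit it has to raise.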
@@ -312,18 +358,21 @@ manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) +manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; allow xm_t xen_image_t:file read_file_perms; allow xm_t xen_image_t:blk_file read_blk_file_perms; -kernel_read_system_state(xm_t) kernel_read_kernel_sysctls(xm_t) +kernel_read_sysctl(xm_t) +kernel_read_system_state(xm_t) kernel_read_xen_state(xm_t) kernel_write_xen_state(xm_t) corecmd_exec_bin(xm_t) +corecmd_exec_shell(xm_t) corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_generic_node(xm_t) 
@@ -339,15 +388,58 @@ storage_raw_read_fixed_disk(xm_t) +fs_getattr_all_fs(xm_t) + term_use_all_terms(xm_t) +init_stream_connect_script(xm_t) init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) miscfiles_read_localization(xm_t) -sysnet_read_config(xm_t) +sysnet_dns_name_resolve(xm_t) xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) + +optional_policy(` + virt_manage_images(xm_t) + virt_stream_connect(xm_t) +') + +#Should have a boolean wrapping these +fs_list_auto_mountpoints(xend_t) +files_search_mnt(xend_t) +fs_getattr_all_fs(xend_t) +fs_read_dos_files(xend_t) + +tunable_policy(`xen_use_nfs',` + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) +') + +optional_policy(` + unconfined_domain(xend_t) +') + +####################################### +# +# evtchnd local policy +# + +# pid file +manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t) +manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t) +files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + +# log files +manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t) +logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir }) + +libs_use_ld_so(evtchnd_t) +libs_use_shared_libs(evtchnd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/ipc_patterns.spt serefpolicy-3.6.12/policy/support/ipc_patterns.spt --- nsaserefpolicy/policy/support/ipc_patterns.spt 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/support/ipc_patterns.spt 2009-04-07 16:01:44.000000000 -0400 
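Review bot: The `unconfined_domain(xend_t)` call near the end of the `@@ -339,15 +388,58 @@` hunk makes xend unconfined on every system where the unconfined module is present. That overrides the specific allow rules this file maintains for `xend_t`, including the new tunable-guarded NFS access, so `xen_use_nfs` no longer restricts anything on such systems. I would drop the block and add the individual rules the observed denials call for. If it has to stay for now, mark it as temporary with `# FIXME: xend_t runs unconfined; replace with specific rules` so it is not mistaken for intended policy. The lines under "#Should have a boolean wrapping these" are granted unconditionally, and `fs_read_dos_files(xend_t)` in particular should go behind a tunable, as that comment itself asks.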
@@ -3,12 +3,12 @@ # define(`stream_connect_pattern',` allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file write_sock_file_perms; + allow $1 $3:sock_file { getattr write }; allow $1 $4:unix_stream_socket connectto; ') define(`dgram_send_pattern',` allow $1 $2:dir search_dir_perms; - allow $1 $3:sock_file write_sock_file_perms; + allow $1 $3:sock_file { getattr write }; allow $1 $4:unix_dgram_socket sendto; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400 +++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-07 16:01:44.000000000 -0400 @@ -225,7 +225,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }') +define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') 
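Review bot: Both `stream_connect_pattern` and `dgram_send_pattern` now hard-code `{ getattr write }` where they used the named set `write_sock_file_perms`. Every caller of the two patterns silently loses whatever else that set contains, and its definition is not shown in this diff. Later corrections to the named set in obj_perm_sets.spt will also no longer reach these patterns. If the goal is to remove a permission, change the definition of `write_sock_file_perms` and keep the reference here. If the patterns really need a narrower set, define one next to it (for example a `connect_sock_file_perms`) and use it in both patterns and in `evtchnd_stream_connect`, which repeats the same literal.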
@@ -312,3 +312,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') + +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } +') + +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.12/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 +++ serefpolicy-3.6.12/policy/users 2009-04-07 16:01:44.000000000 -0400 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. 
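Review bot: The new `all_capabilities` set in the `@@ -312,3 +312,13 @@` hunk is a hand-written list that includes `sys_module`, `sys_rawio`, `sys_admin` and `sys_ptrace`, and the block has no comment saying where the `all_*` sets may be used. Without one, the name invites use in ordinary domains where a short explicit list would be appropriate. A header such as `# Complete permission sets: for unconfined/administrative domains only` would make the intent reviewable. An enumerated list also has to be updated by hand whenever the capability class gains a permission, which is worth noting in the same comment. The `all_capabilities` definition closes its quote on a new line while the other five keep it on one line, so the expansion carries a stray newline.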
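Review bot: The `gen_user` lines in the `@@ -25,11 +25,8 @@` hunk authorize `staff_u` for `system_r`, and the `@@ -38,8 +35,4 @@` hunk gives `root` both `unconfined_r` and `system_r` unconditionally. The second change removes the `direct_sysadm_daemon` conditional that previously decided whether root could hold `system_r`. `system_r` is the role daemon domains run under, so a login identity authorized for it can end up in those domains wherever a role transition is permitted. The file's own comment block asks that an entry be removed if such access is not wanted. I would keep the conditional for `root` and leave `system_r` off `staff_u` unless a specific workflow needs it, and name that workflow in a comment above the line. The removal of the `unconfined_u` entry also deserves a comment saying where that user is now defined.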
@@ -38,8 +35,4 @@ # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # -ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.12/Rules.modular --- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/Rules.modular 2009-04-07 16:01:44.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @test -d $(tmpdir) || mkdir -p $(tmpdir) - $(call perrole-expansion,$(basename $(@F)),$@.role) - $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) +# $(call perrole-expansion,$(basename $(@F)),$@.role) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ $(tmpdir)/%.mod.fc: $(m4support) %.fc @@ -129,7 +129,7 @@ @test -d $(tmpdir) || mkdir -p $(tmpdir) # define all available object classes $(verbose) $(genperm) $(avs) $(secclass) > $@ - $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) +# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy 
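Review bot: The Rules.modular hunks disable the per-role steps by commenting them out (`# $(call perrole-expansion,...)`, `# $(verbose) $(call create-base-per-role-tmpl,...)`, `# $(call parse-rolemap,base,$@)`) instead of deleting them. The Makefile.devel hunk deletes the equivalent line outright. Commented-out recipe lines mislead later readers, and if one keeps its leading tab it is handed to the shell rather than treated as a Make comment. Removing the three lines is the cleaner option. After the change the `$(tmpdir)/rolemap.conf` rule only writes an empty file yet still lists `$(rolemap)` as a prerequisite. That deserves a short comment or removal of the prerequisite.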
@@ -146,7 +146,7 @@ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy $(tmpdir)/rolemap.conf: $(rolemap) $(verbose) echo "" > $@ - $(call parse-rolemap,base,$@) +# $(call parse-rolemap,base,$@) $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.12/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.12/support/Makefile.devel 2009-04-07 16:01:44.000000000 -0400 @@ -185,8 +185,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" @test -d $(@D) || mkdir -p $(@D) - $(call peruser-expansion,$(basename $(@F)),$@.role) - $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ tmp/%.mod.fc: $(m4support) %.fc