diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs --- nsaserefpolicy/policy/mcs 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/mcs 2009-06-25 10:21:01.000000000 +0200 @@ -66,7 +66,7 @@ # # Note that getattr on files is always permitted. # -mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } +mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } (( h1 dom h2 ) or ( t1 == mlsfilewrite )); mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } 
@@ -111,22 +111,22 @@ (( h1 dom h2 ) and ( l2 eq h2 )); # Access control for any database objects based on MCS rules. -mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param } +mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); -mlsconstrain db_table { drop setattr relabelfrom select update insert delete use } +mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } ( h1 dom h2 ); -mlsconstrain db_column { drop setattr relabelfrom select update insert use } +mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } ( h1 dom h2 ); mlsconstrain db_tuple { relabelfrom select update delete use } ( h1 dom h2 ); -mlsconstrain db_procedure { execute install } +mlsconstrain db_procedure { drop getattr setattr execute install } ( h1 dom h2 ); -mlsconstrain db_blob { drop setattr relabelfrom read write } +mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); ') dnl end enable_mcs diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te 2009-06-25 10:21:01.000000000 +0200 @@ -1,5 +1,5 @@ -policy_module(certwatch, 1.3.0) +policy_module(certwatch, 1.3.1) ######################################## # 
@@ -28,7 +28,7 @@ fs_list_inotifyfs(certwatch_t) auth_manage_cache(certwatch_t) -auth_filetrans_cache(certwatch_t) +auth_var_filetrans_cache(certwatch_t) logging_send_syslog_msg(certwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-06-25 10:21:01.000000000 +0200 @@ -68,10 +68,11 @@ files_list_all(prelink_t) files_getattr_all_files(prelink_t) files_write_non_security_dirs(prelink_t) -files_read_etc_files(prelink_t) -files_read_etc_runtime_files(prelink_t) +auth_read_all_files_except_shadow(prelink_t) files_dontaudit_read_all_symlinks(prelink_t) files_manage_usr_files(prelink_t) +# Delta RPMS +files_manage_var_files(prelink_t) files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -102,5 +103,9 @@ ') optional_policy(` + rpm_manage_tmp_files(prelink_t) +') + +optional_policy(` unconfined_domain(prelink_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-06-25 10:21:01.000000000 +0200 
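Review bot: `auth_read_all_files_except_shadow(prelink_t)` replaces the two targeted grants `files_read_etc_files`/`files_read_etc_runtime_files` with read access to essentially every file type on the system, and `files_manage_var_files(prelink_t)` under the `# Delta RPMS` comment gives prelink create/write/delete rights on all generic /var content, which is far more than the `rpm_manage_tmp_files(prelink_t)` block added by the second hunk already provides. If delta-RPM reconstruction only needs rpm's tmp files, the new `optional_policy` block is the narrower grant and `files_manage_var_files` can be dropped; if a wider read set is really required, the commit should say which denials motivated it. At minimum the comment should name the paths, e.g. `# Delta RPMS: <paths prelink must write under /var>`, so the grant can be re-narrowed later.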
@@ -55,6 +55,7 @@ files_read_non_security_files(readahead_t) files_dontaudit_read_security_files(readahead_t) files_dontaudit_getattr_non_security_blk_files(readahead_t) +files_create_boot_flag(readahead_t) fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-06-25 10:21:01.000000000 +0200 @@ -470,6 +470,24 @@ ######################################## ## +## Manage RPM tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`rpm_manage_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) +') + +######################################## +## ## Do not audit attempts to read, ## write RPM tmp files ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.12/policy/modules/admin/shorewall.fc --- nsaserefpolicy/policy/modules/admin/shorewall.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.12/policy/modules/admin/shorewall.fc 2009-06-25 10:21:01.000000000 +0200 
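Review bot: The parameter description of the new `rpm_manage_tmp_files` interface reads `## Domain to not audit.`, but the interface grants `manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)`, so the generated interface documentation will describe it as a dontaudit rule; the text appears to have been copied from the dontaudit interface that follows it. Replace the line with `## Domain allowed access.` The summary could also state the scope precisely, `## Create, read, write, and delete RPM tmp files.`, matching the wording used by the other manage interfaces in refpolicy.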
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.12/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.if 2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,166 @@
+## policy for shorewall
+
+########################################
+##
+## Execute a domain transition to run shorewall.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t;
+ type shorewall_exec_t;
+ ')
+
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+##
+## Read shorewall etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_read_etc',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+##
+## Read shorewall PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_read_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+##
+## Read and write shorewall PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_rw_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+##
+## Read shorewall /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_read_var_lib',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+##
+## Read and write shorewall /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_rw_var_lib',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+##
+## All of the rules required to administrate
+## an shorewall environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_search_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, shorewall_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.12/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.te 2009-06-25 10:41:25.000000000 +0200
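Review bot: `shorewall_read_pid_files`, `shorewall_rw_pid_files` and `shorewall_admin` require `shorewall_var_run_t`, but the new shorewall.te in this diff declares no such type (only `shorewall_t`, `shorewall_exec_t`, `shorewall_initrc_exec_t`, `shorewall_etc_t`, `shorewall_lock_t`, `shorewall_tmp_t` and `shorewall_var_lib_t`), so any module that calls those interfaces will fail on an undeclared type. `shorewall_read_var_lib` and `shorewall_rw_var_lib` have the inverse problem: their `gen_require` lists `type shorewall_t;` while every rule uses `shorewall_var_lib_t`, and `shorewall_admin` calls `admin_pattern($1, shorewall_etc_t)` without requiring `shorewall_etc_t`. Either declare `shorewall_var_run_t` in shorewall.te (with a matching .fc entry) or drop the PID interfaces, change the two var_lib require blocks to `type shorewall_var_lib_t;`, and add `shorewall_etc_t` to the require list of `shorewall_admin`. The admin interface's second parameter text `The role to be allowed to manage the syslog domain.` is copied from another module and should name the shorewall domain.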
@@ -0,0 +1,103 @@
+policy_module(shorewall,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_system_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal;
+
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+# etc file
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+# lock files
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+# var/lib files for shorewall
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
+
+# tmp files for shorewall
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+libs_use_ld_so(shorewall_t)
+libs_use_shared_libs(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+iptables_domtrans(shorewall_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
+
+permissive shorewall_t;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te 2009-06-25 10:21:01.000000000 +0200
@@ -209,6 +209,7 @@
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc 2009-06-25 10:21:01.000000000 +0200
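Review bot: `permissive shorewall_t;` at the end of the new module ships the domain unenforced, so none of the rules above take effect and the `dontaudit shorewall_t self:capability sys_tty_config;` line additionally hides denials that would show what is still missing; if this is deliberate for a first release it needs a comment such as `# TODO: remove permissive once the domain is complete` and a follow-up, otherwise drop the line. Separately, `exec_files_pattern` and `manage_files_pattern` are both granted on `shorewall_var_lib_t`, so the domain can execute whatever it writes under /var/lib/shorewall; if the generated firewall script has to live there (presumably why exec is needed, not visible in this diff), a dedicated type for the executable output would keep write and execute rights apart. `sysnet_domtrans_ifconfig(shorewall_t)` and `iptables_domtrans(shorewall_t)` are called outside `optional_policy`, making the module hard-depend on those modules, unlike the insmod and ulogd calls just below; that may be intended but is worth stating.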
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if 2009-06-29 22:52:15.000000000 +0200
@@ -0,0 +1,96 @@
+## gitosis interface
+
+#######################################
+##
+## Execute a domain transition to run gitosis.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+##
+## Execute gitosis-serve in the gitosis domain, and
+## allow the specified role the gitosis domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the gitosis domain.
+##
+##
+##
+##
+## The type of the role's terminal.
+##
+##
+#
+interface(`gitosis_run',`
+ gen_require(`
+ type gitosis_t;
+ ')
+
+ gitosis_domtrans($1)
+ role $2 types gitosis_t;
+ allow gitosis_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## Allow the specified domain to read
+## gitosis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitosis_read_var_lib',`
+ gen_require(`
+ type gitosis_var_lib_t;
+
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+##
+## Allow the specified domain to manage
+## gitosis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gitosis_manage_var_lib',`
+ gen_require(`
+ type gitosis_var_lib_t;
+
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te 2009-06-25 10:21:01.000000000 +0200
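Review bot: Both `gitosis_read_var_lib` and `gitosis_manage_var_lib` carry an empty line between `type gitosis_var_lib_t;` and the closing `')` of their `gen_require` block, which no other interface in this diff does; delete the blank line in each so the require blocks read like the rest of the file. The interfaces are otherwise consistent with the `shorewall_*_var_lib` ones added earlier, except that the gitosis read variant also grants `read_lnk_files_pattern`, which is the more complete form and could be mirrored there.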
@@ -0,0 +1,43 @@ +policy_module(gitosis,1.0.0) + +######################################## +# +# Declarations +# + +type gitosis_t; +type gitosis_exec_t; +application_domain(gitosis_t, gitosis_exec_t) +role system_r types gitosis_t; + +type gitosis_var_lib_t; +files_type(gitosis_var_lib_t) + +######################################## +# +# gitosis local policy +# + +allow gitosis_t self:fifo_file rw_fifo_file_perms; + +exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t) +manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t) +manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t) +manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t) + +corecmd_exec_bin(gitosis_t) +corecmd_exec_shell(gitosis_t) + +kernel_read_system_state(gitosis_t) + +files_read_usr_files(gitosis_t) +files_search_var_lib(gitosis_t) + +libs_use_ld_so(gitosis_t) +libs_use_shared_libs(gitosis_t) + +miscfiles_read_localization(gitosis_t) + +optional_policy(` + ssh_rw_pipes(gitosis_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-06-26 15:48:23.000000000 +0200 @@ -64,6 +64,7 @@ allow $1 mozilla_home_t:dir list_dir_perms; allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; userdom_search_user_home_dirs($1) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te 2009-06-25 10:21:01.000000000 +0200 
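Review bot: `exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)` together with the three `manage_*_pattern` lines on the same type lets the domain execute any file it can create under /var/lib/gitosis, the whole tree the .fc hunk labels `gitosis_var_lib_t`; since that tree holds repository content, the write/execute separation a confined domain normally gets is lost here. If execution is only required for repository hooks (inferred, not shown in this diff), a separate type for the executable subset, or at least a comment on the exec line such as `# exec on gitosis_var_lib_t: <state which files must be executable and why>`, would make the grant reviewable. Nothing in this module performs the transition into `gitosis_t`; with `role system_r types gitosis_t;` and `application_domain` the caller is presumably sshd, so the matching `gitosis_domtrans` call belongs in a later commit and should be referenced.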
@@ -145,6 +145,7 @@ userdom_manage_user_tmp_dirs(mozilla_t) userdom_manage_user_tmp_files(mozilla_t) userdom_manage_user_tmp_sockets(mozilla_t) +userdom_use_user_ptys(mozilla_t) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-06-25 10:21:01.000000000 +0200 @@ -1,2 +1,3 @@ /usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-06-25 10:21:01.000000000 +0200 @@ -88,11 +88,16 @@ ') optional_policy(` + dbus_system_bus_client(qemu_t) +') + +optional_policy(` samba_domtrans_smb(qemu_t) ') optional_policy(` virt_manage_images(qemu_t) + virt_append_log(qemu_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if 2009-06-25 10:21:01.000000000 +0200 
@@ -3,73 +3,143 @@ ######################################## ## -## Execute a domain transition to run sandbox. +## Execute sandbox in the sandbox domain, and +## allow the specified role the sandbox domain. ## ## ## -## Domain allowed to transition. +## Domain allowed access +## +## +## +## +## The role to be allowed the sandbox domain. ## ## # -interface(`sandbox_domtrans',` +interface(`sandbox_transition',` gen_require(` - type sandbox_t; - type sandbox_exec_t; + type sandbox_xserver_t; + attribute sandbox_domain; ') - domtrans_pattern($1,sandbox_exec_t,sandbox_t) + allow $1 sandbox_domain:process transition; + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; + role $2 types sandbox_xserver_t; ') - ######################################## ## -## Execute sandbox in the sandbox domain, and -## allow the specified role the sandbox domain. +## Creates types and rules for a basic +## qemu process domain. ## -## +## ## -## Domain allowed access -## -## -## -## -## The role to be allowed the sandbox domain. +## Prefix for the domain. ## ## # -interface(`sandbox_run',` +template(`sandbox_domain_template',` + gen_require(` - type sandbox_t; + attribute sandbox_domain; ') - sandbox_domtrans($1) - role $2 types sandbox_t; + type $1_t, sandbox_domain; + domain_type($1_t) + + type $1_file_t; + files_type($1_file_t) + + can_exec($1_t, $1_file_t) + manage_dirs_pattern($1_t, $1_file_t, $1_file_t) + manage_files_pattern($1_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) ') ######################################## ## -## Role access for sandbox +## Creates types and rules for a basic +## qemu process domain. ## -## +## ## -## Role allowed access +## Prefix for the domain. 
## ## +# +template(`sandbox_x_domain_template',` + gen_require(` + type xserver_exec_t; + type sandbox_xserver_t; + attribute sandbox_domain, sandbox_x_domain; + ') + + sandbox_domain_template($1) + + + typeattribute $1_t sandbox_x_domain; + + # window manager + miscfiles_setattr_fonts($1_t) + allow $1_t self:capability setuid; + + type $1_client_t, sandbox_x_domain, sandbox_domain; + domain_type($1_client_t) + + type $1_client_tmpfs_t; + files_tmpfs_file($1_client_tmpfs_t) + + allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; + term_create_pty($1_client_t,sandbox_devpts_t) + + manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) + fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process sigkill; + + domtrans_pattern($1_t, $1_file_t, $1_client_t) + domain_entry_file($1_client_t, $1_file_t) + + manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) + allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + + can_exec($1_client_t, $1_file_t) + manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) + manage_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) + +# permissive $1_client_t; +') + +######################################## +## +## allow domain to read, +## write sandbox_xserver tmp files +## ## ## -## User domain for the 
role +## Domain to not audit. ## ## # -interface(`sandbox_role',` +interface(`sandbox_rw_xserver_tmpfs_files',` gen_require(` - type sandbox_t; + type sandbox_xserver_tmpfs_t; ') - role $2 types sandbox_t; - - sandbox_domtrans($1) - - ps_process_pattern($2, sandbox_t) - allow $2 sandbox_t:process signal; + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-06-25 10:21:01.000000000 +0200 
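Review bot: Both new templates carry the summary `Creates types and rules for a basic qemu process domain.`, apparently copied from the qemu template; `sandbox_domain_template` should read `Creates types and rules for a basic sandbox process domain.` and `sandbox_x_domain_template` something like `Creates types and rules for a sandbox domain with its own X server.` `sandbox_x_domain_template` also uses `sandbox_devpts_t` in `allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };` and `term_create_pty($1_client_t,sandbox_devpts_t)` without listing it in its `gen_require`, which breaks the template for any module that instantiates it outside sandbox.te; add `type sandbox_devpts_t;` to the require block. The trailing `# permissive $1_client_t;` is commented-out code and should be deleted, and the parameter text `Domain to not audit.` on `sandbox_rw_xserver_tmpfs_files` should be `Domain allowed access.` Removing `sandbox_domtrans`, `sandbox_run` and `sandbox_role` is an interface break for any module that still calls them; whether one does is visible only in files this chunk does not show.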
@@ -1,18 +1,84 @@ policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; ######################################## # # Declarations # -type sandbox_t; -type sandbox_exec_t; -application_domain(sandbox_t, sandbox_exec_t) -init_daemon_domain(sandbox_t, sandbox_exec_t) -role system_r types sandbox_t; +sandbox_domain_template(sandbox) +sandbox_x_domain_template(sandbox_x) +sandbox_x_domain_template(sandbox_web) +sandbox_x_domain_template(sandbox_net) -type sandbox_file_t; -files_type(sandbox_file_t) +type sandbox_xserver_t; +domain_type(sandbox_xserver_t) +xserver_common_app(sandbox_xserver_t) +permissive sandbox_xserver_t; + +type sandbox_xserver_tmpfs_t; +files_tmpfs_file(sandbox_xserver_tmpfs_t) + +type sandbox_devpts_t; +term_pty(sandbox_devpts_t) +files_type(sandbox_devpts_t) + +######################################## +# +# sandbox xserver policy +# +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_socket_perms; + +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) + +corenet_all_recvfrom_unlabeled(sandbox_xserver_t) +corenet_all_recvfrom_netlabel(sandbox_xserver_t) +corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) +corenet_udp_sendrecv_generic_if(sandbox_xserver_t) +corenet_tcp_sendrecv_generic_node(sandbox_xserver_t) 
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t) +corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) +corenet_udp_sendrecv_all_ports(sandbox_xserver_t) +corenet_tcp_bind_generic_node(sandbox_xserver_t) +corenet_tcp_bind_xserver_port(sandbox_xserver_t) +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) +corenet_sendrecv_all_client_packets(sandbox_xserver_t) + +files_read_etc_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) + +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) + +kernel_read_system_state(sandbox_xserver_t) + +auth_use_nsswitch(sandbox_xserver_t) + +userdom_use_user_terminals(sandbox_xserver_t) + +xserver_entry_type(sandbox_xserver_t) + +optional_policy(` + dbus_system_bus_client(sandbox_xserver_t) + + optional_policy(` + hal_dbus_chat(sandbox_xserver_t) + ') +') ######################################## # 
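Review bot: `permissive sandbox_xserver_t;` leaves the sandbox's X server unenforced, and the network block beneath it grants `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` even though the server only binds the xserver port (`corenet_tcp_bind_xserver_port`); for a domain whose purpose is containment that is the widest reach the corenet interfaces offer. Drop the permissive line before release, or mark it `# TODO: temporary, remove before release`, and narrow the port rules to what the X server is actually seen using (the xserver port plus `corenet_sendrecv_xserver_server_packets`, already present). `dbus_stub()` and the two `attribute` declarations are placed above the `# Declarations` header; moving them under it keeps the layout consistent with the other modules in this diff.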
@@ -20,21 +86,189 @@ # ## internal communication is often done using fifo and unix sockets. -allow sandbox_t self:fifo_file rw_file_perms; -allow sandbox_t self:unix_stream_socket create_stream_socket_perms; +allow sandbox_domain self:fifo_file rw_file_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; + +files_rw_all_inherited_files(sandbox_domain) +files_entrypoint_all_files(sandbox_domain) + +miscfiles_read_localization(sandbox_domain) + +kernel_dontaudit_read_system_state(sandbox_domain) +corecmd_exec_all_executables(sandbox_domain) + + +######################################## +# +# sandbox_x_domain local policy +# +allow sandbox_x_domain self:process { signal_perms getsched setpgid }; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow sandbox_x_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) + +files_read_etc_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + +fs_getattr_tmpfs(sandbox_x_domain) +fs_getattr_xattr_fs(sandbox_x_domain) + +auth_dontaudit_read_login_records(sandbox_x_domain) + +init_read_utmp(sandbox_x_domain) + +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) + +logging_send_syslog_msg(sandbox_x_domain) + +miscfiles_read_fonts(sandbox_x_domain) + +optional_policy(` + gnome_read_gconf_config(sandbox_x_domain) +') + +optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') + +######################################## +# +# sandbox_x_client_t local policy +# +allow sandbox_x_client_t self:tcp_socket create_socket_perms; +allow sandbox_x_client_t 
self:udp_socket create_socket_perms; +allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_x_client_t) + +corenet_tcp_connect_ipp_port(sandbox_x_client_t) + +auth_use_nsswitch(sandbox_x_client_t) + +dbus_system_bus_client(sandbox_x_client_t) +dbus_read_config(sandbox_x_client_t) +selinux_get_fs_mount(sandbox_x_client_t) +selinux_validate_context(sandbox_x_client_t) +selinux_compute_access_vector(sandbox_x_client_t) +selinux_compute_create_context(sandbox_x_client_t) +selinux_compute_relabel_context(sandbox_x_client_t) +selinux_compute_user_contexts(sandbox_x_client_t) +seutil_read_default_contexts(sandbox_x_client_t) + +optional_policy(` + hal_dbus_chat(sandbox_x_client_t) +') + +######################################## +# +# sandbox_web_client_t local policy +# +allow sandbox_web_client_t self:capability { setuid setgid }; +allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay; +allow sandbox_web_client_t self:process setsched; + +allow sandbox_web_client_t self:tcp_socket create_socket_perms; +allow sandbox_web_client_t self:udp_socket create_socket_perms; +allow sandbox_web_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_web_client_t) + +# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(sandbox_web_client_t) +corenet_all_recvfrom_netlabel(sandbox_web_client_t) +corenet_tcp_sendrecv_generic_if(sandbox_web_client_t) +corenet_raw_sendrecv_generic_if(sandbox_web_client_t) +corenet_tcp_sendrecv_generic_node(sandbox_web_client_t) +corenet_raw_sendrecv_generic_node(sandbox_web_client_t) +corenet_tcp_sendrecv_http_port(sandbox_web_client_t) +corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t) +corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t) +corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) 
+corenet_tcp_connect_http_port(sandbox_web_client_t) +corenet_tcp_connect_http_cache_port(sandbox_web_client_t) +corenet_tcp_connect_ftp_port(sandbox_web_client_t) +corenet_tcp_connect_ipp_port(sandbox_web_client_t) +corenet_tcp_connect_generic_port(sandbox_web_client_t) +corenet_sendrecv_http_client_packets(sandbox_web_client_t) +corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) +corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) +corenet_sendrecv_ipp_client_packets(sandbox_web_client_t) +corenet_sendrecv_generic_client_packets(sandbox_web_client_t) +# Should not need other ports +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) +corenet_tcp_connect_speech_port(sandbox_web_client_t) + +auth_use_nsswitch(sandbox_web_client_t) + +dbus_system_bus_client(sandbox_web_client_t) +dbus_read_config(sandbox_web_client_t) +selinux_get_fs_mount(sandbox_web_client_t) +selinux_validate_context(sandbox_web_client_t) +selinux_compute_access_vector(sandbox_web_client_t) +selinux_compute_create_context(sandbox_web_client_t) +selinux_compute_relabel_context(sandbox_web_client_t) +selinux_compute_user_contexts(sandbox_web_client_t) +seutil_read_default_contexts(sandbox_web_client_t) + +optional_policy(` + nsplugin_read_rw_files(sandbox_web_client_t) + nsplugin_rw_exec(sandbox_web_client_t) +') + +optional_policy(` + hal_dbus_chat(sandbox_web_client_t) +') + +######################################## +# +# sandbox_net_client_t local policy +# +allow sandbox_net_client_t self:tcp_socket create_socket_perms; +allow sandbox_net_client_t self:udp_socket create_socket_perms; +allow sandbox_net_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_net_client_t) -manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) 
-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) +corenet_all_recvfrom_unlabeled(sandbox_net_client_t) +corenet_all_recvfrom_netlabel(sandbox_net_client_t) +corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) +corenet_udp_sendrecv_generic_if(sandbox_net_client_t) +corenet_tcp_sendrecv_generic_node(sandbox_net_client_t) +corenet_udp_sendrecv_generic_node(sandbox_net_client_t) +corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) +corenet_udp_sendrecv_all_ports(sandbox_net_client_t) +corenet_tcp_connect_all_ports(sandbox_net_client_t) +corenet_sendrecv_all_client_packets(sandbox_net_client_t) -files_rw_all_inherited_files(sandbox_t) -files_entrypoint_all_files(sandbox_t) +auth_use_nsswitch(sandbox_net_client_t) -libs_use_ld_so(sandbox_t) -libs_use_shared_libs(sandbox_t) +dbus_system_bus_client(sandbox_net_client_t) +dbus_read_config(sandbox_net_client_t) +selinux_get_fs_mount(sandbox_net_client_t) +selinux_validate_context(sandbox_net_client_t) +selinux_compute_access_vector(sandbox_net_client_t) +selinux_compute_create_context(sandbox_net_client_t) +selinux_compute_relabel_context(sandbox_net_client_t) +selinux_compute_user_contexts(sandbox_net_client_t) +seutil_read_default_contexts(sandbox_net_client_t) -miscfiles_read_localization(sandbox_t) +optional_policy(` + nsplugin_read_rw_files(sandbox_web_client_t) + nsplugin_rw_exec(sandbox_web_client_t) +') -userdom_use_user_ptys(sandbox_t) +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 21:54:49.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-06-25 10:21:01.000000000 +0200 
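Review bot: In the `sandbox_net_client_t local policy` section the optional block `nsplugin_read_rw_files(sandbox_web_client_t)` / `nsplugin_rw_exec(sandbox_web_client_t)` names the web client type, so it duplicates the block already given under `sandbox_web_client_t` instead of applying to `sandbox_net_client_t`; either it is a copy-paste that should read `sandbox_net_client_t`, or it is redundant and should be removed. The three client sections otherwise repeat the same `dbus_*`, `selinux_*` and `seutil_read_default_contexts` lines verbatim, which suggests they belong once on `sandbox_x_domain` or inside `sandbox_x_domain_template`. `files_entrypoint_all_files(sandbox_domain)` and `corecmd_exec_all_executables(sandbox_domain)` are broad for a domain meant to contain untrusted programs; if the launcher needs them, a comment stating why would help the next reviewer.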
@@ -63,6 +63,7 @@ ') /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-06-25 10:21:01.000000000 +0200 @@ -136,7 +136,7 @@ miscfiles_read_localization(vmware_host_t) -sysnet_dns_name_resolve(vmware_host_t) +auth_use_nsswitch(vmware_host_t) storage_getattr_fixed_disk_dev(vmware_host_t) @@ -160,6 +160,10 @@ xserver_common_app(vmware_host_t) ') +optional_policy(` + unconfined_domain(vmware_host_t) + unconfined_domain(vmware_t) +') ifdef(`TODO',` # VMWare need access to pcmcia devices for network diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-25 10:21:01.000000000 +0200 @@ -7,6 +7,7 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) 
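Review bot: The `optional_policy` block added at `@@ -160,6 +160,10 @@` in vmware.te calls `unconfined_domain()` on both `vmware_host_t` and `vmware_t`, which lifts every restriction the rest of this module places on those two domains, and the hunk records no reason. If this is a deliberate workaround for a known breakage, say so on the spot, e.g. `# TODO(review): document why vmware_host_t/vmware_t must run unconfined`, and consider gating the block behind a tunable so administrators who want the confined vmware policy can keep it. As written, every other rule in vmware.te becomes documentation rather than enforcement for these domains.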
@@ -69,6 +70,8 @@ /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) +/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) @@ -145,6 +148,7 @@ /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -217,8 +221,11 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-06-25 10:21:01.000000000 +0200 
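Review bot: The `/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` entry is removed in the `@@ -217,8 +221,11 @@` hunk of corecommands.fc while the shorewall-lite and shorewall6-lite lines are added in its place, and no other hunk in the diff relabels turboprint. Unless dropping it is intended, keep that line alongside the four new shorewall entries; if the removal is intended, it deserves its own hunk or a changelog note so it is not lost inside an addition. The hunk counts (8 old, 11 new) confirm that one line disappears.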
@@ -134,7 +134,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(lmtp, tcp,24,s0, udp,24,s0) -network_port(mail, tcp,2000,s0) +network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-06-25 10:21:01.000000000 +0200 @@ -46,8 +46,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) +/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0) /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-06-25 10:21:01.000000000 +0200 
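Review bot: `network_port(mail, tcp,2000,s0, tcp,3905,s0)` adds a second port to `mail_port_t` without naming the service that listens on 3905, so a later reader cannot tell whether it still belongs here. Add a trailing comment, e.g. `# 3905/tcp: <service — TODO confirm> shares mail_port_t`, or, if it is a distinct protocol, give it its own `network_port()` entry. Every domain already granted `corenet_tcp_connect_mail_port` reaches 3905 after this change, which is presumably the intent but should be stated.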
@@ -1727,6 +1727,133 @@ ######################################## ## +## Get the attributes of the ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_ksm_dev',` + gen_require(` + type device_t, ksm_device_t; + ') + + getattr_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## +## Set the attributes of the ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_ksm_dev',` + gen_require(` + type device_t, ksm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## +## Read the ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_ksm',` + gen_require(` + type device_t, ksm_device_t; + ') + + read_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## +## Read and write to ksm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_ksm',` + gen_require(` + type device_t, ksm_device_t; + ') + + rw_chr_files_pattern($1, device_t, ksm_device_t) +') + +###################################### +## +## Read the lirc device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + read_chr_files_pattern($1, device_t, lirc_device_t) +') + +###################################### +## +## Read and write the lirc device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + rw_chr_files_pattern($1, device_t, lirc_device_t) +') + +###################################### +## +## Automatic type transition to the type +## for lirc device nodes when created in /dev. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`dev_filetrans_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + filetrans_pattern($1, device_t, lirc_device_t, chr_file) +') + +######################################## +## ## Read the lvm comtrol device. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-06-25 10:21:01.000000000 +0200 @@ -78,6 +78,13 @@ dev_node(ipmi_device_t) # +# ksm_device_t is the type of +# /dev/ksm +# +type ksm_device_t; +dev_node(ksm_device_t) + +# # Type for /dev/kmsg # type kmsg_device_t; @@ -91,6 +98,12 @@ dev_node(kvm_device_t) # +# Type for /dev/lirc +# +type lirc_device_t; +dev_node(lirc_device_t) + +# # Type for /dev/mapper/control # type lvm_control_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-25 10:21:01.000000000 +0200 
@@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain domain_base_type($1) - - ifdef(`distro_redhat',` - optional_policy(` - unconfined_use_fds($1) - ') - ') - - # send init a sigchld and signull - optional_policy(` - init_sigchld($1) - init_signull($1) - ') - - # these seem questionable: - - optional_policy(` - rpm_use_fds($1) - rpm_read_pipes($1) - ') - - optional_policy(` - selinux_dontaudit_getattr_fs($1) - selinux_dontaudit_read_fs($1) - ') - - optional_policy(` - seutil_dontaudit_read_config($1) - ') ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-26 15:48:29.000000000 +0200 @@ -91,6 +91,9 @@ kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring @@ -108,6 +111,15 @@ # list the root directory files_list_root(domain) +selinux_getattr_fs(domain) +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) + +init_sigchld(domain) +init_signull(domain) + +seutil_dontaudit_read_config(domain) + tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs @@ -116,6 +128,12 @@ dev_read_urand(domain) ') +ifdef(`distro_redhat',` + optional_policy(` + unconfined_use_fds(domain) + ') +') + optional_policy(` afs_rw_cache(domain) ') @@ -125,6 +143,12 @@ libs_use_shared_libs(domain) ') +# these seem questionable: +optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) +') + optional_policy(` setrans_translate_context(domain) ') 
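Review bot: `init_sigchld(domain)`, `init_signull(domain)` and `seutil_dontaudit_read_config(domain)` are added to domain.te in the `@@ -108,6 +111,15 @@` hunk without the `optional_policy()` wrappers that the same calls carry in the `domain_type` interface being removed from domain.if in this diff. domain.te is a kernel-layer module while init and selinuxutil are not, so the unconditional calls make the kernel layer build depend on those modules being present; keep them inside `optional_policy(` … ')` blocks exactly as the removed lines did. The `selinux_*` calls are kernel-layer and can stay unconditional, although turning the former dontaudits into `selinux_getattr_fs`/`selinux_search_fs` for every domain is a widening worth a one-line comment.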
@@ -152,8 +176,7 @@
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
-allow unconfined_domain_type domain:dbus send_msg;
-allow domain unconfined_domain_type:dbus send_msg;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -185,7 +208,9 @@
 ifdef(`hide_broken_symptoms',`
 fs_list_inotifyfs(domain)
+ dontaudit domain self:udp_socket listen;
 allow domain domain:key { link search };
+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
 ')
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-06-25 10:21:01.000000000 +0200
@@ -1953,6 +1953,7 @@
 allow $1 etc_t:dir list_dir_perms;
 read_files_pattern($1, etc_t, etc_t)
 read_lnk_files_pattern($1, etc_t, etc_t)
+ files_read_etc_runtime_files($1)
 ')
 ########################################
@@ -3734,6 +3735,7 @@
 allow $1 usr_t:dir list_dir_perms;
 read_files_pattern($1, usr_t, usr_t)
 read_lnk_files_pattern($1, usr_t, usr_t)
+ files_read_usr_src_files($1)
 ')
 ########################################
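Review bot: The `files_read_etc_runtime_files($1)` and `files_read_usr_src_files($1)` calls added in the files.if hunks `@@ -1953,6 +1953,7 @@` and `@@ -3734,6 +3735,7 @@` (both enclosing interfaces start outside the hunks; from the context they are presumably the generic etc_t and usr_t read interfaces) widen two of the most widely used interfaces in the tree, so every existing caller silently gains read access to `etc_runtime_t` and `usr_src_t`. Those types exist so that such access can be granted separately; callers that need them should call the specific interfaces themselves. If the widening is deliberate, the interfaces' `<summary>` text above the hunks has to say so, since it currently describes only the base type.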
@@ -5224,6 +5226,7 @@ attribute file_type; ') + allow $1 file_type:dir search_dir_perms; allow $1 file_type:file { getattr read write append lock }; allow $1 file_type:fifo_file { getattr read write append ioctl lock }; allow $1 file_type:sock_file { getattr read write append ioctl lock }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-06-25 10:21:01.000000000 +0200 @@ -817,7 +817,7 @@ type proc_t; ') - dontaudit $1 proc_t:file { getattr read }; + dontaudit $1 proc_t:file { open getattr read }; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-06-25 10:21:01.000000000 +0200 @@ -571,6 +571,25 @@ dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') +####################################### +## +## Set the attributes of the tty device +## +## +## +## Domain allowed access. +## +## +# +interface(`term_setattr_controlling_term',` + gen_require(` + type devtty_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file setattr; +') + ######################################## ## ## Read and write the controlling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-25 10:21:01.000000000 +0200 
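Review bot: `allow $1 file_type:dir search_dir_perms;` in the `@@ -5224,6 +5226,7 @@` hunk grants the caller traversal of every directory carrying the `file_type` attribute, i.e. essentially the whole labelled filesystem; the enclosing interface's name and summary lie outside the hunk, but the surrounding `{ getattr read write append lock }` rules on `file_type` files, fifos and sockets look like an inherited-descriptor interface, for which directory search is not needed because the descriptors are already open. If the line was added to silence a specific denial, a comment naming the case, e.g. `# TODO(review): which caller re-opens inherited files by path?`, keeps the grant from being read as intended for all callers.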
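Review bot: The `<summary>` of the new `term_setattr_controlling_term` interface in terminal.if reads "Set the attributes of the tty device", which does not tell the reader that the object is specifically `devtty_t` (/dev/tty, the controlling terminal) rather than a tty or pty device. Reword it as `## Set the attributes of the controlling terminal (/dev/tty).` so it matches the interface name and the neighbouring `*_controlling_term` summaries. A short comment on `dev_list_all_dev_nodes($1)` saying it is there for the /dev lookup would also help.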
@@ -44,6 +44,10 @@ ') optional_policy(` + postgresql_role(staff_r, staff_t) +') + +optional_policy(` secadm_role_change(staff_r) ') @@ -95,6 +99,10 @@ ') optional_policy(` + sandbox_transition(staff_t, staff_r) +') + +optional_policy(` screen_manage_var_run(staff_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if 2009-06-25 10:21:01.000000000 +0200 @@ -116,6 +116,41 @@ ######################################## ## +## Allow sysadm to execute all entrypoint files in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). +## +## +##

+## Allow sysadm to execute all entrypoint files in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). +##

+##

+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`sysadm_entry_spec_domtrans_to',` + gen_require(` + type sysadm_t; + ') + + domain_entry_file_spec_domtrans(sysadm_t, $1) + allow $1 sysadm_t:fd use; + allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:process sigchld; +') + +######################################## +## ## Allow sysadm to execute a generic bin program in ## a specified domain. This is an explicit transition, ## requiring the caller to use setexeccon(). diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-06-25 10:21:01.000000000 +0200 @@ -334,6 +334,10 @@ ') optional_policy(` + virt_stream_connect(sysadm_t) +') + +optional_policy(` yam_run(sysadm_t, sysadm_r) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-06-25 10:21:01.000000000 +0200 @@ -52,6 +52,8 @@ init_system_domain(unconfined_execmem_t, execmem_exec_t) role unconfined_r types unconfined_execmem_t; typealias execmem_exec_t alias unconfined_execmem_exec_t; +userdom_unpriv_usertype(unconfined, unconfined_execmem_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t) type unconfined_notrans_t; type unconfined_notrans_exec_t; @@ -253,6 +255,10 @@ ') optional_policy(` + ppp_run(unconfined_t, unconfined_r) +') + +optional_policy(` qemu_role_notrans(unconfined_r, unconfined_t) qemu_unconfined_role(unconfined_r) 
@@ -277,7 +283,7 @@
 ')
 optional_policy(`
- sandbox_run(unconfined_t, unconfined_r)
+ sandbox_transition(unconfined_t, unconfined_r)
 ')
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-06-25 10:21:01.000000000 +0200
@@ -22,5 +22,9 @@
 ')
 optional_policy(`
+ sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
 setroubleshoot_dontaudit_stream_connect(user_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-06-25 10:21:01.000000000 +0200
@@ -98,4 +98,6 @@
 /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/automount.if 2009-06-25 10:21:01.000000000 +0200
@@ -21,6 +21,25 @@ ######################################## ## +## Send automount a signal +## +## +## +## The type of the process performing this action. +## +## +# +# +interface(`automount_signal',` + gen_require(` + type automount_t; + ') + + allow $1 automount_t:process signal; +') + +######################################## +## ## Execute automount in the caller domain. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2009-06-29 13:28:59.000000000 +0200 @@ -24,7 +24,7 @@ # Local policy # -allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; +allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-06-25 10:21:01.000000000 +0200 
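Review bot: The new `automount_signal` interface has two consecutive `#` separator lines between its documentation block and `interface(`automount_signal',``, where the neighbouring interfaces in the hunk context use one; drop the duplicate. The summary `Send automount a signal` also lacks the terminating period that "Execute automount in the caller domain." below it carries.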
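Review bot: `net_admin` is added to `avahi_t`'s self capabilities in avahi.te with no comment saying which operation needs it; CAP_NET_ADMIN covers interface, routing and netfilter configuration, far more than an mDNS responder should need. Record the triggering call on the line, e.g. `# net_admin: <setsockopt option or ioctl avahi issues — TODO confirm>`, and if the denial turns out to be a harmless probe, prefer `dontaudit avahi_t self:capability net_admin;` over granting it.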
@@ -64,6 +64,7 @@
 allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-25 10:21:01.000000000 +0200
@@ -14,7 +14,7 @@
 files_pid_file(consolekit_var_run_t)
 type consolekit_log_t;
-files_pid_file(consolekit_log_t)
+logging_log_file(consolekit_log_t)
 ########################################
 #
@@ -50,6 +50,7 @@
 files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
 fs_list_inotifyfs(consolekit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-06-25 10:21:01.000000000 +0200
@@ -163,27 +163,14 @@ # interface(`cron_unconfined_role',` gen_require(` - type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; + type unconfined_cronjob_t; ') - role $1 types { unconfined_cronjob_t admin_crontab_t }; + role $1 types unconfined_cronjob_t; # cronjob shows up in user ps ps_process_pattern($2, unconfined_cronjob_t) - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - - # crontab shows up in user ps - ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process signal; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(admin_crontab_t, $2) - #corecmd_shell_domtrans(admin_crontab_t, $2) - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - optional_policy(` gen_require(` class dbus send_msg; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-06-25 10:21:01.000000000 +0200 
@@ -36,6 +36,8 @@ # keep as separate lines to ensure proper sorting /usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) /usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/lib/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/lib64/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-06-25 10:21:01.000000000 +0200 @@ -130,11 +130,13 @@ # Access files in /var/dcc. The map file can be updated allow dcc_client_t dcc_var_t:dir list_dir_perms; -read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_client_t) +fs_getattr_all_fs(dcc_client_t) + corenet_all_recvfrom_unlabeled(dcc_client_t) corenet_all_recvfrom_netlabel(dcc_client_t) corenet_udp_bind_generic_node(dcc_client_t) @@ -154,6 +156,10 @@ userdom_use_user_terminals(dcc_client_t) optional_policy(` + amavis_read_spool_files(dcc_client_t) +') + +optional_policy(` spamassassin_read_spamd_tmp_files(dcc_client_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.12/policy/modules/services/ddclient.if --- nsaserefpolicy/policy/modules/services/ddclient.if 2009-04-07 21:54:45.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/ddclient.if 2009-06-25 10:21:01.000000000 +0200 
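Review bot: `manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` in the dcc.te `@@ -130,11 +130,13 @@` hunk replaces a read-only rule and gives the client create, unlink, rename and setattr over everything in `/var/dcc`, while the comment just above it only says "The map file can be updated". If the map is rewritten in place, `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` is sufficient; if the client writes a temporary file and renames it over the map, say so in the comment so the broader grant is understood. `fs_getattr_all_fs(dcc_client_t)` below it also deserves a one-line why.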
@@ -21,6 +21,31 @@ ######################################## ## +## Execute ddclient daemon on behalf of a user or staff type. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the ppp domain. +## +## +## +# +interface(`ddclient_run',` + gen_require(` + type ddclient_t; + ') + + ddclient_domtrans($1) + role $2 types ddclient_t; +') + +######################################## +## ## All of the rules required to administrate ## an ddclient environment ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-25 10:21:01.000000000 +0200 @@ -55,7 +55,7 @@ # # DeviceKit-Power local policy # -allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice }; +allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; @@ -77,6 +77,7 @@ kernel_rw_kernel_sysctl(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) +dev_read_input(devicekit_power_t) dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -107,6 +108,7 @@ ') optional_policy(` + polkit_dbus_chat(devicekit_power_t) polkit_domtrans_auth(devicekit_power_t) polkit_read_lib(devicekit_power_t) polkit_read_reload(devicekit_power_t) 
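Review bot: The `ddclient_run` documentation describes its second parameter as "The role to allow the ppp domain.", which is copied from another module; it should read `## The role to allow the ddclient domain.`. The summary "Execute ddclient daemon on behalf of a user or staff type." would also be clearer as "Execute ddclient in the ddclient domain and allow the specified role the ddclient domain.", which is what the body (`ddclient_domtrans($1)` plus `role $2 types ddclient_t;`) does.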
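Review bot: `sys_ptrace` is added to `devicekit_power_t`'s allowed capabilities in the devicekit.te `@@ -55,7 +55,7 @@` hunk with no comment. In this tree that capability check is usually triggered by reading other processes' /proc entries and is normally handled with `dontaudit devicekit_power_t self:capability sys_ptrace;` rather than an allow, because CAP_SYS_PTRACE also permits attaching to and reading the memory of other processes. Unless DeviceKit-power actually traces processes, make it a dontaudit and note the trigger.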
@@ -147,6 +149,7 @@ allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) @@ -199,6 +202,7 @@ ') optional_policy(` + polkit_dbus_chat(devicekit_disk_t) polkit_domtrans_auth(devicekit_disk_t) polkit_read_lib(devicekit_disk_t) polkit_read_reload(devicekit_disk_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-06-25 10:21:01.000000000 +0200 @@ -87,6 +87,10 @@ ') optional_policy(` + dbus_system_bus_client(dnsmasq_t) +') + +optional_policy(` tftp_read_content(dnsmasq_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te 2009-06-29 16:22:53.000000000 +0200 
@@ -60,6 +60,8 @@ corenet_tcp_connect_all_ports(fetchmail_t) corenet_sendrecv_all_client_packets(fetchmail_t) +corecmd_exec_shell(fetchmail_t) + dev_read_sysfs(fetchmail_t) dev_read_rand(fetchmail_t) dev_read_urand(fetchmail_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-25 10:21:01.000000000 +0200 @@ -22,12 +22,15 @@ corecmd_search_bin(fprintd_t) +dev_list_usbfs(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) dev_read_sysfs(fprintd_t) files_read_etc_files(fprintd_t) files_read_usr_files(fprintd_t) +kernel_read_system_state(fprintd_t) + auth_use_nsswitch(fprintd_t) miscfiles_read_localization(fprintd_t) @@ -40,9 +43,10 @@ ') optional_policy(` - polkit_read_reload(fprintd_t) - polkit_read_lib(fprintd_t) + polkit_dbus_chat(fprintd_t) polkit_domtrans_auth(fprintd_t) + polkit_read_lib(fprintd_t) + polkit_read_reload(fprintd_t) ') permissive fprintd_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-07-03 08:22:14.000000000 +0200 @@ -91,6 +91,9 @@ # allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; +ifdef(`hide_broken_symptoms', ` +allow ftpd_t self:capability { sys_admin }; +') dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process signal_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; 
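Review bot: `corecmd_exec_shell(fetchmail_t)` lets a network-facing mail client run a shell and the hunk does not say what for. fetchmail presumably needs it only for the user-configured delivery and hook commands (its `mda` and `preconnect`/`postconnect` options), so a comment such as `# fetchmail runs the configured mda/preconnect/postconnect commands through a shell` ties the grant to that feature and lets a later reviewer judge whether a tunable is warranted.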
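Review bot: `allow ftpd_t self:capability { sys_admin };` inside `ifdef(`hide_broken_symptoms',` in the ftp.te `@@ -91,6 +91,9 @@` hunk grants CAP_SYS_ADMIN, which is close to full root, to a network-facing daemon, and `hide_broken_symptoms` is the build option for hiding spurious denials, not for allowing them. If the check is a harmless side effect of some ftpd operation, the line should be `dontaudit ftpd_t self:capability sys_admin;`; if ftpd genuinely needs the capability, that calls for an unconditional, commented allow rather than one that appears or disappears with a build option.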
@@ -99,6 +102,7 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; +allow ftpd_t self:shm create_shm_perms; allow ftpd_t self:key manage_key_perms; allow ftpd_t ftpd_etc_t:file read_file_perms; @@ -129,8 +133,7 @@ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; # Create and modify /var/log/xferlog. -allow ftpd_t xferlog_t:dir search_dir_perms; -allow ftpd_t xferlog_t:file manage_file_perms; +manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te 2009-06-25 10:21:01.000000000 +0200 @@ -44,6 +44,7 @@ ') optional_policy(` + polkit_dbus_chat(gnomeclock_t) polkit_domtrans_auth(gnomeclock_t) polkit_read_lib(gnomeclock_t) polkit_read_reload(gnomeclock_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc 2009-06-25 10:25:21.000000000 +0200 
@@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) /usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/gpsd.te 2009-06-25 10:24:43.000000000 +0200 @@ -8,11 +9,17 @@ type gpsd_t; type gpsd_exec_t; application_domain(gpsd_t, gpsd_exec_t) -role system_r types gpsd_t; +init_daemon_domain(gpsd_t, gpsd_exec_t) + +type gpsd_initrc_exec_t; +init_script_file(gpsd_initrc_exec_t) type gpsd_tmpfs_t; files_tmpfs_file(gpsd_tmpfs_t) +type gpsd_var_run_t; +files_pid_file(gpsd_var_run_t) + ######################################## # # gpsd local policy @@ -28,6 +35,15 @@ manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) +manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) + +corenet_all_recvfrom_unlabeled(gpsd_t) +corenet_all_recvfrom_netlabel(gpsd_t) +corenet_tcp_sendrecv_generic_if(gpsd_t) +corenet_tcp_sendrecv_generic_node(gpsd_t) +corenet_tcp_sendrecv_all_ports(gpsd_t) corenet_tcp_bind_all_nodes(gpsd_t) corenet_tcp_bind_gpsd_port(gpsd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-06-25 10:21:01.000000000 +0200 
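Review bot: `init_daemon_domain(gpsd_t, gpsd_exec_t)` is added in the gpsd.te `@@ -8,11 +9,17 @@` hunk while the existing `application_domain(gpsd_t, gpsd_exec_t)` line above it is kept, so gpsd_t is declared both as a user application domain and as an init-started daemon; both interfaces presumably declare the domain and entrypoint, and the application attribute brings user-domain constraints that a daemon normally does not want. If gpsd is meant to be started both by the init script and from a user session, say so in a comment; otherwise drop the `application_domain` line.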
@@ -162,6 +162,7 @@ fs_mount_dos_fs(hald_t) fs_unmount_dos_fs(hald_t) fs_manage_dos_files(hald_t) +fs_manage_fusefs_dirs(hald_t) files_getattr_all_mountpoints(hald_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/kerberos.if 2009-06-25 10:21:01.000000000 +0200 @@ -70,6 +70,7 @@ interface(`kerberos_use',` gen_require(` type krb5_conf_t, krb5kdc_conf_t; + type krb5_host_rcache_t; ') files_search_etc($1) @@ -101,6 +102,7 @@ corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) + allow $1 krb5_host_rcache_t:file getattr; ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-06-25 10:21:01.000000000 +0200 @@ -287,6 +287,11 @@ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) + +manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-06-25 10:21:01.000000000 +0200 
@@ -45,6 +45,9 @@ dev_filetrans(lircd_t, lircd_sock_t, sock_file ) dev_read_generic_usb_dev(lircd_t) +dev_filetrans_lirc(lircd_t) +dev_rw_lirc(lircd_t) + logging_send_syslog_msg(lircd_t) files_read_etc_files(lircd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-06-25 10:21:01.000000000 +0200 @@ -197,6 +197,7 @@ type mailman_data_t; ') + list_dirs_pattern($1, mailman_data_t, mailman_data_t) read_files_pattern($1, mailman_data_t, mailman_data_t) read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-06-25 10:21:01.000000000 +0200 @@ -473,6 +473,7 @@ ') write_files_pattern($1, etc_mail_t, etc_mail_t) + allow $1 etc_mail_t:file setattr; ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-06-25 10:21:01.000000000 +0200 
@@ -136,10 +136,12 @@ allow mysqld_safe_t self:capability { dac_override fowner chown }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) -mysql_append_db_files(mysqld_safe_t) +mysql_manage_db_files(mysqld_safe_t) mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-06-26 15:48:39.000000000 +0200 @@ -72,8 +72,7 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) kernel_read_kernel_sysctls(ypbind_t) -kernel_list_proc(ypbind_t) -kernel_read_proc_symlinks(ypbind_t) +kernel_read_system_state(ypbind_t) corenet_all_recvfrom_unlabeled(ypbind_t) corenet_all_recvfrom_netlabel(ypbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc --- nsaserefpolicy/policy/modules/services/nslcd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc 2009-06-25 10:21:01.000000000 +0200 
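Review bot: `mysql_manage_db_files(mysqld_safe_t)` replaces an append-only grant with create/write/unlink over the database files for the wrapper script, a larger widening than the rest of the hunk suggests was needed. If the motivating denial was only the stale-socket cleanup, the new `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` already covers it and `mysql_append_db_files` could stay. If full manage is genuinely required, a comment naming the operation the wrapper performs on the data files would keep the widening reviewable.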
@@ -0,0 +1,4 @@
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.12/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.if 2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,145 @@
+
+## policy for nslcd
+
+########################################
+##
+## Execute a domain transition to run nslcd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t;
+ type nslcd_exec_t;
+ ')
+
+ domtrans_pattern($1,nslcd_exec_t,nslcd_t)
+')
+
+
+########################################
+##
+## Execute nslcd server in the nslcd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1,nslcd_initrc_exec_t)
+')
+
+########################################
+##
+## Read nslcd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Manage nslcd var_run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_manage_var_run',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+ manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an nslcd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the nslcd domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t;
+ ')
+
+ allow $1 nslcd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, nslcd_t, nslcd_t)
+ allow $1 nslcd_conf_t:file read_file_perms;
+
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ nslcd_manage_var_run($1)
+')
+
+
+########################################
+##
+## Connect to nslcd over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_use',`
+ gen_require(`
+ type nslcd_t, var_run_t, nslcd_var_run_t;
+ ')
+
+# list_dirs_pattern($1, var_run_t, nslcd_var_run_t)
+ write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ allow $1 nslcd_t:unix_stream_socket connectto;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.12/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.te 2009-06-25 10:21:01.000000000 +0200
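Review bot: `nslcd_admin` uses `nslcd_conf_t` in `allow $1 nslcd_conf_t:file read_file_perms;` without listing it in its `gen_require`, so the interface will fail to link when called from another module; change the first require to `type nslcd_t, nslcd_conf_t;` (the second, separate require for `nslcd_initrc_exec_t` could be folded into it at the same time). The comment `# Allow nslcd_t to restart the apache service` is a copy-paste leftover and should read `# Allow $1 to restart the nslcd service`. The `nslcd_admin` docblock describes a third parameter, the user terminal type, that the body never uses, and `nslcd_use` requires `var_run_t` only for the commented-out `list_dirs_pattern` line; drop the unused parameter text, the unused require and the dead line rather than carrying them into the module. `read_files_pattern($1, nslcd_t, nslcd_t)` in the admin interface is what `ps_process_pattern($1, nslcd_t)` exists for and would match the other admin interfaces in the tree.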
@@ -0,0 +1,50 @@
+policy_module(nslcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+#permissive nslcd_t;
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+
+# Init script handling
+domain_use_interactive_fds(nslcd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow nslcd_t self:sock_file rw_file_perms;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+allow nslcd_t self:process signal;
+
+files_read_etc_files(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir })
+allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-25 10:21:01.000000000 +0200
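Review bot: `allow nslcd_t self:sock_file rw_file_perms;` pairs the `sock_file` class with the `file` permission set and targets `self`, which for a socket node means one labelled `nslcd_t`, something nothing in the .fc creates; the socket the daemon does create is already covered by `allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;` further down, so this line can be dropped (or become `rw_sock_file_perms` if a self-labelled socket really exists). `dac_override` is the broad one of the three capabilities; if it is only needed to read a root-owned `nslcd_conf_t` file, say so in a comment so a later reviewer can test whether `dac_read_search` suffices. The `allow nslcd_t nslcd_conf_t:file read_file_perms;` rule sits in the declarations section and would read better under the local-policy header with the other access rules, and the commented-out `#permissive nslcd_t;` should not ship in the module.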
@@ -28,6 +28,7 @@ allow pcscd_t self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) @@ -46,6 +47,8 @@ files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) +kernel_read_system_state(pcscd_t) + term_use_unallocated_ttys(pcscd_t) term_dontaudit_getattr_pty_dirs(pcscd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-06-25 10:21:01.000000000 +0200 @@ -2,7 +2,7 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) -/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-06-25 10:21:01.000000000 +0200 
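Review bot: `/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0)` in polkit.fc now labels every regular file whose name starts with `polkitd`, not just the daemon binary. If a versioned or suffixed filename prompted the change, an explicit alternation for the known names keeps stray helpers or backup copies in that directory from receiving the entry-point label. The pcscd hunks are straightforward additions of a fifo pattern and `kernel_read_system_state`.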
@@ -194,6 +194,7 @@ polkit_domtrans_auth($1) role $2 types polkit_auth_t; + polkit_dbus_chat($1) ') ####################################### @@ -217,6 +218,7 @@ polkit_run_grant($2, $1) polkit_read_lib($2) polkit_read_reload($2) + polkit_dbus_chat($2) ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-06-25 10:21:01.000000000 +0200 @@ -580,6 +580,25 @@ ######################################## ## +## Execute the master postqueue in the +## postfix_postqueue domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_domtrans_postqueue',` + gen_require(` + type postfix_postqueue_t, postfix_postqueue_exec_t; + ') + + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) +') + +######################################## +## ## Execute the master postdrop in the ## postfix_postdrop domain. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-06-29 16:24:29.000000000 +0200 
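Review bot: The summary of the new `postfix_domtrans_postqueue` interface reads `Execute the master postqueue in the postfix_postqueue domain.`, which copies the wording of the neighbouring postdrop block; postqueue is a client utility rather than a master process, so `Execute postqueue in the postfix_postqueue domain.` is more accurate. The body follows the existing `domtrans_pattern` convention and needs no change.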
@@ -202,6 +202,7 @@ corenet_tcp_bind_generic_node(postgresql_t) corenet_tcp_bind_postgresql_port(postgresql_t) corenet_tcp_connect_auth_port(postgresql_t) +corenet_tcp_connect_postgresql_port(postgresql_t) corenet_sendrecv_postgresql_server_packets(postgresql_t) corenet_sendrecv_auth_client_packets(postgresql_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-06-25 10:21:01.000000000 +0200 @@ -177,10 +177,16 @@ interface(`ppp_run',` gen_require(` type pppd_t; + type pptp_t; ') ppp_domtrans($1) role $2 types pppd_t; + role $2 types pptp_t; + + optional_policy(` + ddclient_run(pppd_t, $2) + ') ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-06-25 10:21:01.000000000 +0200 @@ -48,8 +48,7 @@ files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) kernel_read_kernel_sysctls(privoxy_t) -kernel_list_proc(privoxy_t) -kernel_read_proc_symlinks(privoxy_t) +kernel_read_system_state(privoxy_t) corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-06-25 10:21:01.000000000 +0200 
@@ -3,6 +3,8 @@ HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/pyzor.te 2009-06-25 10:21:01.000000000 +0200 @@ -97,6 +97,8 @@ kernel_read_kernel_sysctls(pyzor_t) kernel_read_system_state(pyzor_t) +fs_getattr_xattr_fs(pyzor_t) + corecmd_list_bin(pyzor_t) corecmd_getattr_bin_files(pyzor_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-06-25 10:21:01.000000000 +0200 @@ -95,6 +95,10 @@ userdom_signal_unpriv_users(rpcd_t) optional_policy(` + automount_signal(rpcd_t) +') + +optional_policy(` nis_read_ypserv_config(rpcd_t) ') @@ -214,6 +218,10 @@ ') optional_policy(` + automount_signal(gssd_t) +') + +optional_policy(` kerberos_keytab_template(gssd, gssd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-06-25 10:21:01.000000000 +0200 
@@ -126,6 +126,8 @@ tunable_policy(`rsync_export_all_ro',` fs_read_noxattr_fs_files(rsync_t) + fs_read_nfs_files(rsync_t) + fs_read_cifs_files(rsync_t) auth_read_all_dirs_except_shadow(rsync_t) auth_read_all_files_except_shadow(rsync_t) auth_read_all_symlinks_except_shadow(rsync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-06-25 10:21:01.000000000 +0200 @@ -148,6 +148,7 @@ optional_policy(` postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_postqueue(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-06-25 10:21:01.000000000 +0200 @@ -121,6 +121,10 @@ userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` + locate_read_lib_files(setroubleshootd_t) +') + +optional_policy(` dbus_system_bus_client(setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc --- nsaserefpolicy/policy/modules/services/shorewall.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc 1970-01-01 01:00:00.000000000 +0100 
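Review bot: `fs_read_nfs_files(rsync_t)` and `fs_read_cifs_files(rsync_t)` are placed under `rsync_export_all_ro` rather than under the `use_nfs_home_dirs`/`use_samba_home_dirs` tunables that normally gate reads of remote filesystems, so turning on the export tunable alone now exposes every NFS and CIFS mount to the rsync daemon. If that is intended, the tunable's description in rsync.te (outside this hunk) should say so; otherwise nest the two calls in the corresponding filesystem tunables as other modules do.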
@@ -1,12 +0,0 @@
-
-/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-
-/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
-/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
-
-/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-
-/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.if 1970-01-01 01:00:00.000000000 +0100
@@ -1,166 +0,0 @@ -## policy for shorewall - -######################################## -## -## Execute a domain transition to run shorewall. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`shorewall_domtrans',` - gen_require(` - type shorewall_t; - type shorewall_exec_t; - ') - - domtrans_pattern($1, shorewall_exec_t, shorewall_t) -') - -####################################### -## -## Read shorewall etc configuration files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_etc',` - gen_require(` - type shorewall_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) -') - -####################################### -## -## Read shorewall PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -####################################### -## -## Read and write shorewall PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_rw_pid_files',` - gen_require(` - type shorewall_var_run_t; - ') - - files_search_pids($1) - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - -###################################### -## -## Read shorewall /var/lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`shorewall_read_var_lib',` - gen_require(` - type shorewall_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## -## Read and write shorewall /var/lib files. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`shorewall_rw_var_lib',` - gen_require(` - type shorewall_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -') - -####################################### -## -## All of the rules required to administrate -## an shorewall environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -# -interface(`shorewall_admin',` - gen_require(` - type shorewall_t, shorewall_var_run_t, shorewall_lock_t; - type shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t; - ') - - allow $1 shorewall_t:process { ptrace signal_perms }; - ps_process_pattern($1, shorewall_t) - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, shorewall_etc_t) - - files_search_locks($1) - admin_pattern($1, shorewall_lock_t) - - files_search_pids($1) - admin_pattern($1, shorewall_var_run_t) - - files_search_var_lib($1) - admin_pattern($1, shorewall_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, shorewall_tmp_t) -') - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te --- nsaserefpolicy/policy/modules/services/shorewall.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/shorewall.te 1970-01-01 01:00:00.000000000 +0100 
@@ -1,102 +0,0 @@ -policy_module(shorewall,1.0.0) - -######################################## -# -# Declarations -# - -type shorewall_t; -type shorewall_exec_t; -init_daemon_domain(shorewall_t, shorewall_exec_t) - -type shorewall_initrc_exec_t; -init_script_file(shorewall_initrc_exec_t) - -# etc files -type shorewall_etc_t; -files_config_file(shorewall_etc_t) - -# lock files -type shorewall_lock_t; -files_lock_file(shorewall_lock_t) - -# tmp files -type shorewall_tmp_t; -files_tmp_file(shorewall_tmp_t) - -# var/lib files -type shorewall_var_lib_t; -files_type(shorewall_var_lib_t) - -######################################## -# -# shorewall local policy -# - -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace}; -dontaudit shorewall_t self:capability sys_tty_config; - -allow shorewall_t self:fifo_file rw_fifo_file_perms; - -# etc file -read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) -list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) - -# lock files -manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t) -files_lock_filetrans(shorewall_t, shorewall_lock_t, file) - -# var/lib files for shorewall -exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t) -manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t) -manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t) -files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file }) - -# tmp files for shorewall -manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t) -manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t) -files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) - -kernel_read_kernel_sysctls(shorewall_t) -kernel_read_system_state(shorewall_t) -kernel_read_network_state(shorewall_t) -kernel_rw_net_sysctls(shorewall_t) - -corecmd_exec_bin(shorewall_t) -corecmd_exec_shell(shorewall_t) - -dev_read_urand(shorewall_t) - 
-fs_getattr_all_fs(shorewall_t) - -domain_read_all_domains_state(shorewall_t) - -files_getattr_kernel_modules(shorewall_t) -files_read_etc_files(shorewall_t) -files_read_usr_files(shorewall_t) -files_search_kernel_modules(shorewall_t) - -init_rw_utmp(shorewall_t) - -libs_use_ld_so(shorewall_t) -libs_use_shared_libs(shorewall_t) - -logging_send_syslog_msg(shorewall_t) - -miscfiles_read_localization(shorewall_t) - -userdom_dontaudit_list_admin_dir(shorewall_t) - -sysnet_domtrans_ifconfig(shorewall_t) -iptables_domtrans(shorewall_t) - -optional_policy(` - modutils_domtrans_insmod(shorewall_t) -') - -optional_policy(` - ulogd_search_log(shorewall_t) -') - -permissive shorewall_t; - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-06-25 10:21:01.000000000 +0200 @@ -1,3 +1,4 @@ +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-06-29 22:52:07.000000000 +0200 
@@ -347,6 +347,10 @@ ') optional_policy(` + gitosis_manage_var_lib(sshd_t) +') + +optional_policy(` inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/uucp.te 2009-06-25 10:21:01.000000000 +0200 @@ -95,6 +95,8 @@ files_search_home(uucpd_t) files_search_spool(uucpd_t) +term_setattr_controlling_term(uucpd_t) + auth_use_nsswitch(uucpd_t) logging_send_syslog_msg(uucpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-25 10:21:01.000000000 +0200 @@ -22,6 +22,13 @@ ## ##
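Review bot: `gitosis_manage_var_lib(sshd_t)` gives the privileged sshd daemon itself create/write/unlink access over gitosis's state directory, whereas the code that serves git pushes runs in the user's session domain after the login transition. Unless the denial came from `sshd_t` proper (for example reading key material that gitosis generates), a read-only interface for `sshd_t`, or granting the manage rule to the domain gitosis runs in, is the tighter fix; a comment naming the triggering access would settle which. The uucp hunk adding `term_setattr_controlling_term` is fine.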

+## Allow svirt to use usb devices
+##

+##
+gen_tunable(virt_use_usb, true)
+
+##
+##

## Allow svirt to manage device configuration, (pci) ##

##
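Review bot: `gen_tunable(virt_use_usb, true)` switches the new USB access on by default, and the rules it gates in the later `@@ -214,6 +223,12 @@` hunk include `fs_manage_dos_dirs(svirt_t)` and `fs_manage_dos_files(svirt_t)`, which the description `Allow svirt to use usb devices` does not mention. Either default the tunable to `false` so guests gain host device and DOS-filesystem access only when an administrator opts in, or extend the description to say guests may also write DOS/FAT filesystems, so the boolean's listed description reflects its full effect.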
@@ -95,6 +102,7 @@ manage_files_pattern(virtd_t, virt_image_t, virt_image_t) manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t) +read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t) allow virtd_t virt_image_t:file { relabelfrom relabelto }; allow virtd_t virt_image_t:blk_file { relabelfrom relabelto }; @@ -183,6 +191,7 @@ seutil_read_default_contexts(virtd_t) term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -214,6 +223,12 @@ fs_read_cifs_symlinks(virtd_t) ') +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(svirt_t) + fs_manage_dos_dirs(svirt_t) + fs_manage_dos_files(svirt_t) +') + optional_policy(` brctl_domtrans(virtd_t) ') @@ -307,6 +322,7 @@ manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) +read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) allow svirt_t svirt_image_t:dir search_dir_perms; manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) @@ -316,16 +332,17 @@ dontaudit svirt_t virt_content_t:file write_file_perms; dontaudit svirt_t virt_content_t:dir write; -storage_raw_write_removable_device(svirt_t) -storage_raw_read_removable_device(svirt_t) - userdom_search_user_home_content(svirt_t) userdom_read_all_users_state(svirt_t) append_files_pattern(svirt_t, virt_log_t, virt_log_t) +append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t) allow svirt_t self:udp_socket create_socket_perms; +corecmd_exec_bin(svirt_t) +corecmd_exec_shell(svirt_t) + corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) corenet_udp_sendrecv_all_ports(svirt_t) 
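Review bot: `corecmd_exec_bin(svirt_t)` and `corecmd_exec_shell(svirt_t)` in the `@@ -316,16 +332,17 @@` hunk let the confined guest process execute arbitrary host binaries and shells, which removes much of the isolation the separate `svirt_t` domain provides. The motivation is not visible here (the same hunk removes the raw removable-device access, so it is not a replacement for that); if a specific helper needs to run, a dedicated domain transition or an exec rule on that helper's type is preferable, and a comment should record which helper requires it. The `read_lnk_files_pattern` and `term_use_generic_ptys` additions in the earlier hunks on this line are unremarkable.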
@@ -353,10 +370,6 @@ ') optional_policy(` - samba_domtrans_smb(svirt_t) -') - -optional_policy(` xen_rw_image_files(svirt_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/xserver.fc 2009-06-25 10:21:01.000000000 +0200 @@ -62,6 +62,7 @@ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-06-25 10:21:01.000000000 +0200 @@ -861,6 +861,24 @@ ######################################## ## +## Make an X executable an entrypoint for the specified domain. +## +## +## +## The domain for which the shell is an entrypoint. +## +## +# +interface(`xserver_entry_type',` + gen_require(` + type xserver_exec_t; + ') + + domain_entry_file($1, xserver_exec_t) +') + +######################################## +## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). 
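Review bot: The `xserver_entry_type` docblock says `The domain for which the shell is an entrypoint.`, copied from a shell interface; it should read `The domain for which the X server executable is an entrypoint.`. Because `domain_entry_file($1, xserver_exec_t)` lets any caller's domain be entered by executing the X server binary, the summary could also state that it is intended only for domains that themselves run an X server, so it is not reached for by callers who merely need to execute it.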
@@ -1411,6 +1429,7 @@
 xserver_read_xdm_tmp_files($1)
 xserver_xdm_stream_connect($1)
 xserver_setattr_xdm_tmp_dirs($1)
+ xserver_read_xdm_pid($1)
 allow $1 xdm_t:x_client { getattr destroy };
 allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-06-25 10:21:01.000000000 +0200
@@ -370,8 +370,9 @@
 manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ fs_getattr_all_fs(xdm_t)
-fs_search_inotifyfs(xdm_t)
+fs_list_inotifyfs(xdm_t)
 fs_read_noxattr_fs_files(xdm_t)
 manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
@@ -530,6 +531,7 @@
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
 miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
@@ -538,6 +540,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
@@ -839,7 +842,6 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
-fs_list_inotifyfs(xdm_t)
 fs_rw_tmpfs_files(xserver_t)
 mls_xwin_read_to_clearance(xserver_t)
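Review bot: `userdom_manage_user_tmp_dirs(xdm_t)` in the third xserver.te hunk gives the display manager create/delete/rename on every user_tmp_t directory, content that unprivileged users control; since xdm_t runs as root, that is the classic setup for symlink and rename races if the code path is a cleanup or per-session directory creation. The hunk does not say which operation needs it, so a comment naming it would let a later reader judge whether delete alone (or the existing manage_user_tmp_sockets line) suffices, e.g. `# xdm creates/removes per-session dirs under /tmp (TODO: name the operation)`. Moving `fs_list_inotifyfs` off xserver_t in the last hunk is a correct fix for a misplaced rule.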
@@ -931,6 +933,10 @@
 ')
 optional_policy(`
+ sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
 unconfined_domain(xserver_t)
 unconfined_domtrans(xserver_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc 2009-06-25 10:21:01.000000000 +0200
@@ -24,6 +24,8 @@
 /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
+
 /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
 /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -44,4 +46,3 @@
 /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-25 10:21:01.000000000 +0200
@@ -42,8 +42,7 @@
 #
 interface(`auth_login_pgm_domain',`
 gen_require(`
- type var_auth_t;
- type auth_cache_t;
+ type var_auth_t, auth_cache_t;
 ')
 domain_type($1)
@@ -77,6 +76,8 @@
 # for SSP/ProPolice
 dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
 # for fingerprint readers
 dev_rw_input_dev($1)
 dev_rw_generic_usb_dev($1)
@@ -143,6 +144,11 @@
 ')
 optional_policy(`
+ kerberos_manage_host_rcache($1)
+ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
 fprintd_dbus_chat($1)
 ')
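Review bot: `kerberos_manage_host_rcache($1)` in the last authlogin.if hunk hands every login-program domain create/unlink on the host replay cache, which is what stops a captured authenticator from being accepted a second time by anything validating against the host keytab; a compromised login helper could empty it. If the need is the usual pam_krb5 ticket verification, say so above the line so the grant is not copied elsewhere, e.g. `# pam_krb5 validates the user TGT against the host keytab and updates the host replay cache`, and check whether a read/write variant of the interface exists in kerberos.if, since truncate/unlink does not look necessary for that. The enclosing auth_login_pgm_domain interface starts and ends outside this hunk.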
@@ -238,6 +244,96 @@
 ########################################
 ##
+## Search authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_search_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ allow $1 auth_cache_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_read_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ read_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+########################################
+##
+## Read/Write authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_rw_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ rw_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+########################################
+##
+## Manage authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_manage_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ manage_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+#######################################
+##
+## Automatic transition from cache_t to cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_var_filetrans_cache',`
+ gen_require(`
+ type auth_cache_t;
+ ')
+
+ files_var_filetrans($1,auth_cache_t,{ file dir } )
+')
+
+########################################
+##
 ## Run unix_chkpwd to check a password.
 ##
 ##
@@ -726,7 +822,7 @@
 ########################################
 ##
-## Send signal to pam process
+## Send generic signals to pam processes.
 ##
 ##
 ##
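Review bot: The new `auth_var_filetrans_cache` only emits `files_var_filetrans($1,auth_cache_t,{ file dir } )`, and `auth_manage_cache` only grants `manage_files_pattern`, so no interface in this set lets a caller create or remove auth_cache_t directories even though the transition rule names `dir`; the removed `auth_filetrans_cache` bundled manage_files + manage_dirs with the transition, so a caller ported to the new pair silently loses directory creation. Adding `manage_dirs_pattern($1, auth_cache_t, auth_cache_t)` to `auth_manage_cache` restores that. The summary "Automatic transition from cache_t to cache." does not describe the rule; something like `## Create files and directories under /var (var_t) with the auth_cache_t type.` would, and the argument spacing in the files_var_filetrans call should match the `$1, auth_cache_t, auth_cache_t` style used two interfaces above.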
@@ -1258,6 +1354,25 @@
 ########################################
 ##
+## dontaudit read login records files (/var/log/wtmp).
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`auth_dontaudit_read_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts to write to
 ## login records files.
 ##
@@ -1415,6 +1530,10 @@
 ')
 optional_policy(`
+ nslcd_use($1)
+ ')
+
+ optional_policy(`
 sssd_stream_connect($1)
 ')
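Review bot: The parameter text of the new `auth_dontaudit_read_login_records` says "Domain allowed access.", but the rule is a dontaudit and grants nothing; the neighbouring `auth_dontaudit_write_login_records` style for this file is `## Domain to not audit.`, and the summary would read better as `## Do not audit attempts to read login records files (/var/log/wtmp).` to match the write variant that follows it. Both are wording-only changes to the interface header.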
@@ -1456,99 +1575,3 @@
 typeattribute $1 can_write_shadow_passwords;
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
-
-########################################
-##
-## Search authentication cache
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`auth_search_cache',`
- gen_require(`
- type auth_cache_t;
- ')
-
- allow $1 auth_cache_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Read authentication cache
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`auth_read_cache',`
- gen_require(`
- type auth_cache_t;
- ')
-
- read_files_pattern($1, auth_cache_t, auth_cache_t)
-')
-
-########################################
-##
-## Read/Write authentication cache
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`auth_rw_cache',`
- gen_require(`
- type auth_cache_t;
- ')
-
- rw_files_pattern($1, auth_cache_t, auth_cache_t)
-')
-########################################
-##
-## Manage authentication cache
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`auth_manage_cache',`
- gen_require(`
- type auth_cache_t;
- ')
-
- manage_files_pattern($1, auth_cache_t, auth_cache_t)
-')
-
-#######################################
-##
-## Automatic transition from cache_t to cache.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`auth_filetrans_cache',`
- gen_require(`
- type auth_cache_t;
- ')
-
- manage_files_pattern($1, auth_cache_t, auth_cache_t)
- manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
- files_var_filetrans($1,auth_cache_t,{ file dir } )
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.te 2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
-policy_module(authlogin, 2.0.0)
+policy_module(authlogin, 2.0.2)
 ########################################
 #
@@ -10,9 +10,12 @@
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
-typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t };
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
 typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
 application_domain(chkpwd_t, chkpwd_exec_t)
 role system_r types chkpwd_t;
@@ -57,15 +60,13 @@
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 type utempter_t;
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
-type auth_cache_t;
-logging_log_file(auth_cache_t)
-
 #
 # var_auth_t is the type of /var/lib/auth, usually
 # used for auth data in pam_able
@@ -180,11 +181,6 @@
 logging_send_syslog_msg(pam_t)
-userdom_write_user_tmp_files(pam_t)
-userdom_delete_user_tmp_files(pam_t)
-userdom_dontaudit_read_user_home_content_files(pam_t)
-userdom_dontaudit_write_user_home_content_files(pam_t)
-
 ifdef(`distro_ubuntu',`
 optional_policy(`
 unconfined_domain(pam_t)
@@ -200,7 +196,7 @@
 # PAM console local policy
 #
-allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid };
+allow pam_console_t self:capability { chown fowner fsetid };
 dontaudit pam_console_t self:capability sys_tty_config;
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
@@ -218,8 +214,6 @@
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
-dev_getattr_cpu_dev(pam_console_t)
-dev_setattr_cpu_dev(pam_console_t)
 dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
 dev_getattr_input_dev(pam_console_t)
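Review bot: Dropping `system_chkpwd_t` from the chkpwd_t typealias in the second hunk is an interface-breaking change: any module or local policy with `gen_require(\` type system_chkpwd_t; ')` stops loading, yet the first hunk only moves the module from 2.0.0 to 2.0.2. If the alias is dead in this tree, bumping the minor version and noting the removal above the line, e.g. `# system_chkpwd_t alias removed; callers use chkpwd_t directly`, gives downstream policy a chance to notice. The pam_console_t capability trim and the pam_t user-tmp removals further down are straightforward tightenings.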
@@ -244,10 +238,6 @@
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
-
-dev_getattr_all_chr_files(pam_console_t)
-dev_setattr_all_chr_files(pam_console_t)
-
 dev_read_urand(pam_console_t)
 mls_file_read_all_levels(pam_console_t)
@@ -329,6 +319,7 @@
 # updpwd local policy
 #
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:process setfscreate;
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@@ -336,6 +327,8 @@
 kernel_read_system_state(updpwd_t)
+dev_read_urand(updpwd_t)
+
 files_manage_etc_files(updpwd_t)
 term_dontaudit_use_console(updpwd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-06-25 10:21:01.000000000 +0200
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-06-25 10:21:01.000000000 +0200
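Review bot: `allow updpwd_t self:capability { chown dac_override };` in the updpwd hunk, together with the existing `files_manage_etc_files(updpwd_t)` shown as context two hunks later, lets the password-update helper write any etc_t file regardless of its DAC mode, not only the shadow file it is meant to rewrite. If dac_override is there for the rename-over-/etc/shadow sequence, a comment should say so, e.g. `# unix_update rewrites /etc/shadow via a temp file and chown()s it back`, and the `domain_obj_id_change_exemption(updpwd_t)` added earlier in this file is the matching half of that chown. Whether dac_read_search would be enough instead cannot be told from the hunk.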
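Review bot: Labeling `/etc/sysconfig/network-scripts/ifup-ipsec` as `initrc_exec_t` in the init.fc hunk means whatever invokes it (the network scripts, or dhcpc_t on an ifup) transitions into initrc_t, one of the broadest domains in the policy, for a script whose job is to drive setkey and racoon. The ipsec module already has a management domain (ipsec_mgmt_t, with `modutils_domtrans_insmod` and racoon/setkey handling visible later in this patch), so `ipsec_mgmt_exec_t` looks like the narrower label if it covers what the script does; if initrc_t is deliberate, a comment above the line naming the missing access would stop the next reader from "fixing" it.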
@@ -285,6 +285,7 @@
 kernel_dontaudit_getattr_message_if(initrc_t)
 kernel_stream_connect(initrc_t)
 files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
 files_read_kernel_symbol_table(initrc_t)
 files_exec_etc_files(initrc_t)
@@ -750,6 +751,7 @@
 mysql_stream_connect(initrc_t)
 mysql_write_log(initrc_t)
+ mysql_read_config(initrc_t)
 ')
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.9.0)
+policy_module(ipsec, 1.9.1)
 ########################################
 #
@@ -53,7 +53,7 @@
 # ipsec Local policy
 #
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -67,7 +67,7 @@
 read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
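Review bot: Changing `rw_files_pattern` to `manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)` in the last hunk gives the network-facing IKE daemon create, unlink and rename on its own key material, so a memory-safety bug reachable from the wire now also lets an attacker replace the host's private keys and secrets rather than just read them. The hunk does not say which write the daemon was denied; a comment naming it, e.g. `# pluto rewrites files under its key directory on <operation>`, would justify the step up from rw, and if the write is confined to one subdirectory a separate type for that path would keep the static secrets at rw. The `sys_nice` addition and the udp-bind reordering in the later hunks look harmless.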
@@ -103,13 +103,11 @@
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
-
-corenet_udp_bind_all_nodes(ipsec_t)
 corenet_udp_bind_isakmp_port(ipsec_t)
 corenet_udp_bind_ipsecnat_port(ipsec_t)
-
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
@@ -130,7 +128,7 @@
 files_read_etc_files(ipsec_t)
 files_read_usr_files(ipsec_t)
-files_search_tmp(ipsec_t)
+files_list_tmp(ipsec_t)
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
@@ -158,12 +156,12 @@
 #
 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
@@ -171,8 +169,6 @@
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
-logging_send_syslog_msg(ipsec_mgmt_t)
-
 manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -248,6 +244,8 @@
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
+logging_send_syslog_msg(ipsec_mgmt_t)
+
 miscfiles_read_localization(ipsec_mgmt_t)
 modutils_domtrans_insmod(ipsec_mgmt_t)
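Review bot: Adding `ptrace` to `allow ipsec_mgmt_t self:process { signal setrlimit ptrace };` lets any process in the management domain trace any other one in it, which is unusual for a script domain and is normally the signature of a liveness probe that can be dontaudited rather than allowed. If the denial came from the `ipsec` wrapper checking on a running pluto, `dontaudit ipsec_mgmt_t self:process ptrace;` keeps the log quiet without granting it; if a real ptrace is needed, the line deserves a comment saying by what. The `rw_file_perms` to `rw_fifo_file_perms` correction on the fifo_file line is right.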
@@ -284,6 +282,7 @@
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -301,11 +300,21 @@
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
+can_exec(racoon_t, racoon_exec_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
-corenet_udp_sendrecv_all_if(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 dev_read_urand(racoon_t)
@@ -348,6 +357,7 @@
 files_read_etc_files(setkey_t)
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-06-25 10:21:01.000000000 +0200
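Review bot: `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)` in the second hunk give the IKE daemon, which parses unauthenticated UDP 500/4500 traffic from anyone on the network, the ability to run a shell and every bin_t program inside its own domain, so a parser bug becomes an arbitrary-command foothold with net_admin-class network access granted a few lines below. This looks like support for racoon.conf script hooks (the `sysnet_exec_ifconfig` and fifo additions point the same way); those are better run through a domain transition into a dedicated hook domain, or at least gated by a tunable so hosts without hooks keep the daemon unable to exec, and the lines need a comment naming the feature, e.g. `# racoon.conf phase1/phase2 script hooks (TODO: confine in a separate domain)`. `can_exec(racoon_t, racoon_exec_t)` re-executing its own binary is cheap but should also say why.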
@@ -69,6 +69,7 @@
 dev_rw_sysfs(iscsid_t)
 domain_use_interactive_fds(iscsid_t)
+domain_read_all_domains_state(iscsid_t)
 files_read_etc_files(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-29 14:16:57.000000000 +0200
@@ -139,6 +139,7 @@
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -190,6 +191,7 @@
 /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
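Review bot: The new `/usr/lib64/maxima/[^/]+/binary-gcl/maxima` entry duplicates the `/usr/lib/maxima/...` line right below it instead of using the `/usr/lib(64)?/` form every other entry in this hunk uses; folding the two into `/usr/lib(64)?/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)` keeps the file consistent and avoids the pair drifting apart later. Separately, `domain_read_all_domains_state(iscsid_t)` in the iscsi hunk reads /proc/<pid> of every domain on the box; if iscsid only needs to find its own or a specific helper, a narrower interface or a comment naming the consumer would keep that grant from growing.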
@@ -284,6 +286,7 @@
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 # vmware
+HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -366,9 +369,10 @@
 /usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-06-25 10:21:01.000000000 +0200
@@ -211,6 +211,7 @@
 # Sulogin local policy
 #
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_file_perms;
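Review bot: The `HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so` entry is the first textrel_shlib_t path in this hunk that lies in a user-writable location, so after a restorecon any .so a user drops under that name gets the type that confined domains are allowed execmod on, whereas the same file as user_home_t would be refused; the regex is at least pinned to the vmrc filename, which limits it, but the trade-off should be recorded above the line, e.g. `# user-installed VMware VMRC plugin; textrel_shlib_t on a home path grants execmod to anything that can map it`. It also needs to win over whatever labels `HOME_DIR/\.mozilla` in mozilla.fc, which the longest-match rule should give it but is worth a check with matchpathcon. The trailing `midori` line is fine.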
@@ -258,7 +259,10 @@
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+ define(`sulogin_no_pam')
+ selinux_compute_user_contexts(sulogin_t)
+')
 ifdef(`sulogin_no_pam', `
 allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-06-25 10:21:01.000000000 +0200
@@ -45,7 +45,7 @@
 # DHCP client local policy
 #
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-25 10:21:01.000000000 +0200
@@ -112,6 +112,7 @@
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
 mcs_ptrace_all(udev_t)
@@ -196,6 +197,10 @@
 ')
 optional_policy(`
+ bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
 brctl_domtrans(udev_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-25 10:21:01.000000000 +0200
@@ -627,12 +627,6 @@
 ')
 optional_policy(`
- devicekit_dbus_chat($1_usertype)
- devicekit_power_dbus_chat($1_usertype)
- devicekit_disk_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
 evolution_dbus_chat($1_usertype)
 evolution_alarm_dbus_chat($1_usertype)
 ')
@@ -968,6 +962,16 @@
 ')
 optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_power_dbus_chat($1_usertype)
+ devicekit_disk_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ gnomeclock_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
 gnome_manage_config($1_usertype)
 gnome_manage_gconf_home_files($1_usertype)
 gnome_read_gconf_config($1_usertype)
@@ -1880,7 +1884,7 @@
 type user_home_t;
 ')
- allow $1 user_home_t:dir delete_file_perms;
+ allow $1 user_home_t:file delete_file_perms;
 ')
@@ -3317,10 +3321,6 @@
 seutil_run_newrole($1_t, $1_r)
 optional_policy(`
- gnomeclock_dbus_chat($1_t)
- ')
-
- optional_policy(`
 kerneloops_dbus_chat($1_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-06-25 10:21:01.000000000 +0200
@@ -38,6 +38,7 @@
 dev_read_sound(virtualdomain)
 dev_write_sound(virtualdomain)
 dev_rw_kvm(virtualdomain)
+dev_rw_ksm(virtualdomain)
 dev_rw_qemu(virtualdomain)
 domain_use_interactive_fds(virtualdomain)
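Review bot: `gnomeclock_dbus_chat($1_usertype)` moves from the template that also grants `seutil_run_newrole($1_t, $1_r)` (an admin-side template, judging by that context line) into the common one, and from the single `$1_t` domain to the whole `$1_usertype` attribute, so every user type and every application domain carrying that attribute can now talk to the system clock helper over D-Bus. That is the right call only if the helper enforces its own PolicyKit check on the actual time-set method; the hunk cannot show that, so a comment above the line stating the assumption, e.g. `# gnomeclock authorizes time changes via polkit; dbus access alone is not privilege`, would make the widening reviewable. The `user_home_t:dir` to `user_home_t:file` correction in the third hunk is a genuine fix for a permission set that never matched its class.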
@@ -63,10 +64,6 @@
 miscfiles_read_localization(virtualdomain)
 optional_policy(`
- dbus_system_bus_client(virtualdomain)
-')
-
-optional_policy(`
 virt_read_config(virtualdomain)
 virt_read_lib_files(virtualdomain)
 virt_read_content(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-06-25 10:21:01.000000000 +0200
@@ -419,6 +419,7 @@
 kernel_read_xen_state(xm_ssh_t)
 kernel_write_xen_state(xm_ssh_t)
+userdom_search_admin_dir(xm_ssh_t)
 #Should have a boolean wrapping these
 fs_list_auto_mountpoints(xend_t)