diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.18/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
+++ serefpolicy-3.7.18/Makefile 2010-04-08 15:25:23.000000000 -0400
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
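Review bot: The two context files appended to `appfiles` are listed unconditionally, so `make install` will presumably fail for any `$(TYPE)` whose `config/appconfig-$(TYPE)/` directory does not ship `virtual_image_context` and `virtual_domain_context`; the install rule that consumes `$(appfiles)` is outside this hunk, so I cannot see whether it tolerates a missing source. Since these files are, as far as I know, what libvirt reads to choose labels for guest domains and disk images, an empty or absent file is a silent labeling failure rather than a build error, which is worth flagging in the Makefile. Suggested comment above the assignment: `# virtual_*_context are consumed by libvirt (sVirt) to label guest domains and images; every appconfig-$(TYPE) must provide them`.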
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.18/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.18/policy/global_tunables 2010-04-08 15:25:24.000000000 -0400
@@ -61,15 +61,6 @@
##
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-##
## Allow any files/directories to be exported read/write via NFS.
##
+## Allow direct login to the console device. Required for System 390 +##
+##+## Allow certain domains to map low memory in the kernel +##
+##+## This template creates a derived domains which are used +## for execmem applications. +##
+##+## Allow the Irssi IRC Client to connect to any port, +## and to bind to any unreserved port. +##
+##+## Execute a mozilla_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Execute a mplayer_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## This template creates a derived domains which are used +## for nsplugin web browser. +##
+##+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##
+##+## Execute a nsplugin_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Allow nsplugin code to execmem/execstack +##
+##+## Allow nsplugin code to connect to unreserved ports +##
+##+## This template creates a derived domains which are used +## for java applications. +##
+##+## Execute a openoffice_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified +## domain. +##
+##+## This template creates a derived domains which are used +## for consolehelper applications. +##
+##+## Ignore wine mmap_zero errors +##
+##+## Allow all domains to use other domains file descriptors +##
+##+## Allow all domains to have the kernel load modules +##
+##+## Allow shared library text relocations in tmp files. +##
+##+## This is added to support java policy. +##
+##+## Create a core file in /, +##
+##+## Create a default_t direcrory +##
+##+## Change from the unconfineduser role to +## the specified role. +##
+##+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##
+##+## Allow unconfined to execute the specified program in +## the specified domain. +##
+##+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##
+##+## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +##
+##+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##
+##+## Do not audit attempts to read or write +## unconfined domain tcp sockets. +##
+##+## This interface was added due to a broken +## symptom in ldconfig. +##
+##+## Do not audit attempts to read or write +## unconfined domain packet sockets. +##
+##+## This interface was added due to a broken +## symptom. +##
+##+## Transition to confined nsplugin domains from unconfined user +##
+##+## Allow a user to login as an unconfined domain +##
+##+## Transition to confined qemu domains from unconfined user +##
+##-## Allow xguest to configure Network Manager +## Allow xguest to configure Network Manager and connect to apache ports ##
#### Allow Apache to modify public files ## used for public file transfer services. Directories/Files must -## be labeled public_content_rw_t. +## be labeled public_rw_content_t. ##
##+## Allow httpd scripts and modules execmem/execstack +##
+#### Allow httpd to use built in scripting (usually php) ##
##+## Allow HTTPD scripts and modules to connect to cobbler over the network. +##
+#### Allow HTTPD scripts and modules to connect to databases over the network. ##
##+## Allow httpd to read user content +##
+#### Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##
##+## Allow Apache to execute tmp content. +##
+#### Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. @@ -143,6 +173,13 @@ ##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. +##
+##+## Allow Apache to use mod_auth_pam +##
+##+## cgrulesengd is a daemon, which distributes processes +## to control groups. When any process changes its +## effective UID or GID, cgred inspects list of +## rules loaded from cgrules.conf file and moves the +## process to the appropriate control group. +##
+##+## The list of rules is read during the daemon startup and +## are cached in daemons memory. The daemon reloads the +## list of rules when it receives SIGUSR2 signal. +##
+##+## Allow clamd to use JIT compiler +##
+##+## DenyHosts is a script intended to be run by Linux +## system administrators to help thwart SSH server attacks +## (also known as dictionary based attacks and brute force +## attacks). +##
+##+## Allow ftp servers to use connect to mysql database +##
+#### Allow ftp to read and write files in the user home directories ##
##+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##
+##+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##
+##+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##
+##+## Allow sftp-internal to read and write files +## in the user home directories +##
+##+## A really simple TCP git daemon that normally listens on +## port DEFAULT_GIT_PORT aka 9418. It waits for a +## connection asking for a service, and will serve that +## service if it is enabled. +##
+##+## Allow Git daemon system to search home directories. +##
+##+## Allow Git daemon system to access cifs file systems. +##
+##+## Allow Git daemon system to access nfs file systems. +##
+##+## Allow Git daemon session to bind +## tcp sockets to all unreserved ports. +##
+##+## Allow fenced domain to connect to the network using TCP. +##
+##+## Allow confined applications to use nscd shared memory. +##
+##+## Allow postfix_local domain full write access to mail_spool directories +## +##
+##+## Allow rgmanager domain to connect to the network using TCP. +##
+##+## Allow fenced domain to connect to the network using TCP. +##
+##+## Allow rsync to run as a client +##
+#### Allow rsync to export any files/directories read only. ##
##+## Allow samba to export ntfs/fusefs volumes. +##
+##+## Allow squid to run as a transparent proxy (TPROXY) +##
+##-## Allow virt to manage device configuration, (pci) -##
-#### Allow virt to use usb devices ##
##+## Allows XServer to execute writable memory +##
+#### Allow xdm logins as sysadm ##
##+## Execute a init script in a specified role +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Allow all daemons the ability to read/write terminals +##
+##+## Allow all daemons to write corefiles to / +##
+##+## Execute dhclient script in a specified role +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##-## Allow unconfined to execute the specified program in -## the specified domain. -##
-##-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##
-##-## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##
-##-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##
-##-## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##
-##-## This interface was added due to a broken -## symptom in ldconfig. -##
-##+## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +##
+##+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##
+##-## Allow users to read system messages. -##
-#### Allow user to r/w files on filesystems ## that do not have extended attributes (FAT, CDROM, FLOPPY) ##
@@ -54,11 +47,20 @@ # all user domains attribute userdomain; +attribute userhomereader; +attribute userhomewriter; + # unprivileged user domains attribute unpriv_userdomain; -attribute untrusted_content_type; -attribute untrusted_content_tmp_type; +# unprivileged user domains +attribute user_home_type; + +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) @@ -72,6 +74,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +typeattribute user_home_t user_home_type; userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) 
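Review bot: The comment added above `attribute user_home_type;` repeats the existing `# unprivileged user domains` heading, but the attribute is attached to file types (`typeattribute user_home_t user_home_type;` later in this hunk, and `home_cert_t` is declared with it in the next hunk), not to process domains, so the copied comment is misleading; suggest `# types holding user home directory content` instead. The new `userhomereader`/`userhomewriter` attributes are also added without any comment saying what they gate; from the later tunable_policy blocks they appear to collect domains that read user home content on NFS/CIFS, so a line such as `# domains that read (resp. write) user home content; used by the nfs/cifs home dir tunables` would help the next maintainer. The declarations section this hunk edits continues outside the hunk.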
@@ -97,3 +100,29 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +type home_cert_t, user_home_type; +files_type(home_cert_t) +ubac_constrained(home_cert_t) + +tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(userhomereader) + fs_read_nfs_files(userhomereader) + fs_read_nfs_symlinks(userhomereader) + fs_read_nfs_named_sockets(userhomereader) + fs_read_nfs_named_pipes(userhomereader) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(userhomereader) + fs_read_cifs_files(userhomereader) + fs_read_cifs_symlinks(userhomereader) + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') + +allow userdomain userdomain:process signull; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.18/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.7.18/policy/modules/system/xen.if 2010-04-08 15:25:24.000000000 -0400 @@ -213,8 +213,9 @@ interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; + attribute xm_transition_domain; ') - + typeattribute $1 xm_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.18/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.7.18/policy/modules/system/xen.te 2010-04-08 15:25:24.000000000 -0400 @@ -5,6 +5,7 @@ # # Declarations # +attribute xm_transition_domain; ##@@ -347,6 +348,7 @@ files_read_usr_files(xenstored_t) +fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) 
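Review bot: `tunable_policy(`allow_console_login', term_use_console(userdomain))` grants console access to every member of `userdomain`, including unprivileged user domains, whereas the tunable's description visible earlier in this patch only says it is required for System 390; if the purpose is administrative console login, scoping it to an admin attribute instead of all of `userdomain` would be tighter, and the boolean's description should at least state that it applies to all user domains. The unconditional `allow userdomain userdomain:process signull;` lets any user domain probe for the existence of processes in any other user domain (e.g. user_t against sysadm_t), a small cross-role information leak; a comment explaining why it is needed would help, e.g. `# signull only checks that a pid exists, no signal is delivered; needed for pid probing between user domains`. The nfs/cifs tunables give `userhomereader` read access to all nfs_t/cifs_t content rather than home directories only, since those filesystems carry a single type, which is worth noting in a comment next to the tunable blocks.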
@@ -438,6 +440,12 @@ ') optional_policy(` + vhostmd_rw_tmpfs_files(xm_t) + vhostmd_stream_connect(xm_t) + vhostmd_dontaudit_rw_stream_connect(xm_t) +') + +optional_policy(` virt_domtrans(xm_t) virt_manage_images(xm_t) virt_manage_config(xm_t) @@ -454,11 +462,14 @@ kernel_read_xen_state(xm_ssh_t) kernel_write_xen_state(xm_ssh_t) + dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms; files_search_tmp(xm_ssh_t) fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) + userdom_search_admin_dir(xm_ssh_t) + #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.18/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.18/policy/support/misc_patterns.spt 2010-04-08 15:25:24.000000000 -0400 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; ') @@ -34,8 +34,12 @@ domain_auto_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; + + ifdef(`hide_broken_symptoms', ` + dontaudit $3 $1:socket_class_set { read write }; + ') ') # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.18/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500 +++ serefpolicy-3.7.18/policy/support/obj_perm_sets.spt 2010-04-08 15:25:24.000000000 -0400 
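Review bot: The new `dontaudit $3 $1:socket_class_set { read write }` is added only to `domain_auto_trans_pattern` (second misc_patterns.spt hunk), not to `domtrans_pattern` (first hunk), although both macros receive the identical `rw_inherited_fifo_file_perms` change; if hiding inherited-socket denials is wanted for one transition pattern it is presumably wanted for the other, or the asymmetry should be documented in the macro comment. Because `socket_class_set` is widened in this same patch, this dontaudit also silences denials on leaked generic `socket` and `tun_socket` descriptors, which is exactly the evidence an operator wants when a daemon inherits a socket it should not have; keeping it under `hide_broken_symptoms` is right, but a comment should say so: `# inherited sockets leaked across the transition: silence only, never allow`. The `rw_inherited_*` change itself is a tightening (the new domain can use but not re-open the caller's pipe) and deserves a line in the pattern's documentation comment, which is outside the hunk.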
@@ -28,7 +28,7 @@ # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # @@ -105,7 +105,7 @@ # # Permissions for using sockets. # -define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') +define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }') # # Permissions for creating and using sockets. 
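Review bot: Adding the generic `socket` and `tun_socket` classes to `socket_class_set` widens every existing rule built on the set, including any `allow ... self:socket_class_set create_socket_perms` style rules elsewhere in the policy, so domains that previously could not create tun sockets may now be able to; that may be intended for the virt work in this patch, but a comment on the define should warn that the set is used by allow rules and not only by dontaudit rules. `tun_socket` also has to be declared in the policy's flask definitions for the build to succeed, which I cannot see from this diff. Suggested comment above the define: `# includes the generic socket class and tun_socket; audit allow rules using this set before extending it`.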
@@ -199,12 +199,14 @@ # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') -define(`read_file_perms',`{ getattr open read lock ioctl }') +define(`read_inherited_file_perms',`{ getattr read ioctl lock }') +define(`read_file_perms',`{ open read_inherited_file_perms }') define(`mmap_file_perms',`{ getattr open read execute ioctl }') define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') define(`append_file_perms',`{ getattr open append lock ioctl }') define(`write_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ open rw_inherited_file_perms }') define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') @@ -225,7 +227,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') 
@@ -238,7 +240,8 @@ define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }') define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') @@ -271,7 +274,8 @@ define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }') define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') @@ -288,7 +292,8 @@ define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') 
@@ -305,7 +310,8 @@ # # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr open read write ioctl }') +define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }') +define(`rw_term_perms', `{ open rw_inherited_term_perms }') # # Sockets @@ -317,3 +323,14 @@ # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') + +# +# All +# +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } +') + +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.18/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 +++ serefpolicy-3.7.18/policy/users 2010-04-08 15:25:23.000000000 -0400 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) # -# Note: Identities without a prefix will not be listed +# Note: Identities without a prefix wil not be listed # in the users_extra file used by genhomedircon. # @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no 
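Review bot: `rw_inherited_term_perms` still contains `open`, so `rw_term_perms` expands to `{ open getattr open read write ioctl append }` and, more importantly, the "inherited" variant does not restrict a domain to an already-open terminal descriptor, unlike the parallel `rw_inherited_chr_file_perms` and `rw_inherited_fifo_file_perms` defined just above, which omit `open`. Any interface switched to `rw_inherited_term_perms` will silently keep granting fresh opens of the tty, defeating the least-privilege split this patch introduces. Fix: `define(`rw_inherited_term_perms', `{ getattr read write ioctl append }')`. Note also that `append` is newly added to `rw_term_perms` here, which widens every existing user of that set and should be called out in the change description.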
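Review bot: In `gen_user(system_u,, system_r unconfined_u, ...)` the third argument is the role set, and `unconfined_u` is a user identity, not a role; unless this is a transcription error in the diff, it should read `system_r unconfined_r`. Granting `system_u` the unconfined role at all is a significant relaxation, since processes running as the system identity may then sit in an unconfined role, so the hunk should carry a comment explaining the need, e.g. `# unconfined_r is granted so unconfined system services can run under the system_u identity`. The same file's comment change from `will` to `wil` introduces a typo and should be reverted.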
@@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. @@ -38,8 +35,4 @@ # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # -ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
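Review bot: `root` now receives `unconfined_r` first in its role set and `system_r` unconditionally, replacing the `direct_sysadm_daemon` conditional that previously gated `system_r`; this means a root login may land in the unconfined role regardless of how the policy was built, and root can run daemons directly in system_r even on builds that did not opt in. If that is deliberate for this distribution's targeted policy, the comment block above (which still only discusses staff_r versus sysadm_r) should say so, e.g. `# root is allowed unconfined_r and system_r unconditionally; restrict via default_contexts or semanage login, not here`. The prefix argument for staff_u, sysadm_u and root also changes from `staff`/`sysadm` to `user`, which per the header comment feeds users_extra/genhomedircon, so home directories of these identities will be labeled from the user_ home templates on the next relabel; that deserves a one-line note since it changes file contexts on installed systems.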