diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.13/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
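Review bot: The generic fallback now offers only `user_r:user_t:s0` for local_login, remote_login, sshd and xdm, so any SELinux user without its own `<seuser>_default_contexts` file that is not authorized for user_r has no valid login context here and drops through to failsafe_context, which this same patch switches to unconfined_t. That is fine for the stock users covered by the per-user files added in this patch, but custom seusers created later with semanage and no contexts file will behave differently from before, which deserves a comment at the top of the file, e.g. `# fallback only; every confined seuser is expected to ship its own <seuser>_default_contexts`. The crond fallback `system_r:system_crond_t:s0` is presumably reachable only by users authorized for system_r (system_u); stating that next to the line would save the next reader working it out.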
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context 2009-02-10 15:07:15.000000000 +0100
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
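Review bot: Switching failsafe_context from `sysadm_r:sysadm_t:s0` to `system_r:unconfined_t:s0` means the context used when no entry from default_contexts validates is now the fully unconfined domain rather than the confined administrative one, so a missing or mistyped per-user contexts file fails open instead of closed. Because this file sits under appconfig-mcs it applies to every MCS build, not only the targeted configuration; if that is the intent a comment such as `# failsafe for MCS/targeted builds: unconfined; MLS keeps sysadm_t` would make it explicit. Whether a confined seuser that is not authorized for system_r can actually use this failsafe depends on how libselinux validates the fallback, which is worth verifying before relying on it.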
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,6 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+guest_r:guest_t:s0 guest_r:guest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,11 +1,7 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
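Review bot: The comment block just above still reads "Uncomment if you want to automatically login as sysadm_r", but the sshd_t line below it is now active and its first candidate is `unconfined_r:unconfined_t:s0`, so root ssh logins default to the unconfined domain and the comment describes neither the state nor the effect. Replace it with something like `# root ssh logins default to unconfined_r; reorder or comment out to require sysadm_r`. The crond line was also changed from the `*_crond_t` domains to the plain user domains, matching the per-user files in this patch, but the appconfig-standard root file in this same patch keeps `sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t`, so the two configurations now disagree.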
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.5.13/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/seusers 2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
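Review bot: Mapping `__default__` to `unconfined_u:s0-mcs_systemhigh` makes every Linux account without an explicit seusers entry log in unconfined with the full MCS range, a large widening from the previous `user_u:s0` that should be called out in the file itself, e.g. `# unlisted users are unconfined; use 'semanage login -a -s user_u <name>' to confine one`. Since `__default__` is what new accounts get, the guest_u/xguest_u/user_u contexts files added elsewhere in this patch only take effect after an explicit login mapping, which is presumably the intended model but is not stated anywhere here. Note that `root` is likewise moved to unconfined_u with the full range, so the MCS root_default_contexts candidates other than unconfined_r are only reachable if that mapping is changed.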
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,10 +1,12 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+system_r:initrc_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -6,4 +6,6 @@
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context 2009-02-10 15:07:15.000000000 +0100
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
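Review bot: userhelper_context now names `system_u:system_r:unconfined_t:s0`, so anything launched through userhelper/consolehelper runs unconfined instead of in sysadm_t, and because the file lives under appconfig-mcs this applies to every MCS build rather than only targeted. A one-line comment in the file would spare the next reader the archaeology: `# context for privileged programs started via userhelper; unconfined under MCS/targeted builds`. Reaching unconfined_t from the userhelper domain presumably also depends on a transition rule that is not part of this patch.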
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,8 +1,9 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
-
+system_r:initrc_su_t:s0 user_r:user_t:s0
+user_r:user_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,7 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
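Review bot: The first five entries omit the level on the source context (`system_r:local_login_t`) while the sixth carries it (`system_r:initrc_su_t:s0`), and every other appconfig-mcs file in this patch writes the source as `role:type:s0`. If get_default_context compares the whole source field, those five lines never match and xguest logins silently fall through to the generic default_contexts; if it ignores the level the difference is only cosmetic, but either way the file should be uniform: `system_r:local_login_t:s0 xguest_r:xguest_t:s0`, and likewise for the remote_login, sshd, crond and xdm lines. The appconfig-mls copy in this patch has the same omission.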
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.13/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:system_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
-system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
-
-staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-
-sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
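Review bot: As with the MCS copy, the generic MLS fallback now lists only `user_r:user_t:s0` for the login domains, so under MLS a seuser without its own contexts file that is not authorized for user_r gets no valid context from this file, and the MLS failsafe_context is not touched by this patch. A header comment stating that the file is a fallback and that each confined seuser is expected to have a `<seuser>_default_contexts` file would make the dependency explicit. The crond fallback `system_r:system_crond_t:s0` is presumably only usable by system_u, which is also worth noting inline.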
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
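Review bot: This MLS guest file lacks the `system_r:initrc_su_t:s0 guest_r:guest_t:s0` and `guest_r:guest_t:s0 guest_r:guest_t:s0` entries that the MCS guest file in this patch carries, while the MLS xguest file added alongside does include both, so it is unclear whether the omission is deliberate. If guest_t should be reachable after an initrc su or from itself under MLS, add the two lines; otherwise a short comment explaining why guest differs from xguest would keep the question from resurfacing.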
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,11 +1,11 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 user_r:user_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,7 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
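Review bot: The five login/cron/xdm entries drop the level from the source context (`system_r:local_login_t`) while the initrc_su_t entry keeps it, the same inconsistency as in the MCS xguest file in this patch; under MLS the level is more likely to matter for matching, so if libselinux compares the full source field these lines will never apply. Make them uniform with the rest of appconfig-mls: `system_r:local_login_t:s0 xguest_r:xguest_t:s0` and the same for the remote_login, sshd, crond and xdm lines.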
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
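Review bot: The crond entry targets `guest_r:guest_crond_t`, whereas every other contexts file in this patch moves cron jobs into the plain user domain (`user_r:user_t`, `staff_r:staff_t`, and `guest_r:guest_t:s0` in the MCS/MLS guest files), and the gpg/gnome hunks show per-role derived types being collapsed. If guest_crond_t is not declared in the standard build, this candidate never validates and guest cron jobs fall back to the generic default_contexts; `system_r:crond_t guest_r:guest_t` would match the MCS file. The same applies to the `xguest_crond_t` entry in the standard xguest file added by this patch.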
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts
--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,11 +1,7 @@
system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-
#
# Uncomment if you want to automatically login as sysadm_r
#
-#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
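Review bot: The `# Uncomment if you want to automatically login as sysadm_r` comment is now stale: the sshd_t line below it is active and its first candidate is `unconfined_r:unconfined_t`, so the file reads as opt-in when root ssh logins are already unconfined by default. The unchanged crond line above still lists `sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t` while the MCS root file in this patch was switched to the plain user domains; if those derived cron types are being removed, this line is dead and should become `system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t` for consistency.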
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t staff_r:staff_crond_t
+system_r:crond_t staff_r:staff_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
-system_r:crond_t user_r:user_crond_t
+system_r:crond_t user_r:user_t
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
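Review bot: `system_r:crond_t xguest_r:xguest_crond_t` names a derived cron domain that the rest of this patch is eliminating (the MCS and MLS xguest files use `xguest_r:xguest_t`, and user/staff moved to their plain domains), so unless xguest_crond_t survives in the standard build this candidate will never validate. Use `system_r:crond_t xguest_r:xguest_t` to match the other configurations, or add a comment stating why the standard build keeps a separate cron domain for xguest.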
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.13/Makefile
--- nsaserefpolicy/Makefile 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/Makefile 2009-02-10 15:07:15.000000000 +0100
@@ -311,20 +311,22 @@
# parse-rolemap modulename,outputfile
define parse-rolemap
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ echo "" >> $2
+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# perrole-expansion modulename,outputfile
define perrole-expansion
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
- $(call parse-rolemap,$1,$2)
- $(verbose) echo "')" >> $2
-
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
- $(call parse-rolemap-compat,$1,$2)
- $(verbose) echo "')" >> $2
+ echo "No longer doing perrole-expansion"
+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+# $(call parse-rolemap,$1,$2)
+# $(verbose) echo "')" >> $2
+
+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+# $(call parse-rolemap-compat,$1,$2)
+# $(verbose) echo "')" >> $2
endef
# create-base-per-role-tmpl modulenames,outputfile
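Review bot: The commented-out bodies of parse-rolemap and perrole-expansion should be deleted rather than kept as `#` lines: text inside a `define` is stored verbatim, so on every `$(call ...)` those lines are still expanded (including `$(verbose)`) and presumably passed to the shell as comments, and the bare `echo "No longer doing perrole-expansion"` lacks the `@`/`$(verbose)` prefix the rest of the Makefile uses, so it prints once per module on every build. More importantly, perrole-expansion used to create `$2` with `>` while parse-rolemap still appends to it with `>>`; with the creating step gone, any remaining caller of parse-rolemap (create-base-per-role-tmpl is referenced just below but its body is outside this hunk) appends to a file nothing truncates. Reduce both to explicit no-ops with a one-line comment, e.g. `# per-role templates were removed; kept as a no-op for callers` between `define perrole-expansion` and `endef`.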
@@ -523,6 +525,10 @@
@mkdir -p $(appdir)/users
$(verbose) $(INSTALL) -m 644 $^ $@
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
+ @mkdir -p $(appdir)
+ $(verbose) $(INSTALL) -m 644 $< $@
+
$(appdir)/%: $(appconf)/%
@mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.5.13/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/man/man8/nfs_selinux.8 2009-02-10 15:07:15.000000000 +0100
@@ -1,24 +1,25 @@
-.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
.SH "NAME"
-nfs_selinux \- Security Enhanced Linux Policy for NFS
+nfs_selinux \- Security-Enhanced Linux Policy for NFS
.SH "DESCRIPTION"
-Security-Enhanced Linux secures the nfs server via flexible mandatory access
+Security-Enhanced Linux secures the NFS server via flexible mandatory access
control.
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
-default SElinux policy does not allow nfs to share files. If you want to
-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
+SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
.TP
setsebool -P nfs_export_all_ro 1
.TP
-If you want to share files read/write you must set the nfs_export_all_rw boolean.
+If you want to share NFS partitions, and allow read and write access to those NFS partitions, turn the nfs_export_all_rw boolean on:
.TP
setsebool -P nfs_export_all_rw 1
.TP
-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
+
+.TP
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
.TP
setsebool -P use_nfs_home_dirs 1
.TP
@@ -26,5 +27,5 @@
.SH AUTHOR
This manual page was written by Dan Walsh .
-.SH "SEE ALSpppO"
+.SH "SEE ALSO"
selinux(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.5.13/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8 2008-10-17 14:49:10.000000000 +0200
+++ serefpolicy-3.5.13/man/man8/samba_selinux.8 2009-02-10 15:07:15.000000000 +0100
@@ -14,11 +14,17 @@
.TP
chcon -t samba_share_t /var/eng
.TP
-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
+To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
+.TP
+semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
+.TP
+This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
.TP
-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
/var/eng(/.*)? system_u:object_r:samba_share_t
+.TP
+Run the restorecon command to apply the changes:
+.TP
+restorecon -R -v /var/eng/
.SH SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/flask/access_vectors 2009-02-10 15:07:15.000000000 +0100
@@ -616,6 +616,7 @@
nlmsg_write
nlmsg_relay
nlmsg_readpriv
+ nlmsg_tty_audit
}
class netlink_ip6fw_socket
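Review bot: `nlmsg_tty_audit` is appended to the permission list of the class whose tail is shown (nlmsg_relay/nlmsg_readpriv, presumably netlink_audit_socket), and its position must match the kernel's definition of that class on kernels without dynamic class/permission mapping, so the ordering is not arbitrary. Nothing in this patch grants the new permission to any domain, so either the rule lives in a .te change not shown or the vector is currently unused. A short comment on the line, `# nlmsg_tty_audit: TTY audit control; position must match the kernel class`, plus the kernel version that introduced it, would record why the vector grew.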
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.13/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/global_tunables 2009-02-10 15:07:15.000000000 +0100
@@ -34,7 +34,7 @@
##
##
-## Enable polyinstantiated directory support.
+## Allow login programs to use polyinstantiated directories.
##
##
gen_tunable(allow_polyinstantiation,false)
@@ -61,15 +61,6 @@
##
##
-## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-##
-##
-gen_tunable(mail_read_content,false)
-
-##
-##
## Allow any files/directories to be exported read/write via NFS.
##
##
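Review bot: Removing the `mail_read_content` tunable breaks the build of any module that still references it in a `tunable_policy` block, and nothing in this patch shows a matching change to the mail client policy, so that should be confirmed before merge. The following hunk of this file also looks mangled: the lines after `@@ -129,3 +120,12 @@` belong to gnome.if (its `diff`/`---`/`+++` header is missing), which suggests the patch as shown may not apply cleanly.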
@@ -129,3 +120,12 @@
##
##
gen_tunable(write_untrusted_content,false)
+
+##
##
-## Run gconfd in the role-specfic gconfd domain.
+## Run gconfd in the role-specific gconfd domain.
##
##
## This is a templated interface, and should only
@@ -169,7 +186,7 @@
########################################
##
-## manage gnome homedir content (.config)
+## read gnome homedir content (.config)
##
##
##
@@ -183,11 +200,97 @@
##
##
#
+template(`gnome_read_gnome_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ read_files_pattern($2, gnome_home_t, gnome_home_t)
+')
+
+########################################
+##
+## manage gnome homedir content (.config)
+##
+##
+## nn
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
template(`gnome_manage_user_gnome_config',`
gen_require(`
- type $1_gnome_home_t;
+ type gnome_home_t;
+ ')
+
+ manage_dirs_pattern($2, gnome_home_t, gnome_home_t)
+ manage_files_pattern($2, gnome_home_t, gnome_home_t)
+ manage_lnk_files_pattern($2, gnome_home_t, gnome_home_t)
+')
+
+########################################
+##
+## Execute gconf programs in
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+########################################
+##
+## Read gconf home files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_read_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+##
+## Connect to gnome over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`gnome_stream_connect',`
+ gen_require(`
+ type gnome_home_t;
')
- allow $2 $1_gnome_home_t:dir manage_dir_perms;
- allow $2 $1_gnome_home_t:file manage_file_perms;
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
')
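Review bot: `gnome_stream_connect` documents its second parameter as "The type of the user domain", but it is passed as the fourth argument of `stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)`, which is the domain of the server being connected to, so the docstring should read `The domain of the server listening on the socket (e.g. the user's pulseaudio daemon)`; the inline `# Connect to pulseaudit server` looks like a typo for pulseaudio. The templates `gnome_read_gnome_config` and `gnome_manage_user_gnome_config` still document a `$1` prefix that they no longer use (the per-role `$1_gnome_home_t` became the single `gnome_home_t`), so they could become plain interfaces taking one argument, and the stray `## nn` line in the manage template's doc block should go. `gnome_read_gnome_config` grants file reads via read_files_pattern, which adds dir search but not list permission, so callers enumerating the config directory will still be denied; compare `gnome_read_gconf_home_files`, which adds `allow $1 gconf_home_t:dir list_dir_perms` explicitly.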
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2009-02-10 15:07:15.000000000 +0100
@@ -8,8 +8,33 @@
attribute gnomedomain;
-type gconf_etc_t;
-files_type(gconf_etc_t)
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
+
+type gnome_home_t;
+userdom_user_home_type(gnome_home_t)
+userdom_user_home_content(user, gnome_home_t)
+
+type gconf_home_t;
+userdom_user_home_content(user, gconf_home_t)
+
+type gconf_tmp_t;
+files_tmp_file(gconf_tmp_t)
+
+typealias gnome_home_t alias unconfined_gnome_home_t;
+typealias gconf_home_t alias unconfined_gconf_home_t;
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+
+##############################
+#
+# Declarations
+#
+type gconfd_t, gnomedomain;
+application_domain(gconfd_t, gconfd_exec_t)
+role system_r types gconfd_exec_t;
+
+##############################
+#
+# Local Policy
+#
+
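Review bot: `role system_r types gconfd_exec_t;` names the executable file type rather than the process domain; it should be `role system_r types gconfd_t;`, since as written gconfd_t is associated with no role and any transition into it would fail the role check (checkpolicy does not reject a non-domain type in a role statement). The new gconfd_t domain is also declared with an empty "Local Policy" section, with no domtrans from the user domains and no rules on gconf_home_t or gconf_tmp_t, so unless those follow in a hunk not shown the domain is unreachable. The three `typealias ... alias unconfined_*` lines are presumably compatibility aliases for existing file contexts and modules; a one-line comment saying so, and when they can be removed, would help.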
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.13/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gpg.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,9 +1,9 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.13/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2009-02-10 15:07:15.000000000 +0100
@@ -37,6 +37,9 @@
template(`gpg_per_role_template',`
gen_require(`
type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t;
+ type gpg_t, gpg_helper_t;
+ type gpg_agent_t, gpg_pinentry_t;
+ type gpg_agent_tmp_t, gpg_secret_t;
')
########################################
@@ -44,290 +47,61 @@
# Declarations
#
- type $1_gpg_t;
- application_domain($1_gpg_t, gpg_exec_t)
- role $3 types $1_gpg_t;
-
- type $1_gpg_agent_t;
- application_domain($1_gpg_agent_t, gpg_agent_exec_t)
- role $3 types $1_gpg_agent_t;
-
- type $1_gpg_agent_tmp_t;
- files_tmp_file($1_gpg_agent_tmp_t)
-
- type $1_gpg_secret_t;
- userdom_user_home_content($1, $1_gpg_secret_t)
-
- type $1_gpg_helper_t;
- application_domain($1_gpg_helper_t, gpg_helper_exec_t)
- role $3 types $1_gpg_helper_t;
-
- type $1_gpg_pinentry_t;
- application_domain($1_gpg_pinentry_t, pinentry_exec_t)
- role $3 types $1_gpg_pinentry_t;
+ typealias gpg_t alias $1_gpg_t;
+ role $3 types gpg_t;
- ########################################
- #
- # GPG local policy
- #
-
- allow $1_gpg_t self:capability { ipc_lock setuid };
- allow { $2 $1_gpg_t } $1_gpg_t:process signal;
- # setrlimit is for ulimit -c 0
- allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
- allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
- allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
- # transition from the gpg domain to the helper domain
- domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-
- manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
- allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
- userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
-
- # transition from the userdomain to the derived domain
- domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
-
- # allow ps to show gpg
- ps_process_pattern($2, $1_gpg_t)
-
- corenet_all_recvfrom_unlabeled($1_gpg_t)
- corenet_all_recvfrom_netlabel($1_gpg_t)
- corenet_tcp_sendrecv_all_if($1_gpg_t)
- corenet_udp_sendrecv_all_if($1_gpg_t)
- corenet_tcp_sendrecv_all_nodes($1_gpg_t)
- corenet_udp_sendrecv_all_nodes($1_gpg_t)
- corenet_tcp_sendrecv_all_ports($1_gpg_t)
- corenet_udp_sendrecv_all_ports($1_gpg_t)
- corenet_tcp_connect_all_ports($1_gpg_t)
- corenet_sendrecv_all_client_packets($1_gpg_t)
-
- dev_read_rand($1_gpg_t)
- dev_read_urand($1_gpg_t)
-
- fs_getattr_xattr_fs($1_gpg_t)
-
- domain_use_interactive_fds($1_gpg_t)
-
- files_read_etc_files($1_gpg_t)
- files_read_usr_files($1_gpg_t)
- files_dontaudit_search_var($1_gpg_t)
-
- libs_use_shared_libs($1_gpg_t)
- libs_use_ld_so($1_gpg_t)
-
- miscfiles_read_localization($1_gpg_t)
-
- logging_send_syslog_msg($1_gpg_t)
-
- sysnet_read_config($1_gpg_t)
-
- userdom_use_user_terminals($1, $1_gpg_t)
+ typealias gpg_agent_t alias $1_gpg_agent_t;
+ role $3 types gpg_agent_t;
- optional_policy(`
- nis_use_ypbind($1_gpg_t)
- ')
-
- ifdef(`TODO',`
- # Read content to encrypt/decrypt/sign
- read_content($1_gpg_t, $1)
-
- # Write content to encrypt/decrypt/sign
- write_trusted($1_gpg_t, $1)
- ') dnl end TODO
-
- ########################################
- #
- # GPG helper local policy
- #
-
- # for helper programs (which automatically fetch keys)
- # Note: this is only tested with the hkp interface. If you use eg the
- # mail interface you will likely need additional permissions.
-
- allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
- allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
- # communicate with the user
- allow $1_gpg_helper_t $2:fd use;
- allow $1_gpg_helper_t $2:fifo_file write;
-
- dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+ typealias gpg_helper_t alias $1_gpg_helper_t;
+ role $3 types gpg_helper_t;
- corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
- corenet_all_recvfrom_netlabel($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
- corenet_raw_sendrecv_all_if($1_gpg_helper_t)
- corenet_udp_sendrecv_all_if($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_tcp_bind_all_nodes($1_gpg_helper_t)
- corenet_udp_bind_all_nodes($1_gpg_helper_t)
- corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
- dev_read_urand($1_gpg_helper_t)
-
- files_read_etc_files($1_gpg_helper_t)
- # for nscd
- files_dontaudit_search_var($1_gpg_helper_t)
+ typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
+ role $3 types gpg_pinentry_t;
- libs_use_ld_so($1_gpg_helper_t)
- libs_use_shared_libs($1_gpg_helper_t)
+ typealias gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
+ typealias gpg_secret_t alias $1_gpg_secret_t;
- sysnet_read_config($1_gpg_helper_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
- ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_gpg_t)
- xserver_rw_xdm_pipes($1_gpg_t)
- ')
-
- ########################################
- #
- # GPG agent local policy
- #
+ # transition from the userdomain to the derived domain
+ domtrans_pattern($2, gpg_exec_t, gpg_t)
- # rlimit: gpg-agent wants to prevent coredumps
- allow $1_gpg_agent_t self:process setrlimit;
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
- allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
+ allow $2 gpg_t:process signal_perms;
- # Allow the gpg-agent to manage its tmp files (socket)
- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
- manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
+ # Thunderbird leaks descriptors
+ dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+ dontaudit gpg_t $2:udp_socket rw_socket_perms;
+ dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms;
+ dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
+ #Leaked File Descriptors
+ dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
- # allow gpg to connect to the gpg agent
- stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t)
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
# allow ps to show gpg-agent
ps_process_pattern($2, $1_gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
- allow $2 $1_gpg_agent_t:process { signal sigkill signull };
-
- # Allow the user to manage gpg-agent tmp files (socket)
- manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
-
- corecmd_search_bin($1_gpg_agent_t)
-
- domain_use_interactive_fds($1_gpg_agent_t)
-
- libs_use_ld_so($1_gpg_agent_t)
- libs_use_shared_libs($1_gpg_agent_t)
-
- miscfiles_read_localization($1_gpg_agent_t)
+ allow $2 gpg_agent_t:process signal_perms;
+ userdom_use_user_terminals($1, gpg_t)
# Write to the user domain tty.
- userdom_use_user_terminals($1, $1_gpg_agent_t)
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- userdom_search_user_home_dirs($1, $1_gpg_agent_t)
-
- tunable_policy(`gpg_agent_env_file',`
- # write ~/.gpg-agent-info or a similar to the users home dir
- # or subdir (gpg-agent --write-env-file option)
- #
- userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file)
- userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t)
- userdom_manage_user_home_content_files($1, $1_gpg_agent_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_gpg_agent_t)
- fs_manage_nfs_files($1_gpg_agent_t)
- fs_manage_nfs_symlinks($1_gpg_agent_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_gpg_agent_t)
- fs_manage_cifs_files($1_gpg_agent_t)
- fs_manage_cifs_symlinks($1_gpg_agent_t)
- ')
-
- ##############################
- #
- # Pinentry local policy
- #
-
- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
- # we need to allow gpg-agent to call pinentry so it can get the passphrase
- # from the user.
- domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
- # read /proc/meminfo
- kernel_read_system_state($1_gpg_pinentry_t)
+ userdom_use_user_terminals($1, gpg_agent_t)
- files_read_usr_files($1_gpg_pinentry_t)
- # read /etc/X11/qtrc
- files_read_etc_files($1_gpg_pinentry_t)
-
- libs_use_ld_so($1_gpg_pinentry_t)
- libs_use_shared_libs($1_gpg_pinentry_t)
-
- miscfiles_read_fonts($1_gpg_pinentry_t)
- miscfiles_read_localization($1_gpg_pinentry_t)
-
- # for .Xauthority
- userdom_read_user_home_content_files($1, $1_gpg_pinentry_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files($1_gpg_pinentry_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files($1_gpg_pinentry_t)
- ')
-
- optional_policy(`
- xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
- ')
-
- ifdef(`TODO',`
- allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
- # wants to put some lock files into the user home dir, seems to work fine without
- dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
- dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
- tunable_policy(`use_nfs_home_dirs',`
- dontaudit $1_gpg_pinentry_t nfs_t:dir write;
- dontaudit $1_gpg_pinentry_t nfs_t:file write;
- ')
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+ allow gpg_helper_t $2:fifo_file rw_fifo_file_perms;
- tunable_policy(`use_samba_home_dirs',`
- dontaudit $1_gpg_pinentry_t cifs_t:dir write;
- dontaudit $1_gpg_pinentry_t cifs_t:file write;
- ')
+ userdom_use_user_terminals($1, gpg_helper_t)
+ unprivuser_manage_home_content_files(gpg_helper_t)
- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
- ') dnl end TODO
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
')
########################################
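Review bot: `unprivuser_manage_home_content_files(gpg_helper_t)` gives the keyserver helper — the one gpg domain that talks to the network — create/write/delete on every unprivileged user's home content, which is the opposite of what the removed `dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;` expressed; if gpg_secret_t carries the user home content attribute that `userdom_user_home_content` assigns, the matching dontaudit kept in gpg.te becomes meaningless. The helper's own needs in this hunk are the caller's fd and fifo (`allow gpg_helper_t $2:fd use;`, `allow gpg_helper_t $2:fifo_file rw_fifo_file_perms;`) plus network, so I would drop that line or replace it with the narrowest read interface the helper actually needs, with a comment naming the helper that needs it. Separately, `domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)` and `ps_process_pattern($2, $1_gpg_agent_t)` still address the agent through the alias while every neighbouring rule uses `gpg_agent_t`; use `gpg_agent_t` in both for consistency. The opening of `gpg_per_role_template` is outside this hunk.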
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.13/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/gpg.te 2009-02-10 15:07:15.000000000 +0100
@@ -15,15 +15,255 @@
gen_tunable(gpg_agent_env_file, false)
# Type for gpg or pgp executables.
+type gpg_t;
type gpg_exec_t;
+application_domain(gpg_t, gpg_exec_t)
+
+type gpg_helper_t;
type gpg_helper_exec_t;
-application_executable_file(gpg_exec_t)
-application_executable_file(gpg_helper_exec_t)
+application_domain(gpg_helper_t, gpg_helper_exec_t)
# Type for the gpg-agent executable.
+type gpg_agent_t;
type gpg_agent_exec_t;
-application_executable_file(gpg_agent_exec_t)
+application_domain(gpg_agent_t, gpg_agent_exec_t)
# type for the pinentry executable
+type gpg_pinentry_t;
type pinentry_exec_t;
-application_executable_file(pinentry_exec_t)
+application_domain(gpg_pinentry_t, pinentry_exec_t)
+
+type gpg_agent_tmp_t;
+files_tmp_file(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+userdom_user_home_content(user, gpg_secret_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+allow gpg_t self:process signal;
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { setrlimit getcap setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+allow gpg_t gpg_secret_t:dir create_dir_perms;
+
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
+kernel_read_sysctl(gpg_t)
+
+unprivuser_home_dir_filetrans_home_content(gpg_t, file)
+unprivuser_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+unprivuser_manage_home_content_files(gpg_t)
+unprivuser_manage_tmp_files(gpg_t)
+unprivuser_stream_connect(gpg_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_all_if(gpg_t)
+corenet_udp_sendrecv_all_if(gpg_t)
+corenet_tcp_sendrecv_all_nodes(gpg_t)
+corenet_udp_sendrecv_all_nodes(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+auth_use_nsswitch(gpg_t)
+
+libs_use_shared_libs(gpg_t)
+libs_use_ld_so(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+########################################
+#
+# GPG helper local policy
+#
+
+allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_all_if(gpg_helper_t)
+corenet_raw_sendrecv_all_if(gpg_helper_t)
+corenet_udp_sendrecv_all_if(gpg_helper_t)
+corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
+corenet_udp_sendrecv_all_nodes(gpg_helper_t)
+corenet_raw_sendrecv_all_nodes(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_all_nodes(gpg_helper_t)
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+
+fs_list_inotifyfs(gpg_helper_t)
+
+auth_use_nsswitch(gpg_helper_t)
+
+libs_use_ld_so(gpg_helper_t)
+libs_use_shared_libs(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_t)
+ fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_t)
+ fs_manage_cifs_files(gpg_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+# allow gpg to connect to the gpg agent
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+corecmd_search_bin(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+libs_use_ld_so(gpg_agent_t)
+libs_use_shared_libs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+unprivuser_search_home_dirs(gpg_agent_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_agent_t)
+ fs_manage_nfs_files(gpg_agent_t)
+ fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_agent_t)
+ fs_manage_cifs_files(gpg_agent_t)
+ fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+ unprivuser_home_dir_filetrans_home_content(gpg_agent_t, file)
+ unprivuser_manage_home_content_dirs(gpg_agent_t)
+ unprivuser_manage_home_content_files(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+libs_use_ld_so(gpg_pinentry_t)
+libs_use_shared_libs(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+unprivuser_read_home_content_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm_xserver(gpg_pinentry_t)
+')
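Review bot: The three `manage_*_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)` lines under `# allow gpg to connect to the gpg agent` are a verbatim duplicate of the block directly above them, and that comment actually describes the `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` line that follows. Delete the duplicated three lines and move the comment onto the stream_connect_pattern line. Also `dontaudit gpg_helper_t gpg_secret_t:file read;` only carries its intended meaning if nothing else grants the helper access to home content; since gpg.if in this same patch adds `unprivuser_manage_home_content_files(gpg_helper_t)`, that is worth checking before merging.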
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.13/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2009-02-10 15:07:15.000000000 +0100
@@ -2,15 +2,16 @@
# /opt
#
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
#
# /usr
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,11 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
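Review bot: `/usr/lib/opera(/.*)?/opera` and `/usr/bin/octave-[^/]*` are labeled java_exec_t with no explanation, and a web browser binary inheriting the java domain transition is not an obvious choice given that java.te in this patch can make java_t unconfined via `unconfined_domain_noaudit(java_t)`. Add a short comment above these entries stating why they are treated as Java launchers (presumably they embed a JVM, but I cannot tell from the patch), so the next reader does not take it for a mislabel.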
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.13/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/java.if 2009-02-10 15:07:15.000000000 +0100
@@ -32,7 +32,7 @@
##
##
#
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
gen_require(`
type java_exec_t;
')
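Review bot: Renaming this template to `java_plugin_per_role_template` while a new template with the old name `java_per_role_template` is added at the end of the file silently changes what existing callers of `java_per_role_template($1, $2, $3)` get: a `$1_java_t` domain instead of `$1_javaplugin_t`. Every `java_per_role_template` call in the user-domain modules needs to be updated in the same patch, and the XML summary above the renamed template, which is outside this hunk, should now say it is the plugin template.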
@@ -57,18 +57,21 @@
# Local policy
#
- allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
+ allow $1_javaplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched };
allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
- allow $1_javaplugin_t self:tcp_socket create_socket_perms;
+ allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
+ allow $1_javaplugin_t $1_t:process signull;
+ allow $1_javaplugin_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_javaplugin_t:unix_stream_socket connectto;
allow $1_javaplugin_t $2:unix_stream_socket connectto;
- allow $1_javaplugin_t $2:unix_stream_socket { read write };
- userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
+ allow $1_javaplugin_t $2:tcp_socket { read write };
manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir })
+ allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
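Review bot: `allow $1_javaplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched };` grants execstack unconditionally, and `allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;` is moved out of the `allow_java_execstack` tunable block, so the tunable no longer gates anything meaningful for the plugin and the remaining `tunable_policy(`allow_java_execstack',` block only holds the legacy-libs calls. Either keep execstack and tmp-file execute under the tunable, or remove the tunable block and document that the plugin is always allowed an executable stack and to execute files it writes under /tmp. The added self `ptrace` also deserves a one-line comment naming which plugin needs it.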
@@ -76,14 +79,9 @@
manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file })
- rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
- read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-
can_exec($1_javaplugin_t, java_exec_t)
- # The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
- allow $1_javaplugin_t $2:fd use;
+ domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
allow $1_javaplugin_t $2:process signull;
@@ -94,7 +92,7 @@
kernel_read_system_state($1_javaplugin_t)
# Search bin directory under javaplugin for javaplugin executable
- corecmd_search_bin($1_javaplugin_t)
+ corecmd_exec_bin($1_javaplugin_t)
corenet_all_recvfrom_unlabeled($1_javaplugin_t)
corenet_all_recvfrom_netlabel($1_javaplugin_t)
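Review bot: The comment `# Search bin directory under javaplugin for javaplugin executable` now sits above `corecmd_exec_bin($1_javaplugin_t)`, which allows executing every bin_t program rather than searching a directory. Update the comment to say what is actually executed, or, if only one helper is needed, keep `corecmd_search_bin` and add a `can_exec` for that helper's type instead of the whole bin_t set.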
@@ -107,10 +105,12 @@
corenet_tcp_connect_all_ports($1_javaplugin_t)
corenet_sendrecv_all_client_packets($1_javaplugin_t)
+ dev_list_sysfs($1_javaplugin_t)
dev_read_sound($1_javaplugin_t)
dev_write_sound($1_javaplugin_t)
dev_read_urand($1_javaplugin_t)
dev_read_rand($1_javaplugin_t)
+ dev_write_rand($1_javaplugin_t)
files_read_etc_files($1_javaplugin_t)
files_read_usr_files($1_javaplugin_t)
@@ -122,6 +122,9 @@
fs_getattr_xattr_fs($1_javaplugin_t)
fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+ fs_getattr_tmpfs($1_javaplugin_t)
+
+ auth_use_nsswitch($1_javaplugin_t)
libs_use_ld_so($1_javaplugin_t)
libs_use_shared_libs($1_javaplugin_t)
@@ -132,23 +135,23 @@
# Read global fonts and font config
miscfiles_read_fonts($1_javaplugin_t)
- sysnet_read_config($1_javaplugin_t)
-
+ unprivuser_manage_home_content_files($1_javaplugin_t)
userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t)
userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t)
userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t)
- userdom_manage_user_home_content_dirs($1, $1_javaplugin_t)
- userdom_manage_user_home_content_files($1, $1_javaplugin_t)
- userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t)
- userdom_manage_user_home_content_pipes($1, $1_javaplugin_t)
- userdom_manage_user_home_content_sockets($1, $1_javaplugin_t)
- userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file })
+ unprivuser_manage_tmp_dirs($1_javaplugin_t)
+ unprivuser_manage_tmp_files($1_javaplugin_t)
+ unprivuser_manage_tmp_sockets($1_javaplugin_t)
+ userdom_read_user_tmpfs_files($1, $1_javaplugin_t)
+ unprivuser_manage_home_content_dirs($1_javaplugin_t)
+ unprivuser_manage_home_content_files($1_javaplugin_t)
+ unprivuser_manage_home_content_symlinks($1_javaplugin_t)
+ unprivuser_manage_home_content_pipes($1_javaplugin_t)
+ unprivuser_manage_home_content_sockets($1_javaplugin_t)
+ unprivuser_home_dir_filetrans_home_content($1_javaplugin_t, { file lnk_file sock_file fifo_file })
tunable_policy(`allow_java_execstack',`
allow $1_javaplugin_t self:process execstack;
-
- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
libs_legacy_use_shared_libs($1_javaplugin_t)
libs_legacy_use_ld_so($1_javaplugin_t)
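Review bot: `unprivuser_manage_home_content_files($1_javaplugin_t)` appears twice in this hunk, once in place of `sysnet_read_config` and again in the block below; drop the first occurrence. Note also that the `unprivuser_*` interfaces take no role prefix, so every role that instantiates this per-role template receives the unprivileged-user home content and tmp rules; if that is intended, a comment such as `# unprivuser_* rules are shared by all roles; only the userdom_* calls are role-scoped` would stop a reader assuming they are scoped like the neighbouring `userdom_*` calls.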
@@ -156,16 +159,63 @@
')
optional_policy(`
- nis_use_ypbind($1_javaplugin_t)
+ xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
')
- optional_policy(`
- nscd_socket_use($1_javaplugin_t)
')
- optional_policy(`
- xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
+#######################################
+##
+## The per role template for the java module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for java applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`java_per_role_template',`
+ gen_require(`
+ type java_exec_t;
')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t, java_exec_t)
+ role $3 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_unpriv_usertype($1, $1_java_t)
+
+ allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+ allow $2 $1_java_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $1_java_t $2:tcp_socket { read write };
+
+ domtrans_pattern($2, java_exec_t, $1_java_t)
+
+ dev_read_urand($1_java_t)
+ dev_read_rand($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
')
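Review bot: `allow $1_java_t self:process { getsched sigkill execheap execmem execstack };` grants execheap and execstack unconditionally in the new `java_per_role_template`, with no tunable and no why-comment, whereas java.te carries `# execheap is needed for itanium/BEA jrocket` for the same permission set; copy or reference that comment here. Also, if a user domain instantiates both this template and `java_plugin_per_role_template`, `domtrans_pattern($2, java_exec_t, $1_java_t)` and the plugin template's `domtrans_pattern($2, java_exec_t, $1_javaplugin_t)` would both emit a type_transition for `$2 java_exec_t:process` with different result types, which cannot both hold; I could not see from the patch whether callers avoid that combination.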
########################################
@@ -219,3 +269,85 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
+
+########################################
+##
+## Execute a java in the specified domain
+##
+##
+##
+## Execute the java command in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`java_spec_domtrans',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ domain_trans($1, java_exec_t, $2)
+ type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+##
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the java domain.
+##
+##
+##
+##
+## The type of the terminal allow the java domain to use.
+##
+##
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Execute the java program in the java domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`java_exec',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ ca_exec($1, java_exec_t)
+')
+
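Review bot: `ca_exec($1, java_exec_t)` in `java_exec` looks like a typo for `can_exec`, the macro used elsewhere in this file (`can_exec($1_javaplugin_t, java_exec_t)`); unless `ca_exec` is defined somewhere in this tree, m4 passes it through unexpanded and the policy fails to compile as soon as the interface is called. Change it to `can_exec($1, java_exec_t)`. In `java_spec_domtrans`, the pair `domain_trans($1, java_exec_t, $2)` / `type_transition $1 java_exec_t:process $2;` is what `domain_auto_trans($1, java_exec_t, $2)` (used by code this patch removes) expands to, so the one-liner would be clearer, and its description text "execute any file on these filesystems" is copied from a filesystem interface and does not describe this one.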
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.13/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/java.te 2009-02-10 15:07:15.000000000 +0100
@@ -6,16 +6,10 @@
# Declarations
#
-##
-##
-## Allow java executable stack
-##
-##
-gen_tunable(allow_java_execstack, false)
-
type java_t;
type java_exec_t;
init_system_domain(java_t, java_exec_t)
+typealias java_t alias unconfined_java_t;
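Review bot: `gen_tunable(allow_java_execstack, false)` is removed here, but java.if in the same patch still contains `tunable_policy(`allow_java_execstack',` inside `java_plugin_per_role_template`; unless the boolean is now declared in global_tunables or another module, that block expands to an `if` on an undeclared boolean and the policy will not build. Either keep the declaration or remove the remaining tunable_policy block in java.if.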
########################################
#
@@ -23,11 +17,30 @@
#
# execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
+
+libs_legacy_use_shared_libs(java_t)
+optional_policy(`
init_dbus_chat_script(java_t)
+ optional_policy(`
+ hal_dbus_chat(java_t)
+ ')
optional_policy(`
- unconfined_domain_noaudit(java_t)
unconfined_dbus_chat(java_t)
')
+')
+
+optional_policy(`
+ rpm_domtrans(java_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(java_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_xserver_shm(java_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.13/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/livecd.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.13/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/livecd.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,56 @@
+
+## policy for livecd
+
+########################################
+##
+## Execute a domain transition to run livecd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t;
+ type livecd_exec_t;
+ ')
+
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+
+########################################
+##
+## Execute livecd in the livecd domain, and
+## allow the specified role the livecd domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the livecd domain.
+##
+##
+##
+##
+## The type of the role's terminal.
+##
+##
+#
+interface(`livecd_run',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ livecd_domtrans($1)
+ role $2 types livecd_t;
+ allow livecd_t $3:chr_file rw_term_perms;
+
+ seutil_run_setfiles_mac(livecd_t, $2, $3)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.13/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/livecd.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,26 @@
+policy_module(livecd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role system_r types livecd_t;
+
+########################################
+#
+# livecd local policy
+#
+dontaudit livecd_t self:capability2 mac_admin;
+
+unconfined_domain_noaudit(livecd_t)
+domain_ptrace_all_domains(livecd_t)
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.13/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/loadkeys.te 2009-02-10 15:07:15.000000000 +0100
@@ -32,7 +32,6 @@
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
-init_dontaudit_use_fds(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
libs_use_ld_so(loadkeys_t)
@@ -45,3 +44,7 @@
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
+
+unprivuser_dontaudit_write_home_content_files(loadkeys_t)
+unprivuser_dontaudit_list_home_dirs(loadkeys_t)
+sysadm_dontaudit_list_home_dirs(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.13/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mono.if 2009-02-10 15:07:15.000000000 +0100
@@ -21,7 +21,106 @@
########################################
##
-## Execute the mono program in the caller domain.
+## Read and write to mono shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the mono domain.
+##
+##
+##
+##
+## The type of the terminal allow the mono domain to use.
+##
+##
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+ allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## The per role template for the mono module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for mono applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`mono_per_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $3 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+
+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+ allow $2 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+')
+
+########################################
+##
+## Execute the mono program in the mono domain.
##
##
##
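Review bot: `corecmd_bin_domtrans($1_mono_t, $1_t)` at L1719 derives the return-transition target from the prefix, while the template already receives the user domain type as `$2` (used on L1714 and L1716); if the two ever differ the transition lands in the wrong domain, and even now the mismatch is confusing. Replace it with `corecmd_bin_domtrans($1_mono_t, $2)`. The `mono_run` parameter text at L1658 also reads awkwardly; `## The type of the terminal the mono domain is allowed to use.` would be clearer.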
@@ -31,7 +130,7 @@
#
interface(`mono_exec',`
gen_require(`
- type mono_t, mono_exec_t;
+ type mono_exec_t;
')
corecmd_search_bin($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.13/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mono.te 2009-02-10 15:07:15.000000000 +0100
@@ -15,7 +15,7 @@
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
@@ -46,3 +46,7 @@
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
')
+
+optional_policy(`
+ xserver_rw_xdm_xserver_shm(mono_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.13/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,8 +1,8 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
@@ -17,7 +17,6 @@
#
# /etc
#
-/etc/mozpluggerrc -- gen_context(system_u:object_r:mozilla_conf_t,s0)
#
# /lib
@@ -29,3 +28,5 @@
/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
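Review bot: The two added entries at L1780–L1781 spell out `/usr/lib/` and `/usr/lib64/` separately, while every neighbouring entry in this hunk uses the `(64)?` form; they can be a single line, `/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)`, matching the style of L1779.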
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.13/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.if 2009-02-10 15:07:15.000000000 +0100
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
+ type mozilla_home_t, mozilla_tmp_t;
')
+ gen_tunable(browser_confine_$1, false)
+ gen_tunable(browser_write_$1_data, false)
########################################
#
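Review bot: The two `gen_tunable` calls at L1791–L1792 carry no description block, unlike the `mozilla_read_content` tunable this patch removes from mozilla.te (L2241–L2246), so the new booleans will have no documentation for administrators. The semantics matter: `browser_confine_$1` defaults to `false`, and its false branch (L1869 in a later hunk) runs the browser in the caller's own domain instead of transitioning to `$1_mozilla_t`, so confinement is off until an administrator enables it. I would add, before each `gen_tunable`, the usual description block: for the first one saying that it allows `$1` to transition into the confined mozilla domain rather than running the browser in the user domain and that it is off by default, and for the second that it allows the mozilla domain to create and write `$1` home content. The template continues past this hunk.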
@@ -45,36 +48,44 @@
application_domain($1_mozilla_t, mozilla_exec_t)
role $3 types $1_mozilla_t;
- type $1_mozilla_home_t alias $1_mozilla_rw_t;
- files_poly_member($1_mozilla_home_t)
- userdom_user_home_content($1, $1_mozilla_home_t)
-
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
+ typealias mozilla_home_t alias $1_mozilla_home_t;
+ typealias mozilla_tmp_t alias $1_mozilla_tmp_t;
+
+ ########################################
+ #
+ # Local booleans
+ #
+
########################################
#
# Local policy
#
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
- allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+ allow $1_mozilla_t self:process { ptrace sigkill signal signull setsched getsched setrlimit };
allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
allow $1_mozilla_t self:sem create_sem_perms;
allow $1_mozilla_t self:socket create_socket_perms;
allow $1_mozilla_t self:unix_stream_socket { listen accept };
# Browse the web, connect to printer
- allow $1_mozilla_t self:tcp_socket create_socket_perms;
- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+ allow $1_mozilla_t self:tcp_socket create_stream_socket_perms;
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
+ domain_read_all_domains_state($1_mozilla_t)
+
+ fs_getattr_tmpfs($1_mozilla_t)
+ fs_manage_tmpfs_files($1_mozilla_t)
+
# X access, Home files
- manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
+ manage_dirs_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($1_mozilla_t, mozilla_home_t, mozilla_home_t)
userdom_search_user_home_dirs($1, $1_mozilla_t)
# Mozpluggerrc
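Review bot: `fs_manage_tmpfs_files($1_mozilla_t)` at L1833 lets the browser create, write and delete any file carrying the generic tmpfs type, whereas the rules the next hunk removes (L1854–L1858) were limited to the private `$1_mozilla_tmpfs_t`, which this hunk still declares (L1802–L1803) and which is still passed to `xserver_user_x_domain_template` at L1979. If the private type stays, it should keep its `fs_tmpfs_filetrans`, and the generic manage rule should either go or carry a comment naming the tmpfs files the browser actually needs. `domain_read_all_domains_state($1_mozilla_t)` at L1830 is likewise broad for a web browser and deserves a why-comment. The template continues beyond this hunk.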
@@ -89,22 +100,47 @@
allow $2 $1_mozilla_t:unix_stream_socket connectto;
# X access, Home files
- manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-
- manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
allow $1_mozilla_t $2:process signull;
+ tunable_policy(`browser_confine_$1',`
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ ',`
+ can_exec($2, mozilla_exec_t)
+ ')
+
+ unprivuser_read_home_content_files($1_mozilla_t)
+ unprivuser_read_home_content_symlinks($1_mozilla_t)
+ unprivuser_read_tmp_files($1_mozilla_t)
+ unprivuser_manage_tmp_dirs($1_mozilla_t)
+ unprivuser_manage_tmp_files($1_mozilla_t)
+ unprivuser_manage_tmp_sockets($1_mozilla_t)
+ userdom_tmp_filetrans_user_tmp($1, $1_mozilla_t, { file dir sock_file })
+ userdom_read_user_tmpfs_files($1, $1_mozilla_t)
+
+ ifdef(`enable_mls',`',`
+ fs_search_removable($1_mozilla_t)
+ fs_read_removable_files($1_mozilla_t)
+ fs_read_removable_symlinks($1_mozilla_t)
+ ')
+
+ tunable_policy(`browser_write_$1_data',`
+ unprivuser_manage_home_content_dirs($1_mozilla_t)
+ unprivuser_manage_home_content_files($1_mozilla_t)
+ unprivuser_manage_home_content_symlinks($1_mozilla_t)
+ unprivuser_manage_home_content_pipes($1_mozilla_t)
+ unprivuser_home_dir_filetrans_home_content($1_mozilla_t, { file dir lnk_file })
+ ',`
+ # helper apps will try to create .files
+ userdom_dontaudit_create_user_home_content_files($1, $1_mozilla_t)
+ userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_mozilla_home_t, dir)
+ ')
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
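Review bot: `unprivuser_read_home_content_files` and the tmp rules at L1872–L1879 are unconditional, so reading all of the user's home and tmp content is no longer opt-in the way the removed `mozilla_read_content` tunable (L2011–L2033, declared at L2246) made it, while writes stay gated behind `browser_write_$1_data`; if that asymmetry is intended, a comment above L1872 should say so, e.g. `# reads of user home/tmp content are always allowed; only writes are gated by browser_write_$1_data`. Note also that the false branch of `browser_confine_$1` at L1869 (`can_exec($2, mozilla_exec_t)`) means none of these rules apply by default, because the browser never enters `$1_mozilla_t`. The template starts and ends outside this hunk.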
@@ -112,17 +148,20 @@
ps_process_pattern($2, $1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
+ kernel_read_fs_sysctls($1_mozilla_t)
kernel_read_kernel_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
- kernel_read_system_state($1_mozilla_t)
- kernel_read_net_sysctls($1_mozilla_t)
+ kernel_dontaudit_read_system_state($1_mozilla_t)
+# kernel_read_system_state($1_mozilla_t)
+# kernel_read_net_sysctls($1_mozilla_t)
# Look for plugins
corecmd_list_bin($1_mozilla_t)
# for bash - old mozilla binary
corecmd_exec_shell($1_mozilla_t)
corecmd_exec_bin($1_mozilla_t)
+ application_exec($1_mozilla_t)
# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled($1_mozilla_t)
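Review bot: The commented-out `kernel_read_system_state` and `kernel_read_net_sysctls` at L1910–L1911 sit beneath the comment `# Access /proc, sysctl`, which now heads a `dontaudit`; either delete the dead lines or replace them with a one-line reason such as `# system state and net sysctl reads are silenced rather than allowed: <reason>`. The template continues on both sides of the hunk.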
@@ -137,9 +176,9 @@
corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
corenet_tcp_connect_http_port($1_mozilla_t)
corenet_tcp_connect_http_cache_port($1_mozilla_t)
+ corenet_tcp_connect_flash_port($1_mozilla_t)
corenet_tcp_connect_ftp_port($1_mozilla_t)
corenet_tcp_connect_ipp_port($1_mozilla_t)
- corenet_tcp_connect_generic_port($1_mozilla_t)
corenet_sendrecv_http_client_packets($1_mozilla_t)
corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
corenet_sendrecv_ftp_client_packets($1_mozilla_t)
@@ -148,6 +187,7 @@
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
+ corenet_tcp_connect_speech_port($1_mozilla_t)
dev_read_urand($1_mozilla_t)
dev_read_rand($1_mozilla_t)
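Review bot: `corenet_tcp_connect_speech_port($1_mozilla_t)` at L1935 is placed after the `corenet_dontaudit_*_generic_port` lines under the comment `# Should not need other ports`, which now reads as if it applied to an allow rule. Move it up beside the other `corenet_tcp_connect_*_port` rules (L1922–L1926 in the preceding hunk).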
@@ -165,13 +205,28 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
+ files_dontaudit_list_non_security($1_mozilla_t)
+ files_dontaudit_getattr_non_security_files($1_mozilla_t)
+ files_dontaudit_getattr_non_security_symlinks($1_mozilla_t)
+ files_dontaudit_getattr_non_security_pipes($1_mozilla_t)
+ files_dontaudit_getattr_non_security_sockets($1_mozilla_t)
+
+ dev_dontaudit_getattr_all_blk_files($1_mozilla_t)
+ dev_dontaudit_getattr_all_chr_files($1_mozilla_t)
fs_search_auto_mountpoints($1_mozilla_t)
fs_list_inotifyfs($1_mozilla_t)
+ fs_manage_dos_dirs($1_mozilla_t)
+ fs_manage_dos_files($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
+ fs_read_noxattr_fs_files($1_mozilla_t)
+
+ selinux_dontaudit_getattr_fs($1_mozilla_t)
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
+ auth_use_nsswitch($1_mozilla_t)
+
libs_use_ld_so($1_mozilla_t)
libs_use_shared_libs($1_mozilla_t)
@@ -180,17 +235,10 @@
miscfiles_read_fonts($1_mozilla_t)
miscfiles_read_localization($1_mozilla_t)
- # Browse the web, connect to printer
- sysnet_dns_name_resolve($1_mozilla_t)
- sysnet_read_config($1_mozilla_t)
-
- userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
- userdom_manage_user_home_content_files($1, $1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
- userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
- userdom_manage_user_tmp_files($1, $1_mozilla_t)
- userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
+ userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
+ userdom_dontaudit_use_user_terminals($1, $1_mozilla_t)
+ xserver_read_xdm_pid($1_mozilla_t)
xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
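Review bot: `userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)` at L1976 silences denials for reads that `unprivuser_read_tmp_files($1_mozilla_t)` at L1874 appears to allow outright; if both resolve to the same tmp type the dontaudit is dead, and if they do not, the difference should be stated in a comment. The removed `sysnet_dns_name_resolve` (L1967) is presumably covered by the `auth_use_nsswitch` added at L1959; worth confirming, since the connect rules above depend on name resolution.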
@@ -211,131 +259,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_nfs_files($1_mozilla_t)
- fs_read_nfs_symlinks($1_mozilla_t)
-
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_nfs_files($1_mozilla_t)
- fs_dontaudit_list_nfs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_cifs_files($1_mozilla_t)
- fs_read_cifs_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_cifs_files($1_mozilla_t)
- fs_dontaudit_list_cifs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content',`
- userdom_list_user_tmp($1, $1_mozilla_t)
- userdom_read_user_tmp_files($1, $1_mozilla_t)
- userdom_read_user_tmp_symlinks($1, $1_mozilla_t)
- userdom_search_user_home_dirs($1, $1_mozilla_t)
- userdom_read_user_home_content_files($1, $1_mozilla_t)
- userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
-
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mozilla_t)
- fs_read_removable_files($1_mozilla_t)
- fs_read_removable_symlinks($1_mozilla_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_removable($1_mozilla_t)
- fs_dontaudit_read_removable_files($1_mozilla_t)
- userdom_dontaudit_list_user_tmp($1, $1_mozilla_t)
- userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
- userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_default_t',`
- files_list_default($1_mozilla_t)
- files_read_default_files($1_mozilla_t)
- files_read_default_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_read_default_files($1_mozilla_t)
- files_dontaudit_list_default($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_untrusted_content',`
- files_list_tmp($1_mozilla_t)
- files_list_home($1_mozilla_t)
- userdom_search_user_home_dirs($1, $1_mozilla_t)
-
- userdom_list_user_untrusted_content($1, $1_mozilla_t)
- userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
- userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t)
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
- ')
-
- # Save web pages
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_nfs_dirs($1_mozilla_t)
- fs_manage_nfs_files($1_mozilla_t)
- fs_manage_nfs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
- fs_dontaudit_manage_nfs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_cifs_dirs($1_mozilla_t)
- fs_manage_cifs_files($1_mozilla_t)
- fs_manage_cifs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
- fs_dontaudit_manage_cifs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_mozilla_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file)
- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir)
-
- userdom_manage_user_untrusted_content_files($1, $1_mozilla_t)
- userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- files_dontaudit_list_tmp($1_mozilla_t)
-
- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t)
- userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t)
-
+ optional_policy(`
+ alsa_read_rw_config($1_mozilla_t)
')
optional_policy(`
@@ -350,57 +275,52 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
+ cups_stream_connect($1_mozilla_t)
')
optional_policy(`
dbus_system_bus_client_template($1_mozilla, $1_mozilla_t)
- dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
+# dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
+ dbus_chat_user_bus($1, $1_mozilla_t)
+ dbus_connectto_user_bus($1, $1_mozilla_t)
')
optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_mozilla_t)
+ networkmanager_dbus_chat($1_mozilla_t)
')
optional_policy(`
- java_domtrans_user_javaplugin($1, $1_mozilla_t)
+ gnome_exec_gconf($1_mozilla_t)
+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
')
optional_policy(`
- lpd_domtrans_user_lpr($1, $1_mozilla_t)
+ java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
')
+# optional_policy(`
+# openoffice_plugin_per_role_template($1, $1_mozilla_t, $1_r)
+# ')
+
optional_policy(`
- mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
- mplayer_read_user_home_files($1, $1_mozilla_t)
+ lpd_domtrans_user_lpr($1, $1_mozilla_t)
')
optional_policy(`
- nscd_socket_use($1_mozilla_t)
+ nsplugin_domtrans_user($1, $1_mozilla_t)
+ nsplugin_domtrans_user_config($1, $1_mozilla_t)
+ nsplugin_manage_home_files($1, $1_mozilla_t)
')
optional_policy(`
- thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
+ mplayer_domtrans_mplayer($1, $1_mozilla_t)
+ mplayer_read_user_home_files($1, $1_mozilla_t)
')
- ifdef(`TODO',`
- #NOTE commented out in strict.
- ######### Launch email client, and make webcal links work
- #ifdef(`evolution.te', `
- #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
- #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
- #')
-
- # Macros for mozilla/mozilla (or other browser) domains.
- # FIXME: Rules were removed to centralize policy in a gnome_app macro
- # A similar thing might be necessary for mozilla compiled without GNOME
- # support (is this possible?).
-
- # GNOME integration
optional_policy(`
- gnome_application($1_mozilla, $1)
- gnome_file_dialog($1_mozilla, $1)
- ')
+ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
+
')
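Review bot: `java_plugin_per_role_template($1, $1_mozilla_t, $1_r)` at L2138 builds the role name from the prefix, but the enclosing template receives the role as `$3` (L1797, `role $3 types $1_mozilla_t;`); pass `$3` so the derived java plugin domain lands in the same role as `$1_mozilla_t`. The same `$1_r` appears in the commented-out openoffice block at L2141, and that block together with the commented `dbus_user_bus_client_template` at L2123 are dead lines that should be removed or given a reason.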
########################################
@@ -430,11 +350,11 @@
#
template(`mozilla_read_user_home_files',`
gen_require(`
- type $1_mozilla_home_t;
+ type mozilla_home_t;
')
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file read_file_perms;
+ allow $2 mozilla_home_t:dir list_dir_perms;
+ allow $2 mozilla_home_t:file read_file_perms;
')
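Review bot: `mozilla_read_user_home_files` now ignores its `$1` prefix parameter, since both rules at L2192–L2193 use the shared `mozilla_home_t`; the same holds for `mozilla_write_user_home_files` (L2198–L2206) and `mplayer_read_user_home_files` (L2402–L2409). If the parameter is kept for caller compatibility, the parameter documentation above each template (outside these hunks) should say `## Unused; kept for compatibility with existing callers.`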
########################################
@@ -464,11 +384,10 @@
#
template(`mozilla_write_user_home_files',`
gen_require(`
- type $1_mozilla_home_t;
+ type mozilla_home_t;
')
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file write;
+ write_files_pattern($2, mozilla_home_t, mozilla_home_t)
')
########################################
@@ -573,3 +492,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
+
+########################################
+##
+## mozilla connection template.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`mozilla_stream_connect_template',`
+ gen_require(`
+ type $1_mozilla_t;
+ ')
+
+ allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.13/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.te 2009-02-10 15:07:15.000000000 +0100
@@ -6,15 +6,20 @@
# Declarations
#
-##
-##
-## Control mozilla content access
-##
-##
-gen_tunable(mozilla_read_content, false)
-
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
type mozilla_exec_t;
application_executable_file(mozilla_exec_t)
+
+type mozilla_home_t alias user_mozilla_rw_t;
+files_poly_member(mozilla_home_t)
+userdom_user_home_content(user, mozilla_home_t)
+
+type mozilla_tmp_t;
+files_tmp_file(mozilla_tmp_t)
+
+typealias mozilla_home_t alias unconfined_mozilla_home_t;
+typealias mozilla_tmp_t alias unconfined_mozilla_tmp_t;
+typealias mozilla_home_t alias user_mozilla_home_t;
+typealias mozilla_tmp_t alias user_mozilla_tmp_t;
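Review bot: The aliases declared at L2260–L2263 (`user_mozilla_home_t`, `unconfined_mozilla_home_t` and the tmp pair) are the same names that `mozilla_per_role_template` generates at L1804–L1805 when invoked with the `user` or `unconfined` prefix, so those two invocations would redeclare an existing alias; unless the policy build is known to tolerate that, either these lines or the template's `typealias` lines should go. `userdom_user_home_content(user, mozilla_home_t)` at L2255 also hard-codes the `user` prefix for a type that is now shared across all prefixes; a comment explaining why `user` is the right owner would help.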
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,13 +1,9 @@
#
-# /etc
-#
-/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
-
-#
# /usr
#
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
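Review bot: Removing the `/etc/mplayer(/.*)?` entry (L2271) leaves nothing on disk labelled `mplayer_etc_t`, yet mplayer.if still grants that type to the mencoder and mplayer domains (context at L2313 and L2333), so those rules become dead and `/etc/mplayer` falls back to the generic `/etc` label. Either keep the entry or remove the `mplayer_etc_t` rules and type together with it.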
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.13/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.if 2009-02-10 15:07:15.000000000 +0100
@@ -34,7 +34,8 @@
#
template(`mplayer_per_role_template',`
gen_require(`
- type mencoder_exec_t, mplayer_exec_t, mplayer_etc_t;
+ type mencoder_exec_t, mplayer_exec_t;
+ type user_mplayer_home_t;
')
########################################
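Review bot: `gen_require` at L2291 asks for `user_mplayer_home_t`, but the template body never uses that name — it uses `mplayer_home_t` (L2300, L2309–L2311, L2327–L2329, L2341–L2346) and at L2300 itself declares `$1_mplayer_home_t` as an alias, which for the `user` prefix is the very name being required; the line should read `type mplayer_home_t;`. Dropping `mplayer_etc_t` from the require at L2290 also leaves the template's remaining `mplayer_etc_t` rules (L2313, L2333) without a declaration in scope when the template is expanded in another module. The template continues past this hunk.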
@@ -50,9 +51,7 @@
application_domain($1_mplayer_t, mplayer_exec_t)
role $3 types $1_mplayer_t;
- type $1_mplayer_home_t alias $1_mplayer_rw_t;
- files_poly_member($1_mplayer_home_t)
- userdom_user_home_content($1,$1_mplayer_home_t)
+ typealias mplayer_home_t alias $1_mplayer_home_t;
type $1_mplayer_tmpfs_t;
files_tmpfs_file($1_mplayer_tmpfs_t)
@@ -62,9 +61,9 @@
# mencoder local policy
#
- manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
+ manage_dirs_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($1_mencoder_t, mplayer_home_t, mplayer_home_t)
# Read global config
allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
@@ -200,7 +199,7 @@
')
tunable_policy(`write_untrusted_content',`
- userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
+ unprivuser_manage_untrusted_content_files($1_mplayer_t)
')
# Save encoded files
@@ -255,9 +254,9 @@
allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
allow $1_mplayer_t self:sem create_sem_perms;
- manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
+ manage_dirs_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($1_mplayer_t, mplayer_home_t, mplayer_home_t)
userdom_search_user_home_dirs($1, $1_mplayer_t)
manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
@@ -272,12 +271,12 @@
read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
# Home access
- manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
# domain transition
domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
@@ -307,6 +306,7 @@
dev_write_sound_mixer($1_mplayer_t)
# RTC clock
dev_read_realtime_clock($1_mplayer_t)
+ dev_read_urand($1_mplayer_t)
# Access to DVD/CD/V4L
storage_raw_read_removable_device($1_mplayer_t)
@@ -340,6 +340,7 @@
userdom_read_user_tmp_symlinks($1, $1_mplayer_t)
userdom_read_user_home_content_files($1, $1_mplayer_t)
userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
+ userdom_write_user_tmp_sockets($1, $1_mplayer_t)
xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
@@ -467,9 +468,11 @@
##
##
#
-template(`mplayer_domtrans_user_mplayer',`
+template(`mplayer_domtrans_mplayer',`
gen_require(`
- type $1_mplayer_t, mplayer_exec_t;
+ type mplayer_exec_t;
+ type $1_mplayer_t;
+
')
domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
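Review bot: Renaming the public template `mplayer_domtrans_user_mplayer` to `mplayer_domtrans_mplayer` (L2366–L2367) breaks any caller outside this patch; the only updated caller visible is mozilla.if at L2157. The usual practice is to keep the old name as a deprecated wrapper that forwards to the new one, so external modules keep building. The stray blank line inside `gen_require` at L2372 should also be dropped.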
@@ -477,6 +480,25 @@
########################################
##
+## Execute mplayer in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`mplayer_exec',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ can_exec($1, mplayer_exec_t)
+')
+
+########################################
+##
## Read mplayer per user homedir
##
##
@@ -502,8 +524,8 @@
#
template(`mplayer_read_user_home_files',`
gen_require(`
- type $1_mplayer_home_t;
+ type mplayer_home_t;
')
- read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+ read_files_pattern($2, mplayer_home_t, mplayer_home_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.13/policy/modules/apps/mplayer.te
--- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.te 2009-02-10 15:07:15.000000000 +0100
@@ -22,3 +22,7 @@
type mplayer_exec_t;
corecmd_executable_file(mplayer_exec_t)
application_executable_file(mplayer_exec_t)
+
+type mplayer_home_t alias user_mplayer_rw_t;
+userdom_user_home_content(user, mplayer_home_t)
+
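Review bot: `mplayer_home_t` at L2418–L2419 is declared without `files_poly_member`, although the per-role declaration it replaces had `files_poly_member($1_mplayer_home_t)` (L2298) and the parallel `mozilla_home_t` declaration in mozilla.te keeps it (L2254); unless polyinstantiation is meant to be dropped for mplayer, add `files_poly_member(mplayer_home_t)` after L2418. The added trailing blank line at L2420 leaves the file ending in whitespace.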
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,13 @@
+
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
+
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
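Review bot: `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` at L2429 gets `nsplugin_rw_t`, a type the new nsplugin.if makes both writable (`nsplugin_manage_rw_files` at L2456, `nsplugin_manage_rw` at L2475) and executable by the user domain (`can_exec($2, nsplugin_rw_t)` at L2535); writable-and-executable content under `/usr/lib` is exactly the combination a policy reviewer wants justified. A comment above L2429 naming the domain expected to write there (presumably the plugin-config tool labelled `nsplugin_config_exec_t` on L2428) would make the intent clear.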
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,318 @@
+
+## policy for nsplugin
+
+########################################
+##
+## Create, read, write, and delete
+## nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:file manage_file_perms;
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Manage nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_rw',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for nsplugin web browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`nsplugin_per_role_template_notrans',`
+ gen_require(`
+ type nsplugin_rw_t;
+ type nsplugin_home_t;
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ role $3 types nsplugin_t;
+ role $3 types nsplugin_config_t;
+
+ allow nsplugin_t $2:process signull;
+
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+ can_exec($2, nsplugin_rw_t)
+
+ #Leaked File Descriptors
+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
+ allow nsplugin_t $2:unix_stream_socket connectto;
+ dontaudit nsplugin_t $2:process ptrace;
+
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect(nsplugin_t, $2)
+
+ userdom_use_user_terminals($1, nsplugin_t)
+ userdom_use_user_terminals($1, nsplugin_config_t)
+ userdom_dontaudit_setattr_user_home_content_files($1, nsplugin_t)
+
+ optional_policy(`
+ dbus_dontaudit_connectto_user_bus($1, nsplugin_t)
+ ')
+
+ xserver_common_app($1, nsplugin_t)
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for nsplugin web browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`nsplugin_per_role_template',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_config_exec_t;
+ type nsplugin_t;
+ type nsplugin_config_t;
+ ')
+
+ nsplugin_per_role_template_notrans($1, $2, $3)
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for nsplugin web browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_domtrans_user',`
+ gen_require(`
+ type nsplugin_exec_t;
+ type nsplugin_t;
+ ')
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ allow $2 nsplugin_t:unix_stream_socket connectto;
+ allow nsplugin_t $2:process signal;
+')
+#######################################
+##
+## The per role template for the nsplugin module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for nsplugin web browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+interface(`nsplugin_domtrans_user_config',`
+ gen_require(`
+ type nsplugin_config_exec_t;
+ type nsplugin_config_t;
+ ')
+
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+######################################
+##
+## Create, read, write, and delete
+## nsplugin home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_home_files',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_files_pattern($2, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
+## Search nsplugin rw directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_search_rw_dir',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_read_rw_files',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+##
+## Exec nsplugin rw files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_rw_exec',`
+ gen_require(`
+ type nsplugin_rw_t;
+ ')
+
+ can_exec($1, nsplugin_rw_t)
+')
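Review bot: `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)` in `nsplugin_per_role_template_notrans` uses `user_home_t` without listing it in the template's `gen_require`, so the reference is likely rejected when the template is expanded in a module that does not already pull the type in; add `type user_home_t;` to the require block or go through a userdom interface. `nsplugin_manage_home_files` is documented with a single parameter but its body is `manage_files_pattern($2, nsplugin_home_t, nsplugin_home_t)`, so a caller following the docs passes the domain as `$1` and the pattern expands with an empty source; either use `$1` or document the prefix parameter the way `nsplugin_domtrans_user` does. `nsplugin_domtrans_user` and `nsplugin_domtrans_user_config` still carry the copy-pasted "The per role template for the nsplugin module" description although they are plain interfaces adding a domain transition. The comment `# Connect to pulseaudit server` should read `# Connect to pulseaudio server`. Note also that `can_exec($2, nsplugin_rw_t)` lets the user domain execute content that `nsplugin_config_t` can create and write (see nsplugin.te), so `nsplugin_rw_t` effectively acts as a writable-then-executable type between those two domains; a comment stating that this is intended would help future reviewers.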
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,290 @@
+
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow nsplugin code to execmem/execstack
+##
+##
+gen_tunable(allow_nsplugin_execmem, false)
+
+##
+##
+## Allow nsplugin code to connect to unreserved ports
+##
+##
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(user, nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+domain_type(nsplugin_t)
+domain_entry_file(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+application_executable_file(nsplugin_exec_t)
+application_executable_file(nsplugin_config_exec_t)
+
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability sys_tty_config;
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
+userdom_manage_tmpfs(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_streaming_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_usr_files(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_list_inotifyfs(nsplugin_t)
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_use_ld_so(nsplugin_t)
+libs_use_shared_libs(nsplugin_t)
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+
+unprivuser_manage_tmp_dirs(nsplugin_t)
+unprivuser_manage_tmp_files(nsplugin_t)
+unprivuser_manage_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file })
+unprivuser_read_tmpfs_files(nsplugin_t)
+unprivuser_rw_semaphores(nsplugin_t)
+unprivuser_delete_tmpfs_files(nsplugin_t)
+
+unprivuser_read_home_content_symlinks(nsplugin_t)
+unprivuser_read_home_content_files(nsplugin_t)
+unprivuser_read_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(user, nsplugin_t)
+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
+')
+
+optional_policy(`
+ cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client_template(nsplugin, nsplugin_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(nsplugin_t)
+ gnome_manage_user_gnome_config(user, nsplugin_t)
+ gnome_read_gconf_home_files(nsplugin_t)
+ allow nsplugin_t gnome_home_t:sock_file write;
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_t)
+ mozilla_write_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(nsplugin_t)
+ mplayer_read_user_home_files(user, nsplugin_t)
+')
+
+optional_policy(`
+ unconfined_execmem_signull(nsplugin_t)
+ unconfined_delete_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm(nsplugin_t)
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
+ xserver_rw_xdm_xserver_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_user_xauth(user, nsplugin_t)
+ xserver_read_user_iceauth(user, nsplugin_t)
+ xserver_use_user_fonts(user, nsplugin_t)
+ xserver_manage_home_fonts(nsplugin_t)
+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+fs_list_inotifyfs(nsplugin_config_t)
+fs_search_auto_mountpoints(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+libs_use_ld_so(nsplugin_config_t)
+libs_use_shared_libs(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_all_users_home_content(nsplugin_config_t)
+unprivuser_read_home_content_files(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
+ fs_read_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
+ fs_read_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
+ fs_read_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
+ fs_read_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+ xserver_read_home_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(user, nsplugin_config_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type unconfined_mono_t;
+ ')
+ allow nsplugin_t unconfined_mono_t:process signull;
+')
+
+unconfined_execmem_exec(nsplugin_t)
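Review bot: `dontaudit nsplugin_t self:process { getcap setcap };` with the comment `#execing pulseaudio` sits in the `nsplugin_config local policy` section but targets `nsplugin_t`, so either the domain or the placement is wrong; if it is meant for nsplugin_t it belongs with the other `nsplugin_t self` rules earlier in the file. `unconfined_execmem_exec(nsplugin_t)` on the last line is called outside `optional_policy`, unlike the other unconfined calls in this file, so the module stops building when the unconfined module is absent. `application_executable_file(nsplugin_exec_t)` and `application_executable_file(nsplugin_config_exec_t)` are each called twice in the declarations block, `nsplugin_tmp_t` is declared but no rule uses it, and `allow nsplugin_t gnome_home_t:sock_file write;` inside the gnome `optional_policy` references `gnome_home_t` without a `gen_require`. Separately, `nsplugin_config_t` both manages and can execute `nsplugin_rw_t`, and `nsplugin_t` both manages and executes `nsplugin_home_t`, so each of these domains can write content and then run it; a comment recording that this write-then-execute path is deliberate would make the trust boundary explicit.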
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
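Review bot: The two entries differ only in `lib` versus `lib64`; the `lib(64)?` form used by nsplugin.fc in this same patch collapses them into `/usr/lib(64)?/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)`. The unanchored `.*` after `openoffice\.org` also matches path separators, so `[^/]*` would keep the match to the versioned directory name itself.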
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.13/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,106 @@
+## Openoffice
+
+#######################################
+##
+## The per role template for the openoffice module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for openoffice plugins that are executed by a browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+interface(`openoffice_plugin_per_role_template',`
+ gen_require(`
+ type openoffice_exec_t;
+ type $1_openoffice_t;
+ ')
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
+ allow $2 $1_openoffice_t:process { signal sigkill };
+')
+
+#######################################
+##
+## The per role template for the openoffice module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for openoffice applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`openoffice_per_role_template',`
+ gen_require(`
+ type openoffice_exec_t;
+ ')
+
+ type $1_openoffice_t;
+ domain_type($1_openoffice_t)
+ domain_entry_file($1_openoffice_t, openoffice_exec_t)
+ role $3 types $1_openoffice_t;
+
+ domain_interactive_fd($1_openoffice_t)
+
+ userdom_unpriv_usertype($1, $1_openoffice_t)
+ userdom_exec_user_home_content_files($1, $1_openoffice_t)
+
+ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+
+ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $1_openoffice_t $2:tcp_socket { read write };
+
+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
+
+ dev_read_urand($1_openoffice_t)
+ dev_read_rand($1_openoffice_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
+
+ allow $2 $1_openoffice_t:process { signal sigkill };
+ allow $1_openoffice_t $2:unix_stream_socket connectto;
+')
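Review bot: `openoffice_plugin_per_role_template` is declared with `interface(` but requires and uses the prefix-derived type `$1_openoffice_t`, which is what `template(` exists for in refpolicy; change `interface(` to `template(` on that line and drop the documented role parameter, which the body never uses. In `openoffice_per_role_template`, `allow $2 $1_openoffice_t:process { signal sigkill };` near the end is already covered by `signal_perms` in the earlier `allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };`, and `domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)` is repeated in both the template and the plugin interface. `noatsecure siginh rlimitinh` let the caller's secure-mode setting, signal state and rlimits carry across the transition into the openoffice domain; a short comment on why that is required would help reviewers.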
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.13/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,14 @@
+
+policy_module(openoffice, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
+
+
+
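Review bot: `openoffice_t` is declared and bound to `openoffice_exec_t` via `application_domain`, but no role, transition or access rule for it appears in this file, and the accompanying `.if` only builds per-role `$1_openoffice_t` domains; if `openoffice_t` is a placeholder, a comment saying so (or removing it) would avoid shipping a domain that nothing can enter. The file also ends with three blank lines.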
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc
--- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,2 +1,4 @@
/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if
--- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if 2009-02-10 15:07:15.000000000 +0100
@@ -16,4 +16,38 @@
')
domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+ allow $1 podsleuth_t:process signal;
')
+
+
+########################################
+##
+## Execute podsleuth in the podsleuth domain, and
+## allow the specified role the podsleuth domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the podsleuth domain.
+##
+##
+##
+##
+## The type of the role's terminal.
+##
+##
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ type podsleuth_t;
+ ')
+
+ podsleuth_domtrans($1)
+ role $2 types podsleuth_t;
+ dontaudit podsleuth_t $3:chr_file rw_term_perms;
+')
+
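Review bot: `podsleuth_run` silences terminal access with `dontaudit podsleuth_t $3:chr_file rw_term_perms;` whereas the parallel `qemu_run` in this patch grants it with `allow qemu_t $3:chr_file rw_file_perms;`; if podsleuth must not touch the caller's terminal the dontaudit is right, but a one-line comment explaining the choice would stop the next reader from "fixing" it. The `allow $1 podsleuth_t:process signal;` added to the earlier interface widens every existing caller of `podsleuth_domtrans`; that interface starts outside the hunk. The hunk also leaves two consecutive blank lines before the new interface header and a trailing blank line at the end.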
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2009-02-10 15:07:15.000000000 +0100
@@ -11,24 +11,64 @@
application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t;
+type podsleuth_tmp_t;
+files_tmp_file(podsleuth_tmp_t)
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+
########################################
#
# podsleuth local policy
#
-
-allow podsleuth_t self:process { signal getsched execheap execmem };
+allow podsleuth_t self:capability { sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket create_stream_socket_perms;
+allow podsleuth_t self:udp_socket create_socket_perms;
kernel_read_system_state(podsleuth_t)
+corecmd_exec_bin(podsleuth_t)
+corenet_tcp_connect_http_port(podsleuth_t)
+
dev_read_urand(podsleuth_t)
files_read_etc_files(podsleuth_t)
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+
+fs_mount_nfs(podsleuth_t)
+fs_unmount_nfs(podsleuth_t)
+fs_getattr_nfs(podsleuth_t)
+fs_read_nfs_files(podsleuth_t)
+fs_search_nfs(podsleuth_t)
+
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+storage_raw_rw_fixed_disk(podsleuth_t)
+
libs_use_ld_so(podsleuth_t)
libs_use_shared_libs(podsleuth_t)
+sysnet_dns_name_resolve(podsleuth_t)
+
miscfiles_read_localization(podsleuth_t)
dbus_system_bus_client_template(podsleuth, podsleuth_t)
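Review bot: `allow podsleuth_t self:capability { sys_admin sys_rawio };` together with `storage_raw_rw_fixed_disk(podsleuth_t)` gives a HAL helper raw read/write on every fixed-disk device node plus the capability to mount, which is far broader than the single iPod it inspects; if the device is classified as removable, `storage_raw_read_removable_device`/`storage_raw_write_removable_device` (used by the old qemu template in this same patch) would bound it, and otherwise a comment should record why fixed-disk access is required. `ptrace` and `execstack` are also new in the `self:process` rule without a note on which operation needs them. The dos/nfs mount interfaces plus `allow podsleuth_t podsleuth_tmp_t:dir mounton;` suggest the device is mounted under a temporary directory; a brief comment above that group would make the flow readable.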
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2009-02-25 19:55:15.000000000 +0100
@@ -1,2 +1,7 @@
/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:qemu_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2009-02-10 15:07:15.000000000 +0100
@@ -46,6 +46,96 @@
qemu_domtrans($1)
role $2 types qemu_t;
allow qemu_t $3:chr_file rw_file_perms;
+
+ optional_policy(`
+ samba_run_smb(qemu_t, $2, $3)
+ ')
+')
+
+#######################################
+##
+## The per role template for the qemu module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for qemu web browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`qemu_per_role_template_notrans',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ role $3 types qemu_t;
+
+ xserver_common_app($1, qemu_t)
+')
+
+
+#######################################
+##
+## The per role template for the qemu module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for qemu web browser.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`qemu_per_role_template',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ qemu_per_role_template_notrans($1, $2, $3)
+
+ domtrans_pattern($2, qemu_exec_t, qemu_t)
+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
')
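Review bot: `qemu_per_role_template` calls `domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)` but neither type is declared in qemu.te in this patch nor listed in the template's `gen_require`, which only requires `qemu_exec_t`; this looks copied from the nsplugin template and should be dropped (or the types declared and required), and `type qemu_t;` should be added to the require block since the preceding `domtrans_pattern` uses it. Both new templates describe the derived domains as "used for qemu web browser", again copied from nsplugin; say what they are actually for. `qemu_per_role_template_notrans` creates no derived domain at all, so "This template creates a derived domains" is inaccurate for it. The `samba_run_smb(qemu_t, $2, $3)` addition belongs to `qemu_run`, whose body starts outside the hunk.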
########################################
@@ -68,6 +158,64 @@
########################################
##
+## Set the schedule on qemu.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
+
+########################################
+##
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
+## transition, requiring the caller to use setexeccon().
+##
+##
+##
+## Execute qemu_exec_t
+## in the specified domain. This allows
+## the specified domain to qemu programs
+## on these filesystems in the specified
+## domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`qemu_spec_domtrans',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+########################################
+##
## Send a signal to qemu.
##
##
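Review bot: `qemu_spec_domtrans` references `$3` in `allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;` and `allow $3 $1:process sigchld;`, but the interface documents only two parameters (the caller domain and the new process type), so `$3` expands empty; these should read `allow $2 $1:fd use;` and likewise for the other two. The summary "This allows the specified domain to qemu programs on these filesystems in the specified domain" is garbled; something like "This allows the specified domain to run qemu programs in the given target domain" reads correctly.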
@@ -104,114 +252,191 @@
########################################
##
-## Execute a domain transition to run qemu unconfined.
+## Execute qemu programs in the qemu domain.
##
##
##
-## Domain allowed to transition.
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the PAM domain.
+##
+##
+##
+##
+## The type of the terminal allow the PAM domain to use.
##
##
#
-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_runas',`
gen_require(`
- type qemu_unconfined_t, qemu_exec_t;
+ type qemu_t;
')
- domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
+ qemu_domtrans($1)
+ allow qemu_t $3:chr_file rw_file_perms;
')
########################################
##
-## Creates types and rules for a basic
-## qemu process domain.
+## Execute qemu programs in the role.
##
-##
+##
##
-## Prefix for the domain.
+## The role to allow the PAM domain.
##
##
#
-template(`qemu_domain_template',`
+interface(`qemu_role',`
+ gen_require(`
+ type qemu_t;
+ ')
+ role $1 types qemu_t;
+')
- ##############################
- #
- # Local Policy
+########################################
+##
+## Execute qemu unconfined programs in the role.
+##
+##
+##
+## The role to allow the PAM domain.
+##
+##
#
+interface(`qemu_unconfined_role',`
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
+ role $1 types qemu_unconfined_t;
+')
- type $1_t;
- domain_type($1_t)
-
- type $1_tmp_t;
- files_tmp_file($1_tmp_t)
- ##############################
- #
- # Local Policy
+########################################
+##
+## Execute a domain transition to run qemu.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
#
+interface(`qemu_domtrans_unconfined',`
+ gen_require(`
+ type qemu_unconfined_t, qemu_exec_t;
+ ')
- allow $1_t self:capability { dac_read_search dac_override };
- allow $1_t self:process { execstack execmem signal getsched };
- allow $1_t self:fifo_file rw_file_perms;
- allow $1_t self:shm create_shm_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:tcp_socket create_stream_socket_perms;
+ domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
+')
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+########################################
+##
+## Execute qemu programs in the qemu unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the PAM domain.
+##
+##
+##
+##
+## The type of the terminal allow the PAM domain to use.
+##
+##
+#
+interface(`qemu_runas_unconfined',`
+ gen_require(`
+ type qemu_unconfined_t;
+ ')
- kernel_read_system_state($1_t)
+ qemu_domtrans_unconfined($1)
+ allow qemu_unconfined_t $3:chr_file rw_file_perms;
+')
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_all_if($1_t)
- corenet_tcp_sendrecv_all_nodes($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
- corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_vnc_port($1_t)
- corenet_rw_tun_tap_dev($1_t)
+########################################
+##
+## Manage qemu temporary dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
-# dev_rw_kvm($1_t)
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
- domain_use_interactive_fds($1_t)
+########################################
+##
+## Manage qemu temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
- files_read_etc_files($1_t)
- files_read_usr_files($1_t)
- files_read_var_files($1_t)
- files_search_all($1_t)
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
- fs_list_inotifyfs($1_t)
- fs_rw_anon_inodefs_files($1_t)
- fs_rw_tmpfs_files($1_t)
+########################################
+##
+## Creates types and rules for a basic
+## qemu process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`qemu_domain_template',`
- storage_raw_write_removable_device($1_t)
- storage_raw_read_removable_device($1_t)
+ gen_require(`
+ attribute qemutype;
+ ')
- term_use_ptmx($1_t)
- term_getattr_pty_fs($1_t)
- term_use_generic_ptys($1_t)
+ type $1_t, qemutype;
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
+ type $1_tmp_t, qemutmpfile;
+ files_tmp_file($1_tmp_t)
- miscfiles_read_localization($1_t)
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
- sysnet_read_config($1_t)
+ type $1_image_t;
+ virt_image($1_image_t)
-# optional_policy(`
-# samba_domtrans_smb($1_t)
-# ')
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
- optional_policy(`
- virt_manage_images($1_t)
- virt_read_config($1_t)
- virt_read_lib_files($1_t)
- ')
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
- optional_policy(`
- xserver_stream_connect_xdm_xserver($1_t)
- xserver_read_xdm_tmp_files($1_t)
- xserver_read_xdm_pid($1_t)
-# xserver_xdm_rw_shm($1_t)
- ')
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+ fs_getattr_tmpfs($1_t)
')
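Review bot: `qemu_domain_template` declares `type $1_tmp_t, qemutmpfile;` but its `gen_require` lists only `attribute qemutype;`, so the attribute should be required as well, `attribute qemutype, qemutmpfile;`, for the template to build when invoked from another module. `qemu_runas` and `qemu_runas_unconfined` document a role parameter `$2` but never use it (no `role $2 types qemu_t;`), so callers following the docs get no role authorisation; either add the role rule or drop the parameter and point callers to `qemu_role`/`qemu_unconfined_role`. Their parameter descriptions still say "PAM domain", copied from elsewhere. `virt_image($1_image_t)` is now an unconditional dependency on the virt module where the removed code wrapped virt calls in `optional_policy`; confirm that is intended, since every module invoking the template inherits it.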
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2009-02-26 15:42:13.000000000 +0100
@@ -6,6 +6,9 @@
# Declarations
#
+attribute qemutype;
+attribute qemutmpfile;
+
##
##
## Allow qemu to connect fully to the network
@@ -13,16 +16,120 @@
##
gen_tunable(qemu_full_network, false)
+##
+##
+## Allow qemu to use cifs/Samba file systems
+##
+##
+gen_tunable(qemu_use_cifs, true)
+
+##
+##
+## Allow qemu to use nfs file systems
+##
+##
+gen_tunable(qemu_use_nfs, true)
+
+##
+##
+## Allow qemu to use usb devices
+##
+##
+gen_tunable(qemu_use_usb, true)
+
type qemu_exec_t;
qemu_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
+type qemu_cache_t;
+files_type(qemu_cache_t)
+
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t)
+
+########################################
+#
+# qemu common policy
+#
+allow qemutype self:capability { dac_read_search dac_override };
+allow qemutype self:process { execstack execmem signal getsched signull };
+
+allow qemutype self:fifo_file rw_file_perms;
+allow qemutype self:shm create_shm_perms;
+allow qemutype self:unix_stream_socket create_stream_socket_perms;
+allow qemutype self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
+files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
+
+manage_dirs_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(qemu_t, qemu_var_run_t, { file dir })
+
+kernel_read_system_state(qemutype)
+
+corenet_all_recvfrom_unlabeled(qemutype)
+corenet_all_recvfrom_netlabel(qemutype)
+corenet_tcp_sendrecv_all_if(qemutype)
+corenet_tcp_sendrecv_all_nodes(qemutype)
+corenet_tcp_sendrecv_all_ports(qemutype)
+corenet_tcp_bind_all_nodes(qemutype)
+corenet_tcp_bind_vnc_port(qemutype)
+corenet_rw_tun_tap_dev(qemutype)
+
+dev_read_sound(qemutype)
+dev_write_sound(qemutype)
+dev_rw_kvm(qemutype)
+dev_rw_qemu(qemutype)
+
+domain_use_interactive_fds(qemutype)
+
+files_read_etc_files(qemutype)
+files_read_usr_files(qemutype)
+files_read_var_files(qemutype)
+files_search_all(qemutype)
+
+fs_list_inotifyfs(qemutype)
+fs_rw_anon_inodefs_files(qemutype)
+fs_rw_tmpfs_files(qemutype)
+
+term_use_ptmx(qemutype)
+term_getattr_pty_fs(qemutype)
+term_use_generic_ptys(qemutype)
+
+auth_use_nsswitch(qemutype)
+
+libs_use_ld_so(qemutype)
+libs_use_shared_libs(qemutype)
+
+miscfiles_read_localization(qemutype)
+
+optional_policy(`
+ virt_read_config(qemutype)
+ virt_read_lib_files(qemutype)
+')
+
+optional_policy(`
+ xserver_stream_connect_xdm_xserver(qemutype)
+ xserver_read_xdm_tmp_files(qemutype)
+ xserver_read_xdm_pid(qemutype)
+ xserver_rw_xdm_xserver_shm(qemutype)
+')
+
########################################
#
# qemu local policy
#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
+term_use_generic_ptys(qemu_t)
+term_use_ptmx(qemu_t)
+
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
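Review bot: `allow qemutype self:capability { dac_read_search dac_override };` at the top of the new "qemu common policy" grants DAC bypass to every domain carrying the `qemutype` attribute, including any domain later created through `qemu_domain_template`, and nothing in the hunk says why a guest process needs it; a one-line comment such as `# dac_override: <reason — TODO confirm>` above that rule would let a reviewer judge the grant. The two lines `term_use_generic_ptys(qemu_t)` / `term_use_ptmx(qemu_t)` under "qemu local policy" duplicate the `term_use_ptmx(qemutype)` / `term_use_generic_ptys(qemutype)` rules above, since qemu_t is declared with that attribute through the template, so they can be dropped. Note also that the three new tunables `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` default to `true` while the existing `qemu_full_network` defaults to `false`; if that default-open posture is intended it deserves a comment, since each of them hands `qemu_t` full manage rights on a filesystem class.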
@@ -35,6 +142,38 @@
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+ samba_domtrans_smb(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_images(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
########################################
#
# qemu_unconfined local policy
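Review bot: The `optional_policy(` xen_rw_image_files(qemu_t) ')` block is added twice in a row at the end of this hunk; the second copy is a copy-paste duplicate and should be removed. Separately, the `qemu_use_usb` tunable grants `fs_manage_dos_dirs(qemu_t)` / `fs_manage_dos_files(qemu_t)` in addition to `dev_rw_usbfs(qemu_t)`, which is broader than the description "Allow qemu to use usb devices" given in the previous hunk suggests; either narrow the block or extend that description to mention DOS/FAT filesystem access so an administrator flipping the boolean knows what it enables.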
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,4 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,2 @@
+## system-config-samba policy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,62 @@
+policy_module(sambagui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smb(sambagui_t)
+samba_domtrans_nmb(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_search_usr(sambagui_t)
+
+fs_list_inotifyfs(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+
+libs_use_ld_so(sambagui_t)
+libs_use_shared_libs(sambagui_t)
+
+# reading shadow by pdbedit
+#auth_read_shadow(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+nscd_dontaudit_search_pid(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ polkit_dbus_chat(sambagui_t)
+')
+
+permissive sambagui_t;
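Review bot: `permissive sambagui_t;` on the last line means every rule in this new module is audited but not enforced, so a domain that can `samba_manage_config`, `samba_initrc_domtrans` and `corecmd_exec_shell` ships with no MAC boundary at all; if this is development scaffolding it should carry a comment such as `# TODO: drop permissive once the domain has been exercised` so it is not released by accident. `nscd_dontaudit_search_pid(sambagui_t)` and the `samba_*` calls are used unwrapped while `consoletype_exec` and `polkit_dbus_chat` are wrapped in `optional_policy`, which is inconsistent for interfaces from non-base modules; at minimum the nscd call should be wrapped the same way. The comment `# execut apps of system-config-samba` has a typo and would read better as `# execute helper programs of system-config-samba`.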
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
#
# /home
#
-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0)
#
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.13/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/screen.if 2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
template(`screen_per_role_template',`
gen_require(`
type screen_dir_t, screen_exec_t;
+ type user_screen_ro_home_t;
')
########################################
@@ -50,8 +51,9 @@
type $1_screen_tmp_t;
files_tmp_file($1_screen_tmp_t)
- type $1_screen_ro_home_t;
- files_type($1_screen_ro_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_screen_ro_home_t alias $1_screen_ro_home_t;
+ ')
type $1_screen_var_run_t;
files_pid_file($1_screen_var_run_t)
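Review bot: Replacing the per-role `$1_screen_ro_home_t` with a `typealias` of the single `user_screen_ro_home_t` (declared in screen.te later in this patch) means the user, staff and sysadm screen domains now share one label for `~/.screenrc`, so the type no longer distinguishes whose home content it is and DAC becomes the only separation between roles for those files. If that collapse is intentional it should be stated next to the `ifelse`, e.g. `# all roles share user_screen_ro_home_t; separation of .screenrc between roles is by DAC only`. The same pattern is applied in thunderbird.if, tvtime.if and vmware.if in this patch, so one comment in each template, or a note in the commit description, would help later readers. The enclosing `screen_per_role_template` starts in the previous hunk and continues beyond this one.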
@@ -81,9 +83,9 @@
filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
files_pid_filetrans($1_screen_t, screen_dir_t, dir)
- allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
- read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
- read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
+ allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms;
+ read_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t)
+ read_lnk_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t)
allow $1_screen_t $2:process signal;
@@ -91,12 +93,12 @@
allow $2 $1_screen_t:process signal;
allow $1_screen_t $2:process signal;
- manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+ manage_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+ manage_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+ manage_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+ relabel_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+ relabel_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
+ relabel_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.13/policy/modules/apps/screen.te
--- nsaserefpolicy/policy/modules/apps/screen.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/screen.te 2009-02-10 15:07:15.000000000 +0100
@@ -11,3 +11,7 @@
type screen_exec_t;
application_executable_file(screen_exec_t)
+
+type user_screen_ro_home_t;
+userdom_user_home_content(user, user_screen_ro_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.5.13/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/slocate.te 2009-02-10 15:07:15.000000000 +0100
@@ -22,7 +22,7 @@
#
allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
-allow locate_t self:process { execmem execheap execstack };
+allow locate_t self:process { execmem execheap execstack signal };
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
@@ -46,6 +46,8 @@
fs_getattr_all_fs(locate_t)
fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
fs_list_all(locate_t)
fs_list_inotifyfs(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc
--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc 2009-02-10 15:07:15.000000000 +0100
@@ -3,4 +3,4 @@
#
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.13/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if 2009-02-10 15:07:15.000000000 +0100
@@ -43,9 +43,9 @@
application_domain($1_thunderbird_t, thunderbird_exec_t)
role $3 types $1_thunderbird_t;
- type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
- files_poly_member($1_thunderbird_home_t)
- userdom_user_home_content($1, $1_thunderbird_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_thunderbird_home_t alias $1_thunderbird_home_t;
+ ')
type $1_thunderbird_tmpfs_t;
files_tmpfs_file($1_thunderbird_tmpfs_t)
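Review bot: The removed declaration carried `files_poly_member($1_thunderbird_home_t)`, but the new `user_thunderbird_home_t` declaration in thunderbird.te in this patch only calls `userdom_user_home_content(user, user_thunderbird_home_t)`, so polyinstantiation membership for the thunderbird home directory appears to be dropped rather than moved. The same happens for tvtime: `files_poly_member($1_tvtime_home_t)` is removed from tvtime.if and tvtime.te declares `user_tvtime_home_t` without it. Unless the drop is deliberate, add `files_poly_member(user_thunderbird_home_t)` after the thunderbird.te declaration and `files_poly_member(user_tvtime_home_t)` after the tvtime.te one; if it is deliberate, a comment saying so would stop the next reader from re-adding it. The enclosing `thunderbird_per_role_template` starts before this hunk.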
@@ -64,9 +64,9 @@
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
# Access ~/.thunderbird
- manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
+ manage_dirs_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
+ manage_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
+ manage_lnk_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t)
userdom_search_user_home_dirs($1, $1_thunderbird_t)
manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
@@ -87,13 +87,13 @@
ps_process_pattern($2,$1_thunderbird_t)
# Access ~/.thunderbird
- manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-
- relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
+ manage_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+ manage_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+ manage_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+
+ relabel_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+ relabel_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
+ relabel_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t)
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
@@ -153,10 +153,10 @@
miscfiles_read_fonts($1_thunderbird_t)
miscfiles_read_localization($1_thunderbird_t)
- userdom_manage_user_tmp_dirs($1, $1_thunderbird_t)
+ unprivuser_manage_tmp_dirs($1_thunderbird_t)
userdom_read_user_tmp_files($1, $1_thunderbird_t)
userdom_write_user_tmp_sockets($1, $1_thunderbird_t)
- userdom_manage_user_tmp_sockets($1, $1_thunderbird_t)
+ unprivuser_manage_tmp_sockets($1_thunderbird_t)
# .kde/....gtkrc
userdom_read_user_home_content_files($1, $1_thunderbird_t)
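Review bot: `unprivuser_manage_tmp_dirs($1_thunderbird_t)` and `unprivuser_manage_tmp_sockets($1_thunderbird_t)` take no role prefix, so — if those interfaces are unparameterised as their signature suggests — every role's thunderbird domain now manages the unprivileged user's tmp dirs and sockets regardless of `$1`, while the adjacent `userdom_read_user_tmp_files($1, …)` and `userdom_write_user_tmp_sockets($1, …)` stay per-role. That mix gives e.g. a staff-derived domain manage rights on user tmp content but only read rights on its own role's, which is hard to reason about; either convert the remaining `userdom_*` calls the same way or add a comment explaining why only the manage interfaces were changed. The same substitution appears in the next hunk (`unprivuser_manage_untrusted_content_files`) and in wireshark.if (`unprivuser_manage_home_content_files`). The enclosing template starts before this hunk.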
@@ -294,8 +294,8 @@
files_search_home($1_thunderbird_t)
files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file)
files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir)
- userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
+ unprivuser_manage_untrusted_content_files($1_thunderbird_t)
+ unprivuser_manage_untrusted_content_tmp_files($1_thunderbird_t)
userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.13/policy/modules/apps/thunderbird.te
--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te 2009-02-10 15:07:15.000000000 +0100
@@ -8,3 +8,7 @@
type thunderbird_exec_t;
application_executable_file(thunderbird_exec_t)
+
+type user_thunderbird_home_t alias user_thunderbird_rw_t;
+userdom_user_home_content(user, user_thunderbird_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.13/policy/modules/apps/tvtime.if
--- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if 2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
template(`tvtime_per_role_template',`
gen_require(`
type tvtime_exec_t;
+ type user_tvtime_home_t, user_tvtime_tmp_t;
')
########################################
@@ -46,12 +47,10 @@
application_domain($1_tvtime_t, tvtime_exec_t)
role $3 types $1_tvtime_t;
- type $1_tvtime_home_t alias $1_tvtime_rw_t;
- userdom_user_home_content($1, $1_tvtime_home_t)
- files_poly_member($1_tvtime_home_t)
-
- type $1_tvtime_tmp_t;
- files_tmp_file($1_tvtime_tmp_t)
+ ifelse(`$1',`user',`',`
+ typealias user_tvtime_home_t alias $1_tvtime_home_t;
+ typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t;
+ ')
type $1_tvtime_tmpfs_t;
files_tmpfs_file($1_tvtime_tmpfs_t)
@@ -67,14 +66,14 @@
allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
# X access, Home files
- manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
- userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir)
-
- manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
- manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir })
+ manage_dirs_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t)
+ manage_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t)
+ manage_lnk_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t)
+ userdom_user_home_dir_filetrans($1, $1_tvtime_t, user_tvtime_home_t, dir)
+
+ manage_dirs_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t)
+ manage_files_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t)
+ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t, { file dir })
manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
@@ -86,12 +85,12 @@
domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
# X access, Home files
- manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
+ manage_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+ manage_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+ manage_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+ relabel_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+ relabel_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
+ relabel_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t)
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_tvtime_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.13/policy/modules/apps/tvtime.te
--- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te 2009-02-10 15:07:15.000000000 +0100
@@ -11,3 +11,9 @@
type tvtime_dir_t;
files_pid_file(tvtime_dir_t)
+
+type user_tvtime_home_t alias user_tvtime_rw_t;
+userdom_user_home_content(user, user_tvtime_home_t)
+
+type user_tvtime_tmp_t;
+files_tmp_file(user_tvtime_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.13/policy/modules/apps/uml.fc
--- nsaserefpolicy/policy/modules/apps/uml.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/uml.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
#
# HOME_DIR/
#
-HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0)
#
# /usr
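Review bot: The file context now names `user_uml_rw_t` literally, but this patch contains no uml.if or uml.te hunk, so that type exists only if the uml per-role template is always instantiated with the `user` prefix; if a build omits that instantiation, file-context loading fails on the unknown type. If the `user` instance is guaranteed by the policy build, a short comment on the line, `# user_uml_rw_t is declared by the user instance of the uml template`, records the dependency; otherwise the type should be declared unconditionally in uml.te as was done for screen, thunderbird and tvtime in this patch.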
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.13/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc 2009-02-11 10:10:27.000000000 +0100
@@ -1,9 +1,9 @@
#
# HOME_DIR/
#
-HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_home_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0)
#
# /etc
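Review bot: The three home-directory entries now all map to `vmware_home_t`, merging what were two types, `ROLE_vmware_conf_t` for the `.cfg` configuration files and `ROLE_vmware_file_t` for disk images; the vmware.if change later in this patch then grants `manage_files_pattern` and `manage_lnk_files_pattern` on the combined type, so the configuration files pick up the link-file rules the conf type never had and the policy can no longer tell a guest disk from its configuration. If this is the intended simplification, the `type vmware_home_t;` declaration in vmware.te should say so, e.g. `# single type for all ~/.vmware and ~/vmware content (configs and disk images)`; with the merge in place the `\.cfg` pattern on the second line no longer selects a different context and is only still needed for `.vmware*` directories outside the first pattern.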
@@ -21,32 +21,26 @@
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
-/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-ifdef(`distro_redhat',`
-/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-')
-
/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
-
ifdef(`distro_gentoo',`
/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
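Review bot: Removing the `ifdef(`distro_redhat',…)` block drops the `vmware_host_exec_t` labels for `/usr/lib/vmware-tools/sbin32/vmware.*` and `/usr/lib/vmware-tools/sbin64/vmware.*`, and nothing else in the hunk re-adds those paths, so on Red Hat builds those guest-tools binaries would fall back to default labeling and no longer enter `vmware_host_t`; if they are no longer shipped there, the commit description should say so. The two `/usr/sbin/` entries moved up in this hunk now sit between `/usr/bin/` entries, breaking the file's path ordering; placing them after the `/usr/lib64/` block keeps the listing sorted.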
@@ -63,6 +57,5 @@
')
/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
-
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.13/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/vmware.if 2009-02-10 15:07:15.000000000 +0100
@@ -47,11 +47,8 @@
domain_entry_file($1_vmware_t, vmware_exec_t)
role $3 types $1_vmware_t;
- type $1_vmware_conf_t;
- userdom_user_home_content($1, $1_vmware_conf_t)
-
- type $1_vmware_file_t;
- userdom_user_home_content($1, $1_vmware_file_t)
+ typealias vmware_home_t alias $1_vmware_file_t;
+ typealias vmware_home_t alias $1_vmware_conf_t;
type $1_vmware_tmp_t;
files_tmp_file($1_vmware_tmp_t)
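Review bot: The two `typealias vmware_home_t alias …` lines reference `vmware_home_t` inside the template, but the template's `gen_require` block lies above this hunk and is not changed by the patch; unless it already lists `type vmware_home_t;` the template will fail to build, since the type is declared in vmware.te rather than in this file. Please confirm the requirement is present, adding `type vmware_home_t;` to the `gen_require` if not. The enclosing per-role template starts before this hunk and continues beyond it.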
@@ -84,12 +81,9 @@
can_exec($1_vmware_t, vmware_exec_t)
- # User configuration files
- allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
-
# VMWare disks
- manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
- manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
+ manage_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t)
+ manage_lnk_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t)
allow $1_vmware_t $1_vmware_tmp_t:file execute;
manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.13/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/vmware.te 2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
type vmware_exec_t;
corecmd_executable_file(vmware_exec_t)
+type vmware_home_t;
+userdom_user_home_content(user, vmware_home_t)
+
# VMWare host programs
type vmware_host_t;
type vmware_host_exec_t;
@@ -32,7 +35,7 @@
allow vmware_host_t self:capability { setgid setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
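Review bot: `allow vmware_host_t self:process { execstack execmem signal_perms };` widens the host helper to executable stacks and anonymous executable memory without any comment on which binary needs it, and these are the permissions the policy normally reserves for domains that cannot avoid them. A short justification above the rule, such as `# execmem/execstack: required by <component — TODO confirm>`, would let the grant be revisited when the host programs change.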
@@ -48,6 +51,8 @@
manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+files_search_home(vmware_host_t)
+
kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
@@ -108,3 +113,13 @@
optional_policy(`
udev_read_db(vmware_host_t)
')
+
+optional_policy(`
+ unconfined_domain(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_xserver_shm(vmware_host_t)
+')
+
+
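Review bot: `unconfined_domain(vmware_host_t)` inside an `optional_policy` block means that on any system where the unconfined module is loaded the domain runs with no MAC restriction, and every allow, dontaudit and `optional_policy` rule for `vmware_host_t` above it becomes moot; a reader of the fine-grained rules in this file would not expect that. If the intent is "confine only when the unconfined module is absent", say so with a comment on the block, e.g. `# with the unconfined module present vmware_host_t is fully unconfined; the rules above apply only without it`, and consider gating it behind a tunable so administrators can opt out. The hunk also adds two trailing blank lines at the end of the file.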
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2009-02-10 15:07:15.000000000 +0100
@@ -68,6 +68,8 @@
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+fs_list_inotifyfs(webalizer_t)
files_read_etc_files(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2009-03-06 09:53:41.000000000 +0100
@@ -1,4 +1,15 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
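Review bot: `HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)` labels files under a user's own home directory as the entry-point type for `wine_t`, a domain that wine.te in this patch may run through `unconfined_domain_noaudit`; because the owner of the home directory controls what sits at that path, the label, and therefore the transition into that domain, is effectively under user control rather than the policy's. If a per-user CrossOver install has to be supported, that trade-off should be written next to the entry, e.g. `# user-writable path: whoever owns HOME_DIR decides what runs as wine_t`, so it is not mistaken for a system binary label. Also note that `/usr/bin/wine.*` now matches every binary whose name starts with `wine`, which is broader than the single `/usr/bin/wine` it replaces.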
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2009-02-10 15:07:15.000000000 +0100
@@ -49,3 +49,53 @@
role $2 types wine_t;
allow wine_t $3:chr_file rw_term_perms;
')
+
+#######################################
+##
+## The per role template for the wine module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for wine applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`wine_per_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t, wine_exec_t)
+ role $3 types $1_wine_t;
+
+ domain_interactive_fd($1_wine_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+
+ allow $1_wine_t self:process { execheap execmem };
+
+ domtrans_pattern($2, wine_exec_t, $1_wine_t)
+
+ optional_policy(`
+ xserver_rw_xdm_xserver_shm($1_wine_t)
+ ')
+')
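Review bot: The header comment of the new `wine_per_role_template` reads `## This template creates a derived domains which are used`, which should be `## This template creates a derived domain which is used`; the block also appears to lack the `<summary>`/`<param>` markup the other interface headers in this tree carry, though that may be an artefact of how the patch was captured. In the body, `userdom_unpriv_usertype($1, $1_wine_t)` makes the derived domain a full unprivileged user type and then adds `execheap execmem` on top of that, so a one-line comment stating that `$1_wine_t` is intentionally as capable as the user domain plus executable heap/memory would help reviewers judge it; the template is complete within this hunk.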
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.13/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wine.te 2009-02-10 15:07:15.000000000 +0100
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
+role system_r types wine_t;
########################################
#
@@ -17,10 +18,17 @@
optional_policy(`
allow wine_t self:process { execstack execmem execheap };
+ domain_mmap_low_type(wine_t)
+ domain_mmap_low(wine_t)
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
+')
+
optional_policy(`
hal_dbus_chat(wine_t)
')
+
+optional_policy(`
+ xserver_rw_xdm_xserver_shm(wine_t)
')
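Review bot: `domain_mmap_low_type(wine_t)` and `domain_mmap_low(wine_t)` are added inside the same `optional_policy` block as `unconfined_domain_noaudit(wine_t)`, so when that block is not built wine_t gets neither; if low memory mappings are a requirement of wine itself rather than of the unconfined configuration, those two lines belong outside the block. The block also has no comment naming which module it is optional on, unlike the new `hal_dbus_chat` and `xserver_rw_xdm_xserver_shm` blocks whose interface names make it obvious; `# optional on the unconfined module` above it would make the dependency explicit.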
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if
--- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if 2009-02-10 15:07:15.000000000 +0100
@@ -134,7 +134,7 @@
sysnet_read_config($1_wireshark_t)
- userdom_manage_user_home_content_files($1, $1_wireshark_t)
+ unprivuser_manage_home_content_files($1_wireshark_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_wireshark_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.5.13/policy/modules/apps/wm.fc
--- nsaserefpolicy/policy/modules/apps/wm.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/wm.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,3 @@
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.5.13/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/wm.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,178 @@
+## Window Manager.
+
+#######################################
+##
+## Template to create types and rules common to
+## any window manager domains.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The prefix of the X server domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`wm_domain_template',`
+ gen_require(`
+ type wm_exec_t;
+ type xserver_exec_t;
+ type tmpfs_t;
+ type proc_t;
+ type security_t, selinux_config_t;
+ type $1_t;
+ type $1_tmp_t;
+ type info_xproperty_t, xselection_t;
+ type $2_t, $2_xproperty_t, $2_input_xevent_t, $2_manage_xevent_t, $2_property_xevent_t;
+ type $2_focus_xevent_t, $2_client_xevent_t;
+ type $2_rootwindow_t, $2_xserver_t, $2_xserver_tmp_t;
+ type $1_xproperty_t;
+ type memory_device_t;
+ type output_xext_t;
+ type security_xext_t;
+ type $1_home_t;
+ type $1_tty_device_t;
+ type shell_exec_t;
+ type default_t;
+ type home_root_t;
+ type $1_home_dir_t;
+ type $2_home_t;
+
+ class x_colormap all_x_colormap_perms;
+ class x_device all_x_device_perms;
+ class x_drawable all_x_drawable_perms;
+ class x_property all_x_property_perms;
+ class x_server all_x_server_perms;
+ class x_resource all_x_resource_perms;
+ class x_screen all_x_screen_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
+ class x_event all_x_event_perms;
+ class x_selection all_x_selection_perms;
+ class x_extension all_x_extension_perms;
+ attribute $1_x_domain;
+ ')
+
+ type $1_wm_t;
+ domain_type($1_wm_t)
+ domain_entry_file($1_wm_t,wm_exec_t)
+ role $1_r types $1_wm_t;
+
+ domtrans_pattern($1_t, wm_exec_t, $1_wm_t)
+
+ type $1_wm_tmpfs_t;
+# xserver_use($2, $1, $1_wm_t)
+ xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t)
+
+ files_read_etc_files($1_wm_t)
+
+ libs_use_ld_so($1_wm_t)
+ libs_use_shared_libs($1_wm_t)
+
+ nscd_dontaudit_search_pid($1_wm_t)
+
+ miscfiles_read_localization($1_wm_t)
+
+ dev_read_urand($1_wm_t)
+
+ files_list_tmp($1_wm_t)
+
+ allow $1_wm_t proc_t:file { read getattr };
+
+ allow $1_wm_t info_xproperty_t:x_property { write create };
+
+ allow $1_wm_t self:process getsched;
+ allow $1_wm_t self:x_drawable blend;
+
+ allow $1_wm_t tmpfs_t:file { read write };
+
+ allow $1_wm_t usr_t:file { read getattr };
+ allow $1_wm_t usr_t:lnk_file read;
+
+ allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name };
+ allow $1_wm_t $1_tmp_t:sock_file { write create unlink };
+
+ allow $1_wm_t $1_t:unix_stream_socket connectto;
+ allow $1_wm_t self:fifo_file { write read };
+
+
+ allow $1_wm_t $2_client_xevent_t:x_synthetic_event send;
+ allow $1_wm_t $2_focus_xevent_t:x_event receive;
+ allow $1_wm_t $2_input_xevent_t:x_event receive;
+ allow $1_wm_t $2_manage_xevent_t:x_event receive;
+ allow $1_wm_t $2_manage_xevent_t:x_synthetic_event { receive send };
+ allow $1_wm_t $2_property_xevent_t:x_event receive;
+ allow $1_wm_t $2_xproperty_t:x_property { read write destroy };
+ allow $1_wm_t $2_rootwindow_t:x_colormap { install uninstall use add_color remove_color read };
+ allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override };
+ allow $1_wm_t $2_xproperty_t:x_property { write read };
+ allow $1_wm_t $2_xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write };
+ allow $1_wm_t $2_xserver_t:x_resource { read write };
+ allow $1_wm_t $2_xserver_t:x_screen setattr;
+ allow $1_wm_t xselection_t:x_selection setattr;
+
+ allow $1_wm_t $2_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
+ allow $1_wm_t $2_t:x_resource { read write };
+
+ ifdef(`enable_mls',`
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+
+ mls_xwin_read_all_levels($1_wm_t)
+ mls_xwin_write_all_levels($1_wm_t)
+
+ mls_fd_use_all_levels($1_wm_t)
+ ')
+
+ corecmd_exec_bin($1_wm_t)
+ can_exec($1_wm_t, { shell_exec_t })
+ domtrans_pattern($1_wm_t,bin_t,$1_t)
+
+ allow $1_t $1_wm_t:unix_stream_socket connectto;
+ allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child };
+
+ allow $1_t $1_wm_t:process signal;
+
+ optional_policy(`
+ dbus_system_bus_client_template($1_wm,$1_wm_t)
+ dbus_user_bus_client_template($1,$1_wm,$1_wm_t)
+ ')
+
+ allow $1_wm_t $1_home_t:dir { search getattr };
+ allow $1_wm_t $1_tty_device_t:chr_file { write read };
+ allow $1_wm_t $1_xproperty_t:x_property { read write destroy };
+ allow $1_wm_t default_t:dir search;
+ allow $1_wm_t home_root_t:dir search;
+ allow $1_wm_t $1_home_dir_t:dir search;
+ allow $1_wm_t $2_xserver_tmp_t:dir search;
+ allow $1_wm_t $2_xserver_tmp_t:lnk_file read;
+ allow $1_wm_t $1_home_dir_t:dir search_dir_perms;
+ manage_files_pattern($1_wm_t,$1_tmp_t,$1_tmp_t)
+ allow $1_wm_t $2_home_t:file { write read getattr };
+ allow $1_wm_t $2_xserver_t:unix_stream_socket connectto;
+ allow $1_wm_t $2_xserver_tmp_t:sock_file write;
+ manage_lnk_files_pattern($1_wm_t, $2_xserver_tmp_t, $2_xserver_tmp_t)
+ allow $1_wm_t security_xext_t:x_extension { query use };
+')
+
+########################################
+##
+## Execute the wm program in the wm domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`wm_exec',`
+ gen_require(`
+ type wm_exec_t;
+ ')
+
+ can_exec($1, wm_exec_t)
+')
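Review bot: The template body uses `usr_t` (`allow $1_wm_t usr_t:file { read getattr }`, `allow $1_wm_t usr_t:lnk_file read`) and `bin_t` (`domtrans_pattern($1_wm_t,bin_t,$1_t)`) without listing them in gen_require, which a modular build rejects as out-of-scope types; refpolicy style is to go through the owning module anyway, e.g. `files_read_usr_files($1_wm_t)` and `corecmd_bin_domtrans($1_wm_t, $1_t)`. Several required names (`xserver_exec_t`, `security_t`, `selinux_config_t`, `memory_device_t`, `output_xext_t`, `$1_x_domain`) are never used in the body and can be dropped, and both `$2_xproperty_t:x_property` and `$1_home_dir_t:dir` are granted twice with overlapping permissions. The `domtrans_pattern` to `$1_t` on bin_t also installs a default transition that makes `corecmd_exec_bin($1_wm_t)` two lines above ineffective for bin_t executables unless the caller sets an exec context explicitly, which looks unintentional — keep one or the other. Under `enable_mls` the domain receives `mls_file_read_all_levels`/`mls_file_write_all_levels`, which makes a window manager an MLS-trusted subject for every file on the system, so a comment explaining why the `mls_xwin_*` grants alone are not enough would help reviewers, and the commented-out `# xserver_use(...)` line should be deleted rather than shipped.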
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.5.13/policy/modules/apps/wm.te
--- nsaserefpolicy/policy/modules/apps/wm.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/apps/wm.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,10 @@
+policy_module(wm,0.0.4)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+
+wm_domain_template(user,xdm)
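Review bot: `wm_domain_template(user,xdm)` instantiates the window-manager domain for the `user` prefix only, so staff or sysadm sessions running twm/openbox/metacity stay in their own domain instead of transitioning to a `*_wm_t`; if that asymmetry is deliberate a comment above the call should say so, otherwise the other login prefixes need their own instantiation. A short note on why `xdm` is passed as the X server prefix would also help, since the template documents its second argument as the prefix of the X server domain.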
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-02-26 15:48:02.000000000 +0100
@@ -123,12 +123,17 @@
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
+
ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/Adobe(/.*)?/sidecars(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
@@ -176,6 +181,8 @@
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
+
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -184,10 +191,8 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
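Review bot: Collapsing the Brother/Printer entries to `/usr/local/Brother(/.*)?` and `/usr/local/Printer(/.*)?` labels every file under those trees bin_t, not only the cupswrapper and lpd executables the removed lines targeted, so configuration, PPD and data files become executable content for every domain that has corecmd_exec_bin. If the driver packages really scatter executables across the whole tree, a comment above the two lines saying so would justify the widening; otherwise `--` regular-file entries for the known executable subdirectories is the narrower choice.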
@@ -202,6 +207,7 @@
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -222,14 +228,15 @@
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/vmware-tools/sbin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
@@ -292,3 +299,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
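Review bot: `/usr/lib(64)?/nspluginwrapper/npconfig` and `.../npviewer` carry no file-type field, unlike the `--` entries for `pam_krb5_storetmp` a few lines below, so they also match a directory or symlink of that name; if they are regular files, add `--` for consistency with the rest of the file. These additions are also appended after the `distro_suse` block instead of in the `/usr` section above, which makes them easy to miss when the file is next tidied.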
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.13/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if 2009-02-10 15:07:15.000000000 +0100
@@ -894,6 +894,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, chroot_exec_t)
+ allow $1 self:capability sys_chroot;
')
########################################
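Review bot: `allow $1 self:capability sys_chroot;` turns an execute interface into one that also hands out CAP_SYS_CHROOT, and every existing caller silently gains that capability; since chroot is a privilege boundary, the grant should be visible in the interface description (outside this hunk) and preferably live in a separate interface that callers opt into. At minimum add a comment above the line, e.g. `# the capability is needed to perform the chroot, not just to exec it`, so the coupling is explicit. The enclosing interface starts outside the hunk.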
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2009-02-10 15:07:15.000000000 +0100
@@ -1288,6 +1288,24 @@
########################################
##
+## Connect TCP sockets to all ports > 1024.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute port_type, reserved_port_type;
+ ')
+
+ allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+')
+
+########################################
+##
## Send and receive TCP network traffic on all reserved ports.
##
##
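Review bot: The summary `Connect TCP sockets to all ports > 1024.` is off by one against the rule: `{ port_type -reserved_port_type }` keeps every port type that is not reserved, and reserved ports are 0-1023, so 1024 itself is included — write `all ports >= 1024` or simply `all unreserved ports`, matching the interface name. It is also worth noting in the description that the bind interfaces changed later in this diff subtract different types, so a reader comparing the two does not assume "unreserved" means the same set in both.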
@@ -1441,10 +1459,11 @@
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute port_type;
+ type hi_reserved_port_t, reserved_port_t;
')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
')
########################################
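Review bot: Replacing `-reserved_port_type` with `-hi_reserved_port_t -reserved_port_t` widens `corenet_tcp_bind_all_unreserved_ports` considerably: the attribute also covers named port types below 1024 (corenetwork.te.in declares `biff_port_t, port_type, reserved_port_type`, and the `network_port` entries for ssh, dns, smtp etc. presumably get the same attribute), whereas the two subtracted types are only the generic fallbacks, so a domain given this interface can now bind named privileged ports as well — the interface name and its description no longer match what it allows. If the goal is to let callers bind the unnamed ports those two types cover, give that a differently named interface, or spell out the new meaning in the doc block above (outside this hunk). The same change is made to `corenet_udp_bind_all_unreserved_ports` in the next hunk, while the new `corenet_tcp_connect_all_unreserved_ports` added earlier in this file still subtracts the attribute, so "unreserved" now means two different things within one file.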
@@ -1459,10 +1478,11 @@
#
interface(`corenet_udp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute port_type;
+ type hi_reserved_port_t, reserved_port_t;
')
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
')
########################################
@@ -1560,6 +1580,24 @@
########################################
##
+## Getattr the point-to-point device.
+##
+##
+##
+## The domain allowed access.
+##
+##
+#
+interface(`corenet_getattr_ppp_dev',`
+ gen_require(`
+ type ppp_device_t;
+ ')
+
+ allow $1 ppp_device_t:chr_file getattr;
+')
+
+########################################
+##
## Read and write the point-to-point device.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2009-02-10 15:07:15.000000000 +0100
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.10.0)
+policy_module(corenetwork, 1.10.2)
########################################
#
@@ -65,10 +65,13 @@
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
+network_port(afs_client, udp,7001,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
network_port(afs_vl, udp,7003,s0)
+network_port(agentx, udp,705,s0, tcp,705,s0)
+
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
@@ -79,26 +82,33 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+network_port(certmaster, tcp,51235,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(comsat, udp,512,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dccm, tcp,5679,s0, udp,5679,s0)
network_port(dbskkd, tcp,1178,s0)
-network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0)
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
+network_port(ftps, tcp,990,s0, udp,990,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
@@ -109,6 +119,7 @@
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
+network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
@@ -117,6 +128,8 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kismet, tcp,2501,s0)
+network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -126,6 +139,7 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -136,12 +150,21 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
+network_port(pingd, tcp,9125,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
+network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0)
+network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0)
network_port(postfix_policyd, tcp,10031,s0)
+network_port(pulseaudio, tcp,4713,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
+network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
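Review bot: The `pki_*` lines use `tcp, 9180, s0` spacing while the rest of the file writes `tcp,9180,s0`; the same drift appears on the snmp, streaming, tor and whois lines in the following hunks, and the whois line has a stray space before a comma (`s0 ,`) and a trailing one (`s0 )`). m4 strips leading but not trailing whitespace from arguments, so the trailing space survives into the generated portcon; it probably compiles, but normalising these lines to the file's `proto,port,level` form before merge avoids having to find out.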
@@ -159,9 +182,11 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
network_port(spamd, tcp,783,s0)
+network_port(speech, tcp,8036,s0)
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -170,14 +195,17 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(vnc, tcp,5900,s0)
network_port(wccp, udp,2048,s0)
-network_port(whois, tcp,43,s0, udp,43,s0)
+# Reserve 100 ports for vnc/virt machines
+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
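Review bot: The comment `# Reserve 100 ports for vnc/virt machines` does not match the range beneath it — `5901-5999` is 99 ports — and the range also covers 5988 and 5989, which `network_port(pegasus_http, tcp,5988,s0)` and `pegasus_https` claim earlier in this file. Overlapping portcons are resolved by statement order in the compiled policy, so which label those two ports get is not visible here; either split the range (`5901-5987` and `5990-5999`) or state in the comment which assignment is intended. Placing the portcon directly after `network_port(vnc, tcp,5900,s0)` rather than between wccp and whois would also keep the vnc declarations together.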
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,7 +1,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/.* gen_context(system_u:object_r:device_t,s0)
-
+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -12,42 +12,59 @@
/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
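Review bot: `/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)` labels every character device whose name begins with a digit as a USB device, which is far broader than the other usb entries and has no obvious relation to USB naming; if it is meant for numbered nodes under a USB bus directory the path does not match those, so either tighten the pattern or add a comment naming the device it is for. The new `gtrsc`/`pcfclock` and `elographics`/`jbm` lines are also inserted out of the alphabetical order the surrounding entries keep.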
@@ -69,14 +86,14 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
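Review bot: Widening the three removed patterns to `/dev/usb.+` also captures nodes that were not previously usb_device_t, such as `/dev/usbscanner`, which keeps `scanner_device_t` only inside the `distro_suse` block below; on other distributions it now becomes a USB device instead of falling through to the generic `/dev/.*` entry. If that is acceptable, a short comment above the line will stop the next reader from re-narrowing it; otherwise move the usbscanner entry out of the ifdef.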
@@ -91,6 +108,7 @@
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
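Review bot: `/dev/cpu_dma_latency` is grouped with `/dev/network_latency` and `/dev/network_throughput` under `netcontrol_device_t`, so any domain granted the network-control device also gets the CPU DMA latency knob, and the type name hides that. A comment such as `# latency/throughput QoS nodes share netcontrol_device_t` above the entry, or a more neutral type name, would make the grouping deliberate rather than accidental.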
@@ -98,13 +116,25 @@
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/pts(/.*)? <>
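Review bot: `/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0)` is a catch-all for the whole input directory, and whether a `/dev/input/mouse0`-style node ends up `mouse_device_t` (via `/dev/input/.*mouse.*` and `/dev/input/m.*`) or `event_device_t` depends on how the build-time file-context sort orders these equally-stemmed patterns, not on their order here; verify with matchpathcon on the installed policy and add a comment recording the expected result. `/dev/bometric/sensor.*` also reads like a typo for `biometric` — worth checking against the driver that creates the node before it ships.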
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-02-10 15:07:15.000000000 +0100
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1, device_t, device_node)
relabelfrom_files_pattern($1, device_t, device_node)
- relabelfrom_lnk_files_pattern($1, device_t, device_node)
+ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
relabelfrom_fifo_files_pattern($1, device_t, device_node)
relabelfrom_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -167,6 +167,25 @@
########################################
##
+## Manage of directories in /dev.
+##
+##
+##
+## Domain allowed to relabel.
+##
+##
+#
+interface(`dev_manage_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1, device_t, device_t)
+')
+
+
+########################################
+##
## Delete a directory in the device directory.
##
##
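Review bot: The parameter description for `dev_manage_generic_dirs` says `Domain allowed to relabel.`, which was copied from a relabel interface; this one grants `manage_dirs_pattern`, so it should read `Domain allowed access.` like the other interfaces added in this diff. The summary `Manage of directories in /dev.` should be `Manage directories in /dev.`, and there is a doubled blank line before the next header.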
@@ -381,6 +400,24 @@
getattr_chr_files_pattern($1, device_t, device_t)
')
+#######################################
+##
+## Allow setattr for generic character device files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, device_t)
+')
+
########################################
##
## Dontaudit getattr for generic character device files.
@@ -667,6 +704,7 @@
')
dontaudit $1 device_node:blk_file getattr;
+ dev_dontaudit_getattr_generic_blk_files($1)
')
########################################
@@ -704,6 +742,7 @@
')
dontaudit $1 device_node:chr_file getattr;
+ dev_dontaudit_getattr_generic_chr_files($1)
')
########################################
@@ -1160,6 +1199,25 @@
########################################
##
+## Set the attributes of the CPU
+## microcode and id interfaces.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_cpu_dev',`
+ gen_require(`
+ type device_t, cpu_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+##
## Read the CPU identity.
##
##
@@ -1958,6 +2016,42 @@
########################################
##
+## Get the attributes of the null device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+##
+## Set the attributes of the null device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+##
## Read and write to the null device (/dev/null).
##
##
@@ -2769,6 +2863,24 @@
########################################
##
+## Read generic the USB devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_generic_usb_dev',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+##
## Read and write generic the USB devices.
##
##
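Review bot: `dev_read_generic_usb_dev` uses `device_t` in `read_chr_files_pattern($1, device_t, usb_device_t)` but its gen_require block lists only `usb_device_t`; the next hunk's `dev_rw_generic_usb_pipes` has the same gap (`allow $1 device_t:dir search_dir_perms;` with only usb_device_t required). Every other new interface here requires both, e.g. `type device_t, kvm_device_t;`, so change both blocks to `type device_t, usb_device_t;`.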
@@ -2787,6 +2899,97 @@
########################################
##
+## Read and write generic the USB fifo files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_generic_usb_pipes',`
+ gen_require(`
+ type usb_device_t;
+ ')
+
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Get the attributes of the kvm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_kvm_dev',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+##
+## Set the attributes of the kvm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_kvm_dev',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+##
+## Read the kvm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+##
+## Read and write to kvm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+##
## Mount a usbfs filesystem.
##
##
@@ -3322,3 +3525,242 @@
typeattribute $1 devices_unconfined_type;
')
+
+########################################
+##
+## Get the attributes of the autofs device node.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_autofs_dev',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes of
+## the autofs device node.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+##
+## Set the attributes of the autofs device node.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_autofs_dev',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+##
+## Do not audit attempts to set the attributes of
+## the autofs device node.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+ gen_require(`
+ type autofs_device_t;
+ ')
+
+ dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+##
+## Read and write the autofs device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_autofs',`
+ gen_require(`
+ type device_t, autofs_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+##
+## Get the attributes of the network control device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_netcontrol',`
+ gen_require(`
+ type device_t, netcontrol_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+##
+## Read the network control identity.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_netcontrol',`
+ gen_require(`
+ type device_t, netcontrol_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+##
+## Read and write the the network control device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_netcontrol',`
+ gen_require(`
+ type device_t, netcontrol_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+##
+## Get the attributes of the QEMU
+## microcode and id interfaces.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+##
+## Set the attributes of the QEMU
+## microcode and id interfaces.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+##
+## Read the QEMU device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+##
+## Read and write the the QEMU device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+#######################################
+##
+## Set the attributes of the tty device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_tty',`
+ gen_require(`
+ type devtty_t;
+ ')
+
+ setattr_chr_files_pattern($1, devtty_t, devtty_t)
+')
+
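Review bot: dev_setattr_tty (L5573-L5579) passes devtty_t as both the directory and the node type, but devtty_t is the character node itself, so the pattern grants search on a devtty_t:dir that does not exist and nothing on device_t, the directory that holds the node; every other interface in this hunk uses device_t as the first type argument. Change the require to `type device_t, devtty_t;` and the rule to `setattr_chr_files_pattern($1, device_t, devtty_t)`. The separator at L5563 is one character shorter than the others, "the the" appears at L5473 and L5547, and "Read the network control identity." at L5455 presumably means "device".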
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-02-10 15:07:15.000000000 +0100
@@ -32,6 +32,12 @@
type apm_bios_t;
dev_node(apm_bios_t)
+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)
@@ -49,6 +55,12 @@
type cpu_device_t;
dev_node(cpu_device_t)
+#
+# network control devices
+#
+type netcontrol_device_t;
+dev_node(netcontrol_device_t)
+
# for the IBM zSeries z90crypt hardware ssl accelorator
type crypt_device_t;
dev_node(crypt_device_t)
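Review bot: The comment for netcontrol_device_t (L5600) says only "network control devices" and does not name the node, unlike the sibling comments "Type for /dev/autofs" (L5588) and "Type for /dev/ipmi/0" (L5611); qemu_device_t at L5635 has the same gap. A reader cannot tell from the .te which path is expected to carry this label, so write it as `# Type for <device node path>` with the actual path. The declaration is also placed between cpu_device_t and crypt_device_t, which breaks the alphabetical order the surrounding declarations follow.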
@@ -66,12 +78,25 @@
dev_node(framebuf_device_t)
#
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
+#
# Type for /dev/kmsg
#
type kmsg_device_t;
dev_node(kmsg_device_t)
#
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
+#
# Type for /dev/mapper/control
#
type lvm_control_t;
@@ -118,6 +143,12 @@
dev_node(nvram_device_t)
#
+# qemu control devices
+#
+type qemu_device_t;
+dev_node(qemu_device_t)
+
+#
# Type for /dev/pmu
#
type power_device_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2009-02-10 15:07:15.000000000 +0100
@@ -1247,18 +1247,34 @@
##
##
#
-interface(`domain_mmap_low',`
+interface(`domain_mmap_low_type',`
gen_require(`
attribute mmap_low_domain_type;
')
- allow $1 self:memprotect mmap_zero;
-
typeattribute $1 mmap_low_domain_type;
')
########################################
##
+## Ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+##
+##
+##
+## Domain allowed to mmap low memory.
+##
+##
+#
+interface(`domain_mmap_low',`
+
+ allow $1 self:memprotect mmap_zero;
+')
+
+########################################
+##
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
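Review bot: The new domain_mmap_low (L5673-L5676) grants self:memprotect mmap_zero without adding the caller to mmap_low_domain_type, so that attribute no longer enumerates every domain able to map the low address range; if anything elsewhere in the policy keys off mmap_low_domain_type (a neverallow or tunable, not visible here), callers that switch to this interface would no longer be covered by it. Consider keeping `typeattribute $1 mmap_low_domain_type;` in domain_mmap_low or stating in its description why the two are split. The description block preceding domain_mmap_low_type starts outside the hunk and presumably still describes the old combined behaviour; it needs to be checked. There is also a stray blank line at L5674.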
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2009-02-18 14:25:11.000000000 +0100
@@ -5,6 +5,13 @@
#
# Declarations
#
+##
+##
+## Allow all domains to use other domains file descriptors
+##
+##
+#
+gen_tunable(allow_domain_fd_use, true)
# Mark process types as domains
attribute domain;
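Review bot: gen_tunable(allow_domain_fd_use, true) at L5696 defaults to on, which makes the `allow domain domain:fd use` rule it guards (L5741) the effective behaviour of every domain unless an administrator turns it off. The description at L5692 should say that, e.g. "Allow all domains to use file descriptors passed to them by other domains (default: enabled)." so the security implication is visible from the boolean's own documentation.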
@@ -80,11 +87,14 @@
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
+userdom_dontaudit_search_all_users_keys(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
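Review bot: userdom_dontaudit_search_all_users_keys(domain) at L5710 is called unconditionally from the kernel-layer domain module, whereas the comparable xserver call at L5715 is inside optional_policy; this makes domain.te hard-depend on the userdomain module being present. The same unconditional cross-layer call appears in kernel.te at L6812 (unprivuser_home_dir_filetrans_home_content). Wrap each as `optional_policy(\` ... ')` like the xserver block.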
@@ -113,6 +123,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
+ xserver_dontaudit_rw_xdm_home_files(domain)
')
########################################
@@ -131,6 +142,9 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
+allow unconfined_domain_type domain:dbus send_msg;
+allow domain unconfined_domain_type:dbus send_msg;
+
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
@@ -140,7 +154,7 @@
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
-allow unconfined_domain_type domain:file read_file_perms;
+allow unconfined_domain_type domain:file rw_file_perms;
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
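Review bot: The change at L5732 widens unconfined_domain_type from read to rw_file_perms on every domain's file objects, but the comment `# For /proc/pid` at L5729 still reads as if only reading were involved. Update it to something like `# For /proc/pid: read and write the process files of every domain` so the grant is documented at the rule that makes it.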
@@ -148,3 +162,40 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+tunable_policy(`allow_domain_fd_use',`
+ # Allow all domains to use fds past to them
+ allow domain domain:fd use;
+')
+
+optional_policy(`
+ cron_dontaudit_write_system_job_tmp_files(domain)
+ cron_rw_pipes(domain)
+ cron_rw_system_job_pipes(domain)
+ifdef(`hide_broken_symptoms',`
+ cron_dontaudit_rw_tcp_sockets(domain)
+ allow domain domain:key { link search };
+')
+')
+
+ifdef(`hide_broken_symptoms',`
+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
+')
+
+optional_policy(`
+ rpm_rw_pipes(domain)
+ rpm_dontaudit_use_script_fds(domain)
+ rpm_dontaudit_write_pid_files(domain)
+')
+
+optional_policy(`
+ rhgb_dontaudit_use_ptys(domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
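Review bot: `allow domain domain:key { link search };` at L5750 is nested inside the cron optional_policy block (L5744-L5752) although nothing about it is cron-specific, so this domain-wide key rule only takes effect when the cron module is loaded. Move it into the top-level `ifdef(\`hide_broken_symptoms',\`` block at L5754 next to the dbus dontaudit. The comment at L5740 reads "fds past to them" and should be "passed".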
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.13/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/files.fc 2009-02-10 15:07:15.000000000 +0100
@@ -32,6 +32,7 @@
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
#
# /emul
@@ -49,6 +50,7 @@
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/hosts.deny -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
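Review bot: The new entry `/etc/hosts.deny` at L5789 leaves the dot unescaped, so the regex also matches e.g. /etc/hostsXdeny; the neighbouring entries (`/etc/fstab\.REVOKE`, `/etc/ioctl\.save`, `/etc/issue\.net`) escape it, so write `/etc/hosts\.deny`. Labelling a tcp_wrappers access-control file etc_runtime_t rather than etc_t means every domain that may write etc_runtime_t can now alter host access control; a one-line comment naming the writer that needs this would let a reviewer judge whether that trade-off is intended.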
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2009-02-10 15:07:15.000000000 +0100
@@ -110,6 +110,11 @@
##
#
interface(`files_config_file',`
+ gen_require(`
+ attribute etcfile;
+ ')
+
+ typeattribute $1 etcfile;
files_type($1)
')
@@ -928,8 +933,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -953,6 +958,32 @@
##
##
#
+interface(`files_rw_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ rw_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+##
+## Manage all files on the filesystem, except
+## the listed exceptions.
+##
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
interface(`files_manage_all_files',`
gen_require(`
attribute file_type;
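Review bot: files_rw_all_files (L5821) is inserted directly under the existing description block that belonged to files_manage_all_files (that block starts outside the hunk), so the old text now documents the rw interface while the freshly added block at L5831-L5846 documents manage; the same shuffle happens at L5854 and L5872 with files_relabel_all_file_type_fs taking the relabelto description. Check both inherited blocks and make the rw one read "Read and write all files on the filesystem, except the listed exceptions." L5836 has "perfoming" for "performing".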
@@ -1060,6 +1091,24 @@
##
##
#
+interface(`files_relabel_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem { relabelfrom relabelto };
+')
+
+########################################
+##
+## Relabel a filesystem to the type of a file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
interface(`files_relabelto_all_file_type_fs',`
gen_require(`
attribute file_type;
@@ -1303,6 +1352,24 @@
########################################
##
+## Remove entries from the tmp directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 tmp_t:dir del_entry_dir_perms;
+')
+
+########################################
+##
## Unmount a rootfs filesystem.
##
##
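Review bot: files_delete_tmp_dir_entry (L5886-L5892) requires `type root_t;` but the only type its body uses is tmp_t, so the interface will fail to resolve tmp_t in a module that has not pulled it in otherwise. The require should be `type tmp_t;`.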
@@ -1889,6 +1956,26 @@
########################################
##
+## Read config files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_config_files',`
+ gen_require(`
+ attribute etcfile;
+ ')
+
+ allow $1 etcfile:dir list_dir_perms;
+ read_files_pattern($1, etcfile, etcfile)
+ read_lnk_files_pattern($1, etcfile, etcfile)
+')
+
+########################################
+##
## Do not audit attempts to write generic files in /etc.
##
##
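Review bot: files_read_config_files (L5910-L5918) reads every type carrying the etcfile attribute, i.e. every type any module declares through files_config_file (L5804), not just etc_t, and the summary "Read config files in /etc." undersells that. Say so explicitly, e.g. "Read all configuration file types (etcfile attribute), from every module that declares one.", so a caller knows the grant grows as modules are added.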
@@ -2224,6 +2311,49 @@
########################################
##
+## Delete directories on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_dirs_pattern($1, file_t, file_t)
+')
+
+########################################
+##
+## Delete files on new filesystems
+## that have not yet been labeled.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ delete_files_pattern($1, file_t, file_t)
+ delete_lnk_files_pattern($1, file_t, file_t)
+ delete_fifo_files_pattern($1, file_t, file_t)
+ delete_sock_files_pattern($1, file_t, file_t)
+ delete_blk_files_pattern($1, file_t, file_t)
+ delete_chr_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
@@ -2744,6 +2874,24 @@
########################################
##
+## read files in /mnt.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_mnt_files',`
+ gen_require(`
+ type mnt_t;
+ ')
+
+ read_files_pattern($1, mnt_t, mnt_t)
+')
+
+########################################
+##
## Create, read, write, and delete symbolic links in /mnt.
##
##
@@ -3394,6 +3542,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
')
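Review bot: The enclosing interface starts outside the hunk, but judging from the context lines it deletes tmpfile objects, and L6002-L6003 now also let it delete file_t (not-yet-labelled) directories and files, which goes beyond what its name presumably promises. Add a comment on the two new lines explaining why unlabelled filesystem content is in scope, e.g. `# tmp cleanup also removes content on filesystems that were never labelled`, so the widening is documented where it happens.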
########################################
@@ -3471,6 +3621,47 @@
########################################
##
+## Delete generic directories in /usr in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ delete_dirs_pattern($1, usr_t, usr_t)
+')
+
+########################################
+##
+## Delete generic files in /usr in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ delete_files_pattern($1, usr_t, usr_t)
+ delete_lnk_files_pattern($1, usr_t, usr_t)
+ delete_fifo_files_pattern($1, usr_t, usr_t)
+ delete_sock_files_pattern($1, usr_t, usr_t)
+ delete_blk_files_pattern($1, usr_t, usr_t)
+ delete_chr_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+##
## Get the attributes of files in /usr.
##
##
@@ -3547,6 +3738,24 @@
########################################
##
+## dontaudit write of /usr files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_write_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:file write;
+')
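Review bot: files_dontaudit_write_usr_files is a dontaudit interface but its parameter text at L6060 says "Domain allowed access."; the dontaudit interfaces elsewhere in this patch (L5368, L6571) use "Domain to not audit." The same mismatch is in fs_dontaudit_append_cifs_files at L6310 and fs_dontaudit_append_nfs_files at L6462. The summary at L6056 should be a sentence: "Do not audit attempts to write generic files in /usr."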
+
+########################################
+##
## Relabel a file to the type used in /usr.
##
##
@@ -4433,6 +4642,25 @@
########################################
##
+## Read generic process ID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ list_dirs_pattern($1,var_t,var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+##
## Read and write generic process ID files.
##
##
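Review bot: `list_dirs_pattern($1,var_t,var_run_t)` at L6093 drops the spaces after the commas that the next line and every other pattern call in the patch use; files_manage_generic_pids_symlinks at L6185 and fs_read_fusefs_files at L6619 have the same formatting slip. Write `list_dirs_pattern($1, var_t, var_run_t)`.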
@@ -4761,12 +4989,14 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
+ fs_mount_tmpfs($1)
+ fs_unmount_tmpfs($1)
+
ifdef(`distro_redhat',`
# namespace.init
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
- mount_domtrans($1)
')
')
@@ -4787,3 +5017,71 @@
typeattribute $1 files_unconfined_type;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+##
+## Create a default directory in /
+##
+##
+##
+## Create a default_t direcrory in /
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_create_default_dir',`
+ gen_require(`
+ type root_t, default_t;
+ ')
+
+ allow $1 default_t:dir create;
+ filetrans_pattern($1, root_t, default_t, dir)
+')
+
+########################################
+##
+## manage generic symbolic links
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
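Review bot: files_dump_core (L6136-L6142) uses manage_files_pattern on root_t, which lets the caller create, write, rename and delete any root_t file directly under /, far more than "Create a core file in /" describes. If only core dumps are needed, `create_files_pattern($1, root_t, root_t)` plus `write_files_pattern($1, root_t, root_t)` would match the stated purpose; otherwise the description should say "manage". The description also repeats the summary at L6122 and L6126, and L6150 has "direcrory".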
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.13/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/files.te 2009-02-10 15:07:15.000000000 +0100
@@ -52,11 +52,14 @@
#
# etc_t is the type of the system etc directories.
#
-type etc_t;
+attribute etcfile;
+
+type etc_t, etcfile;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+typealias etc_t alias gconf_etc_t;
#
# etc_runtime_t is the type of various
@@ -174,6 +177,7 @@
#
type var_run_t;
files_pid_file(var_run_t)
+files_mountpoint(var_run_t)
#
# var_spool_t is the type of /var/spool
@@ -197,10 +201,7 @@
#
# Rules for all tmp file types
#
-
-allow tmpfile tmp_t:filesystem associate;
-
-fs_associate_tmpfs(tmpfile)
+allow file_type tmp_t:filesystem associate;
########################################
#
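Review bot: L6220 replaces the tmpfile-only associate rule with `allow file_type tmp_t:filesystem associate;`, so every file type may now live on a tmp_t filesystem, and the removed fs_associate_tmpfs(tmpfile) at L6219 is not re-granted anywhere visible here, so tmp types would lose their tmpfs associate permission unless another module provides it. A comment above the new rule stating why the widening is needed and where the tmpfs associate moved to would make this reviewable.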
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2009-02-10 15:07:15.000000000 +0100
@@ -535,6 +535,24 @@
########################################
##
+## Mounton a CIFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mounton_cifs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:dir mounton;
+')
+
+########################################
+##
## Remount a CIFS or SMB network filesystem.
## This allows some mount options to be changed.
##
@@ -737,6 +755,7 @@
attribute noxattrfs;
')
+ list_dirs_pattern($1, noxattrfs, noxattrfs)
read_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -779,6 +798,25 @@
########################################
##
## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read
## files on a CIFS or SMB filesystem.
##
##
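Review bot: fs_dontaudit_list_cifs_dirs (L6268-L6274) dontaudits list_dir_perms, but because it is spliced in under the context line at L6259 its summary reads "Do not audit attempts to read dirs on a CIFS or SMB filesystem." Make the first line of the new block its own summary, `## Do not audit attempts to list directories`, so the text matches the permission set.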
@@ -955,6 +993,46 @@
########################################
##
+## Append files
+## on a CIFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_append_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ append_files_pattern($1, cifs_t, cifs_t)
+')
+
+########################################
+##
+## dontaudit Append files
+## on a CIFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_dontaudit_append_cifs_files',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:file append;
+')
+
+########################################
+##
## Do not audit attempts to create, read,
## write, and delete files
## on a CIFS or SMB network filesystem.
@@ -1209,6 +1287,25 @@
########################################
##
+## Create, read, write, and delete dirs
+## on a DOS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ manage_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+##
## Create, read, write, and delete files
## on a DOS filesystem.
##
@@ -1228,6 +1325,26 @@
########################################
##
+## Read and write files on hugetlbfs files
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_hugetlbfs_files',`
+ gen_require(`
+ type hugetlbfs_t;
+
+ ')
+
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+##
## Read eventpollfs files.
##
##
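Review bot: fs_rw_hugetlbfs_files is moved (removed at L6382-L6396, re-added at L6365-L6372) but the copy picks up a blank line inside gen_require at L6368 and a reworded summary "Read and write files on hugetlbfs files file systems." The original summary "Read and write hugetlbfs files." and the compact require block should be kept, since nothing in the body changed.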
@@ -1287,24 +1404,6 @@
########################################
##
-## Read and write hugetlbfs files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fs_rw_hugetlbfs_files',`
- gen_require(`
- type hugetlbfs_t;
- ')
-
- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-')
-
-########################################
-##
## Search inotifyfs filesystem.
##
##
@@ -1478,6 +1577,24 @@
########################################
##
+## Mounton a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mounton_nfs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir mounton;
+')
+
+########################################
+##
## Remount a NFS filesystem. This allows
## some mount options to be changed.
##
@@ -1681,7 +1798,7 @@
type nfs_t;
')
- dontaudit $1 nfs_t:file { read write };
+ dontaudit $1 nfs_t:file rw_file_perms;
')
########################################
@@ -2002,6 +2119,47 @@
########################################
##
+## Append files
+## on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ append_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+##
+## dontaudit Append files
+## on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_dontaudit_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:file append;
+')
+
+
+########################################
+##
## Do not audit attempts to create,
## read, write, and delete files
## on a NFS filesystem.
@@ -2996,6 +3154,7 @@
type tmpfs_t;
')
+ dontaudit $1 tmpfs_t:dir rw_dir_perms;
dontaudit $1 tmpfs_t:file rw_file_perms;
')
@@ -3132,6 +3291,25 @@
########################################
##
+## Read and write block nodes on removable filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_removable_blk_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir list_dir_perms;
+ rw_blk_files_pattern($1, removable_t, removable_t)
+')
+
+########################################
+##
## Relabel block nodes on tmpfs filesystems.
##
##
@@ -3317,6 +3495,7 @@
')
allow $1 filesystem_type:filesystem getattr;
+ files_getattr_all_file_type_fs($1)
')
########################################
@@ -3644,3 +3823,142 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
+
+########################################
+##
+## Search directories
+## on a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_search_fusefs_dirs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_manage_fusefs_dirs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_manage_fusefs_dirs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_manage_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ manage_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+##
+## Read, a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_read_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ read_files_pattern($1,fusefs_t,fusefs_t)
+')
+
+########################################
+##
+## Read symbolic links on a FUSEFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+
+########################################
+##
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_manage_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:file manage_file_perms;
+')
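Review bot: fs_read_fusefs_symlinks (L6632-L6639) grants list_dir_perms on every fusefs_t directory, which is more than reading symlinks needs and more than fs_search_fusefs_dirs at L6540 gives; `allow $1 fusefs_t:dir search_dir_perms;` would match the summary. The summary at L6605 reads "Read, a FUSEFS filesystem." and should be "Read files on a FUSEFS filesystem." The line following this hunk also shows an editor swap file, .filesystem.if.swp, in the patched tree; it should not ship.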
Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-02-10 15:07:15.000000000 +0100
@@ -21,7 +21,7 @@
# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
@@ -76,6 +76,11 @@
allow cpusetfs_t self:filesystem associate;
genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+type ecryptfs_t;
+fs_noxattr_type(ecryptfs_t)
+files_mountpoint(ecryptfs_t)
+genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
+
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
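Review bot: L6668-L6669 drop ecryptfs from fs_use_xattr and L6676-L6679 re-add it as a noxattr genfscon type, so every object on an ecryptfs mount now carries the single label ecryptfs_t instead of its own xattr-derived label, and any per-file separation inside an encrypted tree is lost. Nothing in the hunk says why; a comment such as `# ecryptfs: xattr labelling not usable here, single label per mount` (with the real reason) would let a later reader judge whether that trade-off still holds. Note that the btrfs line at L6669 is a replacement of the ecryptfs line rather than an addition, which a reader skimming the diff can easily miss.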
@@ -141,6 +146,8 @@
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
type vxfs_t;
fs_noxattr_type(vxfs_t)
@@ -241,6 +248,8 @@
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
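Review bot: L6696-L6697 label ncpfs and dazukofs as nfs_t, so every rule and boolean written for nfs_t now applies to two filesystems that are not NFS; dazukofs in particular appears to be a stacked filesystem, so its content would inherit the NFS policy wholesale. If sharing the label is deliberate, add a comment stating that; otherwise give them their own types as the ecryptfs hunk above does.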
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2009-02-10 15:07:15.000000000 +0100
@@ -1198,6 +1198,7 @@
')
dontaudit $1 proc_type:dir list_dir_perms;
+ dontaudit $1 proc_type:file getattr;
')
########################################
@@ -1234,9 +1235,11 @@
interface(`kernel_read_sysctl',`
gen_require(`
type sysctl_t;
+ type proc_t;
')
list_dirs_pattern($1, proc_t, sysctl_t)
+ read_files_pattern($1, sysctl_t, sysctl_t)
')
########################################
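Review bot: kernel_read_sysctl now grants `read_files_pattern($1, sysctl_t, sysctl_t)` (L6716) in addition to listing, so callers of an interface that previously only listed sysctl directories (per the visible context) gain read access to generic sysctl_t files; the interface description starts outside the hunk and should be checked to reflect that. The new require at L6713 is a separate `type proc_t;` line; fold it into the existing one as `type proc_t, sysctl_t;` as the other interfaces in this patch do.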
@@ -1569,6 +1572,26 @@
########################################
##
+## Read generic crypto sysctls.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_crypto_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_crypto_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
+
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
+')
+
+########################################
+##
## Read generic kernel sysctls.
##
##
@@ -1768,6 +1791,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
+ dontaudit $1 sysctl_type:file read_file_perms;
')
########################################
@@ -2582,6 +2606,24 @@
########################################
##
+## Relabel to unlabeled context .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_relabelto_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
+########################################
+##
## Unconfined access to kernel module resources.
##
##
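Review bot: kernel_relabelto_unlabeled (L6762-L6768) lets the caller set any file-class object it can relabelfrom to unlabeled_t, i.e. strip its label, which is a strong privilege the one-line summary does not convey. Expand it to say that, e.g. "Relabel any file-class object to the unlabeled context, removing its type label.", and remove the stray space before the full stop at L6754.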
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2009-02-10 15:07:15.000000000 +0100
@@ -63,6 +63,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
#
+# infinibandeventfs fs
+#
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
+#
# kvmFS
#
@@ -120,6 +129,10 @@
type sysctl_rpc_t, sysctl_type;
genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
+# /proc/sys/crypto directory and files
+type sysctl_crypto_t, sysctl_type;
+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
+
# /proc/sys/fs directory and files
type sysctl_fs_t, sysctl_type;
files_mountpoint(sysctl_fs_t)
@@ -160,6 +173,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
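Review bot: fs_associate(unlabeled_t) at L6806 lets unlabeled_t objects exist on any filesystem type, but the hunk carries no comment saying which situation produces such objects. Add a why-comment above the call so the rule is not silently widened or removed later.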
@@ -274,6 +288,8 @@
fs_rw_tmpfs_chr_files(kernel_t)
')
+unprivuser_home_dir_filetrans_home_content(kernel_t, { file dir })
+
tunable_policy(`read_default_t',`
files_list_default(kernel_t)
files_read_default_files(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.13/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.if 2009-02-10 15:07:15.000000000 +0100
@@ -164,6 +164,7 @@
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
')
@@ -185,6 +186,7 @@
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
@@ -265,6 +267,34 @@
########################################
##
+## Allow caller to read the state of Booleans
+##
+##
+##
+## Allow caller read the state of Booleans
+##
+##
+##
+##
+## The process type allowed to set the Boolean.
+##
+##
+##
+#
+interface(`selinux_get_boolean',`
+ gen_require(`
+ type security_t;
+ attribute booleans_type;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 booleans_type:dir list_dir_perms;
+ allow $1 booleans_type:file read_file_perms;
+')
+
+########################################
+##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
##
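Review bot: `selinux_get_boolean` pulls `bool secure_mode_policyload` into its `gen_require` but never references it, and its parameter description says "The process type allowed to set the Boolean" although the interface only grants `read_file_perms`; both look copied from `selinux_set_boolean`. Drop the unused require and change the parameter text to `## Domain allowed to read the state of Booleans.` so the generated docs match what the rules do.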
@@ -288,11 +318,13 @@
interface(`selinux_set_boolean',`
gen_require(`
type security_t;
+ attribute booleans_type;
bool secure_mode_policyload;
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 booleans_type:dir list_dir_perms;
+ allow $1 booleans_type:file { getattr read write };
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
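Review bot: The new `allow $1 booleans_type:file { getattr read write }` spells the permission set by hand while the new `selinux_get_boolean` uses `read_file_perms`; writing `allow $1 booleans_type:file rw_file_perms;` keeps the two consistent and picks up `open` automatically on policies where file open is a distinct permission (this patch adds `open` to terminal rules elsewhere, so that is in scope). Note also that the previous `security_t:file write` grant is gone, so callers can only toggle booleans if the boolean files really are labeled with a `booleans_type` type, which depends on the `genfscon selinuxfs /booleans` line in selinux.te being active.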
@@ -510,3 +542,23 @@
typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+##
+## Generate a file context for a boolean type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute booleans_type;
+ ')
+
+ type $1, booleans_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
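Review bot: `selinux_genbool` declares a type (`type $1, booleans_type;`) inside an `interface()`, but refpolicy reserves `template()` for anything that declares types or attributes, and the parameter is documented as "Domain allowed access" when it is actually the name of the boolean type to create. Make it a template and describe the argument, e.g. `## Name of the type to declare for the boolean.`; the summary should say it declares a boolean type rather than "Generate a file context".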
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.13/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te 2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,7 @@
attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;
+attribute booleans_type;
#
# security_t is the target type when checking
@@ -23,6 +24,11 @@
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
+type boolean_t, booleans_type;
+fs_type(boolean_t)
+mls_trusted_object(boolean_t)
+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
+
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
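Review bot: With `#genfscon selinuxfs /booleans …` commented out, nothing in the policy ever labels an object `boolean_t`, so the new `booleans_type` attribute and the interfaces built on it grant access to files that do not exist, while `selinux_set_boolean` in this same patch has dropped its `security_t:file write` rule; if the boolean files stay `security_t`, toggling booleans would be denied for those callers. Either enable the `genfscon` line or keep the old `security_t` grant until it is; in any case replace the commented-out line with a comment stating why it is disabled rather than leaving dead policy.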
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2009-02-10 15:07:15.000000000 +0100
@@ -36,7 +36,7 @@
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
ifdef(`distro_redhat', `
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.5.13/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.if 2009-02-18 14:54:06.000000000 +0100
@@ -207,6 +207,7 @@
dev_list_all_dev_nodes($1)
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
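Review bot: The added `allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;` extends an interface whose name and summary are outside this hunk and, judging by the adjoining `blk_file` rule, describe block devices; since storage.fc now labels `/dev/rawctl` and `/dev/raw/rawctl` as `fixed_disk_device_t` character nodes, the doc should say the interface also covers raw-disk control devices. It is also worth checking that `manage_chr_file_perms` (create/unlink/rename included) is needed rather than `rw_chr_file_perms`, since the `fixed_disk_raw_read`/`fixed_disk_raw_write` attributes already express the raw-access intent. Add `## Also grants full access to raw disk control character devices (/dev/raw/rawctl).` to the summary.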
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if 2009-02-10 15:07:15.000000000 +0100
@@ -250,9 +250,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
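Review bot: `term_dontaudit_use_console` now also suppresses `tty_device_t:chr_file rw_chr_file_perms`, so every existing caller silently loses audit records for attempts on all physical ttys, not just the console, and the interface name and summary no longer say what it does. Audit suppression on terminals is exactly the kind of evidence an investigator wants, so a separate `term_dontaudit_use_ttys`-style interface (or an explicit mention of `tty_device_t` in the summary) would keep the choice visible to callers. At minimum update the summary to `## Do not audit attempts to read or write the console or any physical tty device.`.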
@@ -529,7 +531,7 @@
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
- allow $1 devpts_t:chr_file { rw_term_perms lock append };
+ allow $1 devpts_t:chr_file { rw_term_perms lock append open };
')
########################################
@@ -588,7 +590,7 @@
')
dev_list_all_dev_nodes($1)
- allow $1 ptmx_t:chr_file rw_file_perms;
+ allow $1 ptmx_t:chr_file { rw_file_perms open };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.13/policy/modules/roles/guest.fc
--- nsaserefpolicy/policy/modules/roles/guest.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/guest.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.13/policy/modules/roles/guest.if
--- nsaserefpolicy/policy/modules/roles/guest.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/guest.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,161 @@
+## Least privledge terminal user role
+
+########################################
+##
+## Change to the guest role.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`guest_role_change_template',`
+ userdom_role_change_template($1, guest)
+')
+
+########################################
+##
+## Change from the guest role.
+##
+##
+##
+## Change from the guest role to
+## the specified role.
+##
+##
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`guest_role_change_to_template',`
+ userdom_role_change_template(guest, $1)
+')
+
+########################################
+##
+## Search the guest users home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`guest_search_home_dirs',`
+ gen_require(`
+ type guest_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 guest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to search the guest
+## users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`guest_dontaudit_search_home_dirs',`
+ gen_require(`
+ type guest_home_dir_t;
+ ')
+
+ dontaudit $1 guest_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete guest
+## home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`guest_manage_home_dirs',`
+ gen_require(`
+ type guest_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 guest_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Relabel to guest home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`guest_relabelto_home_dirs',`
+ gen_require(`
+ type guest_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 guest_home_dir_t:dir relabelto;
+')
+
+########################################
+##
+## Do not audit attempts to append to the guest
+## users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`guest_dontaudit_append_home_content_files',`
+ gen_require(`
+ type guest_home_t;
+ ')
+
+ dontaudit $1 guest_home_t:file append;
+')
+
+########################################
+##
+## Read files in the guest users home directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`guest_read_home_content_files',`
+ gen_require(`
+ type guest_home_dir_t, guest_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { guest_home_dir_t guest_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t)
+ read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t)
+')
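Review bot: The module summary reads "Least privledge terminal user role"; it is what appears in generated documentation, so it should be `## Least privilege terminal user role`. Otherwise the interfaces are narrowly scoped (search/manage/relabelto on `guest_home_dir_t`, read-only on `guest_home_t`), which is appropriate for a guest role; the one wider grant, `guest_manage_home_dirs`, could note in its summary that it is meant for home-directory management tools rather than user domains — TODO confirm the intended callers.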
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.13/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/guest.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,36 @@
+
+policy_module(guest, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role xguest_r;
+
+userdom_restricted_user_template(guest)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+ java_per_role_template(guest, guest_t, guest_r)
+')
+
+optional_policy(`
+ mono_per_role_template(guest, guest_t, guest_r)
+')
+
+
+optional_policy(`
+ gen_require(`
+ type xguest_t;
+ role xguest_r;
+ ')
+
+ mozilla_per_role_template(xguest, xguest_t, xguest_r)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
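Review bot: `role xguest_r;` is declared in the guest module and then re-required inside an `optional_policy` block a few lines later so that `mozilla_per_role_template(xguest, xguest_t, xguest_r)` can run from here; staff.te in this patch calls `xguest_role_change_template`, so an xguest module evidently exists and that block belongs there, not in guest.te. Declaring the role here couples two modules that should be independent (xguest's browser wiring only happens if guest is loaded). Move the `optional_policy` block and the role declaration to xguest.te; `gen_user(guest_u, user, guest_r, s0, s0)` with the flat `s0` range is fine for a least-privilege login.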
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.13/policy/modules/roles/logadm.fc
--- nsaserefpolicy/policy/modules/roles/logadm.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/logadm.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.13/policy/modules/roles/logadm.if
--- nsaserefpolicy/policy/modules/roles/logadm.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/logadm.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,44 @@
+## Audit administrator role
+
+########################################
+##
+## Change to the generic user role.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`logadm_role_change_template',`
+ userdom_role_change_template($1, logadm)
+')
+
+########################################
+##
+## Change from the generic user role.
+##
+##
+##
+## Change from the generic user role to
+## the specified role.
+##
+##
+## This is a template to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+##
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+#
+template(`logadm_role_change_to_template',`
+ userdom_role_change_template(logadm, $1)
+')
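Review bot: Both templates describe themselves as changing to or from "the generic user role" although they wire `logadm`; the text was copied from unprivuser and will mislead anyone reading the generated interface docs. Change the summaries to `## Change to the log administrator role.` and `## Change from the log administrator role.`.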
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.13/policy/modules/roles/logadm.te
--- nsaserefpolicy/policy/modules/roles/logadm.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/roles/logadm.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,20 @@
+
+policy_module(logadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role logadm_r;
+
+userdom_base_user_template(logadm)
+
+########################################
+#
+# logadmin local policy
+#
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
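Review bot: The `allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` grant hands a log-administration role `sys_ptrace`, which lets it inspect and, where DAC permits, control processes well outside the logging services — more than `logging_admin` plausibly needs. If it is there so the role can look at other processes' state, say so in a comment and consider a narrower /proc read interface instead; otherwise drop it: `allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };`.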
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2009-02-10 15:07:15.000000000 +0100
@@ -4,27 +4,79 @@
########################################
#
# Declarations
-#
+#
role staff_r;
-userdom_unpriv_user_template(staff)
+userdom_admin_login_user_template(staff)
########################################
#
# Local policy
#
+kernel_read_ring_buffer(staff_t)
+kernel_getattr_core_if(staff_t)
+kernel_getattr_message_if(staff_t)
+kernel_read_software_raid_state(staff_t)
+
+auth_domtrans_pam_console(staff_t)
+
+libs_manage_shared_libs(staff_t)
+
optional_policy(`
auditadm_role_change_template(staff)
')
optional_policy(`
+ kerneloops_manage_tmp_files(staff_t)
+')
+
+optional_policy(`
+ logadm_role_change_template(staff)
+')
+
+optional_policy(`
+ postgresql_userdom_template(staff, staff_t, staff_r)
+')
+
+optional_policy(`
secadm_role_change_template(staff)
')
optional_policy(`
+ ssh_per_role_template(staff, staff_t, staff_r)
+')
+
+optional_policy(`
sysadm_role_change_template(staff)
sysadm_dontaudit_use_terms(staff_t)
')
+optional_policy(`
+ usernetctl_run(staff_t, staff_r, { staff_devpts_t staff_tty_device_t })
+')
+
+optional_policy(`
+ unconfined_role_change_template(staff)
+')
+
+optional_policy(`
+ webadm_role_change_template(staff)
+')
+
+optional_policy(`
+ cron_admin_template(sysadm)
+')
+
+optional_policy(`
+ xguest_role_change_template(staff)
+')
+
+optional_policy(`
+ guest_role_change_template(staff)
+')
+
+optional_policy(`
+ unprivuser_role_change_template(staff)
+')
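Review bot: `libs_manage_shared_libs(staff_t)` lets every staff login create, modify and delete system shared libraries, which (wherever DAC also permits) is a direct code-injection path into every process that loads them — this makes the staff role root-equivalent and should be behind a tunable or confined to the sysadm role, with a comment explaining who needs it. Separately, `cron_admin_template(sysadm)` in this file uses the sysadm prefix (the same call is removed from sysadm.te below), so the sysadm cron types are now declared by the staff module; if the intent was to give staff cron administration it should read `cron_admin_template(staff)`. The patch also carries the editor swap file `.staff.te.swp`, which should be dropped from the submission.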
Binary files nsaserefpolicy/policy/modules/roles/.staff.te.swp and serefpolicy-3.5.13/policy/modules/roles/.staff.te.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2009-02-18 10:14:24.000000000 +0100
@@ -334,10 +334,10 @@
#
interface(`sysadm_getattr_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- allow $1 sysadm_home_dir_t:dir getattr;
+ allow $1 admin_home_t:dir getattr;
')
########################################
@@ -354,10 +354,29 @@
#
interface(`sysadm_dontaudit_getattr_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir getattr;
+ dontaudit $1 admin_home_t:dir getattr;
+')
+
+########################################
+##
+## Do not audit attempts to write to
+## sysadm users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`sysadm_dontaudit_write_home_dirs',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir write;
')
########################################
@@ -372,10 +391,10 @@
#
interface(`sysadm_search_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- allow $1 sysadm_home_dir_t:dir search_dir_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
')
########################################
@@ -391,10 +410,10 @@
#
interface(`sysadm_dontaudit_search_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+ dontaudit $1 admin_home_t:dir search_dir_perms;
')
########################################
@@ -409,10 +428,10 @@
#
interface(`sysadm_list_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- allow $1 sysadm_home_dir_t:dir list_dir_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
')
########################################
@@ -428,10 +447,10 @@
#
interface(`sysadm_dontaudit_list_home_dirs',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+ dontaudit $1 admin_home_t:dir list_dir_perms;
')
########################################
@@ -458,10 +477,10 @@
#
interface(`sysadm_home_dir_filetrans',`
gen_require(`
- type sysadm_home_dir_t;
+ type admin_home_t;
')
- filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
+ filetrans_pattern($1, admin_home_t, $2, $3)
')
########################################
@@ -476,10 +495,10 @@
#
interface(`sysadm_search_home_content_dirs',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
')
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
')
########################################
@@ -494,13 +513,12 @@
#
interface(`sysadm_read_home_content_files',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
')
files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+ read_files_pattern($1, admin_home_t, admin_home_t)
+ read_lnk_files_pattern($1, admin_home_t, admin_home_t)
')
########################################
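Review bot: `sysadm_read_home_content_files` no longer grants `list_dir_perms` on the home directory: the old version allowed `dir list_dir_perms` explicitly, while `read_files_pattern($1, admin_home_t, admin_home_t)` only grants `search` on the directory, so callers that enumerate the directory carrying `admin_home_t` will start being denied. Restore the rule as `allow $1 admin_home_t:dir list_dir_perms;` before the two pattern calls.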
@@ -516,12 +534,52 @@
#
interface(`sysadm_dontaudit_read_home_content_files',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
')
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:file read_file_perms;
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
+
+')
+########################################
+##
+## Do not audit attempts to read sym links in the sysadm
+## home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`sysadm_dontaudit_read_home_sym_links',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
+
+')
+
+######################################
+##
+## Do not audit attempts to manage files in the sysadm
+## home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`sysadm_dontaudit_manage_home_files',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir manage_dir_perms;
+ dontaudit $1 admin_home_t:file manage_file_perms;
+ dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms;
')
########################################
@@ -536,12 +594,12 @@
#
interface(`sysadm_read_tmp_files',`
gen_require(`
- type sysadm_tmp_t;
+ type user_tmp_t;
')
files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
- read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+ allow $1 user_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, user_tmp_t, user_tmp_t)
+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
')
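Review bot: `sysadm_read_tmp_files` now grants read on `user_tmp_t`, which is every unprivileged user's `/tmp` content, not the administrator's alone, so a domain that was given read access to the sysadm's scratch files quietly gains read access to all users' temporary files; the name and summary (outside this hunk) still describe the narrower grant. Either document the widening in the summary — `## Read user tmp files; admin tmp files now share user_tmp_t, so this covers all users' /tmp content.` — or point existing callers at `unprivuser_read_tmp_files`, which this patch adds for exactly that.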
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2009-02-10 15:07:15.000000000 +0100
@@ -15,7 +15,7 @@
role sysadm_r;
-userdom_admin_user_template(sysadm)
+userdom_admin_login_user_template(sysadm)
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
@@ -110,10 +110,6 @@
')
optional_policy(`
- cron_admin_template(sysadm)
-')
-
-optional_policy(`
cvs_exec(sysadm_t)
')
@@ -171,6 +167,10 @@
')
optional_policy(`
+ kerberos_exec_kadmind(sysadm_t)
+')
+
+optional_policy(`
kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
')
@@ -215,8 +215,8 @@
optional_policy(`
netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+# netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+# netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
')
optional_policy(`
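Review bot: The `netutils_run_ping` and `netutils_run_traceroute` calls are commented out rather than removed, leaving dead policy with no hint why sysadm lost the ping/traceroute domain transitions (if ping now runs in the caller's domain, that has capability implications). Delete the two lines and record the reason in a short comment, e.g. `# ping/traceroute transitions intentionally dropped for sysadm_t — TODO state why`.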
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if
--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2009-02-10 15:07:15.000000000 +0100
@@ -62,6 +62,26 @@
files_home_filetrans($1, user_home_dir_t, dir)
')
+
+########################################
+##
+## Create generic user home directories
+## with automatic file type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_home_dir_filetrans',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, $2, $3)
+')
+
########################################
##
## Search generic user home directories.
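Review bot: `unprivuser_home_dir_filetrans` takes three arguments (`$2` is the type to transition to, `$3` the object class) but only the domain is documented, so the generated docs will show a one-parameter interface. Add parameter entries for the other two, e.g. `## The type of the object to be created.` and `## The object class of the object being created.`, matching the neighbouring filetrans interfaces.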
@@ -77,6 +97,7 @@
type user_home_dir_t;
')
+ files_search_home($1)
allow $1 user_home_dir_t:dir search_dir_perms;
')
@@ -177,11 +198,29 @@
#
interface(`unprivuser_manage_home_content_dirs',`
gen_require(`
- type user_home_dir_t, user_home_t;
+ attribute user_home_dir_type, user_home_type;
')
files_search_home($1)
- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ manage_dirs_pattern($1, { user_home_dir_type user_home_type }, user_home_type)
+')
+
+########################################
+##
+## Don't audit list on the user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_dontaudit_list_home_dirs',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
+ ')
+
+ dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms;
')
########################################
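Review bot: Switching `unprivuser_manage_home_content_dirs` from `user_home_dir_t`/`user_home_t` to the `user_home_dir_type`/`user_home_type` attributes widens every existing caller from the generic user's home to every user home type in the policy (staff, guest, and so on), a privilege change the summary (outside this hunk) does not mention. If that is intended, state it in the summary; if not, keep the concrete types. Also, `unprivuser_dontaudit_list_home_dirs` labels its parameter "Domain allowed access" although nothing is allowed — it should read `## Domain to not audit.`.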
@@ -236,11 +275,30 @@
#
interface(`unprivuser_mmap_home_content_files',`
gen_require(`
- type user_home_t;
+ attribute user_home_type;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_type:file execute;
+')
+
+########################################
+##
+## Read link files in generic user home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_read_home_content_symlinks',`
+ gen_require(`
+ type user_home_t, user_home_dir_t;
')
files_search_home($1)
- allow $1 user_home_t:file execute;
+ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
########################################
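Review bot: `unprivuser_mmap_home_content_files` now grants `file execute` on the `user_home_type` attribute, i.e. on every user's home content rather than the generic user's, so callers quietly gain the ability to map code from any user's files; the summary is outside this hunk but should say so. Execute access on writable, user-controlled content is the rule that makes home-directory code injection possible, so it is worth a comment on the `allow` line naming the consumer that needs it — TODO confirm. `unprivuser_read_home_content_symlinks` is fine as written.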
@@ -342,3 +400,542 @@
manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
')
+########################################
+##
+## Do not audit attempts to write user home files.
+##
+##
+##
+## Do not audit attempts to write user home files.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+template(`unprivuser_dontaudit_write_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file write;
+
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_rw_nfs_files($1)
+
+ fs_dontaudit_list_cifs($1)
+ fs_dontaudit_rw_cifs_files($1)
+')
+
+########################################
+##
+## Do not audit attempts to unlink user home files.
+##
+##
+##
+## Do not audit attempts to unlink user home files.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+template(`unprivuser_dontaudit_unlink_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file unlink;
+')
+
+########################################
+##
+## Do not audit attempts to manage users
+## temporary directories.
+##
+##
+##
+## Do not audit attempts to manage users
+## temporary directories.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+template(`unprivuser_dontaudit_manage_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:dir manage_dir_perms;
+')
+
+
+########################################
+##
+## Create, read, write, and delete user
+## temporary named sockets.
+##
+##
+##
+## Create, read, write, and delete user
+## temporary named sockets.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`unprivuser_manage_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Read all unprivileged users files in /tmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_read_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ read_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Write all unprivileged users files in /tmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_write_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Write all unprivileged users files in /tmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_manage_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Write all unprivileged users lnk_files in /tmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_manage_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Do not audit attempts to relabel unpriv user
+## home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_dontaudit_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ dontaudit $1 user_home_type:file { relabelto relabelfrom };
+')
+
+########################################
+##
+## unlink all unprivileged users files in /tmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_unlink_tmp_files',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ files_delete_tmp_dir_entry($1)
+ allow $1 user_tmpfile:file unlink;
+')
+
+########################################
+##
+## Connect to unpriviledged users over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_stream_connect',`
+ gen_require(`
+ attribute user_tmpfile;
+ attribute userdomain;
+ ')
+
+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
+')
+
+########################################
+##
+## Create, read, write, and delete user
+## temporary directories.
+##
+##
+##
+## Create, read, write, and delete user
+## temporary directories.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`unprivuser_manage_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Create, read, write, and delete user
+## temporary named pipes.
+##
+##
+##
+## Create, read, write, and delete user
+## temporary named pipes.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`unprivuser_manage_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+##
+## Manage user untrusted files.
+##
+##
+##
+## Create, read, write, and delete untrusted files.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`unprivuser_manage_untrusted_content_files',`
+ gen_require(`
+ type user_untrusted_content_t;
+ ')
+
+ manage_files_pattern($1, user_untrusted_content_t, user_untrusted_content_t)
+')
+
+########################################
+##
+## Manage user untrusted tmp files.
+##
+##
+##
+## Create, read, write, and delete untrusted tmp files.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`unprivuser_manage_untrusted_content_tmp_files',`
+ gen_require(`
+ type user_untrusted_content_tmp_t;
+ ')
+
+ manage_files_pattern($1, user_untrusted_content_tmp_t, user_untrusted_content_tmp_t)
+')
+
+########################################
+##
+## RW unpriviledged user SysV sempaphores.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unprivuser_rw_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+##
+## Read user tmpfs files.
+##
+##
+##
+##
+## read user temporary file system files
+##
+##
+##
+##
##
## Allow Apache to modify public files
@@ -31,10 +33,17 @@
##
##
-## Allow Apache to use mod_auth_pam
+## Allow httpd scripts and modules execmem/execstack
##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
+##
+gen_tunable(httpd_dbus_avahi, false)
##
##
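Review bot: The `allow_httpd_mod_auth_pam` tunable is removed outright, so a deployment that set it in its persisted boolean configuration will get a load-time error or a silently ignored setting, and its description block was overwritten with `httpd_execmem`'s rather than kept alongside it. `httpd_execmem` also deserves a sharper warning since it switches off W^X for the whole web server: `## Allow httpd scripts and modules to use executable memory and stacks (execmem/execstack); this disables a key exploit mitigation for the web server.`.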
@@ -45,7 +54,14 @@
##
##
-## Allow HTTPD scripts and modules to connect to the network using TCP.
+## Allow http daemon to send mail
+##
+##
+gen_tunable(httpd_can_sendmail, false)
+
+##
+##
+## Allow HTTPD scripts and modules to connect to the network
##
##
gen_tunable(httpd_can_network_connect, false)
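Review bot: The description of `httpd_can_network_connect` loses the words "using TCP", but the rules behind the tunable are outside this hunk; if they are still TCP-only the doc became less precise, and if UDP was added that change should be visible here. Keep the protocol in the text, e.g. `## Allow HTTPD scripts and modules to connect to the network using TCP.`, unless the rule set has really changed.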
@@ -109,14 +125,35 @@
##
gen_tunable(httpd_unified, false)
+##
+##
+## Allow httpd to access nfs file systems
+##
+##
+gen_tunable(httpd_use_nfs, false)
+
+##
+##
+## Allow httpd to access cifs file systems
+##
+##
+gen_tunable(httpd_use_cifs, false)
+
+##
+##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
+attribute httpd_ro_content;
+attribute httpd_rw_content;
attribute httpdcontent;
-attribute httpd_user_content_type;
# domains that can exec all users scripts
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
-attribute httpd_user_script_exec_type;
# user script domains
attribute httpd_script_domains;
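Review bot: `allow_httpd_sys_script_anon_write` lets system CGI scripts write to `public_content_rw_t` with no per-user scoping — that is what "anonymous" means here — but the description only says "write to public content"; spell the trade-off out for administrators, e.g. `## Allow Apache system scripts to write to public content (public_content_rw_t), like an anonymous upload area.`. Removing the `httpd_user_content_type` and `httpd_user_script_exec_type` attributes is an interface break for any third-party module that `gen_require`s them; if they are superseded by `httpd_ro_content`/`httpd_rw_content`, keep the old names for a release or note the removal.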
@@ -141,6 +178,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
+type httpd_initrc_exec_t;
+init_script_file(httpd_initrc_exec_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -181,6 +221,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
+
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -202,12 +246,26 @@
prelink_object_file(httpd_modules_t)
')
+apache_content_template(user)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_script_rw_t httpdcontent;
+typeattribute httpd_user_script_ra_t httpdcontent;
+#typeattribute httpd_user_script_exec_t httpdcontent;
+userdom_user_home_content(user, httpd_user_content_t)
+userdom_user_home_content(user, httpd_user_htaccess_t)
+userdom_user_home_content(user, httpd_user_script_exec_t)
+userdom_user_home_content(user, httpd_user_script_ra_t)
+userdom_user_home_content(user, httpd_user_script_ro_t)
+userdom_user_home_content(user, httpd_user_script_rw_t)
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
+miscfiles_read_public_files(httpd_user_script_t)
+
########################################
#
# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
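Review bot: `typealias httpd_user_content_t alias httpd_unconfined_content_t;` gives ordinary user web content an alias that reads as "unconfined", exactly the wrong signal for content served from home directories; if the alias only exists for compatibility with an older name, say so in a comment, otherwise drop it. In the same hunk `#typeattribute httpd_user_script_exec_t httpdcontent;` is dead policy that should be removed or explained, and the new `sys_nice` in `allow httpd_t self:capability { … }` arrives without a comment saying which module needs to change scheduling priority.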
@@ -249,6 +307,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -260,9 +319,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -278,6 +337,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
@@ -289,6 +349,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -299,6 +360,7 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_all_nodes(httpd_t)
+corenet_udp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
@@ -312,12 +374,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_list_inotifyfs(httpd_t)
+fs_read_iso9660_files(httpd_t)
auth_use_nsswitch(httpd_t)
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
domain_use_interactive_fds(httpd_t)
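Review bot: `application_exec_all(httpd_t)` replaces `corecmd_exec_bin`/`corecmd_exec_shell` and grants execution of every type marked as an application executable, a wider set than bin and shell, and the removed `# execute perl` comment was the only statement of need. If the intent is only to keep perl working, the narrower corecmd interfaces suffice; otherwise record the reason, e.g. `# httpd modules exec helpers beyond bin/shell: <which ones>`. The same substitution is made for httpd_suexec_t in the hunk at `@@ -597,10 +770,9 @@`.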
@@ -334,7 +396,10 @@
# for tomcat
files_read_var_lib_symlinks(httpd_t)
-fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
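Review bot: The new httpd_sys_script_t rules create objects in /tmp with `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, ...)` while the two manage patterns above grant access to httpd_tmp_t, so files the script creates in /tmp land in a type these rules do not let it manage, and the split is not explained. Presumably httpd_sys_content_rw_t is writable through the httpdcontent rules elsewhere, but then the httpd_tmp_t manage rules are the odd ones out; pick one label or comment the split. These rules are unconditional (not under httpd_enable_cgi) and sit in the httpd_t section rather than under `# Apache system script local policy`, and the comment has a typo (`acton`).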
@@ -351,18 +416,33 @@
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
-
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
+##
+##
+## Allow Apache to use mod_auth_pam
+##
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
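Review bot: `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` is declared but the block that grants `samba_domtrans_winbind_helper(httpd_t)` tests `allow_httpd_mod_auth_pam`, so the new boolean has no effect and enabling the pam boolean silently also enables the winbind helper transition; the condition should read `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`. The description block above that tunable is a copy of the mod_auth_pam one and should describe mod_auth_ntlm_winbind. `mta_send_mail(httpd_t)` is also removed here and reappears only under `httpd_can_sendmail` in the next hunk, a behaviour change for existing deployments worth a line in the commit message.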
@@ -370,20 +450,68 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_sendmail',`
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
+ mta_send_mail(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
corenet_sendrecv_gopher_client_packets(httpd_t)
corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_sendrecv_http_client_packets(httpd_t)
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_script_ra_t,httpd_user_script_ra_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+')
+
+
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+')
+
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
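Review bot: Two consecutive `tunable_policy(`httpd_enable_cgi && httpd_unified',` blocks carry the identical condition and should be merged; the split makes the second one easy to miss. Inside the second block `allow httpd_user_script_t httpdcontent:file entrypoint;` makes every file carrying the httpdcontent attribute — including the sys content types httpd_t may manage under httpd_unified — a valid entrypoint for the user script domain, which is broader than the per-user `httpd_user_script_exec_t`; if that breadth is intended, say so in a comment, otherwise restrict it to the user content types. The argument spacing in the manage patterns (`httpd_user_content_t,httpd_user_content_t`) also differs from the rest of the file.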
@@ -394,20 +522,28 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(httpd_t)
-')
-
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
+')
+
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
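Review bot: The `httpd_enable_homedirs` read block for httpd_t is dropped and nothing in this hunk replaces it; the earlier hunk types `httpd_user_content_t` as user home content but, as far as is visible, does not add it to `httpd_ro_content`, so please confirm httpd_t still gains read access to labelled home content when `httpd_enable_homedirs` is on. The new `httpd_use_nfs`/`httpd_use_cifs` blocks grant manage rather than the read access the removed homedirs rule gave; a comment on the tunable descriptions (outside this hunk) should make clear they are write-capable.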
@@ -441,8 +577,13 @@
')
optional_policy(`
- kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+ dbus_system_bus_client_template(httpd, httpd_t)
+ tunable_policy(`httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
+ kerberos_keytab_template(httpd, httpd_t)
')
optional_policy(`
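Review bot: `tunable_policy(`httpd_dbus_avahi',` references a boolean whose `gen_tunable` is not in this hunk; if it is not declared elsewhere in apache.te the build fails, and if it is, a short comment on the dbus block pointing to it would help. `kerberos_read_kdc_config(httpd_t)` is dropped together with `kerberos_use`; confirm that `kerberos_keytab_template` covers the config read, otherwise Kerberos-authenticating modules lose access they had.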
@@ -454,18 +595,13 @@
')
optional_policy(`
- # Allow httpd to work with mysql
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_t)
- ')
+ mysql_read_config(httpd_t)
')
optional_policy(`
nagios_read_config(httpd_t)
- nagios_domtrans_cgi(httpd_t)
')
optional_policy(`
@@ -475,6 +611,12 @@
openca_kill(httpd_t)
')
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
+
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
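Review bot: The `httpd_execmem` block grants `execmem execstack` to httpd_t, httpd_sys_script_t and httpd_suexec_t, the very permissions the unconditional `allow httpd_t self:process ~{ ... execmem execstack execheap }` rule earlier in the file takes care to exclude; the tunable's description (its `gen_tunable` is not in this hunk) should state that it disables the writable-and-executable memory protection for the web server and defaults to false, e.g. `## Allow httpd and its CGI scripts to use writable+executable memory; weakens exploit mitigation, off by default.` A comment naming the module that needs it would also justify keeping three domains in one boolean.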
@@ -482,6 +624,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
+ postgresql_tcp_connect(httpd_sys_script_t)
')
')
@@ -490,6 +633,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
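Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is inserted inside the snmp `optional_policy` block, so it only takes effect when the snmp module is loaded although the rule has nothing to do with snmp. Move it out of the block to the unconditional httpd_t rules next to the other `files_*` calls.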
@@ -519,9 +663,28 @@
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
+ # cjp: this is redundant:
+ term_use_controlling_term(httpd_helper_t)
+
sysadm_use_terms(httpd_helper_t)
')
+optional_policy(`
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+
+ tunable_policy(`httpd_tty_comm',`
+ unconfined_use_terms(httpd_helper_t)
+ ')
+')
+
+
########################################
#
# Apache PHP script local policy
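Review bot: The new `optional_policy` block gives httpd_t an unconditional transition into an unconfined domain (`domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` followed by `unconfined_domain(httpd_unconfined_script_t)`), gated only by the presence of the unconfined module; any file an administrator labels httpd_unconfined_script_exec_t lets web-triggered code run without confinement. That deserves a doc comment stating the risk, and either a tunable_policy wrapper so it is off by default or a pointer to whatever controls it. The `# cjp: this is redundant:` line above `term_use_controlling_term(httpd_helper_t)` is a personal remark; either drop the redundant call or replace the comment with the reason it is kept. Declaring the types inside `optional_policy` also means `httpd_unconfined_script_t` does not exist when the module is absent, which any reference outside this block must tolerate.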
@@ -551,22 +714,30 @@
fs_search_auto_mountpoints(httpd_php_t)
+auth_use_nsswitch(httpd_php_t)
+
libs_exec_lib_files(httpd_php_t)
libs_use_ld_so(httpd_php_t)
libs_use_shared_libs(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
-optional_policy(`
- mysql_stream_connect(httpd_php_t)
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
')
optional_policy(`
- nis_use_ypbind(httpd_php_t)
+ postgresql_stream_connect(httpd_sys_script_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_php_t)
+ mysql_stream_connect(httpd_php_t)
+ mysql_read_config(httpd_php_t)
')
########################################
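Review bot: The `tunable_policy(`httpd_can_network_connect_db',` block added here grants mysqld port access to httpd_t, httpd_sys_script_t and httpd_suexec_t but sits under the `# Apache PHP script local policy` heading, replacing an httpd_php_t rule; it belongs with the other httpd_t tunables, next to the postgresql `httpd_can_network_connect_db` block earlier in the file. It also replaces the `mysql_tcp_connect(httpd_t)` removed in the earlier mysql hunk with raw corenet port rules; if the mysql module still provides that interface, using it keeps the port knowledge in one place.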
@@ -584,12 +755,14 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -597,10 +770,9 @@
dev_read_urand(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
+fs_read_iso9660_files(httpd_suexec_t)
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -616,6 +788,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
+miscfiles_read_public_files(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -633,12 +806,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
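Review bot: `domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)` passes the domain type as the entrypoint file type; the pattern expects an executable type in the second position, so this looks like it should be `domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)` — please confirm, as written it either fails to build or grants a meaningless entrypoint. Separately, `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` at the top of the hunk is unconditional and makes every sys content file (not just httpd_sys_script_exec_t) a valid entrypoint for the system script domain regardless of httpd_enable_cgi, while the equivalent grant for httpdcontent two lines below is correctly inside the tunable; move the first one under the tunable too, or explain why it must be unconditional.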
@@ -647,6 +829,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
@@ -664,20 +852,20 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
- nagios_domtrans_cgi(httpd_suexec_t)
-')
-
########################################
#
# Apache system script local policy
#
+auth_use_nsswitch(httpd_sys_script_t)
+
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+apache_read_squirrelmail_data(httpd_sys_script_t)
+apache_append_squirrelmail_data(httpd_sys_script_t)
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -691,12 +879,27 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
+sysnet_read_config(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
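Review bot: `fs_exec_cifs_files(httpd_suexec_t)` is listed inside the `httpd_use_nfs` block, so CIFS execution for suexec is switched on by the NFS boolean; the same grant already exists in the `httpd_use_cifs` block for httpd_suexec_t added in the hunk at `@@ -647,6 +829,12 @@`, so this line should be dropped. The suexec `httpd_use_nfs` block itself is placed under `# Apache system script local policy`; it would be easier to find next to the other httpd_suexec_t rules.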
@@ -704,6 +907,31 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+ corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+')
+
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -716,10 +944,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
-')
-
-optional_policy(`
- postgresql_stream_connect(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+ mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
')
########################################
@@ -727,6 +955,8 @@
# httpd_rotatelogs local policy
#
+allow httpd_rotatelogs_t self:capability dac_override;
+
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
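Review bot: `allow httpd_rotatelogs_t self:capability dac_override;` lets the log rotator bypass every discretionary permission check, which is more than writing httpd_log_t files needs if the log directory is owned by the account rotatelogs runs as; the commit does not say which denial prompted it. Record the trigger in a comment, e.g. `# dac_override: <denial / ownership situation that requires it>`, or prefer fixing the directory ownership so the capability is unnecessary.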
@@ -741,3 +971,66 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
+
+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
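Review bot: The `manage_*_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)` and `manage_*_pattern(httpd_t,httpdcontent,httpd_rw_content)` rules at the end of the hunk are unconditional, so httpd_t and system scripts can create, write and delete all httpd_rw_content regardless of `httpd_unified` or `httpd_enable_cgi`, yet they are appended after the `#============= bugzilla policy` heading where nobody will look for httpd_t rules; move them to the respective domain sections and, if the breadth is intended, say so in a comment. In the bugzilla block, `corenet_tcp_connect_http_port` and `corenet_tcp_connect_smtp_port` have no matching `corenet_sendrecv_*_client_packets` calls, unlike the postgresql and mysqld pairs just above them. The `#=====` header also departs from the file's `####…` section style.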
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.13/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/apcupsd.fc 2009-02-10 15:07:15.000000000 +0100
@@ -4,6 +4,8 @@
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
')
+/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
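Review bot: The added unconditional `/sbin/apcupsd` spec duplicates the one visible inside the conditional block that closes with `')` just above it; with the unconditional entry present the conditional copy is dead and should be removed. The opening of that conditional is outside the hunk, so check which distro it guards before deleting.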
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.13/policy/modules/services/arpwatch.fc
--- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
#
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.13/policy/modules/services/arpwatch.if
--- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2009-02-10 15:07:15.000000000 +0100
@@ -90,3 +90,45 @@
dontaudit $1 arpwatch_t:packet_socket { read write };
')
+
+########################################
+##
+## All of the rules required to administrate
+## an arpwatch environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the arpwatch domain.
+##
+##
+##
+#
+interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t;
+ type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_initrc_exec_t;
+ ')
+
+ allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, arpwatch_t)
+
+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 arpwatch_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, arpwatch_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, arpwatch_data_t)
+
+ files_list_pids($1)
+ admin_pattern($1, arpwatch_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.13/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.te 2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
type arpwatch_data_t;
files_type(arpwatch_data_t)
+type arpwatch_initrc_exec_t;
+init_script_file(arpwatch_initrc_exec_t)
+
type arpwatch_tmp_t;
files_tmp_file(arpwatch_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.13/policy/modules/services/asterisk.fc
--- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/asterisk.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,5 @@
/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0)
+/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0)
/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.13/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/asterisk.if 2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,54 @@
## Asterisk IP telephony server
+
+########################################
+##
+## All of the rules required to administrate
+## an asterisk environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the asterisk domain.
+##
+##
+##
+#
+interface(`asterisk_admin',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+ type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
+ type asterisk_var_lib_t;
+ type asterisk_initrc_exec_t;
+ ')
+
+ allow $1 asterisk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 asterisk_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, asterisk_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, asterisk_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, asterisk_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, asterisk_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, asterisk_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, asterisk_var_run_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.13/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/asterisk.te 2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
type asterisk_etc_t;
files_config_file(asterisk_etc_t)
+type asterisk_initrc_exec_t;
+init_script_file(asterisk_initrc_exec_t)
+
type asterisk_log_t;
logging_log_file(asterisk_log_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.13/policy/modules/services/audioentropy.fc
--- nsaserefpolicy/policy/modules/services/audioentropy.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.fc 2009-02-10 15:07:15.000000000 +0100
@@ -2,3 +2,5 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.13/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.te 2009-02-10 15:07:15.000000000 +0100
@@ -35,6 +35,7 @@
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
dev_read_sound(entropyd_t)
+dev_write_sound(entropyd_t)
fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.13/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/automount.te 2009-02-10 15:07:15.000000000 +0100
@@ -64,6 +64,7 @@
kernel_read_network_state(automount_t)
kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
+fs_read_nfs_files(automount_t)
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
@@ -71,6 +72,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
files_unmount_all_file_type_fs(automount_t)
+files_manage_non_security_dirs(automount_t)
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
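Review bot: `files_manage_non_security_dirs(automount_t)` lets the automounter create, rename and delete directories of every non-security file type on the system, far wider than the mount-point rules around it; if the need is only to create missing mount-point directories, a mountpoint-scoped interface or a dedicated type for autofs mount roots would be the narrower fix. At minimum add a comment naming the operation that requires it, e.g. `# automount creates mount-point dirs under arbitrary parents — TODO narrow`.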
@@ -100,6 +102,7 @@
corenet_udp_bind_all_rpc_ports(automount_t)
dev_read_sysfs(automount_t)
+dev_rw_autofs(automount_t)
# for SSP
dev_read_rand(automount_t)
dev_read_urand(automount_t)
@@ -145,6 +148,7 @@
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
+mount_signal(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
@@ -159,7 +163,7 @@
')
optional_policy(`
- kerberos_read_keytab(automount_t)
+ kerberos_keytab_template(automount, automount_t)
kerberos_read_config(automount_t)
kerberos_dontaudit_write_config(automount_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.13/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/avahi.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,5 +1,9 @@
+/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
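Review bot: `/usr/lib/avahi-autoipd(/.*)` lacks the trailing `?` used by the other directory specs in this file (compare `/var/run/avahi-daemon(/.*)?`), so the directory itself is never matched and only its children get avahi_var_lib_t. The spec also labels a path under /usr/lib with a var_lib type; if this is avahi-autoipd's state directory, `/var/lib/avahi-autoipd(/.*)?` is probably what was meant — confirm against the package's installed paths.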
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.13/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/avahi.if 2009-02-10 15:07:15.000000000 +0100
@@ -2,6 +2,103 @@
########################################
##
+## Execute avahi server in the avahi domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`avahi_domtrans',`
+ gen_require(`
+ type avahi_exec_t;
+ type avahi_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+##
+## Execute avahi server in the avahi domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`avahi_initrc_domtrans',`
+ gen_require(`
+ type avahi_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+')
+
+########################################
+##
+## Send avahi a sigkill
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`avahi_sigkill',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process sigkill;
+')
+
+########################################
+##
+## Send avahi a signal
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`avahi_signal',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signal;
+')
+
+########################################
+##
+## Send avahi a signull
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
+########################################
+##
## Send and receive messages from
## avahi over dbus.
##
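Review bot: The summary of `avahi_initrc_domtrans` repeats the one of `avahi_domtrans` ("Execute avahi server in the avahi domain."), but the interface transitions through the init script; change it to `## Execute the avahi init script in the init script domain.` The parameter descriptions alternate between "Domain allowed access." and "The type of the process performing this action." for the same `$1` role across avahi_sigkill, avahi_signal and avahi_signull; pick one wording for all five new interfaces.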
@@ -57,3 +154,38 @@
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an avahi environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the avahi domain.
+##
+##
+##
+#
+interface(`avahi_admin',`
+ gen_require(`
+ type avahi_t, avahi_var_run_t;
+ type avahi_initrc_exec_t;
+ ')
+
+ allow $1 avahi_t:process { ptrace signal_perms };
+ ps_process_pattern($1, avahi_t)
+
+ init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 avahi_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_pids($1)
+ admin_pattern($1, avahi_var_run_t)
+')
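Review bot: `allow $1 avahi_t:process { ptrace signal_perms };` omits `getattr`, which the arpwatch_admin and asterisk_admin interfaces added in this same patch include; for consistency use `allow $1 avahi_t:process { ptrace signal_perms getattr };` (ps_process_pattern may already cover it — verify before relying on that).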
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.13/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/avahi.te 2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,12 @@
type avahi_exec_t;
init_daemon_domain(avahi_t, avahi_exec_t)
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
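Review bot: `files_pid_file(avahi_var_lib_t)` declares the new /var/lib type as a PID-file type, while the rules added later in this file place it under /var/lib via `files_var_lib_filetrans`; the matching declaration is `files_type(avahi_var_lib_t)`. Leaving it as a pid_file type would also let interfaces that operate on all PID files touch avahi's persistent state.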
@@ -20,13 +26,18 @@
allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms setcap };
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow avahi_t self:unix_dgram_socket create_socket_perms;
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
+files_search_var_lib(avahi_t)
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
allow avahi_t avahi_var_run_t:dir setattr;
@@ -76,6 +87,7 @@
logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
+miscfiles_read_certs(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
@@ -86,6 +98,7 @@
dbus_connect_system_bus(avahi_t)
init_dbus_chat_script(avahi_t)
+ dbus_system_domain(avahi_t, avahi_exec_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.13/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bind.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,17 +1,22 @@
-/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
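Review bot: Labelling `/usr/sbin/unbound` as `named_exec_t` (L9148) and its init script as `named_initrc_exec_t` (L9139) runs unbound inside the named_t domain, so the two resolvers share one permission set and one set of writable types, and a compromise of either gets whatever the other needed, including the access named_t has to `dnssec_t` (rndc.key, L9142) and the zone/cache types. That is a deliberate trade-off against writing an unbound module, but nothing in the .fc says so; a one-line comment above L9139 such as `# unbound is deliberately run in named_t; it shares named's keys and zone types` would document it, and a dedicated unbound domain is the least-privilege alternative if the two are ever deployed together. Note also that `/etc/rndc.*` at L9141 still has an unescaped dot while the lines around it were fixed to `\.`.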
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.13/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bind.if 2009-02-10 15:07:15.000000000 +0100
@@ -38,6 +38,42 @@
########################################
##
+## Send signulls to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+##
+## Send sigkills to BIND.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_sigkill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+##
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
##
@@ -257,6 +293,25 @@
########################################
##
+## Execute bind server in the bind domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type bind_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an bind environment
##
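Review bot: `bind_initrc_domtrans` requires `bind_initrc_exec_t` at L9215 and L9218, but the type the rest of this patch declares and labels is `named_initrc_exec_t` (L9138, L9139, and the gen_require of bind_admin at L9248), so unless `bind_initrc_exec_t` is declared in bind.te outside this view, the first caller of this interface, bind_admin at L9255, will fail to build. The fix is two lines: `type named_initrc_exec_t;` in the gen_require and `init_labeled_script_domtrans($1, named_initrc_exec_t)`. The description at L9204 is also wrong for what the interface does; it should read `Execute the BIND init script in the initrc domain.` rather than "Execute bind server in the bind domain".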
@@ -267,19 +322,18 @@
##
##
##
-## Role allowed access.
-##
-##
-##
-##
-## The type of the terminal.
+## The role to be allowed to manage the bind domain.
##
##
##
#
interface(`bind_admin',`
gen_require(`
- type named_t, ndc_t;
+ type named_t, named_tmp_t, named_log_t;
+ type named_conf_t, named_var_lib_t, named_var_run_t;
+ type named_cache_t, named_zone_t;
+ type dnssec_t, ndc_t;
+ type named_initrc_exec_t;
')
allow $1 named_t:process { ptrace signal_perms };
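Review bot: The parameter documentation for the terminal type (`$3`) is deleted at L9234-L9235, yet the interface still consumes a third argument, since `bind_run_ndc($1, $2, $3)` at L9253 is unchanged. Either the `bind_run_ndc` call should drop `$3` (if ndc no longer needs the terminal type, which the hunk does not show), or the `<param name="terminal">` block describing `The type of the terminal.` should be kept so callers know the interface takes three arguments. As written, the interface signature and its documentation disagree.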
@@ -289,4 +343,28 @@
ps_process_pattern($1, ndc_t)
bind_run_ndc($1, $2, $3)
+
+ bind_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 named_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, named_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, named_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, named_conf_t)
+
+ admin_pattern($1, named_cache_t)
+ admin_pattern($1, named_zone_t)
+ admin_pattern($1, dnssec_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, named_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2009-02-10 15:07:15.000000000 +0100
@@ -173,7 +173,7 @@
')
optional_policy(`
- kerberos_use(named_t)
+ kerberos_keytab_template(named, named_t)
')
optional_policy(`
@@ -247,6 +247,8 @@
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
+term_dontaudit_use_console(ndc_t)
+
# for /etc/rndc.key
ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc 2009-02-10 15:07:15.000000000 +0100
@@ -3,6 +3,9 @@
#
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
#
# /usr
@@ -16,9 +19,11 @@
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
#
# /var
#
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.13/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.if 2009-02-10 15:07:15.000000000 +0100
@@ -226,3 +226,56 @@
dontaudit $1 bluetooth_helper_domain:dir search;
dontaudit $1 bluetooth_helper_domain:file { read getattr };
')
+
+########################################
+##
+## All of the rules required to administrate
+## an bluetooth environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bluetooth domain.
+##
+##
+##
+#
+interface(`bluetooth_admin',`
+ gen_require(`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t;
+ type bluetooth_initrc_exec_t;
+ ')
+
+ allow $1 bluetooth_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bluetooth_t)
+
+ init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bluetooth_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bluetooth_tmp_t)
+
+ files_list_var($1)
+ admin_pattern($1, bluetooth_lock_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bluetooth_conf_t)
+ admin_pattern($1, bluetooth_conf_rw_t)
+
+ files_list_spool($1)
+ admin_pattern($1, bluetooth_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bluetooth_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bluetooth_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2009-02-10 15:07:15.000000000 +0100
@@ -20,6 +20,9 @@
type bluetooth_helper_exec_t;
application_executable_file(bluetooth_helper_exec_t)
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
@@ -37,14 +40,14 @@
# Bluetooth services local policy
#
-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
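Review bot: `dac_override` is added to bluetooth_t's capability set at L9395 with no indication of which file access needs it; it lets the daemon bypass owner/mode checks on every object its SELinux rules already permit, so it is the classic "make the denial go away" grant and is hard to remove later. A comment naming the path, for example `# dac_override: needed to open <path> as root-owned 0600 -- TODO confirm`, would let a reviewer judge whether fixing that file's ownership would avoid the capability entirely. This daemon already holds `net_admin` and `net_raw`, so each additional capability deserves that justification.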
@@ -76,6 +79,7 @@
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
@@ -92,6 +96,7 @@
dev_rw_usbfs(bluetooth_t)
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
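Review bot: `dev_rw_input_dev(bluetooth_t)` at L9416 grants read and write on all input device nodes, and write access to event devices is, as far as I can tell, enough to inject keystrokes and pointer events into the local session; that is a large reach for a daemon that also handles untrusted radio input. If the access is for the HID proxy / hid2hci path (L9311), a comment saying so, e.g. `# hid2hci: rw on input devices to switch HID proxy mode -- TODO confirm`, would explain it, and it is worth checking whether a read-only input interface covers the actual need. If both read and write are genuinely required, say which device is written.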
@@ -110,6 +115,8 @@
files_read_etc_runtime_files(bluetooth_t)
files_read_usr_files(bluetooth_t)
+auth_use_nsswitch(bluetooth_t)
+
libs_use_ld_so(bluetooth_t)
libs_use_shared_libs(bluetooth_t)
@@ -117,21 +124,24 @@
miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
-
-sysnet_read_config(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-
sysadm_dontaudit_use_ptys(bluetooth_t)
sysadm_dontaudit_search_home_dirs(bluetooth_t)
optional_policy(`
dbus_system_bus_client_template(bluetooth, bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
+ dbus_system_domain(bluetooth_t, bluetooth_exec_t)
+
+ optional_policy(`
+ cups_dbus_chat(bluetooth_t)
')
optional_policy(`
- nis_use_ypbind(bluetooth_t)
+ hal_dbus_chat(bluetooth_t)
+ ')
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
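Review bot: There is no file context for certmaster's /var/lib data even though `certmaster_var_lib_t` is declared at L9615, used by the daemon through `files_var_lib_filetrans` at L9644 and handed to the admin interface at L9593; a `restorecon` run will therefore relabel that tree to the generic var_lib type and the daemon's own rules stop matching its files. Assuming the directory is `/var/lib/certmaster`, the missing line is `/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)`. The pid pattern at L9460 also uses an unescaped `.` (`certmaster.*` matches `certmasterX`), so `certmaster\..*` is the intended form.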
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if
--- nsaserefpolicy/policy/modules/services/certmaster.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,128 @@
+## policy for certmaster
+
+########################################
+##
+## Execute a domain transition to run certmaster.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`certmaster_domtrans',`
+ gen_require(`
+ type certmaster_t, certmaster_exec_t;
+ ')
+
+ domain_auto_trans($1,certmaster_exec_t,certmaster_t)
+
+ allow certmaster_t $1:fd use;
+ allow certmaster_t $1:fifo_file rw_file_perms;
+ allow certmaster_t $1:process sigchld;
+')
+
+#######################################
+##
+## read
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_read_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+##
+## Append to certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_append_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## certmaster logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`certmaster_manage_log',`
+ gen_require(`
+ type certmaster_var_log_t;
+ ')
+
+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an snort environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t;
+ type certmaster_initrc_exec_t;
+ ')
+
+ allow $1 certmaster_t:process { ptrace signal_perms };
+ ps_process_pattern($1, certmaster_t)
+
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ miscfiles_manage_cert_dirs($1)
+ miscfiles_manage_cert_files($1)
+
+ admin_pattern($1, certmaster_etc_rw_t)
+
+ files_list_pids($1)
+ admin_pattern($1, certmaster_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, certmaster_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, certmaster_var_lib_t)
+')
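Review bot: `certmaster_domtrans` at L9484-L9488 hand-writes the transition with the legacy `domain_auto_trans` plus the fd/fifo/sigchld allows, while the rest of this patch uses the helper, e.g. `domtrans_pattern($1, clamscan_exec_t, clamscan_t)` at L9736; the one-line `domtrans_pattern($1, certmaster_exec_t, certmaster_t)` is equivalent and keeps the module consistent. The `certmaster_admin` description is copy-pasted from another module: L9551 says `an snort environment` and L9560 says `manage the syslog domain`; both should read certmaster. The admin interface also hands the role `miscfiles_manage_cert_dirs/files` (L9581-L9582), i.e. manage rights on the whole system cert store, which is appropriate for an admin role but worth a comment so it is not mistaken for a scoping error.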
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2009-02-10 15:07:15.000000000 +0100
@@ -0,0 +1,81 @@
+policy_module(certmaster,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# type and domain for certmaster
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+# var/lib files
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+# config files
+type certmaster_etc_rw_t;
+files_config_file(certmaster_etc_rw_t)
+
+# log files
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+# pid files
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t)
+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file })
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+# network
+corenet_tcp_bind_inaddr_any_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+libs_use_ld_so(certmaster_t)
+libs_use_shared_libs(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_cert_dirs(certmaster_t)
+miscfiles_manage_cert_files(certmaster_t)
+
+permissive certmaster_t;
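Review bot: `permissive certmaster_t;` at L9679 ships the domain unenforced, so every denial is logged but allowed and none of the rules above it actually constrains the daemon until that line is removed; that is fine for a first drop but should carry a comment such as `# TODO: remove permissive once denials are clean` so it is not forgotten. In enforcing mode the remaining concern is that a daemon listening on every address (L9659) also gets `miscfiles_manage_cert_dirs/files` (L9676-L9677), which as I read it is write access to the shared system certificate store, so a compromise could replace trust anchors; if certmaster only needs its own CA material, confining that to `certmaster_etc_rw_t` or a dedicated cert type would be the least-privilege shape. Whether the daemon needs to write the system store is something the hunk does not show, so please confirm.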
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.13/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/clamav.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,20 +1,22 @@
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
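Review bot: The replacements at L9695-L9696 and L9701 swap the anchored forms (`clamav(/.*)?`, `clamd\..*`) for bare `clamav.*` / `clamd.*`, where the unescaped `.` is a regex wildcard; `/var/run/clamd.*` now also claims any other package's `/var/run/clamd-foo`, and `/var/log/clamav.*` overlaps `/var/log/clamav/freshclam.*` at L9702, so which label wins for freshclam's log depends only on setfiles' specificity ordering. If the intent is to match both the directory and `clamav.pid`, the precise forms are `/var/run/clamav(/.*)?` plus `/var/run/clamav\..*` as before. Labelling `clamav-milter` as `clamd_exec_t` (L9690) also puts the MTA-facing milter in clamd_t, which is presumably deliberate but deserves a comment since clamd_t is being widened elsewhere in this patch.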
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.13/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/clamav.if 2009-02-10 15:07:15.000000000 +0100
@@ -38,6 +38,27 @@
########################################
##
+## Allow the specified domain to append
+## to clamav log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_append_log',`
+ gen_require(`
+ type clamav_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 clamav_log_t:dir list_dir_perms;
+ append_files_pattern($1, clamav_log_t, clamav_log_t)
+')
+
+########################################
+##
## Read clamav configuration files.
##
##
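Review bot: `clamav_append_log` requires and uses `clamav_log_t` (L9722, L9726, L9727), but the log types this module declares are `clamd_var_log_t` and `freshclam_var_log_t` (L9778, L9783, and the .fc at L9701-L9703); unless `clamav_log_t` is declared in clamav.te outside this view, the first caller of this interface will fail to build with an unknown type. The fix is to reference `clamd_var_log_t` in all three places, i.e. `type clamd_var_log_t;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`. If freshclam's log should be appendable too, it needs its own line, since it is a separate type.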
@@ -91,3 +112,87 @@
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
+
+########################################
+##
+## Execute clamscan without a transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_exec_clamscan',`
+ gen_require(`
+ type clamscan_exec_t;
+ ')
+
+ can_exec($1, clamscan_exec_t)
+
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an clamav environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the clamav domain.
+##
+##
+##
+#
+interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t;
+ type clamd_var_run_t;
+
+ type clamscan_t, clamscan_tmp_t;
+
+ type freshclam_t, freshclam_var_log_t;
+
+ type clamd_initrc_exec_t;
+ ')
+
+ allow $1 clamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamd_t)
+
+ allow $1 clamscan_t:process { ptrace signal_perms };
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process { ptrace signal_perms };
+ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, clamd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, clamd_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, clamd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.13/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2009-02-10 15:07:15.000000000 +0100
@@ -13,7 +13,10 @@
# configuration files
type clamd_etc_t;
-files_type(clamd_etc_t)
+files_config_file(clamd_etc_t)
+
+type clamd_initrc_exec_t;
+init_script_file(clamd_initrc_exec_t)
# tmp files
type clamd_tmp_t;
@@ -87,6 +90,9 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
+
+corecmd_exec_shell(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
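Review bot: `corecmd_exec_shell(clamd_t)` at L9841 lets a network-reachable daemon (it binds the clamd port at L9846) run a shell, which makes any bug that reaches file or string handling in clamd considerably more useful to an attacker; there is no comment saying what needs it. If this is for a configured external command hook, a comment such as `# shell exec for configured VirusEvent/notify hooks -- TODO confirm` would record the reason, and gating it behind a tunable would let sites that do not use hooks keep the tighter policy. Without a stated reason it reads like a denial-chasing grant.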
@@ -97,6 +103,8 @@
corenet_tcp_bind_all_nodes(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_tcp_bind_generic_port(clamd_t)
+corenet_tcp_connect_generic_port(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
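Review bot: `corenet_tcp_bind_generic_port` and `corenet_tcp_connect_generic_port` at L9848-L9849 let clamd_t bind and connect to any port of the generic type, which is the broadest TCP grant short of all ports, and the hunk does not say which port needed it. clamd already has its own port type (L9846), so if the extra port is for the milter or a second listener, the tighter fix is to add that port to the clamd port type or declare one for it; a comment like `# generic port: used for <service> -- TODO narrow to a named port` is the minimum if the grant must stay. Since `clamav-milter` now runs in this domain (L9690), this widening applies to it as well.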
@@ -120,11 +128,19 @@
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
+mta_read_config(clamd_t)
+mta_send_mail(clamd_t)
+
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
amavis_create_pid_files(clamd_t)
+ amavis_rw_pid_files(clamd_t)
+')
+
+optional_policy(`
+ exim_read_spool_files(clamd_t)
')
########################################
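Review bot: `mta_read_config(clamd_t)` and `mta_send_mail(clamd_t)` at L9855-L9856 are unconditional, while the neighbouring amavis and exim calls are wrapped in `optional_policy()`; if the mta module is not part of the base policy on a given build, these two lines make clamav fail to link whenever mta is absent. Wrapping them as `optional_policy(\` mta_read_config(clamd_t) mta_send_mail(clamd_t) ')` matches the style of the rest of this hunk. If mta is guaranteed to be in base on the target distribution, a comment saying so would stop the next reviewer asking the same question.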
@@ -172,6 +188,7 @@
domain_use_interactive_fds(freshclam_t)
+files_search_var_lib(freshclam_t)
files_read_etc_files(freshclam_t)
files_read_etc_runtime_files(freshclam_t)
@@ -197,7 +214,7 @@
allow clamscan_t self:fifo_file rw_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
-allow clamscan_t self:tcp_socket { listen accept };
+allow clamscan_t self:tcp_socket create_stream_socket_perms;
# configuration files
allow clamscan_t clamd_etc_t:dir list_dir_perms;
@@ -213,6 +230,14 @@
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+corenet_all_recvfrom_unlabeled(clamscan_t)
+corenet_all_recvfrom_netlabel(clamscan_t)
+corenet_tcp_sendrecv_all_if(clamscan_t)
+corenet_tcp_sendrecv_all_nodes(clamscan_t)
+corenet_tcp_sendrecv_all_ports(clamscan_t)
+corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_connect_clamd_port(clamscan_t)
+
kernel_read_kernel_sysctls(clamscan_t)
files_read_etc_files(clamscan_t)
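Review bot: `corenet_tcp_sendrecv_all_ports(clamscan_t)` at L9890 is redundant with, and much broader than, the clamd-port rules that follow it: the domain only connects to the clamd port (L9892) and already has `corenet_tcp_sendrecv_clamd_port` at L9891. Dropping L9890 keeps clamscan's network footprint limited to the one port it uses; if some other port is really needed, name it in a comment rather than opening all of them. The same question applies to whether `corenet_tcp_sendrecv_all_if/all_nodes` (L9888-L9889) is needed for a client that only reaches a local clamd, but those are the conventional pair for a connect and are less of a concern.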
@@ -230,6 +255,12 @@
clamav_stream_connect(clamscan_t)
+mta_send_mail(clamscan_t)
+
optional_policy(`
apache_read_sys_content(clamscan_t)
')
+
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.13/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,6 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
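Review bot: `/var/run/ConsoleKit(/.*)? -- gen_context(...)` at L9913 carries the `--` file-type specifier, so it matches only regular files and leaves the `/var/run/ConsoleKit` directory itself (and any subdirectories) with the default pid-directory label on relabel, even though consolekit.te now expects to create directories of this type (`manage_dirs_pattern` at L9962, `files_pid_filetrans ... { file dir }` at L9965). The fix is to drop the specifier: `/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)`, the same shape used for the log line at L9915.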
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2009-02-10 15:07:15.000000000 +0100
@@ -38,3 +38,24 @@
allow $1 consolekit_t:dbus send_msg;
allow consolekit_t $1:dbus send_msg;
')
+
+########################################
+##
+## Read consolekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+')
+
+
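Review bot: `consolekit_read_log` calls `files_search_pids($1)` at L9939, but the type it reads lives under `/var/log/ConsoleKit` (L9915), so a caller that cannot already search `/var/log` will be denied at the directory before it reaches the file; the matching call is `logging_search_logs($1)`, as other read-log interfaces in this patch use (`logging_list_logs`/`logging_search_logs`, e.g. L9725). The pids search is presumably a copy-paste from a read-pid-files interface. The two trailing blank `+` lines at L9942-L9943 are also just noise in the file.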
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.13/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.te 2009-02-10 15:07:15.000000000 +0100
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_log_t;
+files_pid_file(consolekit_log_t)
+
########################################
#
# consolekit local policy
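Review bot: `consolekit_log_t` is declared with `files_pid_file()` at L9951 although it is the type of `/var/log/ConsoleKit` (L9915) and is created through `logging_log_filetrans` at L9960; declaring a log type as a pid file gives it the wrong attribute set, so generic log-handling domains (log rotation, readers of all logs) presumably will not see it while pid-file handlers will. The matching declaration is `logging_log_file(consolekit_log_t)`, as used for `certmaster_var_log_t` at L9624.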
@@ -24,20 +27,27 @@
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
allow consolekit_t self:unix_dgram_socket create_socket_perms;
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+
+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file)
+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir })
kernel_read_system_state(consolekit_t)
corecmd_exec_bin(consolekit_t)
+corecmd_exec_shell(consolekit_t)
dev_read_urand(consolekit_t)
dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
+domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_etc_files(consolekit_t)
+files_read_usr_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
@@ -47,16 +57,37 @@
auth_use_nsswitch(consolekit_t)
+init_telinit(consolekit_t)
+init_rw_utmp(consolekit_t)
+init_chat(consolekit_t)
+
libs_use_ld_so(consolekit_t)
libs_use_shared_libs(consolekit_t)
+logging_send_syslog_msg(consolekit_t)
+
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
+unprivuser_dontaudit_read_home_content_files(consolekit_t)
+
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
optional_policy(`
- dbus_system_bus_client_template(consolekit, consolekit_t)
- dbus_connect_system_bus(consolekit_t)
+ cron_read_system_job_lib_files(consolekit_t)
+')
+optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
+ optional_policy(`
hal_dbus_chat(consolekit_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(consolekit_t)
+ ')
optional_policy(`
unconfined_dbus_chat(consolekit_t)
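Review bot: `hal_ptrace(consolekit_t)` at L9993 is called unconditionally while every other hal interface in this file sits inside `optional_policy()` (L10003-L10005), so the module fails to link on a build without hal; it should move into that block. Separately, `userdom_ptrace_all_users` plus `mcs_ptrace_all` (L9990, L9994) let this daemon read and modify the memory of every logged-in user's processes across MCS categories, and the comment at L9989 only restates the grant rather than saying why; if the real need is reading `/proc/<pid>/environ` or similar for session tracking, a comment such as `# ptrace needed to read /proc/<pid>/environ of user sessions -- TODO confirm` would let a reviewer check whether a narrower read-state interface suffices. Without that reason, this is one of the broadest grants in the patch.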
@@ -64,6 +95,33 @@
')
optional_policy(`
+ polkit_domtrans_auth(consolekit_t)
+ polkit_read_lib(consolekit_t)
+')
+
+optional_policy(`
xserver_read_all_users_xauth(consolekit_t)
xserver_stream_connect_xdm_xserver(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
')
+
+optional_policy(`
+ #reading .Xauthity
+ unconfined_ptrace(consolekit_t)
+ unconfined_stream_connect(consolekit_t)
+')
+
+optional_policy(`
+ unprivuser_read_tmp_files(consolekit_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_list_nfs(consolekit_t)
+ fs_dontaudit_rw_nfs_files(consolekit_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_list_cifs(consolekit_t)
+ fs_dontaudit_rw_cifs_files(consolekit_t)
+')
+
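Review bot: `unconfined_ptrace(consolekit_t)` at L10027 is justified by the comment `#reading .Xauthity`, but ptrace is not how a file is read: the xauth file access is already covered by `xserver_read_all_users_xauth` at L10020, and ptrace over unconfined_t effectively lets consolekit take over any unconfined process, which combined with `corecmd_exec_shell` (L9968) makes the domain root-equivalent. If the real need is reading `/proc/<pid>/environ` of the unconfined session to locate the xauth file, which does require ptrace, the comment should say exactly that (`# ptrace: read /proc/<pid>/environ of unconfined sessions to find XAUTHORITY`) and the typo in `.Xauthity` should be fixed; otherwise the line should be dropped. The hunk does not show which it is, so please confirm before keeping it.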
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.13/policy/modules/services/courier.fc
--- nsaserefpolicy/policy/modules/services/courier.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/courier.fc 2009-02-10 15:07:15.000000000 +0100
@@ -19,5 +19,5 @@
/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
-
/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
+/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.5.13/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/courier.if 2009-02-10 15:07:15.000000000 +0100
@@ -180,6 +180,25 @@
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
+#######################################
+##
+## Read courier spool files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_read_spool_files',`
+ gen_require(`
+ type courier_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+')
+
########################################
##
## Read and write to courier spool pipes.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.13/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/courier.te 2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,7 @@
type courier_etc_t;
files_config_file(courier_etc_t)
+mta_system_content(courier_etc_t)
courier_domain_template(pcp)
@@ -73,6 +74,9 @@
sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
+files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
+
########################################
#
# Calendar (PCP) local policy
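Review bot: `files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)` at L10092 passes three arguments to an interface that takes one; m4 silently ignores the extras, so this builds, but it reads like a `search_dirs_pattern` line that was renamed without trimming the arguments. It should be `files_search_spool(courier_authdaemon_t)`, and if the intent was also to allow searching the courier_spool_t directory for the socket created at L10093, `manage_sock_files_pattern` already includes the directory search, so nothing else is needed.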
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2009-02-10 15:07:15.000000000 +0100
@@ -17,9 +17,10 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+
/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]* -- <>
+/var/spool/at[^/]* -- <>
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
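Review bot: The new `/var/spool/at[^/]* -- <>` at L10109 matches regular files whose name begins with `at` directly under `/var/spool` (e.g. `/var/spool/atjobs`), not the files inside `/var/spool/at/` that the removed `/var/spool/at/[^/]* -- <>` at L10108 covered; the `/var/spool/at/spool -d` entry is gone too. Unless the spool layout on the target distribution really changed, at's queued job files will now fall through to the generic spool label on relabel, so the old `/var/spool/at/[^/]* -- <>` line (or `/var/spool/at(/.*)? -- <>` if the subdirectory is wanted as well) looks like the right pattern. A comment naming the layout being matched would help.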
@@ -45,3 +46,8 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
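Review bot: `/var/lib/misc(/.*)?` is a shared FHS directory, so labelling the whole tree `system_crond_var_lib_t` hands every file other packages keep there to the cron type, and any domain given the new `cron_read_system_job_lib_files` interface can then read them. If only specific files written by cron jobs live there, per-file patterns would keep other daemons' state out of the cron type; either way a comment such as `# <which system cron job writes here> — TODO confirm` would tell the next reader what this labels. These entries are also appended after the /var/spool/fcron lines although the file is otherwise path-sorted.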
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2009-02-10 15:07:15.000000000 +0100
@@ -35,39 +35,25 @@
#
template(`cron_per_role_template',`
gen_require(`
+ class context contains;
attribute cron_spool_type;
type crond_t, cron_spool_t, crontab_exec_t;
- class dbus send_msg;
+ type crond_var_run_t;
')
+ typealias $1_t alias $1_crond_t;
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t, cron_spool_type;
files_type($1_cron_spool_t)
+ mta_system_content($1_cron_spool_t)
- type $1_crond_t;
- domain_type($1_crond_t)
- domain_cron_exemption_target($1_crond_t)
- corecmd_shell_entry_type($1_crond_t)
- role $3 types $1_crond_t;
+ domain_cron_exemption_target($1_t)
+ corecmd_shell_entry_type($1_t)
type $1_crontab_t;
application_domain($1_crontab_t, crontab_exec_t)
role $3 types $1_crontab_t;
- type $1_crontab_tmp_t;
- files_tmp_file($1_crontab_tmp_t)
-
- ##############################
- #
- # $1_crond_t local policy
- #
-
- allow $1_crond_t self:capability dac_override;
- allow $1_crond_t self:process { signal_perms setsched };
- allow $1_crond_t self:fifo_file rw_fifo_file_perms;
- allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
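Review bot: `class context contains;` is added to the `gen_require` block, but nothing in this hunk or in the template's other visible hunks uses a `context` permission, so it looks like a leftover; if a rule outside this view needs it, a comment beside it naming that rule would help. The `typealias $1_t alias $1_crond_t;` line changes the template's contract — user cron jobs now run in the user's own domain instead of a separate `$1_crond_t` — and the template's header comment above this hunk should say so, e.g. `## $1_crond_t is kept only as an alias of $1_t; user cron jobs run in the user domain.` The template body continues outside this hunk.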
@@ -75,116 +61,23 @@
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
- allow $1_crond_t $1_cron_spool_t:file entrypoint;
+ allow $1_t $1_cron_spool_t:file entrypoint;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
- allow crond_t $1_crond_t:process transition;
- dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
- allow crond_t $1_crond_t:fd use;
- allow $1_crond_t crond_t:fd use;
- allow $1_crond_t crond_t:fifo_file rw_file_perms;
- allow $1_crond_t crond_t:process sigchld;
-
- kernel_read_system_state($1_crond_t)
- kernel_read_kernel_sysctls($1_crond_t)
-
- # ps does not need to access /boot when run from cron
- files_dontaudit_search_boot($1_crond_t)
-
- corenet_all_recvfrom_unlabeled($1_crond_t)
- corenet_all_recvfrom_netlabel($1_crond_t)
- corenet_tcp_sendrecv_all_if($1_crond_t)
- corenet_udp_sendrecv_all_if($1_crond_t)
- corenet_tcp_sendrecv_all_nodes($1_crond_t)
- corenet_udp_sendrecv_all_nodes($1_crond_t)
- corenet_tcp_sendrecv_all_ports($1_crond_t)
- corenet_udp_sendrecv_all_ports($1_crond_t)
- corenet_tcp_connect_all_ports($1_crond_t)
- corenet_sendrecv_all_client_packets($1_crond_t)
-
- dev_read_urand($1_crond_t)
-
- fs_getattr_all_fs($1_crond_t)
-
- corecmd_exec_all_executables($1_crond_t)
-
- # quiet other ps operations
- domain_dontaudit_read_all_domains_state($1_crond_t)
- domain_dontaudit_getattr_all_domains($1_crond_t)
-
- files_read_usr_files($1_crond_t)
- files_exec_etc_files($1_crond_t)
- # for nscd:
- files_dontaudit_search_pids($1_crond_t)
-
- libs_use_ld_so($1_crond_t)
- libs_use_shared_libs($1_crond_t)
- libs_exec_lib_files($1_crond_t)
- libs_exec_ld_so($1_crond_t)
-
- files_read_etc_runtime_files($1_crond_t)
- files_read_var_files($1_crond_t)
- files_search_spool($1_crond_t)
-
- logging_search_logs($1_crond_t)
-
- seutil_read_config($1_crond_t)
-
- miscfiles_read_localization($1_crond_t)
-
- userdom_manage_user_tmp_files($1, $1_crond_t)
- userdom_manage_user_tmp_symlinks($1, $1_crond_t)
- userdom_manage_user_tmp_pipes($1, $1_crond_t)
- userdom_manage_user_tmp_sockets($1, $1_crond_t)
- # Run scripts in user home directory and access shared libs.
- userdom_exec_user_home_content_files($1, $1_crond_t)
- # Access user files and dirs.
-# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
- userdom_manage_user_home_content_files($1, $1_crond_t)
- userdom_manage_user_home_content_symlinks($1, $1_crond_t)
- userdom_manage_user_home_content_pipes($1, $1_crond_t)
- userdom_manage_user_home_content_sockets($1, $1_crond_t)
-# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+ allow crond_t $1_t:process transition;
+ dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };
+ allow crond_t $1_t:fd use;
+ allow $1_t crond_t:fd use;
+ allow $1_t crond_t:fifo_file rw_file_perms;
+ allow $1_t crond_t:process sigchld;
tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file manage_file_perms;
')
- # need a per-role version of this:
- #optional_policy(`
- # mono_domtrans($1_crond_t)
- #')
-
- optional_policy(`
- dbus_stub($1_crond_t)
-
- allow $1_crond_t $2:dbus send_msg;
- ')
-
- optional_policy(`
- nis_use_ypbind($1_crond_t)
- ')
-
- ifdef(`TODO',`
- optional_policy(`
- create_dir_file($1_crond_t, httpd_$1_content_t)
- ')
- allow $1_crond_t tmp_t:dir rw_dir_perms;
- type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
-
- ifdef(`mta.te', `
- domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
- allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
-
- # $1_mail_t should only be reading from the cron fifo not needing to write
- dontaudit $1_mail_t crond_t:fifo_file write;
- allow mta_user_agent $1_crond_t:fd use;
- ')
- ') dnl endif TODO
-
##############################
#
# $1_crontab_t local policy
@@ -192,23 +85,27 @@
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_crontab_t self:process signal_perms;
+ allow $1_crontab_t self:process { signal_perms setsched };
+ allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
+ allow $1_crontab_t crond_t:process signal;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+ allow $2 $1_crontab_t:fd use;
+ auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })
# crontab shows up in user ps
ps_process_pattern($2, $1_crontab_t)
+ init_dontaudit_write_utmp($1_crontab_t)
+ init_read_utmp($1_crontab_t)
+
# for ^Z
allow $2 $1_crontab_t:process signal;
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file manage_file_perms;
- allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file)
-
# create files in /var/spool/cron
manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t)
filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file)
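Review bot: `allow $1_crontab_t crond_t:process signal;` lets every user's crontab domain signal the cron daemon, and nothing says why; the pid-file read added in the next hunk (`read_files_pattern($1_crontab_t, crond_var_run_t,crond_var_run_t)`) suggests crontab looks up crond's pid to notify it of a spool change, which is worth stating in place: `# crontab reads crond's pid file and signals it after a spool update — TODO confirm which signal`. The existing comment in the next hunk still says crond is signalled "by updating the mtime on the spooldir", so one of the two descriptions is now stale. `auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })` also references `$1_devpts_t` and `$1_tty_device_t`, which are not in the template's `gen_require`; that only works if the template is always expanded where those types are declared.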
@@ -216,6 +113,7 @@
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
+ read_files_pattern($1_crontab_t, crond_var_run_t,crond_var_run_t)
kernel_read_system_state($1_crontab_t)
@@ -227,27 +125,33 @@
# Run helper programs as the user domain
corecmd_bin_domtrans($1_crontab_t, $2)
corecmd_shell_domtrans($1_crontab_t, $2)
+ allow $2 $1_crontab_t:process sigchld;
domain_use_interactive_fds($1_crontab_t)
files_read_etc_files($1_crontab_t)
files_dontaudit_search_pids($1_crontab_t)
+ auth_use_nsswitch($1_crontab_t)
+
libs_use_ld_so($1_crontab_t)
libs_use_shared_libs($1_crontab_t)
logging_send_syslog_msg($1_crontab_t)
+ logging_send_audit_msgs($1_crontab_t)
+ logging_set_loginuid($1_crontab_t)
miscfiles_read_localization($1_crontab_t)
seutil_read_config($1_crontab_t)
- userdom_manage_user_tmp_dirs($1, $1_crontab_t)
- userdom_manage_user_tmp_files($1, $1_crontab_t)
+ unprivuser_manage_tmp_dirs($1_crontab_t)
+ unprivuser_manage_tmp_files($1_crontab_t)
# Access terminals.
userdom_use_user_terminals($1, $1_crontab_t)
# Read user crontabs
userdom_read_user_home_content_files($1, $1_crontab_t)
+ userdom_transition_user_tmp($1, $1_crontab_t, { lnk_file file dir fifo_file })
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
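Review bot: `logging_set_loginuid($1_crontab_t)` grants a user-invoked setuid tool the right to change its own audit login UID, something normally reserved for login-type programs; if the only need is the PAM/audit messages crontab emits, `logging_send_audit_msgs($1_crontab_t)` on the line above may already cover it. A comment naming the crontab code path that writes loginuid (`# crontab sets loginuid via <pam module> — TODO confirm`) would let a reviewer tell a real need from a copy of the crond_t rules. The switch from `userdom_manage_user_tmp_*($1, …)` to `unprivuser_manage_tmp_*` drops the per-role parameter, so presumably every instance of the template now manages one shared unprivileged-user tmp type rather than its own role's; worth confirming that is intended.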
@@ -286,14 +190,12 @@
template(`cron_admin_template',`
gen_require(`
attribute cron_spool_type;
- type $1_crontab_t, $1_crond_t;
+ type $1_crontab_t;
')
# Allow our crontab domain to unlink a user cron spool file.
allow $1_crontab_t cron_spool_type:file { getattr read unlink };
- logging_read_generic_logs($1_crond_t)
-
# Manipulate other users crontab.
selinux_get_fs_mount($1_crontab_t)
selinux_validate_context($1_crontab_t)
@@ -339,7 +241,7 @@
allow $1 system_crond_t:fifo_file rw_file_perms;
allow $1 system_crond_t:process sigchld;
- allow $1 crond_t:fifo_file rw_file_perms;
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
allow $1 crond_t:fd use;
allow $1 crond_t:process sigchld;
@@ -421,6 +323,24 @@
########################################
##
+## Allow read/write unix stream sockets from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_system_stream_sockets',`
+ gen_require(`
+ type system_crond_t;
+ ')
+
+ allow $1 system_crond_t:unix_stream_socket { read write };
+')
+
+########################################
+##
## Read and write a cron daemon unnamed pipe.
##
##
@@ -439,7 +359,7 @@
########################################
##
-## Read, and write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
@@ -447,7 +367,7 @@
##
##
#
-interface(`cron_rw_tcp_sockets',`
+interface(`cron_dontaudit_rw_tcp_sockets',`
gen_require(`
type crond_t;
')
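Review bot: Renaming `cron_rw_tcp_sockets` to `cron_dontaudit_rw_tcp_sockets` removes the old interface name without a compatibility stub, so any module still calling `cron_rw_tcp_sockets` (in this tree or in third-party policy) stops building; the refpolicy convention is to keep the old name as a deprecated wrapper forwarding to the new one, or to add the dontaudit variant as a separate interface. The interface body is outside this hunk, so whether its rule actually changed from `allow` to `dontaudit` to match the new name and summary cannot be checked here.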
@@ -559,11 +479,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_crond_tmp_t;
+ type system_crond_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_crond_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
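Review bot: `cron_read_system_job_tmp_files` now also grants `files_search_pids($1)` and read access to `cron_var_run_t` files, which is more than its name and summary (above this hunk) promise; callers that only wanted tmp-file reads silently gain /var/run reads too. Splitting the pid-file part into its own interface (the new `cron_manage_pid_files` below shows the pattern) keeps each grant matching its name, or at least the summary should be updated to mention `cron_var_run_t`.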
@@ -584,3 +507,64 @@
dontaudit $1 system_crond_tmp_t:file append;
')
+
+
+########################################
+##
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_crond_tmp_t;
+ type cron_var_run_t;
+ type system_crond_var_run_t;
+ ')
+
+ dontaudit $1 system_crond_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+##
+## Read temporary files from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_crond_var_lib_t;
+ ')
+
+
+ read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t)
+')
+
+########################################
+##
+## Manage pid files used by cron
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
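Review bot: The summary of `cron_read_system_job_lib_files` reads `## Read temporary files from the system cron jobs.`, copied from the tmp-files interface; it should say `## Read var/lib files of the system cron jobs.` The interface also lacks `files_search_var_lib($1)`, and `cron_manage_pid_files` lacks `files_search_pids($1)`, so callers cannot traverse /var/lib or /var/run to reach the files unless they already have that elsewhere — compare `cron_read_system_job_tmp_files`, which pairs each rule with the matching `files_search_*`. In `cron_dontaudit_write_system_job_tmp_files`, `type system_crond_var_run_t;` is required but never used, and the `cron_var_run_t` dontaudit goes beyond what the name says, as in the previous hunk. The doubled blank lines inside the last two interfaces are a small style nit.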
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cron.te 2009-03-05 13:23:48.000000000 +0100
@@ -12,14 +12,6 @@
##
##
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-##
-##
-gen_tunable(cron_can_relabel, false)
-
-##
-##
## Enable extra rules in the cron domain
## to support fcron.
##
@@ -38,6 +30,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
+# var/lib files
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
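Review bot: `cron_var_run_t` is introduced under the comment `# var/lib files` and declared with `files_type`, while `crond_var_run_t` just below and `system_crond_var_run_t` in a later hunk use `files_pid_file`; since a later hunk adds `files_pid_filetrans(system_crond_t, cron_var_run_t, file)`, the declaration should presumably be `files_pid_file(cron_var_run_t)` with the comment corrected to `# var/run files`, otherwise the type misses the pid-file attribute the generic pid interfaces may rely on.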
@@ -50,6 +46,8 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
@@ -71,6 +69,12 @@
type system_crond_tmp_t;
files_tmp_file(system_crond_tmp_t)
+type system_crond_var_lib_t;
+files_type(system_crond_var_lib_t)
+
+type system_crond_var_run_t;
+files_pid_file(system_crond_var_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
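Review bot: `system_crond_var_run_t` is declared here but no rule, file context or filetrans in this patch uses it — the only other mention is an unused `gen_require` in cron.if — so either the rules that write it were left out or the declaration is dead, and a declared-but-unlabelled type is a maintenance trap. If it is reserved for a later change, a `# TODO: no rules or file contexts yet` note next to it makes that explicit.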
@@ -80,7 +84,7 @@
# Cron Local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -99,15 +103,14 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
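Review bot: `manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)` widens crond's access to the generic cron spool from read to create/write/unlink with no comment saying which daemon needs it; the `fcron_crond` tunable below already gates write access to the system spool for fcron, so if this is also fcron-driven it belongs under that tunable, and if vixie/cronie needs it a one-line `# crond rewrites <which files> in /var/spool/cron because …` would justify the widening. The read-only rules it replaces were sufficient for a daemon that only loads crontabs, so this is a least-privilege question rather than a bug.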
@@ -133,6 +136,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
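Review bot: `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)` exempt crond from the user- and role-change constraints, a notable grant for a daemon, and nothing here says why; the reason is presumably that crond sets the full user:role:type of user jobs via setexeccon, as the comment in cron.if describes, and that belongs next to the rules: `# crond sets the user and role of user jobs via setexeccon`.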
@@ -142,13 +147,17 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
+#init_spec_domtrans_script(crond_t)
+init_domtrans_script(system_crond_t)
auth_use_nsswitch(crond_t)
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
+logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
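Review bot: `init_domtrans_script(system_crond_t)` is placed in the crond_t section next to a commented-out `#init_spec_domtrans_script(crond_t)`; the system_crond_t section later in this file already receives `init_spec_domtrans_script(system_crond_t)`, so this line either duplicates it with a broader grant (every init script rather than the specified ones) or belongs beside it there. The same misplacement applies to `hal_dbus_chat(system_crond_t)` in the `@@ -180,21 +190,45 @@` hunk. Commented-out rules are better dropped than left in.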
@@ -161,6 +170,7 @@
userdom_list_all_users_home_dirs(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -180,21 +190,45 @@
')
')
+tunable_policy(`allow_polyinstantiation',`
+ allow crond_t self:capability fowner;
+ files_search_tmp(crond_t)
+ files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
+optional_policy(`
+ # these should probably be unconfined_crond_t
+ init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(crond_t)
+')
+
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
+ amanda_search_var_lib(crond_t)
+')
+
+optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_dbus_chat(system_crond_t)
')
optional_policy(`
@@ -236,6 +270,9 @@
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file)
+allow system_crond_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_crond_t, cron_var_run_t, file)
+
allow system_crond_t system_cron_spool_t:file read_file_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
@@ -267,9 +304,13 @@
filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file })
files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file)
+# var/lib files for system_crond
+files_search_var_lib(system_crond_t)
+manage_files_pattern(system_crond_t, system_crond_var_lib_t, system_crond_var_lib_t)
+
# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir list_dir_perms;
-allow system_crond_t cron_spool_t:file read_file_perms;
+allow system_crond_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
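Review bot: `# Read from /var/spool/cron.` is now stale, since the rule under it changed to `rw_file_perms`; it should say what system cron jobs write there, e.g. `# Read and write /var/spool/cron files — TODO name the job that writes`. Write access to files of the generic cron spool type from every system cron job is a widening the comment should justify.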
@@ -323,7 +364,8 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_telinit(system_crond_t)
+init_spec_domtrans_script(system_crond_t)
auth_use_nsswitch(system_crond_t)
@@ -333,6 +375,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
+logging_send_audit_msgs(system_crond_t)
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
@@ -348,18 +391,6 @@
')
')
-tunable_policy(`cron_can_relabel',`
- seutil_domtrans_setfiles(system_crond_t)
-',`
- selinux_get_fs_mount(system_crond_t)
- selinux_validate_context(system_crond_t)
- selinux_compute_access_vector(system_crond_t)
- selinux_compute_create_context(system_crond_t)
- selinux_compute_relabel_context(system_crond_t)
- selinux_compute_user_contexts(system_crond_t)
- seutil_read_file_contexts(system_crond_t)
-')
-
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
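Review bot: Dropping the `cron_can_relabel` tunable also drops its else-branch — `selinux_get_fs_mount`, `selinux_validate_context`, the `selinux_compute_*` calls and `seutil_read_file_contexts` for `system_crond_t` — which were the unconditional default before; unless they are re-added outside this view, system cron jobs lose those permissions along with the optional `seutil_domtrans_setfiles`. If the intent is only to stop offering the setfiles transition, keeping the former default rules outside any tunable would preserve current behaviour.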
@@ -383,11 +414,20 @@
')
optional_policy(`
+ lpd_list_spool(system_crond_t)
+')
+
+optional_policy(`
+ mono_domtrans(system_crond_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_crond_t)
')
optional_policy(`
mta_send_mail(system_crond_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -415,8 +455,7 @@
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_crond_t)
+ spamassassin_manage_lib_files(system_crond_t)
')
optional_policy(`
@@ -424,15 +463,12 @@
')
optional_policy(`
+ unconfined_dbus_send(crond_t)
+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_crond_t)
-
- userdom_priveleged_home_dir_manager(system_crond_t)
')
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_crond_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_crond_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
+optional_policy(`
+ userdom_priveleged_home_dir_manager(system_crond_t)
')
-') dnl end TODO
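Review bot: `unconfined_domain(crond_t)` makes the cron daemon itself unconfined whenever the unconfined module is present, and nothing records why the daemon (as opposed to the jobs it spawns) needs that; the earlier `# these should probably be unconfined_crond_t` comment suggests the author had the same doubt. A comment stating the reason next to this rule, or a pointer to the bug it resolves, would make the grant auditable later. `userdom_priveleged_home_dir_manager` keeps the misspelled interface name it inherits, so there is nothing to change on that line.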
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2009-02-10 15:07:15.000000000 +0100
@@ -5,27 +5,38 @@
/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
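Review bot: Removing the generic `/usr/lib(64)?/cups/backend/.*` and `/usr/lib(64)?/cups/daemon/.*` entries leaves every backend and daemon helper other than `cups-lpd`, `hp.*` and (in the last hunk) `cups-pdf` without a CUPS-specific label, so they fall to the default /usr/lib context unless an entry outside this hunk covers them, and `can_exec(cupsd_t, cupsd_exec_t)` in cups.te no longer applies to them. If that is deliberate, a comment beside the `# keep as separate lines to ensure proper sorting` note saying so would save the next reader the search; the `(64)?` split is explained, the removal is not.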
@@ -33,7 +44,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -43,10 +54,19 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
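Review bot: The new `/usr/local/...` and `/usr/lib/cups/backend/cups-pdf` entries are appended after the `/var/...` block although the file is otherwise path-sorted and a comment in the first hunk insists on ordering; moving them up beside the other `/usr/lib/cups/backend/` entries keeps the file consistent. `/var/log/turboprint.*` also drops the `--` qualifier, so it now labels directories and anything starting with `turboprint` under /var/log, which may be intended but is broader than the `turboprint_cups\.log.*` it replaces.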
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cups.if 2009-02-10 15:07:15.000000000 +0100
@@ -20,6 +20,30 @@
########################################
##
+## Setup cups to transtion to the cups backend domain
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cups_backend',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ domtrans_pattern(cupsd_t, $2, $1)
+
+ allow cupsd_t $1:process signal;
+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
+
+ cups_read_config($1)
+ cups_append_log($1)
+')
+
+########################################
+##
## Connect to cupsd over an unix domain stream socket.
##
##
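Review bot: `cups_backend` takes two parameters but the doc block describes only the first (`The type of the process performing this action.`); the second, used as the entry file in `domtrans_pattern(cupsd_t, $2, $1)`, needs its own param entry, and `$1` is better described as the backend domain cupsd transitions to. The summary also has a typo, `transtion`. Since cups.te calls this from its declarations section, a note that `$1` must already be a declared domain type would not hurt.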
@@ -212,6 +236,25 @@
########################################
##
+## Append cups log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_append_log',`
+ gen_require(`
+ type cupsd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
+')
+
+########################################
+##
## Write cups log files.
##
##
@@ -247,3 +290,66 @@
files_search_pids($1)
stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an cups environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the cups domain.
+##
+##
+##
+#
+interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t;
+ type ptal_var_run_t, hplip_var_run_t;
+ type cupsd_initrc_exec_t;
+ ')
+
+ allow $1 cupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cupsd_t)
+
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, cupsd_tmp_t)
+
+ admin_pattern($1, cupsd_lpd_tmp_t)
+
+ files_list_etc($1)
+ admin_pattern($1, cupsd_etc_t)
+
+ admin_pattern($1, ptal_etc_t)
+
+ files_list_spool($1)
+ admin_pattern($1, cupsd_spool_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, cupsd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, cupsd_var_run_t)
+
+ admin_pattern($1, ptal_var_run_t)
+
+ admin_pattern($1, cupsd_config_var_run_t)
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+ admin_pattern($1, hplip_var_run_t)
+')
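Review bot: `cups_admin` grants `admin_pattern` over `cupsd_etc_t` but not `cupsd_rw_etc_t`, the type cups.fc gives to `cupsd.conf`, `printers.conf` and `classes.conf`, so an administrator using this interface cannot manage the main configuration files; `cupsd_interface_t` and `cupsd_lock_t`, introduced in cups.te, are likewise absent. Adding `admin_pattern($1, cupsd_rw_etc_t)` (and the others as appropriate) to both the `gen_require` and the body would complete the interface. The summary reads `an cups environment`; `a cups environment`.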
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2009-02-10 15:07:15.000000000 +0100
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
+type cupsd_initrc_exec_t;
+init_script_file(cupsd_initrc_exec_t)
+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
+type cupsd_lock_t;
+files_lock_file(cupsd_lock_t)
+
type cupsd_log_t;
logging_log_file(cupsd_log_t)
@@ -48,6 +57,10 @@
type hplip_t;
type hplip_exec_t;
init_daemon_domain(hplip_t, hplip_exec_t)
+# For CUPS to run as a backend
+cups_backend(hplip_t, hplip_exec_t)
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
type hplip_etc_t;
files_config_file(hplip_etc_t)
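Review bot: `cups_backend(hplip_t, hplip_exec_t)`, `domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)` and `read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)` are access rules placed in the declarations section, and the last one uses `hplip_etc_t` two lines before its `type hplip_etc_t;` declaration; the compiler's two-pass parse presumably tolerates the ordering, but refpolicy convention keeps the declarations block rule-free and puts these in the hplip and cupsd_config local-policy sections. The `# For CUPS to run as a backend` comment would move with them.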
@@ -65,6 +78,16 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
+type cups_pdf_t;
+type cups_pdf_exec_t;
+domain_type(cups_pdf_t)
+domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
+cups_backend(cups_pdf_t, cups_pdf_exec_t)
+role system_r types cups_pdf_t;
+
+type cups_pdf_tmp_t;
+files_tmp_file(cups_pdf_tmp_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
@@ -79,13 +102,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
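Review bot: `sys_rawio` is added to cupsd_t's capability set without a comment, unlike the `sys_admin` above it that at least names the serial backend; it is one of the broadest capabilities (raw device and port I/O), so the rule should say which backend or ioctl needs it, e.g. `# sys_rawio: needed by the <backend> backend for <device access> — TODO confirm`, and ideally be confined to that backend's domain now that `cups_backend` exists. `dac_override` is still listed twice in the set, a pre-existing nit this edit could have cleaned up.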
@@ -97,6 +121,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
+
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
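Review bot: `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` together with `can_exec(cupsd_t, cupsd_interface_t)` lets the same domain both write and execute interface scripts, so a compromised cupsd could place content it is then allowed to run; if the daemon genuinely installs `/etc/cups/interfaces` scripts itself, a comment saying so belongs here, and if only an administrator installs them the rule could be reduced to read/exec. The need for write access is inferred only from the fc entry for `/etc/cups/interfaces`, so this is a question rather than a finding.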
@@ -104,8 +131,11 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
+
+allow cupsd_t cupsd_lock_t:file manage_file_perms;
+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
allow cupsd_t cupsd_log_t:dir setattr;
@@ -116,13 +146,20 @@
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+# This whole section needs to be moved to a smbspool policy
+# smbspool seems to be iterating through all existing tmp files.
+# Looking for kerberos files
+files_getattr_all_tmp_files(cupsd_t)
+userdom_read_unpriv_users_tmp_files(cupsd_t)
+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
allow cupsd_t cupsd_var_run_t:dir setattr;
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-
+allow cupsd_t hplip_t:process {signal sigkill };
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
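Review bot: `read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)` is removed here while an equivalent rule is added only for `cupsd_config_t` in an earlier hunk; unless cupsd_t gets hplip config reads through `cups_backend` or another rule outside this view, the daemon loses access to /etc/hp. `userdom_read_unpriv_users_tmp_files(cupsd_t)` is a wide grant (every unprivileged user's tmp files) justified only by the smbspool/kerberos note; since that note already says the block should move to an smbspool policy, marking it `# TODO: move to an smbspool domain` keeps it from becoming permanent.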
@@ -149,44 +186,49 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
-dev_read_usbfs(cupsd_t)
+dev_rw_input_dev(cupsd_t) #447878
+dev_rw_generic_usb_dev(cupsd_t)
+dev_rw_usbfs(cupsd_t)
dev_getattr_printer_dev(cupsd_t)
domain_read_all_domains_state(cupsd_t)
fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
+mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-auth_domtrans_chk_passwd(cupsd_t)
-auth_dontaudit_read_pam_pid(cupsd_t)
-
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
+files_list_spool(cupsd_t)
files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
-files_search_var_lib(cupsd_t)
+files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
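Review bot: `# for /var/lib/defoma` no longer describes the rule under it, which changed from searching /var/lib to `files_read_var_lib_files(cupsd_t)` — reading every file under /var/lib; either narrow the rule back to the defoma path via its own type, or reword the comment to say why all of /var/lib must be readable. `dev_rw_input_dev(cupsd_t) #447878` carries only a bare bug number; refpolicy comments state the reason in words (`# <why input devices are needed>, see bug 447878`). `corenet_tcp_bind_all_rpc_ports(cupsd_t)` likewise arrives with no note on which service needs a dynamic RPC port.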
@@ -195,15 +237,16 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
-# smbspool seems to be iterating through all existing tmp files.
-# redhat bug #214953
-# cjp: this might be a broken behavior
-files_dontaudit_getattr_all_tmp_files(cupsd_t)
selinux_compute_access_vector(cupsd_t)
+selinux_validate_context(cupsd_t)
init_exec_script_files(cupsd_t)
+init_read_utmp(cupsd_t)
+auth_domtrans_chk_passwd(cupsd_t)
+auth_dontaudit_read_pam_pid(cupsd_t)
+auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
libs_use_ld_so(cupsd_t)
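Review bot: `auth_rw_faillog(cupsd_t)` gives the print daemon write access to the login failure log without a comment on what triggers it; presumably the PAM path that `auth_domtrans_chk_passwd` two lines above brings in, but that is inferred. Add `# PAM modules used for IPP auth may update faillog — confirm` above it. Dropping `files_dontaudit_getattr_all_tmp_files` together with its bug #214953 rationale means any remaining smbspool scan of /tmp will now surface as AVC denials; if that behaviour was fixed upstream, one line saying so saves the next reader a bisect.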
@@ -219,17 +262,21 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
+sysnet_exec_ifconfig(cupsd_t)
-sysnet_read_config(cupsd_t)
-
+files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_all_users_home_content(cupsd_t)
# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
+lpd_exec_lpr(cupsd_t)
+lpd_relabel_spool(cupsd_t)
ifdef(`enable_mls',`
- lpd_relabel_spool(cupsd_t)
+ mls_trusted_object(cupsd_var_run_t)
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)
')
optional_policy(`
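Review bot: `lpd_relabel_spool(cupsd_t)` moves out of the `enable_mls` block and becomes unconditional, so cupsd can now relabel spool content on every build; relabel rights go beyond `lpd_manage_spool` and deserve a comment, e.g. `# cupsd relabels spool files it creates on behalf of filters — confirm`. `sysnet_exec_ifconfig(cupsd_t)` is equally unexplained. Style: `init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)` lacks the space after the second comma that the rest of the file uses.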
@@ -246,8 +293,16 @@
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
+ avahi_dbus_chat(cupsd_t)
+ ')
+
+ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
+ ')
')
optional_policy(`
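Review bot: `unconfined_dbus_chat(cupsd_t)` is added beside the `avahi`/`hal` chats without a comment saying which unconfined client cupsd must talk to; since the other two name a specific service, this one reads as a catch-all. A line such as `# cupsd answers D-Bus calls from unconfined clients; needed for <client> — confirm` makes the intent reviewable. The nested-block indentation matches the existing `hal_dbus_chat` block, which is good.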
@@ -263,6 +318,10 @@
')
optional_policy(`
+ mta_send_mail(cupsd_t)
+')
+
+optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -281,7 +340,7 @@
# Cups configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
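Review bot: Adding `dac_override` to cupsd_config_t's capabilities bypasses discretionary permission checks on every file the domain can reach, and the hunk gives no hint which access failed without it. Prefer fixing the ownership or mode of the file in question or, if the capability really is required, document it: `# dac_override: <path> is owned by lp but opened as root — confirm`. `sys_tty_config` is both allowed on this line and dontaudited on the next; the dontaudit is redundant once allowed (pre-existing, but cheap to clean up while here).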
@@ -313,7 +372,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
kernel_read_system_state(cupsd_config_t)
-kernel_read_kernel_sysctls(cupsd_config_t)
+kernel_read_all_sysctls(cupsd_config_t)
corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
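Review bot: `kernel_read_all_sysctls(cupsd_config_t)` replaces the narrower `kernel_read_kernel_sysctls` with no comment on which sysctl tree the config daemon now reads. If it is a single subtree, the matching `kernel_read_*_sysctls` interface keeps the domain tighter; otherwise add `# reads net/* and vm/* sysctls via <tool> — confirm` above it.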
@@ -326,6 +385,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
+dev_rw_generic_usb_dev(cupsd_config_t)
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -343,7 +403,7 @@
files_read_var_symlinks(cupsd_config_t)
# Alternatives asks for this
-init_getattr_script_files(cupsd_config_t)
+init_getattr_all_script_files(cupsd_config_t)
auth_use_nsswitch(cupsd_config_t)
@@ -353,6 +413,7 @@
logging_send_syslog_msg(cupsd_config_t)
miscfiles_read_localization(cupsd_config_t)
+miscfiles_read_hwdata(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
@@ -365,14 +426,16 @@
sysadm_dontaudit_search_home_dirs(cupsd_config_t)
ifdef(`distro_redhat',`
- init_getattr_script_files(cupsd_config_t)
-
optional_policy(`
rpm_read_db(cupsd_config_t)
')
')
optional_policy(`
+ term_use_generic_ptys(cupsd_config_t)
+')
+
+optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
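Review bot: `term_use_generic_ptys(cupsd_config_t)` is wrapped in `optional_policy()` although every other `term_*` call in this file (e.g. `term_use_unallocated_ttys(cupsd_t)` earlier in the diff) is unconditional; the wrapper suggests a module dependency that does not exist. Drop the `optional_policy()` and add a one-line reason, `# cupsd_config writes to the controlling pty when run interactively — confirm`. Removing `init_getattr_script_files(cupsd_config_t)` from the `distro_redhat` block is consistent with the unconditional `init_getattr_all_script_files` added above.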
@@ -388,6 +451,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
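Review bot: `hal_dontaudit_use_fds(hplip_t)` is placed inside the cupsd_config_t hal block, so an hplip_t rule now lives in the cups configuration daemon section and will be missed by anyone reading the hplip policy below. Move it into hplip_t's own hal `optional_policy` block (hplip's local policy starts later in the diff, outside this hunk) and give it a one-line reason for the dontaudit.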
@@ -500,7 +564,11 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
+
cups_stream_connect(hplip_t)
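Review bot: `manage_dirs_pattern`/`manage_files_pattern(hplip_t, cupsd_tmp_t, ...)` plus the `files_tmp_filetrans` make hplip_t a full co-owner of every cupsd_tmp_t object, not only the files it creates; if hplip only needs its own scratch files, a dedicated hplip tmp type keeps the two daemons' temp data apart. If sharing cupsd's tmp type is deliberate (filters handing files between the domains), say so: `# hplip filters share cupsd's tmp files with cupsd_t — confirm`. The `search_dir_perms` widening on cupsd_etc_t is fine but merits the same one-line reason.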
@@ -509,6 +577,8 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
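Review bot: `read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)` is a cupsd_t rule but is re-added here in the hplip_t local policy section, after being deleted from the cupsd_t section earlier in this diff. Keeping rules grouped by source domain is the convention the rest of the file follows; move the line back next to cupsd_t's other hplip rules (the `allow cupsd_t hplip_var_run_t:file read_file_perms;` area) with a comment like `# cupsd reads hplip configuration for the hp backend — confirm`.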
@@ -538,7 +608,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
@@ -552,6 +623,8 @@
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
+
libs_use_ld_so(hplip_t)
libs_use_shared_libs(hplip_t)
@@ -564,12 +637,14 @@
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
-lpd_read_config(cupsd_t)
+lpd_read_config(hplip_t)
+lpd_manage_spool(hplip_t)
sysadm_dontaudit_search_home_dirs(hplip_t)
optional_policy(`
dbus_system_bus_client_template(hplip, hplip_t)
+ dbus_connect_system_bus(hplip_t)
')
optional_policy(`
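Review bot: `lpd_manage_spool(hplip_t)` gives hplip create/write/delete rights on the whole print spool with no comment, while `lpd_read_config(hplip_t)` beside it is self-explanatory. State what hplip writes there, e.g. `# hplip backends write job data into the lpd spool — confirm`, or use a narrower lpd interface if one fits. Moving `lpd_read_config` from cupsd_t to hplip_t here pairs with the `lpd_read_config(cupsd_t)` that the cupsd section gains earlier in the diff, so nothing is lost.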
@@ -651,3 +726,55 @@
optional_policy(`
udev_read_db(ptal_t)
')
+
+########################################
+#
+# cups_pdf local policy
+#
+
+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
+
+allow cups_pdf_t self:fifo_file rw_file_perms;
+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(cups_pdf_t)
+files_read_usr_files(cups_pdf_t)
+
+kernel_read_system_state(cups_pdf_t)
+
+auth_use_nsswitch(cups_pdf_t)
+
+libs_use_ld_so(cups_pdf_t)
+libs_use_shared_libs(cups_pdf_t)
+
+corecmd_exec_shell(cups_pdf_t)
+corecmd_exec_bin(cups_pdf_t)
+
+miscfiles_read_localization(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
+
+unprivuser_home_filetrans_home_dir(cups_pdf_t)
+unprivuser_manage_home_content_dirs(cups_pdf_t)
+unprivuser_manage_home_content_files(cups_pdf_t)
+
+lpd_manage_spool(cups_pdf_t)
+
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+miscfiles_read_fonts(cups_pdf_t)
+
+sysadm_dontaudit_read_home_content_files(cups_pdf_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(cups_pdf_t)
+ fs_manage_nfs_files(cups_pdf_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(cups_pdf_t)
+ fs_manage_cifs_files(cups_pdf_t)
+')
+
+
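Review bot: `allow cups_pdf_t self:fifo_file rw_file_perms;` uses the plain file permission set where the rest of this file (`allow cupsd_config_t self:fifo_file rw_fifo_file_perms;`) and dbus.te use `rw_fifo_file_perms` for fifo_file; change it to `allow cups_pdf_t self:fifo_file rw_fifo_file_perms;`. `manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)` lets the PDF backend delete and rename cupsd's logs, which is more than a backend needs in order to log; an append/create-only rule keeps the log trustworthy, and if full manage is intentional the reason belongs in a comment. The capability line `{ chown fsetid setuid setgid dac_override }` is the broadest in the file and needs a per-capability comment, and the two trailing blank lines at the end of the section should go.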
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.13/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cvs.te 2009-02-10 15:07:15.000000000 +0100
@@ -115,4 +115,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,6 @@
/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.13/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/cyrus.te 2009-02-10 15:07:15.000000000 +0100
@@ -141,6 +141,7 @@
optional_policy(`
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2009-02-10 15:07:15.000000000 +0100
@@ -4,6 +4,9 @@
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
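Review bot: Labeling `dbus-daemon-launch-helper` with `system_dbusd_exec_t` makes the helper interchangeable with the daemon binary for every rule keyed on that type, including the domain transition into system_dbusd_t. The helper is a separate program (presumably privileged, since it spawns activated services — confirm), so a distinct exec type would let its transitions be written and audited on their own; at minimum record the decision: `# launch helper shares the daemon's exec type; system_dbusd_t re-execs it (can_exec in dbus.te)`. The `/lib` and `/lib64` entries could be a single `/lib(64)?/dbus-1/dbus-daemon-launch-helper` pattern.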
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2009-02-10 15:07:15.000000000 +0100
@@ -53,19 +53,19 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
class dbus { send_msg acquire_svc };
+ attribute dbusd_unconfined;
+ attribute dbusd_userbus;
')
##############################
#
# Delcarations
#
- type $1_dbusd_t;
+ type $1_dbusd_t, dbusd_userbus;
domain_type($1_dbusd_t)
domain_entry_file($1_dbusd_t, system_dbusd_exec_t)
role $3 types $1_dbusd_t;
- type $1_dbusd_$1_t;
-
type $1_dbusd_tmp_t;
files_tmp_file($1_dbusd_tmp_t)
@@ -84,14 +84,19 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+ allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
+
# For connecting to the bus
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+ allow $2 $1_dbusd_t:unix_stream_socket { rw_socket_perms connectto };
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
# SE-DBus specific permissions
- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t $2:dbus send_msg;
+ allow $2 $2:dbus send_msg;
+ allow $2 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
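Review bot: `allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };` and the matching `allow $1_dbusd_t dbusd_unconfined:dbus send_msg;` do not depend on the user prefix, so every instantiated user bus grants the attribute the same access; that is acceptable but worth a comment, `# any dbusd_unconfined domain may talk to and own names on this user bus`. `allow $2 $2:dbus send_msg;` is a self-rule for the caller's domain and reads oddly inside a bus template; if it exists so a domain can message itself through the bus, say so. The template still mixes `$1_t` and `$2` for the user domain (see the next hunk), which leaves it unclear which one is meant.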
@@ -102,10 +107,9 @@
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
- allow $2 $1_dbusd_t:process { sigkill signal };
+ allow $2 $1_dbusd_t:process { getattr ptrace signal_perms };
- # cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $2)
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
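Review bot: `corecmd_bin_domtrans($1_dbusd_t, $1_t)` now targets `$1_t` while the neighbouring rules in this template use `$2` for the user domain, and the `# cjp: this seems very broken` note is deleted without a replacement explaining why activated binaries transition into `$1_t`. Either use `$2` consistently or document the distinction, `# activated services run as the login domain $1_t, not the bus client $2 — confirm`. `allow $2 $1_dbusd_t:process { getattr ptrace signal_perms };` also adds ptrace of the session bus, a much stronger right than the signals it replaces; unless a debugging use-case needs it, keep `{ getattr signal_perms }`.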
@@ -115,8 +119,8 @@
kernel_read_kernel_sysctls($1_dbusd_t)
corecmd_list_bin($1_dbusd_t)
- corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
+ corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
@@ -139,6 +143,7 @@
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
+ fs_list_inotifyfs($1_dbusd_t)
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
@@ -161,12 +166,24 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
- userdom_read_user_home_content_files($1, $1_dbusd_t)
+ sysadm_dontaudit_search_home_dirs($1_dbusd_t)
+ unprivuser_read_home_content_files($1_dbusd_t)
+ unprivuser_dontaudit_append_home_content_files($1_dbusd_t)
+ term_dontaudit_use_all_user_ptys($1_dbusd_t)
+ term_dontaudit_use_all_user_ttys($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
')
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1_dbusd_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files($1_dbusd_t)
+ ')
+
tunable_policy(`read_default_t',`
files_list_default($1_dbusd_t)
files_read_default_files($1_dbusd_t)
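Review bot: `unprivuser_read_home_content_files($1_dbusd_t)` replaces the prefix-parameterised `userdom_read_user_home_content_files($1, $1_dbusd_t)`, so every user bus — including those instantiated for prefixes other than the unprivileged user — now reads unprivileged-user home content instead of its own user's. If the unprivuser interfaces are tied to one fixed home type (their name suggests so), this silently changes who can read whose files; prefer a `$1`-parameterised interface or comment the intent: `# all user buses read the generic unpriv user home content — confirm for other prefixes`. The read-only nfs/cifs `tunable_policy` blocks are consistent with that choice.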
@@ -180,9 +197,17 @@
')
optional_policy(`
+ gnome_read_gnome_config($1, $1_dbusd_t)
+ gnome_read_gconf_home_files($1_dbusd_t)
+ ')
+
+ optional_policy(`
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
+ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
+ xserver_rw_xdm_home_files($1_dbusd_t)
')
+
')
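Review bot: `gnome_read_gnome_config($1, $1_dbusd_t)` is prefix-parameterised while `gnome_read_gconf_home_files($1_dbusd_t)` beside it is not, repeating the mixed convention of the previous hunk; pick one or comment why gconf home files are not per-prefix. `xserver_rw_xdm_home_files($1_dbusd_t)` grants write access to xdm's home files from a user session bus with no reason given; add `# the session bus updates <file> under xdm's home — confirm`. The blank line added before the closing `')` is stray.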
#######################################
@@ -207,14 +232,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
+ attribute dbusd_unconfined;
')
-# type $1_dbusd_system_t;
-# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
-
# SE-DBus specific permissions
-# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
- allow $2 { system_dbusd_t self }:dbus send_msg;
+ allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
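Review bot: `allow $2 { system_dbusd_t $2 dbusd_unconfined }:dbus send_msg;` together with `allow { system_dbusd_t dbusd_unconfined } $2:dbus send_msg;` lets every system-bus client exchange messages with anything carrying `dbusd_unconfined`, and nothing states that this is the intended meaning of the attribute; `# dbusd_unconfined domains may exchange messages with any bus client` would document it. The context line `type system_dbusd_t, system_dbusd_t;` in the gen_require lists the same type twice (pre-existing) and could be tidied while touching this block.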
@@ -223,6 +246,10 @@
files_search_pids($2)
stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($2)
+
+ optional_policy(`
+ rpm_script_dbus_chat($2)
+ ')
')
#######################################
@@ -251,18 +278,16 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
+ attribute dbusd_unconfined;
class dbus send_msg;
')
-# type $2_dbusd_$1_t;
-# type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
-
# SE-DBus specific permissions
-# allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
allow $3 { $1_dbusd_t self }:dbus send_msg;
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
+ allow dbusd_unconfined $1_dbusd_t:dbus *;
')
########################################
@@ -292,6 +317,55 @@
########################################
##
+## connectto a message on user/application specific DBUS.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`dbus_connectto_user_bus',`
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Chat on user/application specific DBUS.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`dbus_chat_user_bus',`
+ gen_require(`
+ type $1_t;
+ type $1_dbusd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_dbusd_t:dbus send_msg;
+ allow $1_dbusd_t $2:dbus send_msg;
+ allow $2 $1_t:dbus send_msg;
+ allow $1_t $2:dbus send_msg;
+')
+
+########################################
+##
## Read dbus configuration.
##
##
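Review bot: `dbus_connectto_user_bus` grants access to `$1_dbusd_t` but, unlike `dbus_chat_user_bus` right below it, has no `gen_require` for that type, so a module using the template without the bus type in scope may fail to build; add a `gen_require` block listing `type $1_dbusd_t;` for symmetry. Its summary "connectto a message on user/application specific DBUS" is garbled — "Connect to the user/application specific DBUS socket" says what the rule does. `dbus_chat_user_bus` additionally allows `$2` and `$1_t` to message each other, i.e. chat with the user domain itself and not only with its bus; the summary should say so, or those two rules belong in a separate interface.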
@@ -366,3 +440,120 @@
allow $1 system_dbusd_t:dbus *;
')
+
+########################################
+##
+## Allow unconfined access to the system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+##
+## Create a domain for processes
+## which can be started by the system dbus
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`dbus_system_domain',`
+ gen_require(`
+ type system_dbusd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(system_dbusd_t, $2, $1)
+
+ dbus_system_bus_client_template($1, $1)
+ dbus_connect_system_bus($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dbus_dontaudit_rw_system_selinux_socket($1)
+ ');
+')
+
+########################################
+##
+## Dontaudit Read, and write system dbus TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:tcp_socket { read write };
+ allow $1 system_dbusd_t:fd use;
+')
+
+########################################
+##
+## connectto a message on user/application specific DBUS.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`dbus_dontaudit_connectto_user_bus',`
+ gen_require(`
+ attribute dbusd_userbus;
+ ')
+
+
+ dontaudit $2 dbusd_userbus:unix_stream_socket connectto;
+')
+
+########################################
+##
+## dontaudit attempts to use system_dbus_t selinux_socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_dontaudit_rw_system_selinux_socket',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+')
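Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is named and documented as a dontaudit but its body uses `allow` (`allow $1 system_dbusd_t:tcp_socket { read write };` and `allow $1 system_dbusd_t:fd use;`), so callers expecting to silence noise actually receive read/write on the system bus's TCP sockets; change both rules to `dontaudit`. In `dbus_system_domain` the `');` closing the `hide_broken_symptoms` block carries a stray `;` — every other `ifdef` in this file closes with `')` — and the call `dbus_system_bus_client_template($1, $1)` passes a type where the template expects a prefix, which only works because that template no longer uses `$1`; a comment noting that would help. `dbus_dontaudit_connectto_user_bus` is declared as a template taking a prefix but never uses `$1` (it keys on the `dbusd_userbus` attribute), so it should be an `interface` with a single argument, and the doubled blank line inside it is stray.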
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2009-02-10 15:07:15.000000000 +0100
@@ -9,9 +9,11 @@
#
# Delcarations
#
+attribute dbusd_unconfined;
+attribute dbusd_userbus;
type dbusd_etc_t alias etc_dbusd_t;
-files_type(dbusd_etc_t)
+files_config_file(dbusd_etc_t)
type system_dbusd_t alias dbusd_t;
type system_dbusd_exec_t;
@@ -21,11 +23,23 @@
files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
-files_pid_file(system_dbusd_var_lib_t)
+files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(system_dbusd_t, system_dbusd_exec_t,s0 - mls_systemhigh)
+ mls_fd_use_all_levels(system_dbusd_t)
+ mls_rangetrans_target(system_dbusd_t)
+ mls_file_read_all_levels(system_dbusd_t)
+ mls_socket_write_all_levels(system_dbusd_t)
+')
+
##############################
#
# Local policy
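Review bot: The `enable_mls` block makes system_dbusd_t a multi-level subject (`mls_file_read_all_levels`, `mls_socket_write_all_levels`, `mls_rangetrans_target`) without a comment on why the bus must cross levels; in an MLS build that is a trusted-subject decision and should be written down, e.g. `# the system bus relays between clients at all levels, so it is ranged to systemhigh — confirm`. Changing `system_dbusd_var_lib_t` from `files_pid_file` to `files_type` alters which generic interfaces reach it (pid-file callers lose it); a one-line note would show this was intentional. Style: `system_dbusd_exec_t,s0 - mcs_systemhigh` and its MLS twin lack the space after the comma used elsewhere.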
@@ -35,7 +49,7 @@
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr signal_perms setpgid getcap setcap };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -43,6 +57,8 @@
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+can_exec(system_dbusd_t, system_dbusd_exec_t)
+
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
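Review bot: `can_exec(system_dbusd_t, system_dbusd_exec_t)` lets the bus daemon execute its own entry-point type without a domain change, and the reason is only discoverable from the dbus.fc hunk that labels `dbus-daemon-launch-helper` with the same type. Put that link in the policy: `# system_dbusd_exec_t also covers dbus-daemon-launch-helper, which the bus runs to activate services — confirm`. If the helper gets its own type later, this rule should follow it.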
@@ -65,6 +81,8 @@
fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t)
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
@@ -81,7 +99,6 @@
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_exec_bin(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
@@ -91,6 +108,9 @@
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
+init_dbus_chat_script(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
libs_use_ld_so(system_dbusd_t)
libs_use_shared_libs(system_dbusd_t)
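Review bot: `init_domtrans_script(system_dbusd_t)`, `init_bin_domtrans_spec(system_dbusd_t)` and `init_dbus_chat_script(system_dbusd_t)` let the system bus start init scripts and chat with them, which turns D-Bus activation into a path to initrc privileges, and the hunk offers no comment on which activated service needs it. Add a why-line, `# service activation: the bus starts <service> via its init script — confirm`, and prefer the service-specific `*_initrc_domtrans` interfaces (as `networkmanager_initrc_domtrans` does in a later hunk) over the generic script transition where possible.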
@@ -122,9 +142,38 @@
')
optional_policy(`
+ consolekit_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(system_dbusd_t)
+ polkit_search_lib(system_dbusd_t)
+')
+
+optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
+ unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+ optional_policy(`
+ xserver_rw_xdm_xserver_shm(unconfined_dbusd_t)
+ ')
+')
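Review bot: The final `optional_policy` block makes `unconfined_dbusd_t` fully unconfined via `unconfined_domain(unconfined_dbusd_t)` but does not say so; requiring a type that is presumably declared by the user bus template in the unconfined module is unusual for dbus.te, and the block would read more naturally in that module next to the template call. If it must stay here, open it with `# the unconfined user's session bus is itself unconfined (execmem and xdm shm included)`. The other new blocks (`consolekit`, `polkit`, `networkmanager_initrc_domtrans`) look like activation targets and could share one `# D-Bus activation targets` comment.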
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.13/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dcc.if 2009-02-10 15:07:15.000000000 +0100
@@ -72,6 +72,24 @@
########################################
##
+## Send a signal to the dcc_client.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dcc_signal_client',`
+ gen_require(`
+ type dcc_client_t;
+ ')
+
+ allow $1 dcc_client_t:process signal;
+')
+
+########################################
+##
## Execute dcc_client in the dcc_client domain, and
## allow the specified role the dcc_client domain.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.13/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dcc.te 2009-02-10 15:07:15.000000000 +0100
@@ -105,6 +105,8 @@
files_read_etc_files(cdcc_t)
files_read_etc_runtime_files(cdcc_t)
+auth_use_nsswitch(cdcc_t)
+
libs_use_ld_so(cdcc_t)
libs_use_shared_libs(cdcc_t)
@@ -112,19 +114,12 @@
miscfiles_read_localization(cdcc_t)
-sysnet_read_config(cdcc_t)
-sysnet_dns_name_resolve(cdcc_t)
-
-optional_policy(`
- nscd_socket_use(cdcc_t)
-')
-
########################################
#
# dcc procmail interface local policy
#
-allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:capability { setgid setuid };
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;
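Review bot: `allow dcc_client_t self:capability { setgid setuid };` adds `setgid` with no comment on what dcc_client switches to, while the surrounding removals assume `auth_use_nsswitch` (added in the previous hunk) subsumes `sysnet_read_config`, `sysnet_dns_name_resolve` and `nscd_socket_use`. That substitution repeats for dcc_dbclean_t, dccd_t, dccifd_t and dccm_t below and again in the dhcp.te and dnsmasq.te hunks; it is presumably equivalent, but one comment at the first occurrence, `# auth_use_nsswitch covers nsswitch config, DNS and nscd — confirm`, would spare each reader re-deriving it. For the capability, `# setgid: dcc_client drops to the dcc group before touching its db — confirm`.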
@@ -141,6 +136,7 @@
corenet_all_recvfrom_unlabeled(dcc_client_t)
corenet_all_recvfrom_netlabel(dcc_client_t)
+corenet_udp_bind_all_nodes(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -148,6 +144,10 @@
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
+kernel_read_system_state(dcc_client_t)
+
+auth_use_nsswitch(dcc_client_t)
+
libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)
@@ -155,11 +155,8 @@
miscfiles_read_localization(dcc_client_t)
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
-
optional_policy(`
- nscd_socket_use(dcc_client_t)
+ spamassassin_read_spamd_tmp_files(dcc_client_t)
')
########################################
@@ -191,6 +188,8 @@
files_read_etc_files(dcc_dbclean_t)
files_read_etc_runtime_files(dcc_dbclean_t)
+auth_use_nsswitch(dcc_dbclean_t)
+
libs_use_ld_so(dcc_dbclean_t)
libs_use_shared_libs(dcc_dbclean_t)
@@ -198,13 +197,6 @@
miscfiles_read_localization(dcc_dbclean_t)
-sysnet_read_config(dcc_dbclean_t)
-sysnet_dns_name_resolve(dcc_dbclean_t)
-
-optional_policy(`
- nscd_socket_use(dcc_dbclean_t)
-')
-
########################################
#
# Server daemon local policy
@@ -262,6 +254,8 @@
fs_getattr_all_fs(dccd_t)
fs_search_auto_mountpoints(dccd_t)
+auth_use_nsswitch(dccd_t)
+
libs_use_ld_so(dccd_t)
libs_use_shared_libs(dccd_t)
@@ -277,10 +271,6 @@
sysadm_dontaudit_search_home_dirs(dccd_t)
optional_policy(`
- nscd_socket_use(dccd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dccd_t)
')
@@ -336,6 +326,8 @@
fs_getattr_all_fs(dccifd_t)
fs_search_auto_mountpoints(dccifd_t)
+auth_use_nsswitch(dccifd_t)
+
libs_use_ld_so(dccifd_t)
libs_use_shared_libs(dccifd_t)
@@ -343,18 +335,10 @@
miscfiles_read_localization(dccifd_t)
-sysnet_read_config(dccifd_t)
-sysnet_dns_name_resolve(dccifd_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-
sysadm_dontaudit_search_home_dirs(dccifd_t)
optional_policy(`
- nscd_socket_use(dccifd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dccifd_t)
')
@@ -409,6 +393,8 @@
fs_getattr_all_fs(dccm_t)
fs_search_auto_mountpoints(dccm_t)
+auth_use_nsswitch(dccm_t)
+
libs_use_ld_so(dccm_t)
libs_use_shared_libs(dccm_t)
@@ -416,18 +402,10 @@
miscfiles_read_localization(dccm_t)
-sysnet_read_config(dccm_t)
-sysnet_dns_name_resolve(dccm_t)
-
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-
sysadm_dontaudit_search_home_dirs(dccm_t)
optional_policy(`
- nscd_socket_use(dccm_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dccm_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.13/policy/modules/services/dhcp.fc
--- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dhcp.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.13/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dhcp.if 2009-02-10 15:07:15.000000000 +0100
@@ -19,3 +19,63 @@
sysnet_search_dhcp_state($1)
allow $1 dhcpd_state_t:file setattr;
')
+
+########################################
+##
+## Execute dhcp server in the dhcp domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dhcpd_initrc_domtrans',`
+ gen_require(`
+ type dhcpd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dhcp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dhcp domain.
+##
+##
+##
+#
+interface(`dhcpd_admin',`
+ gen_require(`
+ type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+ type dhcpd_var_run_t;
+ type dhcpd_initrc_exec_t;
+ ')
+
+ allow $1 dhcpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dhcpd_t)
+
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dhcpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, dhcpd_tmp_t)
+
+ admin_pattern($1, dhcpd_state_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
+')
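Review bot: `dhcpd_initrc_domtrans` is summarised as "Execute dhcp server in the dhcp domain", which describes a daemon transition rather than what it does (`init_labeled_script_domtrans` of the init script); write "Execute the dhcpd init script in the initrc domain". In `dhcpd_admin` the gen_require puts three declarations on one line, `type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;`, while the later `dnsmasq_admin` writes `type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;`; use the comma form here too. The doubled `#` lines before `interface(` are stray, and `allow $1 dhcpd_t:process { ptrace signal_perms };` deserves a comment that ptrace is there for the admin's debugging tools.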
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.13/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dhcp.te 2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
type dhcpd_exec_t;
init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+type dhcpd_initrc_exec_t;
+init_script_file(dhcpd_initrc_exec_t)
+
type dhcpd_state_t;
files_type(dhcpd_state_t)
@@ -24,13 +27,12 @@
# Local policy
#
-allow dhcpd_t self:capability net_raw;
+allow dhcpd_t self:capability { net_raw sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t self:tcp_socket create_stream_socket_perms;
allow dhcpd_t self:udp_socket create_socket_perms;
# Allow dhcpd_t to use packet sockets
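Review bot: `sys_resource` is added to dhcpd_t's capabilities with no comment on which limit dhcpd raises, and `allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;` is removed in the same hunk, presumably because `kernel_read_network_state` in the next hunk replaces the route lookups. A one-line note would make both intentional: `# sys_resource: dhcpd raises <rlimit> at start — confirm`, and `# route lookups now via kernel_read_network_state` at the removal site.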
@@ -51,6 +53,7 @@
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
+kernel_read_network_state(dhcpd_t)
corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
@@ -88,6 +91,8 @@
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
+auth_use_nsswitch(dhcpd_t)
+
libs_use_ld_so(dhcpd_t)
libs_use_shared_libs(dhcpd_t)
@@ -95,7 +100,6 @@
miscfiles_read_localization(dhcpd_t)
-sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
@@ -117,14 +121,6 @@
')
optional_policy(`
- nis_use_ypbind(dhcpd_t)
-')
-
-optional_policy(`
- nscd_socket_use(dhcpd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dhcpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc 2009-02-10 15:07:15.000000000 +0100
@@ -1,4 +1,7 @@
+/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
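Review bot: `/var/lib/dnsmasq(/.*)?` labels a directory tree as `dnsmasq_lease_t`, but the dnsmasq.te hunk later in the diff only grants `manage_files_pattern` on that type and a `files_var_lib_filetrans` for files, so the daemon can manage files inside an existing `dnsmasq_lease_t` directory but cannot create or manage such directories; if dnsmasq creates its state directory itself, `manage_dirs_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)` is missing — confirm against the daemon's startup. A comment on the fc line, `# lease directory used by packaged dnsmasq configs`, would also explain why two lease locations exist.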
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2009-02-10 15:07:15.000000000 +0100
@@ -1 +1,175 @@
## dnsmasq DNS forwarder and DHCP server
+
+########################################
+##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t;
+ type dnsmasq_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+')
+
+########################################
+##
+## Execute dnsmasq server in the dnsmasq domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dnsmasq_initrc_domtrans',`
+ gen_require(`
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+')
+
+########################################
+##
+## Send dnsmasq a signal
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`dnsmasq_signal',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signal;
+')
+
+
+########################################
+##
+## Send dnsmasq a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+##
+## Send dnsmasq a sigkill
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_sigkill',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+##
+## Delete dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
+## Read dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an dnsmasq environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dnsmasq domain.
+##
+##
+##
+#
+interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_initrc_exec_t;
+ ')
+
+ allow $1 dnsmasq_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dnsmasq_t)
+
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dnsmasq_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, dnsmasq_lease_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
+')
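Review bot: `dnsmasq_initrc_domtrans` reuses the summary of `dnsmasq_domtrans` ("Execute dnsmasq server in the dnsmasq domain") although it transitions into the init script domain; write "Execute the dnsmasq init script in the initrc domain" so the two are distinguishable in generated docs. The parameter description is inconsistent across the new interfaces: `dnsmasq_signal` says "The type of the process performing this action" while `dnsmasq_signull` and `dnsmasq_sigkill` say "Domain allowed access"; pick one. Each block opens with two `#` lines where one is the convention, and there is a doubled blank line between `dnsmasq_signal` and `dnsmasq_signull`. `dnsmasq_admin`'s summary "an dnsmasq environment" should read "a dnsmasq environment" (same wording issue in `dhcpd_admin`).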
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2009-02-10 15:07:15.000000000 +0100
@@ -10,6 +10,9 @@
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+type dnsmasq_initrc_exec_t;
+init_script_file(dnsmasq_initrc_exec_t)
+
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@@ -23,7 +26,7 @@
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process { setcap signal_perms };
+allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
@@ -32,7 +35,7 @@
allow dnsmasq_t self:rawip_socket create_socket_perms;
# dhcp leases
-allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
@@ -55,8 +58,7 @@
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dns_port(dnsmasq_t)
-corenet_udp_bind_dhcpd_port(dnsmasq_t)
+corenet_udp_bind_all_ports(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
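Review bot: corenet_udp_bind_all_ports(dnsmasq_t) replaces the two named-port binds with permission to bind every UDP port, so the policy no longer states which ports dnsmasq is expected to serve and the domain can claim any UDP port. If the widening is for randomised source ports on upstream queries, `corenet_udp_bind_generic_port(dnsmasq_t)` next to the original dns and dhcpd binds keeps the well-known ports enumerated; if it is for a specific extra port, a comment naming it would let a maintainer narrow the rule later. The corenet_sendrecv lines that follow still name only dns and dhcpd, which now reads inconsistently with the bind rule.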
@@ -67,10 +69,13 @@
# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)
+auth_use_nsswitch(dnsmasq_t)
+
libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)
@@ -78,14 +83,12 @@
miscfiles_read_localization(dnsmasq_t)
-sysnet_read_config(dnsmasq_t)
-
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
sysadm_dontaudit_search_home_dirs(dnsmasq_t)
optional_policy(`
- nis_use_ypbind(dnsmasq_t)
+ cron_manage_pid_files(dnsmasq_t)
')
optional_policy(`
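Review bot: Swapping nis_use_ypbind for cron_manage_pid_files inside the same optional_policy block leaves no record of why dnsmasq_t needs to create and delete cron's pid files, which is an unusual cross-service write. A comment above the call, `# confirm: which dnsmasq setup writes under cron's pid directory`, would anchor it until the reason is known. Dropping the nis call looks fine given auth_use_nsswitch is added earlier in this patch, but that reasoning is inferred rather than stated.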
@@ -95,3 +98,8 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
+
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+ virt_manage_pid_files(dnsmasq_t)
+')
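Review bot: virt_manage_lib_files and virt_manage_pid_files give dnsmasq_t full manage access over the virt module's lib and pid types, presumably because libvirt starts dnsmasq for its virtual networks and the lease and pid files land under virt's directories, but the hunk does not say so. A one-line comment inside the block, `# dnsmasq instances started by libvirt keep leases and pid files under virt's dirs`, would document the dependency and make the breadth of the manage rules reviewable.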
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.13/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.fc 2009-02-10 15:07:15.000000000 +0100
@@ -6,6 +6,7 @@
/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
#
# /usr
@@ -17,23 +18,22 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
')
#
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-
-
-
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
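Review bot: The removed comment `# this is a hard link to /var/lib/dovecot/ssl-parameters.dat` was the only explanation of why a path under /var/run is labelled dovecot_var_lib_t rather than dovecot_var_run_t, and the replacement `--` entry keeps that labelling while dropping the reason. Restoring the comment above the new entry keeps the exception self-documenting; without it a later cleanup is likely to relabel the path, which changes the inode shared with the /var/lib copy.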
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.13/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.if 2009-02-10 15:07:15.000000000 +0100
@@ -21,7 +21,46 @@
########################################
##
-## Do not audit attempts to delete dovecot lib files.
+## Connect to dovecot auth unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`dovecot_auth_stream_connect',`
+ gen_require(`
+ type dovecot_auth_t, dovecot_var_run_t;
+ ')
+
+ allow $1 dovecot_var_run_t:dir search;
+ allow $1 dovecot_var_run_t:sock_file write;
+ allow $1 dovecot_auth_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Execute dovecot_deliver in the dovecot_deliver domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dovecot_domtrans_deliver',`
+ gen_require(`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
+ ')
+
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+')
+
+#######################################
+##
+## Do not audit attempts to d`elete dovecot lib files.
##
##
##
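Review bot: The rewritten description of the dontaudit interface that follows this hunk now reads `## Do not audit attempts to d`elete dovecot lib files.`; the stray backtick is a typo, and since backtick is m4's opening quote an unbalanced one is a risk should the comment ever be processed unquoted, so restore `## Do not audit attempts to delete dovecot lib files.`. The banner line above it also appears one character shorter than the 40-hash width used elsewhere in the file. In dovecot_auth_stream_connect, the three allow rules are the conventional `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)` written out by hand; the pattern form is the house style. The interface the doc belongs to continues outside the hunk.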
@@ -36,3 +75,60 @@
dontaudit $1 dovecot_var_lib_t:file unlink;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an dovecot environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dovecot domain.
+##
+##
+##
+#
+interface(`dovecot_admin',`
+ gen_require(`
+ type dovecot_t, dovecot_etc_t, dovecot_log_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+ type dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_initrc_exec_t;
+ ')
+
+ allow $1 dovecot_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dovecot_t)
+
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dovecot_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, dovecot_log_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+ admin_pattern($1, dovecot_cert_t)
+
+ admin_pattern($1, dovecot_passwd_t)
+')
+
+
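Review bot: dovecot_admin requires `type dovecot_t, dovecot_etc_t, dovecot_log_t;` but the dovecot.te hunk in this same patch declares the log type as dovecot_var_log_t, and no dovecot_log_t declaration is visible; if none exists elsewhere, the gen_require fails at build time and the admin interface is unusable. The require and the matching admin_pattern call should name the declared type: `type dovecot_t, dovecot_etc_t, dovecot_var_log_t;` and `admin_pattern($1, dovecot_var_log_t)`. The hunk also appends two blank lines at end of file.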
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2009-03-06 09:53:17.000000000 +0100
@@ -15,12 +15,21 @@
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
+type dovecot_deliver_t;
+type dovecot_deliver_exec_t;
+domain_type(dovecot_deliver_t)
+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+role system_r types dovecot_deliver_t;
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
+type dovecot_initrc_exec_t;
+init_script_file(dovecot_initrc_exec_t)
+
type dovecot_passwd_t;
files_type(dovecot_passwd_t)
@@ -31,9 +40,15 @@
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
+type dovecot_var_log_t;
+logging_log_file(dovecot_var_log_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
########################################
#
# dovecot local policy
@@ -85,6 +100,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
+fs_getattr_all_dirs(dovecot_t)
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
@@ -98,7 +114,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
-files_getattr_all_mountpoints(dovecot_t)
+files_search_all_mountpoints(dovecot_t)
init_getattr_utmp(dovecot_t)
@@ -120,7 +136,7 @@
sysadm_dontaudit_search_home_dirs(dovecot_t)
optional_policy(`
- kerberos_use(dovecot_t)
+ kerberos_keytab_template(dovecot, dovecot_t)
')
optional_policy(`
@@ -140,25 +156,40 @@
# dovecot auth local policy
#
-allow dovecot_auth_t self:capability { setgid setuid };
+allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process signal_perms;
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+read_files_pattern(dovecot_auth_t,dovecot_passwd_t,dovecot_passwd_t)
+#allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
+
+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
+
+# log files
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
+files_read_var_symlinks(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_auth_stream_connect(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
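Review bot: The commented-out rule `#allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;` directly under its read_files_pattern replacement is dead text and should be dropped; the history lives in the diff. Adding chown and dac_override to dovecot_auth_t's capabilities deserves a one-line comment naming the operation that needs them, since dac_override bypasses file permission checks for the whole domain and is the rule most likely to be questioned later. dovecot_auth_stream_connect(dovecot_auth_t) applied to the domain itself presumably covers auth worker processes connecting to one another's sockets; a short comment would spare the next reader the same guess.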
@@ -167,6 +198,7 @@
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
+files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
@@ -185,5 +217,59 @@
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+ postfix_manage_private_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
+userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
+
+########################################
+#
+# dovecot deliver local policy
+#
+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t)
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
+fs_getattr_all_fs(dovecot_deliver_t)
+
+auth_use_nsswitch(dovecot_deliver_t)
+
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
+logging_send_syslog_msg(dovecot_deliver_t)
+
+miscfiles_read_localization(dovecot_deliver_t)
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
+userdom_priveleged_home_dir_manager(dovecot_deliver_t)
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
+
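Review bot: `allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;` grants only file reads, so if a directory is labelled dovecot_etc_t the domain cannot search it; the conventional `read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)` grants both. Nothing visible in this chunk calls dovecot_domtrans_deliver, so as far as this chunk shows the new domain is reached only if an MTA policy outside the hunk transitions into it; naming the intended caller in a comment under the `# dovecot deliver local policy` banner would help. userdom_priveleged_home_dir_manager gives the domain manage rights over every user's home content, the expected need for local delivery but the broadest rule here, and it deserves the same one-line justification. The hunk ends with an added blank line at end of file.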
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.13/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/exim.if 2009-02-10 15:07:15.000000000 +0100
@@ -97,6 +97,26 @@
########################################
##
+## Allow the specified domain to manage exim's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`exim_manage_log',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
+ manage_files_pattern($1, exim_log_t, exim_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
## Allow the specified domain to append
## exim log files.
##
@@ -154,3 +174,23 @@
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
')
+
+########################################
+##
+## Create, read, write, and delete
+## exim spool dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`exim_manage_spool_dirs',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.13/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/exim.te 2009-02-10 15:07:15.000000000 +0100
@@ -21,9 +21,20 @@
##
gen_tunable(exim_manage_user_files, false)
+##
+##
+## Allow exim to connect to databases (postgres, mysql)
+##
+##
+gen_tunable(exim_can_connect_db, false)
+
type exim_t;
type exim_exec_t;
init_daemon_domain(exim_t, exim_exec_t)
+mta_mailserver(exim_t, exim_exec_t)
+mta_mailserver_user_agent(exim_t)
+application_executable_file(exim_exec_t)
+mta_agent_executable(exim_exec_t)
type exim_log_t;
logging_log_file(exim_log_t)
@@ -42,10 +53,12 @@
# exim local policy
#
-allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
+allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
allow exim_t self:unix_stream_socket create_stream_socket_perms;
allow exim_t self:tcp_socket create_stream_socket_perms;
+allow exim_t self:udp_socket create_socket_perms;
can_exec(exim_t,exim_exec_t)
@@ -66,12 +79,15 @@
files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
kernel_read_kernel_sysctls(exim_t)
-
kernel_dontaudit_read_system_state(exim_t)
+kernel_read_network_state(exim_t)
corecmd_search_bin(exim_t)
corenet_all_recvfrom_unlabeled(exim_t)
+corenet_all_recvfrom_netlabel(exim_t)
+corenet_udp_sendrecv_all_if(exim_t)
+corenet_udp_sendrecv_all_nodes(exim_t)
corenet_tcp_sendrecv_all_if(exim_t)
corenet_tcp_sendrecv_all_nodes(exim_t)
corenet_tcp_sendrecv_all_ports(exim_t)
@@ -82,6 +98,8 @@
corenet_tcp_connect_smtp_port(exim_t)
corenet_tcp_connect_ldap_port(exim_t)
corenet_tcp_connect_inetd_child_port(exim_t)
+# connect to spamassassin
+corenet_tcp_connect_spamd_port(exim_t)
dev_read_rand(exim_t)
dev_read_urand(exim_t)
@@ -89,7 +107,10 @@
# Init script handling
domain_use_interactive_fds(exim_t)
+files_search_usr(exim_t)
+files_search_var(exim_t)
files_read_etc_files(exim_t)
+files_read_etc_runtime_files(exim_t)
auth_use_nsswitch(exim_t)
@@ -99,23 +120,86 @@
logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
-sysnet_dns_name_resolve(exim_t)
+fs_getattr_xattr_fs(exim_t)
+fs_list_inotifyfs(exim_t)
unprivuser_dontaudit_search_home_dirs(exim_t)
mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
+mta_read_config(exim_t)
+mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
sysadm_dontaudit_search_home_dirs(exim_t)
tunable_policy(`exim_read_user_files',`
- userdom_read_unpriv_users_home_content_files(exim_t)
- userdom_read_unpriv_users_tmp_files(exim_t)
+ unprivuser_read_home_content_files(exim_t)
+ unprivuser_read_tmp_files(exim_t)
')
tunable_policy(`exim_manage_user_files',`
- userdom_manage_unpriv_users_home_content_dirs(exim_t)
- userdom_read_unpriv_users_tmp_files(exim_t)
- userdom_write_unpriv_users_tmp_files(exim_t)
+ unprivuser_manage_home_content_dirs(exim_t)
+ unprivuser_read_tmp_files(exim_t)
+ unprivuser_write_tmp_files(exim_t)
+')
+
+tunable_policy(`exim_can_connect_db',`
+ corenet_tcp_connect_mysqld_port(exim_t)
+ corenet_sendrecv_mysqld_client_packets(exim_t)
+ corenet_tcp_connect_postgresql_port(exim_t)
+ corenet_sendrecv_postgresql_client_packets(exim_t)
+')
+
+optional_policy(`
+ dovecot_auth_stream_connect(exim_t)
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ postgresql_stream_connect(exim_t)
+')
+')
+
+optional_policy(`
+ kerberos_keytab_template(exim, exim_t)
+')
+
+optional_policy(`
+ mailman_read_data_files(exim_t)
+ mailman_domtrans(exim_t)
+')
+
+optional_policy(`
+ procmail_domtrans(exim_t)
+')
+
+optional_policy(`
+ sasl_connect(exim_t)
+')
+
+optional_policy(`
+ cron_read_pipes(exim_t)
+ cron_rw_system_job_pipes(exim_t)
+')
+
+optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
+ clamav_stream_connect(exim_t)
+')
+
+optional_policy(`
+ spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t)
')
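Review bot: The `')` that closes the inner tunable_policy in the postgresql optional_policy block sits at column 0 while the matching mysql block indents it one level; m4 does not care, but the block now reads as if the outer optional_policy closes early. Indent it to match the mysql block, `	')`, so the two nesting levels are visible.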
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.5.13/policy/modules/services/fetchmail.fc
--- nsaserefpolicy/policy/modules/services/fetchmail.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.fc 2009-03-05 15:02:41.000000000 +0100
@@ -11,9 +11,11 @@
/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+
#
# /var
#
+/var/log/fetchmail\.log -- gen_context(system_u:object_r:fetchmail_log_t,s0)
/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.13/policy/modules/services/fetchmail.if
--- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.if 2009-03-05 15:06:34.000000000 +0100
@@ -1,5 +1,25 @@
## Remote-mail retrieval and forwarding utility
+#######################################
+##
+## Allow the specified domain to append
+## fetchmail log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fetchmail_append_log',`
+ gen_require(`
+ type fetchmail_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, fetchmail_log_t, fetchmail_log_t)
+')
+
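Review bot: The parameter doc for fetchmail_append_log says `## Domain allowed to transition.` but the interface grants append on fetchmail_log_t and transitions nothing; it should read `## Domain allowed access.` as the other interfaces in this patch do. The banner above it also appears one character shorter than the 40-hash line used by the existing banner below.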
########################################
##
## All of the rules required to administrate
@@ -21,10 +41,10 @@
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
- manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t)
+ admin_pattern($1, fetchmail_etc_t)
- manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t)
+ admin_pattern($1, fetchmail_uidl_cache_t)
files_list_pids($1)
- manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t)
+ admin_pattern($1, fetchmail_var_run_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.13/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.te 2009-03-05 15:01:19.000000000 +0100
@@ -19,6 +19,9 @@
type fetchmail_uidl_cache_t;
files_type(fetchmail_uidl_cache_t)
+type fetchmail_log_t;
+logging_log_file(fetchmail_log_t)
+
########################################
#
# Local policy
@@ -40,6 +43,9 @@
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file)
+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+logging_log_filetrans(fetchmail_t,fetchmail_log_t,file)
+
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
kernel_getattr_proc_files(fetchmail_t)
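Review bot: `logging_log_filetrans(fetchmail_t,fetchmail_log_t,file)` omits the spaces after commas that the manage_files_pattern line above it and the files_pid_filetrans context line use; write it as `logging_log_filetrans(fetchmail_t, fetchmail_log_t, file)`. Purely cosmetic, but it keeps the module consistent with its own format.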
@@ -91,6 +97,10 @@
')
optional_policy(`
+ sendmail_manage_log(fetchmail_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(fetchmail_t)
')
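Review bot: sendmail_manage_log(fetchmail_t) lets fetchmail create, write and delete sendmail's log files, which is wider than the append access a retrieval client normally needs and is not explained in the hunk. If fetchmail only needs to write to the shared mail log, an append-only interface is the narrower choice; if full manage is genuinely required, a comment such as `# fetchmail logs under the sendmail log type -- confirm why manage rather than append` would record the reason.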
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-03-05 13:32:40.000000000 +0100
@@ -26,7 +26,7 @@
##
##
## Allow ftp servers to use cifs
-## used for public file transfer services.
+## for public file transfer services.
##
##
gen_tunable(allow_ftpd_use_cifs, false)
@@ -34,7 +34,7 @@
##
##
## Allow ftp servers to use nfs
-## used for public file transfer services.
+## for public file transfer services.
##
##
gen_tunable(allow_ftpd_use_nfs, false)
@@ -46,6 +46,14 @@
##
gen_tunable(ftp_home_dir, false)
+##