diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/x_contexts serefpolicy-3.6.32/config/appconfig-mcs/x_contexts
--- nsaserefpolicy/config/appconfig-mcs/x_contexts 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/config/appconfig-mcs/x_contexts 2010-03-03 10:39:47.565861817 +0100
@@ -13,7 +13,7 @@
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
-client * system_u:object_r:remote_xclient_t:s0
+client * system_u:object_r:remote_t:s0
#
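Review bot: The new default remote-client type `remote_t` drops the `_xclient_t` suffix that the replaced `remote_xclient_t` carried and that every other object type in this file keeps (`*_xproperty_t`, `*_xselection_t`, `*_xevent_t`), so the line no longer reads as an X client label. Unless the xserver module already declares `remote_t` and cannot be renamed, a suffixed name such as `remote_xclient_t` keeps the file's naming consistent; the type declaration is not in this diff, so confirm which name the policy actually defines. The same line changes in config/appconfig-mls/x_contexts and config/appconfig-standard/x_contexts.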
@@ -27,25 +27,10 @@
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
-property XFree86_VT system_u:object_r:info_xproperty_t:s0
-property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t:s0
-property RESOURCE_MANAGER system_u:object_r:info_xproperty_t:s0
-property SCREEN_RESOURCES system_u:object_r:info_xproperty_t:s0
-property _MIT_PRIORITY_COLORS system_u:object_r:info_xproperty_t:s0
-property AT_SPI_IOR system_u:object_r:info_xproperty_t:s0
-property _SELINUX_CLIENT_CONTEXT system_u:object_r:info_xproperty_t:s0
-property _NET_WORKAREA system_u:object_r:info_xproperty_t:s0
-property _XKB_RULES_NAMES system_u:object_r:info_xproperty_t:s0
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
# Clipboard and selection properties
-property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
# Default fallback type
property * system_u:object_r:xproperty_t:s0
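Review bot: The heading `# Properties that normal clients may only read` no longer describes what sits under it: the only surviving rule is `_SELINUX_*` labelled `seclabel_xproperty_t`, while RESOURCE_MANAGER, SCREEN_RESOURCES, _XKB_RULES_NAMES and the other former `info_xproperty_t` entries now fall through to the `property *` default and lose whatever read-only treatment the policy gave that type. If collapsing them is intended, change the heading to match, e.g. `# Security-label properties`, and say in a comment that the remaining read-only properties now use the default type; otherwise keep the `info_xproperty_t` lines above the glob. Assuming fnmatch-style matching for these patterns, `CUT_BUFFER?` matches any single trailing character rather than only 0 through 7, which is harmless unless another CUT_BUFFER-prefixed name is expected. The same hunk appears in config/appconfig-mls/x_contexts and config/appconfig-standard/x_contexts.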
@@ -61,57 +46,11 @@
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
-# Standard extensions
-extension BIG-REQUESTS system_u:object_r:std_xext_t:s0
-extension SHAPE system_u:object_r:std_xext_t:s0
-extension SYNC system_u:object_r:std_xext_t:s0
-extension XC-MISC system_u:object_r:std_xext_t:s0
-extension XFIXES system_u:object_r:std_xext_t:s0
-extension XInputExtension system_u:object_r:std_xext_t:s0
-extension XKEYBOARD system_u:object_r:std_xext_t:s0
-extension DAMAGE system_u:object_r:std_xext_t:s0
-extension RENDER system_u:object_r:std_xext_t:s0
-extension XINERAMA system_u:object_r:std_xext_t:s0
-
-# Direct hardware access extensions
-extension XFree86-DGA system_u:object_r:directhw_xext_t:s0
-extension XFree86-VidModeExtension system_u:object_r:directhw_xext_t:s0
-
-# Screen management and multihead extensions
-extension RANDR system_u:object_r:output_xext_t:s0
-extension Composite system_u:object_r:output_xext_t:s0
-
-# Screensaver, power management extensions
-extension DPMS system_u:object_r:screensaver_xext_t:s0
-extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t:s0
-
-# Shared memory extensions
-extension MIT-SHM system_u:object_r:shmem_xext_t:s0
-extension XFree86-Bigfont system_u:object_r:shmem_xext_t:s0
-
-# Accelerated graphics, OpenGL, direct rendering extensions
-extension GLX system_u:object_r:accelgraphics_xext_t:s0
-extension NV-CONTROL system_u:object_r:accelgraphics_xext_t:s0
-extension NV-GLX system_u:object_r:accelgraphics_xext_t:s0
-extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t:s0
-
-# Debugging, testing, and recording extensions
-extension RECORD system_u:object_r:debug_xext_t:s0
-extension X-Resource system_u:object_r:debug_xext_t:s0
-extension XTEST system_u:object_r:debug_xext_t:s0
-
-# Security-related extensions
-extension SECURITY system_u:object_r:security_xext_t:s0
-extension SELinux system_u:object_r:security_xext_t:s0
-extension XAccessControlExtension system_u:object_r:security_xext_t:s0
-extension XC-APPGROUP system_u:object_r:security_xext_t:s0
-
-# Video extensions
-extension XVideo system_u:object_r:video_xext_t:s0
-extension XVideo-MotionCompensation system_u:object_r:video_xext_t:s0
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
-# Default fallback type
-extension * system_u:object_r:xext_t:s0
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
#
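Review bot: Collapsing every extension except SELinux onto `xextension_t` removes the separate labels the old file gave RECORD and XTEST (`debug_xext_t`) and XFree86-DGA (`directhw_xext_t`), so after this change a policy cannot refuse a client those extensions without also refusing RENDER or SHAPE. If that coarsening is deliberate it deserves a sentence in the file; if not, at least the debug and direct-hardware groups should keep their own types above the fallback. Separately, the new comment `# Standard extensions` now sits directly above the `extension *` rule that the old file labelled `# Default fallback type`; `# Default fallback type (all other extensions)` describes the line accurately. The same hunk appears in config/appconfig-mls/x_contexts and config/appconfig-standard/x_contexts.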
@@ -124,8 +63,6 @@
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
-selection XA_PRIMARY system_u:object_r:clipboard_xselection_t:s0
-selection XA_SECONDARY system_u:object_r:clipboard_xselection_t:s0
selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
@@ -149,7 +86,6 @@
event X11:ButtonPress system_u:object_r:input_xevent_t:s0
event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
event X11:MotionNotify system_u:object_r:input_xevent_t:s0
-event X11:SelectionNotify system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
@@ -159,36 +95,11 @@
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
-# Focus events
-event X11:FocusIn system_u:object_r:focus_xevent_t:s0
-event X11:FocusOut system_u:object_r:focus_xevent_t:s0
-event X11:EnterNotify system_u:object_r:focus_xevent_t:s0
-event X11:LeaveNotify system_u:object_r:focus_xevent_t:s0
-
-# Property events
-event X11:PropertyNotify system_u:object_r:property_xevent_t:s0
-
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t:s0
-
-# Manager events
-event X11:ConfigureRequest system_u:object_r:manage_xevent_t:s0
-event X11:ResizeRequest system_u:object_r:manage_xevent_t:s0
-event X11:MapRequest system_u:object_r:manage_xevent_t:s0
-event X11:CirculateRequest system_u:object_r:manage_xevent_t:s0
-event X11:CreateNotify system_u:object_r:manage_xevent_t:s0
-event X11:DestroyNotify system_u:object_r:manage_xevent_t:s0
-event X11:MapNotify system_u:object_r:manage_xevent_t:s0
-event X11:UnmapNotify system_u:object_r:manage_xevent_t:s0
-event X11:ReparentNotify system_u:object_r:manage_xevent_t:s0
-event X11:ConfigureNotify system_u:object_r:manage_xevent_t:s0
-event X11:GravityNotify system_u:object_r:manage_xevent_t:s0
-event X11:CirculateNotify system_u:object_r:manage_xevent_t:s0
-event X11:Expose system_u:object_r:manage_xevent_t:s0
-event X11:VisibilityNotify system_u:object_r:manage_xevent_t:s0
-
-# Unknown events (that are not registered in the X server's name database)
-event <unknown> system_u:object_r:unknown_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
# Default fallback type
event * system_u:object_r:xevent_t:s0
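Review bot: The `# Client message events` heading now also covers SelectionNotify, UnmapNotify and ConfigureNotify, which are not client messages; `# Events labelled client_xevent_t` or a separate heading for the three added lines would keep the comment truthful. With the `event <unknown>` rule removed, events absent from the server's name database now take the `xevent_t` fallback together with every focus, property and manager event whose rules this hunk deletes; if those groups are meant to be indistinguishable from now on, a comment next to `event *` saying so would save the next reader from assuming an omission. The same hunk appears in config/appconfig-mls/x_contexts and config/appconfig-standard/x_contexts.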
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/x_contexts serefpolicy-3.6.32/config/appconfig-mls/x_contexts
--- nsaserefpolicy/config/appconfig-mls/x_contexts 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/config/appconfig-mls/x_contexts 2010-03-03 10:39:47.576877249 +0100
@@ -13,7 +13,7 @@
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
-client * system_u:object_r:remote_xclient_t:s0
+client * system_u:object_r:remote_t:s0
#
@@ -27,25 +27,10 @@
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
-property XFree86_VT system_u:object_r:info_xproperty_t:s0
-property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t:s0
-property RESOURCE_MANAGER system_u:object_r:info_xproperty_t:s0
-property SCREEN_RESOURCES system_u:object_r:info_xproperty_t:s0
-property _MIT_PRIORITY_COLORS system_u:object_r:info_xproperty_t:s0
-property AT_SPI_IOR system_u:object_r:info_xproperty_t:s0
-property _SELINUX_CLIENT_CONTEXT system_u:object_r:info_xproperty_t:s0
-property _NET_WORKAREA system_u:object_r:info_xproperty_t:s0
-property _XKB_RULES_NAMES system_u:object_r:info_xproperty_t:s0
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
# Clipboard and selection properties
-property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t:s0
-property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
# Default fallback type
property * system_u:object_r:xproperty_t:s0
@@ -61,57 +46,11 @@
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
-# Standard extensions
-extension BIG-REQUESTS system_u:object_r:std_xext_t:s0
-extension SHAPE system_u:object_r:std_xext_t:s0
-extension SYNC system_u:object_r:std_xext_t:s0
-extension XC-MISC system_u:object_r:std_xext_t:s0
-extension XFIXES system_u:object_r:std_xext_t:s0
-extension XInputExtension system_u:object_r:std_xext_t:s0
-extension XKEYBOARD system_u:object_r:std_xext_t:s0
-extension DAMAGE system_u:object_r:std_xext_t:s0
-extension RENDER system_u:object_r:std_xext_t:s0
-extension XINERAMA system_u:object_r:std_xext_t:s0
-
-# Direct hardware access extensions
-extension XFree86-DGA system_u:object_r:directhw_xext_t:s0
-extension XFree86-VidModeExtension system_u:object_r:directhw_xext_t:s0
-
-# Screen management and multihead extensions
-extension RANDR system_u:object_r:output_xext_t:s0
-extension Composite system_u:object_r:output_xext_t:s0
-
-# Screensaver, power management extensions
-extension DPMS system_u:object_r:screensaver_xext_t:s0
-extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t:s0
-
-# Shared memory extensions
-extension MIT-SHM system_u:object_r:shmem_xext_t:s0
-extension XFree86-Bigfont system_u:object_r:shmem_xext_t:s0
-
-# Accelerated graphics, OpenGL, direct rendering extensions
-extension GLX system_u:object_r:accelgraphics_xext_t:s0
-extension NV-CONTROL system_u:object_r:accelgraphics_xext_t:s0
-extension NV-GLX system_u:object_r:accelgraphics_xext_t:s0
-extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t:s0
-
-# Debugging, testing, and recording extensions
-extension RECORD system_u:object_r:debug_xext_t:s0
-extension X-Resource system_u:object_r:debug_xext_t:s0
-extension XTEST system_u:object_r:debug_xext_t:s0
-
-# Security-related extensions
-extension SECURITY system_u:object_r:security_xext_t:s0
-extension SELinux system_u:object_r:security_xext_t:s0
-extension XAccessControlExtension system_u:object_r:security_xext_t:s0
-extension XC-APPGROUP system_u:object_r:security_xext_t:s0
-
-# Video extensions
-extension XVideo system_u:object_r:video_xext_t:s0
-extension XVideo-MotionCompensation system_u:object_r:video_xext_t:s0
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
-# Default fallback type
-extension * system_u:object_r:xext_t:s0
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
#
@@ -124,8 +63,6 @@
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
-selection XA_PRIMARY system_u:object_r:clipboard_xselection_t:s0
-selection XA_SECONDARY system_u:object_r:clipboard_xselection_t:s0
selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
@@ -149,7 +86,6 @@
event X11:ButtonPress system_u:object_r:input_xevent_t:s0
event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
event X11:MotionNotify system_u:object_r:input_xevent_t:s0
-event X11:SelectionNotify system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
@@ -159,36 +95,11 @@
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
-# Focus events
-event X11:FocusIn system_u:object_r:focus_xevent_t:s0
-event X11:FocusOut system_u:object_r:focus_xevent_t:s0
-event X11:EnterNotify system_u:object_r:focus_xevent_t:s0
-event X11:LeaveNotify system_u:object_r:focus_xevent_t:s0
-
-# Property events
-event X11:PropertyNotify system_u:object_r:property_xevent_t:s0
-
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t:s0
-
-# Manager events
-event X11:ConfigureRequest system_u:object_r:manage_xevent_t:s0
-event X11:ResizeRequest system_u:object_r:manage_xevent_t:s0
-event X11:MapRequest system_u:object_r:manage_xevent_t:s0
-event X11:CirculateRequest system_u:object_r:manage_xevent_t:s0
-event X11:CreateNotify system_u:object_r:manage_xevent_t:s0
-event X11:DestroyNotify system_u:object_r:manage_xevent_t:s0
-event X11:MapNotify system_u:object_r:manage_xevent_t:s0
-event X11:UnmapNotify system_u:object_r:manage_xevent_t:s0
-event X11:ReparentNotify system_u:object_r:manage_xevent_t:s0
-event X11:ConfigureNotify system_u:object_r:manage_xevent_t:s0
-event X11:GravityNotify system_u:object_r:manage_xevent_t:s0
-event X11:CirculateNotify system_u:object_r:manage_xevent_t:s0
-event X11:Expose system_u:object_r:manage_xevent_t:s0
-event X11:VisibilityNotify system_u:object_r:manage_xevent_t:s0
-
-# Unknown events (that are not registered in the X server's name database)
-event <unknown> system_u:object_r:unknown_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
# Default fallback type
event * system_u:object_r:xevent_t:s0
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/x_contexts serefpolicy-3.6.32/config/appconfig-standard/x_contexts
--- nsaserefpolicy/config/appconfig-standard/x_contexts 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/config/appconfig-standard/x_contexts 2010-03-03 10:39:47.579611725 +0100
@@ -13,7 +13,7 @@
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
-client * system_u:object_r:remote_xclient_t
+client * system_u:object_r:remote_t
#
@@ -27,25 +27,10 @@
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
-property XFree86_VT system_u:object_r:info_xproperty_t
-property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t
-property RESOURCE_MANAGER system_u:object_r:info_xproperty_t
-property SCREEN_RESOURCES system_u:object_r:info_xproperty_t
-property _MIT_PRIORITY_COLORS system_u:object_r:info_xproperty_t
-property AT_SPI_IOR system_u:object_r:info_xproperty_t
-property _SELINUX_CLIENT_CONTEXT system_u:object_r:info_xproperty_t
-property _NET_WORKAREA system_u:object_r:info_xproperty_t
-property _XKB_RULES_NAMES system_u:object_r:info_xproperty_t
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t
# Clipboard and selection properties
-property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t
-property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
# Default fallback type
property * system_u:object_r:xproperty_t
@@ -61,57 +46,11 @@
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
-# Standard extensions
-extension BIG-REQUESTS system_u:object_r:std_xext_t
-extension SHAPE system_u:object_r:std_xext_t
-extension SYNC system_u:object_r:std_xext_t
-extension XC-MISC system_u:object_r:std_xext_t
-extension XFIXES system_u:object_r:std_xext_t
-extension XInputExtension system_u:object_r:std_xext_t
-extension XKEYBOARD system_u:object_r:std_xext_t
-extension DAMAGE system_u:object_r:std_xext_t
-extension RENDER system_u:object_r:std_xext_t
-extension XINERAMA system_u:object_r:std_xext_t
-
-# Direct hardware access extensions
-extension XFree86-DGA system_u:object_r:directhw_xext_t
-extension XFree86-VidModeExtension system_u:object_r:directhw_xext_t
-
-# Screen management and multihead extensions
-extension RANDR system_u:object_r:output_xext_t
-extension Composite system_u:object_r:output_xext_t
-
-# Screensaver, power management extensions
-extension DPMS system_u:object_r:screensaver_xext_t
-extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t
-
-# Shared memory extensions
-extension MIT-SHM system_u:object_r:shmem_xext_t
-extension XFree86-Bigfont system_u:object_r:shmem_xext_t
-
-# Accelerated graphics, OpenGL, direct rendering extensions
-extension GLX system_u:object_r:accelgraphics_xext_t
-extension NV-CONTROL system_u:object_r:accelgraphics_xext_t
-extension NV-GLX system_u:object_r:accelgraphics_xext_t
-extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t
-
-# Debugging, testing, and recording extensions
-extension RECORD system_u:object_r:debug_xext_t
-extension X-Resource system_u:object_r:debug_xext_t
-extension XTEST system_u:object_r:debug_xext_t
-
-# Security-related extensions
-extension SECURITY system_u:object_r:security_xext_t
-extension SELinux system_u:object_r:security_xext_t
-extension XAccessControlExtension system_u:object_r:security_xext_t
-extension XC-APPGROUP system_u:object_r:security_xext_t
-
-# Video extensions
-extension XVideo system_u:object_r:video_xext_t
-extension XVideo-MotionCompensation system_u:object_r:video_xext_t
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t
-# Default fallback type
-extension * system_u:object_r:xext_t
+# Standard extensions
+extension * system_u:object_r:xextension_t
#
@@ -124,8 +63,6 @@
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
-selection XA_PRIMARY system_u:object_r:clipboard_xselection_t
-selection XA_SECONDARY system_u:object_r:clipboard_xselection_t
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t
@@ -149,7 +86,6 @@
event X11:ButtonPress system_u:object_r:input_xevent_t
event X11:ButtonRelease system_u:object_r:input_xevent_t
event X11:MotionNotify system_u:object_r:input_xevent_t
-event X11:SelectionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
@@ -159,36 +95,11 @@
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
-# Focus events
-event X11:FocusIn system_u:object_r:focus_xevent_t
-event X11:FocusOut system_u:object_r:focus_xevent_t
-event X11:EnterNotify system_u:object_r:focus_xevent_t
-event X11:LeaveNotify system_u:object_r:focus_xevent_t
-
-# Property events
-event X11:PropertyNotify system_u:object_r:property_xevent_t
-
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t
-
-# Manager events
-event X11:ConfigureRequest system_u:object_r:manage_xevent_t
-event X11:ResizeRequest system_u:object_r:manage_xevent_t
-event X11:MapRequest system_u:object_r:manage_xevent_t
-event X11:CirculateRequest system_u:object_r:manage_xevent_t
-event X11:CreateNotify system_u:object_r:manage_xevent_t
-event X11:DestroyNotify system_u:object_r:manage_xevent_t
-event X11:MapNotify system_u:object_r:manage_xevent_t
-event X11:UnmapNotify system_u:object_r:manage_xevent_t
-event X11:ReparentNotify system_u:object_r:manage_xevent_t
-event X11:ConfigureNotify system_u:object_r:manage_xevent_t
-event X11:GravityNotify system_u:object_r:manage_xevent_t
-event X11:CirculateNotify system_u:object_r:manage_xevent_t
-event X11:Expose system_u:object_r:manage_xevent_t
-event X11:VisibilityNotify system_u:object_r:manage_xevent_t
-
-# Unknown events (that are not registered in the X server's name database)
-event <unknown> system_u:object_r:unknown_xevent_t
+event X11:SelectionNotify system_u:object_r:client_xevent_t
+event X11:UnmapNotify system_u:object_r:client_xevent_t
+event X11:ConfigureNotify system_u:object_r:client_xevent_t
# Default fallback type
event * system_u:object_r:xevent_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.32/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2010-01-18 18:24:22.532789358 +0100
+++ serefpolicy-3.6.32/policy/flask/access_vectors 2010-03-03 10:39:47.581611826 +0100
@@ -94,6 +94,33 @@
}
#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
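Review bot: The comment `# Define a common prefix for pointer and keyboard access vectors.` is misleading: the block is a shared permission set, not a prefix, and later in this patch it is inherited by `class x_device` as well as the two new classes. `# Common permissions shared by the x_device, x_pointer and x_keyboard classes.` states what the block is for and where it is used.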
@@ -526,27 +553,7 @@
}
class x_device
-{
- getattr
- setattr
- use
- read
- write
- getfocus
- setfocus
- bell
- force_cursor
- freeze
- grab
- manage
- list_property
- get_property
- set_property
- add
- remove
- create
- destroy
-}
+inherits x_device
class x_server
{
@@ -803,3 +810,9 @@
class tun_socket
inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-3.6.32/policy/flask/security_classes
--- nsaserefpolicy/policy/flask/security_classes 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/flask/security_classes 2010-03-03 10:39:47.582624099 +0100
@@ -121,4 +121,8 @@
class tun_socket
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
# FLASK
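Review bot: `# Still More SE-X Windows stuff` tells a reader nothing about the two classes it introduces; `# X Windows input device classes (userspace, enforced by the X server)` names the group and repeats the per-line `# userspace` marker in prose. The class list order here relative to `access_vectors` is not checked by this diff, so confirm both files agree after the addition.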
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.32/policy/mcs
--- nsaserefpolicy/policy/mcs 2010-01-18 18:24:22.535791555 +0100
+++ serefpolicy-3.6.32/policy/mcs 2010-04-22 18:07:54.688859476 +0200
@@ -64,30 +64,33 @@
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
-# Note that getattr on files is always permitted.
-#
-mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
- (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
+# Note:
+# - getattr on dirs/files is not constrained.
+# - /proc/pid operations are not constrained.
+
+mlsconstrain file { read ioctl lock execute execute_no_trans }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain file { write setattr append unlink link rename }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
-
-# At this time we do not restrict "ps" type operations via MCS. This
-# will probably change in future.
-mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+ (( h1 dom h2 ) and ( l2 eq h2 ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- (( h1 dom h2 ) or ( t1 == mlsfilewrite ));
+ ( h1 dom h2 );
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite ));
+ (( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
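Review bot: `relabelfrom` on `file` is no longer MCS-constrained: the removed `mlsconstrain { file chr_file blk_file lnk_file } { write ... relabelfrom }` covered it, but the new write set `mlsconstrain file { write setattr append unlink link rename }` omits it and the new relabelfrom rule lists `{ dir lnk_file chr_file blk_file sock_file fifo_file }` without `file`. Unless that is deliberate, add `mlsconstrain file { relabelfrom } ( h1 dom h2 );` beside the other relabelfrom rule. The same removal also leaves write, setattr, append, unlink, link and rename on `chr_file`, `blk_file` and `lnk_file` uncovered by any new rule, and `rmdir` and `reparent` drop out of the `dir` set; each of these should either be re-added or called out in the `# Note:` block as intentionally unconstrained. `mcsreadall` and `mcswriteall` replace `mlsfileread`/`mlsfilewrite` but their declarations are not in this diff, so confirm they exist in the MCS build.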
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.32/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-01-18 18:24:22.536797130 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/alsa.te 2010-03-30 09:07:39.038611245 +0200
@@ -52,6 +52,8 @@
files_read_usr_files(alsa_t)
term_use_console(alsa_t)
+term_dontaudit_use_generic_ptys(alsa_t)
+term_dontaudit_use_all_ptys(alsa_t)
auth_use_nsswitch(alsa_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.6.32/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/admin/consoletype.if 2010-02-21 19:47:22.082308968 +0100
@@ -19,6 +19,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit consoletype_t $1:socket_class_set { read write };
+ ')
')
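Review bot: The dontaudit added under `hide_broken_symptoms` carries no pointer to the symptom it hides, unlike the logwatch.te hunk in this same patch that cites a bug number. A comment such as `# presumably socket fds leaked from the caller; see BUG-ID-PLACEHOLDER` (with the real reference substituted) lets a later maintainer decide when the rule can go. The enclosing interface starts before this hunk.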
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2010-01-18 18:24:22.545542516 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2010-02-03 20:56:22.897834567 +0100
@@ -1,4 +1,3 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-01-18 18:24:22.549542536 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-03-23 12:54:39.594390458 +0100
@@ -108,6 +108,7 @@
init_domtrans_script(logrotate_t)
logging_manage_all_logs(logrotate_t)
+logging_send_audit_msgs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
@@ -155,9 +156,7 @@
')
optional_policy(`
- asterisk_exec(logrotate_t)
- asterisk_stream_connect(logrotate_t)
- asterisk_manage_lib_files(logrotate_t)
+ asterisk_domtrans(logrotate_t)
')
optional_policy(`
@@ -215,5 +214,13 @@
')
optional_policy(`
+ sssd_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ su_exec(logrotate_t)
+')
+
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
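Review bot: `su_exec(logrotate_t)` runs su inside the logrotate domain without a transition, and nothing in the hunk says which rotated service's postrotate script needs it; this file already records such questions inline (`# cjp: why is this needed?` a few lines above the first hunk). A one-line comment above that optional_policy block naming the package or script that calls su would document the grant and make it removable later. The same goes for `sssd_domtrans(logrotate_t)` in this hunk.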
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-01-18 18:24:22.550542523 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2010-02-17 16:16:54.606863741 +0100
@@ -103,6 +103,11 @@
mta_send_mail(logwatch_t)
+ifdef(`hide_broken_symptoms',`
+ #Bugzilla 554754
+ files_dontaudit_write_etc_dirs(logwatch_t)
+')
+
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
files_getattr_all_file_type_fs(logwatch_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc
--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc 2010-02-03 17:54:52.841394806 +0100
@@ -0,0 +1,2 @@
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.6.32/policy/modules/admin/mcelog.if
--- nsaserefpolicy/policy/modules/admin/mcelog.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/mcelog.if 2010-02-03 17:55:31.442144688 +0100
@@ -0,0 +1,20 @@
+
+## <summary>policy for mcelog</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run mcelog.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mcelog_domtrans',`
+ gen_require(`
+ type mcelog_t, mcelog_exec_t;
+ ')
+
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-04-16 09:32:17.185614930 +0200
@@ -0,0 +1,33 @@
+
+policy_module(mcelog,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcelog_t;
+type mcelog_exec_t;
+application_domain(mcelog_t, mcelog_exec_t)
+cron_system_entry(mcelog_t, mcelog_exec_t)
+
+permissive mcelog_t;
+
+########################################
+#
+# mcelog local policy
+#
+allow mcelog_t self:capability sys_admin;
+
+kernel_read_system_state(mcelog_t)
+
+dev_read_raw_memory(mcelog_t)
+dev_read_kmsg(mcelog_t)
+
+files_read_etc_files(mcelog_t)
+
+mls_file_read_all_levels(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
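Review bot: `permissive mcelog_t;` is declared without a comment, and the same domain is given `allow mcelog_t self:capability sys_admin;` and `dev_read_raw_memory(mcelog_t)`; while permissive, every denial for that domain is only logged, never enforced. Put the condition for removing it on the line, e.g. `# permissive while the policy is being completed from AVC denials; remove once the domain is stable`, and add a short why-comment to the `sys_admin` grant and to `mls_file_read_all_levels(mcelog_t)`. The three new files in this patch (mcelog.fc, mcelog.if, mcelog.te) each begin with an empty line; drop it if the rest of the tree does not start files that way.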
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.6.32/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/admin/netutils.fc 2010-02-21 19:56:24.909309647 +0100
@@ -10,5 +11,6 @@
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-03-01 13:34:16.025492348 +0100
@@ -132,6 +132,8 @@
kernel_read_system_state(ping_t)
+term_use_all_terms(ping_t)
+
auth_use_nsswitch(ping_t)
logging_send_syslog_msg(ping_t)
@@ -158,6 +160,10 @@
')
optional_policy(`
+ nagios_rw_inerited_tmp_files(ping_t)
+')
+
+optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
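Review bot: `nagios_rw_inerited_tmp_files(ping_t)` misspells the interface name (`inerited` for `inherited`); the module only builds if nagios.if defines the name with the same misspelling, which is not visible here. Either fix the call to `nagios_rw_inherited_tmp_files(ping_t)` together with its definition, or confirm the misspelled definition exists before merging, since an undefined interface is a build-time failure for the whole policy.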
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-03-26 07:56:32.448610343 +0100
@@ -108,6 +108,7 @@
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
userdom_manage_user_home_content(prelink_t)
optional_policy(`
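Review bot: `userdom_execmod_user_home_files(prelink_t)` lets prelink_t execmod (map with text relocations) arbitrary user home content, which is exactly the memory-protection check the policy otherwise enforces on user-owned files. It is not obvious from the hunk why an execmod permission rather than the write/relabel access prelink already has via `userdom_manage_user_home_content` is required; a comment quoting the denial that motivated it, or a dontaudit if the access is not functionally needed, would make the widening reviewable. The prelink_t rule block continues outside the hunk.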
@@ -156,6 +157,8 @@
files_search_var_lib(prelink_cron_system_t)
files_search_var_log(prelink_cron_system_t)
+files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+
init_chat(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.6.32/policy/modules/admin/quota.te
--- nsaserefpolicy/policy/modules/admin/quota.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/admin/quota.te 2010-02-11 17:52:39.497458571 +0100
@@ -39,6 +39,7 @@
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
+kernel_setsched(quota_t)
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2010-01-18 18:24:22.565530533 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2010-03-23 13:15:01.443641158 +0100
@@ -62,12 +62,15 @@
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
+fs_read_cgroup_files(readahead_t)
+fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
mls_file_read_all_levels(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-05-05 14:53:13.095879968 +0200
@@ -14,12 +14,14 @@
gen_require(`
type rpm_t, rpm_exec_t;
type debuginfo_exec_t;
+ attribute rpm_transition_domain;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+ typeattribute $1 rpm_transition_domain;
')
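Review bot: The added `typeattribute $1 rpm_transition_domain;` gives rpm_domtrans a side effect beyond the domain transition: every caller becomes a target of the new `rpm_inherited_fifo` interface, i.e. some other domain may be granted read/write on the caller's inherited pipes. The interface summary, which sits above this hunk, should say so, e.g. `## Also marks the caller as an rpm_transition_domain so rpm-spawned helpers may use its inherited pipes.` Callers that only want the transition have no way to opt out, which is worth stating in the docs.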
########################################
@@ -189,22 +191,23 @@
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
- dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
- dontaudit $1 rpm_t:tcp_socket rw_socket_perms;
- dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms;
+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 rpm_t:tcp_socket { read write };
+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
dontaudit $1 rpm_t:shm rw_shm_perms;
dontaudit $1 rpm_script_t:fd use;
- dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
- dontaudit $1 rpm_var_run_t:file write_file_perms;
+ dontaudit $1 rpm_var_run_t:file write;
- dontaudit $1 rpm_tmp_t:file rw_file_perms;
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
- dontaudit $1 rpm_tmpfs_t:file write_file_perms;
- dontaudit $1 rpm_script_tmp_t:file write_file_perms;
- dontaudit $1 rpm_var_lib_t:file { read write };
- dontaudit $1 rpm_var_cache_t:file { read write };
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
')
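Review bot: `dontaudit $1 rpm_var_run_t:file write;` is now redundant with `dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;` added a few lines later in the same interface, since rw_inherited_file_perms already includes write. Drop the single-permission line so there is one rule per type. The rest of the tightening from rw_file_perms to rw_inherited_file_perms correctly limits the dontaudit to descriptors passed in rather than files the domain opens itself.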
########################################
@@ -273,6 +276,26 @@
#####################################
## <summary>
## Allow the specified domain to append
+## to rpm tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_append_tmp',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+#####################################
+## <summary>
+## Allow the specified domain to append
## to rpm log files.
## </summary>
## <param name="domain">
@@ -599,8 +622,10 @@
interface(`rpm_transition_script',`
gen_require(`
type rpm_script_t;
+ attribute rpm_transition_domain;
')
+ typeattribute $1 rpm_transition_domain;
allow $1 rpm_script_t:process transition;
allow $1 rpm_script_t:fd use;
@@ -627,3 +652,20 @@
allow $1 rpm_t:process signull;
')
+########################################
+## <summary>
+## Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_inherited_fifo',`
+ gen_require(`
+ attribute rpm_transition_domain;
+ ')
+
+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+')
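Review bot: The summary for `rpm_inherited_fifo` reads `Send a null signal to rpm.`, copied from the signull interface above it, while the rule actually grants rw_inherited_fifo_file_perms on fifo_files of every domain carrying rpm_transition_domain. Replace it with `## Read and write inherited pipes of domains that transition to rpm.` and spell out in the summary that the target is the set of rpm_domtrans/rpm_transition_script callers rather than rpm_t itself, since that is a wider audience than the interface name suggests.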
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-01-18 18:24:22.568530565 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2010-02-26 16:50:05.472606689 +0100
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
+attribute rpm_transition_domain;
+
########################################
#
# Declarations
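Review bot: `attribute rpm_transition_domain;` is declared above the `# Declarations` banner rather than under it, unlike the rest of the module's declarations; move it below the banner to match the module layout. A short purpose comment such as `# domains permitted to transition into rpm_t or rpm_script_t` would also help, since the attribute is referenced from several interfaces in rpm.if.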
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.32/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-01-18 18:24:22.571542610 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2010-04-13 14:13:03.163602020 +0200
@@ -90,6 +90,10 @@
userdom_dontaudit_list_admin_dir(shorewall_t)
optional_policy(`
+ hostname_exec(shorewall_t)
+')
+
+optional_policy(`
iptables_domtrans(shorewall_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.6.32/policy/modules/admin/shutdown.fc
--- nsaserefpolicy/policy/modules/admin/shutdown.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/shutdown.fc 2010-03-11 21:20:40.173442296 +0100
@@ -0,0 +1,5 @@
+/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
+
+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
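Review bot: Labelling `/etc/nologin` as shutdown_etc_t changes who can read it: login programs that honour it through pam_nologin previously read it as etc_t, and this module adds no `shutdown_read_etc_files`-style interface for them. Unless those domains already read every file carrying the configfile attribute that `files_config_file` assigns, the read will be denied and the nologin check will behave differently depending on how the PAM module treats an unreadable file. Either add a read interface and call it from the login domains, or confirm the configfile attribute covers them before relying on this label.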
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.6.32/policy/modules/admin/shutdown.if
--- nsaserefpolicy/policy/modules/admin/shutdown.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/shutdown.if 2010-03-11 21:27:17.562510150 +0100
@@ -0,0 +1,100 @@
+
+## <summary>policy for shutdown</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shutdown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shutdown_domtrans',`
+ gen_require(`
+ type shutdown_t, shutdown_exec_t;
+ ')
+
+ domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit shutdown_t $1:socket_class_set { read write };
+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
+ ')
+')
+
+
+########################################
+## <summary>
+## Execute shutdown in the shutdown domain, and
+## allow the specified role the shutdown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the shutdown domain.
+## </summary>
+## </param>
+#
+interface(`shutdown_run',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ shutdown_domtrans($1)
+ role $2 types shutdown_t;
+')
+
+########################################
+## <summary>
+## Role access for shutdown
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`shutdown_role',`
+ gen_require(`
+ type shutdown_t;
+ ')
+
+ role $1 types shutdown_t;
+
+ shutdown_domtrans($2)
+
+ ps_process_pattern($2, shutdown_t)
+ allow $2 shutdown_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## shutdown over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shutdown_dbus_chat',`
+ gen_require(`
+ type shutdown_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 shutdown_t:dbus send_msg;
+ allow shutdown_t $1:dbus send_msg;
+')
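Review bot: `shutdown_role` duplicates what `shutdown_run` already does (`role $1 types shutdown_t;` followed by `shutdown_domtrans($2)`) instead of calling it; writing its body as `shutdown_run($2, $1)` followed by the ps_process_pattern and signal rules keeps the two in sync if the run interface changes. The double blank line after `shutdown_domtrans` is also out of step with the single-blank-line spacing used elsewhere in the file.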
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.6.32/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/shutdown.te 2010-03-18 13:34:32.775764351 +0100
@@ -0,0 +1,57 @@
+policy_module(shutdown,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shutdown_t;
+type shutdown_exec_t;
+application_domain(shutdown_t, shutdown_exec_t)
+role system_r types shutdown_t;
+
+type shutdown_etc_t;
+files_config_file(shutdown_etc_t)
+
+type shutdown_var_run_t;
+files_pid_file(shutdown_var_run_t)
+
+permissive shutdown_t;
+
+########################################
+#
+# shutdown local policy
+#
+
+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
+allow shutdown_t self:process { fork signal };
+
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
+files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+
+manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
+files_read_etc_files(shutdown_t)
+files_read_generic_pids(shutdown_t)
+
+term_use_all_terms(shutdown_t)
+
+auth_use_nsswitch(shutdown_t)
+auth_write_login_records(shutdown_t)
+
+init_dontaudit_write_utmp(shutdown_t)
+init_read_utmp(shutdown_t)
+init_telinit(shutdown_t)
+
+logging_send_audit_msgs(shutdown_t)
+
+miscfiles_read_localization(shutdown_t)
+
+optional_policy(`
+ dbus_system_bus_client(shutdown_t)
+ dbus_connect_system_bus(shutdown_t)
+')
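Review bot: `permissive shutdown_t;` ships the new domain unenforced, so the capability set `{ dac_override kill setuid sys_tty_config }` and the rules beneath it have not been validated by real denials; add a `# TODO: remove permissive after testing` marker so the removal is tracked. If shutdown signals processes outside its own domain, the `kill` capability here is paired only with `self:process { fork signal }`, and the missing cross-domain signal rules will only surface once permissive is dropped. `manage_files_pattern` on shutdown_etc_t together with `files_etc_filetrans` means any file shutdown_t creates under /etc gets shutdown_etc_t, not only /etc/nologin; a comment stating that this is intended would help the next reader.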
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100
@@ -48,6 +48,8 @@
files_read_etc_files(smoltclient_t)
files_read_usr_files(smoltclient_t)
+logging_send_syslog_msg(smoltclient_t)
+
miscfiles_read_localization(smoltclient_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.32/policy/modules/admin/tzdata.te
--- nsaserefpolicy/policy/modules/admin/tzdata.te 2010-01-18 18:24:22.575546401 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/tzdata.te 2010-04-08 10:43:55.344115415 +0200
@@ -18,6 +18,7 @@
files_read_etc_files(tzdata_t)
files_search_spool(tzdata_t)
+files_dontaudit_rw_tmp_files(tzdata_t)
fs_getattr_xattr_fs(tzdata_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-03-04 16:57:21.397534068 +0100
@@ -122,6 +122,10 @@
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
+optional_policy(`
+ nx_exec_server(chfn_t)
+')
+
########################################
#
# Crack local policy
@@ -252,7 +256,7 @@
# Passwd local policy
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
@@ -427,7 +431,7 @@
# Useradd local policy
#
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
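Review bot: Adding `sys_ptrace` to useradd_t's allowed capabilities is a notable widening for an account-management tool, since CAP_SYS_PTRACE bypasses the ptrace access checks and lets the domain read other processes' /proc state. The next line still denies the `ptrace` process permission, so the capability is presumably satisfying a /proc read (for example scanning for processes owned by the account being changed) rather than an attach; if that access is non-fatal, `dontaudit useradd_t self:capability sys_ptrace;` alongside the existing `sys_tty_config` dontaudit is the safer fix. Whichever is kept should carry a comment naming the triggering operation.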
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.32/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-01-18 18:24:22.585539991 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/vbetool.te 2010-02-25 10:44:22.592616500 +0100
@@ -6,6 +6,15 @@
# Declarations
#
+## <desc>
+## <p>
+## Ignore vbetool mmap_zero errors
+## </p>
+## </desc>
+#
+gen_tunable(vbetool_mmap_zero_ignore, false)
+
+
type vbetool_t;
type vbetool_exec_t;
init_system_domain(vbetool_t, vbetool_exec_t)
@@ -34,6 +43,10 @@
miscfiles_read_localization(vbetool_t)
+tunable_policy(`vbetool_mmap_zero_ignore',`
+ dontaudit vbetool_t self:memprotect mmap_zero;
+')
+
optional_policy(`
hal_rw_pid_files(vbetool_t)
hal_write_log(vbetool_t)
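Review bot: The `vbetool_mmap_zero_ignore` tunable only adds `dontaudit vbetool_t self:memprotect mmap_zero;`, so enabling it silences the audit record but the low-address mapping is still denied and vbetool keeps failing, just quietly. The tunable description declared above should state this, e.g. `## Suppress audit messages for vbetool mmap_zero denials; the mapping remains denied.`, otherwise administrators will flip it expecting vbetool to start working. Keeping this a dontaudit rather than an allow is the right choice given the role of low-address mappings in NULL-dereference exploitation.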
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.6.32/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/admin/vpn.if 2010-05-21 14:13:45.300140025 +0200
@@ -119,3 +119,21 @@
allow $1 vpnc_t:dbus send_msg;
allow vpnc_t $1:dbus send_msg;
')
+
+#######################################
+## <summary>
+## Relabelfrom from vpnc socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vpn_relabelfrom_tun_socket',`
+ gen_require(`
+ type vpnc_t;
+ ')
+
+ allow $1 vpnc_t:tun_socket relabelfrom;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.32/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-01-18 18:24:22.585539991 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/vpn.te 2010-03-09 17:28:45.666384350 +0100
@@ -31,7 +31,7 @@
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t self:tun_socket create;
+allow vpnc_t self:tun_socket create_socket_perms;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
@@ -117,3 +117,8 @@
networkmanager_dbus_chat(vpnc_t)
')
')
+
+optional_policy(`
+ networkmanager_attach_tun_iface(vpnc_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te
--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te 2010-02-09 09:59:13.342615577 +0100
@@ -32,6 +32,8 @@
allow cdrecord_t self:unix_dgram_socket create_socket_perms;
allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+corecmd_exec_bin(cdrecord_t)
+
# allow searching for cdrom-drive
dev_list_all_dev_nodes(cdrecord_t)
dev_read_sysfs(cdrecord_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.6.32/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 2010-01-18 18:24:22.587539966 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/chrome.fc 2010-04-07 10:02:28.578626587 +0200
@@ -1,2 +1,4 @@
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 2010-01-18 18:24:22.587539966 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2010-03-18 13:26:17.264514490 +0100
@@ -18,8 +18,11 @@
domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
ps_process_pattern(chrome_sandbox_t, $1)
-')
+ ifdef(`hide_broken_symptoms', `
+ dontaudit chrome_sandbox_t $1:socket_class_set { read write };
+ ')
+')
########################################
## <summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-04-13 15:01:31.593601647 +0200
@@ -23,8 +23,7 @@
#
# chrome_sandbox local policy
#
-allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };
-dontaudit chrome_sandbox_t self:capability { sys_ptrace };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
allow chrome_sandbox_t self:fifo_file manage_file_perms;
allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
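Review bot: `sys_ptrace` moves from a dontaudit to an allow in `allow chrome_sandbox_t self:capability { ... sys_ptrace }`, which lets the setuid sandbox helper bypass ptrace access checks on arbitrary processes rather than merely hiding a harmless denial. Unless a concrete breakage was traced to this capability, keep the previous `dontaudit chrome_sandbox_t self:capability sys_ptrace;` and document the need if it turns out to be real. The same line also re-sorts the capability list alphabetically, which is fine but makes this semantic change easy to miss in the diff.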
@@ -45,9 +44,14 @@
domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
dev_read_urand(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
files_read_etc_files(chrome_sandbox_t)
+files_read_usr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
userdom_rw_user_tmpfs_files(chrome_sandbox_t)
userdom_use_user_ptys(chrome_sandbox_t)
@@ -59,15 +63,17 @@
miscfiles_read_fonts(chrome_sandbox_t)
optional_policy(`
- gnome_write_inherited_config(chrome_sandbox_t)
+ execmem_exec(chrome_sandbox_t)
')
optional_policy(`
- execmem_exec(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_list_home_config(chrome_sandbox_t)
')
optional_policy(`
- xserver_read_home_fonts(chrome_sandbox_t)
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
')
tunable_policy(`use_nfs_home_dirs',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-11 22:17:04.177894107 +0100
@@ -74,7 +74,15 @@
')
optional_policy(`
- xserver_common_app($1_execmem_t)
+ nsplugin_rw_shm($1_execmem_t)
+ nsplugin_rw_semaphores($1_execmem_t)
+ ')
+
+ optional_policy(`
+ mozilla_exec_domtrans($3, $1_execmem_t)
+ ')
+
+ optional_policy(`
xserver_role($2, $1_execmem_t)
')
')
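Review bot: `mozilla_exec_domtrans($3, $1_execmem_t)` introduces a reference to a third template argument, `$3`, while the visible lines of this body only use `$1` and `$2`; if the template's signature and parameter docs above this hunk do not already declare a third parameter, existing callers expand this to an empty source domain and the build fails or yields a malformed rule. Confirm the template documents the user domain as `$3` and that every caller passes it. The template header is outside the hunk.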
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-21 23:44:58.357559518 +0100
@@ -53,12 +53,18 @@
nscd_dontaudit_search_pid(firewallgui_t)
nscd_socket_use(firewallgui_t)
+logging_send_syslog_msg(firewallgui_t)
+
miscfiles_read_localization(firewallgui_t)
iptables_domtrans(firewallgui_t)
iptables_initrc_domtrans(firewallgui_t)
optional_policy(`
+ gnome_read_gconf_home_files(firewallgui_t)
+')
+
+optional_policy(`
policykit_dbus_chat(firewallgui_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-02-03 10:39:06.085145272 +0100
@@ -3,6 +3,15 @@
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+
+/root/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.Xdefaults -- gen_context(system_u:object_r:gnome_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-03-18 14:18:03.800514373 +0100
@@ -72,6 +72,24 @@
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
+#######################################
+## <summary>
+## Dontaudit search gnome homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_search_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
+')
+
########################################
## <summary>
## manage gnome homedir content (.config)
@@ -84,12 +102,12 @@
#
interface(`gnome_manage_config',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- allow $1 gnome_home_t:dir manage_dir_perms;
- allow $1 gnome_home_t:file manage_file_perms;
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms;
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
userdom_search_user_home_dirs($1)
')
@@ -129,17 +147,17 @@
#
template(`gnome_read_config',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')
########################################
## <summary>
-## read gconf config files
+## Read gconf config files
## </summary>
## <param name="userdomain_prefix">
## <summary>
@@ -219,6 +237,24 @@
read_files_pattern($1, gconf_home_t, gconf_home_t)
')
+#######################################
+## <summary>
+## Append gconf home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_append_gconf_home_files',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
########################################
## <summary>
## manage gconf home files
@@ -238,6 +274,24 @@
manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
+#######################################
+## <summary>
+## Read gnome homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_list_home_config',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ allow $1 gnome_home_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Connect to gnome over an unix stream socket.
@@ -255,11 +309,29 @@
#
interface(`gnome_stream_connect',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
# Connect to pulseaudit server
- stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+#######################################
+## <summary>
+## Read/Write all inherited gnome home config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
')
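Review bot: The new `gnome_rw_inherited_config` is rule-for-rule identical to the existing `gnome_write_inherited_config` below it (both `allow $1 gnome_home_type:file rw_inherited_file_perms;`), leaving two names for one permission set. Either have the older interface delegate with `gnome_rw_inherited_config($1)` and mark it deprecated via `refpolicywarn`, or drop the addition and keep the existing name; chrome.te in this patch switches to the new one, so pick one direction. The context comment `# Connect to pulseaudit server` in the same hunk also looks like a typo for pulseaudio.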
########################################
@@ -274,8 +346,9 @@
#
interface(`gnome_write_inherited_config',`
gen_require(`
- type gnome_home_t;
+ attribute gnome_home_type;
')
- allow $1 gnome_home_t:file rw_inherited_file_perms;
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-02-03 22:11:10.235822052 +0100
@@ -7,11 +7,12 @@
#
attribute gnomedomain;
+attribute gnome_home_type;
type gconf_etc_t;
files_config_file(gconf_etc_t)
-type gconf_home_t;
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,12 +32,15 @@
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
type gconfdefaultsm_t;
type gconfdefaultsm_exec_t;
dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-04-16 09:30:55.883864721 +0200
@@ -111,11 +111,7 @@
mta_write_config(gpg_t)
userdom_use_user_terminals(gpg_t)
-
-optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-')
+userdom_stream_connect(gpg_t)
########################################
#
@@ -156,6 +152,7 @@
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -185,6 +182,8 @@
# GPG agent local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
@@ -205,6 +204,7 @@
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
domain_use_interactive_fds(gpg_agent_t)
@@ -271,6 +271,6 @@
')
optional_policy(`
- xserver_common_app(gpg_pinentry_t)
+ xserver_stream_connect(gpg_pinentry_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2010-01-18 18:24:22.607530707 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2010-05-05 14:55:46.648641964 +0200
@@ -196,7 +196,6 @@
files_execmod_all_files($1_java_t)
optional_policy(`
- xserver_common_app($1_java_t)
xserver_role($1_r, $1_java_t)
')
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-01-18 18:24:22.608531393 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2010-05-05 14:55:01.693628197 +0200
@@ -131,7 +131,6 @@
')
optional_policy(`
- xserver_common_app(java_t)
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 2010-01-18 18:24:22.610530600 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2010-02-08 11:58:12.837586833 +0100
@@ -56,6 +56,10 @@
userdom_dontaudit_search_admin_dir(kdumpgui_t)
optional_policy(`
+ gnome_dontaudit_search_config(kdumpgui_t)
+')
+
+optional_policy(`
dev_rw_lvm_control(kdumpgui_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.32/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 2010-01-18 18:24:22.611539946 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/livecd.if 2010-03-30 08:54:31.398627128 +0200
@@ -46,7 +46,60 @@
role $2 types livecd_t;
seutil_run_setfiles_mac(livecd_t, $2)
- usermanage_run_passwd(livecd_t, $2)
- usermanage_run_chfn(livecd_t, $2)
+')
+
+########################################
+## <summary>
+## Dontaudit read/write to a livecd leaks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_dontaudit_leaks',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 livecd_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow read and write access to livecd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ allow $1 livecd_t:sem { unix_read unix_write associate read write };
')
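Review bot: `livecd_rw_semaphores` spells out the sem permissions by hand (`{ unix_read unix_write associate read write }`) while `nsplugin_rw_semaphores`, added in the same patch, uses the `rw_sem_perms` macro; unless dropping `getattr` (which the macro carries, if I recall the refpolicy perm sets correctly) is deliberate, `allow $1 livecd_t:sem rw_sem_perms;` keeps the two consistent. The `livecd_dontaudit_leaks` summary "Dontaudit read/write to a livecd leaks" reads awkwardly; `## Do not audit attempts to read or write leaked livecd unix datagram sockets.` says what the rule actually covers. The interface whose body the hunk's first lines close begins outside the hunk.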
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.32/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 2010-01-18 18:24:22.612541540 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/livecd.te 2010-03-30 08:54:31.406873151 +0200
@@ -10,19 +10,26 @@
application_domain(livecd_t, livecd_exec_t)
role system_r types livecd_t;
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
########################################
#
# livecd local policy
#
+allow livecd_t self:passwd { passwd chfn chsh };
dontaudit livecd_t self:capability2 mac_admin;
unconfined_domain_noaudit(livecd_t)
domain_ptrace_all_domains(livecd_t)
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
optional_policy(`
hal_dbus_chat(livecd_t)
')
seutil_domtrans_setfiles_mac(livecd_t)
-allow livecd_t self:passwd { passwd chfn chsh };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2010-01-18 18:24:22.615530188 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2010-04-22 18:24:07.182611127 +0200
@@ -113,6 +113,10 @@
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1_t $1_mono_t:socket_class_set { read write };
+ ')
+
optional_policy(`
xserver_role($1_r, $1_mono_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100
@@ -11,6 +11,7 @@
/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-01-18 18:24:22.624530355 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2010-03-11 22:16:08.809566699 +0100
@@ -210,3 +210,39 @@
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
+
+#######################################
+## <summary>
+## Execute mozilla_exec_t
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a mozilla_exec_t
+## in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`mozilla_exec_domtrans',`
+ gen_require(`
+ type mozilla_exec_t;
+ ')
+
+ allow $2 mozilla_exec_t:file entrypoint;
+ domtrans_pattern($1, mozilla_exec_t, $2)
+')
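Review bot: The `<desc>` of `mozilla_exec_domtrans` states that no interprocess communication is provided, but `domtrans_pattern($1, mozilla_exec_t, $2)` is the standard refpolicy pattern that, besides the transition, lets the new domain use the caller's file descriptors, read/write its inherited pipes and send it sigchld, so the description undersells what callers get. Either drop that paragraph or reword it, e.g. `## Only the fd/pipe/sigchld access that domtrans_pattern always provides is granted; no further IPC is added.` The explicit `allow $2 mozilla_exec_t:file entrypoint;` is needed because $2 is not declared by this module, which deserves a one-line comment above it.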
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 2010-01-18 18:24:22.626536127 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2010-01-21 18:31:18.271612626 +0100
@@ -1,6 +1,5 @@
HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
-HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 2010-01-18 18:24:22.627530248 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-03-15 11:21:13.428614633 +0100
@@ -130,8 +132,6 @@
optional_policy(`
pulseaudio_role($1, nsplugin_t)
')
-
- xserver_communicate(nsplugin_t, $2)
')
#######################################
@@ -169,7 +169,7 @@
domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
')
-#######################################
+######################################
## <summary>
## The per role template for the nsplugin module.
## </summary>
@@ -321,3 +322,39 @@
allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
')
+
+########################################
+## <summary>
+## Read and write to nsplugin shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_shm',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+## <summary>
+## Allow read and write access to nsplugin semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nsplugin_rw_semaphores',`
+ gen_require(`
+ type nsplugin_t;
+ ')
+
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
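Review bot: The parameter summary of `nsplugin_rw_shm` ("The type of the process performing this action.") differs from the wording every other new interface in this patch uses ("Domain allowed access."), and the `#` rule above `nsplugin_rw_semaphores` is shorter than the rest; both are cosmetic but show up in the generated interface docs. Suggest `## Domain allowed access.` and a rule of the same length as the others. The same short rule appears above the new header for `pulseaudio_stream_connect` in pulseaudio.if.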
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 2010-01-18 18:24:22.628540083 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2010-03-10 15:58:15.169618442 +0100
@@ -182,6 +182,10 @@
')
optional_policy(`
+ pulseaudio_manage_home(nsplugin_t)
+')
+
+optional_policy(`
unconfined_execmem_signull(nsplugin_t)
')
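Review bot: `pulseaudio_manage_home(nsplugin_t)` lets browser plugins create, delete and rewrite everything typed pulseaudio_home_t, which after this patch includes `~/.pulse-cookie`, the client authentication cookie. If the plugin only needs to read the cookie and client config, the `pulseaudio_read_home` interface added alongside is the tighter choice; if it must create the cookie on first use, a comment such as `# creates ~/.pulse-cookie on first connect` would stop the manage grant from being narrowed by mistake later.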
@@ -190,13 +194,13 @@
type user_tmpfs_t;
')
xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
- xserver_common_app(nsplugin_t)
xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
xserver_read_xdm_tmp_files(nsplugin_t)
xserver_read_user_xauth(nsplugin_t)
xserver_read_user_iceauth(nsplugin_t)
xserver_use_user_fonts(nsplugin_t)
- xserver_manage_home_fonts(nsplugin_t)
+ xserver_rw_inherited_user_fonts(nsplugin_t)
')
########################################
@@ -273,7 +277,7 @@
domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
optional_policy(`
- xserver_read_home_fonts(nsplugin_config_t)
+ xserver_use_user_fonts(nsplugin_config_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.32/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 2010-01-18 18:24:22.629540210 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.if 2010-03-03 10:39:47.593622978 +0100
@@ -87,7 +87,6 @@
allow $3 $1_openoffice_t:process { signal sigkill };
allow $1_openoffice_t $3:unix_stream_socket connectto;
optional_policy(`
- xserver_common_app($1_openoffice_t)
xserver_common_x_domain_template($1, $1_openoffice_t)
')
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100
@@ -73,6 +73,7 @@
sysnet_dns_name_resolve(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.32/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/ptchown.te 2010-03-08 12:56:34.687874102 +0100
@@ -23,6 +23,7 @@
fs_rw_anon_inodefs_files(ptchown_t)
+term_getattr_all_ptys(ptchown_t)
term_setattr_generic_ptys(ptchown_t)
term_setattr_all_user_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-05-11 15:15:30.272625684 +0200
@@ -1 +1,9 @@
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
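Review bot: `/var/lib/mpd(/.*)?` is labelled `pulseaudio_var_lib_t`, which hands the Music Player Daemon's state directory to the pulseaudio module; with the `manage_dirs_pattern`/`manage_files_pattern` rules on that type in pulseaudio.te, pulseaudio_t can create, modify and delete everything under /var/lib/mpd, and any later mpd policy would have to relabel it. If this is needed because mpd runs as pulseaudio_t on some setups, a comment saying so (`# mpd runs in pulseaudio_t on this distribution`) would stop the next maintainer from treating it as a typo; otherwise mpd should get its own type. Labelling `HOME_DIR/\.pulse-cookie` is welcome, since that file is the client authentication cookie and now has a type the read/manage interfaces can reason about.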
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-03-15 12:23:36.288864417 +0100
@@ -18,7 +18,7 @@
interface(`pulseaudio_role',`
gen_require(`
type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
- class dbus { send_msg };
+ class dbus { acquire_svc send_msg };
')
role $1 types pulseaudio_t;
@@ -29,7 +29,7 @@
ps_process_pattern($2, pulseaudio_t)
allow pulseaudio_t $2:process { signal signull };
- allow $2 pulseaudio_t:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
ps_process_pattern(pulseaudio_t, $2)
allow pulseaudio_t $2:unix_stream_socket connectto;
@@ -127,7 +127,7 @@
########################################
## <summary>
-## pulsaudio connection template.
+## read pulseaudio homedir content
## </summary>
## <param name="user_domain">
## <summary>
@@ -135,12 +135,72 @@
## </summary>
## </param>
#
+template(`pulseaudio_read_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ list_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## manage pulseaudio homedir content
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`pulseaudio_manage_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## Allow domain to setattr on pulseaudio homedir
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`pulseaudio_setattr_home_dir',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ allow $1 pulseaudio_home_t:dir setattr;
+')
+
+#####################################
+## <summary>
+## Connect to pulseaudio over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t;
+ type pulseaudio_t, pulseaudio_var_run_t;
')
+ files_search_pids($1)
allow $1 pulseaudio_t:process signull;
allow pulseaudio_t $1:process signull;
- allow $1 pulseaudio_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
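Review bot: `pulseaudio_read_home`, `pulseaudio_manage_home` and `pulseaudio_setattr_home_dir` are declared with `template(` although none derives per-prefix types — each takes a plain domain and grants access to the fixed `pulseaudio_home_t` — so by refpolicy convention they should be `interface(`, with the parameter named `domain` rather than `user_domain`. Neither the read nor the manage variant calls `userdom_search_user_home_dirs($1)`, which pulseaudio.te has to add separately for pulseaudio_t itself, so a caller such as nsplugin_t may receive the rules on pulseaudio_home_t without a searchable path to reach it. In `pulseaudio_stream_connect` the old unconditional `connectto` is replaced by `stream_connect_pattern` keyed on `pulseaudio_var_run_t`; that is a tightening, but only sockets labelled from /var/run/pulse match, so if a per-user instance places its native socket elsewhere clients would now be denied — worth a comment naming the socket location this expects.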
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-04-21 14:10:04.244409189 +0200
@@ -1,5 +1,5 @@
-policy_module(pulseaudio, 1.0.1)
+policy_module(pulseaudio, 1.1.1)
########################################
#
@@ -8,14 +8,28 @@
type pulseaudio_t;
type pulseaudio_exec_t;
+init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmpfs_t;
+files_tmpfs_file(pulseaudio_tmpfs_t)
+
+type pulseaudio_var_lib_t;
+files_type(pulseaudio_var_lib_t)
+
+type pulseaudio_var_run_t;
+files_pid_file(pulseaudio_var_run_t)
+
########################################
#
# pulseaudio local policy
#
+allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
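Review bot: The new capability line grants pulseaudio_t `fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config` in one go, and since the type now carries both `init_daemon_domain` and `application_domain` the per-user instance inherits the daemon-mode privileges too. setuid/setgid are plausibly for the system-wide daemon dropping to its service user and sys_nice/sys_resource for realtime scheduling, but nothing in the hunk says why chown, fowner, fsetid and sys_tty_config are required. A comment per group, e.g. `# system-wide mode: drop privileges to the pulse user` above the line, or splitting it so the daemon-only capabilities are documented, would make later tightening possible.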
@@ -24,6 +38,19 @@
allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+userdom_search_user_home_dirs(pulseaudio_t)
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+
can_exec(pulseaudio_t, pulseaudio_exec_t)
kernel_getattr_proc(pulseaudio_t)
@@ -54,8 +81,8 @@
fs_getattr_tmpfs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-term_use_all_user_ttys(pulseaudio_t)
-term_use_all_user_ptys(pulseaudio_t)
+term_use_all_ttys(pulseaudio_t)
+term_use_all_ptys(pulseaudio_t)
auth_use_nsswitch(pulseaudio_t)
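Review bot: `term_use_all_user_ttys`/`term_use_all_user_ptys` are replaced by `term_use_all_ttys`/`term_use_all_ptys`, which widens pulseaudio_t from user terminals to every tty and pty type, including those of system daemons and the console. If the motivation is the new system-daemon mode, a comment naming it (`# system-wide daemon: started from init, may inherit the console`) would justify the wider set; otherwise the user-terminal interfaces were the tighter choice and should stay.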
@@ -63,6 +90,8 @@
miscfiles_read_localization(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
+
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
')
@@ -72,6 +101,8 @@
')
optional_policy(`
+ dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
+
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
@@ -105,10 +136,13 @@
optional_policy(`
udev_read_db(pulseaudio_t)
+ udev_read_state(pulseaudio_t)
')
optional_policy(`
+ xserver_stream_connect(pulseaudio_t)
xserver_manage_xdm_tmp_files(pulseaudio_t)
xserver_read_xdm_lib_files(pulseaudio_t)
- xserver_common_app(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.32/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-01-18 18:24:22.644530315 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2010-02-26 17:10:10.725606301 +0100
@@ -116,6 +116,7 @@
domain_type(qemu_unconfined_t)
unconfined_domain_noaudit(qemu_unconfined_t)
userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t)
+ userdom_unpriv_usertype(unconfined,qemu_unconfined_t)
application_type(qemu_unconfined_t)
role unconfined_r types qemu_unconfined_t;
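Review bot: `userdom_unpriv_usertype(unconfined,qemu_unconfined_t)` lacks the space after the comma that the surrounding calls use; `userdom_unpriv_usertype(unconfined, qemu_unconfined_t)`. Style only.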
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 2010-01-18 18:24:22.646540277 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2010-02-08 10:39:43.173336716 +0100
@@ -52,6 +52,10 @@
userdom_dontaudit_search_admin_dir(sambagui_t)
optional_policy(`
+ gnome_dontaudit_search_config(sambagui_t)
+')
+
+optional_policy(`
consoletype_exec(sambagui_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-04-13 14:58:43.176867747 +0200
@@ -29,7 +29,7 @@
dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
role $2 types sandbox_domain;
allow sandbox_domain $1:process sigchld;
- allow sandbox_domain $1:fifo_file rw_fifo_file_perms;
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
allow $1 sandbox_x_domain:process { signal_perms transition };
dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
@@ -37,7 +37,7 @@
role $2 types sandbox_x_domain;
role $2 types sandbox_xserver_t;
allow $1 sandbox_xserver_t:process signal_perms;
- dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
allow sandbox_xserver_t $1:unix_stream_socket { read write };
@@ -45,9 +45,10 @@
allow sandbox_x_domain $1:process { sigchld signal };
allow sandbox_x_domain sandbox_x_domain:process signal;
# Dontaudit leaked file descriptors
- dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
@@ -79,6 +80,8 @@
type $1_t, sandbox_domain;
domain_type($1_t)
+ mls_rangetrans_target($1_t)
+
type $1_file_t, sandbox_file_type;
files_type($1_file_t)
@@ -103,9 +106,10 @@
#
template(`sandbox_x_domain_template',`
gen_require(`
- type xserver_exec_t;
+ type xserver_exec_t, sandbox_devpts_t;
type sandbox_xserver_t;
attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_file_type;
')
type $1_t, sandbox_x_domain;
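Review bot: `type xserver_exec_t, sandbox_devpts_t;` adds `sandbox_devpts_t` to the template's gen_require, but the next hunk declares a per-instance `$1_devpts_t` instead and nothing visible references `sandbox_devpts_t`; unless that type is declared elsewhere in the module the require looks stale, and in a modular build a required type that nobody declares fails at link time. Suggest reverting to `type xserver_exec_t;` if `$1_devpts_t` is the intended type. The template body continues outside the hunk.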
@@ -121,8 +125,13 @@
manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+ term_create_pty($1_t, $1_devpts_t)
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+
# window manager
- miscfiles_setattr_fonts_dirs($1_t)
+ miscfiles_setattr_fonts_cache_dirs($1_t)
allow $1_t self:capability setuid;
type $1_client_t, sandbox_x_domain;
@@ -156,6 +165,8 @@
ps_process_pattern(sandbox_xserver_t, $1_t)
allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+ allow $1_client_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_client_t:unix_stream_socket connectto;
can_exec($1_client_t, $1_file_t)
manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
@@ -163,10 +174,6 @@
manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
-
- optional_policy(`
- xserver_common_app($1_t)
- ')
')
########################################
@@ -176,7 +183,7 @@
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access
## </summary>
## </param>
#
@@ -187,3 +194,94 @@
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+## Delete sandbox sock files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_sock_files',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+## Allow domain to set the attributes
+## of the sandbox directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_setattr_dirs',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ allow $1 sandbox_file_type:dir setattr;
+')
+
+########################################
+## <summary>
+## allow domain to delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+## allow domain to list sandbox dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`sandbox_list',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ allow $1 sandbox_file_type:dir list_dir_perms;
+')
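Review bot: The summary of `sandbox_delete_dirs` says "allow domain to delete sandbox files" while the rule is `delete_dirs_pattern`; `## Delete sandbox directories` matches the code (the file-deleting one is `sandbox_delete_files` just above). The five new summaries also mix capitalisation and drop the trailing period the rest of the file uses, and `sandbox_list` would read better as `sandbox_list_dirs` following the `<module>_<verb>_<object>` naming of the other interfaces, though renaming touches callers.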
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-04-13 14:57:35.509601481 +0200
@@ -10,14 +10,15 @@
#
sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_min)
sandbox_x_domain_template(sandbox_x)
sandbox_x_domain_template(sandbox_web)
sandbox_x_domain_template(sandbox_net)
type sandbox_xserver_t;
domain_type(sandbox_xserver_t)
-xserver_common_app(sandbox_xserver_t)
permissive sandbox_xserver_t;
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
type sandbox_xserver_tmpfs_t;
files_tmpfs_file(sandbox_xserver_tmpfs_t)
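Review bot: `xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)` is invoked one line before `type sandbox_xserver_tmpfs_t;` is declared; checkpolicy's two-pass handling may accept it, but it reads as a use-before-declare and any require inside the template would not see the type yet. Move the call below `files_tmpfs_file(sandbox_xserver_tmpfs_t)` once the declarations are done. `permissive sandbox_xserver_t;` is pre-existing context, but now that the X server is wired through the full user X domain template it is worth re-checking whether the domain still needs to stay permissive.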
@@ -81,6 +82,7 @@
logging_send_audit_msgs(sandbox_xserver_t)
userdom_use_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
xserver_entry_type(sandbox_xserver_t)
@@ -92,10 +94,6 @@
')
')
-optional_policy(`
- xserver_common_app(sandbox_xserver_t)
-')
-
########################################
#
# sandbox local policy
@@ -103,17 +101,26 @@
## internal communication is often done using fifo and unix sockets.
allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
+allow sandbox_domain self:msgq create_msgq_perms;
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
-allow sandbox_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
gen_require(`
type usr_t, lib_t, locale_t;
attribute exec_type;
')
-files_rw_all_inherited_files(sandbox_domain, -exec_type -usr_t -lib_t -locale_t )
+files_rw_all_inherited_files(sandbox_domain, -exec_type -etc_t -usr_t -lib_t -locale_t )
files_entrypoint_all_files(sandbox_domain)
+files_read_etc_files(sandbox_domain)
+files_read_usr_files(sandbox_domain)
+
miscfiles_read_localization(sandbox_domain)
kernel_dontaudit_read_system_state(sandbox_domain)
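Review bot: `-etc_t` is added to the `files_rw_all_inherited_files` exclusion list but `etc_t` is not added to the `gen_require` just above it (only `usr_t, lib_t, locale_t` and `exec_type` are required), so in a modular build the reference may fail unless etc_t is required elsewhere in the file; `type usr_t, lib_t, locale_t, etc_t;`. Excluding etc_t from inherited rw and pairing it with `files_read_etc_files` is the right direction, since a leaked writable fd on an /etc file becomes unusable from the sandbox, and a short `# /etc stays read-only even through leaked fds` comment would record the intent. `dev_rw_all_inherited_blk_files(sandbox_domain)` is a broad grant for a sandbox; a comment on which launcher leaks a block-device fd would help justify it.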
@@ -125,14 +132,19 @@
#
# sandbox_x_domain local policy
#
-## internal communication is often done using fifo and unix sockets.
+
allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
-allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
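Review bot: The new lines `allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;`, `allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };` and `allow sandbox_x_domain self:shm create_shm_perms;` duplicate rules that already exist a few lines down in the same block (the existing `shm` and `unix_stream_socket` lines and the modified `unix_dgram_socket` line); the compiler merges duplicates so nothing breaks, but it hides which line is authoritative. Keep only the new `sem` and `msgq` lines here and leave the existing ones in place. The `## internal communication is often done using fifo and unix sockets.` comment is dropped for no visible reason; it still describes the block.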
@@ -161,14 +173,14 @@
auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
-#auth_use_nsswitch(sandbox_x_domain)
+auth_use_nsswitch(sandbox_x_domain)
auth_search_pam_console_data(sandbox_x_domain)
init_read_utmp(sandbox_x_domain)
init_dontaudit_write_utmp(sandbox_x_domain)
miscfiles_read_localization(sandbox_x_domain)
-miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
term_getattr_pty_fs(sandbox_x_domain)
term_use_ptmx(sandbox_x_domain)
@@ -179,12 +191,24 @@
miscfiles_read_fonts(sandbox_x_domain)
optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sandbox_x_domain)
+')
+
+optional_policy(`
gnome_read_gconf_config(sandbox_x_domain)
')
optional_policy(`
- cups_stream_connect(sandbox_x_domain)
- cups_read_rw_config(sandbox_x_domain)
+ nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_search_lib(sandbox_x_domain)
')
userdom_dontaudit_use_user_terminals(sandbox_x_domain)
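Review bot: Moving `dbus_system_bus_client` to the `sandbox_x_domain` attribute grants a system-bus client connection to every X sandbox, including the `sandbox_min` domains introduced in the first hunk of this file, whereas before the grant was per client domain (sandbox_x_client_t, sandbox_web_client_t, sandbox_net_client_t). If the minimal sandbox is meant to have the smallest reach, keep the grant on the individual client types; if the widening is intended, a comment stating it would help, and the now-redundant `dbus_system_bus_client(sandbox_web_client_t)` / `dbus_system_bus_client(sandbox_net_client_t)` calls further down can go. The reordering of the optional_policy blocks itself is fine.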
@@ -207,10 +231,8 @@
corenet_tcp_connect_ipp_port(sandbox_x_client_t)
-#auth_use_nsswitch(sandbox_x_client_t)
+auth_use_nsswitch(sandbox_x_client_t)
-dbus_system_bus_client(sandbox_x_client_t)
-dbus_read_config(sandbox_x_client_t)
selinux_get_fs_mount(sandbox_x_client_t)
selinux_validate_context(sandbox_x_client_t)
selinux_compute_access_vector(sandbox_x_client_t)
@@ -239,6 +261,8 @@
kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
dev_read_rand(sandbox_web_client_t)
+dev_write_sound(sandbox_web_client_t)
+dev_read_sound(sandbox_web_client_t)
# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
@@ -249,14 +273,18 @@
corenet_raw_sendrecv_all_nodes(sandbox_web_client_t)
corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
+corenet_tcp_connect_flash_port(sandbox_web_client_t)
corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_streaming_port(sandbox_web_client_t)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t)
corenet_tcp_connect_http_port(sandbox_web_client_t)
corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
corenet_tcp_connect_ftp_port(sandbox_web_client_t)
corenet_tcp_connect_ipp_port(sandbox_web_client_t)
corenet_tcp_connect_generic_port(sandbox_web_client_t)
corenet_tcp_connect_soundd_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
corenet_sendrecv_http_client_packets(sandbox_web_client_t)
corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
@@ -265,9 +293,8 @@
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
-corenet_tcp_connect_speech_port(sandbox_web_client_t)
-#auth_use_nsswitch(sandbox_web_client_t)
+auth_use_nsswitch(sandbox_web_client_t)
dbus_system_bus_client(sandbox_web_client_t)
dbus_read_config(sandbox_web_client_t)
@@ -279,6 +306,8 @@
selinux_compute_user_contexts(sandbox_web_client_t)
seutil_read_default_contexts(sandbox_web_client_t)
+userdom_rw_user_tmpfs_files(sandbox_web_client_t)
+
optional_policy(`
nsplugin_read_rw_files(sandbox_web_client_t)
nsplugin_rw_exec(sandbox_web_client_t)
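Review bot: `userdom_rw_user_tmpfs_files(sandbox_web_client_t)` gives the web sandbox read/write on the user's tmpfs-backed files, a shared-memory path between the sandboxed browser and the rest of the user's session, and the hunk carries no comment saying which component needs it. A one-liner such as `# shared memory with the user's X/pulseaudio session — TODO confirm` would record the reason and let a maintainer narrow it later; if only one component's tmpfs type is needed, the module-specific interface would be tighter.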
@@ -310,7 +339,7 @@
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
-#auth_use_nsswitch(sandbox_net_client_t)
+auth_use_nsswitch(sandbox_net_client_t)
dbus_system_bus_client(sandbox_net_client_t)
dbus_read_config(sandbox_net_client_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.32/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2010-01-18 18:24:22.654539968 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/slocate.te 2010-03-18 17:36:13.695514634 +0100
@@ -31,6 +31,7 @@
kernel_read_system_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
corecmd_exec_bin(locate_t)
@@ -44,6 +45,8 @@
files_read_etc_runtime_files(locate_t)
files_read_etc_files(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
fs_getattr_all_fs(locate_t)
fs_getattr_all_files(locate_t)
fs_getattr_all_pipes(locate_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/vmware.if 2010-01-25 17:40:10.448685801 +0100
@@ -30,6 +30,24 @@
allow $2 vmware_t:process signal;
')
+#######################################
+## <summary>
+## Execute vmware host executables
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ can_exec($1, vmware_host_exec_t)
+')
+
########################################
## <summary>
## Read VMWare system configuration files.
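Review bot: The separator added above the new `vmware_exec_host` interface appears one `#` shorter than the 40-column header used by the next interface in the same hunk; a style nit, but the file's headers are otherwise uniform. Replace `#######################################` with `########################################`. The interface body itself (gen_require of `vmware_host_exec_t` plus `can_exec`) matches the pattern of the surrounding interfaces.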
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-01-18 18:24:22.655542539 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2010-04-13 14:17:51.582850944 +0200
@@ -32,6 +32,10 @@
type vmware_host_pid_t alias vmware_var_run_t;
files_pid_file(vmware_host_pid_t)
+type vmware_host_tmp_t;
+files_tmp_file(vmware_host_tmp_t)
+ubac_constrained(vmware_host_tmp_t)
+
type vmware_log_t;
typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
@@ -77,7 +81,10 @@
allow vmware_host_t self:rawip_socket create_socket_perms;
allow vmware_host_t self:tcp_socket create_socket_perms;
+can_exec(vmware_host_t, vmware_host_exec_t)
+
# cjp: the ro and rw files should be split up
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
@@ -87,6 +94,11 @@
manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
+
kernel_read_kernel_sysctls(vmware_host_t)
kernel_read_system_state(vmware_host_t)
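Review bot: `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })` omits `sock_file`, although the line above grants `manage_sock_files_pattern` on vmware_host_tmp_t; a socket created directly in /tmp rather than inside an already-labelled vmware_host_tmp_t directory would keep the generic tmp label, and the new socket rule would not apply to it. If sockets are only ever created under a vmware_host_tmp_t directory this is harmless; otherwise `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir sock_file })`. The vmware_host_t rule block continues outside the hunk.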
@@ -110,6 +122,7 @@
corecmd_exec_bin(vmware_host_t)
corecmd_exec_shell(vmware_host_t)
+dev_rw_generic_chr_files(vmware_host_t)
dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
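Review bot: `dev_rw_generic_chr_files(vmware_host_t)` grants read and write on every character device node that carries the generic device label, i.e. everything in /dev without a dedicated type, which is far wider than the adjacent getattr/read rules. If the need is one specific vmware device node, giving it its own type (a devices.fc entry plus a dev_* interface) keeps the grant auditable; failing that, a comment naming the device that needs it, e.g. `# needed for /dev/<vmware node> — TODO confirm`, would at least document the intended scope. The vmware_host_t rule block starts and ends outside this hunk.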
@@ -157,7 +170,6 @@
optional_policy(`
xserver_read_tmp_files(vmware_host_t)
xserver_read_xdm_pid(vmware_host_t)
- xserver_common_app(vmware_host_t)
')
ifdef(`TODO',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-03-03 10:39:47.597611866 +0100
@@ -143,6 +143,10 @@
userdom_unpriv_usertype($1, $1_wine_t)
userdom_manage_tmpfs_role($2, $1_wine_t)
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
domain_mmap_low_type($1_wine_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low($1_wine_t)
@@ -154,7 +158,6 @@
corecmd_bin_domtrans($1_wine_t, $1_t)
optional_policy(`
- xserver_common_app($1_wine_t)
xserver_role($1_r, $1_wine_t)
')
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-18 18:24:22.664530344 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-03-05 09:36:04.095822776 +0100
@@ -6,6 +6,15 @@
# Declarations
#
+## <desc>
+## <p>
+## Ignore wine mmap_zero errors
+## </p>
+## </desc>
+#
+gen_tunable(wine_mmap_zero_ignore, false)
+
+
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
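Review bot: The tunable description `Ignore wine mmap_zero errors` does not say what the tunable does; the rule it gates in the next hunk, `dontaudit wine_t self:memprotect mmap_zero;`, only suppresses the audit record while the access stays denied, and "ignore errors" reads as if the mapping were allowed. Suggest `Do not audit wine attempts to map the zero page (memprotect mmap_zero); the access remains denied.` The hunk also introduces two consecutive blank lines after the `gen_tunable` line, as does the tunable_policy block in the next hunk, where the file otherwise separates blocks with one.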
@@ -29,6 +38,11 @@
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
+
domain_mmap_low_type(wine_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low(wine_t)
@@ -43,12 +57,10 @@
')
optional_policy(`
- unconfined_domain(wine_t)
+ unconfined_domain_noaudit(wine_t)
')
optional_policy(`
- xserver_common_app(wine_t)
xserver_read_xdm_pid(wine_t)
- xserver_common_app(wine_t)
xserver_rw_shm(wine_t)
')
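Review bot: Switching to `unconfined_domain_noaudit(wine_t)` changes what the audit log records, not only what is permitted: if the interface does what its name says, denials hitting wine_t are no longer logged, so the optional block deserves a comment stating why that is acceptable, e.g. `# wine probes many operations it is not permitted; silence the resulting denials`. Silenced denials are invisible to anyone later triaging AVC logs on the host, which is the trade-off worth writing down. Removing the duplicated `xserver_common_app(wine_t)` line is fine.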
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.32/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/wm.if 2010-03-05 09:36:04.100821613 +0100
@@ -30,6 +30,7 @@
template(`wm_role_template',`
gen_require(`
type wm_exec_t;
+ class dbus send_msg;
')
type $1_wm_t;
@@ -42,6 +43,12 @@
allow $1_wm_t self:shm create_shm_perms;
allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+ allow $3 $1_wm_t:process signal;
+ allow $1_wm_t $3:process signull;
+
+ allow $1_wm_t $3:dbus send_msg;
+ allow $3 $1_wm_t:dbus send_msg;
domtrans_pattern($3, wm_exec_t, $1_wm_t)
@@ -55,6 +62,8 @@
files_read_etc_files($1_wm_t)
files_read_usr_files($1_wm_t)
+ fs_getattr_tmpfs($1_wm_t)
+
mls_file_read_all_levels($1_wm_t)
mls_file_write_all_levels($1_wm_t)
mls_xwin_read_all_levels($1_wm_t)
@@ -72,11 +81,18 @@
optional_policy(`
dbus_system_bus_client($1_wm_t)
+ dbus_session_bus_client($1_wm_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_stream_connect($1_wm_t)
')
optional_policy(`
xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
')
+
')
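Review bot: `xserver_manage_core_devices($1_wm_t)` is the broadest new grant in this template — if it does what its name implies, management of the X server's core input devices — and it is added without a comment saying which window-manager operation requires it; a one-line comment at that line, e.g. `# required for <wm operation> — TODO confirm`, would make the grant reviewable later. The blank line inserted before the closing `')` of the template is a style nit. The `wm_role_template` body starts outside this hunk.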
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-04-16 09:19:46.149614555 +0200
@@ -166,6 +166,7 @@
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
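Review bot: The new `/usr/lib/fence(/.*)?` entry is inserted after the `qt.*` line, breaking the alphabetical run (`ccache`, `pgsql`, `qt`) it sits in; it belongs before `/usr/lib/pgsql/...`. The `denyhosts` and `e16` lines in the next hunk are likewise placed ahead of `/usr/share/cluster/...`. Ordering in an .fc file is presumably cosmetic for matching, but keeping it sorted is what stops later merges from adding duplicate entries.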
@@ -218,8 +219,11 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
-/usr/share/cluster/ocf-shellfunc -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
@@ -237,6 +241,7 @@
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -299,6 +304,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-03-30 08:54:31.459610926 +0200
@@ -140,11 +140,38 @@
########################################
## <summary>
-## Send and receive TCP network traffic on the generic interfaces.
+## Send and receive TCP network traffic on generic interfaces.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive TCP network
+## traffic on generic network interfaces.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
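Review bot: The `Related interface:` heading in the new `<desc>` block introduces a list of four interfaces, while the later hunks in this file (the `*_all_ports` and `connect_all_ports` descriptions) use `Related interfaces:`; the singular is the inconsistent one and should read `Related interfaces:`. The same heading appears in the UDP generic_if, TCP generic_node and UDP generic_node hunks that follow.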
@@ -233,13 +260,39 @@
########################################
## <summary>
-## Send and Receive UDP network traffic on generic interfaces.
+## Send and receive UDP network traffic on generic interfaces.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive UDP network
+## traffic on generic network interfaces.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_node()</li>
+## <li>corenet_udp_sendrecv_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_if',`
corenet_udp_send_generic_if($1)
@@ -491,11 +544,39 @@
## <summary>
## Send and receive TCP network traffic on generic nodes.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive TCP network
+## traffic to/from generic network nodes (hostnames/networks).
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_node',`
gen_require(`
@@ -545,11 +626,37 @@
## <summary>
## Send and receive UDP network traffic on generic nodes.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to send and receive UDP network
+## traffic to/from generic network nodes (hostnames/networks).
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_if()</li>
+## <li>corenet_udp_sendrecv_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_node',`
corenet_udp_send_generic_node($1)
@@ -611,11 +718,26 @@
## <summary>
## Bind TCP sockets to generic nodes.
## </summary>
+## <desc>
+## <p>
+## Bind TCP sockets to generic nodes. This is
+## necessary for binding a socket so it
+## can be used for servers to listen
+## for incoming connections.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_udp_bind_generic_node()</li>
+## </ul>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="1"/>
#
interface(`corenet_tcp_bind_generic_node',`
gen_require(`
@@ -629,11 +751,26 @@
## <summary>
## Bind UDP sockets to generic nodes.
## </summary>
+## <desc>
+## <p>
+## Bind UDP sockets to generic nodes. This is
+## necessary for binding a socket so it
+## can be used for servers to listen
+## for incoming connections.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>corenet_tcp_bind_generic_node()</li>
+## </ul>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="1"/>
#
interface(`corenet_udp_bind_generic_node',`
gen_require(`
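Review bot: The new description for `corenet_udp_bind_generic_node` says binding lets servers `listen for incoming connections`, which is copied from the TCP variant in the hunk above; UDP has no connections, so `can be used by servers to receive incoming datagrams.` would be accurate. The TCP wording above is fine as written.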
@@ -1112,11 +1249,37 @@
## <summary>
## Send and receive TCP network traffic on all ports.
## </summary>
+## <desc>
+## <p>
+## Send and receive TCP network traffic on all ports.
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_connect_all_ports()</li>
+## <li>corenet_tcp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_all_ports',`
gen_require(`
@@ -1166,11 +1329,35 @@
## <summary>
## Send and receive UDP network traffic on all ports.
## </summary>
+## <desc>
+## <p>
+## Send and receive UDP network traffic on all ports.
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_udp_sendrecv_generic_if()</li>
+## <li>corenet_udp_sendrecv_generic_node()</li>
+## <li>corenet_udp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to send to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:udp_socket create_socket_perms;
+## corenet_udp_sendrecv_generic_if(myclient_t)
+## corenet_udp_sendrecv_generic_node(myclient_t)
+## corenet_udp_sendrecv_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_all_ports',`
corenet_udp_send_all_ports($1)
@@ -1255,11 +1442,39 @@
## <summary>
## Connect TCP sockets to all ports.
## </summary>
+## <desc>
+## <p>
+## Connect TCP sockets to all ports
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>corenet_all_recvfrom_unlabeled()</li>
+## <li>corenet_tcp_sendrecv_generic_if()</li>
+## <li>corenet_tcp_sendrecv_generic_node()</li>
+## <li>corenet_tcp_sendrecv_all_ports()</li>
+## <li>corenet_tcp_bind_all_ports()</li>
+## </ul>
+## <p>
+## Example client being able to connect to all ports over
+## generic nodes, without labeled networking:
+## </p>
+## <p>
+## allow myclient_t self:tcp_socket create_stream_socket_perms;
+## corenet_tcp_sendrecv_generic_if(myclient_t)
+## corenet_tcp_sendrecv_generic_node(myclient_t)
+## corenet_tcp_sendrecv_all_ports(myclient_t)
+## corenet_tcp_connect_all_ports(myclient_t)
+## corenet_all_recvfrom_unlabeled(myclient_t)
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="write" weight="1"/>
#
interface(`corenet_tcp_connect_all_ports',`
gen_require(`
@@ -1705,6 +1920,25 @@
########################################
## <summary>
+## Do not audit attempts to read or write the TUN/TAP
+## virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_rw_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dontaudit $1 tun_tap_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
## Getattr the point-to-point device.
## </summary>
## <param name="domain">
@@ -2207,11 +2441,23 @@
## <summary>
## Receive packets from an unlabeled connection.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to receive packets from an
+## unlabeled connection. On machines that do not utilize
+## labeled networking, this will be required on all
+## networking domains. On machines tha do utilize
+## labeled networking, this will be required for any
+## networking domain that is allowed to receive
+## network traffic that does not have a label.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="10"/>
#
interface(`corenet_all_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
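Review bot: Typo in the new `<desc>` text: `On machines tha do utilize` should read `On machines that do utilize`. The rest of the description correctly separates the unlabeled-networking case from the labeled-networking one.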
@@ -2229,11 +2475,22 @@
## <summary>
## Receive packets from a NetLabel connection.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to receive NetLabel
+## network traffic, which utilizes the Commercial IP
+## Security Option (CIPSO) to set the MLS level
+## of the network packets. This is required for
+## all networking domains that receive NetLabel
+## network traffic.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="10"/>
#
interface(`corenet_all_recvfrom_netlabel',`
gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-05-21 13:29:04.023389987 +0200
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.13.0)
+policy_module(corenetwork, 1.13.10)
########################################
#
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)
+mls_trusted_object(tun_tap_device_t)
########################################
#
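Review bot: `mls_trusted_object(tun_tap_device_t)` is, if the attribute behaves as in the MLS constraints, a policy-wide exemption of the TUN/TAP device from MLS level checks rather than a per-domain grant, and the hunk adds it without explanation. A comment naming the consumer that needs cross-level access to the device, e.g. `# <domain> opens /dev/net/tun from multiple levels — TODO confirm`, would make the exemption reviewable alongside the `corenet_dontaudit_rw_tun_tap_dev` interface this patch adds to corenetwork.if.in.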
@@ -71,58 +72,58 @@
network_port(afs_pt, udp,7002,s0)
network_port(afs_vl, udp,7003,s0)
network_port(agentx, udp,705,s0, tcp,705,s0)
-network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
-network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
+network_port(amqp, tcp,5671,s0, udp,5671,s0, tcp,5672,s0, udp,5672,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+network_port(boinc, tcp,31416,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
+network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
-network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
+network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
+network_port(cobbler, tcp,25151,s0)
+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
-network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
-portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
+network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0)
-network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmap, tcp,135,s0, udp,135,s0)
network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
-network_port(ftp, tcp,21,s0)
+network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
-network_port(ftps, tcp,990,s0, udp,990,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hddtemp, tcp,7634,s0)
-network_port(howl, tcp,5353,s0, udp,5353,s0)
+network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
-network_port(chronyd, udp,323,s0)
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
-network_port(ipp, tcp,631,s0, udp,631,s0)
-portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
-portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
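Review bot: Two port values change silently inside a hunk that is otherwise about collapsing port lists into ranges: `howl` moves from `tcp,5353` to `tcp,5335`, and the `ftps` port type is dropped and folded into `ftp` as `tcp,990,s0, udp,990,s0`. The first needs a comment if intentional, since 5335 and 5353 are one transposition apart; the second removes `ftps_port_t` and the interfaces generated for it, so any module still calling a `corenet_*_ftps_port` interface will fail to build — worth a grep before merging. The mysqld hunk below has the same silent-value issue, its range end moving from 63163 to 63164.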
@@ -145,10 +146,12 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
+network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
network_port(munin, tcp,4949,s0, udp,4949,s0)
-network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
-portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
@@ -195,7 +198,7 @@
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
@@ -205,29 +208,27 @@
network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
+network_port(sype, tcp,9911,s0, udp,9911,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
-network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
+network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
+network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
-network_port(ups, tcp,3493,s0)
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
-network_port(virt_migration, tcp,49152,s0)
-portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
-network_port(vnc, tcp,5900,s0)
-# Reserve 100 ports for vnc/virt machines
-portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
+network_port(virt_migration, tcp,49152-49216,s0)
+network_port(vnc, tcp,5900-5999,s0)
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
-network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
+network_port(xserver, tcp,6000-6020,s0)
+network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
@@ -249,9 +250,8 @@
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
-sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
-
typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
+sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.m4 2010-04-16 10:38:54.979614631 +0200
@@ -6,6 +6,16 @@
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
#
+# range_start(num)
+#
+# return the low port in a range.
+#
+# range_start(600) returns "600"
+# range_start(1200-1600) returns "1200"
+#
+define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))')
+
+#
# build_option(option_name,true,[false])
#
# makes an ifdef. hacky quoting changes because with
@@ -67,11 +77,10 @@
declare_nodes($1_node_t,shift($*))
')
-define(`declare_ports',`dnl
-ifelse(eval($3 < 1024),1,`
-typeattribute $1 reserved_port_type;
#bindresvport in glibc starts searching for reserved ports at 600
-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+define(`declare_ports',`dnl
+ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
+ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
',`dnl')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
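Review bot: The reserved/rpc classification now keys on `range_start($3)` alone, so a range is typed by its low end: `tcp,990-1100` would get `reserved_port_type` for the whole range, and a range starting below 600 but ending above it would miss `rpc_port_type`. None of the ranges in this patch cross either boundary, so this is correct today, but a comment on the macro such as `# attributes are chosen from the low port of a range; do not declare ranges that straddle 600 or 1024` would stop a later port addition from silently getting the wrong attribute. The portcon line and the recursion at the end of `declare_ports` are unchanged.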
@@ -84,7 +93,7 @@
type $1_port_t, port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
-declare_ports($1_port_t,shift($*))
+declare_ports($1_port_t,shift($*))dnl
')
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-03-15 10:19:23.322613725 +0100
@@ -64,6 +64,7 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
@@ -83,6 +84,7 @@
/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
@@ -101,9 +103,12 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
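Review bot: `/dev/uinput` is given event_device_t at the added `/dev/uinput` line; if `/dev/input/event*` carries the same type (its entry is not on this page), every domain allowed to write event_device_t can also create virtual input devices through uinput, a noticeably broader privilege than writing to an existing input device. A dedicated type, or at least a comment such as `# uinput shares event_device_t; write access also allows creating virtual input devices` recording that the overlap is intended, would make the grant reviewable. The new `/dev/usbmon.+` entry also matches the earlier `/dev/usb.+` pattern, which relies on the build's file-context sorting to prefer the more specific expression.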
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-04-13 15:11:45.584851392 +0200
@@ -29,14 +29,39 @@
########################################
## <summary>
-## Make the passed in type a type appropriate for
-## use on device nodes (usually files in /dev).
+## Make the specified type usable for device
+## nodes in a filesystem.
## </summary>
-## <param name="object_type">
+## <desc>
+## <p>
+## Make the specified type usable for device nodes
+## in a filesystem. Types used for device nodes that
+## do not use this interface, or an interface that
+## calls this one, will have unexpected behaviors
+## while the system is running.
+## </p>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mydev_t;
+## dev_node(mydev_t)
+## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>term_tty()</li>
+## <li>term_pty()</li>
+## </ul>
+## </desc>
+## <param name="type">
## <summary>
-## The object type that will be used on device nodes.
+## Type to be used for device nodes.
## </summary>
## </param>
+## <infoflow type="none"/>
#
interface(`dev_node',`
gen_require(`
@@ -147,6 +172,24 @@
########################################
## <summary>
+## Add entries to directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to add entries.
+## </summary>
+## </param>
+#
+interface(`dev_remove_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
## Create a directory in the device directory.
## </summary>
## <param name="domain">
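Review bot: The summary of the new `dev_remove_entry_generic_dirs` interface says `Add entries to directories in /dev.` while the rule grants `del_entry_dir_perms`, so the generated interface documentation describes the opposite access. The summary should read `## Remove entries from directories in /dev.` and the parameter description `## Domain allowed to remove entries.`.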
@@ -436,6 +479,24 @@
########################################
## <summary>
+## Read and write generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
## </summary>
@@ -873,6 +934,42 @@
########################################
## <summary>
+## rw all inherited character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+## rw all inherited blk device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
+')
+
+########################################
+## <summary>
## Delete all block device files.
## </summary>
## <param name="domain">
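Review bot: The permission sets `rw_inherited_chr_file_perms` and `rw_inherited_blk_file_perms` used by the two new interfaces are not visible on this page and differ from the `rw_inherited_file_perms` set the patch uses elsewhere; confirm they are defined in the policy's permission-set macros (possibly elsewhere in this patch), otherwise m4 passes the names through unexpanded and the policy fails to compile. The summaries `rw all inherited character device files.` and `rw all inherited blk device files.` are terser than the rest of the file; `## Read and write all inherited character device files.` and `## Read and write all inherited block device files.` would match the existing style.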
@@ -1398,6 +1495,42 @@
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
+#######################################
+## <summary>
+## Set the attributes of the dlm control devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_dlm_control',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+## <summary>
+## Read and write the the dlm control device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_dlm_control',`
+ gen_require(`
+ type device_t, dlm_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
########################################
## <summary>
## getattr the dri devices.
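Review bot: `dev_setattr_dlm_control` requires `type device_t, kvm_device_t;` but its body uses `dlm_control_device_t`, so the interface pulls in kvm_device_t for no reason and references a type it never declared; the gen_require should be `type device_t, dlm_control_device_t;` as in `dev_rw_dlm_control` just below it. The summary of `dev_rw_dlm_control` also has a doubled word and no period: `## Read and write the dlm control device.`. Both interfaces use a separator one character shorter than the 40-character `########################################` used by their neighbours.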
@@ -1728,6 +1861,24 @@
########################################
## <summary>
+## Write to the kernel messages device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
@@ -1925,9 +2076,9 @@
filetrans_pattern($1, device_t, lirc_device_t, chr_file)
')
-########################################
+#######################################
## <summary>
-## Read the lvm comtrol device.
+## Getattr the lvm comtrol device.
## </summary>
## <param name="domain">
## <summary>
@@ -1935,17 +2086,17 @@
## </summary>
## </param>
#
-interface(`dev_read_lvm_control',`
+interface(`dev_getattr_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
- read_chr_files_pattern($1, device_t, lvm_control_t)
+ getattr_chr_files_pattern($1, device_t, lvm_control_t)
')
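Review bot: The summary written for `dev_getattr_lvm_control` keeps the misspelling from the old text, `## Getattr the lvm comtrol device.`, and the same misspelling is carried into the moved `dev_read_lvm_control` summary in the next hunk; both should say `lvm control device`. The separator above `dev_getattr_lvm_control` was also shortened to one character less than the surrounding 40-character separators.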
########################################
## <summary>
-## Read and write the lvm control device.
+## Read the lvm comtrol device.
## </summary>
## <param name="domain">
## <summary>
@@ -1953,17 +2104,17 @@
## </summary>
## </param>
#
-interface(`dev_rw_lvm_control',`
+interface(`dev_read_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
- rw_chr_files_pattern($1, device_t, lvm_control_t)
+ read_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
## <summary>
-## Delete the lvm control device.
+## Read and write the lvm control device.
## </summary>
## <param name="domain">
## <summary>
@@ -1971,12 +2122,12 @@
## </summary>
## </param>
#
-interface(`dev_delete_lvm_control_dev',`
+interface(`dev_rw_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
- delete_chr_files_pattern($1, device_t, lvm_control_t)
+ rw_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
@@ -1997,10 +2148,9 @@
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
')
-
########################################
## <summary>
-## dontaudit getattr raw memory devices (e.g. /dev/mem).
+## Delete the lvm control device.
## </summary>
## <param name="domain">
## <summary>
@@ -2008,12 +2158,12 @@
## </summary>
## </param>
#
-interface(`dev_dontaudit_getattr_memory_dev',`
+interface(`dev_delete_lvm_control_dev',`
gen_require(`
- type memory_device_t;
+ type device_t, lvm_control_t;
')
- dontaudit $1 memory_device_t:chr_file getattr;
+ delete_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
@@ -2026,12 +2176,12 @@
## </summary>
## </param>
#
-interface(`dev_dontaudit_read_memory_dev',`
+interface(`dev_dontaudit_getattr_memory_dev',`
gen_require(`
type memory_device_t;
')
- dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+ dontaudit $1 memory_device_t:chr_file getattr;
')
########################################
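Review bot: The interface name `dev_dontaudit_read_memory_dev` disappears here (its slot is taken over by `dev_dontaudit_getattr_memory_dev`) and the same body reappears under the new name `dev_dontaudit_read_raw_memory` in the following hunk, so any module still calling the old name fails to build unless it is updated elsewhere in this patch. If the rename is intentional, keeping a deprecated `interface(`dev_dontaudit_read_memory_dev',` that calls `dev_dontaudit_read_raw_memory($1)` after a `refpolicywarn` deprecation notice would let callers migrate without a hard break.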
@@ -2058,6 +2208,25 @@
########################################
## <summary>
+## Do not audit attempts to read raw memory devices
+## (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
## Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
@@ -2468,6 +2637,26 @@
########################################
## <summary>
+## Do not audit attempts to write the memory type
+## range registers (MTRR).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_mtrr',`
+ gen_require(`
+ type mtrr_device_t;
+ ')
+
+ dontaudit $1 mtrr_device_t:chr_file write;
+ dontaudit $1 mtrr_device_t:file write;
+')
+
+########################################
+## <summary>
## Read and write the memory type range registers (MTRR).
## </summary>
## <param name="domain">
@@ -2590,8 +2779,7 @@
type device_t, null_device_t;
')
- allow $1 device_t:dir del_entry_dir_perms;
- allow $1 null_device_t:chr_file unlink;
+ delete_chr_files_pattern($1, device_t, null_device_t)
')
########################################
@@ -2835,13 +3023,28 @@
########################################
## <summary>
## Read from random number generator
-## devices (e.g., /dev/random)
+## devices (e.g., /dev/random).
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read from random number
+## generator devices (e.g., /dev/random). Typically this is
+## used in situations when a cryptographically secure random
+## number is needed.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>dev_read_urand()</li>
+## </ul>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="10"/>
#
interface(`dev_read_rand',`
gen_require(`
@@ -3383,13 +3586,22 @@
########################################
## <summary>
-## Allow caller to read hardware state information.
+## Read hardware state information.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the contents of
+## the sysfs filesystem. This filesystem contains
+## information, parameters, and other settings on the
+## hardware installed on the system.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
-## The process type reading hardware state information.
+## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="10"/>
#
interface(`dev_read_sysfs',`
gen_require(`
@@ -3425,13 +3637,54 @@
########################################
## <summary>
-## Read from pseudo random devices (e.g., /dev/urandom)
+## Associate a file to a sysfs filesystem.
## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the file to be associated to sysfs.
+## </summary>
+## </param>
+#
+interface(`dev_associate_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Read from pseudo random number generator devices (e.g., /dev/urandom).
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read from pseudo random number
+## generator devices (e.g., /dev/urandom). Typically this is
+## used in situations when a cryptographically secure random
+## number is not necessarily needed. One example is the Stack
+## Smashing Protector (SSP, formerly known as ProPolice) support
+## that may be compiled into programs.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>dev_read_rand()</li>
+## </ul>
+## <p>
+## Related tunable:
+## </p>
+## <ul>
+## <li>global_ssp</li>
+## </ul>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="10"/>
#
interface(`dev_read_urand',`
gen_require(`
@@ -3553,6 +3806,24 @@
########################################
## <summary>
+## Read USB monitor devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_usbmon_dev',`
+ gen_require(`
+ type device_t, usbmon_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, usbmon_device_t)
+')
+
+########################################
+## <summary>
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
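Review bot: The summary of `dev_read_usbmon_dev`, `Read USB monitor devices.`, does not convey that usbmon exposes the raw traffic of every device on the USB bus, so a domain given this interface can observe data that belongs to other devices and domains; callers should weigh the grant accordingly. A fuller summary, `## Read USB monitor devices (raw traffic of all USB devices on the bus).`, or a `<desc>` paragraph in the style the patch adds to dev_read_rand, would make that clear in the generated documentation.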
@@ -3741,6 +4012,24 @@
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
+######################################
+## <summary>
+## Read and write userio device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-03-01 13:31:38.484740499 +0100
@@ -1,5 +1,5 @@
-policy_module(devices, 1.8.2)
+policy_module(devices, 1.9.2)
########################################
#
@@ -59,6 +59,12 @@
type crypt_device_t;
dev_node(crypt_device_t)
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
type dri_device_t;
dev_node(dri_device_t)
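Review bot: The comment above the new type names `dlm_misc_device_t`, but the type declared is `dlm_control_device_t`; it should read `# dlm_control_device_t is the type of /dev/misc/dlm.*` so that it matches the declaration and the devices.fc entry. The same mismatch appears in the later hunk of this file, where `# usb_device_t is the type for /dev/usbmon` sits above `type usbmon_device_t;` and should say `# usbmon_device_t is the type for /dev/usbmon.+`.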
@@ -84,8 +90,7 @@
dev_node(kmsg_device_t)
#
-# ksm_device_t is the type of
-# /dev/ksm
+# ksm_device_t is the type of /dev/ksm
#
type ksm_device_t;
dev_node(ksm_device_t)
@@ -233,6 +238,18 @@
type usb_device_t;
dev_node(usb_device_t)
+#
+# usb_device_t is the type for /dev/usbmon
+#
+type usbmon_device_t;
+dev_node(usbmon_device_t)
+
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)
@@ -278,5 +295,5 @@
#
allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-01-18 18:24:22.683530317 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-03-08 13:17:11.540614796 +0100
@@ -543,7 +543,7 @@
########################################
## <summary>
-## Get the attributes of all domains of all domains.
+## Get the attributes of all domains.
## </summary>
## <param name="domain">
## <summary>
@@ -718,10 +718,6 @@
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
dontaudit $1 domain:file read_file_perms;
-
- # cjp: these should be removed:
- dontaudit $1 domain:sock_file read_sock_file_perms;
- dontaudit $1 domain:fifo_file read_fifo_file_perms;
')
########################################
@@ -763,6 +759,24 @@
########################################
## <summary>
+## Get the process group ID of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_getpgid_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process getpgid;
+')
+
+########################################
+## <summary>
## Get the scheduler information of all domains.
## </summary>
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-01-18 18:24:22.685530781 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-03-02 17:30:45.367615524 +0100
@@ -105,8 +105,10 @@
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
+kernel_dontaudit_search_debugfs(domain)
+
# create child processes in the domain
-allow domain self:process { fork sigchld };
+allow domain self:process { fork getsched sigchld };
# Use trusted objects in /dev
dev_rw_null(domain)
@@ -216,8 +218,10 @@
optional_policy(`
rpm_use_fds(domain)
rpm_read_pipes(domain)
+ rpm_append_tmp(domain)
rpm_dontaudit_leaks(domain)
rpm_read_script_tmp_files(domain)
+ rpm_inherited_fifo(domain)
')
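Review bot: `rpm_append_tmp(domain)` and `rpm_inherited_fifo(domain)` are applied to the `domain` attribute, i.e. every process type in the policy, inside the rpm optional block; if `rpm_append_tmp` grants append on rpm's temporary files (its body is not on this page), every domain can now write into those files rather than only the scriptlet domains rpm spawns. A comment explaining why a blanket grant is needed, e.g. `# scriptlets run by rpm inherit its tmp files and fifos`, or narrowing the call to the domains that actually need it, would make the intent reviewable.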
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-02-21 20:44:28.920309784 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-04-13 15:27:35.562850211 +0200
@@ -100,7 +100,7 @@
# HOME_ROOT
# expanded by genhomedircon
#
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>>
@@ -151,6 +151,10 @@
/net -d gen_context(system_u:object_r:mnt_t,s0)
#
+# /nsr
+#
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+#
# /opt
#
/opt -d gen_context(system_u:object_r:usr_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-04-23 07:41:58.899496269 +0200
@@ -1152,6 +1152,102 @@
allow $1 file_type:filesystem unmount;
')
+#############################################
+## <summary>
+## Manage all configuration directories on filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_dirs_pattern($1, configfile, configfile)
+')
+
+#########################################
+## <summary>
+## Relabel configuration directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_relabel_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_dirs_pattern($1, configfile, configfile)
+')
+
+########################################
+## <summary>
+## Read config files in /etc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ allow $1 configfile:dir list_dir_perms;
+ read_files_pattern($1, configfile, configfile)
+ read_lnk_files_pattern($1, configfile, configfile)
+')
+
+###########################################
+## <summary>
+## Manage all configuration files on filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_files_pattern($1, configfile, configfile)
+')
+
+#######################################
+## <summary>
+## Relabel configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_relabel_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_files_pattern($1, configfile, configfile)
+')
+
########################################
## <summary>
## Mount a filesystem on all mount points.
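Review bot: The five new config-file interfaces place an empty `##` line between `## </param>` and `#` (for instance before `interface(`files_manage_config_dirs'`), use separators of differing length, and describe the same parameter three ways (`The type of domain performing this action`, `Type of domain performing this action`, `Domain allowed access.`), whereas the rest of the file consistently uses `## Domain allowed access.` and a 40-character separator with no blank doc line. The summaries `Manage all configuration directories on filesystem` and `Relabel configuration directories` also lack the trailing period used elsewhere.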
@@ -1478,6 +1574,24 @@
########################################
## <summary>
+## List the /boot directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Create directories in /boot
## </summary>
## <param name="domain">
@@ -1772,7 +1886,8 @@
########################################
## <summary>
-## Manage a filesystem on a directory with the default file type.
+## Create, read, write, and delete directories with
+## the default file type.
## </summary>
## <param name="domain">
## <summary>
@@ -1780,13 +1895,12 @@
## </summary>
## </param>
#
-interface(`files_manage_default',`
+interface(`files_manage_default_dirs',`
gen_require(`
type default_t;
')
manage_dirs_pattern($1, default_t, default_t)
- manage_files_pattern($1, default_t, default_t)
')
########################################
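Review bot: `files_manage_default` is renamed to `files_manage_default_dirs` and loses its `manage_files_pattern` line, so existing callers of `files_manage_default` no longer build and, once renamed, silently lose file access unless they also add the `files_manage_default_files` interface introduced in the next hunk. Unless every caller is updated in this patch, keep a deprecated `files_manage_default` wrapper that calls both new interfaces after a `refpolicywarn` notice. The split itself is reasonable, since it lets callers take directory access without file access.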
@@ -1865,6 +1979,25 @@
########################################
## <summary>
+## Create, read, write, and delete files with
+## the default file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ manage_files_pattern($1, default_t, default_t)
+')
+
+########################################
+## <summary>
## Read symbolic links with the default file type.
## </summary>
## <param name="domain">
@@ -1991,7 +2124,7 @@
########################################
## <summary>
-## Read generic files in /etc.
+## Do not audit attempts to write to /etc dirs.
## </summary>
## <param name="domain">
## <summary>
@@ -1999,21 +2132,36 @@
## </summary>
## </param>
#
-interface(`files_read_etc_files',`
+interface(`files_dontaudit_write_etc_dirs',`
gen_require(`
type etc_t;
')
- allow $1 etc_t:dir list_dir_perms;
- read_files_pattern($1, etc_t, etc_t)
- read_lnk_files_pattern($1, etc_t, etc_t)
- files_read_etc_runtime_files($1)
- files_read_config_files($1)
+ dontaudit $1 etc_t:dir write;
+')
+
+##########################################
+## <summary>
+## Manage generic directories in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_dirs_pattern($1, etc_t, etc_t)
')
########################################
## <summary>
-## Read config files in /etc.
+## Read generic files in /etc.
## </summary>
## <param name="domain">
## <summary>
@@ -2021,14 +2169,16 @@
## </summary>
## </param>
#
-interface(`files_read_config_files',`
+interface(`files_read_etc_files',`
gen_require(`
- attribute configfile;
+ type etc_t;
')
- allow $1 configfile:dir list_dir_perms;
- read_files_pattern($1, configfile, configfile)
- read_lnk_files_pattern($1, configfile, configfile)
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, etc_t)
+ read_lnk_files_pattern($1, etc_t, etc_t)
+ files_read_etc_runtime_files($1)
+ files_read_config_files($1)
')
########################################
@@ -2276,8 +2426,8 @@
')
allow $1 etc_t:dir list_dir_perms;
- read_files_pattern($1, etc_runtime_t, etc_runtime_t)
- read_lnk_files_pattern($1, etc_runtime_t, etc_runtime_t)
+ read_files_pattern($1, etc_t, etc_runtime_t)
+ read_lnk_files_pattern($1, etc_t, etc_runtime_t)
')
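Review bot: Changing `read_files_pattern($1, etc_runtime_t, etc_runtime_t)` to `read_files_pattern($1, etc_t, etc_runtime_t)` drops search on `etc_runtime_t` directories; that is correct when etc_runtime_t is only applied to files directly under etc_t directories, but if any directory carries etc_runtime_t (files.fc is not on this page) reads beneath it will now be denied. A short comment, `# etc_runtime_t files live directly in etc_t directories`, would record the assumption. The enclosing interface starts before this hunk.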
########################################
@@ -2654,6 +2804,7 @@
')
allow $1 home_root_t:dir getattr;
+ allow $1 home_root_t:lnk_file getattr;
')
########################################
@@ -2674,6 +2825,7 @@
')
dontaudit $1 home_root_t:dir getattr;
+ dontaudit $1 home_root_t:lnk_file getattr;
')
########################################
@@ -2692,6 +2844,7 @@
')
allow $1 home_root_t:dir search_dir_perms;
+ allow $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -2711,6 +2864,7 @@
')
dontaudit $1 home_root_t:dir search_dir_perms;
+ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -2730,6 +2884,7 @@
')
dontaudit $1 home_root_t:dir list_dir_perms;
+ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -2748,6 +2903,25 @@
')
allow $1 home_root_t:dir list_dir_perms;
+ allow $1 home_root_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Relabel to user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelto;
')
########################################
@@ -3480,6 +3654,24 @@
read_files_pattern($1, tmp_t, tmp_t)
')
+#######################################
+## <summary>
+## dontaudit Read and write files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Manage temporary directories in /tmp.
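Review bot: The new `files_dontaudit_rw_tmp_files` documents its parameter as `Domain allowed access.` although the interface only suppresses audit messages and grants nothing; the other dontaudit interfaces in this file use `## Domain to not audit.`. The summary `dontaudit Read and write files in the tmp directory (/tmp).` would read better as `## Do not audit attempts to read and write generic files in /tmp.`, and the separator above it is one character shorter than the file's usual 40.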
@@ -3598,26 +3790,25 @@
########################################
## <summary>
-## Do not audit attempts to get the attributes
-## of all tmp files.
+## List all tmp directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`files_dontaudit_getattr_all_tmp_files',`
+interface(`files_list_all_tmp',`
gen_require(`
attribute tmpfile;
')
- dontaudit $1 tmpfile:file getattr;
+ allow $1 tmpfile:dir list_dir_perms;
')
########################################
## <summary>
-## Allow attempts to get the attributes
+## Do not audit attempts to get the attributes
## of all tmp files.
## </summary>
## <param name="domain">
@@ -3626,18 +3817,18 @@
## </summary>
## </param>
#
-interface(`files_getattr_all_tmp_files',`
+interface(`files_dontaudit_getattr_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
- allow $1 tmpfile:file getattr;
+ dontaudit $1 tmpfile:file getattr;
')
########################################
## <summary>
-## Do not audit attempts to get the attributes
-## of all tmp sock_file.
+## Allow attempts to get the attributes
+## of all tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -3645,30 +3836,31 @@
## </summary>
## </param>
#
-interface(`files_dontaudit_getattr_all_tmp_sockets',`
+interface(`files_getattr_all_tmp_files',`
gen_require(`
attribute tmpfile;
')
- dontaudit $1 tmpfile:sock_file getattr;
+ allow $1 tmpfile:file getattr;
')
########################################
## <summary>
-## List all tmp directories.
+## Do not audit attempts to get the attributes
+## of all tmp sock_file.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain not to audit.
## </summary>
## </param>
#
-interface(`files_list_all_tmp',`
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
gen_require(`
attribute tmpfile;
')
- allow $1 tmppfile:dir list_dir_perms;
+ dontaudit $1 tmpfile:sock_file getattr;
')
########################################
@@ -4438,7 +4630,7 @@
########################################
## <summary>
-## Set the attributes of the /var/run directory.
+## Search the /var/lib directory.
## </summary>
## <param name="domain">
## <summary>
@@ -4446,17 +4638,17 @@
## </summary>
## </param>
#
-interface(`files_setattr_pid_dirs',`
+interface(`files_search_var_lib',`
gen_require(`
- type var_run_t;
+ type var_t, var_lib_t;
')
- allow $1 var_run_t:dir setattr;
+ search_dirs_pattern($1, var_t, var_lib_t)
')
########################################
## <summary>
-## Search the /var/lib directory.
+## List the contents of the /var/lib directory.
## </summary>
## <param name="domain">
## <summary>
@@ -4464,17 +4656,17 @@
## </summary>
## </param>
#
-interface(`files_search_var_lib',`
+interface(`files_list_var_lib',`
gen_require(`
type var_t, var_lib_t;
')
- search_dirs_pattern($1, var_t, var_lib_t)
+ list_dirs_pattern($1, var_t, var_lib_t)
')
-########################################
+###########################################
## <summary>
-## List the contents of the /var/lib directory.
+## Read-write /var/lib directories
## </summary>
## <param name="domain">
## <summary>
@@ -4482,12 +4674,12 @@
## </summary>
## </param>
#
-interface(`files_list_var_lib',`
+interface(`files_rw_var_lib_dirs',`
gen_require(`
- type var_t, var_lib_t;
+ type var_lib_t;
')
- list_dirs_pattern($1, var_t, var_lib_t)
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
########################################
@@ -4846,6 +5038,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
+#######################################
+## <summary>
+## Create generic pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_var_run_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search
@@ -4970,9 +5181,9 @@
rw_files_pattern($1, var_run_t, var_run_t)
')
-#######################################
+########################################
## <summary>
-## Create generic pid directory.
+## Do not audit attempts to getattr daemon runtime data files.
## </summary>
## <param name="domain">
## <summary>
@@ -4980,13 +5191,12 @@
## </summary>
## </param>
#
-interface(`files_create_var_run_dirs',`
+interface(`files_dontaudit_getattr_all_pids',`
gen_require(`
- type var_t, var_run_t;
+ attribute pidfile;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir create_dir_perms;
+ dontaudit $1 pidfile:file getattr;
')
########################################
@@ -5009,24 +5219,6 @@
########################################
## <summary>
-## Do not audit attempts to getattr daemon runtime data files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_dontaudit_getattr_all_pids',`
- gen_require(`
- attribute pidfile;
- ')
-
- dontaudit $1 pidfile:file getattr;
-')
-
-########################################
-## <summary>
## Do not audit attempts to ioctl daemon runtime data files.
## </summary>
## <param name="domain">
@@ -5131,6 +5323,24 @@
########################################
## <summary>
+## Set the attributes of the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir setattr;
+')
+
+########################################
+## <summary>
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
@@ -5537,3 +5747,23 @@
dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all leaked files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_leaks',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-21 20:44:28.935574123 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2010-03-05 16:29:41.548811715 +0100
@@ -1,5 +1,5 @@
-policy_module(files, 1.12.0)
+policy_module(files, 1.12.2)
########################################
#
@@ -11,6 +11,8 @@
attribute lockfile;
attribute mountpoint;
attribute pidfile;
+attribute etcfile;
+attribute configfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -53,9 +55,6 @@
#
# etc_t is the type of the system etc directories.
#
-attribute etcfile;
-attribute configfile;
-
type etc_t, configfile;
files_type(etc_t)
# compatibility aliases for removed types:
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-03-23 13:14:01.858389781 +0100
@@ -988,6 +988,25 @@
exec_files_pattern($1, cifs_t, cifs_t)
')
+######################################
+## <summary>
+## Make general progams in cifs an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_cifs_entry_type',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file entrypoint;
+')
+
########################################
## <summary>
## Create, read, write, and delete directories
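Review bot: `fs_cifs_entry_type` makes every file on a CIFS mount a valid entrypoint for the calling domain; `cifs_t` is applied to the whole mount by genfscon rather than from per-file xattrs, so the entry binary is indistinguishable from any other file the remote server chooses to serve. The summary should make that trust decision explicit, e.g. `## Note: cifs_t labels the whole share, so any file the server exports can serve as the entrypoint.`. The summary text also misspells `programs` as `progams`.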
@@ -1632,6 +1651,36 @@
########################################
## <summary>
+## Create an object in a hugetlbfs filesystem, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`fs_hugetlbfs_filetrans',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3)
+')
+
+########################################
+## <summary>
## Search inotifyfs filesystem.
## </summary>
## <param name="domain">
@@ -1668,6 +1717,24 @@
########################################
## <summary>
+## Dontaudit List inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Mount an iso9660 filesystem, which
## is usually used on CDs.
## </summary>
@@ -2010,6 +2077,25 @@
exec_files_pattern($1, nfs_t, nfs_t)
')
+######################################
+## <summary>
+## Make general progams in nfs an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file entrypoint;
+')
+
########################################
## <summary>
## Append files
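Review bot: `fs_nfs_entry_type` has the same caveat as its CIFS twin earlier in this patch: `nfs_t` covers an entire mount (and, per the genfscon lines nearby in filesystem.te, several other network filesystems), so any file the NFS server exports becomes an acceptable entrypoint for the domain. A one-line warning in the summary, `## nfs_t labels whole mounts; the entrypoint file is trusted only as far as the server is.`, would make callers think before using it. The summary repeats the `progams` typo.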
@@ -3186,6 +3272,24 @@
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
')
+#######################################
+## <summary>
+## dontaudit Read and write block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+')
+
########################################
## <summary>
## Mount a tmpfs filesystem.
@@ -3496,6 +3600,24 @@
########################################
## <summary>
+## Read generic tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
## Read and write generic tmpfs files.
## </summary>
## <param name="domain">
@@ -3722,7 +3844,7 @@
########################################
## <summary>
-## Mount a XENFS filesystem.
+## Search the XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
@@ -3730,17 +3852,17 @@
## </summary>
## </param>
#
-interface(`fs_mount_xenfs',`
+interface(`fs_search_xenfs',`
gen_require(`
type xenfs_t;
')
- allow $1 xenfs_t:filesystem mount;
+ allow $1 xenfs_t:dir search_dir_perms;
')
########################################
## <summary>
-## Search the XENFS filesystem.
+## Mount a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
@@ -3748,12 +3870,12 @@
## </summary>
## </param>
#
-interface(`fs_search_xenfs',`
+interface(`fs_mount_xenfs',`
gen_require(`
type xenfs_t;
')
- allow $1 xenfs_t:dir search_dir_perms;
+ allow $1 xenfs_t:filesystem mount;
')
########################################
@@ -3891,6 +4013,44 @@
allow $1 filesystem_type:filesystem unmount;
')
+######################################
+## <summary>
+## Get the attributes of all block files
+## with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_blk_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:blk_file getattr;
+')
+
+#####################################
+## <summary>
+## Get the attributes of all character files
+## with a filesystem type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_all_chr_files',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:chr_file getattr;
+')
+
########################################
## <summary>
## Get the attributes of all persistent
@@ -4297,6 +4457,26 @@
########################################
## <summary>
+## Read files on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## Read and write files on cgroup
## file systems.
## </summary>
@@ -4409,3 +4589,23 @@
write_files_pattern($1, cgroup_t, cgroup_t)
')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all leaked filesystems files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_leaks',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
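Review bot: `fs_dontaudit_leaks` covers every `filesystem_type`, but nothing in the hunk says how it relates to `files_dontaudit_leaks` added to files.if in this same patch; a leaked descriptor can point at a labeled persistent file or at a genfs/pseudo filesystem file, so a caller that picks only one of the two will keep seeing half the AVCs it wanted to silence. A summary note such as `## Pair with files_dontaudit_leaks() for files on labeled persistent filesystems.` would avoid that. As in files.if, the `{ read }` braces around a single permission are unnecessary.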
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-01-18 18:24:22.705531020 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2010-02-11 20:29:53.802696084 +0100
@@ -1,5 +1,5 @@
-policy_module(filesystem, 1.12.0)
+policy_module(filesystem, 1.12.1)
########################################
#
@@ -178,6 +178,11 @@
allow tmpfs_t noxattrfs:filesystem associate;
+type xenfs_t;
+fs_noxattr_type(xenfs_t)
+files_mountpoint(xenfs_t)
+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
+
##############################
#
# Filesystems without extended attribute support
@@ -260,11 +265,6 @@
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
-type xenfs_t;
-fs_noxattr_type(xenfs_t)
-files_mountpoint(xenfs_t)
-genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
-
########################################
#
# Rules for all filesystem types
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-01-18 18:24:22.708530703 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2010-04-02 14:36:27.722599933 +0200
@@ -610,6 +610,24 @@
search_dirs_pattern($1, debugfs_t, debugfs_t)
')
+#######################################
+## <summary>
+## dontaudit search the contents of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:dir search_dir_perms;
+')
+
########################################
## <summary>
## Read information from the debugging filesystem.
@@ -2063,6 +2081,24 @@
dontaudit $1 unlabeled_t:dir list_dir_perms;
')
+#######################################
+## <summary>
+## Read and write unlabeled files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Read and write unlabeled directories.
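Review bot: `kernel_rw_unlabeled_files` grants read/write on `unlabeled_t`, which is the fallback type for any mislabeled, foreign-filesystem or pre-relabel file on the whole system, so the one-line summary badly understates the reach of the rule. The summary should carry a caution along the lines of `## unlabeled_t is the catch-all for mislabeled content; fix the labeling (genfscon/relabel) instead where possible and gate callers behind hide_broken_symptoms.`, which matches how afs.te uses it later in this patch. Leaving `<rolecap/>` off is right; this should not be reachable from role templates.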
@@ -2732,3 +2768,21 @@
allow $1 kernel_t:unix_stream_socket connectto;
')
+
+#######################################
+## <summary>
+## Send a kill signal to kernel processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_sigkill',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process sigkill;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.6.32/policy/modules/kernel/mcs.if
--- nsaserefpolicy/policy/modules/kernel/mcs.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/kernel/mcs.if 2010-04-22 18:28:30.008859987 +0200
@@ -3,6 +3,46 @@
## Contains attributes used in MCS policy.
## </required>
+#######################################
+## <summary>
+## This domain is allowed to read files and directories
+## regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_file_read_all',`
+ gen_require(`
+ attribute mcsreadall;
+ ')
+
+ typeattribute $1 mcsreadall;
+')
+
+#######################################
+## <summary>
+## This domain is allowed to write files and directories
+## regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_file_write_all',`
+ gen_require(`
+ attribute mcswriteall;
+ ')
+
+ typeattribute $1 mcswriteall;
+')
+
########################################
## <summary>
## This domain is allowed to sigkill and sigstop
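Review bot: `mcs_file_read_all` and `mcs_file_write_all` only attach the `mcsreadall`/`mcswriteall` attributes, and while mcs.te in this patch declares those attributes, no change to the MCS constraints that would actually exempt them from category checks is visible in this diff; if that change is not elsewhere in the series, these interfaces are silent no-ops and callers will believe they have bypassed categories when they have not. A summary line naming the constraint that honours the attribute (e.g. `## Exempted via the mcs file constraints in policy/mcs.`) would let a reviewer verify the pairing. The `<param>` text `Domain target for user exemption.` is copied from the process-level interfaces and should describe files, e.g. `Domain exempt from MCS category checks on files.`.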
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.6.32/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/kernel/mcs.te 2010-04-22 18:28:45.940609483 +0200
@@ -9,3 +9,5 @@
attribute mcskillall;
attribute mcsptraceall;
attribute mcssetcats;
+attribute mcswriteall;
+attribute mcsreadall;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-01-18 18:24:22.714539638 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2010-04-08 11:06:41.815365567 +0200
@@ -535,6 +535,26 @@
########################################
## <summary>
+## Do not audit attempts made by the caller to write
+## removable devices device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to not audit.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_write_removable_device',`
+ gen_require(`
+ type removable_device_t;
+
+ ')
+
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+')
+
+########################################
+## <summary>
## Allow the caller to set the attributes of removable
## devices device nodes.
## </summary>
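Review bot: `storage_dontaudit_write_removable_device` has a stray blank line inside its `gen_require(` block after `type removable_device_t;`, which none of the neighbouring interfaces in this file have; drop it so the block reads like the others. The `<param>` text `The type of the process to not audit.` is fine, but `<summary>` says "write removable devices device nodes" — `write removable device nodes` reads better.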
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-01-18 18:24:22.716539752 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-26 09:33:59.084547345 +0100
@@ -241,6 +241,25 @@
########################################
## <summary>
+## Do not audit attempts to read from the console.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_dontaudit_read_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dontaudit $1 console_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
## Read from and write to the console.
## </summary>
## <param name="domain">
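Review bot: `term_dontaudit_read_console` carries a `<rolecap/>` tag, but the interface only emits a `dontaudit` rule and grants nothing a role could exercise, so the tag should be removed; the other dontaudit interfaces in this file (`term_dontaudit_use_console` just below, `term_dontaudit_use_all_ptys` later in this patch) do not carry it.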
@@ -273,11 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
- type tty_device_t;
')
+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+ term_dontaudit_use_unallocated_ttys($1)
+ term_dontaudit_use_generic_ptys($1)
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -654,6 +673,126 @@
########################################
## <summary>
+## Relabel to all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabelto_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ allow $1 ptynode:chr_file relabelto;
+')
+
+########################################
+## <summary>
+## Write to all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_write_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ptynode:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write all ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 ptynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write any ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Relabel from and to all pty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ relabel_chr_files_pattern($1, devpts_t, ptynode)
+')
+
+########################################
+## <summary>
+## Get the attributes of all user
+## pty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_getattr_all_user_ptys',`
+ gen_require(`
+ attribute ptynode;
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 ptynode:chr_file getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read and
## write the pty multiplexor (/dev/ptmx).
## </summary>
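Review bot: `term_use_all_ptys` grants `ptynode:chr_file { rw_term_perms lock append }` while `term_use_all_ttys`, added later in this patch, grants `rw_chr_file_perms`; the two "use all" interfaces should grant the same permission set or their summaries should say why ptys get lock/append and ttys do not. The `term_getattr_all_user_ptys` added here has a body identical to the existing interface that the next hunk renames to `term_getattr_all_ptys` (`allow $1 ptynode:chr_file getattr;`), so the `_user_` variant does not restrict itself to user ptys at all; either narrow it or mark it deprecated in favour of the renamed one. `term_relabelto_all_ptys` is also the only pty interface in this hunk that omits `dev_list_all_dev_nodes($1)`, which may be intentional but is worth a comment.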
@@ -673,7 +812,7 @@
########################################
## <summary>
-## Get the attributes of all user
+## Get the attributes of all
## pty device nodes.
## </summary>
## <param name="domain">
@@ -683,7 +822,7 @@
## </param>
## <rolecap/>
#
-interface(`term_getattr_all_user_ptys',`
+interface(`term_getattr_all_ptys',`
gen_require(`
attribute ptynode;
type devpts_t;
@@ -697,6 +836,26 @@
########################################
## <summary>
## Do not audit attempts to get the
+## attributes of any pty
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_getattr_all_ptys',`
+ gen_require(`
+ attribute ptynode;
+ ')
+
+ dontaudit $1 ptynode:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
## attributes of any user pty
## device nodes.
## </summary>
@@ -1098,6 +1257,25 @@
allow $1 ttynode:chr_file getattr;
')
+#######################################
+## <summary>
+## Relabel from and to all tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file { relabelfrom relabelto };
+')
+
########################################
## <summary>
## Do not audit attempts to get the
@@ -1142,6 +1320,26 @@
########################################
## <summary>
+## Set the attributes of all tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file setattr;
+')
+
+########################################
+## <summary>
## Relabel from and to all user
## user tty device nodes.
## </summary>
@@ -1201,6 +1399,45 @@
########################################
## <summary>
+## Read and write all ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_use_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 ttynode:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## any ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_dontaudit_use_all_ttys',`
+ gen_require(`
+ attribute ttynode;
+ ')
+
+ dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write
## any user ttys.
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.32/policy/modules/roles/auditadm.te
--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/roles/auditadm.te 2010-02-26 17:30:38.456615603 +0100
@@ -33,6 +33,8 @@
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
+userdom_dontaudit_search_admin_dir(auditadm_t)
+
optional_policy(`
consoletype_exec(auditadm_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.6.32/policy/modules/roles/secadm.te
--- nsaserefpolicy/policy/modules/roles/secadm.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/roles/secadm.te 2010-02-26 17:31:00.881606103 +0100
@@ -40,6 +40,8 @@
logging_read_generic_logs(secadm_t)
logging_read_audit_config(secadm_t)
+userdom_dontaudit_search_admin_dir(secadm_t)
+
optional_policy(`
aide_run(secadm_t, secadm_r)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-04-16 09:26:27.070614882 +0200
@@ -23,9 +23,15 @@
kernel_getattr_message_if(staff_t)
kernel_read_software_raid_state(staff_t)
+fs_exec_noxattr(staff_t)
+
auth_domtrans_pam_console(staff_t)
+init_dbus_chat_script(staff_t)
+
seutil_run_newrole(staff_t, staff_r)
+seutil_read_module_store(staff_t)
+
netutils_run_ping(staff_t, staff_r)
optional_policy(`
@@ -76,20 +82,20 @@
webadm_role_change(staff_r)
')
-domain_read_all_domains_state(staff_t)
-domain_getattr_all_domains(staff_t)
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
domain_obj_id_change_exemption(staff_t)
-files_read_kernel_modules(staff_t)
+files_read_kernel_modules(staff_usertype)
-kernel_read_fs_sysctls(staff_t)
+kernel_read_fs_sysctls(staff_usertype)
-modutils_read_module_config(staff_t)
-modutils_read_module_deps(staff_t)
+modutils_read_module_config(staff_usertype)
+modutils_read_module_deps(staff_usertype)
-miscfiles_read_hwdata(staff_t)
+miscfiles_read_hwdata(staff_usertype)
-term_use_unallocated_ttys(staff_t)
+term_use_unallocated_ttys(staff_usertype)
optional_policy(`
gnomeclock_dbus_chat(staff_t)
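Review bot: switching these calls from `staff_t` to `staff_usertype` widens them from the login shell to every type carrying that attribute (presumably every staff application domain the userdom templates derive), so each of those domains can now read all domains' /proc state, read kernel modules, read fs sysctls and use unallocated ttys. That is a larger grant than the mechanical substitution suggests; `term_use_unallocated_ttys(staff_usertype)` in particular deserves a justification comment, since application domains normally reach a terminal only through the user's own tty/pty types. If one or two specific application domains needed these, granting them there would be tighter.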
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-01-18 18:24:22.719529727 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-03-11 21:20:40.181057088 +0100
@@ -29,6 +29,7 @@
corecmd_exec_shell(sysadm_t)
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
@@ -129,6 +130,10 @@
')
optional_policy(`
+ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
@@ -217,6 +222,7 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
+ mount_run_showmount(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -314,7 +320,11 @@
')
optional_policy(`
- tzdata_domtrans(sysadm_t)
+ shutdown_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tzdata_run(sysadm_t, sysadm_r)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100
@@ -2,7 +2,10 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
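Review bot: relabelling `/usr/bin/vncserver` from `unconfined_notrans_exec_t` to `unconfined_exec_t` and adding `xrdp` and `xrdp-sesman` with the same label means the init scripts now transition these daemons into `unconfined_t`; xrdp is the RDP server, i.e. a network-facing service, so this removes confinement from something reachable from the network, which the comment above ("until someone writes a sane policy") acknowledges only in passing. A comment per entry naming the missing policy module or tracking bug would keep the temporary nature auditable, e.g. `# TODO: xrdp needs its own domain; unconfined until then`.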
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-05-05 15:46:53.873628549 +0200
@@ -39,6 +39,8 @@
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
domain_user_exemption_target(unconfined_t)
allow system_r unconfined_r;
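Review bot: the hunk adds `allow system_r unconfined_r;` directly after the new `role_transition`, but the identical rule is already present two lines below (`allow system_r unconfined_r;`), so one of the two should be removed. The `role_transition system_r unconfined_exec_t unconfined_r;` is what turns the .fc change for vncserver/xrdp in this patch into a full `unconfined_t:unconfined_r` process for any system_r domain that can domain-transition on `unconfined_exec_t`; a short comment stating that intent, e.g. `# init scripts exec'ing unconfined_exec_t end up fully unconfined`, would keep it from being read as accidental.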
@@ -148,6 +150,10 @@
')
optional_policy(`
+ lvm_run(unconfined_usertype, unconfined_r)
+ ')
+
+ optional_policy(`
networkmanager_dbus_chat(unconfined_usertype)
')
@@ -171,7 +177,7 @@
optional_policy(`
xserver_rw_shm(unconfined_usertype)
xserver_run_xauth(unconfined_usertype, unconfined_r)
- xserver_xdm_dbus_chat(unconfined_usertype)
+ xserver_dbus_chat_xdm(unconfined_usertype)
')
')
@@ -268,6 +274,7 @@
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
+ userdom_unpriv_usertype(unconfined, unconfined_java_t)
optional_policy(`
rpm_domtrans(unconfined_java_t)
@@ -344,7 +351,11 @@
')
optional_policy(`
- tzdata_run(unconfined_t, unconfined_r)
+ shutdown_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ tzdata_run(unconfined_usertype, unconfined_r)
')
optional_policy(`
@@ -405,7 +416,7 @@
type unconfined_execmem_t;
type nsplugin_exec_t;
')
- domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
+ #domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t)
')
')
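Review bot: commenting out `domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)` leaves dead code in the policy, and as far as this hunk shows `mozilla_exec_t` may now be an unused entry in the surrounding `gen_require` (the block's opening is outside the hunk). Delete the line and record why the execmem transition is no longer wanted — presumably the mozilla module's own transition now applies, but that is not visible here — e.g. `# mozilla transition handled by the mozilla module`.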
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-01-18 18:24:22.723539874 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2010-03-23 13:11:59.616406881 +0100
@@ -13,6 +13,8 @@
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
+
optional_policy(`
kerneloops_dontaudit_dbus_chat(user_t)
')
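Review bot: `fs_exec_noxattr(user_t)` is added unconditionally for the default unprivileged user domain, allowing execution of binaries from label-less filesystems (removable media, network mounts with genfscon types); that drops the label-based exec check that is one of the main reasons to confine user_t at all. Consider gating it behind a boolean so sites can keep it off, and add a comment stating the use case, e.g. `# run binaries from removable/noxattr media`.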
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-03-15 10:36:16.988623468 +0100
@@ -15,7 +15,7 @@
## <desc>
## <p>
-## Allow xguest to configure Network Manager
+## Allow xguest to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)
@@ -55,6 +55,10 @@
allow xguest_t self:process execmem;
+tunable_policy(`allow_execstack',`
+ allow xguest_t self:process execstack;
+')
+
# Allow mounting of file systems
optional_policy(`
tunable_policy(`xguest_mount_media',`
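Review bot: `allow xguest_t self:process execstack;` is gated on `allow_execstack`, which is presumably the system-wide boolean, so an administrator who enabled it for some other application silently also loses the non-executable-stack mitigation for the most restricted login domain. If a specific xguest application needs executable stacks, name it in a comment above the block, e.g. `# needed by <app> under xguest; otherwise leave allow_execstack off`; if not, drop the block and let the guest fail closed.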
@@ -100,6 +104,7 @@
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
networkmanager_read_var_lib_files(xguest_t)
+ kernel_read_network_state(xguest_usertype)
corenet_tcp_connect_pulseaudio_port(xguest_usertype)
corenet_all_recvfrom_unlabeled(xguest_usertype)
corenet_all_recvfrom_netlabel(xguest_usertype)
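Review bot: `kernel_read_network_state(xguest_usertype)` exposes /proc/net (every local connection and listening socket) to all xguest application domains, which is more than a guest needs in order to let NetworkManager bring up a link. If a particular tool requires it, name it in a comment, e.g. `# nm-applet reads /proc/net for link status`; the tunable description was also widened to "connect to apache ports" in the earlier hunk, but no http port rule appears here, so that part may be unfinished or live elsewhere.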
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100
@@ -35,6 +35,11 @@
')
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit abrt_helper_t $1:socket_class_set { read write };
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+ ')
')
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-04-16 09:34:12.464614739 +0200
@@ -96,16 +96,19 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
+dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_memory_dev(abrt_t)
+dev_dontaudit_read_raw_memory(abrt_t)
+domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_var_lib_files(abrt_t)
+files_read_var_symlinks(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
@@ -119,6 +122,7 @@
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
+fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
@@ -173,9 +177,23 @@
')
optional_policy(`
+ sosreport_domtrans(abrt_t)
+')
+
+optional_policy(`
sssd_stream_connect(abrt_t)
')
+ifdef(`hide_broken_symptoms', `
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
+')
+
permissive abrt_t;
########################################
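Review bot: the `hide_broken_symptoms` block grants real access — `allow abrt_t domain:file write;`, `allow abrt_t domain:process setrlimit;` and `sys_resource` — rather than `dontaudit` rules, so with that build flag set abrt can write to the /proc/<pid> files of every domain on the system, which covers far more than a crash collector should be able to change. If a specific proc file is needed, say which in a comment and consider a narrower target; `permissive abrt_t;` two lines below already means denials are not enforced, so these allows mainly silence AVCs, which is what `dontaudit` is for.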
@@ -183,7 +201,7 @@
# abrt--helper local policy
#
-allow abrt_helper_t self:capability { chown setgid };
+allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;
read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
@@ -200,10 +218,16 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
+fs_getattr_all_fs(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
+term_dontaudit_use_all_ttys(abrt_helper_t)
+term_dontaudit_use_all_ptys(abrt_helper_t)
+
auth_use_nsswitch(abrt_helper_t)
+logging_send_syslog_msg(abrt_helper_t)
+
miscfiles_read_localization(abrt_helper_t)
userdom_dontaudit_use_user_terminals(abrt_helper_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2010-01-18 18:24:22.729540009 +0100
+++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-04-13 14:21:06.657602292 +0200
@@ -1,5 +1,5 @@
-policy_module(afs, 1.5.0)
+policy_module(afs, 1.5.1)
########################################
#
@@ -72,7 +72,7 @@
#
allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
-allow afs_t self:process setsched;
+allow afs_t self:process { fork setsched signal };
allow afs_t self:udp_socket create_socket_perms;
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket create_stream_socket_perms;
@@ -88,6 +88,7 @@
fs_getattr_xattr_fs(afs_t)
fs_mount_nfs(afs_t)
+fs_read_nfs_symlinks(afs_t)
kernel_rw_afs_state(afs_t)
@@ -105,6 +106,12 @@
miscfiles_read_localization(afs_t)
+sysnet_dns_name_resolve(afs_t)
+
+ifdef(`hide_broken_symptoms', `
+ kernel_rw_unlabeled_files(afs_t)
+')
+
########################################
#
# AFS bossserver local policy
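Review bot: `kernel_rw_unlabeled_files(afs_t)` inside the `hide_broken_symptoms` block is an allow rule, whereas that build flag is conventionally used to hide noise with dontaudit rules; unlabeled_t covers any file the policy has no label for, so this is a real read/write grant, not a cosmetic change. If the goal is only to stop AVC noise, a dontaudit rule on unlabeled files keeps the flag's meaning; if afs genuinely must access unlabeled content, say so in a comment such as `# AFS cache content may be unlabeled; rw access is required, not merely silenced`. The afs_t section this sits in continues outside the hunk.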
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.32/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 2010-01-18 18:24:22.729540009 +0100
+++ serefpolicy-3.6.32/policy/modules/services/aisexec.fc 2010-02-17 15:26:59.638613137 +0100
@@ -8,5 +8,3 @@
/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
-
-/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.32/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-01-18 18:24:22.731542358 +0100
+++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2010-02-17 12:12:36.836863654 +0100
@@ -75,8 +75,6 @@
corenet_tcp_bind_reserved_port(aisexec_t)
corenet_udp_bind_cluster_port(aisexec_t)
-ccs_stream_connect(aisexec_t)
-
corecmd_exec_bin(aisexec_t)
kernel_read_system_state(aisexec_t)
@@ -95,6 +93,11 @@
logging_send_syslog_msg(aisexec_t)
+optional_policy(`
+ ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
# to communication with RHCS
dlm_controld_manage_tmpfs_files(aisexec_t)
dlm_controld_rw_semaphores(aisexec_t)
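Review bot: The `optional_policy(` opened after the ccs block wraps calls to both dlm_controld_* and groupd_* interfaces, and its closing `')` lands in the next hunk; if those interfaces come from separate modules, the whole block is dropped whenever either is absent, so aisexec silently loses access to the one that is installed. If both live in the same module, a one-line comment saying so would pre-empt the question; otherwise split them into two optional_policy blocks. While touching it, the context comment `# to communication with RHCS` reads better as `# to communicate with RHCS`.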
@@ -109,4 +112,5 @@
groupd_manage_tmpfs_files(aisexec_t)
groupd_rw_semaphores(aisexec_t)
groupd_rw_shm(aisexec_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2010-01-18 18:24:22.732530124 +0100
+++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2010-02-01 21:16:32.215094407 +0100
@@ -138,6 +138,7 @@
auth_dontaudit_read_shadow(amavis_t)
+init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-03-23 13:02:01.304641071 +0100
@@ -8,10 +8,12 @@
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
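Review bot: `/etc/mock/koji(/.*)?` and `/etc/zabbix/web(/.*)?` are labeled httpd_sys_content_rw_t, which makes configuration under /etc writable by httpd_t and by every httpd_sys_script_t CGI, so a compromised web application could rewrite those configs. If the web server only reads them, httpd_sys_content_t (or httpd_config_t for real configuration) is the narrower label; if the applications genuinely write there, a comment naming what is written would justify rw. The `/etc/mock/koji` entry is also inserted before `/etc/lighttpd`, breaking the alphabetical order the rest of the list keeps.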
@@ -47,6 +49,7 @@
/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
@@ -66,11 +69,14 @@
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+#/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
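Review bot: The cobbler webui_sessions entry is commented out rather than removed, leaving dead text in the file contexts; if the label now comes from another module, delete the line, and if the directory is meant to fall back to var_lib_t, note that httpd_t will then lose write access to it. Suggested replacement for the commented line: remove it, or annotate it `# labeled by the cobbler module` if that is the case. The new `/var/lib/koji(/.*)?` entry is also wrapped in blank lines unlike its neighbours.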
@@ -82,6 +88,8 @@
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -108,6 +116,7 @@
/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
+/var/lib/smokeping(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-11 17:59:31.278624767 +0200
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
#This type is for webpages
type httpd_$1_content_t;
@@ -55,6 +56,7 @@
allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
allow httpd_$1_script_t httpd_t:fifo_file write;
@@ -123,6 +125,8 @@
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
')
tunable_policy(`httpd_enable_cgi',`
@@ -833,6 +837,27 @@
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
+#######################################
+## <summary>
+## Allow the specified domain to list
+## apache system content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
########################################
## <summary>
## Allow the specified domain to manage
@@ -1112,6 +1137,45 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
+#######################################
+## <summary>
+## Allow the specified domain to read
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_read_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
+#######################################
+## <summary>
+## Dontaudit attempts to write
+## apache tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_write_tmp_files',`
+ gen_require(`
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_tmp_t:file write;
+')
+
########################################
## <summary>
## Execute CGI in the specified domain.
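Review bot: `apache_dontaudit_write_tmp_files` documents its parameter as `Domain allowed access.`, but a dontaudit interface grants nothing; the reference policy wording is `Domain to not audit.`. The interface silences only `file write`, so if the denials being hidden include `open` or `append` on httpd_tmp_t they will still be logged, which is worth checking against the AVCs that motivated it. The two new `###` header lines also appear one character shorter than the existing ones in this file.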
@@ -1167,6 +1231,29 @@
allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
')
+#######################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+')
+
+
+
########################################
## <summary>
## Do not audit attempts to read and write Apache
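Review bot: The summary of `apache_dontaudit_leaks` reads `dontaudit read and write an leaked file descriptors`; suggest `## Do not audit attempts to read and write leaked Apache file descriptors.` and the parameter text `Domain to not audit.`, matching the neighbouring interface. The three blank lines after the closing `')` should collapse to one. Silencing tcp_socket read/write on httpd_t descriptors also hides the very denial that would reveal a descriptor leaking across a domain transition, so callers should be limited to domains httpd_t actually transitions into.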
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-04-06 08:21:30.569541120 +0200
@@ -67,6 +67,13 @@
## <desc>
## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
+## <desc>
+## <p>
## Allow HTTPD scripts and modules to connect to databases over the network.
## </p>
## </desc>
@@ -309,7 +316,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
@@ -351,7 +358,8 @@
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -363,10 +371,10 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
-setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -400,7 +408,9 @@
dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
+fs_list_inotifyfs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
auth_use_nsswitch(httpd_t)
@@ -458,6 +468,7 @@
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
## <desc>
@@ -483,8 +494,14 @@
corenet_tcp_connect_pop_port(httpd_t)
corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
- mta_send_mail(httpd_sys_script_t)
mta_signal(httpd_t)
+
+ corenet_tcp_connect_smtp_port(httpd_sys_script_t)
+ corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_pop_port(httpd_sys_script_t)
+ corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
+ mta_send_mail(httpd_sys_script_t)
+ mta_signal(httpd_sys_script_t)
')
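Review bot: The new side gives httpd_sys_script_t its own `corenet_tcp_connect_smtp_port` and `corenet_tcp_connect_pop_port` access in addition to `mta_send_mail`, so under this tunable CGI scripts can talk SMTP and POP to any host directly rather than only through the local MTA domain; that is a larger grant than the former `mta_send_mail(httpd_sys_script_t)` alone. The `tunable_policy(` line and the tunable's `<desc>` are outside the hunk, so please check the description says scripts, not only the server, gain network access to mail ports. `mta_signal(httpd_sys_script_t)` additionally lets scripts signal the MTA; if only sending is needed, drop it.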
tunable_policy(`httpd_can_network_relay',`
@@ -588,6 +605,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
optional_policy(`
@@ -612,6 +632,11 @@
avahi_dbus_chat(httpd_t)
')
')
+
+optional_policy(`
+ gitosis_read_var_lib(httpd_t)
+')
+
optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
')
@@ -756,8 +781,14 @@
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
-')
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+')
optional_policy(`
mysql_stream_connect(httpd_php_t)
@@ -895,6 +926,9 @@
sysnet_read_config(httpd_sys_script_t)
+logging_inherit_append_all_logs(httpd_sys_script_t)
+logging_send_syslog_msg(httpd_sys_script_t)
+
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
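Review bot: `logging_inherit_append_all_logs(httpd_sys_script_t)` is unconditional and covers every log file type, whereas the existing `distro_redhat` block just below limits scripts to appending httpd_log_t; if the need is only scripts inheriting Apache's own open log descriptors, an apache-specific rule would be the narrower fix. A comment such as `# CGI scripts inherit open log descriptors from httpd` would at least record the intent. The httpd_sys_script_t section this belongs to starts outside the hunk.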
@@ -906,6 +940,7 @@
fs_manage_nfs_files(httpd_sys_script_t)
fs_manage_nfs_symlinks(httpd_sys_script_t)
fs_exec_nfs_files(httpd_sys_script_t)
+ fs_nfs_entry_type(httpd_sys_script_t)
fs_manage_nfs_dirs(httpd_suexec_t)
fs_manage_nfs_files(httpd_suexec_t)
@@ -945,6 +979,7 @@
fs_manage_cifs_files(httpd_suexec_t)
fs_manage_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
+ fs_cifs_entry_type(httpd_sys_script_t)
')
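Review bot: `fs_cifs_entry_type(httpd_sys_script_t)` is placed after the httpd_suexec_t rules, while its NFS counterpart in the earlier hunk sits with the httpd_sys_script_t rules; move it next to `fs_exec_cifs_files(httpd_sys_script_t)` (outside this hunk) for consistency. More importantly, the interface name suggests it marks files on the share as valid entrypoints for httpd_sys_script_t, which would let any file served by a remote share become the script domain's entry point; this sits under the home-dir tunables, but a comment explaining why entrypoint rather than plain execute is required would help.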
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-03-15 10:39:23.254614082 +0100
@@ -31,7 +31,7 @@
#
allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-allow apcupsd_t self:process signal;
+allow apcupsd_t self:process { signal signull };
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
@@ -99,6 +99,10 @@
mta_system_content(apcupsd_tmp_t)
')
+optional_policy(`
+ shutdown_domtrans(apcupsd_t)
+')
+
########################################
#
# apcupsd_cgi Declarations
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100
+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-02-11 20:25:58.833441037 +0100
@@ -64,6 +64,8 @@
corenet_udp_sendrecv_all_ports(arpwatch_t)
dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
+dev_rw_generic_usb_dev(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
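Review bot: `dev_rw_generic_usb_dev(arpwatch_t)` grants read and write on generic USB device nodes to a passive ARP monitor, which is broader than packet capture should need; the accompanying `dev_read_usbmon_dev` suggests libpcap enumerating usbmon interfaces at startup, in which case read access, or a dontaudit for the write side, would likely suffice. Please confirm against the AVC that motivated it and add a comment such as `# libpcap enumerates usbmon/usb devices at startup`.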
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2010-01-18 18:24:22.741530430 +0100
+++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2010-03-18 15:26:43.834514737 +0100
@@ -20,6 +20,25 @@
stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
')
+#####################################
+## <summary>
+## Execute asterisk in the asterisk domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`asterisk_domtrans',`
+ gen_require(`
+ type asterisk_t, asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, asterisk_exec_t, asterisk_t)
+')
+
######################################
## <summary>
## Execute asterisk
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-01-18 18:24:22.742540405 +0100
+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-04-06 08:36:26.295539661 +0200
@@ -104,6 +104,8 @@
corenet_udp_bind_generic_node(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
corenet_udp_bind_sip_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
# for VOIP voice channels.
@@ -128,6 +130,7 @@
files_read_usr_files(asterisk_t)
fs_getattr_all_fs(asterisk_t)
+fs_list_inotifyfs(asterisk_t)
fs_search_auto_mountpoints(asterisk_t)
auth_use_nsswitch(asterisk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 21:19:40.967763409 +0100
@@ -6,4 +6,4 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.32/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/avahi.if 2010-03-15 12:20:34.422613978 +0100
@@ -92,6 +92,7 @@
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
+ allow avahi_t $1:file read;
')
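Review bot: `allow avahi_t $1:file read;` is added to a D-Bus chat interface without saying which file of the peer domain avahi reads; presumably a /proc/<pid> entry of the caller, but as written avahi gets read on every file carrying the caller's domain type, for every domain that chats with it. A comment such as `# avahi reads the caller's /proc/<pid> entries — confirm` and, if that is correct, the dedicated domain interface for reading process state would make the grant explicit. The interface's opening lines are outside the hunk.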
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.32/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-18 18:24:22.744530603 +0100
+++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2010-05-11 15:12:00.780625139 +0200
@@ -104,6 +104,10 @@
')
optional_policy(`
+ networkmanager_dbus_chat(avahi_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(avahi_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-01-18 18:24:22.745530450 +0100
+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-03-01 15:52:05.256741085 +0100
@@ -290,6 +290,25 @@
read_files_pattern($1, named_zone_t, named_zone_t)
')
+#######################################
+## <summary>
+## Manage BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
########################################
## <summary>
## Send and receive datagrams to and from named. (Deprecated)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-18 18:24:22.747539993 +0100
+++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2010-03-15 10:10:44.978613858 +0100
@@ -54,7 +54,7 @@
# Bluetooth services local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
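Review bot: `sys_admin` is added to bluetooth_t's capability set without a comment; it is the catch-all capability and the line gives no hint which operation needs it. Suggest a comment above the rule, e.g. `# sys_admin: TODO record the operation that requires it`, or, if the denial is harmless, a dontaudit like the existing `dontaudit bluetooth_t self:capability sys_tty_config;` line instead of an allow.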
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc 2010-03-01 09:30:08.471741607 +0100
@@ -0,0 +1,28 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
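Review bot: `/var/run/cachefilesd\.pid` is labeled cachefiles_var_t, but the accompanying cachefilesd.te declares `cachefilesd_var_run_t` as a pid file type and uses `files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)`, so a restorecon would relabel the pid file to a type the daemon only has getattr/rename/unlink on, and the pid file would share the cache's label. Change the line to `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`. The comment block above also describes only the executable's label although three other paths follow it.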
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.6.32/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.if 2010-03-01 09:30:08.471741607 +0100
@@ -0,0 +1,41 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+
+## <summary>policy for cachefilesd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run cachefilesd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cachefilesd_domtrans',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+
+ allow $1 cachefilesd_t:fd use;
+ allow cachefilesd_t $1:fd use;
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.6.32/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.te 2010-03-01 09:30:08.471741607 +0100
@@ -0,0 +1,146 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd,1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+require { type kernel_t; }
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+domain_type(cachefilesd_t)
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+rpm_use_script_fds(cachefilesd_t)
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+libs_use_ld_so(cachefilesd_t)
+libs_use_shared_libs(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms;
+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+allow cachefiles_kernel_t initrc_t:process sigchld;
+
+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
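Review bot: `allow cachefiles_kernel_t initrc_t:process sigchld;` references initrc_t without a `gen_require`, while the top-of-file `require { type kernel_t; }` pulls in a type the module never uses; unless initrc_t is brought in via an init module interface the module will not link, so replace the stray require with `gen_require(` type initrc_t; ')` or better an init_* interface. `rpm_use_script_fds(cachefilesd_t)` should be wrapped in `optional_policy(`...')` since rpm is an optional module, `files_pid_file(cachefilesd_var_run_t)` is declared twice, and `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms` is subsumed by the manage_files_pattern that follows. The `libs_use_ld_so`/`libs_use_shared_libs` pair is deprecated in current reference policy and can be dropped.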
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-01-18 18:24:22.749530749 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ccs.te 2010-02-17 15:18:32.630863465 +0100
@@ -74,8 +74,6 @@
manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
-aisexec_stream_connect(ccs_t)
-
kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
@@ -117,5 +115,9 @@
')
optional_policy(`
+ aisexec_stream_connect(ccs_t)
+ corosync_stream_connect(ccs_t)
+')
+optional_policy(`
unconfined_use_fds(ccs_t)
')
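Review bot: The new `optional_policy` block calls both `aisexec_stream_connect` and `corosync_stream_connect`; aisexec and corosync are separate modules, so the block is dropped whenever either is missing and ccs loses its connection to the one that is installed. Use one block per module and keep the blank line the file places between optional_policy blocks.
```selinux
optional_policy(`
	aisexec_stream_connect(ccs_t)
')

optional_policy(`
	corosync_stream_connect(ccs_t)
')
```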
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-01-18 18:24:22.753540198 +0100
+++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2010-02-02 18:56:12.191317011 +0100
@@ -1,4 +1,6 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.32/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-01-18 18:24:22.754542770 +0100
+++ serefpolicy-3.6.32/policy/modules/services/chronyd.if 2010-05-05 13:39:25.638629347 +0200
@@ -56,6 +56,28 @@
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
+########################################
+## <summary>
+## Read and write chronyd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
####################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-01-18 18:24:22.755539963 +0100
+++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-05-05 13:34:27.856629876 +0200
@@ -12,6 +12,12 @@
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
# var/lib files
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -30,11 +36,18 @@
# chronyd local policy
#
-allow chronyd_t self:capability { setuid setgid sys_time };
-allow chronyd_t self:process { getcap setcap };
+allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit };
allow chronyd_t self:udp_socket create_socket_perms;
allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:shm create_shm_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
# chronyd var/lib files
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
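Review bot: The widened rule `allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };` adds dac_override with no comment saying what needs it, and dac_override bypasses DAC checks on every file the type rules otherwise permit, so it deserves a justification. If it was added so chronyd can open /etc/chrony.keys while that file is root-only, the same commit already labels the file chronyd_keys_t and grants `allow chronyd_t chronyd_keys_t:file read_file_perms;`, which is the narrower fix once the file's DAC mode is set correctly. Suggest a why-comment above the capability rule, e.g. `# dac_override: <reason seen in the audit log> -- TODO confirm`, or dropping the capability if it is not in the denials.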
@@ -64,4 +77,7 @@
miscfiles_read_localization(chronyd_t)
-permissive chronyd_t;
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
+
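Review bot: The hunk ends by adding an empty line after the new optional_policy block, which leaves chronyd.te with a trailing blank line; drop the final `+` line. Removing `permissive chronyd_t;` in the same commit that widens the capability set and adds shm and tmpfs access means those new rules are enforced at once, so the change is best checked against the audit log from the permissive run before it lands.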
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.32/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-18 18:24:22.756540300 +0100
+++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2010-05-21 13:23:07.973140539 +0200
@@ -57,6 +57,8 @@
#
allow clamd_t self:capability { kill setgid setuid dac_override };
+dontaudit clamd_t self:capability sys_tty_config;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 2010-01-18 18:24:22.757540078 +0100
+++ serefpolicy-3.6.32/policy/modules/services/clogd.if 2010-02-17 11:59:55.124863336 +0100
@@ -42,26 +42,6 @@
#####################################
## <summary>
-## Manage clogd tmpfs files.
-## </summary>
-## <param name="domain">
-## <summary>
-## The type of the process performing this action.
-## </summary>
-## </param>
-#
-interface(`clogd_manage_tmpfs_files',`
- gen_require(`
- type clogd_tmpfs_t;
- ')
-
- fs_search_tmpfs($1)
- manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
- manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-')
-
-#####################################
-## <summary>
## Allow read and write access to clogd semaphores.
## </summary>
## <param name="domain">
@@ -94,5 +74,9 @@
')
allow $1 clogd_t:shm { rw_shm_perms destroy };
+ allow $1 clogd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+ fs_search_tmpfs($1)
')
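Review bot: The interface now references clogd_tmpfs_t in `allow $1 clogd_tmpfs_t:dir list_dir_perms;` and the two pattern calls, but its gen_require block lies above the hunk and the only visible gen_require for that type is in the interface this commit deletes; confirm the enclosing interface's gen_require contains `type clogd_tmpfs_t;`, otherwise callers in other modules will fail to link. The summary shown as context at the first hunk still reads `Allow read and write access to clogd semaphores.`, which no longer describes the tmpfs file access; suggest `Allow read and write access to clogd semaphores and tmpfs files.`. The interface starts outside the hunk.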
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 2010-01-18 18:24:22.758539996 +0100
+++ serefpolicy-3.6.32/policy/modules/services/clogd.te 2010-02-17 15:17:36.815613535 +0100
@@ -41,8 +41,6 @@
manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
-aisexec_stream_connect(clogd_t)
-
dev_manage_generic_blk_files(clogd_t)
storage_raw_read_fixed_disk(clogd_t)
@@ -56,6 +54,11 @@
miscfiles_read_localization(clogd_t)
optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+')
+
+optional_policy(`
dev_read_lvm_control(clogd_t)
')
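Review bot: The new optional_policy block wrapping `aisexec_stream_connect(clogd_t)` and `corosync_stream_connect(clogd_t)` mixes interfaces from two modules; refpolicy keeps one module per optional_policy block so the block is only dropped when that one module is absent, whereas here a build with corosync but without aisexec loses both rules. Split it into two blocks, one per module. The same pattern appears in corosync.te, where a single optional_policy opened in hunk @@ -92,6 +99,7 @@ and closed in hunk @@ -101,6 +109,11 @@ wraps both dlm_controld and gfs_controld interfaces.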
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-01-18 18:24:22.758539996 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2010-03-01 09:49:55.450759811 +0100
@@ -1,2 +1,7 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
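Review bot: The new entries write the context as `cobbler_etc_t, s0` with a space before the level while the existing line `/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)` uses `,s0`; pick one form for the file, the existing `,s0` being what the surrounding .fc files in this patch use.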
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-01-18 18:24:22.759530345 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2010-03-01 09:49:55.450759811 +0100
@@ -1,10 +1,111 @@
+## <summary>Cobbler installation server.</summary>
+## <desc>
+## <p>
+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run cobblerd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+## <summary>
+## Execute cobblerd server in the cobblerd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read Cobbler content in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
## <summary>
-## Cobbler var_lib_t
+## Search cobbler dirs in /var/lib
## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
########################################
## <summary>
-## Read cobbler lib files.
+## Read cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
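Review bot: `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);` in cobbler_read_config carries a trailing semicolon that no other pattern call in the file has; the pattern already expands to terminated rules, so the extra `;` is at best noise in the generated policy and should be removed. In cobbler_dontaudit_rw_log the summary says the access is for a leaked fd, yet the rule uses `rw_file_perms`, which also covers open; if only inherited descriptors are meant, `dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;` matches the summary and is the form cron.if uses elsewhere in this patch. The summary `Read Cobbler content in /etc` also lacks the terminating period the sibling summaries have.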
@@ -18,7 +119,6 @@
')
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- allow $1 cobbler_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
')
@@ -22,10 +122,9 @@
files_search_var_lib($1)
')
-
########################################
## <summary>
-## Read cobbler lib files.
+## Manage cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
@@ -33,12 +132,55 @@
## </summary>
## </param>
#
-interface(`cobbler_search_lib',`
+interface(`cobbler_manage_lib_files',`
gen_require(`
type cobbler_var_lib_t;
')
- allow $1 cobbler_var_lib_t:dir search_dir_perms;
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cobblerd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t;
+ type httpd_cobbler_content_rw_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cobblerd_t, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ files_search_var_log($1)
+ admin_pattern($1, cobbler_var_log_t)
+
+ admin_pattern($1, httpd_cobbler_content_rw_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
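Review bot: cobblerd_admin uses cobblerd_initrc_exec_t in `role_transition $2 cobblerd_initrc_exec_t system_r;` but its gen_require block lists only cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t, cobbler_etc_t and httpd_cobbler_content_rw_t; add `type cobblerd_initrc_exec_t;` there so the interface declares what it uses itself rather than relying on the require emitted by the cobblerd_initrc_domtrans call, as denyhosts_admin in this same patch does. The summary `an cobblerd environment` should read `a cobblerd environment`.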
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-01-18 18:24:22.760530473 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-05-05 13:28:18.436628603 +0200
@@ -1,5 +1,135 @@
-policy_module(cobbler, 1.10.0)
+policy_module(cobbler, 1.0.0)
+
+########################################
+#
+# Cobbler personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow Cobbler to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(cobbler_anon_write, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+permissive cobblerd_t;
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_etc_t;
+files_config_file(cobbler_etc_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)
+
+########################################
+#
+# Cobbler personal policy.
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+
+list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+kernel_read_system_state(cobblerd_t)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+# read /etc/nsswitch.conf
+files_read_etc_files(cobblerd_t)
+files_read_usr_files(cobblerd_t)
+files_list_boot(cobblerd_t)
+files_list_tmp(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_read_config(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+optional_policy(`
+ apache_read_sys_content(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ tftp_manage_rw_content(cobblerd_t)
+')
+
+########################################
+#
+# Cobbler web local policy.
+#
+
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
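Review bot: `permissive cobblerd_t;` makes the whole new domain log-only, so none of the rules below it are enforced and the capability, sysnet_write_config and bind/dhcpd/dnsmasq transition grants cannot yet be judged complete; a comment such as `# TODO: remove once the policy has been validated against audit logs` above it would record that this is temporary. The module header also goes from `policy_module(cobbler, 1.10.0)` to `policy_module(cobbler, 1.0.0)`, a version regression; if the rewrite is meant to supersede the old module the version should move forward. `rpm_exec(cobblerd_t)` runs rpm inside the cobblerd domain rather than transitioning; if that is deliberate a short comment saying why would help the next reader.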
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100
+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-11 21:20:40.181057088 +0100
@@ -16,6 +16,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
########################################
#
# consolekit local policy
@@ -80,13 +83,11 @@
hal_ptrace(consolekit_t)
tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_list_nfs(consolekit_t)
- fs_dontaudit_rw_nfs_files(consolekit_t)
+ fs_read_nfs_files(consolekit_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_list_cifs(consolekit_t)
- fs_dontaudit_rw_cifs_files(consolekit_t)
+ fs_read_cifs_files(consolekit_t)
')
optional_policy(`
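Review bot: Replacing `fs_dontaudit_list_nfs`/`fs_dontaudit_rw_nfs_files` with `fs_read_nfs_files(consolekit_t)` (and the cifs counterpart) turns a silence-the-denial into a grant of read access to every NFS- or CIFS-labelled file when the tunable is on, which is a real widening rather than a cleanup. If consolekit only needs to stat or list home directories, a narrower interface would do; otherwise a comment above the tunable_policy block stating which file it reads would document the need. The tunable blocks are shown in full, but the surrounding policy continues outside the hunk.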
@@ -116,12 +117,16 @@
')
optional_policy(`
+ shutdown_domtrans(consolekit_t)
+')
+
+optional_policy(`
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
- xserver_common_app(consolekit_t)
- xserver_ptrace_xdm(consolekit_t)
- xserver_common_app(consolekit_t)
+ xserver_non_drawing_client(consolekit_t)
corenet_tcp_connect_xserver_port(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 2010-01-18 18:24:22.762530308 +0100
+++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2010-03-08 16:04:18.113614620 +0100
@@ -4,10 +4,11 @@
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100
+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-03-08 16:05:31.170864569 +0100
@@ -38,7 +38,7 @@
#
allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
+allow corosync_t self:process { setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
@@ -46,6 +46,8 @@
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
+can_exec(corosync_t,corosync_exec_t)
+
# tmp files
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
@@ -72,14 +74,19 @@
files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
corenet_udp_bind_netsupport_port(corosync_t)
corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
dev_read_urand(corosync_t)
files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
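Review bot: `domain_read_all_domains_state(corosync_t)` grants read of every domain's /proc state and arrives with no comment, alongside `kernel_read_network_state` and `corecmd_exec_shell`; a one-line note on which corosync or cman operation needs each would let a later reviewer prune them. In the preceding hunk `can_exec(corosync_t,corosync_exec_t)` omits the space after the comma that the rest of the file uses; `can_exec(corosync_t, corosync_exec_t)` matches.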
@@ -92,6 +99,7 @@
userdom_rw_user_tmpfs_files(corosync_t)
+optional_policy(`
# to communication with RHCS
dlm_controld_manage_tmpfs_files(corosync_t)
dlm_controld_rw_semaphores(corosync_t)
@@ -101,6 +109,11 @@
gfs_controld_manage_tmpfs_files(corosync_t)
gfs_controld_rw_semaphores(corosync_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
optional_policy(`
ccs_read_config(corosync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.32/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2010-01-18 18:24:22.767542328 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cron.if 2010-03-23 13:24:45.468390265 +0100
@@ -462,6 +462,24 @@
allow $1 cron_spool_t:dir search_dir_perms;
')
+#######################################
+## <summary>
+## Read and write inherited user spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+ type user_cron_spool_t;
+ ')
+
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
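Review bot: The divider above the new interface is one character shorter than the 40-column `########################################` used by the interface that follows; make them the same width. The body is fine as written and `rw_inherited_file_perms` is the right set for the inherited-descriptor case the summary describes.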
########################################
## <summary>
## Manage pid files used by cron
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-11 12:37:32.141868288 +0100
@@ -268,6 +268,11 @@
')
optional_policy(`
+ djbdns_search_key_tinydns(crond_t)
+ djbdns_link_key_tinydns(crond_t)
+')
+
+optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
@@ -323,6 +328,10 @@
udev_read_db(crond_t)
')
+optional_policy(`
+ mta_system_content(crond_var_run_t)
+')
+
########################################
#
# System cron process domain
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-03-05 15:20:55.192561142 +0100
@@ -265,6 +265,7 @@
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
miscfiles_setattr_fonts_dirs(cupsd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_t)
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
@@ -430,10 +431,12 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_read_all_users_state(cupsd_config_t)
userdom_rw_user_tmp_files(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
+gnome_dontaudit_search_config(cupsd_config_t)
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
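Review bot: `gnome_dontaudit_search_config(cupsd_config_t)` is called outside an optional_policy block; if gnome is built as a separate module, as it usually is, this makes cups hard-depend on it and the build fails when the gnome module is absent. Wrap it as `optional_policy(` / `gnome_dontaudit_search_config(cupsd_config_t)` / `')`. `userdom_read_all_users_state(cupsd_config_t)` grants read of every user domain's /proc state and would benefit from a comment naming what cupsd_config actually reads.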
@@ -555,6 +558,7 @@
logging_send_syslog_msg(cupsd_lpd_t)
miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
@@ -567,7 +571,7 @@
# cups_pdf local policy
#
-allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
+allow cups_pdf_t self:capability { chown fsetid fowner setuid setgid dac_override };
allow cups_pdf_t self:fifo_file rw_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
@@ -578,6 +582,7 @@
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
fs_rw_anon_inodefs_files(cups_pdf_t)
+fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -689,6 +694,7 @@
domain_use_interactive_fds(hplip_t)
+files_dontaudit_write_usr_dirs(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2010-01-18 18:24:22.774530577 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2010-03-03 10:39:47.602620848 +0100
@@ -165,10 +165,6 @@
optional_policy(`
hal_dbus_chat($1_dbusd_t)
')
-
- optional_policy(`
- xserver_use_xdm($1_dbusd_t)
- ')
')
#######################################
@@ -375,6 +371,9 @@
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
+ ps_process_pattern(system_dbusd_t, $1)
+
+ userdom_read_all_users_state($1)
userdom_dontaudit_search_admin_dir($1)
optional_policy(`
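Review bot: `ps_process_pattern(system_dbusd_t, $1)` references system_dbusd_t, but the interface's gen_require block is above the hunk; confirm it lists `type system_dbusd_t;`. `userdom_read_all_users_state($1)` hands every caller of this generic interface read access to all user domains' /proc state, which is broad for a helper meant to wire a domain onto the system bus; a comment stating why bus clients need it, or moving it to the specific callers that do, would be better. The enclosing interface starts outside the hunk.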
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.32/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-18 18:24:22.776530971 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dcc.te 2010-02-23 16:38:38.729526813 +0100
@@ -81,7 +81,7 @@
# dcc daemon controller local policy
#
-allow cdcc_t self:capability setuid;
+allow cdcc_t self:capability { setgid setuid };
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.6.32/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/denyhosts.fc 2010-04-13 14:45:02.621657560 +0200
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t, s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.6.32/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/denyhosts.if 2010-04-13 14:45:02.622619355 +0200
@@ -0,0 +1,87 @@
+## <summary>Deny Hosts.</summary>
+## <desc>
+## <p>
+## DenyHosts is a script intended to be run by Linux
+## system administrators to help thwart SSH server attacks
+## (also known as dictionary based attacks and brute force
+## attacks).
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Execute a domain transition to run denyhosts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_domtrans', `
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+## <summary>
+## Execute denyhost server in the denyhost domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`denyhosts_initrc_domtrans', `
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an denyhosts environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
+
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, denyhosts_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
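Review bot: The three interface headers are written as `interface(`denyhosts_domtrans', `` with a space before the opening backquote, unlike every other interface in this patch, which uses `',``; make them consistent. denyhosts_admin is missing the `## <rolecap/>` tag that cobblerd_admin carries in this same patch, and its summary `an denyhosts environment.` should read `a denyhosts environment.`.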
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.6.32/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/denyhosts.te 2010-05-21 13:28:34.975140060 +0200
@@ -0,0 +1,76 @@
+
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+corecmd_exec_bin(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_connect_sype_port(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+kernel_read_system_state(denyhosts_t)
+
+files_read_etc_files(denyhosts_t)
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
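Review bot: `allow denyhosts_t self:capability sys_tty_config;` grants a capability a Python daemon has no evident use for; the clamav.te hunk in this same patch handles the identical denial with `dontaudit clamd_t self:capability sys_tty_config;`, and unless Bug #588563 shows a functional failure, `dontaudit denyhosts_t self:capability sys_tty_config;` is the safer form. The file also opens with a blank line before `policy_module(denyhosts, 1.0.0)`; drop it. `sysnet_manage_config(denyhosts_t)` is presumably for writing /etc/hosts.deny, and a comment saying so would make the grant self-explanatory.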
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.32/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2010-01-18 18:24:22.778530038 +0100
+++ serefpolicy-3.6.32/policy/modules/services/devicekit.fc 2010-02-26 09:34:03.326558032 +0100
@@ -1,8 +1,12 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-01-18 18:24:22.780530921 +0100
+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2010-03-02 17:01:05.295607149 +0100
@@ -62,8 +62,8 @@
# DeviceKit disk local policy
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
-allow devicekit_disk_t self:process signal_perms;
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
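Review bot: The capability line gains sys_admin without a comment; sys_admin is the broadest capability in the set and its addition to a daemon that already holds sys_rawio and net_admin should say which operation (mount, loop setup, or similar) triggered it, e.g. `# sys_admin: <operation seen in the audit log> -- TODO confirm`. The same request applies to `mls_file_read_all_levels`/`mls_file_write_to_clearance` in hunk @@ -122,6 +125,9 @@, which exempt the domain from MLS constraints, and to `dev_rw_generic_chr_files(devicekit_power_t)` in hunk @@ -205,6 +212,7 @@, which opens every generic character device read-write.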
@@ -82,6 +82,7 @@
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
kernel_read_system_state(devicekit_disk_t)
kernel_request_load_module(devicekit_disk_t)
@@ -96,12 +97,14 @@
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
+dev_getattr_mtrr_dev(devicekit_disk_t)
domain_getattr_all_pipes(devicekit_disk_t)
domain_getattr_all_sockets(devicekit_disk_t)
domain_getattr_all_stream_sockets(devicekit_disk_t)
domain_read_all_domains_state(devicekit_disk_t)
+files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
files_getattr_all_mountpoints(devicekit_disk_t)
files_getattr_all_files(devicekit_disk_t)
@@ -122,6 +125,9 @@
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
+mls_file_read_all_levels(devicekit_disk_t)
+mls_file_write_to_clearance(devicekit_disk_t)
+
term_use_all_terms(devicekit_disk_t)
auth_use_nsswitch(devicekit_disk_t)
@@ -182,6 +188,7 @@
#
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:process getsched;
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -205,6 +212,7 @@
dev_read_input(devicekit_power_t)
dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -220,6 +228,8 @@
miscfiles_read_localization(devicekit_power_t)
+sysnet_domtrans_ifconfig(devicekit_power_t)
+
sysnet_read_config(devicekit_power_t)
sysnet_read_dhcp_config(devicekit_power_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.32/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/dhcp.if 2010-03-01 15:53:56.974502467 +0100
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Transition to dhcpd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
+########################################
+## <summary>
## Set the attributes of the DCHP
## server state files.
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.6.32/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/dhcp.te 2010-03-01 09:56:40.715740296 +0100
@@ -112,6 +112,10 @@
')
optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+ allow djbdns_$1_t self:process signal;
+ allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
allow djbdns_$1_t self:udp_socket create_socket_perms;
@@ -50,3 +52,39 @@
files_search_var(djbdns_$1_t)
')
+
+######################################
+## <summary>
+## Allow search the djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_search_key_tinydns',`
+ gen_require(`
+ type djbdns_tinydns_t;
+ ')
+
+ allow $1 djbdns_tinydns_t:key search;
+')
+
+######################################
+## <summary>
+## Allow link to the djbdns-tinydns key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`djbdns_link_key_tinydns',`
+ gen_require(`
+ type djbdns_tinydn_t;
+ ')
+
+ allow $1 djbdns_tinydn_t:key link;
+')
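Review bot: `djbdns_link_key_tinydns` requires and uses `djbdns_tinydn_t` in both its gen_require and its allow line, but the type declared in djbdns.te and used by the sibling `djbdns_search_key_tinydns` is `djbdns_tinydns_t`; any module calling this interface will fail to build because the required type does not exist. Change the two lines to `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`. Since key link is rarely useful without search, consider whether one interface granting `{ search link }` would serve the intended caller and remove the duplicated boilerplate.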
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.6.32/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/djbdns.te 2010-02-11 14:26:09.789868676 +0100
@@ -42,3 +42,11 @@
files_search_var(djbdns_axfrdns_t)
ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+
+#####################################
+#
+# Local policy for djbdns_tinydns_t
+#
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.32/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.fc 2010-02-12 17:25:06.991714829 +0100
@@ -5,5 +5,7 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/log/dnsmasq\.log -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.32/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.if 2010-03-01 15:57:23.556490055 +0100
@@ -96,6 +96,44 @@
allow $1 dnsmasq_t:process sigkill;
')
+#######################################
+## <summary>
+## Read dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Write to dnsmasq config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
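Review bot: `dnsmasq_write_config` hands the caller write access to dnsmasq_etc_t, which amounts to control over what the daemon serves and does, yet its doc block is a copy of the read interface's; a caveat in the summary such as `## Write to dnsmasq config files. Callers can change the daemon's DNS/DHCP behaviour; grant only to configuration-management domains.` would flag that to policy authors. Note also that `write_files_pattern` grants write but not create or unlink, so a consumer that rewrites the config by writing a temp file and renaming over it will still be denied; if that is the expected consumer, `manage_files_pattern` is the right macro and the summary should say so.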
########################################
## <summary>
## Delete dnsmasq pid files
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.32/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-01-18 18:24:22.780530921 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.te 2010-02-12 17:24:31.727729095 +0100
@@ -16,6 +16,9 @@
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)
@@ -24,7 +27,7 @@
# Local policy
#
-allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
+allow dnsmasq_t self:capability { dac_override chown net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
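Review bot: The capability set for dnsmasq_t grows by `dac_override` and `chown` with no comment on what triggers them; dac_override in particular lets the daemon ignore mode bits on every file its type rules already reach (leases, the log type added in this patch, config), making it the broadest of the capabilities on this line. If the need is that dnsmasq opens the log or lease file after dropping to an unprivileged uid, then `chown` alone (or opening the file before the uid change) avoids dac_override; if it really is required, a comment such as `# dac_override: lease/log files are reopened after setuid to the dnsmasq user` above the rule would record the reason. Hedged: the trigger is inferred from the new dnsmasq_var_log_t handling in this patch, not shown here.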
@@ -38,6 +41,9 @@
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100
@@ -82,6 +82,7 @@
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
@@ -94,6 +95,7 @@
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
+corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
@@ -277,6 +279,8 @@
')
tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_dirs(dovecot_t)
fs_manage_nfs_files(dovecot_deliver_t)
fs_manage_nfs_symlinks(dovecot_deliver_t)
fs_manage_nfs_files(dovecot_t)
@@ -284,6 +288,8 @@
')
tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_dirs(dovecot_t)
fs_manage_cifs_files(dovecot_deliver_t)
fs_manage_cifs_symlinks(dovecot_deliver_t)
fs_manage_cifs_files(dovecot_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.32/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/exim.if 2010-02-15 12:36:35.630568574 +0100
@@ -18,6 +18,24 @@
domtrans_pattern($1, exim_exec_t, exim_t)
')
+###################################
+## <summary>
+## Execute the exim in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_exec',`
+ gen_require(`
+ type exim_exec_t;
+ ')
+
+ can_exec($1, exim_exec_t)
+')
+
########################################
## <summary>
## Do not audit attempts to read,
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100
@@ -138,6 +138,24 @@
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
+#######################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.6.32/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ftp.fc 2010-02-16 17:34:27.415598063 +0100
@@ -22,7 +22,7 @@
#
# /var
#
-/var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0)
+/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
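Review bot: `/var/run/proftpd.*` has an unescaped `.`, and file-context regexes are anchored, so this now labels anything under /var/run whose name merely begins with `proftpd` (a hypothetical `proftpd-other` included), whereas the replaced `/var/run/proftpd(/.*)?` matched the directory and its subtree only. If the goal is to additionally catch flat files such as `proftpd.pid` or a socket beside the directory, `/var/run/proftpd(\..*|/.*)?` expresses that without widening to arbitrary suffixes. The lack of a `--` qualifier on both old and new lines means the spec also covers sockets and directories, which is presumably intended for a pid/socket area.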
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-02-08 00:21:16.418154590 +0100
@@ -115,6 +115,43 @@
role $2 types ftpdctl_t;
')
+######################################
+## <summary>
+## Allow domain dyntransition to sftpd-anon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntransition_sftpd_anon',`
+ gen_require(`
+ type sftpd_anon_t;
+ ')
+
+ allow $1 sftpd_anon_t:process dyntransition;
+')
+
+######################################
+## <summary>
+## Allow domain dyntransition to sftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntransition_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ allow $1 sftpd_t:process dyntransition;
+ allow sftpd_t $1:process sigchld;
+')
+
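Review bot: `ftp_dyntransition_sftpd` adds `allow sftpd_t $1:process sigchld;` while `ftp_dyntransition_sftpd_anon` grants only the dyntransition, so a caller that waits on an anonymous sftp child will hit an AVC that the named-user path does not; if the asymmetry is intended, say so in the anon interface's summary, otherwise add `allow sftpd_anon_t $1:process sigchld;`. Both interfaces are only half of what setcon() needs: the caller must also hold `setcurrent` on itself, which presumably lives in the sshd policy, and a sentence in each summary noting that would save the next user a denial hunt. It is also worth stating in the doc that dyntransition, unlike domtrans, involves no entrypoint check and relies on the calling program to have dropped privilege before switching.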
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-02-16 17:41:51.446598108 +0100
@@ -53,6 +53,39 @@
## </desc>
gen_tunable(ftp_home_dir, false)
+## <desc>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(sftpd_full_access, false)
+
+## <desc>
+## <p>
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_write_ssh_home, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
+## </desc>
+gen_tunable(sftp_enable_homedirs, false)
+
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)
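Review bot: The description for `sftpd_write_ssh_home` contains the typo `interlnal-sftp`, and the fourth tunable is named `sftp_enable_homedirs` while its three siblings use the `sftpd_` prefix, which invites misspellings in setsebool scripts. The `sftpd_full_access` text says access is "governed by DAC", but the policy block that this tunable enables later in the file grants `dac_override` and `dac_read_search` to sftpd_t, so DAC does not govern it; the description should instead say the domain may read and write all non-shadow files regardless of DAC permissions. Suggested wording for the third description: `## Allow internal-sftp to read and write files in the user ssh home directories.`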
@@ -93,6 +126,14 @@
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
')
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
+type sftpd_anon_t;
+domain_type(sftpd_anon_t)
+role system_r types sftpd_anon_t;
+
########################################
#
# ftpd local policy
@@ -101,7 +142,7 @@
allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
+allow ftpd_t self:process { getpgid getcap setcap setsched setrlimit };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -342,3 +383,76 @@
files_read_etc_files(ftpdctl_t)
userdom_use_user_terminals(ftpdctl_t)
+
+#######################################
+#
+# sftpd-anon local policy
+#
+
+files_read_etc_files(sftpd_anon_t)
+
+miscfiles_read_public_files(sftpd_anon_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(sftpd_anon_t)
+')
+
+#######################################
+#
+# sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+# allow read access to /home by default
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_user_home_files(sftpd_t)
+')
+
+tunable_policy(`sftp_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(sftpd_t)
+ userdom_read_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content(sftpd_t)
+
+ auth_read_all_dirs_except_shadow(sftpd_t)
+ auth_read_all_files_except_shadow(sftpd_t)
+ auth_read_all_symlinks_except_shadow(sftpd_t)
+', `
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+')
+
+tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+ fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+ fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(sftpd_t)
+ fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
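Review bot: The `use_nfs_home_dirs` block at the end of the sftpd policy calls `fs_read_nfs_symlinks(ftpd_t)` where every other line in the block targets `sftpd_t`; as written sftpd_t never gets symlink read on NFS homes and ftpd_t receives a permission this hunk did not mean to give it — it should be `fs_read_nfs_symlinks(sftpd_t)`. The `sftp_enable_homedirs` branch also grants `dac_override dac_read_search` ahead of `userdom_manage_user_home_content`; an sftp session running as the logged-in user should not need to bypass DAC to reach its own home, and together with `auth_read_all_files_except_shadow` it lets the domain read every non-shadow file regardless of mode bits, so either drop the capability line or document the case that requires it. The same capability pair appears under `sftpd_full_access`, whose tunable description claims DAC still applies.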
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2010-01-18 18:24:22.788540040 +0100
+++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-02-09 12:46:59.674881314 +0100
@@ -1,9 +1,16 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0)
-/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
+/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
-# Conflict with Fedora cgit fc spec.
-/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
+/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0)
+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
+
+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
+
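Review bot: `/var/www/git/gitweb.cgi` has no `--` qualifier and an unescaped `.`, so it matches any object named `gitweb?cgi` under /var/www/git; write it `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` so only the regular file receives the script-exec label. `HOME_DIR/\.gitconfig` is given `git_session_content_t`, the same type as `HOME_DIR/public_git`, which means every interface granting manage or exec over the git_content attribute also covers the user's git configuration file; if that is not wanted, a separate config type would keep repository content and user config apart.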
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2010-01-18 18:24:22.789540167 +0100
+++ serefpolicy-3.6.32/policy/modules/services/git.if 2010-02-09 12:46:59.675881993 +0100
@@ -1,4 +1,4 @@
-## <summary>Git daemon is a really simple server for Git repositories.</summary>
+## <summary>Git - Fast Version Control System.</summary>
## <desc>
## <p>
## A really simple TCP git daemon that normally listens on
@@ -6,27 +6,6 @@
## connection asking for a service, and will serve that
## service if it is enabled.
## </p>
-## <p>
-## It verifies that the directory has the magic file
-## git-daemon-export-ok, and it will refuse to export any
-## git directory that has not explicitly been marked for
-## export this way (unless the --export-all parameter is
-## specified). If you pass some directory paths as
-## git-daemon arguments, you can further restrict the
-## offers to a whitelist comprising of those.
-## </p>
-## <p>
-## By default, only upload-pack service is enabled, which
-## serves git-fetch-pack and git-ls-remote clients, which
-## are invoked from git-fetch, git-pull, and git-clone.
-## </p>
-## <p>
-## This is ideally suited for read-only updates, i.e.,
-## pulling from git repositories.
-## </p>
-## <p>
-## An upload-archive also exists to serve git-archive.
-## </p>
## </desc>
#######################################
@@ -46,50 +25,172 @@
#
interface(`git_session_role', `
gen_require(`
- type gitd_session_t, gitd_exec_t, git_home_t;
+ type git_session_t, gitd_exec_t;
')
########################################
#
- # Git daemon session data declarations.
+ # Git daemon session shared declarations.
#
- ## <desc>
- ## <p>
- ## Allow transitions to the Git daemon
- ## session domain.
- ## </p>
- ## </desc>
- gen_tunable(gitd_session_transition, false)
+ role $1 types git_session_t;
+
+ ########################################
+ #
+ # Git daemon session shared policy.
+ #
+
+ domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for Git
+## daemon shared repository content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`git_content_template',`
- role $1 types gitd_session_t;
+ gen_require(`
+ attribute git_system_content;
+ attribute git_content;
+ ')
########################################
#
- # Git daemon session data policy.
+ # Git daemon content shared declarations.
+ #
+
+ type git_$1_content_t, git_system_content, git_content;
+ files_type(git_$1_content_t)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for Git
+## daemon shared repository roles.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
#
+template(`git_role_template',`
- tunable_policy(`gitd_session_transition', `
- domtrans_pattern($2, gitd_exec_t, gitd_session_t)
- ', `
- can_exec($2, gitd_exec_t)
+ gen_require(`
+ class context contains;
+ role system_r;
')
- allow $2 gitd_session_t:process { ptrace signal_perms };
- ps_process_pattern($2, gitd_session_t)
+ ########################################
+ #
+ # Git daemon role shared declarations.
+ #
+
+ attribute $1_usertype;
- exec_files_pattern($2, git_home_t, git_home_t)
- manage_dirs_pattern($2, git_home_t, git_home_t)
- manage_files_pattern($2, git_home_t, git_home_t)
+ type $1_t;
+ userdom_unpriv_usertype($1, $1_t)
+ domain_type($1_t)
- relabel_dirs_pattern($2, git_home_t, git_home_t)
- relabel_files_pattern($2, git_home_t, git_home_t)
+ role $1_r types $1_t;
+ allow system_r $1_r;
+
+ ########################################
+ #
+ # Git daemon role shared policy.
+ #
+
+ allow $1_t self:context contains;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+
+ corecmd_exec_bin($1_t)
+ corecmd_bin_entry_type($1_t)
+ corecmd_shell_entry_type($1_t)
+
+ domain_interactive_fd($1_t)
+ domain_user_exemption_target($1_t)
+
+ kernel_read_system_state($1_t)
+
+ files_read_etc_files($1_t)
+ files_dontaudit_search_home($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ git_rwx_generic_system_content($1_t)
+
+ ssh_rw_stream_sockets($1_t)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1_t)
+ fs_manage_cifs_dirs($1_t)
+ fs_manage_cifs_files($1_t)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1_t)
+ fs_manage_nfs_dirs($1_t)
+ fs_manage_nfs_files($1_t)
+ ')
+
+ optional_policy(`
+ nscd_read_pid($1_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Allow specified domain access to the
+## specified Git daemon content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## Type of the object that access is allowed to.
+## </summary>
+## </param>
+#
+interface(`git_content_delegation',`
+ gen_require(`
+ type $1, $2;
+ ')
+
+ exec_files_pattern($1, $2, $2)
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
+ files_search_var($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
')
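Review bot: `git_role_template` creates a user domain `$1_t`, a role `$1_r` with `allow system_r $1_r`, and an attribute `$1_usertype`, but its doc block only says it creates "derived types for ... repository roles"; since callers will use it as a login domain for git-shell, it should name each derived identifier and state that the domain gets shell and bin entry, `corecmd_exec_bin`, and read/write/exec on generic system repository content. Suggested summary: `## Create a git-shell login domain: derives $1_t, $1_r and the $1_usertype attribute; $1_t can enter via any shell or bin binary, execute bin content, and manage/execute generic system repository content.` Separately, `git_content_delegation` requires `type $1, $2;` — requiring the domain parameter as a type rejects callers that pass an attribute, which the other interfaces in this file accept; `type $2;` alone is the usual form.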
########################################
## <summary>
-## Allow the specified domain to execute
-## Git daemon data files.
+## Allow the specified domain to manage
+## and execute all Git daemon content.
## </summary>
## <param name="domain">
## <summary>
@@ -98,19 +199,46 @@
## </param>
## <rolecap/>
#
-interface(`git_execute_data_files', `
+interface(`git_rwx_all_content',`
gen_require(`
- type git_data_t;
+ attribute git_content;
')
- exec_files_pattern($1, git_data_t, git_data_t)
+ exec_files_pattern($1, git_content, git_content)
+ manage_dirs_pattern($1, git_content, git_content)
+ manage_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
files_search_var($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
')
########################################
## <summary>
## Allow the specified domain to manage
-## Git daemon data content.
+## and execute all Git daemon system content.
## </summary>
## <param name="domain">
## <summary>
@@ -119,20 +247,33 @@
## </param>
## <rolecap/>
#
-interface(`git_manage_data_content', `
+interface(`git_rwx_all_system_content',`
gen_require(`
- type git_data_t;
+ attribute git_system_content;
')
- manage_dirs_pattern($1, git_data_t, git_data_t)
- manage_files_pattern($1, git_data_t, git_data_t)
+ exec_files_pattern($1, git_system_content, git_system_content)
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
files_search_var($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
')
########################################
## <summary>
## Allow the specified domain to manage
-## Git daemon home content.
+## and execute Git daemon generic system content.
## </summary>
## <param name="domain">
## <summary>
@@ -141,20 +282,33 @@
## </param>
## <rolecap/>
#
-interface(`git_manage_home_content', `
+interface(`git_rwx_generic_system_content',`
gen_require(`
- type git_home_t;
+ type git_system_content_t;
+ ')
+
+ exec_files_pattern($1, git_system_content_t, git_system_content_t)
+ manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ manage_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
+ fs_manage_cifs_dirs($1)
+ fs_manage_cifs_files($1)
')
- manage_dirs_pattern($1, git_home_t, git_home_t)
- manage_files_pattern($1, git_home_t, git_home_t)
- files_search_home($1)
+ tunable_policy(`git_system_use_nfs',`
+ fs_exec_nfs_files($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ ')
')
########################################
## <summary>
## Allow the specified domain to read
-## Git daemon home content.
+## all Git daemon content files.
## </summary>
## <param name="domain">
## <summary>
@@ -163,20 +317,41 @@
## </param>
## <rolecap/>
#
-interface(`git_read_home_content', `
+interface(`git_read_all_content_files',`
gen_require(`
- type git_home_t;
+ attribute git_content;
+ ')
+
+ list_dirs_pattern($1, git_content, git_content)
+ read_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
')
- list_dirs_pattern($1, git_home_t, git_home_t)
- read_files_pattern($1, git_home_t, git_home_t)
- files_search_home($1)
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
')
########################################
## <summary>
## Allow the specified domain to read
-## Git daemon data content.
+## Git daemon session content files.
## </summary>
## <param name="domain">
## <summary>
@@ -185,20 +360,30 @@
## </param>
## <rolecap/>
#
-interface(`git_read_data_content', `
+interface(`git_read_session_content_files',`
gen_require(`
- type git_data_t;
+ type git_session_content_t;
')
- list_dirs_pattern($1, git_data_t, git_data_t)
- read_files_pattern($1, git_data_t, git_data_t)
- files_search_var($1)
+ list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ read_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
')
########################################
## <summary>
-## Allow the specified domain to relabel
-## Git daemon data content.
+## Allow the specified domain to read
+## all Git daemon system content files.
## </summary>
## <param name="domain">
## <summary>
@@ -207,20 +392,30 @@
## </param>
## <rolecap/>
#
-interface(`git_relabel_data_content', `
+interface(`git_read_all_system_content_files',`
gen_require(`
- type git_data_t;
+ attribute git_system_content;
')
- relabel_dirs_pattern($1, git_data_t, git_data_t)
- relabel_files_pattern($1, git_data_t, git_data_t)
- files_search_var($1)
+ list_dirs_pattern($1, git_system_content, git_system_content)
+ read_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
')
########################################
## <summary>
-## Allow the specified domain to relabel
-## Git daemon home content.
+## Allow the specified domain to read
+## Git daemon generic system content files.
## </summary>
## <param name="domain">
## <summary>
@@ -229,57 +424,112 @@
## </param>
## <rolecap/>
#
-interface(`git_relabel_home_content', `
+interface(`git_read_generic_system_content_files',`
gen_require(`
- type git_home_t;
+ type git_system_content_t;
')
- relabel_dirs_pattern($1, git_home_t, git_home_t)
- relabel_files_pattern($1, git_home_t, git_home_t)
- files_search_home($1)
+ list_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ read_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ ')
+
+ tunable_policy(`git_system_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ ')
')
########################################
## <summary>
-## All of the rules required to administrate an
-## Git daemon system environment
+## Allow the specified domain to relabel
+## all Git daemon content.
## </summary>
-## <param name="userdomain_prefix">
+## <param name="domain">
## <summary>
-## Prefix of the domain. Example, user would be
-## the prefix for the user_t domain.
+## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
+#
+interface(`git_relabel_all_content',`
+ gen_require(`
+ attribute git_content;
+ ')
+
+ relabel_dirs_pattern($1, git_content, git_content)
+ relabel_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## all Git daemon system content.
+## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <rolecap/>
+#
+interface(`git_relabel_all_system_content',`
+ gen_require(`
+ attribute git_system_content;
+ ')
+
+ relabel_dirs_pattern($1, git_system_content, git_system_content)
+ relabel_files_pattern($1, git_system_content, git_system_content)
+ files_search_var_lib($1)
+')
+
+########################################
## <summary>
-## The role to be allowed to manage the Git daemon domain.
+## Allow the specified domain to relabel
+## Git daemon generic system content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
-interface(`git_system_admin', `
+interface(`git_relabel_generic_system_content',`
gen_require(`
- type gitd_t, gitd_exec_t;
+ type git_system_content_t;
')
- allow $1 gitd_t:process { getattr ptrace signal_perms };
- ps_process_pattern($1, gitd_t)
-
- kernel_search_proc($1)
-
- manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
-
- # This will not work since git-shell needs to execute gitd content thus public content files.
- # There is currently no clean way to execute public content files.
- # miscfiles_manage_public_files($1)
+ relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ relabel_files_pattern($1, git_system_content_t, git_system_content_t)
+ files_search_var_lib($1)
+')
- git_manage_data_content($1)
- git_relabel_data_content($1)
+########################################
+## <summary>
+## Allow the specified domain to relabel
+## Git daemon session content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`git_relabel_session_content',`
+ gen_require(`
+ type git_session_content_t;
+ ')
- seutil_domtrans_setfiles($1)
+ relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
+ relabel_files_pattern($1, git_session_content_t, git_session_content_t)
+ userdom_search_user_home_dirs($1)
')
+
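Review bot: This hunk drops `git_system_admin` (and with it `seutil_domtrans_setfiles` and the ps/ptrace rules on the daemon) without leaving a deprecated stub, so any module still calling `git_system_admin(...)` stops compiling; refpolicy convention is to keep the old name as an interface whose body is a `refpolicywarn` deprecation message, or to forward it to the new `git_rwx_all_system_content` / `git_relabel_all_system_content` pair. The same applies to `git_manage_data_content`, `git_relabel_data_content` and the removed `*_home_content` interfaces renamed earlier in this file. If the removal is deliberate because no in-tree caller remains, a one-line changelog note saying so would stop reviewers re-raising it.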
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100
+++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-02-09 12:46:59.675881993 +0100
@@ -1,13 +1,5 @@
-policy_module(git, 1.0)
-
-attribute gitd_type;
-attribute git_content_type;
-
-########################################
-#
-# Git daemon system private declarations.
-#
+policy_module(git, 1.0.3)
## <desc>
## <p>
@@ -34,20 +26,29 @@
#
# Git daemon global private declarations.
#
+
+attribute git_domains;
+attribute git_system_content;
+attribute git_content;
+
type gitd_exec_t;
-type gitd_t, gitd_type;
-inetd_service_domain(gitd_t, gitd_exec_t)
-role system_r types gitd_t;
+########################################
+#
+# Git daemon system private declarations.
+#
-type git_data_t, git_content_type;
-files_type(git_data_t)
+type git_system_t, git_domains;
+inetd_service_domain(git_system_t, gitd_exec_t)
+role system_r types git_system_t;
-permissive gitd_t;
+type git_system_content_t, git_system_content, git_content;
+files_type(git_system_content_t)
+typealias git_system_content_t alias git_data_t;
########################################
#
-# Git daemon session session private declarations.
+# Git daemon session private declarations.
#
## <desc>
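Review bot: `attribute git_system_content;` is declared and attached to git_system_content_t, but no rule in this diff references it — the system-repository rules in the following hunk use `git_content` only. If it is reserved for an interface in git.if, a one-line comment saying so would help; otherwise it is a dead declaration and can be dropped. The `typealias git_system_content_t alias git_data_t;` keeps existing on-disk labels valid for the renamed content type, but there is no equivalent alias for the renamed domain `gitd_t` → `git_system_t`; that only matters if other modules name gitd_t in a gen_require, which this diff does not show.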
@@ -58,85 +59,82 @@
## </desc>
gen_tunable(git_session_bind_all_unreserved_ports, false)
-type gitd_session_t, gitd_type;
-application_domain(gitd_session_t, gitd_exec_t)
-ubac_constrained(gitd_session_t)
-
-type git_home_t, git_content_type;
-userdom_user_home_content(git_home_t)
+type git_session_t, git_domains;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
-permissive gitd_session_t;
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
########################################
#
# Git daemon global private policy.
#
-allow gitd_type self:fifo_file rw_fifo_file_perms;
-allow gitd_type self:tcp_socket create_socket_perms;
-allow gitd_type self:udp_socket create_socket_perms;
-allow gitd_type self:unix_dgram_socket create_socket_perms;
+allow git_domains self:fifo_file rw_fifo_file_perms;
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
+allow git_domains self:tcp_socket { create_socket_perms listen };
+allow git_domains self:udp_socket create_socket_perms;
+allow git_domains self:unix_dgram_socket create_socket_perms;
-corenet_all_recvfrom_netlabel(gitd_type)
-corenet_all_recvfrom_unlabeled(gitd_type)
+corenet_all_recvfrom_netlabel(git_domains)
+corenet_all_recvfrom_unlabeled(git_domains)
-corenet_tcp_sendrecv_all_if(gitd_type)
-corenet_tcp_sendrecv_all_nodes(gitd_type)
-corenet_tcp_sendrecv_all_ports(gitd_type)
+corenet_tcp_bind_generic_node(git_domains)
-corenet_tcp_bind_all_nodes(gitd_type)
-corenet_tcp_bind_git_port(gitd_type)
+corenet_tcp_sendrecv_generic_if(git_domains)
+corenet_tcp_sendrecv_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_port(git_domains)
-corecmd_exec_bin(gitd_type)
+corenet_tcp_bind_git_port(git_domains)
+corenet_sendrecv_git_server_packets(git_domains)
-files_read_etc_files(gitd_type)
-files_read_usr_files(gitd_type)
+corecmd_exec_bin(git_domains)
-fs_search_auto_mountpoints(gitd_type)
+files_read_etc_files(git_domains)
+files_read_usr_files(git_domains)
-kernel_read_system_state(gitd_type)
+fs_search_auto_mountpoints(git_domains)
-logging_send_syslog_msg(gitd_type)
+kernel_read_system_state(git_domains)
-auth_use_nsswitch(gitd_type)
+auth_use_nsswitch(git_domains)
-miscfiles_read_localization(gitd_type)
+logging_send_syslog_msg(git_domains)
+
+miscfiles_read_localization(git_domains)
########################################
#
# Git daemon system repository private policy.
#
-list_dirs_pattern(gitd_t, git_content_type, git_content_type)
-read_files_pattern(gitd_t, git_content_type, git_content_type)
-files_search_var(gitd_t)
-
-# This will not work since git-shell needs to execute gitd content thus public content files.
-# There is currently no clean way to execute public content files.
-# miscfiles_read_public_files(gitd_t)
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var(git_system_t)
tunable_policy(`git_system_enable_homedirs', `
- userdom_search_user_home_dirs(gitd_t)
+ userdom_search_user_home_dirs(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
- fs_list_nfs(gitd_t)
- fs_read_nfs_files(gitd_t)
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
- fs_list_cifs(gitd_t)
- fs_read_cifs_files(gitd_t)
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_cifs', `
- fs_list_cifs(gitd_t)
- fs_read_cifs_files(gitd_t)
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_nfs', `
- fs_list_nfs(gitd_t)
- fs_read_nfs_files(gitd_t)
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
')
########################################
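Review bot: `type git_session_content_t, git_content;` replaces git_home_t without a compatibility alias, unlike the system content type, which keeps `typealias git_system_content_t alias git_data_t;`. Repository files already labeled git_home_t in user home directories will in practice carry a type the new policy does not know, so git_session_t loses access to them until a relabel; adding `typealias git_session_content_t alias git_home_t;` after the declaration avoids that. The same consideration applies to the removed domain type gitd_session_t if anything outside this module refers to it.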
@@ -144,24 +142,24 @@
# Git daemon session repository private policy.
#
-list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
-read_files_pattern(gitd_session_t, git_home_t, git_home_t)
-userdom_search_user_home_dirs(gitd_session_t)
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
-userdom_use_user_terminals(gitd_session_t)
+userdom_use_user_terminals(git_session_t)
tunable_policy(`git_session_bind_all_unreserved_ports', `
- corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
')
tunable_policy(`use_nfs_home_dirs', `
- fs_list_nfs(gitd_session_t)
- fs_read_nfs_files(gitd_session_t)
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
')
tunable_policy(`use_samba_home_dirs', `
- fs_list_cifs(gitd_session_t)
- fs_read_cifs_files(gitd_session_t)
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
')
########################################
@@ -169,5 +167,16 @@
# cgi git Declarations
#
+optional_policy(`
apache_content_template(git)
-git_read_data_content(httpd_git_script_t)
+ git_read_session_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
+
+########################################
+#
+# Git-shell private policy.
+#
+
+#git_role_template(git_shell)
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
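Review bot: `git_read_session_content_files(httpd_git_script_t)` replaces `git_read_data_content(httpd_git_script_t)`, and git_data_t is the alias of the system content type, so the CGI domain loses read access to repositories under the system content label and gains only session (home directory) content. If gitweb is expected to serve system repositories, the system-content read interface needs calling here too; if the narrowing is intentional, a comment stating so would stop the next reader treating it as a regression. The commented-out `#git_role_template(git_shell)` and `#gen_user(...)` lines are dead policy; either remove them or replace them with a comment explaining why git-shell is not yet confined.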
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.fc serefpolicy-3.6.32/policy/modules/services/gpm.fc
--- nsaserefpolicy/policy/modules/services/gpm.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/gpm.fc 2010-02-16 22:45:57.818609498 +0100
@@ -5,3 +5,5 @@
/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0)
/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
+
+/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.32/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 2010-01-18 18:24:22.792542645 +0100
+++ serefpolicy-3.6.32/policy/modules/services/gpsd.if 2010-05-05 13:38:54.252629406 +0200
@@ -64,24 +64,3 @@
read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
fs_search_tmpfs($1)
')
-
-########################################
-## <summary>
-## Read/write gpsd tmpfs files.
-## </summary>
-## <param name="domain">
-## <summary>
-## The type of the process performing this action.
-## </summary>
-## </param>
-#
-interface(`gpsd_rw_tmpfs_files',`
- gen_require(`
- type gpsd_tmpfs_t;
- ')
-
- fs_search_tmpfs($1)
- allow $1 gpsd_tmpfs_t:dir list_dir_perms;
- rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
- read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.32/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-18 18:24:22.793530130 +0100
+++ serefpolicy-3.6.32/policy/modules/services/gpsd.te 2010-05-05 13:35:00.486880002 +0200
@@ -57,6 +57,10 @@
miscfiles_read_localization(gpsd_t)
optional_policy(`
+ chronyd_rw_shm(gpsd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(gpsd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2010-01-18 18:24:22.794542550 +0100
+++ serefpolicy-3.6.32/policy/modules/services/hal.if 2010-04-21 14:18:06.698657484 +0200
@@ -357,6 +357,24 @@
allow $1 hald_var_run_t:file read_file_perms;
')
+#######################################
+## <summary>
+## dontaudit read hald PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_dontaudit_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ dontaudit $1 hald_var_run_t:file read_file_perms;
+')
+
########################################
## <summary>
## Read/Write hald PID files.
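Review bot: The separator above the new `hal_dontaudit_read_pid_files` is one `#` shorter than the surrounding `########################################` blocks; the same applies to the new blocks in kerberos.if, ldap.if and likewise.if in this patch. Refpolicy summaries for dontaudit interfaces are usually phrased `## Do not audit attempts to read hald PID files.`; matching that keeps the generated interface documentation consistent.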
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100
+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-04-02 10:03:49.167852833 +0200
@@ -1,5 +1,5 @@
-policy_module(hal, 1.12.0)
+policy_module(hal, 1.12.1)
########################################
#
@@ -64,9 +64,9 @@
#
# execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice sys_resource dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
-allow hald_t self:process { getattr signal_perms };
+allow hald_t self:process { getsched getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -121,6 +121,7 @@
corenet_udp_sendrecv_all_ports(hald_t)
dev_rw_usbfs(hald_t)
+dev_read_rand(hald_t)
dev_read_urand(hald_t)
dev_read_input(hald_t)
dev_read_mouse(hald_t)
@@ -128,6 +129,7 @@
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_files(hald_t)
+dev_manage_generic_blk_files(hald_t)
dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
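Review bot: `dev_manage_generic_blk_files(hald_t)` grants create, write and unlink on every generic block device node, a much broader grant than the read and probe accesses around it. If this was driven by a specific denial (for instance hald creating a node for removable media), a why-comment naming that case would let a future reviewer decide whether a narrower dev_ interface or a dontaudit is enough; as it stands the reason is not visible in the hunk.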
@@ -165,7 +167,6 @@
fs_unmount_dos_fs(hald_t)
fs_manage_dos_files(hald_t)
fs_manage_fusefs_dirs(hald_t)
-fs_manage_fusefs_files(hald_t)
fs_rw_removable_blk_files(hald_t)
files_getattr_all_mountpoints(hald_t)
@@ -186,7 +187,7 @@
# hal_probe_serial causes these
term_setattr_unallocated_ttys(hald_t)
-term_dontaudit_use_unallocated_ttys(hald_t)
+term_use_unallocated_ttys(hald_t)
auth_use_nsswitch(hald_t)
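Review bot: `term_use_unallocated_ttys(hald_t)` turns what was a dontaudit into an allow of read/write on unallocated terminals, but the comment above it, `# hal_probe_serial causes these`, was written to justify silencing the denial rather than granting it. Either update the comment to say the probe genuinely needs to open the tty, or keep the dontaudit if the probe works without it; widening hald's reach into terminals should be a deliberate, documented choice.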
@@ -215,9 +216,9 @@
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
+sysnet_read_config(hald_t)
sysnet_domtrans_dhcpc(hald_t)
sysnet_domtrans_ifconfig(hald_t)
-sysnet_read_config(hald_t)
sysnet_read_dhcp_config(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
@@ -272,6 +273,10 @@
')
optional_policy(`
+ gnome_read_config(hald_t)
+')
+
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(hald_t)
')
@@ -322,11 +327,19 @@
')
optional_policy(`
+ shutdown_domtrans(hald_t)
+')
+
+optional_policy(`
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
optional_policy(`
+ usbmuxd_stream_connect(hald_t)
+')
+
+optional_policy(`
updfstab_domtrans(hald_t)
')
@@ -483,9 +496,10 @@
#
# Local hald dccm policy
#
-allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+
allow hald_dccm_t self:capability { chown net_bind_service };
allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
allow hald_dccm_t self:udp_socket create_socket_perms;
allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -508,11 +522,9 @@
write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
-dev_read_urand(hald_dccm_t)
-
kernel_search_network_sysctl(hald_dccm_t)
-hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+dev_read_urand(hald_dccm_t)
corenet_all_recvfrom_unlabeled(hald_dccm_t)
corenet_all_recvfrom_netlabel(hald_dccm_t)
@@ -525,7 +537,7 @@
corenet_tcp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_generic_node(hald_dccm_t)
corenet_udp_bind_dhcpc_port(hald_dccm_t)
-corenet_tcp_bind_ftps_port(hald_dccm_t)
+corenet_tcp_bind_ftp_port(hald_dccm_t)
corenet_tcp_bind_dccm_port(hald_dccm_t)
logging_send_syslog_msg(hald_dccm_t)
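Review bot: `corenet_tcp_bind_ftp_port(hald_dccm_t)` replaces the ftps port bind, which is a behaviour change rather than a rename unless `ftp_port_t` in this policy's corenetwork already covers the port dccm actually listens on. Worth confirming against corenetwork.te.in; if the two port types are distinct here, dccm will be denied its bind and the previous line should stay alongside the new one.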
@@ -534,6 +546,8 @@
miscfiles_read_localization(hald_dccm_t)
+hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
+
optional_policy(`
dbus_system_bus_client(hald_dccm_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.6.32/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/inn.te 2010-04-13 18:06:53.669607083 +0200
@@ -104,6 +104,8 @@
sysnet_read_config(innd_t)
+userdom_dgram_send(innd_t)
+userdom_stream_connect(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100
+++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-03-23 14:22:58.173641069 +0100
@@ -85,7 +85,7 @@
seutil_dontaudit_read_file_contexts($1)
optional_policy(`
- sssd_read_config_files($1)
+ sssd_read_public_files($1)
')
tunable_policy(`allow_kerberos',`
@@ -197,6 +197,25 @@
allow $1 krb5_keytab_t:file read_file_perms;
')
+#######################################
+## <summary>
+## Read/Write the kerberos key table.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_rw_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file rw_file_perms;
+')
+
########################################
## <summary>
## Create a derived type for kerberos keytab
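Review bot: `kerberos_rw_keytab` hands out `rw_file_perms` on krb5_keytab_t, i.e. write access to the host's long-term Kerberos keys, which is considerably more sensitive than the read interface above it. The summary should say so, e.g. `## Read and write the Kerberos key table. Grants write access to long-term keys; only for domains that legitimately manage the keytab.`, so callers (lsassd_t is the only one in this patch) are not added casually. The separator line is also one `#` short of the surrounding blocks.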
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.6.32/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-01-18 18:24:22.803539923 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te 2010-05-05 13:04:10.736879272 +0200
@@ -21,13 +21,10 @@
#
# ksmtuned local policy
#
-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
-
-# Init script handling
-domain_use_interactive_fds(ksmtuned_t)
-# internal communication is often done using fifo and unix sockets.
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
allow ksmtuned_t self:fifo_file rw_file_perms;
+
allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
@@ -43,4 +40,6 @@
files_read_etc_files(ksmtuned_t)
+term_use_all_terms(ksmtuned_t)
+
miscfiles_read_localization(ksmtuned_t)
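Review bot: `term_use_all_terms(ksmtuned_t)` lets the daemon read and write every terminal on the system, including user ptys, while the previous hunk removes the much narrower `domain_use_interactive_fds(ksmtuned_t)` that init-started daemons normally use to inherit the init script's terminal. If the denials came from the init script's console, restoring `domain_use_interactive_fds(ksmtuned_t)` (or `term_use_console(ksmtuned_t)`) is the proportionate fix; all-terminals access is hard to justify for a KSM tuning script. While here, the context line `allow ksmtuned_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, as this same patch corrects for lircd.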
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-23 14:49:51.037529698 +0100
@@ -1,5 +1,7 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
@@ -15,3 +17,4 @@
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
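Review bot: `#/var/run/slapd.* -s gen_context(...)` is a commented-out file context entry, which is dead text in an .fc file. Either drop it or make it a real entry with the dot escaped, `/var/run/slapd\..* -s gen_context(system_u:object_r:slapd_var_run_t,s0)`, since the two lines above already cover slapd\.args and slapd\.pid and only a socket would be left for it to match.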
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.6.32/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2010-01-18 18:24:22.804529993 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ldap.if 2010-04-22 18:18:40.382610878 +0200
@@ -109,6 +109,30 @@
files_search_pids($1)
allow $1 slapd_var_run_t:sock_file write;
allow $1 slapd_t:unix_stream_socket connectto;
+
+ optional_policy(`
+ ldap_stream_connect_dirsrv($1)
+ ')
+')
+
+#######################################
+## <summary>
+## Connect to dirsrv over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect_dirsrv',`
+ gen_require(`
+ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 dirsrv_var_run_t:sock_file write;
+ allow $1 dirsrv_t:unix_stream_socket connectto;
')
########################################
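Review bot: `ldap_stream_connect_dirsrv` requires `dirsrv_t` and `dirsrv_var_run_t`, types owned by the dirsrv module, so the interface sits in the wrong file: refpolicy keeps an interface with the module that declares its types, which here would be a `dirsrv_stream_connect` in dirsrv.if, called from ldap_stream_connect's optional block. Inside it, `stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)` expresses the same intent as the explicit `write`/`connectto` pair and is the idiom the rest of the tree uses. Wrapping the call in optional_policy is right, since dirsrv may not be loaded.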
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-03-09 15:08:52.333753712 +0100
@@ -28,9 +28,15 @@
type slapd_replog_t;
files_type(slapd_replog_t)
+type slapd_log_t;
+logging_log_file(slapd_log_t)
+
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
+type slapd_tmpfs_t;
+files_tmpfs_file(slapd_tmpfs_t)
+
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
@@ -68,10 +74,17 @@
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
+
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
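Review bot: `fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)` is missing the space after the second comma that every other call in this hunk has; `fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)`. Only files are managed on tmpfs while the tmp and log types get both dirs and files; if that asymmetry is intentional, a short comment above the tmpfs block would say so.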
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/likewise.fc serefpolicy-3.6.32/policy/modules/services/likewise.fc
--- nsaserefpolicy/policy/modules/services/likewise.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/likewise.fc 2010-03-23 14:08:50.367656942 +0100
@@ -0,0 +1,54 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
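Review bot: Several new entries leave `.` unescaped — `/etc/likewise-open/.pstore.lock`, `likewise-krb5-ad.conf`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and the six `/var/run/*.pid` lines — while their neighbours (`\.lsassd`, `sam\.db`) escape it. An .fc path is a regex, so an unescaped dot matches any character and the entry is looser than intended; e.g. `/etc/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)`. The `, s0` spacing in a few gen_context calls and the trailing blank line at the end of the file are also inconsistent with the rest of the tree.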
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/likewise.if serefpolicy-3.6.32/policy/modules/services/likewise.if
--- nsaserefpolicy/policy/modules/services/likewise.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/likewise.if 2010-03-23 14:08:50.368390916 +0100
@@ -0,0 +1,105 @@
+## <summary>Likewise Active Directory support for UNIX.</summary>
+## <desc>
+## <p>
+## Likewise Open is a free, open source application that joins Linux, Unix,
+## and Mac machines to Microsoft Active Directory to securely authenticate
+## users with their domain credentials.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The template to define a likewise domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new likewise daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The type of daemon to be used.
+## </summary>
+## </param>
+#
+template(`likewise_domain_template',`
+
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_var_lib_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+ domain_use_interactive_fds($1_t)
+
+ typeattribute $1_t likewise_domains;
+
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_socket_t;
+ files_type($1_var_socket_t)
+
+ type $1_var_lib_t;
+ files_type($1_var_lib_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ allow $1_t likewise_var_lib_t:dir setattr;
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+
+ manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
+
+ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
+
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ files_read_etc_files($1_t)
+ files_search_var_lib($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+')
+
+########################################
+## <summary>
+## Connect to lsassd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
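Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but the socket it connects to lives under likewise_var_lib_t (`/var/lib/likewise-open` in the new .fc), so the caller needs `files_search_var_lib($1)` to reach the directory and the pids search is unrelated. In `likewise_domain_template`, the parameter is documented as `<param name="userdomain_prefix">` with summary "The type of daemon to be used", yet it is the daemon name prefix used to form `$1_t`/`$1_exec_t`; `<param name="prefix">` with `## Prefix of the daemon domain, e.g. lsassd.` would describe it accurately. The template gives every daemon its own `_var_socket_t` but only lsassd gets a connect interface; a comment on whether the others are meant to be reachable would help.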
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/likewise.te serefpolicy-3.6.32/policy/modules/services/likewise.te
--- nsaserefpolicy/policy/modules/services/likewise.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/likewise.te 2010-03-23 14:18:31.864391648 +0100
@@ -0,0 +1,247 @@
+
+policy_module(likewise, 1.0.0)
+
+#################################
+#
+# Declarations
+#
+
+attribute likewise_domains;
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+likewise_domain_template(dcerpcd)
+permissive dcerpcd_t;
+
+likewise_domain_template(eventlogd)
+permissive eventlogd_t;
+
+likewise_domain_template(lsassd)
+permissive lsassd_t;
+
+type lsassd_tmp_t;
+files_tmp_file(lsassd_tmp_t)
+
+likewise_domain_template(lwiod)
+permissive lwiod_t;
+
+likewise_domain_template(lwregd)
+permissive lwregd_t;
+
+likewise_domain_template(lwsmd)
+permissive lwsmd_t;
+
+likewise_domain_template(netlogond)
+permissive netlogond_t;
+
+likewise_domain_template(srvsvcd)
+permissive srvsvcd_t;
+
+#################################
+#
+# Likewise dcerpcd personal policy
+#
+
+stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(dcerpcd_t)
+corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_sendrecv_generic_client_packets(dcerpcd_t)
+corenet_sendrecv_generic_server_packets(dcerpcd_t)
+corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+corenet_tcp_sendrecv_generic_node(dcerpcd_t)
+corenet_tcp_sendrecv_generic_port(dcerpcd_t)
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_epmap_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_epmap_port(dcerpcd_t)
+corenet_udp_sendrecv_generic_if(dcerpcd_t)
+corenet_udp_sendrecv_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_port(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(eventlogd_t)
+corenet_all_recvfrom_unlabeled(eventlogd_t)
+corenet_sendrecv_generic_server_packets(eventlogd_t)
+corenet_tcp_sendrecv_generic_if(eventlogd_t)
+corenet_tcp_sendrecv_generic_node(eventlogd_t)
+corenet_tcp_sendrecv_generic_port(eventlogd_t)
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_if(eventlogd_t)
+corenet_udp_sendrecv_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_port(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
+allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);
+files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
+
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+corecmd_exec_bin(lsassd_t)
+corecmd_exec_shell(lsassd_t)
+
+corenet_all_recvfrom_netlabel(lsassd_t)
+corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_tcp_sendrecv_generic_if(lsassd_t)
+corenet_tcp_sendrecv_generic_node(lsassd_t)
+corenet_tcp_sendrecv_generic_port(lsassd_t)
+corenet_tcp_bind_generic_node(lsassd_t)
+corenet_tcp_connect_epmap_port(lsassd_t)
+corenet_tcp_sendrecv_epmap_port(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+files_relabelto_home(lsassd_t)
+
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+
+optional_policy(`
+ kerberos_rw_keytab(lsassd_t)
+ kerberos_use(lsassd_t)
+')
+
+#################################
+#
+# Likewise I/O service local policy
+#
+
+allow lwiod_t self:capability { fowner chown fsetid dac_override };
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+
+corenet_all_recvfrom_netlabel(lwiod_t)
+corenet_all_recvfrom_unlabeled(lwiod_t)
+corenet_sendrecv_smbd_server_packets(lwiod_t)
+corenet_sendrecv_smbd_client_packets(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_sendrecv_generic_port(lwiod_t)
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+
+sysnet_read_config(lwiod_t)
+
+optional_policy(`
+ kerberos_rw_config(lwiod_t)
+ kerberos_use(lwiod_t)
+')
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+
+allow lwsmd_t likewise_domains:process signal;
+
+domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
+domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
+domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
+domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
+domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
+domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
+domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
+
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+allow netlogond_t self:capability {dac_override};
+
+manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+#################################
+#
+# Likewise Srv service local policy
+#
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(srvsvcd_t)
+corenet_all_recvfrom_unlabeled(srvsvcd_t)
+corenet_sendrecv_generic_server_packets(srvsvcd_t)
+corenet_tcp_sendrecv_generic_if(srvsvcd_t)
+corenet_tcp_sendrecv_generic_node(srvsvcd_t)
+corenet_tcp_sendrecv_generic_port(srvsvcd_t)
+corenet_tcp_bind_generic_node(srvsvcd_t)
+
+optional_policy(`
+ kerberos_use(srvsvcd_t)
+')
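Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where the interface's second argument is a role (it expands to `role $2 types semanage_t;`), so this should read `seutil_run_semanage(lsassd_t, system_r)`, matching `userdom_manage_home_role(system_r, lsassd_t)` a few lines above; as written it will either fail to build or declare a bogus role and leave semanage_t unreachable from system_r. `manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);` has a stray trailing `;` and `{dac_override}` lacks the usual spaces. All eight daemon domains are declared `permissive`, so none of the extensive grants for lsassd_t (manage etc files, relabelto home, run semanage, sys_time) are enforced by this module yet; a header comment stating that the module is in permissive development state, and what must be confirmed before the `permissive` lines are dropped, would make that status visible to anyone deploying it.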
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100
+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-05-05 13:42:46.172629066 +0200
@@ -1,5 +1,5 @@
-policy_module(lircd, 1.0.0)
+policy_module(lircd, 1.0.1)
########################################
#
@@ -24,9 +24,10 @@
# lircd local policy
#
-allow lircd_t self:process signal;
+allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:process { fork signal };
allow lircd_t self:unix_dgram_socket create_socket_perms;
-allow lircd_t self:fifo_file rw_file_perms;
+allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
# etc file
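Review bot: The new `allow lircd_t self:capability { chown kill sys_admin };` grants sys_admin, the broadest Linux capability, with no comment saying which lircd operation needs it. A comment recording the denial that motivated it, e.g. `# sys_admin: <operation from the AVC denial>` with the real operation filled in, would let a later maintainer check whether a narrower permission covers it. The `kill` capability also deserves a note on which non-self process lircd signals, since `self:process signal` already covers its own.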
@@ -45,7 +46,7 @@
# /dev/lircd socket
dev_filetrans(lircd_t, lircd_var_run_t, sock_file )
-dev_read_generic_usb_dev(lircd_t)
+dev_rw_generic_usb_dev(lircd_t)
dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
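Review bot: `dev_rw_generic_usb_dev(lircd_t)` widens read access on every generic USB device node to read/write without saying which receiver needs it. A one-line comment above it, such as `# write access to USB IR receivers — confirm which devices`, would document the widening; if only the lirc-labeled nodes are written, `dev_rw_lirc(lircd_t)` below may already be sufficient.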
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
@@ -55,6 +55,7 @@
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+ apache_dontaudit_leaks(mailman_cgi_t)
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100
+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100
@@ -1,5 +1,5 @@
-policy_module(memcached, 1.1.0)
+policy_module(memcached, 1.1.1)
########################################
#
@@ -22,9 +22,12 @@
#
allow memcached_t self:capability { setuid setgid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { fork setrlimit signal_perms };
allow memcached_t self:tcp_socket create_stream_socket_perms;
allow memcached_t self:udp_socket { create_socket_perms listen };
allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
corenet_all_recvfrom_unlabeled(memcached_t)
corenet_udp_sendrecv_generic_if(memcached_t)
@@ -42,12 +45,15 @@
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
-files_read_etc_files(memcached_t)
-
+kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
+files_read_etc_files(memcached_t)
+
auth_use_nsswitch(memcached_t)
miscfiles_read_localization(memcached_t)
-sysnet_dns_name_resolve(memcached_t)
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-01-18 18:24:22.810530337 +0100
+++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2010-02-16 17:07:08.660598103 +0100
@@ -16,7 +16,7 @@
#
# ModemManager local policy
#
-allow modemmanager_t self:capability { sys_admin sys_tty_config };
+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
allow modemmanager_t self:process signal;
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
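Review bot: The context line `allow modemmanager_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo_file, the same pattern this patch corrects in lircd.te, so it would be consistent to change it here too: `allow modemmanager_t self:fifo_file rw_fifo_file_perms;`. The newly added `net_admin` capability covers interface, routing and netfilter configuration and carries no comment; something like `# net_admin: presumably for bringing up the modem's network interface — confirm` would record the reason.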
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-05-05 13:09:11.543628812 +0200
@@ -383,6 +383,9 @@
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+ ifdef(`hide_broken_symptoms', `
+ dontaudit system_mail_t $1:socket_class_set { read write };
+ ')
')
########################################
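Review bot: The new `dontaudit system_mail_t $1:socket_class_set { read write };` suppresses denials on every socket class of the caller's domain, and nothing in the hunk says which leaked descriptor this is for. A comment in the style already used in nagios.if, e.g. `# leaked socket fd inherited from the calling domain`, would make the suppression reviewable and easier to drop later. The enclosing interface starts outside the hunk.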
@@ -786,6 +789,25 @@
allow $1 mqueue_spool_t:dir search_dir_perms;
')
+#####################################
+## <summary>
+## List the mail queue.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
#######################################
## <summary>
## Read the mail queue.
@@ -902,3 +924,22 @@
allow $1 system_mail_t:process signal;
')
+
+#######################################
+## <summary>
+## Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mta_dontaudit_leaks_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ dontaudit $1 system_mail_t:fifo_file write;
+ dontaudit $1 system_mail_t:tcp_socket { read write };
+')
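Review bot: The summary of `mta_dontaudit_leaks_system_mail` reads `Dontaudit read and write an leaked file descriptors`, which is ungrammatical and does not match the rules, which dontaudit only write on the fifo and read/write on the tcp socket. Suggest `## Do not audit attempts to read and write leaked system_mail_t file descriptors (fifo write, tcp socket read/write).`, and likewise for `munin_dontaudit_leaks` in munin.if, which carries the same `dontaudit read and write an leaked file descriptors` summary.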
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-05-11 15:20:17.046875252 +0200
@@ -94,6 +94,7 @@
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
+ apache_dontaudit_write_tmp_files(system_mail_t)
')
optional_policy(`
@@ -132,6 +133,7 @@
optional_policy(`
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
')
optional_policy(`
@@ -148,6 +150,10 @@
')
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
+')
+
+optional_policy(`
nagios_read_tmp_files(system_mail_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.32/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2010-01-18 18:24:22.814530636 +0100
+++ serefpolicy-3.6.32/policy/modules/services/munin.fc 2010-04-13 14:26:18.277602306 +0200
@@ -6,6 +6,61 @@
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+# disk plugins
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
+/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
+
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
+
+# services plugins
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/named -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
+
+# system plugins
+/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/load -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+/usr/share/munin/plugins/users -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
+
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.32/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/munin.if 2010-04-13 15:08:54.365612326 +0200
@@ -43,6 +43,24 @@
files_search_etc($1)
')
+#####################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_leaks',`
+ gen_require(`
+ type munin_t;
+ ')
+
+ dontaudit $1 munin_t:tcp_socket { read write };
+')
+
#######################################
## <summary>
## Append to the munin log.
@@ -102,6 +120,54 @@
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
')
+######################################
+## <summary>
+## Create a set of derived types for various
+## munin plugins,
+## </summary>
+## <param name="plugins_group_name">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`munin_plugin_template',`
+
+ gen_require(`
+ type munin_t, munin_exec_t;
+ type munin_etc_t;
+ ')
+
+ type munin_$1_plugin_t;
+ type munin_$1_plugin_exec_t;
+ application_domain(munin_$1_plugin_t, munin_$1_plugin_exec_t)
+ role system_r types munin_$1_plugin_t;
+
+ type munin_$1_plugin_tmp_t;
+ files_tmp_file(munin_$1_plugin_tmp_t)
+
+ allow munin_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t)
+ manage_dirs_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t)
+ files_tmp_filetrans(munin_$1_plugin_t, munin_$1_plugin_tmp_t, { dir file })
+
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, munin_$1_plugin_exec_t, munin_$1_plugin_t)
+
+ allow munin_$1_plugin_t munin_exec_t:file read_file_perms;
+ allow munin_$1_plugin_t munin_t:tcp_socket rw_socket_perms;
+
+ read_lnk_files_pattern(munin_$1_plugin_t, munin_etc_t, munin_etc_t)
+
+ kernel_read_system_state(munin_$1_plugin_t)
+
+ corecmd_exec_bin(munin_$1_plugin_t)
+
+ miscfiles_read_localization(munin_$1_plugin_t)
+')
+
########################################
## <summary>
## All of the rules required to administrate
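Review bot: The template summary ends with a dangling comma (`## munin plugins,`) and does not mention that it also installs the domain transition from munin_t and a private tmp type; suggest `## munin plugins, including the domain transition from munin_t and a private tmp type.`. The rule `allow munin_$1_plugin_t munin_t:tcp_socket rw_socket_perms;` is the only one in the template that touches another domain's object and has no comment; if it is for the inherited munin-node client connection on which plugins write their output, say so with `# plugins write their output to the inherited munin-node connection — confirm`.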
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100
+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-05-21 13:20:57.917140425 +0200
@@ -28,6 +28,20 @@
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
+# munin plugins declaration
+
+munin_plugin_template(disk)
+permissive munin_disk_plugin_t;
+
+munin_plugin_template(mail)
+permissive munin_mail_plugin_t;
+
+munin_plugin_template(services)
+permissive munin_services_plugin_t;
+
+munin_plugin_template(system)
+permissive munin_system_plugin_t;
+
########################################
#
# Local policy
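Review bot: The four `permissive munin_*_plugin_t;` statements make the new plugin domains log-only, so none of the rules added for them later in this file are actually enforced. If that is deliberate for an initial rollout, a comment such as `# TODO: drop permissive once the plugin policy has been exercised` above the block would make the intent and the removal condition explicit. The same applies to the `permissive nagios_admin_plugin_t;` and `permissive nagios_mail_plugin_t;` lines added in nagios.te.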
@@ -134,6 +148,7 @@
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
+ mta_list_queue(munin_t)
mta_read_queue(munin_t)
')
@@ -166,3 +181,153 @@
optional_policy(`
udev_read_db(munin_t)
')
+
+###################################
+#
+# local policy for disk plugins
+#
+
+allow munin_disk_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(munin_disk_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+corenet_tcp_connect_hddtemp_port(munin_disk_plugin_t)
+
+corecmd_exec_shell(munin_disk_plugin_t)
+
+files_read_etc_files(munin_disk_plugin_t)
+files_read_etc_runtime_files(munin_disk_plugin_t)
+
+fs_getattr_all_fs(munin_disk_plugin_t)
+
+dev_getattr_lvm_control(munin_disk_plugin_t)
+
+dev_read_sysfs(munin_disk_plugin_t)
+dev_read_urand(munin_disk_plugin_t)
+
+storage_getattr_fixed_disk_dev(munin_disk_plugin_t)
+
+sysnet_read_config(munin_disk_plugin_t)
+
+optional_policy(`
+ hddtemp_exec(munin_disk_plugin_t)
+')
+
+optional_policy(`
+ fstools_exec(munin_disk_plugin_t)
+')
+
+####################################
+#
+# local policy for mail plugins
+#
+
+allow munin_mail_plugin_t self:capability dac_override;
+
+rw_files_pattern(munin_mail_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+dev_read_urand(munin_mail_plugin_t)
+
+files_read_etc_files(munin_mail_plugin_t)
+
+fs_getattr_all_fs(munin_mail_plugin_t)
+
+logging_read_generic_logs(munin_mail_plugin_t)
+
+mta_read_config(munin_mail_plugin_t)
+mta_send_mail(munin_mail_plugin_t)
+mta_list_queue(munin_mail_plugin_t)
+mta_read_queue(munin_mail_plugin_t)
+
+optional_policy(`
+ postfix_read_config(munin_mail_plugin_t)
+ postfix_list_spool(munin_mail_plugin_t)
+ postfix_getattr_spool_files(munin_mail_plugin_t)
+')
+
+optional_policy(`
+ sendmail_read_log(munin_mail_plugin_t)
+')
+
+###################################
+#
+# local policy for service plugins
+#
+
+allow munin_services_plugin_t self:tcp_socket create_stream_socket_perms;
+allow munin_services_plugin_t self:udp_socket create_socket_perms;
+allow munin_services_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_all_ports(munin_services_plugin_t)
+corenet_tcp_connect_http_port(munin_services_plugin_t)
+
+corecmd_exec_shell(munin_services_plugin_t)
+
+dev_read_urand(munin_services_plugin_t)
+dev_read_rand(munin_services_plugin_t)
+
+fs_getattr_all_fs(munin_services_plugin_t)
+
+files_read_etc_files(munin_services_plugin_t)
+
+sysnet_read_config(munin_services_plugin_t)
+
+optional_policy(`
+ cups_stream_connect(munin_services_plugin_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(munin_services_plugin_t)
+')
+
+optional_policy(`
+ mysql_read_config(munin_services_plugin_t)
+ mysql_stream_connect(munin_services_plugin_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(munin_services_plugin_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(munin_services_plugin_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(munin_services_plugin_t)
+')
+
+optional_policy(`
+ varnishd_read_lib_files(munin_services_plugin_t)
+')
+
+##################################
+#
+# local policy for system plugins
+#
+
+allow munin_system_plugin_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(munin_system_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+kernel_read_network_state(munin_system_plugin_t)
+kernel_read_all_sysctls(munin_system_plugin_t)
+
+corecmd_exec_shell(munin_system_plugin_t)
+
+files_read_etc_files(munin_system_plugin_t)
+
+fs_getattr_all_fs(munin_system_plugin_t)
+
+dev_read_sysfs(munin_system_plugin_t)
+dev_read_urand(munin_system_plugin_t)
+
+domain_read_all_domains_state(munin_system_plugin_t)
+
+term_getattr_all_ptys(munin_system_plugin_t)
+
+# needed by users plugin
+init_read_utmp(munin_system_plugin_t)
+
+sysnet_exec_ifconfig(munin_system_plugin_t)
+
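Review bot: `corenet_tcp_connect_http_port(munin_services_plugin_t)` is redundant immediately after `corenet_tcp_connect_all_ports(munin_services_plugin_t)`, which already includes it; either drop the http line or, preferably, replace the all-ports call with the specific port interfaces the listed plugins need, since a monitoring plugin domain that may connect to any TCP port is a wide grant. If all ports really are required, a comment naming which plugins drive it (e.g. `# snmp_, squid_, tomcat_, varnish_ ... use user-configured ports`) would document that. The hunk also adds a trailing blank line at end of file.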
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-03-23 12:51:57.104389985 +0100
@@ -44,7 +44,7 @@
# Local policy
#
-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+allow mysqld_t self:capability { dac_override setgid setuid sys_resource ipc_lock net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
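Review bot: The added `ipc_lock` capability for mysqld_t has no comment explaining which feature needs it. A short note such as `# ipc_lock: presumably for memory locking (--memlock) — confirm` would keep the capability list auditable.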
@@ -56,6 +56,7 @@
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
allow mysqld_t mysqld_etc_t:file read_file_perms;
@@ -145,8 +146,12 @@
allow mysqld_safe_t self:capability { kill dac_override fowner chown };
dontaudit mysqld_safe_t self:capability sys_ptrace;
+allow mysqld_safe_t self:process { setsched getsched };
+
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_safe_t mysqld_t:process signal_perms;
+
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -156,6 +161,7 @@
domain_read_all_domains_state(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-02-15 12:58:59.258318229 +0100
@@ -23,30 +23,68 @@
/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-
+# admin plugins
+/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+
+# mail plugins
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
# services plugins
/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
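Review bot: `check_breeze` and `check_dummy` are placed under the `# system plugins` header but labeled `nagios_services_plugin_exec_t`, so either the label or the placement is wrong; moving the two lines under `# services plugins` (alphabetically before `check_cluster` and after `check_dns`) would resolve the inconsistency. The new `# unconfined plugins` entry labels `check_by_ssh` as `nagios_unconfined_plugin_exec_t`, which the nagios.te hunk makes an unconfined domain; a comment giving the reason (ssh client execution, presumably) would help reviewers judge the grant.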
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-03-01 16:06:40.837490351 +0100
@@ -119,6 +119,26 @@
read_files_pattern($1, nagios_log_t, nagios_log_t)
')
+#######################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_rw_inerited_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
+')
+
########################################
## <summary>
## Create a set of derived types for various
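Review bot: The new interface name `nagios_rw_inerited_tmp_files` misspells "inherited"; since interface names are the module's public API and renaming later breaks callers, it should be `interface(`nagios_rw_inherited_tmp_files',`` before it is used elsewhere. The summary also says the domain is allowed to "read" nagios temporary files while the body grants `rw_inherited_file_perms`; suggest `## Allow the specified domain to read and write inherited nagios temporary files.`.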
@@ -134,6 +154,7 @@
gen_require(`
type nagios_t, nrpe_t;
+ type nagios_log_t, nagios_tmp_t;
')
type nagios_$1_plugin_t;
@@ -150,8 +171,15 @@
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+ allow nagios_t nagios_$1_plugin_t:process signal_perms;
+
+ allow nagios_$1_plugin_t nagios_tmp_t:file rw_inherited_file_perms;
+
# cjp: leaked file descriptor
dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
+ files_search_tmp(nagios_$1_plugin_t)
miscfiles_read_localization(nagios_$1_plugin_t)
')
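Review bot: The added `dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };` now sits under the existing `# cjp: leaked file descriptor` comment, which was written for the nrpe_t socket line above it. If the log file is also an inherited descriptor, say so with `# leaked nagios log fd inherited from nagios_t`; otherwise give it its own comment so the suppression is not mistaken for part of the nrpe leak. The enclosing template starts outside the hunk.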
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-03-19 07:58:48.047611543 +0100
@@ -45,10 +45,18 @@
type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)
+# creates nagios_admin_plugin_exec_t for executable
+# and nagios_admin_plugin_t for domain
+nagios_plugin_template(admin)
+
# creates nagios_checkdisk_plugin_exec_t for executable
# and nagios_checkdisk_plugin_t for domain
nagios_plugin_template(checkdisk)
+# creates nagios_mail_plugin_exec_t for executable
+# and nagios_mail_plugin_t for domain
+nagios_plugin_template(mail)
+
# creates nagios_services_plugin_exec_t for executable
# and nagios_services_plugin_t for domain
nagios_plugin_template(services)
@@ -66,7 +74,9 @@
unconfined_domain(nagios_unconfined_plugin_t)
')
+permissive nagios_admin_plugin_t;
permissive nagios_checkdisk_plugin_t;
+permissive nagios_mail_plugin_t;
permissive nagios_services_plugin_t;
permissive nagios_system_plugin_t;
@@ -82,9 +92,6 @@
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;
-# needed by command.cfg
-can_exec(nagios_t, nagios_checkdisk_plugin_exec_t)
-
read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;
@@ -100,7 +107,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
-rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
@@ -118,6 +126,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
@@ -253,6 +264,11 @@
')
optional_policy(`
+ mta_dontaudit_leaks_system_mail(nrpe_t)
+ mta_send_mail(nrpe_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(nrpe_t)
')
@@ -264,6 +280,66 @@
udev_read_db(nrpe_t)
')
+#####################################
+#
+# local policy for admin check plugins
+#
+
+corecmd_read_bin_files(nagios_admin_plugin_t)
+corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
+dev_read_urand(nagios_admin_plugin_t)
+
+files_read_etc_files(nagios_admin_plugin_t)
+
+# for check_file_age plugin
+files_getattr_all_dirs(nagios_admin_plugin_t)
+files_getattr_all_files(nagios_admin_plugin_t)
+files_getattr_all_symlinks(nagios_admin_plugin_t)
+files_getattr_all_pipes(nagios_admin_plugin_t)
+files_getattr_all_sockets(nagios_admin_plugin_t)
+files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+dev_getattr_all_chr_files(nagios_admin_plugin_t)
+dev_getattr_all_blk_files(nagios_admin_plugin_t)
+
+######################################
+#
+# local policy for mail check plugins
+#
+
+allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(nagios_mail_plugin_t)
+kernel_read_kernel_sysctls(nagios_mail_plugin_t)
+
+corecmd_read_bin_files(nagios_mail_plugin_t)
+corecmd_read_bin_symlinks(nagios_mail_plugin_t)
+
+dev_read_urand(nagios_mail_plugin_t)
+
+files_read_etc_files(nagios_mail_plugin_t)
+
+libs_use_lib_files(nagios_mail_plugin_t)
+libs_use_ld_so(nagios_mail_plugin_t)
+
+logging_send_syslog_msg(nagios_mail_plugin_t)
+
+sysnet_read_config(nagios_mail_plugin_t)
+
+nscd_dontaudit_search_pid(nagios_mail_plugin_t)
+
+optional_policy(`
+ mta_send_mail(nagios_mail_plugin_t)
+')
+
+optional_policy(`
+ postfix_stream_connect_master(nagios_mail_plugin_t)
+ posftix_exec_postqueue(nagios_mail_plugin_t)
+')
######################################
#
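Review bot: `posftix_exec_postqueue(nagios_mail_plugin_t)` near the end of the hunk is misspelled; the interface is presumably `postfix_exec_postqueue` (matching `postfix_stream_connect_master` on the line above), and an unknown interface name is left unexpanded by m4 and fails the policy build instead of being silently ignored. The line should read `postfix_exec_postqueue(nagios_mail_plugin_t)`. Separately, `allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };` grants dac_override to a domain whose other rules are limited to mail-queue checks, and since the `@@ -66` hunk also makes it permissive the grant will never be exercised until then; a one-line comment naming which check needs to bypass file permissions would make that rule reviewable later.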
@@ -290,6 +366,8 @@
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+kernel_read_system_state(nagios_services_plugin_t)
+
corecmd_exec_bin(nagios_services_plugin_t)
corenet_tcp_connect_all_ports(nagios_services_plugin_t)
@@ -315,6 +393,10 @@
mysql_stream_connect(nagios_services_plugin_t)
')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
+')
+
######################################
#
# local policy for system check plugins
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-01-18 18:24:22.823530245 +0100
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2010-02-01 18:05:10.499091573 +0100
@@ -17,6 +17,7 @@
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wicd.* gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
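Review bot: `/var/log/wicd.*` on the added line has no file-type qualifier, unlike `/var/log/wpa_supplicant.* --` directly below it, so it also matches directories and anything else with that prefix, and it overlaps the existing `/var/log/wicd(/.*)?` entry for the directory tree. Since both map to NetworkManager_log_t the overlap is harmless, but to stay consistent with the sibling log entry and limit the match to regular files I would write `/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)`.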
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-01-18 18:24:22.824530931 +0100
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2010-03-09 17:28:17.089383297 +0100
@@ -199,3 +199,22 @@
role $2 types NetworkManager_t;
')
+#######################################
+## <summary>
+## Allow caller to relabel tun_socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_attach_tun_iface',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
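Review bot: The summary of `networkmanager_attach_tun_iface` ("Allow caller to relabel tun_socket") undersells what the two rules grant: `relabelfrom` on NetworkManager_t:tun_socket plus `relabelto` on self lets the caller take ownership of any TUN/TAP device NetworkManager_t has created, not one specific device, because nothing scopes the relabel per interface. I would say so in the summary, e.g. `Allow the caller to attach to (take over) TUN/TAP devices created by NetworkManager by relabeling them from NetworkManager_t to its own context.`, so it is only handed to helpers NetworkManager itself spawns. The last added line is an empty line at end of file and should be dropped.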
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-05-21 14:13:59.753140461 +0200
@@ -45,12 +45,14 @@
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
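Review bot: `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets the daemon execute files out of its own temporary directory, which is the pattern that turns any write into NetworkManager_tmp_t into code execution in NetworkManager_t, and the rule carries no comment saying which helper needs it. If it is genuinely required (helper scripts written to tmp, presumably — I cannot confirm from this hunk), it should get a why-comment such as `# NetworkManager writes and runs helper scripts in its tmp dir` and, where possible, be narrowed to a dedicated exec type rather than the whole tmp type. The new `self:tun_socket { create_socket_perms relabelfrom relabelto }` line is consistent with `vpn_relabelfrom_tun_socket` added in the later hunk of this file.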
@@ -180,7 +182,7 @@
')
optional_policy(`
- consoletype_exec(NetworkManager_t)
+ consoletype_domtrans(NetworkManager_t)
')
optional_policy(`
@@ -269,6 +271,7 @@
optional_policy(`
vpn_domtrans(NetworkManager_t)
vpn_kill(NetworkManager_t)
+ vpn_relabelfrom_tun_socket(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
@@ -14,3 +14,8 @@
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-02-16 16:52:00.477848263 +0100
@@ -47,6 +47,9 @@
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
@@ -56,7 +59,7 @@
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
allow ypbind_t self:fifo_file rw_fifo_file_perms;
-allow ypbind_t self:process signal_perms;
+allow ypbind_t self:process { signal_perms getsched };
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -312,6 +315,9 @@
allow ypxfr_t ypserv_conf_t:file read_file_perms;
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.32/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-18 18:24:22.834540025 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ntp.te 2010-05-05 13:39:16.557631066 +0200
@@ -97,6 +97,7 @@
dev_read_sysfs(ntpd_t)
# for SSP
dev_read_urand(ntpd_t)
+dev_rw_realtime_clock(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
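Review bot: `dev_rw_realtime_clock(ntpd_t)` is appended directly under the `# for SSP` comment that belongs to `dev_read_urand`, so a reader will attribute the wrong reason to it. Give it its own comment naming the actual need (presumably keeping the hardware clock in sync through the RTC device — confirm), e.g. `# ntpd updates the RTC` on the line above it.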
@@ -134,7 +135,6 @@
optional_policy(`
gpsd_rw_shm(ntpd_t)
- gpsd_rw_tmpfs_files(ntpd_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-01-18 18:24:22.836530501 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nut.te 2010-03-15 12:18:24.764614391 +0100
@@ -96,9 +96,6 @@
kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
-# creates /etc/killpower
-#files_manage_etc_files(nut_upsmon_t)
-
# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
@@ -118,6 +115,12 @@
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)
+mta_send_mail(nut_upsmon_t)
+
+optional_policy(`
+ shutdown_domtrans(nut_upsmon_t)
+')
+
########################################
#
# Local policy for upsdrvctl
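Review bot: `mta_send_mail(nut_upsmon_t)` is called unconditionally while `shutdown_domtrans(nut_upsmon_t)` right below it is wrapped in `optional_policy`, and the nagios.te hunk in this same patch wraps `mta_send_mail(nrpe_t)` in `optional_policy` too. For consistency and so the nut module does not hard-depend on mta being loaded, move it into its own `optional_policy(` ... `')` block. `shutdown_domtrans` gives upsmon the ability to power the machine down, which is its job on battery exhaustion and it already has `init_telinit` above, so that part reads as intended.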
@@ -140,7 +143,6 @@
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
# /sbin/upsdrvctl executes other drivers
-# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
corecmd_exec_bin(nut_upsdrvctl_t)
corecmd_exec_sbin(nut_upsdrvctl_t)
@@ -177,7 +179,6 @@
corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
-# corenet_tcp_connect_generic_port(httpd_nutups_cgi_script_t)
corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
@@ -18,6 +18,24 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
')
+#######################################
+## <summary>
+## Execute the NX server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_exec_server',`
+ gen_require(`
+ type nx_server_exec_t;
+ ')
+
+ can_exec($1, nx_server_exec_t)
+')
+
########################################
## <summary>
## Read nx home directory content
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-04-21 14:15:29.816658068 +0200
@@ -36,6 +36,9 @@
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)
+type openvpn_tmp_t;
+files_tmp_file(openvpn_tmp_t)
+
########################################
#
# openvpn local policy
@@ -65,6 +68,9 @@
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
@@ -85,6 +91,7 @@
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
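Review bot: `corenet_tcp_bind_http_port(openvpn_t)` unconditionally lets openvpn listen on every port labeled http_port_t (80 and 443 among others), not only the one a site runs its VPN on, and nothing in the hunk says why. Running OpenVPN on 443 for firewall traversal is a known deployment, but it is site-specific, so this belongs behind a tunable (the file already has `openvpn_enable_homedirs` for an analogous opt-in) or at minimum a comment, `# openvpn may be configured to listen on an HTTPS port for firewall traversal`, so the grant is not mistaken for a default need.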
@@ -102,6 +109,9 @@
auth_use_pam(openvpn_t)
+init_read_utmp(openvpn_t)
+init_dontaudit_write_utmp(openvpn_t)
+
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
@@ -112,6 +122,7 @@
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
+userdom_read_home_certs(openvpn_t)
userdom_use_user_terminals(openvpn_t)
tunable_policy(`openvpn_enable_homedirs',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.6.32/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.fc 2010-03-03 10:39:47.602620848 +0100
@@ -0,0 +1,9 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.6.32/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.if 2010-03-03 10:39:47.604621019 +0100
@@ -0,0 +1,322 @@
+## <summary>policy for plymouthd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+')
+
+########################################
+## <summary>
+## Execute the plymoth daemon in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+ can_exec($1, plymouthd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the plymoth command in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+ can_exec($1, plymouth_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run plymouthd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+')
+
+
+########################################
+## <summary>
+## Read plymouthd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 plymouthd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage plymouthd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_var_run', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Search plymouthd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage plymouthd var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_var_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Search plymouthd spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_search_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Read plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_read_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## plymouthd spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage plymouthd spool files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`plymouthd_manage_spool', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+
+ manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+ manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+ manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an plymouthd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`plymouthd_admin', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, plymouthd_t, plymouthd_t)
+
+ plymouthd_manage_var_run($1)
+
+ plymouthd_manage_var_lib($1)
+
+ plymouthd_manage_spool($1)
+')
+
+########################################
+## <summary>
+## Allow domain to Stream socket connect
+## to Plymouth daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_stream_connect', `
+ gen_require(`
+ type plymouthd_t;
+ ')
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
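Review bot: `plymouthd_admin` documents a second `role` parameter and carries `<rolecap/>`, but its body only ever uses `$1`, so the XML and the implementation disagree and generated interface documentation will advertise a parameter that does nothing; either drop the `role` param block and `<rolecap/>` or add the rules that consume `$2`. The summaries of `plymouthd_exec` and `plymouthd_exec_plymouth` say "plymoth", `plymouthd_admin` says "an plymouthd environment", and both `can_exec` interfaces describe their parameter as "Domain allowed to transition" although no domain transition happens there — `Domain allowed access.` is the right text, as used by the other interfaces in the file.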
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.6.32/policy/modules/services/plymouthd.te
--- nsaserefpolicy/policy/modules/services/plymouthd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.te 2010-05-05 14:14:20.776880043 +0200
@@ -0,0 +1,108 @@
+policy_module(plymouthd, 1.0.0)
+
+########################################
+#
+# Plymouthd private declarations
+#
+
+type plymouthd_t;
+type plymouthd_exec_t;
+init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+
+type plymouthd_var_run_t;
+files_pid_file(plymouthd_var_run_t)
+
+type plymouthd_var_lib_t;
+files_type(plymouthd_var_lib_t)
+
+type plymouthd_spool_t;
+files_type(plymouthd_spool_t)
+
+########################################
+#
+# Plymouth private declarations
+#
+
+type plymouth_t;
+type plymouth_exec_t;
+application_domain(plymouth_t, plymouth_exec_t)
+role system_r types plymouth_t;
+
+########################################
+#
+# Plymouthd private policy
+#
+
+allow plymouthd_t self:capability { sys_admin sys_tty_config };
+dontaudit plymouthd_t self:capability dac_override;
+allow plymouthd_t self:process signal;
+allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouthd_t)
+kernel_request_load_module(plymouthd_t)
+kernel_change_ring_buffer_level(plymouthd_t)
+
+dev_rw_dri(plymouthd_t)
+dev_read_sysfs(plymouthd_t)
+dev_read_framebuffer(plymouthd_t)
+dev_write_framebuffer(plymouthd_t)
+
+domain_use_interactive_fds(plymouthd_t)
+
+files_read_etc_files(plymouthd_t)
+files_read_usr_files(plymouthd_t)
+
+miscfiles_read_localization(plymouthd_t)
+miscfiles_read_fonts(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
+
+########################################
+#
+# Plymouth private policy
+#
+
+allow plymouth_t self:process { signal };
+allow plymouth_t self:fifo_file rw_file_perms;
+allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(plymouth_t)
+kernel_stream_connect(plymouth_t)
+
+domain_use_interactive_fds(plymouth_t)
+
+files_read_etc_files(plymouth_t)
+
+miscfiles_read_localization(plymouth_t)
+
+sysnet_read_config(plymouth_t)
+
+term_use_ptmx(plymouth_t)
+
+plymouthd_stream_connect(plymouth_t)
+
+optional_policy(`
+ lvm_domtrans(plymouth_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
+
+ pppd_dontaudit_rw_packet_sockets(plymouth_t)
+')
+')
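Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` uses the regular-file permission set on a fifo, whereas the daemon section above uses `rw_fifo_file_perms` for the same purpose; write it as `allow plymouth_t self:fifo_file rw_fifo_file_perms;` so the macro documents intent and stays correct even if the two sets ever diverge. `allow plymouthd_t self:capability { sys_admin sys_tty_config };` grants CAP_SYS_ADMIN with no comment; since that capability is close to root-equivalent, the line should say what plymouthd needs it for (presumably VT/framebuffer ioctls — confirm) so a later reviewer can check whether a narrower right suffices. Minor: `files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, ...)` and `files_spool_filetrans(plymouthd_t,plymouthd_spool_t, ...)` lack the space after the first comma used everywhere else in the file.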
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.32/policy/modules/services/plymouth.fc
--- nsaserefpolicy/policy/modules/services/plymouth.fc 2010-01-18 18:24:22.846530865 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouth.fc 1970-01-01 01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 2010-01-18 18:24:22.847540282 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 1970-01-01 01:00:00.000000000 +0100
@@ -1,304 +0,0 @@
-## <summary>policy for plymouthd</summary>
-
-########################################
-## <summary>
-## Execute a domain transition to run plymouthd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`plymouth_domtrans', `
- gen_require(`
- type plymouthd_t, plymouthd_exec_t;
- ')
-
- domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
-')
-
-########################################
-## <summary>
-## Execute a plymoth command in the current domain
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`plymouth_exec_plymouth', `
- gen_require(`
- type plymouth_exec_t;
- ')
-
- can_exec($1, plymouth_exec_t)
-')
-
-########################################
-## <summary>
-## Execute a domain transition to run plymouthd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`plymouth_domtrans_plymouth', `
- gen_require(`
- type plymouth_t, plymouth_exec_t;
- ')
-
- domtrans_pattern($1, plymouth_exec_t, plymouth_t)
-')
-
-
-########################################
-## <summary>
-## Read plymouthd PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_read_pid_files', `
- gen_require(`
- type plymouthd_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 plymouthd_var_run_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-## Manage plymouthd var_run files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_manage_var_run', `
- gen_require(`
- type plymouthd_var_run_t;
- ')
-
- manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
- manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
- manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
-')
-
-
-########################################
-## <summary>
-## Search plymouthd lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_search_lib', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
-
- allow $1 plymouthd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-## Read plymouthd lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_read_lib_files', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## plymouthd lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_manage_lib_files', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage plymouthd var_lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_manage_var_lib', `
- gen_require(`
- type plymouthd_var_lib_t;
- ')
-
- manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
- manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
- manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
-')
-
-
-########################################
-## <summary>
-## Search plymouthd spool directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_search_spool', `
- gen_require(`
- type plymouthd_spool_t;
- ')
-
- allow $1 plymouthd_spool_t:dir search_dir_perms;
- files_search_spool($1)
-')
-
-########################################
-## <summary>
-## Read plymouthd spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_read_spool_files', `
- gen_require(`
- type plymouthd_spool_t;
- ')
-
- files_search_spool($1)
- read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## plymouthd spool files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_manage_spool_files', `
- gen_require(`
- type plymouthd_spool_t;
- ')
-
- files_search_spool($1)
- manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
-')
-
-########################################
-## <summary>
-## Allow domain to manage plymouthd spool files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-#
-interface(`plymouth_manage_spool', `
- gen_require(`
- type plymouthd_spool_t;
- ')
-
- manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
- manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
- manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an plymouthd environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`plymouth_admin', `
- gen_require(`
- type plymouthd_t;
- ')
-
- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
-
- plymouthd_manage_var_run($1)
-
- plymouthd_manage_var_lib($1)
-
- plymouthd_manage_spool($1)
-')
-
-########################################
-## <summary>
-## Allow domain to Stream socket connect
-## to Plymouth daemon.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`plymouth_stream_connect', `
- gen_require(`
- type plymouthd_t;
- ')
-
- allow $1 plymouthd_t:unix_stream_socket connectto;
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-policy_module(plymouthd, 1.0.0)
-
-########################################
-#
-# Plymouthd private declarations
-#
-
-type plymouthd_t;
-type plymouthd_exec_t;
-init_daemon_domain(plymouthd_t, plymouthd_exec_t)
-
-permissive plymouthd_t;
-
-type plymouthd_var_run_t;
-files_pid_file(plymouthd_var_run_t)
-
-type plymouthd_var_lib_t;
-files_type(plymouthd_var_lib_t)
-
-type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
-
-########################################
-#
-# Plymouth private declarations
-#
-
-type plymouth_t;
-type plymouth_exec_t;
-init_daemon_domain(plymouth_t, plymouth_exec_t)
-
-permissive plymouth_t;
-
-########################################
-#
-# Plymouthd private policy
-#
-
-allow plymouthd_t self:capability { sys_admin sys_tty_config };
-allow plymouthd_t self:process { signal };
-allow plymouthd_t self:fifo_file rw_fifo_file_perms;
-allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
-
-kernel_read_system_state(plymouthd_t)
-kernel_request_load_module(plymouthd_t)
-kernel_change_ring_buffer_level(plymouthd_t)
-
-dev_rw_dri(plymouthd_t)
-dev_read_sysfs(plymouthd_t)
-dev_read_framebuffer(plymouthd_t)
-dev_write_framebuffer(plymouthd_t)
-
-domain_use_interactive_fds(plymouthd_t)
-
-files_read_etc_files(plymouthd_t)
-files_read_usr_files(plymouthd_t)
-
-miscfiles_read_localization(plymouthd_t)
-miscfiles_read_fonts(plymouthd_t)
-
-manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
-
-manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
-manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
-files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
-
-manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
-manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
-manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
-files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
-
-########################################
-#
-# Plymouth private policy
-#
-
-allow plymouth_t self:process { signal };
-allow plymouth_t self:fifo_file rw_file_perms;
-allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
-
-kernel_stream_connect(plymouth_t)
-
-domain_use_interactive_fds(plymouth_t)
-
-files_read_etc_files(plymouth_t)
-
-miscfiles_read_localization(plymouth_t)
-
-plymouth_stream_connect(plymouth_t)
-
-optional_policy(`
- lvm_domtrans(plymouth_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-optional_policy(`
- hal_dontaudit_write_log(plymouth_t)
- hal_dontaudit_rw_pipes(plymouth_t)
-')
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-04-22 18:10:13.476860158 +0200
@@ -1,5 +1,5 @@
-policy_module(policykit, 1.0.1)
+policy_module(policykit, 1.1.0)
########################################
#
@@ -36,8 +36,8 @@
# policykit local policy
#
-allow policykit_t self:capability { setgid setuid sys_ptrace };
-allow policykit_t self:process { getsched getattr };
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
+allow policykit_t self:process { getsched getattr signal };
allow policykit_t self:fifo_file rw_fifo_file_perms;
allow policykit_t self:unix_dgram_socket create_socket_perms;
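Review bot: The new `dac_override` and `dac_read_search` grants for policykit_t carry no comment saying which access needs a DAC bypass, and the pair overlaps: `dac_read_search` only bypasses read and search checks, while `dac_override` also bypasses write and execute checks, so granting both is at best redundant and at worst wider than polkitd needs. If the denial behind this was a read of a file owned by another uid (for example via the `gnome_read_config` call added further down in this file), `dac_read_search` alone should cover it. I would keep the narrower capability and record the reason, e.g. `# polkitd reads config owned by another uid; dac_read_search suffices -- TODO confirm` above the allow rule.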
@@ -61,9 +61,9 @@
kernel_read_system_state(policykit_t)
kernel_read_kernel_sysctls(policykit_t)
-files_dontaudit_search_all_mountpoints(policykit_t)
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
+files_dontaudit_search_all_mountpoints(policykit_t)
fs_list_inotifyfs(policykit_t)
@@ -89,14 +89,18 @@
')
')
+optional_policy(`
+ gnome_read_config(policykit_t)
+')
+
########################################
#
# polkit_auth local policy
#
allow policykit_auth_t self:capability { setgid setuid };
-dontaudit policykit_auth_t self:capability { sys_tty_config };
-allow policykit_auth_t self:process { getattr getsched };
+dontaudit policykit_auth_t self:capability sys_tty_config;
+allow policykit_auth_t self:process { getattr getsched signal };
allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
@@ -115,6 +119,10 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+
+dev_read_video_dev(policykit_auth_t)
+
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
files_search_home(policykit_auth_t)
@@ -129,8 +137,11 @@
miscfiles_read_localization(policykit_auth_t)
miscfiles_read_fonts(policykit_auth_t)
+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
optional_policy(`
dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
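Review bot: `userdom_read_admin_home_files(policykit_auth_t)` lets the authentication agent read everything under the admin home directory, while the line directly above only dontaudits reads of user home content; the asymmetry is not explained. If the agent merely probes `~root` the way it probes user homes, a dontaudit equivalent (if the userdom module provides one) would silence the denial without exposing root's files, which may include credentials. Otherwise document the need, e.g. `# polkit agent reads ~root/<file> when started from a root session -- TODO name the file`. The `optional_policy` block that follows continues past the end of the hunk.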
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.32/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-01-18 18:24:22.853540347 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.if 2010-02-15 12:27:32.822569677 +0100
@@ -395,6 +395,25 @@
can_exec($1, postfix_master_exec_t)
')
+#######################################
+## <summary>
+## Connect to postfix master process using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postfix_stream_connect_master',`
+ gen_require(`
+ type postfix_master_t, postfix_public_t;
+ ')
+
+stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
+')
+
########################################
## <summary>
## Create a named socket in a postfix private directory.
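Review bot: The new `postfix_stream_connect_master` interface is tagged `<rolecap/>`, but that tag marks interfaces that confer role capabilities (the admin-style ones); a plain unix-socket connect does not belong in that category and the tag will mislead the generated interface documentation. The `stream_connect_pattern` call at the end of the body also appears to lack the indentation of the `gen_require` block above it. I would drop the `## <rolecap/>` line and indent the call to match: `	stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)`. Since the pattern only covers `postfix_public_t` sockets (the smtp rule in postfix.te also uses `postfix_private_t`), the summary could say `## Connect to the postfix master process via its public unix stream socket.`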
@@ -604,6 +623,24 @@
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
')
+#######################################
+## <summary>
+## Execute the master postqueue in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`posftix_exec_postqueue',`
+ gen_require(`
+ type postfix_postqueue_exec_t;
+ ')
+
+ can_exec($1, postfix_postqueue_exec_t)
+')
+
########################################
## <summary>
## Execute the master postdrop in the
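Review bot: The new interface name is misspelled: `interface(`posftix_exec_postqueue',` should be `interface(`postfix_exec_postqueue',`. As written, any module that calls `postfix_exec_postqueue()` fails to build with an undefined-interface error, and the misspelled name is what the generated interface docs will export; the sibling `qmail_exec_queue` added in qmail.if in this same patch uses the correct `<module>_` prefix. The summary also says 'master postqueue' although the body only execs `postfix_postqueue_exec_t`; I would reword it to `## Execute postqueue in the caller domain.`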
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-03-15 12:17:32.531614479 +0100
@@ -307,6 +307,8 @@
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
+# Handle vacation script
+mta_send_mail(postfix_local_t)
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -443,6 +445,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
+ spamassassin_kill_client(postfix_pipe_t)
')
optional_policy(`
@@ -459,6 +462,8 @@
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
@@ -486,7 +491,7 @@
')
optional_policy(`
- sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
')
optional_policy(`
@@ -573,6 +578,8 @@
# Postfix smtp delivery local policy
#
+allow postfix_smtp_t self:capability { sys_chroot };
+
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
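Review bot: `allow postfix_smtp_t self:capability { sys_chroot };` is added with no comment, and `sys_chroot` is the kind of capability the next reviewer will question. If it is needed because the smtp client is run chrooted by master.cf (the usual reason), say so: `# smtp client is chrooted into the postfix spool when master.cf enables it -- TODO confirm`. The braces around a single permission are also unnecessary; `allow postfix_smtp_t self:capability sys_chroot;` matches the style the policykit hunk in this patch moved to.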
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.32/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ppp.fc 2010-02-01 15:04:13.696080784 +0100
@@ -3,6 +3,8 @@
#
/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
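Review bot: The new file context `/root/.ppprc` leaves the dot unescaped, so as a regex it also matches `/root/Xpprc` for any character X; the other entries in this file (`/etc/rc\.d/init\.d/ppp`) escape it. Change it to `/root/\.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)`. Labeling a file under /root as pppd_etc_t also means a relabel of the admin home will change that file's type, presumably intended so pppd can read it, but worth a one-line comment above the entry.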
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.32/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 18:24:22.859530983 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ppp.if 2010-05-05 14:14:40.154879579 +0200
@@ -339,6 +339,26 @@
init_labeled_script_domtrans($1, pppd_initrc_exec_t)
')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## pppd packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`pppd_dontaudit_rw_packet_sockets',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:packet_socket { read write };
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-03-26 07:52:50.814601031 +0100
@@ -71,7 +71,7 @@
# PPPD Local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_fifo_file_perms;
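Review bot: `sys_admin` is added to pppd_t's capability set with no comment; it is the broadest capability in that list (mount, hostname changes, many privileged ioctls) and will silently cover any future denial, so the reason should be recorded. If it was triggered by a single probe that pppd survives without, a `dontaudit pppd_t self:capability sys_admin;` next to the existing `sys_tty_config` dontaudit is the smaller change. Otherwise add `# sys_admin: <what pppd does that needs it> -- TODO confirm` above the allow rule.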
@@ -122,9 +122,11 @@
kernel_read_network_state(pppd_t)
kernel_request_load_module(pppd_t)
+dev_getattr_modem_dev(pppd_t)
dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
+dev_rw_modem(pppd_t)
corenet_all_recvfrom_unlabeled(pppd_t)
corenet_all_recvfrom_netlabel(pppd_t)
@@ -167,6 +169,7 @@
auth_use_nsswitch(pppd_t)
+logging_send_audit_msgs(pppd_t)
logging_send_syslog_msg(pppd_t)
miscfiles_read_localization(pppd_t)
@@ -192,6 +195,10 @@
')
optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(pppd_t)
+')
+
+optional_policy(`
mta_send_mail(pppd_t)
mta_system_content(pppd_etc_t)
mta_system_content(pppd_etc_rw_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100
+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100
@@ -250,6 +250,8 @@
files_read_etc_files(prelude_lml_t)
files_read_etc_runtime_files(prelude_lml_t)
+fs_getattr_all_fs(prelude_lml_t)
+fs_list_inotifyfs(prelude_lml_t)
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.if serefpolicy-3.6.32/policy/modules/services/qmail.if
--- nsaserefpolicy/policy/modules/services/qmail.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/qmail.if 2010-02-15 12:32:28.414320834 +0100
@@ -99,6 +99,24 @@
')
')
+#####################################
+## <summary>
+## Execute the qmail_queue in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qmail_exec_queue',`
+ gen_require(`
+ type qmail_queue_exec_t;
+ ')
+
+ can_exec($1, qmail_queue_exec_t)
+')
+
########################################
## <summary>
## Read qmail configuration files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.6.32/policy/modules/services/qpidd.fc
--- nsaserefpolicy/policy/modules/services/qpidd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/qpidd.fc 2010-03-23 13:40:07.842390658 +0100
@@ -0,0 +1,9 @@
+
+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0)
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.6.32/policy/modules/services/qpidd.if
--- nsaserefpolicy/policy/modules/services/qpidd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/qpidd.if 2010-03-23 13:40:07.842390658 +0100
@@ -0,0 +1,236 @@
+
+## <summary>policy for qpidd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run qpidd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qpidd_domtrans',`
+ gen_require(`
+ type qpidd_t, qpidd_exec_t;
+ ')
+
+ domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
+
+########################################
+## <summary>
+## Execute qpidd server in the qpidd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`qpidd_initrc_domtrans',`
+ gen_require(`
+ type qpidd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read qpidd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_pid_files',`
+ gen_require(`
+ type qpidd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 qpidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage qpidd var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_manage_var_run',`
+ gen_require(`
+ type qpidd_var_run_t;
+ ')
+
+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+')
+
+
+########################################
+## <summary>
+## Search qpidd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_search_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_read_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## qpidd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_manage_lib_files',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage qpidd var_lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_manage_var_lib',`
+ gen_require(`
+ type qpidd_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an qpidd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qpidd_admin',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, qpidd_t, qpidd_t)
+
+
+ gen_require(`
+ type qpidd_initrc_exec_t;
+ ')
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 qpidd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ qpidd_manage_var_run($1)
+
+ qpidd_manage_var_lib($1)
+
+')
+
+#####################################
+## <summary>
+## Allow read and write access to qpidd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
+ type qpidd_t;
+ ')
+
+ allow $1 qpidd_t:shm rw_shm_perms;
+')
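Review bot: The comment inside `qpidd_admin`, `# Allow qpidd_t to restart the apache service`, is a copy-paste leftover: the rule below it is `qpidd_initrc_domtrans($1)`, which lets the admin domain `$1` (not qpidd_t) run the qpidd init script. Replace it with `# Allow the admin domain to run the qpidd init script` and merge the second `gen_require` for `qpidd_initrc_exec_t` into the one at the top of the interface, which is the layout every other interface in this file uses. The summary also reads 'an qpidd environment'; `a qpidd environment`.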
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.6.32/policy/modules/services/qpidd.te
--- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/qpidd.te 2010-03-23 13:40:07.843391010 +0100
@@ -0,0 +1,61 @@
+policy_module(qpidd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type qpidd_t;
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
+permissive qpidd_t;
+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
+type qpidd_var_run_t;
+files_pid_file(qpidd_var_run_t)
+
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
+########################################
+#
+# qpidd local policy
+#
+
+allow qpidd_t self:process signull;
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
+allow qpidd_t self:tcp_socket create_stream_socket_perms;
+allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+kernel_read_system_state(qpidd_t)
+
+corenet_all_recvfrom_unlabeled(qpidd_t)
+corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
+corenet_tcp_sendrecv_generic_if(qpidd_t)
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_sendrecv_all_ports(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
+
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
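Review bot: `permissive qpidd_t;` makes the new domain log-only, so none of the rules below it are enforced and qpidd is confined in name only until that line is removed; that is acceptable for an initial policy but should be visible to whoever deploys it. Add `# TODO: remove once the qpidd policy is known complete; a permissive domain is audited but never denied` above it. The `corenet_tcp_sendrecv_all_ports(qpidd_t)` grant is also broader than the single `corenet_tcp_bind_amqp_port` bind suggests; if qpidd only talks on the amqp port, the per-port sendrecv interface corenet generates for each declared port would be the least-privilege form.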
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-02-23 19:35:04.211525807 +0100
@@ -16,7 +16,7 @@
')
corecmd_search_bin($1)
- domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+ domtrans_pattern($1,rgmanager_exec_t,rgmanager_t)
')
@@ -57,3 +57,41 @@
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
')
+#######################################
+## <summary>
+## Read/write rgmanager tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmpfs_files',`
+ gen_require(`
+ type rgmanager_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+ manage_lnk_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmp_files',`
+ gen_require(`
+ type rgmanager_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
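Review bot: `rgmanager_manage_tmp_files` grants manage on `rgmanager_tmp_t` dirs and files but does not call `files_search_tmp($1)`, so a caller that cannot already traverse /tmp will still be denied at the directory lookup; the sibling `rgmanager_manage_tmpfs_files` above it does include the matching `fs_search_tmpfs($1)`. Add `files_search_tmp($1)` before the two manage patterns. The tmpfs interface's summary, 'Read/write rgmanager tmpfs files', also understates what it grants (create and delete too); `## Create, read, write, and delete rgmanager tmpfs files.` matches the usual wording for manage interfaces.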
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-03-01 09:17:31.825491287 +0100
@@ -22,6 +22,9 @@
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
# log files
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
@@ -36,8 +39,9 @@
# rgmanager local policy
#
-allow rgmanager_t self:capability { sys_nice ipc_lock };
+allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
dontaudit rgmanager_t self:capability { sys_ptrace };
+
allow rgmanager_t self:process { setsched signal };
dontaudit rgmanager_t self:process { ptrace };
@@ -51,6 +55,10 @@
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
+
# log files
manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
@@ -60,35 +68,44 @@
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
-aisexec_stream_connect(rgmanager_t)
-groupd_stream_connect(rgmanager_t)
-
corecmd_exec_bin(rgmanager_t)
corecmd_exec_sbin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
+corecmd_exec_ls(rgmanager_t)
consoletype_exec(rgmanager_t)
kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_sigkill(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
-fs_getattr_xattr_fs(rgmanager_t)
+fs_getattr_all_fs(rgmanager_t)
# need to write to /dev/misc/dlm-control
-dev_manage_generic_chr_files(rgmanager_t)
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)
+storage_raw_read_fixed_disk(rgmanager_t)
+
# needed by resources scripts
auth_read_all_files_except_shadow(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
-files_list_all(rgmanager_t)
-files_getattr_all_symlinks(rgmanager_t)
-
files_create_var_run_dirs(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
fs_getattr_xattr_fs(rgmanager_t)
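Review bot: `fs_getattr_xattr_fs(rgmanager_t)` on the last context line of this hunk is now redundant: the hunk replaces the earlier call with `fs_getattr_all_fs(rgmanager_t)`, which already covers xattr filesystems, so the remaining line should go too. More important for review is how much the hunk widens rgmanager_t -- `storage_raw_read_fixed_disk`, `files_manage_isid_type_files`/`_dirs` and `files_manage_mnt_files` together let the domain read raw disks and manage unlabeled (file_t) content -- with only the pre-existing 'needed by resources scripts' comment to justify it. I would add a one-line reason above each of those grants, e.g. `# storage resource agents read device headers directly -- TODO name the agent`, so the next reviewer can tell deliberate grants from ones that merely silenced a denial.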
@@ -104,11 +121,18 @@
miscfiles_read_localization(rgmanager_t)
+mount_domtrans(rgmanager_t)
+
tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t)
')
# rgmanager can run resource scripts
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
+ groupd_stream_connect(rgmanager_t)
+')
optional_policy(`
apache_domtrans(rgmanager_t)
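Review bot: The three `_stream_connect` calls are grouped in one `optional_policy` block, which is disabled as a whole if any type it requires is missing; on a host with the aisexec and groupd modules but no corosync module, rgmanager would lose the aisexec and groupd socket access that the pre-patch policy granted unconditionally. Split them into three `optional_policy` blocks, one per module, as the other optional blocks in this file are written. The `# rgmanager can run resource scripts` comment now also sits above the socket-connect block rather than the `apache_domtrans` block it describes; move the new block below it.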
@@ -158,11 +182,16 @@
')
optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
rpc_initrc_domtrans_nfsd(rgmanager_t)
rpc_initrc_domtrans_rpcd(rgmanager_t)
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
')
optional_policy(`
@@ -183,5 +212,16 @@
udev_read_db(rgmanager_t)
')
+optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
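Review bot: `unconfined_domain(rgmanager_t)`, even inside `optional_policy`, turns rgmanager_t into an unconfined domain whenever the unconfined module is loaded (typically the case on targeted-policy installs), which makes every narrowly scoped rule added to this file above -- the capability list, the dlm-control access, the mount and xen transitions -- irrelevant in practice and lets a compromised rgmanager reach anything. If the intent is 'rgmanager runs arbitrary resource agents so confinement is not attempted', that deserves a comment and ideally a boolean rather than a silent grant; if it was added to clear a stubborn denial, it should be dropped in favour of the specific rule. At minimum add `# rgmanager executes arbitrary resource agents; unconfined when the unconfined module is present` so the choice is visible to the next reader.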
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-17 15:54:23.838864423 +0100
@@ -1,19 +1,20 @@
-/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
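Review bot: The `/sbin/dlm_controld`, `/sbin/fenced`, `/sbin/gfs_controld` and `/sbin/groupd` entries are replaced rather than supplemented by their `/usr/sbin` counterparts, so on a host where the binaries still live in /sbin they would fall back to the generic `bin_t` label and run in the caller's domain with no transition into the cluster domains. Unless every supported package version installs to /usr/sbin, keep both patterns, e.g. `/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)` alongside the new line. The new `fenced_lock_t` entry for `/var/lock/fence_manual\.lock` is fine as written.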
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.32/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-01-18 18:24:22.873540027 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.if 2010-02-21 18:55:41.750325266 +0100
@@ -1,5 +1,63 @@
## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## cluster init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`rhcs_domain_template',`
+
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ # log files
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
+ # pid files
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+ #
+ # $1_t local policy
+ #
+ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file })
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+
+ manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
+ logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file })
+
+')
+
######################################
## <summary>
## Execute a domain transition to run groupd.
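Review bot: In `rhcs_domain_template` the pid-file rules are inconsistent: `manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)` allows sockets of the private type, but `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })` omits `sock_file`, so a socket the daemon creates directly under /var/run is labeled with the generic pid type and the sock_file rule never applies. Add it to the transition class set: `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file sock_file })`, matching the log-file transition two lines below, which does include `sock_file`. A header comment stating that common `cluster_domain` rules live elsewhere would also help, since the template only declares the attribute membership.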
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-05-05 15:00:49.174628912 +0200
@@ -1,5 +1,5 @@
-policy_module(rhcs,1.0.0)
+policy_module(rhcs,1.1.0)
########################################
#
@@ -13,125 +13,44 @@
## </desc>
gen_tunable(fenced_can_network_connect, false)
-type dlm_controld_t;
-type dlm_controld_exec_t;
-init_daemon_domain(dlm_controld_t, dlm_controld_exec_t)
+attribute cluster_domain;
-# log files
-type dlm_controld_var_log_t;
-logging_log_file(dlm_controld_var_log_t)
+rhcs_domain_template(dlm_controld)
-# pid files
-type dlm_controld_var_run_t;
-files_pid_file(dlm_controld_var_run_t)
-
-type dlm_controld_tmpfs_t;
-files_tmpfs_file(dlm_controld_tmpfs_t)
-
-
-type fenced_t;
-type fenced_exec_t;
-init_daemon_domain(fenced_t, fenced_exec_t)
+rhcs_domain_template(fenced)
# tmp files
type fenced_tmp_t;
files_tmp_file(fenced_tmp_t)
-type fenced_tmpfs_t;
-files_tmpfs_file(fenced_tmpfs_t)
-
-# log files
-type fenced_var_log_t;
-logging_log_file(fenced_var_log_t)
-
-# pid files
-type fenced_var_run_t;
-files_pid_file(fenced_var_run_t)
-
-type gfs_controld_t;
-type gfs_controld_exec_t;
-init_daemon_domain(gfs_controld_t, gfs_controld_exec_t)
-
-# log files
-type gfs_controld_var_log_t;
-logging_log_file(gfs_controld_var_log_t)
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
-# pid files
-type gfs_controld_var_run_t;
-files_pid_file(gfs_controld_var_run_t)
+rhcs_domain_template(gfs_controld)
-type gfs_controld_tmpfs_t;
-files_tmpfs_file(gfs_controld_tmpfs_t)
+rhcs_domain_template(groupd)
-
-type groupd_t;
-type groupd_exec_t;
-init_daemon_domain(groupd_t, groupd_exec_t)
-
-# log files
-type groupd_var_log_t;
-logging_log_file(groupd_var_log_t)
-
-# pid files
-type groupd_var_run_t;
-files_pid_file(groupd_var_run_t)
-
-type groupd_tmpfs_t;
-files_tmpfs_file(groupd_tmpfs_t)
-
-type qdiskd_t;
-type qdiskd_exec_t;
-init_daemon_domain(qdiskd_t, qdiskd_exec_t)
-
-type qdiskd_tmpfs_t;
-files_tmpfs_file(qdiskd_tmpfs_t)
+rhcs_domain_template(qdiskd)
# var/lib files
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
-# log files
-type qdiskd_var_log_t;
-logging_log_file(qdiskd_var_log_t)
-
-# pid files
-type qdiskd_var_run_t;
-files_pid_file(qdiskd_var_run_t)
-
#####################################
#
# dlm_controld local policy
#
-allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource };
-allow dlm_controld_t self:process setsched;
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
-allow dlm_controld_t self:sem create_sem_perms;
-allow dlm_controld_t self:fifo_file rw_fifo_file_perms;
-allow dlm_controld_t self:unix_stream_socket { create_stream_socket_perms };
-allow dlm_controld_t self:unix_dgram_socket { create_socket_perms };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file })
-
-# log files
-manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t)
-logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file })
-
-# pid files
-manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
-manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
-files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file })
-
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-aisexec_stream_connect(dlm_controld_t)
-ccs_stream_connect(dlm_controld_t)
-groupd_stream_connect(dlm_controld_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(dlm_controld_t)
+dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)
fs_manage_configfs_files(dlm_controld_t)
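Review bot: The new `type fenced_lock_t;` / `files_lock_file(fenced_lock_t)` pair is the only type block in this hunk without a heading, while the neighbouring declarations keep `# tmp files` and `# var/lib files`; add `# lock files` above it. The rules left in place (`stream_connect_pattern(dlm_controld_t, fenced_var_run_t, ...)`, the new `stream_connect_pattern(dlm_controld_t, groupd_var_run_t, ...)`) now depend on `rhcs_domain_template()` declaring the per-daemon `_var_run_t` types and adding each domain to the new `cluster_domain` attribute, and that template is not part of this chunk, so it is worth confirming it does both before relying on the common rules at the end of the file. The declaration section starts before this hunk.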
@@ -139,25 +58,14 @@
init_rw_script_tmp_files(dlm_controld_t)
-libs_use_ld_so(dlm_controld_t)
-libs_use_shared_libs(dlm_controld_t)
-
-logging_send_syslog_msg(dlm_controld_t)
-
-miscfiles_read_localization(dlm_controld_t)
-
#######################################
#
# fenced local policy
#
-allow fenced_t self:capability { sys_nice sys_rawio sys_resource };
-allow fenced_t self:process { setsched getsched };
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process getsched;
-allow fenced_t self:fifo_file rw_fifo_file_perms;
-allow fenced_t self:sem create_sem_perms;
-allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow fenced_t self:unix_dgram_socket create_socket_perms;
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
@@ -166,27 +74,20 @@
# tmp files
manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir })
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
-manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
-manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
-fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file })
-
-# log files
-manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t)
-logging_log_filetrans(fenced_t,fenced_var_log_t,{ file })
-
-# pid file
-manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t)
-manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
-manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
-files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file })
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t,fenced_lock_t,file)
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-aisexec_stream_connect(fenced_t)
-ccs_stream_connect(fenced_t)
+
+kernel_read_system_state(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
corecmd_exec_bin(fenced_t)
+corecmd_exec_shell(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
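Review bot: `corenet_tcp_connect_http_port(fenced_t)` is granted unconditionally, outside the `fenced_can_network_connect` tunable that guards the domain's other outbound connections, and neither it nor the new `corecmd_exec_shell(fenced_t)` says which fence agent needs it. A why-comment above each, e.g. `# http: needed by <fence agent> — confirm` with the agent filled in, would let the next maintainer judge whether the HTTP access belongs under the tunable instead. The fenced section continues past the end of this hunk.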
@@ -195,19 +96,13 @@
storage_raw_write_fixed_disk(fenced_t)
storage_raw_read_removable_device(fenced_t)
+term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)
auth_use_nsswitch(fenced_t)
files_read_usr_symlinks(fenced_t)
-libs_use_ld_so(fenced_t)
-libs_use_shared_libs(fenced_t)
-
-logging_send_syslog_msg(fenced_t)
-
-miscfiles_read_localization(fenced_t)
-
tunable_policy(`fenced_can_network_connect',`
corenet_tcp_connect_all_ports(fenced_t)
')
@@ -217,10 +112,6 @@
')
optional_policy(`
- corosync_stream_connect(fenced_t)
-')
-
-optional_policy(`
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
@@ -230,53 +121,26 @@
# gfs_controld local policy
#
-allow gfs_controld_t self:capability { net_admin sys_nice sys_resource };
-allow gfs_controld_t self:process setsched;
+allow gfs_controld_t self:capability { net_admin sys_resource };
-allow gfs_controld_t self:sem create_sem_perms;
allow gfs_controld_t self:shm create_shm_perms;
-allow gfs_controld_t self:fifo_file rw_fifo_file_perms;
-allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms };
-allow gfs_controld_t self:unix_dgram_socket { create_socket_perms };
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file })
-
-# log files
-manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t)
-logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file })
-
-# pid files
-manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
-manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
-files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file })
-
-stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
-
-aisexec_stream_connect(gfs_controld_t)
-ccs_stream_connect(gfs_controld_t)
-groupd_stream_connect(gfs_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(gfs_controld_t)
storage_getattr_removable_dev(gfs_controld_t)
-dev_manage_generic_chr_files(gfs_controld_t)
-#dev_read_sysfs(gfs_controld_t)
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+
dev_rw_sysfs(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
-libs_use_ld_so(gfs_controld_t)
-libs_use_shared_libs(gfs_controld_t)
-
-logging_send_syslog_msg(gfs_controld_t)
-
-miscfiles_read_localization(gfs_controld_t)
-
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -290,78 +154,29 @@
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
-allow groupd_t self:sem create_sem_perms;
allow groupd_t self:shm create_shm_perms;
-allow groupd_t self:fifo_file rw_fifo_file_perms;
-allow groupd_t self:unix_stream_socket create_stream_socket_perms;
-allow groupd_t self:unix_dgram_socket create_socket_perms;
-
-manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
-manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
-fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file })
-
-# log files
-manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t)
-logging_log_filetrans(groupd_t,groupd_var_log_t,{ file })
-
-# pid files
-manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
-manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
-files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
-
-aisexec_stream_connect(groupd_t)
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-libs_use_ld_so(groupd_t)
-libs_use_shared_libs(groupd_t)
-
-logging_send_syslog_msg(groupd_t)
-
-miscfiles_read_localization(groupd_t)
-
init_rw_script_tmp_files(groupd_t)
-logging_send_syslog_msg(groupd_t)
-
######################################
#
# qdiskd local policy
#
-allow qdiskd_t self:capability { sys_nice ipc_lock };
-allow qdiskd_t self:process setsched;
+allow qdiskd_t self:capability { ipc_lock sys_boot };
-allow qdiskd_t self:sem create_sem_perms;
+allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-allow qdiskd_t self:udp_socket create_socket_perms;
-allow qdiskd_t self:unix_dgram_socket create_socket_perms;
-allow qdiskd_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file })
-# log files
-manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
-manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
-logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file })
-
-manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
-manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
-fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file })
-
-# pid files
-manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
-manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
-files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
-
-aisexec_stream_connect(qdiskd_t)
-ccs_stream_connect(qdiskd_t)
-
corecmd_getattr_sbin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)
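Review bot: `allow qdiskd_t self:capability { ipc_lock sys_boot };` adds `sys_boot`, the capability that permits rebooting the host, with no comment; the qdiskd section should say why the daemon needs it, e.g. `# sys_boot: qdiskd reboots the node on quorum loss — confirm`. In the groupd section the kept lines `allow groupd_t self:capability { sys_nice sys_resource };` and `allow groupd_t self:process setsched;` now duplicate what the common `cluster_domain` rules at the end of the file grant, so if groupd is in that attribute they can shrink to `allow groupd_t self:capability sys_resource;`. The qdiskd section continues beyond the hunk.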
@@ -391,13 +206,6 @@
files_read_etc_files(qdiskd_t)
-libs_use_ld_so(qdiskd_t)
-libs_use_shared_libs(qdiskd_t)
-
-logging_send_syslog_msg(qdiskd_t)
-
-miscfiles_read_localization(qdiskd_t)
-
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
@@ -406,5 +214,28 @@
udev_read_db(qdiskd_t)
')
+#####################################
+#
+# rhcs domains common policy
+#
+
+allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:process setsched;
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+libs_use_ld_so(cluster_domain)
+libs_use_shared_libs(cluster_domain)
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+ ccs_stream_connect(cluster_domain)
+')
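Review bot: The single `optional_policy()` block at the end combines `corosync_stream_connect(cluster_domain)` and `ccs_stream_connect(cluster_domain)`; an optional block is disabled as a whole when any type it requires is missing, so a system without the ccs module would also lose the corosync connection, and vice versa. Split it into two blocks, one per module. Separately, `aisexec_stream_connect()` was removed from every rhcs domain but not added here, whereas the ricci.te hunks in this same patch keep `aisexec_stream_connect` alongside the new `corosync_stream_connect`; if dropping aisexec for the cluster domains is intended, a one-line comment saying so would stop a reader from treating it as an omission.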
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2010-02-21 20:45:42.344558749 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2010-03-04 15:06:20.190593823 +0100
@@ -214,6 +214,8 @@
files_read_etc_files(ricci_modcluster_t)
files_search_usr(ricci_modcluster_t)
+auth_use_nsswitch(ricci_modclusterd_t)
+
init_exec(ricci_modcluster_t)
init_domtrans_script(ricci_modcluster_t)
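Review bot: `auth_use_nsswitch(ricci_modclusterd_t)` is inserted into a run of rules that all apply to `ricci_modcluster_t` (`files_search_usr`, `init_exec`, `init_domtrans_script`), so either the domain name is a typo for `ricci_modcluster_t` or the line belongs in the `ricci_modclusterd_t` section further down the file. If the daemon domain is the intended target, moving the line there keeps each section self-contained. The enclosing section starts and ends outside this hunk.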
@@ -231,6 +233,7 @@
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
+ corosync_stream_connect(ricci_modcluster_t)
')
optional_policy(`
@@ -319,6 +322,7 @@
optional_policy(`
aisexec_stream_connect(ricci_modclusterd_t)
+ corosync_stream_connect(ricci_modclusterd_t)
')
optional_policy(`
@@ -462,7 +466,8 @@
files_create_default_dir(ricci_modstorage_t)
files_mounton_default(ricci_modstorage_t)
-files_manage_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
storage_raw_read_fixed_disk(ricci_modstorage_t)
@@ -482,6 +487,7 @@
optional_policy(`
aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-01-18 18:24:22.879530454 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2010-02-23 19:16:59.984776521 +0100
@@ -413,5 +413,6 @@
')
files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
')
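Review bot: `allow $1 var_lib_nfs_t:file { relabelfrom relabelto };` widens an interface whose name and `<summary>` lie outside this hunk from managing NFS state files to relabelling them, which is a distinct and stronger right than `manage_files_pattern` grants. The interface's documentation block should mention relabel access, or the rule should go into a separate relabel-only interface so callers that only meant to manage the files do not silently pick it up. The interface definition begins before this hunk.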
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2010-01-18 18:24:22.880531210 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2010-02-23 18:51:13.680527323 +0100
@@ -82,6 +82,8 @@
files_manage_mounttab(rpcd_t)
files_getattr_all_dirs(rpcd_t)
+files_read_isid_type_files(rpcd_t)
+files_read_default_files(rpcd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
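Review bot: `files_read_isid_type_files(rpcd_t)` and `files_read_default_files(rpcd_t)` let rpcd read files carrying the filesystem initial-SID or default labels, presumably content that policy never labelled, and the next hunk adds `userdom_read_user_home_content_files(rpcd_t)`; none of the three carries a why-comment. Each is a broad read grant for a network-facing daemon, so a line such as `# exported trees may contain unlabelled or default-labelled files` above the first two (adjusted to the real case) would record the rationale, and if the home-directory read is only for exported home directories it is worth saying so there. The rpcd section continues outside both hunks.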
@@ -100,6 +102,8 @@
userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
+
optional_policy(`
automount_signal(rpcd_t)
automount_dontaudit_write_pipes(rpcd_t)
@@ -113,6 +117,10 @@
domain_unconfined_signal(rpcd_t)
')
+optional_policy(`
+ rgmanager_manage_tmp_files(rpcd_t)
+')
+
########################################
#
# NFSD local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.6.32/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/rsync.if 2010-03-01 16:02:14.881494801 +0100
@@ -103,3 +103,41 @@
can_exec($1, rsync_exec_t)
')
+
+#######################################
+## <summary>
+## Read rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Write to rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed.
+## </summary>
+## </param>
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
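Review bot: The `<param>` summaries of `rsync_read_config` and `rsync_write_config` read `Domain allowed.`, while the other interfaces added in this patch (`spamassassin_kill_client`, `sssd_read_public_files`) use the usual wording `Domain allowed access.`; use the same phrase here. The read/write pattern calls themselves follow the existing convention.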
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.32/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2010-01-18 18:24:22.881530638 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rsync.te 2010-03-26 07:50:02.122850866 +0100
@@ -124,6 +124,7 @@
')
tunable_policy(`rsync_export_all_ro',`
+ files_getattr_all_pipes(rsync_t)
fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
fs_read_cifs_files(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-03-18 14:27:30.841764712 +0100
@@ -208,7 +208,7 @@
files_read_usr_symlinks(samba_net_t)
auth_use_nsswitch(samba_net_t)
-auth_rw_cache(samba_net_t)
+auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -231,7 +231,7 @@
#
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner setgid setuid sys_chroot sys_nice sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
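Review bot: `sys_chroot` is added to smbd's self capabilities with no comment, and chroot is a notable privilege for a file-serving daemon. A why-comment on the line, e.g. `# sys_chroot: <feature that needs it> — confirm`, would record which smbd function requires it so a later review can decide whether it belongs behind a boolean. The smbd section continues outside this hunk.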
@@ -286,6 +286,8 @@
allow smbd_t winbind_t:process { signal signull };
+allow smbd_t swat_t:process signal;
+
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
@@ -313,6 +315,8 @@
corenet_tcp_connect_ipp_port(smbd_t)
corenet_tcp_connect_smbd_port(smbd_t)
+dev_getattr_all_blk_files(smbd_t)
+dev_getattr_all_chr_files(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
@@ -327,6 +331,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
+auth_manage_cache(smbd_t)
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
@@ -350,7 +355,7 @@
miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
-userdom_dontaudit_search_user_home_dirs(smbd_t)
+userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
usermanage_read_crack_db(smbd_t)
@@ -485,6 +490,8 @@
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t swat_t:process signal;
+
allow nmbd_t smbcontrol_t:process signal;
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -661,6 +668,7 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
+samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_exec_t:file mmap_file_perms;
@@ -693,6 +701,8 @@
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
+allow swat_t winbind_t:process { signal signull };
+
allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
@@ -828,7 +838,9 @@
corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
+corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
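Review bot: `corenet_tcp_connect_all_unreserved_ports(winbind_t)` grants outbound TCP to every unreserved port unconditionally; the `corenet_tcp_connect_epmap_port(winbind_t)` line added just above suggests this is for the dynamic DCE-RPC endpoints the endpoint mapper hands back, but that is not stated. Add a comment such as `# dynamic RPC endpoints returned by epmap — confirm` above it, and consider whether a grant this wide should sit behind a tunable. The winbind section continues past this hunk.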
@@ -838,7 +850,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
-auth_rw_cache(winbind_t)
+auth_manage_cache(winbind_t)
domain_use_interactive_fds(winbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.32/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2010-01-18 18:24:22.887530493 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sasl.te 2010-03-30 08:55:29.818860362 +0200
@@ -50,6 +50,8 @@
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
+corecmd_exec_bin(saslauthd_t)
+
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
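Review bot: `corecmd_exec_bin(saslauthd_t)` lets the authentication daemon execute any binary under the bin directories with no comment on which helper it runs; add a why-comment naming it, e.g. `# runs <helper> — confirm`, so the grant can later be narrowed to a transition for that program. The saslauthd section continues beyond the hunk.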
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-02-09 15:04:54.083866070 +0100
@@ -30,7 +30,7 @@
#
allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process { setpgid setrlimit signal signull };
+allow sendmail_t self:process { setpgid setsched setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -136,6 +136,8 @@
optional_policy(`
fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+
')
optional_policy(`
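Review bot: The added `fail2ban_rw_stream_sockets(sendmail_t)` is followed by a stray blank `+` line directly before the closing `')`, which the surrounding optional blocks do not have; drop the blank line so the block reads `fail2ban_read_lib_files(sendmail_t)` / `fail2ban_rw_stream_sockets(sendmail_t)` / `')`.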
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-01-18 18:24:22.891530024 +0100
+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2010-02-03 22:59:41.283821731 +0100
@@ -177,6 +177,10 @@
userdom_signull_unpriv_users(setroubleshoot_fixit_t)
optional_policy(`
+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
+')
+
+optional_policy(`
rpm_signull(setroubleshoot_fixit_t)
rpm_read_db(setroubleshoot_fixit_t)
rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-04-08 10:56:56.414115509 +0200
@@ -25,9 +25,9 @@
#
# Local policy
#
-allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
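Review bot: `allow snmpd_t self:process { signal signal_perms getsched setsched };` lists `signal` next to `signal_perms`, and `signal_perms` already expands to a set that includes `signal`, so the added token is redundant; keep the line as it was, `allow snmpd_t self:process { signal_perms getsched setsched };`. The `chown` capability added on the line above has no comment saying which snmpd operation needs it; a short one would help. The local-policy section continues beyond the hunk.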
@@ -72,6 +72,7 @@
corenet_udp_bind_snmp_port(snmpd_t)
corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
+corenet_tcp_connect_snmp_port(snmpd_t)
corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)
@@ -98,6 +99,7 @@
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
+storage_dontaudit_write_removable_device(snmpd_t)
auth_use_nsswitch(snmpd_t)
auth_read_all_dirs_except_shadow(snmpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-04-16 09:28:27.075614947 +0200
@@ -58,6 +58,7 @@
kernel_dontaudit_read_system_state(snort_t)
kernel_list_proc(snort_t)
+kernel_read_network_state(snort_t)
kernel_read_kernel_sysctls(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_read_sysctl(snort_t)
@@ -78,6 +79,8 @@
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
dev_read_urand(snort_t)
+dev_read_usbmon_dev(snort_t)
+dev_rw_generic_usb_dev(snort_t)
domain_use_interactive_fds(snort_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100
@@ -267,6 +267,24 @@
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')
+######################################
+## <summary>
+## Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-18 18:24:22.896530172 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-09 12:37:21.512866130 +0100
@@ -147,6 +147,8 @@
kernel_read_kernel_sysctls(spamassassin_t)
+corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
+
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
@@ -470,6 +473,10 @@
userdom_search_user_home_dirs(spamd_t)
optional_policy(`
+ dcc_domtrans_cdcc(spamd_t)
+')
+
+optional_policy(`
exim_manage_spool_dirs(spamd_t)
exim_manage_spool_files(spamd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.32/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2010-01-18 18:24:22.897529880 +0100
+++ serefpolicy-3.6.32/policy/modules/services/squid.te 2010-03-18 14:31:45.784764437 +0100
@@ -14,6 +14,13 @@
## </desc>
gen_tunable(squid_connect_any, false)
+## <desc>
+## <p>
+## Allow squid to run as a transparent proxy (TPROXY)
+## </p>
+## </desc>
+gen_tunable(squid_use_tproxy, false)
+
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)
@@ -161,6 +168,11 @@
corenet_sendrecv_all_packets(squid_t)
')
+tunable_policy(`squid_use_tproxy',`
+ allow squid_t self:capability net_admin;
+ corenet_tcp_bind_netport_port(squid_t)
+')
+
optional_policy(`
apache_content_template(squid)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 18:24:22.898539086 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-23 16:04:29.107525602 +0100
@@ -177,7 +177,7 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { signal getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
@@ -393,6 +393,7 @@
logging_send_syslog_msg($1_ssh_agent_t)
miscfiles_read_localization($1_ssh_agent_t)
+ miscfiles_read_certs($1_ssh_agent_t)
seutil_dontaudit_read_config($1_ssh_agent_t)
@@ -400,6 +401,7 @@
userdom_use_user_terminals($1_ssh_agent_t)
# for the transition back to normal privs upon exec
+ userdom_search_user_home_content($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
allow $3 $1_ssh_agent_t:fd use;
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-03-03 10:40:17.330611966 +0100
@@ -8,31 +8,6 @@
## <desc>
## <p>
-## Allow sftp to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
-## </desc>
-gen_tunable(allow_sftpd_anon_write, false)
-
-## <desc>
-## <p>
-## Allow sftp to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(allow_sftpd_full_access, false)
-
-## <desc>
-## <p>
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-## </p>
-## </desc>
-gen_tunable(sftpd_ssh_home_dir, false)
-
-## <desc>
-## <p>
## allow host key based authentication
## </p>
## </desc>
@@ -69,10 +44,6 @@
type sshd_tmpfs_t;
files_tmpfs_file(sshd_tmpfs_t)
-type sftpd_t;
-domain_type(sftpd_t)
-role system_r types sftpd_t;
-
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
@@ -209,6 +180,7 @@
# needs to read krb tgt
userdom_read_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@@ -236,7 +208,6 @@
optional_policy(`
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
xserver_domtrans_xauth(ssh_t)
- xserver_common_app(ssh_t)
')
########################################
@@ -365,7 +337,12 @@
')
optional_policy(`
- xserver_getattr_xauth(sshd_t)
+ ftp_dyntransition_sftpd(sshd_t)
+ ftp_dyntransition_sftpd_anon(sshd_t)
+')
+
+optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
')
optional_policy(`
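Review bot: The replacement of `xserver_getattr_xauth(sshd_t)` by `xserver_domtrans_xauth(sshd_t)` moves sshd from stat-ing the xauth binary to transitioning into the xauth domain, a broader grant folded into a hunk whose main purpose is the sftp move; a comment such as `# sshd runs xauth for X11 forwarding — confirm` would record the intent. The old `allow ssh_server sftpd_t:process dyntransition;` (deleted further down) covered the whole `ssh_server` attribute, while the new `ftp_dyntransition_sftpd(sshd_t)` / `ftp_dyntransition_sftpd_anon(sshd_t)` name only `sshd_t`, so any other member of `ssh_server` loses the transition; worth confirming that is intended. The enclosing sshd section continues outside the hunk.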
@@ -468,49 +445,3 @@
udev_read_db(ssh_keygen_t)
')
-#######################################
-#
-# sftp Local policy
-#
-
-allow ssh_server sftpd_t:process dyntransition;
-
-ssh_sigchld(sftpd_t)
-
-files_read_all_files(sftpd_t)
-files_read_all_symlinks(sftpd_t)
-
-fs_read_noxattr_fs_files(sftpd_t)
-fs_read_nfs_files(sftpd_t)
-fs_read_cifs_files(sftpd_t)
-
-# allow access to /home by default
-userdom_manage_user_home_content_dirs(sftpd_t)
-userdom_manage_user_home_content_files(sftpd_t)
-userdom_manage_user_home_content_symlinks(sftpd_t)
-
-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
-
-tunable_policy(`allow_sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`allow_sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
-')
-
-tunable_policy(`sftpd_ssh_home_dir',`
- ssh_manage_user_home_files(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-03-11 17:03:12.375269132 +0100
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100
@@ -12,8 +12,7 @@
#
interface(`sssd_domtrans',`
gen_require(`
- type sssd_t;
- type sssd_exec_t;
+ type sssd_t, sssd_exec_t;
')
domtrans_pattern($1, sssd_exec_t, sssd_t)
@@ -26,7 +25,7 @@
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -40,6 +39,25 @@
########################################
## <summary>
+## Read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
## Read sssd PID files.
## </summary>
## <param name="domain">
@@ -59,7 +77,7 @@
########################################
## <summary>
-## Manage sssd var_run files.
+## Read sssd config files.
## </summary>
## <param name="domain">
## <summary>
@@ -67,18 +85,18 @@
## </summary>
## </param>
#
-interface(`sssd_manage_pids',`
+interface(`sssd_read_config_files',`
gen_require(`
- type sssd_var_run_t;
+ type sssd_config_t;
')
- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_config_t, sssd_config_t)
')
########################################
## <summary>
-## Search sssd lib directories.
+## Manage sssd var_run files.
## </summary>
## <param name="domain">
## <summary>
@@ -86,18 +104,18 @@
## </summary>
## </param>
#
-interface(`sssd_search_lib',`
+interface(`sssd_manage_pids',`
gen_require(`
- type sssd_var_lib_t;
+ type sssd_var_run_t;
')
- allow $1 sssd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
########################################
## <summary>
-## Read sssd lib files.
+## Search sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -105,18 +123,18 @@
## </summary>
## </param>
#
-interface(`sssd_read_lib_files',`
+interface(`sssd_search_lib',`
gen_require(`
type sssd_var_lib_t;
')
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
## <summary>
-## Read sssd config files.
+## dontaudit search sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -124,19 +142,18 @@
## </summary>
## </param>
#
-interface(`sssd_read_config_files',`
+interface(`sssd_dontaudit_search_lib',`
gen_require(`
- type sssd_config_t;
+ type sssd_var_lib_t;
')
- sssd_search_lib($1)
- read_files_pattern($1, sssd_config_t, sssd_config_t)
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Create, read, write, and delete
-## sssd lib files.
+## Read sssd lib files.
## </summary>
## <param name="domain">
## <summary>
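Review bot: sssd_dontaudit_search_lib pairs its dontaudit rule with `files_search_var_lib($1)`, which is an allow rule, so a caller that only wants search denials on sssd_var_lib_t silenced is granted search on /var/lib as a side effect. A dontaudit interface should add no permissions; drop that line, or use the dontaudit counterpart of files_search_var_lib if one exists in files.if.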
@@ -144,18 +161,19 @@
## </summary>
## </param>
#
-interface(`sssd_manage_lib_files',`
+interface(`sssd_read_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
## <summary>
-## Manage sssd var_lib files.
+## Create, read, write, and delete
+## sssd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -163,17 +181,15 @@
## </summary>
## </param>
#
-interface(`sssd_manage_var_lib',`
+interface(`sssd_manage_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
- manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ files_search_var_lib($1)
manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
- manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
')
-
########################################
## <summary>
## Send and receive messages from
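Review bot: This hunk deletes the sssd_manage_var_lib interface (manage of sssd_var_lib_t dirs, files and symlinks) and the surviving sssd_manage_lib_files manages only files, so any module that still calls sssd_manage_var_lib will fail to build and any caller that relied on the dir or lnk_file rules loses them silently. The preceding hunks in this file are a reorder of the remaining interfaces and need nothing. If the removal is intended, record it in the commit message; otherwise keep the interface, or fold `manage_dirs_pattern` and `manage_lnk_files_pattern` for sssd_var_lib_t into sssd_manage_lib_files.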
@@ -238,16 +254,13 @@
#
interface(`sssd_admin',`
gen_require(`
- type sssd_t;
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
')
allow $1 sssd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sssd_t, sssd_t)
- gen_require(`
- type sssd_initrc_exec_t;
- ')
-
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
domain_system_change_exemption($1)
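Review bot: The comment `# Allow sssd_t to restart the apache service` kept above `sssd_initrc_domtrans($1)` is a copy-paste leftover: the subject is $1, the admin domain, not sssd_t, and the service is sssd. Change it to `# Allow $1 to run the sssd init script`.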
@@ -257,4 +270,6 @@
sssd_manage_pids($1)
sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-03-23 13:30:20.793390574 +0100
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.0)
+policy_module(sssd, 1.0.1)
########################################
#
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
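Review bot: `files_pid_file(sssd_public_t)` gives the new type the pid-file attribute, yet sssd.fc in this patch applies it to `/var/lib/sss/pubconf(/.*)?`, a /var/lib path; every interface that acts on all pid-file types will then also reach the pubconf tree, which is broader than the read-only sharing that sssd_read_public_files exposes. Unless that attribute is deliberate, declare it the way the neighbouring var_lib type is declared: `type sssd_public_t;` followed by `files_type(sssd_public_t)`.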
@@ -31,6 +34,9 @@
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
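Review bot: sssd_t gets manage rules for sssd_public_t dirs and files in the two added lines, but there is no file transition from sssd_var_lib_t, so a pubconf directory created by sssd_t under /var/lib/sss keeps the sssd_var_lib_t label until something runs restorecon, and files inside it are then not readable through sssd_read_public_files. As far as I can tell a name-based transition is not available to this policy version, so if the directory is expected to be created and labelled by the package rather than the daemon, a comment saying so, e.g. `# /var/lib/sss/pubconf is created and labeled by the package, not by sssd_t`, keeps the next reader from adding a blanket dir transition.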
@@ -43,8 +49,6 @@
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
-fs_list_inotifyfs(sssd_t)
-
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
@@ -58,6 +62,10 @@
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
+fs_list_inotifyfs(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
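Review bot: `mls_file_read_to_clearance(sssd_t)` is an MLS constraint exemption — it lets sssd read files at any level up to its clearance rather than only at its own level — and it is added without a comment, so a future reader cannot tell it from an accidental paste. Add a one-line why-comment naming the data sssd must read above its own level, in the form `# MLS: sssd reads <which files> at levels above its own`. The fs_list_inotifyfs move in the neighbouring hunks is a pure reorder and needs nothing.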
@@ -69,9 +77,13 @@
miscfiles_read_localization(sssd_t)
-userdom_manage_tmp_role(system_t, sssd_t)
+userdom_manage_tmp_role(system_r, sssd_t)
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
')
+
+optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.32/policy/modules/services/tftp.if
--- nsaserefpolicy/policy/modules/services/tftp.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.if 2010-03-01 15:59:20.787741600 +0100
@@ -18,6 +18,26 @@
read_files_pattern($1, tftpdir_t, tftpdir_t)
')
+#######################################
+## <summary>
+## Manage tftp /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tftp_manage_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
########################################
## <summary>
## All of the rules required to administrate
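Review bot: The summary of tftp_manage_rw_content, `## Manage tftp /var/lib files.`, names a path rather than the type and does not say which operations are granted, while the body manages dirs and files of tftpdir_rw_t. `## Create, read, write, and delete tftp read/write content (tftpdir_rw_t).` matches the wording the sssd.if hunks in this patch use for manage interfaces. The separator line above the interface is also one `#` shorter than the one below it.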
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100
@@ -50,6 +50,7 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-05-11 15:13:48.864626103 +0200
@@ -62,7 +62,10 @@
files_read_etc_files(tgtd_t)
+fs_read_anon_inodefs_files(tgtd_t)
+
storage_getattr_fixed_disk_dev(tgtd_t)
+storage_manage_fixed_disk(tgtd_t)
logging_send_syslog_msg(tgtd_t)
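Review bot: `storage_manage_fixed_disk(tgtd_t)` grants create, write and unlink on fixed-disk device nodes, not only I/O on them, if I read the storage interfaces right; when tgtd only needs to read and write the block devices it exports as LUNs, `storage_raw_rw_fixed_disk(tgtd_t)` is the narrower grant and sits naturally next to the getattr-only line above it. Either way the added line deserves a comment naming what the daemon does with the disks, since nothing in the hunk explains the jump from getattr to manage.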
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.6.32/policy/modules/services/tor.fc
--- nsaserefpolicy/policy/modules/services/tor.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tor.fc 2010-03-10 16:38:05.232617583 +0100
@@ -5,5 +5,6 @@
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc
--- nsaserefpolicy/policy/modules/services/tuned.fc 2010-01-18 18:24:22.907534364 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2010-02-03 17:28:43.165143461 +0100
@@ -3,4 +3,7 @@
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-15 12:09:29.413328973 +0100
@@ -13,6 +13,9 @@
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
+type tuned_log_t;
+logging_log_file(tuned_log_t)
+
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
@@ -26,6 +29,10 @@
dontaudit tuned_t self:capability { dac_override sys_tty_config };
allow tuned_t self:fifo_file rw_fifo_file_perms;
+manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file)
+
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
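Review bot: `logging_log_filetrans(tuned_t, tuned_log_t, file)` transitions only files, while tuned.fc in this patch labels the directory `/var/log/tuned(/.*)?` as tuned_log_t as well; if tuned creates that directory itself it comes up as var_log_t and the manage_dirs_pattern line above never applies. `logging_log_filetrans(tuned_t, tuned_log_t, { file dir })` covers both, in the same braced form files_pid_filetrans below already uses.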
@@ -36,7 +43,7 @@
kernel_read_system_state(tuned_t)
dev_read_sysfs(tuned_t)
-
+dev_read_urand(tuned_t)
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
@@ -46,8 +53,14 @@
userdom_dontaudit_search_user_home_dirs(tuned_t)
+logging_send_syslog_msg(tuned_t)
+
miscfiles_read_localization(tuned_t)
+optional_policy(`
+ gnome_dontaudit_search_config(tuned_t)
+')
+
# to allow disk tuning
optional_policy(`
fstools_domtrans(tuned_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.6.32/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ucspitcp.te 2010-02-11 14:18:05.345868624 +0100
@@ -92,3 +92,8 @@
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
daemontools_read_svc(ucspitcp_t)
')
+
+optional_policy(`
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
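Review bot: The new optional_policy block duplicates the daemontools optional_policy block directly above it; `daemontools_sigchld_run(ucspitcp_t)` can be added inside the existing block so there is a single optional section per module. The final added line also leaves a trailing blank line at end of file.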
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100
@@ -0,0 +1,6 @@
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+
+/var/run/usbmuxd\.lock -- gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.6.32/policy/modules/services/usbmuxd.if
--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.if 2010-02-02 19:06:22.735067968 +0100
@@ -0,0 +1,64 @@
+## <summary>Daemon for communicating with Apple's iPod Touch and iPhone</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run usbmuxd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#######################################
+## <summary>
+## Execute usbmuxd in the usbmuxd domain, and
+## allow the specified role the usbmuxd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the usbmuxd domain.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_run',`
+ gen_require(`
+ type usbmuxd_t;
+ ')
+
+ usbmuxd_domtrans($1)
+ role $2 types usbmuxd_t;
+')
+
+#####################################
+## <summary>
+## Connect to usbmuxd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-03-09 16:49:50.347389389 +0100
@@ -0,0 +1,51 @@
+
+policy_module(usbmuxd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+role system_r types usbmuxd_t;
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+permissive usbmuxd_t;
+
+########################################
+#
+# usbmuxd local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { fork signal signull };
+
+# Init script handling
+domain_use_interactive_fds(usbmuxd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(usbmuxd_t)
+kernel_read_kernel_sysctls(usbmuxd_t)
+
+dev_rw_generic_usb_dev(usbmuxd_t)
+dev_read_sysfs(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
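Review bot: `permissive usbmuxd_t;` ships the new domain with enforcement switched off, so none of the rules below it are enforced and the usbmuxd.fc labels have no protective effect until the line is removed; a comment with the removal criterion keeps it from being forgotten, e.g. `# TODO: drop permissive once usbmuxd runs without AVC denials`. The `# Init script handling` comment above `domain_use_interactive_fds(usbmuxd_t)` is also misleading: the domain is declared with application_domain and no initrc_exec_t type or init-script file context appears anywhere in this patch, so either state what the inherited fds are actually used for or drop the comment.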
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.32/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/varnishd.if 2010-04-13 14:36:06.397612500 +0200
@@ -113,6 +113,25 @@
manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
')
+#####################################
+## <summary>
+## Read varnish lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`varnishd_read_lib_files',`
+ gen_require(`
+ type varnishd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+')
+
######################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-04-06 08:25:52.847789753 +0200
@@ -118,6 +118,7 @@
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
@@ -194,6 +195,7 @@
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
########################################
@@ -444,6 +446,9 @@
domain_user_exemption_target($1_t)
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+
type $1_tmp_t;
files_tmp_file($1_tmp_t)
@@ -453,13 +458,18 @@
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
+ dev_associate_sysfs($1_image_t)
type $1_var_run_t;
files_pid_file($1_var_run_t)
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1_t, $1_devpts_t)
+
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
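Review bot: The added `rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)` and `dev_associate_sysfs($1_image_t)` extend the image type to character devices and to sysfs without a comment on which devices are expected to carry the $1_image_t label; the devpts lines just above are self-explanatory, these two are not. A comment such as `# character devices handed to the guest carry the image label` would do, if that is the case. The template body begins before this hunk and continues after it.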
@@ -486,7 +496,6 @@
optional_policy(`
xserver_rw_shm($1_t)
- xserver_common_app($1_t)
')
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-03-23 13:23:37.331641076 +0100
@@ -1,5 +1,5 @@
-policy_module(virt, 1.2.1)
+policy_module(virt, 1.3.0)
########################################
#
@@ -29,6 +29,13 @@
## <desc>
## <p>
+## Allow virt to manage device configuration, (pci)
+## </p>
+## </desc>
+gen_tunable(virt_use_sysfs, false)
+
+## <desc>
+## <p>
## Allow virt to use usb devices
## </p>
## </desc>
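Review bot: The new tunable's description says "Allow virt to manage device configuration, (pci)" but the tunable_policy block in the `@@ -246,6 +253,10 @@` hunk below applies `dev_rw_sysfs(svirt_t)`, i.e. it gives confined guests, not virtd, write access to sysfs; the description should name the guest domain so an administrator knows what the boolean enables, e.g. `## Allow confined virtual guests (svirt_t) to read and write sysfs device configuration (pci).` That block also sits among virtd_t rules judging by its context line `brctl_domtrans(virtd_t)`, so placing it with the other svirt_t tunables would make the scope obvious.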
@@ -226,7 +233,7 @@
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
-userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_list_admin_dir(virtd_t)
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
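Review bot: `userdom_list_admin_dir(virtd_t)` replaces a dontaudit with an allow, so virtd_t can now list the admin home directory instead of merely having the denial silenced; that is a widening, not a cleanup, and the line carries no comment saying why virtd needs it. Add the reason inline, e.g. `# virtd lists /root to find images stored there` if that is the case, or keep the dontaudit if the access was only noise.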
@@ -246,6 +253,10 @@
fs_read_cifs_symlinks(virtd_t)
')
+tunable_policy(`virt_use_sysfs',`
+ dev_rw_sysfs(svirt_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
@@ -337,6 +348,7 @@
allow svirt_t svirt_image_t:dir search_dir_perms;
manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
read_files_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -370,6 +382,7 @@
tunable_policy(`virt_use_fusefs',`
fs_read_fusefs_files(svirt_t)
+ fs_read_fusefs_symlinks(svirt_t)
')
tunable_policy(`virt_use_nfs',`
@@ -429,11 +442,13 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
+dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
-dev_write_sound(virt_domain)
+dev_read_urand(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
+dev_write_sound(virt_domain)
domain_use_interactive_fds(virt_domain)
@@ -446,6 +461,11 @@
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
+# we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
+
+
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
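Review bot: `storage_raw_read_removable_device(virt_domain)` gives every virt domain raw read access to removable block devices, and the only justification is `# we need these for now.`, which tells the next reader neither what needs it nor when it can go. This file already gates comparable host access behind tunables (virt_use_usb, virt_use_fusefs, virt_use_nfs appear in these hunks), so the rule belongs behind one too, or at minimum behind a comment naming the feature that requires it, e.g. `# guests given removable media read the device directly` if that is the case.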
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-18 13:45:28.425514615 +0100
@@ -51,17 +51,17 @@
# /tmp
#
-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.ICE-unix/.* -s <<none>>
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix/.* -s <<none>>
+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
#
# /usr
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
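Review bot: The two added lxdm entries omit the `--` file-type field every neighbouring entry has, so they label directories and symlinks of that name as xdm_exec_t as well as the binaries; they should read `/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)` and `/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)`.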
@@ -102,6 +102,7 @@
/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -114,9 +115,12 @@
/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
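Review bot: `/var/run/lxdm(/*.)?` has the wildcard transposed: file-context patterns are anchored, so `(/*.)?` matches the directory itself or a child whose name is a single character, and anything longer under /var/run/lxdm falls back to the generic /var/run label. It should be `/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`, as the gdm entry at the top of this hunk is written.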
@@ -125,6 +129,8 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
-
/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
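Review bot: The two new `/var/lib/pqsql/` entries look like a misspelling of `/var/lib/pgsql/`, the PostgreSQL home directory; as written they match nothing on a stock system and the .xauth files they are meant to label stay unlabelled. Please confirm the path before merging.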
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-01-18 18:24:22.920530710 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2010-03-09 15:10:08.558503370 +0100
@@ -19,27 +19,9 @@
interface(`xserver_restricted_role',`
gen_require(`
type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
type iceauth_t, iceauth_exec_t, iceauth_home_t;
type xauth_t, xauth_exec_t, xauth_home_t;
-
- type info_xproperty_t, rootwindow_t;
-
- class x_drawable all_x_drawable_perms;
- class x_screen all_x_screen_perms;
- class x_gc all_x_gc_perms;
- class x_font all_x_font_perms;
- class x_colormap all_x_colormap_perms;
- class x_property all_x_property_perms;
- class x_selection all_x_selection_perms;
- class x_cursor all_x_cursor_perms;
- class x_client all_x_client_perms;
- class x_device all_x_device_perms;
- class x_server all_x_server_perms;
- class x_extension all_x_extension_perms;
- class x_resource all_x_resource_perms;
- class x_event all_x_event_perms;
- class x_synthetic_event all_x_synthetic_event_perms;
')
role $1 types { xserver_t xauth_t iceauth_t };
@@ -49,7 +31,7 @@
allow xserver_t $2:shm rw_shm_perms;
domtrans_pattern($2, xserver_exec_t, xserver_t)
- allow xserver_t $2:process signal;
+ allow xserver_t $2:process { getpgid signal };
allow xserver_t $2:shm rw_shm_perms;
@@ -63,6 +45,7 @@
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow $2 xserver_tmp_t:sock_file unlink;
files_search_tmp($2)
# Communicate via System V shared memory.
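Review bot: `allow $2 xserver_tmp_t:sock_file unlink;` lets every domain given this role remove the X server's sockets, but unlike the neighbouring rules it carries no explanation of which program does that and when. A one-line comment such as `# clients remove a stale X socket before restarting the server`, if that is the case, would document it. The enclosing xserver_restricted_role interface starts in the first hunk of this file and continues past this one.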
@@ -75,10 +58,7 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
ifdef(`hide_broken_symptoms', `
- dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
- dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
- dontaudit iceauth_t $2:udp_socket rw_socket_perms;
- fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ dontaudit iceauth_t $2:socket_class_set { read write };
')
allow $2 iceauth_home_t:file read_file_perms;
@@ -96,9 +76,10 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xserver_tmp_t:dir search;
- allow $2 xserver_tmp_t:sock_file { read write };
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+ allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
+ dontaudit $2 xdm_tmp_t:dir setattr;
# Client read xserver shm
allow $2 xserver_t:fd use;
@@ -119,6 +100,7 @@
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
+ miscfiles_setattr_fonts_cache_dirs($2)
xserver_common_x_domain_template(user, $2)
xserver_xsession_entry_type($2)
@@ -136,37 +118,6 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
-
- ##############################
- #
- # User X object manager local policy
- #
-
- # manage: xhost X11:ChangeHosts
- # freeze: metacity X11:GrabKey
- # force_cursor: metacity X11:GrabPointer
- allow $2 xserver_t:x_device { manage freeze force_cursor };
-
- # gnome-settings-daemon XKEYBOARD:SetControls
- allow $2 xserver_t:x_server manage;
-
- # gnome-settings-daemon RANDR:SelectInput
- allow $2 xserver_t:x_resource write;
-
- # metacity X11:InstallColormap X11:UninstallColormap
- allow $2 rootwindow_t:x_colormap { install uninstall };
-
- # read: gnome-settings-daemon RANDR:GetScreenSizeRange
- # write: gnome-settings-daemon RANDR:SelectInput
- # setattr: gnome-settings-daemon X11:GrabKey
- # manage: metacity X11:ChangeWindowAttributes
- allow $2 rootwindow_t:x_drawable { read write manage setattr };
-
- # setattr: metacity X11:InstallColormap
- allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
-
- # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
- allow $2 info_xproperty_t:x_property { create append write };
')
########################################
@@ -189,6 +140,7 @@
gen_require(`
type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ class x_screen all_x_screen_perms;
')
xserver_restricted_role($1, $2)
@@ -218,7 +170,7 @@
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- xserver_common_app($2)
+ allow $2 xserver_t:x_screen { saver_hide saver_setattr saver_show };
')
#######################################
@@ -290,6 +242,37 @@
#######################################
## <summary>
+## Create non-drawing client sessions on an X server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_non_drawing_client',`
+ gen_require(`
+ class x_drawable { getattr get_property };
+ class x_extension { query use };
+ class x_gc { create setattr };
+ class x_property read;
+
+ type xserver_t, xdm_var_run_t;
+ type xextension_t, xproperty_t, root_xdrawable_t;
+ ')
+
+ allow $1 self:x_gc { create setattr };
+
+ allow $1 xdm_var_run_t:dir search;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+ allow $1 root_xdrawable_t:x_drawable { getattr get_property };
+ allow $1 xproperty_t:x_property read;
+')
+
+#######################################
+## <summary>
## Create full client sessions
## on a user X server.
## </summary>
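Review bot: xserver_non_drawing_client grants `connectto` on xserver_t's unix stream socket and search on xdm_var_run_t, but unlike xserver_user_client below it grants neither search on xdm_tmp_t nor read/write on its sock_file; that is sufficient only if callers reach the server through the abstract socket rather than /tmp/.X11-unix, which I cannot confirm from here. A comment recording that assumption, `# connects via the abstract X socket; no /tmp/.X11-unix access is needed`, would save the next reader the same question.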
@@ -307,7 +290,7 @@
interface(`xserver_user_client',`
refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
- type xdm_t, xserver_tmp_t;
+ type xdm_t, xdm_tmp_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
@@ -321,9 +304,9 @@
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file rw_fifo_file_perms;
- allow $1 xserver_tmp_t:dir search;
- allow $1 xserver_tmp_t:sock_file { read write };
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 xdm_tmp_t:dir search;
+ allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
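Review bot: `allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;` expresses read/write access to xdm_t fifo files in a different form from the two other hunks in this file that touch the same rule, which write the explicit set `{ getattr read write ioctl }` in xserver_restricted_role and xserver_user_x_domain_template. If the intended access is the same in all three places, use one form, preferably the named permission set, so the difference does not read as deliberate.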
@@ -367,24 +350,24 @@
#
template(`xserver_common_x_domain_template',`
gen_require(`
- type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t;
- type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t;
- type $1_client_xevent_t;
-
- type rootwindow_t, xproperty_t;
- type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
+ type root_xdrawable_t;
+ type xproperty_t, $1_xproperty_t;
type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
- attribute xproperty_type;
- attribute xevent_type;
+ attribute x_domain;
+ attribute xdrawable_type, xcolormap_type;
attribute input_xevent_type;
class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
- class x_selection all_x_selection_perms;
- type xselection_t;
+ class x_client destroy;
+ class x_server manage;
+ class x_pointer manage;
+ class x_keyboard { read manage };
+ type xdm_t, xserver_t;
')
##############################
@@ -392,27 +375,38 @@
# Local Policy
#
+ # Type attributes
+ typeattribute $2 x_domain;
+ typeattribute $2 xdrawable_type, xcolormap_type;
+
# X Properties
- # can read and write client properties
- allow $2 $1_xproperty_t:x_property { create destroy read write append };
- type_transition $2 xproperty_t:x_property $1_xproperty_t;
+ # disable property transitions for the time being.
+# type_transition $2 xproperty_t:x_property $1_xproperty_t;
- allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive;
+ # X Windows
+ # new windows have the domain type
+ type_transition $2 root_xdrawable_t:x_drawable $2;
+
+ # X Input
+ # distinguish input events
type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
- type_transition $2 property_xevent_t:x_event $1_property_xevent_t;
- type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t;
- type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
- type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
- type_transition $2 xevent_t:x_event $1_default_xevent_t;
+ # can send own events
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
+ # can receive own events
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ # can receive default events
+ allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+ # dont audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
- allow $2 $1_manage_xevent_t:x_synthetic_event send;
+ allow $2 xdm_t:x_drawable { read add_child };
+ allow $2 xdm_t:x_client destroy;
- xserver_common_app($2)
+ allow $2 root_xdrawable_t:x_drawable write;
+ allow $2 xserver_t:x_server manage;
+ allow $2 xserver_t:x_pointer manage;
+ allow $2 xserver_t:x_keyboard { read manage };
')
#######################################
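Review bot: The added `# disable property transitions for the time being.` together with the commented-out `# type_transition $2 xproperty_t:x_property $1_xproperty_t;` leaves dead policy in the template with no reason recorded; either delete the line or state what breaks when the transition is enabled. The new grants at the end of the block — `allow $2 xdm_t:x_client destroy;`, `allow $2 xserver_t:x_server manage;` and `allow $2 xserver_t:x_keyboard { read manage };` — also lack the per-program comments the removed object-manager block in the xserver_restricted_role hunk carried, so a reader cannot tell which client needs each; one comment per rule in that style would restore the documentation. The template's gen_require is in the preceding hunk.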
@@ -438,27 +432,12 @@
#
# Types for properties
- type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type;
+ type $1_xproperty_t, xproperty_type;
ubac_constrained($1_xproperty_t)
# Types for events
type $1_input_xevent_t, input_xevent_type, xevent_type;
ubac_constrained($1_input_xevent_t)
-
- type $1_property_xevent_t, xevent_type;
- ubac_constrained($1_property_xevent_t)
-
- type $1_focus_xevent_t, xevent_type;
- ubac_constrained($1_focus_xevent_t)
-
- type $1_manage_xevent_t, xevent_type;
- ubac_constrained($1_manage_xevent_t)
-
- type $1_default_xevent_t, xevent_type;
- ubac_constrained($1_default_xevent_t)
-
- type $1_client_xevent_t, xevent_type;
- ubac_constrained($1_client_xevent_t)
')
#######################################
@@ -486,14 +465,13 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
- type xdm_t, xserver_tmp_t;
+ type xdm_t, xdm_tmp_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
- class x_screen all_x_screen_perms;
')
- allow $2 $2:shm create_shm_perms;
- allow $2 $2:unix_dgram_socket create_socket_perms;
- allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $2 self:shm create_shm_perms;
+ allow $2 self:unix_dgram_socket create_socket_perms;
+ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
@@ -501,9 +479,9 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file rw_fifo_file_perms;
- allow $2 xserver_tmp_t:dir search_dir_perms;
- allow $2 xserver_tmp_t:sock_file { read write };
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+ allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
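Review bot: The spelled-out set `{ getattr read write ioctl }` on `xdm_t:fifo_file` at L14106 differs from the `{ getattr read write }` this same patch uses for the same object at L14149 (hunk at L14145), so two interfaces now grant inconsistent access to the inherited xdm pipe. Both replace `rw_fifo_file_perms`, apparently to drop `open` for a descriptor the domain inherits rather than opens; the file already uses `rw_inherited_file_perms` (L14514) for that purpose on regular files, so if a matching inherited-fifo permission set exists it should be used in both places, otherwise define one and reference it instead of two hand-written lists. The template body continues outside this hunk.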
@@ -519,6 +497,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_pid($2)
# X object manager
xserver_object_types_template($1)
@@ -529,10 +508,6 @@
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
-
- allow $2 xserver_t:x_screen { saver_hide saver_show };
-
- xserver_use_xdm($2)
')
########################################
@@ -592,11 +567,8 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
-
ifdef(`hide_broken_symptoms', `
- dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
- dontaudit xauth_t $1:tcp_socket rw_socket_perms;
- dontaudit xauth_t $1:udp_socket rw_socket_perms;
+ dontaudit xauth_t $1:socket_class_set { read write };
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
')
')
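Review bot: The replacement `dontaudit xauth_t $1:socket_class_set { read write };` at L14135 widens the suppression from the three classes the removed lines covered (unix_stream, tcp, udp) to every class in socket_class_set, so read/write denials on any other socket xauth_t inherits (netlink, packet, rawip, …) will no longer appear in the audit log. Even under `hide_broken_symptoms` it is preferable to keep the dontaudit to the classes actually observed, or at least to add a comment naming the symptom being hidden, e.g. `# xauth inherits the caller's open sockets; hide read/write denials on them`, so the audit gap remains deliberate and reviewable. The enclosing interface starts outside this hunk.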
@@ -652,6 +624,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
+ xserver_read_xdm_pid($1)
')
########################################
@@ -742,7 +715,7 @@
type xdm_t;
')
- allow $1 xdm_t:fifo_file rw_fifo_file_perms;
+ allow $1 xdm_t:fifo_file { getattr read write };
')
########################################
@@ -778,11 +751,11 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
- type xdm_t, xserver_tmp_t;
+ type xdm_t, xdm_tmp_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xdm_t)
+ stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
')
########################################
@@ -816,10 +789,10 @@
#
interface(`xserver_setattr_xdm_tmp_dirs',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
- allow $1 xserver_tmp_t:dir setattr;
+ allow $1 xdm_tmp_t:dir setattr;
')
########################################
@@ -835,13 +808,12 @@
#
interface(`xserver_create_xdm_tmp_sockets',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
files_search_tmp($1)
- allow $1 xserver_tmp_t:dir list_dir_perms;
- create_sock_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
- allow $1 xserver_tmp_t:sock_file unlink;
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+ create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
########################################
@@ -865,43 +837,6 @@
########################################
## <summary>
-## Manage XDM pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_manage_xdm_pid',`
- gen_require(`
- type xdm_var_run_t;
- ')
-
- files_search_pids($1)
- manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
-')
-
-########################################
-## <summary>
-## Search XDM var lib dirs.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_search_xdm_lib',`
- gen_require(`
- type xdm_var_lib_t;
- ')
-
- allow $1 xdm_var_lib_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
## Read XDM var lib files.
## </summary>
## <param name="domain">
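Review bot: `xserver_manage_xdm_pid` (L14201) and `xserver_manage_xdm_lib_files` (L14244, next hunk) are deleted outright and, unlike `xserver_search_xdm_lib` and the other interfaces this patch moves around, are not re-added anywhere in this view; the same holds for `xserver_read_home_fonts` (L14572), `xserver_rw_xdm_home_files` (L14595), `xserver_use_xdm` (L14686), `xserver_getattr_xauth` (L14729), `xserver_xdm_stream_connect` (L14754), `xserver_ptrace_xdm` (L14800), `xserver_communicate` (L14853) and `xserver_common_app` (L14888), and `xserver_xdm_dbus_chat` (L14936) is renamed to `xserver_dbus_chat_xdm` without a compatibility wrapper. Unless they are re-added later in the file, any other module still calling one of these names will be left with an unexpanded m4 call and the policy build will fail there. If the removals are intentional, a deprecated stub for each name that calls `refpolicywarn()` and the replacement interface would keep callers building while they migrate.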
@@ -920,75 +855,6 @@
########################################
## <summary>
-## Read XDM var lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_manage_xdm_lib_files',`
- gen_require(`
- type xdm_var_lib_t;
- ')
-
- manage_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
- read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
-')
-
-########################################
-## <summary>
-## Execute xsever in the xserver domain, and
-## allow the specified role the xserver domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## The type of the process performing this action.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed the xserver domain.
-## </summary>
-## </param>
-#
-interface(`xserver_run',`
- gen_require(`
- type xserver_t;
- ')
-
- xserver_domtrans($1)
- role $2 types xserver_t;
-')
-
-########################################
-## <summary>
-## Execute xsever in the xserver domain, and
-## allow the specified role the xserver domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## The type of the process performing this action.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed the xserver domain.
-## </summary>
-## </param>
-#
-interface(`xserver_run_xauth',`
- gen_require(`
- type xauth_t;
- ')
-
- xserver_domtrans_xauth($1)
- role $2 types xauth_t;
-')
-
-########################################
-## <summary>
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1007,24 +873,6 @@
########################################
## <summary>
-## Make an X executable an entrypoint for the specified domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## The domain for which the shell is an entrypoint.
-## </summary>
-## </param>
-#
-interface(`xserver_entry_type',`
- gen_require(`
- type xserver_exec_t;
- ')
-
- domain_entry_file($1, xserver_exec_t)
-')
-
-########################################
-## <summary>
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
@@ -1100,27 +948,6 @@
########################################
## <summary>
-## Allow append the xdm
-## log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit
-## </summary>
-## </param>
-#
-interface(`xserver_xdm_append_log',`
- gen_require(`
- type xdm_log_t;
- attribute xdmhomewriter;
- ')
-
- typeattribute $1 xdmhomewriter;
- append_files_pattern($1, xdm_log_t, xdm_log_t)
-')
-
-########################################
-## <summary>
## Do not audit attempts to write the X server
## log files.
## </summary>
@@ -1174,11 +1001,11 @@
#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
files_search_tmp($1)
- read_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
########################################
@@ -1193,11 +1020,11 @@
#
interface(`xserver_dontaudit_read_xdm_tmp_files',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
- dontaudit $1 xserver_tmp_t:dir search_dir_perms;
- dontaudit $1 xserver_tmp_t:file read_file_perms;
+ dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+ dontaudit $1 xdm_tmp_t:file read_file_perms;
')
########################################
@@ -1212,11 +1039,11 @@
#
interface(`xserver_rw_xdm_tmp_files',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
- allow $1 xserver_tmp_t:dir search_dir_perms;
- allow $1 xserver_tmp_t:file rw_file_perms;
+ allow $1 xdm_tmp_t:dir search_dir_perms;
+ allow $1 xdm_tmp_t:file rw_file_perms;
')
########################################
@@ -1231,10 +1058,10 @@
#
interface(`xserver_manage_xdm_tmp_files',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
- manage_files_pattern($1, xserver_tmp_t, xserver_tmp_t)
+ manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
########################################
@@ -1249,10 +1076,10 @@
#
interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
gen_require(`
- type xserver_tmp_t;
+ type xdm_tmp_t;
')
- dontaudit $1 xserver_tmp_t:sock_file getattr;
+ dontaudit $1 xdm_tmp_t:sock_file getattr;
')
########################################
@@ -1267,11 +1094,10 @@
#
interface(`xserver_domtrans',`
gen_require(`
- type xserver_t, xserver_exec_t, xdm_t;
+ type xserver_t, xserver_exec_t;
')
allow $1 xserver_t:process siginh;
- allow xdm_t $1:process sigchld;
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
@@ -1409,7 +1235,9 @@
########################################
## <summary>
-## Read xserver files created in /var/run
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Gives the domain permission to read the
+## virtual core keyboard and virtual core pointer devices.
## </summary>
## <param name="domain">
## <summary>
@@ -1417,18 +1245,33 @@
## </summary>
## </param>
#
-interface(`xserver_read_pid',`
+interface(`xserver_manage_core_devices',`
gen_require(`
- type xserver_var_run_t;
+ type xserver_t;
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
+ class x_screen all_x_screen_perms;
+ class x_drawable { manage };
+ type root_xdrawable_t;
+ attribute x_domain;
+ class x_drawable { read manage setattr show };
+ class x_resource { write read };
')
- files_search_pids($1)
- read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+ allow $1 xserver_t:{ x_screen } setattr;
+
+ allow $1 x_domain:x_drawable { read manage setattr show };
+ allow $1 x_domain:x_resource { write read };
+ allow $1 root_xdrawable_t:x_drawable manage;
')
########################################
## <summary>
-## Execute xserver files created in /var/run
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Gives the domain complete control over the
+## display.
## </summary>
## <param name="domain">
## <summary>
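Review bot: The new summary at L14434-L14436 says the interface gives the domain permission to read the virtual core keyboard and pointer, but the rule at L14461 grants `*` (every permission) on `xserver_t:{ x_device x_pointer x_keyboard }`, and L14464-L14466 additionally grant `{ read manage setattr show }` on every `x_domain` drawable and `manage` on `root_xdrawable_t`. Either the documentation should match the grant, e.g. `## Gives the domain full control of the core keyboard, pointer and other input devices, and manage rights on all client drawables.`, or the rule should be narrowed to the read permissions the summary promises. The `gen_require` block also declares `class x_drawable` twice (L14453 and L14456) with different permission lists; drop the `{ manage }` line since the second declaration already covers it.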
@@ -1436,81 +1279,95 @@
## </summary>
## </param>
#
-interface(`xserver_exec_pid',`
+interface(`xserver_unconfined',`
gen_require(`
- type xserver_var_run_t;
+ attribute x_domain;
+ attribute xserver_unconfined_type;
')
- files_search_pids($1)
- exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+ typeattribute $1 x_domain;
+ typeattribute $1 xserver_unconfined_type;
')
########################################
## <summary>
-## Write xserver files created in /var/run
+## Dontaudit append to .xsession-errors file
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit
## </summary>
## </param>
#
-interface(`xserver_write_pid',`
+interface(`xserver_dontaudit_append_xdm_home_files',`
gen_require(`
- type xserver_var_run_t;
+ type xdm_home_t;
+ type xserver_tmp_t;
')
- files_search_pids($1)
- write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
+ dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files($1)
+ ')
')
########################################
## <summary>
-## Read user homedir fonts.
+## append to .xsession-errors file
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit
## </summary>
## </param>
-## <rolecap/>
#
-interface(`xserver_manage_home_fonts',`
+interface(`xserver_append_xdm_home_files',`
gen_require(`
- type user_fonts_t;
- type user_fonts_config_t;
+ type xdm_home_t;
+ type xserver_tmp_t;
')
- manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
- manage_files_pattern($1, user_fonts_t, user_fonts_t)
- manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+ allow $1 xdm_home_t:file append_file_perms;
+ allow $1 xserver_tmp_t:file append_file_perms;
- manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_append_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files($1)
+ ')
')
########################################
## <summary>
-## Read user homedir fonts.
+## Manage the xdm_spool files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`xserver_read_home_fonts',`
+interface(`xserver_xdm_manage_spool',`
gen_require(`
- type user_fonts_t;
+ type xdm_spool_t;
')
- read_files_pattern($1, user_fonts_t, user_fonts_t)
- read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+ files_search_spool($1)
+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
')
########################################
## <summary>
-## write to .xsession-errors file
+## Send and receive messages from
+## xdm over dbus.
## </summary>
## <param name="domain">
## <summary>
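Review bot: `xserver_dontaudit_append_xdm_home_files` and `xserver_append_xdm_home_files` still require and use `xserver_tmp_t` (L14510, L14515, L14544, L14550) while every other interface in this patch is switched to `xdm_tmp_t` (e.g. L14088, L14157, L14364); the two only build because the .te hunk at L15155 keeps `xserver_tmp_t` as an alias of `xdm_tmp_t`. For consistency, and so these interfaces survive a later removal of that alias, change the four lines to `type xdm_tmp_t;` and `xdm_tmp_t:file` respectively.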
@@ -1518,127 +1375,92 @@
## </summary>
## </param>
#
-interface(`xserver_rw_xdm_home_files',`
+interface(`xserver_dbus_chat_xdm',`
gen_require(`
- type xdm_home_t;
+ type xdm_t;
+ class dbus send_msg;
')
- allow $1 xdm_home_t:file rw_inherited_file_perms;
+ allow $1 xdm_t:dbus send_msg;
+ allow xdm_t $1:dbus send_msg;
')
########################################
## <summary>
-## Dontaudit append to .xsession-errors file
+## Read xserver files created in /var/run
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`xserver_dontaudit_append_xdm_home_files',`
+interface(`xserver_read_pid',`
gen_require(`
- type xdm_home_t;
- type xserver_tmp_t;
- ')
-
- dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
- dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_rw_nfs_files($1)
+ type xserver_var_run_t;
')
- tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_rw_cifs_files($1)
- ')
+ files_search_pids($1)
+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
')
########################################
## <summary>
-## append to .xsession-errors file
+## Execute xserver files created in /var/run
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`xserver_append_xdm_home_files',`
+interface(`xserver_exec_pid',`
gen_require(`
- type xdm_home_t;
- type xserver_tmp_t;
- ')
-
- allow $1 xdm_home_t:file append_file_perms;
- allow $1 xserver_tmp_t:file append_file_perms;
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_append_nfs_files($1)
+ type xserver_var_run_t;
')
- tunable_policy(`use_samba_home_dirs',`
- fs_append_cifs_files($1)
- ')
+ files_search_pids($1)
+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
')
-
-#######################################
+########################################
## <summary>
-## Interface to provide X object permissions on a given X server to
-## an X client domain. Provides the minimal set required by a basic
-## X client application.
+## Write xserver files created in /var/run
## </summary>
## <param name="domain">
## <summary>
-## Client domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`xserver_use_xdm',`
+interface(`xserver_write_pid',`
gen_require(`
- type xdm_t, xserver_tmp_t;
- type xdm_xproperty_t;
- type xdm_home_t;
- class x_client all_x_client_perms;
- class x_drawable all_x_drawable_perms;
- class x_property all_x_property_perms;
+ type xserver_var_run_t;
')
- allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file rw_fifo_file_perms;
- dontaudit $1 xdm_t:tcp_socket { read write };
-
- # Allow connections to X server.
- xserver_stream_connect_xdm($1)
- xserver_read_xdm_tmp_files($1)
- xserver_xdm_stream_connect($1)
- xserver_setattr_xdm_tmp_dirs($1)
- xserver_read_xdm_pid($1)
- xserver_search_xdm_lib($1)
-
- allow $1 xdm_t:x_client { getattr destroy };
- allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
- allow $1 xdm_xproperty_t:x_property { write read };
- allow $1 xdm_home_t:file append_file_perms;
+ files_search_pids($1)
+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
')
########################################
## <summary>
-## Get the attributes of xauth executable
+## Allow append the xdm
+## log files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit
## </summary>
## </param>
#
-interface(`xserver_getattr_xauth',`
+interface(`xserver_xdm_append_log',`
gen_require(`
- type xauth_exec_t;
+ type xdm_log_t;
+ attribute xdmhomewriter;
')
- allow $1 xauth_exec_t:file getattr;
+ typeattribute $1 xdmhomewriter;
+ append_files_pattern($1, xdm_log_t, xdm_log_t)
')
########################################
@@ -1662,27 +1484,30 @@
########################################
## <summary>
-## Connect to apmd over an unix stream socket.
+## Read user homedir fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`xserver_xdm_stream_connect',`
+interface(`xserver_rw_inherited_user_fonts',`
gen_require(`
- type xdm_t, xdm_var_run_t;
+ type user_fonts_t;
+ type user_fonts_config_t;
')
- files_search_pids($1)
- allow $1 xdm_var_run_t:sock_file write;
- allow $1 xdm_t:unix_stream_socket connectto;
+ allow $1 user_fonts_t:file rw_inherited_file_perms;
+ allow $1 user_fonts_t:file read_lnk_file_perms;
+
+ allow $1 user_fonts_config_t:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Manage the xdm_spool files
+## Search XDM var lib dirs.
## </summary>
## <param name="domain">
## <summary>
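Review bot: `allow $1 user_fonts_t:file read_lnk_file_perms;` at L14765 applies the symlink permission set to the `file` class; the rule it replaces (`read_lnk_files_pattern`, L14579) targeted `lnk_file`, so symlinks under the user fonts directory will still be denied and the line only repeats permissions that `rw_inherited_file_perms` on the previous line already grants. Change it to `allow $1 user_fonts_t:lnk_file read_lnk_file_perms;`.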
@@ -1690,145 +1515,102 @@
## </summary>
## </param>
#
-interface(`xserver_xdm_manage_spool',`
+interface(`xserver_search_xdm_lib',`
gen_require(`
- type xdm_spool_t;
- ')
-
- files_search_spool($1)
- manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+ type xdm_var_lib_t;
')
-########################################
-## <summary>
-## Ptrace XDM
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit
-## </summary>
-## </param>
-#
-interface(`xserver_ptrace_xdm',`
- gen_require(`
- type xdm_t;
+ allow $1 xdm_var_lib_t:dir search_dir_perms;
')
- allow $1 xdm_t:process ptrace;
-')
########################################
## <summary>
-## Interface to provide X object permissions on a given X server to
-## an X client domain. Gives the domain complete control over the
-## display.
+## Make an X executable an entrypoint for the specified domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The domain for which the shell is an entrypoint.
## </summary>
## </param>
#
-interface(`xserver_unconfined',`
+interface(`xserver_entry_type',`
gen_require(`
- attribute xserver_unconfined_type;
- attribute x_domain;
+ type xserver_exec_t;
')
- typeattribute $1 xserver_unconfined_type;
- typeattribute $1 x_domain;
+ domain_entry_file($1, xserver_exec_t)
')
########################################
## <summary>
-## Rules required for using the X Windows server
-## and environment.
+## Execute xsever in the xserver domain, and
+## allow the specified role the xserver domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The type of the process performing this action.
## </summary>
## </param>
-## <param name="domain">
+## <param name="role">
## <summary>
-## Domain allowed access.
+## The role to be allowed the xserver domain.
## </summary>
## </param>
#
-interface(`xserver_communicate',`
+interface(`xserver_run',`
gen_require(`
- class x_drawable all_x_drawable_perms;
- class x_resource all_x_resource_perms;
+ type xserver_t;
')
- allow $1 $2:x_drawable all_x_drawable_perms;
- allow $2 $1:x_drawable all_x_drawable_perms;
- allow $1 $2:x_resource all_x_resource_perms;
- allow $2 $1:x_resource all_x_resource_perms;
+ xserver_domtrans($1)
+ role $2 types xserver_t;
')
-#######################################
+########################################
## <summary>
-## Interface to provide X object permissions on a given X server to
-## an X client domain. Provides the minimal set required by a basic
-## X client application.
+## Execute xsever in the xserver domain, and
+## allow the specified role the xserver domain.
## </summary>
## <param name="domain">
## <summary>
-## Client domain allowed access.
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the xserver domain.
## </summary>
## </param>
#
-interface(`xserver_common_app',`
-
+interface(`xserver_run_xauth',`
gen_require(`
- attribute x_domain;
- attribute xevent_type;
- type xselection_t, rootwindow_t;
- type user_xproperty_t, xproperty_t;
- class x_property all_x_property_perms;
- class x_selection all_x_selection_perms;
- class x_event all_x_event_perms;
- class x_synthetic_event all_x_synthetic_event_perms;
+ type xauth_t;
')
- # Type attributes
- typeattribute $1 x_domain;
-
- allow $1 xselection_t:x_selection setattr;
- allow $1 user_xproperty_t:x_property { write read destroy };
- allow $1 xproperty_t:x_property all_x_property_perms;
-
- # X Windows
- # new windows have the domain type
- type_transition $1 rootwindow_t:x_drawable $1;
-
- # X Input
- # can receive own events
- allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };
- xserver_communicate($1, $1)
- xserver_stream_connect($1)
- xserver_use_xdm($1)
+ xserver_domtrans_xauth($1)
+ role $2 types xauth_t;
')
-
########################################
## <summary>
-## Send and receive messages from
-## xdm over dbus.
+## Read user homedir fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`xserver_xdm_dbus_chat',`
+interface(`xserver_manage_home_fonts',`
gen_require(`
- type xdm_t;
- class dbus send_msg;
+ type user_fonts_t;
+ type user_fonts_config_t;
')
- allow $1 xdm_t:dbus send_msg;
- allow xdm_t $1:dbus send_msg;
-')
+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
+ manage_files_pattern($1, user_fonts_t, user_fonts_t)
+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
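Review bot: The summaries added at L14836 and L14873 carry the typo `xsever` (inherited from the removed text); since these blocks are being rewritten anyway, fix them to `## Execute xserver in the xserver domain, and`. The second block documents `xserver_run_xauth` (L14890) yet its summary (L14873-L14874) and role parameter (L14884) still talk about the xserver domain, while the interface transitions to xauth_t; it should read `## Execute xauth in the xauth domain, and` / `## allow the specified role the xauth domain.` with the role summary changed to `## The role to be allowed the xauth domain.`.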
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-05-05 15:11:20.701878862 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.2.3)
+policy_module(xserver, 3.3.2)
gen_require(`
class x_drawable all_x_drawable_perms;
@@ -12,6 +12,8 @@
class x_cursor all_x_cursor_perms;
class x_client all_x_client_perms;
class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
class x_server all_x_server_perms;
class x_extension all_x_extension_perms;
class x_resource all_x_resource_perms;
@@ -54,56 +56,58 @@
gen_tunable(xserver_object_manager, false)
attribute xdmhomewriter;
-attribute input_xevent_type;
-attribute xserver_unconfined_type;
-attribute x_domain;
attribute x_userdomain;
-attribute xproperty_type;
-attribute xselection_type;
-attribute xextension_type;
+
+attribute x_domain;
+
+# X Events
attribute xevent_type;
+attribute input_xevent_type;
+type xevent_t, xevent_type;
+typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t };
+typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
+typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t };
+typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
+typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t };
+typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
+typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t };
+typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };
-type accelgraphics_xext_t, xextension_type;
type client_xevent_t, xevent_type;
+typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t };
+typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
+
+type input_xevent_t, xevent_type, input_xevent_type;
+
+# X Extensions
+attribute xextension_type;
+type xextension_t, xextension_type;
+type security_xextension_t, xextension_type;
+
+# X Properties
+attribute xproperty_type;
+type xproperty_t, xproperty_type;
+type seclabel_xproperty_t, xproperty_type;
type clipboard_xproperty_t, xproperty_type;
-type clipboard_xselection_t, xselection_type;
-type debug_xext_t, xextension_type;
-type directhw_xext_t alias disallowed_xext_t, xextension_type;
-type focus_xevent_t, xevent_type;
-type iceauth_t;
-type iceauth_exec_t;
-typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t };
-typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
-application_domain(iceauth_t, iceauth_exec_t)
-ubac_constrained(iceauth_t)
+# X Selections
+attribute xselection_type;
+type xselection_t, xselection_type;
+type clipboard_xselection_t, xselection_type;
+#type settings_xselection_t, xselection_type;
+#type dbus_xselection_t, xselection_type;
-type iceauth_home_t;
-typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
-typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t };
-files_poly_member(iceauth_home_t)
-userdom_user_home_content(iceauth_home_t)
+# X Drawables
+attribute xdrawable_type;
+attribute xcolormap_type;
+type root_xdrawable_t, xdrawable_type;
+type root_xcolormap_t, xcolormap_type;
-type info_xproperty_t, xproperty_type;
-type input_xevent_t, xevent_type;
-type manage_xevent_t, xevent_type;
-type output_xext_t, xextension_type;
-type property_xevent_t, xevent_type;
-type remote_xclient_t;
-
-type rootwindow_t;
-typealias rootwindow_t alias { user_rootwindow_t staff_rootwindow_t sysadm_rootwindow_t };
-typealias rootwindow_t alias { auditadm_rootwindow_t secadm_rootwindow_t };
-ubac_constrained(rootwindow_t)
-
-type screensaver_xext_t, xextension_type;
-type security_xext_t, xextension_type;
-type shmem_xext_t, xextension_type;
-type std_xext_t, xextension_type;
-type video_xext_t, xextension_type;
-type unknown_xevent_t, xevent_type;
+attribute xserver_unconfined_type;
+xserver_object_types_template(root)
xserver_object_types_template(user)
+
typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
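Review bot: L15025-L15026 add commented-out type declarations (`#type settings_xselection_t, xselection_type;`, `#type dbus_xselection_t, xselection_type;`) into the selections section; commented-out policy is dead weight that tends to be revived without review, so either declare the types or drop the lines and record the intent in the changelog. The alias block at L14986-L14993 also deserves a one-line comment, since it silently folds what used to be distinct property/focus/manage/default event types into `xevent_t`: `# property/focus/manage/default events are no longer distinguished; aliases keep the old per-role names resolvable`.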
@@ -108,52 +112,63 @@
typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
-typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t };
-typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
-typealias user_focus_xevent_t alias { staff_focus_xevent_t sysadm_focus_xevent_t };
-typealias user_focus_xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
-typealias user_manage_xevent_t alias { staff_manage_xevent_t sysadm_manage_xevent_t };
-typealias user_manage_xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
-typealias user_default_xevent_t alias { staff_default_xevent_t sysadm_default_xevent_t };
-typealias user_default_xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };
-typealias user_client_xevent_t alias { staff_client_xevent_t sysadm_client_xevent_t };
-typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
+
+type remote_t;
+xserver_object_types_template(remote)
+xserver_common_x_domain_template(remote,remote_t)
type user_fonts_t;
-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t };
-typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t };
+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
+typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
userdom_user_home_content(user_fonts_t)
type user_fonts_cache_t;
-typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t };
+typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
+;
userdom_user_home_content(user_fonts_cache_t)
type user_fonts_config_t;
-typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t };
+typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
userdom_user_home_content(user_fonts_config_t)
-type xevent_t alias default_xevent_t, xevent_type;
-type xext_t alias unknown_xext_t, xextension_type;
-type xproperty_t alias default_xproperty_t, xproperty_type;
-type xselection_t alias default_xselection_t, xselection_type;
+type iceauth_t;
+type iceauth_exec_t;
+typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { xguest_iceauth_t };
+typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+application_domain(iceauth_t, iceauth_exec_t)
+ubac_constrained(iceauth_t)
+
+type iceauth_home_t;
+typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+typealias iceauth_home_t alias { xguest_iceauth_home_t };
+files_poly_member(iceauth_home_t)
+userdom_user_home_content(iceauth_home_t)
type xauth_t;
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
-typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t };
+typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
application_domain(xauth_t, xauth_exec_t)
ubac_constrained(xauth_t)
type xauth_home_t;
typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
-typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t };
+typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
files_poly_member(xauth_home_t)
userdom_user_home_content(xauth_home_t)
type xauth_tmp_t;
-typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t };
+typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
@@ -168,7 +183,9 @@
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
-init_daemon_domain(xdm_t, xdm_exec_t)
+init_system_domain(xdm_t, xdm_exec_t)
+xserver_object_types_template(xdm)
+xserver_common_x_domain_template(xdm, xdm_t)
type xdm_lock_t;
files_lock_file(xdm_lock_t)
@@ -191,6 +208,12 @@
type xserver_var_run_t;
files_pid_file(xserver_var_run_t)
+type xdm_tmp_t;
+files_tmp_file(xdm_tmp_t)
+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+ubac_constrained(xdm_tmp_t)
+
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
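Review bot: L15155 makes xserver_tmp_t an alias of the new xdm_tmp_t, but the rest of the patch keeps both names in use: L15200, L15258, L15364-15369 and L15395 add or keep rules under xserver_tmp_t while L15244-15249 and L15430-15432 are rewritten to xdm_tmp_t. The two names resolve to one type, so nothing breaks, but a reader can no longer tell that xdm_t and xserver_t share a single tmp type. Use xdm_tmp_t throughout and mark the alias: `# xserver_tmp_t is kept only as a compatibility alias; new rules should name xdm_tmp_t`.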
@@ -209,17 +232,9 @@
type xserver_exec_t;
typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
-xserver_object_types_template(xdm)
-xserver_common_x_domain_template(xdm, xdm_t)
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
-type xserver_tmp_t;
-typealias xserver_tmp_t alias { xdm_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
-
type xserver_tmpfs_t;
typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
@@ -269,9 +284,11 @@
')
ifdef(`hide_broken_symptoms', `
+ dev_dontaudit_read_urand(iceauth_t)
dev_dontaudit_rw_dri(iceauth_t)
dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
fs_list_inotifyfs(iceauth_t)
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
term_dontaudit_use_unallocated_ttys(iceauth_t)
optional_policy(`
@@ -289,6 +306,9 @@
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
allow xauth_t xdm_t:process sigchld;
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
+corenet_tcp_connect_xserver_port(xauth_t)
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
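Review bot: `allow xauth_t xserver_t:unix_stream_socket connectto;` at L15191 is already granted by the `stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)` added at L15200, so one of the two is redundant and the bare allow is the one to drop. The new `corenet_tcp_connect_xserver_port(xauth_t)` extends a cookie-handling domain to TCP connections to X server ports without saying why; presumably `xauth generate` needs a live connection to the server, which is over TCP when DISPLAY names a remote host. A comment such as `# xauth generate opens the display to obtain a cookie; the server may be reached over TCP` would let the next reader judge whether the network rule is still needed.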
@@ -301,15 +321,21 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-domain_use_interactive_fds(xauth_t)
+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-dev_rw_xserver_misc(xauth_t)
+kernel_read_system_state(xauth_t)
+
+domain_use_interactive_fds(xauth_t)
+domain_dontaudit_leaks(xauth_t)
files_read_etc_files(xauth_t)
files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
files_dontaudit_getattr_all_dirs(xauth_t)
+files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
+fs_dontaudit_leaks(xauth_t)
fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
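Review bot: `files_var_lib_filetrans(xauth_t, xauth_home_t, file)` at L15211 labels files that xauth_t creates directly in the /var/lib type with xauth_home_t, a user home content type (L15132), and nothing on the line says which file this is for. Unless a matching file context entry exists, a restorecon will relabel that file and the transition will disagree with the label on disk. Add a comment naming the path, e.g. `# <path under /var/lib> created for the display manager; keep in sync with the .fc entry`, with the path taken from the file context.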
@@ -325,12 +351,15 @@
ifdef(`hide_broken_symptoms', `
userdom_manage_user_home_content_files(xauth_t)
userdom_manage_user_tmp_files(xauth_t)
+ dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+ miscfiles_read_fonts(xauth_t)
')
xserver_rw_xdm_tmp_files(xauth_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(xauth_t)
+ fs_read_nfs_symlinks(xauth_t)
')
tunable_policy(`use_samba_home_dirs',`
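Review bot: `miscfiles_read_fonts(xauth_t)` at L15220 is an allow rule placed inside an ifdef(`hide_broken_symptoms') block whose other lines (L15219, L15230-15231) are dontaudit rules; as written the font access is only granted in builds with that flag set. If xauth genuinely needs fonts the call belongs with the unconditional rules above; if the access is only noise to silence, a dontaudit form is what belongs in this block.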
@@ -340,7 +369,6 @@
ifdef(`hide_broken_symptoms', `
term_dontaudit_use_unallocated_ttys(xauth_t)
dev_dontaudit_rw_dri(xauth_t)
- dev_dontaudit_rw_generic_dev_nodes(xauth_t)
')
optional_policy(`
@@ -394,12 +422,12 @@
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
-manage_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-manage_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-manage_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-files_tmp_filetrans(xdm_t, xserver_tmp_t, { file dir sock_file })
-relabelfrom_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-relabelfrom_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -433,7 +461,7 @@
manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
-allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:process { signal signull };
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
@@ -504,7 +532,7 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
-dev_getattr_video_dev(xdm_t)
+dev_read_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
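Review bot: L15264 widens xdm_t from getattr to read on video_device_t nodes without a comment naming the component that reads them. The display manager runs before any user has authenticated, so read access to capture hardware is worth a sentence the next reviewer can check, e.g. `# read (not only getattr) on video devices: needed by <component> — confirm`.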
@@ -549,8 +577,11 @@
storage_dontaudit_rw_fuse(xdm_t)
term_setattr_console(xdm_t)
+term_use_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
term_setattr_unallocated_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
+term_relabel_all_ttys(xdm_t)
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
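Review bot: `term_relabel_all_ttys(xdm_t)` at L15275 subsumes the `term_relabel_unallocated_ttys(xdm_t)` added on the line above, and relabeling every tty type lets the display manager change the label of terminals already assigned to logged-in users. If the need is only the virtual terminal xdm hands to the X server, the unallocated-ttys interface alone is enough and L15275 can be dropped; otherwise a comment should say which tty type it has to relabel and why.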
@@ -566,7 +597,6 @@
logging_read_generic_logs(xdm_t)
-miscfiles_dontaudit_write_fonts(xdm_t)
miscfiles_search_man_pages(xdm_t)
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
@@ -583,6 +613,7 @@
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_files(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
@@ -635,6 +666,7 @@
dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
xserver_xdm_append_log(xdm_dbusd_t)
+ xserver_read_xdm_pid(xdm_dbusd_t)
corecmd_bin_entry_type(xdm_t)
@@ -667,7 +699,9 @@
')
optional_policy(`
+ gnome_append_gconf_home_files(xdm_t)
gnome_read_gconf_config(xdm_t)
+ gnome_read_config(xdm_t)
')
optional_policy(`
@@ -685,11 +719,6 @@
optional_policy(`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool_files(xdm_t)
- mta_dontaudit_read_spool_symlinks(xdm_t)
-')
-
-optional_policy(`
- resmgr_stream_connect(xdm_t)
')
optional_policy(`
@@ -705,13 +734,18 @@
')
optional_policy(`
- plymouth_search_spool(xdm_t)
- plymouth_exec_plymouth(xdm_t)
+ plymouthd_search_spool(xdm_t)
+ plymouthd_exec_plymouth(xdm_t)
')
optional_policy(`
pulseaudio_exec(xdm_t)
pulseaudio_dbus_chat(xdm_t)
+ pulseaudio_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(xdm_t)
')
# On crash gdm execs gdb to dump stack
@@ -726,6 +760,10 @@
')
optional_policy(`
+ shutdown_domtrans(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
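Review bot: `shutdown_domtrans(xdm_t)` at L15336 lets a domain that runs before anyone has authenticated start a shutdown, and carries no comment. Presumably this backs the greeter's shut-down/restart action, with the decision of who may trigger it left to the display manager; a one-liner such as `# greeter shutdown/restart action; who may trigger it is decided by the display manager, not by policy — confirm` records that so the rule is not later mistaken for an oversight.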
@@ -767,6 +805,14 @@
# X server local policy
#
+# X Object Manager rules
+type_transition xserver_t xserver_t:x_drawable root_xdrawable_t;
+type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+
+allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+allow xserver_t input_xevent_t:x_event send;
+
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
@@ -802,18 +848,12 @@
allow xserver_t xauth_home_t:file read_file_perms;
-# Labeling rules for root windows and colormaps
-type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
-
-allow xserver_t { rootwindow_t x_domain }:x_drawable send;
-allow xserver_t x_domain:shm rw_shm_perms;
-
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
-#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
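Review bot: Uncommenting `filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)` at L15369 adds no labeling: a sock_file created inside a directory of type xserver_tmp_t already receives xserver_tmp_t by default, and creation in the generic tmp directory is covered by `files_tmp_filetrans` at L15367. The line was presumably commented out for that reason and is better deleted than revived. The hunk also removes `allow xserver_t x_domain:shm rw_shm_perms;` (L15362) with no visible replacement; if clients still use MIT-SHM the server will now be denied the shared-segment access, so confirm the rule moved rather than vanished.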
@@ -907,6 +947,7 @@
mls_process_write_to_clearance(xserver_t)
mls_file_read_to_clearance(xserver_t)
mls_file_write_all_levels(xserver_t)
+mls_file_upgrade(xserver_t)
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
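Review bot: `mls_file_upgrade(xserver_t)` at L15376 adds a privilege that lets the server raise the MLS level of file objects, on top of the write-all-levels grant just above it, with no comment saying what needs it. It is likely paired with the sock_file range_transition re-enabled at L15395, which creates the server socket at a range wider than the server's own level; if so, say it: `# mlsfileupgrade: needed to create the listening socket at s0 - mls_systemhigh (see the range_transition below) — confirm`.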
@@ -928,13 +969,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
-miscfiles_dontaudit_write_fonts(xserver_t)
miscfiles_read_hwdata(xserver_t)
modutils_domtrans_insmod(xserver_t)
# read x_contexts
seutil_read_default_contexts(xserver_t)
+seutil_read_config(xserver_t)
+seutil_read_file_contexts(xserver_t)
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -952,7 +994,7 @@
')
ifdef(`enable_mls',`
-# range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
+ range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
@@ -961,15 +1003,17 @@
# but typeattribute doesnt work in conditionals
allow xserver_t xserver_t:x_server *;
- allow xserver_t { x_domain rootwindow_t }:x_drawable *;
+ allow xserver_t { x_domain root_xdrawable_t }:x_drawable *;
allow xserver_t xserver_t:x_screen *;
allow xserver_t x_domain:x_gc *;
- allow xserver_t { x_domain rootwindow_t }:x_colormap *;
+ allow xserver_t { x_domain root_xcolormap_t }:x_colormap *;
allow xserver_t xproperty_type:x_property *;
allow xserver_t xselection_type:x_selection *;
allow xserver_t x_domain:x_cursor *;
- allow xserver_t { x_domain remote_xclient_t }:x_client *;
+ allow xserver_t x_domain:x_client *;
allow xserver_t { x_domain xserver_t }:x_device *;
+ allow xserver_t { x_domain xserver_t }:x_pointer *;
+ allow xserver_t { x_domain xserver_t }:x_keyboard *;
allow xserver_t xextension_type:x_extension *;
allow xserver_t { x_domain xserver_t }:x_resource *;
allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
@@ -1016,6 +1060,7 @@
# cjp: when xdm is configurable via tunable these
# rules will be enabled only when xdm is enabled
+ps_process_pattern(xserver_t, xdm_t)
allow xserver_t xdm_t:process { signal getpgid };
allow xserver_t xdm_t:shm rw_shm_perms;
@@ -1027,9 +1072,9 @@
read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
-manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-manage_lnk_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
@@ -1088,136 +1133,139 @@
#
# Hacks
-# everyone can get the input focus of everyone else
-# this is a fundamental brokenness in the X protocol
-allow x_domain { x_domain xserver_t }:x_device getfocus;
-# everyone can grab the server
-# everyone does it, it is basically a free DOS attack
-allow x_domain xserver_t:x_server grab;
-# everyone can get the font path, etc.
-# this could leak out sensitive information
-allow x_domain xserver_t:x_server getattr;
# everyone can do override-redirect windows.
# this could be used to spoof labels
allow x_domain self:x_drawable override;
-# everyone can receive management events on the root window
-# allows to know when new windows appear, among other things
-allow x_domain manage_xevent_t:x_event receive;
+# firefox gets nosy with other people's windows
+allow x_domain x_domain:x_drawable { list_child receive };
# X Server
-# can read server-owned resources
-allow x_domain xserver_t:x_resource read;
-allow x_domain xserver_t:x_device { manage force_cursor };
-
+# can get X server attributes
+allow x_domain xserver_t:x_server getattr;
+# can grab the server
+allow x_domain xserver_t:x_server grab;
+# can read and write server-owned generic resources
+allow x_domain xserver_t:x_resource { read write };
# can mess with own clients
-allow x_domain self:x_client { manage destroy };
+allow x_domain self:x_client { getattr manage destroy };
# X Protocol Extensions
-allow x_domain std_xext_t:x_extension { query use };
-allow x_domain shmem_xext_t:x_extension { query use };
-dontaudit x_domain xextension_type:x_extension { query use };
+allow x_domain xextension_t:x_extension { query use };
+allow x_domain security_xextension_t:x_extension { query use };
# X Properties
-# can read and write cut buffers
-allow x_domain clipboard_xproperty_t:x_property { create read write append };
-# can read info properties
-allow x_domain info_xproperty_t:x_property read;
# can change properties of root window
-allow x_domain rootwindow_t:x_drawable { list_property get_property set_property };
-# can change properties of own windows
+allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property };
+# can change properties of my own windows
allow x_domain self:x_drawable { list_property get_property set_property };
+# can read and write cut buffers
+allow x_domain clipboard_xproperty_t:x_property { create read write append };
+# can read security labels
+allow x_domain seclabel_xproperty_t:x_property { getattr read };
+# can change all other properties
+allow x_domain xproperty_t:x_property { getattr create read write append destroy };
# X Windows
# operations allowed on root windows
-allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
+allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-
-allow x_domain x_domain:x_drawable { get_property getattr list_child };
+allow x_domain self:x_drawable { blend };
+# operations allowed on all windows
+allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
# X Colormaps
# can use the default colormap
-allow x_domain rootwindow_t:x_colormap { read use add_color };
+allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall };
+# can create and use colormaps
+allow x_domain self:x_colormap *;
+
+# X Devices
+# operations allowed on my own devices
+allow x_domain self:{ x_device x_pointer x_keyboard } *;
+# operations allowed on generic devices
+allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+# operations allowed on core keyboard
+allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab };
+# operations allowed on core pointer
+allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor };
+
+# all devices can generate input events
+allow x_domain root_xdrawable_t:x_drawable send;
+allow x_domain x_domain:x_drawable send;
+allow x_domain input_xevent_t:x_event send;
+
+# dontaudit keyloggers repeatedly polling
+#dontaudit x_domain xserver_t:x_keyboard read;
# X Input
-# can receive certain root window events
-allow x_domain focus_xevent_t:x_event receive;
-allow x_domain property_xevent_t:x_event receive;
-allow x_domain client_xevent_t:x_synthetic_event receive;
-allow x_domain manage_xevent_t:x_synthetic_event receive;
+# can receive default events
+allow x_domain xevent_t:{ x_event x_synthetic_event } receive;
+# can receive ICCCM events
+allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive;
# can send ICCCM events to the root window
-allow x_domain manage_xevent_t:x_synthetic_event send;
allow x_domain client_xevent_t:x_synthetic_event send;
+# can receive root window input events
+allow x_domain root_input_xevent_t:x_event receive;
+
# X Selections
# can use the clipboard
allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
-# can query all other selections
-allow x_domain xselection_t:x_selection { getattr read };
+# can use default selections
+allow x_domain xselection_t:x_selection { getattr setattr read };
# Other X Objects
# can create and use cursors
allow x_domain self:x_cursor *;
# can create and use graphics contexts
allow x_domain self:x_gc *;
-# can create and use colormaps
-allow x_domain self:x_colormap *;
# can read and write own objects
allow x_domain self:x_resource { read write };
+# can mess with the screensaver
+allow x_domain xserver_t:x_screen { getattr saver_getattr };
+
+########################################
+#
+# Rules for unconfined access to this module
+#
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
allow x_domain xserver_t:x_server *;
- allow x_domain { x_domain rootwindow_t }:x_drawable *;
+ allow x_domain xdrawable_type:x_drawable *;
allow x_domain xserver_t:x_screen *;
allow x_domain x_domain:x_gc *;
- allow x_domain { x_domain rootwindow_t }:x_colormap *;
+ allow x_domain xcolormap_type:x_colormap *;
allow x_domain xproperty_type:x_property *;
allow x_domain xselection_type:x_selection *;
allow x_domain x_domain:x_cursor *;
- allow x_domain { x_domain remote_xclient_t }:x_client *;
+ allow x_domain x_domain:x_client *;
allow x_domain { x_domain xserver_t }:x_device *;
+ allow x_domain { x_domain xserver_t }:x_pointer *;
+ allow x_domain { x_domain xserver_t }:x_keyboard *;
allow x_domain xextension_type:x_extension *;
allow x_domain { x_domain xserver_t }:x_resource *;
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
-########################################
-#
-# Rules for unconfined access to this module
-#
-
allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type { x_domain rootwindow_t }:x_drawable *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
allow xserver_unconfined_type xserver_t:x_screen *;
allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type { x_domain rootwindow_t }:x_colormap *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
allow xserver_unconfined_type xproperty_type:x_property *;
allow xserver_unconfined_type xselection_type:x_selection *;
allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *;
+allow xserver_unconfined_type x_domain:x_client *;
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-allow xserver_unconfined_type self:x_drawable all_x_drawable_perms;
-allow xserver_unconfined_type self:x_screen all_x_screen_perms;
-allow xserver_unconfined_type self:x_gc all_x_gc_perms;
-allow xserver_unconfined_type self:x_font all_x_font_perms;
-allow xserver_unconfined_type self:x_colormap all_x_colormap_perms;
-allow xserver_unconfined_type self:x_property all_x_property_perms;
-allow xserver_unconfined_type self:x_selection all_x_selection_perms;
-allow xserver_unconfined_type self:x_cursor all_x_cursor_perms;
-allow xserver_unconfined_type self:x_client all_x_client_perms;
-allow xserver_unconfined_type self:x_device all_x_device_perms;
-allow xserver_unconfined_type self:x_server all_x_server_perms;
-allow xserver_unconfined_type self:x_extension all_x_extension_perms;
-allow xserver_unconfined_type self:x_resource all_x_resource_perms;
-allow xserver_unconfined_type self:x_event all_x_event_perms;
-allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms;
-
optional_policy(`
unconfined_rw_shm(xserver_t)
unconfined_execmem_rw_shm(xserver_t)
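Review bot: `allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };` at L15502 lets every client set properties on, and detach children from, windows belonging to any other client, and L15491 grants create/write/destroy on every property of the default xproperty_t type; both are cross-client writes the earlier rules deliberately withheld (the removed L15499 allowed only get_property, getattr and list_child), so each deserves a comment naming the application that needs it or should be narrowed back. The comment at L15520 says "all devices can generate input events", but the subject of L15521-15523 is x_domain, so every client — not just input devices — may send input_xevent_t events to the root window and to all windows; if devices are the intent, the subject should be the device types rather than x_domain. L15526 is commented-out code and should be deleted rather than kept; leaving the x_keyboard read denial audited is also the right default, because a client repeatedly polling the core keyboard is exactly the event an administrator wants in the audit log.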
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100
+++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-03-23 13:29:29.184391011 +0100
@@ -1,5 +1,5 @@
-policy_module(application, 1.1.0)
+policy_module(application, 1.1.1)
# Attribute of user applications
attribute application_domain_type;
@@ -7,14 +7,22 @@
# Executables to be run by user
attribute application_exec_type;
-userdom_append_user_home_content_files(application_domain_type)
-userdom_write_user_tmp_files(application_domain_type)
-logging_rw_all_logs(application_domain_type)
+userdom_inherit_append_user_home_content_files(application_domain_type)
userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_inherit_append_user_tmp_files(application_domain_type)
+logging_inherit_append_all_logs(application_domain_type)
files_dontaudit_search_all_dirs(application_domain_type)
optional_policy(`
+ afs_rw_udp_sockets(application_domain_type)
+')
+
+optional_policy(`
+ cron_rw_inherited_user_spool_files(application_domain_type)
+')
+
+optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
')
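Review bot: `afs_rw_udp_sockets(application_domain_type)` at L15650 is the only new line in the hunk whose interface name does not say it is restricted to inherited descriptors, unlike the three rewrites at L15644-15647 and `cron_rw_inherited_user_spool_files` at L15654. If the interface grants read/write on AFS UDP sockets outright, every application domain now gets it, not just one that inherited a leaked socket; confirm the interface's scope and, if it is inherited-only, a short comment to that effect keeps the block consistent.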
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-01-18 18:24:22.928540458 +0100
+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2010-03-23 14:10:50.121406254 +0100
@@ -1542,6 +1542,10 @@
')
optional_policy(`
+ likewise_stream_connect_lsassd($1)
+ ')
+
+ optional_policy(`
kerberos_use($1)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.6.32/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/daemontools.if 2010-02-11 14:55:16.780616974 +0100
@@ -71,6 +71,32 @@
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
+#######################################
+## <summary>
+## Execute svc_start in the svc_start domain, and
+## allow the specified role the svc_start domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the svc_start domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemonstools_run_start',`
+ gen_require(`
+ type svc_start_t;
+ ')
+
+ daemontools_domtrans_start($1)
+ role $2 types svc_start_t;
+')
+
########################################
## <summary>
## Execute in the svc_run_t domain.
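Review bot: The new interface at L15696 is named `daemonstools_run_start`, while every other interface in this file is prefixed `daemontools_` (L15701, L15721, L15747); a caller following the file's convention will fail on an undefined interface, so rename it to `daemontools_run_start`. The separator above it at L15679 is also one character shorter than the 40-character rule the file uses at L15705 and L15729, and L15711 and L15737 have the same problem.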
@@ -127,6 +153,24 @@
allow $1 svc_svc_t:file read_file_perms;
')
+#######################################
+## <summary>
+## Search svc_svc_t directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_search_svc_dir',`
+ gen_require(`
+ type svc_svc_t;
+ ')
+
+ allow $1 svc_svc_t:dir search_dir_perms;
+')
+
########################################
## <summary>
## Allow a domain to create svc_svc_t files.
@@ -148,3 +192,21 @@
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file { read create };
')
+
+#####################################
+## <summary>
+## Send a SIGCHLD signal to svc_run domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`daemontools_sigchld_run',`
+ gen_require(`
+ type svc_run_t;
+ ')
+
+ allow $1 svc_run_t:process sigchld;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.6.32/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-11 14:40:01.632617547 +0100
@@ -39,7 +39,10 @@
# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+term_write_console(svc_multilog_t)
+
init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
# writes to /var/log/*/*
logging_manage_generic_logs(svc_multilog_t)
@@ -53,7 +56,7 @@
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
#
-allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource};
allow svc_run_t self:process setrlimit;
allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
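Review bot: L15770 adds sys_resource to svc_run_t's capabilities with the space before the closing brace missing; `{ setgid setuid chown fsetid sys_resource }` is the form used elsewhere in the file (compare L15788). sys_resource also lets the domain raise hard resource limits and bypass several quota-style checks, which is more than the setrlimit it already had at L15771; a comment naming the helper that needs it (softlimit, presumably, given the list at L15767) would explain the grant.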
@@ -65,6 +68,10 @@
kernel_read_system_state(svc_run_t)
+dev_read_urand(svc_run_t)
+
+term_write_console(svc_run_t)
+
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
@@ -89,21 +96,36 @@
# ie svc, svscan, supervise ...
#
-allow svc_start_t svc_run_t:process signal;
+allow svc_start_t svc_run_t:process { signal setrlimit };
allow svc_start_t self:fifo_file rw_fifo_file_perms;
allow svc_start_t self:capability kill;
+allow svc_start_t self:tcp_socket create_stream_socket_perms;
allow svc_start_t self:unix_stream_socket create_socket_perms;
can_exec(svc_start_t, svc_start_exec_t)
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
+
+kernel_read_kernel_sysctls(svc_start_t)
+kernel_read_system_state(svc_start_t)
+
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
files_read_etc_files(svc_start_t)
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
+logging_send_syslog_msg(svc_start_t)
+
+miscfiles_read_localization(svc_start_t)
+
daemontools_domtrans_run(svc_start_t)
daemontools_manage_svc(svc_start_t)
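Review bot: `corenet_tcp_bind_generic_node(svc_start_t)` and `corenet_tcp_bind_generic_port(svc_start_t)` at L15799-15800, together with the tcp_socket creation at L15789, let the supervisor domain listen on any generic port, which is a broad grant for a domain the comment at L15783 describes as svc, svscan and supervise. If a specific supervised service is the one that listens, it presumably runs as svc_run_t after the `daemontools_domtrans_run(svc_start_t)` at L15812, and the bind rules would belong there; otherwise a comment naming the program that binds in svc_start_t, and ideally a port-specific interface, would bound the grant.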
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100
+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-02-23 18:55:42.216525227 +0100
@@ -18,6 +18,7 @@
/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -38,6 +39,7 @@
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-05-21 13:24:52.670390563 +0200
@@ -27,15 +27,18 @@
dev_read_sysfs(hostname_t)
+domain_dontaudit_leaks(hostname_t)
domain_use_interactive_fds(hostname_t)
files_read_etc_files(hostname_t)
+files_dontaudit_leaks(hostname_t)
files_dontaudit_search_var(hostname_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_leaks(hostname_t)
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
@@ -59,5 +62,9 @@
')
optional_policy(`
+ nis_use_ypbind(hostname_t)
+')
+
+optional_policy(`
unconfined_dontaudit_rw_pipes(hostname_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
@@ -125,6 +125,10 @@
')
optional_policy(`
+ brctl_domtrans(hotplug_t)
+')
+
+optional_policy(`
consoletype_exec(hotplug_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100
+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-04-02 10:00:49.830602804 +0200
@@ -165,6 +165,7 @@
type init_t;
role system_r;
attribute daemon;
+ attribute initrc_transition_domain;
')
typeattribute $1 daemon;
@@ -180,6 +181,8 @@
# Handle upstart direct transition to a executable
domtrans_pattern(init_t,$2,$1)
allow init_t $1:process siginh;
+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 initrc_transition_domain:fd use;
# daemons started from init will
# inherit fds from init for the console
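Review bot: L15883-15884 (and the same pair at L15897-15898 in the next hunk) give every domain created through these interfaces fd use and read/write on inherited fifo files from every initrc_transition_domain type, which by the attribute's use at L15927 includes any domain that transitions into initrc_t, and init_t itself; neither pair has a comment. The enclosing interface begins outside the hunk, and the existing comment at L15885-15886 covers only fds from init. Extend it, e.g. `# also use fds and inherited pipes from whatever launched the init script (init, initrc, or a domain that transitions into initrc_t)`.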
@@ -273,6 +276,7 @@
gen_require(`
type initrc_t;
role system_r;
+ attribute initrc_transition_domain;
')
application_domain($1,$2)
@@ -281,6 +285,8 @@
domtrans_pattern(initrc_t,$2,$1)
allow initrc_t $1:process siginh;
+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 initrc_transition_domain:fd use;
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -292,6 +298,7 @@
userdom_dontaudit_search_user_home_dirs($1)
userdom_dontaudit_rw_stream($1)
+ userdom_dontaudit_write_user_tmp_files($1)
tunable_policy(`allow_daemons_use_tty',`
term_use_all_user_ttys($1)
@@ -309,7 +316,7 @@
')
optional_policy(`
- xserver_rw_xdm_home_files($1)
+ xserver_dontaudit_append_xdm_home_files($1)
')
optional_policy(`
@@ -554,7 +561,7 @@
')
dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file write;
+ allow $1 initctl_t:fifo_file write_file_perms;
')
########################################
@@ -775,8 +782,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
+ attribute initrc_transition_domain;
')
+ typeattribute $1 initrc_transition_domain;
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
@@ -1544,7 +1553,7 @@
type initrc_var_run_t;
')
- dontaudit $1 initrc_var_run_t:file { getattr read write append };
+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')
########################################
@@ -1686,3 +1695,26 @@
allow $1 initrc_t:sem rw_sem_perms;
')
+#######################################
+## <summary>
+## Dontaudit read and write an leaked init scrip file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_script_leaks',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:tcp_socket { read write };
+ dontaudit $1 initrc_t:udp_socket { read write };
+ dontaudit $1 initrc_t:unix_dgram_socket { read write };
+ dontaudit $1 initrc_t:unix_stream_socket { read write };
+ dontaudit $1 initrc_t:shm rw_shm_perms;
+ init_dontaudit_use_script_ptys($1)
+ init_dontaudit_use_script_fds($1)
+')
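Review bot: The summary of the new `init_dontaudit_script_leaks` interface contains two typos, `an leaked init scrip file descriptors`; suggest `## Do not audit attempts to read and write leaked init script file descriptors.` The body also covers tcp/udp/unix sockets and shared memory in addition to the pty and fd helpers it calls, so the summary could name `sockets, shared memory, ptys and file descriptors` to match what the interface actually suppresses.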
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-05-05 13:58:31.862629041 +0200
@@ -40,6 +40,7 @@
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
# Mark process types as daemons
attribute daemon;
@@ -47,7 +48,7 @@
#
# init_t is the domain of the init process.
#
-type init_t;
+type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
@@ -118,6 +119,7 @@
allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
@@ -138,6 +140,7 @@
dev_read_sysfs(init_t)
+domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
@@ -191,6 +194,7 @@
')
ifdef(`distro_redhat',`
+ fs_read_tmpfs_symlinks(init_t)
fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -204,6 +208,11 @@
')
optional_policy(`
+ # webmin seems to cause this.
+ apache_search_sys_content(daemon)
+')
+
+optional_policy(`
auth_rw_login_records(init_t)
')
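Review bot: `apache_search_sys_content(daemon)` grants search on httpd system content to every domain carrying the `daemon` attribute, while the comment attributes the need to one application (webmin). A grant on an attribute this wide is difficult to narrow later; if only webmin's domain needs it, the rule belongs in that module. If it stays here, the comment should state why the whole attribute is the right scope, e.g. `# webmin-triggered; granted to all daemons rather than a single domain — confirm scope`.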
@@ -212,6 +221,11 @@
')
optional_policy(`
+ dbus_connect_system_bus(init_t)
+ dbus_system_bus_client(init_t)
+')
+
+optional_policy(`
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
# the directory. But we do not want to allow this.
@@ -224,6 +238,10 @@
')
optional_policy(`
+ sssd_stream_connect(init_t)
+')
+
+optional_policy(`
unconfined_domain(init_t)
')
@@ -312,6 +330,7 @@
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
+dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
dev_rw_sysfs(initrc_t)
@@ -531,6 +550,7 @@
# Needs to cp localtime to /var dirs
files_write_var_dirs(initrc_t)
+ fs_read_tmpfs_symlinks(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
storage_manage_fixed_disk(initrc_t)
@@ -584,6 +604,7 @@
domain_dontaudit_use_interactive_fds(daemon)
userdom_dontaudit_list_admin_dir(daemon)
+userdom_dontaudit_search_user_tmp(daemon)
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
@@ -795,6 +816,10 @@
')
optional_policy(`
+ pulseaudio_stream_connect(initrc_t)
+')
+
+optional_policy(`
quota_manage_flags(initrc_t)
')
@@ -868,10 +893,12 @@
# Cron jobs used to start and stop services
optional_policy(`
cron_rw_pipes(daemon)
+ cron_rw_inherited_user_spool_files(daemon)
')
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -885,6 +912,9 @@
# Allow SELinux aware applications to request rpm_script_t execution
rpm_transition_script(initrc_t)
+ optional_policy(`
+ rtkit_daemon_system_domain(initrc_t)
+ ')
optional_policy(`
gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100
+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-03-08 12:57:11.225864570 +0100
@@ -182,9 +182,9 @@
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
+allow ipsec_mgmt_t self:process { getsched setsched signal setrlimit ptrace };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -206,6 +206,10 @@
allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
@@ -215,6 +219,8 @@
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+
allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -241,6 +247,7 @@
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
+files_read_usr_files(ipsec_mgmt_t)
# the default updown script wants to run route
# the ipsec wrapper wants to run /usr/bin/logger (should we put
@@ -253,7 +260,7 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
+domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-15 18:56:51.198318435 +0100
@@ -17,6 +17,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, iptables_exec_t, iptables_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit iptables_t $1:socket_class_set { read write };
+ ')
')
#####################################
@@ -67,6 +71,12 @@
optional_policy(`
modutils_run_insmod(iptables_t, $2)
')
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit iptables_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit iptables_t $1:tcp_socket rw_socket_perms;
+ dontaudit iptables_t $1:udp_socket rw_socket_perms;
+ ')
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-10 13:59:49.976859557 +0100
@@ -52,6 +52,7 @@
kernel_use_fds(iptables_t)
corenet_relabelto_all_packets(iptables_t)
+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -71,6 +72,7 @@
auth_use_nsswitch(iptables_t)
+init_dontaudit_script_leaks(iptables_t)
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
@@ -87,6 +89,10 @@
userdom_use_user_terminals(iptables_t)
userdom_use_all_users_fds(iptables_t)
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_write_mtrr(iptables_t)
+')
+
optional_policy(`
fail2ban_append_log(iptables_t)
fail2ban_dontaudit_leaks(iptables_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100
@@ -1,5 +1,8 @@
+
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-02-02 15:08:50.761068281 +0100
@@ -14,6 +14,9 @@
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
+type iscsi_log_t;
+logging_log_file(iscsi_log_t)
+
type iscsi_tmp_t;
files_tmp_file(iscsi_tmp_t)
@@ -35,10 +38,13 @@
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
allow iscsid_t self:tcp_socket create_stream_socket_perms;
+can_exec(iscsid_t, iscsid_exec_t)
+
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
@@ -51,6 +57,9 @@
read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
files_search_var_lib(iscsid_t)
+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -67,6 +76,7 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-05-21 14:17:19.115390020 +0200
@@ -69,6 +69,8 @@
/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? gen_context(system_u:object_r:textrel_shlib_t,s0)
+
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
@@ -120,6 +122,8 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/nsr/(.*/)?.*\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -133,7 +137,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
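Review bot: The replacement pattern `/usr/lib(64)?/libADM.*\.so.*` is looser than the one it replaces in two ways: `.*` in a file-context regex also matches `/`, so the entry reaches any subdirectory whose path begins with `/usr/lib/libADM`, and the unanchored `\.so.*` tail accepts any suffix. Because `textrel_shlib_t` is the label that permits text relocations (execmod), patterns granting it should stay as tight as possible; `/usr/lib(64)?/libADM[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` still consolidates the `libADM5avformat` and `libADM_coreImage` entries removed by a later hunk without crossing directory boundaries. The same remark applies to the new `/usr/lib(64)?/libGTL.*\.so.*` entry further down.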
@@ -245,8 +249,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -333,6 +341,8 @@
/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -377,9 +387,6 @@
/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -396,10 +403,8 @@
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -432,9 +437,26 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/autodesk/maya2010-x64/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/transcode/filter_yuvdenoise\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/zend/lib/apache2/libphp.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-03-09 15:11:11.342502914 +0100
@@ -34,8 +34,7 @@
#
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
@@ -75,6 +74,7 @@
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
dev_rw_generic_usb_dev(local_login_t)
+dev_read_video_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
@@ -113,11 +113,11 @@
storage_dontaudit_getattr_removable_dev(local_login_t)
storage_dontaudit_setattr_removable_dev(local_login_t)
-term_use_all_user_ttys(local_login_t)
+term_use_all_ttys(local_login_t)
term_use_unallocated_ttys(local_login_t)
term_relabel_unallocated_ttys(local_login_t)
-term_relabel_all_user_ttys(local_login_t)
-term_setattr_all_user_ttys(local_login_t)
+term_relabel_all_ttys(local_login_t)
+term_setattr_all_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
auth_rw_login_records(local_login_t)
@@ -207,7 +207,7 @@
allow sulogin_t self:capability dac_override;
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
-allow sulogin_t self:fifo_file rw_file_perms;
+allow sulogin_t self:fifo_file rw_fifo_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
@@ -241,6 +241,9 @@
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
+term_use_console(sulogin_t)
+term_use_unallocated_ttys(sulogin_t)
+
ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
',`
@@ -252,13 +255,10 @@
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`
- define(`sulogin_no_pam')
- selinux_compute_user_contexts(sulogin_t)
-')
-ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
+
+ifdef(`sulogin_no_pam', `
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
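Review bot: Moving `allow sulogin_t self:capability sys_tty_config;` out of the re-opened ifdef(sulogin_no_pam) block makes the capability unconditional for every distribution, where it was previously granted only in the no-PAM case; the deleted Red Hat branch also drops `selinux_compute_user_contexts(sulogin_t)` and the no-PAM define for that distro. If the unconditional grant is deliberate, a short comment such as `# needed with and without pam` would record it; otherwise the allow should move back inside the ifdef.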
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-04-13 15:28:25.428850067 +0200
@@ -6,6 +6,8 @@
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
@@ -24,6 +26,8 @@
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -63,9 +67,14 @@
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-01-18 18:24:22.950540043 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2010-02-09 12:55:48.458629829 +0100
@@ -641,6 +641,24 @@
append_files_pattern($1, logfile, logfile)
')
+######################################
+## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_inherit_append_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append };
+')
+
########################################
## <summary>
## Read all log files.
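Review bot: The summary of `logging_inherit_append_all_logs` (`Append to all log files.`) reads the same as the existing `logging_append_all_logs` directly above it, but the new body grants only `{ getattr append }` on `logfile` files and no directory search, so it is usable only on descriptors the caller already holds. Suggest `## Append to all log files through inherited file descriptors (no directory search is granted).` so callers do not pick it expecting to open log files by path.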
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-26 09:34:26.434798847 +0100
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
+kernel_setsched(auditctl_t)
domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)
@@ -236,6 +237,7 @@
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
+mls_file_read_all_levels(audisp_t)
mls_file_write_all_levels(audisp_t)
mls_dbus_send_all_levels(audisp_t)
@@ -489,6 +491,10 @@
')
optional_policy(`
+ mysql_stream_connect(syslogd_t)
+')
+
+optional_policy(`
postgresql_stream_connect(syslogd_t)
')
@@ -497,6 +503,10 @@
')
optional_policy(`
+ daemontools_search_svc_dir(syslogd_t)
+')
+
+optional_policy(`
udev_read_db(syslogd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.32/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/lvm.fc 2010-02-26 09:34:31.069828424 +0100
@@ -28,6 +28,7 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
#
# /sbin
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.6.32/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2010-01-18 18:24:22.952542532 +0100
+++ serefpolicy-3.6.32/policy/modules/system/lvm.if 2010-03-09 15:41:07.772503258 +0100
@@ -58,10 +58,14 @@
interface(`lvm_run',`
gen_require(`
type lvm_t;
+ type clvmd_t;
')
lvm_domtrans($1)
role $2 types lvm_t;
+ role $2 types clvmd_t;
+
+ modutils_run_insmod(lvm_t, $2)
')
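Review bot: `role $2 types clvmd_t;` in `lvm_run` grants the role a daemon domain, but nothing in this hunk provides a transition from `lvm_t` into `clvmd_t`; if such a transition exists elsewhere in the module a comment pointing to it would help, otherwise the line is dead. The added `modutils_run_insmod(lvm_t, $2)` is a direct cross-module dependency in an interface body, unlike the module-local `lvm_domtrans($1)` call, so the lvm module now requires modutils to be loaded — confirm that is acceptable or wrap it accordingly.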
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-01-18 18:24:22.953540006 +0100
+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-03-09 15:12:07.296752851 +0100
@@ -143,6 +143,7 @@
optional_policy(`
aisexec_stream_connect(clvmd_t)
+ corosync_stream_connect(clvmd_t)
')
optional_policy(`
@@ -175,6 +176,7 @@
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
+allow lvm_t self:sem create_sem_perms;
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
@@ -222,6 +224,7 @@
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
+kernel_request_load_module(lvm_t)
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
@@ -260,7 +263,7 @@
files_dontaudit_search_isid_type_dirs(lvm_t)
files_dontaudit_getattr_tmpfs_files(lvm_t)
-fs_getattr_xattr_fs(lvm_t)
+fs_getattr_all_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
@@ -317,6 +320,7 @@
optional_policy(`
aisexec_stream_connect(lvm_t)
+ corosync_stream_connect(lvm_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-01-18 18:24:22.954530704 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-05-11 16:38:38.894623751 +0200
@@ -71,10 +71,17 @@
/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
ifdef(`distro_debian',`
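Review bot: The four cobbler entries write `public_content_rw_t, s0` with a space before the level, while every other line in this file uses `,s0`; m4 strips leading whitespace in macro arguments so the result is the same, but the file is otherwise consistent and the entries should be too. It is also worth checking whether cobbler-specific paths belong in miscfiles.fc rather than alongside the rest of that application's labelling.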
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
@@ -618,3 +618,40 @@
manage_lnk_files_pattern($1, locale_t, locale_t)
')
+#######################################
+## <summary>
+## Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
+
+#######################################
+## <summary>
+## Dontaudit attempts to set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
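Review bot: `miscfiles_dontaudit_setattr_fonts_cache_dirs` uses `allow` in its body, so an interface whose name and summary promise only to suppress audit messages actually grants `setattr` on `fonts_cache_t` directories; the body is a copy of `miscfiles_setattr_fonts_cache_dirs` above it. The line should read `dontaudit $1 fonts_cache_t:dir setattr;`. The `<rolecap/>` tag is also out of place on a dontaudit interface, which confers no role capability, and can be dropped.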
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-01-18 18:24:22.959530712 +0100
+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-03-01 09:21:42.982491122 +0100
@@ -131,6 +131,7 @@
kernel_read_debugfs(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
+kernel_request_load_module(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
kernel_setsched(insmod_t)
@@ -165,6 +166,7 @@
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_search_rpc(insmod_t)
fs_mount_rpc_pipefs(insmod_t)
init_rw_initctl(insmod_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-01-18 18:24:22.960539988 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-03-09 16:47:39.693634416 +0100
@@ -17,6 +17,10 @@
domtrans_pattern($1, mount_exec_t, mount_t)
mount_domtrans_fusermount($1)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit mount_t $1:socket_class_set { read write };
+ ')
')
########################################
@@ -37,6 +41,24 @@
domtrans_pattern($1, fusermount_exec_t, mount_t)
')
+#######################################
+## <summary>
+## Execute a domain transition to run showmount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mount_domtrans_showmount',`
+ gen_require(`
+ type showmount_t, showmount_exec_t;
+ ')
+
+ domtrans_pattern($1, showmount_exec_t, showmount_t)
+')
+
########################################
## <summary>
## Execute fusermount.
@@ -105,12 +127,17 @@
optional_policy(`
samba_run_smbmount($1, $2)
')
+
+ optional_policy(`
+ mount_run_fusermount($1, $2)
+ ')
')
########################################
## <summary>
## Execute fusermount in the mount domain, and
-## allow the specified role the mount domain
+## allow the specified role the mount domain,
+## and use the caller's terminal.
## </summary>
## <param name="domain">
## <summary>
@@ -131,6 +158,33 @@
mount_domtrans_fusermount($1)
role $2 types mount_t;
+
+ fstools_run(mount_t, $2)
+')
+
+#######################################
+## <summary>
+## Execute showmount in the showmount domain, and
+## allow the specified role the showmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the showmount domain.
+## </summary>
+## </param>
+#
+interface(`mount_run_showmount',`
+ gen_require(`
+ type showmount_t;
+ ')
+
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
')
########################################
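Review bot: The summary of `mount_run_fusermount` now says the role may `use the caller's terminal`, but what this hunk adds to the interface body is `fstools_run(mount_t, $2)`, which lets `mount_t` transition into the fstools domain and grants that domain to `$2`; nothing visible in the change touches terminal access. Either the summary should describe the transition (e.g. `## and run filesystem tools from the mount domain.`) or the terminal wording refers to a rule not in this hunk. `fstools_run` is also placed directly in the body rather than inside `optional_policy()`, unlike the `samba_run_smbmount` call in the neighbouring `mount_run` hunk; confirm fstools is always present when mount is loaded.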
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-04-16 14:59:03.256613224 +0200
@@ -41,6 +41,14 @@
type mount_var_run_t;
files_pid_file(mount_var_run_t)
+# showmount - show mount information for an NFS server
+type showmount_t;
+type showmount_exec_t;
+application_domain(showmount_t, showmount_exec_t)
+role system_r types showmount_t;
+
+permissive showmount_t;
+
########################################
#
# mount local policy
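Review bot: `permissive showmount_t;` puts the new domain into permissive mode, so denials against it are logged but not enforced while its rules are being tuned; it should carry a comment saying so and a marker to remove it, e.g. `# TODO: drop once showmount_t policy is confirmed complete`. Without such a marker a permissive statement tends to survive into releases, leaving the domain unconfined in effect. The domain is also given `role system_r types showmount_t;` here, so confirm that `mount_run_showmount` in mount.if is the intended path for other roles.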
@@ -48,7 +56,7 @@
# setuid/setgid needed to mount cifs
allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
-allow mount_t self:process { getsched ptrace signal };
+allow mount_t self:process { getcap getsched ptrace setcap signal };
allow mount_t self:fifo_file rw_fifo_file_perms;
allow mount_t self:unix_stream_socket create_stream_socket_perms;
allow mount_t self:unix_dgram_socket create_socket_perms;
@@ -155,6 +163,8 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
+userdom_read_user_home_content_files(mount_t)
userdom_manage_user_home_content_dirs(mount_t)
ifdef(`distro_redhat',`
@@ -181,6 +191,7 @@
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
+ files_rw_all_inherited_files(mount_t)
')
optional_policy(`
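Review bot: `files_rw_all_inherited_files(mount_t)` grants read/write on inherited descriptors for every file type, which, if the interface expands over the generic file attribute as its name suggests, includes security-sensitive types that mount_t is otherwise kept away from (the lines just above deliberately use the `_except_shadow` variants). If this only quiets leaked descriptors from callers, a dontaudit rule is the narrower fix; if a real write path is needed, a comment naming the caller and the file type would justify the breadth. The line sits inside the distro_redhat conditional whose start is outside the hunk.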
@@ -260,6 +271,18 @@
samba_read_config(mount_t)
')
+optional_policy(`
+ ssh_exec(mount_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(mount_t)
+')
+
+optional_policy(`
+ vmware_exec_host(mount_t)
+')
+
########################################
#
# Unconfined mount local policy
@@ -268,8 +291,41 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
unconfined_domain_noaudit(unconfined_mount_t)
+ userdom_unpriv_usertype(unconfined, unconfined_mount_t)
rpc_domtrans_rpcd(unconfined_mount_t)
devicekit_dbus_chat_disk(unconfined_mount_t)
')
+#######################################
+#
+# showmount local policy
+#
+
+allow showmount_t self:tcp_socket create_stream_socket_perms;
+allow showmount_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(showmount_t)
+
+corenet_all_recvfrom_unlabeled(showmount_t)
+corenet_all_recvfrom_netlabel(showmount_t)
+corenet_tcp_sendrecv_generic_if(showmount_t)
+corenet_udp_sendrecv_generic_if(showmount_t)
+corenet_tcp_sendrecv_generic_node(showmount_t)
+corenet_udp_sendrecv_generic_node(showmount_t)
+corenet_tcp_sendrecv_all_ports(showmount_t)
+corenet_udp_sendrecv_all_ports(showmount_t)
+corenet_tcp_bind_generic_node(showmount_t)
+corenet_udp_bind_generic_node(showmount_t)
+corenet_tcp_bind_all_rpc_ports(showmount_t)
+corenet_udp_bind_all_rpc_ports(showmount_t)
+corenet_tcp_connect_all_ports(showmount_t)
+
+files_read_etc_files(showmount_t)
+
+miscfiles_read_localization(showmount_t)
+
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
+
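Review bot: `corenet_tcp_connect_all_ports(showmount_t)` lets showmount connect to any labelled TCP port, while the bind rules above it are scoped to RPC ports. showmount talks to rpcbind and mountd; if the wide connect rule is there because mountd may listen on an unreserved port, a comment should say so, otherwise the `corenet_tcp_connect_all_rpc_ports` counterpart of the bind rule above is the narrower choice. While `permissive showmount_t` stands in the declarations hunk none of these rules are enforced, so the set cannot yet be taken as validated by testing. The `userdom_unpriv_usertype(unconfined, unconfined_mount_t)` line earlier in the hunk also deserves a one-line comment on why an unconfined mount domain needs user-type treatment.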
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-01-18 18:24:22.965530078 +0100
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-03-01 16:18:46.909490203 +0100
@@ -1142,6 +1142,27 @@
role $2 types setsebool_t;
')
+#######################################
+## <summary>
+## Full management of the semanage
+## module store.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+ gen_require(`
+ type selinux_config_t, semanage_store_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ read_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
########################################
## <summary>
## Full management of the semanage
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-03-30 08:54:31.529611109 +0200
@@ -1,5 +1,5 @@
-policy_module(selinuxutil, 1.13.0)
+policy_module(selinuxutil, 1.13.1)
gen_require(`
bool secure_mode;
@@ -190,6 +190,7 @@
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
+init_write_script_pipes(load_policy_t)
miscfiles_read_localization(load_policy_t)
@@ -258,25 +259,19 @@
selinux_compute_relabel_context(newrole_t)
selinux_compute_user_contexts(newrole_t)
-term_use_all_user_ttys(newrole_t)
-term_use_all_user_ptys(newrole_t)
-term_relabel_all_user_ttys(newrole_t)
-term_relabel_all_user_ptys(newrole_t)
+term_use_all_ttys(newrole_t)
+term_use_all_ptys(newrole_t)
+term_relabel_all_ttys(newrole_t)
+term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
-auth_use_nsswitch(newrole_t)
-auth_domtrans_chk_passwd(newrole_t)
-auth_domtrans_upd_passwd(newrole_t)
-auth_rw_faillog(newrole_t)
+auth_use_pam(newrole_t)
# Write to utmp.
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
-logging_send_audit_msgs(newrole_t)
-logging_send_syslog_msg(newrole_t)
-
miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
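Review bot: Replacing `term_use_all_user_ttys`/`term_use_all_user_ptys` (and the relabel counterparts) with the `term_use_all_ttys`/`term_use_all_ptys` forms widens newrole_t from user terminals to every tty and pty type, and the hunk does not say why the user-scoped set became insufficient. A short comment above the block naming the case that failed would keep the widening reviewable. Dropping `logging_send_audit_msgs` and `logging_send_syslog_msg` is only safe if `auth_use_pam` supplies them, since newrole still needs to emit audit records; that assumption is worth confirming against the definition of auth_use_pam.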
@@ -514,6 +509,12 @@
allow setfiles_mac_t self:capability2 mac_admin;
kernel_relabelto_unlabeled(setfiles_mac_t)
+optional_policy(`
+ livecd_dontaudit_leaks(setfiles_mac_t)
+ livecd_rw_tmp_files(setfiles_mac_t)
+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
+')
+
ifdef(`hide_broken_symptoms',`
optional_policy(`
setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
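Review bot: `dev_dontaudit_write_all_chr_files(setfiles_mac_t)` is a kernel-layer interface bundled inside an optional_policy block that otherwise only references the livecd module, so it silently disappears whenever livecd is not loaded. If the noise only occurs on live-CD builds, a comment such as `# livecd: setfiles -F writes to device nodes during relabel` would make that deliberate; otherwise the line belongs outside the optional block next to the unconditional rules above.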
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.6.32/policy/modules/system/sosreport.fc
--- nsaserefpolicy/policy/modules/system/sosreport.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sosreport.fc 2010-03-15 22:24:08.238477345 +0100
@@ -0,0 +1,2 @@
+
+/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.6.32/policy/modules/system/sosreport.if
--- nsaserefpolicy/policy/modules/system/sosreport.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sosreport.if 2010-03-15 22:24:08.248663221 +0100
@@ -0,0 +1,74 @@
+
+## <summary>policy for sosreport</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run sosreport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sosreport_domtrans',`
+ gen_require(`
+ type sosreport_t, sosreport_exec_t;
+ ')
+
+ domtrans_pattern($1, sosreport_exec_t, sosreport_t)
+')
+
+
+########################################
+## <summary>
+## Execute sosreport in the sosreport domain, and
+## allow the specified role the sosreport domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sosreport domain.
+## </summary>
+## </param>
+#
+interface(`sosreport_run',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ sosreport_domtrans($1)
+ role $2 types sosreport_t;
+')
+
+########################################
+## <summary>
+## Role access for sosreport
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`sosreport_role',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ role $1 types sosreport_t;
+
+ sosreport_domtrans($2)
+
+ ps_process_pattern($2, sosreport_t)
+ allow $2 sosreport_t:process signal;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.6.32/policy/modules/system/sosreport.te
--- nsaserefpolicy/policy/modules/system/sosreport.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sosreport.te 2010-03-15 22:24:08.281168472 +0100
@@ -0,0 +1,129 @@
+
+policy_module(sosreport,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sosreport_t;
+type sosreport_exec_t;
+application_domain(sosreport_t, sosreport_exec_t)
+role system_r types sosreport_t;
+
+type sosreport_tmp_t;
+files_tmp_file(sosreport_tmp_t)
+
+type sosreport_tmpfs_t;
+files_tmpfs_file(sosreport_tmpfs_t)
+
+########################################
+#
+# sosreport local policy
+#
+
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override };
+allow sosreport_t self:process { setsched signull };
+
+allow sosreport_t self:fifo_file rw_fifo_file_perms;
+allow sosreport_t self:tcp_socket create_stream_socket_perms;
+allow sosreport_t self:udp_socket create_socket_perms;
+allow sosreport_t self:unix_dgram_socket create_socket_perms;
+allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
+allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+
+# sosreport tmp files
+manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)
+
+kernel_read_device_sysctls(sosreport_t)
+kernel_read_hotplug_sysctls(sosreport_t)
+kernel_read_kernel_sysctls(sosreport_t)
+kernel_read_modprobe_sysctls(sosreport_t)
+kernel_read_net_sysctls(sosreport_t)
+kernel_read_network_state(sosreport_t)
+kernel_read_rpc_sysctls(sosreport_t)
+kernel_read_software_raid_state(sosreport_t)
+kernel_read_unix_sysctls(sosreport_t)
+kernel_read_vm_sysctls(sosreport_t)
+kernel_search_debugfs(sosreport_t)
+
+corecmd_exec_all_executables(sosreport_t)
+
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
+
+dev_read_rand(sosreport_t)
+dev_read_urand(sosreport_t)
+dev_read_raw_memory(sosreport_t)
+dev_read_sysfs(sosreport_t)
+
+domain_getattr_all_domains(sosreport_t)
+domain_read_all_domains_state(sosreport_t)
+
+# for blkid.tab
+files_manage_etc_runtime_files(sosreport_t)
+files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+files_exec_etc_files(sosreport_t)
+files_list_all(sosreport_t)
+files_read_config_files(sosreport_t)
+files_read_etc_files(sosreport_t)
+files_read_generic_tmp_files(sosreport_t)
+files_read_usr_files(sosreport_t)
+files_read_var_lib_files(sosreport_t)
+files_read_var_symlinks(sosreport_t)
+files_read_kernel_modules(sosreport_t)
+
+fs_getattr_all_fs(sosreport_t)
+
+# cjp: some config files do not have configfile attribute
+# sosreport needs to read various files on system
+auth_read_all_files_except_shadow(sosreport_t)
+auth_use_nsswitch(sosreport_t)
+
+init_domtrans_script(sosreport_t)
+
+libs_domtrans_ldconfig(sosreport_t)
+
+logging_read_all_logs(sosreport_t)
+logging_send_syslog_msg(sosreport_t)
+
+miscfiles_read_localization(sosreport_t)
+
+# needed by modinfo
+modutils_read_module_deps(sosreport_t)
+
+sysnet_read_config(sosreport_t)
+
+optional_policy(`
+ cups_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ lvm_domtrans(sosreport_t)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ rpm_exec(sosreport_t)
+ rpm_dontaudit_manage_db(sosreport_t)
+ rpm_read_db(sosreport_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(sosreport_t)
+')
+
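Review bot: The trailing optional_policy block calls `unconfined_domain_noaudit(sosreport_t)`, which turns sosreport_t into an unconfined domain whenever the unconfined module is present and makes the confined rules above it redundant on such systems. If the intent is to be confined only on builds without that module, a comment stating the trade-off is needed; otherwise the block should be dropped so the domain actually benefits from the careful grants above. Broad lines such as `dev_read_raw_memory(sosreport_t)` and `corecmd_exec_all_executables(sosreport_t)` each deserve a one-line justification, as `# for blkid.tab` and `# needed by modinfo` already provide for their neighbours. Also `policy_module(sosreport,1.0.0)` lacks the space after the comma used elsewhere in the tree (compare `policy_module(selinuxutil, 1.13.1)`).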
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-01-18 18:24:22.968540028 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2010-04-13 14:47:39.733850947 +0200
@@ -11,7 +11,10 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
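Review bot: `/etc/hosts\.deny.*` is given `net_conf_t`, the same type as resolv.conf and the other network settings in this block, but hosts.deny is a TCP-wrappers access-control file: every domain allowed to write net_conf_t (not visible in this chunk) would then be able to relax host-based access restrictions. If the goal is to let a denyhosts domain update it, a dedicated type, or a comment stating why sharing net_conf_t is acceptable, would make the choice reviewable. The `/etc/denyhosts.*` pattern also has no boundary after the name, so it matches any entry beginning with `denyhosts`; `/etc/denyhosts(\..*)?` is tighter if only the config files are meant.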
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100
@@ -430,6 +430,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit ifconfig_t $1:socket_class_set { read write };
+ ')
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-04-21 14:18:56.424659141 +0200
@@ -87,6 +87,7 @@
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
+kernel_search_network_sysctl(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
@@ -157,7 +158,7 @@
')
optional_policy(`
- consoletype_exec(dhcpc_t)
+ consoletype_domtrans(dhcpc_t)
')
optional_policy(`
@@ -374,6 +375,7 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_read_pid_files(ifconfig_t)
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100
@@ -100,6 +100,7 @@
# udev_node.c/node_symlink() symlink labels are explicitly
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
+dev_manage_generic_symlinks(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -273,6 +274,10 @@
')
optional_policy(`
+ usbmuxd_domtrans(udev_t)
+')
+
+optional_policy(`
vbetool_domtrans(udev_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
@@ -21,6 +21,8 @@
allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:socket_class_set create_socket_perms;
+
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-03-26 15:26:10.081766491 +0100
@@ -6,4 +6,6 @@
/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.gvfs(/.*)? <<none>>
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-03-09 16:30:07.806384243 +0100
@@ -461,7 +461,7 @@
xserver_create_xdm_tmp_sockets($1)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($1)
- xserver_xdm_dbus_chat($1)
+ xserver_dbus_chat_xdm($1)
')
')
@@ -951,9 +951,6 @@
userdom_restricted_user_template($1)
userdom_xwindows_client($1_usertype)
- optional_policy(`
- xserver_common_app($1_t)
- ')
##############################
#
@@ -964,7 +961,6 @@
auth_search_pam_console_data($1_usertype)
xserver_role($1_r, $1_t)
- xserver_communicate($1_usertype, $1_usertype)
kernel_dontaudit_list_all_proc($1_usertype)
@@ -1095,6 +1091,8 @@
fs_list_cgroup_dirs($1_usertype)
+ miscfiles_read_hwdata($1_usertype)
+
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
@@ -1136,7 +1134,6 @@
optional_policy(`
mount_run($1_t, $1_r)
- mount_run_fusermount($1_usertype, $1_r)
')
optional_policy(`
@@ -2316,6 +2313,24 @@
dontaudit $1 user_tmp_t:dir list_dir_perms;
')
+#######################################
+## <summary>
+## Dontaudit search user temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:dir search_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to manage users
@@ -3631,6 +3646,24 @@
########################################
## <summary>
+## Allow domain to list /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Allow Search /root
## </summary>
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-01-18 18:24:22.984543460 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2010-04-16 09:59:51.257614843 +0200
@@ -126,3 +126,7 @@
')
allow userdomain userdomain:process signull;
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.32/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2010-01-18 18:24:22.986540012 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.if 2010-02-22 12:42:55.475866743 +0100
@@ -211,8 +211,10 @@
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
+ attribute xm_transition_domain;
')
+ typeattribute $1 xm_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-03-01 16:28:30.815490952 +0100
@@ -13,6 +13,8 @@
## </desc>
gen_tunable(xen_use_nfs, false)
+attribute xm_transition_domain;
+
# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t)
@@ -248,6 +250,7 @@
#
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -268,6 +271,7 @@
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
fs_list_tmpfs(xenconsoled_t)
@@ -286,6 +290,10 @@
xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
########################################
#
# Xen store local policy
@@ -329,6 +337,7 @@
files_read_usr_files(xenstored_t)
+fs_manage_xenfs_files(xenstored_t)
fs_search_xenfs(xenstored_t)
storage_raw_read_fixed_disk(xenstored_t)
@@ -413,12 +422,21 @@
xen_stream_connect_xenstore(xm_t)
optional_policy(`
+ dbus_system_bus_client(xm_t)
+ optional_policy(`
+ hal_dbus_chat(xm_t)
+ ')
+')
+
+optional_policy(`
vhostmd_rw_tmpfs_files(xm_t)
vhostmd_stream_connect(xm_t)
vhostmd_dontaudit_rw_stream_connect(xm_t)
')
optional_policy(`
+ virt_domtrans(xm_t)
+ virt_manage_config(xm_t)
virt_manage_images(xm_t)
virt_stream_connect(xm_t)
')
@@ -431,11 +449,15 @@
kernel_read_xen_state(xm_ssh_t)
kernel_write_xen_state(xm_ssh_t)
+files_search_tmp(xm_ssh_t)
+
fs_manage_xenfs_dirs(xm_ssh_t)
fs_manage_xenfs_files(xm_ssh_t)
userdom_search_admin_dir(xm_ssh_t)
+dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_fifo_file_perms;
+
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-04-13 15:18:36.940600248 +0200
@@ -28,8 +28,7 @@
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
# Datagram socket classes.
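Review bot: Adding `socket` and `tun_socket` to `socket_class_set` broadens every rule in the tree that uses the set (for example the new `allow $1 self:socket_class_set create_socket_perms;` in unconfined.if and the dontaudit in sysnetwork.if), which the commit description should state. `tun_socket` must also be declared in the policy's class list for the build to succeed; if older kernels or branches lack it, this define will fail to compile there, so it is worth a comment recording the minimum policy version the set now assumes.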
@@ -227,7 +226,7 @@
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
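Review bot: Widening `manage_lnk_file_perms` to add `write append ioctl lock` changes every `manage_lnk_files_pattern` caller in the tree at once, and a symlink's target is fixed at creation, so write/append on `lnk_file` does not correspond to an operation a managing domain needs. If one domain hit a specific denial, grant it there rather than in the shared set; if the set was deliberately aligned with `manage_file_perms`, a comment above the define should say so.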
@@ -274,7 +273,8 @@
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -291,7 +291,8 @@
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
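Review bot: Adding `unconfined_r` to the role list of `system_u` sits directly under the comment that system_u is for system processes and should never be assigned to a user process, yet it is precisely what makes `system_u:unconfined_r:...` contexts possible. A comment on the changed line explaining which case needs the system identity with the unconfined role, e.g. `# unconfined_r: <reason it is required for system_u>`, would stop the two statements from reading as a contradiction.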