From a0824843c2e6a485abfaadd9e5bf8964051c183a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 16 2005 13:36:26 +0000 Subject: more merging from nsa cvs --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 85c05a4..58b23ac 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Add experimental MCS support. - Add equivalents for old can_resolve(), can_ldap(), and can_portmap() to sysnetwork. - Fix base module compile issues. diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 1350fa5..4aeb490 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -108,12 +108,19 @@ USERPATH = $(INSTALLDIR)/users CONTEXTPATH = $(INSTALLDIR)/contexts # enable MLS if requested. -ifneq ($(findstring mls,$(TYPE)),) +ifneq ($(findstring -mls,$(TYPE)),) override M4PARAM += -D enable_mls CHECKPOLICY += -M CHECKMODULE += -M endif +# enable MLS if MCS requested. +ifneq ($(findstring -mcs,$(TYPE)),) + override M4PARAM += -D enable_mcs + CHECKPOLICY += -M + CHECKMODULE += -M +endif + # compile targeted policy if requested. ifneq ($(findstring targeted,$(TYPE)),) override M4PARAM += -D targeted_policy diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular index 067ee01..d8debf5 100644 --- a/refpolicy/Rules.modular +++ b/refpolicy/Rules.modular @@ -11,7 +11,7 @@ BASE_FC := base.fc BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf -BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls +BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs BASE_TE_FILES := $(BASE_MODS) BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints BASE_FC_FILES := $(BASE_MODS:.te=.fc) diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic index 1d5c6cb..7153e1e 100644 --- a/refpolicy/Rules.monolithic +++ b/refpolicy/Rules.monolithic 
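Review bot: The comment `# enable MLS if MCS requested.` above the new `-mcs` block in the Makefile mislabels what the block does; it should read `# enable MCS if requested.`. Nothing stops `TYPE` from matching both `-mls` and `-mcs`, in which case `enable_mls` and `enable_mcs` are both defined and, per the Rules.modular and Rules.monolithic hunks, `policy/mls` and `policy/mcs` are both fed into the same base policy; `policy/mcs` declares `sensitivity s0;` and `dominance { s0 }`, and if the mls file (not shown) declares the same names checkpolicy will reject the duplicate. A parse-time guard after the two blocks turns that into an explicit error at the point where the choice is made; the nested form below avoids `$(and ...)`, which make releases of this era may lack.
```make
# enable MCS if requested.
# … unchanged: -mcs findstring block …

# MLS and MCS each declare their own sensitivities; building with both
# would feed policy/mls and policy/mcs into the same base, so refuse it.
ifneq ($(findstring -mls,$(TYPE)),)
ifneq ($(findstring -mcs,$(TYPE)),)
$(error TYPE '$(TYPE)' selects both -mls and -mcs; choose one)
endif
endif
```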
@@ -18,7 +18,7 @@ ALL_INTERFACES := $(ALL_MODULES:.te=.if) ALL_TE_FILES := $(ALL_MODULES) ALL_FC_FILES := $(ALL_MODULES:.te=.fc) -PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls +PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 28004e2..1bed344 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -22,6 +22,9 @@ gen_tunable(allow_gpg_execstack,false) ## Allow system to run with kerberos gen_tunable(allow_kerberos,false) +## allow host key based authentication +gen_tunable(allow_ssh_keysign,false) + ## Allow users to connect to mysql gen_tunable(allow_user_mysql_connect,false) diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs new file mode 100644 index 0000000..754753b --- /dev/null +++ b/refpolicy/policy/mcs 
@@ -0,0 +1,215 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+	create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error. Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
+attribute mlsfileread;
+') dnl end enable_mcs
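Review bot: The file constraint near the end of policy/mcs leaves `relabelfrom` and `relabelto` outside the `h1 dom h2` check, so a domain whose TE rules allow relabeling can move a file whose categories it does not dominate to a category set it does dominate and then read it; category separation only holds if relabeling is constrained the same way, i.e. `mlsconstrain file { read write setattr append unlink link rename create ioctl lock execute relabelfrom relabelto } (h1 dom h2);`. The dummy `mlsconstrain xextension query ( t1 == mlsfileread );` is also not a no-op: it denies `xextension query` to every type not in mlsfileread, which at this point is every type, since nothing in this commit adds a member (fstools.te comments its membership out). If the rule exists only to keep the attribute referenced, make it a tautology, `mlsconstrain xextension query ( t1 == mlsfileread or t1 != mlsfileread );`, or, if the attribute is meant as a read-constraint exemption as its name suggests, fold it into the file rule as an `or ( t1 == mlsfileread )` clause. Directories, symlinks, sockets and fifos are deliberately unconstrained per the comment, but that leaves directory listings and name creation/removal visible across categories, which is worth stating as a known gap rather than implying only the file class matters.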
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te index 8f19fa6..359cbdc 100644 --- a/refpolicy/policy/modules/admin/firstboot.te +++ b/refpolicy/policy/modules/admin/firstboot.te @@ -93,8 +93,6 @@ modutils_domtrans_insmod(firstboot_t) modutils_read_module_conf(firstboot_t) modutils_read_mods_deps(firstboot_t) -sysnet_manage_config(firstboot_t) - # Add/remove user home directories userdom_create_user_home_dir(firstboot_t) userdom_manage_user_home_dir(firstboot_t) @@ -109,10 +107,6 @@ ifdef(`targeted_policy',` unconfined_domtrans(firstboot_t) ') -optional_policy(`kerberos.te',` - kerberos_rw_config(firstboot_t) -') - optional_policy(`nis.te',` nis_use_ypbind(firstboot_t) ') diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index d139e14..1a1e714 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -72,6 +72,7 @@ fs_search_auto_mountpoints(logrotate_t) fs_getattr_xattr_fs(logrotate_t) selinux_get_fs_mount(logrotate_t) +selinux_get_enforce_mode(logrotate_t) auth_manage_login_records(logrotate_t) @@ -106,7 +107,7 @@ libs_use_shared_libs(logrotate_t) miscfiles_read_localization(logrotate_t) -seutil_dontaudit_search_config(logrotate_t) +seutil_dontaudit_read_config(logrotate_t) sysnet_read_config(logrotate_t) diff --git a/refpolicy/policy/modules/admin/netutils.fc b/refpolicy/policy/modules/admin/netutils.fc index 2fc2442..7804251 100644 --- a/refpolicy/policy/modules/admin/netutils.fc +++ b/refpolicy/policy/modules/admin/netutils.fc @@ -1,5 +1,6 @@ /bin/ping.* -- context_template(system_u:object_r:ping_exec_t,s0) +/bin/tracepath.* -- context_template(system_u:object_r:traceroute_exec_t,s0) /bin/traceroute.* -- context_template(system_u:object_r:traceroute_exec_t,s0) /sbin/arping -- context_template(system_u:object_r:netutils_exec_t,s0) 
diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc index ed98aba..f7f130a 100644 --- a/refpolicy/policy/modules/admin/su.fc +++ b/refpolicy/policy/modules/admin/su.fc @@ -1,2 +1,4 @@ /bin/su -- context_template(system_u:object_r:su_exec_t,s0) + +/usr(/local)?/bin/ksu -- context_template(system_u:object_r:su_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/sudo.fc b/refpolicy/policy/modules/admin/sudo.fc index 1bd2127..14f48c5 100644 --- a/refpolicy/policy/modules/admin/sudo.fc +++ b/refpolicy/policy/modules/admin/sudo.fc @@ -1,2 +1,2 @@ -/usr/bin/sudo -- context_template(system_u:object_r:sudo_exec_t,s0) +/usr/bin/sudo(edit)? -- context_template(system_u:object_r:sudo_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 3d1a165..4452dee 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -78,6 +78,8 @@ allow chfn_t self:msgq create_msgq_perms; allow chfn_t self:msg { send receive }; kernel_read_system_state(chfn_t) +kernel_read_kernel_sysctl(chfn_t) + selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) selinux_compute_access_vector(chfn_t) @@ -297,6 +299,8 @@ allow passwd_t self:msg { send receive }; allow passwd_t crack_db_t:dir r_dir_perms; allow passwd_t crack_db_t:file r_file_perms; +kernel_read_kernel_sysctl(passwd_t) + # for SSP dev_read_urand(passwd_t) 
@@ -389,14 +393,16 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms; files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) files_search_var(sysadm_passwd_t) +kernel_read_kernel_sysctl(sysadm_passwd_t) +# for /proc/meminfo +kernel_read_system_state(sysadm_passwd_t) + selinux_get_fs_mount(sysadm_passwd_t) selinux_validate_context(sysadm_passwd_t) selinux_compute_access_vector(sysadm_passwd_t) selinux_compute_create_context(sysadm_passwd_t) selinux_compute_relabel_context(sysadm_passwd_t) selinux_compute_user_contexts(sysadm_passwd_t) -# for /proc/meminfo -kernel_read_system_state(sysadm_passwd_t) # for SSP dev_read_urand(sysadm_passwd_t) @@ -460,6 +466,10 @@ dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search }; dontaudit sysadm_passwd_t var_run_t:dir search; dontaudit sysadm_passwd_t selinux_config_t:dir search; +ifdef(`targeted_policy', ` +role system_r types sysadm_passwd_t; +allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; +') ') dnl endif TODO ######################################## @@ -508,6 +518,7 @@ corecmd_exec_sbin(useradd_t) domain_use_wide_inherit_fd(useradd_t) files_manage_etc_files(useradd_t) +files_search_var_lib(useradd_t) init_use_fd(useradd_t) init_rw_script_pid(useradd_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.fc b/refpolicy/policy/modules/kernel/bootloader.fc index 43c9acf..a302ded 100644 --- a/refpolicy/policy/modules/kernel/bootloader.fc +++ b/refpolicy/policy/modules/kernel/bootloader.fc @@ -3,7 +3,7 @@ /initrd\.img.* -l context_template(system_u:object_r:boot_t,s0) /boot(/.*)? context_template(system_u:object_r:boot_t,s0) -/boot/System\.map-.* -- context_template(system_u:object_r:system_map_t,s0) +/boot/System\.map(-.*)? -- context_template(system_u:object_r:system_map_t,s0) /etc/lilo\.conf.* -- context_template(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- context_template(system_u:object_r:bootloader_etc_t,s0) 
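Review bot: The `ifdef(`targeted_policy'` block added just before `') dnl endif TODO` sits inside the `TODO` region that closes on that line, so none of it is compiled; if that is intentional it should say so, otherwise the block belongs outside the TODO wrapper. When it is enabled, `allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;` reaches directly into the terminal module's private type; the interface form used elsewhere in this diff, `term_use_all_user_ptys(sysadm_passwd_t)` (compare hostname.te), keeps the module boundary that the modular build relies on. The `# for /proc/meminfo` comment travelled with `kernel_read_system_state`, but the new `kernel_read_kernel_sysctl` calls on sysadm_passwd_t, passwd_t and chfn_t got no reason; a one-line note on which sysctl a privileged password-management domain needs would let the grant be revisited later.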
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index c1e59f0..310b6e7 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -158,11 +158,5 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) type netif_t, netif_type; sid netif context_template(system_u:object_r:netif_t,s0) -network_interface(lo, lo,s0) -network_interface(eth0, eth0,s0) -network_interface(eth1, eth1,s0) -network_interface(eth2, eth2,s0) -network_interface(ippp0, ippp0,s0) -network_interface(ipsec0, ipsec0,s0) -network_interface(ipsec1, ipsec1,s0) -network_interface(ipsec2, ipsec2,s0) +#network_interface(lo, lo,s0) +#network_interface(eth0, eth0,s0) diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc index b60f902..0ef00bf 100644 --- a/refpolicy/policy/modules/kernel/devices.fc +++ b/refpolicy/policy/modules/kernel/devices.fc @@ -55,6 +55,7 @@ ifdef(`distro_suse', ` /dev/vttuner -c context_template(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c context_template(system_u:object_r:v4l_device_t,s0) /dev/winradio. -c context_template(system_u:object_r:v4l_device_t,s0) +/dev/z90crypt -c context_template(system_u:object_r:crypt_device_t,s0) /dev/zero -c context_template(system_u:object_r:zero_device_t,s0) /dev/cpu/.* -c context_template(system_u:object_r:cpu_device_t,s0) diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc index a22099d..7457125 100644 --- a/refpolicy/policy/modules/kernel/terminal.fc +++ b/refpolicy/policy/modules/kernel/terminal.fc 
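Review bot: Removing every `network_interface()` declaration leaves all interfaces falling back to the single `netif_t` type declared just above, so policy can no longer tell loopback from an external interface; any rule that relied on `lo` having its own netif type (a loopback-only bind or receive, for example) silently becomes all-or-nothing. If distributions are expected to supply their own declarations, the commented-out `#network_interface(lo, lo,s0)` and `#network_interface(eth0, eth0,s0)` lines should either be live or be replaced by a comment saying where interface declarations now belong, since commented-out policy reads as dead code. Keeping at least `network_interface(lo, lo,s0)` in the default policy is worth considering, as loopback is the one interface whose name is stable across systems.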
@@ -1,6 +1,7 @@ /dev/.*tty[^/]* -c context_template(system_u:object_r:tty_device_t,s0) /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c context_template(system_u:object_r:bsdpty_device_t,s0) +/dev/adb.* -c context_template(system_u:object_r:tty_device_t,s0) /dev/capi.* -c context_template(system_u:object_r:tty_device_t,s0) /dev/cu.* -c context_template(system_u:object_r:tty_device_t,s0) /dev/dcbri[0-9]+ -c context_template(system_u:object_r:tty_device_t,s0) diff --git a/refpolicy/policy/modules/services/bind.fc b/refpolicy/policy/modules/services/bind.fc index ecedc6c..8287f7f 100644 --- a/refpolicy/policy/modules/services/bind.fc +++ b/refpolicy/policy/modules/services/bind.fc 
@@ -1,27 +1,28 @@ /etc/rndc.* -- context_template(system_u:object_r:named_conf_t,s0) -/etc/rndc.key -- context_template(system_u:object_r:dnssec_t,s0) +/etc/rndc\.key -- context_template(system_u:object_r:dnssec_t,s0) /usr/sbin/lwresd -- context_template(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- context_template(system_u:object_r:named_exec_t,s0) +/usr/sbin/named -- context_template(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- context_template(system_u:object_r:named_checkconf_exec_t,s0) /usr/sbin/r?ndc -- context_template(system_u:object_r:ndc_exec_t,s0) -/var/run/ndc -s context_template(system_u:object_r:named_var_run_t,s0) +/var/log/named.* -- context_template(system_u:object_r:named_log_t,s0) +/var/run/ndc -s context_template(system_u:object_r:named_var_run_t,s0) /var/run/bind(/.*)? context_template(system_u:object_r:named_var_run_t,s0) - /var/run/named(/.*)? context_template(system_u:object_r:named_var_run_t,s0) ifdef(`distro_debian',` /etc/bind(/.*)? context_template(system_u:object_r:named_zone_t,s0) /etc/bind/named\.conf -- context_template(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- context_template(system_u:object_r:named_conf_t,s0) +/etc/bind/rndc\.key -- context_template(system_u:object_r:dnssec_t,s0) /var/cache/bind(/.*)? context_template(system_u:object_r:named_cache_t,s0) ') ifdef(`distro_gentoo',` /etc/bind(/.*)? context_template(system_u:object_r:named_zone_t,s0) /etc/bind/named\.conf -- context_template(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- context_template(system_u:object_r:named_conf_t,s0) +/etc/bind/rndc\.key -- context_template(system_u:object_r:dnssec_t,s0) /var/bind(/.*)? context_template(system_u:object_r:named_cache_t,s0) /var/bind/pri(/.*)? context_template(system_u:object_r:named_zone_t,s0) ') diff --git a/refpolicy/policy/modules/services/cron.fc b/refpolicy/policy/modules/services/cron.fc index 2d705aa..46af1bd 100644 --- a/refpolicy/policy/modules/services/cron.fc 
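Review bot: The new `/var/log/named.*` entry carries `--`, so it labels regular files only; if named is configured to log into a `/var/log/named/` directory (not visible here), that directory keeps `var_log_t`, the daemon is denied creating files in it, and files it does create would not get `named_log_t` without a type transition. `/var/log/named(/.*)?` without the `--` restriction covers both layouts; if only a flat logfile is intended, `/var/log/named\.log.*` with the dot escaped is more precise than the bare `.` here. Moving the Debian and Gentoo `rndc\.key` entries to `dnssec_t` is the right separation of key material from configuration; it is worth confirming that named_t and ndc_t are granted read on `dnssec_t` in bind.te, which is outside this diff.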
+++ b/refpolicy/policy/modules/services/cron.fc @@ -22,8 +22,12 @@ /var/spool/cron -d context_template(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- context_template(system_u:object_r:sysadm_cron_spool_t,s0) - /var/spool/cron/[^/]* -- <> +ifdef(`distro_suse', ` +/var/spool/cron/lastrun -d context_template(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun/[^/]* -- <> +/var/spool/cron/tabs -d context_template(system_u:object_r:cron_spool_t,s0) +') /var/spool/cron/crontabs -d context_template(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> diff --git a/refpolicy/policy/modules/services/dhcp.fc b/refpolicy/policy/modules/services/dhcp.fc index dd68495..84b0bc9 100644 --- a/refpolicy/policy/modules/services/dhcp.fc +++ b/refpolicy/policy/modules/services/dhcp.fc @@ -3,4 +3,4 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- context_template(system_u:object_r:dhcpd_state_t,s0) -/var/run/dhcpd\.pid -d context_template(system_u:object_r:dhcpd_var_run_t,s0) +/var/run/dhcpd\.pid -- context_template(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te index bb2be4e..0c483ca 100644 --- a/refpolicy/policy/modules/services/dhcp.te +++ b/refpolicy/policy/modules/services/dhcp.te @@ -62,6 +62,7 @@ corenet_tcp_bind_all_nodes(dhcpd_t) corenet_udp_bind_all_nodes(dhcpd_t) corenet_udp_bind_dhcpd_port(dhcpd_t) corenet_udp_bind_pxe_port(dhcpd_t) +corenet_tcp_connect_all_ports(dhcpd_t) dev_read_sysfs(dhcpd_t) dev_read_rand(dhcpd_t) @@ -121,6 +122,10 @@ optional_policy(`nis.te',` nis_use_ypbind(dhcpd_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(dhcpd_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(dhcpd_t) ') diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 162e9f8..8963214 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te 
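Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` lets a network-facing daemon open outbound TCP connections to every port, far broader than dhcpd's known needs (dynamic DNS updates and the failover peer are the usual ones), and it undoes much of the value of confining dhcpd_t; the per-port form is used in this same diff, e.g. `corenet_tcp_connect_smbd_port(smbd_t)` in samba.te. Grant the specific port interface behind a comment naming the feature that needs it, and if the exact port is not yet known, leave an `# XXX` note rather than the catch-all. The `nscd_use_socket` block follows the surrounding optional_policy style and is fine as is.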
@@ -16,7 +16,7 @@ files_tmp_file(hald_tmp_t) type hald_var_run_t; files_pid_file(hald_var_run_t) -allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; +allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio }; dontaudit hald_t self:capability sys_tty_config; allow hald_t self:fifo_file rw_file_perms; allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -49,12 +49,21 @@ dev_read_sysfs(hald_t) dev_read_usbfs(hald_t) dev_read_urand(hald_t) dev_read_input(hald_t) +dev_read_mouse(hald_t) dev_rw_printer(hald_t) +dev_getattr_all_chr_files(hald_t) dev_manage_generic_chr_file(hald_t) fs_getattr_all_fs(hald_t) fs_search_auto_mountpoints(hald_t) +selinux_get_fs_mount(hald_t) +selinux_validate_context(hald_t) +selinux_compute_access_vector(hald_t) +selinux_compute_create_context(hald_t) +selinux_compute_relabel_context(hald_t) +selinux_compute_user_contexts(hald_t) + storage_raw_read_removable_device(hald_t) storage_raw_read_fixed_disk(hald_t) storage_raw_write_fixed_disk(hald_t) diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc index 830b095..fcbb737 100644 --- a/refpolicy/policy/modules/services/kerberos.fc +++ b/refpolicy/policy/modules/services/kerberos.fc @@ -12,6 +12,3 @@ /var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0) - -#this goes to su: -#/usr(/local)?/bin/ksu -- context_template(system_u:object_r:su_exec_t,s0) diff --git a/refpolicy/policy/modules/services/nscd.fc b/refpolicy/policy/modules/services/nscd.fc index 0eec9ba..8409e17 100644 --- a/refpolicy/policy/modules/services/nscd.fc +++ b/refpolicy/policy/modules/services/nscd.fc 
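Review bot: Adding `sys_rawio` to hald_t's capability set comes with no comment, and together with the existing `storage_raw_write_fixed_disk(hald_t)` it gives hald unrestricted raw I/O on fixed disks and device ports; a daemon whose job is mostly probing hardware should record why (presumably an ioctl on a disk or optical device that the kernel gates on CAP_SYS_RAWIO — confirm from the denial). If the capability is only probed and hald works without it, a `dontaudit hald_t self:capability sys_rawio;` beside the existing sys_tty_config dontaudit is the safer choice. The selinux_compute_* block likewise turns hald into a label-computing client; a one-line note on which hal feature drives that would help the next reviewer.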
@@ -3,6 +3,8 @@ /var/db/nscd(/.*)? context_template(system_u:object_r:nscd_var_run_t,s0) +/var/log/nscd\.log.* -- context_template(system_u:object_r:nscd_log_t,s0) + /var/run/nscd\.pid -- context_template(system_u:object_r:nscd_var_run_t,s0) /var/run/\.nscd_socket -s context_template(system_u:object_r:nscd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/ntp.fc b/refpolicy/policy/modules/services/ntp.fc index 3554fcd..a856d9c 100644 --- a/refpolicy/policy/modules/services/ntp.fc +++ b/refpolicy/policy/modules/services/ntp.fc @@ -1,10 +1,10 @@ -/etc/ntp(d)?\.conf(.sv)? -- context_template(system_u:object_r:net_conf_t,s0) +/etc/ntp(d)?\.conf.* -- context_template(system_u:object_r:net_conf_t,s0) /etc/cron\.(daily|weekly)/ntp-simple -- context_template(system_u:object_r:ntpd_exec_t,s0) /etc/cron\.(daily|weekly)/ntp-server -- context_template(system_u:object_r:ntpd_exec_t,s0) -/etc/ntp/step-tickers -- context_template(system_u:object_r:net_conf_t,s0) +/etc/ntp/step-tickers.* -- context_template(system_u:object_r:net_conf_t,s0) /etc/ntp/data(/.*)? context_template(system_u:object_r:ntp_drift_t,s0) /usr/sbin/ntpd -- context_template(system_u:object_r:ntpd_exec_t,s0) diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 7ff072a..3c1bdba 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -30,7 +30,7 @@ init_system_domain(ntpd_t,ntpdate_exec_t) # Local policy # -allow ntpd_t self:capability { kill setgid setuid sys_time ipc_lock sys_chroot }; +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot }; # ntpdate wants sys_nice dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms setcap setsched }; diff --git a/refpolicy/policy/modules/services/portmap.fc b/refpolicy/policy/modules/services/portmap.fc index 6975de0..53933d1 100644 
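Review bot: `chown dac_override` on ntpd_t is undocumented, and `dac_override` on a daemon that listens on the network lets it bypass discretionary permissions on every file its TE rules reach, so the reason should be stated next to the rule (ntpd's `-u user` privilege drop and chown of the drift file are the likely drivers — confirm against the audit log). If the need is limited to files ntpd owns after dropping privileges, fixing ownership on those files is preferable to `dac_override`; if the capability is merely probed, add it to the `dontaudit ntpd_t self:capability { ... }` line below instead. The `.sv` → `.*` loosening in ntp.fc is broader than before but harmless for a `--`-restricted entry.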
--- a/refpolicy/policy/modules/services/portmap.fc +++ b/refpolicy/policy/modules/services/portmap.fc @@ -8,3 +8,5 @@ ifdef(`distro_debian',` /usr/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0) /usr/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0) ') + +/var/run/portmap.upgrade-state -- context_template(system_u:object_r:portmap_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te index 1160bb8..4b5eec3 100644 --- a/refpolicy/policy/modules/services/privoxy.te +++ b/refpolicy/policy/modules/services/privoxy.te @@ -63,6 +63,8 @@ logging_send_syslog_msg(privoxy_t) miscfiles_read_localization(privoxy_t) +sysnet_dns_name_resolve(privoxy_t) + userdom_dontaudit_use_unpriv_user_fd(privoxy_t) userdom_dontaudit_search_sysadm_home_dir(privoxy_t) # cjp: this should really not be needed diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index c56c5a3..daf9875 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -125,6 +125,11 @@ optional_policy(`nscd.te',` nscd_use_socket(samba_net_t) ') +ifdef(`TODO',` +role system_r types samba_net_t; +in_user_role(samba_net_t) +') + ######################################## # # smbd Local policy @@ -194,6 +199,7 @@ corenet_tcp_bind_all_nodes(smbd_t) corenet_udp_bind_all_nodes(smbd_t) corenet_tcp_bind_smbd_port(smbd_t) corenet_tcp_connect_ipp_port(smbd_t) +corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) diff --git a/refpolicy/policy/modules/services/ssh.fc b/refpolicy/policy/modules/services/ssh.fc index 46d3cb8..c970a01 100644 --- a/refpolicy/policy/modules/services/ssh.fc +++ b/refpolicy/policy/modules/services/ssh.fc 
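Review bot: The new entry `/var/run/portmap.upgrade-state` leaves the dot unescaped, so it is a regex wildcard; the rest of this diff escapes literal dots (`/etc/rndc\.key`, `/var/run/dhcpd\.pid`), and the consistent form is `/var/run/portmap\.upgrade-state -- context_template(system_u:object_r:portmap_var_run_t,s0)`. The practical effect is small, but an unescaped dot in a file-context regex is exactly how an unexpected path later picks up a daemon's type. The samba.te `ifdef(`TODO'` block further down is dead by construction; if the `in_user_role(samba_net_t)` call is meant to be revived, a comment saying what blocks it beats leaving it silently disabled.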
@@ -7,6 +7,8 @@ /usr/bin/ssh-agent -- context_template(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- context_template(system_u:object_r:ssh_keygen_exec_t,s0) +/usr/libexec/openssh/ssh-keysign -- context_template(system_u:object_r:ssh_keysign_exec_t,s0) + /usr/sbin/sshd -- context_template(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- context_template(system_u:object_r:sshd_var_run_t,s0) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 1b4b1d4..edb0e04 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -467,6 +467,9 @@ template(`ssh_server_template', ` userdom_search_all_users_home($1_t) + # Allow checking users mail at login + mta_getattr_spool($1_t) + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) ') diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 69e7652..fe1f7c9 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -21,6 +21,9 @@ type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t,ssh_keygen_exec_t) role system_r types ssh_keygen_t; +type ssh_keysign_exec_t; +files_type(ssh_keysign_exec_t) + ssh_server_template(sshd) # cjp: commenting this out until typeattribute works in a conditional @@ -69,9 +72,6 @@ auth_exec_pam(sshd_t) seutil_read_config(sshd_t) -# Allow checking users mail at login -mta_getattr_spool(sshd_t) - tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index a53c3bf..90c51ba 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te 
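Review bot: `ssh_keysign_exec_t` is declared with only `files_type()` and no domain, entrypoint or transition, while ssh.fc now labels `/usr/libexec/openssh/ssh-keysign` with it; no rule in this diff grants execute on that type, so host-based authentication that relies on the setuid ssh-keysign helper is likely to stop working under enforcing until the matching domain lands. Either hold the fc entry back until the domain exists, or add the domain now and gate the transition on the `allow_ssh_keysign` tunable that global_tunables introduces in this same commit and that otherwise has no consumer. Moving `mta_getattr_spool` into `ssh_server_template` is fine, but its comment should say it now applies to every server built from the template, not just sshd_t.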
@@ -25,6 +25,7 @@ allow hwclock_t self:process signal_perms; # but hwclock does require it. allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; dontaudit hwclock_t self:capability sys_tty_config; +allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # Allow hwclock to store & retrieve correction factors. allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append }; diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index 5166326..5df4a0f 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -65,6 +65,10 @@ ifdef(`distro_gentoo', ` /usr(/.*)?/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0) +ifdef(`distro_suse', ` +/usr/lib/cron/run-crons -- context_template(system_u:object_r:bin_t,s0) +') + /usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0) /usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc index 90f772d..265cdeb 100644 --- a/refpolicy/policy/modules/system/fstools.fc +++ b/refpolicy/policy/modules/system/fstools.fc @@ -34,5 +34,6 @@ /usr/bin/partition_uuid -- context_template(system_u:object_r:fsadm_exec_t,s0) /usr/bin/raw -- context_template(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- context_template(system_u:object_r:fsadm_exec_t,s0) +/usr/bin/syslinux -- context_template(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- context_template(system_u:object_r:fsadm_exec_t,s0) diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index f4b0190..845b705 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te 
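Review bot: `allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` carries no explanation, and `nlmsg_relay` is the permission that lets a process inject user-space audit records, so it deserves a why-comment such as `# hwclock emits an audit record when it sets the system time` (confirm which hwclock operation actually sends it). If logging.if provides an audit-message interface, calling it would keep raw class and permission names out of clock.te and match how the rest of the file uses interfaces; that is outside this diff, so check before switching. The `/usr/bin/syslinux` → `fsadm_exec_t` entry in fstools.fc is appropriate, since syslinux writes boot sectors and belongs with the other raw-device tools.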
@@ -6,7 +6,7 @@ policy_module(fstools,1.0) # Declarations # -type fsadm_t; +type fsadm_t; #, mlsfileread; type fsadm_exec_t; init_system_domain(fsadm_t,fsadm_exec_t) role system_r types fsadm_t; @@ -23,7 +23,7 @@ files_type(swapfile_t) # # ipc_lock is for losetup -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search }; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_file_perms; @@ -63,8 +63,7 @@ dev_manage_generic_symlinks(fsadm_t) # Access to /initrd devices dev_search_usbfs(fsadm_t) # for swapon -dev_getattr_sysfs_dir(fsadm_t) -dev_search_sysfs(fsadm_t) +dev_read_sysfs(fsadm_t) # Access to /initrd devices dev_getattr_usbfs_dir(fsadm_t) @@ -83,6 +82,8 @@ storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) storage_swapon_fixed_disk(fsadm_t) +term_use_console(fsadm_t) + corecmd_list_bin(fsadm_t) corecmd_list_sbin(fsadm_t) corecmd_read_bin_symlink(fsadm_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 61dbd27..471b076 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -36,6 +36,7 @@ term_use_all_user_ttys(hostname_t) term_use_all_user_ptys(hostname_t) init_use_fd(hostname_t) +init_use_script_fd(hostname_t) init_use_script_pty(hostname_t) domain_use_wide_inherit_fd(hostname_t) diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index 25e0b0a..a954963 100644 --- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te 
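Review bot: `type fsadm_t; #, mlsfileread;` leaves a commented-out attribute fragment in the declaration, which reads as dead code and hides the intent (fsadm_t exempt from the MCS/MLS file-read constraint); if that is the plan, express it as a guarded `typeattribute fsadm_t mlsfileread;` under whichever of `enable_mls`/`enable_mcs` declares the attribute, or drop the fragment and note it beside the XXX comment in policy/mcs. `dac_override dac_read_search` on fsadm_t arrives without a reason; these tools already reach all storage through the storage_raw_* interfaces, so say which tool tripped DAC (a non-root-owned mount point or image file, presumably) so the grant can be revisited. Widening `dev_search_sysfs` to `dev_read_sysfs` is reasonable and the existing `# for swapon` comment already covers it.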
@@ -42,6 +42,7 @@ files_pid_file(ipsec_mgmt_var_run_t) allow ipsec_t self:capability { net_admin dac_override dac_read_search }; dontaudit ipsec_t self:capability sys_tty_config; allow ipsec_t self:process signal; +allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:key_socket { create write read setopt }; allow ipsec_t self:fifo_file { read getattr }; diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index ce9eb73..d4dc4d4 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -44,6 +44,7 @@ /usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0) +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0) # # /var # diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc index c7d5734..fd88bb3 100644 --- a/refpolicy/policy/modules/system/logging.fc +++ b/refpolicy/policy/modules/system/logging.fc @@ -1,6 +1,10 @@ /dev/log -s context_template(system_u:object_r:devlog_t,s0) +/etc/auditd.conf -- context_template(system_u:object_r:auditd_etc_t,s0) +/etc/audit.rules -- context_template(system_u:object_r:auditd_etc_t,s0) + +/sbin/auditctl -- context_template(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- context_template(system_u:object_r:auditd_exec_t,s0) /sbin/klogd -- context_template(system_u:object_r:klogd_exec_t,s0) /sbin/minilogd -- context_template(system_u:object_r:syslogd_exec_t,s0) diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc index c1d0120..bcd4720 100644 --- a/refpolicy/policy/modules/system/miscfiles.fc +++ b/refpolicy/policy/modules/system/miscfiles.fc 
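Review bot: The new libraries.fc entry spells the path `/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)*` with a lowercase `x`, while the sibling entries two lines up use `/usr/X11R6/lib/...`; file-context regexes are case-sensitive, so this line never matches and the real `libglx.so` keeps its default shared-library label. The visible consequence is an `execmod` denial when the X server loads the library rather than a silent grant, but the entry is dead as written; it should be `/usr/X11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)`.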
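Review bot: `/etc/auditd.conf` and `/etc/audit.rules` in logging.fc leave their dots unescaped, unlike the escaped entries elsewhere in this diff (`/etc/rndc\.key`, `/var/run/dhcpd\.pid`); with `--` the exposure is only a stray regular file such as `/etc/auditdXconf` picking up `auditd_etc_t`, but audit configuration is a high-value label and the patterns should be exact: `/etc/auditd\.conf` and `/etc/audit\.rules`. The `/sbin/auditctl` entry references `auditctl_exec_t`, and both it and `auditd_etc_t` must be declared in logging.te, which is outside this diff; the fc change should land together with those declarations or the file-context check is likely to fail.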
@@ -23,15 +23,14 @@ /usr/man(/.*)? context_template(system_u:object_r:man_t,s0) /usr/share/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0) - /usr/share/ghostscript/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0) - /usr/share/locale(/.*)? context_template(system_u:object_r:locale_t,s0) - /usr/share/man(/.*)? context_template(system_u:object_r:man_t,s0) - /usr/share/zoneinfo(/.*)? context_template(system_u:object_r:locale_t,s0) +/usr/share/ssl/certs(/.*)? context_template(system_u:object_r:cert_t,s0) +/usr/share/ssl/private(/.*)? context_template(system_u:object_r:cert_t,s0) + /usr/X11R6/lib/X11/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0) /usr/X11R6/man(/.*)? context_template(system_u:object_r:man_t,s0) @@ -46,9 +45,6 @@ ifdef(`distro_debian', ` /var/lib/texmf(/.*)? context_template(system_u:object_r:tetex_data_t,s0) /var/cache/fonts(/.*)? context_template(system_u:object_r:tetex_data_t,s0) - -/var/cache/man(/.*)? context_template(system_u:object_r:catman_t,s0) - -/var/catman(/.*)? context_template(system_u:object_r:catman_t,s0) +/var/cache/man(/.*)? context_template(system_u:object_r:man_t,s0) /var/spool/texmf(/.*)? context_template(system_u:object_r:tetex_data_t,s0) diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 280bf4f..3c5b3cc 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if 
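Review bot: `/usr/share/ssl/private(/.*)?` is labeled `cert_t`, the same type as the public certificates under `/usr/share/ssl/certs`. Every domain granted read on cert_t therefore also reads the private keys — this commit alone adds `r_dir_file(certwatch_t, cert_t)` and `r_dir_file(cyrus_t, cert_t)`. Labeling the private directory with a distinct type that only the key-consuming daemons are granted would keep certificate readers away from key material; if a shared type is intended for now, a comment on the entry saying so would at least make the exposure visible.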
@@ -475,6 +475,26 @@ interface(`seutil_dontaudit_search_config',` ') ######################################## +## +## Do not audit attempts to read the SELinux +## userland configuration (/etc/selinux). +## +## +## Domain to not audit. +## +# +interface(`seutil_dontaudit_read_config',` + gen_require(` + type selinux_config_t; + class dir search; + class file { getattr read }; + ') + + dontaudit $1 selinux_config_t:dir search; + dontaudit $1 selinux_config_t:file { getattr read }; +') + +######################################## # # seutil_read_config(domain) # diff --git a/refpolicy/policy/modules/system/udev.fc b/refpolicy/policy/modules/system/udev.fc index f959a14..133ddd5 100644 --- a/refpolicy/policy/modules/system/udev.fc +++ b/refpolicy/policy/modules/system/udev.fc @@ -1,18 +1,19 @@ # udev -/dev/\.udev\.tdb -- context_template(system_u:object_r:udev_tbl_t,s0) +/dev/\.udevdb -- context_template(system_u:object_r:udev_tbl_t,s0) /dev/udev\.tbl -- context_template(system_u:object_r:udev_tbl_t,s0) /etc/dev\.d/.+ -- context_template(system_u:object_r:udev_helper_exec_t,s0) /etc/hotplug\.d/default/udev.* -- context_template(system_u:object_r:udev_helper_exec_t,s0) -/etc/udev/scripts/.+ -- context_template(system_u:object_r:udev_helper_exec_t,s0) +/etc/udev/scripts/.+ -- context_template(system_u:object_r:udev_helper_exec_t,s0) /sbin/start_udev -- context_template(system_u:object_r:udev_exec_t,s0) /sbin/udev -- context_template(system_u:object_r:udev_exec_t,s0) /sbin/udevd -- context_template(system_u:object_r:udev_exec_t,s0) /sbin/udevsend -- context_template(system_u:object_r:udev_exec_t,s0) +/sbin/udevstart -- context_template(system_u:object_r:udev_exec_t,s0) /sbin/wait_for_sysfs -- context_template(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- context_template(system_u:object_r:udev_exec_t,s0) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 0829712..fe0b5a2 100644 
--- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -42,7 +42,7 @@ allow udev_t self:fifo_file rw_file_perms; allow udev_t self:unix_stream_socket { listen accept }; allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; -allow udev_t self:netlink_kobject_uevent_socket { create bind read }; +allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; allow udev_t self:shm create_shm_perms; allow udev_t self:sem create_sem_perms; allow udev_t self:msgq create_msgq_perms; diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt index 60bb608..4dafb20 100644 --- a/refpolicy/policy/support/misc_macros.spt +++ b/refpolicy/policy/support/misc_macros.spt @@ -21,11 +21,12 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4'); ######################################## # -# gen_con(context,sensitivity) +# gen_con(context,mls_sensitivity,[mcs_categories]) # -# Optionally put the sensitivity for the file +# MLS: Optionally put the sensitivity for the file +# MCS: Optionally put the categories of the file # -define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl +define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl ######################################## # diff --git a/strict/ChangeLog b/strict/ChangeLog index 20fcfc3..db9833c 100644 --- a/strict/ChangeLog +++ b/strict/ChangeLog 
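Review bot: The new `context_template` body appends both an MLS and an MCS suffix when `enable_mls` and `enable_mcs` are defined together, producing `ctx:$2:s0[:$3]`, which is not a valid security context; nothing in the macro guards against both being defined. Making the branches exclusive, e.g. `define(`context_template',`$1`'ifdef(`enable_mls',`:$2',`ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')') dnl`, avoids the malformed output regardless of how the build flags are combined. The header comment also still documents the macro as `gen_con(context,mls_sensitivity,[mcs_categories])` while the definition is `context_template`; the comment should use the real name.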
@@ -1,3 +1,26 @@ +1.27.1 2005-09-15 + * Merged small patches from Russell Coker for the apostrophe, + dhcpc, fsadm, and setfiles policy. + * Merged a patch from Russell Coker with some minor fixes to a + multitude of policy files. + * Merged patch from Dan Walsh from August 15th. Adds certwatch + policy. Adds mcs support to Makefile. Adds mcs file which + defines sensitivities and categories for the MSC policy. Creates + an authentication_domain macro in global_macros.te for domains + that use pam_authentication. Creates the anonymous_domain macro + so that the ftpd, rsync, httpd, and smbd domains can share the + ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to + start isolating individual ethernet devices. Changes vpnc from a + daemon to an application_domain. Adds audit_control capability to + crond_t. Adds dac_override and dac_read_search capabilities to + fsadm_t to allow the manipulation of removable media. Adds + read_sysctl macro to the base_passwd_domain macro. Adds rules to + allow alsa_t to communicate with userspace. Allows networkmanager + to communicate with isakmp_port and to use vpnc. For targeted + policy, removes transitions of sysadm_t to apm_t, backup_t, + bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t. + Makes other minor cleanups and fixes. + 1.26 2005-09-06 * Updated version for release. diff --git a/strict/Makefile b/strict/Makefile index fec8c3e..fac8cab 100644 --- a/strict/Makefile +++ b/strict/Makefile @@ -15,6 +15,9 @@ # Set to y if MLS is enabled in the policy. MLS=n +# Set to y if MCS is enabled in the policy +MCS=n + FLASKDIR = flask/ PREFIX = /usr BINDIR = $(PREFIX)/bin 
@@ -24,14 +27,18 @@ CHECKPOLICY = $(BINDIR)/checkpolicy GENHOMEDIRCON = $(SBINDIR)/genhomedircon SETFILES = $(SBINDIR)/setfiles VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') +PREVERS := 19 KERNVERS := $(shell cat /selinux/policyvers) POLICYVER := policy.$(VERS) TOPDIR = $(DESTDIR)/etc/selinux +TYPE=strict ifeq ($(MLS),y) TYPE=mls -else -TYPE=strict endif +ifeq ($(MCS),y) +TYPE=mcs +endif + INSTALLDIR = $(TOPDIR)/$(TYPE) POLICYPATH = $(INSTALLDIR)/policy SRCPATH = $(INSTALLDIR)/src @@ -54,6 +61,10 @@ ifeq ($(MLS),y) POLICYFILES += mls CHECKPOLMLS += -M endif +ifeq ($(MCS), y) +POLICYFILES += mcs +CHECKPOLMLS += -M +endif DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) POLICYFILES += $(USER_FILES) @@ -148,8 +159,10 @@ $(LOADPATH): policy.conf $(CHECKPOLICY) @echo "Compiling policy ..." @mkdir -p $(POLICYPATH) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf -ifneq ($(MLS),y) +ifneq ($(VERS),$(PREVERS)) + $(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf endif + # Note: Can't use install, so not sure how to deal with mode, user, and group # other than by default. @@ -162,7 +175,11 @@ $(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) reload tmp/load: $(LOADPATH) @echo "Loading Policy ..." +ifeq ($(VERS), $(KERNVERS)) $(LOADPOLICY) $(LOADPATH) +else + $(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS) +endif touch tmp/load load: tmp/load $(FCPATH) 
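Review bot: Setting `MCS=y` together with `MLS=y` is not rejected: `TYPE=mcs` silently wins because it is assigned last, `CHECKPOLMLS` receives `-M` twice, and `POLICYFILES` gets both `mls` and `mcs`. A parse-time guard such as `ifeq ($(MLS)$(MCS),yy)` / `$(error MLS and MCS are mutually exclusive)` / `endif` placed before the `TYPE` assignments would turn that into a clear failure. Separately, `PREVERS := 19` is an undocumented magic number that the `$(LOADPATH)` and `tmp/load` rules now depend on; a comment such as `# PREVERS: older policy version also compiled so a kernel that does not support $(VERS) can still load a policy` (adjusting the wording to the real reason) and a note on when to bump it would help, since `tmp/load` falls back to `policy.$(PREVERS)` whenever `$(VERS)` differs from `$(KERNVERS)`, even if the running kernel supports neither.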
@@ -328,3 +345,22 @@ mlsconvert: @sed "s/MLS=n/MLS=y/" Makefile > Makefile.new @mv Makefile.new Makefile @echo "Done" + +mcsconvert: + @for file in $(CONTEXTFILES); do \ + echo "Converting $$file"; \ + sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ + mv $$file.new $$file; \ + done + @for file in $(USER_FILES); do \ + echo "Converting $$file"; \ + sed -r -e 's/\;/ level s0 range s0;/' $$file | \ + sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \ + mv $$file.new $$file; \ + done + @sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts + @echo "Enabling MCS in the Makefile" + @sed "s/MCS=y/MCS=y/" Makefile > Makefile.new + @mv Makefile.new Makefile + @echo "Done" + diff --git a/strict/VERSION b/strict/VERSION index 24cffb8..08002f8 100644 --- a/strict/VERSION +++ b/strict/VERSION @@ -1 +1 @@ -1.26 +1.27.1 diff --git a/strict/appconfig/default_type b/strict/appconfig/default_type index 5212ca4..af878bd 100644 --- a/strict/appconfig/default_type +++ b/strict/appconfig/default_type @@ -1,3 +1,4 @@ +secadm_r:secadm_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --git a/strict/attrib.te b/strict/attrib.te index ca9d8e8..9648dcf 100644 --- a/strict/attrib.te +++ b/strict/attrib.te @@ -94,7 +94,7 @@ attribute priv_system_role; # The privowner attribute identifies every domain that can # assign a different SELinux user identity to a file, or that -# can create a file with an identity that's not the same as the +# can create a file with an identity that is not the same as the # process identity. This attribute is used in the constraints # configuration. attribute privowner; 
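Review bot: `@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new` is a no-op, so `mcsconvert` prints "Enabling MCS in the Makefile" without enabling it; the pattern should be `MCS=n`, matching mlsconvert's `s/MLS=n/MLS=y/`: `@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new`. In the `$(USER_FILES)` loop the redirect and the `mv` are joined with `;` rather than `&&`, so a failing sed still overwrites the original with truncated output — mirror the first loop with `... > $$file.new && \` followed by `mv $$file.new $$file; \`. Neither `mcsconvert` nor `mlsconvert` appears in a `.PHONY` declaration within this hunk; confirm one exists elsewhere, otherwise a file named `mcsconvert` would make the target appear up to date.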
@@ -201,6 +201,10 @@ attribute userpty_type; # unpriviledged user attribute user_tty_type; +# The admin_tty_type identifies every type for a tty or pty owned by a +# priviledged user +attribute admin_tty_type; + # The user_crond_domain attribute identifies every user_crond domain, presently # user_crond_t and sysadm_crond_t. It is used in TE rules that should be # applied to all user domains. @@ -255,6 +259,11 @@ attribute dev_fs; # in TE rules to grant such access for administrator domains. attribute sysadmfile; +# The secadmfile attribute identifies all types assigned to files +# that should be only accessible to security administrators. It is used +# in TE rules to grant such access for security administrator domains. +attribute secadmfile; + # The fs_type attribute identifies all types assigned to filesystems # (not limited to persistent filesystems). # It is used in TE rules to permit certain domains to mount diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te index 75f3074..bbb4fdc 100644 --- a/strict/domains/program/acct.te +++ b/strict/domains/program/acct.te @@ -23,10 +23,11 @@ allow acct_t urandom_device_t:chr_file read; type acct_data_t, file_type, logfile, sysadmfile; -allow acct_t self:capability sys_pacct; +# not sure why we need this, the command "last" is reported as using it +dontaudit acct_t self:capability kill; # gzip needs chown capability for some reason -allow acct_t self:capability chown; +allow acct_t self:capability { chown fsetid sys_pacct }; allow acct_t var_t:dir { getattr search }; rw_dir_create_file(acct_t, acct_data_t) @@ -37,14 +38,13 @@ allow acct_t bin_t:lnk_file read; read_locale(acct_t) -allow acct_t self:capability fsetid; allow acct_t fs_t:filesystem getattr; allow acct_t self:unix_stream_socket create_socket_perms; allow acct_t self:fifo_file { read write getattr }; -allow acct_t proc_t:file { read getattr }; +allow acct_t { self proc_t }:file { read getattr }; read_sysctl(acct_t) 
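Review bot: The new comment for `admin_tty_type` copies the misspelling `priviledged` from the context line above it; the new text should read `# privileged user`. The `secadmfile` description in the second hunk is clear, but "should be only accessible" reads better as "should only be accessible".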
@@ -53,8 +53,6 @@ dontaudit acct_t sysadm_home_dir_t:dir { getattr search }; # for nscd dontaudit acct_t var_run_t:dir search; -# not sure why we need this, the command "last" is reported as using it -dontaudit acct_t self:capability kill; allow acct_t devtty_t:chr_file { read write }; diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te index 72a708c..fb1fc1e 100644 --- a/strict/domains/program/apache.te +++ b/strict/domains/program/apache.te @@ -222,6 +222,9 @@ tmp_domain(httpd_php) # Creation of lock files for apache2 lock_domain(httpd) +# Allow apache to used ftpd_anon_t +anonymous_domain(httpd) + # connect to mysql ifdef(`mysqld.te', ` can_unix_connect(httpd_php_t, mysqld_t) @@ -300,7 +303,7 @@ allow httpd_helper_t httpd_log_t:file { append }; ################################################## if (httpd_tty_comm) { -allow { httpd_t httpd_helper_t } devpts_t:dir { search }; +allow { httpd_t httpd_helper_t } devpts_t:dir search; ifdef(`targeted_policy', ` allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write }; ') diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te index dd08d41..6ce5958 100644 --- a/strict/domains/program/apmd.te +++ b/strict/domains/program/apmd.te @@ -16,7 +16,9 @@ allow apmd_t urandom_device_t:chr_file read; type apm_t, domain, privlog; type apm_exec_t, file_type, sysadmfile, exec_type; +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, apm_exec_t, apm_t) +') uses_shlib(apm_t) allow apm_t privfd:fd use; allow apm_t admin_tty_type:chr_file rw_file_perms; diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te index b2e3622..fc09db6 100644 --- a/strict/domains/program/bluetooth.te +++ b/strict/domains/program/bluetooth.te 
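Review bot: `anonymous_domain(httpd)` ties httpd to the anonymous-FTP types: the ftpd.te hunk in this commit replaces `r_dir_file(ftpd_t,ftpd_anon_t)` and `create_dir_file(ftpd_t,ftpd_anon_rw_t)` with the same macro, so whatever the macro grants on the writable `ftpd_anon_rw_t` area, httpd now gets too. The macro body is not in this diff; if it grants create/write, a file uploaded anonymously over FTP becomes content httpd can both serve and modify, and a read-only grant on `ftpd_anon_t` would be the tighter choice if serving is all httpd needs. The comment also reads `Allow apache to used ftpd_anon_t`; `to use`.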
@@ -43,3 +43,6 @@ allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl }; allow initrc_t usbfs_t:file { getattr read }; allow bluetooth_t usbfs_t:dir r_dir_perms; allow bluetooth_t usbfs_t:file rw_file_perms; +allow bluetooth_t bin_t:dir search; +can_exec(bluetooth_t, bin_t) + diff --git a/strict/domains/program/certwatch.te b/strict/domains/program/certwatch.te new file mode 100644 index 0000000..2abb168 --- /dev/null +++ b/strict/domains/program/certwatch.te @@ -0,0 +1,11 @@ +#DESC certwatch - generate SSL certificate expiry warnings +# +# Domains for the certwatch process +# Authors: Dan Walsh , +# +application_domain(certwatch) +role system_r types certwatch_t; +r_dir_file(certwatch_t, cert_t) +can_exec(certwatch_t, httpd_modules_t) +system_crond_entry(certwatch_exec_t, certwatch_t) +read_locale(certwatch_t) diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te index a22fce9..8680035 100644 --- a/strict/domains/program/cyrus.te +++ b/strict/domains/program/cyrus.te @@ -20,7 +20,7 @@ allow cyrus_t port_type:tcp_socket name_connect; can_ypbind(cyrus_t) can_exec(cyrus_t, bin_t) allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; -allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms; +allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms; allow cyrus_t etc_t:file { getattr read }; allow cyrus_t lib_t:file { execute execute_no_trans getattr read }; read_locale(cyrus_t) @@ -42,3 +42,11 @@ allow system_crond_t cyrus_var_lib_t:file create_file_perms; create_dir_file(cyrus_t, mail_spool_t) allow cyrus_t var_spool_t:dir search; +ifdef(`saslaudthd.te', ` +allow cyrus_t saslauthd_var_run_t:dir search; +allow cyrus_t saslauthd_var_run_t:sock_file { read write }; +allow cyrus_t saslauthd_t:unix_stream_socket { connectto }; +') + +r_dir_file(cyrus_t, cert_t) +allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr }; 
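Review bot: `ifdef(`saslaudthd.te', ...` in cyrus.te misspells the file name — the policy file is `saslauthd.te` (patched elsewhere in this commit) — so the m4 condition is never true and the three saslauthd rules are silently dropped from the build. Change it to `ifdef(`saslauthd.te', ``.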
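Review bot: certwatch_t is granted `r_dir_file(certwatch_t, cert_t)`, and this commit's miscfiles.fc change labels `/usr/share/ssl/private` as cert_t as well, so a certificate-expiry checker ends up able to read private keys; an expiry check needs only the certificate directory, so a read grant limited to a type that covers the public certificates would be enough. `can_exec(certwatch_t, httpd_modules_t)` is unexplained and deserves a comment naming which binary under that type certwatch runs. The `# Authors: Dan Walsh ,` line has a trailing comma with nothing after it, which looks like a stripped address.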
diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te index 67ae087..07ad4ce 100644 --- a/strict/domains/program/dhcpd.te +++ b/strict/domains/program/dhcpd.te @@ -15,21 +15,18 @@ # dhcpd_exec_t is the type of the dhcpdd executable. # The dhcpd_t can be used for other DHCPC related files as well. # -daemon_domain(dhcpd) +daemon_domain(dhcpd, `, nscd_client_domain') allow dhcpd_t dhcpd_port_t:udp_socket name_bind; # for UDP port 4011 -ifdef(`pxe.te', `', ` -type pxe_port_t, port_type; -') allow dhcpd_t pxe_port_t:udp_socket name_bind; type dhcp_etc_t, file_type, sysadmfile, usercanread; -typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; # Use the network. can_network(dhcpd_t) +allow dhcpd_t port_type:tcp_socket name_connect; can_ypbind(dhcpd_t) allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te index bb4d4e8..e07bc43 100644 --- a/strict/domains/program/firstboot.te +++ b/strict/domains/program/firstboot.te @@ -57,9 +57,6 @@ allow firstboot_t etc_t:file write; # Allow write to utmp file allow firstboot_t initrc_var_run_t:file write; -allow firstboot_t krb5_conf_t:file { getattr read }; -allow firstboot_t net_conf_t:file { getattr read }; - ifdef(`samba.te', ` rw_dir_file(firstboot_t, samba_etc_t) ') @@ -95,10 +92,6 @@ allow firstboot_t krb5_conf_t:file rw_file_perms; allow firstboot_t modules_conf_t:file { getattr read }; allow firstboot_t modules_dep_t:file { getattr read }; allow firstboot_t modules_object_t:dir search; -allow firstboot_t net_conf_t:file rw_file_perms; -allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send }; -allow firstboot_t node_t:node { tcp_recv tcp_send }; - allow firstboot_t port_t:tcp_socket { recv_msg send_msg }; allow firstboot_t proc_t:lnk_file read; 
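Review bot: `allow dhcpd_t port_type:tcp_socket name_connect;` lets the DHCP server initiate TCP connections to every labeled port, which together with the new `nscd_client_domain` attribute is a broad outbound grant for a network-facing daemon. If a specific service is contacted (the hunk does not say which), scoping the rule to that port type, or a comment recording why all of `port_type` is required, would make the intent reviewable. Removing the `ifdef(`pxe.te', ...)` fallback also means `pxe_port_t` must now be declared unconditionally somewhere this diff does not show; confirm it is, or the policy fails to build without pxe.te.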
diff --git a/strict/domains/program/fs_daemon.te b/strict/domains/program/fs_daemon.te index 6ec6da0..05c98a9 100644 --- a/strict/domains/program/fs_daemon.te +++ b/strict/domains/program/fs_daemon.te @@ -15,6 +15,8 @@ allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms; allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; allow fsdaemon_t etc_runtime_t:file { getattr read }; +allow fsdaemon_t proc_mdstat_t:file { getattr read }; + can_exec_any(fsdaemon_t) allow fsdaemon_t self:fifo_file rw_file_perms; can_network_udp(fsdaemon_t) diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te index 6ae2a67..56295e3 100644 --- a/strict/domains/program/fsadm.te +++ b/strict/domains/program/fsadm.te @@ -12,14 +12,14 @@ # administration. # fsadm_exec_t is the type of the corresponding programs. # -type fsadm_t, domain, privlog, fs_domain; +type fsadm_t, domain, privlog, fs_domain, mlsfileread; role system_r types fsadm_t; role sysadm_r types fsadm_t; general_domain_access(fsadm_t) # for swapon -allow fsadm_t sysfs_t:dir { search getattr }; +r_dir_file(fsadm_t, sysfs_t) # Read system information files in /proc. r_dir_file(fsadm_t, proc_t) @@ -33,8 +33,7 @@ allow fsadm_t tmpfs_t:dir { getattr search }; base_file_read_access(fsadm_t) # Read /etc. -allow fsadm_t etc_t:dir r_dir_perms; -allow fsadm_t etc_t:notdevfile_class_set r_file_perms; +r_dir_file(fsadm_t, etc_t) # Read module-related files. allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms; @@ -47,8 +46,9 @@ uses_shlib(fsadm_t) type fsadm_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t) +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t) - +') tmp_domain(fsadm) # remount file system to apply changes 
@@ -63,7 +63,7 @@ allow fsadm_t proc_t:filesystem getattr; allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read }; # Use capabilities. ipc_lock is for losetup -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search }; # Write to /etc/mtab. file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file) @@ -101,7 +101,7 @@ allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon }; allow fsadm_t kernel_t:system syslog_console; # Access terminals. -allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') allow fsadm_t privfd:fd use; allow fsadm_t devpts_t:dir { getattr search }; diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te index 57d79f6..ab5101e 100644 --- a/strict/domains/program/ftpd.te +++ b/strict/domains/program/ftpd.te @@ -110,9 +110,5 @@ if (use_samba_home_dirs && ftp_home_dir) { r_dir_file(ftpd_t, cifs_t) } dontaudit ftpd_t selinux_config_t:dir search; -# -# Type for access to anon ftp -# -r_dir_file(ftpd_t,ftpd_anon_t) -type ftpd_anon_rw_t, file_type, sysadmfile, customizable; -create_dir_file(ftpd_t,ftpd_anon_rw_t) +anonymous_domain(ftpd) + diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te index ed84911..1d1ce66 100644 --- a/strict/domains/program/hald.te +++ b/strict/domains/program/hald.te 
@@ -30,12 +30,13 @@ allow hald_t { bin_t sbin_t }:dir search; allow hald_t self:fifo_file rw_file_perms; allow hald_t usr_t:file { getattr read }; allow hald_t bin_t:file getattr; + # For backwards compatibility with older kernels allow hald_t self:netlink_socket create_socket_perms; allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; allow hald_t self:netlink_route_socket r_netlink_socket_perms; -allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod }; +allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio }; can_network_server(hald_t) can_ypbind(hald_t) @@ -45,6 +46,10 @@ allow hald_t removable_device_t:blk_file write; allow hald_t event_device_t:chr_file { getattr read ioctl }; allow hald_t printer_device_t:chr_file rw_file_perms; allow hald_t urandom_device_t:chr_file read; +allow hald_t mouse_device_t:chr_file r_file_perms; +allow hald_t device_type:chr_file getattr; + +can_getsecurity(hald_t) ifdef(`updfstab.te', ` domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t) diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te index 575833c..579cd97 100644 --- a/strict/domains/program/hostname.te +++ b/strict/domains/program/hostname.te @@ -10,7 +10,7 @@ role sysadm_r types hostname_t; allow hostname_t self:capability sys_admin; allow hostname_t etc_t:file { getattr read }; -allow hostname_t { user_tty_type admin_tty_type }:chr_file { getattr read write }; +allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; read_locale(hostname_t) can_resolve(hostname_t) allow hostname_t userdomain:fd use; @@ -26,3 +26,5 @@ dontaudit hostname_t file_t:dir search; ifdef(`distro_redhat', ` allow hostname_t tmpfs_t:chr_file rw_file_perms; ') +allow hostname_t initrc_devpts_t:chr_file { read write }; +allow hostname_t initrc_t:fd use; 
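Review bot: `sys_rawio` is added to hald_t's capability set without a comment; it permits raw I/O port and block-device access, a step beyond the `net_admin sys_admin dac_override dac_read_search mknod` already on the line, so the motivating operation should be recorded, e.g. `# sys_rawio: <operation that needs it — fill in>`. `can_getsecurity(hald_t)` and `allow hald_t device_type:chr_file getattr;` in the second hunk are likewise uncommented. The blank line inserted before `# For backwards compatibility with older kernels` detaches that comment from the `usr_t`/`bin_t` rules and attaches it to the netlink rules, which is fine only if that is the intended reading.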
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te index c4e3d77..e5c5c4e 100644 --- a/strict/domains/program/hwclock.te +++ b/strict/domains/program/hwclock.te @@ -17,7 +17,9 @@ # daemon_base_domain(hwclock) role sysadm_r types hwclock_t; +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t) +') type adjtime_t, file_type, sysadmfile; allow hwclock_t fs_t:filesystem getattr; @@ -44,3 +46,4 @@ read_locale(hwclock_t) # for when /usr is not mounted dontaudit hwclock_t file_t:dir search; +allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te index 48ffb7b..dbab5bf 100644 --- a/strict/domains/program/ifconfig.te +++ b/strict/domains/program/ifconfig.te @@ -34,7 +34,7 @@ allow ifconfig_t etc_t:file { getattr read }; allow ifconfig_t self:socket create_socket_perms; # Use capabilities. -allow ifconfig_t self:capability net_admin; +allow ifconfig_t self:capability { net_raw net_admin }; dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:capability sys_tty_config; diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te index 3bb4bad..36e55ac 100644 --- a/strict/domains/program/ipsec.te +++ b/strict/domains/program/ipsec.te @@ -60,8 +60,8 @@ allow sysadm_t ipsec_t:key_socket getattr; # it in its own domain?) can_exec(ipsec_mgmt_t, bin_t) # logger, running in ipsec_mgmt_t needs to use sockets -allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; -allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; +allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms; +allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms; # also need to run things like whack and shell scripts can_exec(ipsec_mgmt_t, ipsec_exec_t) 
@@ -169,7 +169,7 @@ allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read wri # Pluto needs network access can_network_server(ipsec_t) can_ypbind(ipsec_t) -allow ipsec_t self:unix_dgram_socket { create connect write }; +allow ipsec_t self:unix_dgram_socket create_socket_perms; # for sleep allow ipsec_mgmt_t fs_t:filesystem getattr; @@ -211,6 +211,7 @@ allow ipsec_mgmt_t tmpfs_t:dir { getattr read }; allow ipsec_mgmt_t self:key_socket { create setopt }; can_exec(ipsec_mgmt_t, initrc_exec_t) allow ipsec_t self:netlink_xfrm_socket create_socket_perms; +allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; read_locale(ipsec_t) ifdef(`consoletype.te', ` can_exec(ipsec_mgmt_t, consoletype_exec_t ) diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te index 7ec13fc..803ae3d 100644 --- a/strict/domains/program/kudzu.te +++ b/strict/domains/program/kudzu.te @@ -48,7 +48,9 @@ allow kudzu_t devpts_t:dir search; allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms; role sysadm_r types kudzu_t; +ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t) +') ifdef(`anaconda.te', ` domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t) ') diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te index 33c1d51..d568a5f 100644 --- a/strict/domains/program/logrotate.te +++ b/strict/domains/program/logrotate.te @@ -141,5 +141,10 @@ allow logrotate_t syslogd_t:unix_dgram_socket sendto; domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t) +# Supress libselinux initialization denials dontaudit logrotate_t selinux_config_t:dir search; +dontaudit logrotate_t selinux_config_t:file { read getattr }; +# Allow selinux_getenforce +allow logrotate_t security_t:dir search; +allow logrotate_t security_t:file { getattr read }; diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te index b2f593e..72fe6a7 100644 
--- a/strict/domains/program/mailman.te +++ b/strict/domains/program/mailman.te @@ -91,6 +91,8 @@ allow mailman_cgi_t var_spool_t:dir search; allow mta_delivery_agent mailman_data_t:dir search; allow mta_delivery_agent mailman_data_t:lnk_file read; +allow initrc_t mailman_data_t:lnk_file read; +allow initrc_t mailman_data_t:dir r_dir_perms; domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t) ifdef(`direct_sysadm_daemon', ` domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t) diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te index 6c141c4..d7d49e1 100644 --- a/strict/domains/program/mta.te +++ b/strict/domains/program/mta.te @@ -22,7 +22,7 @@ ifdef(`targeted_policy', ` # rules are currently defined in sendmail.te, but it is not included in # targeted policy. We could move these rules permanantly here. ifdef(`postfix.te', `', `can_exec_any(system_mail_t)') -allow system_mail_t self:dir { search }; +allow system_mail_t self:dir search; allow system_mail_t self:lnk_file read; r_dir_file(system_mail_t, { proc_t proc_net_t }) allow system_mail_t fs_t:filesystem getattr; diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te index 80ea965..db49c23 100644 --- a/strict/domains/program/ntpd.te +++ b/strict/domains/program/ntpd.te @@ -26,7 +26,7 @@ allow ntpd_t ntp_drift_t:file create_file_perms; # for SSP allow ntpd_t urandom_device_t:chr_file { getattr read }; -allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot }; +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot }; dontaudit ntpd_t self:capability { net_admin }; allow ntpd_t self:process { setcap setsched }; # ntpdate wants sys_nice diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te index e984320..d7dff6c 100644 --- a/strict/domains/program/passwd.te +++ b/strict/domains/program/passwd.te 
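Review bot: `chown dac_override` are added to ntpd_t's self:capability with no reason given; `dac_override` lets a network-facing daemon ignore file permission bits system-wide. If this is for writing the drift file or a log as a different owner, a comment naming the file — and, where possible, a type-specific rule instead of the capability — would keep the grant minimal.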
@@ -64,6 +64,7 @@ dontaudit $1_t { user_home_dir_type user_home_type }:dir search; dontaudit $1_t { proc_t device_t }:dir { search read }; allow $1_t device_t:dir getattr; +read_sysctl($1_t) ') ################################# @@ -149,3 +150,8 @@ allow passwd_t userdomain:file { getattr read }; allow passwd_t userdomain:process getattr; allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +ifdef(`targeted_policy', ` +role system_r types sysadm_passwd_t; +allow sysadm_passwd_t devpts_t:chr_file rw_file_perms; +') diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te index cc1407e..3a54e81 100644 --- a/strict/domains/program/ping.te +++ b/strict/domains/program/ping.te @@ -42,9 +42,6 @@ allow ping_t self:unix_stream_socket create_socket_perms; # Let ping create raw ICMP packets. allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; -allow ping_t netif_type:netif { rawip_send rawip_recv }; -allow ping_t node_type:node { rawip_send rawip_recv }; - # Use capabilities. allow ping_t self:capability { net_raw setuid }; @@ -52,7 +49,6 @@ allow ping_t self:capability { net_raw setuid }; allow ping_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') allow ping_t privfd:fd use; - dontaudit ping_t fs_t:filesystem getattr; # it tries to access /var/run diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te index e0c1ea2..c2dc6e7 100644 --- a/strict/domains/program/pppd.te +++ b/strict/domains/program/pppd.te @@ -32,12 +32,9 @@ allow pppd_t sysfs_t:dir search; log_domain(pppd) # Use the network. -can_network(pppd_t) +can_network_server(pppd_t) can_ypbind(pppd_t) -allow pppd_t fingerd_port_t:tcp_socket name_connect; - - # Use capabilities. allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override }; lock_domain(pppd) 
@@ -55,8 +52,6 @@ allow postfix_postqueue_t pppd_t:process sigchld; # allow running ip-up and ip-down scripts and running chat. can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) -can_exec(pppd_t, pppd_etc_rw_t) -can_exec(pppd_t, hostname_exec_t) allow pppd_t { bin_t sbin_t }:dir search; allow pppd_t { sbin_t bin_t }:lnk_file read; @@ -115,7 +110,6 @@ ifdef(`modutil.te', ` domain_auto_trans(pppd_t, insmod_exec_t, insmod_t) ') } -domain_auto_trans(pppd_t, named_exec_t, named_t) daemon_domain(pptp) can_network_client_tcp(pptp_t) @@ -136,4 +130,17 @@ allow pptp_t self:capability net_raw; allow pptp_t self:fifo_file { read write }; allow pptp_t ptmx_t:chr_file rw_file_perms; log_domain(pptp) + +# Fix sockets +allow pptp_t pptp_var_run_t:sock_file create_file_perms; + +# Allow pptp to append to pppd log files allow pptp_t pppd_log_t:file append; + +ifdef(`named.te', ` +dontaudit ndc_t pppd_t:fd use; +') + +# Allow /etc/ppp/ip-{up,down} to run most anything +type pppd_script_exec_t, file_type, sysadmfile; +domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t) diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te index 9e94026..b8a522d 100644 --- a/strict/domains/program/privoxy.te +++ b/strict/domains/program/privoxy.te @@ -16,8 +16,9 @@ logdir_domain(privoxy) allow privoxy_t self:capability net_bind_service; # Use the network. -can_network(privoxy_t) +can_network_tcp(privoxy_t) can_ypbind(privoxy_t) +can_resolve(privoxy_t) allow privoxy_t http_cache_port_t:tcp_socket name_bind; allow privoxy_t etc_t:file { getattr read }; allow privoxy_t self:capability { setgid setuid }; diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te index d6fa1c5..b0ac4f0 100644 --- a/strict/domains/program/rlogind.te +++ b/strict/domains/program/rlogind.te 
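Review bot: `domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)` transitions pppd into `initrc_t` for any file labeled `pppd_script_exec_t`, so that label becomes a direct path from the pppd domain to init-script privileges; the hunk does not show where the type is assigned in file contexts, so that labeling should be kept to the `/etc/ppp/ip-{up,down}` scripts named in the comment and reviewed with it. The declaration `type pppd_script_exec_t, file_type, sysadmfile;` also omits `exec_type`, unlike the other executable types in this commit (`type apm_exec_t, file_type, sysadmfile, exec_type;`), so rules written against that attribute will not cover it; `type pppd_script_exec_t, file_type, sysadmfile, exec_type;` matches the convention.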
@@ -35,4 +35,4 @@ allow rlogind_t self:file { getattr read }; allow rlogind_t default_t:dir search; typealias rlogind_port_t alias rlogin_port_t; read_sysctl(rlogind_t); -allow rlogind_t krb5_keytab_t:file { getattr read }; +allow rlogind_t krb5_keytab_t:file r_file_perms; diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te index 0fc36f9..e245f57 100644 --- a/strict/domains/program/rpm.te +++ b/strict/domains/program/rpm.te @@ -31,6 +31,7 @@ tmpfs_domain(rpm) log_domain(rpm) can_network(rpm_t) +allow rpm_t port_type:tcp_socket name_connect; can_ypbind(rpm_t) # Allow the rpm domain to execute other programs diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te index 6bac7b7..c7d5378 100644 --- a/strict/domains/program/rsync.te +++ b/strict/domains/program/rsync.te @@ -15,3 +15,5 @@ inetd_child_domain(rsync) type rsync_data_t, file_type, sysadmfile; r_dir_file(rsync_t, rsync_data_t) r_dir_file(rsync_t, ftpd_anon_t) + + diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te index 09f5960..a1570b6 100644 --- a/strict/domains/program/samba.te +++ b/strict/domains/program/samba.te @@ -50,7 +50,7 @@ can_network(smbd_t) can_ldap(smbd_t) can_kerberos(smbd_t) can_winbind(smbd_t) -allow smbd_t ipp_port_t:tcp_socket name_connect; +allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect; allow smbd_t urandom_device_t:chr_file { getattr read }; @@ -189,6 +189,8 @@ allow smbmount_t local_login_t:fd use; ') # Derive from app. domain. Transition from mount. application_domain(samba_net, `, nscd_client_domain') +role system_r types samba_net_t; +in_user_role(samba_net_t) file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file) read_locale(samba_net_t) allow samba_net_t samba_etc_t:file r_file_perms; diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te index c10b03b..8786dd1 100644 --- a/strict/domains/program/saslauthd.te 
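Review bot: `allow rpm_t port_type:tcp_socket name_connect;` in the rpm hunk lets the rpm domain connect to every port type the policy defines, not the few used to fetch packages, and the context comment below shows rpm_t is also allowed to execute other programs, so the grant amounts to unrestricted outbound TCP for whatever runs under that domain. If the set of repository ports genuinely cannot be enumerated, say so at the site, e.g. `# rpm/yum fetch from arbitrary repository ports, so no specific port type can be named`; otherwise list the specific port types instead of the attribute.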
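Review bot: `in_user_role(samba_net_t)` in the second samba hunk places samba_net_t in every user role, and the context line just below it, `file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)`, shows that domain writes the samba secrets file. Whether an ordinary user domain can actually enter samba_net_t depends on transition rules outside this diff; if it can, a user-role process gains write access to samba_secrets_t, which should be restricted to the administrative roles. A comment stating which role is expected to run samba_net_t and why the user roles are included would settle this.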
+++ b/strict/domains/program/saslauthd.te @@ -9,6 +9,7 @@ allow saslauthd_t self:fifo_file { read write }; allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms; +allow saslauthd_t var_lib_t:dir search; allow saslauthd_t etc_t:dir { getattr search }; allow saslauthd_t etc_t:file r_file_perms; @@ -29,3 +30,12 @@ bool allow_saslauthd_read_shadow false; if (allow_saslauthd_read_shadow) { allow saslauthd_t shadow_t:file r_file_perms; } +dontaudit saslauthd_t selinux_config_t:dir search; +dontaudit saslauthd_t selinux_config_t:file { getattr read }; + + +dontaudit saslauthd_t initrc_t:unix_stream_socket connectto; +ifdef(`mysqld.te', ` +allow saslauthd_t mysqld_db_t:dir search; +allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms; +') diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te index f3bdbd9..dae93e0 100644 --- a/strict/domains/program/setfiles.te +++ b/strict/domains/program/setfiles.te @@ -17,6 +17,7 @@ type setfiles_exec_t, file_type, sysadmfile, exec_type; role system_r types setfiles_t; role sysadm_r types setfiles_t; +role secadm_r types setfiles_t; ifdef(`distro_redhat', ` domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t) @@ -26,7 +27,7 @@ allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_fi allow setfiles_t self:unix_dgram_socket create_socket_perms; -domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t) +domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t) allow setfiles_t { userdomain privfd initrc_t init_t }:fd use; uses_shlib(setfiles_t) diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te index d854f59..8512aab 100644 --- a/strict/domains/program/slocate.te +++ b/strict/domains/program/slocate.te 
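Review bot: In the saslauthd mysqld block, `allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;` on its own does not permit a connection; the unix_stream_socket `connectto` on mysqld_t is also required, and it is not in this hunk, so it either lives in mysqld.te or the access still fails. The preceding `dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;` carries no explanation, and since dontaudit rules hide denials an operator may need to see, a one-line reason such as `# dontaudit: <reason for the connectto attempt>; the connection is not needed for operation` belongs on it. The two blank lines inside the added block also look stray.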
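Review bot: `domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)` in the second setfiles hunk replaces a concrete type with the attribute secadmin, whose declaration is not part of this diff; if sysadm_t is not a member of that attribute, the retained `role sysadm_r types setfiles_t;` becomes dead and sysadm_r silently loses the automatic transition into setfiles_t. Since setfiles relabels the whole filesystem, which domains may enter it is a security boundary, and a comment at the site naming where secadmin is declared and which domains it covers, e.g. `# secadmin attribute (declared in <file>) covers sysadm_t and secadm_t`, would make that boundary visible.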
@@ -10,7 +10,8 @@ # locate_exec_t is the type of the locate executable. # daemon_base_domain(locate) - +role system_r types locate_t; +role sysadm_r types locate_t; allow locate_t fs_t:filesystem getattr; ifdef(`crond.te', ` @@ -23,6 +24,7 @@ allow system_crond_t locate_etc_t:file { getattr read }; allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms; allow locate_t { fs_type file_type }:dir r_dir_perms; +dontaudit locate_t sysctl_t:dir getattr; allow locate_t file_type:lnk_file r_file_perms; allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr; dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read; diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te index ee4dcf1..221ec7a 100644 --- a/strict/domains/program/ssh.te +++ b/strict/domains/program/ssh.te @@ -9,6 +9,9 @@ # Allow ssh logins as sysadm_r:sysadm_t bool ssh_sysadm_login false; +# allow host key based authentication +bool allow_ssh_keysign false; + ifdef(`inetd.te', ` # Allow ssh to run from inetd instead of as a daemon. bool run_ssh_inetd false; @@ -111,6 +114,11 @@ read_sysctl($1_t) can_create_pty($1, `, server_pty') allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom }; dontaudit sshd_t userpty_type:chr_file relabelfrom; + +# Allow checking users mail at login +allow $1_t { var_spool_t mail_spool_t }:dir search; +allow $1_t mail_spool_t:lnk_file read; +allow $1_t mail_spool_t:file getattr; ')dnl end sshd_program_domain # macro for defining which domains a sshd can spawn 
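Review bot: Moving the mail-spool rules into the sshd_program_domain macro in the second ssh.te hunk applies them to every instance of the macro, including sshd_extern_t (see the later hunk), whereas before only sshd_t had them. That is a widening rather than a pure move, and the inherited comment does not say so; `# Allow checking users mail at login (applies to every sshd instance of this macro)` would record it. If the external sshd instance should not read users' mail spool metadata, the rules should stay on sshd_t instead.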
@@ -157,11 +165,6 @@ sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type) # for when the network connection breaks after running newrole -r sysadm_r dontaudit sshd_t sysadm_devpts_t:chr_file setattr; -# Allow checking users mail at login -allow sshd_t { var_spool_t mail_spool_t }:dir search; -allow sshd_t mail_spool_t:lnk_file read; -allow sshd_t mail_spool_t:file getattr; - ifdef(`inetd.te', ` if (run_ssh_inetd) { allow inetd_t ssh_port_t:tcp_socket name_bind; @@ -217,6 +220,7 @@ file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file) # Type for the ssh executable. type ssh_exec_t, file_type, exec_type, sysadmfile; +type ssh_keysign_exec_t, file_type, exec_type, sysadmfile; # Everything else is in the ssh_domain macro in # macros/program/ssh_macros.te. diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te index ae4760c..5ff434f 100644 --- a/strict/domains/program/udev.te +++ b/strict/domains/program/udev.te @@ -33,7 +33,7 @@ allow udev_t self:file { getattr read }; allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms}; allow udev_t self:unix_dgram_socket create_socket_perms; allow udev_t self:fifo_file rw_file_perms; -allow udev_t self:netlink_kobject_uevent_socket { create bind read }; +allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; allow udev_t device_t:file { unlink rw_file_perms }; allow udev_t device_t:sock_file create_file_perms; allow udev_t device_t:lnk_file create_lnk_perms; diff --git a/strict/domains/program/unused/clockspeed.te b/strict/domains/program/unused/clockspeed.te index ef51d66..f79c314 100644 --- a/strict/domains/program/unused/clockspeed.te +++ b/strict/domains/program/unused/clockspeed.te @@ -21,5 +21,6 @@ allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms; # sysadm can play with clockspeed role sysadm_r types clockspeed_t; +ifdef(`targeted_policy', `', ` domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t) - +') 
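Review bot: `type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;` and the `allow_ssh_keysign` boolean added earlier in ssh.te are declared, and ssh.fc labels /usr/libexec/openssh/ssh-keysign, but no rule in this diff transitions on ssh_keysign_exec_t or tests the boolean; presumably that lives in macros/program/ssh_macros.te, which the context comment references and which is not in the patch. Because ssh-keysign is the helper that reads the host private keys on behalf of an unprivileged user, the domain that confines it is the security-relevant half; a pointer comment next to the type, e.g. `# ssh_keysign domain and allow_ssh_keysign handling live in macros/program/ssh_macros.te`, keeps the two halves findable.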
diff --git a/strict/domains/program/unused/cvs.te b/strict/domains/program/unused/cvs.te index ca089ed..324ddd3 100644 --- a/strict/domains/program/unused/cvs.te +++ b/strict/domains/program/unused/cvs.te @@ -15,12 +15,14 @@ inetd_child_domain(cvs, tcp) typeattribute cvs_t privmail; typeattribute cvs_t auth_chkpwd; -type cvs_data_t, file_type, sysadmfile; +type cvs_data_t, file_type, sysadmfile, customizable; create_dir_file(cvs_t, cvs_data_t) can_exec(cvs_t, { bin_t sbin_t shell_exec_t }) +allow cvs_t bin_t:dir search; +allow cvs_t { bin_t sbin_t }:lnk_file read; allow cvs_t etc_runtime_t:file { getattr read }; allow system_mail_t cvs_data_t:file { getattr read }; dontaudit cvs_t devtty_t:chr_file { read write }; -allow cvs_t default_t:dir search; -allow cvs_t default_t:lnk_file read; - +# Allow kerberos to work +allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms; +dontaudit cvs_t krb5_conf_t:file write; diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te index 21f1f8e..29255f3 100644 --- a/strict/domains/program/unused/ddclient.te +++ b/strict/domains/program/unused/ddclient.te @@ -38,5 +38,7 @@ allow ddclient_t self:unix_stream_socket create_socket_perms; # allow access to ddclient.conf and ddclient.cache allow ddclient_t ddclient_etc_t:file r_file_perms; -allow ddclient_t ddclient_var_t:dir rw_dir_perms; -allow ddclient_t ddclient_var_t:file create_file_perms; +file_type_auto_trans(ddclient_t, var_t, ddclient_var_t) +dontaudit ddclient_t devpts_t:dir search; +dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms; +dontaudit httpd_t selinux_config_t:dir search; diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te index 34ba329..4feb508 100644 --- a/strict/domains/program/unused/dpkg.te +++ b/strict/domains/program/unused/dpkg.te 
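Review bot: Adding `customizable` to cvs_data_t changes relabel behaviour: setfiles/restorecon leave customizable types in place unless forced, so a file mislabelled as cvs_data_t is not corrected by an ordinary relabel. That is presumably deliberate for repositories in admin-chosen paths, but the hunk does not say so; `# customizable: repositories live in admin-chosen paths, so relabels must not reset them` would record the intent. `dontaudit cvs_t krb5_conf_t:file write;` likewise hides a denial without a stated reason and deserves the same one-line why.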
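Review bot: `dontaudit httpd_t selinux_config_t:dir search;` at the end of the ddclient hunk refers to httpd_t, a type declared by apache.te, from inside ddclient.te; when ddclient.te is built without apache.te the type is undefined and the policy fails to compile, and even when both are present the rule is invisible to whoever maintains the apache policy. Move the line into apache.te, or if it must stay here, wrap it in an ifdef on apache.te the way the other cross-module rules in this file are guarded.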
@@ -178,6 +178,9 @@ etcdir_domain(apt) type apt_rw_etc_t, file_type, sysadmfile; tmp_domain(apt, `', `{ dir file lnk_file }') can_exec(apt_t, apt_tmp_t) +ifdef(`crond.te', ` +allow system_crond_t apt_etc_t:file { getattr read }; +') rw_dir_create_file(apt_t, apt_rw_etc_t) diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te index 3397b0b..a96c987 100644 --- a/strict/domains/program/unused/sxid.te +++ b/strict/domains/program/unused/sxid.te @@ -32,6 +32,7 @@ allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr; allow sxid_t ttyfile:chr_file getattr; allow sxid_t file_type:dir { getattr read search }; allow sxid_t sysadmfile:file { getattr read }; +dontaudit sxid_t devpts_t:dir r_dir_perms; allow sxid_t fs_type:dir { getattr read search }; # Use the network. diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te index 779cd31..121e03c 100644 --- a/strict/domains/program/useradd.te +++ b/strict/domains/program/useradd.te @@ -102,3 +102,4 @@ dontaudit groupadd_t initrc_var_run_t:file write; allow useradd_t default_context_t:dir search; allow useradd_t file_context_t:dir search; allow useradd_t file_context_t:file { getattr read }; +allow useradd_t var_lib_t:dir search; diff --git a/strict/file_contexts/homedir_template b/strict/file_contexts/homedir_template deleted file mode 100644 index 1206f76..0000000 --- a/strict/file_contexts/homedir_template +++ /dev/null 
@@ -1,32 +0,0 @@ -# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd -# HOME_DIR expands to each user's home directory, -# and to HOME_ROOT/[^/]+ for each HOME_ROOT. -# ROLE expands to each user's role when role != user_r, and to "user" otherwise. -HOME_ROOT -d system_u:object_r:home_root_t -HOME_DIR -d system_u:object_r:ROLE_home_dir_t -HOME_DIR/.+ system_u:object_r:ROLE_home_t -HOME_ROOT/\.journal <> -HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t -HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t -HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t -HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_home_irc_t -HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/My.Downloads(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t -HOME_DIR/\.mplayer(/.*)? system_u:object_r:ROLE_mplayer_home_t -HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t -HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t -HOME_DIR/\.spamassassin(/.*)? system_u:object_r:ROLE_spamassassin_home_t -HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t -HOME_DIR/\.uml(/.*)? system_u:object_r:ROLE_uml_rw_t -HOME_DIR/\.vmware(/.*)? system_u:object_r:ROLE_vmware_file_t -HOME_DIR/vmware(/.*)? system_u:object_r:ROLE_vmware_file_t -HOME_DIR/\.vmware[^/]*/.*\.cfg -- system_u:object_r:ROLE_vmware_conf_t -HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t -HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t 
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc index 444c3f0..96c5b3a 100644 --- a/strict/file_contexts/program/apache.fc +++ b/strict/file_contexts/program/apache.fc @@ -7,6 +7,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_ /var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t /var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t /var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t +/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t +/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t /etc/httpd -d system_u:object_r:httpd_config_t /etc/httpd/conf.* system_u:object_r:httpd_config_t /etc/httpd/logs system_u:object_r:httpd_log_t @@ -26,15 +28,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_ /var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t /var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t /var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t -/var/run/apache(2)?\.pid.* -- system_u:object_r:httpd_var_run_t +/var/run/apache.* system_u:object_r:httpd_var_run_t /var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t /var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t /etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t /usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t /usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t /var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t -/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t /var/run/gcache_port -s system_u:object_r:httpd_var_run_t +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? system_u:object_r:httpd_log_t +') ifdef(`distro_suse', ` # suse puts shell scripts there :-( /usr/share/apache2/[^/]* -- system_u:object_r:bin_t diff --git a/strict/file_contexts/program/auditd.fc b/strict/file_contexts/program/auditd.fc index 32401bb..a87077b 100644 --- a/strict/file_contexts/program/auditd.fc 
+++ b/strict/file_contexts/program/auditd.fc @@ -1,3 +1,8 @@ # auditd +/sbin/auditctl -- system_u:object_r:auditctl_exec_t /sbin/auditd -- system_u:object_r:auditd_exec_t /var/log/audit.log -- system_u:object_r:auditd_log_t +/var/log/audit(/.*)? system_u:object_r:auditd_log_t +/etc/auditd.conf -- system_u:object_r:auditd_etc_t +/etc/audit.rules -- system_u:object_r:auditd_etc_t + diff --git a/strict/file_contexts/program/certwatch.fc b/strict/file_contexts/program/certwatch.fc new file mode 100644 index 0000000..20bb8ca --- /dev/null +++ b/strict/file_contexts/program/certwatch.fc @@ -0,0 +1,3 @@ +# certwatch.fc +/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t + diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc index 4262e05..90c898c 100644 --- a/strict/file_contexts/program/clamav.fc +++ b/strict/file_contexts/program/clamav.fc @@ -12,4 +12,4 @@ /var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t /var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t /var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t -/var/run/clamav/clamd.sock -s system_u:object_r:clamd_sock_t +/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t diff --git a/strict/file_contexts/program/compat.fc b/strict/file_contexts/program/compat.fc new file mode 100644 index 0000000..ba15f45 --- /dev/null +++ b/strict/file_contexts/program/compat.fc 
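Review bot: `/etc/auditd.conf` and `/etc/audit.rules` in the auditd hunk leave the dot unescaped, so each regex also matches unrelated names with any character in that position; the clamav hunk in the same line fixes exactly this pattern (`clamd.sock` to `clamd\.sock`), and the new entries should follow it: `/etc/auditd\.conf -- system_u:object_r:auditd_etc_t` and `/etc/audit\.rules -- system_u:object_r:auditd_etc_t`. The same applies to `/var/run/portmap.upgrade-state` in the portmap.fc hunk further down. For the audit configuration, whose label is what keeps the rule set from being edited by the wrong domain, handing auditd_etc_t to a stray file is more of a concern than for most paths.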
@@ -0,0 +1,62 @@ +ifdef(`setfiles.te', `', ` +# setfiles +/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t +') + +ifdef(`mount.te', `', ` +# mount +/bin/mount.* -- system_u:object_r:mount_exec_t +/bin/umount.* -- system_u:object_r:mount_exec_t +') +ifdef(`loadkeys.te', `', ` +# loadkeys +/bin/unikeys -- system_u:object_r:loadkeys_exec_t +/bin/loadkeys -- system_u:object_r:loadkeys_exec_t +') +ifdef(`dmesg.te', `', ` +# dmesg +/bin/dmesg -- system_u:object_r:dmesg_exec_t +') +ifdef(`fsadm.te', `', ` +# fs admin utilities +/sbin/fsck.* -- system_u:object_r:fsadm_exec_t +/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t +/sbin/e2fsck -- system_u:object_r:fsadm_exec_t +/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t +/sbin/dosfsck -- system_u:object_r:fsadm_exec_t +/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t +/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t +/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t +/sbin/e2label -- system_u:object_r:fsadm_exec_t +/sbin/findfs -- system_u:object_r:fsadm_exec_t +/sbin/mkfs -- system_u:object_r:fsadm_exec_t +/sbin/mke2fs -- system_u:object_r:fsadm_exec_t +/sbin/mkswap -- system_u:object_r:fsadm_exec_t +/sbin/scsi_info -- system_u:object_r:fsadm_exec_t +/sbin/sfdisk -- system_u:object_r:fsadm_exec_t +/sbin/cfdisk -- system_u:object_r:fsadm_exec_t +/sbin/fdisk -- system_u:object_r:fsadm_exec_t +/sbin/parted -- system_u:object_r:fsadm_exec_t +/sbin/tune2fs -- system_u:object_r:fsadm_exec_t +/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t +/sbin/swapon.* -- system_u:object_r:fsadm_exec_t +/sbin/hdparm -- system_u:object_r:fsadm_exec_t +/sbin/raidstart -- system_u:object_r:fsadm_exec_t +/sbin/mkraid -- system_u:object_r:fsadm_exec_t +/sbin/blockdev -- system_u:object_r:fsadm_exec_t +/sbin/losetup.* -- system_u:object_r:fsadm_exec_t +/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t +/sbin/lsraid -- system_u:object_r:fsadm_exec_t +/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t +/sbin/install-mbr -- 
system_u:object_r:fsadm_exec_t +/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t +/usr/bin/raw -- system_u:object_r:fsadm_exec_t +/sbin/partx -- system_u:object_r:fsadm_exec_t +/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t +/sbin/partprobe -- system_u:object_r:fsadm_exec_t +') +ifdef(`kudzu.te', `', ` +# kudzu +/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t +/sbin/kmodule -- system_u:object_r:kudzu_exec_t +') diff --git a/strict/file_contexts/program/crond.fc b/strict/file_contexts/program/crond.fc index 90869cf..3a46659 100644 --- a/strict/file_contexts/program/crond.fc +++ b/strict/file_contexts/program/crond.fc @@ -9,7 +9,6 @@ /var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t /var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t /var/spool/cron/[^/]* -- <> -/var/log/cron.* -- system_u:object_r:crond_log_t /var/run/crond\.reboot -- system_u:object_r:crond_var_run_t /var/run/crond?\.pid -- system_u:object_r:crond_var_run_t # fcron @@ -27,3 +26,9 @@ /var/spool/at/spool -d system_u:object_r:cron_spool_t /var/spool/at/[^/]* -- <> /var/run/atd\.pid -- system_u:object_r:crond_var_run_t +ifdef(`distro_suse', ` +/usr/lib/cron/run-crons -- system_u:object_r:bin_t +/var/spool/cron/lastrun -d system_u:object_r:crond_tmp_t +/var/spool/cron/lastrun/[^/]* -- <> +/var/spool/cron/tabs -d system_u:object_r:cron_spool_t +') diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc index d4c1eb2..26ae56f 100644 --- a/strict/file_contexts/program/cups.fc +++ b/strict/file_contexts/program/cups.fc 
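Review bot: compat.fc reproduces the fsadm.fc executable list verbatim under an ifdef on fsadm.te, and it already lags: the fsadm.fc hunk in this same commit adds `/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t`, which compat.fc does not. Two hand-maintained copies will keep drifting, and a binary missing from the fallback list keeps a generic label and therefore gets no domain transition when fsadm.te is absent. The file also has no header comment at all; if the duplication is intentional, one such as `# Fallback labels used when the matching .te file is not built; keep in sync with setfiles.fc, mount.fc, loadkeys.fc, dmesg.fc, fsadm.fc and kudzu.fc` should say so and name what to keep in step.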
@@ -5,6 +5,7 @@ /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t /etc/cups/client\.conf -- system_u:object_r:etc_t /etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t +/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t /etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t /etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t /etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc index 4e612cf..3e010c3 100644 --- a/strict/file_contexts/program/dhcpd.fc +++ b/strict/file_contexts/program/dhcpd.fc @@ -3,7 +3,7 @@ /etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t /usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t /var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t -/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t +/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t ifdef(`dhcp_defined', `', ` /var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t define(`dhcp_defined') diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc index 5d42601..9b81537 100644 --- a/strict/file_contexts/program/fsadm.fc +++ b/strict/file_contexts/program/fsadm.fc @@ -37,3 +37,4 @@ /sbin/partx -- system_u:object_r:fsadm_exec_t /usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t /sbin/partprobe -- system_u:object_r:fsadm_exec_t +/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc index fc65c44..e74e2c5 100644 --- a/strict/file_contexts/program/lvm.fc +++ b/strict/file_contexts/program/lvm.fc 
@@ -12,7 +12,6 @@ /etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t /var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t /dev/lvm -c system_u:object_r:fixed_disk_device_t -/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t /dev/mapper/control -c system_u:object_r:lvm_control_t /lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t /lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t diff --git a/strict/file_contexts/program/named.fc b/strict/file_contexts/program/named.fc index b39ec8f..edcbe3e 100644 --- a/strict/file_contexts/program/named.fc +++ b/strict/file_contexts/program/named.fc @@ -9,18 +9,21 @@ ifdef(`distro_redhat', ` ifdef(`distro_debian', ` /etc/bind(/.*)? system_u:object_r:named_zone_t /etc/bind/named\.conf -- system_u:object_r:named_conf_t -/etc/bind/rndc\.key -- system_u:object_r:named_conf_t +/etc/bind/rndc\.key -- system_u:object_r:dnssec_t /var/cache/bind(/.*)? system_u:object_r:named_cache_t ') dnl distro_debian /etc/rndc.* -- system_u:object_r:named_conf_t -/etc/rndc.key -- system_u:object_r:dnssec_t +/etc/rndc\.key -- system_u:object_r:dnssec_t /usr/sbin/named -- system_u:object_r:named_exec_t +/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t /usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t /var/run/ndc -s system_u:object_r:named_var_run_t /var/run/bind(/.*)? system_u:object_r:named_var_run_t /var/run/named(/.*)? system_u:object_r:named_var_run_t /usr/sbin/lwresd -- system_u:object_r:named_exec_t +/var/log/named.* -- system_u:object_r:named_log_t + ifdef(`distro_redhat', ` /var/named/named\.ca -- system_u:object_r:named_conf_t /var/named/chroot(/.*)? system_u:object_r:named_conf_t 
@@ -40,7 +43,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_gentoo', ` /etc/bind(/.*)? system_u:object_r:named_zone_t /etc/bind/named\.conf -- system_u:object_r:named_conf_t -/etc/bind/rndc\.key -- system_u:object_r:named_conf_t +/etc/bind/rndc\.key -- system_u:object_r:dnssec_t /var/bind(/.*)? system_u:object_r:named_cache_t /var/bind/pri(/.*)? system_u:object_r:named_zone_t ') dnl distro_gentoo diff --git a/strict/file_contexts/program/nscd.fc b/strict/file_contexts/program/nscd.fc index aa24987..5c39b46 100644 --- a/strict/file_contexts/program/nscd.fc +++ b/strict/file_contexts/program/nscd.fc @@ -4,3 +4,4 @@ /var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t /var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t /var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t +/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t diff --git a/strict/file_contexts/program/ntpd.fc b/strict/file_contexts/program/ntpd.fc index 3b178b4..84dd7b9 100644 --- a/strict/file_contexts/program/ntpd.fc +++ b/strict/file_contexts/program/ntpd.fc @@ -1,7 +1,7 @@ /var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t /etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t -/etc/ntp(d)?\.conf(.sv)? -- system_u:object_r:net_conf_t -/etc/ntp/step-tickers -- system_u:object_r:net_conf_t +/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t +/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t /usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t /usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t /var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t diff --git a/strict/file_contexts/program/portmap.fc b/strict/file_contexts/program/portmap.fc index 08802d5..4417c85 100644 --- a/strict/file_contexts/program/portmap.fc +++ b/strict/file_contexts/program/portmap.fc @@ -7,3 +7,4 @@ ifdef(`distro_debian', ` /usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t /usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t ') +/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t 
diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc index 2a5850b..0e96508 100644 --- a/strict/file_contexts/program/postfix.fc +++ b/strict/file_contexts/program/postfix.fc @@ -10,6 +10,7 @@ ifdef(`distro_redhat', ` /usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t /usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t /usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t +/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t /usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t /usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t /usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t @@ -22,6 +23,7 @@ ifdef(`distro_redhat', ` /usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t /usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t /usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t +/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t /usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t /usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t /usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc index af9d512..a16da2a 100644 --- a/strict/file_contexts/program/pppd.fc +++ b/strict/file_contexts/program/pppd.fc 
@@ -13,9 +13,13 @@ /var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t /var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t /var/log/ppp/.* -- system_u:object_r:pppd_log_t -/etc/ppp/ip-down.* -- system_u:object_r:bin_t -/etc/ppp/ip-up.* -- system_u:object_r:bin_t -/etc/ppp/ipv6-up -- system_u:object_r:bin_t -/etc/ppp/ipv6-down -- system_u:object_r:bin_t +/etc/ppp/ip-down\..* -- system_u:object_r:bin_t +/etc/ppp/ip-up\..* -- system_u:object_r:bin_t +/etc/ppp/ipv6-up\..* -- system_u:object_r:bin_t +/etc/ppp/ipv6-down\..* -- system_u:object_r:bin_t /etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t -/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t +/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t +# Fix pptp sockets +/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t +# Fix /etc/ppp {up,down} family scripts (see man pppd) +/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t diff --git a/strict/file_contexts/program/qmail.fc b/strict/file_contexts/program/qmail.fc index 510f077..7704ed7 100644 --- a/strict/file_contexts/program/qmail.fc +++ b/strict/file_contexts/program/qmail.fc @@ -17,7 +17,7 @@ /usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t /usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t /usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t -# qmail - djb's locations +# qmail - djb locations /var/qmail/control(/.*)? system_u:object_r:qmail_etc_t /var/qmail/bin -d system_u:object_r:bin_t /var/qmail/queue(/.*)? system_u:object_r:qmail_spool_t diff --git a/strict/file_contexts/program/radvd.fc b/strict/file_contexts/program/radvd.fc index fc8ddcf..5000383 100644 --- a/strict/file_contexts/program/radvd.fc +++ b/strict/file_contexts/program/radvd.fc 
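Review bot: `/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t` restricts the match to regular files (`--`), so despite the comment `# Fix pptp sockets` neither the /var/run/pptp directory nor any socket in it (type `-s`) receives pptp_var_run_t on a relabel, and the `pptp_t pptp_var_run_t:sock_file` rule added in pppd.te has nothing to apply to. Drop the file-type field so the whole subtree matches: `/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t`. The last line labels the /etc/ppp up/down scripts pppd_script_exec_t, which pppd.te transitions into initrc_t; write access to those scripts is therefore now equivalent to initrc_t, and a comment at this site saying their label must remain admin-only would help the next person who touches these patterns.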
@@ -2,3 +2,4 @@ /etc/radvd\.conf -- system_u:object_r:radvd_etc_t /usr/sbin/radvd -- system_u:object_r:radvd_exec_t /var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t +/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t diff --git a/strict/file_contexts/program/ssh.fc b/strict/file_contexts/program/ssh.fc index 078f8ef..3cd1d0c 100644 --- a/strict/file_contexts/program/ssh.fc +++ b/strict/file_contexts/program/ssh.fc @@ -1,5 +1,6 @@ # ssh /usr/bin/ssh -- system_u:object_r:ssh_exec_t +/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t /usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t # sshd /etc/ssh/primes -- system_u:object_r:sshd_key_t diff --git a/strict/file_contexts/program/sudo.fc b/strict/file_contexts/program/sudo.fc index 3eed3ff..d733894 100644 --- a/strict/file_contexts/program/sudo.fc +++ b/strict/file_contexts/program/sudo.fc @@ -1,2 +1,3 @@ # sudo -/usr/bin/sudo -- system_u:object_r:sudo_exec_t +/usr/bin/sudo(edit)? -- system_u:object_r:sudo_exec_t + diff --git a/strict/file_contexts/program/traceroute.fc b/strict/file_contexts/program/traceroute.fc index 6a8b259..66a6c5f 100644 --- a/strict/file_contexts/program/traceroute.fc +++ b/strict/file_contexts/program/traceroute.fc @@ -1,5 +1,6 @@ # traceroute /bin/traceroute.* -- system_u:object_r:traceroute_exec_t +/bin/tracepath.* -- system_u:object_r:traceroute_exec_t /usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t /usr/bin/lft -- system_u:object_r:traceroute_exec_t /usr/bin/nmap -- system_u:object_r:traceroute_exec_t diff --git a/strict/file_contexts/program/udev.fc b/strict/file_contexts/program/udev.fc index 40f1fd5..0b6c719 100644 --- a/strict/file_contexts/program/udev.fc +++ b/strict/file_contexts/program/udev.fc 
@@ -3,11 +3,12 @@ /sbin/udev -- system_u:object_r:udev_exec_t /sbin/udevd -- system_u:object_r:udev_exec_t /sbin/start_udev -- system_u:object_r:udev_exec_t +/sbin/udevstart -- system_u:object_r:udev_exec_t /usr/bin/udevinfo -- system_u:object_r:udev_exec_t /etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t /etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t /etc/udev/devices/.* system_u:object_r:device_t /etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t /dev/udev\.tbl -- system_u:object_r:udev_tbl_t -/dev/\.udev\.tdb(/.*)? -- system_u:object_r:udev_tdb_t +/dev/\.udevdb(/.*)? -- system_u:object_r:udev_tdb_t /sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc index 4708e08..33816d9 100644 --- a/strict/file_contexts/types.fc +++ b/strict/file_contexts/types.fc @@ -46,9 +46,9 @@ # # Ordinary user home directories. # HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd -# HOME_DIR expands to each user's home directory, +# HOME_DIR expands to each users home directory, # and to HOME_ROOT/[^/]+ for each HOME_ROOT. -# ROLE expands to each user's role when role != user_r, and to "user" otherwise. +# ROLE expands to each users role when role != user_r, and to "user" otherwise. # HOME_ROOT -d system_u:object_r:home_root_t HOME_DIR -d system_u:object_r:ROLE_home_dir_t @@ -58,7 +58,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t # # Mount points; do not relabel subdirectories, since -# we don't want to change any removable media by default. +# we do not want to change any removable media by default. /mnt(/[^/]*)? -d system_u:object_r:mnt_t /mnt/[^/]*/.* <> /media(/[^/]*)? -d system_u:object_r:mnt_t 
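Review bot: The two types.fc hunks only strip apostrophes from comments (`user's` to `users`, `don't` to `do not`), presumably because these files pass through m4, where a stray single quote alters quoting for the rest of the file; the change itself gives no reason. The result `each users home directory` reads as a typo that the next editor will put back, so a short note at the top of the comment block, e.g. `# (no apostrophes in comments: this file is processed by m4)`, would prevent the regression.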
@@ -68,8 +68,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t # /var # /var(/.*)? system_u:object_r:var_t -/var/catman(/.*)? system_u:object_r:catman_t -/var/cache/man(/.*)? system_u:object_r:catman_t +/var/cache/man(/.*)? system_u:object_r:man_t /var/yp(/.*)? system_u:object_r:var_yp_t /var/lib(/.*)? system_u:object_r:var_lib_t /var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t @@ -110,7 +109,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t # /boot # /boot(/.*)? system_u:object_r:boot_t -/boot/System\.map-.* -- system_u:object_r:system_map_t +/boot/System\.map(-.*)? system_u:object_r:system_map_t # # /dev @@ -129,6 +128,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t /dev/nvram -c system_u:object_r:memory_device_t /dev/random -c system_u:object_r:random_device_t /dev/urandom -c system_u:object_r:urandom_device_t +/dev/adb.* -c system_u:object_r:tty_device_t /dev/capi.* -c system_u:object_r:tty_device_t /dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t /dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t @@ -157,6 +157,7 @@ ifdef(`distro_redhat', ` /dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t /dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t /dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t +/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t /dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t /dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t /dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t @@ -247,6 +248,7 @@ ifdef(`distro_suse', ` /dev/dri/.+ -c system_u:object_r:dri_device_t /dev/radeon -c system_u:object_r:dri_device_t /dev/agpgart -c system_u:object_r:agp_device_t +/dev/z90crypt -c system_u:object_r:crypt_device_t # # Misc 
@@ -352,8 +354,11 @@ ifdef(`distro_gentoo', ` /usr/share/man(/.*)? system_u:object_r:man_t /usr/share/mc/extfs/.* -- system_u:object_r:bin_t /usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t +/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t +/usr/share/ssl/private(/.*)? system_u:object_r:cert_t # nvidia share libraries +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t /usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t diff --git a/strict/macros/content_macros.te b/strict/macros/content_macros.te new file mode 100644 index 0000000..fb36d46 --- /dev/null +++ b/strict/macros/content_macros.te 
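Review bot: `/usr/share/ssl/private(/.*)?` is given the same cert_t type as the public certificate directory, so every domain granted read on cert_t for CA certificates (for example `r_dir_file($1_evolution_server_t, cert_t)` in the evolution hunk of this same commit) can also read any server private keys kept there. A distinct type for private key material, or leaving the directory at its default so it requires an explicit grant, would keep keys out of the cert_t read set. Separately, the new nvidia entry spells the path `/usr/x11R6/lib/modules/extensions/libglx\.so...` in lower case while the neighbouring entry uses `/usr/X11R6/`; file_contexts matching is case-sensitive, so as written the new pattern will not match on a system with the usual capitalization.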
@@ -0,0 +1,188 @@ +# Content access macros + +# FIXME: After nested booleans are supported, replace NFS/CIFS +# w/ read_network_home, and write_network_home macros from global + +# FIXME: If true/false constant booleans are supported, replace +# ugly $3 ifdefs with if(true), if(false)... + +# FIXME: Do we want write to imply read? + +############################################################ +# read_content(domain, role_prefix, bool_prefix) +# +# Allow the given domain to read content. +# Content may be trusted or untrusted, +# Reading anything is subject to a controlling boolean based on bool_prefix. +# Reading untrusted content is additionally subject to read_untrusted_content +# Reading default_t is additionally subject to read_default_t + +define(`read_content', ` + +# Declare controlling boolean +ifelse($3, `', `', ` +ifdef(`$3_read_content_defined', `', ` +define(`$3_read_content_defined') +bool $3_read_content false; +') dnl ifdef +') dnl ifelse + +# Handle nfs home dirs +ifelse($3, `', +`if (use_nfs_home_dirs) { ', +`if ($3_read_content && use_nfs_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +r_dir_file($1, nfs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 nfs_t:file r_file_perms; +dontaudit $1 nfs_t:dir r_dir_perms; +} + +# Handle samba home dirs +ifelse($3, `', +`if (use_samba_home_dirs) { ', +`if ($3_read_content && use_samba_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +r_dir_file($1, cifs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 cifs_t:file r_file_perms; +dontaudit $1 cifs_t:dir r_dir_perms; +} + +# Handle removable media, /tmp, and /home +ifelse($3, `', `', +`if ($3_read_content) {') +allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +r_dir_file($1, { $2_tmp_t $2_home_t } ) +ifdef(`mls_policy', `', ` +r_dir_file($1, removable_t) +') + +ifelse($3, `', `', +`} 
else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms; +dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms; +}') + +# Handle default_t content +ifelse($3, `', +`if (read_default_t) { ', +`if ($3_read_content && read_default_t) {') +r_dir_file($1, default_t) +} else { +dontaudit $1 default_t:file r_file_perms; +dontaudit $1 default_t:dir r_dir_perms; +} + +# Handle untrusted content +ifelse($3, `', +`if (read_untrusted_content) { ', +`if ($3_read_content && read_untrusted_content) {') +allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t }) +} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms; +dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms; +} +') dnl read_content + +################################################# +# write_trusted(domain, role_prefix, bool_prefix) +# +# Allow the given domain to write trusted content. +# This is subject to a controlling boolean based +# on bool_prefix. 
+ +define(`write_trusted', ` + +# Declare controlling boolean +ifelse($3, `', `', ` +ifdef(`$3_write_content_defined', `', ` +define(`$3_write_content_defined') +bool $3_write_content false; +') dnl ifdef +') dnl ifelse + +# Handle nfs homedirs +ifelse($3, `', +`if (use_nfs_home_dirs) { ', +`if ($3_write_content && use_nfs_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, nfs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 nfs_t:file create_file_perms; +dontaudit $1 nfs_t:dir create_dir_perms; +} + +# Handle samba homedirs +ifelse($3, `', +`if (use_samba_home_dirs) { ', +`if ($3_write_content && use_samba_home_dirs) {') +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, cifs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 cifs_t:file create_file_perms; +dontaudit $1 cifs_t:dir create_dir_perms; +} + +# Handle /tmp and /home +ifelse($3, `', `', +`if ($3_write_content) {') +allow $1 home_root_t:dir { read getattr search }; +file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file }); +file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file }); +ifelse($3, `', `', +`} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms; +dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms; +}') + +') dnl write_trusted + +######################################### +# write_untrusted(domain, role_prefix) +# +# Allow the given domain to write untrusted content. +# This is subject to the global boolean write_untrusted. 
+ +define(`write_untrusted', ` + +# Handle nfs homedirs +if (write_untrusted_content && use_nfs_home_dirs) { +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, nfs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 nfs_t:file create_file_perms; +dontaudit $1 nfs_t:dir create_dir_perms; +} + +# Handle samba homedirs +if (write_untrusted_content && use_samba_home_dirs) { +allow $1 { autofs_t home_root_t }:dir { read search getattr }; +create_dir_file($1, cifs_t) +} else { +dontaudit $1 { autofs_t home_root_t }:dir { read search getattr }; +dontaudit $1 cifs_t:file create_file_perms; +dontaudit $1 cifs_t:dir create_dir_perms; +} + +# Handle /tmp and /home +if (write_untrusted_content) { +allow $1 home_root_t:dir { read getattr search }; +file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file }) +file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file }) +} else { +dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search }; +dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms; +dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms; +} + +') dnl write_untrusted diff --git a/strict/macros/home_macros.te b/strict/macros/home_macros.te new file mode 100644 index 0000000..033b32f --- /dev/null +++ b/strict/macros/home_macros.te 
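Review bot: In `write_untrusted` the /tmp and /home branch transitions from `{ tmp_t $2_tmp_t }` and `{ $2_home_dir_t $2_home_t }`, so, to the extent file_type_auto_trans grants rw_dir_perms on its source directories, the "untrusted" writer also gets directory write (add_name/remove_name) on the trusted `$2_tmp_t` and `$2_home_t` directories, which is wider than the macro header's stated purpose. The else branch dontaudits create perms on `$2_tmp_t`/`$2_home_t` but not on the `$2_untrusted_content_t`/`$2_untrusted_content_tmp_t` types the if branch actually creates, so denials on the untrusted types will still be logged when write_untrusted_content is off. Consider limiting the source directories to `tmp_t` and `$2_home_dir_t` as `write_trusted` does, or add to the header `# NOTE: also grants directory write on the trusted $2_tmp_t/$2_home_t dirs` so callers know what they are handing out.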
@@ -0,0 +1,130 @@ +# Home macros + +################################################ +# network_home(source) +# +# Allows source domain to use a network home +# This includes privileges of create and execute +# as well as the ability to create sockets and fifo + +define(`network_home', ` +allow $1 autofs_t:dir { search getattr }; + +if (use_nfs_home_dirs) { +create_dir_file($1, nfs_t) +can_exec($1, nfs_t) +allow $1 nfs_t:{ sock_file fifo_file } create_file_perms; +} + +if (use_samba_home_dirs) { +create_dir_file($1, cifs_t) +can_exec($1, cifs_t) +allow $1 cifs_t:{ sock_file fifo_file } create_file_perms; +} +') dnl network_home + +################################################ +# write_network_home(source) +# +# Allows source domain to create directories and +# files on network file system + +define(`write_network_home', ` +allow $1 home_root_t:dir search; + +if (use_nfs_home_dirs) { +create_dir_file($1, nfs_t) +} +if (use_samba_home_dirs) { +create_dir_file($1, cifs_t) +} +allow $1 autofs_t:dir { search getattr }; +') dnl write_network_home + +################################################ +# read_network_home(source) +# +# Allows source domain to read directories and +# files on network file system + +define(`read_network_home', ` +allow $1 home_root_t:dir search; + +if (use_nfs_home_dirs) { +r_dir_file($1, nfs_t) +} +if (use_samba_home_dirs) { +r_dir_file($1, cifs_t) +} +allow $1 autofs_t:dir { search getattr }; +') dnl read_network_home + +################################################## +# home_domain_ro_access(source, user, app) +# +# Gives source access to the read-only home +# domain of app for the given user type + +define(`home_domain_ro_access', ` +allow $1 { home_root_t $2_home_dir_t }:dir { search getattr }; +read_network_home($1) +r_dir_file($1, $2_$3_ro_home_t) +') dnl home_domain_ro_access + +################################################# +# home_domain_access(source, user, app) +# +# Gives source full access to the home +# domain of app 
for the given user type +# +# Requires transition in caller + +define(`home_domain_access', ` +allow $1 { home_root_t $2_home_dir_t }:dir { search getattr }; +write_network_home($1) +create_dir_file($1, $2_$3_home_t) +') dnl home_domain_access + +#################################################################### +# home_domain (prefix, app) +# +# Creates a domain in the prefix home where an application can +# store its settings. It is accessible by the prefix domain. +# +# Requires transition in caller + +define(`home_domain', ` + +# Declare home domain +type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember; +typealias $1_$2_home_t alias $1_$2_rw_t; + +# User side access +create_dir_file($1_t, $1_$2_home_t) +allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + +# App side access +home_domain_access($1_$2_t, $1, $2) +') + +#################################################################### +# home_domain_ro (user, app) +# +# Creates a read-only domain in the user home where an application can +# store its settings. It is fully accessible by the user, but +# it is read-only for the application. +# + +define(`home_domain_ro', ` + +# Declare home domain +type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile; +typealias $1_$2_ro_home_t alias $1_$2_ro_t; + +# User side access +create_dir_file($1_t, $1_$2_ro_home_t) +allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + +# App side access +home_domain_ro_access($1_$2_t, $1, $2) +') diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te index a363f7b..b19d3f7 100644 --- a/strict/macros/program/apache_macros.te +++ b/strict/macros/program/apache_macros.te 
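Review bot: `network_home` grants `can_exec($1, nfs_t)` and `can_exec($1, cifs_t)` gated only by the use_nfs_home_dirs/use_samba_home_dirs booleans, so any domain given a network home may execute arbitrary content from an NFS or CIFS mount, not only from its own home, since nfs_t/cifs_t are not per-user types; a warning in the header such as `# NOTE: grants execute on all nfs_t/cifs_t content, not only the caller's home` (or a separate boolean) would make that explicit to callers. The `home_domain` and `home_domain_ro` comments describe creating a "domain", but what they declare is a file type (`type $1_$2_home_t, file_type, ...`), and only `home_domain` adds the `polymember` attribute; a one-line comment saying whether the read-only type is intentionally excluded from polyinstantiation would save the next reader from guessing.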
@@ -23,6 +23,7 @@ if (httpd_enable_cgi) { domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms; +allow httpd_t httpd_$1_script_exec_t:file r_file_perms; allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; @@ -101,7 +102,9 @@ allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search }; read_fonts(httpd_$1_script_t) r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t) create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t) +allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms; ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t) +anonymous_domain(httpd_$1_script) if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) { create_dir_file(httpd_$1_script_t, httpdcontent) @@ -136,9 +139,10 @@ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; if (httpd_builtin_scripting) { r_dir_file(httpd_t, httpd_$1_script_ro_t) create_dir_file(httpd_t, httpd_$1_script_rw_t) +allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms; ra_dir_file(httpd_t, httpd_$1_script_ra_t) -} r_dir_file(httpd_t, httpd_$1_content_t) +} ') define(`apache_user_domain', ` diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te index aa9e1e5..8b94a00 100644 --- a/strict/macros/program/cdrecord_macros.te +++ b/strict/macros/program/cdrecord_macros.te 
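Review bot: Moving the closing brace in the `-136` hunk places `r_dir_file(httpd_t, httpd_$1_content_t)` inside `if (httpd_builtin_scripting)`, so httpd_t can read user content only when built-in scripting is enabled and serving static user pages with scripting off would now be denied. If that is intentional it deserves a comment, since static content has no relation to builtin scripting; otherwise keep the brace where it was so the content read stays unconditional, or gate it on a content-specific boolean. The apache_domain macro these rules belong to begins before the hunk.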
@@ -27,16 +27,8 @@ allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms; can_resmgrd_connect($1_cdrecord_t) -allow $1_cdrecord_t { tmp_t home_root_t }:dir search; - -# allow cdrecord to read user files -r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t }) -if (use_nfs_home_dirs) { -r_dir_file($1_cdrecord_t, nfs_t) -} -if (use_samba_home_dirs) { -r_dir_file($1_cdrecord_t, cifs_t) -} +read_content($1_cdrecord_t, $1, cdrecord) + allow $1_cdrecord_t etc_t:file { getattr read }; # allow searching for cdrom-drive @@ -50,6 +42,8 @@ allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl }; allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill }; allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms; -read_content($1_cdrecord_t, $1) +allow $1_cdrecord_t $1_home_t:dir search; +allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms; +allow $1_cdrecord_t $1_home_t:file r_file_perms; ') diff --git a/strict/macros/program/ethereal_macros.te b/strict/macros/program/ethereal_macros.te index c546cb4..36f1a96 100644 --- a/strict/macros/program/ethereal_macros.te +++ b/strict/macros/program/ethereal_macros.te @@ -38,11 +38,10 @@ domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t) role $1_r types $1_ethereal_t; # Manual transition from userhelper -# FIXME: Need to handle the fallback case, which requires userhelper support ifdef(`userhelper.te', ` -allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure }; -allow sysadm_ethereal_t userhelperdomain:fd use; -allow sysadm_ethereal_t userhelperdomain:process sigchld; +allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure }; +allow $1_ethereal_t userhelperdomain:fd use; +allow $1_ethereal_t userhelperdomain:process sigchld; ') dnl userhelper # X, GNOME 
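Review bot: The second cdrecord hunk replaces the gated `read_content($1_cdrecord_t, $1)` with unconditional `allow $1_cdrecord_t $1_home_t:file r_file_perms;` and `allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;`, while the first hunk routes the same reads through `read_content($1_cdrecord_t, $1, cdrecord)`, whose `cdrecord_read_content` boolean defaults to false. The unconditional rules make that boolean ineffective for home-directory files (only /tmp, NFS/CIFS, removable and untrusted content remain gated), and they let the domain read `$1_home_t` files while granting only `search` on `$1_home_t` directories, which is an odd half-grant. If the boolean is meant to control access, drop the three unconditional lines; if some fixed read is required, narrow it and state why in a comment.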
diff --git a/strict/macros/program/evolution_macros.te b/strict/macros/program/evolution_macros.te index facfe7f..37fc087 100644 --- a/strict/macros/program/evolution_macros.te +++ b/strict/macros/program/evolution_macros.te @@ -64,7 +64,7 @@ can_network_client_tcp($1_evolution_server_t, ldap_port_t) allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect; # Look in /etc/pki -allow $1_evolution_server_t cert_t:dir r_dir_perms; +r_dir_file($1_evolution_server_t, cert_t) ') dnl evolution_data_server diff --git a/strict/macros/program/irc_macros.te b/strict/macros/program/irc_macros.te index 8c9c876..3adaef7 100644 --- a/strict/macros/program/irc_macros.te +++ b/strict/macros/program/irc_macros.te @@ -21,6 +21,7 @@ define(`irc_domain',` # Home domain home_domain($1, irc) +file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir) # Derived domain based on the calling user domain and the program. type $1_irc_t, domain; @@ -46,6 +47,7 @@ allow $1_t $1_irc_t:process signal; # Use the network. can_network_client($1_irc_t) +allow $1_irc_t port_type:tcp_socket name_connect; can_ypbind($1_irc_t) allow $1_irc_t usr_t:file { getattr read }; @@ -65,7 +67,7 @@ allow $1_irc_t self:dir search; dontaudit $1_irc_t var_run_t:dir search; # allow utmp access -allow $1_irc_t initrc_var_run_t:file read; +allow $1_irc_t initrc_var_run_t:file { getattr read }; dontaudit $1_irc_t initrc_var_run_t:file lock; # access files under /tmp diff --git a/strict/macros/program/lpr_macros.te b/strict/macros/program/lpr_macros.te index beb6ca2..3dea9b0 100644 --- a/strict/macros/program/lpr_macros.te +++ b/strict/macros/program/lpr_macros.te @@ -35,6 +35,7 @@ role $1_r types $1_lpr_t; # This domain is granted permissions common to most domains (including can_net) can_network_client($1_lpr_t) +allow $1_lpr_t port_type:tcp_socket name_connect; can_ypbind($1_lpr_t) # Use capabilities. 
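Review bot: `allow $1_irc_t port_type:tcp_socket name_connect;` lets the IRC client connect to every labeled port, including reserved and other services' ports, which is broader than an IRC client needs next to the existing `can_network_client`. If an IRC port type exists it should be the target of name_connect; if not, a comment such as `# irc servers run on arbitrary ports; no dedicated port type yet` would record that the broad grant is deliberate. The irc_domain macro continues past this hunk.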
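Review bot: `allow $1_lpr_t port_type:tcp_socket name_connect;` grants the print client connections to every labeled port, although the lpr macro already has a targeted `can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)` for the cups case in a later hunk. Unless remote printing genuinely needs arbitrary ports, name_connect should be limited to the printer/ipp port types, or the reason for the blanket grant noted inline, e.g. `# remote lpd/ipp servers; no port type covers all of them`. The lpr_domain macro this sits in starts before the hunk.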
@@ -52,7 +53,6 @@ r_dir_file($1_lpr_t, printconf_t) ') tmp_domain($1_lpr) -r_dir_file($1_lpr_t, $1_tmp_t) # Type for spool files. type $1_print_spool_t, file_type, sysadmfile; @@ -71,18 +71,8 @@ ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;') allow $1_lpr_t privfd:fd use; # Read user files. -allow sysadm_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search; -allow sysadm_lpr_t $1_home_t:{ file lnk_file } r_file_perms; -allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search; -allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms; - -if (use_nfs_home_dirs) { -r_dir_file($1_lpr_t, nfs_t) -} - -if (use_samba_home_dirs) { -r_dir_file($1_lpr_t, cifs_t) -} +read_content(sysadm_lpr_t, $1) +read_content($1_lpr_t, $1) # Read and write shared files in the spool directory. allow $1_lpr_t print_spool_t:file rw_file_perms; @@ -114,8 +104,7 @@ allow $1_lpr_t lpd_t:process signal; ')dnl end if lpd.te ifdef(`xdm.te', ` -allow $1_lpr_t xdm_t:fd use; -allow $1_lpr_t xdm_t:fifo_file write; +can_pipe_xdm($1_lpr_t) ') ifdef(`cups.te', ` @@ -124,11 +113,5 @@ allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read }; can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t) ')dnl end ifdef cups.te -ifdef(`hide_broken_symptoms', ` -# thunderbird causes these -dontaudit $1_lpr_t $1_t:tcp_socket { read write }; -dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write; -') - ')dnl end macro definition diff --git a/strict/macros/program/mail_client_macros.te b/strict/macros/program/mail_client_macros.te index 90b9b1d..da22a62 100644 --- a/strict/macros/program/mail_client_macros.te +++ b/strict/macros/program/mail_client_macros.te 
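Review bot: `read_content(sysadm_lpr_t, $1)` and `read_content($1_lpr_t, $1)` in the `-71` hunk pass an empty bool_prefix, so unlike the cdrecord hunk (`read_content(..., cdrecord)`) there is no controlling boolean, and the macro grants more than the removed rules did: read of removable_t (outside MLS), default_t and the user's untrusted content types, the latter two gated only by the global read_default_t/read_untrusted_content booleans. Because the call for sysadm_lpr_t is made inside the per-user macro, the admin's lpr gets unconditional read of every user's home, tmp and removable content. Consider `read_content($1_lpr_t, $1, lpr)` so an `lpr_read_content` boolean exists, and add a comment explaining why sysadm_lpr_t needs each user's content rather than only the admin's.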
@@ -54,10 +54,15 @@ domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t) ') ifdef(`dbusd.te', ` dbusd_client(system, $1) +allow $1_t system_dbusd_t:dbus send_msg; dbusd_client($2, $1) allow $1_t $2_dbusd_t:dbus send_msg; ifdef(`cups.te', ` allow cupsd_t $1_t:dbus send_msg; ') ') +# Allow the user domain to signal/ps. +can_ps($2_t, $1_t) +allow $2_t $1_t:process signal_perms; + ') diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te index 3980122..cc8afb0 100644 --- a/strict/macros/program/mozilla_macros.te +++ b/strict/macros/program/mozilla_macros.te @@ -139,7 +139,14 @@ allow $1_mozilla_t self:process { execmem execstack }; } allow $1_mozilla_t texrel_shlib_t:file execmod; +ifdef(`dbusd.te', ` dbusd_client(system, $1_mozilla) +allow $1_mozilla_t system_dbusd_t:dbus send_msg; +ifdef(`cups.te', ` +allow cupsd_t $1_mozilla_t:dbus send_msg; +') +') + ifdef(`apache.te', ` ifelse($1, sysadm, `', ` r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t }) diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te index d7678f5..c85cfc7 100644 --- a/strict/macros/program/spamassassin_macros.te +++ b/strict/macros/program/spamassassin_macros.te @@ -85,7 +85,7 @@ file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, d spamassassin_agent_privs($1_spamassassin_t, $1) can_resolve($1_spamassassin_t) -# set tunable if you give spamassassin full network access. +# set tunable if you have spamassassin do DNS lookups if (spamassasin_can_network) { can_network($1_spamassassin_t) allow $1_spamassassin_t port_type:tcp_socket name_connect; diff --git a/strict/macros/program/thunderbird_macros.te b/strict/macros/program/thunderbird_macros.te index b84e41d..2c0711d 100644 --- a/strict/macros/program/thunderbird_macros.te +++ b/strict/macros/program/thunderbird_macros.te 
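Review bot: The new comment `# set tunable if you have spamassassin do DNS lookups` understates the rule it annotates: the boolean grants `can_network` plus `name_connect` to every `port_type`, while DNS resolution is already granted unconditionally by `can_resolve($1_spamassassin_t)` two lines above. Either make the comment match the grant, e.g. `# set tunable to give spamassassin full network access (DNS alone is covered by can_resolve above)`, or narrow the rule to the ports the network tests actually need. The enclosing spamassassin macro begins before the hunk.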
@@ -38,6 +38,7 @@ dontaudit $1_thunderbird_t $1_home_t:file { getattr read }; x_client_domain($1_thunderbird, $1) mail_client_domain($1_thunderbird, $1) +allow $1_thunderbird_t self:process signull; allow $1_thunderbird_t fs_t:filesystem getattr; # GNOME support @@ -54,9 +55,6 @@ home_domain($1, thunderbird) can_network_client_tcp($1_thunderbird_t, http_port_t) allow $1_thunderbird_t http_port_t:tcp_socket name_connect; -allow $1_thunderbird_t self:process { execheap execstack }; -if (allow_execmem) { -allow $1_thunderbird_t self:process execmem; -} +allow $1_thunderbird_t self:process { execheap execmem execstack }; ') diff --git a/strict/mls b/strict/mls index ef20c21..01a652a 100644 --- a/strict/mls +++ b/strict/mls @@ -217,7 +217,7 @@ level s9:c0.c127; mlsconstrain { file lnk_file fifo_file } { create relabelto } ( l2 eq h2 ); -# new file labels must be dominated by the relabeling subject clearance +# new file labels must be dominated by the relabeling subject's clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto ( h1 dom h2 ); @@ -272,7 +272,7 @@ mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } # create can also require the upgrade/downgrade checks if the creating process # has used setfscreate (note that both the high and low level of the object -# default to the process sensitivity level) +# default to the process' sensitivity level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create ((( l1 eq l2 ) or (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or @@ -290,7 +290,7 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create # MLS policy for the filesystem class # -# new filesystem labels must be dominated by the relabeling subject clearance +# new filesystem labels must be dominated by the relabeling subject's clearance mlsconstrain filesystem relabelto ( h1 dom h2 ); 
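Review bot: The second thunderbird hunk collapses `if (allow_execmem) { allow $1_thunderbird_t self:process execmem; }` into an unconditional `allow $1_thunderbird_t self:process { execheap execmem execstack };`, so administrators lose the ability to deny anonymous executable memory to thunderbird through the allow_execmem boolean. execheap and execstack were already unconditional, but execmem is precisely the permission that boolean exists to control; unless thunderbird cannot start without it (in which case say so in a comment), keep the conditional: `allow $1_thunderbird_t self:process { execheap execstack };` followed by `if (allow_execmem) { allow $1_thunderbird_t self:process execmem; }`.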
@@ -316,7 +316,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # MLS policy for the socket classes # -# new socket labels must be dominated by the relabeling subject clearance +# new socket labels must be dominated by the relabeling subject's clearance mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto ( h1 dom h2 ); diff --git a/strict/net_contexts b/strict/net_contexts index fd10f9b..f38e613 100644 --- a/strict/net_contexts +++ b/strict/net_contexts @@ -223,14 +223,6 @@ portcon udp 1-1023 system_u:object_r:reserved_port_t # # interface netif_context default_msg_context # -netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t -netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t -netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t -netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t -netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t -netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t -netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t -netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t # Nodes (default = initial SID "node") # diff --git a/strict/types/network.te b/strict/types/network.te index bf5ca67..e3c66f8 100644 --- a/strict/types/network.te +++ b/strict/types/network.te 
@@ -74,15 +74,6 @@ type reserved_port_t, port_type; # interfaces in net_contexts or net_contexts.mls. # type netif_t, netif_type; -type netif_eth0_t, netif_type; -type netif_eth1_t, netif_type; -type netif_eth2_t, netif_type; -type netif_lo_t, netif_type; -type netif_ippp0_t, netif_type; - -type netif_ipsec0_t, netif_type; -type netif_ipsec1_t, netif_type; -type netif_ipsec2_t, netif_type; # # node_t is the default type of network nodes.