From bf080a46c858f9803876d32450cea4440f5e2807 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jan 06 2006 22:51:40 +0000 Subject: part of dan's mega patch --- diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular index d988436..da58eac 100644 --- a/refpolicy/Rules.modular +++ b/refpolicy/Rules.modular @@ -91,7 +91,7 @@ tmp/base.mod: base.conf # Construct a base.conf # base.conf: $(BASE_SECTIONS) - @echo "Creating $(NAME) base module policy.conf" + @echo "Creating $(NAME) base module base.conf" # checkpolicy can use the #line directives provided by -s for error reporting: $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ @@ -170,6 +170,16 @@ endif ######################################## # +# Remove the dontaudit rules from the base.conf +# +enableaudit: base.conf + @test -d tmp || mkdir -p tmp + @echo "Removing dontaudit rules from base.conf" + $(QUIET) grep -v dontaudit base.conf > tmp/base.audit + $(QUIET) mv tmp/base.audit base.conf + +######################################## +# # Appconfig files # $(APPDIR)/customizable_types: base.conf diff --git a/refpolicy/config/appconfig-strict-mcs/default_type b/refpolicy/config/appconfig-strict-mcs/default_type index d0a5932..5212ca4 100644 --- a/refpolicy/config/appconfig-strict-mcs/default_type +++ b/refpolicy/config/appconfig-strict-mcs/default_type @@ -1,3 +1,3 @@ -sysadm_r:sysadm_t:s0 -staff_r:staff_t:s0 -user_r:user_t:s0 +sysadm_r:sysadm_t +staff_r:staff_t +user_r:user_t diff --git a/refpolicy/config/appconfig-strict-mls/default_type b/refpolicy/config/appconfig-strict-mls/default_type index d0a5932..09ff05b 100644 --- a/refpolicy/config/appconfig-strict-mls/default_type +++ b/refpolicy/config/appconfig-strict-mls/default_type @@ -1,3 +1,4 @@ -sysadm_r:sysadm_t:s0 -staff_r:staff_t:s0 -user_r:user_t:s0 +sysadm_r:sysadm_t +secadm_r:secadm_t +staff_r:staff_t +user_r:user_t diff --git a/refpolicy/config/appconfig-strict-mls/initrc_context b/refpolicy/config/appconfig-strict-mls/initrc_context index 30ab971..5435ea4 100644 --- a/refpolicy/config/appconfig-strict-mls/initrc_context +++ b/refpolicy/config/appconfig-strict-mls/initrc_context @@ -1 +1 @@ -system_u:system_r:initrc_t:s0 +system_u:system_r:initrc_t:s0-s15:c0.c255 diff --git a/refpolicy/config/appconfig-targeted-mcs/default_type b/refpolicy/config/appconfig-targeted-mcs/default_type index 30fd6c0..7ba74a9 100644 --- a/refpolicy/config/appconfig-targeted-mcs/default_type +++ b/refpolicy/config/appconfig-targeted-mcs/default_type @@ -1 +1 @@ -system_r:unconfined_t:s0 +system_r:unconfined_t diff --git a/refpolicy/config/appconfig-targeted-mls/default_type b/refpolicy/config/appconfig-targeted-mls/default_type index 30fd6c0..7ba74a9 100644 --- a/refpolicy/config/appconfig-targeted-mls/default_type +++ b/refpolicy/config/appconfig-targeted-mls/default_type @@ -1 +1 @@ -system_r:unconfined_t:s0 +system_r:unconfined_t diff --git a/refpolicy/config/appconfig-targeted-mls/initrc_context b/refpolicy/config/appconfig-targeted-mls/initrc_context index dd0e5d9..bc60ff4 100644 --- a/refpolicy/config/appconfig-targeted-mls/initrc_context +++ b/refpolicy/config/appconfig-targeted-mls/initrc_context @@ -1 +1 @@ -user_u:system_r:unconfined_t:s0 +user_u:system_r:unconfined_t:s0-s15:c0.c255 diff --git a/refpolicy/man/man8/ftpd_selinux.8 b/refpolicy/man/man8/ftpd_selinux.8 new file mode 100644 index 0000000..4ce159a --- /dev/null +++ b/refpolicy/man/man8/ftpd_selinux.8 @@ -0,0 +1,56 @@ +.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation" +.SH "NAME" +ftpd_selinux \- Security Enhanced Linux Policy for the ftp daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the ftpd server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +If you want to share files anonymously, you must label the files and directories public_content_t. So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool. +.TP +chcon -R -t public_content_t /var/ftp +.TP +If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool. +.TP +chcon -t public_content_rw_t /var/ftp/incoming +.TP +You must also turn on the boolean allow_ftp_anon_write. +.TP +setsebool -P allow_ftp_anon_write=1 +.TP +If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. +.TP +/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +.br +/var/ftp(/.*)? system_u:object_r:public_content_t +/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t + +.SH BOOLEANS +SELinux ftp daemon policy is customizable based on least access required. So by +default SElinux does not allow users to login and read their home directories. +.br +If you are setting up this machine as a ftpd server and wish to allow users to access their home +directorories, you need to set the ftp_home_dir boolean. +.TP +setsebool -P ftp_home_dir 1 +.TP +ftpd can run either as a standalone daemon or as part of the xinetd domain. If you want to run ftpd as a daemon you must set the ftpd_is_daemon boolean. +.TP +setsebool -P ftpd_is_daemon 1 +.TP +You can disable SELinux protection for the ftpd daemon by executing: +.TP +setsebool -P ftpd_disable_trans 1 +.br +service vsftpd restart +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), ftpd(8), chcon(1), setsebool(8) + + diff --git a/refpolicy/man/man8/httpd_selinux.8 b/refpolicy/man/man8/httpd_selinux.8 new file mode 100644 index 0000000..e9d4774 --- /dev/null +++ b/refpolicy/man/man8/httpd_selinux.8 @@ -0,0 +1,123 @@ +.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" +.SH "NAME" +httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the httpd server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. +.TP +The following file contexts types are defined for httpd: +.br + +httpd_sys_content_t +.br +- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. +.br + +httpd_sys_script_exec_t +.br +- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +.br + +httpd_sys_script_ro_t +.br +- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access. +.br + +httpd_sys_script_rw_t +.br +- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. +.br + +httpd_sys_script_ra_t +.br +- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. + +httpd_unconfined_script_exec_t +.br +- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. +.br + +.SH NOTE +With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: + +setsebool -P allow_httpd_anon_write=1 + +or + +setsebool -P allow_httpd_sys_script_anon_write=1 + +.SH BOOLEANS +SELinux policy is customizable based on least access required. So by +default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +.TP +httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this +.br + +setsebool -P httpd_enable_cgi 1 + +.TP +httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +.br + +setsebool -P httpd_enable_homedirs 1 +.br +chcon -R -t httpd_sys_content_t ~user/public_html + +.TP +httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +.br + +setsebool -P httpd_tty_comm 1 + +.TP +httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. +.br + +setsebool -P httpd_unified 0 + +.TP +httpd can be configured to turn off internal scripting (PHP). PHP and other +loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. +.br + +setsebool -P httpd_builtin_scripting 0 + +.TP +httpd scripts by default are not allowed to connect out to the network. +This would prevent a hacker from breaking into you httpd server and attacking +other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. +.br + +setsebool -P httpd_can_network_connect 1 + +.TP +You can disable suexec transition, set httpd_suexec_disable_trans deny this +.br + +setsebool -P httpd_suexec_disable_trans 1 + +.TP +You can disable SELinux protection for the httpd daemon by executing: +.br + +setsebool -P httpd_disable_trans 1 +.br +service httpd restart + +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), httpd(8), chcon(1), setsebool(8) + + diff --git a/refpolicy/man/man8/kerberos_selinux.8 b/refpolicy/man/man8/kerberos_selinux.8 new file mode 100644 index 0000000..94b3228 --- /dev/null +++ b/refpolicy/man/man8/kerberos_selinux.8 @@ -0,0 +1,31 @@ +.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation" +.SH "NAME" +kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the system via flexible mandatory access +control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network. +.SH BOOLEANS +.TP +You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. +.TP +setsebool -P allow_kerberos 1 +.TP +If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans. +.br + +setsebool -P krb5kdc_disable_trans 1 +.br +service krb5kdc restart +.br +setsebool -P kadmind_disable_trans booleans 1 +.br +service kadmind restart + +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), kerberos(1), chcon(1), setsebool(8) diff --git a/refpolicy/man/man8/named_selinux.8 b/refpolicy/man/man8/named_selinux.8 new file mode 100644 index 0000000..2381614 --- /dev/null +++ b/refpolicy/man/man8/named_selinux.8 @@ -0,0 +1,29 @@ +.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" +.SH "NAME" +named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the named server via flexible mandatory access +control. +.SH BOOLEANS +SELinux policy is customizable based on least access required. So by +default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. +.TP +.br +setsebool -P named_write_master_zones 1 + +.TP +You can disable SELinux protection for the named daemon by executing: +.TP +setsebool -P named_disable_trans 1 +.br +service named restart +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), named(8), chcon(1), setsebool(8) + + diff --git a/refpolicy/man/man8/nfs_selinux.8 b/refpolicy/man/man8/nfs_selinux.8 new file mode 100644 index 0000000..422f042 --- /dev/null +++ b/refpolicy/man/man8/nfs_selinux.8 @@ -0,0 +1,30 @@ +.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation" +.SH "NAME" +nfs_selinux \- Security Enhanced Linux Policy for NFS +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the nfs server via flexible mandatory access +control. +.SH BOOLEANS +SELinux policy is customizable based on least access required. So by +default SElinux policy does not allow nfs to share files. If you want to +setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean. + +.TP +setsebool -P nfs_export_all_ro 1 +.TP +If you want to share files read/write you must set the nfs_export_all_rw boolean. +.TP +setsebool -P nfs_export_all_rw 1 + +.TP +If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean. +.TP +setsebool -P use_nfs_home_dirs 1 +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSpppO" +selinux(8), chcon(1), setsebool(8) diff --git a/refpolicy/man/man8/nis_selinux.8 b/refpolicy/man/man8/nis_selinux.8 new file mode 100644 index 0000000..6271c95 --- /dev/null +++ b/refpolicy/man/man8/nis_selinux.8 @@ -0,0 +1 @@ +.so man8/ypbind_selinux.8 diff --git a/refpolicy/man/man8/rsync_selinux.8 b/refpolicy/man/man8/rsync_selinux.8 new file mode 100644 index 0000000..8ff4429 --- /dev/null +++ b/refpolicy/man/man8/rsync_selinux.8 @@ -0,0 +1,41 @@ +.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" +.SH "NAME" +rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the rsync server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you +would need to label the directory with the chcon tool. +.TP +chcon -t public_content_t /var/rsync +.TP +If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. +.TP +/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +.br +/var/rsync(/.*)? system_u:object_r:public_content_t + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute: + +setsebool -P allow_rsync_anon_write=1 + + +.SH BOOLEANS +.TP +You can disable SELinux protection for the rsync daemon by executing: +.TP +setsebool -P rsync_disable_trans 1 +.br +service xinetd restart +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), rsync(1), chcon(1), setsebool(8) diff --git a/refpolicy/man/man8/samba_selinux.8 b/refpolicy/man/man8/samba_selinux.8 new file mode 100644 index 0000000..55e10ac --- /dev/null +++ b/refpolicy/man/man8/samba_selinux.8 @@ -0,0 +1,60 @@ +.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" +.SH "NAME" +samba_selinux \- Security Enhanced Linux Policy for Samba +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the Samba server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +If you want to share files other than home directories, those files must be +labeled samba_share_t. So if you created a special directory /var/eng, you +would need to label the directory with the chcon tool. +.TP +chcon -t samba_share_t /var/eng +.TP +If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. +.TP +/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +.br +/var/eng(/.*)? system_u:object_r:samba_share_t + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: + +setsebool -P allow_smb_anon_write=1 + +.SH BOOLEANS +.br +SELinux policy is customizable based on least access required. So by +default SElinux policy turns off SELinux sharing of home directories and +the use of Samba shares from a remote machine as a home directory. +.TP +If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. +.br + +setsebool -P samba_enable_home_dirs 1 +.TP +If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean. +.br + +setsebool -P use_samba_home_dirs 1 +.TP +You can disable SELinux protection for the samba daemon by executing: +.br + +setsebool -P smbd_disable_trans 1 +.br +service smb restart +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. + + + + +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), samba(7), chcon(1), setsebool(8) diff --git a/refpolicy/man/man8/ypbind_selinux.8 b/refpolicy/man/man8/ypbind_selinux.8 new file mode 100644 index 0000000..ed07681 --- /dev/null +++ b/refpolicy/man/man8/ypbind_selinux.8 @@ -0,0 +1,19 @@ +.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" +.SH "NAME" +ypbind_selinux \- Security Enhanced Linux Policy for NIS. +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the system via flexible mandatory access +control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network. +.SH BOOLEANS +.TP +You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. +.TP +setsebool -P allow_ypbind 1 +.TP +system-config-securitylevel is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh . + +.SH "SEE ALSO" +selinux(8), ypbind(8), chcon(1), setsebool(8) diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index ba62978..cfcb4d3 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -9,6 +9,9 @@ # Common tunables # +## Allow cvs daemon to read shadow +gen_tunable(allow_cvs_read_shadow,false) + ## Allow making anonymous memory executable, e.g. ## for runtime-code generation or executable stack. gen_tunable(allow_execmem,false) diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs index 5af2fc1..ce5ad18 100644 --- a/refpolicy/policy/mcs +++ b/refpolicy/policy/mcs @@ -19,263 +19,70 @@ dominance { s0 } # # Each category has a name and zero or more aliases. # -category c0; -category c1; -category c2; -category c3; -category c4; -category c5; -category c6; -category c7; -category c8; -category c9; -category c10; -category c11; -category c12; -category c13; -category c14; -category c15; -category c16; -category c17; -category c18; -category c19; -category c20; -category c21; -category c22; -category c23; -category c24; -category c25; -category c26; -category c27; -category c28; -category c29; -category c30; -category c31; -category c32; -category c33; -category c34; -category c35; -category c36; -category c37; -category c38; -category c39; -category c40; -category c41; -category c42; -category c43; -category c44; -category c45; -category c46; -category c47; -category c48; -category c49; -category c50; -category c51; -category c52; -category c53; -category c54; -category c55; -category c56; -category c57; -category c58; -category c59; -category c60; -category c61; -category c62; -category c63; -category c64; -category c65; -category c66; -category c67; -category c68; -category c69; -category c70; -category c71; -category c72; -category c73; -category c74; -category c75; -category c76; -category c77; -category c78; -category c79; -category c80; -category c81; -category c82; -category c83; -category c84; -category c85; -category c86; -category c87; -category c88; -category c89; -category c90; -category c91; -category c92; -category c93; -category c94; -category c95; -category c96; -category c97; -category c98; -category c99; -category c100; -category c101; -category c102; -category c103; -category c104; -category c105; -category c106; -category c107; -category c108; -category c109; -category c110; -category c111; -category c112; -category c113; -category c114; -category c115; -category c116; -category c117; -category c118; -category c119; -category c120; -category c121; -category c122; -category c123; -category c124; -category c125; -category c126; -category c127; -category c128; -category c129; -category c130; -category c131; -category c132; -category c133; -category c134; -category c135; -category c136; -category c137; -category c138; -category c139; -category c140; -category c141; -category c142; -category c143; -category c144; -category c145; -category c146; -category c147; -category c148; -category c149; -category c150; -category c151; -category c152; -category c153; -category c154; -category c155; -category c156; -category c157; -category c158; -category c159; -category c160; -category c161; -category c162; -category c163; -category c164; -category c165; -category c166; -category c167; -category c168; -category c169; -category c170; -category c171; -category c172; -category c173; -category c174; -category c175; -category c176; -category c177; -category c178; -category c179; -category c180; -category c181; -category c182; -category c183; -category c184; -category c185; -category c186; -category c187; -category c188; -category c189; -category c190; -category c191; -category c192; -category c193; -category c194; -category c195; -category c196; -category c197; -category c198; -category c199; -category c200; -category c201; -category c202; -category c203; -category c204; -category c205; -category c206; -category c207; -category c208; -category c209; -category c210; -category c211; -category c212; -category c213; -category c214; -category c215; -category c216; -category c217; -category c218; -category c219; -category c220; -category c221; -category c222; -category c223; -category c224; -category c225; -category c226; -category c227; -category c228; -category c229; -category c230; -category c231; -category c232; -category c233; -category c234; -category c235; -category c236; -category c237; -category c238; -category c239; -category c240; -category c241; -category c242; -category c243; -category c244; -category c245; -category c246; -category c247; -category c248; -category c249; -category c250; -category c251; -category c252; -category c253; -category c254; -category c255; - +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; +category c24; category c25; category c26; category c27; +category c28; category c29; category c30; category c31; +category c32; category c33; category c34; category c35; +category c36; category c37; category c38; category c39; +category c40; category c41; category c42; category c43; +category c44; category c45; category c46; category c47; +category c48; category c49; category c50; category c51; +category c52; category c53; category c54; category c55; +category c56; category c57; category c58; category c59; +category c60; category c61; category c62; category c63; +category c64; category c65; category c66; category c67; +category c68; category c69; category c70; category c71; +category c72; category c73; category c74; category c75; +category c76; category c77; category c78; category c79; +category c80; category c81; category c82; category c83; +category c84; category c85; category c86; category c87; +category c88; category c89; category c90; category c91; +category c92; category c93; category c94; category c95; +category c96; category c97; category c98; category c99; +category c100; category c101; category c102; category c103; +category c104; category c105; category c106; category c107; +category c108; category c109; category c110; category c111; +category c112; category c113; category c114; category c115; +category c116; category c117; category c118; category c119; +category c120; category c121; category c122; category c123; +category c124; category c125; category c126; category c127; +category c128; category c129; category c130; category c131; +category c132; category c133; category c134; category c135; +category c136; category c137; category c138; category c139; +category c140; category c141; category c142; category c143; +category c144; category c145; category c146; category c147; +category c148; category c149; category c150; category c151; +category c152; category c153; category c154; category c155; +category c156; category c157; category c158; category c159; +category c160; category c161; category c162; category c163; +category c164; category c165; category c166; category c167; +category c168; category c169; category c170; category c171; +category c172; category c173; category c174; category c175; +category c176; category c177; category c178; category c179; +category c180; category c181; category c182; category c183; +category c184; category c185; category c186; category c187; +category c188; category c189; category c190; category c191; +category c192; category c193; category c194; category c195; +category c196; category c197; category c198; category c199; +category c200; category c201; category c202; category c203; +category c204; category c205; category c206; category c207; +category c208; category c209; category c210; category c211; +category c212; category c213; category c214; category c215; +category c216; category c217; category c218; category c219; +category c220; category c221; category c222; category c223; +category c224; category c225; category c226; category c227; +category c228; category c229; category c230; category c231; +category c232; category c233; category c234; category c235; +category c236; category c237; category c238; category c239; +category c240; category c241; category c242; category c243; +category c244; category c245; category c246; category c247; +category c248; category c249; category c250; category c251; +category c252; category c253; category c254; category c255; # # Each MCS level specifies a sensitivity and zero or more categories which may diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls index dc1ab87..6f585f6 100644 --- a/refpolicy/policy/mls +++ b/refpolicy/policy/mls @@ -33,262 +33,70 @@ dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } # # Each category has a name and zero or more aliases. # -category c0; -category c1; -category c2; -category c3; -category c4; -category c5; -category c6; -category c7; -category c8; -category c9; -category c10; -category c11; -category c12; -category c13; -category c14; -category c15; -category c16; -category c17; -category c18; -category c19; -category c20; -category c21; -category c22; -category c23; -category c24; -category c25; -category c26; -category c27; -category c28; -category c29; -category c30; -category c31; -category c32; -category c33; -category c34; -category c35; -category c36; -category c37; -category c38; -category c39; -category c40; -category c41; -category c42; -category c43; -category c44; -category c45; -category c46; -category c47; -category c48; -category c49; -category c50; -category c51; -category c52; -category c53; -category c54; -category c55; -category c56; -category c57; -category c58; -category c59; -category c60; -category c61; -category c62; -category c63; -category c64; -category c65; -category c66; -category c67; -category c68; -category c69; -category c70; -category c71; -category c72; -category c73; -category c74; -category c75; -category c76; -category c77; -category c78; -category c79; -category c80; -category c81; -category c82; -category c83; -category c84; -category c85; -category c86; -category c87; -category c88; -category c89; -category c90; -category c91; -category c92; -category c93; -category c94; -category c95; -category c96; -category c97; -category c98; -category c99; -category c100; -category c101; -category c102; -category c103; -category c104; -category c105; -category c106; -category c107; -category c108; -category c109; -category c110; -category c111; -category c112; -category c113; -category c114; -category c115; -category c116; -category c117; -category c118; -category c119; -category c120; -category c121; -category c122; -category c123; -category c124; -category c125; -category c126; -category c127; -category c128; -category c129; -category c130; -category c131; -category c132; -category c133; -category c134; -category c135; -category c136; -category c137; -category c138; -category c139; -category c140; -category c141; -category c142; -category c143; -category c144; -category c145; -category c146; -category c147; -category c148; -category c149; -category c150; -category c151; -category c152; -category c153; -category c154; -category c155; -category c156; -category c157; -category c158; -category c159; -category c160; -category c161; -category c162; -category c163; -category c164; -category c165; -category c166; -category c167; -category c168; -category c169; -category c170; -category c171; -category c172; -category c173; -category c174; -category c175; -category c176; -category c177; -category c178; -category c179; -category c180; -category c181; -category c182; -category c183; -category c184; -category c185; -category c186; -category c187; -category c188; -category c189; -category c190; -category c191; -category c192; -category c193; -category c194; -category c195; -category c196; -category c197; -category c198; -category c199; -category c200; -category c201; -category c202; -category c203; -category c204; -category c205; -category c206; -category c207; -category c208; -category c209; -category c210; -category c211; -category c212; -category c213; -category c214; -category c215; -category c216; -category c217; -category c218; -category c219; -category c220; -category c221; -category c222; -category c223; -category c224; -category c225; -category c226; -category c227; -category c228; -category c229; -category c230; -category c231; -category c232; -category c233; -category c234; -category c235; -category c236; -category c237; -category c238; -category c239; -category c240; -category c241; -category c242; -category c243; -category c244; -category c245; -category c246; -category c247; -category c248; -category c249; -category c250; -category c251; -category c252; -category c253; -category c254; -category c255; +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; +category c24; category c25; category c26; category c27; +category c28; category c29; category c30; category c31; +category c32; category c33; category c34; category c35; +category c36; category c37; category c38; category c39; +category c40; category c41; category c42; category c43; +category c44; category c45; category c46; category c47; +category c48; category c49; category c50; category c51; +category c52; category c53; category c54; category c55; +category c56; category c57; category c58; category c59; +category c60; category c61; category c62; category c63; +category c64; category c65; category c66; category c67; +category c68; category c69; category c70; category c71; +category c72; category c73; category c74; category c75; +category c76; category c77; category c78; category c79; +category c80; category c81; category c82; category c83; +category c84; category c85; category c86; category c87; +category c88; category c89; category c90; category c91; +category c92; category c93; category c94; category c95; +category c96; category c97; category c98; category c99; +category c100; category c101; category c102; category c103; +category c104; category c105; category c106; category c107; +category c108; category c109; category c110; category c111; +category c112; category c113; category c114; category c115; +category c116; category c117; category c118; category c119; +category c120; category c121; category c122; category c123; +category c124; category c125; category c126; category c127; +category c128; category c129; category c130; category c131; +category c132; category c133; category c134; category c135; +category c136; category c137; category c138; category c139; +category c140; category c141; category c142; category c143; +category c144; category c145; category c146; category c147; +category c148; category c149; category c150; category c151; +category c152; category c153; category c154; category c155; +category c156; category c157; category c158; category c159; +category c160; category c161; category c162; category c163; +category c164; category c165; category c166; category c167; +category c168; category c169; category c170; category c171; +category c172; category c173; category c174; category c175; +category c176; category c177; category c178; category c179; +category c180; category c181; category c182; category c183; +category c184; category c185; category c186; category c187; +category c188; category c189; category c190; category c191; +category c192; category c193; category c194; category c195; +category c196; category c197; category c198; category c199; +category c200; category c201; category c202; category c203; +category c204; category c205; category c206; category c207; +category c208; category c209; category c210; category c211; +category c212; category c213; category c214; category c215; +category c216; category c217; category c218; category c219; +category c220; category c221; category c222; category c223; +category c224; category c225; category c226; category c227; +category c228; category c229; category c230; category c231; +category c232; category c233; category c234; category c235; +category c236; category c237; category c238; category c239; +category c240; category c241; category c242; category c243; +category c244; category c245; category c246; category c247; +category c248; category c249; category c250; category c251; +category c252; category c253; category c254; category c255; # @@ -358,7 +166,7 @@ level s15:c0.c255; mlsconstrain { file lnk_file fifo_file } { create relabelto } ( l2 eq h2 ); -# new file labels must be dominated by the relabeling subject clearance +# new file labels must be dominated by the relabeling subjects clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto ( h1 dom h2 ); @@ -431,7 +239,7 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create # MLS policy for the filesystem class # -# new filesystem labels must be dominated by the relabeling subject clearance +# new filesystem labels must be dominated by the relabeling subjects clearance mlsconstrain filesystem relabelto ( h1 dom h2 ); @@ -457,7 +265,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # MLS policy for the socket classes # -# new socket labels must be dominated by the relabeling subject clearance +# new socket labels must be dominated by the relabeling subjects clearance mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto ( h1 dom h2 ); @@ -566,7 +374,7 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send } # MLS policy for the process class # -# new process labels must be dominated by the relabeling subject clearance +# new process labels must be dominated by the relabeling subjects clearance # and sensitivity level changes require privilege mlsconstrain process transition (( h1 dom h2 ) and @@ -686,7 +494,8 @@ mlsconstrain window { listprop getattr enumerate mousemotion inputevent draweven mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent } (( l1 eq l2 ) or (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); + ( t1 == mlsxwinwrite ) or + ( t2 == mlstrustedobject )); # these access vectors have no MLS restrictions # window { map unmap } @@ -724,12 +533,14 @@ mlsconstrain font free mlsconstrain colormap { list read getattr } (( l1 dom l2 ) or (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadcolormap ) or ( t1 == mlsxwinread )); # the colormap "write" ops (implicit single level) mlsconstrain colormap { create free install uninstall store setattr } (( l1 eq l2 ) or (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritecolormap ) or ( t1 == mlsxwinwrite )); @@ -743,12 +554,14 @@ mlsconstrain colormap { create free install uninstall store setattr } mlsconstrain property { read } (( l1 dom l2 ) or (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadproperty ) or ( t1 == mlsxwinread )); # the property "write" ops (implicit single level) mlsconstrain property { create free write } (( l1 eq l2 ) or (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwriteproperty ) or ( t1 == mlsxwinwrite )); @@ -784,16 +597,14 @@ mlsconstrain xclient kill # MLS policy for the xinput class # -# the xinput "read" ops (implicit single level) -mlsconstrain xinput { lookup getattr mousemotion } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); +# these access vectors have no MLS restrictions +# xinput ~{ relabelinput setattr } # the xinput "write" ops (implicit single level) -mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput } +mlsconstrain xinput { setattr relabelinput } (( l1 eq l2 ) or (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritexinput ) or ( t1 == mlsxwinwrite )); @@ -803,17 +614,8 @@ mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab # MLS policy for the xserver class # -# the xserver "read" ops (implicit single level) -mlsconstrain xserver { gethostlist getfontpath getattr screensaver } - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the xserver "write" ops (implicit single level) -mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver } - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); +# these access vectors have no MLS restrictions +# xserver * @@ -822,17 +624,8 @@ mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver } # MLS policy for the xextension class # -# the xextension "read" ops (implicit single level) -mlsconstrain xextension query - (( l1 dom l2 ) or - (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsxwinread )); - -# the xextension "write" ops (implicit single level) -mlsconstrain xextension use - (( l1 eq l2 ) or - (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsxwinwrite )); +# these access vectors have no MLS restrictions +# xextension { query use } # diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index 4c021dd..8151576 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -1,5 +1,5 @@ -policy_module(kudzu,1.0.0) +policy_module(kudzu,1.0.1) ######################################## # @@ -23,7 +23,8 @@ files_pid_file(kudzu_var_run_t) allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; dontaudit kudzu_t self:capability sys_tty_config; -allow kudzu_t self:process signal_perms; +allow kudzu_t self:process { signal_perms execmem }; +auditallow kudzu_t self:process execmem; allow kudzu_t self:fifo_file rw_file_perms; allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow kudzu_t self:unix_dgram_socket create_socket_perms; @@ -61,6 +62,8 @@ fs_search_auto_mountpoints(kudzu_t) fs_search_ramfs(kudzu_t) fs_write_ramfs_socket(kudzu_t) +mls_file_read_up(kudzu_t) + modutils_read_mods_deps(kudzu_t) modutils_read_module_conf(kudzu_t) modutils_rename_module_conf(kudzu_t) @@ -130,10 +133,6 @@ ifdef(`targeted_policy',` unconfined_domain_template(kudzu_t) ') -tunable_policy(`allow_execmem',` - allow kudzu_t self:process execmem; -') - optional_policy(`gpm',` gpm_getattr_gpmctl(kudzu_t) ') diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 5f151a8..cbd298a 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -1,5 +1,5 @@ -policy_module(logrotate,1.1.1) +policy_module(logrotate,1.1.2) ######################################## # @@ -72,6 +72,10 @@ dev_read_urand(logrotate_t) fs_search_auto_mountpoints(logrotate_t) fs_getattr_xattr_fs(logrotate_t) +mls_file_read_up(logrotate_t) +mls_file_write_down(logrotate_t) +mls_file_upgrade(logrotate_t) + selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc index 7bbff29..f8463b6 100644 --- a/refpolicy/policy/modules/admin/rpm.fc +++ b/refpolicy/policy/modules/admin/rpm.fc @@ -1,5 +1,6 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 27194c3..7439414 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.1.1) +policy_module(rpm,1.1.2) ######################################## # @@ -114,6 +114,10 @@ fs_manage_nfs_symlinks(rpm_t) fs_getattr_all_fs(rpm_t) fs_search_auto_mountpoints(rpm_t) +mls_file_read_up(rpm_t) +mls_file_write_down(rpm_t) +mls_file_upgrade(rpm_t) + selinux_get_fs_mount(rpm_t) selinux_validate_context(rpm_t) selinux_compute_access_vector(rpm_t) @@ -269,6 +273,9 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) +mls_file_read_up(rpm_script_t) +mls_file_write_down(rpm_script_t) + selinux_get_fs_mount(rpm_script_t) selinux_validate_context(rpm_script_t) selinux_compute_access_vector(rpm_script_t) @@ -328,17 +335,17 @@ ifdef(`distro_redhat',` ifdef(`targeted_policy',` unconfined_domain_template(rpm_script_t) ',` - ifdef(`distro_redhat',` - optional_policy(`mta',` - mta_send_mail(rpm_script_t) - ') - ') - optional_policy(`bootloader',` bootloader_domtrans(rpm_script_t) ') ') +ifdef(`distro_redhat',` + optional_policy(`mta',` + mta_send_mail(rpm_script_t) + ') +') + tunable_policy(`allow_execmem',` allow rpm_script_t self:process execmem; ') diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te index 6191a7b..4873cd0 100644 --- a/refpolicy/policy/modules/admin/tmpreaper.te +++ b/refpolicy/policy/modules/admin/tmpreaper.te @@ -1,5 +1,5 @@ -policy_module(tmpreaper,1.0.0) +policy_module(tmpreaper,1.0.1) ######################################## # @@ -31,6 +31,9 @@ files_purge_tmp(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +mls_file_read_up(tmpreaper_t) +mls_file_write_down(tmpreaper_t) + libs_use_ld_so(tmpreaper_t) libs_use_shared_libs(tmpreaper_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 88a0b72..0316748 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.1.0) +policy_module(usermanage,1.1.1) ######################################## # @@ -136,6 +136,10 @@ optional_policy(`nis',` nis_use_ypbind(chfn_t) ') +optional_policy(`nscd',` + nscd_use_socket(chfn_t) +') + ######################################## # # Crack local policy @@ -197,7 +201,7 @@ allow groupadd_t self:unix_dgram_socket create_socket_perms; allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; allow groupadd_t self:unix_stream_socket connectto; -allow groupadd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; +allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) @@ -262,7 +266,7 @@ optional_policy(`rpm',` # Passwd local policy # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write }; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; @@ -338,6 +342,10 @@ optional_policy(`nis',` nis_use_ypbind(passwd_t) ') +optional_policy(`nscd',` + nscd_use_socket(passwd_t) +') + ######################################## # # Password admin local policy @@ -443,7 +451,7 @@ allow useradd_t self:unix_dgram_socket create_socket_perms; allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; -allow useradd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; +allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 67353a0..3cea361 100644 --- a/refpolicy/policy/modules/apps/webalizer.te +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -1,5 +1,5 @@ -policy_module(webalizer,1.1.0) +policy_module(webalizer,1.1.1) ######################################## # @@ -87,6 +87,7 @@ miscfiles_read_localization(webalizer_t) sysnet_read_config(webalizer_t) userdom_use_unpriv_users_fd(webalizer_t) +userdom_dontaudit_search_all_users_home(webalizer_t) apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index 8fca398..f012e7f 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc +++ b/refpolicy/policy/modules/kernel/corecommands.fc @@ -64,6 +64,8 @@ ifdef(`targeted_policy',` # /lib # +/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_gentoo',` /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) ') diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index a5040fb..960016c 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.0.1) +policy_module(corenetwork,1.0.2) ######################################## # @@ -143,15 +143,15 @@ portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0) # nodes in net_contexts or net_contexts.mls. # type node_t, node_type; -sid node gen_context(system_u:object_r:node_t,s0) +sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255) network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::) network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255) type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, ) -network_node(lo, s0, 127.0.0.1, 255.255.255.255) +network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255) network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) -network_node(multicast, s0, ff00::, ff00::) +network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::) network_node(site_local, s0, fec0::, ffc0::) network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) @@ -164,7 +164,9 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) # netif_t is the default type of network interfaces. # type netif_t, netif_type; -sid netif gen_context(system_u:object_r:netif_t,s0) +sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255) -#network_interface(lo, lo,s0) +ifdef(`enable_mls', ` +network_interface(lo, lo,s0 - s15:c0.c255) +') #network_interface(eth0, eth0,s0) diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc index d11b6b0..0cf1cc1 100644 --- a/refpolicy/policy/modules/kernel/devices.fc +++ b/refpolicy/policy/modules/kernel/devices.fc @@ -15,12 +15,12 @@ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) -/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) -/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s0) +/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -/dev/mem -c gen_context(system_u:object_r:memory_device_t,s0) +/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -28,17 +28,17 @@ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s0) +/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -/dev/port -c gen_context(system_u:object_r:memory_device_t,s0) +/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) +/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) /dev/psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) -/dev/rtc -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/rtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -72,9 +72,9 @@ ifdef(`distro_suse', ` /dev/pts(/.*)? <> -/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc index bfc99f5..073712d 100644 --- a/refpolicy/policy/modules/kernel/files.fc +++ b/refpolicy/policy/modules/kernel/files.fc @@ -24,7 +24,7 @@ ifdef(`distro_suse',` # /boot # /boot/\.journal <> -/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /boot/lost\+found/.* <> # @@ -89,10 +89,10 @@ ifdef(`distro_suse',` # HOME_ROOT # expanded by genhomedircon # -HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0) +HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s15:c0.c255) HOME_ROOT/\.journal <> -HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) -HOME_ROOT/lost\+found/.* <> +HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) +HOME_ROOT/lost\+found/.* <> # # /initrd @@ -103,7 +103,7 @@ HOME_ROOT/lost\+found/.* <> # # /lost+found # -/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /lost\+found/.* <> # @@ -150,11 +150,11 @@ HOME_ROOT/lost\+found/.* <> # # /tmp # -/tmp -d gen_context(system_u:object_r:tmp_t,s0) +/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /tmp/.* <> /tmp/\.journal <> -/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /tmp/lost\+found/.* <> # @@ -171,19 +171,19 @@ HOME_ROOT/lost\+found/.* <> /usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) -/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /usr/local/lost\+found/.* <> /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) -/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /usr/lost\+found/.* <> /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) -/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0) +/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /usr/tmp/.* <> # @@ -202,16 +202,17 @@ HOME_ROOT/lost\+found/.* <> /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) -/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /var/lost\+found/.* <> -/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0) +/var/run -d gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255) +/var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) -/var/tmp -d gen_context(system_u:object_r:tmp_t,s0) +/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255) /var/tmp/.* <> -/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0) +/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /var/tmp/lost\+found/.* <> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 4b05302..91291d6 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -31,6 +31,10 @@ interface(`kernel_userland_entry',` allow $1 kernel_t:fd use; allow $1 kernel_t:fifo_file rw_file_perms; allow $1 kernel_t:process sigchld; + + ifdef(`enable_mls',` + allow kernel_t $1:process noatsecure; + ') ') ######################################## @@ -436,7 +440,7 @@ interface(`kernel_read_debugfs',` type debugfs_t; ') - allow $1 debugfs_t:dir r_file_perms; + allow $1 debugfs_t:dir r_dir_perms; allow $1 debugfs_t:file r_file_perms; allow $1 debugfs_t:lnk_file { getattr read }; ') @@ -1680,6 +1684,7 @@ interface(`kernel_relabel_unlabeled',` gen_require_set({ getattr relabelfrom },dir_file_class_set) ') + kernel_list_unlabeled($1) allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom }; ') diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index e6973f3..4300355 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.1.0) +policy_module(kernel,1.1.1) ######################################## # @@ -38,7 +38,7 @@ type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) mls_rangetrans_source(kernel_t) role system_r types kernel_t; -sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127) +sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255) # # DebugFS @@ -61,13 +61,13 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) # kernel message interface type proc_kmsg_t, proc_type; -genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s0) +genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255) neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; # /proc kcore: inaccessible type proc_kcore_t, proc_type; neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr; -genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s0) +genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) @@ -132,18 +132,18 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) # have labels that are no longer valid are treated as having this type. # type unlabeled_t; -sid unlabeled gen_context(system_u:object_r:unlabeled_t,s0) +sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) # These initial sids are no longer used, and can be removed: -sid any_socket gen_context(system_u:object_r:unlabeled_t,s0) +sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) -sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s0) -sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s0) +sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) +sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid init gen_context(system_u:object_r:unlabeled_t,s0) -sid kmod gen_context(system_u:object_r:unlabeled_t,s0) -sid netmsg gen_context(system_u:object_r:unlabeled_t,s0) -sid policy gen_context(system_u:object_r:unlabeled_t,s0) -sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s0) +sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) +sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) +sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) +sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) @@ -151,7 +151,7 @@ sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) -sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s0) +sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) ######################################## # @@ -197,9 +197,13 @@ corenet_non_ipsec_sendrecv(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) corenet_raw_sendrecv_all_nodes(kernel_t) +corenet_raw_send_generic_if(kernel_t) + # Kernel-generated traffic e.g., TCP resets: corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) +corenet_raw_send_generic_node(kernel_t) +corenet_raw_send_multicast_node(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 964c52b..1186c59 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.1.1) +policy_module(mls,1.1.2) ######################################## # @@ -36,8 +36,11 @@ attribute mlsxwinread; attribute mlsxwinreadtoclr; attribute mlsxwinwrite; attribute mlsxwinwritetoclr; -attribute mlsxwinupgrade; -attribute mlsxwindowngrade; +attribute mlsxwinreadproperty; +attribute mlsxwinwriteproperty; +attribute mlsxwinreadcolormap; +attribute mlsxwinwritecolormap; +attribute mlsxwinwritexinput; attribute mlstrustedobject; diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te index 3f06358..750941b 100644 --- a/refpolicy/policy/modules/kernel/selinux.te +++ b/refpolicy/policy/modules/kernel/selinux.te @@ -1,5 +1,5 @@ -policy_module(selinux,1.0.0) +policy_module(selinux,1.0.1) ######################################## # @@ -18,7 +18,7 @@ attribute can_setsecparam; type security_t; fs_type(security_t) mls_trusted_object(security_t) -sid security gen_context(system_u:object_r:security_t,s0) +sid security gen_context(system_u:object_r:security_t,s15:c0.c255) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) neverallow ~can_load_policy security_t:security load_policy; diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc index 287099a..d3cc161 100644 --- a/refpolicy/policy/modules/kernel/storage.fc +++ b/refpolicy/policy/modules/kernel/storage.fc @@ -5,35 +5,35 @@ /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) -/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) -/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) +/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) ifdef(`distro_redhat', ` -/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) ') /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0) @@ -41,21 +41,23 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255) -/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) -/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) -/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) -/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) + +/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) -/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) -/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) -/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0) +/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255) /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc index e43d08c..2fd702d 100644 --- a/refpolicy/policy/modules/kernel/terminal.fc +++ b/refpolicy/policy/modules/kernel/terminal.fc @@ -17,6 +17,8 @@ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) +/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255) + /dev/vcc?/.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/vcs[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index cbab9d0..916a05a 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.0.2) +policy_module(automount,1.0.3) ######################################## # @@ -65,7 +65,7 @@ kernel_list_proc(automount_t) bootloader_getattr_boot_dir(automount_t) -corecmd_search_sbin(automount_t) +corecmd_exec_sbin(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) @@ -80,6 +80,8 @@ corenet_tcp_sendrecv_all_ports(automount_t) corenet_udp_sendrecv_all_ports(automount_t) corenet_tcp_bind_all_nodes(automount_t) corenet_udp_bind_all_nodes(automount_t) +corenet_tcp_connect_portmap_port(automount_t) +corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t) dev_read_sysfs(automount_t) # for SSP @@ -113,6 +115,7 @@ libs_use_ld_so(automount_t) libs_use_shared_libs(automount_t) logging_send_syslog_msg(automount_t) +logging_search_logs(automount_t) miscfiles_read_localization(automount_t) diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if index c84daf6..871da08 100644 --- a/refpolicy/policy/modules/services/bind.if +++ b/refpolicy/policy/modules/services/bind.if @@ -188,3 +188,22 @@ interface(`bind_setattr_pid_dir',` allow $1 named_var_run_t:dir setattr; ') + +######################################## +## +## Read BIND zone files. +## +## +## Domain allowed access. +## +# +interface(`bind_read_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + allow $1 named_zone_t:dir search_dir_perms; + allow $1 named_zone_t:file r_file_perms; +') + diff --git a/refpolicy/policy/modules/services/bluetooth.if b/refpolicy/policy/modules/services/bluetooth.if index e2db8fe..d130b38 100644 --- a/refpolicy/policy/modules/services/bluetooth.if +++ b/refpolicy/policy/modules/services/bluetooth.if @@ -2,6 +2,22 @@ ######################################## ## +## Read bluetooth daemon configuration. +## +## +## Domain allowed access. +## +# +interface(`bluetooth_read_config',` + gen_require(` + type bluetooth_conf_t; + ') + + allow $1 bluetooth_conf_t:file { getattr read ioctl }; +') + +######################################## +## ## Execute bluetooth_helper in the bluetooth_helper domain. ## ## diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 9b2fddf..5588040 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron, 1.1.1) +policy_module(cron,1.1.2) gen_require(` class passwd rootok; @@ -120,6 +120,7 @@ files_search_default(crond_t) init_use_fd(crond_t) init_use_script_pty(crond_t) +init_read_script_pid(crond_t) libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 05aed4c..35f0305 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -365,6 +365,7 @@ allow initrc_t printer_device_t:chr_file getattr; allow initrc_t ptal_var_run_t:dir rmdir; allow initrc_t ptal_var_run_t:fifo_file unlink; +allow initrc_t cupsd_rw_etc_t:file r_file_perms; ######################################## # diff --git a/refpolicy/policy/modules/services/cvs.fc b/refpolicy/policy/modules/services/cvs.fc index d653924..689a960 100644 --- a/refpolicy/policy/modules/services/cvs.fc +++ b/refpolicy/policy/modules/services/cvs.fc @@ -1,2 +1,7 @@ +/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) + +/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te index 6ee29d7..08d2ad1 100644 --- a/refpolicy/policy/modules/services/cvs.te +++ b/refpolicy/policy/modules/services/cvs.te @@ -1,5 +1,5 @@ -policy_module(cvs,1.1.0) +policy_module(cvs,1.1.1) ######################################## # @@ -86,6 +86,12 @@ sysnet_read_config(cvs_t) mta_send_mail(cvs_t) +# cjp: typeattribute doesnt work in conditionals yet +auth_can_read_shadow_passwords(cvs_t) +tunable_policy(`allow_cvs_read_shadow',` + auth_tunable_read_shadow(cvs_t) +') + optional_policy(`kerberos',` kerberos_use(cvs_t) kerberos_read_keytab(cvs_t) diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index a271d27..66468e1 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if @@ -206,6 +206,22 @@ template(`dbus_system_bus_client_template',` ######################################## ## +## Read dbus configuration. +## +## +## Domain allowed access. +## +# +interface(`dbus_read_config',` + gen_require(` + type dbusd_etc_t; + ') + + allow $1 dbusd_etc_t:file r_file_perms; +') + +######################################## +## ## Connect to the the system DBUS ## for service (acquire_svc). ## diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index 4287366..e5b58d9 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.1.1) +policy_module(dovecot,1.1.2) ######################################## # @@ -95,6 +95,7 @@ domain_use_wide_inherit_fd(dovecot_t) files_read_etc_files(dovecot_t) files_search_spool(dovecot_t) files_search_tmp(dovecot_t) +files_dontaudit_list_default(dovecot_t) init_use_fd(dovecot_t) init_use_script_pty(dovecot_t) diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 78365a0..4c79f65 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.1.3) +policy_module(hal,1.1.4) ######################################## # @@ -105,6 +105,7 @@ storage_raw_write_fixed_disk(hald_t) term_dontaudit_use_console(hald_t) term_dontaudit_ioctl_unallocated_ttys(hald_t) +term_dontaudit_use_unallocated_tty(hald_t) init_use_fd(hald_t) init_use_script_pty(hald_t) diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index 479293f..2010674 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -1,5 +1,5 @@ -policy_module(ldap,1.1.0) +policy_module(ldap,1.1.1) ######################################## # @@ -138,6 +138,10 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_file(slapd_t) ') +optional_policy(`kerberos',` + kerberos_use(slapd_t) +') + optional_policy(`nis',` nis_use_ypbind(slapd_t) ') diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te index 38fe0c2..8e3e8dd 100644 --- a/refpolicy/policy/modules/services/ppp.te +++ b/refpolicy/policy/modules/services/ppp.te @@ -1,5 +1,5 @@ -policy_module(ppp,1.1.0) +policy_module(ppp,1.1.1) ######################################## # @@ -318,10 +318,8 @@ optional_policy(`udev',` udev_read_db(pptp_t) ') -ifdef(`postfix.te', ` - allow pppd_t postfix_etc_t:dir search; - allow pppd_t postfix_etc_t:file r_file_perms; - allow pppd_t postfix_master_exec_t:file { getattr read }; +optional_policy(`postfix',` + postfix_read_config(pppd_t) ') domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t) diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index b95b323..7dfb861 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -1,5 +1,5 @@ -policy_module(remotelogin,1.0.0) +policy_module(remotelogin,1.0.1) ######################################## # @@ -106,6 +106,7 @@ libs_use_shared_libs(remote_login_t) logging_send_syslog_msg(remote_login_t) +mls_file_read_up(remote_login_t) mls_file_write_down(remote_login_t) mls_file_upgrade(remote_login_t) mls_file_downgrade(remote_login_t) diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if index fd422c8..52b961f 100644 --- a/refpolicy/policy/modules/services/samba.if +++ b/refpolicy/policy/modules/services/samba.if @@ -158,6 +158,7 @@ interface(`samba_read_log',` ') logging_search_logs($1) + allow $1 samba_log_t:dir r_dir_perms; allow $1 samba_log_t:file { read getattr lock }; ') diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te index 625bbea..39745b7 100644 --- a/refpolicy/policy/modules/services/sasl.te +++ b/refpolicy/policy/modules/services/sasl.te @@ -1,5 +1,5 @@ -policy_module(sasl,1.1.0) +policy_module(sasl,1.1.1) ######################################## # @@ -87,10 +87,11 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(saslauthd_t) ') -# cjp: typeattribute doesnt work in conditionals yet -#tunable_policy(`allow_saslauthd_read_shadow',` -# auth_read_shadow(saslauthd_t) -#') +# cjp: typeattribute dont work in conditionals yet +auth_can_read_shadow_passwords(saslauthd_t) +tunable_policy(`allow_saslauthd_read_shadow',` + auth_tunable_read_shadow(saslauthd_t) +') optional_policy(`mysql',` mysql_search_db_dir(saslauthd_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 7a9c558..c207b54 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail,1.1.0) +policy_module(sendmail,1.1.1) ######################################## # @@ -15,15 +15,10 @@ files_tmp_file(sendmail_tmp_t) type sendmail_var_run_t; files_pid_file(sendmail_var_run_t) -ifdef(`targeted_policy',` - unconfined_alias_domain(sendmail_t) - mta_sendmail_mailserver(sendmail_t) -',` - type sendmail_t; - mta_sendmail_mailserver(sendmail_t) - mta_mailserver_delivery(sendmail_t) - mta_mailserver_sender(sendmail_t) -') +type sendmail_t; +mta_sendmail_mailserver(sendmail_t) +mta_mailserver_delivery(sendmail_t) +mta_mailserver_sender(sendmail_t) ######################################## # @@ -31,9 +26,11 @@ ifdef(`targeted_policy',` # allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:process signal; allow sendmail_t self:fifo_file rw_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:tcp_socket create_stream_socket_perms; allow sendmail_t sendmail_log_t:file create_file_perms; allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr }; @@ -111,7 +108,7 @@ ifdef(`targeted_policy',` allow sendmail_t sendmail_tmp_t:file create_file_perms; files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir }) - allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink }; + allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock }; files_create_pid(sendmail_t,sendmail_var_run_t) ') @@ -128,6 +125,10 @@ optional_policy(`postfix',` postfix_search_spool(sendmail_t) ') +optional_policy(`procmail',` + procmail_domtrans(sendmail_t) +') + optional_policy(`selinuxutil',` seutil_sigchld_newrole(sendmail_t) ') @@ -152,12 +153,5 @@ allow user_mail_domain etc_mail_t:file rw_file_perms; # Silently deny attempts to access /root. dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; -# Run procmail in its own domain, if defined. -ifdef(`procmail.te',` -corecmd_search_bin(sendmail_t) -procmail_domtrans(sendmail_t) -domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t) -') - dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; ') dnl end TODO diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 2170c29..6d48614 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.1.0) +policy_module(ssh,1.1.1) ######################################## # @@ -87,14 +87,16 @@ ifdef(`targeted_policy',`',` # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) + mls_file_read_up(sshd_t) + mls_file_write_down(sshd_t) + mls_file_upgrade(sshd_t) + mls_file_downgrade(sshd_t) + mls_process_set_level(sshd_t) + auth_exec_pam(sshd_t) seutil_read_config(sshd_t) - ifdef(`targeted_policy',` - unconfined_domain_template(sshd_t) - ') - tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 6118ed9..310aaee 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -319,16 +319,31 @@ interface(`auth_dontaudit_getattr_shadow',` ## The type of the process performing this action. ## # +# cjp: these next three interfaces are split +# since typeattribute does not work in conditionals +# yet, otherwise they should be one interface. +# interface(`auth_read_shadow',` + auth_can_read_shadow_passwords($1) + auth_tunable_read_shadow($1) +') + +interface(`auth_can_read_shadow_passwords',` gen_require(` attribute can_read_shadow_passwords; + ') + + typeattribute $1 can_read_shadow_passwords; +') + +interface(`auth_tunable_read_shadow',` + gen_require(` type shadow_t; class file r_file_perms; ') files_list_etc($1) allow $1 shadow_t:file r_file_perms; - typeattribute $1 can_read_shadow_passwords; ') ######################################## diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 0cc1104..60b3ee8 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.1.0) +policy_module(authlogin,1.1.1) ######################################## # @@ -211,6 +211,7 @@ libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) mls_file_read_up(pam_console_t) +mls_file_write_down(pam_console_t) seutil_read_file_contexts(pam_console_t) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 9900234..7eeb20c 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -1,5 +1,5 @@ -policy_module(getty,1.0.0) +policy_module(getty,1.0.1) ######################################## # @@ -69,6 +69,9 @@ fs_search_auto_mountpoints(getty_t) # for error condition handling fs_getattr_xattr_fs(getty_t) +mls_file_read_up(getty_t) +mls_file_write_down(getty_t) + # Chown, chmod, read and write ttys. term_use_all_user_ttys(getty_t) term_use_unallocated_tty(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 6de541a..a1d2ba1 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -64,5 +64,6 @@ interface(`hostname_exec',` type hostname_exec_t; ') + corecmd_search_bin($1) can_exec($1,hostname_exec_t) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 9bed727..36e53b8 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.1.1) +policy_module(init,1.1.2) gen_require(` class passwd rootok; @@ -369,6 +369,7 @@ mls_file_read_up(initrc_t) mls_file_write_down(initrc_t) mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) +mls_rangetrans_source(initrc_t) modutils_read_module_conf(initrc_t) modutils_domtrans_insmod(initrc_t) @@ -435,15 +436,19 @@ ifdef(`distro_redhat',` fs_use_tmpfs_chr_dev(initrc_t) storage_create_fixed_disk(initrc_t) + storage_getattr_removable_device(initrc_t) files_create_boot_flag(initrc_t) files_getattr_all_file_type_sockets(initrc_t) # wants to read /.fonts directory files_read_default_files(initrc_t) - files_mountpoint(initrc_tmp_t) + miscfiles_read_fonts(initrc_t) + miscfiles_read_hwdata(initrc_t) + # readahead asks for these + auth_dontaudit_read_shadow(initrc_t) mta_read_aliases(initrc_t) optional_policy(`bind',` @@ -496,6 +501,7 @@ optional_policy(`bind',` optional_policy(`bluetooth',` dev_read_usbfs(initrc_t) + bluetooth_read_config(initrc_t) ') optional_policy(`cpucontrol',` @@ -511,6 +517,7 @@ optional_policy(`dbus',` dbus_connect_system_bus(initrc_t) dbus_send_system_bus_msg(initrc_t) dbus_system_bus_client_template(initrc,initrc_t) + dbus_read_config(initrc_t) optional_policy(`networkmanager',` networkmanager_dbus_chat(initrc_t) @@ -580,6 +587,7 @@ optional_policy(`mailman',` ') optional_policy(`mta',` + mta_read_config(initrc_t) mta_dontaudit_read_spool_symlink(initrc_t) ') diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 1c02b33..ec23ab1 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables, 1.0.0) +policy_module(iptables,1.0.1) ######################################## # @@ -48,6 +48,8 @@ dev_read_sysfs(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) +mls_file_read_up(iptables_t) + term_dontaudit_use_console(iptables_t) domain_use_wide_inherit_fd(iptables_t) diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index e7f1ef0..e44bbf2 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -98,6 +98,7 @@ ifdef(`distro_redhat',` /usr/lib/helix/codecs/cvt1\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -113,7 +114,8 @@ ifdef(`distro_redhat',` /usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr(/.*)?/pcsc/drivers(/.*)?/libcm(2020|4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr(/.*)?/pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -148,6 +150,7 @@ ifdef(`distro_redhat',` /usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libavformat-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libavcodec-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavutil-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/xine/plugins/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 80f3d00..51f4a61 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.0.0) +policy_module(locallogin,1.0.1) ######################################## # @@ -152,6 +152,7 @@ logging_send_syslog_msg(local_login_t) miscfiles_read_localization(local_login_t) +mls_file_read_up(local_login_t) mls_file_write_down(local_login_t) mls_file_upgrade(local_login_t) mls_file_downgrade(local_login_t) diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc index ff2b623..7d07518 100644 --- a/refpolicy/policy/modules/system/logging.fc +++ b/refpolicy/policy/modules/system/logging.fc @@ -1,8 +1,8 @@ -/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +/dev/log -s gen_context(system_u:object_r:devlog_t,s0) -/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0) -/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0) +/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0) +/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) @@ -19,10 +19,11 @@ ifdef(`distro_suse', ` /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -/var/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) -/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s0) +/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255) +/var/log/.* gen_context(system_u:object_r:var_log_t,s0) +/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) -/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s0) +/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index fa44e26..f99a955 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -22,6 +22,24 @@ interface(`logging_log_file',` ######################################## ## +## Read the audit log. +## +## +## Domain allowed access. +## +# +interface(`logging_read_audit_log',` + gen_require(` + type auditd_log_t; + ') + + files_search_var($1) + allow $1 auditd_log_t:dir r_dir_perms; + allow $1 auditd_log_t:file r_file_perms; +') + +######################################## +## ## Execute auditctl in the auditctl domain. ## ## diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 9c76bb1..64625b2 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.1.0) +policy_module(logging,1.1.1) ######################################## # @@ -74,6 +74,8 @@ kernel_read_proc_symlinks(auditctl_t) domain_read_all_domains_state(auditctl_t) domain_use_wide_inherit_fd(auditctl_t) +mls_file_read_up(auditctl_t) + init_use_script_pty(auditctl_t) init_dontaudit_use_fd(auditctl_t) @@ -155,6 +157,7 @@ libs_use_shared_libs(auditd_t) miscfiles_read_localization(auditd_t) mls_file_read_up(auditd_t) +mls_rangetrans_target(auditd_t) seutil_dontaudit_read_config(auditd_t) @@ -227,6 +230,8 @@ logging_send_syslog_msg(klogd_t) miscfiles_read_localization(klogd_t) +mls_file_read_up(klogd_t) + userdom_dontaudit_search_sysadm_home_dir(klogd_t) optional_policy(`udev',` diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc index b709812..8364ca4 100644 --- a/refpolicy/policy/modules/system/selinuxutil.fc +++ b/refpolicy/policy/modules/system/selinuxutil.fc @@ -9,9 +9,9 @@ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s0) - -/etc/selinux/([^/]*/)?src(/.*)? gen_context(system_u:object_r:policy_src_t,s0) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255) +/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) +/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255) # # /root diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index f30d2a6..b9cb9e8 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.0.0) +policy_module(selinuxutil,1.0.1) gen_require(` bool secure_mode; @@ -182,6 +182,7 @@ domain_use_wide_inherit_fd(load_policy_t) # for mcs.conf files_read_etc_files(load_policy_t) +files_read_etc_runtime_files(load_policy_t) libs_use_ld_so(load_policy_t) libs_use_shared_libs(load_policy_t) @@ -190,16 +191,19 @@ miscfiles_read_localization(load_policy_t) userdom_use_all_user_fd(load_policy_t) -ifdef(`targeted_policy', ` +ifdef(`hide_broken_symptoms',` + # cjp: cover up stray file descriptors. + dontaudit load_policy_t selinux_config_t:file write; + optional_policy(`unconfined',` + unconfined_dontaudit_read_pipe(load_policy_t) + ') +') + +ifdef(`targeted_policy',` term_use_unallocated_tty(load_policy_t) term_use_generic_pty(load_policy_t) ') -# cjp: temporary hack to cover -# up stray file descriptors. -dontaudit load_policy_t selinux_config_t:file write; -unconfined_dontaudit_read_pipe(load_policy_t) - ######################################## # # Newrole local policy @@ -217,7 +221,8 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read }; +allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms; allow newrole_t { selinux_config_t default_context_t }:file r_file_perms; @@ -407,8 +412,8 @@ selinux_compute_user_contexts(run_init_t) ifdef(`targeted_policy',`',` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; - allow run_init_t self:fifo_file rw_file_perms; + allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read }; # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 1d1e93d..9cbbc99 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev,1.1.0) +policy_module(udev,1.1.1) ######################################## # @@ -39,7 +39,7 @@ files_pid_file(udev_var_run_t) # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource sys_nice }; dontaudit udev_t self:capability sys_tty_config; allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; @@ -79,6 +79,7 @@ kernel_read_device_sysctl(udev_t) kernel_read_hotplug_sysctl(udev_t) kernel_read_modprobe_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t) +kernel_rw_hotplug_sysctl(udev_t) kernel_rw_unix_dgram_socket(udev_t) kernel_sendto_unix_dgram_socket(udev_t) kernel_signal(udev_t) @@ -141,6 +142,7 @@ seutil_domtrans_restorecon(udev_t) sysnet_domtrans_ifconfig(udev_t) userdom_use_sysadm_tty(udev_t) +userdom_dontaudit_search_all_users_home(udev_t) ifdef(`distro_redhat',` fs_manage_tmpfs_dirs(udev_t) diff --git a/refpolicy/policy/modules/system/unconfined.fc b/refpolicy/policy/modules/system/unconfined.fc index b0b5ed8..47a158f 100644 --- a/refpolicy/policy/modules/system/unconfined.fc +++ b/refpolicy/policy/modules/system/unconfined.fc @@ -1,3 +1,5 @@ # Add programs here which should not be confined by SELinux # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 37b933d..42ca908 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.1.2) +policy_module(unconfined,1.1.3) ######################################## # @@ -118,7 +118,6 @@ ifdef(`targeted_policy',` optional_policy(`rpm',` rpm_domtrans(unconfined_t) - rpm_script_domtrans(unconfined_t) ') optional_policy(`samba',` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index ca5e45d..d107a9d 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -572,6 +572,7 @@ template(`unpriv_user_template', ` corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) files_list_home($1_t) files_read_usr_files($1_t) files_exec_usr_files($1_t) @@ -1880,11 +1881,19 @@ interface(`userdom_getattr_sysadm_home_dir',` ## # interface(`userdom_dontaudit_getattr_sysadm_home_dir',` - gen_require(` - type sysadm_home_dir_t; - ') + ifdef(`targeted_policy',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir getattr; + ', ` + gen_require(` + type sysadm_home_dir_t; + ') - dontaudit $1 sysadm_home_dir_t:dir getattr; + dontaudit $1 sysadm_home_dir_t:dir getattr; + ') ') ######################################## @@ -1913,11 +1922,19 @@ interface(`userdom_search_sysadm_home_dir',` ## # interface(`userdom_dontaudit_search_sysadm_home_dir',` + ifdef(`targeted_policy',` gen_require(` - type sysadm_home_dir_t; + type user_home_dir_t; ') - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; + dontaudit $1 user_home_dir_t:dir search_dir_perms; + ',` + gen_require(` + type sysadm_home_dir_t; + ') + + dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; + ') ') ######################################## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 8f30f4b..c852d6b 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,8 +1,8 @@ -policy_module(userdomain,1.1.1) +policy_module(userdomain,1.1.2) gen_require(` - role sysadm_r, staff_r, user_r; + role sysadm_r, staff_r, user_r, secadm_r; ') ######################################## @@ -96,11 +96,19 @@ ifdef(`targeted_policy',` type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t; files_search_home(privhome) + ifdef(`enable_mls',` + allow secadm_r system_r; + allow secadm_r user_r; + allow user_r secadm_r; + allow staff_r secadm_r; + ') + optional_policy(`samba',` samba_per_userdomain_template(user) ') ',` admin_user_template(sysadm) + admin_user_template(secadm) unpriv_user_template(staff) unpriv_user_template(user) @@ -111,6 +119,7 @@ ifdef(`targeted_policy',` # only staff_r can change to sysadm_r role_change(staff, sysadm) + role_change(staff, secadm) # this should be tunable_policy, but # currently type_change and RBAC allow @@ -133,6 +142,10 @@ ifdef(`targeted_policy',` allow sysadm_t user_home_dir_t:dir create_dir_perms; files_create_home_dirs(sysadm_t,user_home_dir_t) + mls_process_read_up(sysadm_t) + + logging_read_audit_log(sysadm_t) + ifdef(`direct_sysadm_daemon',` optional_policy(`init',` init_run_daemon(sysadm_t,sysadm_r,admin_terminal)