From d4af172a643fa519a59df1b56847471a5930f086 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 11 2009 12:30:22 +0000 Subject: - Separate out the ucnonfined user from the unconfined.pp package --- diff --git a/modules-minimum.conf b/modules-minimum.conf index d90a8dd..abdf2ef 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1676,6 +1676,13 @@ bitlbee = module # soundserver = module +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + # Layer:role # Module: staff # diff --git a/modules-targeted.conf b/modules-targeted.conf index d90a8dd..abdf2ef 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1676,6 +1676,13 @@ bitlbee = module # soundserver = module +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + # Layer:role # Module: staff # diff --git a/policy-20090105.patch b/policy-20090105.patch index 1dd0d5d..4800cdb 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1022,7 +1022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-09 04:59:09.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1101,7 +1101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,10 +190,20 @@ +@@ -174,17 +190,28 @@ ') optional_policy(` 
@@ -1122,8 +1122,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol prelink_domtrans(rpm_t) ') -@@ -185,6 +211,7 @@ - unconfined_domain(rpm_t) + optional_policy(` +- unconfined_domain(rpm_t) ++ unconfined_domain_noaudit(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) + unconfined_dbus_chat(rpm_script_t) @@ -1514,6 +1515,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-3.6.12/policy/modules/apps/ada.te +--- nsaserefpolicy/policy/modules/apps/ada.te 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/ada.te 2009-04-09 04:47:52.000000000 -0400 +@@ -21,5 +21,5 @@ + userdom_use_user_terminals(ada_t) + + optional_policy(` +- unconfined_domain_noaudit(ada_t) ++ unconfined_domain(ada_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/awstats.te 2009-04-07 16:01:44.000000000 -0400 @@ -2384,7 +2395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-09 04:48:20.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # 
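Review bot: The rpm.te hunk at `@@ -1122,8 +1122,9 @@` replaces `unconfined_domain(rpm_t)` with `unconfined_domain_noaudit(rpm_t)` without a comment, while the ada.te hunk at `@@ -1514,6 +1515,16 @@` and the mono.te (`@@ -2394,7 +2405,12 @@`) and wine.te (`@@ -4285,9 +4301,10 @@`) hunks move `ada_t`, `mono_t` and `wine_t` the opposite way, from `unconfined_domain_noaudit` to `unconfined_domain`. The commit subject only covers splitting the unconfined user out of unconfined.pp, so a reader cannot tell from the patch why these domains swap interfaces, and if the two interfaces differ in more than dontaudit rules (as the names suggest but the patch does not show; confirm against unconfined.if) this is an effective access change that should be called out in the commit message. A one-line comment above each changed call, e.g. `# noaudit variant: <reason>` for rpm_t and `# full unconfined_domain: <reason>` for ada_t/mono_t/wine_t, would keep the intent with the policy rather than in someone's memory.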
@@ -2394,7 +2405,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_dbus_chat_script(mono_t) -@@ -46,3 +46,7 @@ +@@ -42,7 +42,11 @@ + ') + + optional_policy(` +- unconfined_domain_noaudit(mono_t) ++ unconfined_domain(mono_t) unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) ') @@ -4272,7 +4288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-09 04:47:36.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -4285,9 +4301,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` allow wine_t self:process { execstack execmem execheap }; +- unconfined_domain_noaudit(wine_t) + domain_mmap_low_type(wine_t) + domain_mmap_low(wine_t) - unconfined_domain_noaudit(wine_t) ++ unconfined_domain(wine_t) files_execmod_all_files(wine_t) +') @@ -4689,7 +4706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type urandom_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-09 10:10:17.000000000 -0400 @@ -629,6 +629,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; 
@@ -4909,7 +4926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-09 10:14:04.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5118,7 +5135,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4532,7 +4662,8 @@ +@@ -4413,6 +4543,28 @@ + + ######################################## + ## ++## manage all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ manage_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, lockfile, lockfile) ++ manage_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## + ## Create an object in the locks directory, with a private + ## type using a type transition. + ## +@@ -4532,7 +4684,8 @@ type var_t, var_run_t; ') @@ -5128,7 +5174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4873,7 +5004,7 @@ +@@ -4873,7 +5026,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting 
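Review bot: The new `files_manage_all_locks` interface in the files.if hunk at `@@ -5118,7 +5135,36 @@` is documented only as `## manage all lock files.`, which understates what it grants: search on the `var_t` and `var_lock_t` directories plus create/read/write/delete on every directory, file and symlink carrying the `lockfile` attribute. A summary such as `## Create, read, write, and delete all lock files, lock directories and symlinks (every type with the lockfile attribute).` would tell a caller that this is an attribute-wide grant rather than access to a single lock type, which matters when deciding which domains should get it.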
@@ -5137,7 +5183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4895,12 +5026,15 @@ +@@ -4895,12 +5048,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -5154,7 +5200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5055,95 @@ +@@ -4921,3 +5077,95 @@ typeattribute $1 files_unconfined_type; ') @@ -5493,7 +5539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-09 10:10:27.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) 
@@ -5576,23 +5622,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -@@ -359,6 +384,10 @@ - unconfined_domain(kernel_t) +@@ -356,7 +381,11 @@ ') -+optional_policy(` -+ xserver_xdm_manage_spool(kernel_t) + optional_policy(` +- unconfined_domain(kernel_t) ++ unconfined_domain_noaudit(kernel_t) +') + ++optional_policy(` ++ xserver_xdm_manage_spool(kernel_t) + ') + ######################################## - # - # Unlabeled process local policy -@@ -388,3 +417,5 @@ +@@ -388,3 +417,7 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) ++ ++permissive kernel_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.12/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/selinux.if 2009-04-07 16:01:44.000000000 -0400 
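Review bot: The kernel.te hunk at `@@ -5576,23 +5622,27 @@` appends `++permissive kernel_t;` to the end of the file, which switches SELinux enforcement off for the kernel domain (denials are logged but no longer blocked), alongside the change from `unconfined_domain(kernel_t)` to `unconfined_domain_noaudit(kernel_t)`. Neither change is mentioned in the commit subject, which only covers the unconfined user split, and nothing in the hunk says whether permissive mode is a temporary debugging aid while the noaudit change is evaluated or is meant to ship. Either drop the line, or put a comment above it such as `# TEMPORARY: kernel_t permissive while <reason>; remove before release` and mention it in the commit message, so a permissive kernel domain does not silently survive into a released policy.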
@@ -5653,6 +5703,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.12/policy/modules/kernel/terminal.fc +--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/terminal.fc 2009-04-11 08:00:47.000000000 -0400 +@@ -13,6 +13,7 @@ + /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) ++/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) + /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-04-07 16:01:44.000000000 -0400 
@@ -6221,251 +6282,79 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` yam_run(sysadm_t, sysadm_r) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-04-07 16:01:44.000000000 -0400 -@@ -14,142 +14,13 @@ - userdom_unpriv_user_template(user) - - optional_policy(` -- apache_role(user_r, user_t) -+ kerneloops_dontaudit_dbus_chat(user_t) - ') - - optional_policy(` -- auth_role(user_r, user_t) -+ rpm_dontaudit_dbus_chat(user_t) - ') - - optional_policy(` -- bluetooth_role(user_r, user_t) --') -- --optional_policy(` -- cdrecord_role(user_r, user_t) --') -- --optional_policy(` -- cron_role(user_r, user_t) --') -- --optional_policy(` -- dbus_role_template(user, user_r, user_t) --') -- --optional_policy(` -- ethereal_role(user_r, user_t) --') -- --optional_policy(` -- evolution_role(user_r, user_t) --') -- --optional_policy(` -- games_role(user_r, user_t) --') -- --optional_policy(` -- gift_role(user_r, user_t) --') -- --optional_policy(` -- gnome_role(user_r, user_t) --') -- --optional_policy(` -- gpg_role(user_r, user_t) --') -- --optional_policy(` -- irc_role(user_r, user_t) --') -- --optional_policy(` -- java_role(user_r, user_t) --') -- --optional_policy(` -- lockdev_role(user_r, user_t) --') -- --optional_policy(` -- lpd_role(user_r, user_t) --') -- --optional_policy(` -- mozilla_role(user_r, user_t) --') -- --optional_policy(` -- mplayer_role(user_r, user_t) --') -- --optional_policy(` -- mta_role(user_r, user_t) --') -- --optional_policy(` -- oident_manage_user_content(user_t) -- oident_relabel_user_content(user_t) --') -- --optional_policy(` -- pyzor_role(user_r, user_t) --') -- --optional_policy(` -- razor_role(user_r, user_t) --') -- 
--optional_policy(` -- rssh_role(user_r, user_t) --') -- --optional_policy(` -- screen_role_template(user, user_r, user_t) --') -- --optional_policy(` -- spamassassin_role(user_r, user_t) --') -- --optional_policy(` -- ssh_role_template(user, user_r, user_t) --') -- --optional_policy(` -- su_role_template(user, user_r, user_t) --') -- --optional_policy(` -- sudo_role_template(user, user_r, user_t) --') -- --optional_policy(` -- thunderbird_role(user_r, user_t) --') -- --optional_policy(` -- tvtime_role(user_r, user_t) --') -- --optional_policy(` -- uml_role(user_r, user_t) --') -- --optional_policy(` -- userhelper_role_template(user, user_r, user_t) --') -- --optional_policy(` -- vmware_role(user_r, user_t) --') -- --optional_policy(` -- wireshark_role(user_r, user_t) --') -- --optional_policy(` -- xserver_role(user_r, user_t) -+ setroubleshoot_dontaudit_stream_connect(user_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.12/policy/modules/roles/webadm.te ---- nsaserefpolicy/policy/modules/roles/webadm.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/roles/webadm.te 2009-04-07 16:06:28.000000000 -0400 -@@ -42,7 +42,7 @@ - - userdom_dontaudit_search_user_home_dirs(webadm_t) - --#apache_admin(webadm_t, webadm_r) -+apache_admin(webadm_t, webadm_r) - - tunable_policy(`webadm_manage_user_files',` - userdom_manage_user_home_content_files(webadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/roles/xguest.te 2009-04-07 16:01:44.000000000 -0400 -@@ -67,7 +67,11 @@ - ') - - optional_policy(` -- java_role(xguest_r, xguest_t) -+ java_role_template(xguest, xguest_r, xguest_t) -+') +diff -b -B --ignore-all-space 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc +--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-09 04:44:48.000000000 -0400 +@@ -0,0 +1,30 @@ ++# Add programs here which should not be confined by SELinux ++# e.g.: ++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t ++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + -+optional_policy(` -+ mono_role_template(xguest, xguest_r, xguest_t) - ') - - optional_policy(` -@@ -75,9 +79,13 @@ - ') - - optional_policy(` -+ nsplugin_role(xguest_r, xguest_t) ++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ifdef(`distro_gentoo',` ++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +') ++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+optional_policy(` - tunable_policy(`xguest_connect_network',` - networkmanager_dbus_chat(xguest_t) - ') - ') - --#gen_user(xguest_u,, xguest_r, s0, s0) -+gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.12/policy/modules/services/afs.fc ---- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/afs.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,3 +1,6 @@ -+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/afs -- 
gen_context(system_u:object_r:afs_initrc_exec_t,s0) -+ - /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) - /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) - /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) -@@ -17,6 +20,13 @@ - - /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) - -+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) -+ - /vicepa gen_context(system_u:object_r:afs_files_t,s0) - /vicepb gen_context(system_u:object_r:afs_files_t,s0) - /vicepc gen_context(system_u:object_r:afs_files_t,s0) -+ ++/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + -+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/var/cache/afs(/.*)? 
gen_context(system_u:object_r:afs_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.12/policy/modules/services/afs.if ---- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/afs.if 2009-04-07 16:01:44.000000000 -0400 -@@ -1 +1,110 @@ - ## Andrew Filesystem server ++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if +--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-09 05:37:59.000000000 -0400 +@@ -0,0 +1,638 @@ ++## Unconfiend user role + +######################################## +## -+## Execute a domain transition to run afs. -+## -+## -+## -+## Domain allowed to transition. ++## Change from the unconfineduser role. +## ++## ++##

++## Change from the unconfineduser role to ++## the specified role. ++##

++##

++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## ++## ++## Role allowed access. ++## +## ++## +# -+interface(`afs_domtrans',` ++interface(`unconfined_role_change_to',` + gen_require(` -+ type afs_t; -+ type afs_exec_t; ++ role unconfined_r; + ') + -+ domtrans_pattern($1,afs_exec_t,afs_t) ++ allow unconfined_r $1; +') + -+ +######################################## +## -+## Read and write afs UDP sockets. ++## Transition to the unconfined domain. +## +## +## @@ -6473,628 +6362,399 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`afs_rw_udp_sockets',` ++interface(`unconfined_domtrans',` + gen_require(` -+ type afs_t; ++ type unconfined_t, unconfined_exec_t; + ') + -+ allow $1 afs_t:udp_socket { read write }; ++ domtrans_pattern($1,unconfined_exec_t,unconfined_t) +') + +######################################## +## -+## read/write afs cache files ++## Execute specified programs in the unconfined domain. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to allow the unconfined domain. ++## +## +# -+interface(`afs_rw_cache',` ++interface(`unconfined_run',` + gen_require(` -+ type afs_cache_t; ++ type unconfined_t; + ') + -+ allow $1 afs_cache_t:file {read write}; ++ unconfined_domtrans($1) ++ role $2 types unconfined_t; +') + ++######################################## ++## ++## Transition to the unconfined domain by executing a shell. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_shell_domtrans',` ++ gen_require(` ++ attribute unconfined_login_domain; ++ ') ++ typeattribute $1 unconfined_login_domain; ++') + +######################################## +## -+## Execute afs server in the afs domain. ++## Allow unconfined to execute the specified program in ++## the specified domain. +## ++## ++##
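Review bot: The new unconfineduser.if added in hunk `@@ -6221,251 +6282,79 @@` opens with the module summary `## Unconfiend user role`, which should read `## Unconfined user role` since this line is what policy tooling shows for the module. In the new unconfineduser.fc, the entries `/usr/lib64/erlang/erts-[^/]+/bin/beam.smp` and `/usr/lib/erlang/erts-[^/]+/bin/beam.smp` leave the dot in `beam.smp` unescaped, unlike the neighbouring `realplay\.bin` entries, so the pattern also matches any single character there; `beam\.smp` follows the rest of the file. The comment `# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t` is not followed by any initrc entry in this file, so it looks carried over from the old unconfined.fc and can probably be removed. The hunk's later interfaces continue in the next hunk, which is cut off in this view.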

++## Allow unconfined to execute the specified program in ++## the specified domain. ++##

++##

++## This is a interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
+## +## -+## The type of the process performing this action. ++## Domain to execute in. ++## ++## ++## ++## ++## Domain entry point file. +## +## +# -+interface(`afs_initrc_domtrans',` ++interface(`unconfined_domtrans_to',` + gen_require(` -+ type afs_initrc_exec_t; ++ type unconfined_t; + ') + -+ init_script_domtrans_spec($1,afs_initrc_exec_t) ++ domtrans_pattern(unconfined_t,$2,$1) +') + +######################################## +## -+## All of the rules required to administrate -+## an afs environment ++## Allow unconfined to execute the specified program in ++## the specified domain. Allow the specified domain the ++## unconfined role and use of unconfined user terminals. +## ++## ++##

++## Allow unconfined to execute the specified program in ++## the specified domain. Allow the specified domain the ++## unconfined role and use of unconfined user terminals. ++##

++##

++## This is a interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
+## +## -+## Domain allowed access. ++## Domain to execute in. +## +## -+## ++## +## -+## The role to be allowed to manage the afs domain. ++## Domain entry point file. +## +## -+## +# -+interface(`afs_admin',` ++interface(`unconfined_run_to',` + gen_require(` -+ type afs_t; -+ type afs_initrc_exec_t; ++ type unconfined_t; ++ role unconfined_r; + ') + -+ allow $1 afs_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, afs_t, afs_t) ++ domtrans_pattern(unconfined_t,$2,$1) ++ role unconfined_r types $1; ++ userdom_use_user_terminals($1) ++') + -+ # Allow afs_t to restart the apache service -+ afs_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 afs_initrc_exec_t system_r; -+ allow $2 system_r; ++######################################## ++## ++## Inherit file descriptors from the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_use_fds',` ++ gen_require(` ++ type unconfined_t; ++ ') + ++ allow $1 unconfined_t:fd use; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.12/policy/modules/services/afs.te ---- nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/afs.te 2009-04-07 16:01:44.000000000 -0400 -@@ -6,6 +6,16 @@ - # Declarations - # - -+type afs_t; -+type afs_exec_t; -+init_daemon_domain(afs_t, afs_exec_t) -+ -+type afs_initrc_exec_t; -+init_script_file(afs_initrc_exec_t) + -+type afs_cache_t; -+files_type(afs_cache_t) ++######################################## ++## ++## Send a SIGCHLD signal to the unconfined domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_sigchld',` ++ gen_require(` ++ type unconfined_t; ++ ') + - type afs_bosserver_t; - type afs_bosserver_exec_t; - init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) -@@ -302,3 +312,46 @@ - sysnet_read_config(afs_vlserver_t) - - userdom_dontaudit_use_user_terminals(afs_vlserver_t) ++ allow $1 unconfined_t:process sigchld; ++') + +######################################## ++## ++## Send a SIGNULL signal to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## +# -+# afs local policy -+# ++interface(`unconfined_signull',` ++ gen_require(` ++ type unconfined_t; ++ ') + -+allow afs_t self:capability { sys_nice sys_tty_config }; -+allow afs_t self:process setsched; -+allow afs_t self:udp_socket create_socket_perms; -+allow afs_t self:fifo_file rw_file_perms; -+allow afs_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1 unconfined_t:process signull; ++') + -+manage_files_pattern(afs_t,afs_cache_t,afs_cache_t) -+manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t) -+files_var_filetrans(afs_t,afs_cache_t,{file dir}) ++######################################## ++## ++## Send a SIGNULL signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_signull',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') + -+files_mounton_mnt(afs_t) -+files_read_etc_files(afs_t) -+files_rw_etc_runtime_files(afs_t) ++ allow $1 unconfined_execmem_t:process signull; ++') + -+fs_getattr_xattr_fs(afs_t) -+fs_mount_nfs(afs_t) ++######################################## ++## ++## Send a signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_execmem_signal',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') + -+kernel_rw_afs_state(afs_t) ++ allow $1 unconfined_execmem_t:process signal; ++') + -+# Init script handling -+domain_use_interactive_fds(afs_t) ++######################################## ++## ++## Send generic signals to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_signal',` ++ gen_require(` ++ type unconfined_t; ++ ') + -+corenet_all_recvfrom_unlabeled(afs_t) -+corenet_all_recvfrom_netlabel(afs_t) -+corenet_tcp_sendrecv_generic_if(afs_t) -+corenet_udp_sendrecv_generic_if(afs_t) -+corenet_tcp_sendrecv_generic_node(afs_t) -+corenet_udp_sendrecv_generic_node(afs_t) -+corenet_tcp_sendrecv_all_ports(afs_t) -+corenet_udp_sendrecv_all_ports(afs_t) -+corenet_udp_bind_generic_node(afs_t) ++ allow $1 unconfined_t:process signal; ++') + -+miscfiles_read_localization(afs_t) ++######################################## ++## ++## Read unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_read_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') + -+logging_send_syslog_msg(afs_t) ++ allow $1 unconfined_t:fifo_file read_fifo_file_perms; ++') + -+permissive afs_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,12 +1,13 @@ --HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - - /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/apache-ssl(2)?(/.*)? 
gen_context(system_u:object_r:httpd_config_t,s0) - /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) --/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) - /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) - /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) - - /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -22,6 +23,7 @@ - /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - -+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -@@ -32,12 +34,17 @@ - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - -+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/usr/share/wordpress-mu/wp-content(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++######################################## ++## ++## Do not audit attempts to read unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dontaudit_read_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') + - - /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,6 +54,7 @@ - - /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +58,10 @@ - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++ dontaudit $1 unconfined_t:fifo_file read; ++') + - /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - -+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/cacti(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +74,28 @@ - /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - - /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) - /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) - - /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++######################################## ++## ++## Read and write unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_rw_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') + -+#Bugzilla file context -+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) -+#viewvc file context -+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms; ++') + -+/var/www/gallery/albums(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++######################################## ++## ++## Do not audit attempts to read and write ++## unconfined domain unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') + -+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++ dontaudit $1 unconfined_t:fifo_file rw_file_perms; ++') + -+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-07 16:01:44.000000000 -0400 -@@ -13,21 +13,16 @@ - # - template(`apache_content_template',` - gen_require(` -- attribute httpdcontent; - attribute httpd_exec_scripts; - attribute httpd_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; - ') -- # allow write access to public file transfer -- # services files. 
-- gen_tunable(allow_httpd_$1_script_anon_write, false) -- - #This type is for webpages -- type httpd_$1_content_t, httpdcontent; # customizable -+ type httpd_$1_content_t; - files_type(httpd_$1_content_t) - - # This type is used for .htaccess files -- type httpd_$1_htaccess_t; # customizable; -+ type httpd_$1_htaccess_t; - files_type(httpd_$1_htaccess_t) - - # Type that CGI scripts run as -@@ -42,20 +37,22 @@ - - # The following three are the only areas that - # scripts can read, read/write, or append to -- type httpd_$1_script_ro_t, httpdcontent; # customizable -- files_type(httpd_$1_script_ro_t) -+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - -- type httpd_$1_script_rw_t, httpdcontent; # customizable -- files_type(httpd_$1_script_rw_t) -+ type httpd_$1_content_rw_t; -+ files_type(httpd_$1_content_rw_t) -+ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; - -- type httpd_$1_script_ra_t, httpdcontent; # customizable -- files_type(httpd_$1_script_ra_t) -+ type httpd_$1_content_ra_t; -+ files_type(httpd_$1_content_ra_t) -+ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; - -- allow httpd_t httpd_$1_htaccess_t:file read_file_perms; -+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; - - allow httpd_$1_script_t self:fifo_file rw_file_perms; - allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -65,29 +62,27 @@ - dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; - - # Allow the script process to search the cgi directory, and users directory -- allow 
httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; -+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -+ list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) - logging_search_logs(httpd_$1_script_t) - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; -+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - -- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- -- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) -+ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, 
httpd_$1_content_ra_t) -+ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++######################################## ++## ++## Do not audit attempts to read and write ++## unconfined domain stream. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_stream',` ++ gen_require(` ++ type unconfined_t; ++ ') + -+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) - - kernel_dontaudit_search_sysctl(httpd_$1_script_t) - kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -96,6 +91,7 @@ - dev_read_urand(httpd_$1_script_t) - - corecmd_exec_all_executables(httpd_$1_script_t) -+ application_exec_all(httpd_$1_script_t) - - files_exec_etc_files(httpd_$1_script_t) - files_read_etc_files(httpd_$1_script_t) -@@ -109,34 +105,21 @@ - - seutil_dontaudit_search_config(httpd_$1_script_t) - -- tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_$1_script_t httpdcontent:file entrypoint; -- -- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- can_exec(httpd_$1_script_t, httpdcontent) -- ') -- -- tunable_policy(`allow_httpd_$1_script_anon_write',` -- miscfiles_manage_public_files(httpd_$1_script_t) -- ') -- - # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` -- manage_dirs_pattern(httpd_t, 
httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- -- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -+ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ -+ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ -+ allow httpd_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -@@ -149,9 +132,13 @@ - # privileged users run the script: - domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file 
read_file_perms; -+ - # apache runs the script: - domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms; ++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; ++') + - allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; - -@@ -175,50 +162,6 @@ - miscfiles_read_localization(httpd_$1_script_t) - ') - -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_$1_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) -- corenet_all_recvfrom_netlabel(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- -- sysnet_read_config(httpd_$1_script_t) -- ') -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_$1_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) -- corenet_all_recvfrom_netlabel(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_tcp_connect_all_ports(httpd_$1_script_t) -- corenet_sendrecv_all_client_packets(httpd_$1_script_t) -- -- sysnet_read_config(httpd_$1_script_t) -- ') -- -- optional_policy(` -- 
mta_send_mail(httpd_$1_script_t) -- ') -- -- optional_policy(` -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_$1_script_t) -- ') -- ') -- - optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -227,10 +170,6 @@ - - optional_policy(` - postgresql_unpriv_client(httpd_$1_script_t) -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_$1_script_t) -- ') - ') - - optional_policy(` -@@ -504,6 +443,47 @@ - ######################################## - ## - ## Allow the specified domain to read -+## apache tmp files. ++######################################## ++## ++## Connect to the unconfined domain using ++## a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`apache_read_tmp',` ++interface(`unconfined_stream_connect',` + gen_require(` -+ type httpd_config_t; ++ type unconfined_t; + ') + -+ files_search_tmp($1) -+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ++ allow $1 unconfined_t:unix_stream_socket connectto; +') + +######################################## +## -+## Dontaudit attempts ti write -+## apache tmp files. ++## Do not audit attempts to read or write ++## unconfined domain tcp sockets. +## ++## ++##

++## Do not audit attempts to read or write ++## unconfined domain tcp sockets. ++##

++##

++## This interface was added due to a broken ++## symptom in ldconfig. ++##

++##
+## +## -+## Domain allowed access. ++## Domain to not audit. +## +## -+## +# -+interface(`apache_dontaudit_write_tmp',` ++interface(`unconfined_dontaudit_rw_tcp_sockets',` + gen_require(` -+ type httpd_config_t; ++ type unconfined_t; + ') + -+ dontaudit $1 httpd_tmp_t:file write; ++ dontaudit $1 unconfined_t:tcp_socket { read write }; +') + +######################################## +## -+## Allow the specified domain to read - ## apache configuration files. - ## - ## -@@ -579,7 +559,7 @@ - ## - ## - ## --## The role to be allowed the dmidecode domain. -+## The role to be allowed the http_helper domain. - ## - ## - ## -@@ -715,6 +695,7 @@ - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) - ') - - ######################################## -@@ -782,6 +763,32 @@ - - ######################################## - ## -+## Allow the specified domain to delete -+## apache system content rw files. ++## Create keys for the unconfined domain. +## +## +## +## Domain allowed access. +## +## -+## +# -+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr -+interface(`apache_delete_sys_content_rw',` ++interface(`unconfined_create_keys',` + gen_require(` -+ type httpd_sys_content_rw_t; ++ type unconfined_t; + ') + -+ files_search_tmp($1) -+ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ allow $1 unconfined_t:key create; +') + +######################################## +## - ## Execute all web scripts in the system - ## script domain. - ## -@@ -791,16 +798,18 @@ - ##
- ## - # --# cjp: this interface specifically added to allow --# sysadm_t to run scripts - interface(`apache_domtrans_sys_script',` - gen_require(` -- attribute httpdcontent; - type httpd_sys_script_t; -+ type httpd_sys_content_t; -+ ') -+ -+ tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -- domtrans_pattern($1, httpdcontent, httpd_sys_script_t) -+ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) - ') - ') - -@@ -859,6 +868,8 @@ - ## - ## - # -+# cjp: this is missing the terminal since scripts -+# do not output to the terminal - interface(`apache_run_all_scripts',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +895,7 @@ - type httpd_squirrelmail_t; - ') - -- allow $1 httpd_squirrelmail_t:file read_file_perms; -+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) - ') - - ######################################## -@@ -1040,3 +1051,160 @@ - - allow httpd_t $1:process signal; - ') -+ -+######################################## -+## -+## Allow the specified domain to search -+## apache bugzilla directories. ++## Send messages to the unconfined domain over dbus. +## +## +## @@ -7102,18 +6762,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`apache_search_bugzilla_dirs',` ++interface(`unconfined_dbus_send',` + gen_require(` -+ type httpd_bugzilla_content_t; ++ type unconfined_t; ++ class dbus send_msg; + ') + -+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ++ allow $1 unconfined_t:dbus send_msg; +') + +######################################## +## -+## Do not audit attempts to read and write Apache -+## bugzill script unix domain stream sockets. ++## Send and receive messages from ++## unconfined_t over dbus. +## +## +## 
@@ -7121,102 +6782,131 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` ++interface(`unconfined_dbus_chat',` + gen_require(` -+ type httpd_bugzilla_script_t; ++ type unconfined_t; ++ class dbus send_msg; + ') + -+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; ++ allow $1 unconfined_t:dbus send_msg; ++ allow unconfined_t $1:dbus send_msg; +') + +######################################## +## -+## All of the rules required to administrate an apache environment ++## Connect to the the unconfined DBUS ++## for service (acquire_svc). +## -+## ++## +## -+## Prefix of the domain. Example, user would be -+## the prefix for the uder_t domain. ++## Domain allowed access. +## +## ++# ++interface(`unconfined_dbus_connect',` ++ gen_require(` ++ type unconfined_t; ++ class dbus acquire_svc; ++ ') ++ ++ allow $1 unconfined_t:dbus acquire_svc; ++') ++ ++######################################## ++## ++## Allow ptrace of unconfined domain ++## +## +## +## Domain allowed access. +## +## -+## ++# ++interface(`unconfined_ptrace',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process ptrace; ++') ++ ++######################################## ++## ++## Read and write to unconfined shared memory. ++## ++## +## -+## The role to be allowed to manage the apache domain. ++## The type of the process performing this action. 
+## +## -+## +# -+interface(`apache_admin',` -+ ++interface(`unconfined_rw_shm',` + gen_require(` -+ type httpd_t, httpd_initrc_exec_t, httpd_config_t; -+ type httpd_log_t, httpd_modules_t, httpd_lock_t; -+ type httpd_var_run_t; -+ attribute httpdcontent; -+ attribute httpd_script_exec_type; -+ type httpd_bool_t; -+ type httpd_php_tmp_t; -+ type httpd_suexec_tmp_t; -+ type httpd_tmp_t; -+ ++ type unconfined_t; + ') + -+ allow $1 httpd_t:process { getattr ptrace signal_perms }; -+ ps_process_pattern($1, httpd_t) -+ -+ init_labeled_script_domtrans($1, httpd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 httpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ apache_manage_all_content($1) -+ miscfiles_manage_public_files($1) -+ -+ files_search_etc($1) -+ admin_pattern($1, httpd_config_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, httpd_log_t) ++ allow $1 unconfined_t:shm rw_shm_perms; ++') + -+ admin_pattern($1, httpd_modules_t) ++######################################## ++## ++## Read and write to unconfined execmem shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`unconfined_execmem_rw_shm',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') + -+ admin_pattern($1, httpd_lock_t) -+ files_lock_filetrans($1, httpd_lock_t, file) ++ allow $1 unconfined_execmem_t:shm rw_shm_perms; ++') + -+ admin_pattern($1, httpd_var_run_t) -+ files_pid_filetrans($1, httpd_var_run_t, file) ++######################################## ++## ++## Transition to the unconfined_execmem domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_execmem_domtrans',` + -+ kernel_search_proc($1) -+ allow $1 httpd_t:dir list_dir_perms; -+ ps_process_pattern($1, httpd_t) -+ read_lnk_files_pattern($1, httpd_t, httpd_t) ++ gen_require(` ++ type unconfined_execmem_t, execmem_exec_t; ++ ') + -+ admin_pattern($1, httpdcontent) -+ admin_pattern($1, httpd_script_exec_type) ++ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) ++') + -+ seutil_domtrans_setfiles($1) ++######################################## ++## ++## execute the execmem applications ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_exec',` + -+ admin_pattern($1, httpd_tmp_t) -+ admin_pattern($1, httpd_php_tmp_t) -+ admin_pattern($1, httpd_suexec_tmp_t) -+ files_tmp_filetrans($1, httpd_tmp_t, { file dir }) ++ gen_require(` ++ type execmem_exec_t; ++ ') + -+ifdef(`TODO',` -+ apache_set_booleans($1, $2, $3, httpd_bool_t ) -+ seutil_setsebool_role_template($1, $3, $2) -+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; -+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; -+') ++ can_exec($1, execmem_exec_t) +') + +######################################## +## -+## Mark content as being readable by standard apache processes ++## Allow apps to set rlimits on userdomain +## +## +## @@ -7224,16 +6914,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`apache_ro_content',` ++interface(`unconfined_set_rlimitnh',` + gen_require(` -+ attribute httpd_ro_content; ++ type unconfined_t; + ') -+ typeattribute $1 httpd_ro_content; ++ ++ allow $1 unconfined_t:process rlimitinh; +') + +######################################## +## -+## Mark content as being read/write by standard apache processes ++## Get the process group of unconfined. +## +## +## 
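Review bot: `unconfined_ptrace` grants `allow $1 unconfined_t:process ptrace;`, which lets any caller attach to and take over unconfined_t processes, so the one-line summary "Allow ptrace of unconfined domain" understates what the interface hands out; I would extend it to `Allow ptrace of the unconfined domain. A domain granted this can control any unconfined_t process, so call it only for domains already trusted with unconfined-level access.` The `unconfined_dbus_connect` summary reads "Connect to the the unconfined DBUS" (doubled "the"). `unconfined_execmem_domtrans` and `unconfined_execmem_exec` also put a blank line between `interface(` and `gen_require(`, unlike every other interface in this hunk; dropping it keeps the new file uniform.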
@@ -7241,1272 +6932,739 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`apache_rw_content',` ++interface(`unconfined_getpgid',` + gen_require(` -+ attribute httpd_rw_content; ++ type unconfined_t; + ') -+ typeattribute $1 httpd_rw_content; ++ ++ allow $1 unconfined_t:process getpgid; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-04-07 16:01:44.000000000 -0400 -@@ -19,6 +19,8 @@ - # Declarations - # - -+selinux_genbool(httpd_bool_t) + - ## - ##
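Review bot: `unconfined_set_rlimitnh` grants `allow $1 unconfined_t:process rlimitinh;`, but `rlimitinh` is, as far as I know, the permission checked when a process's resource limits are carried across a domain transition, not a permission to set rlimits, so the interface name (which also drops the "i" of `rlimitinh`) and its summary in the previous hunk, `Allow apps to set rlimits on userdomain`, both describe something other than the rule. The summary additionally says "userdomain" while the only target in the rule is `unconfined_t`. Renaming the interface would touch its callers, so at minimum I would reword the summary to `Allow resource limits of $1 to be inherited on transition to the unconfined domain.` and note the mismatch in a comment above the `interface(` line.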

- ## Allow Apache to modify public files -@@ -30,10 +32,17 @@ - - ## - ##

--## Allow Apache to use mod_auth_pam -+## Allow httpd scripts and modules execmem/execstack - ##

- ##
--gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_execmem, false) ++######################################## ++## ++## Change to the unconfined role. ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`unconfined_role_change',` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ allow $1 unconfined_r; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te +--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-09 05:43:27.000000000 -0400 +@@ -0,0 +1,402 @@ ++policy_module(unconfineduser, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++attribute unconfined_login_domain; + +## +##

-+## Allow Apache to communicate with avahi service via dbus -+##

-+##
-+gen_tunable(httpd_dbus_avahi, false) - - ## - ##

-@@ -44,6 +53,13 @@ - - ## - ##

-+## Allow http daemon to send mail ++## Transition to confined nsplugin domains from unconfined user +##

+##
-+gen_tunable(httpd_can_sendmail, false) ++gen_tunable(allow_unconfined_nsplugin_transition, false) + +## +##

- ## Allow HTTPD scripts and modules to connect to the network using TCP. - ##

- ##
-@@ -108,6 +124,29 @@ - ## - gen_tunable(httpd_unified, false) - -+## -+##

-+## Allow httpd to access nfs file systems ++## Allow a user to login as an unconfined domain +##

+##
-+gen_tunable(httpd_use_nfs, false) ++gen_tunable(unconfined_login, true) + +## +##

-+## Allow httpd to access cifs file systems ++## Allow unconfined domain to map low memory in the kernel +##

+##
-+gen_tunable(httpd_use_cifs, false) ++gen_tunable(allow_unconfined_mmap_low, false) + +## +##

-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. ++## Transition to confined qemu domains from unconfined user +##

+##
-+gen_tunable(allow_httpd_sys_script_anon_write, false) ++gen_tunable(allow_unconfined_qemu_transition, false) + -+attribute httpd_ro_content; -+attribute httpd_rw_content; - attribute httpdcontent; - attribute httpd_user_content_type; - -@@ -140,6 +179,9 @@ - domain_entry_file(httpd_helper_t, httpd_helper_exec_t) - role system_r types httpd_helper_t; - -+type httpd_initrc_exec_t; -+init_script_file(httpd_initrc_exec_t) ++# usage in this module of types created by these ++# calls is not correct, however we dont currently ++# have another method to add access to these types ++userdom_base_user_template(unconfined) ++userdom_manage_home_role(unconfined_r, unconfined_t) ++userdom_manage_tmp_role(unconfined_r, unconfined_t) ++userdom_manage_tmpfs_role(unconfined_r, unconfined_t) ++userdom_execmod_user_home_files(unconfined_t) + - type httpd_lock_t; - files_lock_file(httpd_lock_t) - -@@ -180,6 +222,10 @@ - # setup the system domain for system CGI scripts - apache_content_template(sys) - -+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable -+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable -+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable ++type unconfined_exec_t; ++init_system_domain(unconfined_t, unconfined_exec_t) ++role unconfined_r types unconfined_t; + - type httpd_tmp_t; - files_tmp_file(httpd_tmp_t) - -@@ -187,15 +233,20 @@ - files_tmpfs_file(httpd_tmpfs_t) - - apache_content_template(user) ++domain_user_exemption_target(unconfined_t) ++allow system_r unconfined_r; ++allow unconfined_r system_r; ++init_script_role_transition(unconfined_r) ++role system_r types unconfined_t; ++typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; + - ubac_constrained(httpd_user_script_t) -+typeattribute httpd_user_content_t httpdcontent; -+typeattribute httpd_user_content_rw_t httpdcontent; -+typeattribute httpd_user_content_ra_t httpdcontent; ++type unconfined_execmem_t; ++type 
execmem_exec_t; ++init_system_domain(unconfined_execmem_t, execmem_exec_t) ++role unconfined_r types unconfined_execmem_t; ++typealias execmem_exec_t alias unconfined_execmem_exec_t; + - userdom_user_home_content(httpd_user_content_t) - userdom_user_home_content(httpd_user_htaccess_t) - userdom_user_home_content(httpd_user_script_exec_t) --userdom_user_home_content(httpd_user_script_ra_t) --userdom_user_home_content(httpd_user_script_ro_t) --userdom_user_home_content(httpd_user_script_rw_t) -+userdom_user_home_content(httpd_user_content_ra_t) -+userdom_user_home_content(httpd_user_content_rw_t) - typeattribute httpd_user_script_t httpd_script_domains; - typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; -+typealias httpd_user_content_t alias httpd_unconfined_content_t; - typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; - typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; - typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; -@@ -230,7 +281,7 @@ - # Apache server local policy - # - --allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; -+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; - dontaudit httpd_t self:capability { net_admin sys_tty_config }; - allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow httpd_t self:fd use; -@@ -272,6 +323,7 @@ - allow httpd_t httpd_modules_t:dir list_dir_perms; - mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - - apache_domtrans_rotatelogs(httpd_t) - # Apache-httpd needs to be able to send signals to the log rotate procs. 
-@@ -283,9 +335,9 @@
- 
- allow httpd_t httpd_suexec_exec_t:file read_file_perms;
- 
--allow httpd_t httpd_sys_content_t:dir list_dir_perms;
--read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
--read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-+allow httpd_t httpd_ro_content:dir list_dir_perms;
-+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
-+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
- 
- manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +353,7 @@
- manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
- files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
- 
-+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,6 +365,7 @@
- kernel_read_kernel_sysctls(httpd_t)
- # for modules that want to access /proc/meminfo
- kernel_read_system_state(httpd_t)
-+kernel_search_network_sysctl(httpd_t)
- 
- corenet_all_recvfrom_unlabeled(httpd_t)
- corenet_all_recvfrom_netlabel(httpd_t)
-@@ -322,6 +376,7 @@
- corenet_tcp_sendrecv_all_ports(httpd_t)
- corenet_udp_sendrecv_all_ports(httpd_t)
- corenet_tcp_bind_generic_node(httpd_t)
-+corenet_udp_bind_generic_node(httpd_t)
- corenet_tcp_bind_http_port(httpd_t)
- corenet_tcp_bind_http_cache_port(httpd_t)
- corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +390,12 @@
- 
- fs_getattr_all_fs(httpd_t)
- fs_search_auto_mountpoints(httpd_t)
-+fs_list_inotifyfs(httpd_t)
-+fs_read_iso9660_files(httpd_t)
- 
- auth_use_nsswitch(httpd_t)
- 
--# execute perl
--corecmd_exec_bin(httpd_t)
--corecmd_exec_shell(httpd_t)
-+application_exec_all(httpd_t)
- 
- domain_use_interactive_fds(httpd_t)
- 
-@@ -358,6 +413,10 @@
- files_read_var_lib_symlinks(httpd_t)
- 
- fs_search_auto_mountpoints(httpd_sys_script_t)
-+# php uploads a file to /tmp and then execs programs to acton them
-+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
- 
- libs_read_lib_files(httpd_t)
- 
-@@ -372,18 +431,33 @@
- 
- userdom_use_unpriv_users_fds(httpd_t)
- 
--mta_send_mail(httpd_t)
--
- tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
- ')
- 
--ifdef(`TODO', `
- #
- # We need optionals to be able to be within booleans to make this work
- #
-+##
-+##

-+## Allow Apache to use mod_auth_pam
-+##

-+##
-+gen_tunable(allow_httpd_mod_auth_pam, false)
++type unconfined_notrans_t;
++type unconfined_notrans_exec_t;
++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
++role unconfined_r types unconfined_notrans_t;
+
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
-+ auth_domtrans_chkpwd(httpd_t)
++########################################
++#
++# Local policy
++#
++
++dontaudit unconfined_t self:dir write;
++
++allow unconfined_t self:system syslog_read;
++dontaudit unconfined_t self:capability sys_module;
++
++domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t)
++
++files_create_boot_flag(unconfined_t)
++files_create_default_dir(unconfined_t)
++
++mcs_killall(unconfined_t)
++mcs_ptrace_all(unconfined_t)
++mls_file_write_all_levels(unconfined_t)
++
++init_run_daemon(unconfined_t, unconfined_r)
++init_domtrans_script(unconfined_t)
++
++libs_run_ldconfig(unconfined_t, unconfined_r)
++
++logging_send_syslog_msg(unconfined_t)
++logging_run_auditctl(unconfined_t, unconfined_r)
++
++mount_run_unconfined(unconfined_t, unconfined_r)
++# Unconfined running as system_r
++mount_domtrans_unconfined(unconfined_t)
++
++seutil_run_setsebool(unconfined_t, unconfined_r)
++seutil_run_setfiles(unconfined_t, unconfined_r)
++seutil_run_semanage(unconfined_t, unconfined_r)
++
++unconfined_domain_noaudit(unconfined_t)
++domain_mmap_low(unconfined_t)
++
++userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
++
++usermanage_run_passwd(unconfined_t, unconfined_r)
++usermanage_run_chfn(unconfined_t, unconfined_r)
++
++tunable_policy(`unconfined_login',`
++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++ allow unconfined_t unconfined_login_domain:fd use;
++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
-+##
-+##

-+## Allow Apache to use mod_auth_pam
-+##

-+##
-+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
-+tunable_policy(`allow_httpd_mod_auth_pam',`
-+ samba_domtrans_winbind_helper(httpd_t)
- ')
- ')
- 
-@@ -391,20 +465,54 @@
- corenet_tcp_connect_all_ports(httpd_t)
- ')
- 
-+tunable_policy(`httpd_can_sendmail',`
-+ # allow httpd to connect to mail servers
-+ corenet_tcp_connect_smtp_port(httpd_t)
-+ corenet_sendrecv_smtp_client_packets(httpd_t)
-+ corenet_tcp_connect_pop_port(httpd_t)
-+ corenet_sendrecv_pop_client_packets(httpd_t)
-+ mta_send_mail(httpd_t)
-+ mta_send_mail(httpd_sys_script_t)
++ loadkeys_run(unconfined_t, unconfined_r)
+')
+
- tunable_policy(`httpd_can_network_relay',`
- # allow httpd to work as a relay
- corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_connect_http_cache_port(httpd_t)
-+ corenet_tcp_connect_memcache_port(httpd_t)
- corenet_sendrecv_gopher_client_packets(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
- ')
- 
-+tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
-+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
-+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
++optional_policy(`
++ nsplugin_role_notrans(unconfined_r, unconfined_t)
++ tunable_policy(`allow_unconfined_nsplugin_transition',`
++ nsplugin_domtrans(unconfined_execmem_t)
++ nsplugin_domtrans_config(unconfined_execmem_t)
++ nsplugin_domtrans(unconfined_t)
++ nsplugin_domtrans_config(unconfined_t)
++ ')
+')
+
-+tunable_policy(`allow_httpd_sys_script_anon_write',`
-+ miscfiles_manage_public_files(httpd_sys_script_t)
-+')
++ifdef(`distro_gentoo',`
++ seutil_run_runinit(unconfined_t, unconfined_r)
++ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
++')
+
-+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
++optional_policy(`
++ ada_run(unconfined_t, unconfined_r)
+')
+
-+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
-+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
++optional_policy(`
++ apache_run_helper(unconfined_t, unconfined_r)
+')
+
++optional_policy(`
++ bind_run_ndc(unconfined_t, unconfined_r)
++')
+
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
-+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
-+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
-+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
-+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
- 
- manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +523,28 @@
- corenet_tcp_bind_ftp_port(httpd_t)
- ')
- 
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_t)
--')
--
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_read_nfs_files(httpd_t)
- fs_read_nfs_symlinks(httpd_t)
- ')
- 
-+tunable_policy(`httpd_use_nfs',`
-+ fs_manage_nfs_dirs(httpd_t)
-+ fs_manage_nfs_files(httpd_t)
-+ fs_manage_nfs_symlinks(httpd_t)
++optional_policy(`
++ bootloader_run(unconfined_t, unconfined_r)
+')
+
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
- ')
- 
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
++optional_policy(`
++ cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
- tunable_policy(`httpd_ssi_exec',`
- corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
- allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +567,10 @@
- ')
- 
- optional_policy(`
-+ cvs_read_data(httpd_t)
++optional_policy(`
++ init_dbus_chat_script(unconfined_t)
++
++ dbus_stub(unconfined_t)
++
++ optional_policy(`
++ avahi_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ bluetooth_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ cups_dbus_chat_config(unconfined_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ gnomeclock_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ kerneloops_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ oddjob_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
++ vpnc_dbus_chat(unconfined_t)
++ ')
+')
+
+optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
- ')
- 
-@@ -459,8 +579,13 @@
- ')
- 
- optional_policy(`
-- kerberos_use(httpd_t)
-- kerberos_read_kdc_config(httpd_t)
-+ dbus_system_bus_client(httpd_t)
-+ tunable_policy(`httpd_dbus_avahi',`
-+ avahi_dbus_chat(httpd_t)
-+ ')
++ firstboot_run(unconfined_t, unconfined_r)
+')
++
+optional_policy(`
-+ kerberos_keytab_template(httpd, httpd_t)
- ')
- 
- optional_policy(`
-@@ -468,22 +593,18 @@
- mailman_domtrans_cgi(httpd_t)
- # should have separate types for public and private archives
- mailman_search_data(httpd_t)
-+ mailman_read_data_files(httpd_t)
- mailman_read_archive(httpd_t)
- ')
- 
- optional_policy(`
-- # Allow httpd to work with mysql
- mysql_stream_connect(httpd_t)
- mysql_rw_db_sockets(httpd_t)
--
-- tunable_policy(`httpd_can_network_connect_db',`
-- mysql_tcp_connect(httpd_t)
-- ')
-+ mysql_read_config(httpd_t)
- ')
- 
- optional_policy(`
- nagios_read_config(httpd_t)
-- nagios_domtrans_cgi(httpd_t)
- ')
- 
- optional_policy(`
-@@ -493,6 +614,12 @@
- openca_kill(httpd_t)
- ')
- 
-+tunable_policy(`httpd_execmem',`
-+ allow httpd_t self:process { execmem execstack };
-+ allow httpd_sys_script_t self:process { execmem execstack };
-+ allow httpd_suexec_t self:process { execmem execstack };
-+')
++ ftp_run_ftpdctl(unconfined_t, unconfined_r)
++')
+
- optional_policy(`
- # Allow httpd to work with postgresql
- postgresql_stream_connect(httpd_t)
-@@ -500,6 +627,7 @@
- 
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
-+ postgresql_tcp_connect(httpd_sys_script_t)
- ')
- ')
- 
-@@ -508,6 +636,7 @@
- ')
- 
- optional_policy(`
-+ files_dontaudit_rw_usr_dirs(httpd_t)
- snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
- snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
- ')
-@@ -535,6 +664,22 @@
- 
- userdom_use_user_terminals(httpd_helper_t)
- 
-+tunable_policy(`httpd_tty_comm',`
-+ userdom_use_user_terminals(httpd_helper_t)
++optional_policy(`
++ gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
-+ type httpd_unconfined_script_t;
-+ type httpd_unconfined_script_exec_t;
-+ domain_type(httpd_unconfined_script_t)
-+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
-+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-+ unconfined_domain(httpd_unconfined_script_t)
++ iptables_run(unconfined_t, unconfined_r)
++')
+
-+ role system_r types httpd_unconfined_script_t;
++optional_policy(`
++ java_run_unconfined(unconfined_t, unconfined_r)
+')
+
++optional_policy(`
++ kismet_run(unconfined_t, unconfined_r)
++')
+
- ########################################
- #
- # Apache PHP script local policy
-@@ -564,20 +709,25 @@
- 
- fs_search_auto_mountpoints(httpd_php_t)
- 
-+auth_use_nsswitch(httpd_php_t)
++optional_policy(`
++ livecd_run(unconfined_t, unconfined_r)
++')
+
- libs_exec_lib_files(httpd_php_t)
- 
- userdom_use_unpriv_users_fds(httpd_php_t)
- 
--optional_policy(`
-- mysql_stream_connect(httpd_php_t)
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_mysqld_port(httpd_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_t)
-+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
-+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
- ')
- 
--optional_policy(`
-- nis_use_ypbind(httpd_php_t)
--')
- 
- optional_policy(`
-- postgresql_stream_connect(httpd_php_t)
-+ mysql_stream_connect(httpd_php_t)
-+ mysql_read_config(httpd_php_t)
- ')
- 
- ########################################
-@@ -595,23 +745,24 @@
- append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
- 
--allow httpd_suexec_t httpd_t:fifo_file getattr;
-+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
- 
- manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
- manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
- files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
- 
-+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++optional_policy(`
++ lpd_run_checkpc(unconfined_t, unconfined_r)
++')
+
- kernel_read_kernel_sysctls(httpd_suexec_t)
- kernel_list_proc(httpd_suexec_t)
- kernel_read_proc_symlinks(httpd_suexec_t)
- 
- dev_read_urand(httpd_suexec_t)
- 
-+fs_read_iso9660_files(httpd_suexec_t)
- fs_search_auto_mountpoints(httpd_suexec_t)
- 
--# for shell scripts
--corecmd_exec_bin(httpd_suexec_t)
--corecmd_exec_shell(httpd_suexec_t)
-+application_exec_all(httpd_suexec_t)
- 
- files_read_etc_files(httpd_suexec_t)
- files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +775,7 @@
- logging_send_syslog_msg(httpd_suexec_t)
- 
- miscfiles_read_localization(httpd_suexec_t)
-+miscfiles_read_public_files(httpd_suexec_t)
- 
- tunable_policy(`httpd_can_network_connect',`
- allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +793,20 @@
- corenet_sendrecv_all_client_packets(httpd_suexec_t)
- ')
- 
-+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
++optional_policy(`
++ modutils_run_update_mods(unconfined_t, unconfined_r)
++')
+
-+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_sys_script_t httpdcontent:file entrypoint;
- domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
- ')
--
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_suexec_t)
-+tunable_policy(`httpd_enable_cgi',`
-+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
- ')
- 
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +832,14 @@
- dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
- ')
- 
--optional_policy(`
-- nagios_domtrans_cgi(httpd_suexec_t)
--')
--
- ########################################
- #
- # Apache system script local policy
- #
- 
-+auth_use_nsswitch(httpd_sys_script_t)
++optional_policy(`
++ mono_role_template(unconfined, unconfined_r, unconfined_t)
++ unconfined_domain_noaudit(unconfined_mono_t)
++ role system_r types unconfined_mono_t;
++')
+
-+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
- allow httpd_sys_script_t httpd_t:tcp_socket { read write };
- 
- dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +858,24 @@
- # Should we add a boolean?
- apache_domtrans_rotatelogs(httpd_sys_script_t)
- 
-+sysnet_read_config(httpd_sys_script_t)
++optional_policy(`
++ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
++')
+
- ifdef(`distro_redhat',`
- allow httpd_sys_script_t httpd_log_t:file append_file_perms;
- ')
- 
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_sys_script_t)
-+fs_read_iso9660_files(httpd_sys_script_t)
++optional_policy(`
++ prelink_run(unconfined_t, unconfined_r)
++')
+
-+tunable_policy(`httpd_use_nfs',`
-+ fs_manage_nfs_dirs(httpd_sys_script_t)
-+ fs_manage_nfs_files(httpd_sys_script_t)
-+ fs_manage_nfs_symlinks(httpd_sys_script_t)
-+ fs_exec_nfs_files(httpd_sys_script_t)
++optional_policy(`
++ portmap_run_helper(unconfined_t, unconfined_r)
++')
+
-+ fs_manage_nfs_dirs(httpd_suexec_t)
-+ fs_manage_nfs_files(httpd_suexec_t)
-+ fs_manage_nfs_symlinks(httpd_suexec_t)
-+ fs_exec_nfs_files(httpd_suexec_t)
- ')
- 
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +883,35 @@
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
- 
-+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
++optional_policy(`
++ qemu_role_notrans(unconfined_r, unconfined_t)
++ qemu_unconfined_role(unconfined_r)
+
-+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
-+ corenet_udp_bind_generic_node(httpd_sys_script_t)
-+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
-+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
-+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
-+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
-+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
-+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
++ tunable_policy(`allow_unconfined_qemu_transition',`
++ qemu_domtrans(unconfined_t)
++ ',`
++ qemu_domtrans_unconfined(unconfined_t)
++')
+')
+
++optional_policy(`
++ rpm_run(unconfined_t, unconfined_r)
++ # Allow SELinux aware applications to request rpm_script execution
++ rpm_transition_script(unconfined_t)
++ rpm_role_transition(unconfined_r)
++')
+
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_sys_script_t)
-+ fs_manage_cifs_files(httpd_sys_script_t)
-+ fs_manage_cifs_symlinks(httpd_sys_script_t)
-+ fs_manage_cifs_dirs(httpd_suexec_t)
-+ fs_manage_cifs_files(httpd_suexec_t)
-+ fs_manage_cifs_symlinks(httpd_suexec_t)
-+ fs_exec_cifs_files(httpd_suexec_t)
++optional_policy(`
++ samba_role_notrans(unconfined_r)
++ samba_run_unconfined_net(unconfined_t, unconfined_r)
++ samba_run_winbind_helper(unconfined_t, unconfined_r)
++ samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_sys_script_t)
- fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +924,10 @@
- optional_policy(`
- mysql_stream_connect(httpd_sys_script_t)
- mysql_rw_db_sockets(httpd_sys_script_t)
-+ mysql_read_config(httpd_sys_script_t)
-+ mysql_stream_connect(httpd_suexec_t)
-+ mysql_rw_db_sockets(httpd_suexec_t)
-+ mysql_read_config(httpd_suexec_t)
- ')
- 
- optional_policy(`
-@@ -735,6 +939,8 @@
- # httpd_rotatelogs local policy
- #
- 
-+allow httpd_rotatelogs_t self:capability dac_override;
++optional_policy(`
++ sendmail_run_unconfined(unconfined_t, unconfined_r)
++')
+
- manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
- 
- kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +960,12 @@
- 
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_user_script_t httpdcontent:file entrypoint;
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
- ')
- 
- # allow accessing files/dirs below the users home dir
-@@ -762,3 +974,66 @@
- userdom_search_user_home_dirs(httpd_suexec_t)
- userdom_search_user_home_dirs(httpd_user_script_t)
- ')
++optional_policy(`
++ sysnet_run_dhcpc(unconfined_t, unconfined_r)
++ sysnet_dbus_chat_dhcpc(unconfined_t)
++ sysnet_role_transition_dhcpc(unconfined_r)
++')
+
-+#============= bugzilla policy ==============
-+apache_content_template(bugzilla)
++optional_policy(`
++ tzdata_run(unconfined_t, unconfined_r)
++')
+
-+type httpd_bugzilla_tmp_t;
-+files_tmp_file(httpd_bugzilla_tmp_t)
++optional_policy(`
++ vbetool_run(unconfined_t, unconfined_r)
++')
+
-+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
-+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
-+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
++optional_policy(`
++ vpn_run(unconfined_t, unconfined_r)
++')
+
-+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
-+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
-+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
-+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
-+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
-+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
-+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
-+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
++optional_policy(`
++ webalizer_run(unconfined_t, unconfined_r)
++')
+
-+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++optional_policy(`
++ wine_run(unconfined_t, unconfined_r)
++')
+
-+files_search_var_lib(httpd_bugzilla_script_t)
++optional_policy(`
++ xserver_run(unconfined_t, unconfined_r)
++ xserver_rw_shm(unconfined_t)
++')
+
-+mta_send_mail(httpd_bugzilla_script_t)
++########################################
++#
++# Unconfined Execmem Local policy
++#
+
-+sysnet_read_config(httpd_bugzilla_script_t)
-+sysnet_use_ldap(httpd_bugzilla_script_t)
++allow unconfined_execmem_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_execmem_t)
++allow unconfined_execmem_t unconfined_t:process transition;
+
+optional_policy(`
-+ mysql_search_db(httpd_bugzilla_script_t)
-+ mysql_stream_connect(httpd_bugzilla_script_t)
++ init_dbus_chat_script(unconfined_execmem_t)
++ dbus_system_bus_client(unconfined_execmem_t)
++ unconfined_dbus_chat(unconfined_execmem_t)
++ unconfined_dbus_connect(unconfined_execmem_t)
+')
+
+optional_policy(`
-+ postgresql_stream_connect(httpd_bugzilla_script_t)
++ avahi_dbus_chat(unconfined_execmem_t)
+')
+
-+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
-+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
-+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++ optional_policy(`
++ hal_dbus_chat(unconfined_execmem_t)
++ ')
+
-+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
-+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
-+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
++optional_policy(`
++ xserver_rw_shm(unconfined_execmem_t)
++')
+
-+# Removal of fastcgi, will cause problems without the following
-+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
-+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
-+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
-+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
-+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
-+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
-+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
-+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-07 16:01:44.000000000 -0400
-@@ -71,6 +71,7 @@
- files_mounton_all_mountpoints(automount_t)
- files_mount_all_file_type_fs(automount_t)
- files_unmount_all_file_type_fs(automount_t)
-+files_manage_non_security_dirs(automount_t)
- 
- fs_mount_all_fs(automount_t)
- fs_unmount_all_fs(automount_t)
-@@ -100,6 +101,7 @@
- corenet_udp_bind_all_rpc_ports(automount_t)
- 
- dev_read_sysfs(automount_t)
-+dev_rw_autofs(automount_t)
- # for SSP
- dev_read_rand(automount_t)
- dev_read_urand(automount_t)
-@@ -127,6 +129,7 @@
- fs_unmount_autofs(automount_t)
- fs_mount_autofs(automount_t)
- fs_manage_autofs_symlinks(automount_t)
-+fs_read_nfs_files(automount_t)
- 
- storage_rw_fuse(automount_t)
- 
-@@ -142,6 +145,7 @@
- 
- # Run mount in the mount_t domain.
- mount_domtrans(automount_t)
-+mount_signal(automount_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(automount_t)
- userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,7 +159,7 @@
- ')
- 
- optional_policy(`
-- kerberos_read_keytab(automount_t)
-+ kerberos_keytab_template(automount, automount_t)
- kerberos_read_config(automount_t)
- kerberos_dontaudit_write_config(automount_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
---- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2009-04-07 16:01:44.000000000 -0400
-@@ -33,6 +33,7 @@
- allow avahi_t self:tcp_socket create_stream_socket_perms;
- allow avahi_t self:udp_socket create_socket_perms;
- 
-+files_search_var_lib(avahi_t)
- manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
- manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
- files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
-@@ -93,6 +94,7 @@
- dbus_connect_system_bus(avahi_t)
- 
- init_dbus_chat_script(avahi_t)
-+ dbus_system_domain(avahi_t, avahi_exec_t)
- ')
- 
- optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.12/policy/modules/services/bind.fc
---- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/bind.fc 2009-04-07 16:01:44.000000000 -0400
-@@ -1,17 +1,22 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+
- /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
- 
- /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
- /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
- /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
- /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
-+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
- 
- /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
- 
- /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
- /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
- /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
- 
- ifdef(`distro_debian',`
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-@@ -40,8 +45,8 @@
- /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
- /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
- /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
--/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
- /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-+/var/named/chroot/proc(/.*)? <>
- /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
- /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
- /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.12/policy/modules/services/bind.if
---- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/bind.if 2009-04-07 16:01:44.000000000 -0400
-@@ -38,6 +38,42 @@
- 
- ########################################
- ##
-+## Send signulls to BIND.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
++########################################
+#
-+interface(`bind_signull',`
++# Unconfined notrans Local policy
++#
++
++allow unconfined_notrans_t self:process { execstack execmem };
++unconfined_domain_noaudit(unconfined_notrans_t)
++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
++# Allow SELinux aware applications to request rpm_script execution
++rpm_transition_script(unconfined_notrans_t)
++domain_ptrace_all_domains(unconfined_notrans_t)
++
++optional_policy(`
+ gen_require(`
-+ type named_t;
++ type mplayer_exec_t;
+ ')
-+
-+ allow $1 named_t:process signull;
++ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+')
+
-+########################################
-+##
-+## Send BIND the kill signal
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bind_kill',`
++tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ gen_require(`
-+ type named_t;
++ type mozilla_exec_t;
+ ')
++ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
++')
++')
+
-+ allow $1 named_t:process sigkill;
++optional_policy(`
++ gen_require(`
++ type openoffice_exec_t;
++ ')
++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
+')
+
+########################################
-+##
- ## Execute ndc in the ndc domain, and
- ## allow the specified role the ndc domain.
- ##
-@@ -251,6 +287,25 @@
- 
- ########################################
- ##
-+## Execute bind server in the bind domain.
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
+#
++# Unconfined mount local policy
+#
++
++optional_policy(`
+ gen_require(`
-+ type bind_initrc_exec_t;
++ type unconfined_mount_t;
+ ')
+
-+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
++ files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
++
++ rpc_domtrans_rpcd(unconfined_mount_t)
++
++ unconfined_domain_noaudit(unconfined_mount_t)
++ optional_policy(`
++ hal_dbus_chat(unconfined_mount_t)
++ ')
+')
+
-+########################################
-+##
- ## All of the rules required to administrate
- ## an bind environment
- ##
-@@ -269,7 +324,7 @@
- interface(`bind_admin',`
- gen_require(`
- type named_t, named_tmp_t, named_log_t;
-- type named_conf_t, named_var_run_t;
-+ type named_conf_t, named_var_lib_t, named_var_run_t;
- type named_cache_t, named_zone_t;
- type dnssec_t, ndc_t;
- type named_initrc_exec_t;
-@@ -283,6 +338,7 @@
- 
- bind_run_ndc($1, $2)
- 
-+ bind_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 named_initrc_exec_t system_r;
- allow $2 system_r;
-@@ -300,6 +356,9 @@
- admin_pattern($1, named_zone_t)
- admin_pattern($1, dnssec_t)
- 
-+ files_list_var_lib($1)
-+ admin_pattern($1, named_var_lib_t)
++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
- files_list_pids($1)
- admin_pattern($1, named_var_run_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.12/policy/modules/services/bind.te
---- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/bind.te 2009-04-07 16:01:44.000000000 -0400
-@@ -123,6 +123,7 @@
- corenet_sendrecv_dns_client_packets(named_t)
- corenet_sendrecv_rndc_server_packets(named_t)
- corenet_sendrecv_rndc_client_packets(named_t)
-+corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
- corenet_udp_bind_all_unreserved_ports(named_t)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
+--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-04-07 16:01:44.000000000 -0400
+@@ -14,142 +14,13 @@
+ userdom_unpriv_user_template(user)
- dev_read_sysfs(named_t)
-@@ -169,7 +170,7 @@
+ optional_policy(`
+- apache_role(user_r, user_t)
++ kerneloops_dontaudit_dbus_chat(user_t)
')
optional_policy(`
-- kerberos_use(named_t)
-+ kerberos_keytab_template(named, named_t)
')
optional_policy(`
+- auth_role(user_r, user_t)
++ rpm_dontaudit_dbus_chat(user_t)
')
optional_policy(`
-@@ -229,6 +230,7 @@
- files_search_pids(ndc_t)
- 
- fs_getattr_xattr_fs(ndc_t)
-+fs_list_inotifyfs(ndc_t)
- 
- init_use_fds(ndc_t)
- init_use_script_ptys(ndc_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.12/policy/modules/services/bitlbee.te
---- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/bitlbee.te 2009-04-07 16:01:44.000000000 -0400
-@@ -75,6 +75,8 @@
- # grant read-only access to the user help files
- files_read_usr_files(bitlbee_t)
- 
-+kernel_read_system_state(bitlbee_t)
-+
- libs_legacy_use_shared_libs(bitlbee_t)
- 
- miscfiles_read_localization(bitlbee_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc
---- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,9 @@
-+
-+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
-+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
-+
-+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
-+
-+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
-+
-+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.12/policy/modules/services/certmaster.if
---- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/certmaster.if 2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,123 @@
-+## policy for certmaster
-+
-+########################################
-+##
-+## Execute a domain transition to run certmaster.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`certmaster_domtrans',`
-+ gen_require(`
-+ type certmaster_t, certmaster_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,certmaster_exec_t,certmaster_t)
+- bluetooth_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- cdrecord_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- cron_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- dbus_role_template(user, user_r, user_t)
+-')
+-
+-optional_policy(`
+- ethereal_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- evolution_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- games_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- gift_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- gnome_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- gpg_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- irc_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- java_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- lockdev_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- lpd_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- mozilla_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- mplayer_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- mta_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- oident_manage_user_content(user_t)
+- oident_relabel_user_content(user_t)
+-')
+-
+-optional_policy(`
+- pyzor_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- razor_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- rssh_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- screen_role_template(user, user_r, user_t)
+-')
+-
+-optional_policy(`
+- spamassassin_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- ssh_role_template(user, user_r, user_t)
+-')
+-
+-optional_policy(`
+- su_role_template(user, user_r, user_t)
+-')
+-
+-optional_policy(`
+- sudo_role_template(user, user_r, user_t)
+-')
+-
+-optional_policy(`
+- thunderbird_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- tvtime_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- uml_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- userhelper_role_template(user, user_r, user_t)
+-')
+-
+-optional_policy(`
+- vmware_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- wireshark_role(user_r, user_t)
+-')
+-
+-optional_policy(`
+- xserver_role(user_r, user_t)
++ setroubleshoot_dontaudit_stream_connect(user_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.12/policy/modules/roles/webadm.te
+--- nsaserefpolicy/policy/modules/roles/webadm.te 2009-04-07 15:53:36.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/roles/webadm.te 2009-04-07 16:06:28.000000000 -0400
+@@ -42,7 +42,7 @@
+ 
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+ 
+-#apache_admin(webadm_t, webadm_r)
++apache_admin(webadm_t, webadm_r)
+ 
+ tunable_policy(`webadm_manage_user_files',`
+ userdom_manage_user_home_content_files(webadm_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te
+--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400
++++ 
serefpolicy-3.6.12/policy/modules/roles/xguest.te 2009-04-07 16:01:44.000000000 -0400 +@@ -67,7 +67,11 @@ + ') + + optional_policy(` +- java_role(xguest_r, xguest_t) ++ java_role_template(xguest, xguest_r, xguest_t) +') + -+####################################### ++optional_policy(` ++ mono_role_template(xguest, xguest_r, xguest_t) + ') + + optional_policy(` +@@ -75,9 +79,13 @@ + ') + + optional_policy(` ++ nsplugin_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + tunable_policy(`xguest_connect_network',` + networkmanager_dbus_chat(xguest_t) + ') + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) ++gen_user(xguest_u, user, xguest_r, s0, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.12/policy/modules/services/afs.fc +--- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/afs.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,3 +1,6 @@ ++/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) ++ + /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) + /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) + /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) +@@ -17,6 +20,13 @@ + + /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) + ++/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++ + /vicepa gen_context(system_u:object_r:afs_files_t,s0) + /vicepb gen_context(system_u:object_r:afs_files_t,s0) + /vicepc gen_context(system_u:object_r:afs_files_t,s0) ++ ++ ++/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++ ++/var/cache/afs(/.*)? 
gen_context(system_u:object_r:afs_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.12/policy/modules/services/afs.if +--- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/afs.if 2009-04-07 16:01:44.000000000 -0400 +@@ -1 +1,110 @@ + ## Andrew Filesystem server ++ ++######################################## +## -+## read certmaster logs. ++## Execute a domain transition to run afs. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`certmaster_read_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') ++interface(`afs_domtrans',` ++ gen_require(` ++ type afs_t; ++ type afs_exec_t; ++ ') + -+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ domtrans_pattern($1,afs_exec_t,afs_t) +') + -+####################################### ++ ++######################################## +## -+## Append to certmaster logs. ++## Read and write afs UDP sockets. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`certmaster_append_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') ++interface(`afs_rw_udp_sockets',` ++ gen_require(` ++ type afs_t; ++ ') + -+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ allow $1 afs_t:udp_socket { read write }; +') + -+####################################### ++######################################## +## -+## Create, read, write, and delete -+## certmaster logs. ++## read/write afs cache files +## +## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`certmaster_manage_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+######################################## +## -+## All of the rules required to administrate -+## an snort environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+# -+interface(`certmaster_admin',` -+ gen_require(` -+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; -+ type certmaster_etc_rw_t, certmaster_var_log_t; -+ type certmaster_initrc_exec_t; -+ ') -+ -+ allow $1 certmaster_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, certmaster_t) -+ -+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 certmaster_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ miscfiles_manage_cert_dirs($1) -+ miscfiles_manage_cert_files($1) -+ -+ admin_pattern($1, certmaster_etc_rw_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, certmaster_var_run_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, certmaster_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, certmaster_var_lib_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.12/policy/modules/services/certmaster.te ---- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/certmaster.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,79 @@ -+policy_module(certmaster,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+# type and domain for certmaster -+type certmaster_t; -+type certmaster_exec_t; -+init_daemon_domain(certmaster_t, certmaster_exec_t) -+ 
-+type certmaster_initrc_exec_t; -+init_script_file(certmaster_initrc_exec_t) -+ -+# var/lib files -+type certmaster_var_lib_t; -+files_type(certmaster_var_lib_t) -+ -+# config files -+type certmaster_etc_rw_t; -+files_config_file(certmaster_etc_rw_t) -+ -+# log files -+type certmaster_var_log_t; -+logging_log_file(certmaster_var_log_t) -+ -+# pid files -+type certmaster_var_run_t; -+files_pid_file(certmaster_var_run_t) -+ -+########################################### -+# -+# certmaster local policy -+# -+ -+allow certmaster_t self:capability sys_tty_config; -+allow certmaster_t self:tcp_socket create_stream_socket_perms; -+ -+# config files -+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) -+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) -+ -+# var/lib files for certmaster -+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) -+ -+# log files -+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) -+ -+# pid file -+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) -+ -+corecmd_search_bin(certmaster_t) -+corecmd_getattr_bin_files(certmaster_t) -+ -+# network -+corenet_tcp_bind_generic_node(certmaster_t) -+corenet_tcp_bind_certmaster_port(certmaster_t) -+ -+files_search_etc(certmaster_t) -+files_list_var(certmaster_t) -+files_search_var_lib(certmaster_t) -+ -+# read meminfo -+kernel_read_system_state(certmaster_t) -+ -+auth_use_nsswitch(certmaster_t) -+ -+miscfiles_read_localization(certmaster_t) -+ -+miscfiles_manage_cert_dirs(certmaster_t) 
-+miscfiles_manage_cert_files(certmaster_t) -+ -+permissive certmaster_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.12/policy/modules/services/clamav.fc ---- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/clamav.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,20 +1,23 @@ - /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) -+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) - - /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - - /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) -+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - - /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) - - /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -+/var/clamav(/.*)? 
gen_context(system_u:object_r:clamd_var_lib_t,s0) - --/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) --/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) - /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) - - /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.12/policy/modules/services/clamav.if ---- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/clamav.if 2009-04-07 16:01:44.000000000 -0400 -@@ -38,6 +38,27 @@ - - ######################################## - ## -+## Allow the specified domain to append -+## to clamav log files. ++## Domain allowed to transition. +## -+## -+## -+## Domain allowed access. -+## +## +# -+interface(`clamav_append_log',` ++interface(`afs_rw_cache',` + gen_require(` -+ type clamav_log_t; ++ type afs_cache_t; + ') + -+ logging_search_logs($1) -+ allow $1 clamav_log_t:dir list_dir_perms; -+ append_files_pattern($1, clamav_log_t, clamav_log_t) ++ allow $1 afs_cache_t:file {read write}; +') + -+######################################## -+## - ## Read clamav configuration files. - ## - ## -@@ -91,3 +112,87 @@ - - domtrans_pattern($1, clamscan_exec_t, clamscan_t) - ') + +######################################## +## -+## Execute clamscan without a transition. ++## Execute afs server in the afs domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. 
+## +## +# -+interface(`clamav_exec_clamscan',` ++interface(`afs_initrc_domtrans',` + gen_require(` -+ type clamscan_exec_t; ++ type afs_initrc_exec_t; + ') + -+ can_exec($1, clamscan_exec_t) -+ ++ init_script_domtrans_spec($1,afs_initrc_exec_t) +') + +######################################## +## +## All of the rules required to administrate -+## an clamav environment ++## an afs environment +## +## +## 
@@ -8515,606 +7673,590 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the clamav domain. ++## The role to be allowed to manage the afs domain. +## +## +## +# -+interface(`clamav_admin',` ++interface(`afs_admin',` + gen_require(` -+ type clamd_t, clamd_etc_t, clamd_tmp_t; -+ type clamd_var_log_t, clamd_var_lib_t; -+ type clamd_var_run_t; -+ -+ type clamscan_t, clamscan_tmp_t; -+ -+ type freshclam_t, freshclam_var_log_t; -+ -+ type clamd_initrc_exec_t; ++ type afs_t; ++ type afs_initrc_exec_t; + ') + -+ allow $1 clamd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, clamd_t) -+ -+ allow $1 clamscan_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, clamscan_t) ++ allow $1 afs_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, afs_t, afs_t) + -+ allow $1 freshclam_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, freshclam_t) -+ -+ init_labeled_script_domtrans($1, clamd_initrc_exec_t) ++ # Allow afs_t to restart the apache service ++ afs_initrc_domtrans($1) + domain_system_change_exemption($1) -+ role_transition $2 clamd_initrc_exec_t system_r; ++ role_transition $2 afs_initrc_exec_t system_r; + allow $2 system_r; + -+ files_list_tmp($1) -+ admin_pattern($1, clamd_tmp_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, clamd_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, clamd_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, clamd_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, clamd_var_run_t) -+ -+ admin_pattern($1, clamscan_tmp_t) -+ -+ admin_pattern($1, freshclam_var_log_t) +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/clamav.te 2009-04-07 
16:01:44.000000000 -0400 -@@ -13,7 +13,10 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.12/policy/modules/services/afs.te +--- nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/afs.te 2009-04-07 16:01:44.000000000 -0400 +@@ -6,6 +6,16 @@ + # Declarations + # - # configuration files - type clamd_etc_t; --files_type(clamd_etc_t) -+files_config_file(clamd_etc_t) ++type afs_t; ++type afs_exec_t; ++init_daemon_domain(afs_t, afs_exec_t) + -+type clamd_initrc_exec_t; -+init_script_file(clamd_initrc_exec_t) - - # tmp files - type clamd_tmp_t; -@@ -87,6 +90,9 @@ - kernel_dontaudit_list_proc(clamd_t) - kernel_read_sysctl(clamd_t) - kernel_read_kernel_sysctls(clamd_t) -+kernel_read_system_state(clamd_t) ++type afs_initrc_exec_t; ++init_script_file(afs_initrc_exec_t) + -+corecmd_exec_shell(clamd_t) - - corenet_all_recvfrom_unlabeled(clamd_t) - corenet_all_recvfrom_netlabel(clamd_t) -@@ -97,6 +103,8 @@ - corenet_tcp_bind_generic_node(clamd_t) - corenet_tcp_bind_clamd_port(clamd_t) - corenet_sendrecv_clamd_server_packets(clamd_t) -+corenet_tcp_bind_generic_port(clamd_t) -+corenet_tcp_connect_generic_port(clamd_t) - - dev_read_rand(clamd_t) - dev_read_urand(clamd_t) -@@ -117,6 +125,9 @@ - cron_use_system_job_fds(clamd_t) - cron_rw_pipes(clamd_t) - -+mta_read_config(clamd_t) -+mta_send_mail(clamd_t) ++type afs_cache_t; ++files_type(afs_cache_t) + - optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) -@@ -124,6 +135,10 @@ - amavis_create_pid_files(clamd_t) - ') + type afs_bosserver_t; + type afs_bosserver_exec_t; + init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) +@@ -302,3 +312,46 @@ + sysnet_read_config(afs_vlserver_t) -+optional_policy(` -+ exim_read_spool_files(clamd_t) -+') + userdom_dontaudit_use_user_terminals(afs_vlserver_t) + - ######################################## - # 
- # Freshclam local policy -@@ -191,7 +206,7 @@ - allow clamscan_t self:fifo_file rw_file_perms; - allow clamscan_t self:unix_stream_socket create_stream_socket_perms; - allow clamscan_t self:unix_dgram_socket create_socket_perms; --allow clamscan_t self:tcp_socket { listen accept }; -+allow clamscan_t self:tcp_socket create_stream_socket_perms; - - # configuration files - allow clamscan_t clamd_etc_t:dir list_dir_perms; -@@ -207,6 +222,14 @@ - manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) - allow clamscan_t clamd_var_lib_t:dir list_dir_perms; - -+corenet_all_recvfrom_unlabeled(clamscan_t) -+corenet_all_recvfrom_netlabel(clamscan_t) -+corenet_tcp_sendrecv_generic_if(clamscan_t) -+corenet_tcp_sendrecv_generic_node(clamscan_t) -+corenet_tcp_sendrecv_all_ports(clamscan_t) -+corenet_tcp_sendrecv_clamd_port(clamscan_t) -+corenet_tcp_connect_clamd_port(clamscan_t) ++######################################## ++# ++# afs local policy ++# + - kernel_read_kernel_sysctls(clamscan_t) - - files_read_etc_files(clamscan_t) -@@ -221,6 +244,8 @@ - - clamav_stream_connect(clamscan_t) - -+mta_send_mail(clamscan_t) ++allow afs_t self:capability { sys_nice sys_tty_config }; ++allow afs_t self:process setsched; ++allow afs_t self:udp_socket create_socket_perms; ++allow afs_t self:fifo_file rw_file_perms; ++allow afs_t self:unix_stream_socket create_stream_socket_perms; + - optional_policy(` - apache_read_sys_content(clamscan_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.12/policy/modules/services/consolekit.fc ---- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,3 +1,6 @@ - /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - - /var/run/consolekit\.pid -- 
gen_context(system_u:object_r:consolekit_var_run_t,s0) -+/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++manage_files_pattern(afs_t,afs_cache_t,afs_cache_t) ++manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t) ++files_var_filetrans(afs_t,afs_cache_t,{file dir}) + -+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.12/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.if 2009-04-07 16:01:44.000000000 -0400 -@@ -38,3 +38,24 @@ - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; - ') ++files_mounton_mnt(afs_t) ++files_read_etc_files(afs_t) ++files_rw_etc_runtime_files(afs_t) + -+######################################## -+## -+## Read consolekit log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`consolekit_read_log',` -+ gen_require(` -+ type consolekit_log_t; -+ ') ++fs_getattr_xattr_fs(afs_t) ++fs_mount_nfs(afs_t) + -+ files_search_pids($1) -+ read_files_pattern($1, consolekit_log_t, consolekit_log_t) -+') ++kernel_rw_afs_state(afs_t) + ++# Init script handling ++domain_use_interactive_fds(afs_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-07 16:01:44.000000000 -0400 -@@ -13,6 +13,9 @@ - type consolekit_var_run_t; - files_pid_file(consolekit_var_run_t) - -+type consolekit_log_t; -+files_pid_file(consolekit_log_t) ++corenet_all_recvfrom_unlabeled(afs_t) ++corenet_all_recvfrom_netlabel(afs_t) ++corenet_tcp_sendrecv_generic_if(afs_t) ++corenet_udp_sendrecv_generic_if(afs_t) ++corenet_tcp_sendrecv_generic_node(afs_t) ++corenet_udp_sendrecv_generic_node(afs_t) ++corenet_tcp_sendrecv_all_ports(afs_t) ++corenet_udp_sendrecv_all_ports(afs_t) ++corenet_udp_bind_generic_node(afs_t) + - ######################################## - # - # consolekit local policy -@@ -24,20 +27,27 @@ - allow consolekit_t self:unix_stream_socket create_stream_socket_perms; - allow consolekit_t self:unix_dgram_socket create_socket_perms; - -+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -+logging_log_filetrans(consolekit_t, consolekit_log_t, file) ++miscfiles_read_localization(afs_t) + -+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) - manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) --files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) -+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) - - kernel_read_system_state(consolekit_t) - - 
corecmd_exec_bin(consolekit_t) -+corecmd_exec_shell(consolekit_t) - - dev_read_urand(consolekit_t) - dev_read_sysfs(consolekit_t) - - domain_read_all_domains_state(consolekit_t) - domain_use_interactive_fds(consolekit_t) -+domain_dontaudit_ptrace_all_domains(consolekit_t) ++logging_send_syslog_msg(afs_t) ++ ++permissive afs_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc +--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,12 +1,13 @@ +-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) ++HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - files_read_etc_files(consolekit_t) -+files_read_usr_files(consolekit_t) - # needs to read /var/lib/dbus/machine-id - files_read_var_lib_files(consolekit_t) + /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) + /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) + /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) + /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) + /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) ++/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) + /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -@@ -47,13 +57,35 @@ + /srv/([^/]*/)?www(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_t,s0) +@@ -22,6 +23,7 @@ + /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - auth_use_nsswitch(consolekit_t) ++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +@@ -32,12 +34,17 @@ + /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) + ') -+init_telinit(consolekit_t) -+init_rw_utmp(consolekit_t) -+init_chat(consolekit_t) -+ -+logging_send_syslog_msg(consolekit_t) ++/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + - miscfiles_read_localization(consolekit_t) -+# consolekit needs to be able to ptrace all logged in users -+userdom_ptrace_all_users(consolekit_t) -+userdom_dontaudit_read_user_home_content_files(consolekit_t) -+userdom_read_user_tmp_files(consolekit_t) -+ -+hal_ptrace(consolekit_t) -+mcs_ptrace_all(consolekit_t) -+ - optional_policy(` -- dbus_system_bus_client(consolekit_t) -- dbus_connect_system_bus(consolekit_t) -+ cron_read_system_job_lib_files(consolekit_t) -+') + /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/mason(/.*)? 
gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +@@ -47,6 +54,7 @@ -+optional_policy(` -+ dbus_system_domain(consolekit_t, consolekit_exec_t) -+ optional_policy(` - hal_dbus_chat(consolekit_t) -+ ') + /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +@@ -50,8 +58,10 @@ + /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + -+ optional_policy(` -+ rpm_dbus_chat(consolekit_t) -+ ') + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - optional_policy(` - unconfined_dbus_chat(consolekit_t) -@@ -61,6 +93,31 @@ - ') ++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/cacti(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) +@@ -64,11 +74,28 @@ + /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - optional_policy(` -+ polkit_domtrans_auth(consolekit_t) -+ polkit_read_lib(consolekit_t) -+ polkit_read_reload(consolekit_t) -+') -+ -+optional_policy(` - xserver_read_user_xauth(consolekit_t) - xserver_stream_connect(consolekit_t) -+ xserver_ptrace_xdm(consolekit_t) -+ xserver_common_app(consolekit_t) -+') + /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) + /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) + + /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+optional_policy(` -+ #reading .Xauthity -+ unconfined_ptrace(consolekit_t) -+ unconfined_stream_connect(consolekit_t) -+') ++#Bugzilla file context ++/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) ++/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) ++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) ++#viewvc file context ++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++/var/www/html/[^/]*/cgi-bin(/.*)? 
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_list_nfs(consolekit_t) -+ fs_dontaudit_rw_nfs_files(consolekit_t) - ') ++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + -+tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_list_cifs(consolekit_t) -+ fs_dontaudit_rw_cifs_files(consolekit_t) -+') ++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.12/policy/modules/services/courier.if ---- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/courier.if 2009-04-07 16:01:44.000000000 -0400 -@@ -179,6 +179,24 @@ ++/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.12/policy/modules/services/apache.if +--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/apache.if 2009-04-07 16:01:44.000000000 -0400 +@@ -13,21 +13,16 @@ + # + template(`apache_content_template',` + gen_require(` +- attribute httpdcontent; + attribute httpd_exec_scripts; + attribute httpd_script_exec_type; + type httpd_t, httpd_suexec_t, httpd_log_t; + ') +- # allow write access to public file transfer +- # services files. +- gen_tunable(allow_httpd_$1_script_anon_write, false) +- + #This type is for webpages +- type httpd_$1_content_t, httpdcontent; # customizable ++ type httpd_$1_content_t; + files_type(httpd_$1_content_t) - ######################################## - ## -+## Read courier spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`courier_read_spool',` -+ gen_require(` -+ type courier_spool_t; -+ ') -+ -+ read_files_pattern($1, courier_spool_t, courier_spool_t) -+') -+ -+######################################## -+## - ## Read and write to courier spool pipes. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.12/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/courier.te 2009-04-07 16:01:44.000000000 -0400 -@@ -10,6 +10,7 @@ + # This type is used for .htaccess files +- type httpd_$1_htaccess_t; # customizable; ++ type httpd_$1_htaccess_t; + files_type(httpd_$1_htaccess_t) - type courier_etc_t; - files_config_file(courier_etc_t) -+mta_system_content(courier_etc_t) + # Type that CGI scripts run as +@@ -42,20 +37,22 @@ - courier_domain_template(pcp) + # The following three are the only areas that + # scripts can read, read/write, or append to +- type httpd_$1_script_ro_t, httpdcontent; # customizable +- files_type(httpd_$1_script_ro_t) ++ typealias httpd_$1_content_t alias httpd_$1_script_ro_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) +- type httpd_$1_script_rw_t, httpdcontent; # customizable +- files_type(httpd_$1_script_rw_t) ++ type httpd_$1_content_rw_t; ++ files_type(httpd_$1_content_rw_t) ++ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; - /etc/cron\.d(/.*)? 
gen_context(system_u:object_r:system_cron_spool_t,s0) - /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -@@ -17,9 +18,9 @@ - /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +- type httpd_$1_script_ra_t, httpdcontent; # customizable +- files_type(httpd_$1_script_ra_t) ++ type httpd_$1_content_ra_t; ++ files_type(httpd_$1_content_ra_t) ++ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; --/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/at/[^/]* -- <> -+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -+ -+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +- allow httpd_t httpd_$1_htaccess_t:file read_file_perms; ++ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) - #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -41,7 +42,11 @@ - #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/fcron/[^/]* <> -+/var/spool/fcron/.* <> - /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -+ -+/var/lib/glpi/files(/.*)? 
gen_context(system_u:object_r:cron_var_lib_t,s0) -+ -+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-04-07 16:01:44.000000000 -0400 -@@ -12,6 +12,10 @@ - ## - # - template(`cron_common_crontab_template',` -+ gen_require(` -+ type crond_t, crond_var_run_t; -+ ') -+ - ############################## - # - # Declarations -@@ -31,16 +35,21 @@ +- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; ++ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; ++ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; - # dac_override is to create the file in the directory under /tmp - allow $1_t self:capability { fowner setuid setgid chown dac_override }; -- allow $1_t self:process signal_perms; -+ allow $1_t self:process { setsched signal_perms }; -+ allow $1_t self:fifo_file rw_fifo_file_perms; -+ -+ allow $1_t crond_t:process signal; -+ allow $1_t crond_var_run_t:file read_file_perms; + allow httpd_$1_script_t self:fifo_file rw_file_perms; + allow httpd_$1_script_t self:unix_stream_socket connectto; +@@ -65,29 +62,27 @@ + dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; - allow $1_t $1_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_t,$1_tmp_t,file) + # Allow the script process to search the cgi directory, and users directory +- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; ++ list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) ++ 
read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - # create files in /var/spool/cron - # cjp: change this to a role transition -+ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t) - manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) - filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) -- files_search_spool($1_t) -+ files_list_spool($1_t) + append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) + logging_search_logs(httpd_$1_script_t) - # crontab signals crond by updating the mtime on the spooldir - allow $1_t cron_spool_t:dir setattr; -@@ -55,9 +64,16 @@ - domain_use_interactive_fds($1_t) + can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) +- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - files_read_etc_files($1_t) -+ files_read_usr_files($1_t) - files_dontaudit_search_pids($1_t) - - logging_send_syslog_msg($1_t) -+ logging_send_audit_msgs($1_t) -+ logging_set_loginuid($1_t) -+ auth_domtrans_chk_passwd($1_t) +- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; +- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- +- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; +- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- +- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_$1_script_t, 
httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) ++ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + -+ init_dontaudit_write_utmp($1_t) -+ init_read_utmp($1_t) ++ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) - miscfiles_read_localization($1_t) + kernel_dontaudit_search_sysctl(httpd_$1_script_t) + kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) +@@ -96,6 +91,7 @@ + dev_read_urand(httpd_$1_script_t) -@@ -147,26 +163,26 @@ - # - interface(`cron_unconfined_role',` - gen_require(` -- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; -+ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; - ') + corecmd_exec_all_executables(httpd_$1_script_t) ++ application_exec_all(httpd_$1_script_t) -- role $1 types { unconfined_cronjob_t crontab_t }; -+ role $1 types { unconfined_cronjob_t admin_crontab_t }; + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) +@@ -109,34 +105,21 @@ - # cronjob shows up in user ps - 
ps_process_pattern($2, unconfined_cronjob_t) + seutil_dontaudit_search_config(httpd_$1_script_t) - # Transition from the user domain to the derived domain. -- domtrans_pattern($2, crontab_exec_t, crontab_t) -+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) +- tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_$1_script_t httpdcontent:file entrypoint; +- +- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- can_exec(httpd_$1_script_t, httpdcontent) +- ') +- +- tunable_policy(`allow_httpd_$1_script_anon_write',` +- miscfiles_manage_public_files(httpd_$1_script_t) +- ') +- + # Allow the web server to run scripts and serve pages + tunable_policy(`httpd_builtin_scripting',` +- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- +- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; +- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- +- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; +- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) ++ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ rw_sock_files_pattern(httpd_t, 
httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ ++ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ ++ allow httpd_t httpd_$1_content_t:dir list_dir_perms; ++ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - # crontab shows up in user ps -- ps_process_pattern($2, crontab_t) -- allow $2 crontab_t:process signal; -+ ps_process_pattern($2, admin_crontab_t) -+ allow $2 admin_crontab_t:process signal; + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) +@@ -149,9 +132,13 @@ + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - # Run helper programs as the user domain -- #corecmd_bin_domtrans(crontab_t, $2) -- #corecmd_shell_domtrans(crontab_t, $2) -- corecmd_exec_bin(crontab_t) -- corecmd_exec_shell(crontab_t) -+ #corecmd_bin_domtrans(admin_crontab_t, $2) -+ #corecmd_shell_domtrans(admin_crontab_t, $2) -+ corecmd_exec_bin(admin_crontab_t) -+ corecmd_exec_shell(admin_crontab_t) ++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; ++ + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - optional_policy(` - gen_require(` -@@ -261,10 +277,12 @@ - allow $1 system_cronjob_t:fifo_file rw_file_perms; - allow $1 system_cronjob_t:process sigchld; ++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms; ++ + allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; + allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; -+ domain_auto_trans(crond_t, $2, $1) - allow $1 crond_t:fifo_file 
rw_file_perms; - allow $1 crond_t:fd use; - allow $1 crond_t:process sigchld; +@@ -175,50 +162,6 @@ + miscfiles_read_localization(httpd_$1_script_t) + ') -+ userdom_dontaudit_list_admin_dir($1) - role system_r types $1; - ') +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; +- allow httpd_$1_script_t self:udp_socket create_socket_perms; +- +- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) +- corenet_all_recvfrom_netlabel(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) +- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) +- +- sysnet_read_config(httpd_$1_script_t) +- ') +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; +- allow httpd_$1_script_t self:udp_socket create_socket_perms; +- +- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) +- corenet_all_recvfrom_netlabel(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) +- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) +- corenet_tcp_connect_all_ports(httpd_$1_script_t) +- corenet_sendrecv_all_client_packets(httpd_$1_script_t) +- +- sysnet_read_config(httpd_$1_script_t) +- ') +- +- optional_policy(` +- mta_send_mail(httpd_$1_script_t) +- ') +- +- optional_policy(` +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_$1_script_t) +- ') +- ') +- + optional_policy(` + tunable_policy(`httpd_enable_cgi && 
allow_ypbind',` + nis_use_ypbind_uncond(httpd_$1_script_t) +@@ -227,10 +170,6 @@ -@@ -343,6 +361,24 @@ + optional_policy(` + postgresql_unpriv_client(httpd_$1_script_t) +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_$1_script_t) +- ') + ') + optional_policy(` +@@ -504,6 +443,47 @@ ######################################## ## -+## Allow read/write unix stream sockets from the system cron jobs. + ## Allow the specified domain to read ++## apache tmp files. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`cron_rw_system_stream_sockets',` ++interface(`apache_read_tmp',` + gen_require(` -+ type system_cronjob_t; ++ type httpd_config_t; + ') + -+ allow $1 system_cronjob_t:unix_stream_socket { read write }; ++ files_search_tmp($1) ++ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) +') + +######################################## +## - ## Read and write a cron daemon unnamed pipe. - ## - ## -@@ -361,7 +397,7 @@ - - ######################################## - ## --## Read, and write cron daemon TCP sockets. -+## Dontaudit Read, and write cron daemon TCP sockets. - ## - ## - ## -@@ -369,7 +405,7 @@ - ## - ## - # --interface(`cron_rw_tcp_sockets',` -+interface(`cron_dontaudit_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') -@@ -416,6 +452,42 @@ - - ######################################## - ## -+## Execute cron in the cron system domain. ++## Dontaudit attempts ti write ++## apache tmp files. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`cron_domtrans',` ++interface(`apache_dontaudit_write_tmp',` + gen_require(` -+ type system_cronjob_t, crond_exec_t; ++ type httpd_config_t; + ') + -+ domtrans_pattern($1,crond_exec_t,system_cronjob_t) ++ dontaudit $1 httpd_tmp_t:file write; +') + +######################################## +## -+## Execute crond_exec_t -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cron_exec',` -+ gen_require(` -+ type crond_exec_t; ++## Allow the specified domain to read + ## apache configuration files. + ## + ## +@@ -579,7 +559,7 @@ + ## + ## + ## +-## The role to be allowed the dmidecode domain. ++## The role to be allowed the http_helper domain. + ## + ## + ## +@@ -715,6 +695,7 @@ + ') + + allow $1 httpd_modules_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) + ') + + ######################################## +@@ -782,6 +763,32 @@ + + ######################################## + ## ++## Allow the specified domain to delete ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr ++interface(`apache_delete_sys_content_rw',` ++ gen_require(` ++ type httpd_sys_content_rw_t; + ') + -+ can_exec($1,crond_exec_t) ++ files_search_tmp($1) ++ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) +') + +######################################## +## - ## Inherit and use a file descriptor - ## from system cron jobs. + ## Execute all web scripts in the system + ## script domain. 
## -@@ -481,11 +553,14 @@ +@@ -791,16 +798,18 @@ + ## + ## # - interface(`cron_read_system_job_tmp_files',` +-# cjp: this interface specifically added to allow +-# sysadm_t to run scripts + interface(`apache_domtrans_sys_script',` gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_tmp_t, cron_var_run_t; +- attribute httpdcontent; + type httpd_sys_script_t; ++ type httpd_sys_content_t; ++ ') ++ ++ tunable_policy(`httpd_enable_cgi',` ++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ') - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; -+ -+ files_search_pids($1) -+ allow $1 cron_var_run_t:file read_file_perms; + tunable_policy(`httpd_enable_cgi && httpd_unified',` +- domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ++ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) + ') + ') + +@@ -859,6 +868,8 @@ + ## + ## + # ++# cjp: this is missing the terminal since scripts ++# do not output to the terminal + interface(`apache_run_all_scripts',` + gen_require(` + attribute httpd_exec_scripts, httpd_script_domains; +@@ -884,7 +895,7 @@ + type httpd_squirrelmail_t; + ') + +- allow $1 httpd_squirrelmail_t:file read_file_perms; ++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') ######################################## -@@ -506,3 +581,101 @@ +@@ -1040,3 +1051,160 @@ - dontaudit $1 system_cronjob_tmp_t:file append; + allow httpd_t $1:process signal; ') + -+ +######################################## +## -+## Do not audit attempts to write temporary -+## files from the system cron jobs. ++## Allow the specified domain to search ++## apache bugzilla directories. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`cron_dontaudit_write_system_job_tmp_files',` ++interface(`apache_search_bugzilla_dirs',` + gen_require(` -+ type system_cronjob_tmp_t; -+ type cron_var_run_t; -+ type system_cronjob_var_run_t; ++ type httpd_bugzilla_content_t; + ') + -+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -+ dontaudit $1 cron_var_run_t:file write_file_perms; -+ ') ++ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ++') + +######################################## +## -+## Read temporary files from the system cron jobs. ++## Do not audit attempts to read and write Apache ++## bugzill script unix domain stream sockets. +## +## +## 
@@ -9122,37 +8264,102 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`cron_read_system_job_lib_files',` ++interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` + gen_require(` -+ type system_cronjob_var_lib_t; ++ type httpd_bugzilla_script_t; + ') + -+ -+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') + +######################################## +## -+## Manage files from the system cron jobs. ++## All of the rules required to administrate an apache environment +## ++## ++## ++## Prefix of the domain. Example, user would be ++## the prefix for the uder_t domain. ++## ++## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the apache domain. ++## ++## ++## +# -+interface(`cron_manage_system_job_lib_files',` ++interface(`apache_admin',` ++ + gen_require(` -+ type system_cronjob_var_lib_t; ++ type httpd_t, httpd_initrc_exec_t, httpd_config_t; ++ type httpd_log_t, httpd_modules_t, httpd_lock_t; ++ type httpd_var_run_t; ++ attribute httpdcontent; ++ attribute httpd_script_exec_type; ++ type httpd_bool_t; ++ type httpd_php_tmp_t; ++ type httpd_suexec_tmp_t; ++ type httpd_tmp_t; ++ + ') + ++ allow $1 httpd_t:process { getattr ptrace signal_perms }; ++ ps_process_pattern($1, httpd_t) + -+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ init_labeled_script_domtrans($1, httpd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 httpd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ apache_manage_all_content($1) ++ miscfiles_manage_public_files($1) ++ ++ files_search_etc($1) ++ admin_pattern($1, httpd_config_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, httpd_log_t) ++ ++ admin_pattern($1, httpd_modules_t) ++ ++ admin_pattern($1, httpd_lock_t) ++ files_lock_filetrans($1, httpd_lock_t, file) ++ ++ 
admin_pattern($1, httpd_var_run_t) ++ files_pid_filetrans($1, httpd_var_run_t, file) ++ ++ kernel_search_proc($1) ++ allow $1 httpd_t:dir list_dir_perms; ++ ps_process_pattern($1, httpd_t) ++ read_lnk_files_pattern($1, httpd_t, httpd_t) ++ ++ admin_pattern($1, httpdcontent) ++ admin_pattern($1, httpd_script_exec_type) ++ ++ seutil_domtrans_setfiles($1) ++ ++ admin_pattern($1, httpd_tmp_t) ++ admin_pattern($1, httpd_php_tmp_t) ++ admin_pattern($1, httpd_suexec_tmp_t) ++ files_tmp_filetrans($1, httpd_tmp_t, { file dir }) ++ ++ifdef(`TODO',` ++ apache_set_booleans($1, $2, $3, httpd_bool_t ) ++ seutil_setsebool_role_template($1, $3, $2) ++ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; ++ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; ++') +') + +######################################## +## -+## Manage pid files used by cron ++## Mark content as being readable by standard apache processes +## +## +## 
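Review bot: The parameter documentation of the new `apache_admin` interface does not match its body: the doc lists a prefix, a domain and a role in that order, but the rules use `$1` as the administrative domain (`allow $1 httpd_t:process { getattr ptrace signal_perms };`) and `$2` as the role (`allow $2 system_r;`), so the prefix param block (which also carries the "uder_t" typo) should be dropped and the domain and role documented as the first and second arguments. The trailing `ifdef(`TODO',` block references a third argument `$3` and a type `httpd_setsebool_t` that the interface neither documents nor lists in `gen_require`; since it never expands, either remove it or replace it with a one-line comment such as `# TODO: boolean management needs a setsebool domain and a role argument`. `ps_process_pattern($1, httpd_t)` is invoked twice (once after the ptrace allow and again after `kernel_search_proc($1)`), and the adjacent `allow $1 httpd_t:dir list_dir_perms;` and `read_lnk_files_pattern($1, httpd_t, httpd_t)` look redundant with it; the summary of `apache_dontaudit_rw_bugzilla_script_stream_sockets` also misspells "bugzilla" as "bugzill". Granting `ptrace` on `httpd_t` is broader than the signal and getattr access the rest of the interface relies on, so if it is intentional a why-comment on that line would help the next maintainer. The `apache_ro_content` template header at the end of this hunk continues in the next one.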
@@ -9160,1421 +8367,1239 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`cron_manage_pid_files',` ++template(`apache_ro_content',` + gen_require(` -+ type crond_var_run_t; ++ attribute httpd_ro_content; + ') -+ -+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ++ typeattribute $1 httpd_ro_content; +') + +######################################## +## -+## Execute crond server in the nscd domain. ++## Mark content as being read/write by standard apache processes +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+interface(`cron_initrc_domtrans',` ++template(`apache_rw_content',` + gen_require(` -+ type crond_initrc_exec_t; -+') -+ -+ init_labeled_script_domtrans($1, crond_initrc_exec_t) ++ attribute httpd_rw_content; ++ ') ++ typeattribute $1 httpd_rw_content; +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-07 16:01:44.000000000 -0400 -@@ -38,6 +38,10 @@ - type cron_var_lib_t; - files_type(cron_var_lib_t) - -+# var/lib files -+type cron_var_run_t; -+files_type(cron_var_run_t) -+ - # var/log files - type cron_log_t; - logging_log_file(cron_log_t) -@@ -56,8 +60,13 @@ - domain_interactive_fd(crond_t) - domain_cron_exemption_source(crond_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-04-07 16:01:44.000000000 -0400 +@@ -19,6 +19,8 @@ + # Declarations + # -+type crond_initrc_exec_t; 
-+init_script_file(crond_initrc_exec_t) ++selinux_genbool(httpd_bool_t) + - type crond_tmp_t; - files_tmp_file(crond_tmp_t) -+files_poly_parent(crond_tmp_t) -+mta_system_content(crond_tmp_t) + ## + ##

+ ## Allow Apache to modify public files +@@ -30,10 +32,17 @@ - type crond_var_run_t; - files_pid_file(crond_var_run_t) -@@ -74,6 +83,7 @@ - typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; - typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; - typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; -+allow admin_crontab_t crond_t:process signal; + ## + ##

+-## Allow Apache to use mod_auth_pam ++## Allow httpd scripts and modules execmem/execstack + ##

+ ##
+-gen_tunable(allow_httpd_mod_auth_pam, false) ++gen_tunable(httpd_execmem, false) ++ ++## ++##

++## Allow Apache to communicate with avahi service via dbus ++##

++##
++gen_tunable(httpd_dbus_avahi, false) - type system_cron_spool_t, cron_spool_type; - files_type(system_cron_spool_t) -@@ -98,11 +108,18 @@ + ## + ##

+@@ -44,6 +53,13 @@ - # Type of user crontabs once moved to cron spool. - type user_cron_spool_t, cron_spool_type; --typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t }; -+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; - typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; - files_type(user_cron_spool_t) - ubac_constrained(user_cron_spool_t) + ## + ##

++## Allow http daemon to send mail ++##

++##
++gen_tunable(httpd_can_sendmail, false) ++ ++## ++##

+ ## Allow HTTPD scripts and modules to connect to the network using TCP. + ##

+ ##
+@@ -108,6 +124,29 @@ + ## + gen_tunable(httpd_unified, false) -+type system_cronjob_var_lib_t; -+files_type(system_cronjob_var_lib_t) -+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; ++## ++##

++## Allow httpd to access nfs file systems ++##

++##
++gen_tunable(httpd_use_nfs, false) + -+type system_cronjob_var_run_t; -+files_pid_file(system_cronjob_var_run_t) ++## ++##

++## Allow httpd to access cifs file systems ++##

++##
++gen_tunable(httpd_use_cifs, false) + - ######################################## - # - # Admin crontab local policy -@@ -130,7 +147,7 @@ - # Cron daemon local policy - # ++## ++##

++## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. ++##

++##
++gen_tunable(allow_httpd_sys_script_anon_write, false) ++ ++attribute httpd_ro_content; ++attribute httpd_rw_content; + attribute httpdcontent; + attribute httpd_user_content_type; --allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; -+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; - dontaudit crond_t self:capability { sys_resource sys_tty_config }; - allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow crond_t self:process { setexec setfscreate }; -@@ -146,22 +163,23 @@ - allow crond_t self:msg { send receive }; - allow crond_t self:key { search write link }; +@@ -140,6 +179,9 @@ + domain_entry_file(httpd_helper_t, httpd_helper_exec_t) + role system_r types httpd_helper_t; --allow crond_t crond_var_run_t:file manage_file_perms; -+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) - files_pid_filetrans(crond_t,crond_var_run_t,file) ++type httpd_initrc_exec_t; ++init_script_file(httpd_initrc_exec_t) ++ + type httpd_lock_t; + files_lock_file(httpd_lock_t) --allow crond_t cron_spool_t:dir rw_dir_perms; --allow crond_t cron_spool_t:file read_file_perms; -+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -180,6 +222,10 @@ + # setup the system domain for system CGI scripts + apache_content_template(sys) - manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) - manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) - files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) ++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable ++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable ++typeattribute httpd_sys_content_ra_t httpdcontent; # customizable ++ + type httpd_tmp_t; + files_tmp_file(httpd_tmp_t) --allow crond_t system_cron_spool_t:dir list_dir_perms; --allow crond_t system_cron_spool_t:file read_file_perms; 
-+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +@@ -187,15 +233,20 @@ + files_tmpfs_file(httpd_tmpfs_t) - kernel_read_kernel_sysctls(crond_t) -+kernel_read_fs_sysctls(crond_t) - kernel_search_key(crond_t) + apache_content_template(user) ++ + ubac_constrained(httpd_user_script_t) ++typeattribute httpd_user_content_t httpdcontent; ++typeattribute httpd_user_content_rw_t httpdcontent; ++typeattribute httpd_user_content_ra_t httpdcontent; ++ + userdom_user_home_content(httpd_user_content_t) + userdom_user_home_content(httpd_user_htaccess_t) + userdom_user_home_content(httpd_user_script_exec_t) +-userdom_user_home_content(httpd_user_script_ra_t) +-userdom_user_home_content(httpd_user_script_ro_t) +-userdom_user_home_content(httpd_user_script_rw_t) ++userdom_user_home_content(httpd_user_content_ra_t) ++userdom_user_home_content(httpd_user_content_rw_t) + typeattribute httpd_user_script_t httpd_script_domains; + typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; ++typealias httpd_user_content_t alias httpd_unconfined_content_t; + typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; + typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; + typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; +@@ -230,7 +281,7 @@ + # Apache server local policy + # -+dev_read_kmsg(crond_t) - dev_read_sysfs(crond_t) - selinux_get_fs_mount(crond_t) - selinux_validate_context(crond_t) -@@ -174,6 +192,7 @@ +-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; ++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; + dontaudit httpd_t self:capability { net_admin sys_tty_config }; + allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack 
execheap }; + allow httpd_t self:fd use; +@@ -272,6 +323,7 @@ + allow httpd_t httpd_modules_t:dir list_dir_perms; + mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) ++read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - fs_getattr_all_fs(crond_t) - fs_search_auto_mountpoints(crond_t) -+fs_list_inotifyfs(crond_t) + apache_domtrans_rotatelogs(httpd_t) + # Apache-httpd needs to be able to send signals to the log rotate procs. +@@ -283,9 +335,9 @@ - # need auth_chkpwd to check for locked accounts. - auth_domtrans_chk_passwd(crond_t) -@@ -183,7 +202,11 @@ - corecmd_read_bin_symlinks(crond_t) + allow httpd_t httpd_suexec_exec_t:file read_file_perms; - domain_use_interactive_fds(crond_t) -+domain_subj_id_change_exemption(crond_t) -+domain_role_change_exemption(crond_t) +-allow httpd_t httpd_sys_content_t:dir list_dir_perms; +-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++allow httpd_t httpd_ro_content:dir list_dir_perms; ++read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) ++read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) -+files_read_usr_files(crond_t) -+files_read_etc_runtime_files(crond_t) - files_read_etc_files(crond_t) - files_read_generic_spool(crond_t) - files_list_usr(crond_t) -@@ -192,10 +215,15 @@ - files_search_default(crond_t) + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) + manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -301,6 +353,7 @@ + manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) + files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) - init_rw_utmp(crond_t) -+init_spec_domtrans_script(crond_t) ++setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) + manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) + manage_sock_files_pattern(httpd_t, httpd_var_run_t, 
httpd_var_run_t) + files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) +@@ -312,6 +365,7 @@ + kernel_read_kernel_sysctls(httpd_t) + # for modules that want to access /proc/meminfo + kernel_read_system_state(httpd_t) ++kernel_search_network_sysctl(httpd_t) - auth_use_nsswitch(crond_t) + corenet_all_recvfrom_unlabeled(httpd_t) + corenet_all_recvfrom_netlabel(httpd_t) +@@ -322,6 +376,7 @@ + corenet_tcp_sendrecv_all_ports(httpd_t) + corenet_udp_sendrecv_all_ports(httpd_t) + corenet_tcp_bind_generic_node(httpd_t) ++corenet_udp_bind_generic_node(httpd_t) + corenet_tcp_bind_http_port(httpd_t) + corenet_tcp_bind_http_cache_port(httpd_t) + corenet_sendrecv_http_server_packets(httpd_t) +@@ -335,12 +390,12 @@ -+logging_send_audit_msgs(crond_t) - logging_send_syslog_msg(crond_t) -+logging_set_loginuid(crond_t) -+ -+rpc_search_nfs_state_data(crond_t) + fs_getattr_all_fs(httpd_t) + fs_search_auto_mountpoints(httpd_t) ++fs_list_inotifyfs(httpd_t) ++fs_read_iso9660_files(httpd_t) - seutil_read_config(crond_t) - seutil_read_default_contexts(crond_t) -@@ -208,6 +236,7 @@ - userdom_list_user_home_dirs(crond_t) + auth_use_nsswitch(httpd_t) - mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) +-# execute perl +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) ++application_exec_all(httpd_t) - ifdef(`distro_debian',` - # pam_limits is used -@@ -227,21 +256,43 @@ - ') - ') + domain_use_interactive_fds(httpd_t) -+tunable_policy(`allow_polyinstantiation',` -+ files_polyinstantiate_all(crond_t) -+') -+ -+optional_policy(` -+ apache_search_sys_content(crond_t) -+') -+ - optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) - ') +@@ -358,6 +413,10 @@ + files_read_var_lib_symlinks(httpd_t) -+optional_policy(` -+ # these should probably be unconfined_crond_t -+ init_dbus_send_script(crond_t) -+') -+ -+optional_policy(` -+ mono_domtrans(crond_t) -+') -+ - tunable_policy(`fcron_crond', ` - allow crond_t system_cron_spool_t:file 
manage_file_perms; - ') + fs_search_auto_mountpoints(httpd_sys_script_t) ++# php uploads a file to /tmp and then execs programs to acton them ++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file }) - optional_policy(` -+ amanda_search_var_lib(crond_t) + libs_read_lib_files(httpd_t) + +@@ -372,18 +431,33 @@ + + userdom_use_unpriv_users_fds(httpd_t) + +-mta_send_mail(httpd_t) +- + tunable_policy(`allow_httpd_anon_write',` + miscfiles_manage_public_files(httpd_t) + ') + +-ifdef(`TODO', ` + # + # We need optionals to be able to be within booleans to make this work + # ++## ++##

++## Allow Apache to use mod_auth_pam ++##

++##
++gen_tunable(allow_httpd_mod_auth_pam, false) ++ + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) ++ auth_domtrans_chkpwd(httpd_t) +') + ++## ++##

++## Allow Apache to use mod_auth_pam ++##

++##
++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - amavis_search_lib(crond_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` ++ samba_domtrans_winbind_helper(httpd_t) ') - - optional_policy(` -- hal_dbus_send(crond_t) -+ hal_dbus_chat(crond_t) -+ hal_dbus_chat(system_cronjob_t) ') - optional_policy(` -@@ -268,8 +319,8 @@ - # System cron process domain - # - --allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; --allow system_cronjob_t self:process { signal_perms setsched }; -+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -+allow system_cronjob_t self:process { signal_perms getsched setsched }; - allow system_cronjob_t self:fifo_file rw_fifo_file_perms; - allow system_cronjob_t self:passwd rootok; +@@ -391,20 +465,54 @@ + corenet_tcp_connect_all_ports(httpd_t) + ') -@@ -283,7 +334,14 @@ - allow system_cronjob_t cron_var_lib_t:file manage_file_perms; - files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) ++tunable_policy(`httpd_can_sendmail',` ++ # allow httpd to connect to mail servers ++ corenet_tcp_connect_smtp_port(httpd_t) ++ corenet_sendrecv_smtp_client_packets(httpd_t) ++ corenet_tcp_connect_pop_port(httpd_t) ++ corenet_sendrecv_pop_client_packets(httpd_t) ++ mta_send_mail(httpd_t) ++ mta_send_mail(httpd_sys_script_t) ++') ++ + tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) ++ corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) + corenet_sendrecv_http_client_packets(httpd_t) + corenet_sendrecv_http_cache_client_packets(httpd_t) + ') -+allow system_cronjob_t cron_var_run_t:file 
manage_file_perms; -+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) ++tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; ++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) ++ can_exec(httpd_sys_script_t, httpd_sys_content_t) ++') + - allow system_cronjob_t system_cron_spool_t:file read_file_perms; ++tunable_policy(`allow_httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) ++') + -+# anacron forces the following -+allow system_cronjob_t system_cron_spool_t:file { write setattr }; ++tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` ++ fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ++') + - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are - # not directly executed, crond must ensure that -@@ -314,9 +372,13 @@ - filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) - files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - -+# var/lib files for system_crond -+files_search_var_lib(system_cronjob_t) -+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` ++ fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ++') + - # Read from /var/spool/cron. 
- allow system_cronjob_t cron_spool_t:dir list_dir_perms; --allow system_cronjob_t cron_spool_t:file read_file_perms; -+allow system_cronjob_t cron_spool_t:file rw_file_perms; - - kernel_read_kernel_sysctls(system_cronjob_t) - kernel_read_system_state(system_cronjob_t) -@@ -370,7 +432,8 @@ - init_read_utmp(system_cronjob_t) - init_dontaudit_rw_utmp(system_cronjob_t) - # prelink tells init to restart it self, we either need to allow or dontaudit --init_write_initctl(system_cronjob_t) -+init_telinit(system_cronjob_t) -+init_spec_domtrans_script(system_cronjob_t) ++ + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` +- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) ++ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) ++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) ++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) ++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) ++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) - auth_use_nsswitch(system_cronjob_t) + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) +@@ -415,20 +523,28 @@ + corenet_tcp_bind_ftp_port(httpd_t) + ') -@@ -378,6 +441,7 @@ - libs_exec_ld_so(system_cronjob_t) +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_t) +-') +- + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_t) + fs_read_nfs_symlinks(httpd_t) + ') - logging_read_generic_logs(system_cronjob_t) -+logging_send_audit_msgs(system_cronjob_t) - logging_send_syslog_msg(system_cronjob_t) ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_t) ++ fs_manage_nfs_files(httpd_t) ++ fs_manage_nfs_symlinks(httpd_t) ++') ++ + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) + 
fs_read_cifs_symlinks(httpd_t) + ') - miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +482,10 @@ ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_t) ++ fs_manage_cifs_files(httpd_t) ++ fs_manage_cifs_symlinks(httpd_t) ++') ++ + tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) + allow httpd_sys_script_t httpd_t:fd use; +@@ -451,6 +567,10 @@ ') optional_policy(` -+ dbus_system_bus_client(system_cronjob_t) ++ cvs_read_data(httpd_t) +') + +optional_policy(` - ftp_read_log(system_cronjob_t) + cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -428,11 +496,20 @@ +@@ -459,8 +579,13 @@ ') optional_policy(` -+ lpd_list_spool(system_cronjob_t) -+') -+ -+optional_policy(` -+ mono_domtrans(system_cronjob_t) +- kerberos_use(httpd_t) +- kerberos_read_kdc_config(httpd_t) ++ dbus_system_bus_client(httpd_t) ++ tunable_policy(`httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ ') +') -+ +optional_policy(` - mrtg_append_create_logs(system_cronjob_t) ++ kerberos_keytab_template(httpd, httpd_t) ') optional_policy(` - mta_send_mail(system_cronjob_t) -+ mta_system_content(system_cron_spool_t) +@@ -468,22 +593,18 @@ + mailman_domtrans_cgi(httpd_t) + # should have separate types for public and private archives + mailman_search_data(httpd_t) ++ mailman_read_data_files(httpd_t) + mailman_read_archive(httpd_t) ') optional_policy(` -@@ -447,6 +524,7 @@ - prelink_read_cache(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_delete_cache(system_cronjob_t) -+ prelink_manage_var_lib(system_cronjob_t) +- # Allow httpd to work with mysql + mysql_stream_connect(httpd_t) + mysql_rw_db_sockets(httpd_t) +- +- tunable_policy(`httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_t) +- ') ++ mysql_read_config(httpd_t) ') optional_policy(` -@@ -460,8 +538,7 @@ + nagios_read_config(httpd_t) +- nagios_domtrans_cgi(httpd_t) ') optional_policy(` -- # cjp: why? 
-- squid_domtrans(system_cronjob_t) -+ spamassassin_manage_lib_files(system_cronjob_t) +@@ -493,6 +614,12 @@ + openca_kill(httpd_t) ') ++tunable_policy(`httpd_execmem',` ++ allow httpd_t self:process { execmem execstack }; ++ allow httpd_sys_script_t self:process { execmem execstack }; ++ allow httpd_suexec_t self:process { execmem execstack }; ++') ++ optional_policy(` -@@ -469,24 +546,17 @@ + # Allow httpd to work with postgresql + postgresql_stream_connect(httpd_t) +@@ -500,6 +627,7 @@ + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) ++ postgresql_tcp_connect(httpd_sys_script_t) + ') + ') + +@@ -508,6 +636,7 @@ ') optional_policy(` -+ unconfined_dbus_send(crond_t) -+ unconfined_shell_domtrans(crond_t) -+ unconfined_domain(crond_t) - unconfined_domain(system_cronjob_t) -- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) --') -- --ifdef(`TODO',` --ifdef(`mta.te', ` --allow system_cronjob_t mail_spool_t:lnk_file read; --allow mta_user_agent system_cronjob_t:fd use; --r_dir_file(system_mail_t, crond_tmp_t) ++ files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') --') dnl end TODO +@@ -535,6 +664,22 @@ + + userdom_use_user_terminals(httpd_helper_t) ++tunable_policy(`httpd_tty_comm',` ++ userdom_use_user_terminals(httpd_helper_t) ++') ++ ++optional_policy(` ++ type httpd_unconfined_script_t; ++ type httpd_unconfined_script_exec_t; ++ domain_type(httpd_unconfined_script_t) ++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) ++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) ++ unconfined_domain(httpd_unconfined_script_t) ++ ++ role system_r types httpd_unconfined_script_t; ++') ++ ++ ######################################## # - # User cronjobs local policy - # + # Apache PHP script local policy +@@ -564,20 +709,25 @@ 
--allow cronjob_t self:capability dac_override; - allow cronjob_t self:process { signal_perms setsched }; - allow cronjob_t self:fifo_file rw_fifo_file_perms; - allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +640,9 @@ - userdom_manage_user_home_content_sockets(cronjob_t) - #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + fs_search_auto_mountpoints(httpd_php_t) -+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++auth_use_nsswitch(httpd_php_t) + - tunable_policy(`fcron_crond', ` - allow crond_t user_cron_spool_t:file manage_file_perms; + libs_exec_lib_files(httpd_php_t) + + userdom_use_unpriv_users_fds(httpd_php_t) + +-optional_policy(` +- mysql_stream_connect(httpd_php_t) ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_mysqld_port(httpd_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_t) ++ corenet_tcp_connect_mysqld_port(httpd_sys_script_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_mysqld_port(httpd_suexec_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -5,27 +5,38 @@ - /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/ppd(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) -+ -+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) +-optional_policy(` +- nis_use_ypbind(httpd_php_t) +-') - /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + optional_policy(` +- postgresql_stream_connect(httpd_php_t) ++ mysql_stream_connect(httpd_php_t) ++ mysql_read_config(httpd_php_t) + ') -+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ - /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) + ######################################## +@@ -595,23 +745,24 @@ + append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) --/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +-allow httpd_suexec_t httpd_t:fifo_file getattr; ++allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + 
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) - /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -+# keep as separate lines to ensure proper sorting -+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) ++can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + - /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) - /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +44,7 @@ + kernel_read_kernel_sysctls(httpd_suexec_t) + kernel_list_proc(httpd_suexec_t) + kernel_read_proc_symlinks(httpd_suexec_t) - /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) - /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + dev_read_urand(httpd_suexec_t) - /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +54,19 @@ - /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++fs_read_iso9660_files(httpd_suexec_t) + fs_search_auto_mountpoints(httpd_suexec_t) - /var/log/cups(/.*)? 
gen_context(system_u:object_r:cupsd_log_t,s0) --/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) +-# for shell scripts +-corecmd_exec_bin(httpd_suexec_t) +-corecmd_exec_shell(httpd_suexec_t) ++application_exec_all(httpd_suexec_t) -+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -+ -+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/local/linuxprinter/ppd(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + files_read_etc_files(httpd_suexec_t) + files_read_usr_files(httpd_suexec_t) +@@ -624,6 +775,7 @@ + logging_send_syslog_msg(httpd_suexec_t) + + miscfiles_read_localization(httpd_suexec_t) ++miscfiles_read_public_files(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; +@@ -641,12 +793,20 @@ + corenet_sendrecv_all_client_packets(httpd_suexec_t) + ') + ++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) ++read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t) ++read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) + -+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.12/policy/modules/services/cups.if ---- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cups.if 2009-04-07 16:01:44.000000000 -0400 -@@ -20,6 +20,30 @@ ++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpdcontent:file entrypoint; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + ') +- +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_suexec_t) ++tunable_policy(`httpd_enable_cgi',` ++ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -672,15 +832,14 @@ + dontaudit httpd_suexec_t 
httpd_t:unix_stream_socket { read write }; + ') +-optional_policy(` +- nagios_domtrans_cgi(httpd_suexec_t) +-') +- ######################################## - ## -+## Setup cups to transtion to the cups backend domain -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`cups_backend',` -+ gen_require(` -+ type cupsd_t; -+ ') + # + # Apache system script local policy + # + ++auth_use_nsswitch(httpd_sys_script_t) + -+ domtrans_pattern(cupsd_t, $2, $1) ++allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; + allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + + dontaudit httpd_sys_script_t httpd_config_t:dir search; +@@ -699,12 +858,24 @@ + # Should we add a boolean? + apache_domtrans_rotatelogs(httpd_sys_script_t) + ++sysnet_read_config(httpd_sys_script_t) + -+ allow cupsd_t $1:process signal; -+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; + ifdef(`distro_redhat',` + allow httpd_sys_script_t httpd_log_t:file append_file_perms; + ') + +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_sys_script_t) ++fs_read_iso9660_files(httpd_sys_script_t) + -+ cups_read_config($1) -+ cups_append_log($1) -+') ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_sys_script_t) ++ fs_manage_nfs_files(httpd_sys_script_t) ++ fs_manage_nfs_symlinks(httpd_sys_script_t) ++ fs_exec_nfs_files(httpd_sys_script_t) + -+######################################## -+## - ## Connect to cupsd over an unix domain stream socket. - ## - ## -@@ -212,6 +236,25 @@ ++ fs_manage_nfs_dirs(httpd_suexec_t) ++ fs_manage_nfs_files(httpd_suexec_t) ++ fs_manage_nfs_symlinks(httpd_suexec_t) ++ fs_exec_nfs_files(httpd_suexec_t) + ') - ######################################## - ## -+## Append cups log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cups_append_log',` -+ gen_require(` -+ type cupsd_log_t; -+ ') + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -712,6 +883,35 @@ + fs_read_nfs_symlinks(httpd_sys_script_t) + ') + ++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_sys_script_t self:udp_socket create_socket_perms; + -+ logging_search_logs($1) -+ append_files_pattern($1, cupsd_log_t, cupsd_log_t) ++ corenet_tcp_bind_generic_node(httpd_sys_script_t) ++ corenet_udp_bind_generic_node(httpd_sys_script_t) ++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) ++ corenet_all_recvfrom_netlabel(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_tcp_connect_all_ports(httpd_sys_script_t) ++ corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + -+######################################## -+## - ## Write cups log files. - ## - ## -@@ -247,3 +290,66 @@ - files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) - ') + -+######################################## -+## -+## All of the rules required to administrate -+## an cups environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the cups domain. 
-+## -+## -+## -+# -+interface(`cups_admin',` -+ gen_require(` -+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; -+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t; -+ type cupsd_var_run_t, ptal_etc_t; -+ type ptal_var_run_t, hplip_var_run_t; -+ type cupsd_initrc_exec_t; -+ ') ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_sys_script_t) ++ fs_manage_cifs_files(httpd_sys_script_t) ++ fs_manage_cifs_symlinks(httpd_sys_script_t) ++ fs_manage_cifs_dirs(httpd_suexec_t) ++ fs_manage_cifs_files(httpd_suexec_t) ++ fs_manage_cifs_symlinks(httpd_suexec_t) ++ fs_exec_cifs_files(httpd_suexec_t) ++') + -+ allow $1 cupsd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, cupsd_t) -+ -+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 cupsd_initrc_exec_t system_r; -+ allow $2 system_r; + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +@@ -724,6 +924,10 @@ + optional_policy(` + mysql_stream_connect(httpd_sys_script_t) + mysql_rw_db_sockets(httpd_sys_script_t) ++ mysql_read_config(httpd_sys_script_t) ++ mysql_stream_connect(httpd_suexec_t) ++ mysql_rw_db_sockets(httpd_suexec_t) ++ mysql_read_config(httpd_suexec_t) + ') + + optional_policy(` +@@ -735,6 +939,8 @@ + # httpd_rotatelogs local policy + # + ++allow httpd_rotatelogs_t self:capability dac_override; + -+ files_list_tmp($1) -+ admin_pattern($1, cupsd_tmp_t) + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + + kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -754,6 +960,12 @@ + + tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) ++ 
manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) + ') + + # allow accessing files/dirs below the users home dir +@@ -762,3 +974,66 @@ + userdom_search_user_home_dirs(httpd_suexec_t) + userdom_search_user_home_dirs(httpd_user_script_t) + ') + -+ admin_pattern($1, cupsd_lpd_tmp_t) ++#============= bugzilla policy ============== ++apache_content_template(bugzilla) + -+ files_list_etc($1) -+ admin_pattern($1, cupsd_etc_t) ++type httpd_bugzilla_tmp_t; ++files_tmp_file(httpd_bugzilla_tmp_t) + -+ admin_pattern($1, ptal_etc_t) ++allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; ++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; ++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + -+ files_list_spool($1) -+ admin_pattern($1, cupsd_spool_t) ++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) ++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) ++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) ++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) ++corenet_tcp_connect_http_port(httpd_bugzilla_script_t) ++corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) ++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) ++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + -+ 
logging_list_logs($1) -+ admin_pattern($1, cupsd_log_t) ++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) ++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) ++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) + -+ files_list_pids($1) -+ admin_pattern($1, cupsd_var_run_t) ++files_search_var_lib(httpd_bugzilla_script_t) + -+ admin_pattern($1, ptal_var_run_t) ++mta_send_mail(httpd_bugzilla_script_t) + -+ admin_pattern($1, cupsd_config_var_run_t) ++sysnet_read_config(httpd_bugzilla_script_t) ++sysnet_use_ldap(httpd_bugzilla_script_t) + -+ admin_pattern($1, cupsd_lpd_var_run_t) ++optional_policy(` ++ mysql_search_db(httpd_bugzilla_script_t) ++ mysql_stream_connect(httpd_bugzilla_script_t) ++') + -+ admin_pattern($1, hplip_var_run_t) ++optional_policy(` ++ postgresql_stream_connect(httpd_bugzilla_script_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-07 16:01:44.000000000 -0400 -@@ -20,9 +20,18 @@ - type cupsd_etc_t; - files_config_file(cupsd_etc_t) - -+type cupsd_initrc_exec_t; -+init_script_file(cupsd_initrc_exec_t) + -+type cupsd_interface_t; -+files_type(cupsd_interface_t) ++manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) + - type cupsd_rw_etc_t; - files_config_file(cupsd_rw_etc_t) - -+type cupsd_lock_t; -+files_lock_file(cupsd_lock_t) ++manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) 
+ - type cupsd_log_t; - logging_log_file(cupsd_log_t) ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; ++typealias httpd_sys_content_t alias httpd_fastcgi_content_t; ++typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; ++typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; ++typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; ++typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; ++typealias httpd_sys_script_t alias httpd_fastcgi_script_t; ++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.12/policy/modules/services/automount.te +--- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/automount.te 2009-04-07 16:01:44.000000000 -0400 +@@ -71,6 +71,7 @@ + files_mounton_all_mountpoints(automount_t) + files_mount_all_file_type_fs(automount_t) + files_unmount_all_file_type_fs(automount_t) ++files_manage_non_security_dirs(automount_t) -@@ -48,6 +57,10 @@ - type hplip_t; - type hplip_exec_t; - init_daemon_domain(hplip_t, hplip_exec_t) -+# For CUPS to run as a backend -+cups_backend(hplip_t, hplip_exec_t) -+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + fs_mount_all_fs(automount_t) + fs_unmount_all_fs(automount_t) +@@ -100,6 +101,7 @@ + corenet_udp_bind_all_rpc_ports(automount_t) - type hplip_etc_t; - files_config_file(hplip_etc_t) -@@ -65,6 +78,16 @@ - type ptal_var_run_t; - files_pid_file(ptal_var_run_t) + dev_read_sysfs(automount_t) ++dev_rw_autofs(automount_t) + # for SSP + dev_read_rand(automount_t) + dev_read_urand(automount_t) +@@ -127,6 +129,7 @@ + fs_unmount_autofs(automount_t) + fs_mount_autofs(automount_t) + 
fs_manage_autofs_symlinks(automount_t) ++fs_read_nfs_files(automount_t) -+type cups_pdf_t; -+type cups_pdf_exec_t; -+domain_type(cups_pdf_t) -+domain_entry_file(cups_pdf_t, cups_pdf_exec_t) -+cups_backend(cups_pdf_t, cups_pdf_exec_t) -+role system_r types cups_pdf_t; -+ -+type cups_pdf_tmp_t; -+files_tmp_file(cups_pdf_tmp_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) - ') -@@ -79,13 +102,14 @@ - # + storage_rw_fuse(automount_t) - # /usr/lib/cups/backend/serial needs sys_admin(?!) --allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; -+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; - dontaudit cupsd_t self:capability { sys_tty_config net_admin }; --allow cupsd_t self:process { setsched signal_perms }; --allow cupsd_t self:fifo_file rw_file_perms; -+allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -+allow cupsd_t self:fifo_file rw_fifo_file_perms; - allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow cupsd_t self:unix_dgram_socket create_socket_perms; - allow cupsd_t self:netlink_selinux_socket create_socket_perms; -+allow cupsd_t self:shm create_shm_perms; - allow cupsd_t self:tcp_socket create_stream_socket_perms; - allow cupsd_t self:udp_socket create_socket_perms; - allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +121,9 @@ - read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - files_search_etc(cupsd_t) - -+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) -+can_exec(cupsd_t, cupsd_interface_t) -+ - manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - filetrans_pattern(cupsd_t, cupsd_etc_t, 
cupsd_rw_etc_t, file) -@@ -104,8 +131,11 @@ - - # allow cups to execute its backend scripts - can_exec(cupsd_t, cupsd_exec_t) --allow cupsd_t cupsd_exec_t:dir search; --allow cupsd_t cupsd_exec_t:lnk_file read; -+allow cupsd_t cupsd_exec_t:dir search_dir_perms; -+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -+ -+allow cupsd_t cupsd_lock_t:file manage_file_perms; -+files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - - manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +146,20 @@ - manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) - -+# This whole section needs to be moved to a smbspool policy -+# smbspool seems to be iterating through all existing tmp files. -+# Looking for kerberos files -+files_getattr_all_tmp_files(cupsd_t) -+userdom_read_user_tmp_files(cupsd_t) -+files_dontaudit_getattr_all_tmp_sockets(cupsd_t) -+ - allow cupsd_t cupsd_var_run_t:dir setattr; - manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) - files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) - --read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -- -+allow cupsd_t hplip_t:process {signal sigkill }; - allow cupsd_t hplip_var_run_t:file read_file_perms; - - stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +186,49 @@ - corenet_tcp_bind_reserved_port(cupsd_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) - corenet_tcp_connect_all_ports(cupsd_t) -+corenet_tcp_connect_smbd_port(cupsd_t) - corenet_sendrecv_hplip_client_packets(cupsd_t) - corenet_sendrecv_ipp_client_packets(cupsd_t) - corenet_sendrecv_ipp_server_packets(cupsd_t) -+corenet_tcp_bind_all_rpc_ports(cupsd_t) - - dev_rw_printer(cupsd_t) - dev_read_urand(cupsd_t) - dev_read_sysfs(cupsd_t) 
--dev_read_usbfs(cupsd_t) -+dev_rw_input_dev(cupsd_t) #447878 -+dev_rw_generic_usb_dev(cupsd_t) -+dev_rw_usbfs(cupsd_t) - dev_getattr_printer_dev(cupsd_t) - - domain_read_all_domains_state(cupsd_t) - - fs_getattr_all_fs(cupsd_t) - fs_search_auto_mountpoints(cupsd_t) -+fs_read_anon_inodefs_files(cupsd_t) - -+mls_fd_use_all_levels(cupsd_t) - mls_file_downgrade(cupsd_t) - mls_file_write_all_levels(cupsd_t) - mls_file_read_all_levels(cupsd_t) -+mls_rangetrans_target(cupsd_t) - mls_socket_write_all_levels(cupsd_t) - - term_use_unallocated_ttys(cupsd_t) - term_search_ptys(cupsd_t) - --auth_domtrans_chk_passwd(cupsd_t) --auth_dontaudit_read_pam_pid(cupsd_t) -- - # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp - corecmd_exec_shell(cupsd_t) - corecmd_exec_bin(cupsd_t) - - domain_use_interactive_fds(cupsd_t) +@@ -142,6 +145,7 @@ -+files_list_spool(cupsd_t) - files_read_etc_files(cupsd_t) - files_read_etc_runtime_files(cupsd_t) - # read python modules - files_read_usr_files(cupsd_t) - # for /var/lib/defoma --files_search_var_lib(cupsd_t) -+files_read_var_lib_files(cupsd_t) - files_list_world_readable(cupsd_t) - files_read_world_readable_files(cupsd_t) - files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +237,16 @@ - files_read_var_symlinks(cupsd_t) - # for /etc/printcap - files_dontaudit_write_etc_files(cupsd_t) --# smbspool seems to be iterating through all existing tmp files. --# redhat bug #214953 --# cjp: this might be a broken behavior --files_dontaudit_getattr_all_tmp_files(cupsd_t) + # Run mount in the mount_t domain. 
+ mount_domtrans(automount_t) ++mount_signal(automount_t) - selinux_compute_access_vector(cupsd_t) -+selinux_validate_context(cupsd_t) + userdom_dontaudit_use_unpriv_user_fds(automount_t) + userdom_dontaudit_search_user_home_dirs(automount_t) +@@ -155,7 +159,7 @@ + ') - init_exec_script_files(cupsd_t) -+init_read_utmp(cupsd_t) + optional_policy(` +- kerberos_read_keytab(automount_t) ++ kerberos_keytab_template(automount, automount_t) + kerberos_read_config(automount_t) + kerberos_dontaudit_write_config(automount_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2009-04-07 16:01:44.000000000 -0400 +@@ -33,6 +33,7 @@ + allow avahi_t self:tcp_socket create_stream_socket_perms; + allow avahi_t self:udp_socket create_socket_perms; -+auth_domtrans_chk_passwd(cupsd_t) -+auth_dontaudit_read_pam_pid(cupsd_t) -+auth_rw_faillog(cupsd_t) - auth_use_nsswitch(cupsd_t) ++files_search_var_lib(avahi_t) + manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) + manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) + files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) +@@ -93,6 +94,7 @@ + dbus_connect_system_bus(avahi_t) - # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -217,17 +260,21 @@ - miscfiles_read_fonts(cupsd_t) + init_dbus_chat_script(avahi_t) ++ dbus_system_domain(avahi_t, avahi_exec_t) + ') - seutil_read_config(cupsd_t) -+sysnet_exec_ifconfig(cupsd_t) + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.12/policy/modules/services/bind.fc +--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 ++++ 
serefpolicy-3.6.12/policy/modules/services/bind.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,17 +1,22 @@ + /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++ + /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) + /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) --sysnet_read_config(cupsd_t) -- -+files_dontaudit_list_home(cupsd_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_t) - userdom_dontaudit_search_user_home_content(cupsd_t) + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) + /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) ++/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) - # Write to /var/spool/cups. - lpd_manage_spool(cupsd_t) -+lpd_read_config(cupsd_t) -+lpd_exec_lpr(cupsd_t) -+lpd_relabel_spool(cupsd_t) + /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - ifdef(`enable_mls',` -- lpd_relabel_spool(cupsd_t) -+ mls_trusted_object(cupsd_var_run_t) -+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) - ') + /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - optional_policy(` -@@ -244,8 +291,16 @@ - userdom_dbus_send_all_users(cupsd_t) + ifdef(`distro_debian',` + /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +@@ -40,8 +45,8 @@ + /var/named/data(/.*)? 
gen_context(system_u:object_r:named_cache_t,s0) + /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/named/chroot/proc(/.*)? <> + /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) + /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.12/policy/modules/services/bind.if +--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/bind.if 2009-04-07 16:01:44.000000000 -0400 +@@ -38,6 +38,42 @@ - optional_policy(` -+ avahi_dbus_chat(cupsd_t) + ######################################## + ## ++## Send signulls to BIND. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_signull',` ++ gen_require(` ++ type named_t; + ') + -+ optional_policy(` - hal_dbus_chat(cupsd_t) - ') ++ allow $1 named_t:process signull; ++') + -+ optional_policy(` -+ unconfined_dbus_chat(cupsd_t) ++######################################## ++## ++## Send BIND the kill signal ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`bind_kill',` ++ gen_require(` ++ type named_t; + ') - ') - - optional_policy(` -@@ -261,6 +316,10 @@ - ') - - optional_policy(` -+ mta_send_mail(cupsd_t) ++ ++ allow $1 named_t:process sigkill; +') + -+optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) -@@ -279,7 +338,7 @@ - # Cups configuration daemon local policy - # - --allow cupsd_config_t self:capability { chown sys_tty_config }; -+allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; - dontaudit cupsd_config_t self:capability sys_tty_config; - allow cupsd_config_t self:process signal_perms; - allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -302,8 +361,10 @@ - - allow cupsd_config_t cupsd_log_t:file rw_file_perms; - --allow cupsd_config_t cupsd_tmp_t:file manage_file_perms; --files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir }) -+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) - - allow cupsd_config_t cupsd_var_run_t:file read_file_perms; - -@@ -311,7 +372,7 @@ - files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) - - kernel_read_system_state(cupsd_config_t) --kernel_read_kernel_sysctls(cupsd_config_t) -+kernel_read_all_sysctls(cupsd_config_t) - - corenet_all_recvfrom_unlabeled(cupsd_config_t) - corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -324,6 +385,7 @@ - dev_read_sysfs(cupsd_config_t) - dev_read_urand(cupsd_config_t) - dev_read_rand(cupsd_config_t) -+dev_rw_generic_usb_dev(cupsd_config_t) - - fs_getattr_all_fs(cupsd_config_t) - fs_search_auto_mountpoints(cupsd_config_t) -@@ -341,13 +403,14 @@ - files_read_var_symlinks(cupsd_config_t) - - # Alternatives asks for this --init_getattr_script_files(cupsd_config_t) 
-+init_getattr_all_script_files(cupsd_config_t) - - auth_use_nsswitch(cupsd_config_t) - - logging_send_syslog_msg(cupsd_config_t) ++######################################## ++## + ## Execute ndc in the ndc domain, and + ## allow the specified role the ndc domain. + ## +@@ -251,6 +287,25 @@ - miscfiles_read_localization(cupsd_config_t) -+miscfiles_read_hwdata(cupsd_config_t) + ######################################## + ## ++## Execute bind server in the bind domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`bind_initrc_domtrans',` ++ gen_require(` ++ type bind_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, bind_initrc_exec_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an bind environment + ## +@@ -269,7 +324,7 @@ + interface(`bind_admin',` + gen_require(` + type named_t, named_tmp_t, named_log_t; +- type named_conf_t, named_var_run_t; ++ type named_conf_t, named_var_lib_t, named_var_run_t; + type named_cache_t, named_zone_t; + type dnssec_t, ndc_t; + type named_initrc_exec_t; +@@ -283,6 +338,7 @@ - seutil_dontaudit_search_config(cupsd_config_t) + bind_run_ndc($1, $2) -@@ -359,14 +422,16 @@ - lpd_read_config(cupsd_config_t) ++ bind_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 named_initrc_exec_t system_r; + allow $2 system_r; +@@ -300,6 +356,9 @@ + admin_pattern($1, named_zone_t) + admin_pattern($1, dnssec_t) - ifdef(`distro_redhat',` -- init_getattr_script_files(cupsd_config_t) -- - optional_policy(` - rpm_read_db(cupsd_config_t) - ') ++ files_list_var_lib($1) ++ admin_pattern($1, named_var_lib_t) ++ + files_list_pids($1) + admin_pattern($1, named_var_run_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.12/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 
-0500 ++++ serefpolicy-3.6.12/policy/modules/services/bind.te 2009-04-07 16:01:44.000000000 -0400 +@@ -123,6 +123,7 @@ + corenet_sendrecv_dns_client_packets(named_t) + corenet_sendrecv_rndc_server_packets(named_t) + corenet_sendrecv_rndc_client_packets(named_t) ++corenet_dontaudit_udp_bind_all_reserved_ports(named_t) + corenet_udp_bind_all_unreserved_ports(named_t) - optional_policy(` -+ term_use_generic_ptys(cupsd_config_t) -+') -+ -+optional_policy(` - cron_system_entry(cupsd_config_t, cupsd_config_exec_t) + dev_read_sysfs(named_t) +@@ -169,7 +170,7 @@ ') -@@ -382,6 +447,7 @@ optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) -+ hal_dontaudit_use_fds(hplip_t) +- kerberos_use(named_t) ++ kerberos_keytab_template(named, named_t) ') optional_policy(` -@@ -491,7 +557,10 @@ - allow hplip_t self:udp_socket create_socket_perms; - allow hplip_t self:rawip_socket create_socket_perms; +@@ -229,6 +230,7 @@ + files_search_pids(ndc_t) --allow hplip_t cupsd_etc_t:dir search; -+allow hplip_t cupsd_etc_t:dir search_dir_perms; -+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) + fs_getattr_xattr_fs(ndc_t) ++fs_list_inotifyfs(ndc_t) - cups_stream_connect(hplip_t) + init_use_fds(ndc_t) + init_use_script_ptys(ndc_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.12/policy/modules/services/bitlbee.te +--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/bitlbee.te 2009-04-07 16:01:44.000000000 -0400 +@@ -75,6 +75,8 @@ + # grant read-only access to the user help files + files_read_usr_files(bitlbee_t) -@@ -500,6 +569,10 @@ - read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - files_search_etc(hplip_t) ++kernel_read_system_state(bitlbee_t) ++ + 
libs_legacy_use_shared_libs(bitlbee_t) -+fs_rw_anon_inodefs_files(hplip_t) + miscfiles_read_localization(bitlbee_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc +--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,9 @@ + -+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) ++/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) + - manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) - files_pid_filetrans(hplip_t, hplip_var_run_t, file) - -@@ -529,7 +602,8 @@ - dev_read_urand(hplip_t) - dev_read_rand(hplip_t) - dev_rw_generic_usb_dev(hplip_t) --dev_read_usbfs(hplip_t) -+dev_rw_usbfs(hplip_t) ++/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) + - - fs_getattr_all_fs(hplip_t) - fs_search_auto_mountpoints(hplip_t) -@@ -553,7 +627,9 @@ - userdom_dontaudit_search_user_home_dirs(hplip_t) - userdom_dontaudit_search_user_home_content(hplip_t) - --lpd_read_config(cupsd_t) ++/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) + -+lpd_read_config(hplip_t) -+lpd_manage_spool(hplip_t) - - optional_policy(` - dbus_system_bus_client(hplip_t) -@@ -635,3 +711,49 @@ - optional_policy(` - udev_read_db(ptal_t) - ') ++/var/log/certmaster(/.*)? 
gen_context(system_u:object_r:certmaster_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.12/policy/modules/services/certmaster.if +--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/certmaster.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,123 @@ ++## policy for certmaster + +######################################## ++## ++## Execute a domain transition to run certmaster. ++## ++## ++## ++## Domain allowed to transition. ++## ++## +# -+# cups_pdf local policy -+# -+ -+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; ++interface(`certmaster_domtrans',` ++ gen_require(` ++ type certmaster_t, certmaster_exec_t; ++ ') + -+allow cups_pdf_t self:fifo_file rw_file_perms; -+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; ++ domtrans_pattern($1,certmaster_exec_t,certmaster_t) ++') + -+files_read_etc_files(cups_pdf_t) -+files_read_usr_files(cups_pdf_t) ++####################################### ++## ++## read certmaster logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmaster_read_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') + -+kernel_read_system_state(cups_pdf_t) ++ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') + -+auth_use_nsswitch(cups_pdf_t) ++####################################### ++## ++## Append to certmaster logs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`certmaster_append_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') + -+corecmd_exec_shell(cups_pdf_t) -+corecmd_exec_bin(cups_pdf_t) ++ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') + -+miscfiles_read_localization(cups_pdf_t) -+ -+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) -+ -+userdom_home_filetrans_user_home_dir(cups_pdf_t) -+userdom_manage_user_home_content_dirs(cups_pdf_t) -+userdom_manage_user_home_content_files(cups_pdf_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(cups_pdf_t) -+ fs_manage_nfs_files(cups_pdf_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(cups_pdf_t) -+ fs_manage_cifs_files(cups_pdf_t) -+') -+ -+lpd_manage_spool(cups_pdf_t) -+ -+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -+miscfiles_read_fonts(cups_pdf_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-07 16:01:44.000000000 -0400 -@@ -112,4 +112,5 @@ - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.12/policy/modules/services/dbus.fc ---- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dbus.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -4,6 
+4,9 @@ - /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+ - /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - - /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-07 16:01:44.000000000 -0400 -@@ -44,6 +44,7 @@ - - attribute session_bus_type; - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; -+ type $1_t; - ') - - ############################## -@@ -76,7 +77,7 @@ - allow $3 $1_dbusd_t:unix_stream_socket connectto; - - # SE-DBus specific permissions -- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; -+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -91,7 +92,7 @@ - allow $3 $1_dbusd_t:process { sigkill signal }; - - # cjp: this seems very broken -- corecmd_bin_domtrans($1_dbusd_t, $3) -+ corecmd_bin_domtrans($1_dbusd_t, $1_t) - allow $1_dbusd_t $3:process sigkill; - allow $3 $1_dbusd_t:fd use; - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -117,6 +118,7 @@ - dev_read_urand($1_dbusd_t) - - domain_use_interactive_fds($1_dbusd_t) -+ domain_read_all_domains_state($1_dbusd_t) - - files_read_etc_files($1_dbusd_t) - files_list_home($1_dbusd_t) -@@ -145,6 +147,8 @@ - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - -+ 
term_use_all_terms($1_dbusd_t) -+ - userdom_read_user_home_content_files($1_dbusd_t) - - ifdef(`hide_broken_symptoms', ` -@@ -160,6 +164,10 @@ - ') - - optional_policy(` -+ gnome_read_gconf_home_files($1_dbusd_t) -+ ') -+ -+ optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') - -@@ -185,10 +193,12 @@ - type system_dbusd_t, system_dbusd_t; - type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; -+ attribute dbusd_unconfined; - ') - - # SE-DBus specific permissions -- allow $1 { system_dbusd_t self }:dbus send_msg; -+ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg; -+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; - - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($1) -@@ -197,6 +207,10 @@ - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($1) -+ -+ optional_policy(` -+ rpm_script_dbus_chat($1) -+ ') - ') - - ####################################### -@@ -244,6 +258,35 @@ - - ######################################## - ## -+## Chat on user/application specific DBUS. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`dbus_chat_user_bus',` -+ gen_require(` -+ type $1_t; -+ type $1_dbusd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1_dbusd_t $2:dbus send_msg; -+ allow $2 $1_t:dbus send_msg; -+ allow $1_t $2:dbus send_msg; -+') -+ -+######################################## -+## - ## Read dbus configuration. - ## - ## -@@ -318,3 +361,77 @@ - - allow $1 system_dbusd_t:dbus *; - ') -+ -+######################################## ++####################################### +## -+## Allow unconfined access to the system DBUS. ++## Create, read, write, and delete ++## certmaster logs. +## +## -+## -+## Domain allowed access. 
-+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dbus_unconfined',` -+ gen_require(` -+ attribute dbusd_unconfined; -+ ') ++interface(`certmaster_manage_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') + -+ typeattribute $1 dbusd_unconfined; ++ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) +') + +######################################## +## -+## Create a domain for processes -+## which can be started by the system dbus ++## All of the rules required to administrate ++## an snort environment +## +## -+## -+## Type to be used as a domain. -+## ++## ++## Domain allowed access. ++## +## -+## -+## -+## Type of the program to be used as an entry point to this domain. -+## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## +## ++## +# -+interface(`dbus_system_domain',` -+ gen_require(` -+ type system_dbusd_t; -+ role system_r; -+ ') ++interface(`certmaster_admin',` ++ gen_require(` ++ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; ++ type certmaster_etc_rw_t, certmaster_var_log_t; ++ type certmaster_initrc_exec_t; ++ ') + -+ domain_type($1) -+ domain_entry_file($1, $2) ++ allow $1 certmaster_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, certmaster_t) + -+ role system_r types $1; ++ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 certmaster_initrc_exec_t system_r; ++ allow $2 system_r; + -+ domtrans_pattern(system_dbusd_t, $2, $1) ++ files_list_etc($1) ++ miscfiles_manage_cert_dirs($1) ++ miscfiles_manage_cert_files($1) + -+ dbus_system_bus_client($1) -+ dbus_connect_system_bus($1) ++ admin_pattern($1, certmaster_etc_rw_t) + -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+ '); ++ files_list_pids($1) ++ admin_pattern($1, certmaster_var_run_t) ++ ++ logging_list_logs($1) ++ 
admin_pattern($1, certmaster_var_log_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, certmaster_var_lib_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.12/policy/modules/services/certmaster.te +--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/certmaster.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,79 @@ ++policy_module(certmaster,1.0.0) + +######################################## -+## -+## Dontaudit Read, and write system dbus TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## +# -+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+ gen_require(` -+ type system_dbusd_t; -+ ') ++# Declarations ++# + -+ allow $1 system_dbusd_t:tcp_socket { read write }; -+ allow $1 system_dbusd_t:fd use; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.12/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dbus.te 2009-04-07 16:01:44.000000000 -0400 -@@ -9,14 +9,15 @@ - # - # Delcarations - # -- -+attribute dbusd_unconfined; - attribute session_bus_type; - - type dbusd_etc_t; --files_type(dbusd_etc_t) -+files_config_file(dbusd_etc_t) - - type dbusd_exec_t; - corecmd_executable_file(dbusd_exec_t) -+typealias dbusd_exec_t alias system_dbusd_exec_t; - - type session_dbusd_tmp_t; - typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -@@ -31,11 +32,25 @@ - files_tmp_file(system_dbusd_tmp_t) - - type system_dbusd_var_lib_t; --files_pid_file(system_dbusd_var_lib_t) -+files_type(system_dbusd_var_lib_t) - - type system_dbusd_var_run_t; - files_pid_file(system_dbusd_var_run_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(system_dbusd_t, 
dbusd_exec_t,s0 - mcs_systemhigh) -+') ++# type and domain for certmaster ++type certmaster_t; ++type certmaster_exec_t; ++init_daemon_domain(certmaster_t, certmaster_exec_t) + -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh) -+ mls_fd_use_all_levels(system_dbusd_t) -+ mls_rangetrans_target(system_dbusd_t) -+ mls_file_read_all_levels(system_dbusd_t) -+ mls_socket_write_all_levels(system_dbusd_t) -+ mls_socket_read_to_clearance(system_dbusd_t) -+ mls_dbus_recv_all_levels(system_dbusd_t) -+') ++type certmaster_initrc_exec_t; ++init_script_file(certmaster_initrc_exec_t) + - ############################## - # - # System bus local policy -@@ -45,7 +60,7 @@ - # cjp: dac_override should probably go in a distro_debian - allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; --allow system_dbusd_t self:process { getattr signal_perms setcap }; -+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; - allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -53,6 +68,8 @@ - # Receive notifications of policy reloads and enforcing status changes. 
- allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -+can_exec(system_dbusd_t, dbusd_exec_t) ++# var/lib files ++type certmaster_var_lib_t; ++files_type(certmaster_var_lib_t) + - allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -75,6 +92,8 @@ - - fs_getattr_all_fs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) -+fs_list_inotifyfs(system_dbusd_t) -+fs_dontaudit_list_nfs(system_dbusd_t) - - selinux_get_fs_mount(system_dbusd_t) - selinux_validate_context(system_dbusd_t) -@@ -91,9 +110,9 @@ - corecmd_list_bin(system_dbusd_t) - corecmd_read_bin_pipes(system_dbusd_t) - corecmd_read_bin_sockets(system_dbusd_t) --corecmd_exec_bin(system_dbusd_t) - - domain_use_interactive_fds(system_dbusd_t) -+domain_read_all_domains_state(system_dbusd_t) - - files_read_etc_files(system_dbusd_t) - files_list_home(system_dbusd_t) -@@ -101,6 +120,8 @@ - - init_use_fds(system_dbusd_t) - init_use_script_ptys(system_dbusd_t) -+init_bin_domtrans_spec(system_dbusd_t) -+init_domtrans_script(system_dbusd_t) - - logging_send_audit_msgs(system_dbusd_t) - logging_send_syslog_msg(system_dbusd_t) -@@ -128,9 +149,38 @@ - ') - - optional_policy(` -+ gnome_exec_gconf(system_dbusd_t) -+') ++# config files ++type certmaster_etc_rw_t; ++files_config_file(certmaster_etc_rw_t) + -+optional_policy(` -+ networkmanager_initrc_domtrans(system_dbusd_t) -+') ++# log files ++type certmaster_var_log_t; ++logging_log_file(certmaster_var_log_t) + -+optional_policy(` -+ polkit_domtrans_auth(system_dbusd_t) -+ polkit_search_lib(system_dbusd_t) -+') ++# pid files ++type certmaster_var_run_t; ++files_pid_file(certmaster_var_run_t) + -+optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` - udev_read_db(system_dbusd_t) - ') ++########################################### ++# ++# certmaster local policy ++# + 
-+optional_policy(` -+ gen_require(` -+ type unconfined_dbusd_t; -+ ') -+ unconfined_domain(unconfined_dbusd_t) -+ unconfined_execmem_domtrans(unconfined_dbusd_t) ++allow certmaster_t self:capability sys_tty_config; ++allow certmaster_t self:tcp_socket create_stream_socket_perms; + -+ optional_policy(` -+ xserver_rw_shm(unconfined_dbusd_t) -+ ') -+') ++# config files ++list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) ++manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) + -+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; -+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; -+allow session_bus_type dbusd_unconfined:dbus send_msg; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.12/policy/modules/services/dcc.fc ---- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/dcc.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -12,6 +12,8 @@ - - /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) - /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - - /var/run/dcc(/.*)? 
gen_context(system_u:object_r:dcc_var_run_t,s0) - /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te ---- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-04-07 16:01:44.000000000 -0400 -@@ -137,6 +137,7 @@ - - corenet_all_recvfrom_unlabeled(dcc_client_t) - corenet_all_recvfrom_netlabel(dcc_client_t) -+corenet_udp_bind_generic_node(dcc_client_t) - corenet_udp_sendrecv_generic_if(dcc_client_t) - corenet_udp_sendrecv_generic_node(dcc_client_t) - corenet_udp_sendrecv_all_ports(dcc_client_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.12/policy/modules/services/devicekit.fc ---- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,8 @@ ++# var/lib files for certmaster ++manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) + -+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++# log files ++manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) ++logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) + -+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) ++# pid file ++manage_files_pattern(certmaster_t, 
certmaster_var_run_t,certmaster_var_run_t) ++manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) + -+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if ---- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,197 @@ ++corecmd_search_bin(certmaster_t) ++corecmd_getattr_bin_files(certmaster_t) + -+## policy for devicekit ++# network ++corenet_tcp_bind_generic_node(certmaster_t) ++corenet_tcp_bind_certmaster_port(certmaster_t) + -+######################################## -+## -+## Execute a domain transition to run devicekit. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`devicekit_domtrans',` -+ gen_require(` -+ type devicekit_t; -+ type devicekit_exec_t; -+ ') ++files_search_etc(certmaster_t) ++files_list_var(certmaster_t) ++files_search_var_lib(certmaster_t) + -+ domtrans_pattern($1,devicekit_exec_t,devicekit_t) -+') ++# read meminfo ++kernel_read_system_state(certmaster_t) + ++auth_use_nsswitch(certmaster_t) + -+######################################## -+## -+## Read devicekit PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_read_pid_files',` -+ gen_require(` -+ type devicekit_var_run_t; -+ ') ++miscfiles_read_localization(certmaster_t) + -+ files_search_pids($1) -+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -+') ++miscfiles_manage_cert_dirs(certmaster_t) ++miscfiles_manage_cert_files(certmaster_t) + -+######################################## -+## -+## Manage devicekit var_run files. 
++permissive certmaster_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.12/policy/modules/services/clamav.fc +--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/clamav.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,20 +1,23 @@ + /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) ++/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) + + /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) + /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) + /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + + /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) ++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) + + /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) + + /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) ++/var/clamav(/.*)? 
gen_context(system_u:object_r:clamd_var_lib_t,s0) + +-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) +-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) + /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) ++/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) + + /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.12/policy/modules/services/clamav.if +--- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/clamav.if 2009-04-07 16:01:44.000000000 -0400 +@@ -38,6 +38,27 @@ + + ######################################## + ## ++## Allow the specified domain to append ++## to clamav log files. +## +## +## 
@@ -10582,41 +9607,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`devicekit_manage_var_run',` ++interface(`clamav_append_log',` + gen_require(` -+ type devicekit_var_run_t; ++ type clamav_log_t; + ') + -+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t) -+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) -+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ logging_search_logs($1) ++ allow $1 clamav_log_t:dir list_dir_perms; ++ append_files_pattern($1, clamav_log_t, clamav_log_t) +') + -+ +######################################## +## -+## Send and receive messages from -+## devicekit over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_dbus_chat',` -+ gen_require(` -+ type devicekit_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 devicekit_t:dbus send_msg; -+ allow devicekit_t $1:dbus send_msg; -+') + ## Read clamav configuration files. + ## + ## +@@ -91,3 +112,87 @@ + + domtrans_pattern($1, clamscan_exec_t, clamscan_t) + ') + +######################################## +## -+## Send signal devicekit power ++## Execute clamscan without a transition. +## +## +## 
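Review bot: `clamav_append_log` requires and grants access on `type clamav_log_t`, but the type this patch labels clamav logs with is `clamd_var_log_t` (clamav.fc maps `/var/log/clamav.*` to it, and `clamav_admin` runs `admin_pattern($1, clamd_var_log_t)`); no declaration of `clamav_log_t` is visible in clamav.te in this patch, so any caller of the interface would appear to fail at policy link time with an undeclared type unless it is declared somewhere outside this page. The three body lines should read `type clamd_var_log_t;`, `allow $1 clamd_var_log_t:dir list_dir_perms;` and `append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)`. The hunk ends inside the description comment of `clamav_exec_clamscan`, whose body is in the next hunk.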
@@ -10624,39 +9637,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`devicekit_power_signal',` ++interface(`clamav_exec_clamscan',` + gen_require(` -+ type devicekit_power_t; ++ type clamscan_exec_t; + ') + -+ allow $1 devicekit_power_t:process signal; -+') -+ -+######################################## -+## -+## Send and receive messages from -+## devicekit power over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_power_dbus_chat',` -+ gen_require(` -+ type devicekit_power_t; -+ class dbus send_msg; -+ ') ++ can_exec($1, clamscan_exec_t) + -+ allow $1 devicekit_power_t:dbus send_msg; -+ allow devicekit_power_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate -+## an devicekit environment ++## an clamav environment +## +## +## 
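Review bot: `clamav_exec_clamscan` grants only `can_exec($1, clamscan_exec_t)`, so the caller keeps its own domain and none of the rules clamav.te gives `clamscan_t` (its `clamd_etc_t` and `clamd_var_lib_t` access, for example) apply to that run; the summary should say so, e.g. `## Execute clamscan in the caller's domain, without a transition;` followed by `## the caller must itself be allowed to read clamav configuration and signature files.` Two style nits in the same hunk: the empty line between `can_exec($1, clamscan_exec_t)` and the closing `')` is unusual for an interface body, and the `clamav_admin` summary that starts at the end of this hunk reads `an clamav environment` where `a clamav environment` is meant.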
@@ -10665,441 +9658,539 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the devicekit domain. -+## -+## -+## -+## -+## The type of the user terminal. ++## The role to be allowed to manage the clamav domain. +## +## +## +# -+interface(`devicekit_admin',` ++interface(`clamav_admin',` + gen_require(` -+ type devicekit_t; -+ ') -+ -+ allow $1 devicekit_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, devicekit_t, devicekit_t) -+ ++ type clamd_t, clamd_etc_t, clamd_tmp_t; ++ type clamd_var_log_t, clamd_var_lib_t; ++ type clamd_var_run_t; + -+ devicekit_manage_var_run($1) ++ type clamscan_t, clamscan_tmp_t; + -+') ++ type freshclam_t, freshclam_var_log_t; + -+######################################## -+## -+## Send to devicekit over a unix domain -+## datagram socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_dgram_send',` -+ gen_require(` -+ type devicekit_t; ++ type clamd_initrc_exec_t; + ') + -+ allow $1 devicekit_t:unix_dgram_socket sendto; -+') ++ allow $1 clamd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, clamd_t) ++ ++ allow $1 clamscan_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, clamscan_t) + -+######################################## -+## -+## Send and receive messages from -+## devicekit disk over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`devicekit_disk_dbus_chat',` -+ gen_require(` -+ type devicekit_disk_t; -+ class dbus send_msg; -+ ') ++ allow $1 freshclam_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, freshclam_t) ++ ++ init_labeled_script_domtrans($1, clamd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 clamd_initrc_exec_t system_r; ++ allow $2 system_r; + -+ allow $1 devicekit_disk_t:dbus send_msg; -+ allow devicekit_disk_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te ---- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,217 @@ -+policy_module(devicekit,1.0.0) ++ files_list_tmp($1) ++ admin_pattern($1, clamd_tmp_t) + -+######################################## -+# -+# Declarations -+# ++ files_list_etc($1) ++ admin_pattern($1, clamd_etc_t) + -+type devicekit_t; -+type devicekit_exec_t; -+dbus_system_domain(devicekit_t, devicekit_exec_t) ++ logging_list_logs($1) ++ admin_pattern($1, clamd_var_log_t) + -+permissive devicekit_t; ++ files_list_var_lib($1) ++ admin_pattern($1, clamd_var_lib_t) + -+type devicekit_power_t; -+type devicekit_power_exec_t; -+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) ++ files_list_pids($1) ++ admin_pattern($1, clamd_var_run_t) + -+permissive devicekit_power_t; ++ admin_pattern($1, clamscan_tmp_t) + -+type devicekit_disk_t; -+type devicekit_disk_exec_t; -+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) ++ admin_pattern($1, freshclam_var_log_t) ++') + -+permissive devicekit_disk_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te +--- 
nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/clamav.te 2009-04-07 16:01:44.000000000 -0400 +@@ -13,7 +13,10 @@ + + # configuration files + type clamd_etc_t; +-files_type(clamd_etc_t) ++files_config_file(clamd_etc_t) + -+type devicekit_tmp_t; -+files_tmp_file(devicekit_tmp_t) ++type clamd_initrc_exec_t; ++init_script_file(clamd_initrc_exec_t) + + # tmp files + type clamd_tmp_t; +@@ -87,6 +90,9 @@ + kernel_dontaudit_list_proc(clamd_t) + kernel_read_sysctl(clamd_t) + kernel_read_kernel_sysctls(clamd_t) ++kernel_read_system_state(clamd_t) + -+type devicekit_var_run_t; -+files_pid_file(devicekit_var_run_t) -+ -+type devicekit_var_lib_t; -+files_type(devicekit_var_lib_t) -+ -+# -+# DeviceKit local policy -+# -+allow devicekit_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) -+ -+dev_read_sysfs(devicekit_t) -+dev_read_urand(devicekit_t) -+ -+files_read_etc_files(devicekit_t) -+ -+fs_list_inotifyfs(devicekit_t) -+ -+miscfiles_read_localization(devicekit_t) -+ -+optional_policy(` -+ dbus_system_bus_client(devicekit_t) -+') ++corecmd_exec_shell(clamd_t) + + corenet_all_recvfrom_unlabeled(clamd_t) + corenet_all_recvfrom_netlabel(clamd_t) +@@ -97,6 +103,8 @@ + corenet_tcp_bind_generic_node(clamd_t) + corenet_tcp_bind_clamd_port(clamd_t) + corenet_sendrecv_clamd_server_packets(clamd_t) ++corenet_tcp_bind_generic_port(clamd_t) ++corenet_tcp_connect_generic_port(clamd_t) + + dev_read_rand(clamd_t) + dev_read_urand(clamd_t) +@@ -117,6 +125,9 @@ + cron_use_system_job_fds(clamd_t) + cron_rw_pipes(clamd_t) + ++mta_read_config(clamd_t) ++mta_send_mail(clamd_t) + + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +@@ -124,6 +135,10 @@ + 
amavis_create_pid_files(clamd_t) + ') + +optional_policy(` -+ udev_read_db(devicekit_t) ++ exim_read_spool_files(clamd_t) +') + -+# -+# DeviceKit-Power local policy -+# -+allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice }; -+allow devicekit_power_t self:fifo_file rw_fifo_file_perms; -+allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) -+ -+corecmd_exec_bin(devicekit_power_t) -+corecmd_exec_shell(devicekit_power_t) + ######################################## + # + # Freshclam local policy +@@ -191,7 +206,7 @@ + allow clamscan_t self:fifo_file rw_file_perms; + allow clamscan_t self:unix_stream_socket create_stream_socket_perms; + allow clamscan_t self:unix_dgram_socket create_socket_perms; +-allow clamscan_t self:tcp_socket { listen accept }; ++allow clamscan_t self:tcp_socket create_stream_socket_perms; + + # configuration files + allow clamscan_t clamd_etc_t:dir list_dir_perms; +@@ -207,6 +222,14 @@ + manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) + allow clamscan_t clamd_var_lib_t:dir list_dir_perms; + ++corenet_all_recvfrom_unlabeled(clamscan_t) ++corenet_all_recvfrom_netlabel(clamscan_t) ++corenet_tcp_sendrecv_generic_if(clamscan_t) ++corenet_tcp_sendrecv_generic_node(clamscan_t) ++corenet_tcp_sendrecv_all_ports(clamscan_t) ++corenet_tcp_sendrecv_clamd_port(clamscan_t) ++corenet_tcp_connect_clamd_port(clamscan_t) + -+consoletype_exec(devicekit_power_t) + kernel_read_kernel_sysctls(clamscan_t) + + files_read_etc_files(clamscan_t) +@@ -221,6 +244,8 @@ + + clamav_stream_connect(clamscan_t) + ++mta_send_mail(clamscan_t) + -+domain_read_all_domains_state(devicekit_power_t) + optional_policy(` + apache_read_sys_content(clamscan_t) + ') +diff -b -B --ignore-all-space 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.12/policy/modules/services/consolekit.fc +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,3 +1,6 @@ + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) + + /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + -+kernel_read_system_state(devicekit_power_t) -+kernel_rw_kernel_sysctl(devicekit_power_t) -+kernel_rw_hotplug_sysctls(devicekit_power_t) -+kernel_write_proc_files(devicekit_power_t) ++/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.12/policy/modules/services/consolekit.if +--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.if 2009-04-07 16:01:44.000000000 -0400 +@@ -38,3 +38,24 @@ + allow $1 consolekit_t:dbus send_msg; + allow consolekit_t $1:dbus send_msg; + ') + -+dev_rw_generic_usb_dev(devicekit_power_t) -+dev_rw_netcontrol(devicekit_power_t) -+dev_rw_sysfs(devicekit_power_t) ++######################################## ++## ++## Read consolekit log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`consolekit_read_log',` ++ gen_require(` ++ type consolekit_log_t; ++ ') + -+files_read_etc_files(devicekit_power_t) -+files_read_usr_files(devicekit_power_t) ++ files_search_pids($1) ++ read_files_pattern($1, consolekit_log_t, consolekit_log_t) ++') + -+fs_list_inotifyfs(devicekit_power_t) + -+term_use_all_terms(devicekit_power_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te +--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-07 16:01:44.000000000 -0400 +@@ -13,6 +13,9 @@ + type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + ++type consolekit_log_t; ++files_pid_file(consolekit_log_t) + -+auth_use_nsswitch(devicekit_power_t) + ######################################## + # + # consolekit local policy +@@ -24,20 +27,27 @@ + allow consolekit_t self:unix_stream_socket create_stream_socket_perms; + allow consolekit_t self:unix_dgram_socket create_socket_perms; + ++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) ++logging_log_filetrans(consolekit_t, consolekit_log_t, file) + -+miscfiles_read_localization(devicekit_power_t) ++manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) + manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) +-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) ++files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) + + kernel_read_system_state(consolekit_t) + + corecmd_exec_bin(consolekit_t) ++corecmd_exec_shell(consolekit_t) + + dev_read_urand(consolekit_t) + dev_read_sysfs(consolekit_t) + + domain_read_all_domains_state(consolekit_t) + domain_use_interactive_fds(consolekit_t) ++domain_dontaudit_ptrace_all_domains(consolekit_t) + + files_read_etc_files(consolekit_t) 
++files_read_usr_files(consolekit_t) + # needs to read /var/lib/dbus/machine-id + files_read_var_lib_files(consolekit_t) + +@@ -47,13 +57,35 @@ + + auth_use_nsswitch(consolekit_t) + ++init_telinit(consolekit_t) ++init_rw_utmp(consolekit_t) ++init_chat(consolekit_t) + -+userdom_read_all_users_state(devicekit_power_t) ++logging_send_syslog_msg(consolekit_t) + -+optional_policy(` -+ hal_domtrans_mac(devicekit_power_t) -+ hal_create_log(devicekit_power_t) -+ hal_manage_pid_dirs(devicekit_power_t) -+ hal_manage_pid_files(devicekit_power_t) -+ hal_dbus_chat(devicekit_power_t) -+') + miscfiles_read_localization(consolekit_t) + ++# consolekit needs to be able to ptrace all logged in users ++userdom_ptrace_all_users(consolekit_t) ++userdom_dontaudit_read_user_home_content_files(consolekit_t) ++userdom_read_user_tmp_files(consolekit_t) + -+optional_policy(` -+ cron_initrc_domtrans(devicekit_power_t) -+') ++hal_ptrace(consolekit_t) ++mcs_ptrace_all(consolekit_t) + -+optional_policy(` -+ polkit_domtrans_auth(devicekit_power_t) -+ polkit_read_lib(devicekit_power_t) -+ polkit_read_reload(devicekit_power_t) + optional_policy(` +- dbus_system_bus_client(consolekit_t) +- dbus_connect_system_bus(consolekit_t) ++ cron_read_system_job_lib_files(consolekit_t) +') -+ + +optional_policy(` -+ dbus_system_bus_client(devicekit_power_t) -+ allow devicekit_power_t devicekit_t:dbus send_msg; -+ allow devicekit_t devicekit_power_t:dbus send_msg; -+ -+ optional_policy(` -+ consolekit_dbus_chat(devicekit_power_t) -+ ') -+ ++ dbus_system_domain(consolekit_t, consolekit_exec_t) + optional_policy(` -+ networkmanager_dbus_chat(devicekit_power_t) + hal_dbus_chat(consolekit_t) + ') + + optional_policy(` -+ rpm_dbus_chat(devicekit_power_t) ++ rpm_dbus_chat(consolekit_t) + ') + + optional_policy(` + unconfined_dbus_chat(consolekit_t) +@@ -61,6 +93,31 @@ + ') + + optional_policy(` ++ polkit_domtrans_auth(consolekit_t) ++ polkit_read_lib(consolekit_t) ++ polkit_read_reload(consolekit_t) +') + 
+optional_policy(` -+ bootloader_domtrans(devicekit_power_t) + xserver_read_user_xauth(consolekit_t) + xserver_stream_connect(consolekit_t) ++ xserver_ptrace_xdm(consolekit_t) ++ xserver_common_app(consolekit_t) +') + +optional_policy(` -+ fstools_domtrans(devicekit_power_t) ++ #reading .Xauthity ++ unconfined_ptrace(consolekit_t) ++ unconfined_stream_connect(consolekit_t) +') + -+optional_policy(` -+ vbetool_domtrans(devicekit_power_t) -+') -+# -+# DeviceKit disk local policy -+# ++tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_list_nfs(consolekit_t) ++ fs_dontaudit_rw_nfs_files(consolekit_t) + ') + -+allow devicekit_disk_t self:capability { sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; ++tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_list_cifs(consolekit_t) ++ fs_dontaudit_rw_cifs_files(consolekit_t) ++') + -+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) -+ -+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) -+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) -+ -+corecmd_exec_bin(devicekit_disk_t) -+ -+dev_read_sysfs(devicekit_disk_t) -+dev_read_urand(devicekit_disk_t) -+dev_getattr_usbfs_dirs(devicekit_disk_t) -+dev_manage_generic_files(devicekit_disk_t) -+ -+kernel_read_software_raid_state(devicekit_disk_t) -+ -+files_manage_mnt_dirs(devicekit_disk_t) -+files_read_etc_files(devicekit_disk_t) -+files_read_etc_runtime_files(devicekit_disk_t) -+files_read_usr_files(devicekit_disk_t) -+ -+fs_list_inotifyfs(devicekit_disk_t) -+ -+storage_raw_read_fixed_disk(devicekit_disk_t) -+storage_raw_read_removable_device(devicekit_disk_t) -+storage_raw_write_removable_device(devicekit_disk_t) -+ 
-+term_use_all_terms(devicekit_disk_t) -+ -+auth_use_nsswitch(devicekit_disk_t) -+ -+miscfiles_read_localization(devicekit_disk_t) -+ -+userdom_read_all_users_state(devicekit_disk_t) -+ -+optional_policy(` -+ fstools_domtrans(devicekit_disk_t) -+') -+ -+optional_policy(` -+ lvm_domtrans(devicekit_disk_t) -+') -+ -+optional_policy(` -+ polkit_domtrans_auth(devicekit_disk_t) -+ polkit_read_lib(devicekit_disk_t) -+ polkit_read_reload(devicekit_disk_t) -+') -+ -+optional_policy(` -+ mount_domtrans(devicekit_disk_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(devicekit_disk_t) -+ allow devicekit_disk_t devicekit_t:dbus send_msg; -+ allow devicekit_t devicekit_disk_t:dbus send_msg; -+ -+ optional_policy(` -+ consolekit_dbus_chat(devicekit_disk_t) -+ ') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.12/policy/modules/services/dhcp.if ---- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dhcp.if 2009-04-07 16:01:44.000000000 -0400 -@@ -22,6 +22,25 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.12/policy/modules/services/courier.if +--- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/courier.if 2009-04-07 16:01:44.000000000 -0400 +@@ -179,6 +179,24 @@ ######################################## ## -+## Execute dhcp server in the dhcp domain. ++## Read courier spool files. +## -+## ++## +## -+## The type of the process performing this action. ++## Domain allowed access. 
+## +## +# -+# -+interface(`dhcpd_initrc_domtrans',` ++interface(`courier_read_spool',` + gen_require(` -+ type dhcpd_initrc_exec_t; ++ type courier_spool_t; + ') + -+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) ++ read_files_pattern($1, courier_spool_t, courier_spool_t) +') + +######################################## +## - ## All of the rules required to administrate - ## an dhcp environment + ## Read and write to courier spool pipes. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.12/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.if 2009-04-07 16:01:44.000000000 -0400 -@@ -22,6 +22,25 @@ + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.12/policy/modules/services/courier.te +--- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/courier.te 2009-04-07 16:01:44.000000000 -0400 +@@ -10,6 +10,7 @@ + + type courier_etc_t; + files_config_file(courier_etc_t) ++mta_system_content(courier_etc_t) + + courier_domain_template(pcp) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc +--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,3 +1,4 @@ ++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + + /etc/cron\.d(/.*)? 
gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +@@ -17,9 +18,9 @@ + /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) + /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) + +-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/at/[^/]* -- <> ++/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) ++ ++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) + + /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +@@ -41,7 +42,11 @@ + #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + + /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/fcron/[^/]* <> ++/var/spool/fcron/.* <> + /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) ++ ++/var/lib/glpi/files(/.*)? 
gen_context(system_u:object_r:cron_var_lib_t,s0) ++ ++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if +--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-04-07 16:01:44.000000000 -0400 +@@ -12,6 +12,10 @@ + ## + # + template(`cron_common_crontab_template',` ++ gen_require(` ++ type crond_t, crond_var_run_t; ++ ') ++ + ############################## + # + # Declarations +@@ -31,16 +35,21 @@ + + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; +- allow $1_t self:process signal_perms; ++ allow $1_t self:process { setsched signal_perms }; ++ allow $1_t self:fifo_file rw_fifo_file_perms; ++ ++ allow $1_t crond_t:process signal; ++ allow $1_t crond_var_run_t:file read_file_perms; + + allow $1_t $1_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_t,$1_tmp_t,file) + + # create files in /var/spool/cron + # cjp: change this to a role transition ++ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t) + manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) +- files_search_spool($1_t) ++ files_list_spool($1_t) + + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr; +@@ -55,9 +64,16 @@ + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) ++ files_read_usr_files($1_t) + files_dontaudit_search_pids($1_t) + + logging_send_syslog_msg($1_t) ++ logging_send_audit_msgs($1_t) ++ logging_set_loginuid($1_t) ++ auth_domtrans_chk_passwd($1_t) ++ ++ init_dontaudit_write_utmp($1_t) ++ init_read_utmp($1_t) + + miscfiles_read_localization($1_t) + +@@ -147,26 +163,26 @@ + # + 
interface(`cron_unconfined_role',` + gen_require(` +- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; ++ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; + ') + +- role $1 types { unconfined_cronjob_t crontab_t }; ++ role $1 types { unconfined_cronjob_t admin_crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + + # Transition from the user domain to the derived domain. +- domtrans_pattern($2, crontab_exec_t, crontab_t) ++ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + # crontab shows up in user ps +- ps_process_pattern($2, crontab_t) +- allow $2 crontab_t:process signal; ++ ps_process_pattern($2, admin_crontab_t) ++ allow $2 admin_crontab_t:process signal; + + # Run helper programs as the user domain +- #corecmd_bin_domtrans(crontab_t, $2) +- #corecmd_shell_domtrans(crontab_t, $2) +- corecmd_exec_bin(crontab_t) +- corecmd_exec_shell(crontab_t) ++ #corecmd_bin_domtrans(admin_crontab_t, $2) ++ #corecmd_shell_domtrans(admin_crontab_t, $2) ++ corecmd_exec_bin(admin_crontab_t) ++ corecmd_exec_shell(admin_crontab_t) + + optional_policy(` + gen_require(` +@@ -261,10 +277,12 @@ + allow $1 system_cronjob_t:fifo_file rw_file_perms; + allow $1 system_cronjob_t:process sigchld; + ++ domain_auto_trans(crond_t, $2, $1) + allow $1 crond_t:fifo_file rw_file_perms; + allow $1 crond_t:fd use; + allow $1 crond_t:process sigchld; + ++ userdom_dontaudit_list_admin_dir($1) + role system_r types $1; + ') + +@@ -343,6 +361,24 @@ ######################################## ## -+## Execute dnsmasq server in the dnsmasq domain. ++## Allow read/write unix stream sockets from the system cron jobs. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. 
+## +## +# -+# -+interface(`dnsmasq_initrc_domtrans',` ++interface(`cron_rw_system_stream_sockets',` + gen_require(` -+ type dnsmasq_initrc_exec_t; ++ type system_cronjob_t; + ') + -+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) ++ allow $1 system_cronjob_t:unix_stream_socket { read write }; +') + +######################################## +## - ## Send dnsmasq a signal + ## Read and write a cron daemon unnamed pipe. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-07 16:01:44.000000000 -0400 -@@ -42,8 +42,7 @@ - files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) - - kernel_read_kernel_sysctls(dnsmasq_t) --kernel_list_proc(dnsmasq_t) --kernel_read_proc_symlinks(dnsmasq_t) -+kernel_read_system_state(dnsmasq_t) - - corenet_all_recvfrom_unlabeled(dnsmasq_t) - corenet_all_recvfrom_netlabel(dnsmasq_t) -@@ -84,6 +83,14 @@ - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - - optional_policy(` -+ cron_manage_pid_files(dnsmasq_t) -+') -+ -+optional_policy(` -+ tftp_read_content(dnsmasq_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(dnsmasq_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.12/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dovecot.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -6,6 +6,7 @@ - /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - - /etc/pki/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_cert_t,s0) -+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - - # - # /usr -@@ -17,19 +18,22 @@ - - ifdef(`distro_debian', ` - /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') - - ifdef(`distro_redhat', ` - /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') +@@ -361,7 +397,7 @@ + ######################################## + ## +-## Read, and write cron daemon TCP sockets. ++## Dontaudit Read, and write cron daemon TCP sockets. + ## + ## + ## +@@ -369,7 +405,7 @@ + ## + ## # - # /var - # - /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) --# this is a hard link to /var/lib/dovecot/ssl-parameters.dat --/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0) -+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - - /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - -+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) -+ - /var/spool/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.12/policy/modules/services/dovecot.if ---- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dovecot.if 2009-04-07 16:01:44.000000000 -0400 -@@ -21,7 +21,46 @@ +-interface(`cron_rw_tcp_sockets',` ++interface(`cron_dontaudit_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') +@@ -416,6 +452,42 @@ ######################################## ## --## Do not audit attempts to delete dovecot lib files. -+## Connect to dovecot auth unix domain stream socket. ++## Execute cron in the cron system domain. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`dovecot_auth_stream_connect',` ++interface(`cron_domtrans',` + gen_require(` -+ type dovecot_auth_t, dovecot_var_run_t; ++ type system_cronjob_t, crond_exec_t; + ') + -+ allow $1 dovecot_var_run_t:dir search; -+ allow $1 dovecot_var_run_t:sock_file write; -+ allow $1 dovecot_auth_t:unix_stream_socket connectto; ++ domtrans_pattern($1,crond_exec_t,system_cronjob_t) +') + +######################################## +## -+## Execute dovecot_deliver in the dovecot_deliver domain. ++## Execute crond_exec_t +## +## +## 
@@ -11107,2230 +10198,2121 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dovecot_domtrans_deliver',` ++interface(`cron_exec',` + gen_require(` -+ type dovecot_deliver_t, dovecot_deliver_exec_t; ++ type crond_exec_t; + ') + -+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) ++ can_exec($1,crond_exec_t) +') + -+####################################### ++######################################## +## -+## Do not audit attempts to d`elete dovecot lib files. + ## Inherit and use a file descriptor + ## from system cron jobs. ## - ## - ## -@@ -36,3 +75,60 @@ +@@ -481,11 +553,14 @@ + # + interface(`cron_read_system_job_tmp_files',` + gen_require(` +- type system_cronjob_tmp_t; ++ type system_cronjob_tmp_t, cron_var_run_t; + ') - dontaudit $1 dovecot_var_lib_t:file unlink; + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; ++ ++ files_search_pids($1) ++ allow $1 cron_var_run_t:file read_file_perms; + ') + + ######################################## +@@ -506,3 +581,101 @@ + + dontaudit $1 system_cronjob_tmp_t:file append; ') + ++ +######################################## +## -+## All of the rules required to administrate -+## an dovecot environment ++## Do not audit attempts to write temporary ++## files from the system cron jobs. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## -+## ++# ++interface(`cron_dontaudit_write_system_job_tmp_files',` ++ gen_require(` ++ type system_cronjob_tmp_t; ++ type cron_var_run_t; ++ type system_cronjob_var_run_t; ++ ') ++ ++ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ dontaudit $1 cron_var_run_t:file write_file_perms; ++ ') ++ ++######################################## ++## ++## Read temporary files from the system cron jobs. ++## ++## +## -+## The role to be allowed to manage the dovecot domain. ++## Domain allowed access. 
+## +## -+## +# -+interface(`dovecot_admin',` ++interface(`cron_read_system_job_lib_files',` + gen_require(` -+ type dovecot_t, dovecot_etc_t, dovecot_log_t; -+ type dovecot_spool_t, dovecot_var_lib_t; -+ type dovecot_var_run_t; -+ -+ type dovecot_cert_t, dovecot_passwd_t; -+ type dovecot_initrc_exec_t; ++ type system_cronjob_var_lib_t; + ') + -+ allow $1 dovecot_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dovecot_t) -+ -+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 dovecot_initrc_exec_t system_r; -+ allow $2 system_r; + -+ files_list_etc($1) -+ admin_pattern($1, dovecot_etc_t) ++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++') + -+ logging_list_logs($1) -+ admin_pattern($1, dovecot_log_t) ++######################################## ++## ++## Manage files from the system cron jobs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_manage_system_job_lib_files',` ++ gen_require(` ++ type system_cronjob_var_lib_t; ++ ') + -+ files_list_spool($1) -+ admin_pattern($1, dovecot_spool_t) + -+ files_list_var_lib($1) -+ admin_pattern($1, dovecot_var_lib_t) ++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++') + -+ files_list_pids($1) -+ admin_pattern($1, dovecot_var_run_t) ++######################################## ++## ++## Manage pid files used by cron ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_manage_pid_files',` ++ gen_require(` ++ type crond_var_run_t; ++ ') + -+ admin_pattern($1, dovecot_cert_t) ++ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ++') + -+ admin_pattern($1, dovecot_passwd_t) ++######################################## ++## ++## Execute crond server in the nscd domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`cron_initrc_domtrans',` ++ gen_require(` ++ type crond_initrc_exec_t; +') + ++ init_labeled_script_domtrans($1, crond_initrc_exec_t) ++') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.12/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dovecot.te 2009-04-07 16:01:44.000000000 -0400 -@@ -15,12 +15,21 @@ - domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) - role system_r types dovecot_auth_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te +--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-09 05:33:16.000000000 -0400 +@@ -38,6 +38,10 @@ + type cron_var_lib_t; + files_type(cron_var_lib_t) -+type dovecot_deliver_t; -+type dovecot_deliver_exec_t; -+domain_type(dovecot_deliver_t) -+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) -+role system_r types dovecot_deliver_t; ++# var/lib files ++type cron_var_run_t; ++files_type(cron_var_run_t) + - type dovecot_cert_t; - files_type(dovecot_cert_t) - - type dovecot_etc_t; - files_config_file(dovecot_etc_t) - -+type dovecot_initrc_exec_t; -+init_script_file(dovecot_initrc_exec_t) + # var/log files + type cron_log_t; + logging_log_file(cron_log_t) +@@ -56,8 +60,13 @@ + domain_interactive_fd(crond_t) + domain_cron_exemption_source(crond_t) + ++type crond_initrc_exec_t; ++init_script_file(crond_initrc_exec_t) + - type dovecot_passwd_t; - files_type(dovecot_passwd_t) + type crond_tmp_t; + files_tmp_file(crond_tmp_t) ++files_poly_parent(crond_tmp_t) ++mta_system_content(crond_tmp_t) -@@ -31,9 +40,15 @@ - type dovecot_var_lib_t; - files_type(dovecot_var_lib_t) + type 
crond_var_run_t; + files_pid_file(crond_var_run_t) +@@ -74,6 +83,7 @@ + typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; + typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; + typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; ++allow admin_crontab_t crond_t:process signal; -+type dovecot_var_log_t; -+logging_log_file(dovecot_var_log_t) -+ - type dovecot_var_run_t; - files_pid_file(dovecot_var_run_t) + type system_cron_spool_t, cron_spool_type; + files_type(system_cron_spool_t) +@@ -98,11 +108,18 @@ -+type dovecot_auth_tmp_t; -+files_tmp_file(dovecot_auth_tmp_t) + # Type of user crontabs once moved to cron spool. + type user_cron_spool_t, cron_spool_type; +-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t }; ++typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; + typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; + files_type(user_cron_spool_t) + ubac_constrained(user_cron_spool_t) + ++type system_cronjob_var_lib_t; ++files_type(system_cronjob_var_lib_t) ++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; ++ ++type system_cronjob_var_run_t; ++files_pid_file(system_cronjob_var_run_t) + ######################################## # - # dovecot local policy -@@ -58,6 +73,10 @@ - - can_exec(dovecot_t, dovecot_exec_t) + # Admin crontab local policy +@@ -130,7 +147,7 @@ + # Cron daemon local policy + # -+# log files -+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) -+ - manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -85,6 +104,7 @@ - dev_read_urand(dovecot_t) +-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search 
audit_control }; ++allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; + dontaudit crond_t self:capability { sys_resource sys_tty_config }; + allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow crond_t self:process { setexec setfscreate }; +@@ -146,22 +163,23 @@ + allow crond_t self:msg { send receive }; + allow crond_t self:key { search write link }; - fs_getattr_all_fs(dovecot_t) -+fs_getattr_all_dirs(dovecot_t) - fs_search_auto_mountpoints(dovecot_t) - fs_list_inotifyfs(dovecot_t) +-allow crond_t crond_var_run_t:file manage_file_perms; ++manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) + files_pid_filetrans(crond_t,crond_var_run_t,file) -@@ -98,7 +118,7 @@ - files_dontaudit_list_default(dovecot_t) - # Dovecot now has quota support and it uses getmntent() to find the mountpoints. - files_read_etc_runtime_files(dovecot_t) --files_getattr_all_mountpoints(dovecot_t) -+files_search_all_mountpoints(dovecot_t) +-allow crond_t cron_spool_t:dir rw_dir_perms; +-allow crond_t cron_spool_t:file read_file_perms; ++manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - init_getattr_utmp(dovecot_t) + manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) + manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) + files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) -@@ -120,7 +140,7 @@ - mta_manage_spool(dovecot_t) +-allow crond_t system_cron_spool_t:dir list_dir_perms; +-allow crond_t system_cron_spool_t:file read_file_perms; ++list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) ++read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - optional_policy(` -- kerberos_use(dovecot_t) -+ kerberos_keytab_template(dovecot, dovecot_t) - ') + kernel_read_kernel_sysctls(crond_t) ++kernel_read_fs_sysctls(crond_t) + kernel_search_key(crond_t) - optional_policy(` -@@ -140,25 +160,35 @@ - # dovecot auth local policy - # 
++dev_read_kmsg(crond_t) + dev_read_sysfs(crond_t) + selinux_get_fs_mount(crond_t) + selinux_validate_context(crond_t) +@@ -174,6 +192,7 @@ --allow dovecot_auth_t self:capability { setgid setuid }; -+allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; - allow dovecot_auth_t self:process signal_perms; - allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; - allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; - allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; + fs_getattr_all_fs(crond_t) + fs_search_auto_mountpoints(crond_t) ++fs_list_inotifyfs(crond_t) --allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; -+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; + # need auth_chkpwd to check for locked accounts. + auth_domtrans_chk_passwd(crond_t) +@@ -183,7 +202,11 @@ + corecmd_read_bin_symlinks(crond_t) --allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; -+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) -+ -+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) + domain_use_interactive_fds(crond_t) ++domain_subj_id_change_exemption(crond_t) ++domain_role_change_exemption(crond_t) - # Allow dovecot to create and read SSL parameters file - manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) - files_search_var_lib(dovecot_t) -+files_read_var_symlinks(dovecot_t) ++files_read_usr_files(crond_t) ++files_read_etc_runtime_files(crond_t) + files_read_etc_files(crond_t) + files_read_generic_spool(crond_t) + files_list_usr(crond_t) +@@ -192,10 +215,15 @@ + files_search_default(crond_t) - allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; -+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) 
-+dovecot_auth_stream_connect(dovecot_auth_t) + init_rw_utmp(crond_t) ++init_spec_domtrans_script(crond_t) - kernel_read_all_sysctls(dovecot_auth_t) - kernel_read_system_state(dovecot_auth_t) + auth_use_nsswitch(crond_t) -+logging_send_audit_msgs(dovecot_auth_t) -+logging_send_syslog_msg(dovecot_auth_t) ++logging_send_audit_msgs(crond_t) + logging_send_syslog_msg(crond_t) ++logging_set_loginuid(crond_t) + - dev_read_urand(dovecot_auth_t) ++rpc_search_nfs_state_data(crond_t) - auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -167,6 +197,7 @@ - files_read_etc_files(dovecot_auth_t) - files_read_etc_runtime_files(dovecot_auth_t) - files_search_pids(dovecot_auth_t) -+files_read_usr_files(dovecot_auth_t) - files_read_usr_symlinks(dovecot_auth_t) - files_search_tmp(dovecot_auth_t) - files_read_var_lib_files(dovecot_t) -@@ -182,5 +213,58 @@ - ') + seutil_read_config(crond_t) + seutil_read_default_contexts(crond_t) +@@ -208,6 +236,7 @@ + userdom_list_user_home_dirs(crond_t) - optional_policy(` -- logging_send_syslog_msg(dovecot_auth_t) -+ mysql_search_db(dovecot_auth_t) -+ mysql_stream_connect(dovecot_auth_t) + mta_send_mail(crond_t) ++mta_system_content(cron_spool_t) + + ifdef(`distro_debian',` + # pam_limits is used +@@ -227,21 +256,43 @@ + ') ') + ++tunable_policy(`allow_polyinstantiation',` ++ files_polyinstantiate_all(crond_t) ++') + +optional_policy(` -+ nis_authenticate(dovecot_auth_t) ++ apache_search_sys_content(crond_t) +') + + optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) + ') + +optional_policy(` -+ postfix_manage_private_sockets(dovecot_auth_t) -+ postfix_search_spool(dovecot_auth_t) ++ # these should probably be unconfined_crond_t ++ init_dbus_send_script(crond_t) +') + -+# for gssapi (kerberos) -+userdom_list_user_tmp(dovecot_auth_t) -+userdom_read_user_tmp_files(dovecot_auth_t) -+userdom_read_user_tmp_symlinks(dovecot_auth_t) -+ -+######################################## -+# -+# dovecot deliver local policy -+# -+allow 
dovecot_deliver_t self:unix_dgram_socket create_socket_perms; -+ -+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; -+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -+ -+kernel_read_all_sysctls(dovecot_deliver_t) -+kernel_read_system_state(dovecot_deliver_t) -+ -+files_read_etc_files(dovecot_deliver_t) -+files_read_etc_runtime_files(dovecot_deliver_t) -+ -+auth_use_nsswitch(dovecot_deliver_t) -+ -+logging_send_syslog_msg(dovecot_deliver_t) -+ -+miscfiles_read_localization(dovecot_deliver_t) -+ -+dovecot_auth_stream_connect(dovecot_deliver_t) -+ -+files_search_tmp(dovecot_deliver_t) -+fs_getattr_all_fs(dovecot_deliver_t) -+ -+userdom_manage_user_home_content_dirs(dovecot_deliver_t) -+userdom_manage_user_home_content_files(dovecot_deliver_t) -+userdom_manage_user_home_content_symlinks(dovecot_deliver_t) -+userdom_manage_user_home_content_pipes(dovecot_deliver_t) -+userdom_manage_user_home_content_sockets(dovecot_deliver_t) -+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) -+ +optional_policy(` -+ mta_manage_spool(dovecot_deliver_t) ++ mono_domtrans(crond_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.12/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/exim.if 2009-04-07 16:01:44.000000000 -0400 -@@ -97,6 +97,26 @@ + tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; + ') - ######################################## - ## -+## Allow the specified domain to manage exim's log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`exim_manage_log',` -+ gen_require(` -+ type exim_log_t; -+ ') -+ -+ manage_files_pattern($1, exim_log_t, exim_log_t) -+ logging_search_logs($1) + optional_policy(` ++ amanda_search_var_lib(crond_t) +') + -+######################################## -+## - ## Allow the specified domain to append - ## exim log files. - ## -@@ -154,3 +174,23 @@ - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) ++optional_policy(` + amavis_search_lib(crond_t) ') -+ -+######################################## -+## -+## Create, read, write, and delete -+## exim spool dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`exim_manage_spool_dirs',` -+ gen_require(` -+ type exim_spool_t; -+ ') -+ -+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) -+ files_search_spool($1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-07 16:01:44.000000000 -0400 -@@ -21,9 +21,20 @@ - ## - gen_tunable(exim_manage_user_files, false) -+## -+##

-+## Allow exim to connect to databases (postgres, mysql) -+##

-+##
-+gen_tunable(exim_can_connect_db, false) -+ - type exim_t; - type exim_exec_t; - init_daemon_domain(exim_t, exim_exec_t) -+mta_mailserver(exim_t, exim_exec_t) -+mta_mailserver_user_agent(exim_t) -+application_executable_file(exim_exec_t) -+mta_agent_executable(exim_exec_t) + optional_policy(` +- hal_dbus_send(crond_t) ++ hal_dbus_chat(crond_t) ++ hal_dbus_chat(system_cronjob_t) + ') - type exim_log_t; - logging_log_file(exim_log_t) -@@ -42,10 +53,12 @@ - # exim local policy + optional_policy(` +@@ -268,8 +319,8 @@ + # System cron process domain # --allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; -+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; -+allow exim_t self:process { setrlimit setpgid }; - allow exim_t self:fifo_file rw_fifo_file_perms; - allow exim_t self:unix_stream_socket create_stream_socket_perms; - allow exim_t self:tcp_socket create_stream_socket_perms; -+allow exim_t self:udp_socket create_socket_perms; - - can_exec(exim_t,exim_exec_t) - -@@ -66,12 +79,15 @@ - files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(exim_t) -- - kernel_dontaudit_read_system_state(exim_t) -+kernel_read_network_state(exim_t) - - corecmd_search_bin(exim_t) - - corenet_all_recvfrom_unlabeled(exim_t) -+corenet_all_recvfrom_netlabel(exim_t) -+corenet_udp_sendrecv_generic_if(exim_t) -+corenet_udp_sendrecv_generic_node(exim_t) - corenet_tcp_sendrecv_generic_if(exim_t) - corenet_tcp_sendrecv_generic_node(exim_t) - corenet_tcp_sendrecv_all_ports(exim_t) -@@ -82,6 +98,8 @@ - corenet_tcp_connect_smtp_port(exim_t) - corenet_tcp_connect_ldap_port(exim_t) - corenet_tcp_connect_inetd_child_port(exim_t) -+# connect to spamassassin -+corenet_tcp_connect_spamd_port(exim_t) - - dev_read_rand(exim_t) - dev_read_urand(exim_t) -@@ -89,20 +107,27 @@ - # Init script handling - domain_use_interactive_fds(exim_t) +-allow system_cronjob_t self:capability { 
dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; +-allow system_cronjob_t self:process { signal_perms setsched }; ++allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; ++allow system_cronjob_t self:process { signal_perms getsched setsched }; + allow system_cronjob_t self:fifo_file rw_fifo_file_perms; + allow system_cronjob_t self:passwd rootok; -+files_search_usr(exim_t) -+files_search_var(exim_t) - files_read_etc_files(exim_t) -+files_read_etc_runtime_files(exim_t) +@@ -283,7 +334,14 @@ + allow system_cronjob_t cron_var_lib_t:file manage_file_perms; + files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - auth_use_nsswitch(exim_t) ++allow system_cronjob_t cron_var_run_t:file manage_file_perms; ++files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) ++ + allow system_cronjob_t system_cron_spool_t:file read_file_perms; ++ ++# anacron forces the following ++allow system_cronjob_t system_cron_spool_t:file { write setattr }; ++ + # The entrypoint interface is not used as this is not + # a regular entrypoint. Since crontab files are + # not directly executed, crond must ensure that +@@ -303,6 +361,7 @@ + allow system_cronjob_t crond_t:fd use; + allow system_cronjob_t crond_t:fifo_file rw_file_perms; + allow system_cronjob_t crond_t:process sigchld; ++allow crond_t system_cronjob_t:key manage_key_perms; + + # Write /var/lock/makewhatis.lock. + allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; +@@ -314,9 +373,13 @@ + filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) + files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - logging_send_syslog_msg(exim_t) ++# var/lib files for system_crond ++files_search_var_lib(system_cronjob_t) ++manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ + # Read from /var/spool/cron. 
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms; +-allow system_cronjob_t cron_spool_t:file read_file_perms; ++allow system_cronjob_t cron_spool_t:file rw_file_perms; - miscfiles_read_localization(exim_t) -+miscfiles_read_certs(exim_t) + kernel_read_kernel_sysctls(system_cronjob_t) + kernel_read_system_state(system_cronjob_t) +@@ -370,7 +433,8 @@ + init_read_utmp(system_cronjob_t) + init_dontaudit_rw_utmp(system_cronjob_t) + # prelink tells init to restart it self, we either need to allow or dontaudit +-init_write_initctl(system_cronjob_t) ++init_telinit(system_cronjob_t) ++init_spec_domtrans_script(system_cronjob_t) --sysnet_dns_name_resolve(exim_t) -+fs_getattr_xattr_fs(exim_t) -+fs_list_inotifyfs(exim_t) + auth_use_nsswitch(system_cronjob_t) - userdom_dontaudit_search_user_home_dirs(exim_t) +@@ -378,6 +442,7 @@ + libs_exec_ld_so(system_cronjob_t) - mta_read_aliases(exim_t) --mta_rw_spool(exim_t) -+mta_read_config(exim_t) -+mta_manage_spool(exim_t) -+mta_mailserver_delivery(exim_t) + logging_read_generic_logs(system_cronjob_t) ++logging_send_audit_msgs(system_cronjob_t) + logging_send_syslog_msg(system_cronjob_t) - tunable_policy(`exim_read_user_files',` - userdom_read_user_home_content_files(exim_t) -@@ -114,3 +139,62 @@ - userdom_read_user_tmp_files(exim_t) - userdom_write_user_tmp_files(exim_t) + miscfiles_read_localization(system_cronjob_t) +@@ -418,6 +483,10 @@ ') -+ -+tunable_policy(`exim_can_connect_db',` -+ corenet_tcp_connect_mysqld_port(exim_t) -+ corenet_sendrecv_mysqld_client_packets(exim_t) -+ corenet_tcp_connect_postgresql_port(exim_t) -+ corenet_sendrecv_postgresql_client_packets(exim_t) -+') -+ -+optional_policy(` -+ dovecot_auth_stream_connect(exim_t) -+') -+ -+optional_policy(` -+ tunable_policy(`exim_can_connect_db',` -+ mysql_stream_connect(exim_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`exim_can_connect_db',` -+ postgresql_stream_connect(exim_t) -+') -+') -+ -+optional_policy(` -+ kerberos_keytab_template(exim, exim_t) 
-+') -+ -+optional_policy(` -+ mailman_read_data_files(exim_t) -+ mailman_domtrans(exim_t) -+') -+ -+optional_policy(` -+ procmail_domtrans(exim_t) -+') -+ -+optional_policy(` -+ sasl_connect(exim_t) -+') -+ -+optional_policy(` -+ cron_read_pipes(exim_t) -+ cron_rw_system_job_pipes(exim_t) + + optional_policy(` ++ dbus_system_bus_client(system_cronjob_t) +') + +optional_policy(` -+ cyrus_stream_connect(exim_t) + ftp_read_log(system_cronjob_t) + ') + +@@ -428,11 +497,20 @@ + ') + + optional_policy(` ++ lpd_list_spool(system_cronjob_t) +') + +optional_policy(` -+ clamav_domtrans_clamscan(exim_t) -+ clamav_stream_connect(exim_t) ++ mono_domtrans(system_cronjob_t) +') + +optional_policy(` -+ spamassassin_exec(exim_t) -+ spamassassin_exec_client(exim_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te ---- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-04-07 16:01:44.000000000 -0400 -@@ -26,6 +26,7 @@ - # fail2ban local policy - # + mrtg_append_create_logs(system_cronjob_t) + ') -+allow fail2ban_t self:capability { sys_tty_config }; - allow fail2ban_t self:process signal; - allow fail2ban_t self:fifo_file rw_fifo_file_perms; - allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-04-07 16:01:44.000000000 -0400 -@@ -26,7 +26,7 @@ - ## - ##

- ## Allow ftp servers to use cifs --## used for public file transfer services. -+## for public file transfer services. - ##

- ##
- gen_tunable(allow_ftpd_use_cifs, false) -@@ -34,13 +34,20 @@ - ## - ##

- ## Allow ftp servers to use nfs --## used for public file transfer services. -+## for public file transfer services. - ##

- ##
- gen_tunable(allow_ftpd_use_nfs, false) + optional_policy(` + mta_send_mail(system_cronjob_t) ++ mta_system_content(system_cron_spool_t) + ') - ## - ##

-+## Allow ftp servers to use connect to mysql database -+##

-+##
-+gen_tunable(ftpd_connect_db, false) -+ -+## -+##

- ## Allow ftp to read and write files in the user home directories - ##

- ##
-@@ -92,6 +99,7 @@ - allow ftpd_t self:unix_stream_socket create_stream_socket_perms; - allow ftpd_t self:tcp_socket create_stream_socket_perms; - allow ftpd_t self:udp_socket create_socket_perms; -+allow ftpd_t self:key manage_key_perms; + optional_policy(` +@@ -447,6 +525,7 @@ + prelink_read_cache(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_delete_cache(system_cronjob_t) ++ prelink_manage_var_lib(system_cronjob_t) + ') - allow ftpd_t ftpd_etc_t:file read_file_perms; + optional_policy(` +@@ -460,8 +539,7 @@ + ') -@@ -131,6 +139,7 @@ + optional_policy(` +- # cjp: why? +- squid_domtrans(system_cronjob_t) ++ spamassassin_manage_lib_files(system_cronjob_t) + ') - dev_read_sysfs(ftpd_t) - dev_read_urand(ftpd_t) -+fs_list_inotifyfs(ftpd_t) + optional_policy(` +@@ -469,24 +547,17 @@ + ') - corecmd_exec_bin(ftpd_t) + optional_policy(` ++ unconfined_dbus_send(crond_t) ++ unconfined_shell_domtrans(crond_t) ++ unconfined_domain(crond_t) + unconfined_domain(system_cronjob_t) +- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) +-') +- +-ifdef(`TODO',` +-ifdef(`mta.te', ` +-allow system_cronjob_t mail_spool_t:lnk_file read; +-allow mta_user_agent system_cronjob_t:fd use; +-r_dir_file(system_mail_t, crond_tmp_t) + ') +-') dnl end TODO -@@ -160,6 +169,7 @@ + ######################################## + # + # User cronjobs local policy + # - fs_search_auto_mountpoints(ftpd_t) - fs_getattr_all_fs(ftpd_t) -+fs_search_fusefs(ftpd_t) +-allow cronjob_t self:capability dac_override; + allow cronjob_t self:process { signal_perms setsched }; + allow cronjob_t self:fifo_file rw_fifo_file_perms; + allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +@@ -570,6 +641,9 @@ + userdom_manage_user_home_content_sockets(cronjob_t) + #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) - auth_use_nsswitch(ftpd_t) - auth_domtrans_chk_passwd(ftpd_t) -@@ -222,9 +232,15 @@ - 
userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_symlinks(ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) ++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) + -+ auth_read_all_dirs_except_shadow(ftpd_t) -+ auth_read_all_files_except_shadow(ftpd_t) -+ auth_read_all_symlinks_except_shadow(ftpd_t) + tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; ') - -+# Needed for permissive mode, to make sure everything gets labeled correctly -+userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc +--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -5,27 +5,38 @@ + /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/ppd(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) + - tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` - fs_manage_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -@@ -258,7 +274,26 @@ - ') ++/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - optional_policy(` -- kerberos_read_keytab(ftpd_t) -+ kerberos_keytab_template(ftpd, ftpd_t) -+ kerberos_manage_host_rcache(ftpd_t) -+ selinux_validate_context(ftpd_t) -+') -+ -+optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ mysql_stream_connect(ftpd_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ postgresql_stream_connect(ftpd_t) -+ ') -+') -+ -+tunable_policy(`ftpd_connect_db',` -+ corenet_tcp_connect_mysqld_port(ftpd_t) -+ corenet_tcp_connect_postgresql_port(ftpd_t) - ') + /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - optional_policy(` -@@ -270,6 +305,14 @@ - ') + /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - optional_policy(` -+ dbus_system_bus_client(ftpd_t) -+ optional_policy(` -+ oddjob_dbus_chat(ftpd_t) -+ oddjob_domtrans_mkhomedir(ftpd_t) -+ ') -+') ++/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + -+optional_policy(` - seutil_sigchld_newrole(ftpd_t) - ') + /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.12/policy/modules/services/git.te ---- nsaserefpolicy/policy/modules/services/git.te 2009-04-07 15:53:35.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/git.te 2009-04-07 16:03:07.000000000 -0400 -@@ -7,3 +6,4 @@ - # +-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) +-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) +-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) ++/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) ++/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) - apache_content_template(git) -+permissive httpd_git_script_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.12/policy/modules/services/gnomeclock.fc ---- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,3 @@ + /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + + /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) ++# keep as separate lines to ensure proper sorting ++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) 
++/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + -+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) + /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) +@@ -33,7 +44,7 @@ + + /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) + /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + + /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +@@ -43,10 +54,19 @@ + /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + + /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) +-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) + ++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + /var/run/ptal-mlcd(/.*)? 
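Review bot: The `/usr/lib(64)?/cups/backend/.*` and `/usr/lib(64)?/cups/daemon/.*` entries that labeled every CUPS backend and daemon helper as `cupsd_exec_t` are removed in this hunk, and the only replacements are the specific `cups-lpd`, `hp.*` and (in a later hunk) `cups-pdf` lines. Unless the generic entries are re-added somewhere not visible here, the remaining backends fall back to whatever label `/usr/lib` gets by default, and cupsd's `can_exec(cupsd_t, cupsd_exec_t)` no longer covers them; please confirm where they are labeled now. If the removal is intentional, a comment next to the `cups-lpd` lines, e.g. `# other backends/daemons are covered by the generic /usr/lib labeling`, would record that for the next person who sees a backend exec denial.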
gen_context(system_u:object_r:ptal_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.12/policy/modules/services/gnomeclock.if ---- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,69 @@ ++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + -+## policy for gnomeclock ++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + -+######################################## -+## -+## Execute a domain transition to run gnomeclock. ++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.12/policy/modules/services/cups.if +--- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/cups.if 2009-04-07 16:01:44.000000000 -0400 +@@ -20,6 +20,30 @@ + + ######################################## + ## ++## Setup cups to transtion to the cups backend domain +## +## -+## -+## Domain allowed to transition. -+## ++## ++## The type of the process performing this action. 
++## +## +# -+interface(`gnomeclock_domtrans',` ++interface(`cups_backend',` + gen_require(` -+ type gnomeclock_t; -+ type gnomeclock_exec_t; ++ type cupsd_t; + ') + -+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) -+') ++ domtrans_pattern(cupsd_t, $2, $1) + ++ allow cupsd_t $1:process signal; ++ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; ++ ++ cups_read_config($1) ++ cups_append_log($1) ++') + +######################################## +## -+## Execute gnomeclock in the gnomeclock domain, and -+## allow the specified role the gnomeclock domain. + ## Connect to cupsd over an unix domain stream socket. + ## + ## +@@ -212,6 +236,25 @@ + + ######################################## + ## ++## Append cups log files. +## +## +## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the gnomeclock domain. ++## Domain allowed access. +## +## +# -+interface(`gnomeclock_run',` ++interface(`cups_append_log',` + gen_require(` -+ type gnomeclock_t; ++ type cupsd_log_t; + ') + -+ gnomeclock_domtrans($1) -+ role $2 types gnomeclock_t; ++ logging_search_logs($1) ++ append_files_pattern($1, cupsd_log_t, cupsd_log_t) +') + ++######################################## ++## + ## Write cups log files. + ## + ## +@@ -247,3 +290,66 @@ + files_search_pids($1) + stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) + ') + +######################################## +## -+## Send and receive messages from -+## gnomeclock over dbus. ++## All of the rules required to administrate ++## an cups environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the cups domain. 
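Review bot: The new `cups_backend` interface takes two arguments (`domtrans_pattern(cupsd_t, $2, $1)`) but its header documents only one `<param>`, so the generated interface documentation will not describe the entry-point type. Add a second block, `<param name="entry_point">` with summary `The entry point type of the backend executable.`, and name the first `domain` with summary `The domain cupsd transitions to when executing this backend.` so the `$1`/`$2` order is unambiguous; also fix the typo `transtion` in the summary. The `allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;` line presumably covers a socket inherited across the transition rather than a new connection (confirm); a one-line comment saying so would help, since `cups_stream_connect` exists for the other case.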
++## ++## ++## +# -+interface(`gnomeclock_dbus_chat',` ++interface(`cups_admin',` + gen_require(` -+ type gnomeclock_t; -+ class dbus send_msg; ++ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; ++ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; ++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t; ++ type cupsd_var_run_t, ptal_etc_t; ++ type ptal_var_run_t, hplip_var_run_t; ++ type cupsd_initrc_exec_t; + ') + -+ allow $1 gnomeclock_t:dbus send_msg; -+ allow gnomeclock_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te ---- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,51 @@ -+policy_module(gnomeclock, 1.0.0) -+######################################## -+# -+# Declarations -+# ++ allow $1 cupsd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cupsd_t) ++ ++ init_labeled_script_domtrans($1, cupsd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 cupsd_initrc_exec_t system_r; ++ allow $2 system_r; + -+type gnomeclock_t; -+type gnomeclock_exec_t; -+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++ files_list_tmp($1) ++ admin_pattern($1, cupsd_tmp_t) + -+######################################## -+# -+# gnomeclock local policy -+# -+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -+allow gnomeclock_t self:process { getattr getsched }; -+allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; ++ admin_pattern($1, cupsd_lpd_tmp_t) + -+corecmd_exec_bin(gnomeclock_t) ++ files_list_etc($1) ++ admin_pattern($1, cupsd_etc_t) + -+userdom_ptrace_all_users(gnomeclock_t) ++ admin_pattern($1, ptal_etc_t) + -+files_read_etc_files(gnomeclock_t) 
-+files_read_usr_files(gnomeclock_t) ++ files_list_spool($1) ++ admin_pattern($1, cupsd_spool_t) + -+miscfiles_manage_localization(gnomeclock_t) -+miscfiles_etc_filetrans_localization(gnomeclock_t) ++ logging_list_logs($1) ++ admin_pattern($1, cupsd_log_t) + -+fs_list_inotifyfs(gnomeclock_t) ++ files_list_pids($1) ++ admin_pattern($1, cupsd_var_run_t) + -+auth_use_nsswitch(gnomeclock_t) ++ admin_pattern($1, ptal_var_run_t) + -+miscfiles_read_localization(gnomeclock_t) ++ admin_pattern($1, cupsd_config_var_run_t) + -+userdom_read_all_users_state(gnomeclock_t) ++ admin_pattern($1, cupsd_lpd_var_run_t) + -+optional_policy(` -+ consolekit_dbus_chat(gnomeclock_t) ++ admin_pattern($1, hplip_var_run_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te +--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-08 08:57:24.000000000 -0400 +@@ -20,9 +20,18 @@ + type cupsd_etc_t; + files_config_file(cupsd_etc_t) + ++type cupsd_initrc_exec_t; ++init_script_file(cupsd_initrc_exec_t) + -+optional_policy(` -+ clock_domtrans(gnomeclock_t) -+') ++type cupsd_interface_t; ++files_type(cupsd_interface_t) + -+optional_policy(` -+ polkit_domtrans_auth(gnomeclock_t) -+ polkit_read_lib(gnomeclock_t) -+ polkit_read_reload(gnomeclock_t) -+') + type cupsd_rw_etc_t; + files_config_file(cupsd_rw_etc_t) + ++type cupsd_lock_t; ++files_lock_file(cupsd_lock_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.12/policy/modules/services/gpm.te ---- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gpm.te 2009-04-07 16:01:44.000000000 -0400 -@@ -54,6 +54,8 @@ - dev_rw_input_dev(gpm_t) - dev_rw_mouse(gpm_t) + type cupsd_log_t; + 
logging_log_file(cupsd_log_t) -+files_read_etc_files(gpm_t) +@@ -48,6 +57,10 @@ + type hplip_t; + type hplip_exec_t; + init_daemon_domain(hplip_t, hplip_exec_t) ++# For CUPS to run as a backend ++cups_backend(hplip_t, hplip_exec_t) ++domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + + type hplip_etc_t; + files_config_file(hplip_etc_t) +@@ -55,6 +68,9 @@ + type hplip_var_run_t; + files_pid_file(hplip_var_run_t) + ++type hplip_tmp_t; ++files_tmp_file(hplip_tmp_t) + - fs_getattr_all_fs(gpm_t) - fs_search_auto_mountpoints(gpm_t) + type ptal_t; + type ptal_exec_t; + init_daemon_domain(ptal_t, ptal_exec_t) +@@ -65,6 +81,16 @@ + type ptal_var_run_t; + files_pid_file(ptal_var_run_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc ---- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,3 @@ ++type cups_pdf_t; ++type cups_pdf_exec_t; ++domain_type(cups_pdf_t) ++domain_entry_file(cups_pdf_t, cups_pdf_exec_t) ++cups_backend(cups_pdf_t, cups_pdf_exec_t) ++role system_r types cups_pdf_t; + -+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) ++type cups_pdf_tmp_t; ++files_tmp_file(cups_pdf_tmp_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.12/policy/modules/services/gpsd.if ---- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gpsd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,83 @@ -+## gpsd monitor daemon + ifdef(`enable_mcs',` + init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) + ') +@@ -79,13 +105,14 @@ + # + + # /usr/lib/cups/backend/serial needs sys_admin(?!) 
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; ++allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +-allow cupsd_t self:process { setsched signal_perms }; +-allow cupsd_t self:fifo_file rw_file_perms; ++allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; ++allow cupsd_t self:fifo_file rw_fifo_file_perms; + allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow cupsd_t self:unix_dgram_socket create_socket_perms; + allow cupsd_t self:netlink_selinux_socket create_socket_perms; ++allow cupsd_t self:shm create_shm_perms; + allow cupsd_t self:tcp_socket create_stream_socket_perms; + allow cupsd_t self:udp_socket create_socket_perms; + allow cupsd_t self:appletalk_socket create_socket_perms; +@@ -97,6 +124,9 @@ + read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + files_search_etc(cupsd_t) + ++manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) ++can_exec(cupsd_t, cupsd_interface_t) + -+######################################## -+## -+## Execute a domain transition to run gpsd. -+## -+## -+## -+## Domain allowed to transition. 
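Review bot: The capability line for cupsd_t gains `sys_rawio` with no comment, unlike the existing `# /usr/lib/cups/backend/serial needs sys_admin(?!)` note above it; CAP_SYS_RAWIO allows ioperm/iopl and raw device commands, which is a broad grant for a daemon that also accepts network connections and has `corenet_tcp_connect_all_ports`. If a particular backend needs it, record that, e.g. `# sys_rawio: needed by <backend> for <reason> (bug id)`, and consider whether the permission belongs in a backend domain via the new `cups_backend` interface rather than in cupsd_t itself. The same line lists `dac_override` twice in both the old and new versions; the rewritten line is a good place to drop the duplicate.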
-+## -+## -+# -+interface(`gpsd_domtrans',` -+ gen_require(` -+ type gpsd_t, gpsd_exec_t; -+ ') + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +@@ -104,8 +134,11 @@ + + # allow cups to execute its backend scripts + can_exec(cupsd_t, cupsd_exec_t) +-allow cupsd_t cupsd_exec_t:dir search; +-allow cupsd_t cupsd_exec_t:lnk_file read; ++allow cupsd_t cupsd_exec_t:dir search_dir_perms; ++allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + -+ domtrans_pattern($1, gpsd_exec_t, gpsd_t) -+') ++allow cupsd_t cupsd_lock_t:file manage_file_perms; ++files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + + manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + allow cupsd_t cupsd_log_t:dir setattr; +@@ -116,13 +149,20 @@ + manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + ++# This whole section needs to be moved to a smbspool policy ++# smbspool seems to be iterating through all existing tmp files. ++# Looking for kerberos files ++files_getattr_all_tmp_files(cupsd_t) ++userdom_read_user_tmp_files(cupsd_t) ++files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + -+######################################## -+## -+## Execute gpsd in the gpsd domain, and -+## allow the specified role the gpsd domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the gpsd domain. -+## -+## -+# -+interface(`gpsd_run',` -+ gen_require(` -+ type gpsd_t; -+ ') -+ -+ gpsd_domtrans($1) -+ role $2 types gpsd_t; -+') -+ -+######################################## -+## -+## Read and write to gpsd shared memory. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+interface(`gpsd_rw_shm',` -+ gen_require(` -+ type gpsd_t; -+ ') -+ -+ allow $1 gpsd_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Read/write gpsd tmpfs files. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`gpsd_rw_tmpfs_files',` -+ gen_require(` -+ type gpsd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 gpsd_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) -+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te ---- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/gpsd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,52 @@ -+policy_module(gpsd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type gpsd_t; -+type gpsd_exec_t; -+application_domain(gpsd_t, gpsd_exec_t) -+role system_r types gpsd_t; -+ -+type gpsd_tmpfs_t; -+files_tmpfs_file(gpsd_tmpfs_t) -+ -+######################################## -+# -+# gpsd local policy -+# -+ -+allow gpsd_t self:capability { setuid sys_nice setgid fowner }; -+allow gpsd_t self:process setsched; -+allow gpsd_t self:shm create_shm_perms; -+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow gpsd_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) -+ -+corenet_tcp_bind_all_nodes(gpsd_t) -+corenet_tcp_bind_gpsd_port(gpsd_t) -+ -+term_use_unallocated_ttys(gpsd_t) -+term_setattr_unallocated_ttys(gpsd_t) -+ -+auth_use_nsswitch(gpsd_t) -+ -+logging_send_syslog_msg(gpsd_t) + allow cupsd_t cupsd_var_run_t:dir setattr; + 
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) ++manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) + files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) + +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) +- ++allow cupsd_t hplip_t:process {signal sigkill }; + allow cupsd_t hplip_var_run_t:file read_file_perms; + + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +@@ -149,44 +189,49 @@ + corenet_tcp_bind_reserved_port(cupsd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) + corenet_tcp_connect_all_ports(cupsd_t) ++corenet_tcp_connect_smbd_port(cupsd_t) + corenet_sendrecv_hplip_client_packets(cupsd_t) + corenet_sendrecv_ipp_client_packets(cupsd_t) + corenet_sendrecv_ipp_server_packets(cupsd_t) ++corenet_tcp_bind_all_rpc_ports(cupsd_t) + + dev_rw_printer(cupsd_t) + dev_read_urand(cupsd_t) + dev_read_sysfs(cupsd_t) +-dev_read_usbfs(cupsd_t) ++dev_rw_input_dev(cupsd_t) #447878 ++dev_rw_generic_usb_dev(cupsd_t) ++dev_rw_usbfs(cupsd_t) + dev_getattr_printer_dev(cupsd_t) + + domain_read_all_domains_state(cupsd_t) + + fs_getattr_all_fs(cupsd_t) + fs_search_auto_mountpoints(cupsd_t) ++fs_read_anon_inodefs_files(cupsd_t) + ++mls_fd_use_all_levels(cupsd_t) + mls_file_downgrade(cupsd_t) + mls_file_write_all_levels(cupsd_t) + mls_file_read_all_levels(cupsd_t) ++mls_rangetrans_target(cupsd_t) + mls_socket_write_all_levels(cupsd_t) + + term_use_unallocated_ttys(cupsd_t) + term_search_ptys(cupsd_t) + +-auth_domtrans_chk_passwd(cupsd_t) +-auth_dontaudit_read_pam_pid(cupsd_t) +- + # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp + corecmd_exec_shell(cupsd_t) + corecmd_exec_bin(cupsd_t) + + domain_use_interactive_fds(cupsd_t) + ++files_list_spool(cupsd_t) + files_read_etc_files(cupsd_t) + files_read_etc_runtime_files(cupsd_t) + # read python modules + files_read_usr_files(cupsd_t) + # for /var/lib/defoma 
+-files_search_var_lib(cupsd_t) ++files_read_var_lib_files(cupsd_t) + files_list_world_readable(cupsd_t) + files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) +@@ -195,15 +240,16 @@ + files_read_var_symlinks(cupsd_t) + # for /etc/printcap + files_dontaudit_write_etc_files(cupsd_t) +-# smbspool seems to be iterating through all existing tmp files. +-# redhat bug #214953 +-# cjp: this might be a broken behavior +-files_dontaudit_getattr_all_tmp_files(cupsd_t) + + selinux_compute_access_vector(cupsd_t) ++selinux_validate_context(cupsd_t) + + init_exec_script_files(cupsd_t) ++init_read_utmp(cupsd_t) + ++auth_domtrans_chk_passwd(cupsd_t) ++auth_dontaudit_read_pam_pid(cupsd_t) ++auth_rw_faillog(cupsd_t) + auth_use_nsswitch(cupsd_t) + + # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +@@ -217,17 +263,21 @@ + miscfiles_read_fonts(cupsd_t) + + seutil_read_config(cupsd_t) ++sysnet_exec_ifconfig(cupsd_t) + +-sysnet_read_config(cupsd_t) +- ++files_dontaudit_list_home(cupsd_t) + userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + + # Write to /var/spool/cups. 
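Review bot: `dev_rw_input_dev(cupsd_t) #447878` gives the print daemon read/write access to the input event devices, which include keyboards and mice, and the bare bug number does not say why; for a daemon that is also reachable over the network this is an unusual grant that deserves a justification in the policy. Replace the trailing number with a comment such as `# bz#447878: <which backend/driver opens /dev/input/eventN and why>`, and check whether the access can be confined to the domain that actually needs it (hplip_t already receives `dev_rw_generic_usb_dev`/`dev_rw_usbfs` in this patch) or reduced to a dontaudit if the open is only a probe. The same hunk adds `corenet_tcp_bind_all_rpc_ports(cupsd_t)` and `dev_rw_usbfs(cupsd_t)` without comment; each should carry its own reason.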
+ lpd_manage_spool(cupsd_t) ++lpd_read_config(cupsd_t) ++lpd_exec_lpr(cupsd_t) ++lpd_relabel_spool(cupsd_t) + + ifdef(`enable_mls',` +- lpd_relabel_spool(cupsd_t) ++ mls_trusted_object(cupsd_var_run_t) ++ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) + ') + + optional_policy(` +@@ -244,8 +294,16 @@ + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(` ++ avahi_dbus_chat(cupsd_t) ++ ') + -+miscfiles_read_localization(gpsd_t) ++ optional_policy(` + hal_dbus_chat(cupsd_t) + ') + -+optional_policy(` -+ ntpd_rw_shm(gpsd_t) -+ ntpd_rw_tmpfs_files(gpsd_t) ++ optional_policy(` ++ unconfined_dbus_chat(cupsd_t) ++ ') + ') + + optional_policy(` +@@ -261,6 +319,10 @@ + ') + + optional_policy(` ++ mta_send_mail(cupsd_t) +') + +optional_policy(` -+ dbus_system_bus_client(gpsd_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.12/policy/modules/services/hal.fc ---- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -5,6 +5,7 @@ - /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) +@@ -279,7 +341,7 @@ + # Cups configuration daemon local policy + # - /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) -+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) - /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) - /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) - /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if 
serefpolicy-3.6.12/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.if 2009-04-07 16:01:44.000000000 -0400 -@@ -20,6 +20,24 @@ +-allow cupsd_config_t self:capability { chown sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; + allow cupsd_config_t self:process signal_perms; + allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +@@ -302,8 +364,10 @@ - ######################################## - ## -+## Execute hal mac in the hal mac domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_domtrans_mac',` -+ gen_require(` -+ type hald_mac_t, hald_mac_exec_t; -+ ') -+ -+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) -+') -+ -+######################################## -+## - ## Get the attributes of a hal process. - ## - ## -@@ -51,10 +69,7 @@ - type hald_t; - ') + allow cupsd_config_t cupsd_log_t:file rw_file_perms; -- allow $1 hald_t:dir list_dir_perms; -- read_files_pattern($1, hald_t, hald_t) -- read_lnk_files_pattern($1, hald_t, hald_t) -- dontaudit $1 hald_t:process ptrace; -+ ps_process_pattern($1, hald_t) - ') +-allow cupsd_config_t cupsd_tmp_t:file manage_file_perms; +-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir }) ++manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) ++manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) ++manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) ++files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) - ######################################## -@@ -340,3 +355,62 @@ - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; - ') -+ -+######################################## -+## -+## Manage hald PID dirs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`hal_manage_pid_dirs',` -+ gen_require(` -+ type hald_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) -+') -+ -+######################################## -+## -+## Manage hald PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_manage_pid_files',` -+ gen_require(` -+ type hald_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t) -+') -+ -+######################################## -+## -+## Manage hald log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_create_log',` -+ gen_require(` -+ type hald_log_t; -+ ') -+ -+ # log files for hald -+ manage_files_pattern($1, hald_log_t, hald_log_t) -+ logging_log_filetrans($1, hald_log_t, file) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-07 16:01:44.000000000 -0400 -@@ -49,6 +49,15 @@ - type hald_var_lib_t; - files_type(hald_var_lib_t) + allow cupsd_config_t cupsd_var_run_t:file read_file_perms; -+typealias hald_log_t alias pmtools_log_t; -+typealias hald_var_run_t alias pmtools_var_run_t; -+ -+type hald_dccm_t; -+type hald_dccm_exec_t; -+domain_type(hald_dccm_t) -+domain_entry_file(hald_dccm_t, hald_dccm_exec_t) -+role system_r types hald_dccm_t; -+ - ######################################## - # - # Local policy -@@ -143,11 +152,16 @@ - files_getattr_all_dirs(hald_t) - files_read_kernel_img(hald_t) - files_rw_lock_dirs(hald_t) -+files_read_generic_pids(hald_t) +@@ -311,7 +375,7 @@ + files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) - fs_getattr_all_fs(hald_t) - fs_search_all(hald_t) - fs_list_inotifyfs(hald_t) - fs_list_auto_mountpoints(hald_t) 
-+fs_mount_dos_fs(hald_t) -+fs_unmount_dos_fs(hald_t) -+fs_manage_dos_files(hald_t) -+ - files_getattr_all_mountpoints(hald_t) + kernel_read_system_state(cupsd_config_t) +-kernel_read_kernel_sysctls(cupsd_config_t) ++kernel_read_all_sysctls(cupsd_config_t) - mls_file_read_all_levels(hald_t) -@@ -195,6 +209,7 @@ - seutil_read_file_contexts(hald_t) + corenet_all_recvfrom_unlabeled(cupsd_config_t) + corenet_all_recvfrom_netlabel(cupsd_config_t) +@@ -324,6 +388,7 @@ + dev_read_sysfs(cupsd_config_t) + dev_read_urand(cupsd_config_t) + dev_read_rand(cupsd_config_t) ++dev_rw_generic_usb_dev(cupsd_config_t) - sysnet_read_config(hald_t) -+sysnet_domtrans_dhcpc(hald_t) + fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) +@@ -341,13 +406,14 @@ + files_read_var_symlinks(cupsd_config_t) - userdom_dontaudit_use_unpriv_user_fds(hald_t) - userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +292,17 @@ + # Alternatives asks for this +-init_getattr_script_files(cupsd_config_t) ++init_getattr_all_script_files(cupsd_config_t) + + auth_use_nsswitch(cupsd_config_t) + + logging_send_syslog_msg(cupsd_config_t) + + miscfiles_read_localization(cupsd_config_t) ++miscfiles_read_hwdata(cupsd_config_t) + + seutil_dontaudit_search_config(cupsd_config_t) + +@@ -359,14 +425,16 @@ + lpd_read_config(cupsd_config_t) + + ifdef(`distro_redhat',` +- init_getattr_script_files(cupsd_config_t) +- + optional_policy(` + rpm_read_db(cupsd_config_t) + ') ') optional_policy(` -+ ppp_read_rw_config(hald_t) -+') -+ -+optional_policy(` -+ polkit_domtrans_auth(hald_t) -+ polkit_domtrans_resolve(hald_t) -+ polkit_read_lib(hald_t) -+ polkit_read_reload(hald_t) ++ term_use_generic_ptys(cupsd_config_t) +') + +optional_policy(` - rpc_search_nfs_state_data(hald_t) + cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -301,12 +327,16 @@ - virt_manage_images(hald_t) +@@ -382,6 +450,7 @@ + optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) ++ 
hal_dontaudit_use_fds(hplip_t) ') -+optional_policy(` -+ xserver_read_pid(hald_t) -+') -+ - ######################################## - # - # Hal acl local policy - # + optional_policy(` +@@ -491,7 +560,10 @@ + allow hplip_t self:udp_socket create_socket_perms; + allow hplip_t self:rawip_socket create_socket_perms; --allow hald_acl_t self:capability { dac_override fowner }; -+allow hald_acl_t self:capability { dac_override fowner sys_resource }; - allow hald_acl_t self:process { getattr signal }; - allow hald_acl_t self:fifo_file rw_fifo_file_perms; +-allow hplip_t cupsd_etc_t:dir search; ++allow hplip_t cupsd_etc_t:dir search_dir_perms; ++manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) ++manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) ++files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) -@@ -321,6 +351,7 @@ - manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) - manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) - files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) -+allow hald_t hald_var_run_t:dir mounton; + cups_stream_connect(hplip_t) - corecmd_exec_bin(hald_acl_t) +@@ -500,6 +572,13 @@ + read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) + files_search_etc(hplip_t) -@@ -339,6 +370,8 @@ ++fs_rw_anon_inodefs_files(hplip_t) ++ ++read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++ ++manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) ++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) ++ + manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) + files_pid_filetrans(hplip_t, hplip_var_run_t, file) - storage_getattr_removable_dev(hald_acl_t) - storage_setattr_removable_dev(hald_acl_t) -+storage_getattr_fixed_disk_dev(hald_acl_t) -+storage_setattr_fixed_disk_dev(hald_acl_t) +@@ -529,7 +608,8 @@ + dev_read_urand(hplip_t) + dev_read_rand(hplip_t) + dev_rw_generic_usb_dev(hplip_t) +-dev_read_usbfs(hplip_t) ++dev_rw_usbfs(hplip_t) ++ - auth_use_nsswitch(hald_acl_t) + 
fs_getattr_all_fs(hplip_t) + fs_search_auto_mountpoints(hplip_t) +@@ -553,7 +633,9 @@ + userdom_dontaudit_search_user_home_dirs(hplip_t) + userdom_dontaudit_search_user_home_content(hplip_t) -@@ -346,12 +379,18 @@ +-lpd_read_config(cupsd_t) ++ ++lpd_read_config(hplip_t) ++lpd_manage_spool(hplip_t) - miscfiles_read_localization(hald_acl_t) - -+optional_policy(` -+ polkit_domtrans_auth(hald_acl_t) -+ polkit_read_lib(hald_acl_t) -+ polkit_read_reload(hald_acl_t) -+') -+ - ######################################## - # - # Local hald mac policy - # - --allow hald_mac_t self:capability { setgid setuid }; -+allow hald_mac_t self:capability { setgid setuid sys_admin }; - - domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) - allow hald_t hald_mac_t:process signal; -@@ -374,6 +413,8 @@ - - auth_use_nsswitch(hald_mac_t) - -+logging_send_syslog_msg(hald_mac_t) -+ - miscfiles_read_localization(hald_mac_t) - - ######################################## -@@ -415,6 +456,53 @@ - - dev_rw_input_dev(hald_keymap_t) - -+files_read_etc_files(hald_keymap_t) - files_read_usr_files(hald_keymap_t) - - miscfiles_read_localization(hald_keymap_t) -+ -+# This is caused by a bug in hald and PolicyKit. 
-+# Should be removed when this is fixed -+cron_read_system_job_lib_files(hald_t) + optional_policy(` + dbus_system_bus_client(hplip_t) +@@ -635,3 +717,49 @@ + optional_policy(` + udev_read_db(ptal_t) + ') + +######################################## +# -+# Local hald dccm policy ++# cups_pdf local policy +# -+allow hald_dccm_t self:capability { net_bind_service }; -+allow hald_dccm_t self:process getsched; -+allow hald_dccm_t self:tcp_socket create_stream_socket_perms; -+allow hald_dccm_t self:udp_socket create_socket_perms; -+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; + -+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) -+allow hald_t hald_dccm_t:process signal; -+allow hald_dccm_t hald_t:unix_stream_socket connectto; ++allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; + -+corenet_all_recvfrom_unlabeled(hald_dccm_t) -+corenet_all_recvfrom_netlabel(hald_dccm_t) -+corenet_tcp_sendrecv_generic_if(hald_dccm_t) -+corenet_udp_sendrecv_generic_if(hald_dccm_t) -+corenet_tcp_sendrecv_generic_node(hald_dccm_t) -+corenet_udp_sendrecv_generic_node(hald_dccm_t) -+corenet_tcp_sendrecv_all_ports(hald_dccm_t) -+corenet_udp_sendrecv_all_ports(hald_dccm_t) -+corenet_tcp_bind_generic_node(hald_dccm_t) -+corenet_udp_bind_generic_node(hald_dccm_t) -+corenet_udp_bind_dhcpc_port(hald_dccm_t) -+corenet_tcp_bind_ftps_port(hald_dccm_t) -+corenet_tcp_bind_dccm_port(hald_dccm_t) ++allow cups_pdf_t self:fifo_file rw_file_perms; ++allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + -+kernel_search_network_sysctl(hald_dccm_t) ++files_read_etc_files(cups_pdf_t) ++files_read_usr_files(cups_pdf_t) + -+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -+files_search_var_lib(hald_dccm_t) ++kernel_read_system_state(cups_pdf_t) + -+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) ++auth_use_nsswitch(cups_pdf_t) + 
-+files_read_usr_files(hald_dccm_t) ++corecmd_exec_shell(cups_pdf_t) ++corecmd_exec_bin(cups_pdf_t) + -+miscfiles_read_localization(hald_dccm_t) ++miscfiles_read_localization(cups_pdf_t) + -+permissive hald_dccm_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.12/policy/modules/services/ifplugd.fc ---- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ifplugd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,9 @@ ++manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) ++manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) ++files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) + -+/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) ++userdom_home_filetrans_user_home_dir(cups_pdf_t) ++userdom_manage_user_home_content_dirs(cups_pdf_t) ++userdom_manage_user_home_content_files(cups_pdf_t) + -+/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(cups_pdf_t) ++ fs_manage_nfs_files(cups_pdf_t) ++') + -+/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(cups_pdf_t) ++ fs_manage_cifs_files(cups_pdf_t) ++') + -+/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) ++lpd_manage_spool(cups_pdf_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.12/policy/modules/services/ifplugd.if ---- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ifplugd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,194 @@ -+## policy for ifplugd ++manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) 
++miscfiles_read_fonts(cups_pdf_t) + -+######################################## -+## -+## Execute a domain transition to run ifplugd. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.12/policy/modules/services/cvs.te +--- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cvs.te 2009-04-07 16:01:44.000000000 -0400 +@@ -112,4 +112,5 @@ + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.12/policy/modules/services/dbus.fc +--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dbus.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -4,6 +4,9 @@ + /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) + /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) + ++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ + /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) + + /var/run/dbus(/.*)? 
gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-07 16:01:44.000000000 -0400 +@@ -44,6 +44,7 @@ + + attribute session_bus_type; + type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ++ type $1_t; + ') + + ############################## +@@ -76,7 +77,7 @@ + allow $3 $1_dbusd_t:unix_stream_socket connectto; + + # SE-DBus specific permissions +- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; ++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + + allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; +@@ -91,7 +92,7 @@ + allow $3 $1_dbusd_t:process { sigkill signal }; + + # cjp: this seems very broken +- corecmd_bin_domtrans($1_dbusd_t, $3) ++ corecmd_bin_domtrans($1_dbusd_t, $1_t) + allow $1_dbusd_t $3:process sigkill; + allow $3 $1_dbusd_t:fd use; + allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; +@@ -117,6 +118,7 @@ + dev_read_urand($1_dbusd_t) + + domain_use_interactive_fds($1_dbusd_t) ++ domain_read_all_domains_state($1_dbusd_t) + + files_read_etc_files($1_dbusd_t) + files_list_home($1_dbusd_t) +@@ -145,6 +147,8 @@ + seutil_read_config($1_dbusd_t) + seutil_read_default_contexts($1_dbusd_t) + ++ term_use_all_terms($1_dbusd_t) ++ + userdom_read_user_home_content_files($1_dbusd_t) + + ifdef(`hide_broken_symptoms', ` +@@ -160,6 +164,10 @@ + ') + + optional_policy(` ++ gnome_read_gconf_home_files($1_dbusd_t) ++ ') ++ ++ optional_policy(` + hal_dbus_chat($1_dbusd_t) + ') + +@@ -185,10 +193,12 @@ + type system_dbusd_t, system_dbusd_t; + type system_dbusd_var_run_t, system_dbusd_var_lib_t; + class dbus send_msg; ++ attribute dbusd_unconfined; + ') + + # SE-DBus 
specific permissions +- allow $1 { system_dbusd_t self }:dbus send_msg; ++ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg; ++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; + + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) +@@ -197,6 +207,10 @@ + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) + dbus_read_config($1) ++ ++ optional_policy(` ++ rpm_script_dbus_chat($1) ++ ') + ') + + ####################################### +@@ -244,6 +258,35 @@ + + ######################################## + ## ++## Chat on user/application specific DBUS. +## -+## -+## -+## Domain allowed to transition. ++## ++## ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). +## +## ++## ++## ++## Domain allowed access. ++## ++## +# -+interface(`ifplugd_domtrans',` ++template(`dbus_chat_user_bus',` + gen_require(` -+ type ifplugd_t, ifplugd_exec_t; ++ type $1_t; ++ type $1_dbusd_t; ++ class dbus send_msg; + ') + -+ domtrans_pattern($1,ifplugd_exec_t,ifplugd_t) ++ allow $2 $1_dbusd_t:dbus send_msg; ++ allow $1_dbusd_t $2:dbus send_msg; ++ allow $2 $1_t:dbus send_msg; ++ allow $1_t $2:dbus send_msg; +') + +######################################## +## -+## Read and write ifplugd UDP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ifplugd_rw_udp_sockets',` -+ gen_require(` -+ type ifplugd_t; -+ ') -+ -+ allow $1 ifplugd_t:udp_socket { read write }; -+') + ## Read dbus configuration. + ## + ## +@@ -318,3 +361,77 @@ + + allow $1 system_dbusd_t:dbus *; + ') + +######################################## +## -+## Read and write ifplugd packet sockets. ++## Allow unconfined access to the system DBUS. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`ifplugd_rw_packet_sockets',` -+ gen_require(` -+ type ifplugd_t; -+ ') ++interface(`dbus_unconfined',` ++ gen_require(` ++ attribute dbusd_unconfined; ++ ') + -+ allow $1 ifplugd_t:packet_socket { read write }; ++ typeattribute $1 dbusd_unconfined; +') + +######################################## +## -+## Read and write ifplugd netlink -+## routing sockets. ++## Create a domain for processes ++## which can be started by the system dbus +## +## -+## -+## Domain allowed access. -+## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ++## +## +# -+interface(`ifplugd_rw_routing_sockets',` -+ gen_require(` -+ type ifplugd_t; -+ ') ++interface(`dbus_system_domain',` ++ gen_require(` ++ type system_dbusd_t; ++ role system_r; ++ ') + -+ allow $1 ifplugd_t:netlink_route_socket { read write }; -+') ++ domain_type($1) ++ domain_entry_file($1, $2) + -+######################################## -+## -+## Send a generic signal to ifplugd -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ifplugd_signal',` -+ gen_require(` -+ type ifplugd_t; -+ ') ++ role system_r types $1; + -+ allow $1 ifplugd_t:process signal; -+') ++ domtrans_pattern(system_dbusd_t, $2, $1) + -+######################################## -+## -+## Read ifplugd etc configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`ifplugd_read_etc',` -+ gen_require(` -+ type ifplugd_etc_t; -+ ') ++ dbus_system_bus_client($1) ++ dbus_connect_system_bus($1) + -+ files_search_etc($1) -+ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ++ '); +') + +######################################## +## -+## Manage ifplugd etc configuration files. ++## Dontaudit Read, and write system dbus TCP sockets. +## +## -+## -+## Domain allowed access. 
-+## ++## ++## Domain allowed access. ++## +## -+## +# -+interface(`ifplugd_manage_etc',` -+ gen_require(` -+ type ifplugd_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -+ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) ++interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ++ gen_require(` ++ type system_dbusd_t; ++ ') + ++ allow $1 system_dbusd_t:tcp_socket { read write }; ++ allow $1 system_dbusd_t:fd use; +') -+ -+######################################## -+## -+## Read ifplugd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`ifplugd_read_pid_files',` -+ gen_require(` -+ type ifplugd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 ifplugd_var_run_t:file read_file_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.12/policy/modules/services/dbus.te +--- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dbus.te 2009-04-07 16:01:44.000000000 -0400 +@@ -9,14 +9,15 @@ + # + # Delcarations + # +- ++attribute dbusd_unconfined; + attribute session_bus_type; + + type dbusd_etc_t; +-files_type(dbusd_etc_t) ++files_config_file(dbusd_etc_t) + + type dbusd_exec_t; + corecmd_executable_file(dbusd_exec_t) ++typealias dbusd_exec_t alias system_dbusd_exec_t; + + type session_dbusd_tmp_t; + typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; +@@ -31,11 +32,25 @@ + files_tmp_file(system_dbusd_tmp_t) + + type system_dbusd_var_lib_t; +-files_pid_file(system_dbusd_var_lib_t) ++files_type(system_dbusd_var_lib_t) + + type system_dbusd_var_run_t; + files_pid_file(system_dbusd_var_run_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh) +') + -+######################################## -+## -+## All of the rules required to 
administrate -+## an ifplugd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the ifplugd domain. -+## -+## -+## -+## -+# -+interface(`ifplugd_admin',` -+ gen_require(` -+ type ifplugd_t, ifplugd_etc_t; -+ type ifplugd_var_run_t, ifplugd_initrc_exec_t; -+ ') -+ -+ allow $1 ifplugd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ifplugd_t) -+ -+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 ifplugd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, ifplugd_etc_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, ifplugd_var_run_t) -+ ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh) ++ mls_fd_use_all_levels(system_dbusd_t) ++ mls_rangetrans_target(system_dbusd_t) ++ mls_file_read_all_levels(system_dbusd_t) ++ mls_socket_write_all_levels(system_dbusd_t) ++ mls_socket_read_to_clearance(system_dbusd_t) ++ mls_dbus_recv_all_levels(system_dbusd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.12/policy/modules/services/ifplugd.te ---- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ifplugd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,89 @@ -+policy_module(ifplugd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# + -+type ifplugd_t; -+type ifplugd_exec_t; -+init_daemon_domain(ifplugd_t, ifplugd_exec_t) -+ -+type ifplugd_initrc_exec_t; -+init_script_file(ifplugd_initrc_exec_t) + ############################## + # + # System bus local policy +@@ -45,7 +60,7 @@ + # cjp: dac_override should probably go in a distro_debian + allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; + dontaudit system_dbusd_t self:capability 
sys_tty_config; +-allow system_dbusd_t self:process { getattr signal_perms setcap }; ++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; + allow system_dbusd_t self:dbus { send_msg acquire_svc }; + allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; +@@ -53,6 +68,8 @@ + # Receive notifications of policy reloads and enforcing status changes. + allow system_dbusd_t self:netlink_selinux_socket { create bind read }; + ++can_exec(system_dbusd_t, dbusd_exec_t) + -+# config files -+type ifplugd_etc_t; -+files_type(ifplugd_etc_t) + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; + read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) +@@ -75,6 +92,8 @@ + + fs_getattr_all_fs(system_dbusd_t) + fs_search_auto_mountpoints(system_dbusd_t) ++fs_list_inotifyfs(system_dbusd_t) ++fs_dontaudit_list_nfs(system_dbusd_t) + + selinux_get_fs_mount(system_dbusd_t) + selinux_validate_context(system_dbusd_t) +@@ -91,9 +110,9 @@ + corecmd_list_bin(system_dbusd_t) + corecmd_read_bin_pipes(system_dbusd_t) + corecmd_read_bin_sockets(system_dbusd_t) +-corecmd_exec_bin(system_dbusd_t) + + domain_use_interactive_fds(system_dbusd_t) ++domain_read_all_domains_state(system_dbusd_t) + + files_read_etc_files(system_dbusd_t) + files_list_home(system_dbusd_t) +@@ -101,6 +120,8 @@ + + init_use_fds(system_dbusd_t) + init_use_script_ptys(system_dbusd_t) ++init_bin_domtrans_spec(system_dbusd_t) ++init_domtrans_script(system_dbusd_t) + + logging_send_audit_msgs(system_dbusd_t) + logging_send_syslog_msg(system_dbusd_t) +@@ -128,9 +149,38 @@ + ') + + optional_policy(` ++ gnome_exec_gconf(system_dbusd_t) ++') + -+# pid files -+type ifplugd_var_run_t; -+files_pid_file(ifplugd_var_run_t) ++optional_policy(` ++ networkmanager_initrc_domtrans(system_dbusd_t) ++') + 
-+######################################## -+# -+# ifplugd local policy -+# ++optional_policy(` ++ polkit_domtrans_auth(system_dbusd_t) ++ polkit_search_lib(system_dbusd_t) ++') + -+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; -+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; -+allow ifplugd_t self:process { signal signull }; ++optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) + ') + + optional_policy(` + udev_read_db(system_dbusd_t) + ') + -+allow ifplugd_t self:fifo_file rw_fifo_file_perms; -+allow ifplugd_t self:tcp_socket create_stream_socket_perms; -+allow ifplugd_t self:udp_socket create_socket_perms; -+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; -+allow ifplugd_t self:packet_socket create_socket_perms; ++optional_policy(` ++ gen_require(` ++ type unconfined_dbusd_t; ++ ') ++ unconfined_domain(unconfined_dbusd_t) ++ unconfined_execmem_domtrans(unconfined_dbusd_t) + -+# pid file -+manage_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) -+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) -+files_pid_filetrans(ifplugd_t,ifplugd_var_run_t, { file sock_file }) ++ optional_policy(` ++ xserver_rw_shm(unconfined_dbusd_t) ++ ') ++') + -+# config files -+read_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) -+exec_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) ++allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; ++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; ++allow session_bus_type dbusd_unconfined:dbus send_msg; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.12/policy/modules/services/dcc.fc +--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/dcc.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -12,6 +12,8 @@ + + /var/dcc(/.*)? 
gen_context(system_u:object_r:dcc_var_t,s0) + /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) ++/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) ++/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) + + /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) + /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-04-07 16:01:44.000000000 -0400 +@@ -137,6 +137,7 @@ + + corenet_all_recvfrom_unlabeled(dcc_client_t) + corenet_all_recvfrom_netlabel(dcc_client_t) ++corenet_udp_bind_generic_node(dcc_client_t) + corenet_udp_sendrecv_generic_if(dcc_client_t) + corenet_udp_sendrecv_generic_node(dcc_client_t) + corenet_udp_sendrecv_all_ports(dcc_client_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.12/policy/modules/services/devicekit.fc +--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.fc 2009-04-11 06:40:12.000000000 -0400 +@@ -0,0 +1,9 @@ + -+kernel_read_system_state(ifplugd_t) -+kernel_read_network_state(ifplugd_t) -+kernel_search_network_sysctl(ifplugd_t) -+kernel_rw_net_sysctls(ifplugd_t) -+kernel_read_kernel_sysctls(ifplugd_t) ++/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) ++/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) ++/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + -+# reading of hardware information -+dev_read_sysfs(ifplugd_t) ++/var/lib/DeviceKit-.* 
gen_context(system_u:object_r:devicekit_var_lib_t,s0) + -+corecmd_exec_shell(ifplugd_t) -+corecmd_exec_bin(ifplugd_t) ++/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if +--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-09 05:23:51.000000000 -0400 +@@ -0,0 +1,197 @@ + -+domain_read_confined_domains_state(ifplugd_t) -+domain_dontaudit_read_all_domains_state(ifplugd_t) ++## policy for devicekit + -+auth_use_nsswitch(ifplugd_t) ++######################################## ++## ++## Execute a domain transition to run devicekit. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`devicekit_domtrans',` ++ gen_require(` ++ type devicekit_t; ++ type devicekit_exec_t; ++ ') + -+libs_use_ld_so(ifplugd_t) -+libs_use_shared_libs(ifplugd_t) -+miscfiles_read_localization(ifplugd_t) ++ domtrans_pattern($1,devicekit_exec_t,devicekit_t) ++') + -+logging_send_syslog_msg(ifplugd_t) + -+netutils_domtrans(ifplugd_t) -+# transition to ifconfig & dhcpc -+sysnet_domtrans_ifconfig(ifplugd_t) -+sysnet_domtrans_dhcpc(ifplugd_t) ++######################################## ++## ++## Read devicekit PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`devicekit_read_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') + -+sysnet_delete_dhcpc_pid(ifplugd_t) -+sysnet_read_dhcpc_pid(ifplugd_t) -+sysnet_signal_dhcpc(ifplugd_t) -+#sysnet_kill_dhcpc(ifplugd_t) -+#sysnet_manage_config(ifplugd_t) -+#sysnet_read_dhcp_config(ifplugd_t) -+#sysnet_search_dhcp_state(ifplugd_t) ++ files_search_pids($1) ++ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++') + -+optional_policy(` -+ consoletype_exec(ifplugd_t) ++######################################## ++## ++## Manage devicekit var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_manage_var_run',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) +') + -+permissive ifplugd_t; + ++######################################## ++## ++## Send and receive messages from ++## devicekit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_dbus_chat',` ++ gen_require(` ++ type devicekit_t; ++ class dbus send_msg; ++ ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if ---- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-07 16:01:44.000000000 -0400 -@@ -63,6 +63,25 @@ - - ######################################## - ## -+## Allow domain to manage kerneloops tmp files ++ allow $1 devicekit_t:dbus send_msg; ++ allow devicekit_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Send signal devicekit power +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`kerneloops_manage_tmp_files',` ++interface(`devicekit_power_signal',` + gen_require(` -+ type kerneloops_tmp_t; ++ type devicekit_power_t; + ') + -+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) -+ files_search_tmp($1) ++ allow $1 devicekit_power_t:process signal; +') + +######################################## +## - ## All of the rules required to administrate - ## an kerneloops environment - ## -@@ -81,6 +100,7 @@ - interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; -+ type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; -@@ -90,4 +110,7 @@ - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; -+ -+ admin_pattern($1, kerneloops_tmp_t) - ') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te ---- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-04-07 16:01:44.000000000 -0400 -@@ -13,6 +13,9 @@ - type kerneloops_initrc_exec_t; - init_script_file(kerneloops_initrc_exec_t) - -+type kerneloops_tmp_t; -+files_tmp_file(kerneloops_tmp_t) -+ - ######################################## - # - # kerneloops local policy -@@ -23,8 +26,13 @@ - allow kerneloops_t self:fifo_file rw_file_perms; - allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; - -+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) -+ - kernel_read_ring_buffer(kerneloops_t) - -+fs_list_inotifyfs(kerneloops_t) -+ - # Init script handling - domain_use_interactive_fds(kerneloops_t) - -@@ -46,6 +54,5 @@ - sysnet_dns_name_resolve(kerneloops_t) - - optional_policy(` -- dbus_system_bus_client(kerneloops_t) -- 
dbus_connect_system_bus(kerneloops_t) -+ dbus_system_domain(kerneloops_t, kerneloops_exec_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.12/policy/modules/services/ktalk.te ---- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ktalk.te 2009-04-07 16:01:44.000000000 -0400 -@@ -69,6 +69,7 @@ - files_read_etc_files(ktalkd_t) - - term_search_ptys(ktalkd_t) -+term_use_all_terms(ktalkd_t) - - auth_use_nsswitch(ktalkd_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.12/policy/modules/services/lircd.fc ---- nsaserefpolicy/policy/modules/services/lircd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/lircd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,9 @@ -+ -+/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) -+ -+/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) -+/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) -+ -+/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) -+ -+/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.12/policy/modules/services/lircd.if ---- nsaserefpolicy/policy/modules/services/lircd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/lircd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,100 @@ -+## Lirc daemon -+ -+######################################## -+## -+## Execute a domain transition to run lircd. ++## Send and receive messages from ++## devicekit power over dbus. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`lircd_domtrans',` ++interface(`devicekit_power_dbus_chat',` + gen_require(` -+ type lircd_t, lircd_exec_t; ++ type devicekit_power_t; ++ class dbus send_msg; + ') + -+ domain_auto_trans($1,lircd_exec_t,lircd_t) -+ ++ allow $1 devicekit_power_t:dbus send_msg; ++ allow devicekit_power_t $1:dbus send_msg; +') + -+####################################### ++######################################## +## -+## Read lircd etc file ++## All of the rules required to administrate ++## an devicekit environment +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the devicekit domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## +## ++## +# -+interface(`lircd_read_etc',` ++interface(`devicekit_admin',` + gen_require(` -+ type lircd_etc_t; -+ ') ++ type devicekit_t; ++ ') ++ ++ allow $1 devicekit_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, devicekit_t, devicekit_t) ++ ++ ++ devicekit_manage_var_run($1) + -+ read_files_pattern($1, lircd_etc_t, lircd_etc_t) +') + -+###################################### ++######################################## +## -+## Connect to lircd over a unix domain -+## stream socket. ++## Send to devicekit over a unix domain ++## datagram socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`lircd_stream_connect',` -+ gen_require(` -+ type lircd_sock_t, lircd_t; -+ ') ++interface(`devicekit_dgram_send',` ++ gen_require(` ++ type devicekit_t; ++ ') + -+ allow $1 lircd_t:unix_stream_socket connectto; -+ allow $1 lircd_sock_t:sock_file { getattr write }; -+ files_search_pids($1) ++ allow $1 devicekit_t:unix_dgram_socket sendto; +') + +######################################## +## -+## All of the rules required to administrate -+## an lircd environment ++## Send and receive messages from ++## devicekit disk over dbus. 
+## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## +# -+interface(`lircd_admin',` ++interface(`devicekit_disk_dbus_chat',` + gen_require(` -+ type lircd_t, lircd_var_run_t, lircd_sock_t; -+ type lircd_initrc_exec_t, lircd_etc_t; ++ type devicekit_disk_t; ++ class dbus send_msg; + ') + -+ allow $1 lircd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, lircd_t) -+ -+ init_labeled_script_domtrans($1, lircd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 lircd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_etc($1) -+ admin_pattern($1, lircd_etc_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, lircd_var_run_t) -+ -+ admin_pattern($1, lircd_sock_t) ++ allow $1 devicekit_disk_t:dbus send_msg; ++ allow devicekit_disk_t $1:dbus send_msg; +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te ---- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,55 @@ -+policy_module(lircd,1.0.0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te +--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-11 08:02:27.000000000 -0400 +@@ -0,0 +1,235 @@ ++policy_module(devicekit,1.0.0) + +######################################## +# +# Declarations +# + -+type lircd_t; -+type lircd_exec_t; -+init_daemon_domain(lircd_t, lircd_exec_t) ++type devicekit_t; ++type devicekit_exec_t; ++dbus_system_domain(devicekit_t, devicekit_exec_t) + -+type lircd_initrc_exec_t; 
-+init_script_file(lircd_initrc_exec_t) ++type devicekit_power_t; ++type devicekit_power_exec_t; ++dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + -+# pid files -+type lircd_var_run_t; -+files_pid_file(lircd_var_run_t) ++type devicekit_disk_t; ++type devicekit_disk_exec_t; ++dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + -+# etc file -+type lircd_etc_t; -+files_config_file(lircd_etc_t) ++type devicekit_tmp_t; ++files_tmp_file(devicekit_tmp_t) + -+# type for lircd /dev/ sock file -+type lircd_sock_t; -+files_type(lircd_sock_t) ++type devicekit_var_run_t; ++files_pid_file(devicekit_var_run_t) ++ ++type devicekit_var_lib_t; ++files_type(devicekit_var_lib_t) + -+######################################## +# -+# lircd local policy ++# DeviceKit local policy +# ++allow devicekit_t self:unix_dgram_socket create_socket_perms; + -+allow lircd_t self:process signal; -+allow lircd_t self:unix_dgram_socket create_socket_perms; ++manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) ++manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) ++files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) + -+# etc file -+read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) ++dev_read_sysfs(devicekit_t) ++dev_read_urand(devicekit_t) + -+# pid file -+manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -+manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) -+files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file }) ++files_read_etc_files(devicekit_t) + -+# /dev/lircd socket -+manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) -+dev_filetrans(lircd_t, lircd_sock_t, sock_file ) ++fs_list_inotifyfs(devicekit_t) + -+logging_send_syslog_msg(lircd_t) ++miscfiles_read_localization(devicekit_t) + -+files_read_etc_files(lircd_t) -+files_list_var(lircd_t) -+files_manage_generic_locks(lircd_t) -+files_read_all_locks(lircd_t) ++optional_policy(` ++ dbus_system_bus_client(devicekit_t) 
++') + -+miscfiles_read_localization(lircd_t) ++optional_policy(` ++ udev_read_db(devicekit_t) ++') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.12/policy/modules/services/mailman.fc ---- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/mailman.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -31,3 +31,4 @@ - /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) - /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - ') -+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-04-07 16:01:44.000000000 -0400 -@@ -31,6 +31,12 @@ - allow mailman_$1_t self:tcp_socket create_stream_socket_perms; - allow mailman_$1_t self:udp_socket create_socket_perms; - -+ files_search_spool(mailman_$1_t) ++# ++# DeviceKit-Power local policy ++# ++allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice }; ++allow devicekit_power_t self:fifo_file rw_fifo_file_perms; ++allow devicekit_power_t self:unix_dgram_socket create_socket_perms; + -+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) ++manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) ++manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) ++files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) + - 
manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) -@@ -64,6 +70,7 @@ - corenet_sendrecv_smtp_client_packets(mailman_$1_t) - - fs_getattr_xattr_fs(mailman_$1_t) -+ fs_list_inotifyfs(mailman_$1_t) - - corecmd_exec_all_executables(mailman_$1_t) - -@@ -191,6 +198,7 @@ - ') - - read_files_pattern($1, mailman_data_t, mailman_data_t) -+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) - ') - - ####################################### -@@ -209,6 +217,7 @@ - type mailman_data_t; - ') - -+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) - ') - -@@ -250,6 +259,25 @@ ++corecmd_exec_bin(devicekit_power_t) ++corecmd_exec_shell(devicekit_power_t) ++ ++consoletype_exec(devicekit_power_t) ++ ++domain_read_all_domains_state(devicekit_power_t) ++ ++kernel_read_system_state(devicekit_power_t) ++kernel_rw_kernel_sysctl(devicekit_power_t) ++kernel_rw_hotplug_sysctls(devicekit_power_t) ++kernel_write_proc_files(devicekit_power_t) ++ ++dev_rw_generic_usb_dev(devicekit_power_t) ++dev_rw_netcontrol(devicekit_power_t) ++dev_rw_sysfs(devicekit_power_t) ++ ++files_read_etc_files(devicekit_power_t) ++files_read_usr_files(devicekit_power_t) ++ ++fs_list_inotifyfs(devicekit_power_t) ++ ++term_use_all_terms(devicekit_power_t) ++ ++auth_use_nsswitch(devicekit_power_t) ++ ++miscfiles_read_localization(devicekit_power_t) ++ ++userdom_read_all_users_state(devicekit_power_t) ++ ++optional_policy(` ++ hal_domtrans_mac(devicekit_power_t) ++ hal_create_log(devicekit_power_t) ++ hal_manage_pid_dirs(devicekit_power_t) ++ hal_manage_pid_files(devicekit_power_t) ++ hal_dbus_chat(devicekit_power_t) ++') ++ ++optional_policy(` ++ cron_initrc_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` ++ polkit_domtrans_auth(devicekit_power_t) ++ polkit_read_lib(devicekit_power_t) ++ 
polkit_read_reload(devicekit_power_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(devicekit_power_t) ++ allow devicekit_power_t devicekit_t:dbus send_msg; ++ allow devicekit_t devicekit_power_t:dbus send_msg; ++ ++ optional_policy(` ++ consolekit_dbus_chat(devicekit_power_t) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(devicekit_power_t) ++ ') ++ ++ optional_policy(` ++ rpm_dbus_chat(devicekit_power_t) ++ ') ++') ++ ++optional_policy(` ++ bootloader_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` ++ vbetool_domtrans(devicekit_power_t) ++') ++# ++# DeviceKit disk local policy ++# ++ ++allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; ++ ++manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) ++manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) ++files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) ++ ++manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) ++manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) ++files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) ++ ++corecmd_exec_bin(devicekit_disk_t) ++ ++dev_rw_sysfs(devicekit_disk_t) ++dev_read_urand(devicekit_disk_t) ++dev_getattr_usbfs_dirs(devicekit_disk_t) ++dev_manage_generic_files(devicekit_disk_t) ++ ++kernel_read_software_raid_state(devicekit_disk_t) ++kernel_setsched(devicekit_disk_t) ++ ++files_manage_mnt_dirs(devicekit_disk_t) ++files_read_etc_files(devicekit_disk_t) ++files_read_etc_runtime_files(devicekit_disk_t) ++files_read_usr_files(devicekit_disk_t) ++files_manage_isid_type_dirs(devicekit_disk_t) ++ ++fs_list_inotifyfs(devicekit_disk_t) ++fs_mount_all_fs(devicekit_disk_t) ++fs_unmount_all_fs(devicekit_disk_t) ++ ++storage_raw_read_fixed_disk(devicekit_disk_t) 
++storage_raw_write_fixed_disk(devicekit_disk_t) ++storage_raw_read_removable_device(devicekit_disk_t) ++storage_raw_write_removable_device(devicekit_disk_t) ++ ++term_use_all_terms(devicekit_disk_t) ++ ++auth_use_nsswitch(devicekit_disk_t) ++ ++miscfiles_read_localization(devicekit_disk_t) ++ ++userdom_read_all_users_state(devicekit_disk_t) ++userdom_search_user_home_dirs(devicekit_disk_t) ++ ++optional_policy(` ++ fstools_domtrans(devicekit_disk_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(devicekit_disk_t) ++') ++ ++optional_policy(` ++ polkit_domtrans_auth(devicekit_disk_t) ++ polkit_read_lib(devicekit_disk_t) ++ polkit_read_reload(devicekit_disk_t) ++') ++ ++optional_policy(` ++ mount_domtrans(devicekit_disk_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(devicekit_disk_t) ++ allow devicekit_disk_t devicekit_t:dbus send_msg; ++ allow devicekit_t devicekit_disk_t:dbus send_msg; ++ ++ optional_policy(` ++ consolekit_dbus_chat(devicekit_disk_t) ++ ') ++') ++ ++optional_policy(` ++ udev_domtrans(devicekit_disk_t) ++ udev_read_db(devicekit_disk_t) ++') ++ ++ ++ifdef(`TESTING',` ++ permissive devicekit_t; ++ permissive devicekit_power_t; ++ permissive devicekit_disk_t; ++',` ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.12/policy/modules/services/dhcp.if +--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dhcp.if 2009-04-07 16:01:44.000000000 -0400 +@@ -22,6 +22,25 @@ - ####################################### + ######################################## ## -+## read -+## mailman logs. ++## Execute dhcp server in the dhcp domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. 
+## +## +# -+interface(`mailman_read_log',` ++# ++interface(`dhcpd_initrc_domtrans',` + gen_require(` -+ type mailman_log_t; ++ type dhcpd_initrc_exec_t; + ') + -+ read_files_pattern($1, mailman_log_t, mailman_log_t) ++ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) +') + -+####################################### ++######################################## +## - ## Append to mailman logs. + ## All of the rules required to administrate + ## an dhcp environment ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.12/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mailman.te 2009-04-07 16:01:44.000000000 -0400 -@@ -53,10 +53,8 @@ - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) -- -- optional_policy(` -- nscd_socket_use(mailman_cgi_t) -- ') -+ apache_read_config(mailman_cgi_t) -+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.12/policy/modules/services/dnsmasq.if +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.if 2009-04-07 16:01:44.000000000 -0400 +@@ -22,6 +22,25 @@ ######################################## -@@ -65,15 +63,31 @@ - # - - allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -+allow mailman_mail_t initrc_t:process signal; -+allow mailman_mail_t self:process { signal signull }; -+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; + ## ++## Execute dnsmasq server in the dnsmasq domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++# ++interface(`dnsmasq_initrc_domtrans',` ++ gen_require(` ++ type dnsmasq_initrc_exec_t; ++ ') + -+files_search_spool(mailman_mail_t) -+fs_rw_anon_inodefs_files(mailman_mail_t) -+fs_list_inotifyfs(mailman_mail_t) ++ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) ++') + -+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++######################################## ++## + ## Send dnsmasq a signal + ## + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te +--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-04-07 16:01:44.000000000 -0400 +@@ -42,8 +42,7 @@ + files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) - mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -+mta_dontaudit_rw_queue(mailman_mail_t) + kernel_read_kernel_sysctls(dnsmasq_t) +-kernel_list_proc(dnsmasq_t) +-kernel_read_proc_symlinks(dnsmasq_t) ++kernel_read_system_state(dnsmasq_t) + + corenet_all_recvfrom_unlabeled(dnsmasq_t) + corenet_all_recvfrom_netlabel(dnsmasq_t) +@@ -84,6 +83,14 @@ + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) --ifdef(`TODO',` optional_policy(` -- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; -- # do we really need this? 
-- allow mailman_mail_t qmail_lspawn_t:fifo_file write; -+ courier_read_spool(mailman_mail_t) - ') ++ cron_manage_pid_files(dnsmasq_t) ++') + +optional_policy(` -+ postfix_search_spool(mailman_mail_t) ++ tftp_read_content(dnsmasq_t) +') + +optional_policy(` -+ cron_read_pipes(mailman_mail_t) + seutil_sigchld_newrole(dnsmasq_t) ') - ######################################## -@@ -99,11 +113,15 @@ - # for su - seutil_dontaudit_search_config(mailman_queue_t) - -+su_exec(mailman_queue_t) -+ - # some of the following could probably be changed to dontaudit, someone who - # knows mailman well should test this out and send the changes - userdom_search_user_home_dirs(mailman_queue_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.12/policy/modules/services/dovecot.fc +--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dovecot.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -6,6 +6,7 @@ + /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) --su_exec(mailman_queue_t) -+optional_policy(` -+ apache_read_config(mailman_queue_t) -+') + /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) ++/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.12/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/mta.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,4 +1,4 @@ --/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/bin/mail(x)? 
-- gen_context(system_u:object_r:sendmail_exec_t,s0) + # + # /usr +@@ -17,19 +18,22 @@ - /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) - /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -@@ -10,10 +10,13 @@ + ifdef(`distro_debian', ` + /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ') - /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + ifdef(`distro_redhat', ` + /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) + ') -+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + # + # /var + # + /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat +-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) -@@ -22,7 +25,5 @@ - /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) - /var/spool/mail(/.*)? 
gen_context(system_u:object_r:mail_spool_t,s0) -- --#ifdef(`postfix.te', `', ` --#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) --#') -+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-07 16:01:44.000000000 -0400 -@@ -130,6 +130,15 @@ - sendmail_create_log($1_mail_t) - ') ++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) ++ + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.12/policy/modules/services/dovecot.if +--- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dovecot.if 2009-04-07 16:01:44.000000000 -0400 +@@ -21,7 +21,46 @@ -+ optional_policy(` -+ exim_read_log($1_mail_t) -+ exim_append_log($1_mail_t) -+ exim_manage_spool_files($1_mail_t) + ######################################## + ## +-## Do not audit attempts to delete dovecot lib files. ++## Connect to dovecot auth unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dovecot_auth_stream_connect',` ++ gen_require(` ++ type dovecot_auth_t, dovecot_var_run_t; ++ ') ++ ++ allow $1 dovecot_var_run_t:dir search; ++ allow $1 dovecot_var_run_t:sock_file write; ++ allow $1 dovecot_auth_t:unix_stream_socket connectto; +') + -+ optional_policy(` -+ uucp_manage_spool($1_mail_t) ++######################################## ++## ++## Execute dovecot_deliver in the dovecot_deliver domain. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dovecot_domtrans_deliver',` ++ gen_require(` ++ type dovecot_deliver_t, dovecot_deliver_exec_t; + ') - ') - - ######################################## -@@ -302,11 +311,13 @@ - allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1, mail_spool_t, mail_spool_t) - read_files_pattern($1, mail_spool_t, mail_spool_t) -+ append_files_pattern($1, mail_spool_t, mail_spool_t) - create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - - optional_policy(` - dovecot_manage_spool($1) -+ dovecot_domtrans_deliver($1) - ') - - optional_policy(` -@@ -341,6 +352,7 @@ - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) -+ apache_append_log($1) - ') - ') - -@@ -591,8 +603,8 @@ - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; -- allow $1 mail_spool_t:lnk_file read; -- allow $1 mail_spool_t:file getattr; -+ getattr_files_pattern($1, mail_spool_t, mail_spool_t) -+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - - ######################################## -@@ -612,7 +624,7 @@ - ') - - files_dontaudit_search_spool($1) -- dontaudit $1 mail_spool_t:dir search; -+ dontaudit $1 mail_spool_t:dir search_dir_perms; - dontaudit $1 mail_spool_t:lnk_file read; - dontaudit $1 mail_spool_t:file getattr; - ') -@@ -665,7 +677,7 @@ - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file setattr; -- rw_files_pattern($1, mail_spool_t, mail_spool_t) -+ manage_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - -@@ -806,6 +818,7 @@ - ') ++ ++ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) ++') ++ ++####################################### ++## ++## Do not audit attempts to d`elete dovecot lib files. 
+ ## + ## + ## +@@ -36,3 +75,60 @@ - files_search_spool($1) -+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) - manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.12/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mta.te 2009-04-07 16:01:44.000000000 -0400 -@@ -27,6 +27,9 @@ - type mail_spool_t; - files_mountpoint(mail_spool_t) - -+type mail_forward_t, mailcontent_type; -+files_type(mail_forward_t) -+ - type sendmail_exec_t; - mta_agent_executable(sendmail_exec_t) - -@@ -47,34 +50,49 @@ - # - - # newalias required this, not sure if it is needed in 'if' file --allow system_mail_t self:capability { dac_override }; -+allow system_mail_t self:capability { dac_override fowner }; -+allow system_mail_t self:fifo_file rw_fifo_file_perms; - - read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) -+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - - allow system_mail_t mta_exec_type:file entrypoint; - --allow system_mail_t mailcontent_type:file read_file_perms; -+can_exec(system_mail_t, mta_exec_type) -+ -+files_read_all_tmp_files(system_mail_t) - - kernel_read_system_state(system_mail_t) - kernel_read_network_state(system_mail_t) - -+dev_read_sysfs(system_mail_t) - dev_read_rand(system_mail_t) - dev_read_urand(system_mail_t) - -+fs_rw_anon_inodefs_files(system_mail_t) -+fs_list_inotifyfs(system_mail_t) -+ -+selinux_getattr_fs(system_mail_t) -+ - init_use_script_ptys(system_mail_t) - - userdom_use_user_terminals(system_mail_t) - userdom_dontaudit_search_user_home_dirs(system_mail_t) -+userdom_dontaudit_list_admin_dir(system_mail_t) -+ -+logging_append_all_logs(system_mail_t) - - optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - 
apache_append_squirrelmail_data(system_mail_t) -+ apache_search_bugzilla_dirs(system_mail_t) - - # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) - ') - - optional_policy(` -@@ -88,6 +106,13 @@ - optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) -+ cron_rw_system_stream_sockets(system_mail_t) -+') -+ -+optional_policy(` -+ courier_manage_spool_dirs(system_mail_t) -+ courier_manage_spool_files(system_mail_t) -+ courier_rw_spool_pipes(system_mail_t) - ') - - optional_policy(` -@@ -95,16 +120,16 @@ - ') - - optional_policy(` -- logrotate_read_tmp_files(system_mail_t) -+ exim_domtrans(system_mail_t) -+ exim_manage_log(system_mail_t) - ') - - optional_policy(` -- logwatch_read_tmp_files(system_mail_t) -+ logrotate_read_tmp_files(system_mail_t) - ') - - optional_policy(` -- # newaliases runs as system_mail_t when the sendmail initscript does a restart -- milter_getattr_all_sockets(system_mail_t) -+ logwatch_read_tmp_files(system_mail_t) - ') - - optional_policy(` -@@ -132,10 +157,6 @@ - # compatability for old default main.cf - postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') -- -- optional_policy(` -- cron_rw_tcp_sockets(system_mail_t) -- ') - ') - - optional_policy(` -@@ -155,6 +176,19 @@ - ') - - optional_policy(` -+ clamav_stream_connect(system_mail_t) -+ clamav_append_log(system_mail_t) -+') -+ -+optional_policy(` -+ fail2ban_append_log(system_mail_t) -+ ') -+ -+ optional_policy(` -+ spamd_stream_connect(system_mail_t) -+') -+ -+optional_policy(` - smartmon_read_tmp_files(system_mail_t) - ') - -@@ -174,6 +208,25 @@ - ') - ') - -+read_files_pattern(mailserver_delivery, system_mail_tmp_t, 
system_mail_tmp_t) -+userdom_search_admin_dir(mailserver_delivery) -+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) -+ -+init_stream_connect_script(mailserver_delivery) -+init_rw_script_stream_sockets(mailserver_delivery) -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(mailserver_delivery) -+ fs_manage_cifs_files(mailserver_delivery) -+ fs_manage_cifs_symlinks(mailserver_delivery) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(mailserver_delivery) -+ fs_manage_nfs_files(mailserver_delivery) -+ fs_manage_nfs_symlinks(mailserver_delivery) -+') -+ - ######################################## - # - # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.12/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/munin.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,4 +1,5 @@ - /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) -+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - - /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -@@ -6,6 +7,8 @@ - /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - - /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) --/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) -+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) --/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -+/var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.12/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/munin.if 2009-04-07 16:01:44.000000000 -0400 -@@ -59,8 +59,9 @@ - type munin_log_t; - ') - -- allow $1 munin_log_t:file append_file_perms; - logging_search_logs($1) -+ allow $1 munin_log_t:dir list_dir_perms; -+ append_files_pattern($1, munin_log_t, munin_log_t) - ') - - ####################################### -@@ -100,3 +101,55 @@ - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; + dontaudit $1 dovecot_var_lib_t:file unlink; ') + +######################################## +## +## All of the rules required to administrate -+## an munin environment ++## an dovecot environment +## +## +## 
@@ -13339,1983 +12321,1377 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the munin domain. ++## The role to be allowed to manage the dovecot domain. +## +## +## +# -+interface(`munin_admin',` ++interface(`dovecot_admin',` + gen_require(` -+ type munin_t, munin_etc_t, munin_tmp_t; -+ type munin_log_t, munin_var_lib_t, munin_var_run_t; -+ type httpd_munin_content_t; -+ type munin_initrc_exec_t; ++ type dovecot_t, dovecot_etc_t, dovecot_log_t; ++ type dovecot_spool_t, dovecot_var_lib_t; ++ type dovecot_var_run_t; ++ ++ type dovecot_cert_t, dovecot_passwd_t; ++ type dovecot_initrc_exec_t; + ') + -+ allow $1 munin_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, munin_t) ++ allow $1 dovecot_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, dovecot_t) + -+ init_labeled_script_domtrans($1, munin_initrc_exec_t) ++ init_labeled_script_domtrans($1, dovecot_initrc_exec_t) + domain_system_change_exemption($1) -+ role_transition $2 munin_initrc_exec_t system_r; ++ role_transition $2 dovecot_initrc_exec_t system_r; + allow $2 system_r; + -+ files_list_tmp($1) -+ admin_pattern($1, munin_tmp_t) ++ files_list_etc($1) ++ admin_pattern($1, dovecot_etc_t) + + logging_list_logs($1) -+ admin_pattern($1, munin_log_t) ++ admin_pattern($1, dovecot_log_t) + -+ files_list_etc($1) -+ admin_pattern($1, munin_etc_t) ++ files_list_spool($1) ++ admin_pattern($1, dovecot_spool_t) + + files_list_var_lib($1) -+ admin_pattern($1, munin_var_lib_t) ++ admin_pattern($1, dovecot_var_lib_t) + + files_list_pids($1) -+ admin_pattern($1, munin_var_run_t) ++ admin_pattern($1, dovecot_var_run_t) + -+ admin_pattern($1, httpd_munin_content_t) ++ admin_pattern($1, dovecot_cert_t) ++ ++ admin_pattern($1, dovecot_passwd_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.12/policy/modules/services/munin.te ---- 
nsaserefpolicy/policy/modules/services/munin.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/munin.te 2009-04-07 16:01:44.000000000 -0400 -@@ -13,6 +13,9 @@ - type munin_etc_t alias lrrd_etc_t; - files_config_file(munin_etc_t) - -+type munin_initrc_exec_t; -+init_script_file(munin_initrc_exec_t) + - type munin_log_t alias lrrd_log_t; - logging_log_file(munin_log_t) - -@@ -30,21 +33,25 @@ - # Local policy - # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.12/policy/modules/services/dovecot.te +--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/dovecot.te 2009-04-07 16:01:44.000000000 -0400 +@@ -15,12 +15,21 @@ + domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) + role system_r types dovecot_auth_t; --allow munin_t self:capability { setgid setuid }; -+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; - dontaudit munin_t self:capability sys_tty_config; - allow munin_t self:process { getsched setsched signal_perms }; - allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; - allow munin_t self:tcp_socket create_stream_socket_perms; - allow munin_t self:udp_socket create_socket_perms; -+allow munin_t self:fifo_file manage_fifo_file_perms; ++type dovecot_deliver_t; ++type dovecot_deliver_exec_t; ++domain_type(dovecot_deliver_t) ++domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) ++role system_r types dovecot_deliver_t; + -+can_exec(munin_t, munin_exec_t) + type dovecot_cert_t; + files_type(dovecot_cert_t) - allow munin_t munin_etc_t:dir list_dir_perms; - read_files_pattern(munin_t, munin_etc_t, munin_etc_t) - read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) - files_search_etc(munin_t) + type dovecot_etc_t; + 
files_config_file(dovecot_etc_t) --allow munin_t munin_log_t:file manage_file_perms; --logging_log_filetrans(munin_t, munin_log_t, file) -+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -+manage_files_pattern(munin_t, munin_log_t, munin_log_t) -+logging_log_filetrans(munin_t, munin_log_t, { file dir }) ++type dovecot_initrc_exec_t; ++init_script_file(dovecot_initrc_exec_t) ++ + type dovecot_passwd_t; + files_type(dovecot_passwd_t) - manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) - manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -@@ -61,9 +68,11 @@ - files_pid_filetrans(munin_t, munin_var_run_t, file) +@@ -31,9 +40,15 @@ + type dovecot_var_lib_t; + files_type(dovecot_var_lib_t) - kernel_read_system_state(munin_t) --kernel_read_kernel_sysctls(munin_t) -+kernel_read_network_state(munin_t) -+kernel_read_all_sysctls(munin_t) ++type dovecot_var_log_t; ++logging_log_file(dovecot_var_log_t) ++ + type dovecot_var_run_t; + files_pid_file(dovecot_var_run_t) - corecmd_exec_bin(munin_t) -+corecmd_exec_shell(munin_t) ++type dovecot_auth_tmp_t; ++files_tmp_file(dovecot_auth_tmp_t) ++ + ######################################## + # + # dovecot local policy +@@ -58,6 +73,10 @@ - corenet_all_recvfrom_unlabeled(munin_t) - corenet_all_recvfrom_netlabel(munin_t) -@@ -73,24 +82,36 @@ - corenet_udp_sendrecv_generic_node(munin_t) - corenet_tcp_sendrecv_all_ports(munin_t) - corenet_udp_sendrecv_all_ports(munin_t) -+corenet_tcp_bind_munin_port(munin_t) -+corenet_tcp_connect_munin_port(munin_t) -+corenet_tcp_connect_http_port(munin_t) -+corenet_tcp_bind_generic_node(munin_t) + can_exec(dovecot_t, dovecot_exec_t) - dev_read_sysfs(munin_t) - dev_read_urand(munin_t) -+fs_list_inotifyfs(munin_t) ++# log files ++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) ++logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) ++ + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + manage_files_pattern(dovecot_t, dovecot_spool_t, 
dovecot_spool_t) + manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -85,6 +104,7 @@ + dev_read_urand(dovecot_t) - domain_use_interactive_fds(munin_t) -+domain_read_all_domains_state(munin_t) + fs_getattr_all_fs(dovecot_t) ++fs_getattr_all_dirs(dovecot_t) + fs_search_auto_mountpoints(dovecot_t) + fs_list_inotifyfs(dovecot_t) - files_read_etc_files(munin_t) - files_read_etc_runtime_files(munin_t) - files_read_usr_files(munin_t) -+files_list_spool(munin_t) +@@ -98,7 +118,7 @@ + files_dontaudit_list_default(dovecot_t) + # Dovecot now has quota support and it uses getmntent() to find the mountpoints. + files_read_etc_runtime_files(dovecot_t) +-files_getattr_all_mountpoints(dovecot_t) ++files_search_all_mountpoints(dovecot_t) - fs_getattr_all_fs(munin_t) - fs_search_auto_mountpoints(munin_t) + init_getattr_utmp(dovecot_t) -+auth_use_nsswitch(munin_t) +@@ -120,7 +140,7 @@ + mta_manage_spool(dovecot_t) + + optional_policy(` +- kerberos_use(dovecot_t) ++ kerberos_keytab_template(dovecot, dovecot_t) + ') + + optional_policy(` +@@ -140,25 +160,35 @@ + # dovecot auth local policy + # + +-allow dovecot_auth_t self:capability { setgid setuid }; ++allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; + allow dovecot_auth_t self:process signal_perms; + allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; + allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; + allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; + +-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; ++allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; + +-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; ++read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) + - logging_send_syslog_msg(munin_t) -+logging_read_all_logs(munin_t) ++manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) 
++manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) ++files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -+miscfiles_read_fonts(munin_t) - miscfiles_read_localization(munin_t) + # Allow dovecot to create and read SSL parameters file + manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) + files_search_var_lib(dovecot_t) ++files_read_var_symlinks(dovecot_t) --sysnet_read_config(munin_t) -+sysnet_exec_ifconfig(munin_t) -+netutils_domtrans_ping(munin_t) + allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; ++manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_auth_stream_connect(dovecot_auth_t) - userdom_dontaudit_use_unpriv_user_fds(munin_t) - userdom_dontaudit_search_user_home_dirs(munin_t) -@@ -105,7 +126,31 @@ + kernel_read_all_sysctls(dovecot_auth_t) + kernel_read_system_state(dovecot_auth_t) + ++logging_send_audit_msgs(dovecot_auth_t) ++logging_send_syslog_msg(dovecot_auth_t) ++ + dev_read_urand(dovecot_auth_t) + + auth_domtrans_chk_passwd(dovecot_auth_t) +@@ -167,6 +197,7 @@ + files_read_etc_files(dovecot_auth_t) + files_read_etc_runtime_files(dovecot_auth_t) + files_search_pids(dovecot_auth_t) ++files_read_usr_files(dovecot_auth_t) + files_read_usr_symlinks(dovecot_auth_t) + files_search_tmp(dovecot_auth_t) + files_read_var_lib_files(dovecot_t) +@@ -182,5 +213,58 @@ ') optional_policy(` -- nis_use_ypbind(munin_t) -+ fstools_domtrans(munin_t) -+') +- logging_send_syslog_msg(dovecot_auth_t) ++ mysql_search_db(dovecot_auth_t) ++ mysql_stream_connect(dovecot_auth_t) + ') + +optional_policy(` -+ mta_read_config(munin_t) -+ mta_send_mail(munin_t) -+ mta_read_queue(munin_t) ++ nis_authenticate(dovecot_auth_t) +') + +optional_policy(` -+ mysql_read_config(munin_t) -+ mysql_stream_connect(munin_t) ++ postfix_manage_private_sockets(dovecot_auth_t) ++ postfix_search_spool(dovecot_auth_t) +') + -+optional_policy(` -+ postfix_list_spool(munin_t) -+ 
postfix_getattr_spool_files(munin_t) -+') ++# for gssapi (kerberos) ++userdom_list_user_tmp(dovecot_auth_t) ++userdom_read_user_tmp_files(dovecot_auth_t) ++userdom_read_user_tmp_symlinks(dovecot_auth_t) + -+optional_policy(` -+ rpc_search_nfs_state_data(munin_t) -+') ++######################################## ++# ++# dovecot deliver local policy ++# ++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; + -+optional_policy(` -+ sendmail_read_log(munin_t) - ') - - optional_policy(` -@@ -115,3 +160,10 @@ - optional_policy(` - udev_read_db(munin_t) - ') ++allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; ++allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; + -+#============= http munin policy ============== -+apache_content_template(munin) ++kernel_read_all_sysctls(dovecot_deliver_t) ++kernel_read_system_state(dovecot_deliver_t) + -+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++files_read_etc_files(dovecot_deliver_t) ++files_read_etc_runtime_files(dovecot_deliver_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.12/policy/modules/services/mysql.fc ---- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mysql.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -12,6 +12,8 @@ - # - /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) - -+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) ++auth_use_nsswitch(dovecot_deliver_t) + - /usr/sbin/mysqld(-max)? 
-- gen_context(system_u:object_r:mysqld_exec_t,s0)
- 
- #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.12/policy/modules/services/mysql.if
---- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/mysql.if 2009-04-07 16:01:44.000000000 -0400
-@@ -121,6 +121,44 @@
- allow $1 mysqld_db_t:dir rw_dir_perms;
- ')
- 
-+#######################################
-+##
-+## Append to the MySQL database directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_append_db_files',`
-+ gen_require(`
-+ type mysqld_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ append_files_pattern($1, mysqld_db_t, mysqld_db_t)
-+')
-+
-+#######################################
-+##
-+## Read and write to the MySQL database directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`mysql_rw_db_files',`
-+ gen_require(`
-+ type mysqld_db_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ rw_files_pattern($1,mysqld_db_t,mysqld_db_t)
-+')
-+
- ########################################
- ##
- ## Create, read, write, and delete MySQL database directories.
-@@ -140,6 +178,25 @@
- allow $1 mysqld_db_t:dir manage_dir_perms;
- ')
- 
-+#######################################
-+##
-+## Create, read, write, and delete MySQL database files.
-+##
-+##
-+##
-+## Domain allowed access. 
-+## -+## -+# -+interface(`mysql_manage_db_files',` -+ gen_require(` -+ type mysqld_db_t; -+ ') ++dovecot_auth_stream_connect(dovecot_deliver_t) + -+ files_search_var_lib($1) -+ manage_files_pattern($1,mysqld_db_t,mysqld_db_t) -+') ++files_search_tmp(dovecot_deliver_t) ++fs_getattr_all_fs(dovecot_deliver_t) + - ######################################## - ## - ## Read and write to the MySQL database -@@ -161,6 +218,25 @@ - allow $1 mysqld_db_t:sock_file rw_sock_file_perms; - ') - -+##################################### -+## -+## Search MySQL PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`mysql_search_pid_files',` -+ gen_require(` -+ type mysqld_var_run_t; -+ ') ++userdom_manage_user_home_content_dirs(dovecot_deliver_t) ++userdom_manage_user_home_content_files(dovecot_deliver_t) ++userdom_manage_user_home_content_symlinks(dovecot_deliver_t) ++userdom_manage_user_home_content_pipes(dovecot_deliver_t) ++userdom_manage_user_home_content_sockets(dovecot_deliver_t) ++userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) + -+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ++optional_policy(` ++ mta_manage_spool(dovecot_deliver_t) +') + - ######################################## - ## - ## Write to the MySQL log. 
-@@ -177,7 +253,7 @@
- ')
- 
- logging_search_logs($1)
-- allow $1 mysqld_log_t:file { write_file_perms setattr };
-+ allow $1 mysqld_log_t:file { write_file_perms setattr getattr };
- ')
- 
- ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te
---- nsaserefpolicy/policy/modules/services/mysql.te 2009-03-12 11:16:47.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-04-07 16:01:44.000000000 -0400
-@@ -10,6 +10,10 @@
- type mysqld_exec_t;
- init_daemon_domain(mysqld_t, mysqld_exec_t)
- 
-+type mysqld_safe_t;
-+type mysqld_safe_exec_t;
-+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
-+
- type mysqld_var_run_t;
- files_pid_file(mysqld_var_run_t)
- 
-@@ -121,3 +125,36 @@
- optional_policy(`
- udev_read_db(mysqld_t)
- ')
-+
-+#######################################
-+#
-+# Local mysqld_safe policy
-+#
-+
-+domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t)
-+
-+allow mysqld_safe_t self:capability { dac_override fowner chown };
-+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-+
-+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
-+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+
-+mysql_append_db_files(mysqld_safe_t)
-+mysql_read_config(mysqld_safe_t)
-+mysql_search_pid_files(mysqld_safe_t)
-+mysql_write_log(mysqld_safe_t)
-+
-+kernel_read_system_state(mysqld_safe_t)
-+
-+dev_list_sysfs(mysqld_safe_t)
-+
-+files_read_etc_files(mysqld_safe_t)
-+files_read_usr_files(mysqld_safe_t)
-+
-+corecmd_exec_bin(mysqld_safe_t)
-+
-+miscfiles_read_localization(mysqld_safe_t)
-+
-+hostname_exec(mysqld_safe_t)
-+
-+permissive mysqld_safe_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.12/policy/modules/services/nagios.fc
---- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 
11:15:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/nagios.fc 2009-04-07 16:01:44.000000000 -0400
-@@ -1,16 +1,19 @@
- /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
- /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
-+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
- 
- /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
- /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
- 
--/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
--/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
- 
- /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
--/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-+
-+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
- 
- ifdef(`distro_debian',`
- /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
--/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
- ')
-+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.12/policy/modules/services/nagios.if
---- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/nagios.if 2009-04-07 16:01:44.000000000 -0400
-@@ -44,7 +44,7 @@
- 
- ########################################
- ##
--## Execute the nagios CGI with
-+## Execute the nagios NRPE with
- ## a domain transition. 
- ## - ## -@@ -53,18 +53,37 @@ - ## - ## - # --interface(`nagios_domtrans_cgi',` -+interface(`nagios_domtrans_nrpe',` - gen_require(` -- type nagios_cgi_t, nagios_cgi_exec_t; -+ type nrpe_t, nrpe_exec_t; - ') - -- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) -+ domtrans_pattern($1, nrpe_exec_t, nrpe_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.12/policy/modules/services/exim.if +--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/exim.if 2009-04-07 16:01:44.000000000 -0400 +@@ -97,6 +97,26 @@ ######################################## ## --## Execute the nagios NRPE with --## a domain transition. -+## Do not audit attempts to read and write -+## NAGIOS unnamed pipes. ++## Allow the specified domain to manage exim's log files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## ++## +# -+interface(`nagios_dontaudit_rw_pipes',` -+ ++interface(`exim_manage_log',` + gen_require(` -+ type nagios_t; ++ type exim_log_t; + ') + -+ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; ++ manage_files_pattern($1, exim_log_t, exim_log_t) ++ logging_search_logs($1) +') + +######################################## +## -+## Search nagios spool directories. + ## Allow the specified domain to append + ## exim log files. 
## - ## - ## -@@ -72,10 +91,63 @@ - ## - ## - # --interface(`nagios_domtrans_nrpe',` -+interface(`nagios_search_spool',` - gen_require(` -- type nrpe_t, nrpe_exec_t; -+ type nagios_spool_t; - ') - -- domtrans_pattern($1, nrpe_exec_t, nrpe_t) -+ allow $1 nagios_spool_t:dir search_dir_perms; -+ files_search_spool($1) -+') +@@ -154,3 +174,23 @@ + manage_files_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) + ') + +######################################## +## -+## All of the rules required to administrate -+## an nagios environment ++## Create, read, write, and delete ++## exim spool dirs. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed to manage the nagios domain. -+## -+## -+## +# -+interface(`nagios_admin',` ++interface(`exim_manage_spool_dirs',` + gen_require(` -+ type nagios_t, nrpe_t; -+ type nagios_tmp_t, nagios_log_t; -+ type nagios_etc_t, nrpe_etc_t; -+ type nagios_spool_t, nagios_var_run_t; -+ type nagios_initrc_exec_t; ++ type exim_spool_t; + ') + -+ allow $1 nagios_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nagios_t) -+ -+ init_labeled_script_domtrans($1, nagios_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 nagios_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, nagios_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, nagios_log_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, nagios_etc_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, nagios_spool_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, nagios_var_run_t) ++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) ++ files_search_spool($1) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te +--- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/exim.te 
2009-04-07 16:01:44.000000000 -0400 +@@ -21,9 +21,20 @@ + ## + gen_tunable(exim_manage_user_files, false) + ++## ++##

++## Allow exim to connect to databases (postgres, mysql) ++##

++##
++gen_tunable(exim_can_connect_db, false) + -+ admin_pattern($1, nrpe_etc_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.12/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/nagios.te 2009-04-07 16:01:44.000000000 -0400 -@@ -10,13 +10,12 @@ - type nagios_exec_t; - init_daemon_domain(nagios_t, nagios_exec_t) + type exim_t; + type exim_exec_t; + init_daemon_domain(exim_t, exim_exec_t) ++mta_mailserver(exim_t, exim_exec_t) ++mta_mailserver_user_agent(exim_t) ++application_executable_file(exim_exec_t) ++mta_agent_executable(exim_exec_t) --type nagios_cgi_t; --type nagios_cgi_exec_t; --init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) -- - type nagios_etc_t; - files_config_file(nagios_etc_t) + type exim_log_t; + logging_log_file(exim_log_t) +@@ -42,10 +53,12 @@ + # exim local policy + # -+type nagios_initrc_exec_t; -+init_script_file(nagios_initrc_exec_t) -+ - type nagios_log_t; - logging_log_file(nagios_log_t) +-allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; ++allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; ++allow exim_t self:process { setrlimit setpgid }; + allow exim_t self:fifo_file rw_fifo_file_perms; + allow exim_t self:unix_stream_socket create_stream_socket_perms; + allow exim_t self:tcp_socket create_stream_socket_perms; ++allow exim_t self:udp_socket create_socket_perms; -@@ -26,6 +25,9 @@ - type nagios_var_run_t; - files_pid_file(nagios_var_run_t) + can_exec(exim_t,exim_exec_t) -+type nagios_spool_t; -+files_type(nagios_spool_t) -+ - type nrpe_t; - type nrpe_exec_t; - init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -60,6 +62,8 @@ - manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) - files_pid_filetrans(nagios_t, nagios_var_run_t, file) +@@ 
-66,12 +79,15 @@ + files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) -+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -+ - kernel_read_system_state(nagios_t) - kernel_read_kernel_sysctls(nagios_t) + kernel_read_kernel_sysctls(exim_t) +- + kernel_dontaudit_read_system_state(exim_t) ++kernel_read_network_state(exim_t) -@@ -127,39 +131,34 @@ - # - # Nagios CGI local policy - # -+apache_content_template(nagios) -+typealias httpd_nagios_script_t alias nagios_cgi_t; -+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + corecmd_search_bin(exim_t) --allow nagios_cgi_t self:process signal_perms; --allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -+allow httpd_nagios_script_t self:process signal_perms; + corenet_all_recvfrom_unlabeled(exim_t) ++corenet_all_recvfrom_netlabel(exim_t) ++corenet_udp_sendrecv_generic_if(exim_t) ++corenet_udp_sendrecv_generic_node(exim_t) + corenet_tcp_sendrecv_generic_if(exim_t) + corenet_tcp_sendrecv_generic_node(exim_t) + corenet_tcp_sendrecv_all_ports(exim_t) +@@ -82,6 +98,8 @@ + corenet_tcp_connect_smtp_port(exim_t) + corenet_tcp_connect_ldap_port(exim_t) + corenet_tcp_connect_inetd_child_port(exim_t) ++# connect to spamassassin ++corenet_tcp_connect_spamd_port(exim_t) --read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + dev_read_rand(exim_t) + dev_read_urand(exim_t) +@@ -89,20 +107,27 @@ + # Init script handling + domain_use_interactive_fds(exim_t) --allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) ++files_search_usr(exim_t) ++files_search_var(exim_t) + 
files_read_etc_files(exim_t) ++files_read_etc_runtime_files(exim_t) --allow nagios_cgi_t nagios_log_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + auth_use_nsswitch(exim_t) --kernel_read_system_state(nagios_cgi_t) -+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + logging_send_syslog_msg(exim_t) --corecmd_exec_bin(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) + miscfiles_read_localization(exim_t) ++miscfiles_read_certs(exim_t) --domain_dontaudit_read_all_domains_state(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) +-sysnet_dns_name_resolve(exim_t) ++fs_getattr_xattr_fs(exim_t) ++fs_list_inotifyfs(exim_t) --files_read_etc_files(nagios_cgi_t) --files_read_etc_runtime_files(nagios_cgi_t) --files_read_kernel_symbol_table(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) + userdom_dontaudit_search_user_home_dirs(exim_t) --logging_send_syslog_msg(nagios_cgi_t) --logging_search_logs(nagios_cgi_t) -- --miscfiles_read_localization(nagios_cgi_t) -- --optional_policy(` -- apache_append_log(nagios_cgi_t) --') -+logging_send_syslog_msg(httpd_nagios_script_t) + mta_read_aliases(exim_t) +-mta_rw_spool(exim_t) ++mta_read_config(exim_t) ++mta_manage_spool(exim_t) ++mta_mailserver_delivery(exim_t) - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc 
serefpolicy-3.6.12/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/networkmanager.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,12 +1,25 @@ -+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) -+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + tunable_policy(`exim_read_user_files',` + userdom_read_user_home_content_files(exim_t) +@@ -114,3 +139,62 @@ + userdom_read_user_tmp_files(exim_t) + userdom_write_user_tmp_files(exim_t) + ') + - /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) - /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - - /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0) - /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++tunable_policy(`exim_can_connect_db',` ++ corenet_tcp_connect_mysqld_port(exim_t) ++ corenet_sendrecv_mysqld_client_packets(exim_t) ++ corenet_tcp_connect_postgresql_port(exim_t) ++ corenet_sendrecv_postgresql_client_packets(exim_t) ++') + -+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) - -+/var/log/wicd(/.*)? 
gen_context(system_u:object_r:NetworkManager_log_t,s0) - /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - - /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++optional_policy(` ++ dovecot_auth_stream_connect(exim_t) ++') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.12/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/networkmanager.if 2009-04-07 16:01:44.000000000 -0400 -@@ -118,6 +118,24 @@ - - ######################################## - ## -+## Execute NetworkManager scripts with an automatic domain transition to initrc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`networkmanager_initrc_domtrans',` -+ gen_require(` -+ type NetworkManager_initrc_exec_t; ++optional_policy(` ++ tunable_policy(`exim_can_connect_db',` ++ mysql_stream_connect(exim_t) + ') -+ -+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + -+######################################## -+## - ## Read NetworkManager PID files. 
- ## - ## -@@ -134,3 +152,30 @@ - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; - ') ++optional_policy(` ++ tunable_policy(`exim_can_connect_db',` ++ postgresql_stream_connect(exim_t) ++') ++') + -+######################################## -+## -+## Execute NetworkManager in the NetworkManager domain, and -+## allow the specified role the NetworkManager domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the NetworkManager domain. -+## -+## -+## -+# -+interface(`networkmanager_run',` -+ gen_require(` -+ type NetworkManager_t, NetworkManager_exec_t; -+ ') ++optional_policy(` ++ kerberos_keytab_template(exim, exim_t) ++') + -+ networkmanager_domtrans($1) -+ role $2 types NetworkManager_t; ++optional_policy(` ++ mailman_read_data_files(exim_t) ++ mailman_domtrans(exim_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.12/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/networkmanager.te 2009-04-07 16:01:44.000000000 -0400 -@@ -19,6 +19,9 @@ - type NetworkManager_tmp_t; - files_tmp_file(NetworkManager_tmp_t) - -+type NetworkManager_var_lib_t; -+files_type(NetworkManager_var_lib_t) ++optional_policy(` ++ procmail_domtrans(exim_t) ++') + - type NetworkManager_var_run_t; - files_pid_file(NetworkManager_var_run_t) - -@@ -33,9 +36,9 @@ - - # networkmanager will ptrace itself if gdb is installed - # and it receives a unexpected signal (rh bug #204161) --allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; - dontaudit NetworkManager_t 
self:capability { sys_tty_config sys_ptrace }; --allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; -+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; - allow NetworkManager_t self:fifo_file rw_fifo_file_perms; - allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; - allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -@@ -51,8 +54,10 @@ - manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) - logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - --rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) --files_search_tmp(NetworkManager_t) -+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) ++optional_policy(` ++ sasl_connect(exim_t) ++') + -+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++optional_policy(` ++ cron_read_pipes(exim_t) ++ cron_rw_system_job_pipes(exim_t) ++') ++ ++optional_policy(` ++ cyrus_stream_connect(exim_t) ++') ++ ++optional_policy(` ++ clamav_domtrans_clamscan(exim_t) ++ clamav_stream_connect(exim_t) ++') ++ ++optional_policy(` ++ spamassassin_exec(exim_t) ++ spamassassin_exec_client(exim_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te +--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-04-07 16:01:44.000000000 -0400 +@@ -26,6 +26,7 @@ + # fail2ban local policy + # - manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) - manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -63,6 
+68,8 @@ - kernel_read_network_state(NetworkManager_t) - kernel_read_kernel_sysctls(NetworkManager_t) - kernel_load_module(NetworkManager_t) -+kernel_read_debugfs(NetworkManager_t) -+kernel_rw_net_sysctls(NetworkManager_t) ++allow fail2ban_t self:capability { sys_tty_config }; + allow fail2ban_t self:process signal; + allow fail2ban_t self:fifo_file rw_fifo_file_perms; + allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te +--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-04-07 16:01:44.000000000 -0400 +@@ -26,7 +26,7 @@ + ## + ##

+ ## Allow ftp servers to use cifs +-## used for public file transfer services. ++## for public file transfer services. + ##

+ ##
+ gen_tunable(allow_ftpd_use_cifs, false) +@@ -34,13 +34,20 @@ + ## + ##

+ ## Allow ftp servers to use nfs +-## used for public file transfer services. ++## for public file transfer services. + ##

+ ##
+ gen_tunable(allow_ftpd_use_nfs, false) - corenet_all_recvfrom_unlabeled(NetworkManager_t) - corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +88,18 @@ - corenet_sendrecv_isakmp_server_packets(NetworkManager_t) - corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) - corenet_sendrecv_all_client_packets(NetworkManager_t) -+corenet_rw_tun_tap_dev(NetworkManager_t) -+corenet_getattr_ppp_dev(NetworkManager_t) + ## + ##

++## Allow ftp servers to use connect to mysql database ++##

++##
++gen_tunable(ftpd_connect_db, false) ++ ++## ++##

+ ## Allow ftp to read and write files in the user home directories + ##

+ ##
+@@ -92,6 +99,7 @@ + allow ftpd_t self:unix_stream_socket create_stream_socket_perms; + allow ftpd_t self:tcp_socket create_stream_socket_perms; + allow ftpd_t self:udp_socket create_socket_perms; ++allow ftpd_t self:key manage_key_perms; - dev_read_sysfs(NetworkManager_t) - dev_read_rand(NetworkManager_t) - dev_read_urand(NetworkManager_t) -+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) -+dev_getattr_all_chr_files(NetworkManager_t) + allow ftpd_t ftpd_etc_t:file read_file_perms; - fs_getattr_all_fs(NetworkManager_t) - fs_search_auto_mountpoints(NetworkManager_t) -+fs_list_inotifyfs(NetworkManager_t) +@@ -131,6 +139,7 @@ - mls_file_read_all_levels(NetworkManager_t) + dev_read_sysfs(ftpd_t) + dev_read_urand(ftpd_t) ++fs_list_inotifyfs(ftpd_t) -@@ -98,15 +110,19 @@ + corecmd_exec_bin(ftpd_t) - domain_use_interactive_fds(NetworkManager_t) - domain_read_confined_domains_state(NetworkManager_t) --domain_dontaudit_read_all_domains_state(NetworkManager_t) +@@ -160,6 +169,7 @@ - files_read_etc_files(NetworkManager_t) - files_read_etc_runtime_files(NetworkManager_t) - files_read_usr_files(NetworkManager_t) + fs_search_auto_mountpoints(ftpd_t) + fs_getattr_all_fs(ftpd_t) ++fs_search_fusefs(ftpd_t) -+storage_getattr_fixed_disk_dev(NetworkManager_t) + auth_use_nsswitch(ftpd_t) + auth_domtrans_chk_passwd(ftpd_t) +@@ -222,9 +232,15 @@ + userdom_manage_user_home_content_dirs(ftpd_t) + userdom_manage_user_home_content_files(ftpd_t) + userdom_manage_user_home_content_symlinks(ftpd_t) +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) + - init_read_utmp(NetworkManager_t) -+init_dontaudit_write_utmp(NetworkManager_t) - init_domtrans_script(NetworkManager_t) ++ auth_read_all_dirs_except_shadow(ftpd_t) ++ auth_read_all_files_except_shadow(ftpd_t) ++ auth_read_all_symlinks_except_shadow(ftpd_t) + ') -+auth_use_nsswitch(NetworkManager_t) ++# Needed for permissive mode, to make sure everything gets labeled correctly 
++userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + - logging_send_syslog_msg(NetworkManager_t) - - miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +132,40 @@ - - seutil_read_config(NetworkManager_t) - --sysnet_domtrans_ifconfig(NetworkManager_t) --sysnet_domtrans_dhcpc(NetworkManager_t) --sysnet_signal_dhcpc(NetworkManager_t) --sysnet_read_dhcpc_pid(NetworkManager_t) -+sysnet_etc_filetrans_config(NetworkManager_t) - sysnet_delete_dhcpc_pid(NetworkManager_t) --sysnet_search_dhcp_state(NetworkManager_t) --# in /etc created by NetworkManager will be labelled net_conf_t. -+sysnet_domtrans_dhcpc(NetworkManager_t) -+sysnet_domtrans_ifconfig(NetworkManager_t) -+sysnet_kill_dhcpc(NetworkManager_t) - sysnet_manage_config(NetworkManager_t) --sysnet_etc_filetrans_config(NetworkManager_t) -+sysnet_read_dhcp_config(NetworkManager_t) -+sysnet_read_dhcpc_pid(NetworkManager_t) -+sysnet_delete_dhcpc_state(NetworkManager_t) -+sysnet_read_dhcpc_state(NetworkManager_t) -+sysnet_signal_dhcpc(NetworkManager_t) + tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +@@ -258,7 +274,26 @@ + ') -+userdom_stream_connect(NetworkManager_t) - userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) - userdom_dontaudit_use_user_ttys(NetworkManager_t) - # Read gnome-keyring - userdom_read_user_home_content_files(NetworkManager_t) -+userdom_dgram_send(NetworkManager_t) + optional_policy(` +- kerberos_read_keytab(ftpd_t) ++ kerberos_keytab_template(ftpd, ftpd_t) ++ kerberos_manage_host_rcache(ftpd_t) ++ selinux_validate_context(ftpd_t) ++') + -+cron_read_system_job_lib_files(NetworkManager_t) ++optional_policy(` ++ tunable_policy(`ftpd_connect_db',` ++ mysql_stream_connect(ftpd_t) ++ ') ++') + +optional_policy(` -+ avahi_domtrans(NetworkManager_t) -+ avahi_kill(NetworkManager_t) -+ avahi_signal(NetworkManager_t) -+ avahi_signull(NetworkManager_t) ++ tunable_policy(`ftpd_connect_db',` ++ 
postgresql_stream_connect(ftpd_t) ++ ') +') ++ ++tunable_policy(`ftpd_connect_db',` ++ corenet_tcp_connect_mysqld_port(ftpd_t) ++ corenet_tcp_connect_postgresql_port(ftpd_t) + ') optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) -+ bind_kill(NetworkManager_t) - bind_signal(NetworkManager_t) -+ bind_signull(NetworkManager_t) - ') - - optional_policy(` -@@ -146,8 +177,25 @@ +@@ -270,6 +305,14 @@ ') optional_policy(` -- dbus_system_bus_client(NetworkManager_t) -- dbus_connect_system_bus(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) -+ ++ dbus_system_bus_client(ftpd_t) + optional_policy(` -+ consolekit_dbus_chat(NetworkManager_t) ++ oddjob_dbus_chat(ftpd_t) ++ oddjob_domtrans_mkhomedir(ftpd_t) + ') +') + +optional_policy(` -+ dnsmasq_read_pid_files(NetworkManager_t) -+ dnsmasq_delete_pid_files(NetworkManager_t) -+ dnsmasq_domtrans(NetworkManager_t) -+ dnsmasq_initrc_domtrans(NetworkManager_t) -+ dnsmasq_kill(NetworkManager_t) -+ dnsmasq_signal(NetworkManager_t) -+ dnsmasq_signull(NetworkManager_t) -+') -+ -+optional_policy(` -+ hal_write_log(NetworkManager_t) - ') - - optional_policy(` -@@ -155,23 +203,50 @@ - ') - - optional_policy(` -- nis_use_ypbind(NetworkManager_t) -+ iptables_domtrans(NetworkManager_t) - ') - - optional_policy(` -- nscd_socket_use(NetworkManager_t) -+ nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) -+ nscd_signull(NetworkManager_t) -+ nscd_kill(NetworkManager_t) -+ nscd_initrc_domtrans(NetworkManager_t) -+') -+ -+optional_policy(` -+ # Dispatcher starting and stoping ntp -+ ntp_initrc_domtrans(NetworkManager_t) + seutil_sigchld_newrole(ftpd_t) ') - optional_policy(` - openvpn_domtrans(NetworkManager_t) -+ openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) -+ openvpn_signull(NetworkManager_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te 
serefpolicy-3.6.12/policy/modules/services/git.te +--- nsaserefpolicy/policy/modules/services/git.te 2009-04-07 15:53:35.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/git.te 2009-04-07 16:03:07.000000000 -0400 +@@ -7,3 +6,4 @@ + # - optional_policy(` -+ polkit_domtrans_auth(NetworkManager_t) -+ polkit_read_lib(NetworkManager_t) -+ polkit_read_reload(NetworkManager_t) -+ userdom_read_all_users_state(NetworkManager_t) -+') + apache_content_template(git) ++permissive httpd_git_script_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.12/policy/modules/services/gnomeclock.fc +--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,3 @@ + -+optional_policy(` -+ ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_read_pid_files(NetworkManager_t) -+ ppp_kill(NetworkManager_t) - ppp_signal(NetworkManager_t) -+ ppp_signull(NetworkManager_t) -+ ppp_read_config(NetworkManager_t) -+') ++/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -+optional_policy(` -+ rpm_exec(NetworkManager_t) -+ rpm_read_db(NetworkManager_t) -+ rpm_dontaudit_manage_db(NetworkManager_t) - ') - - optional_policy(` -@@ -179,12 +254,15 @@ - ') - - optional_policy(` -+ udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) - ') - - optional_policy(` - vpn_domtrans(NetworkManager_t) -+ vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) -+ vpn_signull(NetworkManager_t) - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.12/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ 
serefpolicy-3.6.12/policy/modules/services/nis.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,9 +1,13 @@ -- -+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) - /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - - /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - - /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - - /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) - /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.12/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/nis.if 2009-04-07 16:01:44.000000000 -0400 -@@ -28,7 +28,7 @@ - type var_yp_t; - ') - -- dontaudit $1 self:capability net_bind_service; -+ allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; -@@ -49,8 +49,8 @@ - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) -- corenet_tcp_bind_reserved_port($1) -- corenet_udp_bind_reserved_port($1) -+ corenet_dontaudit_tcp_bind_all_reserved_ports($1) -+ corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) -@@ -87,6 +87,25 @@ - - ######################################## - ## -+## Use the nis to 
authenticate passwords -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+# -+interface(`nis_authenticate',` -+ tunable_policy(`allow_ypbind',` -+ nis_use_ypbind_uncond($1) -+ corenet_tcp_bind_all_rpc_ports($1) -+ corenet_udp_bind_all_rpc_ports($1) -+ ') -+') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.12/policy/modules/services/gnomeclock.if +--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,69 @@ + -+######################################## -+## - ## Execute ypbind in the ypbind domain. - ## - ## -@@ -244,3 +263,130 @@ - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) - ') ++## policy for gnomeclock + +######################################## +## -+## Execute nis server in the nis domain. ++## Execute a domain transition to run gnomeclock. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed to transition. ++## +## +# -+# -+interface(`nis_initrc_domtrans',` ++interface(`gnomeclock_domtrans',` + gen_require(` -+ type nis_initrc_exec_t; ++ type gnomeclock_t; ++ type gnomeclock_exec_t; + ') + -+ init_labeled_script_domtrans($1, nis_initrc_exec_t) ++ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) +') + ++ +######################################## +## -+## Execute nis server in the nis domain. ++## Execute gnomeclock in the gnomeclock domain, and ++## allow the specified role the gnomeclock domain. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the gnomeclock domain. 
+## +## +# -+interface(`nis_ypbind_initrc_domtrans',` ++interface(`gnomeclock_run',` + gen_require(` -+ type ypbind_initrc_exec_t; ++ type gnomeclock_t; + ') + -+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t) ++ gnomeclock_domtrans($1) ++ role $2 types gnomeclock_t; +') + ++ +######################################## +## -+## All of the rules required to administrate -+## an nis environment ++## Send and receive messages from ++## gnomeclock over dbus. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed to manage the nis domain. -+## -+## -+## +# -+interface(`nis_admin',` ++interface(`gnomeclock_dbus_chat',` + gen_require(` -+ type ypbind_t, yppasswdd_t; -+ type ypserv_t, ypxfr_t; -+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; -+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -+ type ypbind_initrc_exec_t; -+ type nis_initrc_exec_t; ++ type gnomeclock_t; ++ class dbus send_msg; + ') + -+ allow $1 ypbind_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypbind_t) -+ -+ allow $1 yppasswdd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, yppasswdd_t) -+ -+ allow $1 ypserv_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypserv_t) -+ -+ allow $1 ypxfr_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypxfr_t) -+ -+ nis_initrc_domtrans($1) -+ nis_ypbind_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 nis_initrc_exec_t system_r; -+ role_transition $2 ypbind_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, ypbind_tmp_t) ++ allow $1 gnomeclock_t:dbus send_msg; ++ allow gnomeclock_t $1:dbus send_msg; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te +--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 ++++ 
serefpolicy-3.6.12/policy/modules/services/gnomeclock.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,51 @@ ++policy_module(gnomeclock, 1.0.0) ++######################################## ++# ++# Declarations ++# + -+ files_list_pids($1) -+ admin_pattern($1, ypbind_var_run_t) ++type gnomeclock_t; ++type gnomeclock_exec_t; ++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + -+ admin_pattern($1, yppasswdd_var_run_t) ++######################################## ++# ++# gnomeclock local policy ++# ++allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; ++allow gnomeclock_t self:process { getattr getsched }; ++allow gnomeclock_t self:fifo_file rw_fifo_file_perms; ++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + -+ files_list_etc($1) -+ admin_pattern($1, ypserv_conf_t) ++corecmd_exec_bin(gnomeclock_t) + -+ admin_pattern($1, ypserv_tmp_t) ++userdom_ptrace_all_users(gnomeclock_t) + -+ admin_pattern($1, ypserv_var_run_t) -+') ++files_read_etc_files(gnomeclock_t) ++files_read_usr_files(gnomeclock_t) + ++miscfiles_manage_localization(gnomeclock_t) ++miscfiles_etc_filetrans_localization(gnomeclock_t) + -+######################################## -+## -+## Execute ypbind in the ypbind domain, and -+## allow the specified role the ypbind domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the ypbind domain. 
-+## -+## -+## -+# -+interface(`nis_run_ypbind',` -+ gen_require(` -+ type ypbind_t; -+ ') ++fs_list_inotifyfs(gnomeclock_t) + -+ nis_domtrans_ypbind($1) -+ role $2 types ypbind_t; -+') ++auth_use_nsswitch(gnomeclock_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-04-07 16:01:44.000000000 -0400 -@@ -13,6 +13,9 @@ - type ypbind_exec_t; - init_daemon_domain(ypbind_t, ypbind_exec_t) - -+type ypbind_initrc_exec_t; -+init_script_file(ypbind_initrc_exec_t) ++miscfiles_read_localization(gnomeclock_t) + - type ypbind_tmp_t; - files_tmp_file(ypbind_tmp_t) - -@@ -44,6 +47,9 @@ - type ypxfr_exec_t; - init_daemon_domain(ypxfr_t, ypxfr_exec_t) - -+type nis_initrc_exec_t; -+init_script_file(nis_initrc_exec_t) ++userdom_read_all_users_state(gnomeclock_t) + - ######################################## - # - # ypbind local policy -@@ -111,6 +117,16 @@ - userdom_dontaudit_search_user_home_dirs(ypbind_t) - - optional_policy(` -+ dbus_system_bus_client(ypbind_t) -+ dbus_connect_system_bus(ypbind_t) -+ init_dbus_chat_script(ypbind_t) ++optional_policy(` ++ consolekit_dbus_chat(gnomeclock_t) ++') + -+ optional_policy(` -+ networkmanager_dbus_chat(ypbind_t) -+ ') ++optional_policy(` ++ clock_domtrans(gnomeclock_t) +') + +optional_policy(` - seutil_sigchld_newrole(ypbind_t) - ') - -@@ -123,6 +139,7 @@ - # yppasswdd local policy - # - -+allow yppasswdd_t self:capability dac_override; - dontaudit yppasswdd_t self:capability sys_tty_config; - allow yppasswdd_t self:fifo_file rw_fifo_file_perms; - allow yppasswdd_t self:process { setfscreate signal_perms }; -@@ -153,8 +170,8 @@ - corenet_udp_sendrecv_all_ports(yppasswdd_t) - corenet_tcp_bind_generic_node(yppasswdd_t) - corenet_udp_bind_generic_node(yppasswdd_t) 
--corenet_tcp_bind_reserved_port(yppasswdd_t) --corenet_udp_bind_reserved_port(yppasswdd_t) -+corenet_tcp_bind_all_rpc_ports(yppasswdd_t) -+corenet_udp_bind_all_rpc_ports(yppasswdd_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) - corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) - corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -241,6 +258,8 @@ - corenet_udp_bind_generic_node(ypserv_t) - corenet_tcp_bind_reserved_port(ypserv_t) - corenet_udp_bind_reserved_port(ypserv_t) -+corenet_tcp_bind_all_rpc_ports(ypserv_t) -+corenet_udp_bind_all_rpc_ports(ypserv_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) - corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -306,6 +325,8 @@ - corenet_udp_bind_generic_node(ypxfr_t) - corenet_tcp_bind_reserved_port(ypxfr_t) - corenet_udp_bind_reserved_port(ypxfr_t) -+corenet_tcp_bind_all_rpc_ports(ypxfr_t) -+corenet_udp_bind_all_rpc_ports(ypxfr_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) - corenet_tcp_connect_all_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.12/policy/modules/services/nscd.fc ---- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/nscd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - - /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) ++ polkit_domtrans_auth(gnomeclock_t) ++ polkit_read_lib(gnomeclock_t) ++ polkit_read_reload(gnomeclock_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.12/policy/modules/services/gpm.te +--- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 
15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/gpm.te 2009-04-07 16:01:44.000000000 -0400 +@@ -54,6 +54,8 @@ + dev_rw_input_dev(gpm_t) + dev_rw_mouse(gpm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.12/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/nscd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -58,6 +58,42 @@ ++files_read_etc_files(gpm_t) ++ + fs_getattr_all_fs(gpm_t) + fs_search_auto_mountpoints(gpm_t) - ######################################## - ## -+## Send NSCD the kill signal. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc +--- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,3 @@ ++ ++/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.12/policy/modules/services/gpsd.if +--- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/gpsd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,83 @@ ++## gpsd monitor daemon ++ ++######################################## ++## ++## Execute a domain transition to run gpsd. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. 
++## +## +# -+interface(`nscd_kill',` -+ gen_require(` -+ type nscd_t; -+ ') ++interface(`gpsd_domtrans',` ++ gen_require(` ++ type gpsd_t, gpsd_exec_t; ++ ') + -+ allow $1 nscd_t:process sigkill; ++ domtrans_pattern($1, gpsd_exec_t, gpsd_t) +') + +######################################## +## -+## Send signulls to NSCD. ++## Execute gpsd in the gpsd domain, and ++## allow the specified role the gpsd domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the gpsd domain. ++## +## +# -+interface(`nscd_signull',` -+ gen_require(` -+ type nscd_t; -+ ') ++interface(`gpsd_run',` ++ gen_require(` ++ type gpsd_t; ++ ') + -+ allow $1 nscd_t:process signull; ++ gpsd_domtrans($1) ++ role $2 types gpsd_t; ++') ++ ++######################################## ++## ++## Read and write to gpsd shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`gpsd_rw_shm',` ++ gen_require(` ++ type gpsd_t; ++ ') ++ ++ allow $1 gpsd_t:shm rw_shm_perms; +') + +######################################## +## - ## Use NSCD services by connecting using - ## a unix stream socket. 
- ## -@@ -70,15 +106,14 @@ - interface(`nscd_socket_use',` - gen_require(` - type nscd_t, nscd_var_run_t; -- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; -+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') - - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_t:fd use; -- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; -- -+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file { getattr read }; -@@ -198,3 +233,60 @@ - nscd_domtrans($1) - role $2 types nscd_t; - ') -+ -+######################################## -+## -+## Execute nscd server in the nscd domain. ++## Read/write gpsd tmpfs files. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## The type of the process performing this action. ++## +## +# -+interface(`nscd_initrc_domtrans',` -+ gen_require(` -+ type nscd_initrc_exec_t; -+') ++interface(`gpsd_rw_tmpfs_files',` ++ gen_require(` ++ type gpsd_tmpfs_t; ++ ') + -+ init_labeled_script_domtrans($1, nscd_initrc_exec_t) ++ fs_search_tmpfs($1) ++ allow $1 gpsd_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) ++ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te +--- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/gpsd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,52 @@ ++policy_module(gpsd,1.0.0) + +######################################## -+## -+## All of the rules required to administrate -+## an nscd environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+## The role to be allowed to manage the nscd domain. -+## -+## -+## +# -+interface(`nscd_admin',` -+ gen_require(` -+ type nscd_t, nscd_log_t, nscd_var_run_t; -+ type nscd_initrc_exec_t; -+ ') ++# Declarations ++# + -+ allow $1 nscd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nscd_t) -+ -+ nscd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 nscd_initrc_exec_t system_r; -+ allow $2 system_r; ++type gpsd_t; ++type gpsd_exec_t; ++application_domain(gpsd_t, gpsd_exec_t) ++role system_r types gpsd_t; + -+ logging_list_logs($1) -+ admin_pattern($1, nscd_log_t) ++type gpsd_tmpfs_t; ++files_tmpfs_file(gpsd_tmpfs_t) + -+ files_list_pids($1) -+ admin_pattern($1, nscd_var_run_t) -+') ++######################################## ++# ++# gpsd local policy ++# + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.12/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/nscd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -20,6 +20,9 @@ - type nscd_exec_t; - init_daemon_domain(nscd_t, nscd_exec_t) - -+type nscd_initrc_exec_t; -+init_script_file(nscd_initrc_exec_t) ++allow gpsd_t self:capability { setuid sys_nice setgid fowner }; ++allow gpsd_t self:process setsched; ++allow gpsd_t self:shm create_shm_perms; ++allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow gpsd_t self:tcp_socket create_stream_socket_perms; + - type nscd_log_t; - logging_log_file(nscd_log_t) - -@@ -28,14 +31,14 @@ - # Local policy - # - --allow nscd_t self:capability { kill setgid setuid audit_write }; -+allow nscd_t self:capability { kill setgid setuid }; - dontaudit nscd_t self:capability sys_tty_config; --allow nscd_t self:process { getattr setsched signal_perms }; -+allow nscd_t self:process { getattr getcap setcap setsched 
signal_perms }; - allow nscd_t self:fifo_file read_fifo_file_perms; - allow nscd_t self:unix_stream_socket create_stream_socket_perms; - allow nscd_t self:unix_dgram_socket create_socket_perms; - allow nscd_t self:netlink_selinux_socket create_socket_perms; --allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) ++manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) ++fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) + - allow nscd_t self:tcp_socket create_socket_perms; - allow nscd_t self:udp_socket create_socket_perms; - -@@ -50,6 +53,9 @@ - manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) - files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) - -+corecmd_search_bin(nscd_t) -+can_exec(nscd_t, nscd_exec_t) ++corenet_tcp_bind_all_nodes(gpsd_t) ++corenet_tcp_bind_gpsd_port(gpsd_t) + - kernel_read_kernel_sysctls(nscd_t) - kernel_list_proc(nscd_t) - kernel_read_proc_symlinks(nscd_t) -@@ -60,6 +66,7 @@ - - fs_getattr_all_fs(nscd_t) - fs_search_auto_mountpoints(nscd_t) -+fs_list_inotifyfs(nscd_t) - - # for when /etc/passwd has just been updated and has the wrong type - auth_getattr_shadow(nscd_t) -@@ -73,6 +80,7 @@ - corenet_udp_sendrecv_generic_node(nscd_t) - corenet_tcp_sendrecv_all_ports(nscd_t) - corenet_udp_sendrecv_all_ports(nscd_t) -+corenet_udp_bind_generic_node(nscd_t) - corenet_tcp_connect_all_ports(nscd_t) - corenet_sendrecv_all_client_packets(nscd_t) - corenet_rw_tun_tap_dev(nscd_t) -@@ -84,12 +92,14 @@ - selinux_compute_relabel_context(nscd_t) - selinux_compute_user_contexts(nscd_t) - domain_use_interactive_fds(nscd_t) -+domain_search_all_domains_state(nscd_t) - - files_read_etc_files(nscd_t) - files_read_generic_tmp_symlinks(nscd_t) - # Needed to read files created by firstboot "/etc/hesiod.conf" - files_read_etc_runtime_files(nscd_t) - -+logging_send_audit_msgs(nscd_t) - logging_send_syslog_msg(nscd_t) - - 
miscfiles_read_localization(nscd_t) -@@ -105,6 +115,14 @@ - userdom_dontaudit_search_user_home_dirs(nscd_t) - - optional_policy(` -+ cron_read_system_job_tmp_files(nscd_t) -+') ++term_use_unallocated_ttys(gpsd_t) ++term_setattr_unallocated_ttys(gpsd_t) + -+optional_policy(` -+ kerberos_use(nscd_t) -+') ++auth_use_nsswitch(gpsd_t) ++ ++logging_send_syslog_msg(gpsd_t) ++ ++miscfiles_read_localization(gpsd_t) + +optional_policy(` - udev_read_db(nscd_t) - ') - -@@ -112,3 +130,12 @@ - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) - ') ++ ntpd_rw_shm(gpsd_t) ++ ntpd_rw_tmpfs_files(gpsd_t) ++') + +optional_policy(` -+ tunable_policy(`samba_domain_controller',` -+ samba_append_log(nscd_t) -+ samba_dontaudit_use_fds(nscd_t) -+ ') -+ samba_read_config(nscd_t) -+ samba_read_var_files(nscd_t) ++ dbus_system_bus_client(gpsd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.12/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/ntp.if 2009-04-07 16:01:44.000000000 -0400 -@@ -37,6 +37,32 @@ ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.12/policy/modules/services/hal.fc +--- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/hal.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -5,6 +5,7 @@ + /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) + + /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) ++/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) + /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) + /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) + 
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.12/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/hal.if 2009-04-09 10:12:15.000000000 -0400 +@@ -20,6 +20,24 @@ ######################################## ## -+## Execute ntp in the ntp domain, and -+## allow the specified role the ntp domain. ++## Execute hal mac in the hal mac domain. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed the ntp domain. -+## -+## -+## +# -+interface(`ntp_run',` ++interface(`hal_domtrans_mac',` + gen_require(` -+ type ntpd_t; ++ type hald_mac_t, hald_mac_exec_t; + ') + -+ ntp_domtrans($1) -+ role $2 types ntpd_t; ++ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) +') + +######################################## +## - ## Execute ntp server in the ntpd domain. + ## Get the attributes of a hal process. ## ## -@@ -56,6 +82,63 @@ +@@ -51,10 +69,7 @@ + type hald_t; + ') + +- allow $1 hald_t:dir list_dir_perms; +- read_files_pattern($1, hald_t, hald_t) +- read_lnk_files_pattern($1, hald_t, hald_t) +- dontaudit $1 hald_t:process ptrace; ++ ps_process_pattern($1, hald_t) + ') + + ######################################## +@@ -170,6 +185,24 @@ ######################################## ## -+## Execute ntp server in the ntpd domain. ++## Allo read/write to a hal unix datagram socket. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. 
+## +## +# -+interface(`ntp_initrc_domtrans',` ++interface(`hal_rw_dgram_sockets',` + gen_require(` -+ type ntpd_initrc_exec_t; ++ type hald_t; + ') + -+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ++ dontaudit $1 hald_t:unix_dgram_socket { read write }; +') + -+####################################### ++######################################## +## -+## Read/write ntpdd tmpfs files. + ## Send to hal over a unix domain + ## stream socket. + ## +@@ -340,3 +373,62 @@ + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; + ') ++ ++######################################## ++## ++## Manage hald PID dirs. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`ntpd_rw_tmpfs_files',` -+ gen_require(` -+ type ntpd_tmpfs_t; -+ ') ++interface(`hal_manage_pid_dirs',` ++ gen_require(` ++ type hald_var_run_t; ++ ') + -+ fs_search_tmpfs($1) -+ list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t) -+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) -+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) ++ files_search_pids($1) ++ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## -+## -+## Read and write to ntpd shared memory. ++## ++## Manage hald PID files. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`ntpd_rw_shm',` -+ gen_require(` -+ type ntpd_t; -+ ') ++interface(`hal_manage_pid_files',` ++ gen_require(` ++ type hald_var_run_t; ++ ') + -+ allow $1 ntpd_t:shm rw_shm_perms; ++ files_search_pids($1) ++ manage_files_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## - ## All of the rules required to administrate - ## an ntp environment - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.12/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ntp.te 2009-04-07 16:01:44.000000000 -0400 -@@ -25,6 +25,9 @@ - type ntpd_tmp_t; - files_tmp_file(ntpd_tmp_t) - -+type ntpd_tmpfs_t; -+files_tmpfs_file(ntpd_tmpfs_t) ++## Manage hald log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_create_log',` ++ gen_require(` ++ type hald_log_t; ++ ') + - type ntpd_var_run_t; - files_pid_file(ntpd_var_run_t) - -@@ -38,10 +41,11 @@ - - # sys_resource and setrlimit is for locking memory - # ntpdate wants sys_nice --allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; -+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; - dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; - allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; - allow ntpd_t self:fifo_file rw_fifo_file_perms; -+allow ntpd_t self:shm create_shm_perms; - allow ntpd_t self:unix_dgram_socket create_socket_perms; - allow ntpd_t self:unix_stream_socket create_socket_perms; - allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -52,6 +56,7 @@ - can_exec(ntpd_t,ntpd_exec_t) - - read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) 
-+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - - allow ntpd_t ntpd_log_t:dir setattr; - manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) -@@ -62,6 +67,10 @@ - manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) - files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) ++ # log files for hald ++ manage_files_pattern($1, hald_log_t, hald_log_t) ++ logging_log_filetrans($1, hald_log_t, file) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te +--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-11 07:33:35.000000000 -0400 +@@ -49,6 +49,15 @@ + type hald_var_lib_t; + files_type(hald_var_lib_t) -+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) ++typealias hald_log_t alias pmtools_log_t; ++typealias hald_var_run_t alias pmtools_var_run_t; + - manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) - files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) ++type hald_dccm_t; ++type hald_dccm_exec_t; ++domain_type(hald_dccm_t) ++domain_entry_file(hald_dccm_t, hald_dccm_exec_t) ++role system_r types hald_dccm_t; ++ + ######################################## + # + # Local policy +@@ -143,11 +152,16 @@ + files_getattr_all_dirs(hald_t) + files_read_kernel_img(hald_t) + files_rw_lock_dirs(hald_t) ++files_read_generic_pids(hald_t) -@@ -90,6 +99,9 @@ + fs_getattr_all_fs(hald_t) + fs_search_all(hald_t) + fs_list_inotifyfs(hald_t) + fs_list_auto_mountpoints(hald_t) ++fs_mount_dos_fs(hald_t) ++fs_unmount_dos_fs(hald_t) ++fs_manage_dos_files(hald_t) ++ + files_getattr_all_mountpoints(hald_t) - fs_getattr_all_fs(ntpd_t) - fs_search_auto_mountpoints(ntpd_t) -+# Necessary to communicate with gpsd devices -+fs_rw_tmpfs_files(ntpd_t) 
-+fs_list_inotifyfs(ntpd_t) + mls_file_read_all_levels(hald_t) +@@ -195,6 +209,7 @@ + seutil_read_file_contexts(hald_t) - term_use_ptmx(ntpd_t) + sysnet_read_config(hald_t) ++sysnet_domtrans_dhcpc(hald_t) -@@ -121,6 +133,11 @@ + userdom_dontaudit_use_unpriv_user_fds(hald_t) + userdom_dontaudit_search_user_home_dirs(hald_t) +@@ -277,6 +292,17 @@ ') optional_policy(` -+ gpsd_rw_shm(ntpd_t) -+ gpsd_rw_tmpfs_files(ntpd_t) ++ ppp_read_rw_config(hald_t) +') + +optional_policy(` - firstboot_dontaudit_use_fds(ntpd_t) - firstboot_dontaudit_rw_pipes(ntpd_t) - firstboot_dontaudit_rw_stream_sockets(ntpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.12/policy/modules/services/nx.te ---- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/nx.te 2009-04-07 16:01:44.000000000 -0400 -@@ -25,6 +25,9 @@ - type nx_server_var_run_t; - files_pid_file(nx_server_var_run_t) ++ polkit_domtrans_auth(hald_t) ++ polkit_domtrans_resolve(hald_t) ++ polkit_read_lib(hald_t) ++ polkit_read_reload(hald_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(hald_t) + ') -+type nx_server_home_ssh_t; -+files_type(nx_server_home_ssh_t) +@@ -301,12 +327,16 @@ + virt_manage_images(hald_t) + ') + ++optional_policy(` ++ xserver_read_pid(hald_t) ++') + ######################################## # - # NX server local policy -@@ -44,6 +47,9 @@ - manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) - files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + # Hal acl local policy + # -+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -+ - kernel_read_system_state(nx_server_t) - kernel_read_kernel_sysctls(nx_server_t) +-allow hald_acl_t self:capability { dac_override fowner }; ++allow hald_acl_t self:capability { 
dac_override fowner sys_resource }; + allow hald_acl_t self:process { getattr signal }; + allow hald_acl_t self:fifo_file rw_fifo_file_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.12/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/oddjob.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,4 +1,4 @@ --/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +@@ -321,6 +351,7 @@ + manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) + manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) + files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) ++allow hald_t hald_var_run_t:dir mounton; - /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + corecmd_exec_bin(hald_acl_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.12/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/oddjob.if 2009-04-07 16:01:44.000000000 -0400 -@@ -44,6 +44,7 @@ - ') +@@ -339,6 +370,8 @@ - domtrans_pattern(oddjob_t, $2, $1) -+ domain_user_exemption_target($1) - ') + storage_getattr_removable_dev(hald_acl_t) + storage_setattr_removable_dev(hald_acl_t) ++storage_getattr_fixed_disk_dev(hald_acl_t) ++storage_setattr_fixed_disk_dev(hald_acl_t) - ######################################## -@@ -84,3 +85,28 @@ + auth_use_nsswitch(hald_acl_t) - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - ') +@@ -346,12 +379,18 @@ + + miscfiles_read_localization(hald_acl_t) + ++optional_policy(` ++ polkit_domtrans_auth(hald_acl_t) ++ 
polkit_read_lib(hald_acl_t) ++ polkit_read_reload(hald_acl_t) ++') + -+######################################## -+## -+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the oddjob_mkhomedir domain. -+## -+## -+## -+# -+interface(`oddjob_run_mkhomedir',` -+ gen_require(` -+ type oddjob_mkhomedir_t; -+ ') -+ -+ oddjob_domtrans_mkhomedir($1) -+ role $2 types oddjob_mkhomedir_t; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.12/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/oddjob.te 2009-04-07 16:01:44.000000000 -0400 -@@ -10,14 +10,21 @@ - type oddjob_exec_t; - domain_type(oddjob_t) - init_daemon_domain(oddjob_t, oddjob_exec_t) -+domain_obj_id_change_exemption(oddjob_t) -+domain_role_change_exemption(oddjob_t) - domain_subj_id_change_exemption(oddjob_t) + ######################################## + # + # Local hald mac policy + # - type oddjob_mkhomedir_t; - type oddjob_mkhomedir_exec_t; - domain_type(oddjob_mkhomedir_t) --init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -+domain_obj_id_change_exemption(oddjob_mkhomedir_t) -+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +-allow hald_mac_t self:capability { setgid setuid }; ++allow hald_mac_t self:capability { setgid setuid sys_admin }; -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) -+') + domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) + allow hald_t hald_mac_t:process signal; +@@ -374,6 +413,8 @@ + + auth_use_nsswitch(hald_mac_t) + ++logging_send_syslog_msg(hald_mac_t) + - # pid files - type oddjob_var_run_t; - files_pid_file(oddjob_var_run_t) -@@ 
-65,13 +72,32 @@ - # oddjob_mkhomedir local policy - # + miscfiles_read_localization(hald_mac_t) -+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -+allow oddjob_mkhomedir_t self:process setfscreate; - allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; - allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + ######################################## +@@ -415,6 +456,55 @@ - files_read_etc_files(oddjob_mkhomedir_t) + dev_rw_input_dev(hald_keymap_t) -+kernel_read_system_state(oddjob_mkhomedir_t) -+ -+auth_use_nsswitch(oddjob_mkhomedir_t) ++files_read_etc_files(hald_keymap_t) + files_read_usr_files(hald_keymap_t) + + miscfiles_read_localization(hald_keymap_t) + -+logging_send_syslog_msg(oddjob_mkhomedir_t) ++# This is caused by a bug in hald and PolicyKit. ++# Should be removed when this is fixed ++cron_read_system_job_lib_files(hald_t) + - miscfiles_read_localization(oddjob_mkhomedir_t) - -+selinux_get_fs_mount(oddjob_mkhomedir_t) -+selinux_validate_context(oddjob_mkhomedir_t) -+selinux_compute_access_vector(oddjob_mkhomedir_t) -+selinux_compute_create_context(oddjob_mkhomedir_t) -+selinux_compute_relabel_context(oddjob_mkhomedir_t) -+selinux_compute_user_contexts(oddjob_mkhomedir_t) ++######################################## ++# ++# Local hald dccm policy ++# ++allow hald_dccm_t self:capability { net_bind_service }; ++allow hald_dccm_t self:process getsched; ++allow hald_dccm_t self:tcp_socket create_stream_socket_perms; ++allow hald_dccm_t self:udp_socket create_socket_perms; ++allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; + -+seutil_read_config(oddjob_mkhomedir_t) -+seutil_read_file_contexts(oddjob_mkhomedir_t) -+seutil_read_default_contexts(oddjob_mkhomedir_t) ++domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) ++allow hald_t hald_dccm_t:process signal; ++allow hald_dccm_t hald_t:unix_stream_socket connectto; + - # Add/remove user home directories - 
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) - userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.12/policy/modules/services/pads.fc ---- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pads.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,12 @@ ++corenet_all_recvfrom_unlabeled(hald_dccm_t) ++corenet_all_recvfrom_netlabel(hald_dccm_t) ++corenet_tcp_sendrecv_generic_if(hald_dccm_t) ++corenet_udp_sendrecv_generic_if(hald_dccm_t) ++corenet_tcp_sendrecv_generic_node(hald_dccm_t) ++corenet_udp_sendrecv_generic_node(hald_dccm_t) ++corenet_tcp_sendrecv_all_ports(hald_dccm_t) ++corenet_udp_sendrecv_all_ports(hald_dccm_t) ++corenet_tcp_bind_generic_node(hald_dccm_t) ++corenet_udp_bind_generic_node(hald_dccm_t) ++corenet_udp_bind_dhcpc_port(hald_dccm_t) ++corenet_tcp_bind_ftps_port(hald_dccm_t) ++corenet_tcp_bind_dccm_port(hald_dccm_t) + -+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) ++kernel_search_network_sysctl(hald_dccm_t) + -+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) ++logging_send_syslog_msg(hald_dccm_t) + -+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) ++manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++files_search_var_lib(hald_dccm_t) + -+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) ++write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.12/policy/modules/services/pads.if ---- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,10 @@ -+## SELinux policy for PADS daemon. -+## -+##

-+## PADS is a libpcap based detection engine used to -+## passively detect network assets. It is designed to -+## complement IDS technology by providing context to IDS -+## alerts. -+##

-+##
++files_read_usr_files(hald_dccm_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.12/policy/modules/services/pads.te ---- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pads.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,65 @@ ++miscfiles_read_localization(hald_dccm_t) + -+policy_module(pads, 0.0.1) ++permissive hald_dccm_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.12/policy/modules/services/ifplugd.fc +--- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ifplugd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,9 @@ + -+######################################## -+# -+# Declarations -+# ++/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) + -+type pads_t; -+type pads_exec_t; -+init_daemon_domain(pads_t, pads_exec_t) -+role system_r types pads_t; ++/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) + -+type pads_initrc_exec_t; -+init_script_file(pads_initrc_exec_t) ++/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) + -+type pads_config_t; -+files_config_file(pads_config_t) ++/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) + -+type pads_var_run_t; -+files_pid_file(pads_var_run_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.12/policy/modules/services/ifplugd.if +--- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ifplugd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,194 @@ ++## policy for ifplugd + +######################################## ++## ++## Execute a domain 
transition to run ifplugd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## +# -+# Declarations -+# -+ -+allow pads_t self:capability { dac_override net_raw }; -+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; -+allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; -+allow pads_t self:udp_socket { create ioctl }; -+allow pads_t self:unix_dgram_socket { write create connect }; ++interface(`ifplugd_domtrans',` ++ gen_require(` ++ type ifplugd_t, ifplugd_exec_t; ++ ') + -+allow pads_t pads_config_t:file manage_file_perms; -+files_etc_filetrans(pads_t, pads_config_t, file) ++ domtrans_pattern($1,ifplugd_exec_t,ifplugd_t) ++') + -+allow pads_t pads_var_run_t:file manage_file_perms; -+files_pid_filetrans(pads_t, pads_var_run_t, file) ++######################################## ++## ++## Read and write ifplugd UDP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ifplugd_rw_udp_sockets',` ++ gen_require(` ++ type ifplugd_t; ++ ') + -+corecmd_search_bin(pads_t) ++ allow $1 ifplugd_t:udp_socket { read write }; ++') + -+corenet_all_recvfrom_unlabeled(pads_t) -+corenet_all_recvfrom_netlabel(pads_t) -+corenet_tcp_sendrecv_generic_if(pads_t) -+corenet_tcp_sendrecv_generic_node(pads_t) ++######################################## ++## ++## Read and write ifplugd packet sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ifplugd_rw_packet_sockets',` ++ gen_require(` ++ type ifplugd_t; ++ ') + -+corenet_tcp_connect_prelude_port(pads_t) ++ allow $1 ifplugd_t:packet_socket { read write }; ++') + -+dev_read_rand(pads_t) -+dev_read_urand(pads_t) ++######################################## ++## ++## Read and write ifplugd netlink ++## routing sockets. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`ifplugd_rw_routing_sockets',` ++ gen_require(` ++ type ifplugd_t; ++ ') + -+kernel_read_sysctl(pads_t) -+ -+files_read_etc_files(pads_t) -+files_search_spool(pads_t) -+ -+miscfiles_read_localization(pads_t) -+ -+logging_send_syslog_msg(pads_t) -+ -+sysnet_dns_name_resolve(pads_t) -+ -+optional_policy(` -+ prelude_manage_spool(pads_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.12/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pegasus.te 2009-04-07 16:01:44.000000000 -0400 -@@ -30,7 +30,7 @@ - # Local policy - # - --allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; - dontaudit pegasus_t self:capability sys_tty_config; - allow pegasus_t self:process signal; - allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -66,6 +66,8 @@ - kernel_read_system_state(pegasus_t) - kernel_search_vm_sysctl(pegasus_t) - kernel_read_net_sysctls(pegasus_t) -+kernel_read_xen_state(pegasus_t) -+kernel_write_xen_state(pegasus_t) - - corenet_all_recvfrom_unlabeled(pegasus_t) - corenet_all_recvfrom_netlabel(pegasus_t) -@@ -96,13 +98,12 @@ - - auth_use_nsswitch(pegasus_t) - auth_domtrans_chk_passwd(pegasus_t) -+auth_read_shadow(pegasus_t) - - domain_use_interactive_fds(pegasus_t) - domain_read_all_domains_state(pegasus_t) - --files_read_etc_files(pegasus_t) --files_list_var_lib(pegasus_t) --files_read_var_lib_files(pegasus_t) -+files_read_all_files(pegasus_t) - files_read_var_lib_symlinks(pegasus_t) - - hostname_exec(pegasus_t) -@@ -115,7 +116,6 @@ - - miscfiles_read_localization(pegasus_t) - --sysnet_read_config(pegasus_t) - sysnet_domtrans_ifconfig(pegasus_t) - - 
userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -@@ -126,6 +126,14 @@ - ') - - optional_policy(` -+ samba_manage_config(pegasus_t) -+') -+ -+optional_policy(` -+ ssh_exec(pegasus_t) ++ allow $1 ifplugd_t:netlink_route_socket { read write }; +') + -+optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) - ') -@@ -137,3 +145,13 @@ - optional_policy(` - unconfined_signull(pegasus_t) - ') -+ -+optional_policy(` -+ virt_domtrans(pegasus_t) -+ virt_manage_config(pegasus_t) -+') ++######################################## ++## ++## Send a generic signal to ifplugd ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ifplugd_signal',` ++ gen_require(` ++ type ifplugd_t; ++ ') + -+optional_policy(` -+ xen_stream_connect(pegasus_t) -+ xen_stream_connect_xenstore(pegasus_t) ++ allow $1 ifplugd_t:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.12/policy/modules/services/pingd.fc ---- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pingd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,11 @@ -+ -+/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) -+ -+/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) -+ -+/usr/lib/pingd(/.*)? 
gen_context(system_u:object_r:pingd_modules_t,s0) -+ -+/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.12/policy/modules/services/pingd.if ---- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pingd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,99 @@ -+## policy for pingd + +######################################## +## -+## Execute a domain transition to run pingd. ++## Read ifplugd etc configuration files. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## ++## +# -+interface(`pingd_domtrans',` -+ gen_require(` -+ type pingd_t, pingd_exec_t; -+ ') ++interface(`ifplugd_read_etc',` ++ gen_require(` ++ type ifplugd_etc_t; ++ ') + -+ domtrans_pattern($1,pingd_exec_t,pingd_t) ++ files_search_etc($1) ++ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) +') + -+####################################### ++######################################## +## -+## Read pingd etc configuration files. ++## Manage ifplugd etc configuration files. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`pingd_read_etc',` ++interface(`ifplugd_manage_etc',` + gen_require(` -+ type pingd_etc_t; ++ type ifplugd_etc_t; + ') + -+ files_search_etc($1) -+ read_files_pattern($1, pingd_etc_t, pingd_etc_t) -+') ++ files_search_etc($1) ++ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) ++ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) + -+####################################### ++') ++ ++######################################## +## -+## Manage pingd etc configuration files. ++## Read ifplugd PID files. +## +## +## +## Domain allowed access. 
+## +## ++## +# -+interface(`pingd_manage_etc',` ++interface(`ifplugd_read_pid_files',` + gen_require(` -+ type pingd_etc_t; ++ type ifplugd_var_run_t; + ') + -+ files_search_etc($1) -+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) -+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t) -+ ++ files_search_pids($1) ++ allow $1 ifplugd_var_run_t:file read_file_perms; +') + -+####################################### ++######################################## +## +## All of the rules required to administrate -+## an pingd environment ++## an ifplugd environment +## +## +## 
@@ -15324,1317 +13700,1305 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the pingd domain. ++## The role to be allowed to manage the ifplugd domain. +## +## +## ++## +# -+interface(`pingd_admin',` ++interface(`ifplugd_admin',` + gen_require(` -+ type pingd_t, pingd_etc_t; -+ type pingd_initrc_exec_t, pingd_modules_t; ++ type ifplugd_t, ifplugd_etc_t; ++ type ifplugd_var_run_t, ifplugd_initrc_exec_t; + ') + -+ allow $1 pingd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pingd_t) ++ allow $1 ifplugd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ifplugd_t) + -+ init_labeled_script_domtrans($1, pingd_initrc_exec_t) ++ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) + domain_system_change_exemption($1) -+ role_transition $2 pingd_initrc_exec_t system_r; ++ role_transition $2 ifplugd_initrc_exec_t system_r; + allow $2 system_r; + -+ files_list_etc($1) -+ admin_pattern($1, pingd_etc_t) -+ -+ files_list_usr($1) -+ admin_pattern($1, pingd_modules_t) ++ files_list_etc($1) ++ admin_pattern($1, ifplugd_etc_t) + ++ files_list_pids($1) ++ admin_pattern($1, ifplugd_var_run_t) ++ +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.12/policy/modules/services/pingd.te ---- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pingd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,54 @@ -+policy_module(pingd,1.0.0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.12/policy/modules/services/ifplugd.te +--- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ifplugd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,89 @@ 
++policy_module(ifplugd,1.0.0) + +######################################## +# +# Declarations +# + -+type pingd_t; -+type pingd_exec_t; -+init_daemon_domain(pingd_t, pingd_exec_t) ++type ifplugd_t; ++type ifplugd_exec_t; ++init_daemon_domain(ifplugd_t, ifplugd_exec_t) + -+type pingd_initrc_exec_t; -+init_script_file(pingd_initrc_exec_t) ++type ifplugd_initrc_exec_t; ++init_script_file(ifplugd_initrc_exec_t) + -+# type for config -+type pingd_etc_t; -+files_type(pingd_etc_t); ++# config files ++type ifplugd_etc_t; ++files_type(ifplugd_etc_t) + -+# type for pingd modules -+type pingd_modules_t; -+files_type(pingd_modules_t) ++# pid files ++type ifplugd_var_run_t; ++files_pid_file(ifplugd_var_run_t) + +######################################## +# -+# pingd local policy ++# ifplugd local policy +# + -+allow pingd_t self:capability net_raw; -+allow pingd_t self:tcp_socket create_stream_socket_perms; -+allow pingd_t self:rawip_socket { write read create bind }; ++allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; ++dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; ++allow ifplugd_t self:process { signal signull }; + -+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) ++allow ifplugd_t self:fifo_file rw_fifo_file_perms; ++allow ifplugd_t self:tcp_socket create_stream_socket_perms; ++allow ifplugd_t self:udp_socket create_socket_perms; ++allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; ++allow ifplugd_t self:packet_socket create_socket_perms; + -+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) -+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) ++# pid file ++manage_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) ++manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) ++files_pid_filetrans(ifplugd_t,ifplugd_var_run_t, { file sock_file }) + -+corenet_raw_bind_generic_node(pingd_t) -+corenet_tcp_bind_generic_node(pingd_t) 
-+corenet_tcp_bind_pingd_port(pingd_t) ++# config files ++read_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) ++exec_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) + -+auth_use_nsswitch(pingd_t) ++kernel_read_system_state(ifplugd_t) ++kernel_read_network_state(ifplugd_t) ++kernel_search_network_sysctl(ifplugd_t) ++kernel_rw_net_sysctls(ifplugd_t) ++kernel_read_kernel_sysctls(ifplugd_t) + -+files_search_usr(pingd_t) ++# reading of hardware information ++dev_read_sysfs(ifplugd_t) + -+libs_use_ld_so(pingd_t) -+libs_use_shared_libs(pingd_t) -+miscfiles_read_localization(pingd_t) ++corecmd_exec_shell(ifplugd_t) ++corecmd_exec_bin(ifplugd_t) + -+logging_send_syslog_msg(pingd_t) ++domain_read_confined_domains_state(ifplugd_t) ++domain_dontaudit_read_all_domains_state(ifplugd_t) + -+permissive pingd_t; ++auth_use_nsswitch(ifplugd_t) + ++libs_use_ld_so(ifplugd_t) ++libs_use_shared_libs(ifplugd_t) ++miscfiles_read_localization(ifplugd_t) + ++logging_send_syslog_msg(ifplugd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc ---- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,11 @@ ++netutils_domtrans(ifplugd_t) ++# transition to ifconfig & dhcpc ++sysnet_domtrans_ifconfig(ifplugd_t) ++sysnet_domtrans_dhcpc(ifplugd_t) + -+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) -+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) -+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) -+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) ++sysnet_delete_dhcpc_pid(ifplugd_t) ++sysnet_read_dhcpc_pid(ifplugd_t) ++sysnet_signal_dhcpc(ifplugd_t) 
++#sysnet_kill_dhcpc(ifplugd_t) ++#sysnet_manage_config(ifplugd_t) ++#sysnet_read_dhcp_config(ifplugd_t) ++#sysnet_search_dhcp_state(ifplugd_t) + -+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) -+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) -+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++optional_policy(` ++ consoletype_exec(ifplugd_t) ++') + -+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if ---- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,241 @@ ++permissive ifplugd_t; + -+## policy for polkit_auth + -+######################################## -+## -+## Execute a domain transition to run polkit_auth. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if +--- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if 2009-04-07 16:01:44.000000000 -0400 +@@ -63,6 +63,25 @@ + + ######################################## + ## ++## Allow domain to manage kerneloops tmp files +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain to not audit. 
++## +## +# -+interface(`polkit_domtrans_auth',` ++interface(`kerneloops_manage_tmp_files',` + gen_require(` -+ type polkit_auth_t; -+ type polkit_auth_exec_t; ++ type kerneloops_tmp_t; + ') + -+ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) ++ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) ++ files_search_tmp($1) +') + +######################################## +## -+## Search polkit lib directories. + ## All of the rules required to administrate + ## an kerneloops environment + ## +@@ -81,6 +100,7 @@ + interface(`kerneloops_admin',` + gen_require(` + type kerneloops_t, kerneloops_initrc_exec_t; ++ type kerneloops_tmp_t; + ') + + allow $1 kerneloops_t:process { ptrace signal_perms }; +@@ -90,4 +110,7 @@ + domain_system_change_exemption($1) + role_transition $2 kerneloops_initrc_exec_t system_r; + allow $2 system_r; ++ ++ admin_pattern($1, kerneloops_tmp_t) + ') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te +--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-04-07 16:01:44.000000000 -0400 +@@ -13,6 +13,9 @@ + type kerneloops_initrc_exec_t; + init_script_file(kerneloops_initrc_exec_t) + ++type kerneloops_tmp_t; ++files_tmp_file(kerneloops_tmp_t) ++ + ######################################## + # + # kerneloops local policy +@@ -23,8 +26,13 @@ + allow kerneloops_t self:fifo_file rw_file_perms; + allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) ++files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) ++ + kernel_read_ring_buffer(kerneloops_t) + ++fs_list_inotifyfs(kerneloops_t) ++ + # Init script handling + domain_use_interactive_fds(kerneloops_t) + +@@ -46,6 +54,5 @@ + sysnet_dns_name_resolve(kerneloops_t) + + 
optional_policy(` +- dbus_system_bus_client(kerneloops_t) +- dbus_connect_system_bus(kerneloops_t) ++ dbus_system_domain(kerneloops_t, kerneloops_exec_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.12/policy/modules/services/ktalk.te +--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ktalk.te 2009-04-07 16:01:44.000000000 -0400 +@@ -69,6 +69,7 @@ + files_read_etc_files(ktalkd_t) + + term_search_ptys(ktalkd_t) ++term_use_all_terms(ktalkd_t) + + auth_use_nsswitch(ktalkd_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.12/policy/modules/services/lircd.fc +--- nsaserefpolicy/policy/modules/services/lircd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/lircd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,9 @@ ++ ++/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) ++ ++/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) ++/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) ++ ++/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) ++ ++/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.12/policy/modules/services/lircd.if +--- nsaserefpolicy/policy/modules/services/lircd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/lircd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,100 @@ ++## Lirc daemon ++ ++######################################## ++## ++## Execute a domain transition to run lircd. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. 
++## +## +# -+interface(`polkit_search_lib',` ++interface(`lircd_domtrans',` + gen_require(` -+ type polkit_var_lib_t; ++ type lircd_t, lircd_exec_t; + ') + -+ allow $1 polkit_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ domain_auto_trans($1,lircd_exec_t,lircd_t) ++ +') + -+######################################## ++####################################### +## -+## read polkit lib files ++## Read lircd etc file +## +## -+## -+## Domain allowed access. -+## ++## ++## The type of the process performing this action. ++## +## +# -+interface(`polkit_read_lib',` ++interface(`lircd_read_etc',` + gen_require(` -+ type polkit_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++ type lircd_etc_t; ++ ') + -+ # Broken placement -+ cron_read_system_job_lib_files($1) ++ read_files_pattern($1, lircd_etc_t, lircd_etc_t) +') + -+######################################## ++###################################### +## -+## read polkit reload files ++## Connect to lircd over a unix domain ++## stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`polkit_read_reload',` -+ gen_require(` -+ type polkit_reload_t; -+ ') ++interface(`lircd_stream_connect',` ++ gen_require(` ++ type lircd_sock_t, lircd_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, polkit_reload_t, polkit_reload_t) ++ allow $1 lircd_t:unix_stream_socket connectto; ++ allow $1 lircd_sock_t:sock_file { getattr write }; ++ files_search_pids($1) +') + +######################################## +## -+## rw polkit reload files ++## All of the rules required to administrate ++## an lircd environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the syslog domain. 
++## ++## ++## +# -+interface(`polkit_rw_reload',` ++interface(`lircd_admin',` + gen_require(` -+ type polkit_reload_t; ++ type lircd_t, lircd_var_run_t, lircd_sock_t; ++ type lircd_initrc_exec_t, lircd_etc_t; + ') + -+ files_search_var_lib($1) -+ rw_files_pattern($1, polkit_reload_t, polkit_reload_t) -+') ++ allow $1 lircd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, lircd_t) + -+######################################## -+## -+## Execute a domain transition to run polkit_grant. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`polkit_domtrans_grant',` -+ gen_require(` -+ type polkit_grant_t; -+ type polkit_grant_exec_t; -+ ') -+ -+ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) -+') -+ -+######################################## -+## -+## Execute a domain transition to run polkit_resolve. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`polkit_domtrans_resolve',` -+ gen_require(` -+ type polkit_resolve_t; -+ type polkit_resolve_exec_t; -+ ') -+ -+ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) -+ -+ allow polkit_resolve_t $1:dir list_dir_perms; -+ read_files_pattern(polkit_resolve_t, $1, $1) -+ read_lnk_files_pattern(polkit_resolve_t, $1, $1) -+ allow polkit_resolve_t $1:process getattr; -+') -+ -+######################################## -+## -+## Execute a policy_grant in the policy_grant domain, and -+## allow the specified role the policy_grant domain, -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the load_policy domain. 
-+## -+## -+## -+# -+interface(`polkit_run_grant',` -+ gen_require(` -+ type polkit_grant_t; -+ ') -+ -+ polkit_domtrans_grant($1) -+ role $2 types polkit_grant_t; -+ allow $1 polkit_grant_t:process signal; -+ read_files_pattern(polkit_grant_t, $1, $1) -+ allow polkit_grant_t $1:process getattr; -+') ++ init_labeled_script_domtrans($1, lircd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 lircd_initrc_exec_t system_r; ++ allow $2 system_r; + -+######################################## -+## -+## Execute a policy_auth in the policy_auth domain, and -+## allow the specified role the policy_auth domain, -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the load_policy domain. -+## -+## -+# -+interface(`polkit_run_auth',` -+ gen_require(` -+ type polkit_auth_t; -+ ') ++ files_search_etc($1) ++ admin_pattern($1, lircd_etc_t) + -+ polkit_domtrans_auth($1) -+ role $2 types polkit_auth_t; -+') ++ files_search_pids($1) ++ admin_pattern($1, lircd_var_run_t) + -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+# -+template(`polkit_role',` -+ polkit_run_auth($2, $1) -+ polkit_run_grant($2, $1) -+ polkit_read_lib($2) -+ polkit_read_reload($2) ++ admin_pattern($1, lircd_sock_t) +') + -+######################################## -+## -+## Send and receive messages from -+## polkit over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`polkit_dbus_chat',` -+ gen_require(` -+ type polkit_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 polkit_t:dbus send_msg; -+ allow polkit_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.12/policy/modules/services/polkit.te ---- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/polkit.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,237 @@ -+policy_module(polkit_auth, 1.0.0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te +--- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,55 @@ ++policy_module(lircd,1.0.0) + +######################################## +# +# Declarations +# + -+type polkit_t; -+type polkit_exec_t; -+init_daemon_domain(polkit_t, polkit_exec_t) -+ -+type polkit_grant_t; -+type polkit_grant_exec_t; -+init_system_domain(polkit_grant_t, polkit_grant_exec_t) -+ -+type polkit_resolve_t; -+type polkit_resolve_exec_t; -+init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) ++type lircd_t; ++type lircd_exec_t; ++init_daemon_domain(lircd_t, lircd_exec_t) + -+type polkit_auth_t; -+type polkit_auth_exec_t; -+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) ++type lircd_initrc_exec_t; ++init_script_file(lircd_initrc_exec_t) + -+type polkit_reload_t; -+files_type(polkit_reload_t) ++# pid files ++type lircd_var_run_t; ++files_pid_file(lircd_var_run_t) + -+type polkit_var_lib_t; -+files_type(polkit_var_lib_t) ++# etc file ++type lircd_etc_t; ++files_config_file(lircd_etc_t) + -+type polkit_var_run_t; -+files_pid_file(polkit_var_run_t) ++# type for lircd /dev/ sock file ++type lircd_sock_t; 
++files_type(lircd_sock_t) + +######################################## +# -+# polkit local policy ++# lircd local policy +# + -+allow polkit_t self:capability { setgid setuid }; -+allow polkit_t self:process getattr; -+ -+allow polkit_t self:unix_dgram_socket create_socket_perms; -+allow polkit_t self:fifo_file rw_file_perms; -+allow polkit_t self:unix_stream_socket create_stream_socket_perms; -+ -+polkit_domtrans_auth(polkit_t) -+polkit_domtrans_resolve(polkit_t) -+ -+can_exec(polkit_t, polkit_exec_t) -+corecmd_exec_bin(polkit_t) -+ -+domain_use_interactive_fds(polkit_t) -+ -+files_read_etc_files(polkit_t) -+files_read_usr_files(polkit_t) -+ -+fs_list_inotifyfs(polkit_t) -+ -+kernel_read_kernel_sysctls(polkit_t) ++allow lircd_t self:process signal; ++allow lircd_t self:unix_dgram_socket create_socket_perms; + -+auth_use_nsswitch(polkit_t) ++# etc file ++read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + -+miscfiles_read_localization(polkit_t) ++# pid file ++manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) ++manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) ++files_pid_filetrans(lircd_t,lircd_var_run_t, { dir file }) + -+logging_send_syslog_msg(polkit_t) ++# /dev/lircd socket ++manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) ++dev_filetrans(lircd_t, lircd_sock_t, sock_file ) + -+manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) ++logging_send_syslog_msg(lircd_t) + -+rw_files_pattern(polkit_t, polkit_reload_t, polkit_reload_t) ++files_read_etc_files(lircd_t) ++files_list_var(lircd_t) ++files_manage_generic_locks(lircd_t) ++files_read_all_locks(lircd_t) + -+# pid file -+manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) -+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) -+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) ++miscfiles_read_localization(lircd_t) + -+userdom_read_all_users_state(polkit_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N 
-u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.12/policy/modules/services/mailman.fc +--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/mailman.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -31,3 +31,4 @@ + /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) + /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + ') ++/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if +--- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-04-07 16:01:44.000000000 -0400 +@@ -31,6 +31,12 @@ + allow mailman_$1_t self:tcp_socket create_stream_socket_perms; + allow mailman_$1_t self:udp_socket create_socket_perms; + ++ files_search_spool(mailman_$1_t) + -+optional_policy(` -+ dbus_system_domain(polkit_t, polkit_exec_t) ++ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) ++ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) ++ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + -+ optional_policy(` -+ consolekit_dbus_chat(polkit_t) -+ ') -+') -+ -+######################################## -+# -+# polkit_auth local policy + manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) +@@ -64,6 +70,7 @@ + corenet_sendrecv_smtp_client_packets(mailman_$1_t) + + fs_getattr_xattr_fs(mailman_$1_t) ++ fs_list_inotifyfs(mailman_$1_t) + + corecmd_exec_all_executables(mailman_$1_t) + +@@ -191,6 +198,7 @@ + ') + + read_files_pattern($1, 
mailman_data_t, mailman_data_t) ++ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) + ') + + ####################################### +@@ -209,6 +217,7 @@ + type mailman_data_t; + ') + ++ manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) + ') + +@@ -250,6 +259,25 @@ + + ####################################### + ## ++## read ++## mailman logs. ++## ++## ++## ++## Domain allowed access. ++## ++## +# ++interface(`mailman_read_log',` ++ gen_require(` ++ type mailman_log_t; ++ ') + -+allow polkit_auth_t self:capability setgid; -+allow polkit_auth_t self:process { getattr }; -+ -+allow polkit_auth_t self:unix_dgram_socket create_socket_perms; -+allow polkit_auth_t self:fifo_file rw_file_perms; -+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; -+ -+can_exec(polkit_auth_t, polkit_auth_exec_t) -+corecmd_search_bin(polkit_auth_t) -+ -+domain_use_interactive_fds(polkit_auth_t) -+ -+files_read_etc_files(polkit_auth_t) -+files_read_usr_files(polkit_auth_t) -+ -+auth_use_nsswitch(polkit_auth_t) -+ -+miscfiles_read_localization(polkit_auth_t) -+ -+logging_send_syslog_msg(polkit_auth_t) -+ -+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) -+rw_files_pattern(polkit_auth_t, polkit_reload_t, polkit_reload_t) -+ -+# pid file -+manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) -+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) -+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) -+ -+userdom_dontaudit_read_user_home_content_files(polkit_auth_t) -+ -+optional_policy(` -+ cron_read_system_job_lib_files(polkit_auth_t) ++ read_files_pattern($1, mailman_log_t, mailman_log_t) +') + -+optional_policy(` -+ dbus_system_domain( polkit_auth_t, polkit_auth_exec_t) ++####################################### ++## + ## Append to mailman logs. 
+ ## + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.12/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/mailman.te 2009-04-07 16:01:44.000000000 -0400 +@@ -53,10 +53,8 @@ + apache_use_fds(mailman_cgi_t) + apache_dontaudit_append_log(mailman_cgi_t) + apache_search_sys_script_state(mailman_cgi_t) +- +- optional_policy(` +- nscd_socket_use(mailman_cgi_t) +- ') ++ apache_read_config(mailman_cgi_t) ++ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) + ') + + ######################################## +@@ -65,15 +63,31 @@ + # + + allow mailman_mail_t self:unix_dgram_socket create_socket_perms; ++allow mailman_mail_t initrc_t:process signal; ++allow mailman_mail_t self:process { signal signull }; ++allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; + -+ dbus_session_bus_client(polkit_auth_t) ++files_search_spool(mailman_mail_t) ++fs_rw_anon_inodefs_files(mailman_mail_t) ++fs_list_inotifyfs(mailman_mail_t) + -+ optional_policy(` -+ consolekit_dbus_chat(polkit_auth_t) -+ ') -+') ++manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) + + mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) ++mta_dontaudit_rw_queue(mailman_mail_t) + +-ifdef(`TODO',` + optional_policy(` +- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; +- # do we really need this? 
+- allow mailman_mail_t qmail_lspawn_t:fifo_file write; ++ courier_read_spool(mailman_mail_t) + ') + +optional_policy(` -+ kernel_search_proc(polkit_auth_t) -+ hal_read_state(polkit_auth_t) ++ postfix_search_spool(mailman_mail_t) +') + +optional_policy(` -+ xserver_xdm_append_log(polkit_auth_t) -+') -+ -+######################################## -+# -+# polkit_grant local policy -+# -+ -+allow polkit_grant_t self:capability setuid; -+allow polkit_grant_t self:process getattr; -+ -+allow polkit_grant_t self:unix_dgram_socket create_socket_perms; -+allow polkit_grant_t self:fifo_file rw_file_perms; -+allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; -+ -+can_exec(polkit_grant_t, polkit_grant_exec_t) -+corecmd_search_bin(polkit_grant_t) -+ -+files_read_etc_files(polkit_grant_t) -+files_read_usr_files(polkit_grant_t) -+ -+auth_use_nsswitch(polkit_grant_t) -+auth_domtrans_chk_passwd(polkit_grant_t) -+ -+miscfiles_read_localization(polkit_grant_t) -+ -+logging_send_syslog_msg(polkit_grant_t) -+ -+polkit_domtrans_auth(polkit_grant_t) -+polkit_domtrans_resolve(polkit_grant_t) -+ -+manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) -+ -+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) -+rw_files_pattern(polkit_grant_t, polkit_reload_t, polkit_reload_t) -+userdom_read_all_users_state(polkit_grant_t) ++ cron_read_pipes(mailman_mail_t) + ') + + ######################################## +@@ -99,11 +113,15 @@ + # for su + seutil_dontaudit_search_config(mailman_queue_t) + ++su_exec(mailman_queue_t) + + # some of the following could probably be changed to dontaudit, someone who + # knows mailman well should test this out and send the changes + userdom_search_user_home_dirs(mailman_queue_t) + +-su_exec(mailman_queue_t) +optional_policy(` -+ cron_manage_system_job_lib_files(polkit_grant_t) ++ apache_read_config(mailman_queue_t) +') -+ -+optional_policy(` -+ dbus_system_bus_client(polkit_grant_t) + + optional_policy(` 
+ cron_system_entry(mailman_queue_t, mailman_queue_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.12/policy/modules/services/mta.fc +--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/mta.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,4 +1,4 @@ +-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) + /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +@@ -10,10 +10,13 @@ + ') + + /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + ++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + +@@ -22,7 +25,5 @@ + /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +- +-#ifdef(`postfix.te', `', ` +-#/var/spool/postfix(/.*)? 
gen_context(system_u:object_r:mail_spool_t,s0) +-#') ++HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) ++/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-07 16:01:44.000000000 -0400 +@@ -130,6 +130,15 @@ + sendmail_create_log($1_mail_t) + ') + + optional_policy(` -+ consolekit_dbus_chat(polkit_grant_t) -+ ') ++ exim_read_log($1_mail_t) ++ exim_append_log($1_mail_t) ++ exim_manage_spool_files($1_mail_t) +') + -+######################################## -+# -+# polkit_resolve local policy -+# -+ -+allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; -+allow polkit_resolve_t self:process getattr; -+ -+allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; -+allow polkit_resolve_t self:fifo_file rw_file_perms; -+allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; -+ -+read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) -+read_files_pattern(polkit_resolve_t, polkit_reload_t, polkit_reload_t) -+ -+can_exec(polkit_resolve_t, polkit_resolve_exec_t) -+corecmd_search_bin(polkit_resolve_t) -+ -+polkit_domtrans_auth(polkit_resolve_t) -+ -+files_read_etc_files(polkit_resolve_t) -+files_read_usr_files(polkit_resolve_t) ++ optional_policy(` ++ uucp_manage_spool($1_mail_t) ++ ') + ') + + ######################################## +@@ -302,11 +311,13 @@ + allow $1 mail_spool_t:dir list_dir_perms; + create_files_pattern($1, mail_spool_t, mail_spool_t) + read_files_pattern($1, mail_spool_t, mail_spool_t) ++ append_files_pattern($1, mail_spool_t, mail_spool_t) + create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, 
mail_spool_t) + + optional_policy(` + dovecot_manage_spool($1) ++ dovecot_domtrans_deliver($1) + ') + + optional_policy(` +@@ -341,6 +352,7 @@ + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets($1) + apache_dontaudit_rw_sys_script_stream_sockets($1) ++ apache_append_log($1) + ') + ') + +@@ -591,8 +603,8 @@ + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; +- allow $1 mail_spool_t:lnk_file read; +- allow $1 mail_spool_t:file getattr; ++ getattr_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + + ######################################## +@@ -612,7 +624,7 @@ + ') + + files_dontaudit_search_spool($1) +- dontaudit $1 mail_spool_t:dir search; ++ dontaudit $1 mail_spool_t:dir search_dir_perms; + dontaudit $1 mail_spool_t:lnk_file read; + dontaudit $1 mail_spool_t:file getattr; + ') +@@ -665,7 +677,7 @@ + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; + allow $1 mail_spool_t:file setattr; +- rw_files_pattern($1, mail_spool_t, mail_spool_t) ++ manage_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + +@@ -806,6 +818,7 @@ + ') + + files_search_spool($1) ++ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) + manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.12/policy/modules/services/mta.te +--- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/mta.te 2009-04-07 16:01:44.000000000 -0400 +@@ -27,6 +27,9 @@ + type mail_spool_t; + files_mountpoint(mail_spool_t) + ++type mail_forward_t, mailcontent_type; ++files_type(mail_forward_t) + -+auth_use_nsswitch(polkit_resolve_t) + type sendmail_exec_t; + mta_agent_executable(sendmail_exec_t) + +@@ -47,34 +50,49 @@ + # + + # newalias 
required this, not sure if it is needed in 'if' file +-allow system_mail_t self:capability { dac_override }; ++allow system_mail_t self:capability { dac_override fowner }; ++allow system_mail_t self:fifo_file rw_fifo_file_perms; + + read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) ++read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + + allow system_mail_t mta_exec_type:file entrypoint; + +-allow system_mail_t mailcontent_type:file read_file_perms; ++can_exec(system_mail_t, mta_exec_type) + -+miscfiles_read_localization(polkit_resolve_t) ++files_read_all_tmp_files(system_mail_t) + + kernel_read_system_state(system_mail_t) + kernel_read_network_state(system_mail_t) + ++dev_read_sysfs(system_mail_t) + dev_read_rand(system_mail_t) + dev_read_urand(system_mail_t) + ++fs_rw_anon_inodefs_files(system_mail_t) ++fs_list_inotifyfs(system_mail_t) + -+logging_send_syslog_msg(polkit_resolve_t) ++selinux_getattr_fs(system_mail_t) + -+userdom_read_all_users_state(polkit_resolve_t) -+userdom_ptrace_all_users(polkit_resolve_t) -+mcs_ptrace_all(polkit_resolve_t) + init_use_script_ptys(system_mail_t) + + userdom_use_user_terminals(system_mail_t) + userdom_dontaudit_search_user_home_dirs(system_mail_t) ++userdom_dontaudit_list_admin_dir(system_mail_t) + -+optional_policy(` -+ dbus_system_bus_client(polkit_resolve_t) -+ optional_policy(` -+ consolekit_dbus_chat(polkit_resolve_t) -+ ') ++logging_append_all_logs(system_mail_t) + + optional_policy(` + apache_read_squirrelmail_data(system_mail_t) + apache_append_squirrelmail_data(system_mail_t) ++ apache_search_bugzilla_dirs(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_append_log(system_mail_t) + apache_dontaudit_rw_stream_sockets(system_mail_t) + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) ++ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) + ') + + optional_policy(` +@@ -88,6 +106,13 @@ + 
optional_policy(` + cron_read_system_job_tmp_files(system_mail_t) + cron_dontaudit_write_pipes(system_mail_t) ++ cron_rw_system_stream_sockets(system_mail_t) +') + +optional_policy(` -+ kernel_search_proc(polkit_resolve_t) -+ hal_read_state(polkit_resolve_t) ++ courier_manage_spool_dirs(system_mail_t) ++ courier_manage_spool_files(system_mail_t) ++ courier_rw_spool_pipes(system_mail_t) + ') + + optional_policy(` +@@ -95,16 +120,16 @@ + ') + + optional_policy(` +- logrotate_read_tmp_files(system_mail_t) ++ exim_domtrans(system_mail_t) ++ exim_manage_log(system_mail_t) + ') + + optional_policy(` +- logwatch_read_tmp_files(system_mail_t) ++ logrotate_read_tmp_files(system_mail_t) + ') + + optional_policy(` +- # newaliases runs as system_mail_t when the sendmail initscript does a restart +- milter_getattr_all_sockets(system_mail_t) ++ logwatch_read_tmp_files(system_mail_t) + ') + + optional_policy(` +@@ -132,10 +157,6 @@ + # compatability for old default main.cf + postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) + ') +- +- optional_policy(` +- cron_rw_tcp_sockets(system_mail_t) +- ') + ') + + optional_policy(` +@@ -155,6 +176,19 @@ + ') + + optional_policy(` ++ clamav_stream_connect(system_mail_t) ++ clamav_append_log(system_mail_t) +') + +optional_policy(` -+ unconfined_ptrace(polkit_resolve_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.12/policy/modules/services/portreserve.fc ---- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/portreserve.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,12 @@ -+# portreserve executable will have: -+# label: system_u:object_r:portreserve_exec_t -+# MLS sensitivity: s0 -+# MCS categories: -+ -+#exec -+/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) -+ 
-+/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) ++ fail2ban_append_log(system_mail_t) ++ ') + -+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) ++ optional_policy(` ++ spamd_stream_connect(system_mail_t) ++') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.12/policy/modules/services/portreserve.if ---- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/portreserve.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,66 @@ -+## policy for portreserve ++optional_policy(` + smartmon_read_tmp_files(system_mail_t) + ') + +@@ -174,6 +208,25 @@ + ') + ') + ++read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) ++userdom_search_admin_dir(mailserver_delivery) ++read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) + -+######################################## -+## -+## Execute a domain transition to run portreserve. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`portreserve_domtrans',` -+ gen_require(` -+ type portreserve_t, portreserve_exec_t; -+ ') ++init_stream_connect_script(mailserver_delivery) ++init_rw_script_stream_sockets(mailserver_delivery) + -+ domtrans_pattern($1,portreserve_exec_t,portreserve_t) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(mailserver_delivery) ++ fs_manage_cifs_files(mailserver_delivery) ++ fs_manage_cifs_symlinks(mailserver_delivery) +') + -+####################################### -+## -+## Allow the specified domain to read -+## portreserve etcuration files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+# -+interface(`portreserve_read_etc',` -+ gen_require(` -+ type portreserve_etc_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 portreserve_etc_t:dir list_dir_perms; -+ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+') -+ -+####################################### -+## -+## Allow the specified domain to manage -+## portreserve etcuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`portreserve_manage_etc',` -+ gen_require(` -+ type portreserve_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(mailserver_delivery) ++ fs_manage_nfs_files(mailserver_delivery) ++ fs_manage_nfs_symlinks(mailserver_delivery) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.12/policy/modules/services/portreserve.te ---- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/portreserve.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,51 @@ -+policy_module(portreserve,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type portreserve_t; -+type portreserve_exec_t; -+init_daemon_domain(portreserve_t, portreserve_exec_t) -+ -+type portreserve_etc_t; -+files_type(portreserve_etc_t) -+ -+type portreserve_var_run_t; -+files_pid_file(portreserve_var_run_t) -+ -+######################################## -+# -+# Portreserve local policy -+# -+allow portreserve_t self:fifo_file rw_fifo_file_perms; -+allow portreserve_t self:unix_stream_socket create_stream_socket_perms; -+allow portreserve_t self:unix_dgram_socket 
{ create_socket_perms sendto }; -+allow portreserve_t self:tcp_socket create_socket_perms; -+allow portreserve_t self:udp_socket create_socket_perms; -+ -+# Read etc files -+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -+ -+# Manage /var/run/portreserve/* -+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) -+ -+corenet_all_recvfrom_unlabeled(portreserve_t) -+corenet_all_recvfrom_netlabel(portreserve_t) -+corenet_tcp_bind_all_ports(portreserve_t) -+corenet_tcp_bind_all_ports(portreserve_t) -+corenet_tcp_bind_generic_node(portreserve_t) -+corenet_udp_bind_generic_node(portreserve_t) -+corenet_udp_bind_all_ports(portreserve_t) + -+files_read_etc_files(portreserve_t) -+ -+# Init script handling -+#init_use_fds(portreserve_t) -+#init_use_script_ptys(portreserve_t) -+#domain_use_interactive_fds(portreserve_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.12/policy/modules/services/postfix.fc ---- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/postfix.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -29,12 +29,10 @@ - /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) - /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) - /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) - ') - /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) - 
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) - /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-07 16:01:44.000000000 -0400 -@@ -46,6 +46,7 @@ - - allow postfix_$1_t postfix_etc_t:dir list_dir_perms; - read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) -+ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) - - can_exec(postfix_$1_t, postfix_$1_exec_t) + ######################################## + # + # User send mail local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.12/policy/modules/services/munin.fc +--- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/munin.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,4 +1,5 @@ + /etc/munin(/.*)? 
gen_context(system_u:object_r:munin_etc_t,s0) ++/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) -@@ -79,6 +80,7 @@ - files_read_usr_symlinks(postfix_$1_t) - files_search_spool(postfix_$1_t) - files_getattr_tmp_dirs(postfix_$1_t) -+ files_search_all_mountpoints(postfix_$1_t) + /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +@@ -6,6 +7,8 @@ + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - init_dontaudit_use_fds(postfix_$1_t) - init_sigchld(postfix_$1_t) -@@ -174,9 +176,8 @@ - type postfix_etc_t; + /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) + /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) ++/var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.12/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/munin.if 2009-04-07 16:01:44.000000000 -0400 +@@ -59,8 +59,9 @@ + type munin_log_t; ') -- allow $1 postfix_etc_t:dir list_dir_perms; -- allow $1 postfix_etc_t:file read_file_perms; -- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; -+ read_files_pattern($1, postfix_etc_t, postfix_etc_t) -+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) - files_search_etc($1) +- allow $1 munin_log_t:file append_file_perms; + logging_search_logs($1) ++ allow $1 munin_log_t:dir list_dir_perms; ++ append_files_pattern($1, munin_log_t, munin_log_t) ') -@@ -232,6 +233,25 @@ + ####################################### +@@ -100,3 +101,55 @@ - ######################################## - ## -+## Allow read/write postfix local pipes -+## TCP sockets. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`postfix_rw_local_pipes',` -+ gen_require(` -+ type postfix_local_t; -+ ') -+ -+ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; -+') + dontaudit $1 munin_var_lib_t:dir search_dir_perms; + ') + +######################################## +## - ## Allow domain to read postfix local process state - ## - ## -@@ -378,7 +398,7 @@ - ## - ## - # --interface(`postfix_create_pivate_sockets',` -+interface(`postfix_create_private_sockets',` - gen_require(` - type postfix_private_t; - ') -@@ -389,6 +409,25 @@ - - ######################################## - ## -+## manage named socket in a postfix private directory. ++## All of the rules required to administrate ++## an munin environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the munin domain. 
++## ++## ++## +# -+interface(`postfix_manage_private_sockets',` ++interface(`munin_admin',` + gen_require(` -+ type postfix_private_t; ++ type munin_t, munin_etc_t, munin_tmp_t; ++ type munin_log_t, munin_var_lib_t, munin_var_run_t; ++ type httpd_munin_content_t; ++ type munin_initrc_exec_t; + ') + -+ allow $1 postfix_private_t:dir list_dir_perms; -+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) ++ allow $1 munin_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, munin_t) ++ ++ init_labeled_script_domtrans($1, munin_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 munin_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, munin_tmp_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, munin_log_t) ++ ++ files_list_etc($1) ++ admin_pattern($1, munin_etc_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, munin_var_lib_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, munin_var_run_t) ++ ++ admin_pattern($1, httpd_munin_content_t) +') + -+######################################## -+## - ## Execute the master postfix program in the - ## postfix_master domain. 
- ## -@@ -418,10 +457,10 @@ - # - interface(`postfix_search_spool',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.12/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/munin.te 2009-04-07 16:01:44.000000000 -0400 +@@ -13,6 +13,9 @@ + type munin_etc_t alias lrrd_etc_t; + files_config_file(munin_etc_t) -- allow $1 postfix_spool_t:dir search_dir_perms; -+ allow $1 postfix_spool_type:dir search_dir_perms; - files_search_spool($1) - ') ++type munin_initrc_exec_t; ++init_script_file(munin_initrc_exec_t) ++ + type munin_log_t alias lrrd_log_t; + logging_log_file(munin_log_t) -@@ -437,11 +476,30 @@ +@@ -30,21 +33,25 @@ + # Local policy # - interface(`postfix_list_spool',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; -+ ') + +-allow munin_t self:capability { setgid setuid }; ++allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; + dontaudit munin_t self:capability sys_tty_config; + allow munin_t self:process { getsched setsched signal_perms }; + allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; + allow munin_t self:tcp_socket create_stream_socket_perms; + allow munin_t self:udp_socket create_socket_perms; ++allow munin_t self:fifo_file manage_fifo_file_perms; + -+ allow $1 postfix_spool_type:dir list_dir_perms; -+ files_search_spool($1) -+') ++can_exec(munin_t, munin_exec_t) + + allow munin_t munin_etc_t:dir list_dir_perms; + read_files_pattern(munin_t, munin_etc_t, munin_etc_t) + read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) + files_search_etc(munin_t) + +-allow munin_t munin_log_t:file manage_file_perms; 
+-logging_log_filetrans(munin_t, munin_log_t, file) ++manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) ++manage_files_pattern(munin_t, munin_log_t, munin_log_t) ++logging_log_filetrans(munin_t, munin_log_t, { file dir }) + + manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) + manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) +@@ -61,9 +68,11 @@ + files_pid_filetrans(munin_t, munin_var_run_t, file) + + kernel_read_system_state(munin_t) +-kernel_read_kernel_sysctls(munin_t) ++kernel_read_network_state(munin_t) ++kernel_read_all_sysctls(munin_t) + + corecmd_exec_bin(munin_t) ++corecmd_exec_shell(munin_t) + + corenet_all_recvfrom_unlabeled(munin_t) + corenet_all_recvfrom_netlabel(munin_t) +@@ -73,24 +82,36 @@ + corenet_udp_sendrecv_generic_node(munin_t) + corenet_tcp_sendrecv_all_ports(munin_t) + corenet_udp_sendrecv_all_ports(munin_t) ++corenet_tcp_bind_munin_port(munin_t) ++corenet_tcp_connect_munin_port(munin_t) ++corenet_tcp_connect_http_port(munin_t) ++corenet_tcp_bind_generic_node(munin_t) + + dev_read_sysfs(munin_t) + dev_read_urand(munin_t) ++fs_list_inotifyfs(munin_t) + + domain_use_interactive_fds(munin_t) ++domain_read_all_domains_state(munin_t) + + files_read_etc_files(munin_t) + files_read_etc_runtime_files(munin_t) + files_read_usr_files(munin_t) ++files_list_spool(munin_t) + + fs_getattr_all_fs(munin_t) + fs_search_auto_mountpoints(munin_t) + ++auth_use_nsswitch(munin_t) + -+######################################## -+## -+## Getattr postfix mail spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`postfix_getattr_spool_files',` -+ gen_require(` -+ attribute postfix_spool_type; - ') + logging_send_syslog_msg(munin_t) ++logging_read_all_logs(munin_t) -- allow $1 postfix_spool_t:dir list_dir_perms; - files_search_spool($1) -+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) - ') ++miscfiles_read_fonts(munin_t) + miscfiles_read_localization(munin_t) - ######################################## -@@ -456,16 +514,16 @@ - # - interface(`postfix_read_spool_files',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') +-sysnet_read_config(munin_t) ++sysnet_exec_ifconfig(munin_t) ++netutils_domtrans_ping(munin_t) - files_search_spool($1) -- read_files_pattern($1, postfix_spool_t, postfix_spool_t) -+ read_files_pattern($1, postfix_spool_type, postfix_spool_type) + userdom_dontaudit_use_unpriv_user_fds(munin_t) + userdom_dontaudit_search_user_home_dirs(munin_t) +@@ -105,7 +126,31 @@ ') - ######################################## - ## --## Create, read, write, and delete postfix mail spool files. -+## Manage postfix mail spool files. 
- ## - ## - ## -@@ -475,11 +533,11 @@ - # - interface(`postfix_manage_spool_files',` - gen_require(` -- type postfix_spool_t; -+ attribute postfix_spool_type; - ') + optional_policy(` +- nis_use_ypbind(munin_t) ++ fstools_domtrans(munin_t) ++') ++ ++optional_policy(` ++ mta_read_config(munin_t) ++ mta_send_mail(munin_t) ++ mta_read_queue(munin_t) ++') ++ ++optional_policy(` ++ mysql_read_config(munin_t) ++ mysql_stream_connect(munin_t) ++') ++ ++optional_policy(` ++ postfix_list_spool(munin_t) ++ postfix_getattr_spool_files(munin_t) ++') ++ ++optional_policy(` ++ rpc_search_nfs_state_data(munin_t) ++') ++ ++optional_policy(` ++ sendmail_read_log(munin_t) + ') - files_search_spool($1) -- manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) + optional_policy(` +@@ -115,3 +160,10 @@ + optional_policy(` + udev_read_db(munin_t) ') ++ ++#============= http munin policy ============== ++apache_content_template(munin) ++ ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.12/policy/modules/services/mysql.fc +--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/mysql.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -12,6 +12,8 @@ + # + /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) - ######################################## -@@ -500,3 +558,23 @@ ++/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) ++ + /usr/sbin/mysqld(-max)? 
-- gen_context(system_u:object_r:mysqld_exec_t,s0) - typeattribute $1 postfix_user_domtrans; + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.12/policy/modules/services/mysql.if +--- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/mysql.if 2009-04-07 16:01:44.000000000 -0400 +@@ -121,6 +121,44 @@ + allow $1 mysqld_db_t:dir rw_dir_perms; ') + ++####################################### ++## ++## Append to the MySQL database directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_append_db_files',` ++ gen_require(` ++ type mysqld_db_t; ++ ') + -+######################################## ++ files_search_var_lib($1) ++ append_files_pattern($1, mysqld_db_t, mysqld_db_t) ++') ++ ++####################################### +## -+## Execute the master postdrop in the -+## postfix_postdrop domain. ++## Read and write to the MySQL database directory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`postfix_domtrans_postdrop',` -+ gen_require(` -+ type postfix_postdrop_t, postfix_postdrop_exec_t; -+ ') ++interface(`mysql_rw_db_files',` ++ gen_require(` ++ type mysqld_db_t; ++ ') + -+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) ++ files_search_var_lib($1) ++ rw_files_pattern($1,mysqld_db_t,mysqld_db_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-07 16:01:44.000000000 -0400 -@@ -6,6 +6,15 @@ - # Declarations - # + ######################################## + ## + ## Create, read, write, and delete MySQL database directories. 
+@@ -140,6 +178,25 @@ + allow $1 mysqld_db_t:dir manage_dir_perms; + ') -+## -+##

-+## Allow postfix_local domain full write access to mail_spool directories -+## -+##

-+##
-+gen_tunable(allow_postfix_local_write_mail_spool, false) ++####################################### ++## ++## Create, read, write, and delete MySQL database files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_manage_db_files',` ++ gen_require(` ++ type mysqld_db_t; ++ ') + -+attribute postfix_spool_type; - attribute postfix_user_domains; - # domains that transition to the - # postfix user domains -@@ -13,13 +22,13 @@ - - postfix_server_domain_template(bounce) - --type postfix_spool_bounce_t; -+type postfix_spool_bounce_t, postfix_spool_type; - files_type(postfix_spool_bounce_t) - - postfix_server_domain_template(cleanup) - - type postfix_etc_t; --files_type(postfix_etc_t) -+files_config_file(postfix_etc_t) - - type postfix_exec_t; - application_executable_file(postfix_exec_t) -@@ -27,6 +36,12 @@ - postfix_server_domain_template(local) - mta_mailserver_delivery(postfix_local_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1,mysqld_db_t,mysqld_db_t) ++') ++ + ######################################## + ## + ## Read and write to the MySQL database +@@ -161,6 +218,25 @@ + allow $1 mysqld_db_t:sock_file rw_sock_file_perms; + ') -+userdom_read_user_home_content_files(postfix_local_t) ++##################################### ++## ++## Search MySQL PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`mysql_search_pid_files',` ++ gen_require(` ++ type mysqld_var_run_t; ++ ') + -+tunable_policy(`allow_postfix_local_write_mail_spool',` -+ mta_manage_spool(postfix_local_t) ++ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + - type postfix_local_tmp_t; - files_tmp_file(postfix_local_tmp_t) - -@@ -34,6 +49,7 @@ - type postfix_map_t; - type postfix_map_exec_t; - application_domain(postfix_map_t, postfix_map_exec_t) -+role system_r types postfix_map_t; - - type postfix_map_tmp_t; - files_tmp_file(postfix_map_tmp_t) -@@ -68,13 +84,13 @@ - - postfix_server_domain_template(smtpd) - --type postfix_spool_t; -+type postfix_spool_t, postfix_spool_type; - files_type(postfix_spool_t) - --type postfix_spool_maildrop_t; -+type postfix_spool_maildrop_t, postfix_spool_type; - files_type(postfix_spool_maildrop_t) - --type postfix_spool_flush_t; -+type postfix_spool_flush_t, postfix_spool_type; - files_type(postfix_spool_flush_t) - - type postfix_public_t; -@@ -103,6 +119,7 @@ - allow postfix_master_t self:fifo_file rw_fifo_file_perms; - allow postfix_master_t self:tcp_socket create_stream_socket_perms; - allow postfix_master_t self:udp_socket create_socket_perms; -+allow postfix_master_t self:process setrlimit; - - allow postfix_master_t postfix_etc_t:file rw_file_perms; - -@@ -142,6 +159,7 @@ - - delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - - kernel_read_all_sysctls(postfix_master_t) - -@@ -153,6 +171,9 @@ - corenet_udp_sendrecv_generic_node(postfix_master_t) - corenet_tcp_sendrecv_all_ports(postfix_master_t) - corenet_udp_sendrecv_all_ports(postfix_master_t) -+corenet_udp_bind_generic_node(postfix_master_t) -+corenet_udp_bind_all_unreserved_ports(postfix_master_t) 
-+corenet_dontaudit_udp_bind_all_ports(postfix_master_t) - corenet_tcp_bind_generic_node(postfix_master_t) - corenet_tcp_bind_amavisd_send_port(postfix_master_t) - corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -170,6 +191,8 @@ - domain_use_interactive_fds(postfix_master_t) - - files_read_usr_files(postfix_master_t) -+files_search_var_lib(postfix_master_t) -+files_search_tmp(postfix_master_t) - - term_dontaudit_search_ptys(postfix_master_t) - -@@ -181,15 +204,14 @@ - - mta_rw_aliases(postfix_master_t) - mta_read_sendmail_bin(postfix_master_t) -+mta_getattr_spool(postfix_master_t) + ######################################## + ## + ## Write to the MySQL log. +@@ -177,7 +253,7 @@ + ') --ifdef(`distro_redhat',` -- # for newer main.cf that uses /etc/aliases -- mta_manage_aliases(postfix_master_t) -- mta_etc_filetrans_aliases(postfix_master_t) -+optional_policy(` -+ cyrus_stream_connect(postfix_master_t) + logging_search_logs($1) +- allow $1 mysqld_log_t:file { write_file_perms setattr }; ++ allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; ') - optional_policy(` -- cyrus_stream_connect(postfix_master_t) -+ kerberos_keytab_template(postfix, postfix_t) - ') + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-04-07 16:01:44.000000000 -0400 +@@ -10,6 +10,10 @@ + type mysqld_exec_t; + init_daemon_domain(mysqld_t, mysqld_exec_t) - optional_policy(` -@@ -202,9 +224,29 @@ - ') ++type mysqld_safe_t; ++type mysqld_safe_exec_t; ++init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) ++ + type mysqld_var_run_t; + files_pid_file(mysqld_var_run_t) +@@ -121,3 +125,36 @@ optional_policy(` -+ postgrey_search_spool(postfix_master_t) -+') -+ -+optional_policy(` - 
sendmail_signal(postfix_master_t) + udev_read_db(mysqld_t) ') - -+########################################################### ++ ++####################################### +# -+# Partially converted rules. THESE ARE ONLY TEMPORARY ++# Local mysqld_safe policy +# + -+ifdef(`distro_redhat',` -+ # for newer main.cf that uses /etc/aliases -+ allow postfix_master_t etc_aliases_t:dir manage_dir_perms; -+ allow postfix_master_t etc_aliases_t:file manage_file_perms; -+ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms; -+ mta_etc_filetrans_aliases(postfix_master_t) -+ filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file }) -+') ++domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t) + -+# end partially converted rules ++allow mysqld_safe_t self:capability { dac_override fowner chown }; ++allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; ++ ++allow mysqld_safe_t mysqld_log_t:file manage_file_perms; ++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + - ######################################## - # - # Postfix bounce local policy -@@ -245,6 +287,10 @@ - - corecmd_exec_bin(postfix_cleanup_t) - -+optional_policy(` -+ mailman_read_data_files(postfix_cleanup_t) -+') ++mysql_append_db_files(mysqld_safe_t) ++mysql_read_config(mysqld_safe_t) ++mysql_search_pid_files(mysqld_safe_t) ++mysql_write_log(mysqld_safe_t) + - ######################################## - # - # Postfix local local policy -@@ -270,18 +316,29 @@ - - files_read_etc_files(postfix_local_t) - -+logging_dontaudit_search_logs(postfix_local_t) ++kernel_read_system_state(mysqld_safe_t) + - mta_read_aliases(postfix_local_t) - mta_delete_spool(postfix_local_t) - # For reading spamassasin - mta_read_config(postfix_local_t) - -+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++dev_list_sysfs(mysqld_safe_t) ++ ++files_read_etc_files(mysqld_safe_t) ++files_read_usr_files(mysqld_safe_t) + - optional_policy(` - 
clamav_search_lib(postfix_local_t) -+ clamav_exec_clamscan(postfix_local_t) - ') - - optional_policy(` - # for postalias - mailman_manage_data_files(postfix_local_t) -+ mailman_append_log(postfix_local_t) -+ mailman_read_log(postfix_local_t) -+') -+ -+optional_policy(` -+ nagios_search_spool(postfix_local_t) - ') - - optional_policy(` -@@ -292,8 +349,7 @@ - # - # Postfix map local policy - # -- --allow postfix_map_t self:capability setgid; -+allow postfix_map_t self:capability { dac_override setgid setuid }; - allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_map_t self:unix_dgram_socket create_socket_perms; - allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,10 +396,6 @@ - - miscfiles_read_localization(postfix_map_t) - --seutil_read_config(postfix_map_t) -- --userdom_use_user_terminals(postfix_map_t) -- - tunable_policy(`read_default_t',` - files_list_default(postfix_map_t) - files_read_default_files(postfix_map_t) -@@ -356,6 +408,11 @@ - locallogin_dontaudit_use_fds(postfix_map_t) - ') - -+optional_policy(` -+# for postalias -+ mailman_manage_data_files(postfix_map_t) -+') ++corecmd_exec_bin(mysqld_safe_t) ++ ++miscfiles_read_localization(mysqld_safe_t) + - ######################################## - # - # Postfix pickup local policy -@@ -380,6 +437,7 @@ - # - - allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; -+allow postfix_pipe_t self:process setrlimit; - - write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -@@ -387,6 +445,12 @@ ++hostname_exec(mysqld_safe_t) ++ ++permissive mysqld_safe_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.12/policy/modules/services/nagios.fc +--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/nagios.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,16 +1,19 @@ + 
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) + /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) + /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) + /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) -+ -+optional_policy(` -+ dovecot_domtrans_deliver(postfix_pipe_t) -+') -+ - optional_policy(` - procmail_domtrans(postfix_pipe_t) - ') -@@ -396,6 +460,15 @@ - ') +-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ++/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - optional_policy(` -+ mta_manage_spool(postfix_pipe_t) -+ mta_send_mail(postfix_pipe_t) -+') -+ -+optional_policy(` -+ spamassassin_domtrans_client(postfix_pipe_t) -+') + /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + -+optional_policy(` - uucp_domtrans_uux(postfix_pipe_t) - ') ++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -@@ -432,8 +505,11 @@ + ifdef(`distro_debian',` + /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ') - - optional_policy(` -- ppp_use_fds(postfix_postqueue_t) -- ppp_sigchld(postfix_postqueue_t) -+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t) -+') ++/usr/lib(64)?/cgi-bin/nagios(/.+)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + -+optional_policy(` -+ uucp_manage_spool(postfix_postdrop_t) - ') - - ####################################### -@@ -459,6 +535,15 @@ - init_sigchld_script(postfix_postqueue_t) - init_use_script_fds(postfix_postqueue_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.12/policy/modules/services/nagios.if +--- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/nagios.if 2009-04-07 16:01:44.000000000 -0400 +@@ -44,7 +44,7 @@ -+optional_policy(` -+ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) -+') -+ -+optional_policy(` -+ ppp_use_fds(postfix_postqueue_t) -+ ppp_sigchld(postfix_postqueue_t) -+') -+ ######################################## + ## +-## Execute the nagios CGI with ++## Execute the nagios NRPE with + ## a domain transition. + ## + ## +@@ -53,18 +53,37 @@ + ## + ## # - # Postfix qmgr local policy -@@ -513,7 +598,7 @@ - - allow postfix_smtp_t postfix_spool_t:file rw_file_perms; - --files_dontaudit_getattr_home_dir(postfix_smtp_t) -+files_search_all_mountpoints(postfix_smtp_t) +-interface(`nagios_domtrans_cgi',` ++interface(`nagios_domtrans_nrpe',` + gen_require(` +- type nagios_cgi_t, nagios_cgi_exec_t; ++ type nrpe_t, nrpe_exec_t; + ') - optional_policy(` - cyrus_stream_connect(postfix_smtp_t) -@@ -543,9 +628,18 @@ +- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) ++ domtrans_pattern($1, nrpe_exec_t, nrpe_t) + ') - # for OpenSSL certificates - files_read_usr_files(postfix_smtpd_t) + ######################################## + ## +-## Execute the nagios NRPE with +-## a domain transition. ++## Do not audit attempts to read and write ++## NAGIOS unnamed pipes. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`nagios_dontaudit_rw_pipes',` + -+# postfix checks the size of all mounted file systems -+fs_getattr_all_dirs(postfix_smtpd_t) -+fs_getattr_all_fs(postfix_smtpd_t) ++ gen_require(` ++ type nagios_t; ++ ') + - mta_read_aliases(postfix_smtpd_t) - - optional_policy(` -+ dovecot_auth_stream_connect(postfix_smtpd_t) ++ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; +') + -+optional_policy(` - mailman_read_data_files(postfix_smtpd_t) - ') - -@@ -572,15 +666,21 @@ - files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) - - # connect to master process --stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t) -+stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - - corecmd_exec_shell(postfix_virtual_t) - corecmd_exec_bin(postfix_virtual_t) - - files_read_etc_files(postfix_virtual_t) -+files_read_usr_files(postfix_virtual_t) - - mta_read_aliases(postfix_virtual_t) - mta_delete_spool(postfix_virtual_t) - # For reading spamassasin - mta_read_config(postfix_virtual_t) - mta_manage_spool(postfix_virtual_t) -+ -+userdom_manage_user_home_dirs(postfix_virtual_t) -+userdom_manage_user_home_content(postfix_virtual_t) -+userdom_home_filetrans_user_home_dir(postfix_virtual_t) -+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.12/policy/modules/services/postgresql.fc ---- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/postgresql.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -2,6 +2,7 @@ - # /etc - # - /etc/postgresql(/.*)? 
gen_context(system_u:object_r:postgresql_etc_t,s0) -+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) - ++######################################## ++## ++## Search nagios spool directories. + ## + ## + ## +@@ -72,10 +91,63 @@ + ## + ## # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.12/policy/modules/services/postgresql.if ---- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/postgresql.if 2009-04-07 16:01:44.000000000 -0400 -@@ -351,3 +351,46 @@ +-interface(`nagios_domtrans_nrpe',` ++interface(`nagios_search_spool',` + gen_require(` +- type nrpe_t, nrpe_exec_t; ++ type nagios_spool_t; + ') - typeattribute $1 sepgsql_unconfined_type; - ') +- domtrans_pattern($1, nrpe_exec_t, nrpe_t) ++ allow $1 nagios_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') + +######################################## +## -+## All of the rules required to administrate an postgresql environment ++## All of the rules required to administrate ++## an nagios environment +## +## +## 
@@ -16643,124 +15007,180 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the postgresql domain. ++## The role to be allowed to manage the nagios domain. +## +## +## +# -+interface(`postgresql_admin',` ++interface(`nagios_admin',` + gen_require(` -+ type postgresql_t, postgresql_var_run_t; -+ type postgresql_tmp_t, postgresql_db_t; -+ type postgresql_etc_t, postgresql_log_t; -+ type postgresql_initrc_exec_t; -+ ') -+ -+ allow $1 postgresql_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, postgresql_t) ++ type nagios_t, nrpe_t; ++ type nagios_tmp_t, nagios_log_t; ++ type nagios_etc_t, nrpe_etc_t; ++ type nagios_spool_t, nagios_var_run_t; ++ type nagios_initrc_exec_t; ++ ') + -+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t) ++ allow $1 nagios_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nagios_t) ++ ++ init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) -+ role_transition $2 postgresql_initrc_exec_t system_r; ++ role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + -+ admin_pattern($1, postgresql_var_run_t) ++ files_list_tmp($1) ++ admin_pattern($1, nagios_tmp_t) + -+ admin_pattern($1, postgresql_db_t) ++ logging_list_logs($1) ++ admin_pattern($1, nagios_log_t) + -+ admin_pattern($1, postgresql_etc_t) ++ files_list_etc($1) ++ admin_pattern($1, nagios_etc_t) + -+ admin_pattern($1, postgresql_log_t) ++ files_list_spool($1) ++ admin_pattern($1, nagios_spool_t) + -+ admin_pattern($1, postgresql_tmp_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te ---- nsaserefpolicy/policy/modules/services/postgresql.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-04-07 16:01:44.000000000 -0400 -@@ -32,6 +32,9 @@ - type 
postgresql_etc_t; - files_config_file(postgresql_etc_t) - -+type postgresql_initrc_exec_t; -+init_script_file(postgresql_initrc_exec_t) ++ files_list_pids($1) ++ admin_pattern($1, nagios_var_run_t) + - type postgresql_lock_t; - files_lock_file(postgresql_lock_t) - -@@ -124,6 +127,7 @@ - dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; - allow postgresql_t self:process signal_perms; - allow postgresql_t self:fifo_file rw_fifo_file_perms; -+allow postgresql_t self:file { getattr read }; - allow postgresql_t self:sem create_sem_perms; - allow postgresql_t self:shm create_shm_perms; - allow postgresql_t self:tcp_socket create_stream_socket_perms; -@@ -178,7 +182,7 @@ ++ admin_pattern($1, nrpe_etc_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.12/policy/modules/services/nagios.te +--- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nagios.te 2009-04-07 16:01:44.000000000 -0400 +@@ -10,13 +10,12 @@ + type nagios_exec_t; + init_daemon_domain(nagios_t, nagios_exec_t) - manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) - manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) --files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) -+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file }) +-type nagios_cgi_t; +-type nagios_cgi_exec_t; +-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) +- + type nagios_etc_t; + files_config_file(nagios_etc_t) - kernel_read_kernel_sysctls(postgresql_t) - kernel_read_system_state(postgresql_t) -@@ -194,6 +198,7 @@ - corenet_udp_sendrecv_generic_node(postgresql_t) - corenet_tcp_sendrecv_all_ports(postgresql_t) - corenet_udp_sendrecv_all_ports(postgresql_t) -+corenet_udp_bind_generic_node(postgresql_t) - corenet_tcp_bind_generic_node(postgresql_t) - 
corenet_tcp_bind_postgresql_port(postgresql_t) - corenet_tcp_connect_auth_port(postgresql_t) -@@ -304,7 +309,7 @@ - allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; ++type nagios_initrc_exec_t; ++init_script_file(nagios_initrc_exec_t) ++ + type nagios_log_t; + logging_log_file(nagios_log_t) - allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute install }; --allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint }; -+allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; +@@ -26,6 +25,9 @@ + type nagios_var_run_t; + files_pid_file(nagios_var_run_t) - allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; - allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; -@@ -345,7 +350,7 @@ ++type nagios_spool_t; ++files_type(nagios_spool_t) ++ + type nrpe_t; + type nrpe_exec_t; + init_daemon_domain(nrpe_t, nrpe_exec_t) +@@ -60,6 +62,8 @@ + manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) + files_pid_filetrans(nagios_t, nagios_var_run_t, file) - # unconfined domain is not allowed to invoke user defined procedure directly. - # They have to confirm and relabel it at first. 
--allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *; -+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *; - allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; ++rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++ + kernel_read_system_state(nagios_t) + kernel_read_kernel_sysctls(nagios_t) - allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.12/policy/modules/services/ppp.fc ---- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/ppp.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,7 +1,7 @@ +@@ -127,39 +131,34 @@ # - # /etc + # Nagios CGI local policy # --/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) -+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) ++apache_content_template(nagios) ++typealias httpd_nagios_script_t alias nagios_cgi_t; ++typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; - /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) - /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -@@ -8,9 +8,8 @@ - /etc/ppp/peers(/.*)? 
gen_context(system_u:object_r:pppd_etc_rw_t,s0) - /etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) - /etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-allow nagios_cgi_t self:process signal_perms; +-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; ++allow httpd_nagios_script_t self:process signal_perms; + +-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + +-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + +-allow nagios_cgi_t nagios_log_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + +-kernel_read_system_state(nagios_cgi_t) ++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + +-corecmd_exec_bin(nagios_cgi_t) ++kernel_read_system_state(httpd_nagios_script_t) + +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + +-files_read_etc_files(nagios_cgi_t) +-files_read_etc_runtime_files(nagios_cgi_t) +-files_read_kernel_symbol_table(nagios_cgi_t) ++files_read_etc_runtime_files(httpd_nagios_script_t) 
++files_read_kernel_symbol_table(httpd_nagios_script_t) + +-logging_send_syslog_msg(nagios_cgi_t) +-logging_search_logs(nagios_cgi_t) - - # Fix /etc/ppp {up,down} family scripts (see man pppd) --/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0) -+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) +-miscfiles_read_localization(nagios_cgi_t) +- +-optional_policy(` +- apache_append_log(nagios_cgi_t) +-') ++logging_send_syslog_msg(httpd_nagios_script_t) + ######################################## # - # /sbin -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if ---- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-04-07 16:01:44.000000000 -0400 -@@ -58,6 +58,25 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.12/policy/modules/services/networkmanager.fc +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/networkmanager.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,12 +1,25 @@ ++/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) ++/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++ + /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) + /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + + /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0) + /usr/s?bin/wpa_supplicant -- 
gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++ ++/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + ++/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) + /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.12/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/networkmanager.if 2009-04-07 16:01:44.000000000 -0400 +@@ -118,6 +118,24 @@ ######################################## ## -+## Send ppp a kill signal ++## Execute NetworkManager scripts with an automatic domain transition to initrc. +## +## +## 
@@ -16768,964 +15188,1008 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+# -+interface(`ppp_kill',` ++interface(`networkmanager_initrc_domtrans',` + gen_require(` -+ type pppd_t; ++ type NetworkManager_initrc_exec_t; + ') + -+ allow $1 pppd_t:process sigkill; ++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + +######################################## +## - ## Send a generic signal to PPP. + ## Read NetworkManager PID files. ## ## -@@ -298,6 +317,24 @@ - - ######################################## - ## -+## Execute ppp server in the ntpd domain. +@@ -134,3 +152,30 @@ + files_search_pids($1) + allow $1 NetworkManager_var_run_t:file read_file_perms; + ') ++ ++######################################## ++## ++## Execute NetworkManager in the NetworkManager domain, and ++## allow the specified role the NetworkManager domain. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the NetworkManager domain. 
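Review bot: In the nagios.te part of this hunk, `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` pass nagios_etc_t as the directory type while granting read on nagios_log_t files, which looks like a copy-paste carried over from the nagios_cgi_t rules the commit rewrites; the sibling etc rules use nagios_etc_t for both arguments, so these should read `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`. The effect is currently masked by the preceding `allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;`, but the extra search grant on nagios_etc_t directories is redundant and the intent is unclear to the next reader. In the networkmanager.fc part, `/etc/NetworkManager/dispatcher\.d(/.*)` lacks the trailing `?` that every other directory entry in the file uses, so the directory itself is not matched, and `/usr/libexec/nm-dispatcher.action` leaves the `.` unescaped; if either is deliberate a short comment would help. Everything under dispatcher.d is also labeled NetworkManager_initrc_exec_t, which the new networkmanager_initrc_domtrans interface hands to init_labeled_script_domtrans, so those scripts presumably run in the init script domain rather than in NetworkManager_t; a one-line comment stating why that privilege level is needed would make the grant reviewable. The networkmanager.if interface whose header begins at the end of this hunk continues into the next hunk.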
+## +## ++## +# -+interface(`ppp_initrc_domtrans',` ++interface(`networkmanager_run',` + gen_require(` -+ type pppd_initrc_exec_t; ++ type NetworkManager_t, NetworkManager_exec_t; + ') + -+ init_labeled_script_domtrans($1, pppd_initrc_exec_t) ++ networkmanager_domtrans($1) ++ role $2 types NetworkManager_t; +') + -+######################################## -+## - ## All of the rules required to administrate - ## an ppp environment - ## -@@ -315,33 +352,39 @@ - type pppd_etc_rw_t, pppd_var_run_t; - - type pptp_t, pptp_log_t, pptp_var_run_t; -+ type pppd_initrc_exec_t; - ') - - allow $1 pppd_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, pppd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.12/policy/modules/services/networkmanager.te +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/networkmanager.te 2009-04-07 16:01:44.000000000 -0400 +@@ -19,6 +19,9 @@ + type NetworkManager_tmp_t; + files_tmp_file(NetworkManager_tmp_t) -+ ppp_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pppd_initrc_exec_t system_r; -+ allow $2 system_r; ++type NetworkManager_var_lib_t; ++files_type(NetworkManager_var_lib_t) + - files_list_tmp($1) -- manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t) -+ admin_pattern($1, pppd_tmp_t) + type NetworkManager_var_run_t; + files_pid_file(NetworkManager_var_run_t) - logging_list_logs($1) -- manage_files_pattern($1, pppd_log_t, pppd_log_t) -+ admin_pattern($1, pppd_log_t) +@@ -33,9 +36,9 @@ -- manage_files_pattern($1, pppd_lock_t, pppd_lock_t) -+ admin_pattern($1, pppd_lock_t) + # networkmanager will ptrace itself if gdb is installed + # and it receives a unexpected signal (rh bug #204161) +-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow 
NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; + dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; ++allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; + allow NetworkManager_t self:fifo_file rw_fifo_file_perms; + allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; + allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; +@@ -51,8 +54,10 @@ + manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) + logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - files_list_etc($1) -- manage_files_pattern($1, pppd_etc_t, pppd_etc_t) -+ admin_pattern($1, pppd_etc_t) +-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +-files_search_tmp(NetworkManager_t) ++manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) ++files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) ++ ++manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -- manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t) -+ admin_pattern($1, pppd_etc_rw_t) + manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +@@ -63,6 +68,8 @@ + kernel_read_network_state(NetworkManager_t) + kernel_read_kernel_sysctls(NetworkManager_t) + kernel_load_module(NetworkManager_t) ++kernel_read_debugfs(NetworkManager_t) ++kernel_rw_net_sysctls(NetworkManager_t) -- manage_files_pattern($1, pppd_secret_t, pppd_secret_t) -+ admin_pattern($1, pppd_secret_t) + corenet_all_recvfrom_unlabeled(NetworkManager_t) + 
corenet_all_recvfrom_netlabel(NetworkManager_t) +@@ -81,13 +88,18 @@ + corenet_sendrecv_isakmp_server_packets(NetworkManager_t) + corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) + corenet_sendrecv_all_client_packets(NetworkManager_t) ++corenet_rw_tun_tap_dev(NetworkManager_t) ++corenet_getattr_ppp_dev(NetworkManager_t) - files_list_pids($1) -- manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) -+ admin_pattern($1, pppd_var_run_t) + dev_read_sysfs(NetworkManager_t) + dev_read_rand(NetworkManager_t) + dev_read_urand(NetworkManager_t) ++dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) ++dev_getattr_all_chr_files(NetworkManager_t) - allow $1 pptp_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, pptp_t) + fs_getattr_all_fs(NetworkManager_t) + fs_search_auto_mountpoints(NetworkManager_t) ++fs_list_inotifyfs(NetworkManager_t) -- manage_files_pattern($1, pptp_log_t, pptp_log_t) -+ admin_pattern($1, pptp_log_t) + mls_file_read_all_levels(NetworkManager_t) -- manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) -+ admin_pattern($1, pptp_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.12/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ppp.te 2009-04-07 16:01:44.000000000 -0400 -@@ -37,8 +37,8 @@ - type pppd_etc_rw_t; - files_type(pppd_etc_rw_t) +@@ -98,15 +110,19 @@ --type pppd_script_exec_t; --files_type(pppd_script_exec_t) -+type pppd_initrc_exec_t; -+files_type(pppd_initrc_exec_t) + domain_use_interactive_fds(NetworkManager_t) + domain_read_confined_domains_state(NetworkManager_t) +-domain_dontaudit_read_all_domains_state(NetworkManager_t) - # pppd_secret_t is the type of the pap and chap password files - type pppd_secret_t; -@@ -114,6 +114,8 @@ - # Access secret files - allow pppd_t pppd_secret_t:file read_file_perms; + 
files_read_etc_files(NetworkManager_t) + files_read_etc_runtime_files(NetworkManager_t) + files_read_usr_files(NetworkManager_t) -+ppp_initrc_domtrans(pppd_t) ++storage_getattr_fixed_disk_dev(NetworkManager_t) + - kernel_read_kernel_sysctls(pppd_t) - kernel_read_system_state(pppd_t) - kernel_rw_net_sysctls(pppd_t) -@@ -161,6 +163,7 @@ + init_read_utmp(NetworkManager_t) ++init_dontaudit_write_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) - init_read_utmp(pppd_t) - init_dontaudit_write_utmp(pppd_t) -+init_signal_script(pppd_t) ++auth_use_nsswitch(NetworkManager_t) ++ + logging_send_syslog_msg(NetworkManager_t) - auth_use_nsswitch(pppd_t) + miscfiles_read_localization(NetworkManager_t) +@@ -116,25 +132,40 @@ -@@ -174,7 +177,6 @@ + seutil_read_config(NetworkManager_t) - userdom_use_user_terminals(pppd_t) - userdom_dontaudit_use_unpriv_user_fds(pppd_t) --# for ~/.ppprc - if it actually exists then you need some policy to read it - userdom_search_user_home_dirs(pppd_t) +-sysnet_domtrans_ifconfig(NetworkManager_t) +-sysnet_domtrans_dhcpc(NetworkManager_t) +-sysnet_signal_dhcpc(NetworkManager_t) +-sysnet_read_dhcpc_pid(NetworkManager_t) ++sysnet_etc_filetrans_config(NetworkManager_t) + sysnet_delete_dhcpc_pid(NetworkManager_t) +-sysnet_search_dhcp_state(NetworkManager_t) +-# in /etc created by NetworkManager will be labelled net_conf_t. 
++sysnet_domtrans_dhcpc(NetworkManager_t) ++sysnet_domtrans_ifconfig(NetworkManager_t) ++sysnet_kill_dhcpc(NetworkManager_t) + sysnet_manage_config(NetworkManager_t) +-sysnet_etc_filetrans_config(NetworkManager_t) ++sysnet_read_dhcp_config(NetworkManager_t) ++sysnet_read_dhcpc_pid(NetworkManager_t) ++sysnet_delete_dhcpc_state(NetworkManager_t) ++sysnet_read_dhcpc_state(NetworkManager_t) ++sysnet_signal_dhcpc(NetworkManager_t) - ppp_exec(pppd_t) -@@ -191,6 +193,8 @@ ++userdom_stream_connect(NetworkManager_t) + userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) + userdom_dontaudit_use_user_ttys(NetworkManager_t) + # Read gnome-keyring + userdom_read_user_home_content_files(NetworkManager_t) ++userdom_dgram_send(NetworkManager_t) ++ ++cron_read_system_job_lib_files(NetworkManager_t) ++ ++optional_policy(` ++ avahi_domtrans(NetworkManager_t) ++ avahi_kill(NetworkManager_t) ++ avahi_signal(NetworkManager_t) ++ avahi_signull(NetworkManager_t) ++') optional_policy(` - mta_send_mail(pppd_t) -+ mta_system_content(pppd_etc_t) -+ mta_system_content(pppd_etc_rw_t) + bind_domtrans(NetworkManager_t) + bind_manage_cache(NetworkManager_t) ++ bind_kill(NetworkManager_t) + bind_signal(NetworkManager_t) ++ bind_signull(NetworkManager_t) ') optional_policy(` -@@ -214,7 +218,7 @@ - # PPTP Local policy - # - --allow pptp_t self:capability net_raw; -+allow pptp_t self:capability { net_raw net_admin }; - dontaudit pptp_t self:capability sys_tty_config; - allow pptp_t self:process signal; - allow pptp_t self:fifo_file rw_fifo_file_perms; -@@ -222,14 +226,16 @@ - allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow pptp_t self:rawip_socket create_socket_perms; - allow pptp_t self:tcp_socket create_socket_perms; -+allow pptp_t self:udp_socket create_socket_perms; -+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - - allow pptp_t pppd_etc_t:dir list_dir_perms; - allow pptp_t pppd_etc_t:file read_file_perms; --allow pptp_t 
pppd_etc_t:lnk_file { getattr read }; -+allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -146,8 +177,25 @@ + ') - allow pptp_t pppd_etc_rw_t:dir list_dir_perms; - allow pptp_t pppd_etc_rw_t:file read_file_perms; --allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; -+allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; - can_exec(pptp_t, pppd_etc_rw_t) + optional_policy(` +- dbus_system_bus_client(NetworkManager_t) +- dbus_connect_system_bus(NetworkManager_t) ++ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) ++ ++ optional_policy(` ++ consolekit_dbus_chat(NetworkManager_t) ++ ') ++') ++ ++optional_policy(` ++ dnsmasq_read_pid_files(NetworkManager_t) ++ dnsmasq_delete_pid_files(NetworkManager_t) ++ dnsmasq_domtrans(NetworkManager_t) ++ dnsmasq_initrc_domtrans(NetworkManager_t) ++ dnsmasq_kill(NetworkManager_t) ++ dnsmasq_signal(NetworkManager_t) ++ dnsmasq_signull(NetworkManager_t) ++') ++ ++optional_policy(` ++ hal_write_log(NetworkManager_t) + ') - # Allow pptp to append to pppd log files -@@ -245,9 +251,13 @@ - kernel_list_proc(pptp_t) - kernel_read_kernel_sysctls(pptp_t) - kernel_read_proc_symlinks(pptp_t) -+kernel_read_system_state(pptp_t) + optional_policy(` +@@ -155,23 +203,50 @@ + ') - dev_read_sysfs(pptp_t) + optional_policy(` +- nis_use_ypbind(NetworkManager_t) ++ iptables_domtrans(NetworkManager_t) + ') -+corecmd_exec_shell(pptp_t) -+corecmd_read_bin_symlinks(pptp_t) -+ - corenet_all_recvfrom_unlabeled(pptp_t) - corenet_all_recvfrom_netlabel(pptp_t) - corenet_tcp_sendrecv_generic_if(pptp_t) -@@ -263,17 +273,21 @@ - fs_getattr_all_fs(pptp_t) - fs_search_auto_mountpoints(pptp_t) - -+files_read_etc_files(pptp_t) -+ - term_ioctl_generic_ptys(pptp_t) - term_search_ptys(pptp_t) - term_use_ptmx(pptp_t) - - domain_use_interactive_fds(pptp_t) - -+auth_use_nsswitch(pptp_t) + optional_policy(` +- nscd_socket_use(NetworkManager_t) ++ nscd_domtrans(NetworkManager_t) + nscd_signal(NetworkManager_t) ++ nscd_signull(NetworkManager_t) ++ 
nscd_kill(NetworkManager_t) ++ nscd_initrc_domtrans(NetworkManager_t) ++') + - logging_send_syslog_msg(pptp_t) - - miscfiles_read_localization(pptp_t) - --sysnet_read_config(pptp_t) -+sysnet_exec_ifconfig(pptp_t) ++optional_policy(` ++ # Dispatcher starting and stoping ntp ++ ntp_initrc_domtrans(NetworkManager_t) + ') - userdom_dontaudit_use_unpriv_user_fds(pptp_t) - userdom_dontaudit_search_user_home_dirs(pptp_t) -@@ -283,11 +297,15 @@ + optional_policy(` + openvpn_domtrans(NetworkManager_t) ++ openvpn_kill(NetworkManager_t) + openvpn_signal(NetworkManager_t) ++ openvpn_signull(NetworkManager_t) ') optional_policy(` -- hostname_exec(pptp_t) -+ dbus_system_domain(pppd_t, pppd_exec_t) ++ polkit_domtrans_auth(NetworkManager_t) ++ polkit_read_lib(NetworkManager_t) ++ polkit_read_reload(NetworkManager_t) ++ userdom_read_all_users_state(NetworkManager_t) ++') + -+ optional_policy(` -+ networkmanager_dbus_chat(pppd_t) -+ ') ++optional_policy(` ++ ppp_initrc_domtrans(NetworkManager_t) + ppp_domtrans(NetworkManager_t) + ppp_read_pid_files(NetworkManager_t) ++ ppp_kill(NetworkManager_t) + ppp_signal(NetworkManager_t) ++ ppp_signull(NetworkManager_t) ++ ppp_read_config(NetworkManager_t) ++') ++ ++optional_policy(` ++ rpm_exec(NetworkManager_t) ++ rpm_read_db(NetworkManager_t) ++ rpm_dontaudit_manage_db(NetworkManager_t) ') optional_policy(` -- nscd_socket_use(pptp_t) -+ hostname_exec(pptp_t) +@@ -179,12 +254,15 @@ ') optional_policy(` -@@ -301,6 +319,3 @@ ++ udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) + ') + optional_policy(` - postfix_read_config(pppd_t) + vpn_domtrans(NetworkManager_t) ++ vpn_kill(NetworkManager_t) + vpn_signal(NetworkManager_t) ++ vpn_signull(NetworkManager_t) ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.12/policy/modules/services/nis.fc +--- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 
11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/nis.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,9 +1,13 @@ - --# FIXME: --domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.12/policy/modules/services/prelude.fc ---- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/prelude.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,3 +1,9 @@ -+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) -+ -+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) -+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) -+ - /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) ++/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) -@@ -5,7 +11,15 @@ + /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) ++/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) -+ - /var/run/prelude-manager(/.*)? 
gen_context(system_u:object_r:prelude_var_run_t,s0) + /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.12/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nis.if 2009-04-07 16:01:44.000000000 -0400 +@@ -28,7 +28,7 @@ + type var_yp_t; + ') - /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) - /var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -+ -+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) -+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) -+ -+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.12/policy/modules/services/prelude.if ---- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/prelude.if 2009-04-07 16:01:44.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # -@@ -42,7 +42,7 @@ - ## - ## - ## --## Domain allowed acccess. -+## Domain allowed to transition. 
- ## - ## - # -@@ -56,6 +56,45 @@ +- dontaudit $1 self:capability net_bind_service; ++ allow $1 self:capability net_bind_service; + + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; +@@ -49,8 +49,8 @@ + corenet_udp_bind_generic_node($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) +- corenet_tcp_bind_reserved_port($1) +- corenet_udp_bind_reserved_port($1) ++ corenet_dontaudit_tcp_bind_all_reserved_ports($1) ++ corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) + corenet_tcp_connect_portmap_port($1) +@@ -87,6 +87,25 @@ ######################################## ## -+## Read the prelude spool files ++## Use the nis to authenticate passwords +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## ++## +# -+interface(`prelude_read_spool',` -+ gen_require(` -+ type prelude_spool_t; ++interface(`nis_authenticate',` ++ tunable_policy(`allow_ypbind',` ++ nis_use_ypbind_uncond($1) ++ corenet_tcp_bind_all_rpc_ports($1) ++ corenet_udp_bind_all_rpc_ports($1) + ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## -+## Manage to prelude-manager spool files. + ## Execute ypbind in the ypbind domain. + ## + ## +@@ -244,3 +263,130 @@ + corecmd_search_bin($1) + domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) + ') ++ ++######################################## ++## ++## Execute nis server in the nis domain. +## +## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`nis_initrc_domtrans',` ++ gen_require(` ++ type nis_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, nis_initrc_exec_t) ++') ++ ++######################################## +## -+## Domain allowed to transition. ++## Execute nis server in the nis domain. 
+## ++## ++## ++## The type of the process performing this action. ++## +## +# -+interface(`prelude_manage_spool',` ++interface(`nis_ypbind_initrc_domtrans',` + gen_require(` -+ type prelude_spool_t; ++ type ypbind_initrc_exec_t; + ') + -+ files_search_spool($1) -+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) -+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t) ++ init_labeled_script_domtrans($1, ypbind_initrc_exec_t) +') + +######################################## +## - ## All of the rules required to administrate - ## an prelude environment - ## -@@ -64,6 +103,11 @@ - ## Domain allowed access. - ## - ## ++## All of the rules required to administrate ++## an nis environment ++##
++## ++## ++## Domain allowed access. ++## ++## +## +## -+## The role to be allowed to manage the syslog domain. ++## The role to be allowed to manage the nis domain. +## +## - ## - # - interface(`prelude_admin',` -@@ -71,6 +115,10 @@ - type prelude_t, prelude_spool_t; - type prelude_var_run_t, prelude_var_lib_t; - type prelude_audisp_t, prelude_audisp_var_run_t; -+ type prelude_initrc_exec_t; -+ -+ type prelude_lml_t, prelude_lml_tmp_t; -+ type prelude_lml_var_run_t; - ') - - allow $1 prelude_t:process { ptrace signal_perms }; -@@ -79,11 +127,18 @@ - allow $1 prelude_audisp_t:process { ptrace signal_perms }; - ps_process_pattern($1, prelude_audisp_t) - -- manage_files_pattern($1, prelude_spool_t, prelude_spool_t) -- -- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t) -- -- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t) -+ allow $1 prelude_lml_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, prelude_lml_t) - -- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t) -+ init_labeled_script_domtrans($1, prelude_initrc_exec_t) ++## ++# ++interface(`nis_admin',` ++ gen_require(` ++ type ypbind_t, yppasswdd_t; ++ type ypserv_t, ypxfr_t; ++ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; ++ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; ++ type ypbind_initrc_exec_t; ++ type nis_initrc_exec_t; ++ ') ++ ++ allow $1 ypbind_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypbind_t) ++ ++ allow $1 yppasswdd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, yppasswdd_t) ++ ++ allow $1 ypserv_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypserv_t) ++ ++ allow $1 ypxfr_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypxfr_t) ++ ++ nis_initrc_domtrans($1) ++ nis_ypbind_initrc_domtrans($1) + domain_system_change_exemption($1) -+ role_transition $2 prelude_initrc_exec_t system_r; ++ role_transition $2 nis_initrc_exec_t system_r; ++ role_transition $2 
ypbind_initrc_exec_t system_r; + allow $2 system_r; + -+ admin_pattern($1, prelude_spool_t) -+ admin_pattern($1, prelude_var_lib_t) -+ admin_pattern($1, prelude_var_run_t) -+ admin_pattern($1, prelude_audisp_var_run_t) -+ admin_pattern($1, prelude_lml_tmp_t) -+ admin_pattern($1, prelude_lml_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.12/policy/modules/services/prelude.te ---- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/prelude.te 2009-04-07 16:01:44.000000000 -0400 -@@ -13,25 +13,57 @@ - type prelude_spool_t; - files_type(prelude_spool_t) - -+type prelude_log_t; -+logging_log_file(prelude_log_t) ++ files_list_tmp($1) ++ admin_pattern($1, ypbind_tmp_t) + - type prelude_var_run_t; - files_pid_file(prelude_var_run_t) - - type prelude_var_lib_t; - files_type(prelude_var_lib_t) - -+type prelude_initrc_exec_t; -+init_script_file(prelude_initrc_exec_t) ++ files_list_pids($1) ++ admin_pattern($1, ypbind_var_run_t) + - type prelude_audisp_t; - type prelude_audisp_exec_t; - init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) -+typealias prelude_audisp_t alias audisp_prelude_t; -+typealias prelude_audisp_exec_t alias audisp_prelude_exec_t; - - type prelude_audisp_var_run_t; - files_pid_file(prelude_audisp_var_run_t) -+typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t; ++ admin_pattern($1, yppasswdd_var_run_t) + -+type prelude_lml_t; -+type prelude_lml_exec_t; -+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) ++ files_list_etc($1) ++ admin_pattern($1, ypserv_conf_t) + -+type prelude_lml_var_run_t; -+files_pid_file(prelude_lml_var_run_t) ++ admin_pattern($1, ypserv_tmp_t) ++ ++ admin_pattern($1, ypserv_var_run_t) ++') + -+type prelude_lml_tmp_t; -+files_tmp_file(prelude_lml_tmp_t) + +######################################## ++## ++## Execute ypbind in the 
ypbind domain, and ++## allow the specified role the ypbind domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the ypbind domain. ++## ++## ++## +# -+# prelude_correlator declarations -+# ++interface(`nis_run_ypbind',` ++ gen_require(` ++ type ypbind_t; ++ ') + -+type prelude_correlator_t; -+type prelude_correlator_exec_t; -+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) -+role system_r types prelude_correlator_t; ++ nis_domtrans_ypbind($1) ++ role $2 types ypbind_t; ++') + -+type prelude_correlator_config_t; -+files_config_file(prelude_correlator_config_t) - - ######################################## - # - # prelude local policy - # - --allow prelude_t self:capability sys_tty_config; -+allow prelude_t self:capability { dac_override sys_tty_config }; - allow prelude_t self:fifo_file rw_file_perms; - allow prelude_t self:unix_stream_socket create_stream_socket_perms; - allow prelude_t self:netlink_route_socket r_netlink_socket_perms; -@@ -49,6 +81,9 @@ - manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) - files_pid_filetrans(prelude_t, prelude_var_run_t, file) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te +--- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-04-07 16:01:44.000000000 -0400 +@@ -13,6 +13,9 @@ + type ypbind_exec_t; + init_daemon_domain(ypbind_t, ypbind_exec_t) -+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) -+logging_log_filetrans(prelude_t, prelude_log_t, file) ++type ypbind_initrc_exec_t; ++init_script_file(ypbind_initrc_exec_t) + - corecmd_search_bin(prelude_t) - - corenet_all_recvfrom_unlabeled(prelude_t) -@@ -56,15 +91,25 @@ - corenet_tcp_sendrecv_generic_if(prelude_t) - corenet_tcp_sendrecv_generic_node(prelude_t) - 
corenet_tcp_bind_generic_node(prelude_t) -+corenet_tcp_bind_prelude_port(prelude_t) -+corenet_tcp_connect_prelude_port(prelude_t) -+corenet_tcp_connect_postgresql_port(prelude_t) + type ypbind_tmp_t; + files_tmp_file(ypbind_tmp_t) - dev_read_rand(prelude_t) - dev_read_urand(prelude_t) +@@ -44,6 +47,9 @@ + type ypxfr_exec_t; + init_daemon_domain(ypxfr_t, ypxfr_exec_t) -+kernel_read_system_state(prelude_t) -+kernel_read_sysctl(prelude_t) ++type nis_initrc_exec_t; ++init_script_file(nis_initrc_exec_t) + - # Init script handling - domain_use_interactive_fds(prelude_t) + ######################################## + # + # ypbind local policy +@@ -111,6 +117,16 @@ + userdom_dontaudit_search_user_home_dirs(ypbind_t) - files_read_etc_files(prelude_t) -+files_read_etc_runtime_files(prelude_t) - files_read_usr_files(prelude_t) -+files_search_tmp(prelude_t) + optional_policy(` ++ dbus_system_bus_client(ypbind_t) ++ dbus_connect_system_bus(ypbind_t) ++ init_dbus_chat_script(ypbind_t) + -+fs_rw_anon_inodefs_files(prelude_t) - - auth_use_nsswitch(prelude_t) ++ optional_policy(` ++ networkmanager_dbus_chat(ypbind_t) ++ ') ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ypbind_t) + ') -@@ -86,7 +131,7 @@ - # - # prelude_audisp local policy +@@ -123,6 +139,7 @@ + # yppasswdd local policy # -- -+allow prelude_audisp_t self:capability dac_override; - allow prelude_audisp_t self:fifo_file rw_file_perms; - allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; - allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -@@ -107,6 +152,7 @@ - corenet_tcp_sendrecv_generic_if(prelude_audisp_t) - corenet_tcp_sendrecv_generic_node(prelude_audisp_t) - corenet_tcp_bind_generic_node(prelude_audisp_t) -+corenet_tcp_connect_prelude_port(prelude_audisp_t) - dev_read_rand(prelude_audisp_t) - dev_read_urand(prelude_audisp_t) -@@ -114,12 +160,135 @@ - # Init script handling - domain_use_interactive_fds(prelude_audisp_t) ++allow yppasswdd_t self:capability dac_override; 
+ dontaudit yppasswdd_t self:capability sys_tty_config; + allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { setfscreate signal_perms }; +@@ -153,8 +170,8 @@ + corenet_udp_sendrecv_all_ports(yppasswdd_t) + corenet_tcp_bind_generic_node(yppasswdd_t) + corenet_udp_bind_generic_node(yppasswdd_t) +-corenet_tcp_bind_reserved_port(yppasswdd_t) +-corenet_udp_bind_reserved_port(yppasswdd_t) ++corenet_tcp_bind_all_rpc_ports(yppasswdd_t) ++corenet_udp_bind_all_rpc_ports(yppasswdd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) + corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) + corenet_sendrecv_generic_server_packets(yppasswdd_t) +@@ -241,6 +258,8 @@ + corenet_udp_bind_generic_node(ypserv_t) + corenet_tcp_bind_reserved_port(ypserv_t) + corenet_udp_bind_reserved_port(ypserv_t) ++corenet_tcp_bind_all_rpc_ports(ypserv_t) ++corenet_udp_bind_all_rpc_ports(ypserv_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) + corenet_sendrecv_generic_server_packets(ypserv_t) +@@ -306,6 +325,8 @@ + corenet_udp_bind_generic_node(ypxfr_t) + corenet_tcp_bind_reserved_port(ypxfr_t) + corenet_udp_bind_reserved_port(ypxfr_t) ++corenet_tcp_bind_all_rpc_ports(ypxfr_t) ++corenet_udp_bind_all_rpc_ports(ypxfr_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) + corenet_tcp_connect_all_ports(ypxfr_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.12/policy/modules/services/nscd.fc +--- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/nscd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,3 +1,4 @@ ++/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) -+kernel_read_sysctl(prelude_audisp_t) 
-+kernel_read_system_state(prelude_audisp_t) -+ - files_read_etc_files(prelude_audisp_t) -+files_read_etc_runtime_files(prelude_audisp_t) -+files_search_tmp(prelude_audisp_t) - - logging_send_syslog_msg(prelude_audisp_t) -+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) + /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - miscfiles_read_localization(prelude_audisp_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.12/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nscd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -58,6 +58,42 @@ -+sysnet_dns_name_resolve(prelude_audisp_t) -+ -+######################################## -+# -+# prelude_correlator local policy -+# -+ -+allow prelude_correlator_t self:capability dac_override; -+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; -+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; -+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; -+ -+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; -+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) -+ -+prelude_manage_spool(prelude_correlator_t) -+ -+corecmd_search_bin(prelude_correlator_t) -+ -+corenet_all_recvfrom_unlabeled(prelude_correlator_t) -+corenet_all_recvfrom_netlabel(prelude_correlator_t) -+corenet_tcp_sendrecv_generic_if(prelude_correlator_t) -+corenet_tcp_sendrecv_generic_node(prelude_correlator_t) -+corenet_tcp_connect_prelude_port(prelude_correlator_t) -+ -+kernel_read_sysctl(prelude_correlator_t) -+ -+dev_read_rand(prelude_correlator_t) -+dev_read_urand(prelude_correlator_t) -+ -+files_read_etc_files(prelude_correlator_t) -+files_read_usr_files(prelude_correlator_t) 
-+files_search_spool(prelude_correlator_t) -+ -+logging_send_syslog_msg(prelude_correlator_t) -+ -+miscfiles_read_localization(prelude_correlator_t) -+ -+sysnet_dns_name_resolve(prelude_correlator_t) -+ -+######################################## -+# -+# prelude_lml local declarations -+# -+ -+allow prelude_lml_t self:capability dac_override; -+ -+# Init script handling -+domain_use_interactive_fds(prelude_lml_t) -+ -+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; -+allow prelude_lml_t self:unix_dgram_socket { write create connect }; -+allow prelude_lml_t self:fifo_file rw_fifo_file_perms; -+allow prelude_lml_t self:unix_stream_socket connectto; -+ -+files_list_tmp(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) -+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) -+ -+files_search_spool(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) -+ -+files_search_var_lib(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) -+ -+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) -+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) -+ -+corecmd_exec_bin(prelude_lml_t) -+ -+corenet_tcp_sendrecv_generic_if(prelude_lml_t) -+corenet_tcp_sendrecv_generic_node(prelude_lml_t) -+corenet_tcp_recvfrom_netlabel(prelude_lml_t) -+corenet_tcp_recvfrom_unlabeled(prelude_lml_t) -+corenet_sendrecv_unlabeled_packets(prelude_lml_t) -+corenet_tcp_connect_prelude_port(prelude_lml_t) -+ -+dev_read_rand(prelude_lml_t) -+dev_read_urand(prelude_lml_t) -+ -+kernel_read_system_state(prelude_lml_t) -+kernel_read_sysctl(prelude_lml_t) -+ -+files_list_etc(prelude_lml_t) 
-+files_read_etc_files(prelude_lml_t) -+files_read_etc_runtime_files(prelude_lml_t) -+ -+files_search_spool(prelude_lml_t) -+files_search_usr(prelude_lml_t) -+files_search_var_lib(prelude_lml_t) -+ -+fs_list_inotifyfs(prelude_lml_t) -+fs_read_anon_inodefs_files(prelude_lml_t) -+fs_rw_anon_inodefs_files(prelude_lml_t) -+ -+auth_use_nsswitch(prelude_lml_t) -+ -+libs_exec_lib_files(prelude_lml_t) -+libs_read_lib_files(prelude_lml_t) -+ -+logging_send_syslog_msg(prelude_lml_t) -+logging_read_generic_logs(prelude_lml_t) -+ -+miscfiles_read_localization(prelude_lml_t) -+ -+sysnet_dns_name_resolve(prelude_lml_t) -+ -+userdom_read_all_users_state(prelude_lml_t) -+ -+optional_policy(` -+ apache_search_sys_content(prelude_lml_t) -+ apache_read_log(prelude_lml_t) -+') -+ ######################################## - # - # prewikka_cgi Declarations -@@ -128,6 +297,20 @@ - optional_policy(` - apache_content_template(prewikka) - files_read_etc_files(httpd_prewikka_script_t) -+ files_search_tmp(httpd_prewikka_script_t) -+ -+ kernel_read_sysctl(httpd_prewikka_script_t) -+ kernel_search_network_sysctl(httpd_prewikka_script_t) -+ -+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) -+ -+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) -+ -+ auth_use_nsswitch(httpd_prewikka_script_t) -+ -+ logging_send_syslog_msg(httpd_prewikka_script_t) -+ -+ apache_search_sys_content(httpd_prewikka_script_t) - - optional_policy(` - mysql_search_db(httpd_prewikka_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-07 16:01:44.000000000 -0400 -@@ -77,6 +77,7 @@ - files_read_usr_files(procmail_t) - - logging_send_syslog_msg(procmail_t) -+logging_append_all_logs(procmail_t) - - 
miscfiles_read_localization(procmail_t) - -@@ -92,6 +93,7 @@ - userdom_dontaudit_search_user_home_dirs(procmail_t) - - mta_manage_spool(procmail_t) -+mta_read_queue(procmail_t) - - ifdef(`hide_broken_symptoms',` - mta_dontaudit_rw_queue(procmail_t) -@@ -128,6 +130,10 @@ - ') - - optional_policy(` -+ nagios_search_spool(procmail_t) -+') -+ -+optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.12/policy/modules/services/psad.fc ---- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/psad.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,17 @@ -+ -+ -+/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) -+ -+/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) -+ -+/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) -+ -+#/usr/sbin/psadwatchd -- gen_context(system_u:object_r:psadwatchd_exec_t,s0) -+ -+#/usr/sbin/kmsgsd -- gen_context(system_u:object_r:kmsgsd_exec_t,s0) -+ -+/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) -+ -+/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) -+ -+/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.12/policy/modules/services/psad.if ---- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/psad.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,304 @@ -+## Psad SELinux policy -+ -+######################################## -+## -+## Execute a domain transition to run psad. + ## ++## Send NSCD the kill signal. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`psad_domtrans',` ++interface(`nscd_kill',` + gen_require(` -+ type psad_t, psad_exec_t; ++ type nscd_t; + ') + -+ domtrans_pattern($1, psad_exec_t, psad_t) ++ allow $1 nscd_t:process sigkill; +') + +######################################## +## -+## Read and write psad UDP sockets. ++## Send signulls to NSCD. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`psad_rw_udp_sockets',` -+ gen_require(` -+ type psad_t; -+ ') ++interface(`nscd_signull',` ++ gen_require(` ++ type nscd_t; ++ ') + -+ allow $1 psad_t:udp_socket { read write }; ++ allow $1 nscd_t:process signull; +') + +######################################## +## -+## Read and write psad packet sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`psad_rw_packet_sockets',` -+ gen_require(` -+ type psad_t; -+ ') -+ -+ allow $1 psad_t:packet_socket { read write }; -+') + ## Use NSCD services by connecting using + ## a unix stream socket. + ## +@@ -70,15 +106,14 @@ + interface(`nscd_socket_use',` + gen_require(` + type nscd_t, nscd_var_run_t; +- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; ++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; + ') + + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_t:fd use; +- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; +- ++ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + dontaudit $1 nscd_var_run_t:file { getattr read }; +@@ -198,3 +233,60 @@ + nscd_domtrans($1) + role $2 types nscd_t; + ') + +######################################## +## -+## Send a generic signal to psad ++## Execute nscd server in the nscd domain. +## +## -+## -+## Domain allowed access. 
-+## ++## ++## The type of the process performing this action. ++## +## +# -+interface(`psad_signal',` -+ gen_require(` -+ type psad_t; -+ ') ++interface(`nscd_initrc_domtrans',` ++ gen_require(` ++ type nscd_initrc_exec_t; ++') + -+ allow $1 psad_t:process signal; ++ init_labeled_script_domtrans($1, nscd_initrc_exec_t) +') + -+####################################### ++######################################## +## -+## Send a null signal to psad. ++## All of the rules required to administrate ++## an nscd environment +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the nscd domain. ++## +## ++## +# -+interface(`psad_signull',` -+ gen_require(` -+ type psad_t; ++interface(`nscd_admin',` ++ gen_require(` ++ type nscd_t, nscd_log_t, nscd_var_run_t; ++ type nscd_initrc_exec_t; + ') + -+ allow $1 psad_t:process signull; ++ allow $1 nscd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nscd_t) ++ ++ nscd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 nscd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_list_logs($1) ++ admin_pattern($1, nscd_log_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, nscd_var_run_t) +') + -+######################################## -+## -+## Read psad etc configuration files. 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.12/policy/modules/services/nscd.te +--- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nscd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -20,6 +20,9 @@ + type nscd_exec_t; + init_daemon_domain(nscd_t, nscd_exec_t) + ++type nscd_initrc_exec_t; ++init_script_file(nscd_initrc_exec_t) ++ + type nscd_log_t; + logging_log_file(nscd_log_t) + +@@ -28,14 +31,14 @@ + # Local policy + # + +-allow nscd_t self:capability { kill setgid setuid audit_write }; ++allow nscd_t self:capability { kill setgid setuid }; + dontaudit nscd_t self:capability sys_tty_config; +-allow nscd_t self:process { getattr setsched signal_perms }; ++allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; + allow nscd_t self:fifo_file read_fifo_file_perms; + allow nscd_t self:unix_stream_socket create_stream_socket_perms; + allow nscd_t self:unix_dgram_socket create_socket_perms; + allow nscd_t self:netlink_selinux_socket create_socket_perms; +-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ + allow nscd_t self:tcp_socket create_socket_perms; + allow nscd_t self:udp_socket create_socket_perms; + +@@ -50,6 +53,9 @@ + manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) + ++corecmd_search_bin(nscd_t) ++can_exec(nscd_t, nscd_exec_t) ++ + kernel_read_kernel_sysctls(nscd_t) + kernel_list_proc(nscd_t) + kernel_read_proc_symlinks(nscd_t) +@@ -60,6 +66,7 @@ + + fs_getattr_all_fs(nscd_t) + fs_search_auto_mountpoints(nscd_t) ++fs_list_inotifyfs(nscd_t) + + # for when /etc/passwd has just been updated and has the wrong type + auth_getattr_shadow(nscd_t) +@@ -73,6 +80,7 @@ + corenet_udp_sendrecv_generic_node(nscd_t) + corenet_tcp_sendrecv_all_ports(nscd_t) + 
corenet_udp_sendrecv_all_ports(nscd_t) ++corenet_udp_bind_generic_node(nscd_t) + corenet_tcp_connect_all_ports(nscd_t) + corenet_sendrecv_all_client_packets(nscd_t) + corenet_rw_tun_tap_dev(nscd_t) +@@ -84,12 +92,14 @@ + selinux_compute_relabel_context(nscd_t) + selinux_compute_user_contexts(nscd_t) + domain_use_interactive_fds(nscd_t) ++domain_search_all_domains_state(nscd_t) + + files_read_etc_files(nscd_t) + files_read_generic_tmp_symlinks(nscd_t) + # Needed to read files created by firstboot "/etc/hesiod.conf" + files_read_etc_runtime_files(nscd_t) + ++logging_send_audit_msgs(nscd_t) + logging_send_syslog_msg(nscd_t) + + miscfiles_read_localization(nscd_t) +@@ -105,6 +115,14 @@ + userdom_dontaudit_search_user_home_dirs(nscd_t) + + optional_policy(` ++ cron_read_system_job_tmp_files(nscd_t) ++') ++ ++optional_policy(` ++ kerberos_use(nscd_t) ++') ++ ++optional_policy(` + udev_read_db(nscd_t) + ') + +@@ -112,3 +130,12 @@ + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) + ') ++ ++optional_policy(` ++ tunable_policy(`samba_domain_controller',` ++ samba_append_log(nscd_t) ++ samba_dontaudit_use_fds(nscd_t) ++ ') ++ samba_read_config(nscd_t) ++ samba_read_var_files(nscd_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.12/policy/modules/services/ntp.if +--- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ntp.if 2009-04-07 16:01:44.000000000 -0400 +@@ -37,6 +37,32 @@ + + ######################################## + ## ++## Execute ntp in the ntp domain, and ++## allow the specified role the ntp domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+## ++## ++## ++## The role to be allowed the ntp domain. 
++## ++## ++## +# -+interface(`psad_read_etc',` -+ gen_require(` -+ type psad_etc_t; -+ ') ++interface(`ntp_run',` ++ gen_require(` ++ type ntpd_t; ++ ') + -+ files_search_etc($1) -+ read_files_pattern($1, psad_etc_t, psad_etc_t) ++ ntp_domtrans($1) ++ role $2 types ntpd_t; +') + +######################################## +## -+## Manage psad etc configuration files. + ## Execute ntp server in the ntpd domain. + ## + ## +@@ -56,6 +82,63 @@ + + ######################################## + ## ++## Execute ntp server in the ntpd domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## The type of the process performing this action. ++## +## -+## +# -+interface(`psad_manage_etc',` -+ gen_require(` -+ type psad_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t) -+ manage_files_pattern($1, psad_etc_t, psad_etc_t) ++interface(`ntp_initrc_domtrans',` ++ gen_require(` ++ type ntpd_initrc_exec_t; ++ ') + ++ init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + -+######################################## ++####################################### +## -+## Read psad PID files. ++## Read/write ntpdd tmpfs files. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## -+## +# -+interface(`psad_read_pid_files',` ++interface(`ntpd_rw_tmpfs_files',` + gen_require(` -+ type psad_var_run_t; ++ type ntpd_tmpfs_t; + ') + -+ files_search_pids($1) -+ read_files_pattern($1, psad_var_run_t, psad_var_run_t) ++ fs_search_tmpfs($1) ++ list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t) ++ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) ++ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) +') + +######################################## -+## -+## Read psad PID files. ++## ++## Read and write to ntpd shared memory. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. 
+## +## -+## +# -+interface(`psad_rw_pid_files',` ++interface(`ntpd_rw_shm',` + gen_require(` -+ type psad_var_run_t; ++ type ntpd_t; + ') + -+ files_search_pids($1) -+ rw_files_pattern($1, psad_var_run_t, psad_var_run_t) ++ allow $1 ntpd_t:shm rw_shm_perms; +') + +######################################## +## -+## Allow the specified domain to read psad's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`psad_read_log',` -+ gen_require(` -+ type psad_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) -+ read_files_pattern($1, psad_var_log_t, psad_var_log_t) -+') + ## All of the rules required to administrate + ## an ntp environment + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.12/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ntp.te 2009-04-07 16:01:44.000000000 -0400 +@@ -25,6 +25,9 @@ + type ntpd_tmp_t; + files_tmp_file(ntpd_tmp_t) + ++type ntpd_tmpfs_t; ++files_tmpfs_file(ntpd_tmpfs_t) + -+######################################## -+## -+## Allow the specified domain to append to psad's log files. -+## -+## -+## -+## Domain allowed access. 
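Review bot: Two of the three interfaces added in the `@@ -56,6 +82,63 @@` hunk of ntp.if are named `ntpd_rw_tmpfs_files` and `ntpd_rw_shm`, while the module's other interfaces (`ntp_domtrans`, `ntp_run`, `ntp_initrc_domtrans` in the same hunk) use the `ntp_` prefix that callers look up by module name; rename them `ntp_rw_tmpfs_files` and `ntp_rw_shm` before anything outside the module starts depending on them. `ntpd_rw_shm` hands `$1` `rw_shm_perms` on segments owned by `ntpd_t` (created via `self:shm create_shm_perms` in ntp.te), which is fine as an opt-in interface, but its summary should name the intended peer rather than just "Read and write to ntpd shared memory". The `ntpd_rw_tmpfs_files` summary reads `Read/write ntpdd tmpfs files` (typo), and `list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t)` lacks the spaces after commas that the neighbouring `rw_files_pattern` line uses.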
-+## -+## -+## -+## -+# -+interface(`psad_append_log',` -+ gen_require(` -+ type psad_var_log_t; -+ ') + type ntpd_var_run_t; + files_pid_file(ntpd_var_run_t) + +@@ -38,10 +41,11 @@ + + # sys_resource and setrlimit is for locking memory + # ntpdate wants sys_nice +-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; ++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; + dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; + allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; + allow ntpd_t self:fifo_file rw_fifo_file_perms; ++allow ntpd_t self:shm create_shm_perms; + allow ntpd_t self:unix_dgram_socket create_socket_perms; + allow ntpd_t self:unix_stream_socket create_socket_perms; + allow ntpd_t self:tcp_socket create_stream_socket_perms; +@@ -52,6 +56,7 @@ + can_exec(ntpd_t,ntpd_exec_t) + + read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) ++read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + + allow ntpd_t ntpd_log_t:dir setattr; + manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) +@@ -62,6 +67,10 @@ + manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) + files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) + ++manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) ++manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) ++fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) + -+ logging_search_logs($1) -+ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) -+ append_files_pattern($1, psad_var_log_t, psad_var_log_t) + manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) + files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) + +@@ -90,6 +99,9 @@ + + fs_getattr_all_fs(ntpd_t) + fs_search_auto_mountpoints(ntpd_t) ++# Necessary to communicate with gpsd devices ++fs_rw_tmpfs_files(ntpd_t) ++fs_list_inotifyfs(ntpd_t) + + term_use_ptmx(ntpd_t) + 
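Review bot: The `@@ -38,10 +41,11 @@` hunk adds `ipc_owner` to ntpd_t's capability set and `allow ntpd_t self:shm create_shm_perms;` with no explanation, although the two existing comments above that line document every other unusual capability (`sys_resource`, `sys_nice`). `ipc_owner` bypasses SysV IPC ownership checks, so it deserves the same treatment; the gpsd rules added further down suggest the reason, e.g. `# ipc_owner and shm: SHM refclock segment shared with gpsd, which runs as another uid` — this is inferred from the gpsd interfaces, so confirm against the ntpd build before committing the comment.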
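Review bot: `fs_rw_tmpfs_files(ntpd_t)` in the `@@ -90,6 +99,9 @@` hunk grants read/write on every generic tmpfs file, which is much broader than the gpsd link the comment above it describes; the same patch introduces a private `ntpd_tmpfs_t` with `fs_tmpfs_filetrans` and adds `gpsd_rw_tmpfs_files(ntpd_t)` under `optional_policy` in the next hunk, so the generic rule looks redundant. Unless ntpd also has to touch unlabeled tmpfs content, drop it or narrow it, and reword the comment to `# gpsd shared-memory segment lives on tmpfs; see gpsd_rw_tmpfs_files below`. `fs_list_inotifyfs(ntpd_t)` in the same hunk is harmless but is also unrelated to gpsd and should not sit under that comment.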
+@@ -121,6 +133,11 @@ + ') + + optional_policy(` ++ gpsd_rw_shm(ntpd_t) ++ gpsd_rw_tmpfs_files(ntpd_t) +') + -+######################################## -+## -+## Read and write psad fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`psad_rw_fifo_file',` -+ gen_require(` -+ type psad_t; -+ ') -+ -+ files_search_var_lib($1) -+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) -+ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) -+') ++optional_policy(` + firstboot_dontaudit_use_fds(ntpd_t) + firstboot_dontaudit_rw_pipes(ntpd_t) + firstboot_dontaudit_rw_stream_sockets(ntpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.12/policy/modules/services/nx.te +--- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/nx.te 2009-04-07 16:01:44.000000000 -0400 +@@ -25,6 +25,9 @@ + type nx_server_var_run_t; + files_pid_file(nx_server_var_run_t) + ++type nx_server_home_ssh_t; ++files_type(nx_server_home_ssh_t) + -+####################################### -+## -+## Read and write psad tmp files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`psad_rw_tmp_files',` -+ gen_require(` -+ type psad_tmp_t; -+ ') + ######################################## + # + # NX server local policy +@@ -44,6 +47,9 @@ + manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) + files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + ++manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) ++manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) + -+ files_search_tmp($1) -+ rw_files_pattern($1, psad_tmp_t, psad_tmp_t) -+') + kernel_read_system_state(nx_server_t) + kernel_read_kernel_sysctls(nx_server_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.12/policy/modules/services/oddjob.fc +--- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/oddjob.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,4 +1,4 @@ +-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + + /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.12/policy/modules/services/oddjob.if +--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/oddjob.if 2009-04-07 16:01:44.000000000 -0400 +@@ -44,6 +44,7 @@ + ') + + domtrans_pattern(oddjob_t, $2, $1) ++ domain_user_exemption_target($1) + ') + + ######################################## +@@ -84,3 +85,28 @@ + + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + ') + +######################################## +## -+## All of the rules required to administrate -+## an psad environment ++## Execute 
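Review bot: The `@@ -44,6 +47,9 @@` hunk in nx.te gives nx_server_t manage rights on dirs and files of the new `nx_server_home_ssh_t`, but nothing in the patch shows how an object ever receives that label: the type is declared with plain `files_type()` in the previous hunk, no `file_contexts` entry is visible, and there is no `filetrans_pattern` from nx_server_t. Either the rules are dead, or the labelling happens elsewhere and is not visible here; if the files live under the nx user's home directory, consider declaring the type with `userdom_user_home_content(nx_server_home_ssh_t)` and adding a filetrans so the label is applied on creation. At minimum add a comment above the manage rules naming the path they are meant for. The enclosing nx.te policy section continues outside the hunk.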
the oddjob_mkhomedir program in the oddjob_mkhomedir domain. +## +## +## 
@@ -17734,736 +16198,512 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the syslog domain. ++## The role to allow the oddjob_mkhomedir domain. +## +## +## +# -+interface(`psad_admin',` ++interface(`oddjob_run_mkhomedir',` + gen_require(` -+ type psad_t, psad_var_run_t, psad_var_log_t; -+ type psad_initrc_exec_t, psad_var_lib_t; -+ type psad_tmp_t; ++ type oddjob_mkhomedir_t; + ') + -+ allow $1 psad_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, psad_t) -+ -+ init_labeled_script_domtrans($1, psad_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 psad_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_etc($1) -+ admin_pattern($1, psad_etc_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, psad_var_run_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, psad_var_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, psad_var_lib_t) -+ -+ files_search_tmp($1) -+ admin_pattern($1, psad_tmp_t) ++ oddjob_domtrans_mkhomedir($1) ++ role $2 types oddjob_mkhomedir_t; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.12/policy/modules/services/oddjob.te +--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/oddjob.te 2009-04-07 16:01:44.000000000 -0400 +@@ -10,14 +10,21 @@ + type oddjob_exec_t; + domain_type(oddjob_t) + init_daemon_domain(oddjob_t, oddjob_exec_t) ++domain_obj_id_change_exemption(oddjob_t) ++domain_role_change_exemption(oddjob_t) + domain_subj_id_change_exemption(oddjob_t) + + type oddjob_mkhomedir_t; + type oddjob_mkhomedir_exec_t; + domain_type(oddjob_mkhomedir_t) +-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) ++domain_obj_id_change_exemption(oddjob_mkhomedir_t) ++init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + 
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.12/policy/modules/services/psad.te ---- nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/psad.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,107 @@ -+policy_module(psad,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+type psad_t; -+type psad_exec_t; -+init_daemon_domain(psad_t, psad_exec_t) -+ -+type psad_initrc_exec_t; -+init_script_file(psad_initrc_exec_t) -+ -+# config files -+type psad_etc_t; -+files_config_file(psad_etc_t) -+ -+# var/lib files -+type psad_var_lib_t; -+files_type(psad_var_lib_t) + -+# log files -+type psad_var_log_t; -+logging_log_file(psad_var_log_t) + # pid files + type oddjob_var_run_t; + files_pid_file(oddjob_var_run_t) +@@ -65,13 +72,32 @@ + # oddjob_mkhomedir local policy + # + ++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; ++allow oddjob_mkhomedir_t self:process setfscreate; + allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; + allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + + files_read_etc_files(oddjob_mkhomedir_t) + ++kernel_read_system_state(oddjob_mkhomedir_t) + -+# pid files -+type psad_var_run_t; -+files_pid_file(psad_var_run_t) ++auth_use_nsswitch(oddjob_mkhomedir_t) + -+# tmp files -+type psad_tmp_t; -+files_tmp_file(psad_tmp_t) ++logging_send_syslog_msg(oddjob_mkhomedir_t) + -+######################################## -+# -+# psad local policy -+# + miscfiles_read_localization(oddjob_mkhomedir_t) + ++selinux_get_fs_mount(oddjob_mkhomedir_t) ++selinux_validate_context(oddjob_mkhomedir_t) ++selinux_compute_access_vector(oddjob_mkhomedir_t) 
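Review bot: In the `@@ -10,14 +10,21 @@` hunk of oddjob.te, `domain_obj_id_change_exemption(oddjob_t)` and `domain_role_change_exemption(oddjob_t)` are added beside the existing `domain_subj_id_change_exemption(oddjob_t)`, and `init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)` lets it run across the MCS range; together these exempt oddjobd from all of the user/role change constraints, putting it on a par with login programs. That is presumably deliberate, since oddjobd runs helpers on behalf of its callers, but the hunk carries no comment saying so; add one above the exemptions, e.g. `# oddjobd launches helpers in the requesting user's context (seuser, role, MCS range), so it is exempt from the identity-change constraints`. The closing `')` of the `ifdef(\`enable_mcs'` block appears in this listing without the inner `+` marker, so verify the patch file actually adds that line.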
++selinux_compute_create_context(oddjob_mkhomedir_t) ++selinux_compute_relabel_context(oddjob_mkhomedir_t) ++selinux_compute_user_contexts(oddjob_mkhomedir_t) + -+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; -+dontaudit psad_t self:capability { sys_tty_config }; -+allow psad_t self:process signull; ++seutil_read_config(oddjob_mkhomedir_t) ++seutil_read_file_contexts(oddjob_mkhomedir_t) ++seutil_read_default_contexts(oddjob_mkhomedir_t) + -+allow psad_t self:fifo_file rw_fifo_file_perms; -+allow psad_t self:rawip_socket create_socket_perms; + # Add/remove user home directories + userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) + userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.12/policy/modules/services/pads.fc +--- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pads.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,12 @@ + -+# config files -+read_files_pattern(psad_t,psad_etc_t,psad_etc_t) -+list_dirs_pattern(psad_t,psad_etc_t,psad_etc_t) ++/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) + -+# pid file -+manage_files_pattern(psad_t, psad_var_run_t,psad_var_run_t) -+manage_sock_files_pattern(psad_t, psad_var_run_t,psad_var_run_t) -+files_pid_filetrans(psad_t,psad_var_run_t, { file sock_file }) ++/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) + -+# log files -+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) -+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) -+logging_log_filetrans(psad_t,psad_var_log_t, { 
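Review bot: The `@@ -65,13 +72,32 @@` hunk grants oddjob_mkhomedir_t `self:process setfscreate`, `chown fowner fsetid dac_override`, and the `selinux_compute_*`/`seutil_read_*` set, and the earlier hunk adds `domain_obj_id_change_exemption(oddjob_mkhomedir_t)`; this lets the helper create files under an arbitrary file-creation context rather than its own, which is a notable privilege for a `userdom_manage_user_home_content_dirs` domain. The intent is presumably to label a new home directory per `file_contexts` with the target user's seuser, but nothing in the hunk says so; a comment above `setfscreate` such as `# mkhomedir computes the home dir label from file_contexts and sets the creation context so the new home carries the user's seuser` would make the grant reviewable. The `# Add/remove user home directories` comment that follows should probably also mention that the skeleton copy runs with `dac_override`.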
file dir }) ++/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) + -+# tmp files -+manage_dirs_pattern(psad_t,psad_tmp_t,psad_tmp_t) -+manage_files_pattern(psad_t,psad_tmp_t,psad_tmp_t) -+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) ++/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + -+# /var/lib files -+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) -+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.12/policy/modules/services/pads.if +--- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,10 @@ ++## SELinux policy for PADS daemon. ++## ++##

++## PADS is a libpcap based detection engine used to ++## passively detect network assets. It is designed to ++## complement IDS technology by providing context to IDS ++## alerts. ++##

++##
+ -+kernel_read_system_state(psad_t) -+kernel_read_network_state(psad_t) -+#kernel_read_kernel_sysctls(psad_t) -+kernel_read_net_sysctls(psad_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.12/policy/modules/services/pads.te +--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pads.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,65 @@ + -+corecmd_exec_shell(psad_t) -+corecmd_exec_bin(psad_t) ++policy_module(pads, 0.0.1) + -+auth_use_nsswitch(psad_t) ++######################################## ++# ++# Declarations ++# + -+corenet_tcp_connect_whois_port(psad_t) ++type pads_t; ++type pads_exec_t; ++init_daemon_domain(pads_t, pads_exec_t) ++role system_r types pads_t; + -+dev_read_urand(psad_t) ++type pads_initrc_exec_t; ++init_script_file(pads_initrc_exec_t) + -+files_read_etc_runtime_files(psad_t) ++type pads_config_t; ++files_config_file(pads_config_t) + -+fs_getattr_all_fs(psad_t) ++type pads_var_run_t; ++files_pid_file(pads_var_run_t) + -+libs_use_ld_so(psad_t) -+libs_use_shared_libs(psad_t) ++######################################## ++# ++# Declarations ++# + -+miscfiles_read_localization(psad_t) ++allow pads_t self:capability { dac_override net_raw }; ++allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; ++allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; ++allow pads_t self:udp_socket { create ioctl }; ++allow pads_t self:unix_dgram_socket { write create connect }; + -+logging_read_generic_logs(psad_t) -+logging_read_syslog_config(psad_t) -+logging_send_syslog_msg(psad_t) ++allow pads_t pads_config_t:file manage_file_perms; ++files_etc_filetrans(pads_t, pads_config_t, file) + -+#sysnet_domtrans_ifconfig(psad_t) -+sysnet_exec_ifconfig(psad_t) -+iptables_domtrans(psad_t) ++allow pads_t pads_var_run_t:file manage_file_perms; 
++files_pid_filetrans(pads_t, pads_var_run_t, file) + -+optional_policy(` -+ mta_send_mail(psad_t) -+ mta_read_queue(psad_t) -+') ++corecmd_search_bin(pads_t) + -+permissive psad_t; ++corenet_all_recvfrom_unlabeled(pads_t) ++corenet_all_recvfrom_netlabel(pads_t) ++corenet_tcp_sendrecv_generic_if(pads_t) ++corenet_tcp_sendrecv_generic_node(pads_t) + ++corenet_tcp_connect_prelude_port(pads_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,6 +1,8 @@ - /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - - HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - - /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) - /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.12/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pyzor.if 2009-04-07 16:01:44.000000000 -0400 -@@ -88,3 +88,50 @@ - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) - ') ++dev_read_rand(pads_t) ++dev_read_urand(pads_t) + -+######################################## -+## -+## All of the rules required to administrate -+## an pyzor environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the pyzor domain. 
-+## -+## -+## -+# -+interface(`pyzor_admin',` -+ gen_require(` -+ type pyzord_t, pyzor_tmp_t, pyzord_log_t; -+ type pyzor_etc_t, pyzor_var_lib_t; -+ type pyzord_initrc_exec_t; -+ ') ++kernel_read_sysctl(pads_t) + -+ allow $1 pyzord_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pyzord_t) -+ -+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 pyzord_initrc_exec_t system_r; -+ allow $2 system_r; ++files_read_etc_files(pads_t) ++files_search_spool(pads_t) + -+ files_list_tmp($1) -+ admin_pattern($1, pyzor_tmp_t) ++miscfiles_read_localization(pads_t) + -+ logging_list_logs($1) -+ admin_pattern($1, pyzord_log_t) ++logging_send_syslog_msg(pads_t) + -+ files_list_etc($1) -+ admin_pattern($1, pyzor_etc_t) ++sysnet_dns_name_resolve(pads_t) + -+ files_list_var_lib($1) -+ admin_pattern($1, pyzor_var_lib_t) -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pyzor.te 2009-04-07 16:01:44.000000000 -0400 -@@ -6,6 +6,38 @@ - # Declarations ++optional_policy(` ++ prelude_manage_spool(pads_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.12/policy/modules/services/pegasus.te +--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pegasus.te 2009-04-07 16:01:44.000000000 -0400 +@@ -30,7 +30,7 @@ + # Local policy # -+ -+ifdef(`distro_redhat',` -+ -+ gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_t; -+ type spamd_initrc_exec_t; -+ type spamd_exec_t; -+ type spamc_tmp_t; -+ type spamd_log_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamc_tmp_t; -+ type 
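Review bot: `allow pads_t pads_config_t:file manage_file_perms;` together with `files_etc_filetrans(pads_t, pads_config_t, file)` lets the daemon rewrite every file labelled pads_config_t, which per pads.fc includes `/etc/pads.conf`, `/etc/pads-ether-codes` and `/etc/pads-signature-list`, not only `/etc/pads-assets.csv`; a compromised pads_t could therefore alter its own signature list and configuration. If only the assets file is written at runtime (inferred from the fc listing, confirm against pads), give it its own type, say `pads_assets_t`, with the manage and filetrans rules, and leave pads_config_t readable only (`read_files_pattern(pads_t, pads_config_t, pads_config_t)`). The second section header in the file repeats `# Declarations` where the module convention is `# pads local policy`, and the raw `netlink_route_socket`/`packet_socket` allow lines would read better with a comment tying them to libpcap capture.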
spamc_home_t; -+ ') -+ -+ typealias spamc_t alias pyzor_t; -+ typealias spamc_exec_t alias pyzor_exec_t; -+ typealias spamd_t alias pyzord_t; -+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; -+ typealias spamd_exec_t alias pyzord_exec_t; -+ typealias spamc_tmp_t alias pyzor_tmp_t; -+ typealias spamd_log_t alias pyzor_log_t; -+ typealias spamd_log_t alias pyzord_log_t; -+ typealias spamd_var_lib_t alias pyzor_var_lib_t; -+ typealias spamd_etc_t alias pyzor_etc_t; -+ typealias spamc_home_t alias pyzor_home_t; -+ typealias spamc_home_t alias user_pyzor_home_t; -+ -+',` -+ - type pyzor_t; - type pyzor_exec_t; - typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -@@ -40,6 +72,7 @@ +-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; ++allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; + dontaudit pegasus_t self:capability sys_tty_config; + allow pegasus_t self:process signal; + allow pegasus_t self:fifo_file rw_fifo_file_perms; +@@ -66,6 +66,8 @@ + kernel_read_system_state(pegasus_t) + kernel_search_vm_sysctl(pegasus_t) + kernel_read_net_sysctls(pegasus_t) ++kernel_read_xen_state(pegasus_t) ++kernel_write_xen_state(pegasus_t) - type pyzord_log_t; - logging_log_file(pyzord_log_t) -+') + corenet_all_recvfrom_unlabeled(pegasus_t) + corenet_all_recvfrom_netlabel(pegasus_t) +@@ -96,13 +98,12 @@ - ######################################## - # -@@ -83,6 +116,8 @@ + auth_use_nsswitch(pegasus_t) + auth_domtrans_chk_passwd(pegasus_t) ++auth_read_shadow(pegasus_t) - miscfiles_read_localization(pyzor_t) + domain_use_interactive_fds(pegasus_t) + domain_read_all_domains_state(pegasus_t) -+mta_read_queue(pyzor_t) -+ - userdom_dontaudit_search_user_home_dirs(pyzor_t) +-files_read_etc_files(pegasus_t) +-files_list_var_lib(pegasus_t) +-files_read_var_lib_files(pegasus_t) ++files_read_all_files(pegasus_t) + files_read_var_lib_symlinks(pegasus_t) - 
optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.12/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/razor.if 2009-04-07 16:01:44.000000000 -0400 -@@ -157,3 +157,45 @@ + hostname_exec(pegasus_t) +@@ -115,7 +116,6 @@ - domtrans_pattern($1, razor_exec_t, razor_t) + miscfiles_read_localization(pegasus_t) + +-sysnet_read_config(pegasus_t) + sysnet_domtrans_ifconfig(pegasus_t) + + userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +@@ -126,6 +126,14 @@ + ') + + optional_policy(` ++ samba_manage_config(pegasus_t) ++') ++ ++optional_policy(` ++ ssh_exec(pegasus_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(pegasus_t) + seutil_dontaudit_read_config(pegasus_t) + ') +@@ -137,3 +145,13 @@ + optional_policy(` + unconfined_signull(pegasus_t) ') + ++optional_policy(` ++ virt_domtrans(pegasus_t) ++ virt_manage_config(pegasus_t) ++') ++ ++optional_policy(` ++ xen_stream_connect(pegasus_t) ++ xen_stream_connect_xenstore(pegasus_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.12/policy/modules/services/pingd.fc +--- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pingd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,11 @@ ++ ++/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) ++ ++/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) ++ ++/usr/lib/pingd(/.*)? 
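Review bot: The `@@ -96,13 +98,12 @@` hunk of pegasus.te replaces the targeted `files_read_etc_files`/`files_list_var_lib`/`files_read_var_lib_files` rules with `files_read_all_files(pegasus_t)` and adds `auth_read_shadow(pegasus_t)`, so a network-facing CIM server (it already holds `net_bind_service`) may now read every file type on the system including `/etc/shadow`. Password checks already go through `auth_domtrans_chk_passwd(pegasus_t)` two lines above, so direct shadow access looks redundant unless a provider reads it itself; if it is genuinely required, say why, e.g. `# the PAM provider reads shadow directly; chk_passwd alone is not sufficient`, and prefer enumerating the file types the providers need over `files_read_all_files`. The outer hunk header (`-17734,736 +16198,512`) suggests this block may be a relocation within the patch rather than new policy, in which case the concern applies equally to the existing rules.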
gen_context(system_u:object_r:pingd_modules_t,s0) ++ ++/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) ++ ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.12/policy/modules/services/pingd.if +--- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pingd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,99 @@ ++## policy for pingd ++ +######################################## +## -+## Create, read, write, and delete razor files -+## in a user home subdirectory. ++## Execute a domain transition to run pingd. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+template(`razor_manage_user_home_files',` ++interface(`pingd_domtrans',` + gen_require(` -+ type razor_home_t; ++ type pingd_t, pingd_exec_t; + ') + -+ files_search_home($1) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, razor_home_t, razor_home_t) -+ read_lnk_files_pattern($1, razor_home_t, razor_home_t) ++ domtrans_pattern($1,pingd_exec_t,pingd_t) +') + -+######################################## ++####################################### +## -+## read razor lib files. ++## Read pingd etc configuration files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`razor_read_lib_files',` -+ gen_require(` -+ type razor_var_lib_t; -+ ') ++interface(`pingd_read_etc',` ++ gen_require(` ++ type pingd_etc_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) ++ files_search_etc($1) ++ read_files_pattern($1, pingd_etc_t, pingd_etc_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.12/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/razor.te 2009-04-07 16:01:44.000000000 -0400 -@@ -6,6 +6,32 @@ - # Declarations - # - -+ifdef(`distro_redhat',` -+ -+ gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_log_t; -+ type spamd_spool_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamc_home_t; -+ type spamc_tmp_t; -+ ') -+ -+ typealias spamc_t alias razor_t; -+ typealias spamc_exec_t alias razor_exec_t; -+ typealias spamd_log_t alias razor_log_t; -+ typealias spamd_var_lib_t alias razor_var_lib_t; -+ typealias spamd_etc_t alias razor_etc_t; -+ typealias spamc_home_t alias razor_home_t; -+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; -+ -+',` ++####################################### ++## ++## Manage pingd etc configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`pingd_manage_etc',` ++ gen_require(` ++ type pingd_etc_t; ++ ') + - type razor_exec_t; - corecmd_executable_file(razor_exec_t) - -@@ -122,3 +148,5 @@ - optional_policy(` - nscd_socket_use(razor_t) - ') ++ files_search_etc($1) ++ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) ++ manage_files_pattern($1, pingd_etc_t, pingd_etc_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ricci.te 2009-04-07 16:01:44.000000000 -0400 -@@ -133,6 +133,8 @@ - - dev_read_urand(ricci_t) - -+domain_read_all_domains_state(ricci_t) + - files_read_etc_files(ricci_t) - files_read_etc_runtime_files(ricci_t) - files_create_boot_flag(ricci_t) -@@ -140,7 +142,7 @@ - auth_domtrans_chk_passwd(ricci_t) - auth_append_login_records(ricci_t) - --init_dontaudit_stream_connect_script(ricci_t) -+init_stream_connect_script(ricci_t) - - locallogin_dontaudit_use_fds(ricci_t) - -@@ -202,7 +204,7 @@ - corecmd_exec_shell(ricci_modcluster_t) - corecmd_exec_bin(ricci_modcluster_t) - --domain_dontaudit_read_all_domains_state(ricci_modcluster_t) -+domain_read_all_domains_state(ricci_modcluster_t) - - files_search_locks(ricci_modcluster_t) - files_read_etc_runtime_files(ricci_modcluster_t) -@@ -214,6 +216,8 @@ - - logging_send_syslog_msg(ricci_modcluster_t) - -+consoletype_exec(ricci_modcluster_t) -+ - miscfiles_read_localization(ricci_modcluster_t) - - modutils_domtrans_insmod(ricci_modcluster_t) -@@ -229,10 +233,6 @@ - ') - - optional_policy(` -- consoletype_exec(ricci_modcluster_t) --') -- --optional_policy(` - lvm_domtrans(ricci_modcluster_t) - ') - -@@ -287,14 +287,14 @@ - corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) - corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) - 
--domain_dontaudit_read_all_domains_state(ricci_modclusterd_t) -+domain_read_all_domains_state(ricci_modclusterd_t) - - files_read_etc_files(ricci_modclusterd_t) - files_read_etc_runtime_files(ricci_modclusterd_t) - - fs_getattr_xattr_fs(ricci_modclusterd_t) - --init_dontaudit_stream_connect_script(ricci_modclusterd_t) -+init_stream_connect_script(ricci_modclusterd_t) - - locallogin_dontaudit_use_fds(ricci_modclusterd_t) - -@@ -328,7 +328,7 @@ - - corecmd_exec_bin(ricci_modlog_t) - --domain_dontaudit_read_all_domains_state(ricci_modlog_t) -+domain_read_all_domains_state(ricci_modlog_t) - - files_read_etc_files(ricci_modlog_t) - files_search_usr(ricci_modlog_t) -@@ -432,7 +432,7 @@ - dev_read_urand(ricci_modstorage_t) - dev_manage_generic_blk_files(ricci_modstorage_t) - --domain_dontaudit_read_all_domains_state(ricci_modstorage_t) -+domain_read_all_domains_state(ricci_modstorage_t) - - #Needed for editing /etc/fstab - files_manage_etc_files(ricci_modstorage_t) -@@ -440,6 +440,10 @@ - files_read_usr_files(ricci_modstorage_t) - files_read_kernel_modules(ricci_modstorage_t) - -+files_create_default_dir(ricci_modstorage_t) -+files_mounton_default(ricci_modstorage_t) -+files_manage_default(ricci_modstorage_t) ++####################################### ++## ++## All of the rules required to administrate ++## an pingd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the pingd domain. 
++## ++## ++## ++# ++interface(`pingd_admin',` ++ gen_require(` ++ type pingd_t, pingd_etc_t; ++ type pingd_initrc_exec_t, pingd_modules_t; ++ ') + - storage_raw_read_fixed_disk(ricci_modstorage_t) - - term_dontaudit_use_console(ricci_modstorage_t) -@@ -452,6 +456,10 @@ - - modutils_read_module_deps(ricci_modstorage_t) - -+consoletype_exec(ricci_modstorage_t) ++ allow $1 pingd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pingd_t) + -+mount_domtrans(ricci_modstorage_t) ++ init_labeled_script_domtrans($1, pingd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 pingd_initrc_exec_t system_r; ++ allow $2 system_r; + - optional_policy(` - ccs_stream_connect(ricci_modstorage_t) - ccs_read_config(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-07 16:01:44.000000000 -0400 -@@ -23,7 +23,7 @@ - gen_tunable(allow_nfsd_anon_write, false) - - type exports_t; --files_type(exports_t) -+files_config_file(exports_t) - - rpc_domain_template(gssd) - -@@ -79,16 +79,25 @@ - fs_read_rpc_symlinks(rpcd_t) - fs_rw_rpc_sockets(rpcd_t) - -+kernel_signal(rpcd_t) ++ files_list_etc($1) ++ admin_pattern($1, pingd_etc_t) + - selinux_dontaudit_read_fs(rpcd_t) - - miscfiles_read_certs(rpcd_t) - - seutil_dontaudit_search_config(rpcd_t) - -+userdom_signal_unpriv_users(rpcd_t) ++ files_list_usr($1) ++ admin_pattern($1, pingd_modules_t) + - optional_policy(` - nis_read_ypserv_config(rpcd_t) - ') - -+optional_policy(` -+ unconfined_execmem_signal(rpcd_t) -+ unconfined_signal(rpcd_t) +') + - ######################################## - # - # NFSD local policy -@@ -141,6 +150,7 @@ - fs_read_noxattr_fs_files(nfsd_t) - auth_manage_all_files_except_shadow(nfsd_t) - ') 
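Review bot: `pingd_domtrans` in the new pingd.if calls `domtrans_pattern($1,pingd_exec_t,pingd_t)` without the `corecmd_search_bin($1)` that the other domtrans interfaces in this patch emit (for example `samba_domtrans_smb`), so a caller that cannot already search bin directories will fail to reach the executable; add `corecmd_search_bin($1)` before the `domtrans_pattern` line and space the arguments like the rest of the file. `pingd_admin` grants `ptrace` on pingd_t and `admin_pattern` over `pingd_modules_t`, which pingd.fc applies to `/usr/lib/pingd(/.*)?`, i.e. write access to loadable modules; that is normal for an admin interface, but worth a comment such as `# writing pingd_modules_t is effectively code execution as pingd_t`. The interface summary still reads `an pingd environment`.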
-+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) - - tunable_policy(`nfs_export_all_ro',` - dev_getattr_all_blk_files(nfsd_t) -@@ -183,9 +193,12 @@ - files_read_usr_symlinks(gssd_t) - - auth_use_nsswitch(gssd_t) -+auth_manage_cache(gssd_t) - - miscfiles_read_certs(gssd_t) - -+mount_signal(gssd_t) -+ - tunable_policy(`allow_gssd_read_tmp',` - userdom_list_user_tmp(gssd_t) - userdom_read_user_tmp_files(gssd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.12/policy/modules/services/rshd.te ---- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -51,7 +51,7 @@ - - files_list_home(rshd_t) - files_read_etc_files(rshd_t) --files_search_tmp(rshd_t) -+files_manage_generic_tmp_dirs(rshd_t) - - auth_login_pgm_domain(rshd_t) - auth_write_login_records(rshd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc ---- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -2,6 +2,9 @@ - # - # /etc - # -+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) - /etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) - /etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) - /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -@@ -15,6 +18,7 @@ - /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) - /usr/bin/smbmount -- 
gen_context(system_u:object_r:smbmount_exec_t,s0) - /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) -+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) - /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) - - /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -@@ -47,3 +51,7 @@ - /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - - /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+ -+ifndef(`enable_mls',` -+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.12/policy/modules/services/samba.if ---- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/samba.if 2009-04-07 16:01:44.000000000 -0400 -@@ -4,6 +4,45 @@ - ## from Windows NT servers. - ##
- +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.12/policy/modules/services/pingd.te +--- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pingd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,54 @@ ++policy_module(pingd,1.0.0) + +######################################## -+## -+## Execute smbd net in the smbd_t domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## +# -+interface(`samba_domtrans_smb',` -+ gen_require(` -+ type smbd_t, smbd_exec_t; -+ ') ++# Declarations ++# + -+ corecmd_search_bin($1) -+ domtrans_pattern($1, smbd_exec_t, smbd_t) -+') ++type pingd_t; ++type pingd_exec_t; ++init_daemon_domain(pingd_t, pingd_exec_t) + -+######################################## -+## -+## Execute nmbd net in the nmbd_t domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`samba_domtrans_nmb',` -+ gen_require(` -+ type nmbd_t, nmbd_exec_t; -+ ') ++type pingd_initrc_exec_t; ++init_script_file(pingd_initrc_exec_t) + -+ corecmd_search_bin($1) -+ domtrans_pattern($1, nmbd_exec_t, nmbd_t) -+') ++# type for config ++type pingd_etc_t; ++files_type(pingd_etc_t); + - ######################################## - ## - ## Execute samba net in the samba_net domain. -@@ -25,6 +64,25 @@ - - ######################################## - ## -+## Execute samba net in the samba_unconfined_net domain. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## ++# type for pingd modules ++type pingd_modules_t; ++files_type(pingd_modules_t) ++ ++######################################## ++# ++# pingd local policy +# -+interface(`samba_domtrans_unconfined_net',` -+ gen_require(` -+ type samba_unconfined_net_t, samba_net_exec_t; -+ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) -+') ++allow pingd_t self:capability net_raw; ++allow pingd_t self:tcp_socket create_stream_socket_perms; ++allow pingd_t self:rawip_socket { write read create bind }; ++ ++read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) ++ ++read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) ++mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) ++ ++corenet_raw_bind_generic_node(pingd_t) ++corenet_tcp_bind_generic_node(pingd_t) ++corenet_tcp_bind_pingd_port(pingd_t) ++ ++auth_use_nsswitch(pingd_t) ++ ++files_search_usr(pingd_t) ++ ++libs_use_ld_so(pingd_t) ++libs_use_shared_libs(pingd_t) ++miscfiles_read_localization(pingd_t) ++ ++logging_send_syslog_msg(pingd_t) ++ ++permissive pingd_t; ++ ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc +--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,11 @@ ++ ++/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) ++/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) ++/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) ++ ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++/var/run/PolicyKit(/.*)? 
gen_context(system_u:object_r:polkit_var_run_t,s0) ++/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++ ++/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if +--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/polkit.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,241 @@ ++ ++## policy for polkit_auth + +######################################## +## - ## Execute samba net in the samba_net domain, and - ## allow the specified role the samba_net domain. - ## -@@ -49,6 +107,50 @@ - role $2 types samba_net_t; - ') - -+####################################### ++## Execute a domain transition to run polkit_auth. ++## ++## +## -+## The role for the samba module. ++## Domain allowed to transition. +## -+## -+## -+## The role to be allowed the samba_net domain. -+## +## +# -+template(`samba_role_notrans',` ++interface(`polkit_domtrans_auth',` + gen_require(` -+ type smbd_t; ++ type polkit_auth_t; ++ type polkit_auth_exec_t; + ') + -+ role $1 types smbd_t; ++ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) +') + +######################################## +## -+## Execute samba net in the samba_unconfined_net domain, and -+## allow the specified role the samba_unconfined_net domain. ++## Search polkit lib directories. +## +## +## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the samba_unconfined_net domain. ++## Domain allowed access. 
+## +## -+## +# -+interface(`samba_run_unconfined_net',` ++interface(`polkit_search_lib',` + gen_require(` -+ type samba_unconfined_net_t; ++ type polkit_var_lib_t; + ') + -+ samba_domtrans_unconfined_net($1) -+ role $2 types samba_unconfined_net_t; ++ allow $1 polkit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) +') + - ######################################## - ## - ## Execute smbmount in the smbmount domain. -@@ -138,6 +240,28 @@ - - ######################################## - ## -+## Allow the specified domain to read -+## and write samba configuration files. ++######################################## ++## ++## read polkit lib files +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`samba_manage_config',` ++interface(`polkit_read_lib',` + gen_require(` -+ type samba_etc_t; ++ type polkit_var_lib_t; + ') + -+ files_search_etc($1) -+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t) -+ manage_files_pattern($1, samba_etc_t, samba_etc_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++ ++ # Broken placement ++ cron_read_system_job_lib_files($1) +') + +######################################## +## - ## Allow the specified domain to read samba's log files. - ## - ## -@@ -281,6 +405,25 @@ - - ######################################## - ## -+## dontaudit the specified domain to -+## write samba /var files. ++## read polkit reload files +## +## +## 
@@ -18471,92 +16711,56 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`samba_dontaudit_write_var_files',` ++interface(`polkit_read_reload',` + gen_require(` -+ type samba_var_t; ++ type polkit_reload_t; + ') + -+ dontaudit $1 samba_var_t:file write; ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_reload_t, polkit_reload_t) +') + +######################################## +## - ## Allow the specified domain to - ## read and write samba /var files. - ## -@@ -298,6 +441,7 @@ - files_search_var($1) - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) -+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t) - ') - - ######################################## -@@ -370,6 +514,7 @@ - ') - - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -+ allow $1 winbind_helper_t:process signal; - ') - - ######################################## -@@ -447,3 +592,202 @@ - stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) - ') - ') -+ -+######################################## -+## -+## Create a set of derived types for apache -+## web content. ++## rw polkit reload files +## -+## ++## +## -+## The prefix to be used for deriving type names. ++## Domain allowed access. 
+## +## +# -+template(`samba_helper_template',` ++interface(`polkit_rw_reload',` + gen_require(` -+ type smbd_t; ++ type polkit_reload_t; + ') -+ #This type is for samba helper scripts -+ type samba_$1_script_t; -+ domain_type(samba_$1_script_t) -+ role system_r types samba_$1_script_t; -+ -+ # This type is used for executable scripts files -+ type samba_$1_script_exec_t; -+ corecmd_shell_entry_type(samba_$1_script_t) -+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) -+ -+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) -+ allow smbd_t samba_$1_script_exec_t:file ioctl; + ++ files_search_var_lib($1) ++ rw_files_pattern($1, polkit_reload_t, polkit_reload_t) +') + +######################################## +## -+## Allow the specified domain to read samba's shares ++## Execute a domain transition to run polkit_grant. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`samba_read_share_files',` ++interface(`polkit_domtrans_grant',` + gen_require(` -+ type samba_share_t; ++ type polkit_grant_t; ++ type polkit_grant_exec_t; + ') + -+ allow $1 samba_share_t:filesystem getattr; -+ read_files_pattern($1, samba_share_t, samba_share_t) ++ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) +') + +######################################## +## -+## Execute a domain transition to run smbcontrol. ++## Execute a domain transition to run polkit_resolve. +## +## +## 
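Review bot: `polkit_domtrans_grant` goes straight to `domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t)` without granting the caller search on the directory holding the helper, so a caller domain that cannot already traverse bin_t (polkit.fc labels the helper under /usr/libexec) will be denied on the path walk before the transition ever fires. The samba domtrans interfaces in this same patch (`samba_domtrans_smb`, `samba_domtrans_nmb`) prepend `corecmd_search_bin($1)` for exactly this reason, and the same one-liner belongs here, ahead of the `domtrans_pattern` call: `corecmd_search_bin($1)`. This matters because `polkit_grant_t` is the privileged authentication helper (it later receives `setuid` and `auth_domtrans_chk_passwd`), so a broken transition tends to get "fixed" in the field by widening the caller domain instead. The sibling `polkit_domtrans_auth` earlier in the patch appears to have the same shape and presumably wants the same line, but its hunk is outside this one.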
@@ -18564,931 +16768,696 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`samba_domtrans_smbcontrol',` ++interface(`polkit_domtrans_resolve',` + gen_require(` -+ type smbcontrol_t; -+ type smbcontrol_exec_t; ++ type polkit_resolve_t; ++ type polkit_resolve_exec_t; + ') + -+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -+') -+ ++ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) ++ ++ allow polkit_resolve_t $1:dir list_dir_perms; ++ read_files_pattern(polkit_resolve_t, $1, $1) ++ read_lnk_files_pattern(polkit_resolve_t, $1, $1) ++ allow polkit_resolve_t $1:process getattr; ++') + +######################################## +## -+## Execute smbcontrol in the smbcontrol domain, and -+## allow the specified role the smbcontrol domain. ++## Execute a policy_grant in the policy_grant domain, and ++## allow the specified role the policy_grant domain, +## +## +## -+## Domain allowed access ++## Domain allowed access. +## +## +## +## -+## The role to be allowed the smbcontrol domain. ++## The role to be allowed the load_policy domain. +## +## ++## +# -+interface(`samba_run_smbcontrol',` ++interface(`polkit_run_grant',` + gen_require(` -+ type smbcontrol_t; ++ type polkit_grant_t; + ') + -+ samba_domtrans_smbcontrol($1) -+ role $2 types smbcontrol_t; ++ polkit_domtrans_grant($1) ++ role $2 types polkit_grant_t; ++ allow $1 polkit_grant_t:process signal; ++ read_files_pattern(polkit_grant_t, $1, $1) ++ allow polkit_grant_t $1:process getattr; +') + +######################################## +## -+## Execute samba server in the samba domain. ++## Execute a policy_auth in the policy_auth domain, and ++## allow the specified role the policy_auth domain, +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the load_policy domain. 
+## +## +# -+interface(`samba_initrc_domtrans',` ++interface(`polkit_run_auth',` + gen_require(` -+ type samba_initrc_exec_t; ++ type polkit_auth_t; + ') + -+ init_labeled_script_domtrans($1, samba_initrc_exec_t) ++ polkit_domtrans_auth($1) ++ role $2 types polkit_auth_t; +') + -+######################################## ++####################################### +## -+## All of the rules required to administrate -+## an samba environment ++## The per role template for the nsplugin module. +## -+## ++## +## -+## Domain allowed access. ++## The role associated with the user domain. +## +## -+## ++## +## -+## The role to be allowed to manage the samba domain. ++## The type of the user domain. +## +## +## +# -+interface(`samba_admin',` ++template(`polkit_role',` ++ polkit_run_auth($2, $1) ++ polkit_run_grant($2, $1) ++ polkit_read_lib($2) ++ polkit_read_reload($2) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## polkit over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`polkit_dbus_chat',` + gen_require(` -+ type nmbd_t, nmbd_var_run_t; -+ type smbd_t, smbd_tmp_t; -+ type smbd_initrc_exec_t; -+ type smbd_spool_t, smbd_var_run_t; ++ type polkit_t; ++ class dbus send_msg; ++ ') + -+ type samba_log_t, samba_var_t; -+ type samba_etc_t, samba_share_t; -+ type samba_secrets_t; ++ allow $1 polkit_t:dbus send_msg; ++ allow polkit_t $1:dbus send_msg; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.12/policy/modules/services/polkit.te +--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/polkit.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,237 @@ ++policy_module(polkit_auth, 1.0.0) + -+ type swat_var_run_t, swat_tmp_t; ++######################################## ++# ++# Declarations ++# + -+ type winbind_var_run_t, winbind_tmp_t; -+ type winbind_log_t; ++type polkit_t; ++type polkit_exec_t; ++init_daemon_domain(polkit_t, polkit_exec_t) + -+ type samba_unconfined_script_t, samba_unconfined_script_exec_t; -+ type samba_initrc_exec_t; -+ ') ++type polkit_grant_t; ++type polkit_grant_exec_t; ++init_system_domain(polkit_grant_t, polkit_grant_exec_t) + -+ allow $1 smbd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, smbd_t) -+ -+ allow $1 nmbd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nmbd_t) -+ -+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) -+ -+ samba_run_smbcontrol($1, $2, $3) -+ samba_run_winbind_helper($1, $2, $3) -+ samba_run_smbmount($1, $2, $3) -+ samba_run_net($1, $2, $3) ++type polkit_resolve_t; ++type polkit_resolve_exec_t; ++init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) + -+ init_labeled_script_domtrans($1, samba_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition 
$2 samba_initrc_exec_t system_r; -+ allow $2 system_r; ++type polkit_auth_t; ++type polkit_auth_exec_t; ++init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + -+ files_list_tmp($1) -+ admin_pattern($1, smbd_tmp_t) -+ admin_pattern($1, swat_tmp_t) -+ admin_pattern($1, winbind_tmp_t) ++type polkit_reload_t; ++files_type(polkit_reload_t) + -+ admin_pattern($1, samba_secrets_t) ++type polkit_var_lib_t; ++files_type(polkit_var_lib_t) + -+ files_list_etc($1) -+ admin_pattern($1, samba_etc_t) ++type polkit_var_run_t; ++files_pid_file(polkit_var_run_t) + -+ admin_pattern($1, samba_share_t) ++######################################## ++# ++# polkit local policy ++# + -+ logging_list_logs($1) -+ admin_pattern($1, samba_log_t) -+ admin_pattern($1, winbind_log_t) ++allow polkit_t self:capability { setgid setuid }; ++allow polkit_t self:process getattr; + -+ files_list_spool($1) -+ admin_pattern($1, smbd_spool_t) ++allow polkit_t self:unix_dgram_socket create_socket_perms; ++allow polkit_t self:fifo_file rw_file_perms; ++allow polkit_t self:unix_stream_socket create_stream_socket_perms; + -+ files_list_var($1) -+ admin_pattern($1, samba_var_t) ++polkit_domtrans_auth(polkit_t) ++polkit_domtrans_resolve(polkit_t) + -+ files_list_pids($1) -+ admin_pattern($1, smbd_var_run_t) -+ admin_pattern($1, nmbd_var_run_t) -+ admin_pattern($1, swat_var_run_t) -+ admin_pattern($1, winbind_var_run_t) -+ admin_pattern($1, samba_unconfined_script_exec_t) -+') ++can_exec(polkit_t, polkit_exec_t) ++corecmd_exec_bin(polkit_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-07 16:01:44.000000000 -0400 -@@ -66,6 +66,13 @@ - ## - gen_tunable(samba_share_nfs, false) - -+## -+##

-+## Allow samba to export ntfs/fusefs volumes. -+##

-+##
-+gen_tunable(samba_share_fusefs, false) ++domain_use_interactive_fds(polkit_t) + - type nmbd_t; - type nmbd_exec_t; - init_daemon_domain(nmbd_t, nmbd_exec_t) -@@ -73,6 +80,9 @@ - type nmbd_var_run_t; - files_pid_file(nmbd_var_run_t) - -+type samba_initrc_exec_t; -+init_script_file(samba_initrc_exec_t) ++files_read_etc_files(polkit_t) ++files_read_usr_files(polkit_t) + - type samba_etc_t; - files_config_file(samba_etc_t) - -@@ -80,11 +90,9 @@ - logging_log_file(samba_log_t) - - type samba_net_t; --domain_type(samba_net_t) --role system_r types samba_net_t; -- - type samba_net_exec_t; --domain_entry_file(samba_net_t, samba_net_exec_t) -+role system_r types samba_net_t; -+application_domain(samba_net_t, samba_net_exec_t) - - type samba_net_tmp_t; - files_tmp_file(samba_net_tmp_t) -@@ -146,11 +154,17 @@ - type winbind_var_run_t; - files_pid_file(winbind_var_run_t) - -+type smbcontrol_t; -+type smbcontrol_exec_t; -+application_domain(smbcontrol_t, smbcontrol_exec_t) -+role system_r types smbcontrol_t; ++fs_list_inotifyfs(polkit_t) + - ######################################## - # - # Samba net local policy - # -- -+allow samba_net_t self:capability { sys_nice dac_read_search dac_override }; -+allow samba_net_t self:process { getsched setsched }; - allow samba_net_t self:unix_dgram_socket create_socket_perms; - allow samba_net_t self:unix_stream_socket create_stream_socket_perms; - allow samba_net_t self:udp_socket create_socket_perms; -@@ -165,11 +179,12 @@ - manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) - files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - --allow samba_net_t samba_var_t:dir rw_dir_perms; -+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) - - kernel_read_proc_symlinks(samba_net_t) -+kernel_read_system_state(samba_net_t) - - corenet_all_recvfrom_unlabeled(samba_net_t) - 
corenet_all_recvfrom_netlabel(samba_net_t) -@@ -190,15 +205,23 @@ - domain_use_interactive_fds(samba_net_t) - - files_read_etc_files(samba_net_t) -+files_read_usr_symlinks(samba_net_t) - - auth_use_nsswitch(samba_net_t) -+auth_read_cache(samba_net_t) - - logging_send_syslog_msg(samba_net_t) - - miscfiles_read_localization(samba_net_t) - -+samba_read_var_files(samba_net_t) ++kernel_read_kernel_sysctls(polkit_t) + - userdom_use_user_terminals(samba_net_t) --userdom_dontaudit_search_user_home_dirs(samba_net_t) -+userdom_list_user_home_dirs(samba_net_t) ++auth_use_nsswitch(polkit_t) ++ ++miscfiles_read_localization(polkit_t) ++ ++logging_send_syslog_msg(polkit_t) ++ ++manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++rw_files_pattern(polkit_t, polkit_reload_t, polkit_reload_t) ++ ++# pid file ++manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) ++manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) ++files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) ++ ++userdom_read_all_users_state(polkit_t) + +optional_policy(` -+ pcscd_read_pub_files(samba_net_t) ++ dbus_system_domain(polkit_t, polkit_exec_t) ++ ++ optional_policy(` ++ consolekit_dbus_chat(polkit_t) ++ ') +') - - optional_policy(` - kerberos_use(samba_net_t) -@@ -208,7 +231,7 @@ - # - # smbd Local policy - # --allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; - dontaudit smbd_t self:capability sys_tty_config; - allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow smbd_t self:process setrlimit; -@@ -226,10 +249,8 @@ - - allow smbd_t samba_etc_t:file { rw_file_perms setattr }; - --create_dirs_pattern(smbd_t, samba_log_t, samba_log_t) -+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) - manage_files_pattern(smbd_t, 
samba_log_t, samba_log_t) --allow smbd_t samba_log_t:dir setattr; --dontaudit smbd_t samba_log_t:dir remove_name; - - allow smbd_t samba_net_tmp_t:file getattr; - -@@ -239,6 +260,7 @@ - manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) - manage_files_pattern(smbd_t, samba_share_t, samba_share_t) - manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) -+allow smbd_t samba_share_t:filesystem getattr; - - manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) - manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -256,7 +278,7 @@ - manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) - files_pid_filetrans(smbd_t, smbd_var_run_t, file) - --allow smbd_t winbind_var_run_t:sock_file { read write getattr }; -+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; - - kernel_getattr_core_if(smbd_t) - kernel_getattr_message_if(smbd_t) -@@ -298,6 +320,7 @@ - - auth_use_nsswitch(smbd_t) - auth_domtrans_chk_passwd(smbd_t) -+auth_domtrans_upd_passwd(smbd_t) - - domain_use_interactive_fds(smbd_t) - domain_dontaudit_list_all_domains_state(smbd_t) -@@ -321,6 +344,10 @@ - userdom_use_unpriv_users_fds(smbd_t) - userdom_dontaudit_search_user_home_dirs(smbd_t) - -+usermanage_read_crack_db(smbd_t) + -+term_use_ptmx(smbd_t) ++######################################## ++# ++# polkit_auth local policy ++# + - ifdef(`hide_broken_symptoms', ` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -333,25 +360,33 @@ - - tunable_policy(`samba_domain_controller',` - usermanage_domtrans_passwd(smbd_t) -+ usermanage_kill_passwd(smbd_t) - usermanage_domtrans_useradd(smbd_t) - usermanage_domtrans_groupadd(smbd_t) - ') - - tunable_policy(`samba_enable_home_dirs',` -- userdom_manage_user_home_content_dirs(smbd_t) -- userdom_manage_user_home_content_files(smbd_t) -- userdom_manage_user_home_content_symlinks(smbd_t) -- userdom_manage_user_home_content_sockets(smbd_t) -- userdom_manage_user_home_content_pipes(smbd_t) -- 
userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) -+ userdom_manage_user_home_content(smbd_t) - ') - - # Support Samba sharing of NFS mount points - tunable_policy(`samba_share_nfs',` - fs_manage_nfs_dirs(smbd_t) - fs_manage_nfs_files(smbd_t) -+ fs_manage_nfs_symlinks(smbd_t) -+ fs_manage_nfs_named_pipes(smbd_t) -+ fs_manage_nfs_named_sockets(smbd_t) -+') ++allow polkit_auth_t self:capability setgid; ++allow polkit_auth_t self:process { getattr }; + -+# Support Samba sharing of ntfs/fusefs mount points -+tunable_policy(`samba_share_fusefs',` -+ fs_manage_fusefs_dirs(smbd_t) -+ fs_manage_fusefs_files(smbd_t) -+',` -+ fs_search_fusefs(smbd_t) - ') - ++allow polkit_auth_t self:unix_dgram_socket create_socket_perms; ++allow polkit_auth_t self:fifo_file rw_file_perms; ++allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; + - optional_policy(` - cups_read_rw_config(smbd_t) - cups_stream_connect(smbd_t) -@@ -359,6 +394,16 @@ - - optional_policy(` - kerberos_use(smbd_t) -+ kerberos_keytab_template(smbd, smbd_t) ++can_exec(polkit_auth_t, polkit_auth_exec_t) ++corecmd_search_bin(polkit_auth_t) ++ ++domain_use_interactive_fds(polkit_auth_t) ++ ++files_read_etc_files(polkit_auth_t) ++files_read_usr_files(polkit_auth_t) ++ ++auth_use_nsswitch(polkit_auth_t) ++ ++miscfiles_read_localization(polkit_auth_t) ++ ++logging_send_syslog_msg(polkit_auth_t) ++ ++manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) ++rw_files_pattern(polkit_auth_t, polkit_reload_t, polkit_reload_t) ++ ++# pid file ++manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) ++manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) ++files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) ++ ++userdom_dontaudit_read_user_home_content_files(polkit_auth_t) ++ ++optional_policy(` ++ cron_read_system_job_lib_files(polkit_auth_t) +') + +optional_policy(` -+ lpd_exec_lpr(smbd_t) ++ 
dbus_system_domain( polkit_auth_t, polkit_auth_exec_t) ++ ++ dbus_session_bus_client(polkit_auth_t) ++ ++ optional_policy(` ++ consolekit_dbus_chat(polkit_auth_t) ++ ') +') + +optional_policy(` -+ qemu_manage_tmp_dirs(smbd_t) -+ qemu_manage_tmp_files(smbd_t) - ') - - optional_policy(` -@@ -376,13 +421,15 @@ - tunable_policy(`samba_create_home_dirs',` - allow smbd_t self:capability chown; - userdom_create_user_home_dirs(smbd_t) -- userdom_home_filetrans_user_home_dir(smbd_t) - ') -+userdom_home_filetrans_user_home_dir(smbd_t) - - tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) -+ auth_read_all_dirs_except_shadow(smbd_t) - auth_read_all_files_except_shadow(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) -+ auth_read_all_dirs_except_shadow(nmbd_t) - auth_read_all_files_except_shadow(nmbd_t) - ') - -@@ -391,8 +438,8 @@ - auth_manage_all_files_except_shadow(smbd_t) - fs_read_noxattr_fs_files(nmbd_t) - auth_manage_all_files_except_shadow(nmbd_t) -- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) - ') -+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) - - ######################################## - # -@@ -417,14 +464,11 @@ - files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) - - read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) - - manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) - manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - --read_files_pattern(nmbd_t, samba_log_t, samba_log_t) --create_files_pattern(nmbd_t, samba_log_t, samba_log_t) --allow nmbd_t samba_log_t:dir setattr; -- - manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) - - allow nmbd_t smbd_var_run_t:dir rw_dir_perms; -@@ -454,6 +498,7 @@ - dev_getattr_mtrr_dev(nmbd_t) - - fs_getattr_all_fs(nmbd_t) -+fs_list_inotifyfs(nmbd_t) - fs_search_auto_mountpoints(nmbd_t) - - domain_use_interactive_fds(nmbd_t) -@@ -553,21 +598,36 @@ - userdom_use_user_terminals(smbmount_t) - 
userdom_use_all_users_fds(smbmount_t) - ++ kernel_search_proc(polkit_auth_t) ++ hal_read_state(polkit_auth_t) ++') ++ +optional_policy(` -+ cups_read_rw_config(smbmount_t) ++ xserver_xdm_append_log(polkit_auth_t) +') + - ######################################## - # - # SWAT Local policy - # - --allow swat_t self:capability { setuid setgid }; --allow swat_t self:process signal_perms; --allow swat_t self:fifo_file rw_file_perms; -+allow swat_t self:capability { setuid setgid sys_resource }; -+allow swat_t self:process { setrlimit signal_perms }; -+allow swat_t self:fifo_file rw_fifo_file_perms; - allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - allow swat_t self:tcp_socket create_stream_socket_perms; - allow swat_t self:udp_socket create_socket_perms; - -+allow swat_t self:unix_stream_socket connectto; -+samba_domtrans_smb(swat_t) -+allow swat_t smbd_port_t:tcp_socket name_bind; -+allow swat_t smbd_t:process { signal signull }; -+allow swat_t smbd_var_run_t:file { lock unlink }; ++######################################## ++# ++# polkit_grant local policy ++# + - allow swat_t nmbd_exec_t:file mmap_file_perms; -+can_exec(swat_t, nmbd_exec_t) -+allow swat_t nmbd_port_t:udp_socket name_bind; -+allow swat_t nmbd_t:process { signal signull }; -+allow swat_t nmbd_var_run_t:file { lock read unlink }; - - rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - - append_files_pattern(swat_t, samba_log_t, samba_log_t) - -@@ -585,6 +645,9 @@ - files_pid_filetrans(swat_t, swat_var_run_t, file) - - allow swat_t winbind_exec_t:file mmap_file_perms; -+can_exec(swat_t, winbind_exec_t) -+allow swat_t winbind_var_run_t:dir { write add_name remove_name }; -+allow swat_t winbind_var_run_t:sock_file { create unlink }; - - kernel_read_kernel_sysctls(swat_t) - kernel_read_system_state(swat_t) -@@ -609,15 +672,18 @@ - - dev_read_urand(swat_t) - -+files_list_var_lib(swat_t) - files_read_etc_files(swat_t) - 
files_search_home(swat_t) - files_read_usr_files(swat_t) - fs_getattr_xattr_fs(swat_t) -+fs_list_inotifyfs(swat_t) - - auth_domtrans_chk_passwd(swat_t) - auth_use_nsswitch(swat_t) - - logging_send_syslog_msg(swat_t) -+logging_send_audit_msgs(swat_t) - logging_search_logs(swat_t) - - miscfiles_read_localization(swat_t) -@@ -635,6 +701,17 @@ - kerberos_use(swat_t) - ') - -+init_read_utmp(swat_t) -+init_dontaudit_write_utmp(swat_t) ++allow polkit_grant_t self:capability setuid; ++allow polkit_grant_t self:process getattr; + -+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -+create_files_pattern(swat_t, samba_log_t, samba_log_t) ++allow polkit_grant_t self:unix_dgram_socket create_socket_perms; ++allow polkit_grant_t self:fifo_file rw_file_perms; ++allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; + -+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) ++can_exec(polkit_grant_t, polkit_grant_exec_t) ++corecmd_search_bin(polkit_grant_t) + -+manage_files_pattern(swat_t, samba_var_t, samba_var_t) -+files_list_var_lib(swat_t) ++files_read_etc_files(polkit_grant_t) ++files_read_usr_files(polkit_grant_t) + - ######################################## - # - # Winbind local policy -@@ -642,7 +719,7 @@ - - allow winbind_t self:capability { dac_override ipc_lock setuid }; - dontaudit winbind_t self:capability sys_tty_config; --allow winbind_t self:process signal_perms; -+allow winbind_t self:process { signal_perms getsched setsched }; - allow winbind_t self:fifo_file rw_fifo_file_perms; - allow winbind_t self:unix_dgram_socket create_socket_perms; - allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -683,9 +760,10 @@ - manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) - files_pid_filetrans(winbind_t, winbind_var_run_t, file) - -+corecmd_exec_bin(winbind_t) ++auth_use_nsswitch(polkit_grant_t) ++auth_domtrans_chk_passwd(polkit_grant_t) + - kernel_read_kernel_sysctls(winbind_t) 
--kernel_list_proc(winbind_t) --kernel_read_proc_symlinks(winbind_t) -+kernel_read_system_state(winbind_t) - - corenet_all_recvfrom_unlabeled(winbind_t) - corenet_all_recvfrom_netlabel(winbind_t) -@@ -709,10 +787,12 @@ - - auth_domtrans_chk_passwd(winbind_t) - auth_use_nsswitch(winbind_t) -+auth_rw_cache(winbind_t) - - domain_use_interactive_fds(winbind_t) - - files_read_etc_files(winbind_t) -+files_read_usr_symlinks(winbind_t) - - logging_send_syslog_msg(winbind_t) - -@@ -768,8 +848,13 @@ - userdom_use_user_terminals(winbind_helper_t) - - optional_policy(` -+ apache_append_log(winbind_helper_t) -+') ++miscfiles_read_localization(polkit_grant_t) + -+optional_policy(` - squid_read_log(winbind_helper_t) - squid_append_log(winbind_helper_t) -+ squid_rw_stream_sockets(winbind_helper_t) - ') - - ######################################## -@@ -778,6 +863,16 @@ - # - - optional_policy(` -+ type samba_unconfined_net_t; -+ domain_type(samba_unconfined_net_t) -+ role system_r types samba_unconfined_net_t; ++logging_send_syslog_msg(polkit_grant_t) + -+ unconfined_domain(samba_unconfined_net_t) ++polkit_domtrans_auth(polkit_grant_t) ++polkit_domtrans_resolve(polkit_grant_t) + -+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) -+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) ++manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) ++ ++manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) ++rw_files_pattern(polkit_grant_t, polkit_reload_t, polkit_reload_t) ++userdom_read_all_users_state(polkit_grant_t) ++ ++optional_policy(` ++ cron_manage_system_job_lib_files(polkit_grant_t) +') + - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; - domain_type(samba_unconfined_script_t) -@@ -788,9 +883,43 @@ - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; - +optional_policy(` - 
unconfined_domain(samba_unconfined_script_t) ++ dbus_system_bus_client(polkit_grant_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_grant_t) ++ ') +') - - tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) -+',` -+ can_exec(smbd_t, samba_unconfined_script_exec_t) - ') --') + +######################################## +# -+# smbcontrol local policy ++# polkit_resolve local policy +# + -+# internal communication is often done using fifo and unix sockets. -+allow smbcontrol_t self:fifo_file rw_file_perms; -+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; ++allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; ++allow polkit_resolve_t self:process getattr; + -+files_read_etc_files(smbcontrol_t) ++allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; ++allow polkit_resolve_t self:fifo_file rw_file_perms; ++allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; + -+miscfiles_read_localization(smbcontrol_t) ++read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) ++read_files_pattern(polkit_resolve_t, polkit_reload_t, polkit_reload_t) + -+files_search_var_lib(smbcontrol_t) -+samba_read_config(smbcontrol_t) -+samba_rw_var_files(smbcontrol_t) -+samba_search_var(smbcontrol_t) -+samba_read_winbind_pid(smbcontrol_t) ++can_exec(polkit_resolve_t, polkit_resolve_exec_t) ++corecmd_search_bin(polkit_resolve_t) + -+allow smbcontrol_t smbd_t:process signal; -+domain_use_interactive_fds(smbcontrol_t) -+allow smbd_t smbcontrol_t:process { signal signull }; ++polkit_domtrans_auth(polkit_resolve_t) + -+allow nmbd_t smbcontrol_t:process signal; -+allow smbcontrol_t nmbd_t:process { signal signull }; ++files_read_etc_files(polkit_resolve_t) ++files_read_usr_files(polkit_resolve_t) + -+allow smbcontrol_t winbind_t:process { signal signull }; -+allow winbind_t smbcontrol_t:process signal; 
++auth_use_nsswitch(polkit_resolve_t) + -+allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sasl.te 2009-04-07 16:01:44.000000000 -0400 -@@ -99,6 +99,7 @@ - - optional_policy(` - kerberos_keytab_template(saslauthd, saslauthd_t) -+ kerberos_manage_host_rcache(saslauthd_t) - ') - - optional_policy(` -@@ -107,6 +108,10 @@ - ') - - optional_policy(` -+ nis_authenticate(saslauthd_t) -+') ++miscfiles_read_localization(polkit_resolve_t) + -+optional_policy(` - seutil_sigchld_newrole(saslauthd_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if ---- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-07 16:01:44.000000000 -0400 -@@ -149,3 +149,92 @@ - - logging_log_filetrans($1, sendmail_log_t, file) - ') ++logging_send_syslog_msg(polkit_resolve_t) + -+######################################## -+## -+## Execute the sendmail program in the sendmail domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the sendmail domain. 
-+## -+## -+## -+# -+interface(`sendmail_run',` -+ gen_require(` -+ type sendmail_t; ++userdom_read_all_users_state(polkit_resolve_t) ++userdom_ptrace_all_users(polkit_resolve_t) ++mcs_ptrace_all(polkit_resolve_t) ++ ++optional_policy(` ++ dbus_system_bus_client(polkit_resolve_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_resolve_t) + ') ++') + -+ sendmail_domtrans($1) -+ role $2 types sendmail_t; ++optional_policy(` ++ kernel_search_proc(polkit_resolve_t) ++ hal_read_state(polkit_resolve_t) ++') ++ ++optional_policy(` ++ unconfined_ptrace(polkit_resolve_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.12/policy/modules/services/portreserve.fc +--- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/portreserve.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,12 @@ ++# portreserve executable will have: ++# label: system_u:object_r:portreserve_exec_t ++# MLS sensitivity: s0 ++# MCS categories: ++ ++#exec ++/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) ++ ++/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) ++ ++/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.12/policy/modules/services/portreserve.if +--- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/portreserve.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,66 @@ ++## policy for portreserve ++ +######################################## +## -+## Execute sendmail in the unconfined sendmail domain. ++## Execute a domain transition to run portreserve. +## +## -+## -+## Domain allowed access. 
-+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`sendmail_domtrans_unconfined',` ++interface(`portreserve_domtrans',` + gen_require(` -+ type unconfined_sendmail_t, sendmail_exec_t; ++ type portreserve_t, portreserve_exec_t; + ') + -+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) ++ domtrans_pattern($1,portreserve_exec_t,portreserve_t) +') + -+######################################## ++####################################### +## -+## Execute sendmail in the unconfined sendmail domain, and -+## allow the specified role the unconfined sendmail domain, -+## and use the caller's terminal. ++## Allow the specified domain to read ++## portreserve etcuration files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+## ++## ++## ++# ++interface(`portreserve_read_etc',` ++ gen_require(` ++ type portreserve_etc_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 portreserve_etc_t:dir list_dir_perms; ++ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++') ++ ++####################################### ++## ++## Allow the specified domain to manage ++## portreserve etcuration files. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++##
++#
++interface(`portreserve_manage_etc',`
++ gen_require(`
++ type portreserve_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
++ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
++ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.12/policy/modules/services/portreserve.te
+--- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/portreserve.te 2009-04-07 16:01:44.000000000 -0400
+@@ -0,0 +1,51 @@
++policy_module(portreserve,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type portreserve_t;
++type portreserve_exec_t;
++init_daemon_domain(portreserve_t, portreserve_exec_t)
++
++type portreserve_etc_t;
++files_type(portreserve_etc_t)
++
++type portreserve_var_run_t;
++files_pid_file(portreserve_var_run_t)
++
++########################################
++#
++# Portreserve local policy
++#
++allow portreserve_t self:fifo_file rw_fifo_file_perms;
++allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
++allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
++allow portreserve_t self:tcp_socket create_socket_perms;
++allow portreserve_t self:udp_socket create_socket_perms;
++
++# Read etc files
++list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
++read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
++
++# Manage /var/run/portreserve/*
++manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
++manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
++manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
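Review bot: Both new interface summaries in portreserve.if read `portreserve etcuration files`, which looks like a mechanical `config` → `etc` rename that also hit the word "configuration"; both should say `portreserve configuration files`. The `portreserve_domtrans` body also writes `domtrans_pattern($1,portreserve_exec_t,portreserve_t)` without spaces, unlike every other pattern call in the same file (`read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)`); use the spaced form for consistency.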
++files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })
++
++corenet_all_recvfrom_unlabeled(portreserve_t)
++corenet_all_recvfrom_netlabel(portreserve_t)
++corenet_tcp_bind_all_ports(portreserve_t)
++corenet_tcp_bind_all_ports(portreserve_t)
++corenet_tcp_bind_generic_node(portreserve_t)
++corenet_udp_bind_generic_node(portreserve_t)
++corenet_udp_bind_all_ports(portreserve_t)
++
++files_read_etc_files(portreserve_t)
++
++# Init script handling
++#init_use_fds(portreserve_t)
++#init_use_script_ptys(portreserve_t)
++#domain_use_interactive_fds(portreserve_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.12/policy/modules/services/postfix.fc
+--- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/postfix.fc 2009-04-07 16:01:44.000000000 -0400
+@@ -29,12 +29,10 @@
+ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+ /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+ /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+ ')
+ /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+ /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+ /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if
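Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` appears twice in a row in the new portreserve.te (the 51-line count in the hunk header confirms the duplicate is real, not an extraction artifact); drop the second copy. A more substantive gap: the domain may bind every TCP and UDP port, yet no `allow portreserve_t self:capability net_bind_service;` is granted, and portreserve exists to hold ports for services that start later, which on most configurations includes ports below 1024 — unless binding happens before the daemon drops privileges, this will surface as an AVC in enforcing mode, so it is worth exercising against the shipped /etc/portreserve entries before this lands. Finally, the three commented-out init interfaces at the end carry no explanation; either remove them or replace the comment with one line stating why they are not needed, so the next maintainer does not re-add them blindly.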
serefpolicy-3.6.12/policy/modules/services/postfix.if +--- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-07 16:01:44.000000000 -0400 +@@ -46,6 +46,7 @@ + + allow postfix_$1_t postfix_etc_t:dir list_dir_perms; + read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) ++ read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) + + can_exec(postfix_$1_t, postfix_$1_exec_t) + +@@ -79,6 +80,7 @@ + files_read_usr_symlinks(postfix_$1_t) + files_search_spool(postfix_$1_t) + files_getattr_tmp_dirs(postfix_$1_t) ++ files_search_all_mountpoints(postfix_$1_t) + + init_dontaudit_use_fds(postfix_$1_t) + init_sigchld(postfix_$1_t) +@@ -174,9 +176,8 @@ + type postfix_etc_t; + ') + +- allow $1 postfix_etc_t:dir list_dir_perms; +- allow $1 postfix_etc_t:file read_file_perms; +- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, postfix_etc_t, postfix_etc_t) ++ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) + files_search_etc($1) + ') + +@@ -232,6 +233,25 @@ + + ######################################## + ## ++## Allow read/write postfix local pipes ++## TCP sockets. ++## ++## +## -+## The role to be allowed the unconfined sendmail domain. ++## Domain to not audit. +## +## -+## +# -+interface(`sendmail_run_unconfined',` ++interface(`postfix_rw_local_pipes',` + gen_require(` -+ type unconfined_sendmail_t; ++ type postfix_local_t; + ') + -+ sendmail_domtrans_unconfined($1) -+ role $2 types unconfined_sendmail_t; ++ allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## -+## Allow attempts to read and write to -+## sendmail unnamed pipes. + ## Allow domain to read postfix local process state + ## + ## +@@ -378,7 +398,7 @@ + ##
+ ## + # +-interface(`postfix_create_pivate_sockets',` ++interface(`postfix_create_private_sockets',` + gen_require(` + type postfix_private_t; + ') +@@ -389,6 +409,25 @@ + + ######################################## + ## ++## manage named socket in a postfix private directory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`sendmail_rw_pipes',` ++interface(`postfix_manage_private_sockets',` + gen_require(` -+ type sendmail_t; ++ type postfix_private_t; + ') + -+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms; ++ allow $1 postfix_private_t:dir list_dir_perms; ++ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-04-07 16:01:44.000000000 -0400 -@@ -20,13 +20,17 @@ - mta_mailserver_delivery(sendmail_t) - mta_mailserver_sender(sendmail_t) - -+type unconfined_sendmail_t; -+application_domain(unconfined_sendmail_t, sendmail_exec_t) -+role system_r types unconfined_sendmail_t; + - ######################################## - # - # Sendmail local policy - # - --allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; --allow sendmail_t self:process signal; -+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -+allow sendmail_t self:process { setrlimit signal signull }; - allow sendmail_t self:fifo_file rw_fifo_file_perms; - allow sendmail_t self:unix_stream_socket create_stream_socket_perms; - allow sendmail_t self:unix_dgram_socket create_socket_perms; -@@ -47,6 +51,7 @@ - kernel_read_kernel_sysctls(sendmail_t) - # for piping mail to a command - kernel_read_system_state(sendmail_t) 
-+kernel_read_network_state(sendmail_t) - - corenet_all_recvfrom_unlabeled(sendmail_t) - corenet_all_recvfrom_netlabel(sendmail_t) -@@ -64,24 +69,30 @@ - - fs_getattr_all_fs(sendmail_t) - fs_search_auto_mountpoints(sendmail_t) -+fs_rw_anon_inodefs_files(sendmail_t) -+fs_list_inotifyfs(sendmail_t) - - term_dontaudit_use_console(sendmail_t) - - # for piping mail to a command - corecmd_exec_shell(sendmail_t) -+corecmd_exec_bin(sendmail_t) - - domain_use_interactive_fds(sendmail_t) - - files_read_etc_files(sendmail_t) -+files_read_usr_files(sendmail_t) - files_search_spool(sendmail_t) - # for piping mail to a command - files_read_etc_runtime_files(sendmail_t) -+files_read_all_tmp_files(sendmail_t) - - init_use_fds(sendmail_t) - init_use_script_ptys(sendmail_t) - # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console - init_read_utmp(sendmail_t) - init_dontaudit_write_utmp(sendmail_t) -+init_rw_script_tmp_files(sendmail_t) - - auth_use_nsswitch(sendmail_t) - -@@ -89,23 +100,38 @@ - libs_read_lib_files(sendmail_t) - - logging_send_syslog_msg(sendmail_t) -+logging_dontaudit_write_generic_logs(sendmail_t) - - miscfiles_read_certs(sendmail_t) - miscfiles_read_localization(sendmail_t) - - userdom_dontaudit_use_unpriv_user_fds(sendmail_t) --userdom_dontaudit_search_user_home_dirs(sendmail_t) -+userdom_read_user_home_content_files(sendmail_t) - - mta_read_config(sendmail_t) - mta_etc_filetrans_aliases(sendmail_t) - # Write to /etc/aliases and /etc/mail. --mta_rw_aliases(sendmail_t) -+mta_manage_aliases(sendmail_t) - # Write to /var/spool/mail and /var/spool/mqueue. 
- mta_manage_queue(sendmail_t) - mta_manage_spool(sendmail_t) -+mta_sendmail_exec(sendmail_t) -+ -+optional_policy(` -+ cron_read_pipes(sendmail_t) -+') - - optional_policy(` - clamav_search_lib(sendmail_t) -+ clamav_stream_connect(sendmail_t) -+') -+ -+optional_policy(` -+ cyrus_stream_connect(sendmail_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(sendmail, sendmail_t) - ') - - optional_policy(` -@@ -113,13 +139,19 @@ - ') - - optional_policy(` -- postfix_exec_master(sendmail_t) -+ munin_dontaudit_search_lib(sendmail_t) -+') -+ -+optional_policy(` -+ postfix_domtrans_postdrop(sendmail_t) -+ postfix_domtrans_master(sendmail_t) - postfix_read_config(sendmail_t) - postfix_search_spool(sendmail_t) - ') - - optional_policy(` - procmail_domtrans(sendmail_t) -+ procmail_rw_tmp_files(sendmail_t) - ') ++######################################## ++## + ## Execute the master postfix program in the + ## postfix_master domain. + ## +@@ -418,10 +457,10 @@ + # + interface(`postfix_search_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') - optional_policy(` -@@ -127,24 +159,29 @@ +- allow $1 postfix_spool_t:dir search_dir_perms; ++ allow $1 postfix_spool_type:dir search_dir_perms; + files_search_spool($1) ') - optional_policy(` -+ sasl_connect(sendmail_t) -+') +@@ -437,11 +476,30 @@ + # + interface(`postfix_list_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; ++ ') + -+optional_policy(` -+ spamd_stream_connect(sendmail_t) ++ allow $1 postfix_spool_type:dir list_dir_perms; ++ files_search_spool($1) +') + -+optional_policy(` - udev_read_db(sendmail_t) - ') - --ifdef(`TODO',` --allow sendmail_t etc_mail_t:dir rw_dir_perms; --allow sendmail_t etc_mail_t:file manage_file_perms; --# for the start script to run make -C /etc/mail --allow initrc_t etc_mail_t:dir rw_dir_perms; --allow initrc_t etc_mail_t:file manage_file_perms; --allow system_mail_t initrc_t:fd use; --allow system_mail_t initrc_t:fifo_file 
write; -- --# When sendmail runs as user_mail_domain, it needs some extra permissions --# to update /etc/mail/statistics. --allow user_mail_domain etc_mail_t:file rw_file_perms; -+optional_policy(` -+ uucp_domtrans_uux(sendmail_t) -+') - --# Silently deny attempts to access /root. --dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; +######################################## ++## ++## Getattr postfix mail spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## +# -+# Unconfined sendmail local policy -+# Allow unconfined domain to run newalias and have transitions work -+# -+ -+optional_policy(` -+ mta_etc_filetrans_aliases(unconfined_sendmail_t) -+ unconfined_domain(unconfined_sendmail_t) -+') ++interface(`postfix_getattr_spool_files',` ++ gen_require(` ++ attribute postfix_spool_type; + ') --dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; --') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.12/policy/modules/services/setroubleshoot.fc ---- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,3 +1,5 @@ -+/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) -+ - /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) +- allow $1 postfix_spool_t:dir list_dir_perms; + files_search_spool($1) ++ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) + ') - /var/run/setroubleshoot(/.*)? 
gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.12/policy/modules/services/setroubleshoot.if ---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.if 2009-04-07 16:01:44.000000000 -0400 -@@ -16,8 +16,8 @@ + ######################################## +@@ -456,16 +514,16 @@ + # + interface(`postfix_read_spool_files',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; ') - files_search_pids($1) -- allow $1 setroubleshoot_var_run_t:sock_file write; -- allow $1 setroubleshootd_t:unix_stream_socket connectto; -+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) -+ allow $1 setroubleshoot_var_run_t:sock_file read; + files_search_spool($1) +- read_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ read_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## -@@ -36,6 +36,69 @@ - type setroubleshootd_t, setroubleshoot_var_run_t; + ## +-## Create, read, write, and delete postfix mail spool files. ++## Manage postfix mail spool files. 
+ ## + ## + ## +@@ -475,11 +533,11 @@ + # + interface(`postfix_manage_spool_files',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; ') -- dontaudit $1 setroubleshoot_var_run_t:sock_file write; -+ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; + files_search_spool($1) +- manage_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) + ') + + ######################################## +@@ -500,3 +558,23 @@ + + typeattribute $1 postfix_user_domtrans; ') + +######################################## +## -+## Send and receive messages from -+## setroubleshoot over dbus. ++## Execute the master postdrop in the ++## postfix_postdrop domain. +## +## +## 
@@ -19496,665 +17465,538 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`setroubleshoot_dbus_chat',` ++interface(`postfix_domtrans_postdrop',` + gen_require(` -+ type setroubleshootd_t; -+ class dbus send_msg; ++ type postfix_postdrop_t, postfix_postdrop_exec_t; + ') + -+ allow $1 setroubleshootd_t:dbus send_msg; -+ allow setroubleshootd_t $1:dbus send_msg; ++ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + -+######################################## -+## -+## All of the rules required to administrate -+## an setroubleshoot environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the setroubleshoot domain. -+## -+## -+## -+# -+interface(`setroubleshoot_admin',` -+ gen_require(` -+ type setroubleshootd_t, setroubleshoot_log_t; -+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; -+ type setroubleshoot_initrc_exec_t; -+ ') -+ -+ allow $1 setroubleshootd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, setroubleshootd_t) -+ -+ init_labeled_script_domtrans($1, setroubleshoot_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 setroubleshoot_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_list_logs($1) -+ admin_pattern($1, setroubleshoot_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, setroubleshoot_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, setroubleshoot_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-04-07 16:01:44.000000000 -0400 -@@ -11,6 +11,9 @@ - domain_type(setroubleshootd_t) - init_daemon_domain(setroubleshootd_t, 
setroubleshootd_exec_t) - -+type setroubleshoot_initrc_exec_t; -+init_script_file(setroubleshoot_initrc_exec_t) -+ - type setroubleshoot_var_lib_t; - files_type(setroubleshoot_var_lib_t) - -@@ -27,8 +30,10 @@ - # setroubleshootd local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te +--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-07 16:01:44.000000000 -0400 +@@ -6,6 +6,15 @@ + # Declarations # --allow setroubleshootd_t self:capability { dac_override sys_tty_config }; --allow setroubleshootd_t self:process { signull signal getattr getsched }; -+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; -+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run -+allow setroubleshootd_t self:process { execmem execstack }; - allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; - allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; - allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -52,7 +57,10 @@ ++## ++##

++## Allow postfix_local domain full write access to mail_spool directories ++## ++##

++##
++gen_tunable(allow_postfix_local_write_mail_spool, false) ++ ++attribute postfix_spool_type; + attribute postfix_user_domains; + # domains that transition to the + # postfix user domains +@@ -13,13 +22,13 @@ - kernel_read_kernel_sysctls(setroubleshootd_t) - kernel_read_system_state(setroubleshootd_t) -+kernel_read_net_sysctls(setroubleshootd_t) - kernel_read_network_state(setroubleshootd_t) -+kernel_dontaudit_list_all_proc(setroubleshootd_t) -+kernel_read_unlabeled_state(setroubleshootd_t) + postfix_server_domain_template(bounce) - corecmd_exec_bin(setroubleshootd_t) - corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +76,24 @@ +-type postfix_spool_bounce_t; ++type postfix_spool_bounce_t, postfix_spool_type; + files_type(postfix_spool_bounce_t) - dev_read_urand(setroubleshootd_t) - dev_read_sysfs(setroubleshootd_t) -+dev_getattr_all_blk_files(setroubleshootd_t) -+dev_getattr_all_chr_files(setroubleshootd_t) + postfix_server_domain_template(cleanup) - domain_dontaudit_search_all_domains_state(setroubleshootd_t) + type postfix_etc_t; +-files_type(postfix_etc_t) ++files_config_file(postfix_etc_t) - files_read_usr_files(setroubleshootd_t) - files_read_etc_files(setroubleshootd_t) --files_getattr_all_dirs(setroubleshootd_t) -+files_list_all(setroubleshootd_t) - files_getattr_all_files(setroubleshootd_t) -+files_getattr_all_pipes(setroubleshootd_t) -+files_getattr_all_sockets(setroubleshootd_t) + type postfix_exec_t; + application_executable_file(postfix_exec_t) +@@ -27,6 +36,12 @@ + postfix_server_domain_template(local) + mta_mailserver_delivery(postfix_local_t) - fs_getattr_all_dirs(setroubleshootd_t) - fs_getattr_all_files(setroubleshootd_t) -+fs_read_fusefs_symlinks(setroubleshootd_t) -+fs_dontaudit_read_nfs_files(setroubleshootd_t) -+fs_dontaudit_read_cifs_files(setroubleshootd_t) -+fs_list_inotifyfs(setroubleshootd_t) ++userdom_read_user_home_content_files(postfix_local_t) ++ ++tunable_policy(`allow_postfix_local_write_mail_spool',` ++ 
mta_manage_spool(postfix_local_t) ++') ++ + type postfix_local_tmp_t; + files_tmp_file(postfix_local_tmp_t) - selinux_get_enforce_mode(setroubleshootd_t) - selinux_validate_context(setroubleshootd_t) -@@ -94,22 +110,24 @@ +@@ -34,6 +49,7 @@ + type postfix_map_t; + type postfix_map_exec_t; + application_domain(postfix_map_t, postfix_map_exec_t) ++role system_r types postfix_map_t; - locallogin_dontaudit_use_fds(setroubleshootd_t) + type postfix_map_tmp_t; + files_tmp_file(postfix_map_tmp_t) +@@ -68,13 +84,13 @@ -+logging_send_audit_msgs(setroubleshootd_t) - logging_send_syslog_msg(setroubleshootd_t) - logging_stream_connect_dispatcher(setroubleshootd_t) + postfix_server_domain_template(smtpd) - seutil_read_config(setroubleshootd_t) - seutil_read_file_contexts(setroubleshootd_t) -- --sysnet_read_config(setroubleshootd_t) -+seutil_read_bin_policy(setroubleshootd_t) +-type postfix_spool_t; ++type postfix_spool_t, postfix_spool_type; + files_type(postfix_spool_t) - userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) +-type postfix_spool_maildrop_t; ++type postfix_spool_maildrop_t, postfix_spool_type; + files_type(postfix_spool_maildrop_t) - optional_policy(` - dbus_system_bus_client(setroubleshootd_t) - dbus_connect_system_bus(setroubleshootd_t) -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) - ') +-type postfix_spool_flush_t; ++type postfix_spool_flush_t, postfix_spool_type; + files_type(postfix_spool_flush_t) - optional_policy(` -+ rpm_signull(setroubleshootd_t) - rpm_read_db(setroubleshootd_t) - rpm_dontaudit_manage_db(setroubleshootd_t) - rpm_use_script_fds(setroubleshootd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/smartmon.te 2009-04-07 16:01:44.000000000 -0400 -@@ -19,6 
+19,10 @@ - type fsdaemon_tmp_t; - files_tmp_file(fsdaemon_tmp_t) + type postfix_public_t; +@@ -103,6 +119,7 @@ + allow postfix_master_t self:fifo_file rw_fifo_file_perms; + allow postfix_master_t self:tcp_socket create_stream_socket_perms; + allow postfix_master_t self:udp_socket create_socket_perms; ++allow postfix_master_t self:process setrlimit; -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(fsdaemon_t,fsdaemon_exec_t,mls_systemhigh) -+') -+ - ######################################## - # - # Local policy -@@ -26,7 +30,7 @@ + allow postfix_master_t postfix_etc_t:file rw_file_perms; - allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; - dontaudit fsdaemon_t self:capability sys_tty_config; --allow fsdaemon_t self:process signal_perms; -+allow fsdaemon_t self:process { signal_perms setfscreate }; - allow fsdaemon_t self:fifo_file rw_fifo_file_perms; - allow fsdaemon_t self:unix_dgram_socket create_socket_perms; - allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; -@@ -52,6 +56,7 @@ - corenet_udp_sendrecv_generic_node(fsdaemon_t) - corenet_udp_sendrecv_all_ports(fsdaemon_t) +@@ -142,6 +159,7 @@ -+dev_delete_generic_dirs(fsdaemon_t) - dev_read_sysfs(fsdaemon_t) - dev_read_urand(fsdaemon_t) + delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -@@ -67,9 +72,11 @@ + kernel_read_all_sysctls(postfix_master_t) - mls_file_read_all_levels(fsdaemon_t) +@@ -153,6 +171,9 @@ + corenet_udp_sendrecv_generic_node(postfix_master_t) + corenet_tcp_sendrecv_all_ports(postfix_master_t) + corenet_udp_sendrecv_all_ports(postfix_master_t) ++corenet_udp_bind_generic_node(postfix_master_t) ++corenet_udp_bind_all_unreserved_ports(postfix_master_t) ++corenet_dontaudit_udp_bind_all_ports(postfix_master_t) + 
corenet_tcp_bind_generic_node(postfix_master_t) + corenet_tcp_bind_amavisd_send_port(postfix_master_t) + corenet_tcp_bind_smtp_port(postfix_master_t) +@@ -170,6 +191,8 @@ + domain_use_interactive_fds(postfix_master_t) -+storage_dev_filetrans_fixed_disk(fsdaemon_t) - storage_raw_read_fixed_disk(fsdaemon_t) - storage_raw_write_fixed_disk(fsdaemon_t) - storage_raw_read_removable_device(fsdaemon_t) -+storage_manage_fixed_disk(fsdaemon_t) + files_read_usr_files(postfix_master_t) ++files_search_var_lib(postfix_master_t) ++files_search_tmp(postfix_master_t) - term_dontaudit_search_ptys(fsdaemon_t) + term_dontaudit_search_ptys(postfix_master_t) -@@ -80,6 +87,8 @@ +@@ -181,15 +204,14 @@ - miscfiles_read_localization(fsdaemon_t) + mta_rw_aliases(postfix_master_t) + mta_read_sendmail_bin(postfix_master_t) ++mta_getattr_spool(postfix_master_t) -+selinux_validate_context(fsdaemon_t) -+ - sysnet_dns_name_resolve(fsdaemon_t) +-ifdef(`distro_redhat',` +- # for newer main.cf that uses /etc/aliases +- mta_manage_aliases(postfix_master_t) +- mta_etc_filetrans_aliases(postfix_master_t) ++optional_policy(` ++ cyrus_stream_connect(postfix_master_t) + ') - userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -@@ -91,6 +100,7 @@ + optional_policy(` +- cyrus_stream_connect(postfix_master_t) ++ kerberos_keytab_template(postfix, postfix_t) + ') optional_policy(` - seutil_sigchld_newrole(fsdaemon_t) -+ seutil_read_file_contexts(fsdaemon_t) +@@ -202,9 +224,29 @@ ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.12/policy/modules/services/snmp.fc ---- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/snmp.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -20,5 +20,5 @@ - - /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++ postgrey_search_spool(postfix_master_t) ++') ++ ++optional_policy(` + 
sendmail_signal(postfix_master_t) + ') --/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) -+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) - /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.12/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/snmp.te 2009-04-07 16:01:44.000000000 -0400 -@@ -71,6 +71,7 @@ - corenet_tcp_bind_snmp_port(snmpd_t) - corenet_udp_bind_snmp_port(snmpd_t) - corenet_sendrecv_snmp_server_packets(snmpd_t) -+corenet_tcp_connect_agentx_port(snmpd_t) ++########################################################### ++# ++# Partially converted rules. THESE ARE ONLY TEMPORARY ++# ++ ++ifdef(`distro_redhat',` ++ # for newer main.cf that uses /etc/aliases ++ allow postfix_master_t etc_aliases_t:dir manage_dir_perms; ++ allow postfix_master_t etc_aliases_t:file manage_file_perms; ++ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms; ++ mta_etc_filetrans_aliases(postfix_master_t) ++ filetrans_pattern(postfix_master_t, postfix_etc_t, etc_aliases_t, { dir file lnk_file }) ++') ++ ++# end partially converted rules ++ + ######################################## + # + # Postfix bounce local policy +@@ -245,6 +287,10 @@ - dev_list_sysfs(snmpd_t) - dev_read_sysfs(snmpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.12/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/snort.te 2009-04-07 16:01:44.000000000 -0400 -@@ -56,6 +56,7 @@ - files_pid_filetrans(snort_t, snort_var_run_t, file) + corecmd_exec_bin(postfix_cleanup_t) - 
kernel_read_kernel_sysctls(snort_t) -+kernel_read_sysctl(snort_t) - kernel_list_proc(snort_t) - kernel_read_proc_symlinks(snort_t) - kernel_dontaudit_read_system_state(snort_t) -@@ -70,6 +71,7 @@ - corenet_raw_sendrecv_generic_node(snort_t) - corenet_tcp_sendrecv_all_ports(snort_t) - corenet_udp_sendrecv_all_ports(snort_t) -+corenet_tcp_connect_prelude_port(snort_t) ++optional_policy(` ++ mailman_read_data_files(postfix_cleanup_t) ++') ++ + ######################################## + # + # Postfix local local policy +@@ -270,18 +316,29 @@ - dev_read_sysfs(snort_t) - dev_read_rand(snort_t) -@@ -94,6 +96,13 @@ - userdom_dontaudit_use_unpriv_user_fds(snort_t) - userdom_dontaudit_search_user_home_dirs(snort_t) + files_read_etc_files(postfix_local_t) -+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager -+sysnet_dns_name_resolve(snort_t) ++logging_dontaudit_search_logs(postfix_local_t) + -+optional_policy(` -+ prelude_manage_spool(snort_t) -+') + mta_read_aliases(postfix_local_t) + mta_delete_spool(postfix_local_t) + # For reading spamassasin + mta_read_config(postfix_local_t) + ++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) + optional_policy(` - seutil_sigchld_newrole(snort_t) + clamav_search_lib(postfix_local_t) ++ clamav_exec_clamscan(postfix_local_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc ---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,15 +1,24 @@ --HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) -+HOME_DIR/\.spamassassin(/.*)? 
gen_context(system_u:object_r:spamc_home_t,s0) + + optional_policy(` + # for postalias + mailman_manage_data_files(postfix_local_t) ++ mailman_append_log(postfix_local_t) ++ mailman_read_log(postfix_local_t) ++') + -+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) ++optional_policy(` ++ nagios_search_spool(postfix_local_t) + ') - /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) --/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) - /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) --/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -+/usr/bin/spamd -- gen_context(system_u:object_r:spamassassin_exec_t,s0) + optional_policy(` +@@ -292,8 +349,7 @@ + # + # Postfix map local policy + # +- +-allow postfix_map_t self:capability setgid; ++allow postfix_map_t self:capability { dac_override setgid setuid }; + allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; + allow postfix_map_t self:unix_dgram_socket create_socket_perms; + allow postfix_map_t self:tcp_socket create_stream_socket_perms; +@@ -340,10 +396,6 @@ - /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) + miscfiles_read_localization(postfix_map_t) - /var/lib/spamassassin(/.*)? 
gen_context(system_u:object_r:spamd_var_lib_t,s0) +-seutil_read_config(postfix_map_t) +- +-userdom_use_user_terminals(postfix_map_t) +- + tunable_policy(`read_default_t',` + files_list_default(postfix_map_t) + files_read_default_files(postfix_map_t) +@@ -356,6 +408,11 @@ + locallogin_dontaudit_use_fds(postfix_map_t) + ') -+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) -+/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) ++optional_policy(` ++# for postalias ++ mailman_manage_data_files(postfix_map_t) ++') + - /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + ######################################## + # + # Postfix pickup local policy +@@ -380,6 +437,7 @@ + # - /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) - /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -+/var/spool/MIMEDefang(/.*)? 
gen_context(system_u:object_r:spamd_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.12/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.if 2009-04-07 16:01:44.000000000 -0400 -@@ -111,6 +111,7 @@ - ') + allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; ++allow postfix_pipe_t self:process setrlimit; - domtrans_pattern($1, spamc_exec_t, spamc_t) -+ allow $1 spamc_exec_t:file ioctl; - ') + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - ######################################## -@@ -166,6 +167,7 @@ - ') +@@ -387,6 +445,12 @@ - files_search_var_lib($1) -+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) + ++domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++ ++optional_policy(` ++ dovecot_domtrans_deliver(postfix_pipe_t) ++') ++ + optional_policy(` + procmail_domtrans(postfix_pipe_t) + ') +@@ -396,6 +460,15 @@ ') -@@ -225,3 +227,69 @@ + optional_policy(` ++ mta_manage_spool(postfix_pipe_t) ++ mta_send_mail(postfix_pipe_t) ++') ++ ++optional_policy(` ++ spamassassin_domtrans_client(postfix_pipe_t) ++') ++ ++optional_policy(` + uucp_domtrans_uux(postfix_pipe_t) + ') - dontaudit $1 spamd_tmp_t:sock_file getattr; +@@ -432,8 +505,11 @@ ') + + optional_policy(` +- ppp_use_fds(postfix_postqueue_t) +- ppp_sigchld(postfix_postqueue_t) ++ sendmail_rw_unix_stream_sockets(postfix_postdrop_t) ++') + -+######################################## -+## -+## Connect to run spamd. -+## -+## -+## -+## Domain allowed to connect. 
-+## -+## -+# -+interface(`spamd_stream_connect',` -+ gen_require(` -+ type spamd_t, spamd_var_run_t; -+ ') ++optional_policy(` ++ uucp_manage_spool(postfix_postdrop_t) + ') + + ####################################### +@@ -459,6 +535,15 @@ + init_sigchld_script(postfix_postqueue_t) + init_use_script_fds(postfix_postqueue_t) + ++optional_policy(` ++ cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) ++') + -+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ++optional_policy(` ++ ppp_use_fds(postfix_postqueue_t) ++ ppp_sigchld(postfix_postqueue_t) +') + -+######################################## -+## -+## All of the rules required to administrate -+## an spamassassin environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the spamassassin domain. -+## -+## -+## -+# -+interface(`spamassassin_spamd_admin',` -+ gen_require(` -+ type spamd_t, spamd_tmp_t, spamd_log_t; -+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; -+ type spamd_initrc_exec_t; -+ ') + ######################################## + # + # Postfix qmgr local policy +@@ -513,7 +598,7 @@ + + allow postfix_smtp_t postfix_spool_t:file rw_file_perms; + +-files_dontaudit_getattr_home_dir(postfix_smtp_t) ++files_search_all_mountpoints(postfix_smtp_t) + + optional_policy(` + cyrus_stream_connect(postfix_smtp_t) +@@ -543,9 +628,18 @@ + + # for OpenSSL certificates + files_read_usr_files(postfix_smtpd_t) + -+ allow $1 spamd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, spamd_t, spamd_t) -+ -+ init_labeled_script_domtrans($1, spamd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 spamd_initrc_exec_t system_r; -+ allow $2 system_r; ++# postfix checks the size of all mounted file systems ++fs_getattr_all_dirs(postfix_smtpd_t) ++fs_getattr_all_fs(postfix_smtpd_t) + -+ files_list_tmp($1) -+ admin_pattern($1, spamd_tmp_t) + mta_read_aliases(postfix_smtpd_t) + + optional_policy(` 
++ dovecot_auth_stream_connect(postfix_smtpd_t) ++') + -+ logging_list_logs($1) -+ admin_pattern($1, spamd_log_t) ++optional_policy(` + mailman_read_data_files(postfix_smtpd_t) + ') + +@@ -572,15 +666,21 @@ + files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) + + # connect to master process +-stream_connect_pattern(postfix_virtual_t, postfix_public_t, postfix_public_t, postfix_master_t) ++stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + + corecmd_exec_shell(postfix_virtual_t) + corecmd_exec_bin(postfix_virtual_t) + + files_read_etc_files(postfix_virtual_t) ++files_read_usr_files(postfix_virtual_t) + + mta_read_aliases(postfix_virtual_t) + mta_delete_spool(postfix_virtual_t) + # For reading spamassasin + mta_read_config(postfix_virtual_t) + mta_manage_spool(postfix_virtual_t) + -+ files_list_spool($1) -+ admin_pattern($1, spamd_spool_t) ++userdom_manage_user_home_dirs(postfix_virtual_t) ++userdom_manage_user_home_content(postfix_virtual_t) ++userdom_home_filetrans_user_home_dir(postfix_virtual_t) ++userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.12/policy/modules/services/postgresql.fc +--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/postgresql.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -2,6 +2,7 @@ + # /etc + # + /etc/postgresql(/.*)? 
gen_context(system_u:object_r:postgresql_etc_t,s0) ++/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) + + # + # /usr +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.12/policy/modules/services/postgresql.if +--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/postgresql.if 2009-04-07 16:01:44.000000000 -0400 +@@ -351,3 +351,46 @@ + + typeattribute $1 sepgsql_unconfined_type; + ') + -+ files_list_var_lib($1) -+ admin_pattern($1, spamd_var_lib_t) ++######################################## ++## ++## All of the rules required to administrate an postgresql environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the postgresql domain. ++## ++## ++## ++# ++interface(`postgresql_admin',` ++ gen_require(` ++ type postgresql_t, postgresql_var_run_t; ++ type postgresql_tmp_t, postgresql_db_t; ++ type postgresql_etc_t, postgresql_log_t; ++ type postgresql_initrc_exec_t; ++ ') + -+ files_list_pids($1) -+ admin_pattern($1, spamd_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-07 16:01:44.000000000 -0400 -@@ -20,6 +20,35 @@ - ## - gen_tunable(spamd_enable_home_dirs, true) - -+ifdef(`distro_redhat',` -+# spamassassin client executable -+type spamc_t; -+type spamc_exec_t; -+application_domain(spamc_t, spamc_exec_t) -+role system_r types spamc_t; ++ allow $1 postgresql_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postgresql_t) + -+type spamd_etc_t; -+files_config_file(spamd_etc_t) ++ 
init_labeled_script_domtrans($1, postgresql_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 postgresql_initrc_exec_t system_r; ++ allow $2 system_r; + -+typealias spamc_exec_t alias spamassassin_exec_t; -+typealias spamc_t alias spamassassin_t; ++ admin_pattern($1, postgresql_var_run_t) + -+type spamc_home_t; -+userdom_user_home_content(spamc_home_t) -+typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; -+typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; -+typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; -+typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; ++ admin_pattern($1, postgresql_db_t) + -+type spamc_tmp_t; -+files_tmp_file(spamc_tmp_t) -+typealias spamc_tmp_t alias spamassassin_tmp_t; -+typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -+typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; ++ admin_pattern($1, postgresql_etc_t) + -+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -+', ` - type spamassassin_t; - type spamassassin_exec_t; - typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -@@ -51,11 +80,18 @@ - typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; - files_tmp_file(spamc_tmp_t) - ubac_constrained(spamc_tmp_t) ++ admin_pattern($1, postgresql_log_t) ++ ++ admin_pattern($1, postgresql_tmp_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te +--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-02-03 22:50:50.000000000 -0500 ++++ 
serefpolicy-3.6.12/policy/modules/services/postgresql.te 2009-04-07 16:01:44.000000000 -0400 +@@ -32,6 +32,9 @@ + type postgresql_etc_t; + files_config_file(postgresql_etc_t) - type spamd_t; - type spamd_exec_t; - init_daemon_domain(spamd_t, spamd_exec_t) - -+type spamd_initrc_exec_t; -+init_script_file(spamd_initrc_exec_t) -+ -+type spamd_log_t; -+logging_log_file(spamd_log_t) ++type postgresql_initrc_exec_t; ++init_script_file(postgresql_initrc_exec_t) + - type spamd_spool_t; - files_type(spamd_spool_t) + type postgresql_lock_t; + files_lock_file(postgresql_lock_t) -@@ -159,6 +195,7 @@ - corenet_udp_sendrecv_all_ports(spamassassin_t) - corenet_tcp_connect_all_ports(spamassassin_t) - corenet_sendrecv_all_client_packets(spamassassin_t) -+ corenet_udp_bind_generic_node(spamassassin_t) +@@ -124,6 +127,7 @@ + dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; + allow postgresql_t self:process signal_perms; + allow postgresql_t self:fifo_file rw_fifo_file_perms; ++allow postgresql_t self:file { getattr read }; + allow postgresql_t self:sem create_sem_perms; + allow postgresql_t self:shm create_shm_perms; + allow postgresql_t self:tcp_socket create_stream_socket_perms; +@@ -178,7 +182,7 @@ - sysnet_read_config(spamassassin_t) - ') -@@ -216,16 +253,31 @@ - allow spamc_t self:unix_stream_socket connectto; - allow spamc_t self:tcp_socket create_stream_socket_perms; - allow spamc_t self:udp_socket create_socket_perms; -+corenet_all_recvfrom_unlabeled(spamc_t) -+corenet_all_recvfrom_netlabel(spamc_t) -+corenet_tcp_sendrecv_generic_if(spamc_t) -+corenet_tcp_sendrecv_generic_node(spamc_t) -+corenet_tcp_connect_spamd_port(spamc_t) -+ + manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) + manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) ++files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file }) - 
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) - manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) - files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + kernel_read_kernel_sysctls(postgresql_t) + kernel_read_system_state(postgresql_t) +@@ -194,6 +198,7 @@ + corenet_udp_sendrecv_generic_node(postgresql_t) + corenet_tcp_sendrecv_all_ports(postgresql_t) + corenet_udp_sendrecv_all_ports(postgresql_t) ++corenet_udp_bind_generic_node(postgresql_t) + corenet_tcp_bind_generic_node(postgresql_t) + corenet_tcp_bind_postgresql_port(postgresql_t) + corenet_tcp_connect_auth_port(postgresql_t) +@@ -304,7 +309,7 @@ + allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; -+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) -+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) -+ - # Allow connecting to a local spamd - allow spamc_t spamd_t:unix_stream_socket connectto; - allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; -+spamd_stream_connect(spamc_t) + allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute install }; +-allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint }; ++allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; - kernel_read_kernel_sysctls(spamc_t) -+kernel_read_system_state(spamc_t) + allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; + allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; +@@ -345,7 +350,7 @@ - corenet_all_recvfrom_unlabeled(spamc_t) - corenet_all_recvfrom_netlabel(spamc_t) -@@ -255,9 +307,15 @@ - files_dontaudit_search_var(spamc_t) - # cjp: this 
may be removable: - files_list_home(spamc_t) -+files_list_var_lib(spamc_t) -+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -+ -+fs_search_auto_mountpoints(spamc_t) - - logging_send_syslog_msg(spamc_t) - -+auth_use_nsswitch(spamc_t) -+ - miscfiles_read_localization(spamc_t) - - # cjp: this should probably be removed: -@@ -265,31 +323,35 @@ - - sysnet_read_config(spamc_t) - --# cjp: this should probably be removed: --tunable_policy(`read_default_t',` -- files_list_default(spamc_t) -- files_read_default_files(spamc_t) -- files_read_default_symlinks(spamc_t) -- files_read_default_sockets(spamc_t) -- files_read_default_pipes(spamc_t) -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(spamc_t) -+ fs_manage_nfs_files(spamc_t) -+ fs_manage_nfs_symlinks(spamc_t) - ') - --optional_policy(` -- # Allow connection to spamd socket above -- evolution_stream_connect(spamc_t) -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(spamc_t) -+ fs_manage_cifs_files(spamc_t) -+ fs_manage_cifs_symlinks(spamc_t) - ') - - optional_policy(` -- nis_use_ypbind(spamc_t) -+ # Allow connection to spamd socket above -+ evolution_stream_connect(spamc_t) - ') - - optional_policy(` -- nscd_socket_use(spamc_t) -+ postfix_domtrans_postdrop(spamc_t) -+ postfix_search_spool(spamc_t) -+ postfix_rw_local_pipes(spamc_t) - ') - - optional_policy(` -+ mta_send_mail(spamc_t) - mta_read_config(spamc_t) -+ mta_read_queue(spamc_t) - sendmail_stub(spamc_t) -+ sendmail_rw_pipes(spamc_t) - ') - - ######################################## -@@ -301,7 +363,7 @@ - # setuids to the user running spamc. Comment this if you are not - # using this ability. 
- --allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; -+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; - dontaudit spamd_t self:capability sys_tty_config; - allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow spamd_t self:fd use; -@@ -317,10 +379,13 @@ - allow spamd_t self:unix_stream_socket connectto; - allow spamd_t self:tcp_socket create_stream_socket_perms; - allow spamd_t self:udp_socket create_socket_perms; --allow spamd_t self:netlink_route_socket r_netlink_socket_perms; -+ -+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) -+logging_log_filetrans(spamd_t, spamd_log_t, file) - - manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) - manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) - files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) - - manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +394,11 @@ - - # var/lib files for spamd - allow spamd_t spamd_var_lib_t:dir list_dir_perms; --read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - - manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) - - kernel_read_all_sysctls(spamd_t) -@@ -382,22 +448,27 @@ - - init_dontaudit_rw_utmp(spamd_t) - -+auth_use_nsswitch(spamd_t) -+ - logging_send_syslog_msg(spamd_t) - - miscfiles_read_localization(spamd_t) - --sysnet_read_config(spamd_t) --sysnet_use_ldap(spamd_t) --sysnet_dns_name_resolve(spamd_t) -- - userdom_use_unpriv_users_fds(spamd_t) - userdom_search_user_home_dirs(spamd_t) - -+optional_policy(` -+ exim_manage_spool_dirs(spamd_t) -+ 
exim_manage_spool_files(spamd_t) -+') -+ - tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(spamd_t) - fs_manage_nfs_files(spamd_t) - ') - - tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(spamd_t) - fs_manage_cifs_files(spamd_t) - ') - -@@ -415,6 +486,7 @@ - - optional_policy(` - dcc_domtrans_client(spamd_t) -+ dcc_signal_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) - ') + # unconfined domain is not allowed to invoke user defined procedure directly. + # They have to confirm and relabel it at first. +-allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *; ++allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *; + allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; -@@ -424,10 +496,6 @@ - ') + allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.12/policy/modules/services/ppp.fc +--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ppp.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,7 +1,7 @@ + # + # /etc + # +-/etc/rc.d/init.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) ++/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - optional_policy(` -- nis_use_ypbind(spamd_t) --') + /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) + /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +@@ -8,9 +8,8 @@ + /etc/ppp/peers(/.*)? 
gen_context(system_u:object_r:pppd_etc_rw_t,s0) + /etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) + /etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) - --optional_policy(` - postfix_read_config(spamd_t) - ') + # Fix /etc/ppp {up,down} family scripts (see man pppd) +-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_script_exec_t,s0) ++/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) -@@ -442,6 +510,10 @@ + # + # /sbin +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if +--- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-04-07 16:01:44.000000000 -0400 +@@ -58,6 +58,25 @@ - optional_policy(` - razor_domtrans(spamd_t) -+ razor_read_lib_files(spamd_t) -+ tunable_policy(`spamd_enable_home_dirs',` -+ razor_manage_user_home_files(spamd_t) + ######################################## + ## ++## Send ppp a kill signal ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`ppp_kill',` ++ gen_require(` ++ type pppd_t; + ') - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.12/policy/modules/services/squid.fc ---- nsaserefpolicy/policy/modules/services/squid.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/squid.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -6,7 +6,11 @@ - /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) - /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - -+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + - /var/log/squid(/.*)? 
gen_context(system_u:object_r:squid_log_t,s0) -+/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) ++ allow $1 pppd_t:process sigkill; ++') + - /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) - /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.12/policy/modules/services/squid.if ---- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/squid.if 2009-04-07 16:01:44.000000000 -0400 -@@ -21,6 +21,25 @@ ++######################################## ++## + ## Send a generic signal to PPP. + ## + ## +@@ -298,6 +317,24 @@ ######################################## ## -+## Execute squid ++## Execute ppp server in the ntpd domain. +## +## +## 
@@ -20162,219 +18004,261 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`squid_exec',` ++interface(`ppp_initrc_domtrans',` + gen_require(` -+ type squid_exec_t; ++ type pppd_initrc_exec_t; + ') + -+ can_exec($1, squid_exec_t) ++ init_labeled_script_domtrans($1, pppd_initrc_exec_t) +') + -+ +######################################## +## - ## Send generic signals to squid. + ## All of the rules required to administrate + ## an ppp environment ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-07 16:01:44.000000000 -0400 -@@ -118,6 +118,9 @@ +@@ -315,33 +352,39 @@ + type pppd_etc_rw_t, pppd_var_run_t; - fs_getattr_all_fs(squid_t) - fs_search_auto_mountpoints(squid_t) -+#squid requires the following when run in diskd mode, the recommended setting -+fs_rw_tmpfs_files(squid_t) -+fs_list_inotifyfs(squid_t) + type pptp_t, pptp_log_t, pptp_var_run_t; ++ type pppd_initrc_exec_t; + ') - selinux_dontaudit_getattr_dir(squid_t) + allow $1 pppd_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, pppd_t) -@@ -185,8 +188,3 @@ - optional_policy(` - udev_read_db(squid_t) - ') -- --ifdef(`TODO',` --#squid requires the following when run in diskd mode, the recommended setting --allow squid_t tmpfs_t:file { read write }; --') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.12/policy/modules/services/ssh.fc ---- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -14,3 +14,5 @@ - /usr/sbin/sshd -- 
gen_context(system_u:object_r:sshd_exec_t,s0) - - /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) ++ ppp_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pppd_initrc_exec_t system_r; ++ allow $2 system_r; + -+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-07 16:01:44.000000000 -0400 -@@ -36,6 +36,7 @@ - gen_require(` - attribute ssh_server; - type ssh_exec_t, sshd_key_t, sshd_tmp_t; -+ type home_ssh_t; - ') + files_list_tmp($1) +- manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t) ++ admin_pattern($1, pppd_tmp_t) - ############################## -@@ -47,9 +48,6 @@ - application_domain($1_ssh_t, ssh_exec_t) - role $3 types $1_ssh_t; + logging_list_logs($1) +- manage_files_pattern($1, pppd_log_t, pppd_log_t) ++ admin_pattern($1, pppd_log_t) -- type $1_home_ssh_t; -- files_type($1_home_ssh_t) -- - ############################## - # - # Client local policy -@@ -65,8 +63,7 @@ - allow $1_ssh_t self:sem create_sem_perms; - allow $1_ssh_t self:msgq create_msgq_perms; - allow $1_ssh_t self:msg { send receive }; -- allow $1_ssh_t self:tcp_socket create_socket_perms; -- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; -+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms; +- manage_files_pattern($1, pppd_lock_t, pppd_lock_t) ++ admin_pattern($1, pppd_lock_t) - # for rsync - allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; -@@ -93,20 +90,21 @@ - ps_process_pattern($2, $1_ssh_t) + files_list_etc($1) +- manage_files_pattern($1, pppd_etc_t, pppd_etc_t) ++ admin_pattern($1, pppd_etc_t) - # user can manage the keys and config -- manage_files_pattern($2, $1_home_ssh_t, 
$1_home_ssh_t) -- manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) -- manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) -+ manage_files_pattern($2, home_ssh_t, home_ssh_t) -+ manage_lnk_files_pattern($2, home_ssh_t, home_ssh_t) -+ manage_sock_files_pattern($2, home_ssh_t, home_ssh_t) +- manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t) ++ admin_pattern($1, pppd_etc_rw_t) - # ssh client can manage the keys and config -- manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) -- read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) -+ manage_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t) -+ read_lnk_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t) +- manage_files_pattern($1, pppd_secret_t, pppd_secret_t) ++ admin_pattern($1, pppd_secret_t) - # ssh servers can read the user keys and config -- allow ssh_server $1_home_ssh_t:dir list_dir_perms; -- read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) -- read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) -+ allow ssh_server home_ssh_t:dir list_dir_perms; -+ read_files_pattern(ssh_server, home_ssh_t, home_ssh_t) -+ read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t) + files_list_pids($1) +- manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) ++ admin_pattern($1, pppd_var_run_t) - kernel_read_kernel_sysctls($1_ssh_t) -+ kernel_read_system_state($1_ssh_t) + allow $1 pptp_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, pptp_t) - corenet_all_recvfrom_unlabeled($1_ssh_t) - corenet_all_recvfrom_netlabel($1_ssh_t) -@@ -115,6 +113,8 @@ - corenet_tcp_sendrecv_all_ports($1_ssh_t) - corenet_tcp_connect_ssh_port($1_ssh_t) - corenet_sendrecv_ssh_client_packets($1_ssh_t) -+ corenet_tcp_bind_generic_node($1_ssh_t) -+ corenet_tcp_bind_all_unreserved_ports($1_ssh_t) +- manage_files_pattern($1, pptp_log_t, pptp_log_t) ++ admin_pattern($1, pptp_log_t) - dev_read_urand($1_ssh_t) +- manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) ++ 
admin_pattern($1, pptp_var_run_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.12/policy/modules/services/ppp.te +--- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ppp.te 2009-04-07 16:01:44.000000000 -0400 +@@ -37,8 +37,8 @@ + type pppd_etc_rw_t; + files_type(pppd_etc_rw_t) -@@ -132,6 +132,10 @@ - files_read_etc_runtime_files($1_ssh_t) - files_read_etc_files($1_ssh_t) - files_read_var_files($1_ssh_t) -+ # Required for FreeNX -+ files_read_var_lib_symlinks($1_t) +-type pppd_script_exec_t; +-files_type(pppd_script_exec_t) ++type pppd_initrc_exec_t; ++files_type(pppd_initrc_exec_t) + + # pppd_secret_t is the type of the pap and chap password files + type pppd_secret_t; +@@ -114,6 +114,8 @@ + # Access secret files + allow pppd_t pppd_secret_t:file read_file_perms; + ++ppp_initrc_domtrans(pppd_t) + -+ auth_use_nsswitch($1_ssh_t) + kernel_read_kernel_sysctls(pppd_t) + kernel_read_system_state(pppd_t) + kernel_rw_net_sysctls(pppd_t) +@@ -161,6 +163,7 @@ - logging_send_syslog_msg($1_ssh_t) - logging_read_generic_logs($1_ssh_t) -@@ -140,9 +144,6 @@ + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) ++init_signal_script(pppd_t) - seutil_read_config($1_ssh_t) + auth_use_nsswitch(pppd_t) -- sysnet_read_config($1_ssh_t) -- sysnet_dns_name_resolve($1_ssh_t) -- - tunable_policy(`read_default_t',` - files_list_default($1_ssh_t) - files_read_default_files($1_ssh_t) -@@ -154,14 +155,6 @@ - optional_policy(` - kerberos_use($1_ssh_t) - ') -- -- optional_policy(` -- nis_use_ypbind($1_ssh_t) -- ') -- -- optional_policy(` -- nscd_socket_use($1_ssh_t) -- ') +@@ -174,7 +177,6 @@ + + userdom_use_user_terminals(pppd_t) + userdom_dontaudit_use_unpriv_user_fds(pppd_t) +-# for ~/.ppprc - if it actually exists then you need some policy to read it + userdom_search_user_home_dirs(pppd_t) + + ppp_exec(pppd_t) +@@ -191,6 
+193,8 @@ + + optional_policy(` + mta_send_mail(pppd_t) ++ mta_system_content(pppd_etc_t) ++ mta_system_content(pppd_etc_rw_t) ') - ####################################### -@@ -194,13 +187,14 @@ - type $1_var_run_t; - files_pid_file($1_var_run_t) + optional_policy(` +@@ -214,7 +218,7 @@ + # PPTP Local policy + # -- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal setsched setrlimit setexec }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - # ssh agent connections: - allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ allow $1_t self:shm create_shm_perms; +-allow pptp_t self:capability net_raw; ++allow pptp_t self:capability { net_raw net_admin }; + dontaudit pptp_t self:capability sys_tty_config; + allow pptp_t self:process signal; + allow pptp_t self:fifo_file rw_fifo_file_perms; +@@ -222,14 +226,16 @@ + allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow pptp_t self:rawip_socket create_socket_perms; + allow pptp_t self:tcp_socket create_socket_perms; ++allow pptp_t self:udp_socket create_socket_perms; ++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; - term_create_pty($1_t,$1_devpts_t) -@@ -229,7 +223,12 @@ - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_ssh_port($1_t) - corenet_tcp_connect_all_ports($1_t) -+ corenet_tcp_bind_all_unreserved_ports($1_t) -+ corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier - corenet_sendrecv_ssh_server_packets($1_t) -+ # tunnel feature and -w (net_admin capability also) -+ corenet_rw_tun_tap_dev($1_t) + allow pptp_t 
pppd_etc_t:dir list_dir_perms; + allow pptp_t pppd_etc_t:file read_file_perms; +-allow pptp_t pppd_etc_t:lnk_file { getattr read }; ++allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; - fs_dontaudit_getattr_all_fs($1_t) + allow pptp_t pppd_etc_rw_t:dir list_dir_perms; + allow pptp_t pppd_etc_rw_t:file read_file_perms; +-allow pptp_t pppd_etc_rw_t:lnk_file { getattr read }; ++allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; + can_exec(pptp_t, pppd_etc_rw_t) -@@ -254,9 +253,14 @@ + # Allow pptp to append to pppd log files +@@ -245,9 +251,13 @@ + kernel_list_proc(pptp_t) + kernel_read_kernel_sysctls(pptp_t) + kernel_read_proc_symlinks(pptp_t) ++kernel_read_system_state(pptp_t) - userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) -+ userdom_read_user_home_content_files($1_t) + dev_read_sysfs(pptp_t) + ++corecmd_exec_shell(pptp_t) ++corecmd_read_bin_symlinks(pptp_t) + -+ # Allow checking users mail at login -+ mta_getattr_spool($1_t) + corenet_all_recvfrom_unlabeled(pptp_t) + corenet_all_recvfrom_netlabel(pptp_t) + corenet_tcp_sendrecv_generic_if(pptp_t) +@@ -263,17 +273,21 @@ + fs_getattr_all_fs(pptp_t) + fs_search_auto_mountpoints(pptp_t) - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_t) -+ fs_read_nfs_symlinks($1_t) - ') ++files_read_etc_files(pptp_t) ++ + term_ioctl_generic_ptys(pptp_t) + term_search_ptys(pptp_t) + term_use_ptmx(pptp_t) - tunable_policy(`use_samba_home_dirs',` -@@ -265,11 +269,7 @@ + domain_use_interactive_fds(pptp_t) - optional_policy(` - kerberos_use($1_t) -- ') ++auth_use_nsswitch(pptp_t) ++ + logging_send_syslog_msg(pptp_t) + + miscfiles_read_localization(pptp_t) + +-sysnet_read_config(pptp_t) ++sysnet_exec_ifconfig(pptp_t) + + userdom_dontaudit_use_unpriv_user_fds(pptp_t) + userdom_dontaudit_search_user_home_dirs(pptp_t) +@@ -283,11 +297,15 @@ + ') + + optional_policy(` +- hostname_exec(pptp_t) ++ dbus_system_domain(pppd_t, pppd_exec_t) ++ ++ optional_policy(` ++ 
networkmanager_dbus_chat(pppd_t) ++ ') + ') + + optional_policy(` +- nscd_socket_use(pptp_t) ++ hostname_exec(pptp_t) + ') + + optional_policy(` +@@ -301,6 +319,3 @@ + optional_policy(` + postfix_read_config(pppd_t) + ') - -- optional_policy(` -- # Allow checking users mail at login -- mta_getattr_spool($1_t) -+ kerberos_manage_host_rcache($1_t) - ') +-# FIXME: +-domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.12/policy/modules/services/prelude.fc +--- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/prelude.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,3 +1,9 @@ ++/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) ++ ++/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) ++/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) ++ + /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - optional_policy(` -@@ -454,6 +454,24 @@ + /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) +@@ -5,7 +11,15 @@ + + /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) + ++/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) ++ + /var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) + + /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) + /var/spool/prelude(/.*)? 
gen_context(system_u:object_r:prelude_spool_t,s0) ++ ++/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) ++/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) ++ ++/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.12/policy/modules/services/prelude.if +--- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/prelude.if 2009-04-07 16:01:44.000000000 -0400 +@@ -6,7 +6,7 @@ + ##
+ ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +@@ -42,7 +42,7 @@ + ##
+ ## + ## +-## Domain allowed acccess. ++## Domain allowed to transition. + ## + ## + # +@@ -56,6 +56,45 @@ ######################################## ## -+## Send a generic signal to the ssh server. ++## Read the prelude spool files +## +## +## @@ -20382,452 +18266,676 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`ssh_signal',` ++interface(`prelude_read_spool',` + gen_require(` -+ type sshd_t; ++ type prelude_spool_t; + ') + -+ allow $1 sshd_t:process signal; ++ files_search_spool($1) ++ read_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## - ## Read a ssh server unnamed pipe. - ## - ## -@@ -611,3 +629,42 @@ - - dontaudit $1 sshd_key_t:file { getattr read }; - ') -+ -+####################################### -+## -+## Delete from the ssh temp files. ++## Manage to prelude-manager spool files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`ssh_delete_tmp',` ++interface(`prelude_manage_spool',` + gen_require(` -+ type sshd_tmp_t; ++ type prelude_spool_t; + ') + -+ files_search_tmp($1) -+ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ++ files_search_spool($1) ++ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) ++ manage_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## -+## Execute the ssh agent client in the caller domain. -+## -+## + ## All of the rules required to administrate + ## an prelude environment + ##
+@@ -64,6 +103,11 @@ + ## Domain allowed access. + ##
+ ## ++## +## -+## Domain allowed access. ++## The role to be allowed to manage the syslog domain. +## +## -+# -+interface(`ssh_agent_exec',` -+ gen_require(` -+ type ssh_agent_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, ssh_agent_exec_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-04-07 16:01:44.000000000 -0400 -@@ -41,6 +41,9 @@ - files_tmp_file(sshd_tmp_t) - files_poly_parent(sshd_tmp_t) - -+type sshd_tmpfs_t; -+files_tmpfs_file(sshd_tmpfs_t) + ## + # + interface(`prelude_admin',` +@@ -71,6 +115,10 @@ + type prelude_t, prelude_spool_t; + type prelude_var_run_t, prelude_var_lib_t; + type prelude_audisp_t, prelude_audisp_var_run_t; ++ type prelude_initrc_exec_t; + - ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) - ') -@@ -75,7 +78,7 @@ - ubac_constrained(ssh_tmpfs_t) - - type home_ssh_t; --typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; -+typealias home_ssh_t alias { ssh_home_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; - typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; - files_type(home_ssh_t) - userdom_user_home_content(home_ssh_t) -@@ -95,8 +98,7 @@ - allow ssh_t self:sem create_sem_perms; - allow ssh_t self:msgq create_msgq_perms; - allow ssh_t self:msg { send receive }; --allow ssh_t self:tcp_socket create_socket_perms; --allow ssh_t self:netlink_route_socket r_netlink_socket_perms; -+allow ssh_t self:tcp_socket create_stream_socket_perms; - - # Read the ssh key file. 
- allow ssh_t sshd_key_t:file read_file_perms; -@@ -115,6 +117,7 @@ - manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) - manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) - userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) -+userdom_stream_connect(ssh_t) ++ type prelude_lml_t, prelude_lml_tmp_t; ++ type prelude_lml_var_run_t; + ') - # Allow the ssh program to communicate with ssh-agent. - stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -131,6 +134,7 @@ - read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t) + allow $1 prelude_t:process { ptrace signal_perms }; +@@ -79,11 +127,18 @@ + allow $1 prelude_audisp_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_audisp_t) - kernel_read_kernel_sysctls(ssh_t) -+kernel_read_system_state(ssh_t) +- manage_files_pattern($1, prelude_spool_t, prelude_spool_t) +- +- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t) +- +- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t) ++ allow $1 prelude_lml_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prelude_lml_t) - corenet_all_recvfrom_unlabeled(ssh_t) - corenet_all_recvfrom_netlabel(ssh_t) -@@ -139,6 +143,8 @@ - corenet_tcp_sendrecv_all_ports(ssh_t) - corenet_tcp_connect_ssh_port(ssh_t) - corenet_sendrecv_ssh_client_packets(ssh_t) -+corenet_tcp_bind_generic_node(ssh_t) -+corenet_tcp_bind_all_unreserved_ports(ssh_t) +- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t) ++ init_labeled_script_domtrans($1, prelude_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 prelude_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ admin_pattern($1, prelude_spool_t) ++ admin_pattern($1, prelude_var_lib_t) ++ admin_pattern($1, prelude_var_run_t) ++ admin_pattern($1, prelude_audisp_var_run_t) ++ admin_pattern($1, prelude_lml_tmp_t) ++ admin_pattern($1, prelude_lml_var_run_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude 
-N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.12/policy/modules/services/prelude.te +--- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/prelude.te 2009-04-07 16:01:44.000000000 -0400 +@@ -13,25 +13,57 @@ + type prelude_spool_t; + files_type(prelude_spool_t) - dev_read_urand(ssh_t) ++type prelude_log_t; ++logging_log_file(prelude_log_t) ++ + type prelude_var_run_t; + files_pid_file(prelude_var_run_t) -@@ -160,19 +166,19 @@ - logging_send_syslog_msg(ssh_t) - logging_read_generic_logs(ssh_t) + type prelude_var_lib_t; + files_type(prelude_var_lib_t) -+auth_use_nsswitch(ssh_t) ++type prelude_initrc_exec_t; ++init_script_file(prelude_initrc_exec_t) + - miscfiles_read_localization(ssh_t) - - seutil_read_config(ssh_t) - --sysnet_read_config(ssh_t) --sysnet_dns_name_resolve(ssh_t) -- - userdom_dontaudit_list_user_home_dirs(ssh_t) - userdom_search_user_home_dirs(ssh_t) - # Write to the user domain tty. 
- userdom_use_user_terminals(ssh_t) - # needs to read krb tgt - userdom_read_user_tmp_files(ssh_t) -+userdom_read_user_home_content_symlinks(ssh_t) - - tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -202,23 +208,13 @@ - # for port forwarding - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port(ssh_t) --') -- --optional_policy(` -- kerberos_use(ssh_t) --') -- --optional_policy(` -- nis_use_ypbind(ssh_t) --') -- --optional_policy(` -- nscd_socket_use(ssh_t) -+ corenet_tcp_bind_generic_node(ssh_t) - ') - - optional_policy(` - xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) - xserver_domtrans_xauth(ssh_t) -+ xserver_stream_connect(ssh_t) - ') - - ######################################## -@@ -310,6 +306,8 @@ - kernel_search_key(sshd_t) - kernel_link_key(sshd_t) + type prelude_audisp_t; + type prelude_audisp_exec_t; + init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) ++typealias prelude_audisp_t alias audisp_prelude_t; ++typealias prelude_audisp_exec_t alias audisp_prelude_exec_t; -+fs_list_inotifyfs(sshd_t) + type prelude_audisp_var_run_t; + files_pid_file(prelude_audisp_var_run_t) ++typealias prelude_audisp_var_run_t alias audisp_prelude_var_run_t; + - term_use_all_user_ptys(sshd_t) - term_setattr_all_user_ptys(sshd_t) - term_relabelto_all_user_ptys(sshd_t) -@@ -318,16 +316,30 @@ - corenet_tcp_bind_xserver_port(sshd_t) - corenet_sendrecv_xserver_server_packets(sshd_t) - -+userdom_read_user_home_content_files(sshd_t) -+userdom_read_user_home_content_symlinks(sshd_t) -+userdom_search_admin_dir(sshd_t) ++type prelude_lml_t; ++type prelude_lml_exec_t; ++init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) + -+manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t) -+fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file) ++type prelude_lml_var_run_t; ++files_pid_file(prelude_lml_var_run_t) + - tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary 
for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr -- userdom_spec_domtrans_all_users(sshd_t) - userdom_signal_all_users(sshd_t) --',` -+') ++type prelude_lml_tmp_t; ++files_tmp_file(prelude_lml_tmp_t) + - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) ++######################################## ++# ++# prelude_correlator declarations ++# + -+optional_policy(` -+ kerberos_keytab_template(sshd, sshd_t) -+') ++type prelude_correlator_t; ++type prelude_correlator_exec_t; ++init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) ++role system_r types prelude_correlator_t; + -+optional_policy(` -+ xserver_getattr_xauth(sshd_t) - ') ++type prelude_correlator_config_t; ++files_config_file(prelude_correlator_config_t) - optional_policy(` -@@ -349,7 +361,11 @@ - ') + ######################################## + # + # prelude local policy + # - optional_policy(` -- unconfined_domain(sshd_t) -+ usermanage_domtrans_passwd(sshd_t) -+ usermanage_read_crack_db(sshd_t) -+') +-allow prelude_t self:capability sys_tty_config; ++allow prelude_t self:capability { dac_override sys_tty_config }; + allow prelude_t self:fifo_file rw_file_perms; + allow prelude_t self:unix_stream_socket create_stream_socket_perms; + allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +@@ -49,6 +81,9 @@ + manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) + files_pid_filetrans(prelude_t, prelude_var_run_t, file) + ++manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) ++logging_log_filetrans(prelude_t, prelude_log_t, file) + -+optional_policy(` - unconfined_shell_domtrans(sshd_t) - ') + corecmd_search_bin(prelude_t) -@@ -408,6 +424,8 @@ - init_use_fds(ssh_keygen_t) - init_use_script_ptys(ssh_keygen_t) + corenet_all_recvfrom_unlabeled(prelude_t) +@@ -56,15 +91,25 @@ + corenet_tcp_sendrecv_generic_if(prelude_t) + 
corenet_tcp_sendrecv_generic_node(prelude_t) + corenet_tcp_bind_generic_node(prelude_t) ++corenet_tcp_bind_prelude_port(prelude_t) ++corenet_tcp_connect_prelude_port(prelude_t) ++corenet_tcp_connect_postgresql_port(prelude_t) -+auth_use_nsswitch(ssh_keygen_t) -+ - logging_send_syslog_msg(ssh_keygen_t) + dev_read_rand(prelude_t) + dev_read_urand(prelude_t) - userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc ---- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sssd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,6 @@ ++kernel_read_system_state(prelude_t) ++kernel_read_sysctl(prelude_t) + -+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + # Init script handling + domain_use_interactive_fds(prelude_t) + + files_read_etc_files(prelude_t) ++files_read_etc_runtime_files(prelude_t) + files_read_usr_files(prelude_t) ++files_search_tmp(prelude_t) + -+/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -+/var/lib/sss(/.*)? 
gen_context(system_u:object_r:sssd_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.12/policy/modules/services/sssd.if ---- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sssd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,249 @@ ++fs_rw_anon_inodefs_files(prelude_t) + + auth_use_nsswitch(prelude_t) + +@@ -86,7 +131,7 @@ + # + # prelude_audisp local policy + # +- ++allow prelude_audisp_t self:capability dac_override; + allow prelude_audisp_t self:fifo_file rw_file_perms; + allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; + allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; +@@ -107,6 +152,7 @@ + corenet_tcp_sendrecv_generic_if(prelude_audisp_t) + corenet_tcp_sendrecv_generic_node(prelude_audisp_t) + corenet_tcp_bind_generic_node(prelude_audisp_t) ++corenet_tcp_connect_prelude_port(prelude_audisp_t) + + dev_read_rand(prelude_audisp_t) + dev_read_urand(prelude_audisp_t) +@@ -114,12 +160,135 @@ + # Init script handling + domain_use_interactive_fds(prelude_audisp_t) + ++kernel_read_sysctl(prelude_audisp_t) ++kernel_read_system_state(prelude_audisp_t) + -+## policy for sssd + files_read_etc_files(prelude_audisp_t) ++files_read_etc_runtime_files(prelude_audisp_t) ++files_search_tmp(prelude_audisp_t) + + logging_send_syslog_msg(prelude_audisp_t) ++logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) + + miscfiles_read_localization(prelude_audisp_t) + ++sysnet_dns_name_resolve(prelude_audisp_t) + +######################################## -+## -+## Execute a domain transition to run sssd. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## +# -+interface(`sssd_domtrans',` -+ gen_require(` -+ type sssd_t; -+ type sssd_exec_t; -+ ') ++# prelude_correlator local policy ++# + -+ domtrans_pattern($1,sssd_exec_t,sssd_t) -+') ++allow prelude_correlator_t self:capability dac_override; ++allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; ++allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; ++allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; + ++allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; ++read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) + -+######################################## -+## -+## Execute sssd server in the sssd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`sssd_initrc_domtrans',` -+ gen_require(` -+ type sssd_initrc_exec_t; -+ ') ++prelude_manage_spool(prelude_correlator_t) + -+ init_labeled_script_domtrans($1,sssd_initrc_exec_t) -+') ++corecmd_search_bin(prelude_correlator_t) + -+######################################## -+## -+## Read sssd PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`sssd_read_pid_files',` -+ gen_require(` -+ type sssd_var_run_t; -+ ') ++corenet_all_recvfrom_unlabeled(prelude_correlator_t) ++corenet_all_recvfrom_netlabel(prelude_correlator_t) ++corenet_tcp_sendrecv_generic_if(prelude_correlator_t) ++corenet_tcp_sendrecv_generic_node(prelude_correlator_t) ++corenet_tcp_connect_prelude_port(prelude_correlator_t) + -+ files_search_pids($1) -+ allow $1 sssd_var_run_t:file read_file_perms; -+') ++kernel_read_sysctl(prelude_correlator_t) ++ ++dev_read_rand(prelude_correlator_t) ++dev_read_urand(prelude_correlator_t) ++ ++files_read_etc_files(prelude_correlator_t) ++files_read_usr_files(prelude_correlator_t) ++files_search_spool(prelude_correlator_t) ++ ++logging_send_syslog_msg(prelude_correlator_t) ++ ++miscfiles_read_localization(prelude_correlator_t) ++ ++sysnet_dns_name_resolve(prelude_correlator_t) + +######################################## -+## -+## Manage sssd var_run files. -+## -+## -+## -+## Domain allowed access. -+## -+## +# -+interface(`sssd_manage_var_run',` -+ gen_require(` -+ type sssd_var_run_t; -+ ') ++# prelude_lml local declarations ++# + -+ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t) -+ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t) -+ manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t) ++allow prelude_lml_t self:capability dac_override; ++ ++# Init script handling ++domain_use_interactive_fds(prelude_lml_t) ++ ++allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; ++allow prelude_lml_t self:unix_dgram_socket { write create connect }; ++allow prelude_lml_t self:fifo_file rw_fifo_file_perms; ++allow prelude_lml_t self:unix_stream_socket connectto; ++ ++files_list_tmp(prelude_lml_t) ++manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) ++manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) ++files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) ++ 
++files_search_spool(prelude_lml_t) ++manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) ++manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) ++ ++files_search_var_lib(prelude_lml_t) ++manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) ++manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) ++ ++manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) ++files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) ++ ++corecmd_exec_bin(prelude_lml_t) ++ ++corenet_tcp_sendrecv_generic_if(prelude_lml_t) ++corenet_tcp_sendrecv_generic_node(prelude_lml_t) ++corenet_tcp_recvfrom_netlabel(prelude_lml_t) ++corenet_tcp_recvfrom_unlabeled(prelude_lml_t) ++corenet_sendrecv_unlabeled_packets(prelude_lml_t) ++corenet_tcp_connect_prelude_port(prelude_lml_t) ++ ++dev_read_rand(prelude_lml_t) ++dev_read_urand(prelude_lml_t) ++ ++kernel_read_system_state(prelude_lml_t) ++kernel_read_sysctl(prelude_lml_t) ++ ++files_list_etc(prelude_lml_t) ++files_read_etc_files(prelude_lml_t) ++files_read_etc_runtime_files(prelude_lml_t) ++ ++files_search_spool(prelude_lml_t) ++files_search_usr(prelude_lml_t) ++files_search_var_lib(prelude_lml_t) ++ ++fs_list_inotifyfs(prelude_lml_t) ++fs_read_anon_inodefs_files(prelude_lml_t) ++fs_rw_anon_inodefs_files(prelude_lml_t) ++ ++auth_use_nsswitch(prelude_lml_t) ++ ++libs_exec_lib_files(prelude_lml_t) ++libs_read_lib_files(prelude_lml_t) ++ ++logging_send_syslog_msg(prelude_lml_t) ++logging_read_generic_logs(prelude_lml_t) ++ ++miscfiles_read_localization(prelude_lml_t) ++ ++sysnet_dns_name_resolve(prelude_lml_t) ++ ++userdom_read_all_users_state(prelude_lml_t) ++ ++optional_policy(` ++ apache_search_sys_content(prelude_lml_t) ++ apache_read_log(prelude_lml_t) ++') ++ + ######################################## + # + # prewikka_cgi Declarations +@@ -128,6 +297,20 @@ + optional_policy(` + apache_content_template(prewikka) + 
files_read_etc_files(httpd_prewikka_script_t) ++ files_search_tmp(httpd_prewikka_script_t) ++ ++ kernel_read_sysctl(httpd_prewikka_script_t) ++ kernel_search_network_sysctl(httpd_prewikka_script_t) ++ ++ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) ++ ++ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) ++ ++ auth_use_nsswitch(httpd_prewikka_script_t) ++ ++ logging_send_syslog_msg(httpd_prewikka_script_t) ++ ++ apache_search_sys_content(httpd_prewikka_script_t) + + optional_policy(` + mysql_search_db(httpd_prewikka_script_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te +--- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-07 16:01:44.000000000 -0400 +@@ -77,6 +77,7 @@ + files_read_usr_files(procmail_t) + + logging_send_syslog_msg(procmail_t) ++logging_append_all_logs(procmail_t) + + miscfiles_read_localization(procmail_t) + +@@ -92,6 +93,7 @@ + userdom_dontaudit_search_user_home_dirs(procmail_t) + + mta_manage_spool(procmail_t) ++mta_read_queue(procmail_t) + + ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) +@@ -128,6 +130,10 @@ + ') + + optional_policy(` ++ nagios_search_spool(procmail_t) +') + ++optional_policy(` + pyzor_domtrans(procmail_t) + pyzor_signal(procmail_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.12/policy/modules/services/psad.fc +--- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/psad.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,17 @@ ++ ++ ++/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) ++ ++/etc/psad(/.*)? 
gen_context(system_u:object_r:psad_etc_t,s0) ++ ++/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) ++ ++#/usr/sbin/psadwatchd -- gen_context(system_u:object_r:psadwatchd_exec_t,s0) ++ ++#/usr/sbin/kmsgsd -- gen_context(system_u:object_r:kmsgsd_exec_t,s0) ++ ++/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) ++ ++/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) ++ ++/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.12/policy/modules/services/psad.if +--- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/psad.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,304 @@ ++## Psad SELinux policy + +######################################## +## -+## Search sssd lib directories. ++## Execute a domain transition to run psad. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`sssd_search_lib',` ++interface(`psad_domtrans',` + gen_require(` -+ type sssd_var_lib_t; ++ type psad_t, psad_exec_t; + ') + -+ allow $1 sssd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ domtrans_pattern($1, psad_exec_t, psad_t) +') + +######################################## +## -+## Read sssd lib files. ++## Read and write psad UDP sockets. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`sssd_read_lib_files',` -+ gen_require(` -+ type sssd_var_lib_t; -+ ') ++interface(`psad_rw_udp_sockets',` ++ gen_require(` ++ type psad_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ allow $1 psad_t:udp_socket { read write }; +') + +######################################## +## -+## Create, read, write, and delete -+## sssd lib files. 
++## Read and write psad packet sockets. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`sssd_manage_lib_files',` -+ gen_require(` -+ type sssd_var_lib_t; -+ ') ++interface(`psad_rw_packet_sockets',` ++ gen_require(` ++ type psad_t; ++ ') + -+ files_search_var_lib($1) -+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ allow $1 psad_t:packet_socket { read write }; +') + +######################################## +## -+## Manage sssd var_lib files. ++## Send a generic signal to psad +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`sssd_manage_var_lib',` -+ gen_require(` -+ type sssd_var_lib_t; ++interface(`psad_signal',` ++ gen_require(` ++ type psad_t; ++ ') ++ ++ allow $1 psad_t:process signal; ++') ++ ++####################################### ++## ++## Send a null signal to psad. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_signull',` ++ gen_require(` ++ type psad_t; + ') + -+ manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t) -+ manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) -+ manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++ allow $1 psad_t:process signull; +') + ++######################################## ++## ++## Read psad etc configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_read_etc',` ++ gen_require(` ++ type psad_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, psad_etc_t, psad_etc_t) ++') + +######################################## +## -+## Send and receive messages from -+## sssd over dbus. ++## Manage psad etc configuration files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## ++## +# -+interface(`sssd_dbus_chat',` -+ gen_require(` -+ type sssd_t; -+ class dbus send_msg; -+ ') ++interface(`psad_manage_etc',` ++ gen_require(` ++ type psad_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_dirs_pattern($1, psad_etc_t, psad_etc_t) ++ manage_files_pattern($1, psad_etc_t, psad_etc_t) + -+ allow $1 sssd_t:dbus send_msg; -+ allow sssd_t $1:dbus send_msg; +') + ++######################################## ++## ++## Read psad PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_read_pid_files',` ++ gen_require(` ++ type psad_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, psad_var_run_t, psad_var_run_t) ++') + +######################################## +## -+## Connect to sssd over an unix stream socket. ++## Read psad PID files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## ++## +# -+interface(`sssd_stream_connect',` -+ gen_require(` -+ type sssd_t, sssd_var_lib_t; -+ ') ++interface(`psad_rw_pid_files',` ++ gen_require(` ++ type psad_var_run_t; ++ ') + -+ files_search_pids($1) -+ write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -+ allow $1 sssd_t:unix_stream_socket connectto; ++ files_search_pids($1) ++ rw_files_pattern($1, psad_var_run_t, psad_var_run_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`psad_read_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) ++ read_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append to psad's log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++# ++interface(`psad_append_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) ++ append_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++######################################## ++## ++## Read and write psad fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_rw_fifo_file',` ++ gen_require(` ++ type psad_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ++## Read and write psad tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_rw_tmp_files',` ++ gen_require(` ++ type psad_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ rw_files_pattern($1, psad_tmp_t, psad_tmp_t) +') + +######################################## +## +## All of the rules required to administrate -+## an sssd environment ++## an psad environment +## +## +## 
@@ -20836,1081 +18944,810 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the sssd domain. -+## -+## -+## -+## -+## The type of the user terminal. ++## The role to be allowed to manage the syslog domain. +## +## +## +# -+interface(`sssd_admin',` ++interface(`psad_admin',` + gen_require(` -+ type sssd_t; ++ type psad_t, psad_var_run_t, psad_var_log_t; ++ type psad_initrc_exec_t, psad_var_lib_t; ++ type psad_tmp_t; + ') + -+ allow $1 sssd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, sssd_t, sssd_t) -+ -+ -+ gen_require(` -+ type sssd_initrc_exec_t; -+ ') ++ allow $1 psad_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, psad_t) + -+ # Allow sssd_t to restart the apache service -+ sssd_initrc_domtrans($1) ++ init_labeled_script_domtrans($1, psad_initrc_exec_t) + domain_system_change_exemption($1) -+ role_transition $2 sssd_initrc_exec_t system_r; ++ role_transition $2 psad_initrc_exec_t system_r; + allow $2 system_r; + -+ sssd_manage_var_run($1) ++ files_search_etc($1) ++ admin_pattern($1, psad_etc_t) + -+ sssd_manage_var_lib($1) ++ files_search_pids($1) ++ admin_pattern($1, psad_var_run_t) + -+') ++ logging_search_logs($1) ++ admin_pattern($1, psad_var_log_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te ---- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,68 @@ -+policy_module(sssd,1.0.0) ++ files_search_var_lib($1) ++ admin_pattern($1, psad_var_lib_t) ++ ++ files_search_tmp($1) ++ admin_pattern($1, psad_tmp_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.12/policy/modules/services/psad.te +--- 
nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/psad.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,107 @@ ++policy_module(psad,1.0.0) + +######################################## +# +# Declarations +# ++type psad_t; ++type psad_exec_t; ++init_daemon_domain(psad_t, psad_exec_t) + -+type sssd_t; -+type sssd_exec_t; -+init_daemon_domain(sssd_t, sssd_exec_t) ++type psad_initrc_exec_t; ++init_script_file(psad_initrc_exec_t) + -+permissive sssd_t; ++# config files ++type psad_etc_t; ++files_config_file(psad_etc_t) + -+type sssd_initrc_exec_t; -+init_script_file(sssd_initrc_exec_t) ++# var/lib files ++type psad_var_lib_t; ++files_type(psad_var_lib_t) + -+type sssd_var_run_t; -+files_pid_file(sssd_var_run_t) ++# log files ++type psad_var_log_t; ++logging_log_file(psad_var_log_t) + -+type sssd_var_lib_t; -+files_type(sssd_var_lib_t) ++# pid files ++type psad_var_run_t; ++files_pid_file(psad_var_run_t) ++ ++# tmp files ++type psad_tmp_t; ++files_tmp_file(psad_tmp_t) + +######################################## +# -+# sssd local policy ++# psad local policy +# -+allow sssd_t self:capability sys_nice; -+allow sssd_t self:process { setsched signal getsched }; -+allow sssd_t tmp_t:dir { read getattr open }; + -+# Init script handling -+domain_use_interactive_fds(sssd_t) ++allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; ++dontaudit psad_t self:capability { sys_tty_config }; ++allow psad_t self:process signull; + -+# internal communication is often done using fifo and unix sockets. 
-+allow sssd_t self:process signal; -+allow sssd_t self:fifo_file rw_file_perms; -+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow psad_t self:fifo_file rw_fifo_file_perms; ++allow psad_t self:rawip_socket create_socket_perms; + -+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -+files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir }) ++# config files ++read_files_pattern(psad_t,psad_etc_t,psad_etc_t) ++list_dirs_pattern(psad_t,psad_etc_t,psad_etc_t) + -+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) ++# pid file ++manage_files_pattern(psad_t, psad_var_run_t,psad_var_run_t) ++manage_sock_files_pattern(psad_t, psad_var_run_t,psad_var_run_t) ++files_pid_filetrans(psad_t,psad_var_run_t, { file sock_file }) + -+corecmd_exec_bin(sssd_t) ++# log files ++manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) ++manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) ++logging_log_filetrans(psad_t,psad_var_log_t, { file dir }) + -+dev_read_urand(sssd_t) ++# tmp files ++manage_dirs_pattern(psad_t,psad_tmp_t,psad_tmp_t) ++manage_files_pattern(psad_t,psad_tmp_t,psad_tmp_t) ++files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) + -+kernel_read_system_state(sssd_t) ++# /var/lib files ++search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) ++manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) + -+files_list_tmp(sssd_t) -+files_read_etc_files(sssd_t) -+files_read_usr_files(sssd_t) ++kernel_read_system_state(psad_t) ++kernel_read_network_state(psad_t) ++#kernel_read_kernel_sysctls(psad_t) ++kernel_read_net_sysctls(psad_t) + -+auth_use_nsswitch(sssd_t) ++corecmd_exec_shell(psad_t) ++corecmd_exec_bin(psad_t) + 
-+logging_send_syslog_msg(sssd_t) -+logging_send_audit_msgs(sssd_t) ++auth_use_nsswitch(psad_t) + -+miscfiles_read_localization(sssd_t) ++corenet_tcp_connect_whois_port(psad_t) ++ ++dev_read_urand(psad_t) ++ ++files_read_etc_runtime_files(psad_t) ++ ++fs_getattr_all_fs(psad_t) ++ ++libs_use_ld_so(psad_t) ++libs_use_shared_libs(psad_t) ++ ++miscfiles_read_localization(psad_t) ++ ++logging_read_generic_logs(psad_t) ++logging_read_syslog_config(psad_t) ++logging_send_syslog_msg(psad_t) ++ ++#sysnet_domtrans_ifconfig(psad_t) ++sysnet_exec_ifconfig(psad_t) ++iptables_domtrans(psad_t) + +optional_policy(` -+ dbus_system_bus_client(sssd_t) -+ dbus_connect_system_bus(sssd_t) ++ mta_send_mail(psad_t) ++ mta_read_queue(psad_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.12/policy/modules/services/tftp.if ---- nsaserefpolicy/policy/modules/services/tftp.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/tftp.if 2009-04-07 16:01:44.000000000 -0400 -@@ -2,6 +2,24 @@ ++ ++permissive psad_t; ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,6 +1,8 @@ + /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) ++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - ######################################## - ## -+## Read tftp content + HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) ++HOME_DIR/\.spamd(/.*)? 
gen_context(system_u:object_r:pyzor_home_t,s0) + + /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) + /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.12/policy/modules/services/pyzor.if +--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pyzor.if 2009-04-07 16:01:44.000000000 -0400 +@@ -88,3 +88,50 @@ + corecmd_search_bin($1) + can_exec($1, pyzor_exec_t) + ') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pyzor environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the pyzor domain. ++## ++## ++## +# -+interface(`tftp_read_content',` ++interface(`pyzor_admin',` + gen_require(` -+ type tftpdir_t; ++ type pyzord_t, pyzor_tmp_t, pyzord_log_t; ++ type pyzor_etc_t, pyzor_var_lib_t; ++ type pyzord_initrc_exec_t; + ') + -+ read_files_pattern($1, tftpdir_t, tftpdir_t) -+') ++ allow $1 pyzord_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pyzord_t) ++ ++ init_labeled_script_domtrans($1, pyzord_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 pyzord_initrc_exec_t system_r; ++ allow $2 system_r; + -+######################################## -+## - ## All of the rules required to administrate - ## an tftp environment - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.12/policy/modules/services/tor.te ---- nsaserefpolicy/policy/modules/services/tor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/tor.te 2009-04-07 16:01:44.000000000 -0400 -@@ -34,7 +34,7 @@ - # tor local policy - # - --allow tor_t self:capability { setgid setuid }; -+allow tor_t self:capability { setgid 
setuid sys_tty_config }; - allow tor_t self:fifo_file rw_fifo_file_perms; - allow tor_t self:unix_stream_socket create_stream_socket_perms; - allow tor_t self:netlink_route_socket r_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.12/policy/modules/services/ulogd.fc ---- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ulogd.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,10 @@ ++ files_list_tmp($1) ++ admin_pattern($1, pyzor_tmp_t) + -+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) ++ logging_list_logs($1) ++ admin_pattern($1, pyzord_log_t) + -+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) ++ files_list_etc($1) ++ admin_pattern($1, pyzor_etc_t) + -+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) ++ files_list_var_lib($1) ++ admin_pattern($1, pyzor_var_lib_t) ++') + -+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) + -+/var/log/ulogd(/.*)? 
gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.12/policy/modules/services/ulogd.if ---- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,127 @@ -+## policy for ulogd +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te +--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/pyzor.te 2009-04-07 16:01:44.000000000 -0400 +@@ -6,6 +6,38 @@ + # Declarations + # + ++ ++ifdef(`distro_redhat',` + -+######################################## -+## -+## Execute a domain transition to run ulogd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ulogd_domtrans',` + gen_require(` -+ type ulogd_t, ulogd_exec_t; ++ type spamc_t; ++ type spamc_exec_t; ++ type spamd_t; ++ type spamd_initrc_exec_t; ++ type spamd_exec_t; ++ type spamc_tmp_t; ++ type spamd_log_t; ++ type spamd_var_lib_t; ++ type spamd_etc_t; ++ type spamc_tmp_t; ++ type spamc_home_t; + ') + -+ domtrans_pattern($1,ulogd_exec_t,ulogd_t) -+') ++ typealias spamc_t alias pyzor_t; ++ typealias spamc_exec_t alias pyzor_exec_t; ++ typealias spamd_t alias pyzord_t; ++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; ++ typealias spamd_exec_t alias pyzord_exec_t; ++ typealias spamc_tmp_t alias pyzor_tmp_t; ++ typealias spamd_log_t alias pyzor_log_t; ++ typealias spamd_log_t alias pyzord_log_t; ++ typealias spamd_var_lib_t alias pyzor_var_lib_t; ++ typealias spamd_etc_t alias pyzor_etc_t; ++ typealias spamc_home_t alias pyzor_home_t; ++ typealias spamc_home_t alias user_pyzor_home_t; + -+######################################## -+## -+## Allow 
the specified domain to read -+## ulogd configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_read_config',` -+ gen_require(` -+ type ulogd_etc_t; -+ ') ++',` + -+ files_search_etc($1) -+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) + type pyzor_t; + type pyzor_exec_t; + typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; +@@ -40,6 +72,7 @@ + + type pyzord_log_t; + logging_log_file(pyzord_log_t) +') + + ######################################## + # +@@ -83,6 +116,8 @@ + + miscfiles_read_localization(pyzor_t) + ++mta_read_queue(pyzor_t) + -+######################################## -+## -+## Allow the specified domain to read ulogd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_read_log',` -+ gen_require(` -+ type ulogd_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 ulogd_var_log_t:dir list_dir_perms; -+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) -+') + userdom_dontaudit_search_user_home_dirs(pyzor_t) + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.12/policy/modules/services/razor.if +--- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/razor.if 2009-04-07 16:01:44.000000000 -0400 +@@ -157,3 +157,45 @@ + + domtrans_pattern($1, razor_exec_t, razor_t) + ') + +######################################## +## -+## Allow the specified domain to append to ulogd's log files. ++## Create, read, write, and delete razor files ++## in a user home subdirectory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## -+## -+## +# -+interface(`ulogd_append_log',` -+ gen_require(` -+ type ulogd_var_log_t; -+ ') ++template(`razor_manage_user_home_files',` ++ gen_require(` ++ type razor_home_t; ++ ') + -+ logging_search_logs($1) -+ allow $1 ulogd_var_log_t:dir list_dir_perms; -+ allow $1 ulogd_var_log_t:file append_file_perms; ++ files_search_home($1) ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, razor_home_t, razor_home_t) ++ read_lnk_files_pattern($1, razor_home_t, razor_home_t) +') + +######################################## +## -+## All of the rules required to administrate -+## an ulogd environment ++## read razor lib files. +## +## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## ++## ++## Domain allowed access. ++## +## -+## +# -+interface(`ulogd_admin',` -+ gen_require(` -+ type ulogd_t, ulogd_etc_t; -+ type ulogd_var_log_t, ulogd_initrc_exec_t; -+ type ulogd_modules_t; -+ ') -+ -+ allow $1 ulogd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ulogd_t) -+ -+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 ulogd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_etc($1) -+ admin_pattern($1, ulogd_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, ulogd_var_log_t) ++interface(`razor_read_lib_files',` ++ gen_require(` ++ type razor_var_lib_t; ++ ') + -+ files_search_usr($1) -+ admin_pattern($1, ulogd_modules_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.12/policy/modules/services/ulogd.te ---- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ulogd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,51 @@ -+policy_module(ulogd,1.0.0) -+ 
-+######################################## -+# -+# Declarations -+# -+ -+type ulogd_t; -+type ulogd_exec_t; -+init_daemon_domain(ulogd_t, ulogd_exec_t) -+ -+type ulogd_initrc_exec_t; -+init_script_file(ulogd_initrc_exec_t) -+ -+# /usr/lib files -+type ulogd_modules_t; -+files_type(ulogd_modules_t) -+ -+# config files -+type ulogd_etc_t; -+files_type(ulogd_etc_t) -+ -+# log files -+type ulogd_var_log_t; -+logging_log_file(ulogd_var_log_t) -+ -+######################################## -+ -+# -+# ulogd local policy -+# + -+allow ulogd_t self:capability net_admin; -+allow ulogd_t self:netlink_nflog_socket create_socket_perms; -+ -+# config files -+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -+ -+# modules for ulogd -+list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t) -+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.12/policy/modules/services/razor.te +--- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/razor.te 2009-04-07 16:01:44.000000000 -0400 +@@ -6,6 +6,32 @@ + # Declarations + # + ++ifdef(`distro_redhat',` + -+# log files -+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) -+logging_log_filetrans(ulogd_t,ulogd_var_log_t, file ) ++ gen_require(` ++ type spamc_t; ++ type spamc_exec_t; ++ type spamd_log_t; ++ type spamd_spool_t; ++ type spamd_var_lib_t; ++ type spamd_etc_t; ++ type spamc_home_t; ++ type spamc_tmp_t; ++ ') + -+files_search_etc(ulogd_t) ++ typealias spamc_t alias razor_t; ++ typealias spamc_exec_t alias razor_exec_t; ++ typealias spamd_log_t alias razor_log_t; ++ typealias spamd_var_lib_t alias razor_var_lib_t; ++ typealias spamd_etc_t alias razor_etc_t; ++ typealias spamc_home_t alias razor_home_t; ++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; ++ 
typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; ++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; + -+miscfiles_read_localization(ulogd_t) ++',` + -+permissive ulogd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te ---- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/uucp.te 2009-04-07 16:01:44.000000000 -0400 -@@ -129,6 +129,7 @@ + type razor_exec_t; + corecmd_executable_file(razor_exec_t) + +@@ -122,3 +148,5 @@ optional_policy(` - mta_send_mail(uux_t) - mta_read_queue(uux_t) -+ sendmail_rw_unix_stream_sockets(uux_t) + nscd_socket_use(razor_t) ') ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te +--- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ricci.te 2009-04-07 16:01:44.000000000 -0400 +@@ -133,6 +133,8 @@ - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc ---- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -8,5 +8,16 @@ + dev_read_urand(ricci_t) - /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) - /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+/var/lib/libvirt/boot(/.*)? 
gen_context(system_u:object_r:virt_content_t,s0) -+ - /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) - /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -+ -+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -+ -+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) ++domain_read_all_domains_state(ricci_t) + -+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.12/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-07 16:01:44.000000000 -0400 -@@ -2,28 +2,6 @@ + files_read_etc_files(ricci_t) + files_read_etc_runtime_files(ricci_t) + files_create_boot_flag(ricci_t) +@@ -140,7 +142,7 @@ + auth_domtrans_chk_passwd(ricci_t) + auth_append_login_records(ricci_t) - ######################################## - ## --## Make the specified type usable as a virt image --## --## --## --## Type to be used as a virtual image --## --## --# --interface(`virt_image',` -- gen_require(` -- attribute virt_image_type; -- ') -- -- typeattribute $1 virt_image_type; -- files_type($1) -- -- # virt images can be assigned to blk devices -- dev_node($1) --') -- --######################################## --## - ## Execute a domain transition to run virt. 
- ## - ## -@@ -117,12 +95,12 @@ - ') +-init_dontaudit_stream_connect_script(ricci_t) ++init_stream_connect_script(ricci_t) - files_search_pids($1) -- allow $1 virt_var_run_t:file read_file_perms; -+ read_files_pattern($1, virt_var_run_t, virt_var_run_t) - ') + locallogin_dontaudit_use_fds(ricci_t) - ######################################## - ## --## Manage virt pid files. -+## Manage virt PID files. - ## - ## - ## -@@ -135,6 +113,7 @@ - type virt_var_run_t; - ') +@@ -202,7 +204,7 @@ + corecmd_exec_shell(ricci_modcluster_t) + corecmd_exec_bin(ricci_modcluster_t) -+ files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) - ') +-domain_dontaudit_read_all_domains_state(ricci_modcluster_t) ++domain_read_all_domains_state(ricci_modcluster_t) -@@ -293,6 +272,41 @@ + files_search_locks(ricci_modcluster_t) + files_read_etc_runtime_files(ricci_modcluster_t) +@@ -214,6 +216,8 @@ - ######################################## - ## -+## Allow domain to manage virt image files -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`virt_read_content',` -+ gen_require(` -+ type virt_content_t; -+ ') -+ -+ virt_search_lib($1) -+ allow $1 virt_content_t:dir list_dir_perms; -+ list_dirs_pattern($1, virt_content_t, virt_content_t) -+ read_files_pattern($1, virt_content_t, virt_content_t) -+ read_lnk_files_pattern($1, virt_content_t, virt_content_t) -+ rw_blk_files_pattern($1, virt_content_t, virt_content_t) -+ -+ tunable_policy(`virt_use_nfs',` -+ fs_list_nfs($1) -+ fs_read_nfs_files($1) -+ fs_read_nfs_symlinks($1) -+ ') -+ -+ tunable_policy(`virt_use_samba',` -+ fs_list_cifs($1) -+ fs_read_cifs_files($1) -+ fs_read_cifs_symlinks($1) -+ ') -+') + logging_send_syslog_msg(ricci_modcluster_t) + ++consoletype_exec(ricci_modcluster_t) + -+######################################## -+## - ## All of the rules required to administrate - ## an virt environment - ## -@@ -327,3 +341,53 @@ + miscfiles_read_localization(ricci_modcluster_t) - virt_manage_log($1) + modutils_domtrans_insmod(ricci_modcluster_t) +@@ -229,10 +233,6 @@ ') -+ -+######################################## -+## -+## Creates types and rules for a basic -+## qemu process domain. -+## -+## -+## -+## Prefix for the domain. 
-+## -+## -+# -+template(`virt_domain_template',` -+ -+ type $1_t; -+ virtual_domain($1_t) -+ -+ type $1_tmp_t; -+ files_tmp_file($1_tmp_t) -+ -+ type $1_tmpfs_t; -+ files_tmpfs_file($1_tmpfs_t) -+ -+ type $1_image_t; -+ virtual_image($1_image_t) -+ -+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) -+ manage_files_pattern($1_t, $1_image_t, $1_image_t) -+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) -+ -+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) -+ -+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) -+ fs_getattr_tmpfs($1_t) -+ -+ fs_read_noxattr_fs_files($1_t) -+ fs_dontaudit_write_noxattr_fs_files($1_t) -+ -+ optional_policy(` -+ xserver_common_app($1_t) -+ ') -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-07 16:01:44.000000000 -0400 -@@ -8,19 +8,24 @@ - ## - ##

--## Allow virt to manage nfs files -+## Allow svirt to manage nfs files - ##

- ##
- gen_tunable(virt_use_nfs, false) + optional_policy(` +- consoletype_exec(ricci_modcluster_t) +-') +- +-optional_policy(` + lvm_domtrans(ricci_modcluster_t) + ') - ## - ##

--## Allow virt to manage cifs files -+## Allow svirt to manage cifs files - ##

- ##
- gen_tunable(virt_use_samba, false) +@@ -287,14 +287,14 @@ + corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) + corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) --attribute virt_image_type; -+## -+##

-+## Allow svirt to user serial/parallell communication ports -+##

-+##
-+gen_tunable(virt_use_comm, false) +-domain_dontaudit_read_all_domains_state(ricci_modclusterd_t) ++domain_read_all_domains_state(ricci_modclusterd_t) - type virt_etc_t; - files_config_file(virt_etc_t) -@@ -29,8 +34,12 @@ - files_type(virt_etc_rw_t) + files_read_etc_files(ricci_modclusterd_t) + files_read_etc_runtime_files(ricci_modclusterd_t) - # virt Image files --type virt_image_t, virt_image_type; # customizable --virt_image(virt_image_t) -+type virt_image_t; # customizable -+virtual_image(virt_image_t) -+ -+# virt Image files -+type virt_content_t; -+virtual_image(virt_content_t) + fs_getattr_xattr_fs(ricci_modclusterd_t) - type virt_log_t; - logging_log_file(virt_log_t) -@@ -48,17 +57,39 @@ - type virtd_initrc_exec_t; - init_script_file(virtd_initrc_exec_t) +-init_dontaudit_stream_connect_script(ricci_modclusterd_t) ++init_stream_connect_script(ricci_modclusterd_t) -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh) -+') -+ -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh) -+') -+ -+virt_domain_template(svirt) -+role system_r types svirt_t; -+ -+type svirt_cache_t; -+files_type(svirt_cache_t) -+ -+type svirt_var_run_t; -+files_pid_file(svirt_var_run_t) -+ - ######################################## - # - # virtd local policy - # + locallogin_dontaudit_use_fds(ricci_modclusterd_t) --allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; --allow virtd_t self:process { getsched sigkill signal execmem }; -+allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; -+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched }; - allow virtd_t self:fifo_file rw_file_perms; - allow virtd_t self:unix_stream_socket create_stream_socket_perms; - allow virtd_t self:tcp_socket create_stream_socket_perms; +@@ -328,7 +328,7 @@ 
-+manage_files_pattern(virtd_t, virt_image_t, virt_image_t) -+manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t) -+allow virtd_t virt_image_t:file { relabelfrom relabelto }; -+allow virtd_t virt_image_t:blk_file { relabelfrom relabelto }; -+ - read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + corecmd_exec_bin(ricci_modlog_t) -@@ -67,7 +98,11 @@ - manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) - filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +-domain_dontaudit_read_all_domains_state(ricci_modlog_t) ++domain_read_all_domains_state(ricci_modlog_t) --manage_files_pattern(virtd_t, virt_image_type, virt_image_type) -+virtual_manage_image(virtd_t) -+virtual_image_relabel(virtd_t) -+ -+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) -+manage_files_pattern(virtd_t, virt_content_t, virt_content_t) - - manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) - manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +121,7 @@ - kernel_read_network_state(virtd_t) - kernel_rw_net_sysctls(virtd_t) - kernel_load_module(virtd_t) -+kernel_search_debugfs(virtd_t) - - corecmd_exec_bin(virtd_t) - corecmd_exec_shell(virtd_t) -@@ -96,7 +132,7 @@ - corenet_tcp_sendrecv_generic_node(virtd_t) - corenet_tcp_sendrecv_all_ports(virtd_t) - corenet_tcp_bind_generic_node(virtd_t) --#corenet_tcp_bind_virt_port(virtd_t) -+corenet_tcp_bind_virt_port(virtd_t) - corenet_tcp_bind_vnc_port(virtd_t) - corenet_tcp_connect_vnc_port(virtd_t) - corenet_tcp_connect_soundd_port(virtd_t) -@@ -104,21 +140,39 @@ + files_read_etc_files(ricci_modlog_t) + files_search_usr(ricci_modlog_t) +@@ -432,7 +432,7 @@ + dev_read_urand(ricci_modstorage_t) + dev_manage_generic_blk_files(ricci_modstorage_t) - dev_read_sysfs(virtd_t) - dev_read_rand(virtd_t) -+dev_rw_kvm(virtd_t) -+dev_getattr_all_chr_files(virtd_t) +-domain_dontaudit_read_all_domains_state(ricci_modstorage_t) 
++domain_read_all_domains_state(ricci_modstorage_t) - # Init script handling - domain_use_interactive_fds(virtd_t) -+domain_read_all_domains_state(virtd_t) -+domain_obj_id_change_exemption(virtd_t) -+domain_subj_id_change_exemption(virtd_t) + #Needed for editing /etc/fstab + files_manage_etc_files(ricci_modstorage_t) +@@ -440,6 +440,10 @@ + files_read_usr_files(ricci_modstorage_t) + files_read_kernel_modules(ricci_modstorage_t) - files_read_usr_files(virtd_t) - files_read_etc_files(virtd_t) -+files_read_usr_files(virtd_t) - files_read_etc_runtime_files(virtd_t) - files_search_all(virtd_t) --files_list_kernel_modules(virtd_t) -+files_read_kernel_modules(virtd_t) -+files_read_usr_src_files(virtd_t) -+ -+# Manages /etc/sysconfig/system-config-firewall -+files_manage_etc_files(virtd_t) ++files_create_default_dir(ricci_modstorage_t) ++files_mounton_default(ricci_modstorage_t) ++files_manage_default(ricci_modstorage_t) + -+modutils_read_module_deps(virtd_t) + storage_raw_read_fixed_disk(ricci_modstorage_t) - fs_list_auto_mountpoints(virtd_t) -+fs_getattr_xattr_fs(virtd_t) -+fs_rw_anon_inodefs_files(virtd_t) + term_dontaudit_use_console(ricci_modstorage_t) +@@ -452,6 +456,10 @@ -+storage_manage_fixed_disk(virtd_t) -+storage_relabel_fixed_disk(virtd_t) - storage_raw_write_removable_device(virtd_t) - storage_raw_read_removable_device(virtd_t) + modutils_read_module_deps(ricci_modstorage_t) -+seutil_read_default_contexts(virtd_t) ++consoletype_exec(ricci_modstorage_t) + - term_getattr_pty_fs(virtd_t) - term_use_ptmx(virtd_t) ++mount_domtrans(ricci_modstorage_t) ++ + optional_policy(` + ccs_stream_connect(ricci_modstorage_t) + ccs_read_config(ricci_modstorage_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te +--- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-07 
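Review bot: `files_manage_default(ricci_modstorage_t)` lets modstorage create, write, rename and delete anything labelled default_t, which is the fallback label for every file without a matching file context, not only the mount points that the neighbouring `files_create_default_dir` and `files_mounton_default` suggest it creates. If creating and mounting on unlabelled directories is the whole requirement, those two interfaces may suffice and the full manage could be dropped; if not, a comment such as `# modstorage creates and mounts on unlabelled (default_t) mount points` should record what the write access is for. Whether default_t content is really what ricci touches should be confirmed from the audit log rather than assumed.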
16:01:44.000000000 -0400 +@@ -23,7 +23,7 @@ + gen_tunable(allow_nfsd_anon_write, false) -@@ -129,6 +183,13 @@ + type exports_t; +-files_type(exports_t) ++files_config_file(exports_t) - logging_send_syslog_msg(virtd_t) + rpc_domain_template(gssd) -+sysnet_domtrans_ifconfig(virtd_t) -+ -+virtual_transition(virtd_t) +@@ -79,16 +79,25 @@ + fs_read_rpc_symlinks(rpcd_t) + fs_rw_rpc_sockets(rpcd_t) + ++kernel_signal(rpcd_t) + -+userdom_dontaudit_list_admin_dir(virtd_t) -+userdom_getattr_all_users(virtd_t) -+userdom_search_user_home_content(virtd_t) - userdom_read_all_users_state(virtd_t) + selinux_dontaudit_read_fs(rpcd_t) - tunable_policy(`virt_use_nfs',` -@@ -167,22 +228,34 @@ - dnsmasq_domtrans(virtd_t) - dnsmasq_signal(virtd_t) - dnsmasq_kill(virtd_t) -+ dnsmasq_read_pid_files(virtd_t) -+ dnsmasq_signull(virtd_t) - ') + miscfiles_read_certs(rpcd_t) + + seutil_dontaudit_search_config(rpcd_t) ++userdom_signal_unpriv_users(rpcd_t) ++ optional_policy(` - iptables_domtrans(virtd_t) + nis_read_ypserv_config(rpcd_t) ') --#optional_policy(` --# polkit_domtrans_auth(virtd_t) --# polkit_domtrans_resolve(virtd_t) --#') -+optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) -+') -+ +optional_policy(` -+ lvm_domtrans(virtd_t) -+') - - optional_policy(` -- qemu_domtrans(virtd_t) -+ polkit_domtrans_auth(virtd_t) -+ polkit_domtrans_resolve(virtd_t) -+ polkit_read_lib(virtd_t) ++ unconfined_execmem_signal(rpcd_t) ++ unconfined_signal(rpcd_t) +') + -+optional_policy(` -+ qemu_spec_domtrans(virtd_t, svirt_t) - qemu_read_state(virtd_t) - qemu_signal(virtd_t) - qemu_kill(virtd_t) -+ qemu_setsched(virtd_t) + ######################################## + # + # NFSD local policy +@@ -141,6 +150,7 @@ + fs_read_noxattr_fs_files(nfsd_t) + auth_manage_all_files_except_shadow(nfsd_t) ') ++userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) - optional_policy(` -@@ -198,5 +271,78 @@ - ') + tunable_policy(`nfs_export_all_ro',` + dev_getattr_all_blk_files(nfsd_t) +@@ -183,9 
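Review bot: `userdom_signal_unpriv_users(rpcd_t)`, `unconfined_signal(rpcd_t)` and `unconfined_execmem_signal(rpcd_t)` let processes in rpcd_t deliver signals (the `signal` permission covers every signal except the ones with their own permission: sigkill, sigstop, sigchld, signull) to every unprivileged user process and every unconfined process, and the hunk gives no reason for it. If the case is rpc.statd notifying a particular process after a lock-server restart, a comment such as `# rpc.statd signals lock holders on notify (confirm against the denial)` should state that, and a narrower target than all user domains should be considered. Also, `userdom_signal_unpriv_users(rpcd_t)` is placed directly under `seutil_dontaudit_search_config(rpcd_t)` without the blank line this file otherwise keeps between interface groups.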
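Review bot: `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` sits after the `')` that closes the block holding `auth_manage_all_files_except_shadow(nfsd_t)`, so the type transition is unconditional while the write access it pairs with looks tunable-gated (the block's opening line is outside the hunk). A filetrans rule without create permission is inert, so this is a consistency rather than an exposure issue, but moving the line inside that tunable keeps one boolean as the single switch for nfsd writing into home directories. If it is deliberately unconditional, a comment saying so would stop the next reader from moving it.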
+193,12 @@ + files_read_usr_symlinks(gssd_t) - optional_policy(` -- unconfined_domain(virtd_t) -+ udev_domtrans(virtd_t) -+') -+ -+#optional_policy(` -+# unconfined_domain(virtd_t) -+#') + auth_use_nsswitch(gssd_t) ++auth_manage_cache(gssd_t) + + miscfiles_read_certs(gssd_t) + ++mount_signal(gssd_t) + -+manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -+manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) + tunable_policy(`allow_gssd_read_tmp',` + userdom_list_user_tmp(gssd_t) + userdom_read_user_tmp_files(gssd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.12/policy/modules/services/rshd.te +--- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -51,7 +51,7 @@ + + files_list_home(rshd_t) + files_read_etc_files(rshd_t) +-files_search_tmp(rshd_t) ++files_manage_generic_tmp_dirs(rshd_t) + + auth_login_pgm_domain(rshd_t) + auth_write_login_records(rshd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.12/policy/modules/services/samba.fc +--- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/samba.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -2,6 +2,9 @@ + # + # /etc + # ++/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) + /etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) + /etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) + /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +@@ -15,6 +18,7 @@ + 
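Review bot: Replacing `files_search_tmp(rshd_t)` with `files_manage_generic_tmp_dirs(rshd_t)` lets rshd create, rename and delete every tmp_t directory under /tmp, including ones owned by other domains, with no transition to a private type. If rshd only needs a directory of its own there, a private `rshd_tmp_t` with a filetrans confines that to directories rshd itself creates and still gives search access; the type declaration belongs in the declarations section of rshd.te, which is outside this hunk. Whatever is kept, a comment naming what rshd writes under /tmp would document why a login daemon needs more than search.
```m4
# declarations section (outside this hunk)
type rshd_tmp_t;
files_tmp_file(rshd_tmp_t)

# ... unchanged: rshd_t local policy up to the /tmp rules ...
files_search_tmp(rshd_t)
manage_dirs_pattern(rshd_t, rshd_tmp_t, rshd_tmp_t)
files_tmp_filetrans(rshd_t, rshd_tmp_t, dir)
```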
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) + /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) + /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) + + /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +@@ -47,3 +51,7 @@ + /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + + /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + -+permissive virtd_t; ++ifndef(`enable_mls',` ++/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.12/policy/modules/services/samba.if +--- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/samba.if 2009-04-07 16:01:44.000000000 -0400 +@@ -4,6 +4,45 @@ + ## from Windows NT servers. + ##
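Review bot: `/var/lib/samba/scripts(/.*)?` labels a whole tree as samba_unconfined_script_exec_t, and by the type's name a file placed there is an entry point into an unconfined domain for smbd (presumably through the samba_helper_template added later in samba.if), so anyone able to write into that directory gets an unconfined execution path out of the smbd sandbox. Nothing records which types may write there; a comment above the line stating that the tree must be owned by root, writable only by administrative domains and never by smbd_t or samba_share_t would make that invariant explicit. The `ifndef(`enable_mls'` guard only drops the label on MLS builds; on targeted builds the path is always active, so a boolean defaulting to off is worth considering.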
+ + +######################################## ++## ++## Execute smbd net in the smbd_t domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## +# -+# svirt local policy -+# -+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) -+files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) -+ -+manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) ++interface(`samba_domtrans_smb',` ++ gen_require(` ++ type smbd_t, smbd_exec_t; ++ ') + -+allow svirt_t svirt_image_t:dir search_dir_perms; -+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) -+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, smbd_exec_t, smbd_t) ++') + -+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -+read_files_pattern(svirt_t, virt_content_t, virt_content_t) -+ -+storage_raw_write_removable_device(svirt_t) -+storage_raw_read_removable_device(svirt_t) ++######################################## ++## ++## Execute nmbd net in the nmbd_t domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`samba_domtrans_nmb',` ++ gen_require(` ++ type nmbd_t, nmbd_exec_t; ++ ') + -+userdom_search_user_home_content(svirt_t) -+userdom_read_all_users_state(svirt_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, nmbd_exec_t, nmbd_t) ++') + -+append_files_pattern(svirt_t, virt_log_t, virt_log_t) + ######################################## + ## + ## Execute samba net in the samba_net domain. +@@ -25,6 +64,25 @@ + + ######################################## + ## ++## Execute samba net in the samba_unconfined_net domain. ++## ++## ++## ++## The type of the process performing this action. 
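Review bot: The summaries `Execute smbd net in the smbd_t domain.` and `Execute nmbd net in the nmbd_t domain.` read as copies of the samba_domtrans_net description with the wrong binary; these interfaces transition into the daemons themselves, not into a net tool. Suggest `Execute smbd in the smbd_t domain.` and `Execute nmbd in the nmbd_t domain.`, plus a sentence noting that the caller enters the full file-server domain, since smbd_exec_t is a daemon entry point and callers of a domtrans should know they are starting a server. The bodies otherwise follow the domtrans_pattern shape used by the rest of this file.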
++## ++## ++# ++interface(`samba_domtrans_unconfined_net',` ++ gen_require(` ++ type samba_unconfined_net_t, samba_net_exec_t; ++ ') + -+allow svirt_t self:udp_socket create_socket_perms; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) ++') + -+corenet_udp_sendrecv_generic_if(svirt_t) -+corenet_udp_sendrecv_generic_node(svirt_t) -+corenet_udp_sendrecv_all_ports(svirt_t) -+corenet_udp_bind_generic_node(svirt_t) -+corenet_udp_bind_all_ports(svirt_t) -+corenet_tcp_bind_all_ports(svirt_t) ++######################################## ++## + ## Execute samba net in the samba_net domain, and + ## allow the specified role the samba_net domain. + ## +@@ -49,6 +107,50 @@ + role $2 types samba_net_t; + ') + ++####################################### ++## ++## The role for the samba module. ++## ++## ++## ++## The role to be allowed the samba_net domain. ++## ++## ++# ++template(`samba_role_notrans',` ++ gen_require(` ++ type smbd_t; ++ ') + -+tunable_policy(`virt_use_comm',` -+ term_use_unallocated_ttys(svirt_t) -+ dev_rw_printer(svirt_t) ++ role $1 types smbd_t; +') + -+tunable_policy(`virt_use_nfs',` -+ fs_manage_nfs_dirs(svirt_t) -+ fs_manage_nfs_files(svirt_t) -+') ++######################################## ++## ++## Execute samba net in the samba_unconfined_net domain, and ++## allow the specified role the samba_unconfined_net domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the samba_unconfined_net domain. ++## ++## ++## ++# ++interface(`samba_run_unconfined_net',` ++ gen_require(` ++ type samba_unconfined_net_t; ++ ') + -+tunable_policy(`virt_use_samba',` -+ fs_manage_cifs_dirs(svirt_t) -+ fs_manage_cifs_files(svirt_t) ++ samba_domtrans_unconfined_net($1) ++ role $2 types samba_unconfined_net_t; +') + -+optional_policy(` -+ samba_domtrans_smb(svirt_t) -+') + ######################################## + ## + ## Execute smbmount in the smbmount domain. 
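Review bot: `samba_role_notrans` is documented as `The role for the samba module.` with its parameter described as `The role to be allowed the samba_net domain.`, but its body is `role $1 types smbd_t;`, so the description names the wrong domain. Suggest the summary `Allow the specified role the smbd_t domain without a domain transition.` and the parameter text `The role to be allowed the smbd_t domain.`. It is also declared with `template(` although it creates no derived types; `interface(` is what the sibling `samba_run_unconfined_net` in the same hunk uses for the same kind of role grant.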
+@@ -138,6 +240,28 @@ + + ######################################## + ## ++## Allow the specified domain to read ++## and write samba configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`samba_manage_config',` ++ gen_require(` ++ type samba_etc_t; ++ ') + -+optional_policy(` -+ xen_rw_image_files(svirt_t) ++ files_search_etc($1) ++ manage_dirs_pattern($1, samba_etc_t, samba_etc_t) ++ manage_files_pattern($1, samba_etc_t, samba_etc_t) +') + -+optional_policy(` -+ xen_rw_image_files(svirt_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te ---- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/w3c.te 2009-04-07 16:01:44.000000000 -0400 -@@ -8,11 +8,18 @@ - - apache_content_template(w3c_validator) ++######################################## ++## + ## Allow the specified domain to read samba's log files. + ## + ## +@@ -281,6 +405,25 @@ -+type httpd_w3c_validator_tmp_t; -+files_tmp_file(httpd_w3c_validator_tmp_t) -+ ######################################## - # - # Local policy - # - -+manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -+manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -+files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) + ## ++## dontaudit the specified domain to ++## write samba /var files. ++## ++## ++## ++## Domain allowed access. 
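Review bot: `samba_manage_config` is described as letting the domain `read and write samba configuration files`, but the body uses `manage_dirs_pattern` and `manage_files_pattern`, which also grant create, rename and delete on samba_etc_t directories and files. Refpolicy summaries normally say manage for that; suggest `Create, read, write, and delete samba configuration files and directories.` so a caller does not grant more than it expects. The body itself matches how `samba_manage_var_files` further down this file is written.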
++## ++## ++# ++interface(`samba_dontaudit_write_var_files',` ++ gen_require(` ++ type samba_var_t; ++ ') + - corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) - corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) - corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -3,12 +3,16 @@ - # - HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) - HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) -+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) - HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) - HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) - HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) - HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) - HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) -+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) - -+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) - # - # /dev - # -@@ -32,11 +36,6 @@ - /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) - /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) - --ifdef(`distro_redhat',` --/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) --/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) --') -- - # - # /opt - # -@@ -61,6 +60,7 @@ - /usr/(s)?bin/[xgkw]dm -- 
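Review bot: The parameter of `samba_dontaudit_write_var_files` is documented as `Domain allowed access.`, but the interface only adds a `dontaudit` rule, so nothing is allowed; the refpolicy wording for this case is `Domain to not audit.`. The summary `dontaudit the specified domain to write samba /var files.` would read better as `Do not audit attempts to write samba /var files.`. With the current text a caller may believe the interface grants write access to samba_var_t.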
gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) - /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +89,26 @@ - - /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++ dontaudit $1 samba_var_t:file write; ++') ++ ++######################################## ++## + ## Allow the specified domain to + ## read and write samba /var files. + ## +@@ -298,6 +441,7 @@ + files_search_var($1) + files_search_var_lib($1) + manage_files_pattern($1, samba_var_t, samba_var_t) ++ manage_lnk_files_pattern($1, samba_var_t, samba_var_t) + ') --/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) -+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + ######################################## +@@ -370,6 +514,7 @@ + ') --/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) --/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) ++ allow $1 winbind_helper_t:process signal; + ') -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) -+ -+/var/run/gdm(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+ -+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) -+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) - - ifdef(`distro_suse',` - /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-07 16:01:44.000000000 -0400 -@@ -90,7 +90,7 @@ - allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; - -- xserver_common_x_domain_template(user, $2) -+ xserver_common_app($2) - - ############################## - # -@@ -115,7 +115,8 @@ - # write: gnome-settings-daemon RANDR:SelectInput - # setattr: gnome-settings-daemon X11:GrabKey - # manage: metacity X11:ChangeWindowAttributes -- allow $2 rootwindow_t:x_drawable { read write manage setattr }; -+ allow $2 rootwindow_t:x_drawable { read write manage get_property getattr setattr }; -+ allow $2 $2:x_drawable all_x_drawable_perms; - - # setattr: metacity X11:InstallColormap - allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; -@@ -156,7 +157,7 @@ - allow $1 xserver_t:process signal; - - # Read /tmp/.X0-lock -- allow $1 xserver_tmp_t:file { getattr read }; -+ allow $1 xserver_tmp_t:file read_file_perms; - - # Client read xserver shm - allow $1 xserver_t:fd use; -@@ -219,12 +220,12 @@ - allow $1 self:unix_stream_socket { connectto 
create_stream_socket_perms }; - - # Read .Xauthority file -- allow $1 xauth_home_t:file { getattr read }; -- allow $1 iceauth_home_t:file { getattr read }; -+ allow $1 xauth_home_t:file read_file_perms; -+ allow $1 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $1 xdm_t:fd use; -- allow $1 xdm_t:fifo_file { getattr read write ioctl }; -+ allow $1 xdm_t:fifo_file rw_fifo_file_perms; - allow $1 xdm_tmp_t:dir search; - allow $1 xdm_tmp_t:sock_file { read write }; - dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -278,7 +279,6 @@ - type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; - type xevent_t, client_xevent_t; - -- attribute x_domain; - attribute xproperty_type; - attribute xevent_type; - attribute input_xevent_type; -@@ -287,6 +287,8 @@ - class x_property all_x_property_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; -+ class x_selection all_x_selection_perms; -+ type xselection_t; + ######################################## +@@ -447,3 +592,202 @@ + stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) ') - - ############################## -@@ -294,20 +296,11 @@ - # Local Policy - # - -- # Type attributes -- typeattribute $2 x_domain; -- - # X Properties - # can read and write client properties - allow $2 $1_xproperty_t:x_property { create destroy read write append }; - type_transition $2 xproperty_t:x_property $1_xproperty_t; - -- # X Windows -- # new windows have the domain type -- type_transition $2 rootwindow_t:x_drawable $2; -- -- # X Input -- # can receive own events - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; -@@ -320,8 +313,10 @@ - type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; - type_transition $2 client_xevent_t:x_event $1_client_xevent_t; - 
type_transition $2 xevent_t:x_event $1_default_xevent_t; -- # can send ICCCM events to myself + ') + - allow $2 $1_manage_xevent_t:x_synthetic_event send; ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`samba_helper_template',` ++ gen_require(` ++ type smbd_t; ++ ') ++ #This type is for samba helper scripts ++ type samba_$1_script_t; ++ domain_type(samba_$1_script_t) ++ role system_r types samba_$1_script_t; + -+ xserver_common_app($2) - ') - - ####################################### -@@ -397,11 +392,12 @@ - gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; -+ class x_screen all_x_screen_perms; - ') - -- allow $2 self:shm create_shm_perms; -- allow $2 self:unix_dgram_socket create_socket_perms; -- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; -+ allow $2 $2:shm create_shm_perms; -+ allow $2 $2:unix_dgram_socket create_socket_perms; -+ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file - allow $2 xauth_home_t:file read_file_perms; -@@ -409,7 +405,7 @@ - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; -- allow $2 xdm_t:fifo_file { getattr read write ioctl }; -+ allow $2 xdm_t:fifo_file rw_fifo_file_perms; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; - dontaudit $2 xdm_t:tcp_socket { read write }; -@@ -437,6 +433,10 @@ - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - ') ++ # This type is used for executable scripts files ++ type samba_$1_script_exec_t; ++ corecmd_shell_entry_type(samba_$1_script_t) ++ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) + -+ allow $2 xserver_t:x_screen { saver_hide saver_show }; ++ domtrans_pattern(smbd_t, samba_$1_script_exec_t, 
samba_$1_script_t) ++ allow smbd_t samba_$1_script_exec_t:file ioctl; + -+ xserver_use_xdm($2) - ') - - ######################################## -@@ -639,7 +639,7 @@ - type xdm_t; - ') - -- allow $1 xdm_t:fifo_file { getattr read write }; -+ allow $1 xdm_t:fifo_file rw_fifo_file_perms; - ') - - ######################################## -@@ -738,6 +738,7 @@ - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ allow $1 xdm_tmp_t:sock_file unlink; - ') - - ######################################## -@@ -756,7 +757,26 @@ - ') - - files_search_pids($1) -- allow $1 xdm_var_run_t:file read_file_perms; -+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) +') + +######################################## +## -+## Manage XDM pid files. ++## Allow the specified domain to read samba's shares +## +## +## 
@@ -21918,1944 +19755,1864 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`xserver_manage_xdm_pid',` ++interface(`samba_read_share_files',` + gen_require(` -+ type xdm_var_run_t; ++ type samba_share_t; + ') + -+ files_search_pids($1) -+ manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t) - ') - - ######################################## -@@ -779,6 +799,50 @@ - - ######################################## - ## -+## Read XDM var lib files. ++ allow $1 samba_share_t:filesystem getattr; ++ read_files_pattern($1, samba_share_t, samba_share_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run smbcontrol. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`xserver_manage_xdm_lib_files',` ++interface(`samba_domtrans_smbcontrol',` + gen_require(` -+ type xdm_var_lib_t; ++ type smbcontrol_t; ++ type smbcontrol_exec_t; + ') + -+ manage_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) -+ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) ++ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) +') + ++ +######################################## +## -+## Execute xsever in the xserver domain, and -+## allow the specified role the xserver domain. ++## Execute smbcontrol in the smbcontrol domain, and ++## allow the specified role the smbcontrol domain. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access +## +## +## +## -+## The role to be allowed the xserver domain. ++## The role to be allowed the smbcontrol domain. 
+## +## +# -+interface(`xserver_run',` ++interface(`samba_run_smbcontrol',` + gen_require(` -+ type xserver_t; ++ type smbcontrol_t; + ') + -+ xserver_domtrans($1) -+ role $2 types xserver_t; ++ samba_domtrans_smbcontrol($1) ++ role $2 types smbcontrol_t; +') + +######################################## +## - ## Make an X session script an entrypoint for the specified domain. - ## - ## -@@ -872,6 +936,27 @@ - - ######################################## - ## -+## Allow append the xdm -+## log files. ++## Execute samba server in the samba domain. +## +## +## -+## Domain to not audit -+## -+## -+# -+interface(`xserver_xdm_append_log',` -+ gen_require(` -+ type xdm_log_t; -+ attribute xdmhomewriter; -+ ') -+ -+ typeattribute $1 xdmhomewriter; -+ append_files_pattern($1, xdm_log_t, xdm_log_t) -+') -+ -+######################################## -+## - ## Do not audit attempts to write the X server - ## log files. - ## -@@ -1018,10 +1103,11 @@ - # - interface(`xserver_domtrans',` - gen_require(` -- type xserver_t, xserver_exec_t; -+ type xserver_t, xserver_exec_t, xdm_t; - ') - - allow $1 xserver_t:process siginh; -+ allow xdm_t $1:process sigchld; - domtrans_pattern($1, xserver_exec_t, xserver_t) - ') - -@@ -1159,6 +1245,275 @@ - - ######################################## - ## -+## Read xserver files created in /var/run -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_read_pid',` -+ gen_require(` -+ type xserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## -+## Execute xserver files created in /var/run -+## -+## -+## -+## Domain allowed access. ++## The type of the process performing this action. 
+## +## +# -+interface(`xserver_exec_pid',` ++interface(`samba_initrc_domtrans',` + gen_require(` -+ type xserver_var_run_t; ++ type samba_initrc_exec_t; + ') + -+ files_search_pids($1) -+ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++ init_labeled_script_domtrans($1, samba_initrc_exec_t) +') + +######################################## +## -+## Write xserver files created in /var/run ++## All of the rules required to administrate ++## an samba environment +## +## +## +## Domain allowed access. +## +## -+# -+interface(`xserver_write_pid',` -+ gen_require(` -+ type xserver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## -+## Read user homedir fonts. -+## -+## ++## +## -+## Domain allowed access. ++## The role to be allowed to manage the samba domain. +## +## +## +# -+interface(`xserver_manage_home_fonts',` ++interface(`samba_admin',` + gen_require(` -+ type user_fonts_t; -+ type user_fonts_config_t; -+ ') -+ -+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t) -+ manage_files_pattern($1, user_fonts_t, user_fonts_t) -+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++ type nmbd_t, nmbd_var_run_t; ++ type smbd_t, smbd_tmp_t; ++ type smbd_initrc_exec_t; ++ type smbd_spool_t, smbd_var_run_t; + -+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) -+') ++ type samba_log_t, samba_var_t; ++ type samba_etc_t, samba_share_t; ++ type samba_secrets_t; + -+######################################## -+## -+## Read user homedir fonts. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`xserver_read_home_fonts',` -+ gen_require(` -+ type user_fonts_t; -+ ') ++ type swat_var_run_t, swat_tmp_t; + -+ read_files_pattern($1, user_fonts_t, user_fonts_t) -+ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) -+') ++ type winbind_var_run_t, winbind_tmp_t; ++ type winbind_log_t; + -+######################################## -+## -+## write to .xsession-errors file -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_rw_xdm_home_files',` -+ gen_require(` -+ type xdm_home_t; ++ type samba_unconfined_script_t, samba_unconfined_script_exec_t; ++ type samba_initrc_exec_t; + ') + -+ allow $1 xdm_home_t:file rw_file_perms; -+') -+ -+######################################## -+## -+## Dontaudit write to .xsession-errors file -+## -+## -+## -+## Domain to not audit -+## -+## -+# -+interface(`xserver_dontaudit_rw_xdm_home_files',` -+ gen_require(` -+ type xdm_home_t; -+ ') ++ allow $1 smbd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, smbd_t) ++ ++ allow $1 nmbd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nmbd_t) ++ ++ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) ++ ++ samba_run_smbcontrol($1, $2, $3) ++ samba_run_winbind_helper($1, $2, $3) ++ samba_run_smbmount($1, $2, $3) ++ samba_run_net($1, $2, $3) + -+ dontaudit $1 xdm_home_t:file rw_file_perms; -+') ++ init_labeled_script_domtrans($1, samba_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 samba_initrc_exec_t system_r; ++ allow $2 system_r; + ++ files_list_tmp($1) ++ admin_pattern($1, smbd_tmp_t) ++ admin_pattern($1, swat_tmp_t) ++ admin_pattern($1, winbind_tmp_t) + -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. 
-+## -+## -+## -+## Client domain allowed access. -+## -+## -+# -+interface(`xserver_use_xdm',` -+ gen_require(` -+ type xdm_t, xdm_tmp_t; -+ type xdm_xproperty_t; -+ class x_client all_x_client_perms; -+ class x_drawable all_x_drawable_perms; -+ class x_property all_x_property_perms; -+ ') ++ admin_pattern($1, samba_secrets_t) + -+ allow $1 xdm_t:fd use; -+ allow $1 xdm_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1 xdm_t:tcp_socket { read write }; ++ files_list_etc($1) ++ admin_pattern($1, samba_etc_t) + -+ # Allow connections to X server. -+ xserver_stream_connect_xdm($1) -+ xserver_read_xdm_tmp_files($1) -+ xserver_xdm_stream_connect($1) -+ xserver_setattr_xdm_tmp_dirs($1) ++ admin_pattern($1, samba_share_t) + -+ allow $1 xdm_t:x_client { getattr destroy }; -+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; -+ allow $1 xdm_xproperty_t:x_property { write read }; ++ logging_list_logs($1) ++ admin_pattern($1, samba_log_t) ++ admin_pattern($1, winbind_log_t) + -+') ++ files_list_spool($1) ++ admin_pattern($1, smbd_spool_t) + -+######################################## -+## -+## Get the attributes of xauth executable -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_getattr_xauth',` -+ gen_require(` -+ type xauth_exec_t; -+ ') ++ files_list_var($1) ++ admin_pattern($1, samba_var_t) + -+ allow $1 xauth_exec_t:file getattr; ++ files_list_pids($1) ++ admin_pattern($1, smbd_var_run_t) ++ admin_pattern($1, nmbd_var_run_t) ++ admin_pattern($1, swat_var_run_t) ++ admin_pattern($1, winbind_var_run_t) ++ admin_pattern($1, samba_unconfined_script_exec_t) +') + -+######################################## -+## -+## Read a user Iceauthority domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+template(`xserver_read_user_iceauth',` -+ gen_require(` -+ type iceauth_home_t; -+ ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te +--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-04-07 16:01:44.000000000 -0400 +@@ -66,6 +66,13 @@ + ## + gen_tunable(samba_share_nfs, false) + ++## ++##

++## Allow samba to export ntfs/fusefs volumes. ++##

++##
++gen_tunable(samba_share_fusefs, false) + -+ # Read .Iceauthority file -+ allow $1 iceauth_home_t:file read_file_perms; -+') + type nmbd_t; + type nmbd_exec_t; + init_daemon_domain(nmbd_t, nmbd_exec_t) +@@ -73,6 +80,9 @@ + type nmbd_var_run_t; + files_pid_file(nmbd_var_run_t) + ++type samba_initrc_exec_t; ++init_script_file(samba_initrc_exec_t) + -+######################################## -+## -+## Connect to apmd over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_xdm_stream_connect',` -+ gen_require(` -+ type xdm_t, xdm_var_run_t; -+ ') + type samba_etc_t; + files_config_file(samba_etc_t) + +@@ -80,11 +90,9 @@ + logging_log_file(samba_log_t) + + type samba_net_t; +-domain_type(samba_net_t) +-role system_r types samba_net_t; +- + type samba_net_exec_t; +-domain_entry_file(samba_net_t, samba_net_exec_t) ++role system_r types samba_net_t; ++application_domain(samba_net_t, samba_net_exec_t) + + type samba_net_tmp_t; + files_tmp_file(samba_net_tmp_t) +@@ -146,11 +154,17 @@ + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) + ++type smbcontrol_t; ++type smbcontrol_exec_t; ++application_domain(smbcontrol_t, smbcontrol_exec_t) ++role system_r types smbcontrol_t; + -+ files_search_pids($1) -+ allow $1 xdm_var_run_t:sock_file write; -+ allow $1 xdm_t:unix_stream_socket connectto; -+') + ######################################## + # + # Samba net local policy + # +- ++allow samba_net_t self:capability { sys_nice dac_read_search dac_override }; ++allow samba_net_t self:process { getsched setsched }; + allow samba_net_t self:unix_dgram_socket create_socket_perms; + allow samba_net_t self:unix_stream_socket create_stream_socket_perms; + allow samba_net_t self:udp_socket create_socket_perms; +@@ -165,11 +179,12 @@ + manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) + files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) + +-allow samba_net_t samba_var_t:dir rw_dir_perms; 
++manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) + manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) + + kernel_read_proc_symlinks(samba_net_t) ++kernel_read_system_state(samba_net_t) + + corenet_all_recvfrom_unlabeled(samba_net_t) + corenet_all_recvfrom_netlabel(samba_net_t) +@@ -190,15 +205,23 @@ + domain_use_interactive_fds(samba_net_t) + + files_read_etc_files(samba_net_t) ++files_read_usr_symlinks(samba_net_t) + + auth_use_nsswitch(samba_net_t) ++auth_read_cache(samba_net_t) + + logging_send_syslog_msg(samba_net_t) + + miscfiles_read_localization(samba_net_t) + ++samba_read_var_files(samba_net_t) + -+######################################## -+## -+## Manage the xdm_spool files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_xdm_manage_spool',` -+ gen_require(` -+ type xdm_spool_t; -+ ') + userdom_use_user_terminals(samba_net_t) +-userdom_dontaudit_search_user_home_dirs(samba_net_t) ++userdom_list_user_home_dirs(samba_net_t) + -+ files_search_spool($1) -+ manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ++optional_policy(` ++ pcscd_read_pub_files(samba_net_t) +') + + optional_policy(` + kerberos_use(samba_net_t) +@@ -208,7 +231,7 @@ + # + # smbd Local policy + # +-allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; + dontaudit smbd_t self:capability sys_tty_config; + allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow smbd_t self:process setrlimit; +@@ -226,10 +249,8 @@ + + allow smbd_t samba_etc_t:file { rw_file_perms setattr }; + +-create_dirs_pattern(smbd_t, samba_log_t, samba_log_t) ++manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) + manage_files_pattern(smbd_t, samba_log_t, samba_log_t) +-allow smbd_t 
samba_log_t:dir setattr; +-dontaudit smbd_t samba_log_t:dir remove_name; + + allow smbd_t samba_net_tmp_t:file getattr; + +@@ -239,6 +260,7 @@ + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) + manage_files_pattern(smbd_t, samba_share_t, samba_share_t) + manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) ++allow smbd_t samba_share_t:filesystem getattr; + + manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) + manage_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -256,7 +278,7 @@ + manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + files_pid_filetrans(smbd_t, smbd_var_run_t, file) + +-allow smbd_t winbind_var_run_t:sock_file { read write getattr }; ++allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; + + kernel_getattr_core_if(smbd_t) + kernel_getattr_message_if(smbd_t) +@@ -298,6 +320,7 @@ + + auth_use_nsswitch(smbd_t) + auth_domtrans_chk_passwd(smbd_t) ++auth_domtrans_upd_passwd(smbd_t) + + domain_use_interactive_fds(smbd_t) + domain_dontaudit_list_all_domains_state(smbd_t) +@@ -321,6 +344,10 @@ + userdom_use_unpriv_users_fds(smbd_t) + userdom_dontaudit_search_user_home_dirs(smbd_t) + ++usermanage_read_crack_db(smbd_t) + -+######################################## -+## -+## Ptrace XDM -+## -+## -+## -+## Domain to not audit -+## -+## -+# -+interface(`xserver_ptrace_xdm',` -+ gen_require(` -+ type xdm_t; -+ ') ++term_use_ptmx(smbd_t) + -+ allow $1 xdm_t:process ptrace; + ifdef(`hide_broken_symptoms', ` + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) +@@ -333,25 +360,33 @@ + + tunable_policy(`samba_domain_controller',` + usermanage_domtrans_passwd(smbd_t) ++ usermanage_kill_passwd(smbd_t) + usermanage_domtrans_useradd(smbd_t) + usermanage_domtrans_groupadd(smbd_t) + ') + + tunable_policy(`samba_enable_home_dirs',` +- userdom_manage_user_home_content_dirs(smbd_t) +- userdom_manage_user_home_content_files(smbd_t) +- userdom_manage_user_home_content_symlinks(smbd_t) +- 
userdom_manage_user_home_content_sockets(smbd_t) +- userdom_manage_user_home_content_pipes(smbd_t) +- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) ++ userdom_manage_user_home_content(smbd_t) + ') + + # Support Samba sharing of NFS mount points + tunable_policy(`samba_share_nfs',` + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) ++ fs_manage_nfs_symlinks(smbd_t) ++ fs_manage_nfs_named_pipes(smbd_t) ++ fs_manage_nfs_named_sockets(smbd_t) +') + -+######################################## -+## - ## Interface to provide X object permissions on a given X server to - ## an X client domain. Gives the domain complete control over the - ## display. -@@ -1172,7 +1527,102 @@ - interface(`xserver_unconfined',` - gen_require(` - attribute xserver_unconfined_type; -+ attribute x_domain; - ') ++# Support Samba sharing of ntfs/fusefs mount points ++tunable_policy(`samba_share_fusefs',` ++ fs_manage_fusefs_dirs(smbd_t) ++ fs_manage_fusefs_files(smbd_t) ++',` ++ fs_search_fusefs(smbd_t) + ') - typeattribute $1 xserver_unconfined_type; -+ typeattribute $1 x_domain; -+') + -+######################################## -+## -+## Rules required for using the X Windows server -+## and environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_communicate',` -+ gen_require(` -+ class x_drawable all_x_drawable_perms; -+ class x_resource all_x_resource_perms; - ') -+ -+ allow $1 $2:x_drawable all_x_drawable_perms; -+ allow $2 $1:x_drawable all_x_drawable_perms; -+ allow $1 $2:x_resource all_x_resource_perms; -+ allow $2 $1:x_resource all_x_resource_perms; -+') -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## Client domain allowed access. 
-+## -+## -+# -+interface(`xserver_common_app',` -+ -+ gen_require(` -+ attribute x_domain; -+ attribute xevent_type; -+ type xselection_t, rootwindow_t; -+ type user_xproperty_t, xproperty_t; -+ class x_property all_x_property_perms; -+ class x_selection all_x_selection_perms; -+ class x_event all_x_event_perms; -+ class x_synthetic_event all_x_synthetic_event_perms; -+ ') -+ -+ # Type attributes -+ typeattribute $1 x_domain; -+ -+ allow $1 xselection_t:x_selection setattr; -+ allow $1 user_xproperty_t:x_property { write read destroy }; -+ allow $1 xproperty_t:x_property all_x_property_perms; -+ -+ # X Windows -+ # new windows have the domain type -+ type_transition $1 rootwindow_t:x_drawable $1; -+ -+ # X Input -+ # can receive own events -+ allow $1 xevent_type:{ x_event x_synthetic_event } { receive send }; -+ xserver_communicate($1, $1) -+ xserver_use_xdm($1) + optional_policy(` + cups_read_rw_config(smbd_t) + cups_stream_connect(smbd_t) +@@ -359,6 +394,16 @@ + + optional_policy(` + kerberos_use(smbd_t) ++ kerberos_keytab_template(smbd, smbd_t) +') + -+######################################## -+## -+## Send and receive messages from -+## xdm over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_xdm_dbus_chat',` -+ gen_require(` -+ type xdm_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 xdm_t:dbus send_msg; -+ allow xdm_t $1:dbus send_msg; ++optional_policy(` ++ lpd_exec_lpr(smbd_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-08 08:34:37.000000000 -0400 -@@ -34,6 +34,13 @@ - - ## - ##

-+## Allows XServer to execute writable memory -+##

-+##
-+gen_tunable(allow_xserver_execmem, false) -+ -+## -+##

- ## Allow xdm logins as sysadm - ##

- ##
-@@ -46,6 +53,7 @@ - ## - gen_tunable(xserver_object_manager, false) ++optional_policy(` ++ qemu_manage_tmp_dirs(smbd_t) ++ qemu_manage_tmp_files(smbd_t) + ') -+attribute xdmhomewriter; - attribute input_xevent_type; - attribute xserver_unconfined_type; - attribute x_domain; -@@ -65,14 +73,14 @@ + optional_policy(` +@@ -376,13 +421,15 @@ + tunable_policy(`samba_create_home_dirs',` + allow smbd_t self:capability chown; + userdom_create_user_home_dirs(smbd_t) +- userdom_home_filetrans_user_home_dir(smbd_t) + ') ++userdom_home_filetrans_user_home_dir(smbd_t) - type iceauth_t; - type iceauth_exec_t; --typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; -+typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t }; - typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; - application_domain(iceauth_t, iceauth_exec_t) - ubac_constrained(iceauth_t) + tunable_policy(`samba_export_all_ro',` + fs_read_noxattr_fs_files(smbd_t) ++ auth_read_all_dirs_except_shadow(smbd_t) + auth_read_all_files_except_shadow(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) ++ auth_read_all_dirs_except_shadow(nmbd_t) + auth_read_all_files_except_shadow(nmbd_t) + ') - type iceauth_home_t; - typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; --typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; -+typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; - files_poly_member(iceauth_home_t) - userdom_user_home_content(iceauth_home_t) +@@ -391,8 +438,8 @@ + auth_manage_all_files_except_shadow(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + auth_manage_all_files_except_shadow(nmbd_t) +- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) + ') ++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -@@ -112,17 +120,17 @@ - typealias user_client_xevent_t alias { 
auditadm_client_xevent_t secadm_client_xevent_t }; + ######################################## + # +@@ -417,14 +464,11 @@ + files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) - type user_fonts_t; --typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; --typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; -+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t }; -+typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t }; - userdom_user_home_content(user_fonts_t) + read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) ++read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) - type user_fonts_cache_t; --typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; -+typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t }; - typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; - userdom_user_home_content(user_fonts_cache_t) + manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) + manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - type user_fonts_config_t; --typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; -+typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t }; - typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; - userdom_user_home_content(user_fonts_config_t) +-read_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-create_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-allow nmbd_t samba_log_t:dir setattr; +- + manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) -@@ -134,18 +142,18 @@ - type xauth_t; - type xauth_exec_t; - typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; --typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; -+typealias xauth_t alias { 
auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t }; - application_domain(xauth_t, xauth_exec_t) - ubac_constrained(xauth_t) + allow nmbd_t smbd_var_run_t:dir rw_dir_perms; +@@ -454,6 +498,7 @@ + dev_getattr_mtrr_dev(nmbd_t) - type xauth_home_t; - typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; --typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; -+typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t }; - files_poly_member(xauth_home_t) - userdom_user_home_content(xauth_home_t) + fs_getattr_all_fs(nmbd_t) ++fs_list_inotifyfs(nmbd_t) + fs_search_auto_mountpoints(nmbd_t) - type xauth_tmp_t; --typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; -+typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t }; - typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; - files_tmp_file(xauth_tmp_t) - ubac_constrained(xauth_tmp_t) -@@ -166,7 +174,10 @@ - files_lock_file(xdm_lock_t) + domain_use_interactive_fds(nmbd_t) +@@ -553,21 +598,36 @@ + userdom_use_user_terminals(smbmount_t) + userdom_use_all_users_fds(smbmount_t) - type xdm_rw_etc_t; --files_type(xdm_rw_etc_t) -+files_config_file(xdm_rw_etc_t) ++optional_policy(` ++ cups_read_rw_config(smbmount_t) ++') + -+type xdm_spool_t; -+files_type(xdm_spool_t) + ######################################## + # + # SWAT Local policy + # - type xdm_var_lib_t; - files_type(xdm_var_lib_t) -@@ -174,6 +185,12 @@ - type xdm_var_run_t; - files_pid_file(xdm_var_run_t) +-allow swat_t self:capability { setuid setgid }; +-allow swat_t self:process signal_perms; +-allow swat_t self:fifo_file rw_file_perms; ++allow swat_t self:capability { setuid setgid sys_resource }; ++allow swat_t self:process { setrlimit signal_perms }; ++allow swat_t self:fifo_file rw_fifo_file_perms; + allow 
swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + allow swat_t self:tcp_socket create_stream_socket_perms; + allow swat_t self:udp_socket create_socket_perms; -+type xserver_var_lib_t; -+files_type(xserver_var_lib_t) -+ -+type xserver_var_run_t; -+files_pid_file(xserver_var_run_t) ++allow swat_t self:unix_stream_socket connectto; ++samba_domtrans_smb(swat_t) ++allow swat_t smbd_port_t:tcp_socket name_bind; ++allow swat_t smbd_t:process { signal signull }; ++allow swat_t smbd_var_run_t:file { lock unlink }; + - type xdm_tmp_t; - files_tmp_file(xdm_tmp_t) - typealias xdm_tmp_t alias ice_tmp_t; -@@ -181,6 +198,12 @@ - type xdm_tmpfs_t; - files_tmpfs_file(xdm_tmpfs_t) + allow swat_t nmbd_exec_t:file mmap_file_perms; ++can_exec(swat_t, nmbd_exec_t) ++allow swat_t nmbd_port_t:udp_socket name_bind; ++allow swat_t nmbd_t:process { signal signull }; ++allow swat_t nmbd_var_run_t:file { lock read unlink }; -+type xdm_home_t; -+userdom_user_home_content(xdm_home_t) -+ -+type xdm_log_t; -+logging_log_file(xdm_log_t) -+ - # type for /var/lib/xkb - type xkb_var_lib_t; - files_type(xkb_var_lib_t) -@@ -189,7 +212,7 @@ - type xserver_t; - type xserver_exec_t; - typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; --typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t }; -+typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; - xserver_object_types_template(xdm) - xserver_common_x_domain_template(xdm,xdm_t) - init_system_domain(xserver_t, xserver_exec_t) -@@ -197,12 +220,12 @@ + rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) ++read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - type xserver_tmp_t; - typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; --typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t }; -+typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; - 
files_tmp_file(xserver_tmp_t) - ubac_constrained(xserver_tmp_t) + append_files_pattern(swat_t, samba_log_t, samba_log_t) - type xserver_tmpfs_t; --typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; -+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; - typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; - files_tmpfs_file(xserver_tmpfs_t) - ubac_constrained(xserver_tmpfs_t) -@@ -250,19 +273,21 @@ - # Xauth local policy - # +@@ -585,6 +645,9 @@ + files_pid_filetrans(swat_t, swat_var_run_t, file) -+allow xauth_t self:capability dac_override; - allow xauth_t self:process signal; - allow xauth_t self:unix_stream_socket create_stream_socket_perms; + allow swat_t winbind_exec_t:file mmap_file_perms; ++can_exec(swat_t, winbind_exec_t) ++allow swat_t winbind_var_run_t:dir { write add_name remove_name }; ++allow swat_t winbind_var_run_t:sock_file { create unlink }; - allow xauth_t xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) -+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) -+ -+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) -+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) + kernel_read_kernel_sysctls(swat_t) + kernel_read_system_state(swat_t) +@@ -609,15 +672,18 @@ - manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) - manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) - files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) + dev_read_urand(swat_t) --allow xdm_t xauth_home_t:file manage_file_perms; --userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) -- - domain_use_interactive_fds(xauth_t) ++files_list_var_lib(swat_t) + files_read_etc_files(swat_t) + files_search_home(swat_t) + files_read_usr_files(swat_t) + fs_getattr_xattr_fs(swat_t) 
++fs_list_inotifyfs(swat_t) - files_read_etc_files(xauth_t) -@@ -300,13 +325,14 @@ - # XDM Local policy - # + auth_domtrans_chk_passwd(swat_t) + auth_use_nsswitch(swat_t) --allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; --allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; -+allow xdm_t self:process { getattr getcap setcap }; - allow xdm_t self:fifo_file rw_fifo_file_perms; - allow xdm_t self:shm create_shm_perms; - allow xdm_t self:sem create_sem_perms; - allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; --allow xdm_t self:unix_dgram_socket create_socket_perms; -+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; - allow xdm_t self:tcp_socket create_stream_socket_perms; - allow xdm_t self:udp_socket create_socket_perms; - allow xdm_t self:socket create_socket_perms; -@@ -314,6 +340,11 @@ - allow xdm_t self:key { search link write }; + logging_send_syslog_msg(swat_t) ++logging_send_audit_msgs(swat_t) + logging_search_logs(swat_t) - allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + miscfiles_read_localization(swat_t) +@@ -635,6 +701,17 @@ + kerberos_use(swat_t) + ') + ++init_read_utmp(swat_t) ++init_dontaudit_write_utmp(swat_t) + -+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) -+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) ++manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) 
++create_files_pattern(swat_t, samba_log_t, samba_log_t) ++ ++manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) ++ ++manage_files_pattern(swat_t, samba_var_t, samba_var_t) ++files_list_var_lib(swat_t) ++ + ######################################## + # + # Winbind local policy +@@ -642,7 +719,7 @@ - # Allow gdm to run gdm-binary - can_exec(xdm_t, xdm_exec_t) -@@ -329,22 +360,38 @@ - manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) -+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) + allow winbind_t self:capability { dac_override ipc_lock setuid }; + dontaudit winbind_t self:capability sys_tty_config; +-allow winbind_t self:process signal_perms; ++allow winbind_t self:process { signal_perms getsched setsched }; + allow winbind_t self:fifo_file rw_fifo_file_perms; + allow winbind_t self:unix_dgram_socket create_socket_perms; + allow winbind_t self:unix_stream_socket create_stream_socket_perms; +@@ -683,9 +760,10 @@ + manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + files_pid_filetrans(winbind_t, winbind_var_run_t, file) - manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) --fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -+fs_getattr_all_fs(xdm_t) -+fs_search_inotifyfs(xdm_t) -+fs_read_noxattr_fs_files(xdm_t) -+ -+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) ++corecmd_exec_bin(winbind_t) + -+files_search_spool(xdm_t) -+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) -+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) -+files_spool_filetrans(xdm_t, xdm_spool_t, { 
file dir }) + kernel_read_kernel_sysctls(winbind_t) +-kernel_list_proc(winbind_t) +-kernel_read_proc_symlinks(winbind_t) ++kernel_read_system_state(winbind_t) - manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) - manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) --files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) -+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) -+# Read machine-id -+files_read_var_lib_files(xdm_t) + corenet_all_recvfrom_unlabeled(winbind_t) + corenet_all_recvfrom_netlabel(winbind_t) +@@ -709,10 +787,12 @@ - manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) - manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) - manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) --files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) -+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) + auth_domtrans_chk_passwd(winbind_t) + auth_use_nsswitch(winbind_t) ++auth_rw_cache(winbind_t) - allow xdm_t xserver_t:process signal; - allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +405,7 @@ - allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; + domain_use_interactive_fds(winbind_t) - allow xdm_t xserver_t:shm rw_shm_perms; -+read_files_pattern(xdm_t, xserver_t, xserver_t) + files_read_etc_files(winbind_t) ++files_read_usr_symlinks(winbind_t) - # connect to xdm xserver over stream socket - stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) -@@ -366,10 +414,14 @@ - delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) - delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) + logging_send_syslog_msg(winbind_t) -+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) -+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) 
-+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) -+logging_log_filetrans(xdm_t, xdm_log_t, file) +@@ -768,8 +848,13 @@ + userdom_use_user_terminals(winbind_helper_t) + + optional_policy(` ++ apache_append_log(winbind_helper_t) ++') + - manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) - manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) - manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) --logging_log_filetrans(xdm_t, xserver_log_t, file) ++optional_policy(` + squid_read_log(winbind_helper_t) + squid_append_log(winbind_helper_t) ++ squid_rw_stream_sockets(winbind_helper_t) + ') - kernel_read_system_state(xdm_t) - kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +441,13 @@ - corenet_udp_sendrecv_all_ports(xdm_t) - corenet_tcp_bind_generic_node(xdm_t) - corenet_udp_bind_generic_node(xdm_t) -+corenet_udp_bind_xdmcp_port(xdm_t) - corenet_tcp_connect_all_ports(xdm_t) - corenet_sendrecv_all_client_packets(xdm_t) - # xdm tries to bind to biff_port_t - corenet_dontaudit_tcp_bind_all_ports(xdm_t) - -+dev_rwx_zero(xdm_t) - dev_read_rand(xdm_t) - dev_read_sysfs(xdm_t) - dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +455,7 @@ - dev_getattr_mouse_dev(xdm_t) - dev_setattr_mouse_dev(xdm_t) - dev_rw_apm_bios(xdm_t) -+dev_rw_input_dev(xdm_t) - dev_setattr_apm_bios_dev(xdm_t) - dev_rw_dri(xdm_t) - dev_rw_agp(xdm_t) -@@ -413,14 +468,17 @@ - dev_setattr_video_dev(xdm_t) - dev_getattr_scanner_dev(xdm_t) - dev_setattr_scanner_dev(xdm_t) --dev_getattr_sound_dev(xdm_t) --dev_setattr_sound_dev(xdm_t) -+dev_read_sound(xdm_t) -+dev_write_sound(xdm_t) - dev_getattr_power_mgmt_dev(xdm_t) - dev_setattr_power_mgmt_dev(xdm_t) -+dev_getattr_null_dev(xdm_t) -+dev_setattr_null_dev(xdm_t) - - domain_use_interactive_fds(xdm_t) - # Do not audit denied probes of /proc. 
- domain_dontaudit_read_all_domains_state(xdm_t) -+domain_dontaudit_ptrace_all_domains(xdm_t) - - files_read_etc_files(xdm_t) - files_read_var_files(xdm_t) -@@ -431,9 +489,13 @@ - files_read_usr_files(xdm_t) - # Poweroff wants to create the /poweroff file when run from xdm - files_create_boot_flag(xdm_t) -+files_dontaudit_getattr_boot_dirs(xdm_t) -+files_dontaudit_write_usr_files(xdm_t) - - fs_getattr_all_fs(xdm_t) - fs_search_auto_mountpoints(xdm_t) -+fs_rw_anon_inodefs_files(xdm_t) -+fs_mount_tmpfs(xdm_t) - - storage_dontaudit_read_fixed_disk(xdm_t) - storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +504,7 @@ - storage_dontaudit_raw_write_removable_device(xdm_t) - storage_dontaudit_setattr_removable_dev(xdm_t) - storage_dontaudit_rw_scsi_generic(xdm_t) -+storage_dontaudit_rw_fuse(xdm_t) - - term_setattr_console(xdm_t) - term_use_unallocated_ttys(xdm_t) -@@ -450,6 +513,7 @@ - auth_domtrans_pam_console(xdm_t) - auth_manage_pam_pid(xdm_t) - auth_manage_pam_console_data(xdm_t) -+auth_signal_pam(xdm_t) - auth_rw_faillog(xdm_t) - auth_write_login_records(xdm_t) - -@@ -460,10 +524,10 @@ - - logging_read_generic_logs(xdm_t) - -+miscfiles_dontaudit_write_fonts(xdm_t) - miscfiles_read_localization(xdm_t) - miscfiles_read_fonts(xdm_t) -- --sysnet_read_config(xdm_t) -+miscfiles_manage_localization(xdm_t) - - userdom_dontaudit_use_unpriv_user_fds(xdm_t) - userdom_create_all_users_keys(xdm_t) -@@ -472,6 +536,8 @@ - # Search /proc for any user domain processes. 
- userdom_read_all_users_state(xdm_t) - userdom_signal_all_users(xdm_t) -+userdom_manage_user_tmp_sockets(xdm_t) -+userdom_manage_tmpfs_role(system_r, xdm_t) - - xserver_rw_session(xdm_t,xdm_tmpfs_t) - xserver_unconfined(xdm_t) -@@ -504,10 +570,12 @@ - - optional_policy(` - alsa_domtrans(xdm_t) -+ alsa_read_rw_config(xdm_t) - ') + ######################################## +@@ -778,6 +863,16 @@ + # optional_policy(` - consolekit_dbus_chat(xdm_t) -+ consolekit_read_log(xdm_t) - ') ++ type samba_unconfined_net_t; ++ domain_type(samba_unconfined_net_t) ++ role system_r types samba_unconfined_net_t; ++ ++ unconfined_domain(samba_unconfined_net_t) ++ ++ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) ++ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) ++') ++ + type samba_unconfined_script_t; + type samba_unconfined_script_exec_t; + domain_type(samba_unconfined_script_t) +@@ -788,9 +883,43 @@ + allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; + allow smbd_t samba_unconfined_script_exec_t:file ioctl; - optional_policy(` -@@ -515,12 +583,41 @@ - ') ++optional_policy(` + unconfined_domain(samba_unconfined_script_t) ++') - optional_policy(` -+ # Use dbus to start other processes as xdm_t -+ dbus_role_template(xdm, system_r, xdm_t) + tunable_policy(`samba_run_unconfined',` + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ++',` ++ can_exec(smbd_t, samba_unconfined_script_exec_t) + ') +-') + -+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; ++######################################## ++# ++# smbcontrol local policy ++# + -+ corecmd_bin_entry_type(xdm_t) ++# internal communication is often done using fifo and unix sockets. 
++allow smbcontrol_t self:fifo_file rw_file_perms; ++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + -+ dbus_system_bus_client(xdm_t) ++files_read_etc_files(smbcontrol_t) + -+ optional_policy(` -+ devicekit_power_dbus_chat(xdm_t) -+ ') ++miscfiles_read_localization(smbcontrol_t) + -+ optional_policy(` -+ hal_dbus_chat(xdm_t) -+ ') ++files_search_var_lib(smbcontrol_t) ++samba_read_config(smbcontrol_t) ++samba_rw_var_files(smbcontrol_t) ++samba_search_var(smbcontrol_t) ++samba_read_winbind_pid(smbcontrol_t) + -+ optional_policy(` -+ networkmanager_dbus_chat(xdm_t) -+ ') ++allow smbcontrol_t smbd_t:process signal; ++domain_use_interactive_fds(smbcontrol_t) ++allow smbd_t smbcontrol_t:process { signal signull }; + -+') ++allow nmbd_t smbcontrol_t:process signal; ++allow smbcontrol_t nmbd_t:process { signal signull }; + ++allow smbcontrol_t winbind_t:process { signal signull }; ++allow winbind_t smbcontrol_t:process signal; + -+optional_policy(` - # Talk to the console mouse server. 
- gpm_stream_connect(xdm_t) - gpm_setattr_gpmctl(xdm_t) - ') ++allow smbcontrol_t nmbd_var_run_t:file { read lock }; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te +--- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/sasl.te 2009-04-07 16:01:44.000000000 -0400 +@@ -99,6 +99,7 @@ optional_policy(` -+ gnome_read_gconf_config(xdm_t) -+') -+ -+optional_policy(` - hostname_exec(xdm_t) + kerberos_keytab_template(saslauthd, saslauthd_t) ++ kerberos_manage_host_rcache(saslauthd_t) ') -@@ -542,6 +639,23 @@ + optional_policy(` +@@ -107,6 +108,10 @@ ') optional_policy(` -+ polkit_domtrans_auth(xdm_t) -+ polkit_read_lib(xdm_t) -+ polkit_read_reload(xdm_t) -+') -+ -+optional_policy(` -+ pulseaudio_exec(xdm_t) -+') -+ -+# On crash gdm execs gdb to dump stack -+optional_policy(` -+ rpm_exec(xdm_t) -+ rpm_read_db(xdm_t) -+ rpm_dontaudit_manage_db(xdm_t) ++ nis_authenticate(saslauthd_t) +') + +optional_policy(` - seutil_sigchld_newrole(xdm_t) - ') - -@@ -550,8 +664,9 @@ + seutil_sigchld_newrole(saslauthd_t) ') - optional_policy(` -- unconfined_domain(xdm_t) -- unconfined_domtrans(xdm_t) -+ unconfined_shell_domtrans(xdm_t) -+ unconfined_signal(xdm_t) -+') - - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; -@@ -560,7 +675,6 @@ - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') --') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if +--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-07 16:01:44.000000000 -0400 +@@ -149,3 +149,92 @@ - optional_policy(` - userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +685,10 
@@ + logging_log_filetrans($1, sendmail_log_t, file) ') - - optional_policy(` -+ wm_exec(xdm_t) ++ ++######################################## ++## ++## Execute the sendmail program in the sendmail domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the sendmail domain. ++## ++## ++## ++# ++interface(`sendmail_run',` ++ gen_require(` ++ type sendmail_t; ++ ') ++ ++ sendmail_domtrans($1) ++ role $2 types sendmail_t; +') + -+optional_policy(` - xfs_stream_connect(xdm_t) - ') - -@@ -587,7 +705,7 @@ - # execheap needed until the X module loader is fixed. - # NVIDIA Needs execstack - --allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; - dontaudit xserver_t self:capability chown; - allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +720,11 @@ - allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow xserver_t self:tcp_socket create_stream_socket_perms; - allow xserver_t self:udp_socket create_socket_perms; -+allow xserver_t self:netlink_selinux_socket create_socket_perms; - - # Device rules - allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; -+allow x_domain xserver_t:x_screen getattr; - - allow xserver_t { input_xevent_t input_xevent_type }:x_event send; - -@@ -622,7 +742,7 @@ - manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) - files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) - --filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) -+#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) - - 
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) - manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +755,19 @@ - manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) - files_search_var_lib(xserver_t) - -+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) -+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) -+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) ++######################################## ++## ++## Execute sendmail in the unconfined sendmail domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_domtrans_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t, sendmail_exec_t; ++ ') + -+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) -+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) -+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) -+files_pid_filetrans(xserver_t, xserver_var_run_t, { dir file }) ++ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) ++') + - # Create files in /var/log with the xserver_log_t type. - manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) - logging_log_filetrans(xserver_t, xserver_log_t,file) -+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) ++######################################## ++## ++## Execute sendmail in the unconfined sendmail domain, and ++## allow the specified role the unconfined sendmail domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the unconfined sendmail domain. ++## ++## ++## ++# ++interface(`sendmail_run_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t; ++ ') ++ ++ sendmail_domtrans_unconfined($1) ++ role $2 types unconfined_sendmail_t; ++') ++ ++######################################## ++## ++## Allow attempts to read and write to ++## sendmail unnamed pipes. 
++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sendmail_rw_pipes',` ++ gen_require(` ++ type sendmail_t; ++ ') ++ ++ allow $1 sendmail_t:fifo_file rw_fifo_file_perms; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te +--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-04-07 16:01:44.000000000 -0400 +@@ -20,13 +20,17 @@ + mta_mailserver_delivery(sendmail_t) + mta_mailserver_sender(sendmail_t) - kernel_read_system_state(xserver_t) - kernel_read_device_sysctls(xserver_t) -@@ -680,9 +810,14 @@ - dev_rw_xserver_misc(xserver_t) - # read events - the synaptics touchpad driver reads raw events - dev_rw_input_dev(xserver_t) -+dev_read_raw_memory(xserver_t) -+dev_write_raw_memory(xserver_t) - dev_rwx_zero(xserver_t) ++type unconfined_sendmail_t; ++application_domain(unconfined_sendmail_t, sendmail_exec_t) ++role system_r types unconfined_sendmail_t; ++ + ######################################## + # + # Sendmail local policy + # -+domain_mmap_low_type(xserver_t) - domain_mmap_low(xserver_t) -+domain_dontaudit_read_all_domains_state(xserver_t) -+domain_signal_all_domains(xserver_t) +-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; +-allow sendmail_t self:process signal; ++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++allow sendmail_t self:process { setrlimit signal signull }; + allow sendmail_t self:fifo_file rw_fifo_file_perms; + allow sendmail_t self:unix_stream_socket create_stream_socket_perms; + allow sendmail_t self:unix_dgram_socket create_socket_perms; +@@ -47,6 +51,7 @@ + kernel_read_kernel_sysctls(sendmail_t) + # for piping mail to a command + kernel_read_system_state(sendmail_t) 
++kernel_read_network_state(sendmail_t) - files_read_etc_files(xserver_t) - files_read_etc_runtime_files(xserver_t) -@@ -697,8 +832,13 @@ - fs_search_nfs(xserver_t) - fs_search_auto_mountpoints(xserver_t) - fs_search_ramfs(xserver_t) -+fs_list_inotifyfs(xdm_t) -+fs_rw_tmpfs_files(xserver_t) + corenet_all_recvfrom_unlabeled(sendmail_t) + corenet_all_recvfrom_netlabel(sendmail_t) +@@ -64,24 +69,30 @@ - mls_xwin_read_to_clearance(xserver_t) -+mls_process_write_to_clearance(xserver_t) -+mls_file_read_to_clearance(xserver_t) -+mls_file_write_all_levels(xserver_t) + fs_getattr_all_fs(sendmail_t) + fs_search_auto_mountpoints(sendmail_t) ++fs_rw_anon_inodefs_files(sendmail_t) ++fs_list_inotifyfs(sendmail_t) - selinux_validate_context(xserver_t) - selinux_compute_access_vector(xserver_t) -@@ -720,6 +860,7 @@ + term_dontaudit_use_console(sendmail_t) - miscfiles_read_localization(xserver_t) - miscfiles_read_fonts(xserver_t) -+miscfiles_read_hwdata(xserver_t) + # for piping mail to a command + corecmd_exec_shell(sendmail_t) ++corecmd_exec_bin(sendmail_t) - modutils_domtrans_insmod(xserver_t) + domain_use_interactive_fds(sendmail_t) -@@ -742,7 +883,7 @@ - ') + files_read_etc_files(sendmail_t) ++files_read_usr_files(sendmail_t) + files_search_spool(sendmail_t) + # for piping mail to a command + files_read_etc_runtime_files(sendmail_t) ++files_read_all_tmp_files(sendmail_t) - ifdef(`enable_mls',` -- range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; -+# range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; - range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; - ') + init_use_fds(sendmail_t) + init_use_script_ptys(sendmail_t) + # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console + init_read_utmp(sendmail_t) + init_dontaudit_write_utmp(sendmail_t) ++init_rw_script_tmp_files(sendmail_t) -@@ -774,6 +915,10 @@ - ') + auth_use_nsswitch(sendmail_t) - optional_policy(` -+ devicekit_power_signal(xserver_t) 
-+') -+ -+optional_policy(` - rhgb_getpgid(xserver_t) - rhgb_signal(xserver_t) - ') -@@ -806,7 +951,7 @@ - allow xserver_t xdm_var_lib_t:file { getattr read }; - dontaudit xserver_t xdm_var_lib_t:dir search; +@@ -89,23 +100,38 @@ + libs_read_lib_files(sendmail_t) --allow xserver_t xdm_var_run_t:file read_file_perms; -+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) + logging_send_syslog_msg(sendmail_t) ++logging_dontaudit_write_generic_logs(sendmail_t) - # Label pid and temporary files with derived types. - manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +972,14 @@ - # to read ROLE_home_t - examine this in more detail - # (xauth?) - userdom_read_user_home_content_files(xserver_t) -+userdom_read_all_users_state(xserver_t) + miscfiles_read_certs(sendmail_t) + miscfiles_read_localization(sendmail_t) - xserver_use_user_fonts(xserver_t) + userdom_dontaudit_use_unpriv_user_fds(sendmail_t) +-userdom_dontaudit_search_user_home_dirs(sendmail_t) ++userdom_read_user_home_content_files(sendmail_t) + mta_read_config(sendmail_t) + mta_etc_filetrans_aliases(sendmail_t) + # Write to /etc/aliases and /etc/mail. +-mta_rw_aliases(sendmail_t) ++mta_manage_aliases(sendmail_t) + # Write to /var/spool/mail and /var/spool/mqueue. 
+ mta_manage_queue(sendmail_t) + mta_manage_spool(sendmail_t) ++mta_sendmail_exec(sendmail_t) ++ +optional_policy(` -+ userhelper_search_config(xserver_t) ++ cron_read_pipes(sendmail_t) +') -+ - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xserver_t) - fs_manage_nfs_files(xserver_t) -@@ -844,11 +994,14 @@ optional_policy(` - dbus_system_bus_client(xserver_t) + clamav_search_lib(sendmail_t) ++ clamav_stream_connect(sendmail_t) ++') + -+ optional_policy(` - hal_dbus_chat(xserver_t) ++optional_policy(` ++ cyrus_stream_connect(sendmail_t) ++') ++ ++optional_policy(` ++ kerberos_keytab_template(sendmail, sendmail_t) + ') + + optional_policy(` +@@ -113,13 +139,19 @@ ') + + optional_policy(` +- postfix_exec_master(sendmail_t) ++ munin_dontaudit_search_lib(sendmail_t) +') ++ ++optional_policy(` ++ postfix_domtrans_postdrop(sendmail_t) ++ postfix_domtrans_master(sendmail_t) + postfix_read_config(sendmail_t) + postfix_search_spool(sendmail_t) + ') optional_policy(` -- resmgr_stream_connect(xdm_t) -+ mono_rw_shm(xserver_t) + procmail_domtrans(sendmail_t) ++ procmail_rw_tmp_files(sendmail_t) ') optional_policy(` -@@ -856,6 +1009,11 @@ - rhgb_rw_tmpfs_files(xserver_t) +@@ -127,24 +159,29 @@ ') -+optional_policy(` -+ rpm_dontaudit_rw_shm(xserver_t) -+ rpm_rw_tmpfs_files(xserver_t) + optional_policy(` ++ sasl_connect(sendmail_t) +') + - ######################################## - # - # Rules common to all X window domains -@@ -881,6 +1039,8 @@ - # X Server - # can read server-owned resources - allow x_domain xserver_t:x_resource read; -+allow x_domain xserver_t:x_device { manage force_cursor }; ++optional_policy(` ++ spamd_stream_connect(sendmail_t) ++') + - # can mess with own clients - allow x_domain self:x_client { manage destroy }; ++optional_policy(` + udev_read_db(sendmail_t) + ') -@@ -905,6 +1065,8 @@ - # operations allowed on my windows - allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child 
manage send receive }; +-ifdef(`TODO',` +-allow sendmail_t etc_mail_t:dir rw_dir_perms; +-allow sendmail_t etc_mail_t:file manage_file_perms; +-# for the start script to run make -C /etc/mail +-allow initrc_t etc_mail_t:dir rw_dir_perms; +-allow initrc_t etc_mail_t:file manage_file_perms; +-allow system_mail_t initrc_t:fd use; +-allow system_mail_t initrc_t:fifo_file write; +- +-# When sendmail runs as user_mail_domain, it needs some extra permissions +-# to update /etc/mail/statistics. +-allow user_mail_domain etc_mail_t:file rw_file_perms; ++optional_policy(` ++ uucp_domtrans_uux(sendmail_t) ++') -+allow x_domain x_domain:x_drawable { get_property getattr list_child }; +-# Silently deny attempts to access /root. +-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; ++######################################## ++# ++# Unconfined sendmail local policy ++# Allow unconfined domain to run newalias and have transitions work ++# + - # X Colormaps - # can use the default colormap - allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1134,51 @@ - allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; - allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; ++optional_policy(` ++ mta_etc_filetrans_aliases(unconfined_sendmail_t) ++ unconfined_domain(unconfined_sendmail_t) ++') --ifdef(`TODO',` --tunable_policy(`allow_polyinstantiation',` --# xdm needs access for linking .X11-unix to poly /tmp --allow xdm_t polymember:dir { add_name remove_name write }; --allow xdm_t polymember:lnk_file { create unlink }; --# xdm needs access for copying .Xauthority into new home --allow xdm_t polymember:file { create getattr write }; -+allow xserver_unconfined_type self:x_drawable all_x_drawable_perms; -+allow xserver_unconfined_type self:x_screen all_x_screen_perms; -+allow xserver_unconfined_type self:x_gc all_x_gc_perms; -+allow xserver_unconfined_type self:x_font all_x_font_perms; -+allow 
xserver_unconfined_type self:x_colormap all_x_colormap_perms; -+allow xserver_unconfined_type self:x_property all_x_property_perms; -+allow xserver_unconfined_type self:x_selection all_x_selection_perms; -+allow xserver_unconfined_type self:x_cursor all_x_cursor_perms; -+allow xserver_unconfined_type self:x_client all_x_client_perms; -+allow xserver_unconfined_type self:x_device all_x_device_perms; -+allow xserver_unconfined_type self:x_server all_x_server_perms; -+allow xserver_unconfined_type self:x_extension all_x_extension_perms; -+allow xserver_unconfined_type self:x_resource all_x_resource_perms; -+allow xserver_unconfined_type self:x_event all_x_event_perms; -+allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms; +-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; +-') dnl end TODO +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.12/policy/modules/services/setroubleshoot.fc +--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,3 +1,5 @@ ++/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + -+optional_policy(` -+ unconfined_rw_shm(xserver_t) -+ unconfined_execmem_rw_shm(xserver_t) + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) + + /var/run/setroubleshoot(/.*)? 
gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.12/policy/modules/services/setroubleshoot.if +--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.if 2009-04-07 16:01:44.000000000 -0400 +@@ -16,8 +16,8 @@ + ') + + files_search_pids($1) +- allow $1 setroubleshoot_var_run_t:sock_file write; +- allow $1 setroubleshootd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) ++ allow $1 setroubleshoot_var_run_t:sock_file read; + ') + + ######################################## +@@ -36,6 +36,69 @@ + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + +- dontaudit $1 setroubleshoot_var_run_t:sock_file write; ++ dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; + ') + -+ # xserver signals unconfined user on startx -+ unconfined_signal(xserver_t) -+ unconfined_getpgid(xserver_t) -+ unconfined_domain(xserver_t) ++######################################## ++## ++## Send and receive messages from ++## setroubleshoot over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_dbus_chat',` ++ gen_require(` ++ type setroubleshootd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 setroubleshootd_t:dbus send_msg; ++ allow setroubleshootd_t $1:dbus send_msg; +') + ++######################################## ++## ++## All of the rules required to administrate ++## an setroubleshoot environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the setroubleshoot domain. 
++## ++## ++## ++# ++interface(`setroubleshoot_admin',` ++ gen_require(` ++ type setroubleshootd_t, setroubleshoot_log_t; ++ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; ++ type setroubleshoot_initrc_exec_t; ++ ') + -+tunable_policy(`allow_xserver_execmem',` -+ allow xserver_t self:process { execheap execmem execstack }; -+') ++ allow $1 setroubleshootd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, setroubleshootd_t) ++ ++ init_labeled_script_domtrans($1, setroubleshoot_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 setroubleshoot_initrc_exec_t system_r; ++ allow $2 system_r; + -+# Hack to handle the problem of using the nvidia blobs -+tunable_policy(`allow_execmem',` -+ allow xdm_t self:process execmem; -+') ++ logging_list_logs($1) ++ admin_pattern($1, setroubleshoot_log_t) + -+tunable_policy(`allow_execstack',` -+ allow xdm_t self:process { execstack execmem }; -+') ++ files_list_var_lib($1) ++ admin_pattern($1, setroubleshoot_var_lib_t) + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_append_nfs_files(xdmhomewriter) ++ files_list_pids($1) ++ admin_pattern($1, setroubleshoot_var_run_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-04-07 16:01:44.000000000 -0400 +@@ -11,6 +11,9 @@ + domain_type(setroubleshootd_t) + init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) + ++type setroubleshoot_initrc_exec_t; ++init_script_file(setroubleshoot_initrc_exec_t) + -+tunable_policy(`use_samba_home_dirs',` -+ fs_append_cifs_files(xdmhomewriter) - ') + type setroubleshoot_var_lib_t; + files_type(setroubleshoot_var_lib_t) --# --# Wants to delete .xsession-errors file --# --allow xdm_t user_home_type:file unlink; 
--') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.12/policy/modules/services/zosremote.if ---- nsaserefpolicy/policy/modules/services/zosremote.if 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/zosremote.if 2009-04-07 16:01:44.000000000 -0400 -@@ -12,7 +12,7 @@ +@@ -27,8 +30,10 @@ + # setroubleshootd local policy # - interface(`zosremote_domtrans',` - gen_require(` -- type zos_remote_t, type zos_remote_exec_t; -+ type zos_remote_t, zos_remote_exec_t; - ') - - domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.12/policy/modules/system/application.te ---- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/application.te 2009-04-07 16:01:44.000000000 -0400 -@@ -7,8 +7,18 @@ - # Executables to be run by user - attribute application_exec_type; -+userdom_append_user_home_content_files(application_domain_type) -+userdom_write_user_tmp_files(application_domain_type) -+logging_rw_all_logs(application_domain_type) -+ -+files_dontaudit_search_all_dirs(application_domain_type) -+ - optional_policy(` - ssh_sigchld(application_domain_type) - ssh_rw_stream_sockets(application_domain_type) - ') +-allow setroubleshootd_t self:capability { dac_override sys_tty_config }; +-allow setroubleshootd_t self:process { signull signal getattr getsched }; ++allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; ++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; ++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run ++allow setroubleshootd_t self:process { execmem execstack }; + allow setroubleshootd_t self:fifo_file 
rw_fifo_file_perms; + allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; + allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -52,7 +57,10 @@ -+optional_policy(` -+ sudo_sigchld(application_domain_type) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -7,12 +7,10 @@ - /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + kernel_read_kernel_sysctls(setroubleshootd_t) + kernel_read_system_state(setroubleshootd_t) ++kernel_read_net_sysctls(setroubleshootd_t) + kernel_read_network_state(setroubleshootd_t) ++kernel_dontaudit_list_all_proc(setroubleshootd_t) ++kernel_read_unlabeled_state(setroubleshootd_t) --/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) --/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) -- - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ifdef(`distro_suse', ` -@@ -40,6 +38,10 @@ - /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) + corecmd_exec_bin(setroubleshootd_t) + corecmd_exec_shell(setroubleshootd_t) +@@ -68,16 +76,24 @@ - /var/run/console(/.*)? 
gen_context(system_u:object_r:pam_var_console_t,s0) -- - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+ - /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+ -+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-04-07 16:01:44.000000000 -0400 -@@ -43,20 +43,38 @@ - interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t; -+ type auth_cache_t; - ') + dev_read_urand(setroubleshootd_t) + dev_read_sysfs(setroubleshootd_t) ++dev_getattr_all_blk_files(setroubleshootd_t) ++dev_getattr_all_chr_files(setroubleshootd_t) - domain_type($1) -+ domain_poly($1) -+ - domain_subj_id_change_exemption($1) - domain_role_change_exemption($1) - domain_obj_id_change_exemption($1) - role system_r types $1; + domain_dontaudit_search_all_domains_state(setroubleshootd_t) -+ # Needed for pam_selinux_permit to cleanup properly -+ domain_read_all_domains_state($1) -+ domain_kill_all_domains($1) -+ -+ # pam_keyring -+ allow $1 self:capability ipc_lock; -+ allow $1 self:process setkeycreate; -+ allow $1 self:key manage_key_perms; -+ userdom_manage_all_users_keys($1) -+ - files_list_var_lib($1) - manage_files_pattern($1, var_auth_t, var_auth_t) + files_read_usr_files(setroubleshootd_t) + files_read_etc_files(setroubleshootd_t) +-files_getattr_all_dirs(setroubleshootd_t) ++files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) ++files_getattr_all_pipes(setroubleshootd_t) ++files_getattr_all_sockets(setroubleshootd_t) - # needed for afs - 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_rw_afs_state($1) + fs_getattr_all_dirs(setroubleshootd_t) + fs_getattr_all_files(setroubleshootd_t) ++fs_read_fusefs_symlinks(setroubleshootd_t) ++fs_dontaudit_read_nfs_files(setroubleshootd_t) ++fs_dontaudit_read_cifs_files(setroubleshootd_t) ++fs_list_inotifyfs(setroubleshootd_t) -+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -+ manage_files_pattern($1, auth_cache_t, auth_cache_t) -+ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) -+ files_var_filetrans($1, auth_cache_t, dir) -+ - # for SSP/ProPolice - dev_read_urand($1) - # for fingerprint readers -@@ -90,6 +108,7 @@ - auth_rw_faillog($1) - auth_exec_pam($1) - auth_use_nsswitch($1) -+ auth_manage_pam_pid($1) + selinux_get_enforce_mode(setroubleshootd_t) + selinux_validate_context(setroubleshootd_t) +@@ -94,22 +110,24 @@ - init_rw_utmp($1) + locallogin_dontaudit_use_fds(setroubleshootd_t) -@@ -100,11 +119,40 @@ - seutil_read_config($1) - seutil_read_default_contexts($1) ++logging_send_audit_msgs(setroubleshootd_t) + logging_send_syslog_msg(setroubleshootd_t) + logging_stream_connect_dispatcher(setroubleshootd_t) -- tunable_policy(`allow_polyinstantiation',` -- files_polyinstantiate_all($1) -+ userdom_set_rlimitnh($1) -+ userdom_read_user_home_content_symlinks($1) -+ userdom_delete_user_tmp_files($1) -+ userdom_search_admin_dir($1) -+ -+ optional_policy(` -+ afs_rw_udp_sockets($1) -+ ') -+ -+ optional_policy(` -+ dbus_system_bus_client($1) -+ optional_policy(` -+ oddjob_dbus_chat($1) -+ oddjob_domtrans_mkhomedir($1) - ') + seutil_read_config(setroubleshootd_t) + seutil_read_file_contexts(setroubleshootd_t) +- +-sysnet_read_config(setroubleshootd_t) ++seutil_read_bin_policy(setroubleshootd_t) + + userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) + + optional_policy(` + dbus_system_bus_client(setroubleshootd_t) + dbus_connect_system_bus(setroubleshootd_t) ++ dbus_system_domain(setroubleshootd_t, 
setroubleshootd_exec_t) ') -+ optional_policy(` -+ corecmd_exec_bin($1) -+ storage_getattr_fixed_disk_dev($1) -+ mount_domtrans($1) -+ ') -+ -+ optional_policy(` -+ nis_authenticate($1) -+ ') -+ -+ optional_policy(` -+ ssh_agent_exec($1) -+ userdom_read_user_home_content_files($1) -+ ') -+ + optional_policy(` ++ rpm_signull(setroubleshootd_t) + rpm_read_db(setroubleshootd_t) + rpm_dontaudit_manage_db(setroubleshootd_t) + rpm_use_script_fds(setroubleshootd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te +--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/smartmon.te 2009-04-07 16:01:44.000000000 -0400 +@@ -19,6 +19,10 @@ + type fsdaemon_tmp_t; + files_tmp_file(fsdaemon_tmp_t) + ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(fsdaemon_t,fsdaemon_exec_t,mls_systemhigh) +') + ######################################## - ## - ## Use the login program as an entry point program. 
-@@ -197,8 +245,11 @@ - interface(`auth_domtrans_chk_passwd',` - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; -+ type auth_cache_t; - ') + # + # Local policy +@@ -26,7 +30,7 @@ -+ allow $1 auth_cache_t:dir search_dir_perms; -+ - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + allow fsdaemon_t self:capability { setgid sys_rawio sys_admin }; + dontaudit fsdaemon_t self:capability sys_tty_config; +-allow fsdaemon_t self:process signal_perms; ++allow fsdaemon_t self:process { signal_perms setfscreate }; + allow fsdaemon_t self:fifo_file rw_fifo_file_perms; + allow fsdaemon_t self:unix_dgram_socket create_socket_perms; + allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; +@@ -52,6 +56,7 @@ + corenet_udp_sendrecv_generic_node(fsdaemon_t) + corenet_udp_sendrecv_all_ports(fsdaemon_t) -@@ -207,19 +258,16 @@ - dev_read_rand($1) - dev_read_urand($1) ++dev_delete_generic_dirs(fsdaemon_t) + dev_read_sysfs(fsdaemon_t) + dev_read_urand(fsdaemon_t) -+ auth_use_nsswitch($1) -+ auth_rw_faillog($1) -+ - logging_send_audit_msgs($1) +@@ -67,9 +72,11 @@ - miscfiles_read_certs($1) + mls_file_read_all_levels(fsdaemon_t) -- sysnet_dns_name_resolve($1) -- sysnet_use_ldap($1) -- -- optional_policy(` -- kerberos_use($1) -- ') -- - optional_policy(` -- nis_use_ypbind($1) -+ kerberos_read_keytab($1) -+ kerberos_connect_524($1) - ') ++storage_dev_filetrans_fixed_disk(fsdaemon_t) + storage_raw_read_fixed_disk(fsdaemon_t) + storage_raw_write_fixed_disk(fsdaemon_t) + storage_raw_read_removable_device(fsdaemon_t) ++storage_manage_fixed_disk(fsdaemon_t) - optional_policy(` -@@ -230,6 +278,29 @@ - optional_policy(` - samba_stream_connect_winbind($1) - ') -+ auth_domtrans_upd_passwd($1) -+') -+ -+######################################## -+## -+## Run unix_chkpwd to check a password. -+## Stripped down version to be called within boolean -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`auth_domtrans_chkpwd',` -+ gen_require(` -+ type chkpwd_t, chkpwd_exec_t, shadow_t; -+ ') + term_dontaudit_search_ptys(fsdaemon_t) + +@@ -80,6 +87,8 @@ + + miscfiles_read_localization(fsdaemon_t) + ++selinux_validate_context(fsdaemon_t) + -+ corecmd_search_bin($1) -+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -+ dontaudit $1 shadow_t:file { getattr read }; -+ auth_domtrans_upd_passwd($1) - ') + sysnet_dns_name_resolve(fsdaemon_t) - ######################################## -@@ -254,6 +325,7 @@ + userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) +@@ -91,6 +100,7 @@ - auth_domtrans_chk_passwd($1) - role $2 types chkpwd_t; -+ auth_run_upd_passwd($1, $2) + optional_policy(` + seutil_sigchld_newrole(fsdaemon_t) ++ seutil_read_file_contexts(fsdaemon_t) ') - ######################################## -@@ -650,7 +722,7 @@ + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.12/policy/modules/services/snmp.fc +--- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/snmp.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -20,5 +20,5 @@ - ######################################## - ## --## Execute pam programs in the pam domain. -+## Send signal to pam process - ## - ## - ## -@@ -1031,6 +1103,32 @@ + /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) - ######################################## - ## -+## rw all files on the filesystem, except -+## the shadow passwords and listed exceptions. -+## -+## -+## -+## The type of the domain perfoming this action. -+## -+## -+## -+## -+## The types to be excluded. Each type or attribute -+## must be negated by the caller. -+## -+## -+# -+ -+interface(`auth_rw_all_files_except_shadow',` -+ gen_require(` -+ type shadow_t; -+ ') +-/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/snmpd(/.*)? 
gen_context(system_u:object_r:snmpd_var_run_t,s0) + /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.12/policy/modules/services/snmp.te +--- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/snmp.te 2009-04-07 16:01:44.000000000 -0400 +@@ -71,6 +71,7 @@ + corenet_tcp_bind_snmp_port(snmpd_t) + corenet_udp_bind_snmp_port(snmpd_t) + corenet_sendrecv_snmp_server_packets(snmpd_t) ++corenet_tcp_connect_agentx_port(snmpd_t) + + dev_list_sysfs(snmpd_t) + dev_read_sysfs(snmpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.12/policy/modules/services/snort.te +--- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/snort.te 2009-04-07 16:01:44.000000000 -0400 +@@ -56,6 +56,7 @@ + files_pid_filetrans(snort_t, snort_var_run_t, file) + + kernel_read_kernel_sysctls(snort_t) ++kernel_read_sysctl(snort_t) + kernel_list_proc(snort_t) + kernel_read_proc_symlinks(snort_t) + kernel_dontaudit_read_system_state(snort_t) +@@ -70,6 +71,7 @@ + corenet_raw_sendrecv_generic_node(snort_t) + corenet_tcp_sendrecv_all_ports(snort_t) + corenet_udp_sendrecv_all_ports(snort_t) ++corenet_tcp_connect_prelude_port(snort_t) + + dev_read_sysfs(snort_t) + dev_read_rand(snort_t) +@@ -94,6 +96,13 @@ + userdom_dontaudit_use_unpriv_user_fds(snort_t) + userdom_dontaudit_search_user_home_dirs(snort_t) + ++# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager ++sysnet_dns_name_resolve(snort_t) + -+ files_rw_all_files($1,$2 -shadow_t) ++optional_policy(` ++ prelude_manage_spool(snort_t) +') + -+######################################## -+## - ## Manage all files on the filesystem, except - 
## the shadow passwords and listed exceptions. - ## -@@ -1297,6 +1395,14 @@ - ') - - optional_policy(` -+ ldap_stream_connect($1) -+ ') + optional_policy(` + seutil_sigchld_newrole(snort_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc +--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,15 +1,24 @@ +-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) ++HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + -+ optional_policy(` -+ kerberos_use($1) -+ ') ++/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + + /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) +-/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) ++/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) + /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) +-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/spamd -- gen_context(system_u:object_r:spamassassin_exec_t,s0) + + /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) + + /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) + ++/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) + -+ optional_policy(` - nis_use_ypbind($1) - ') + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -@@ -1305,8 +1411,13 @@ + /var/spool/spamassassin(/.*)? 
gen_context(system_u:object_r:spamd_spool_t,s0) + /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.12/policy/modules/services/spamassassin.if +--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.if 2009-04-07 16:01:44.000000000 -0400 +@@ -111,6 +111,7 @@ ') - optional_policy(` -+ sssd_stream_connect($1) -+ ') -+ -+ optional_policy(` - samba_stream_connect_winbind($1) - samba_read_var_files($1) -+ samba_dontaudit_write_var_files($1) + domtrans_pattern($1, spamc_exec_t, spamc_t) ++ allow $1 spamc_exec_t:file ioctl; + ') + + ######################################## +@@ -166,6 +167,7 @@ ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') -@@ -1341,3 +1452,99 @@ - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; +@@ -225,3 +227,69 @@ + + dontaudit $1 spamd_tmp_t:sock_file getattr; ') + +######################################## +## -+## Search authentication cache ++## Connect to run spamd. +## +## +## -+## Domain allowed access. ++## Domain allowed to connect. 
+## +## -+## +# -+interface(`auth_search_cache',` ++interface(`spamd_stream_connect',` + gen_require(` -+ type auth_cache_t; ++ type spamd_t, spamd_var_run_t; + ') + -+ allow $1 auth_cache_t:dir search_dir_perms; ++ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + +######################################## +## -+## Read authentication cache ++## All of the rules required to administrate ++## an spamassassin environment +## +## +## +## Domain allowed access. +## +## -+## -+# -+interface(`auth_read_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') -+ -+ read_files_pattern($1, auth_cache_t, auth_cache_t) -+') -+ -+######################################## -+## -+## Read/Write authentication cache -+## -+## ++## +## -+## Domain allowed access. ++## The role to be allowed to manage the spamassassin domain. +## +## +## +# -+interface(`auth_rw_cache',` ++interface(`spamassassin_spamd_admin',` + gen_require(` -+ type auth_cache_t; ++ type spamd_t, spamd_tmp_t, spamd_log_t; ++ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; ++ type spamd_initrc_exec_t; + ') + -+ rw_files_pattern($1, auth_cache_t, auth_cache_t) -+') -+######################################## -+## -+## Manage authentication cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`auth_manage_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') ++ allow $1 spamd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, spamd_t, spamd_t) ++ ++ init_labeled_script_domtrans($1, spamd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 spamd_initrc_exec_t system_r; ++ allow $2 system_r; + -+ manage_files_pattern($1, auth_cache_t, auth_cache_t) -+') ++ files_list_tmp($1) ++ admin_pattern($1, spamd_tmp_t) + -+####################################### -+## -+## Automatic transition from cache_t to cache. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`auth_filetrans_cache',` -+ gen_require(` -+ type auth_cache_t; -+ ') ++ logging_list_logs($1) ++ admin_pattern($1, spamd_log_t) + -+ manage_files_pattern($1, auth_cache_t, auth_cache_t) -+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -+ files_var_filetrans($1,auth_cache_t,{ file dir } ) -+') ++ files_list_spool($1) ++ admin_pattern($1, spamd_spool_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.te 2009-04-07 16:01:44.000000000 -0400 -@@ -12,7 +12,7 @@ - - type chkpwd_t, can_read_shadow_passwords; - type chkpwd_exec_t; --typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; -+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t }; - typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; - application_domain(chkpwd_t, chkpwd_exec_t) - role system_r types chkpwd_t; -@@ -63,6 +63,9 @@ - type utempter_exec_t; - application_domain(utempter_t,utempter_exec_t) - -+type auth_cache_t; -+logging_log_file(auth_cache_t) ++ files_list_var_lib($1) ++ admin_pattern($1, spamd_var_lib_t) + - # - # var_auth_t is the type of /var/lib/auth, usually - # used for auth data in pam_able -@@ -121,9 +124,18 @@ - ') - - optional_policy(` -+ # apache leaks file descriptors -+ apache_dontaudit_rw_tcp_sockets(chkpwd_t) ++ files_list_pids($1) ++ admin_pattern($1, spamd_var_run_t) +') -+ -+optional_policy(` - kerberos_use(chkpwd_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te +--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 ++++ 
serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-07 16:01:44.000000000 -0400 +@@ -20,6 +20,35 @@ + ## + gen_tunable(spamd_enable_home_dirs, true) -+optional_policy(` -+ nis_authenticate(chkpwd_t) -+') ++ifdef(`distro_redhat',` ++# spamassassin client executable ++type spamc_t; ++type spamc_exec_t; ++application_domain(spamc_t, spamc_exec_t) ++role system_r types spamc_t; + - ######################################## - # - # PAM local policy -@@ -168,6 +180,11 @@ ++type spamd_etc_t; ++files_config_file(spamd_etc_t) ++ ++typealias spamc_exec_t alias spamassassin_exec_t; ++typealias spamc_t alias spamassassin_t; ++ ++type spamc_home_t; ++userdom_user_home_content(spamc_home_t) ++typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; ++typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; ++typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; ++typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; ++ ++type spamc_tmp_t; ++files_tmp_file(spamc_tmp_t) ++typealias spamc_tmp_t alias spamassassin_tmp_t; ++typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; ++typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; ++ ++typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; ++typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; ++', ` + type spamassassin_t; + type spamassassin_exec_t; + typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; +@@ -51,11 +80,18 @@ + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; + files_tmp_file(spamc_tmp_t) + ubac_constrained(spamc_tmp_t) ++') - logging_send_syslog_msg(pam_t) + type spamd_t; + type spamd_exec_t; + init_daemon_domain(spamd_t, 
spamd_exec_t) -+userdom_write_user_tmp_files(pam_t) -+userdom_delete_user_tmp_files(pam_t) -+userdom_dontaudit_read_user_home_content_files(pam_t) -+userdom_dontaudit_write_user_home_content_files(pam_t) ++type spamd_initrc_exec_t; ++init_script_file(spamd_initrc_exec_t) + - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(pam_t) -@@ -183,7 +200,7 @@ - # PAM console local policy - # ++type spamd_log_t; ++logging_log_file(spamd_log_t) ++ + type spamd_spool_t; + files_type(spamd_spool_t) --allow pam_console_t self:capability { chown fowner fsetid }; -+allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid }; - dontaudit pam_console_t self:capability sys_tty_config; +@@ -159,6 +195,7 @@ + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) ++ corenet_udp_bind_generic_node(spamassassin_t) - allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; -@@ -201,6 +218,8 @@ - dev_read_sysfs(pam_console_t) - dev_getattr_apm_bios_dev(pam_console_t) - dev_setattr_apm_bios_dev(pam_console_t) -+dev_getattr_cpu_dev(pam_console_t) -+dev_setattr_cpu_dev(pam_console_t) - dev_getattr_dri_dev(pam_console_t) - dev_setattr_dri_dev(pam_console_t) - dev_getattr_input_dev(pam_console_t) -@@ -225,6 +244,10 @@ - dev_setattr_video_dev(pam_console_t) - dev_getattr_xserver_misc_dev(pam_console_t) - dev_setattr_xserver_misc_dev(pam_console_t) + sysnet_read_config(spamassassin_t) + ') +@@ -216,16 +253,31 @@ + allow spamc_t self:unix_stream_socket connectto; + allow spamc_t self:tcp_socket create_stream_socket_perms; + allow spamc_t self:udp_socket create_socket_perms; ++corenet_all_recvfrom_unlabeled(spamc_t) ++corenet_all_recvfrom_netlabel(spamc_t) ++corenet_tcp_sendrecv_generic_if(spamc_t) ++corenet_tcp_sendrecv_generic_node(spamc_t) ++corenet_tcp_connect_spamd_port(spamc_t) + -+dev_getattr_all_chr_files(pam_console_t) 
-+dev_setattr_all_chr_files(pam_console_t) + + manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) + manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) + files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + ++manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) ++userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) + - dev_read_urand(pam_console_t) + # Allow connecting to a local spamd + allow spamc_t spamd_t:unix_stream_socket connectto; + allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; ++spamd_stream_connect(spamc_t) - mls_file_read_all_levels(pam_console_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.12/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/fstools.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,4 +1,3 @@ --/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -21,7 +20,6 @@ - /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) --/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.12/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/fstools.te 2009-04-07 16:01:44.000000000 -0400 -@@ -97,6 +97,10 @@ - fs_getattr_tmpfs_dirs(fsadm_t) - fs_read_tmpfs_symlinks(fsadm_t) + kernel_read_kernel_sysctls(spamc_t) ++kernel_read_system_state(spamc_t) -+fs_manage_nfs_files(fsadm_t) + corenet_all_recvfrom_unlabeled(spamc_t) + corenet_all_recvfrom_netlabel(spamc_t) +@@ -255,9 +307,15 @@ + files_dontaudit_search_var(spamc_t) + # cjp: this may be removable: + files_list_home(spamc_t) ++files_list_var_lib(spamc_t) ++read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + -+fs_manage_cifs_files(fsadm_t) ++fs_search_auto_mountpoints(spamc_t) + + logging_send_syslog_msg(spamc_t) + ++auth_use_nsswitch(spamc_t) + - mls_file_read_all_levels(fsadm_t) - mls_file_write_all_levels(fsadm_t) + miscfiles_read_localization(spamc_t) -@@ -150,8 +154,7 @@ + # cjp: this should probably be removed: +@@ -265,31 +323,35 @@ - seutil_read_config(fsadm_t) + sysnet_read_config(spamc_t) --userdom_use_user_terminals(fsadm_t) --userdom_use_unpriv_users_fds(fsadm_t) -+term_use_all_terms(fsadm_t) +-# cjp: this should probably be removed: +-tunable_policy(`read_default_t',` +- files_list_default(spamc_t) +- files_read_default_files(spamc_t) +- files_read_default_symlinks(spamc_t) +- files_read_default_sockets(spamc_t) +- files_read_default_pipes(spamc_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(spamc_t) ++ fs_manage_nfs_files(spamc_t) ++ fs_manage_nfs_symlinks(spamc_t) + ') - ifdef(`distro_redhat',` - optional_policy(` -@@ -188,4 +191,6 @@ +-optional_policy(` +- # Allow connection to spamd socket above +- evolution_stream_connect(spamc_t) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(spamc_t) ++ 
fs_manage_cifs_files(spamc_t) ++ fs_manage_cifs_symlinks(spamc_t) + ') optional_policy(` - xen_append_log(fsadm_t) -+ xen_rw_image_files(fsadm_t) +- nis_use_ypbind(spamc_t) ++ # Allow connection to spamd socket above ++ evolution_stream_connect(spamc_t) ') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.12/policy/modules/system/hostname.te ---- nsaserefpolicy/policy/modules/system/hostname.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/hostname.te 2009-04-07 16:01:44.000000000 -0400 -@@ -8,7 +8,9 @@ - type hostname_t; - type hostname_exec_t; --init_system_domain(hostname_t,hostname_exec_t) -+ -+#dont transition from initrc -+application_domain(hostname_t, hostname_exec_t) - role system_r types hostname_t; + optional_policy(` +- nscd_socket_use(spamc_t) ++ postfix_domtrans_postdrop(spamc_t) ++ postfix_search_spool(spamc_t) ++ postfix_rw_local_pipes(spamc_t) + ') + + optional_policy(` ++ mta_send_mail(spamc_t) + mta_read_config(spamc_t) ++ mta_read_queue(spamc_t) + sendmail_stub(spamc_t) ++ sendmail_rw_pipes(spamc_t) + ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -4,8 +4,7 @@ - /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +@@ -301,7 +363,7 @@ + # setuids to the user running spamc. Comment this if you are not + # using this ability. 
- /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) --/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) --/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) +-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; ++allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; + dontaudit spamd_t self:capability sys_tty_config; + allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow spamd_t self:fd use; +@@ -317,10 +379,13 @@ + allow spamd_t self:unix_stream_socket connectto; + allow spamd_t self:tcp_socket create_stream_socket_perms; + allow spamd_t self:udp_socket create_socket_perms; +-allow spamd_t self:netlink_route_socket r_netlink_socket_perms; ++ ++manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) ++logging_log_filetrans(spamd_t, spamd_log_t, file) - /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) ++manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) -@@ -45,6 +44,8 @@ - /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -329,10 +394,11 @@ -+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) -+ - # - # /var - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ 
serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-07 16:01:44.000000000 -0400 -@@ -280,6 +280,28 @@ - kernel_dontaudit_use_fds($1) - ') - ') -+ -+ userdom_dontaudit_search_user_home_dirs($1) -+ userdom_dontaudit_rw_stream($1) -+ -+ tunable_policy(`allow_daemons_use_tty',` -+ term_use_all_user_ttys($1) -+ term_use_all_user_ptys($1) -+ ',` -+ term_dontaudit_use_all_user_ttys($1) -+ term_dontaudit_use_all_user_ptys($1) -+ ') -+ -+ # these apps are often redirect output to random log files -+ logging_rw_all_logs($1) -+ -+ optional_policy(` -+ cron_rw_pipes($1) -+ ') -+ -+ optional_policy(` -+ xserver_rw_xdm_home_files($1) -+ ') - ') + # var/lib files for spamd + allow spamd_t spamd_var_lib_t:dir list_dir_perms; +-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) ++manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - ######################################## -@@ -546,7 +568,7 @@ + manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) ++manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) - # upstart uses a datagram socket instead of initctl pipe - allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 init_t:unix_dgram_socket sendto; -+ init_chat($1) - ') - ') + kernel_read_all_sysctls(spamd_t) +@@ -382,22 +448,27 @@ -@@ -619,18 +641,19 @@ - # - interface(`init_spec_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; - ') + init_dontaudit_rw_utmp(spamd_t) - files_list_etc($1) -- spec_domtrans_pattern($1,initrc_exec_t,initrc_t) -+ spec_domtrans_pattern($1, init_script_file_type, initrc_t) ++auth_use_nsswitch(spamd_t) ++ + logging_send_syslog_msg(spamd_t) - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') + 
miscfiles_read_localization(spamd_t) - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') +-sysnet_read_config(spamd_t) +-sysnet_use_ldap(spamd_t) +-sysnet_dns_name_resolve(spamd_t) +- + userdom_use_unpriv_users_fds(spamd_t) + userdom_search_user_home_dirs(spamd_t) + ++optional_policy(` ++ exim_manage_spool_dirs(spamd_t) ++ exim_manage_spool_files(spamd_t) ++') ++ + tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(spamd_t) + fs_manage_nfs_files(spamd_t) ') -@@ -646,23 +669,43 @@ - # - interface(`init_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; - ') + tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(spamd_t) + fs_manage_cifs_files(spamd_t) + ') - files_list_etc($1) -- domtrans_pattern($1,initrc_exec_t,initrc_t) -+ domtrans_pattern($1, init_script_file_type, initrc_t) +@@ -415,6 +486,7 @@ - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') + optional_policy(` + dcc_domtrans_client(spamd_t) ++ dcc_signal_client(spamd_t) + dcc_stream_connect_dccifd(spamd_t) + ') - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') +@@ -424,10 +496,6 @@ ') - ######################################## - ## -+## Execute a file in a bin directory -+## in the initrc_t domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`init_bin_domtrans_spec',` -+ gen_require(` -+ type initrc_t; + optional_policy(` +- nis_use_ypbind(spamd_t) +-') +- +-optional_policy(` + postfix_read_config(spamd_t) + ') + +@@ -442,6 +510,10 @@ + + optional_policy(` + razor_domtrans(spamd_t) ++ razor_read_lib_files(spamd_t) ++ tunable_policy(`spamd_enable_home_dirs',` ++ razor_manage_user_home_files(spamd_t) + ') + ') + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.12/policy/modules/services/squid.fc +--- nsaserefpolicy/policy/modules/services/squid.fc 2008-10-08 19:00:27.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/squid.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -6,7 +6,11 @@ + /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) + /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) + ++/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + -+ corecmd_bin_domtrans($1, initrc_t) -+') + /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) ++/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) + -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -1291,6 +1334,25 @@ + /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) + /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.12/policy/modules/services/squid.if +--- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/squid.if 2009-04-07 16:01:44.000000000 -0400 +@@ -21,6 +21,25 @@ ######################################## ## -+## Read init script temporary data. 
++## Execute squid +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`init_read_script_tmp_files',` ++interface(`squid_exec',` + gen_require(` -+ type initrc_tmp_t; ++ type squid_exec_t; + ') + -+ files_search_tmp($1) -+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ++ can_exec($1, squid_exec_t) +') + ++ +######################################## +## - ## Create files in a init script - ## temporary data directory. + ## Send generic signals to squid. ## -@@ -1521,3 +1583,51 @@ - ') - corenet_udp_recvfrom_labeled($1, daemon) + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te +--- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/squid.te 2009-04-07 16:01:44.000000000 -0400 +@@ -118,6 +118,9 @@ + + fs_getattr_all_fs(squid_t) + fs_search_auto_mountpoints(squid_t) ++#squid requires the following when run in diskd mode, the recommended setting ++fs_rw_tmpfs_files(squid_t) ++fs_list_inotifyfs(squid_t) + + selinux_dontaudit_getattr_dir(squid_t) + +@@ -185,8 +188,3 @@ + optional_policy(` + udev_read_db(squid_t) ') +- +-ifdef(`TODO',` +-#squid requires the following when run in diskd mode, the recommended setting +-allow squid_t tmpfs_t:file { read write }; +-') dnl end TODO +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.12/policy/modules/services/ssh.fc +--- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -14,3 +14,5 @@ + /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) + + /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + 
-+######################################## -+## -+## Transition to system_r when execute an init script -+## -+## -+##

-+## Execute a init script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##
-+## ++/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if +--- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-07 16:01:44.000000000 -0400 +@@ -36,6 +36,7 @@ + gen_require(` + attribute ssh_server; + type ssh_exec_t, sshd_key_t, sshd_tmp_t; ++ type home_ssh_t; + ') + + ############################## +@@ -47,9 +48,6 @@ + application_domain($1_ssh_t, ssh_exec_t) + role $3 types $1_ssh_t; + +- type $1_home_ssh_t; +- files_type($1_home_ssh_t) +- + ############################## + # + # Client local policy +@@ -65,8 +63,7 @@ + allow $1_ssh_t self:sem create_sem_perms; + allow $1_ssh_t self:msgq create_msgq_perms; + allow $1_ssh_t self:msg { send receive }; +- allow $1_ssh_t self:tcp_socket create_socket_perms; +- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; ++ allow $1_ssh_t self:tcp_socket create_stream_socket_perms; + + # for rsync + allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; +@@ -93,20 +90,21 @@ + ps_process_pattern($2, $1_ssh_t) + + # user can manage the keys and config +- manage_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) +- manage_lnk_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) +- manage_sock_files_pattern($2, $1_home_ssh_t, $1_home_ssh_t) ++ manage_files_pattern($2, home_ssh_t, home_ssh_t) ++ manage_lnk_files_pattern($2, home_ssh_t, home_ssh_t) ++ manage_sock_files_pattern($2, home_ssh_t, home_ssh_t) + + # ssh client can manage the keys and config +- manage_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) +- read_lnk_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t) ++ manage_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t) ++ read_lnk_files_pattern($1_ssh_t, home_ssh_t, home_ssh_t) + + # ssh servers can read the user keys and config +- allow ssh_server 
$1_home_ssh_t:dir list_dir_perms; +- read_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) +- read_lnk_files_pattern(ssh_server, $1_home_ssh_t, $1_home_ssh_t) ++ allow ssh_server home_ssh_t:dir list_dir_perms; ++ read_files_pattern(ssh_server, home_ssh_t, home_ssh_t) ++ read_lnk_files_pattern(ssh_server, home_ssh_t, home_ssh_t) + + kernel_read_kernel_sysctls($1_ssh_t) ++ kernel_read_system_state($1_ssh_t) + + corenet_all_recvfrom_unlabeled($1_ssh_t) + corenet_all_recvfrom_netlabel($1_ssh_t) +@@ -115,6 +113,8 @@ + corenet_tcp_sendrecv_all_ports($1_ssh_t) + corenet_tcp_connect_ssh_port($1_ssh_t) + corenet_sendrecv_ssh_client_packets($1_ssh_t) ++ corenet_tcp_bind_generic_node($1_ssh_t) ++ corenet_tcp_bind_all_unreserved_ports($1_ssh_t) + + dev_read_urand($1_ssh_t) + +@@ -132,6 +132,10 @@ + files_read_etc_runtime_files($1_ssh_t) + files_read_etc_files($1_ssh_t) + files_read_var_files($1_ssh_t) ++ # Required for FreeNX ++ files_read_var_lib_symlinks($1_t) ++ ++ auth_use_nsswitch($1_ssh_t) + + logging_send_syslog_msg($1_ssh_t) + logging_read_generic_logs($1_ssh_t) +@@ -140,9 +144,6 @@ + + seutil_read_config($1_ssh_t) + +- sysnet_read_config($1_ssh_t) +- sysnet_dns_name_resolve($1_ssh_t) +- + tunable_policy(`read_default_t',` + files_list_default($1_ssh_t) + files_read_default_files($1_ssh_t) +@@ -154,14 +155,6 @@ + optional_policy(` + kerberos_use($1_ssh_t) + ') +- +- optional_policy(` +- nis_use_ypbind($1_ssh_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_ssh_t) +- ') + ') + + ####################################### +@@ -194,13 +187,14 @@ + type $1_var_run_t; + files_pid_file($1_var_run_t) + +- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:process { signal setsched setrlimit 
setexec }; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + # ssh agent connections: + allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:shm create_shm_perms; + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; + term_create_pty($1_t,$1_devpts_t) +@@ -229,7 +223,12 @@ + corenet_udp_bind_generic_node($1_t) + corenet_tcp_bind_ssh_port($1_t) + corenet_tcp_connect_all_ports($1_t) ++ corenet_tcp_bind_all_unreserved_ports($1_t) ++ corenet_sendrecv_ssh_server_packets($1_t) ++ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) ++ # tunnel feature and -w (net_admin capability also) ++ corenet_rw_tun_tap_dev($1_t) + + fs_dontaudit_getattr_all_fs($1_t) + +@@ -254,9 +253,14 @@ + + userdom_dontaudit_relabelfrom_user_ptys($1_t) + userdom_search_user_home_dirs($1_t) ++ userdom_read_user_home_content_files($1_t) ++ ++ # Allow checking users mail at login ++ mta_getattr_spool($1_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files($1_t) ++ fs_read_nfs_symlinks($1_t) + ') + + tunable_policy(`use_samba_home_dirs',` +@@ -265,11 +269,7 @@ + + optional_policy(` + kerberos_use($1_t) +- ') +- +- optional_policy(` +- # Allow checking users mail at login +- mta_getattr_spool($1_t) ++ kerberos_manage_host_rcache($1_t) + ') + + optional_policy(` +@@ -454,6 +454,24 @@ + + ######################################## + ## ++## Send a generic signal to the ssh server. ++## ++## +## -+## Role to transition from. ++## Domain allowed access. +## +## +# -+interface(`init_script_role_transition',` ++interface(`ssh_signal',` + gen_require(` -+ attribute init_script_file_type; ++ type sshd_t; + ') + -+ role_transition $1 init_script_file_type system_r; ++ allow $1 sshd_t:process signal; +') + +######################################## +## -+## Send and receive unix_stream_messages with -+## init + ## Read a ssh server unnamed pipe. 
+ ## + ## +@@ -611,3 +629,42 @@ + + dontaudit $1 sshd_key_t:file { getattr read }; + ') ++ ++####################################### ++## ++## Delete from the ssh temp files. +## +## +## @@ -23863,1828 +21620,1621 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`init_chat',` ++interface(`ssh_delete_tmp',` + gen_require(` -+ type init_t; ++ type sshd_tmp_t; + ') + -+ allow $1 init_t:unix_dgram_socket sendto; -+ allow init_t $1:unix_dgram_socket sendto; ++ files_search_tmp($1) ++ delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-07 16:01:44.000000000 -0400 -@@ -17,6 +17,20 @@ - ##
- gen_tunable(init_upstart,false) - -+## -+##

-+## Allow all daemons the ability to read/write terminals -+##

-+##
-+gen_tunable(allow_daemons_use_tty, false) + -+## -+##

-+## Allow all daemons to write corefiles to / -+##

-+##
-+gen_tunable(allow_daemons_dump_core, false) ++######################################## ++## ++## Execute the ssh agent client in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_agent_exec',` ++ gen_require(` ++ type ssh_agent_exec_t; ++ ') + - # used for direct running of init scripts - # by admin domains - attribute direct_run_init; -@@ -88,7 +102,7 @@ - # ++ corecmd_search_bin($1) ++ can_exec($1, ssh_agent_exec_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te +--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-04-07 16:01:44.000000000 -0400 +@@ -41,6 +41,9 @@ + files_tmp_file(sshd_tmp_t) + files_poly_parent(sshd_tmp_t) - # Use capabilities. old rule: --allow init_t self:capability ~sys_module; -+allow init_t self:capability ~{ audit_control audit_write sys_module }; - # is ~sys_module really needed? observed: - # sys_boot - # sys_tty_config -@@ -101,7 +115,7 @@ - # Re-exec itself - can_exec(init_t,init_exec_t) - --allow init_t initrc_t:unix_stream_socket connectto; -+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; - - # For /var/run/shutdown.pid. - allow init_t init_var_run_t:file manage_file_perms; -@@ -117,6 +131,8 @@ - kernel_read_system_state(init_t) - kernel_share_state(init_t) - -+fs_list_inotifyfs(init_t) -+ - corecmd_exec_chroot(init_t) - corecmd_exec_bin(init_t) - -@@ -167,6 +183,8 @@ - - miscfiles_read_localization(init_t) - -+allow init_t self:process setsched; -+ - ifdef(`distro_gentoo',` - allow init_t self:process { getcap setcap }; - ') -@@ -189,6 +207,14 @@ - ') - - optional_policy(` -+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to -+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up -+ # the directory. 
But we do not want to allow this. -+ # The master process of dovecot will manage this file. -+ dovecot_dontaudit_unlink_lib_files(initrc_t) -+') ++type sshd_tmpfs_t; ++files_tmpfs_file(sshd_tmpfs_t) + -+optional_policy(` - nscd_socket_use(init_t) + ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') +@@ -75,7 +78,7 @@ + ubac_constrained(ssh_tmpfs_t) -@@ -202,9 +228,10 @@ - # - - allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; --allow initrc_t self:capability ~{ sys_admin sys_module }; -+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; - dontaudit initrc_t self:capability sys_module; # sysctl is triggering this - allow initrc_t self:passwd rootok; -+allow initrc_t self:key { search }; + type home_ssh_t; +-typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; ++typealias home_ssh_t alias { ssh_home_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; + typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; + files_type(home_ssh_t) + userdom_user_home_content(home_ssh_t) +@@ -95,8 +98,7 @@ + allow ssh_t self:sem create_sem_perms; + allow ssh_t self:msgq create_msgq_perms; + allow ssh_t self:msg { send receive }; +-allow ssh_t self:tcp_socket create_socket_perms; +-allow ssh_t self:netlink_route_socket r_netlink_socket_perms; ++allow ssh_t self:tcp_socket create_stream_socket_perms; - # Allow IPC with self - allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +244,8 @@ - term_create_pty(initrc_t,initrc_devpts_t) + # Read the ssh key file. 
+ allow ssh_t sshd_key_t:file read_file_perms; +@@ -115,6 +117,7 @@ + manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) + manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) + userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) ++userdom_stream_connect(ssh_t) - # Going to single user mode --init_exec(initrc_t) -+init_telinit(initrc_t) -+init_chat(initrc_t) + # Allow the ssh program to communicate with ssh-agent. + stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) +@@ -131,6 +134,7 @@ + read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t) - can_exec(initrc_t, init_script_file_type) + kernel_read_kernel_sysctls(ssh_t) ++kernel_read_system_state(ssh_t) -@@ -230,6 +258,7 @@ + corenet_all_recvfrom_unlabeled(ssh_t) + corenet_all_recvfrom_netlabel(ssh_t) +@@ -139,6 +143,8 @@ + corenet_tcp_sendrecv_all_ports(ssh_t) + corenet_tcp_connect_ssh_port(ssh_t) + corenet_sendrecv_ssh_client_packets(ssh_t) ++corenet_tcp_bind_generic_node(ssh_t) ++corenet_tcp_bind_all_unreserved_ports(ssh_t) - allow initrc_t initrc_var_run_t:file manage_file_perms; - files_pid_filetrans(initrc_t,initrc_var_run_t,file) -+files_manage_generic_pids_symlinks(initrc_t) + dev_read_urand(ssh_t) - can_exec(initrc_t,initrc_tmp_t) - allow initrc_t initrc_tmp_t:file manage_file_perms; -@@ -249,15 +278,19 @@ - kernel_rw_all_sysctls(initrc_t) - # for lsof which is used by alsa shutdown: - kernel_dontaudit_getattr_message_if(initrc_t) -+kernel_stream_connect(initrc_t) -+files_read_kernel_modules(initrc_t) +@@ -160,19 +166,19 @@ + logging_send_syslog_msg(ssh_t) + logging_read_generic_logs(ssh_t) - files_read_kernel_symbol_table(initrc_t) -+files_exec_etc_files(initrc_t) -+fs_list_inotifyfs(initrc_t) ++auth_use_nsswitch(ssh_t) ++ + miscfiles_read_localization(ssh_t) - corenet_all_recvfrom_unlabeled(initrc_t) - corenet_all_recvfrom_netlabel(initrc_t) --corenet_tcp_sendrecv_all_if(initrc_t) --corenet_udp_sendrecv_all_if(initrc_t) 
--corenet_tcp_sendrecv_all_nodes(initrc_t) --corenet_udp_sendrecv_all_nodes(initrc_t) -+corenet_tcp_sendrecv_generic_if(initrc_t) -+corenet_udp_sendrecv_generic_if(initrc_t) -+corenet_tcp_sendrecv_generic_node(initrc_t) -+corenet_udp_sendrecv_generic_node(initrc_t) - corenet_tcp_sendrecv_all_ports(initrc_t) - corenet_udp_sendrecv_all_ports(initrc_t) - corenet_tcp_connect_all_ports(initrc_t) -@@ -274,7 +307,7 @@ - dev_read_sound_mixer(initrc_t) - dev_write_sound_mixer(initrc_t) - dev_setattr_all_chr_files(initrc_t) --dev_read_lvm_control(initrc_t) -+dev_rw_lvm_control(initrc_t) - dev_delete_lvm_control_dev(initrc_t) - dev_manage_generic_symlinks(initrc_t) - dev_manage_generic_files(initrc_t) -@@ -328,7 +361,7 @@ - domain_sigchld_all_domains(initrc_t) - domain_read_all_domains_state(initrc_t) - domain_getattr_all_domains(initrc_t) --domain_dontaudit_ptrace_all_domains(initrc_t) -+domain_ptrace_all_domains(initrc_t) - domain_getsession_all_domains(initrc_t) - domain_use_interactive_fds(initrc_t) - # for lsof which is used by alsa shutdown: -@@ -366,7 +399,9 @@ + seutil_read_config(ssh_t) - libs_rw_ld_so_cache(initrc_t) - libs_exec_lib_files(initrc_t) -+libs_exec_ld_so(initrc_t) +-sysnet_read_config(ssh_t) +-sysnet_dns_name_resolve(ssh_t) +- + userdom_dontaudit_list_user_home_dirs(ssh_t) + userdom_search_user_home_dirs(ssh_t) + # Write to the user domain tty. 
+ userdom_use_user_terminals(ssh_t) + # needs to read krb tgt + userdom_read_user_tmp_files(ssh_t) ++userdom_read_user_home_content_symlinks(ssh_t) -+logging_send_audit_msgs(initrc_t) - logging_send_syslog_msg(initrc_t) - logging_manage_generic_logs(initrc_t) - logging_read_all_logs(initrc_t) -@@ -451,7 +486,7 @@ + tunable_policy(`allow_ssh_keysign',` + domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) +@@ -202,23 +208,13 @@ + # for port forwarding + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_ssh_port(ssh_t) +-') +- +-optional_policy(` +- kerberos_use(ssh_t) +-') +- +-optional_policy(` +- nis_use_ypbind(ssh_t) +-') +- +-optional_policy(` +- nscd_socket_use(ssh_t) ++ corenet_tcp_bind_generic_node(ssh_t) + ') - # Red Hat systems seem to have a stray - # fd open from the initrd -- kernel_dontaudit_use_fds(initrc_t) -+ kernel_use_fds(initrc_t) - files_dontaudit_read_root_files(initrc_t) + optional_policy(` + xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) + xserver_domtrans_xauth(ssh_t) ++ xserver_stream_connect(ssh_t) + ') - selinux_set_enforce_mode(initrc_t) -@@ -498,6 +533,7 @@ - optional_policy(` - #for /etc/rc.d/init.d/nfs to create /etc/exports - rpc_write_exports(initrc_t) -+ rpc_manage_nfs_state_data(initrc_t) - ') + ######################################## +@@ -310,6 +306,8 @@ + kernel_search_key(sshd_t) + kernel_link_key(sshd_t) - optional_policy(` -@@ -516,6 +552,31 @@ - ') - ') ++fs_list_inotifyfs(sshd_t) ++ + term_use_all_user_ptys(sshd_t) + term_setattr_all_user_ptys(sshd_t) + term_relabelto_all_user_ptys(sshd_t) +@@ -318,16 +316,30 @@ + corenet_tcp_bind_xserver_port(sshd_t) + corenet_sendrecv_xserver_server_packets(sshd_t) -+domain_dontaudit_use_interactive_fds(daemon) ++userdom_read_user_home_content_files(sshd_t) ++userdom_read_user_home_content_symlinks(sshd_t) ++userdom_search_admin_dir(sshd_t) + -+userdom_dontaudit_list_admin_dir(daemon) ++manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t) 
++fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file) + -+tunable_policy(`allow_daemons_use_tty',` -+ term_use_unallocated_ttys(daemon) -+ term_use_generic_ptys(daemon) -+ term_use_all_user_ttys(daemon) -+ term_use_all_user_ptys(daemon) -+',` -+ term_dontaudit_use_unallocated_ttys(daemon) -+ term_dontaudit_use_generic_ptys(daemon) -+ term_dontaudit_use_all_user_ttys(daemon) -+ term_dontaudit_use_all_user_ptys(daemon) -+ ') -+ -+# system-config-services causes avc messages that should be dontaudited -+tunable_policy(`allow_daemons_dump_core',` -+ files_dump_core(daemon) + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr +- userdom_spec_domtrans_all_users(sshd_t) + userdom_signal_all_users(sshd_t) +-',` +') + + userdom_spec_domtrans_unpriv_users(sshd_t) + userdom_signal_unpriv_users(sshd_t) ++ +optional_policy(` -+ unconfined_dontaudit_rw_pipes(daemon) ++ kerberos_keytab_template(sshd, sshd_t) +') -+ - optional_policy(` - amavis_search_lib(initrc_t) - amavis_setattr_pid_files(initrc_t) -@@ -570,6 +631,10 @@ - dbus_read_config(initrc_t) - - optional_policy(` -+ consolekit_dbus_chat(initrc_t) -+ ') + -+ optional_policy(` - networkmanager_dbus_chat(initrc_t) - ') - ') -@@ -655,12 +720,6 @@ - mta_read_config(initrc_t) - mta_dontaudit_read_spool_symlinks(initrc_t) ++optional_policy(` ++ xserver_getattr_xauth(sshd_t) ') --# cjp: require doesnt work in the else of optionals :\ --# this also would result in a type transition --# conflict if sendmail is enabled --#optional_policy(`',` --# mta_send_mail(initrc_t) --#') optional_policy(` - ifdef(`distro_redhat',` -@@ -721,6 +780,9 @@ - - # why is this needed: - rpm_manage_db(initrc_t) -+ # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) -+ +@@ -349,7 +361,11 @@ ') optional_policy(` -@@ -733,10 
+795,12 @@ - squid_manage_logs(initrc_t) +- unconfined_domain(sshd_t) ++ usermanage_domtrans_passwd(sshd_t) ++ usermanage_read_crack_db(sshd_t) ++') ++ ++optional_policy(` + unconfined_shell_domtrans(sshd_t) ') -+ifdef(`enabled_mls',` - optional_policy(` - # allow init scripts to su - su_restricted_domain_template(initrc,initrc_t,system_r) - ') -+') +@@ -408,6 +424,8 @@ + init_use_fds(ssh_keygen_t) + init_use_script_ptys(ssh_keygen_t) - optional_policy(` - ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +818,11 @@ - uml_setattr_util_sockets(initrc_t) - ') ++auth_use_nsswitch(ssh_keygen_t) ++ + logging_send_syslog_msg(ssh_keygen_t) -+# Cron jobs used to start and stop services -+optional_policy(` -+ cron_rw_pipes(daemon) + userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc +--- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/sssd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++ ++/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) ++/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.12/policy/modules/services/sssd.if +--- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/sssd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,249 @@ ++ ++## policy for sssd ++ ++######################################## ++## ++## Execute a domain transition to run sssd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`sssd_domtrans',` ++ gen_require(` ++ type sssd_t; ++ type sssd_exec_t; ++ ') ++ ++ domtrans_pattern($1,sssd_exec_t,sssd_t) +') + - optional_policy(` - unconfined_domain(initrc_t) - -@@ -761,6 +830,8 @@ - # system-config-services causes avc messages that should be dontaudited - unconfined_dontaudit_rw_pipes(daemon) - ') -+ # sudo service restart causes this -+ unconfined_signull(daemon) - - optional_policy(` - mono_domtrans(initrc_t) -@@ -768,6 +839,10 @@ - ') - - optional_policy(` -+ rpm_dontaudit_rw_pipes(daemon) ++ ++######################################## ++## ++## Execute sssd server in the sssd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`sssd_initrc_domtrans',` ++ gen_require(` ++ type sssd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,sssd_initrc_exec_t) +') + -+optional_policy(` - vmware_read_system_config(initrc_t) - vmware_append_system_config(initrc_t) - ') -@@ -790,3 +865,19 @@ - optional_policy(` - zebra_read_config(initrc_t) - ') ++######################################## ++## ++## Read sssd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_read_pid_files',` ++ gen_require(` ++ type sssd_var_run_t; ++ ') + -+userdom_append_user_home_content_files(daemon) -+userdom_write_user_tmp_files(daemon) -+userdom_dontaudit_rw_stream(daemon) ++ files_search_pids($1) ++ allow $1 sssd_var_run_t:file read_file_perms; ++') + -+logging_append_all_logs(daemon) ++######################################## ++## ++## Manage sssd var_run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sssd_manage_var_run',` ++ gen_require(` ++ type sssd_var_run_t; ++ ') + -+optional_policy(` -+ xserver_rw_xdm_home_files(daemon) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_rw_nfs_files(daemon) ++ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t) ++ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t) ++ manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t) ++') ++ ++ ++######################################## ++## ++## Search sssd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_search_lib',` ++ gen_require(` ++ type sssd_var_lib_t; + ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_rw_cifs_files(daemon) ++ ++ allow $1 sssd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read sssd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_read_lib_files',` ++ gen_require(` ++ type sssd_var_lib_t; + ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400 -@@ -1,5 +1,5 @@ - --policy_module(ipsec, 1.9.1) -+policy_module(ipsec, 1.9.0) - - ######################################## - # -@@ -103,11 +103,13 @@ - corenet_raw_sendrecv_all_nodes(ipsec_t) - corenet_tcp_sendrecv_all_ports(ipsec_t) - corenet_tcp_bind_all_nodes(ipsec_t) --corenet_udp_bind_all_nodes(ipsec_t) - corenet_tcp_bind_reserved_port(ipsec_t) - corenet_tcp_bind_isakmp_port(ipsec_t) + -+corenet_udp_bind_all_nodes(ipsec_t) - corenet_udp_bind_isakmp_port(ipsec_t) - corenet_udp_bind_ipsecnat_port(ipsec_t) 
++######################################## ++## ++## Create, read, write, and delete ++## sssd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_lib_files',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') + - corenet_sendrecv_generic_server_packets(ipsec_t) - corenet_sendrecv_isakmp_server_packets(ipsec_t) - -@@ -167,6 +169,8 @@ - allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; - files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) - -+logging_send_syslog_msg(ipsec_mgmt_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++') + - manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) - manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) - -@@ -242,8 +246,6 @@ - init_exec_script_files(ipsec_mgmt_t) - init_use_fds(ipsec_mgmt_t) - --logging_send_syslog_msg(ipsec_mgmt_t) -- - miscfiles_read_localization(ipsec_mgmt_t) - - modutils_domtrans_insmod(ipsec_mgmt_t) -@@ -298,13 +300,10 @@ - kernel_read_network_state(racoon_t) - - corenet_all_recvfrom_unlabeled(racoon_t) --corenet_tcp_sendrecv_all_if(racoon_t) --corenet_udp_sendrecv_all_if(racoon_t) --corenet_tcp_sendrecv_all_nodes(racoon_t) --corenet_udp_sendrecv_all_nodes(racoon_t) - corenet_tcp_bind_all_nodes(racoon_t) - corenet_udp_bind_all_nodes(racoon_t) - corenet_udp_bind_isakmp_port(racoon_t) -+corenet_udp_sendrecv_all_if(racoon_t) - corenet_udp_bind_ipsecnat_port(racoon_t) - - dev_read_urand(racoon_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te ---- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2009-04-07 16:01:44.000000000 -0400 -@@ -53,6 +53,7 @@ - mls_file_read_all_levels(iptables_t) - - term_dontaudit_use_console(iptables_t) -+term_use_all_terms(iptables_t) - - 
domain_use_interactive_fds(iptables_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-07 16:01:44.000000000 -0400 -@@ -55,6 +55,7 @@ - files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) - - kernel_read_system_state(iscsid_t) -+kernel_search_debugfs(iscsid_t) - - corenet_all_recvfrom_unlabeled(iscsid_t) - corenet_all_recvfrom_netlabel(iscsid_t) -@@ -73,6 +74,6 @@ - - logging_send_syslog_msg(iscsid_t) - --miscfiles_read_localization(iscsid_t) -+auth_use_nsswitch(iscsid_t) - --sysnet_dns_name_resolve(iscsid_t) -+miscfiles_read_localization(iscsid_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -60,12 +60,15 @@ - # - # /opt - # -+/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?lib64(/.*)? 
gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - -+/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -+ - ifdef(`distro_gentoo',` - # despite the extensions, they are actually libs - /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -@@ -84,12 +87,14 @@ - - ifdef(`distro_redhat',` - /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) - /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - ') - -@@ -103,6 +108,7 @@ - # - /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) - - /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,24 +121,34 @@ - - /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++######################################## ++## ++## Manage sssd var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_var_lib',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') + -+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++ manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++ manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t) ++') + - /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -@@ -168,7 +184,8 @@ - # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv - # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php - /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,12 +204,15 @@ - /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -233,7 +253,7 @@ - /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame --/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
-+/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,12 +266,13 @@ - - # Flash plugin, Macromedia - HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - # Jai, Sun Microsystems (Jpackage SPRM) - /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +288,9 @@ - /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - -+/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + - # Java, Sun Microsystems (JPackage SRPM) - 
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +315,8 @@ - /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) -+/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) - ') dnl end distro_redhat - - # -@@ -303,6 +329,8 @@ - - /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) - -+/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++######################################## ++## ++## Send and receive messages from ++## sssd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_dbus_chat',` ++ gen_require(` ++ type sssd_t; ++ class dbus send_msg; ++ ') + - ifdef(`distro_suse',` - /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) - ') -@@ -310,3 +338,37 @@ - /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) - /var/spool/postfix/usr(/.*)? 
gen_context(system_u:object_r:lib_t,s0) - /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) ++ allow $1 sssd_t:dbus send_msg; ++ allow sssd_t $1:dbus send_msg; ++') + -+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++######################################## ++## ++## Connect to sssd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_lib_t; ++ ') + -+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ files_search_pids($1) ++ write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ allow $1 sssd_t:unix_stream_socket connectto; ++') + -+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++######################################## ++## ++## All of the rules required to administrate ++## an sssd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the sssd domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`sssd_admin',` ++ gen_require(` ++ type sssd_t; ++ ') + -+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ allow $1 sssd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, sssd_t, sssd_t) ++ + -+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ gen_require(` ++ type sssd_initrc_exec_t; ++ ') + -+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) ++ # Allow sssd_t to restart the apache service ++ sssd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 sssd_initrc_exec_t system_r; ++ allow $2 system_r; + -+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ sssd_manage_var_run($1) + -+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ sssd_manage_var_lib($1) + -+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++') + -+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te +--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,68 @@ 
++policy_module(sssd,1.0.0) + -+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++######################################## ++# ++# Declarations ++# + ++type sssd_t; ++type sssd_exec_t; ++init_daemon_domain(sssd_t, sssd_exec_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.12/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/libraries.te 2009-04-07 16:01:44.000000000 -0400 -@@ -52,11 +52,11 @@ - # ldconfig local policy - # - --allow ldconfig_t self:capability sys_chroot; -+allow ldconfig_t self:capability { dac_override sys_chroot }; - - manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) - --allow ldconfig_t ld_so_cache_t:file manage_file_perms; -+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) - files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) - - manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) -@@ -70,8 +70,11 @@ - - fs_getattr_xattr_fs(ldconfig_t) - -+corecmd_search_bin(ldconfig_t) ++permissive sssd_t; + - domain_use_interactive_fds(ldconfig_t) - -+files_search_home(ldconfig_t) - files_search_var_lib(ldconfig_t) - files_read_etc_files(ldconfig_t) - files_search_tmp(ldconfig_t) -@@ -80,6 +83,7 @@ - files_delete_etc_files(ldconfig_t) - - init_use_script_ptys(ldconfig_t) -+init_read_script_tmp_files(ldconfig_t) - - miscfiles_read_localization(ldconfig_t) - -@@ -94,6 +98,10 @@ - ') - ') - -+userdom_manage_user_home_content_files(ldconfig_t) -+userdom_manage_user_tmp_files(ldconfig_t) -+userdom_manage_user_tmp_symlinks(ldconfig_t) ++type sssd_initrc_exec_t; ++init_script_file(sssd_initrc_exec_t) + - ifdef(`hide_broken_symptoms',` - optional_policy(` - unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) -@@ -116,4 +124,10 @@ - # and executes ldconfig on it. 
If you dont allow this kernel installs - # blow up. - rpm_manage_script_tmp_files(ldconfig_t) -+ # smart package manager needs the following for the same reason -+ rpm_rw_tmp_files(ldconfig_t) -+') ++type sssd_var_run_t; ++files_pid_file(sssd_var_run_t) ++ ++type sssd_var_lib_t; ++files_type(sssd_var_lib_t) ++ ++######################################## ++# ++# sssd local policy ++# ++allow sssd_t self:capability sys_nice; ++allow sssd_t self:process { setsched signal getsched }; ++allow sssd_t tmp_t:dir { read getattr open }; ++ ++# Init script handling ++domain_use_interactive_fds(sssd_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow sssd_t self:process signal; ++allow sssd_t self:fifo_file rw_file_perms; ++allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) ++manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) ++files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir }) ++ ++manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) ++ ++corecmd_exec_bin(sssd_t) ++ ++dev_read_urand(sssd_t) ++ ++kernel_read_system_state(sssd_t) ++ ++files_list_tmp(sssd_t) ++files_read_etc_files(sssd_t) ++files_read_usr_files(sssd_t) ++ ++auth_use_nsswitch(sssd_t) ++ ++logging_send_syslog_msg(sssd_t) ++logging_send_audit_msgs(sssd_t) ++ ++miscfiles_read_localization(sssd_t) + +optional_policy(` -+ unconfined_domain(ldconfig_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-04-07 
16:01:44.000000000 -0400 -@@ -67,6 +67,7 @@ - dev_setattr_power_mgmt_dev(local_login_t) - dev_getattr_sound_dev(local_login_t) - dev_setattr_sound_dev(local_login_t) -+dev_rw_generic_usb_dev(local_login_t) - dev_dontaudit_getattr_apm_bios_dev(local_login_t) - dev_dontaudit_setattr_apm_bios_dev(local_login_t) - dev_dontaudit_read_framebuffer(local_login_t) -@@ -100,7 +101,6 @@ - - auth_rw_login_records(local_login_t) - auth_rw_faillog(local_login_t) --auth_manage_pam_pid(local_login_t) - auth_manage_pam_console_data(local_login_t) - auth_domtrans_pam_console(local_login_t) - -@@ -160,6 +160,11 @@ - fs_read_cifs_symlinks(local_login_t) - ') ++ dbus_system_bus_client(sssd_t) ++ dbus_connect_system_bus(sssd_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.12/policy/modules/services/tftp.if +--- nsaserefpolicy/policy/modules/services/tftp.if 2008-11-11 16:13:45.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/tftp.if 2009-04-07 16:01:44.000000000 -0400 +@@ -2,6 +2,24 @@ -+tunable_policy(`allow_console_login',` -+ term_relabel_console(local_login_t) -+ term_setattr_console(local_login_t) + ######################################## + ## ++## Read tftp content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tftp_read_content',` ++ gen_require(` ++ type tftpdir_t; ++ ') ++ ++ read_files_pattern($1, tftpdir_t, tftpdir_t) +') + - optional_policy(` - alsa_domtrans(local_login_t) - ') -@@ -189,7 +194,7 @@ - ') ++######################################## ++## + ## All of the rules required to administrate + ## an tftp environment + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.12/policy/modules/services/tor.te +--- nsaserefpolicy/policy/modules/services/tor.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/tor.te 2009-04-07 16:01:44.000000000 -0400 +@@ -34,7 +34,7 @@ + # tor local policy + # - optional_policy(` -- unconfined_domain(local_login_t) -+ unconfined_shell_domtrans(local_login_t) - ') - - optional_policy(` -@@ -235,17 +240,25 @@ - seutil_read_default_contexts(sulogin_t) - - auth_read_shadow(sulogin_t) -+auth_use_nsswitch(sulogin_t) - - userdom_use_unpriv_users_fds(sulogin_t) - - userdom_search_user_home_dirs(sulogin_t) - userdom_use_user_ptys(sulogin_t) - -+ifdef(`enable_mls',` - sysadm_shell_domtrans(sulogin_t) -+',` -+ optional_policy(` -+ unconfined_shell_domtrans(sulogin_t) -+ ') -+') - - # suse and debian do not use pam with sulogin... 
- ifdef(`distro_suse', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat',`define(`sulogin_no_pam')') - - ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; -@@ -260,10 +273,4 @@ - selinux_compute_user_contexts(sulogin_t) - ') - --optional_policy(` -- nis_use_ypbind(sulogin_t) --') - --optional_policy(` -- nscd_socket_use(sulogin_t) --') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -53,15 +53,18 @@ - /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) - ') - --/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) --/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) --/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) --/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) -+/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) -+/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -+/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) - /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) - /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) - /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - - /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -+/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) 
-+/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) - - /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +-allow tor_t self:capability { setgid setuid }; ++allow tor_t self:capability { setgid setuid sys_tty_config }; + allow tor_t self:fifo_file rw_fifo_file_perms; + allow tor_t self:unix_stream_socket create_stream_socket_perms; + allow tor_t self:netlink_route_socket r_netlink_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.12/policy/modules/services/ulogd.fc +--- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ulogd.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,10 @@ + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-04-07 16:01:44.000000000 -0400 -@@ -623,7 +623,7 @@ - ') - - files_search_var($1) -- append_files_pattern($1, var_log_t, logfile) -+ append_files_pattern($1, logfile, logfile) - ') - - ######################################## -@@ -707,6 +707,8 @@ - files_search_var($1) - manage_files_pattern($1,logfile,logfile) - read_lnk_files_pattern($1,logfile,logfile) -+ allow $1 logfile:dir { relabelfrom relabelto }; -+ allow $1 logfile:file { relabelfrom relabelto }; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-07 16:01:44.000000000 -0400 -@@ -126,7 +126,7 @@ - 
allow auditd_t self:process { signal_perms setpgid setsched }; - allow auditd_t self:file rw_file_perms; - allow auditd_t self:unix_dgram_socket create_socket_perms; --allow auditd_t self:fifo_file rw_file_perms; -+allow auditd_t self:fifo_file rw_fifo_file_perms; - allow auditd_t self:tcp_socket create_stream_socket_perms; - - allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -179,6 +179,8 @@ - logging_domtrans_dispatcher(auditd_t) - logging_signal_dispatcher(auditd_t) - -+auth_use_nsswitch(auditd_t) ++/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) + - miscfiles_read_localization(auditd_t) - - mls_file_read_all_levels(auditd_t) -@@ -215,9 +217,9 @@ - # audit dispatcher local policy - # - --allow audisp_t self:capability sys_nice; --allow audisp_t self:process setsched; --allow audisp_t self:fifo_file rw_file_perms; -+allow audisp_t self:capability { dac_override sys_nice }; -+allow audisp_t self:process { signal_perms setsched }; -+allow audisp_t self:fifo_file rw_fifo_file_perms; - allow audisp_t self:unix_stream_socket create_stream_socket_perms; - allow audisp_t self:unix_dgram_socket create_socket_perms; - -@@ -226,13 +228,18 @@ - manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) - files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) - --corecmd_search_bin(audisp_t) -+corecmd_exec_bin(audisp_t) -+corecmd_exec_shell(audisp_t) - - domain_use_interactive_fds(audisp_t) - - files_read_etc_files(audisp_t) -+files_read_etc_runtime_files(audisp_t) - - mls_file_write_all_levels(audisp_t) -+mls_dbus_send_all_levels(audisp_t) ++/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) + -+auth_use_nsswitch(audisp_t) - - logging_send_syslog_msg(audisp_t) - -@@ -240,6 +247,14 @@ - - sysnet_dns_name_resolve(audisp_t) - -+optional_policy(` -+ dbus_system_bus_client(audisp_t) ++/usr/lib/ulogd(/.*)? 
gen_context(system_u:object_r:ulogd_modules_t,s0) + -+ optional_policy(` -+ setroubleshoot_dbus_chat(audisp_t) ++/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) ++ ++/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.12/policy/modules/services/ulogd.if +--- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,127 @@ ++## policy for ulogd ++ ++######################################## ++## ++## Execute a domain transition to run ulogd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ulogd_domtrans',` ++ gen_require(` ++ type ulogd_t, ulogd_exec_t; + ') ++ ++ domtrans_pattern($1,ulogd_exec_t,ulogd_t) +') + - ######################################## - # - # Audit remote logger local policy -@@ -253,11 +268,16 @@ - corenet_tcp_sendrecv_generic_node(audisp_remote_t) - corenet_tcp_connect_audit_port(audisp_remote_t) - corenet_sendrecv_audit_client_packets(audisp_remote_t) -+corenet_tcp_bind_audit_port(audisp_remote_t) -+corenet_tcp_sendrecv_all_ports(audisp_remote_t) -+corenet_tcp_bind_generic_node(audisp_remote_t) - - files_read_etc_files(audisp_remote_t) - - logging_send_syslog_msg(audisp_remote_t) - -+auth_use_nsswitch(audisp_remote_t) ++######################################## ++## ++## Allow the specified domain to read ++## ulogd configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++# ++interface(`ulogd_read_config',` ++ gen_require(` ++ type ulogd_etc_t; ++ ') + - miscfiles_read_localization(audisp_remote_t) - - sysnet_dns_name_resolve(audisp_remote_t) -@@ -337,7 +357,7 @@ - allow syslogd_t self:unix_dgram_socket create_socket_perms; - allow syslogd_t self:unix_stream_socket create_stream_socket_perms; - allow syslogd_t self:unix_dgram_socket sendto; --allow syslogd_t self:fifo_file rw_file_perms; -+allow syslogd_t self:fifo_file rw_fifo_file_perms; - allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.12/policy/modules/system/lvm.fc ---- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/lvm.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -55,6 +55,7 @@ - /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) -+/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) - /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -97,3 +98,4 @@ - /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) - /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) - /var/lib/multipath(/.*)? 
gen_context(system_u:object_r:lvm_var_lib_t,s0) -+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-07 16:01:44.000000000 -0400 -@@ -10,6 +10,9 @@ - type clvmd_exec_t; - init_daemon_domain(clvmd_t,clvmd_exec_t) - -+type clvmd_initrc_exec_t; -+init_script_file(clvmd_initrc_exec_t) ++ files_search_etc($1) ++ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) ++') + - type clvmd_var_run_t; - files_pid_file(clvmd_var_run_t) - -@@ -22,7 +25,7 @@ - role system_r types lvm_t; - - type lvm_etc_t; --files_type(lvm_etc_t) -+files_config_file(lvm_etc_t) - - type lvm_lock_t; - files_lock_file(lvm_lock_t) -@@ -44,9 +47,9 @@ - # Cluster LVM daemon local policy - # - --allow clvmd_t self:capability { sys_admin mknod }; -+allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; - dontaudit clvmd_t self:capability sys_tty_config; --allow clvmd_t self:process signal_perms; -+allow clvmd_t self:process { signal_perms setsched }; - dontaudit clvmd_t self:process ptrace; - allow clvmd_t self:socket create_socket_perms; - allow clvmd_t self:fifo_file rw_fifo_file_perms; -@@ -54,6 +57,8 @@ - allow clvmd_t self:tcp_socket create_stream_socket_perms; - allow clvmd_t self:udp_socket create_socket_perms; - -+init_dontaudit_getattr_initctl(clvmd_t) -+ - manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t) - files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) - -@@ -85,10 +90,15 @@ - corenet_sendrecv_generic_server_packets(clvmd_t) - - dev_read_sysfs(clvmd_t) -+dev_manage_generic_symlinks(clvmd_t) -+dev_relabel_generic_dev_dirs(clvmd_t) -+dev_manage_generic_blk_files(clvmd_t) - dev_manage_generic_chr_files(clvmd_t) - dev_rw_lvm_control(clvmd_t) - 
dev_dontaudit_getattr_all_blk_files(clvmd_t) - dev_dontaudit_getattr_all_chr_files(clvmd_t) -+dev_create_generic_dirs(clvmd_t) -+dev_delete_generic_dirs(clvmd_t) - - files_read_etc_files(clvmd_t) - files_list_usr(clvmd_t) -@@ -99,9 +109,12 @@ - fs_dontaudit_read_removable_files(clvmd_t) - - storage_dontaudit_getattr_removable_dev(clvmd_t) -+storage_dev_filetrans_fixed_disk(clvmd_t) -+storage_manage_fixed_disk(clvmd_t) - - domain_use_interactive_fds(clvmd_t) - -+storage_relabel_fixed_disk(clvmd_t) - storage_raw_read_fixed_disk(clvmd_t) - - auth_use_nsswitch(clvmd_t) -@@ -112,6 +125,9 @@ - - seutil_dontaudit_search_config(clvmd_t) - seutil_sigchld_newrole(clvmd_t) -+seutil_read_config(clvmd_t) -+seutil_read_file_contexts(clvmd_t) -+seutil_search_default_contexts(clvmd_t) - - userdom_dontaudit_use_unpriv_user_fds(clvmd_t) - userdom_dontaudit_search_user_home_dirs(clvmd_t) -@@ -124,6 +140,14 @@ - ') - - optional_policy(` -+ dbus_system_bus_client(lvm_t) ++######################################## ++## ++## Allow the specified domain to read ulogd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`ulogd_read_log',` ++ gen_require(` ++ type ulogd_var_log_t; ++ ') + -+ optional_policy(` -+ hal_dbus_chat(lvm_t) -+ ') ++ logging_search_logs($1) ++ allow $1 ulogd_var_log_t:dir list_dir_perms; ++ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) +') + -+optional_policy(` - gpm_dontaudit_getattr_gpmctl(clvmd_t) - ') - -@@ -133,6 +157,14 @@ - ') - - optional_policy(` -+ unconfined_domain(clvmd_t) -+') ++######################################## ++## ++## Allow the specified domain to append to ulogd's log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++# ++interface(`ulogd_append_log',` ++ gen_require(` ++ type ulogd_var_log_t; ++ ') + -+optional_policy(` -+ unconfined_domain(lvm_t) ++ logging_search_logs($1) ++ allow $1 ulogd_var_log_t:dir list_dir_perms; ++ allow $1 ulogd_var_log_t:file append_file_perms; +') + -+optional_policy(` - udev_read_db(clvmd_t) - ') - -@@ -143,17 +175,19 @@ - - # DAC overrides and mknod for modifying /dev entries (vgmknodes) - # rawio needed for dmraid --allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; -+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; -+# lvm needs net_admin for multipath - dontaudit lvm_t self:capability sys_tty_config; - allow lvm_t self:process { sigchld sigkill sigstop signull signal }; - # LVM will complain a lot if it cannot set its priority. - allow lvm_t self:process setsched; - allow lvm_t self:file rw_file_perms; --allow lvm_t self:fifo_file rw_file_perms; -+allow lvm_t self:fifo_file manage_fifo_file_perms; - allow lvm_t self:unix_dgram_socket create_socket_perms; - allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; - --allow lvm_t clvmd_t:unix_stream_socket connectto; -+allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; - - manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) - manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) -@@ -185,6 +219,7 @@ - manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) - filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) - files_etc_filetrans(lvm_t,lvm_metadata_t,file) -+files_search_mnt(lvm_t) - - kernel_read_system_state(lvm_t) - kernel_read_kernel_sysctls(lvm_t) -@@ -192,6 +227,7 @@ - kernel_read_kernel_sysctls(lvm_t) - # it has no reason to need this - kernel_dontaudit_getattr_core_if(lvm_t) -+kernel_use_fds(lvm_t) - - 
selinux_get_fs_mount(lvm_t) - selinux_validate_context(lvm_t) -@@ -221,6 +257,7 @@ - dev_dontaudit_getattr_generic_blk_files(lvm_t) - dev_dontaudit_getattr_generic_pipes(lvm_t) - dev_create_generic_dirs(lvm_t) -+dev_rw_generic_files(lvm_t) - - fs_getattr_xattr_fs(lvm_t) - fs_search_auto_mountpoints(lvm_t) -@@ -239,12 +276,18 @@ - storage_dev_filetrans_fixed_disk(lvm_t) - # Access raw devices and old /dev/lvm (c 109,0). Is this needed? - storage_manage_fixed_disk(lvm_t) -+mls_file_read_all_levels(lvm_t) -+mls_file_write_to_clearance(lvm_t) ++######################################## ++## ++## All of the rules required to administrate ++## an ulogd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++# ++interface(`ulogd_admin',` ++ gen_require(` ++ type ulogd_t, ulogd_etc_t; ++ type ulogd_var_log_t, ulogd_initrc_exec_t; ++ type ulogd_modules_t; ++ ') + -+term_use_all_terms(lvm_t) - - corecmd_exec_bin(lvm_t) - corecmd_exec_shell(lvm_t) - - domain_use_interactive_fds(lvm_t) -+domain_read_all_domains_state(lvm_t) - -+files_read_usr_files(lvm_t) - files_read_etc_files(lvm_t) - files_read_etc_runtime_files(lvm_t) - # for when /usr is not mounted: -@@ -253,6 +296,7 @@ - init_use_fds(lvm_t) - init_dontaudit_getattr_initctl(lvm_t) - init_use_script_ptys(lvm_t) -+init_read_script_state(lvm_t) - - logging_send_syslog_msg(lvm_t) - -@@ -283,5 +327,22 @@ - ') - - optional_policy(` -+ modutils_domtrans_insmod(lvm_t) -+') ++ allow $1 ulogd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ulogd_t) + -+optional_policy(` -+ rpm_manage_script_tmp_files(lvm_t) -+') ++ init_labeled_script_domtrans($1, ulogd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 ulogd_initrc_exec_t system_r; ++ allow $2 system_r; + -+optional_policy(` - udev_read_db(lvm_t) - ') ++ files_search_etc($1) ++ admin_pattern($1, ulogd_etc_t) + -+optional_policy(` -+ 
unconfined_domain(lvm_t) -+') ++ logging_list_logs($1) ++ admin_pattern($1, ulogd_var_log_t) + -+optional_policy(` -+ xen_append_log(lvm_t) -+ xen_dontaudit_rw_unix_stream_sockets(lvm_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-04-07 16:01:44.000000000 -0400 -@@ -42,7 +42,7 @@ - # insmod local policy - # - --allow insmod_t self:capability { dac_override net_raw sys_tty_config }; -+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; - allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; - - allow insmod_t self:udp_socket create_socket_perms; -@@ -55,6 +55,7 @@ - - kernel_load_module(insmod_t) - kernel_read_system_state(insmod_t) -+kernel_read_network_state(insmod_t) - kernel_write_proc_files(insmod_t) - kernel_mount_debugfs(insmod_t) - kernel_mount_kvmfs(insmod_t) -@@ -63,6 +64,7 @@ - kernel_read_kernel_sysctls(insmod_t) - kernel_rw_kernel_sysctl(insmod_t) - kernel_read_hotplug_sysctls(insmod_t) -+kernel_setsched(insmod_t) - - files_read_kernel_modules(insmod_t) - # for locking: (cjp: ????) -@@ -76,11 +78,10 @@ - dev_read_sound(insmod_t) - dev_write_sound(insmod_t) - dev_rw_apm_bios(insmod_t) --# cjp: why is this needed? 
insmod cannot mounton any dir --# and it also transitions to mount --dev_mount_usbfs(insmod_t) -+dev_create_generic_chr_files(insmod_t) - - fs_getattr_xattr_fs(insmod_t) -+fs_dontaudit_use_tmpfs_chr_dev(insmod_t) - - corecmd_exec_bin(insmod_t) - corecmd_exec_shell(insmod_t) -@@ -101,6 +102,8 @@ - init_use_fds(insmod_t) - init_use_script_fds(insmod_t) - init_use_script_ptys(insmod_t) -+init_spec_domtrans_script(insmod_t) -+init_rw_script_tmp_files(insmod_t) - - logging_send_syslog_msg(insmod_t) - logging_search_logs(insmod_t) -@@ -109,19 +112,30 @@ - - seutil_read_file_contexts(insmod_t) - --userdom_use_user_terminals(insmod_t) -+term_use_all_terms(insmod_t) -+userdom_dontaudit_search_user_home_dirs(insmod_t) - --ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(insmod_t) - ') --') - - if( ! secure_mode_insmod ) { - kernel_domtrans_to(insmod_t,insmod_exec_t) - } - - optional_policy(` -+ alsa_domtrans(insmod_t) ++ files_search_usr($1) ++ admin_pattern($1, ulogd_modules_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.12/policy/modules/services/ulogd.te +--- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/ulogd.te 2009-04-07 16:01:44.000000000 -0400 +@@ -0,0 +1,51 @@ ++policy_module(ulogd,1.0.0) + -+optional_policy(` -+ firstboot_dontaudit_rw_pipes(insmod_t) -+') ++######################################## ++# ++# Declarations ++# + -+optional_policy(` -+ hal_write_log(insmod_t) -+') ++type ulogd_t; ++type ulogd_exec_t; ++init_daemon_domain(ulogd_t, ulogd_exec_t) + -+optional_policy(` - hotplug_search_config(insmod_t) - ') - -@@ -154,6 +168,7 @@ - ++type ulogd_initrc_exec_t; ++init_script_file(ulogd_initrc_exec_t) ++ ++# /usr/lib files ++type ulogd_modules_t; ++files_type(ulogd_modules_t) ++ ++# config files ++type ulogd_etc_t; ++files_type(ulogd_etc_t) ++ ++# log files ++type 
ulogd_var_log_t; ++logging_log_file(ulogd_var_log_t) ++ ++######################################## ++ ++# ++# ulogd local policy ++# ++ ++allow ulogd_t self:capability net_admin; ++allow ulogd_t self:netlink_nflog_socket create_socket_perms; ++ ++# config files ++read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) ++ ++# modules for ulogd ++list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t) ++mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) ++ ++# log files ++manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) ++logging_log_filetrans(ulogd_t,ulogd_var_log_t, file ) ++ ++files_search_etc(ulogd_t) ++ ++miscfiles_read_localization(ulogd_t) ++ ++permissive ulogd_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te +--- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/uucp.te 2009-04-07 16:01:44.000000000 -0400 +@@ -129,6 +129,7 @@ optional_policy(` - rpm_rw_pipes(insmod_t) -+ rpm_read_script_tmp_files(insmod_t) + mta_send_mail(uux_t) + mta_read_queue(uux_t) ++ sendmail_rw_unix_stream_sockets(uux_t) ') optional_policy(` -@@ -184,6 +199,7 @@ - - files_read_kernel_symbol_table(depmod_t) - files_read_kernel_modules(depmod_t) -+files_delete_kernel_modules(depmod_t) - - fs_getattr_xattr_fs(depmod_t) - -@@ -214,7 +230,13 @@ - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc +--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/virt.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -8,5 +8,16 @@ - optional_policy(` -+ # Read System.map from home directories. -+ unconfined_domain(depmod_t) -+') + /var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0) + /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + -+optional_policy(` - rpm_rw_pipes(depmod_t) -+ rpm_manage_script_tmp_files(depmod_t) - ') + /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) + /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++ ++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) ++ ++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.12/policy/modules/services/virt.if +--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-07 16:01:44.000000000 -0400 +@@ -2,28 +2,6 @@ - ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.12/policy/modules/system/mount.fc ---- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/mount.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -1,4 +1,9 @@ - /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + ######################################## + ## +-## Make the specified type usable as a virt image +-## +-## +-## +-## Type to be used as a virtual image +-## +-## +-# 
+-interface(`virt_image',` +- gen_require(` +- attribute virt_image_type; +- ') - -+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -+/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) - /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -+ -+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if ---- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/mount.if 2009-04-07 16:01:44.000000000 -0400 -@@ -43,9 +43,11 @@ +- typeattribute $1 virt_image_type; +- files_type($1) +- +- # virt images can be assigned to blk devices +- dev_node($1) +-') +- +-######################################## +-## + ## Execute a domain transition to run virt. + ## + ## +@@ -117,12 +95,12 @@ + ') - mount_domtrans($1) - role $2 types mount_t; -+ #Leaked File Descriptors -+ dontaudit mount_t $1:unix_stream_socket rw_socket_perms; + files_search_pids($1) +- allow $1 virt_var_run_t:file read_file_perms; ++ read_files_pattern($1, virt_var_run_t, virt_var_run_t) + ') - optional_policy(` -- samba_run_smbmount($1, $2) -+ samba_run_smbmount($1, $2, $3) + ######################################## + ## +-## Manage virt pid files. ++## Manage virt PID files. 
+ ## + ## + ## +@@ -135,6 +113,7 @@ + type virt_var_run_t; ') - ') -@@ -159,3 +161,21 @@ - mount_domtrans_unconfined($1) - role $2 types unconfined_mount_t; ++ files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ') -+ -+######################################## -+## -+## Send signal to mount process + +@@ -293,6 +272,41 @@ + + ######################################## + ## ++## Allow domain to manage virt image files +## +## +## -+## The type of the process performing this action. ++## Domain to not audit. +## +## +# -+interface(`mount_signal',` ++interface(`virt_read_content',` + gen_require(` -+ type mount_t; ++ type virt_content_t; + ') + -+ allow $1 mount_t:process signal; ++ virt_search_lib($1) ++ allow $1 virt_content_t:dir list_dir_perms; ++ list_dirs_pattern($1, virt_content_t, virt_content_t) ++ read_files_pattern($1, virt_content_t, virt_content_t) ++ read_lnk_files_pattern($1, virt_content_t, virt_content_t) ++ rw_blk_files_pattern($1, virt_content_t, virt_content_t) ++ ++ tunable_policy(`virt_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ fs_read_nfs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ fs_read_cifs_symlinks($1) ++ ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-04-07 16:01:44.000000000 -0400 -@@ -18,17 +18,21 @@ - init_system_domain(mount_t,mount_exec_t) - role system_r types mount_t; ++ ++######################################## ++## + ## All of the rules required to administrate + ## an virt environment + ## +@@ -327,3 +341,53 @@ -+typealias mount_t alias mount_ntfs_t; -+typealias mount_exec_t alias mount_ntfs_exec_t; + virt_manage_log($1) + ') + - type mount_loopback_t; # 
customizable - files_type(mount_loopback_t) ++######################################## ++## ++## Creates types and rules for a basic ++## qemu process domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`virt_domain_template',` ++ ++ type $1_t; ++ virtual_domain($1_t) ++ ++ type $1_tmp_t; ++ files_tmp_file($1_tmp_t) ++ ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) ++ ++ type $1_image_t; ++ virtual_image($1_image_t) ++ ++ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) ++ manage_files_pattern($1_t, $1_image_t, $1_image_t) ++ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) ++ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) ++ ++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) ++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) ++ fs_getattr_tmpfs($1_t) ++ ++ fs_read_noxattr_fs_files($1_t) ++ fs_dontaudit_write_noxattr_fs_files($1_t) ++ ++ optional_policy(` ++ xserver_common_app($1_t) ++ ') ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te +--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-07 16:01:44.000000000 -0400 +@@ -8,19 +8,24 @@ - type mount_tmp_t; - files_tmp_file(mount_tmp_t) + ## + ##

+-## Allow virt to manage nfs files ++## Allow svirt to manage nfs files + ##

+ ##
+ gen_tunable(virt_use_nfs, false) --# causes problems with interfaces when --# this is optionally declared in monolithic --# policy--duplicate type declaration - type unconfined_mount_t; - application_domain(unconfined_mount_t,mount_exec_t) -+role system_r types unconfined_mount_t; + ## + ##

+-## Allow virt to manage cifs files ++## Allow svirt to manage cifs files + ##

+ ##
+ gen_tunable(virt_use_samba, false) + +-attribute virt_image_type; ++## ++##

++## Allow svirt to user serial/parallell communication ports ++##

++##
++gen_tunable(virt_use_comm, false) + + type virt_etc_t; + files_config_file(virt_etc_t) +@@ -29,8 +34,12 @@ + files_type(virt_etc_rw_t) + + # virt Image files +-type virt_image_t, virt_image_type; # customizable +-virt_image(virt_image_t) ++type virt_image_t; # customizable ++virtual_image(virt_image_t) + -+type mount_var_run_t; -+files_pid_file(mount_var_run_t) ++# virt Image files ++type virt_content_t; ++virtual_image(virt_content_t) + type virt_log_t; + logging_log_file(virt_log_t) +@@ -48,17 +57,39 @@ + type virtd_initrc_exec_t; + init_script_file(virtd_initrc_exec_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh) ++') ++ ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh) ++') ++ ++virt_domain_template(svirt) ++role system_r types svirt_t; ++ ++type svirt_cache_t; ++files_type(svirt_cache_t) ++ ++type svirt_var_run_t; ++files_pid_file(svirt_var_run_t) ++ ######################################## # -@@ -36,7 +40,8 @@ + # virtd local policy # - # setuid/setgid needed to mount cifs --allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:process { ptrace signal }; - - allow mount_t mount_loopback_t:file read_file_perms; - -@@ -47,12 +52,25 @@ - - files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) +-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; +-allow virtd_t self:process { getsched sigkill signal execmem }; ++allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; ++allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched }; + allow virtd_t self:fifo_file rw_file_perms; + allow virtd_t 
self:unix_stream_socket create_stream_socket_perms; + allow virtd_t self:tcp_socket create_stream_socket_perms; -+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir) -+files_var_filetrans(mount_t,mount_var_run_t,dir) ++manage_files_pattern(virtd_t, virt_image_t, virt_image_t) ++manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t) ++allow virtd_t virt_image_t:file { relabelfrom relabelto }; ++allow virtd_t virt_image_t:blk_file { relabelfrom relabelto }; + -+# In order to mount reiserfs_t -+kernel_list_unlabeled(mount_t) - kernel_read_system_state(mount_t) -+kernel_read_network_state(mount_t) - kernel_read_kernel_sysctls(mount_t) - kernel_dontaudit_getattr_core_if(mount_t) -+kernel_search_debugfs(mount_t) -+kernel_setsched(mount_t) -+kernel_use_fds(mount_t) + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) - dev_getattr_all_blk_files(mount_t) - dev_list_all_dev_nodes(mount_t) -+dev_read_usbfs(mount_t) -+dev_read_rand(mount_t) - dev_rw_lvm_control(mount_t) - dev_dontaudit_getattr_all_chr_files(mount_t) - dev_dontaudit_getattr_memory_dev(mount_t) -@@ -62,16 +80,19 @@ - storage_raw_write_fixed_disk(mount_t) - storage_raw_read_removable_device(mount_t) - storage_raw_write_removable_device(mount_t) -+storage_rw_fuse(mount_t) +@@ -67,7 +98,11 @@ + manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) --fs_getattr_xattr_fs(mount_t) --fs_getattr_cifs(mount_t) -+fs_list_all(mount_t) -+fs_getattr_all_fs(mount_t) - fs_mount_all_fs(mount_t) - fs_unmount_all_fs(mount_t) - fs_remount_all_fs(mount_t) - fs_relabelfrom_all_fs(mount_t) --fs_list_auto_mountpoints(mount_t) - fs_rw_tmpfs_chr_files(mount_t) -+fs_manage_tmpfs_dirs(mount_t) - fs_read_tmpfs_symlinks(mount_t) -+fs_read_fusefs_files(mount_t) 
-+fs_manage_nfs_dirs(mount_t) +-manage_files_pattern(virtd_t, virt_image_type, virt_image_type) ++virtual_manage_image(virtd_t) ++virtual_image_relabel(virtd_t) ++ ++manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) ++manage_files_pattern(virtd_t, virt_content_t, virt_content_t) - term_use_all_terms(mount_t) + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) + manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +@@ -86,6 +121,7 @@ + kernel_read_network_state(virtd_t) + kernel_rw_net_sysctls(virtd_t) + kernel_load_module(virtd_t) ++kernel_search_debugfs(virtd_t) -@@ -79,6 +100,7 @@ - corecmd_exec_bin(mount_t) + corecmd_exec_bin(virtd_t) + corecmd_exec_shell(virtd_t) +@@ -96,7 +132,7 @@ + corenet_tcp_sendrecv_generic_node(virtd_t) + corenet_tcp_sendrecv_all_ports(virtd_t) + corenet_tcp_bind_generic_node(virtd_t) +-#corenet_tcp_bind_virt_port(virtd_t) ++corenet_tcp_bind_virt_port(virtd_t) + corenet_tcp_bind_vnc_port(virtd_t) + corenet_tcp_connect_vnc_port(virtd_t) + corenet_tcp_connect_soundd_port(virtd_t) +@@ -104,21 +140,39 @@ - domain_use_interactive_fds(mount_t) -+domain_dontaudit_search_all_domains_state(mount_t) + dev_read_sysfs(virtd_t) + dev_read_rand(virtd_t) ++dev_rw_kvm(virtd_t) ++dev_getattr_all_chr_files(virtd_t) - files_search_all(mount_t) - files_read_etc_files(mount_t) -@@ -87,7 +109,7 @@ - files_mounton_all_mountpoints(mount_t) - files_unmount_rootfs(mount_t) - # These rules need to be generalized. 
Only admin, initrc should have it: --files_relabelto_all_file_type_fs(mount_t) -+files_relabel_all_file_type_fs(mount_t) - files_mount_all_file_type_fs(mount_t) - files_unmount_all_file_type_fs(mount_t) - # for when /etc/mtab loses its type -@@ -100,6 +122,8 @@ - init_use_fds(mount_t) - init_use_script_ptys(mount_t) - init_dontaudit_getattr_initctl(mount_t) -+init_stream_connect_script(mount_t) -+init_rw_script_stream_sockets(mount_t) + # Init script handling + domain_use_interactive_fds(virtd_t) ++domain_read_all_domains_state(virtd_t) ++domain_obj_id_change_exemption(virtd_t) ++domain_subj_id_change_exemption(virtd_t) - auth_use_nsswitch(mount_t) + files_read_usr_files(virtd_t) + files_read_etc_files(virtd_t) ++files_read_usr_files(virtd_t) + files_read_etc_runtime_files(virtd_t) + files_search_all(virtd_t) +-files_list_kernel_modules(virtd_t) ++files_read_kernel_modules(virtd_t) ++files_read_usr_src_files(virtd_t) ++ ++# Manages /etc/sysconfig/system-config-firewall ++files_manage_etc_files(virtd_t) ++ ++modutils_read_module_deps(virtd_t) -@@ -116,6 +140,7 @@ - seutil_read_config(mount_t) + fs_list_auto_mountpoints(virtd_t) ++fs_getattr_xattr_fs(virtd_t) ++fs_rw_anon_inodefs_files(virtd_t) - userdom_use_all_users_fds(mount_t) -+userdom_manage_user_home_content_dirs(mount_t) ++storage_manage_fixed_disk(virtd_t) ++storage_relabel_fixed_disk(virtd_t) + storage_raw_write_removable_device(virtd_t) + storage_raw_read_removable_device(virtd_t) - ifdef(`distro_redhat',` - optional_policy(` -@@ -133,7 +158,7 @@ ++seutil_read_default_contexts(virtd_t) ++ + term_getattr_pty_fs(virtd_t) + term_use_ptmx(virtd_t) - tunable_policy(`allow_mount_anyfile',` - auth_read_all_dirs_except_shadow(mount_t) -- auth_read_all_files_except_shadow(mount_t) -+ auth_rw_all_files_except_shadow(mount_t) - files_mounton_non_security(mount_t) - ') +@@ -129,6 +183,13 @@ -@@ -141,16 +166,16 @@ - # for nfs - corenet_all_recvfrom_unlabeled(mount_t) - corenet_all_recvfrom_netlabel(mount_t) -- 
corenet_tcp_sendrecv_all_if(mount_t) -- corenet_raw_sendrecv_all_if(mount_t) -- corenet_udp_sendrecv_all_if(mount_t) -- corenet_tcp_sendrecv_all_nodes(mount_t) -- corenet_raw_sendrecv_all_nodes(mount_t) -- corenet_udp_sendrecv_all_nodes(mount_t) -+ corenet_tcp_sendrecv_generic_if(mount_t) -+ corenet_raw_sendrecv_generic_if(mount_t) -+ corenet_udp_sendrecv_generic_if(mount_t) -+ corenet_tcp_sendrecv_generic_node(mount_t) -+ corenet_raw_sendrecv_generic_node(mount_t) -+ corenet_udp_sendrecv_generic_node(mount_t) - corenet_tcp_sendrecv_all_ports(mount_t) - corenet_udp_sendrecv_all_ports(mount_t) -- corenet_tcp_bind_all_nodes(mount_t) -- corenet_udp_bind_all_nodes(mount_t) -+ corenet_tcp_bind_generic_node(mount_t) -+ corenet_udp_bind_generic_node(mount_t) - corenet_tcp_bind_generic_port(mount_t) - corenet_udp_bind_generic_port(mount_t) - corenet_tcp_bind_reserved_port(mount_t) -@@ -164,6 +189,8 @@ - fs_search_rpc(mount_t) + logging_send_syslog_msg(virtd_t) - rpc_stub(mount_t) ++sysnet_domtrans_ifconfig(virtd_t) + -+ rpc_domtrans_rpcd(mount_t) ++virtual_transition(virtd_t) ++ ++userdom_dontaudit_list_admin_dir(virtd_t) ++userdom_getattr_all_users(virtd_t) ++userdom_search_user_home_content(virtd_t) + userdom_read_all_users_state(virtd_t) + + tunable_policy(`virt_use_nfs',` +@@ -167,22 +228,34 @@ + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) ++ dnsmasq_read_pid_files(virtd_t) ++ dnsmasq_signull(virtd_t) ') optional_policy(` -@@ -171,6 +198,15 @@ + iptables_domtrans(virtd_t) ') - optional_policy(` -+ dbus_system_bus_client(mount_t) -+ -+ optional_policy(` -+ hal_dbus_chat(mount_t) -+ ') +-#optional_policy(` +-# polkit_domtrans_auth(virtd_t) +-# polkit_domtrans_resolve(virtd_t) +-#') ++optional_policy(` ++ kerberos_keytab_template(virtd, virtd_t) +') + -+ +optional_policy(` - ifdef(`hide_broken_symptoms',` - # for a bug in the X server - rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +214,11 @@ - ') - ') ++ lvm_domtrans(virtd_t) ++') 
-+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 -+optional_policy(` -+ lvm_domtrans(mount_t) + optional_policy(` +- qemu_domtrans(virtd_t) ++ polkit_domtrans_auth(virtd_t) ++ polkit_domtrans_resolve(virtd_t) ++ polkit_read_lib(virtd_t) +') + - # for kernel package installation - optional_policy(` - rpm_rw_pipes(mount_t) -@@ -185,6 +226,7 @@ ++optional_policy(` ++ qemu_spec_domtrans(virtd_t, svirt_t) + qemu_read_state(virtd_t) + qemu_signal(virtd_t) + qemu_kill(virtd_t) ++ qemu_setsched(virtd_t) + ') optional_policy(` - samba_domtrans_smbmount(mount_t) -+ samba_read_config(mount_t) +@@ -198,5 +271,78 @@ ') - ######################################## -@@ -194,5 +236,30 @@ - optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t,file) +- unconfined_domain(virtd_t) ++ udev_domtrans(virtd_t) ++') + -+ rpc_domtrans_rpcd(unconfined_mount_t) ++#optional_policy(` ++# unconfined_domain(virtd_t) ++#') + - unconfined_domain(unconfined_mount_t) -+ optional_policy(` -+ hal_dbus_chat(unconfined_mount_t) -+') -+') ++manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) ++manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) ++ ++permissive virtd_t; + +######################################## +# -+# ntfs local policy ++# svirt local policy +# -+allow mount_t self:fifo_file rw_fifo_file_perms; -+allow mount_t self:unix_stream_socket create_stream_socket_perms; -+allow mount_t self:unix_dgram_socket create_socket_perms; ++manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) ++manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) ++files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) + -+corecmd_exec_shell(mount_t) ++manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) ++manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) ++manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) ++files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) + 
-+modutils_domtrans_insmod(mount_t) ++allow svirt_t svirt_image_t:dir search_dir_perms; ++manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) ++manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) + -+optional_policy(` -+ hal_write_log(mount_t) -+ hal_use_fds(mount_t) -+ hal_rw_pipes(mount_t) - ') ++list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) ++read_files_pattern(svirt_t, virt_content_t, virt_content_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.12/policy/modules/system/selinuxutil.fc ---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -6,13 +6,13 @@ - /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) - /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) - /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) --/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) -+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) - /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) --/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -+/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) - /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) - /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) - /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) --/etc/selinux/([^/]*/)?users(/.*)? 
-- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -+/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) - - # - # /root -@@ -38,7 +38,7 @@ - /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) - /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) - /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) --/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) -+/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) - /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) - /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) - -@@ -46,3 +46,11 @@ - # /var/run - # - /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) ++storage_raw_write_removable_device(svirt_t) ++storage_raw_read_removable_device(svirt_t) + -+# -+# /var/lib -+# -+/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) ++userdom_search_user_home_content(svirt_t) ++userdom_read_all_users_state(svirt_t) + -+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.12/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.if 2009-04-07 16:01:44.000000000 -0400 -@@ -535,6 +535,53 @@ - - ######################################## - ## -+## Execute setfiles in the setfiles domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`seutil_domtrans_setfiles_mac',` -+ gen_require(` -+ type setfiles_mac_t, setfiles_exec_t; -+ ') ++append_files_pattern(svirt_t, virt_log_t, virt_log_t) + -+ files_search_usr($1) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) -+') ++allow svirt_t self:udp_socket create_socket_perms; + -+######################################## -+## -+## Execute setfiles in the setfiles_mac domain, and -+## allow the specified role the setfiles_mac domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the setfiles_mac domain. -+## -+## -+## -+# -+interface(`seutil_run_setfiles_mac',` -+ gen_require(` -+ type setfiles_mac_t; -+ ') ++corenet_udp_sendrecv_generic_if(svirt_t) ++corenet_udp_sendrecv_generic_node(svirt_t) ++corenet_udp_sendrecv_all_ports(svirt_t) ++corenet_udp_bind_generic_node(svirt_t) ++corenet_udp_bind_all_ports(svirt_t) ++corenet_tcp_bind_all_ports(svirt_t) + -+ seutil_domtrans_setfiles_mac($1) -+ role $2 types setfiles_mac_t; ++tunable_policy(`virt_use_comm',` ++ term_use_unallocated_ttys(svirt_t) ++ dev_rw_printer(svirt_t) +') + -+######################################## -+## - ## Execute setfiles in the caller domain. - ## - ## -@@ -680,6 +727,7 @@ - ') - - files_search_etc($1) -+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1,selinux_config_t,selinux_config_t) - read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) - ') -@@ -999,6 +1047,26 @@ - - ######################################## - ## -+## Execute a domain transition to run setsebool. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`seutil_domtrans_setsebool',` -+ gen_require(` -+ type setsebool_t, setsebool_exec_t; -+ ') -+ -+ files_search_usr($1) -+ corecmd_search_bin($1) -+ domtrans_pattern($1, setsebool_exec_t, setsebool_t) ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(svirt_t) ++ fs_manage_nfs_files(svirt_t) +') + -+######################################## -+## - ## Execute semanage in the semanage domain, and - ## allow the specified role the semanage domain, - ## and use the caller's terminal. -@@ -1010,7 +1078,7 @@ - ## - ## - ## --## The role to be allowed the checkpolicy domain. -+## The role to be allowed the semanage domain. - ## - ## - ## -@@ -1028,6 +1096,33 @@ - - ######################################## - ## -+## Execute setsebool in the semanage domain, and -+## allow the specified role the semanage domain, -+## and use the caller's terminal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the setsebool domain. -+## -+## -+## -+# -+interface(`seutil_run_setsebool',` -+ gen_require(` -+ type semanage_t; -+ ') -+ -+ seutil_domtrans_setsebool($1) -+ role $2 types setsebool_t; ++tunable_policy(`virt_use_samba',` ++ fs_manage_cifs_dirs(svirt_t) ++ fs_manage_cifs_files(svirt_t) +') + -+######################################## -+## - ## Full management of the semanage - ## module store. - ## -@@ -1139,3 +1234,255 @@ - selinux_dontaudit_get_fs_mount($1) - seutil_dontaudit_read_config($1) - ') -+ -+####################################### -+## -+## The per role template for the setsebool module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for setsebool plugins that are executed by a browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`seutil_setsebool_per_role_template',` -+ gen_require(` -+ type setsebool_exec_t; -+ ') -+ -+ type $1_setsebool_t; -+ domain_type($1_setsebool_t) -+ domain_entry_file($1_setsebool_t, setsebool_exec_t) -+ role $3 types $1_setsebool_t; -+ -+ files_search_usr($2) -+ corecmd_search_bin($2) -+ domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t) -+ seutil_semanage_policy($1_setsebool_t) -+ -+ # Need to define per type booleans -+ selinux_set_all_booleans($1_setsebool_t) -+ -+ # Bug in semanage -+ seutil_domtrans_setfiles($1_setsebool_t) -+ seutil_manage_file_contexts($1_setsebool_t) -+ seutil_manage_default_contexts($1_setsebool_t) -+ seutil_manage_config($1_setsebool_t) ++optional_policy(` ++ samba_domtrans_smb(svirt_t) +') + -+####################################### -+## -+## All rules necessary to run semanage command -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`seutil_semanage_policy',` -+ gen_require(` -+ type semanage_tmp_t; -+ type policy_config_t; -+ ') -+ allow $1 self:capability { dac_override sys_resource }; -+ dontaudit $1 self:capability sys_tty_config; -+ allow $1 self:process signal; -+ allow $1 self:unix_stream_socket create_stream_socket_perms; -+ allow $1 self:unix_dgram_socket create_socket_perms; -+ logging_send_audit_msgs($1) -+ -+ # Running genhomedircon requires this for finding all users -+ auth_use_nsswitch($1) -+ -+ allow $1 policy_config_t:file { read write }; ++optional_policy(` ++ xen_rw_image_files(svirt_t) ++') + -+ allow $1 semanage_tmp_t:dir manage_dir_perms; -+ allow $1 semanage_tmp_t:file manage_file_perms; -+ files_tmp_filetrans($1, semanage_tmp_t, { file dir }) ++optional_policy(` ++ xen_rw_image_files(svirt_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te +--- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/w3c.te 2009-04-07 16:01:44.000000000 -0400 +@@ -8,11 +8,18 @@ + + apache_content_template(w3c_validator) + ++type httpd_w3c_validator_tmp_t; ++files_tmp_file(httpd_w3c_validator_tmp_t) + -+ kernel_read_system_state($1) -+ kernel_read_kernel_sysctls($1) + ######################################## + # + # Local policy + # + ++manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) ++manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) ++files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) + -+ corecmd_exec_bin($1) -+ corecmd_exec_shell($1) + corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) + corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) + corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) +diff -b 
-B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc +--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -3,12 +3,16 @@ + # + HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) + HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) ++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) + HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) + HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) + HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) + HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) + HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) ++HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) + ++/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) + # + # /dev + # +@@ -32,11 +36,6 @@ + /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) + +-ifdef(`distro_redhat',` +-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +-') +- + # + # /opt + # +@@ -61,6 +60,7 @@ + /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) ++/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/bin/xauth -- 
gen_context(system_u:object_r:xauth_exec_t,s0) + /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +@@ -89,16 +89,26 @@ + + /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + +-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) ++/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + +-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) ++/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) + /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + ++/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + -+ dev_read_urand($1) ++/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + -+ domain_use_interactive_fds($1) ++/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) ++/var/run/xorg(/.*)? 
gen_context(system_u:object_r:xserver_var_run_t,s0) + + ifdef(`distro_suse',` + /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if +--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-07 16:01:44.000000000 -0400 +@@ -90,7 +90,7 @@ + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file { relabelfrom relabelto }; + +- xserver_common_x_domain_template(user, $2) ++ xserver_common_app($2) + + ############################## + # +@@ -115,7 +115,8 @@ + # write: gnome-settings-daemon RANDR:SelectInput + # setattr: gnome-settings-daemon X11:GrabKey + # manage: metacity X11:ChangeWindowAttributes +- allow $2 rootwindow_t:x_drawable { read write manage setattr }; ++ allow $2 rootwindow_t:x_drawable { read write manage get_property getattr setattr }; ++ allow $2 $2:x_drawable all_x_drawable_perms; + + # setattr: metacity X11:InstallColormap + allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; +@@ -156,7 +157,7 @@ + allow $1 xserver_t:process signal; + + # Read /tmp/.X0-lock +- allow $1 xserver_tmp_t:file { getattr read }; ++ allow $1 xserver_tmp_t:file read_file_perms; + + # Client read xserver shm + allow $1 xserver_t:fd use; +@@ -219,12 +220,12 @@ + allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; + + # Read .Xauthority file +- allow $1 xauth_home_t:file { getattr read }; +- allow $1 iceauth_home_t:file { getattr read }; ++ allow $1 xauth_home_t:file read_file_perms; ++ allow $1 iceauth_home_t:file read_file_perms; + + # for when /tmp/.X11-unix is created by the system + allow $1 xdm_t:fd use; +- allow $1 xdm_t:fifo_file { getattr read write ioctl }; ++ allow $1 xdm_t:fifo_file rw_fifo_file_perms; + allow $1 
xdm_tmp_t:dir search; + allow $1 xdm_tmp_t:sock_file { read write }; + dontaudit $1 xdm_t:tcp_socket { read write }; +@@ -278,7 +279,6 @@ + type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; + type xevent_t, client_xevent_t; + +- attribute x_domain; + attribute xproperty_type; + attribute xevent_type; + attribute input_xevent_type; +@@ -287,6 +287,8 @@ + class x_property all_x_property_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; ++ class x_selection all_x_selection_perms; ++ type xselection_t; + ') + + ############################## +@@ -294,20 +296,11 @@ + # Local Policy + # + +- # Type attributes +- typeattribute $2 x_domain; +- + # X Properties + # can read and write client properties + allow $2 $1_xproperty_t:x_property { create destroy read write append }; + type_transition $2 xproperty_t:x_property $1_xproperty_t; + +- # X Windows +- # new windows have the domain type +- type_transition $2 rootwindow_t:x_drawable $2; +- +- # X Input +- # can receive own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; +@@ -320,8 +313,10 @@ + type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; + type_transition $2 client_xevent_t:x_event $1_client_xevent_t; + type_transition $2 xevent_t:x_event $1_default_xevent_t; +- # can send ICCCM events to myself + -+ files_read_etc_files($1) -+ files_read_etc_runtime_files($1) -+ files_read_usr_files($1) -+ files_list_pids($1) -+ fs_list_inotifyfs($1) -+ fs_getattr_all_fs($1) + allow $2 $1_manage_xevent_t:x_synthetic_event send; + -+ mls_file_write_all_levels($1) -+ mls_file_read_all_levels($1) ++ xserver_common_app($2) + ') + + ####################################### +@@ -397,11 +392,12 @@ + gen_require(` + type xdm_t, xdm_tmp_t; + type xauth_home_t, iceauth_home_t, xserver_t, 
xserver_tmpfs_t; ++ class x_screen all_x_screen_perms; + ') + +- allow $2 self:shm create_shm_perms; +- allow $2 self:unix_dgram_socket create_socket_perms; +- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; ++ allow $2 $2:shm create_shm_perms; ++ allow $2 $2:unix_dgram_socket create_socket_perms; ++ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms }; + + # Read .Xauthority file + allow $2 xauth_home_t:file read_file_perms; +@@ -409,7 +405,7 @@ + + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; +- allow $2 xdm_t:fifo_file { getattr read write ioctl }; ++ allow $2 xdm_t:fifo_file rw_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; + allow $2 xdm_tmp_t:sock_file { read write }; + dontaudit $2 xdm_t:tcp_socket { read write }; +@@ -437,6 +433,10 @@ + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') + -+ selinux_getattr_fs($1) -+ selinux_validate_context($1) -+ selinux_get_enforce_mode($1) ++ allow $2 xserver_t:x_screen { saver_hide saver_show }; + -+ term_use_all_terms($1) ++ xserver_use_xdm($2) + ') + + ######################################## +@@ -639,7 +639,7 @@ + type xdm_t; + ') + +- allow $1 xdm_t:fifo_file { getattr read write }; ++ allow $1 xdm_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## +@@ -738,6 +738,7 @@ + files_search_tmp($1) + allow $1 xdm_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ allow $1 xdm_tmp_t:sock_file unlink; + ') + + ######################################## +@@ -756,7 +757,26 @@ + ') + + files_search_pids($1) +- allow $1 xdm_var_run_t:file read_file_perms; ++ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ++') + -+ locallogin_use_fds($1) ++######################################## ++## ++## Manage XDM pid files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_manage_xdm_pid',` ++ gen_require(` ++ type xdm_var_run_t; ++ ') + -+ logging_send_syslog_msg($1) ++ files_search_pids($1) ++ manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t) + ') + + ######################################## +@@ -779,6 +799,50 @@ + + ######################################## + ## ++## Read XDM var lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xdm_lib_files',` ++ gen_require(` ++ type xdm_var_lib_t; ++ ') + -+ miscfiles_read_localization($1) ++ manage_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) ++ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) ++') + -+ seutil_search_default_contexts($1) -+ seutil_domtrans_loadpolicy($1) -+ seutil_read_config($1) -+ seutil_manage_bin_policy($1) -+ seutil_use_newrole_fds($1) -+ seutil_manage_module_store($1) -+ seutil_get_semanage_trans_lock($1) -+ seutil_get_semanage_read_lock($1) ++######################################## ++## ++## Execute xsever in the xserver domain, and ++## allow the specified role the xserver domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the xserver domain. ++## ++## ++# ++interface(`xserver_run',` ++ gen_require(` ++ type xserver_t; ++ ') + -+ userdom_dontaudit_write_user_home_content_files($1) ++ xserver_domtrans($1) ++ role $2 types xserver_t; ++') + -+ optional_policy(` -+ rpm_dontaudit_rw_tmp_files($1) -+ rpm_dontaudit_rw_pipes($1) ++######################################## ++## + ## Make an X session script an entrypoint for the specified domain. + ## + ## +@@ -872,6 +936,27 @@ + + ######################################## + ## ++## Allow append the xdm ++## log files. 
++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_xdm_append_log',` ++ gen_require(` ++ type xdm_log_t; ++ attribute xdmhomewriter; + ') -+') + ++ typeattribute $1 xdmhomewriter; ++ append_files_pattern($1, xdm_log_t, xdm_log_t) ++') + -+####################################### ++######################################## +## -+## All rules necessary to run setfiles command + ## Do not audit attempts to write the X server + ## log files. + ## +@@ -1018,10 +1103,11 @@ + # + interface(`xserver_domtrans',` + gen_require(` +- type xserver_t, xserver_exec_t; ++ type xserver_t, xserver_exec_t, xdm_t; + ') + + allow $1 xserver_t:process siginh; ++ allow xdm_t $1:process sigchld; + domtrans_pattern($1, xserver_exec_t, xserver_t) + ') + +@@ -1159,6 +1245,275 @@ + + ######################################## + ## ++## Read xserver files created in /var/run +## +## +## 
@@ -25692,1627 +23242,5428 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`seutil_setfiles',` -+ -+allow $1 self:capability { dac_override dac_read_search fowner }; -+dontaudit $1 self:capability sys_tty_config; -+allow $1 self:fifo_file rw_file_perms; -+dontaudit $1 self:dir relabelfrom; -+dontaudit $1 self:file relabelfrom; -+dontaudit $1 self:lnk_file relabelfrom; ++interface(`xserver_read_pid',` ++ gen_require(` ++ type xserver_var_run_t; ++ ') + ++ files_search_pids($1) ++ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++') + -+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; ++######################################## ++## ++## Execute xserver files created in /var/run ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_exec_pid',` ++ gen_require(` ++ type xserver_var_run_t; ++ ') + -+logging_send_audit_msgs($1) ++ files_search_pids($1) ++ exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++') + -+kernel_read_system_state($1) -+kernel_relabelfrom_unlabeled_dirs($1) -+kernel_relabelfrom_unlabeled_files($1) -+kernel_relabelfrom_unlabeled_symlinks($1) -+kernel_relabelfrom_unlabeled_pipes($1) -+kernel_relabelfrom_unlabeled_sockets($1) -+kernel_use_fds($1) -+kernel_rw_pipes($1) -+kernel_rw_unix_dgram_sockets($1) -+kernel_dontaudit_list_all_proc($1) -+kernel_read_all_sysctls($1) -+kernel_read_network_state_symlinks($1) ++######################################## ++## ++## Write xserver files created in /var/run ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_write_pid',` ++ gen_require(` ++ type xserver_var_run_t; ++ ') + -+dev_relabel_all_dev_nodes($1) ++ files_search_pids($1) ++ write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ++') + -+domain_use_interactive_fds($1) -+domain_read_all_domains_state($1) -+ -+files_read_etc_runtime_files($1) -+files_read_etc_files($1) -+files_list_all($1) -+files_relabel_all_files($1) -+files_list_isid_type_dirs($1) -+files_read_isid_type_files($1) -+files_dontaudit_read_all_symlinks($1) ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_manage_home_fonts',` ++ gen_require(` ++ type user_fonts_t; ++ type user_fonts_config_t; ++ ') + -+fs_getattr_xattr_fs($1) -+fs_list_all($1) -+fs_getattr_all_files($1) -+fs_search_auto_mountpoints($1) -+fs_relabelfrom_noxattr_fs($1) ++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t) ++ manage_files_pattern($1, user_fonts_t, user_fonts_t) ++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + -+mls_file_read_all_levels($1) -+mls_file_write_all_levels($1) -+mls_file_upgrade($1) -+mls_file_downgrade($1) ++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++') + -+selinux_validate_context($1) -+selinux_compute_access_vector($1) -+selinux_compute_create_context($1) -+selinux_compute_relabel_context($1) -+selinux_compute_user_contexts($1) ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`xserver_read_home_fonts',` ++ gen_require(` ++ type user_fonts_t; ++ ') + -+term_use_all_terms($1) ++ read_files_pattern($1, user_fonts_t, user_fonts_t) ++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++') + -+# this is to satisfy the assertion: -+auth_relabelto_shadow($1) ++######################################## ++## ++## write to .xsession-errors file ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_rw_xdm_home_files',` ++ gen_require(` ++ type xdm_home_t; ++ ') + -+init_use_fds($1) -+init_use_script_fds($1) -+init_use_script_ptys($1) -+init_exec_script_files($1) ++ allow $1 xdm_home_t:file rw_file_perms; ++') + -+logging_send_syslog_msg($1) ++######################################## ++## ++## Dontaudit write to .xsession-errors file ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_dontaudit_rw_xdm_home_files',` ++ gen_require(` ++ type xdm_home_t; ++ ') + -+miscfiles_read_localization($1) ++ dontaudit $1 xdm_home_t:file rw_file_perms; ++') + -+seutil_libselinux_linked($1) + -+userdom_use_all_users_fds($1) -+# for config files in a home directory -+userdom_read_user_home_content_files($1) ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++interface(`xserver_use_xdm',` ++ gen_require(` ++ type xdm_t, xdm_tmp_t; ++ type xdm_xproperty_t; ++ class x_client all_x_client_perms; ++ class x_drawable all_x_drawable_perms; ++ class x_property all_x_property_perms; ++ ') ++ ++ allow $1 xdm_t:fd use; ++ allow $1 xdm_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 xdm_t:tcp_socket { read write }; ++ ++ # Allow connections to X server. 
++ xserver_stream_connect_xdm($1) ++ xserver_read_xdm_tmp_files($1) ++ xserver_xdm_stream_connect($1) ++ xserver_setattr_xdm_tmp_dirs($1) ++ ++ allow $1 xdm_t:x_client { getattr destroy }; ++ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; ++ allow $1 xdm_xproperty_t:x_property { write read }; + -+ifdef(`distro_debian',` -+ # udev tmpfs is populated with static device nodes -+ # and then relabeled afterwards; thus -+ # /dev/console has the tmpfs type -+ fs_rw_tmpfs_chr_files($1) +') + -+ifdef(`distro_redhat',` -+ fs_rw_tmpfs_chr_files($1) -+ fs_rw_tmpfs_blk_files($1) -+ fs_relabel_tmpfs_blk_file($1) -+ fs_relabel_tmpfs_chr_file($1) ++######################################## ++## ++## Get the attributes of xauth executable ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_getattr_xauth',` ++ gen_require(` ++ type xauth_exec_t; ++ ') ++ ++ allow $1 xauth_exec_t:file getattr; +') + -+ifdef(`distro_ubuntu',` -+ optional_policy(` -+ unconfined_domain($1) ++######################################## ++## ++## Read a user Iceauthority domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`xserver_read_user_iceauth',` ++ gen_require(` ++ type iceauth_home_t; + ') ++ ++ # Read .Iceauthority file ++ allow $1 iceauth_home_t:file read_file_perms; +') + -+optional_policy(` -+ hotplug_use_fds($1) ++######################################## ++## ++## Connect to apmd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_stream_connect',` ++ gen_require(` ++ type xdm_t, xdm_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 xdm_var_run_t:sock_file write; ++ allow $1 xdm_t:unix_stream_socket connectto; +') ++ ++######################################## ++## ++## Manage the xdm_spool files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_xdm_manage_spool',` ++ gen_require(` ++ type xdm_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, xdm_spool_t, xdm_spool_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-07 16:01:44.000000000 -0400 -@@ -23,6 +23,9 @@ - type selinux_config_t; - files_type(selinux_config_t) - -+type selinux_var_lib_t; -+files_type(selinux_var_lib_t) + - type checkpolicy_t, can_write_binary_policy; - type checkpolicy_exec_t; - application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -58,8 +61,9 @@ - # policy_config_t is the type of /etc/security/selinux/* - # the security server policy configuration. - # --type policy_config_t; --files_type(policy_config_t) -+#type policy_config_t; -+#files_type(policy_config_t) -+typealias semanage_store_t alias policy_config_t; - - neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; - #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -75,7 +79,6 @@ - type restorecond_exec_t; - init_daemon_domain(restorecond_t,restorecond_exec_t) - domain_obj_id_change_exemption(restorecond_t) --role system_r types restorecond_t; - - type restorecond_var_run_t; - files_pid_file(restorecond_var_run_t) -@@ -92,6 +95,10 @@ - domain_interactive_fd(semanage_t) - role system_r types semanage_t; - -+type setsebool_t; -+type setsebool_exec_t; -+init_system_domain(setsebool_t, setsebool_exec_t) ++######################################## ++## ++## Ptrace XDM ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_ptrace_xdm',` ++ gen_require(` ++ type xdm_t; ++ ') + - type semanage_store_t; - files_type(semanage_store_t) - -@@ -109,6 +116,11 @@ - 
init_system_domain(setfiles_t,setfiles_exec_t) - domain_obj_id_change_exemption(setfiles_t) - -+type setfiles_mac_t; -+domain_type(setfiles_mac_t) -+domain_entry_file(setfiles_mac_t, setfiles_exec_t) -+domain_obj_id_change_exemption(setfiles_mac_t) ++ allow $1 xdm_t:process ptrace; ++') + - ######################################## - # - # Checkpolicy local policy -@@ -166,6 +178,7 @@ - files_read_etc_runtime_files(load_policy_t) - - fs_getattr_xattr_fs(load_policy_t) -+fs_list_inotifyfs(load_policy_t) - - mls_file_read_all_levels(load_policy_t) - -@@ -191,15 +204,6 @@ ++######################################## ++## + ## Interface to provide X object permissions on a given X server to + ## an X client domain. Gives the domain complete control over the + ## display. +@@ -1172,7 +1527,102 @@ + interface(`xserver_unconfined',` + gen_require(` + attribute xserver_unconfined_type; ++ attribute x_domain; ') - ') - --ifdef(`hide_broken_symptoms',` -- # cjp: cover up stray file descriptors. -- dontaudit load_policy_t selinux_config_t:file write; -- -- optional_policy(` -- unconfined_dontaudit_read_pipes(load_policy_t) -- ') --') -- - ######################################## - # - # Newrole local policy -@@ -217,7 +221,7 @@ - allow newrole_t self:msg { send receive }; - allow newrole_t self:unix_dgram_socket sendto; - allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; --allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+logging_send_audit_msgs(newrole_t) - read_files_pattern(newrole_t,default_context_t,default_context_t) - read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) -@@ -270,12 +274,14 @@ - init_rw_utmp(newrole_t) - init_use_fds(newrole_t) + typeattribute $1 xserver_unconfined_type; ++ typeattribute $1 x_domain; ++') ++ ++######################################## ++## ++## Rules required for using the X Windows server ++## and environment. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_communicate',` ++ gen_require(` ++ class x_drawable all_x_drawable_perms; ++ class x_resource all_x_resource_perms; + ') ++ ++ allow $1 $2:x_drawable all_x_drawable_perms; ++ allow $2 $1:x_drawable all_x_drawable_perms; ++ allow $1 $2:x_resource all_x_resource_perms; ++ allow $2 $1:x_resource all_x_resource_perms; ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## Client domain allowed access. ++## ++## ++# ++interface(`xserver_common_app',` ++ ++ gen_require(` ++ attribute x_domain; ++ attribute xevent_type; ++ type xselection_t, rootwindow_t; ++ type user_xproperty_t, xproperty_t; ++ class x_property all_x_property_perms; ++ class x_selection all_x_selection_perms; ++ class x_event all_x_event_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ ') ++ ++ # Type attributes ++ typeattribute $1 x_domain; ++ ++ allow $1 xselection_t:x_selection setattr; ++ allow $1 user_xproperty_t:x_property { write read destroy }; ++ allow $1 xproperty_t:x_property all_x_property_perms; ++ ++ # X Windows ++ # new windows have the domain type ++ type_transition $1 rootwindow_t:x_drawable $1; ++ ++ # X Input ++ # can receive own events ++ allow $1 xevent_type:{ x_event x_synthetic_event } { receive send }; ++ xserver_communicate($1, $1) ++ xserver_use_xdm($1) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## xdm over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_xdm_dbus_chat',` ++ gen_require(` ++ type xdm_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 xdm_t:dbus send_msg; ++ allow xdm_t $1:dbus send_msg; ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te +--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-09 05:40:02.000000000 -0400 +@@ -34,6 +34,13 @@ -+logging_send_audit_msgs(newrole_t) - logging_send_syslog_msg(newrole_t) + ## + ##

++## Allows XServer to execute writable memory ++##

++##
++gen_tunable(allow_xserver_execmem, false) ++ ++## ++##

+ ## Allow xdm logins as sysadm + ##

+ ##
+@@ -46,6 +53,7 @@ + ## + gen_tunable(xserver_object_manager, false) - miscfiles_read_localization(newrole_t) ++attribute xdmhomewriter; + attribute input_xevent_type; + attribute xserver_unconfined_type; + attribute x_domain; +@@ -65,14 +73,14 @@ - seutil_libselinux_linked(newrole_t) + type iceauth_t; + type iceauth_exec_t; +-typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; ++typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t }; + typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; + application_domain(iceauth_t, iceauth_exec_t) + ubac_constrained(iceauth_t) -+userdom_use_unpriv_users_fds(newrole_t) - # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content(newrole_t) - userdom_search_user_home_dirs(newrole_t) -@@ -336,6 +342,8 @@ + type iceauth_home_t; + typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +-typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; ++typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; + files_poly_member(iceauth_home_t) + userdom_user_home_content(iceauth_home_t) - seutil_libselinux_linked(restorecond_t) +@@ -112,17 +120,17 @@ + typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; -+userdom_read_user_home_content_symlinks(restorecond_t) -+ - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(restorecond_t) -@@ -354,7 +362,7 @@ - allow run_init_t self:process setexec; - allow run_init_t self:capability setuid; - allow run_init_t self:fifo_file rw_file_perms; --allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+logging_send_audit_msgs(run_init_t) + type user_fonts_t; +-typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +-typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; ++typealias 
user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t }; ++typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t }; + userdom_user_home_content(user_fonts_t) - # often the administrator runs such programs from a directory that is owned - # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,10 +391,10 @@ + type user_fonts_cache_t; +-typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; ++typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t }; + typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; + userdom_user_home_content(user_fonts_cache_t) - auth_use_nsswitch(run_init_t) - auth_domtrans_chk_passwd(run_init_t) --auth_domtrans_upd_passwd(run_init_t) - auth_dontaudit_read_shadow(run_init_t) + type user_fonts_config_t; +-typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; ++typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t }; + typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; + userdom_user_home_content(user_fonts_config_t) - init_spec_domtrans_script(run_init_t) -+ - # for utmp - init_rw_utmp(run_init_t) +@@ -134,18 +142,18 @@ + type xauth_t; + type xauth_exec_t; + typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; +-typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; ++typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t }; + application_domain(xauth_t, xauth_exec_t) + ubac_constrained(xauth_t) -@@ -406,6 +414,10 @@ - ') - ') + type xauth_home_t; + typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; +-typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; 
++typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t }; + files_poly_member(xauth_home_t) + userdom_user_home_content(xauth_home_t) -+optional_policy(` -+ rpm_domtrans(run_init_t) -+') + type xauth_tmp_t; +-typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; ++typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t }; + typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; + files_tmp_file(xauth_tmp_t) + ubac_constrained(xauth_tmp_t) +@@ -166,7 +174,10 @@ + files_lock_file(xdm_lock_t) + + type xdm_rw_etc_t; +-files_type(xdm_rw_etc_t) ++files_config_file(xdm_rw_etc_t) + - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(run_init_t) -@@ -421,61 +433,22 @@ - # semodule local policy - # ++type xdm_spool_t; ++files_type(xdm_spool_t) --allow semanage_t self:capability { dac_override audit_write }; --allow semanage_t self:unix_stream_socket create_stream_socket_perms; --allow semanage_t self:unix_dgram_socket create_socket_perms; --allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; + type xdm_var_lib_t; + files_type(xdm_var_lib_t) +@@ -174,6 +185,12 @@ + type xdm_var_run_t; + files_pid_file(xdm_var_run_t) --allow semanage_t policy_config_t:file rw_file_perms; -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++type xserver_var_lib_t; ++files_type(xserver_var_lib_t) ++ ++type xserver_var_run_t; ++files_pid_file(xserver_var_run_t) ++ + type xdm_tmp_t; + files_tmp_file(xdm_tmp_t) + typealias xdm_tmp_t alias ice_tmp_t; +@@ -181,6 +198,12 @@ + type xdm_tmpfs_t; + files_tmpfs_file(xdm_tmpfs_t) --allow semanage_t semanage_tmp_t:dir manage_dir_perms; --allow 
semanage_t semanage_tmp_t:file manage_file_perms; --files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -- --kernel_read_system_state(semanage_t) --kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) -- --dev_read_urand(semanage_t) -- --domain_use_interactive_fds(semanage_t) -- --files_read_etc_files(semanage_t) --files_read_etc_runtime_files(semanage_t) --files_read_usr_files(semanage_t) --files_list_pids(semanage_t) -- --mls_file_write_all_levels(semanage_t) --mls_file_read_all_levels(semanage_t) -- --selinux_validate_context(semanage_t) --selinux_get_enforce_mode(semanage_t) --selinux_getattr_fs(semanage_t) --# for setsebool: - selinux_set_all_booleans(semanage_t) -+can_exec(semanage_t, semanage_exec_t) - --term_use_all_terms(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - --# Running genhomedircon requires this for finding all users --auth_use_nsswitch(semanage_t) -- --locallogin_use_fds(semanage_t) -- --logging_send_syslog_msg(semanage_t) -- --miscfiles_read_localization(semanage_t) -- --seutil_libselinux_linked(semanage_t) - seutil_manage_file_contexts(semanage_t) - seutil_manage_config(semanage_t) - seutil_domtrans_setfiles(semanage_t) --seutil_domtrans_loadpolicy(semanage_t) --seutil_manage_bin_policy(semanage_t) --seutil_use_newrole_fds(semanage_t) --seutil_manage_module_store(semanage_t) --seutil_get_semanage_trans_lock(semanage_t) --seutil_get_semanage_read_lock(semanage_t) ++type xdm_home_t; ++userdom_user_home_content(xdm_home_t) + - # netfilter_contexts: - seutil_manage_default_contexts(semanage_t) ++type xdm_log_t; ++logging_log_file(xdm_log_t) ++ + # type for /var/lib/xkb + type xkb_var_lib_t; + files_type(xkb_var_lib_t) +@@ -189,7 +212,7 @@ + type xserver_t; + type xserver_exec_t; + typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; +-typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t }; ++typealias xserver_t 
alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; + xserver_object_types_template(xdm) + xserver_common_x_domain_template(xdm,xdm_t) + init_system_domain(xserver_t, xserver_exec_t) +@@ -197,12 +220,12 @@ -@@ -484,12 +457,23 @@ - files_read_var_lib_symlinks(semanage_t) - ') + type xserver_tmp_t; + typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; +-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t }; ++typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; + files_tmp_file(xserver_tmp_t) + ubac_constrained(xserver_tmp_t) -+optional_policy(` -+ setrans_initrc_domtrans(semanage_t) -+ domain_system_change_exemption(semanage_t) -+ consoletype_exec(semanage_t) -+') -+ - ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(semanage_t) - ') - ') + type xserver_tmpfs_t; +-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; ++typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; + typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; + files_tmpfs_file(xserver_tmpfs_t) + ubac_constrained(xserver_tmpfs_t) +@@ -250,19 +273,21 @@ + # Xauth local policy + # -+optional_policy(` -+ #signal mcstrans on reload -+ init_spec_domtrans_script(semanage_t) -+') -+ - # cjp: need a more general way to handle this: - ifdef(`enable_mls',` - # read secadm tmp files -@@ -499,111 +483,36 @@ - userdom_read_user_tmp_files(semanage_t) - ') ++allow xauth_t self:capability dac_override; + allow xauth_t self:process signal; + allow xauth_t self:unix_stream_socket create_stream_socket_perms; --######################################## -+userdom_search_admin_dir(semanage_t) + allow xauth_t xauth_home_t:file manage_file_perms; + userdom_user_home_dir_filetrans(xauth_t, 
xauth_home_t, file) ++userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) + -+####################################n#### - # --# Setfiles local policy -+# setsebool local policy - # -+seutil_semanage_policy(setsebool_t) -+selinux_set_all_booleans(setsebool_t) ++manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) ++manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) --allow setfiles_t self:capability { dac_override dac_read_search fowner }; --dontaudit setfiles_t self:capability sys_tty_config; --allow setfiles_t self:fifo_file rw_file_perms; -- --allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; --allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; --allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; -- --kernel_read_system_state(setfiles_t) --kernel_relabelfrom_unlabeled_dirs(setfiles_t) --kernel_relabelfrom_unlabeled_files(setfiles_t) --kernel_relabelfrom_unlabeled_symlinks(setfiles_t) --kernel_relabelfrom_unlabeled_pipes(setfiles_t) --kernel_relabelfrom_unlabeled_sockets(setfiles_t) --kernel_use_fds(setfiles_t) --kernel_rw_pipes(setfiles_t) --kernel_rw_unix_dgram_sockets(setfiles_t) --kernel_dontaudit_list_all_proc(setfiles_t) --kernel_dontaudit_list_all_sysctls(setfiles_t) -- --dev_relabel_all_dev_nodes(setfiles_t) -- --domain_use_interactive_fds(setfiles_t) --domain_dontaudit_search_all_domains_state(setfiles_t) -- --files_read_etc_runtime_files(setfiles_t) --files_read_etc_files(setfiles_t) --files_list_all(setfiles_t) --files_relabel_all_files(setfiles_t) -- --fs_getattr_xattr_fs(setfiles_t) --fs_list_all(setfiles_t) --fs_search_auto_mountpoints(setfiles_t) --fs_relabelfrom_noxattr_fs(setfiles_t) -- --mls_file_read_all_levels(setfiles_t) --mls_file_write_all_levels(setfiles_t) --mls_file_upgrade(setfiles_t) --mls_file_downgrade(setfiles_t) -- 
--selinux_validate_context(setfiles_t) --selinux_compute_access_vector(setfiles_t) --selinux_compute_create_context(setfiles_t) --selinux_compute_relabel_context(setfiles_t) --selinux_compute_user_contexts(setfiles_t) -- --term_use_all_user_ttys(setfiles_t) --term_use_all_user_ptys(setfiles_t) --term_use_unallocated_ttys(setfiles_t) -- --# this is to satisfy the assertion: --auth_relabelto_shadow(setfiles_t) -- --init_use_fds(setfiles_t) --init_use_script_fds(setfiles_t) --init_use_script_ptys(setfiles_t) --init_exec_script_files(setfiles_t) -- --logging_send_syslog_msg(setfiles_t) -- --miscfiles_read_localization(setfiles_t) -- --seutil_libselinux_linked(setfiles_t) -- --userdom_use_all_users_fds(setfiles_t) --# for config files in a home directory --userdom_read_user_home_content_files(setfiles_t) + manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) + manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) + files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) + +-allow xdm_t xauth_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) - --ifdef(`distro_debian',` -- # udev tmpfs is populated with static device nodes -- # and then relabeled afterwards; thus -- # /dev/console has the tmpfs type -- fs_rw_tmpfs_chr_files(setfiles_t) --') -+init_dontaudit_use_fds(setsebool_t) + domain_use_interactive_fds(xauth_t) --ifdef(`distro_redhat', ` -- fs_rw_tmpfs_chr_files(setfiles_t) -- fs_rw_tmpfs_blk_files(setfiles_t) -- fs_relabel_tmpfs_blk_file(setfiles_t) -- fs_relabel_tmpfs_chr_file(setfiles_t) --') -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) + files_read_etc_files(xauth_t) +@@ -300,13 +325,14 @@ + # XDM Local policy + # --ifdef(`distro_ubuntu',` -- optional_policy(` -- unconfined_domain(setfiles_t) -- ') --') -+######################################## -+# -+# Setfiles local policy -+# 
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; ++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; ++allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace }; ++allow xdm_t self:process { getattr getcap setcap }; + allow xdm_t self:fifo_file rw_fifo_file_perms; + allow xdm_t self:shm create_shm_perms; + allow xdm_t self:sem create_sem_perms; + allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +-allow xdm_t self:unix_dgram_socket create_socket_perms; ++allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; + allow xdm_t self:tcp_socket create_stream_socket_perms; + allow xdm_t self:udp_socket create_socket_perms; + allow xdm_t self:socket create_socket_perms; +@@ -314,6 +340,11 @@ + allow xdm_t self:key { search link write }; --ifdef(`hide_broken_symptoms',` -- optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) -- ') -+seutil_setfiles(setfiles_t) -+# During boot in Rawhide -+term_use_generic_ptys(setfiles_t) + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) ++manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) ++ ++manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) ++userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) -- # cjp: cover up stray file descriptors. 
-- optional_policy(` -- unconfined_dontaudit_read_pipes(setfiles_t) -- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) -- ') --') -+seutil_setfiles(setfiles_mac_t) -+allow setfiles_mac_t self:capability2 mac_admin; -+kernel_relabelto_unlabeled(setfiles_mac_t) + # Allow gdm to run gdm-binary + can_exec(xdm_t, xdm_exec_t) +@@ -329,22 +360,38 @@ + manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) + manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) + files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) ++relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) ++relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - optional_policy(` -- hotplug_use_fds(setfiles_t) -+ unconfined_domain(setfiles_mac_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.12/policy/modules/system/setrans.if ---- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/setrans.if 2009-04-07 16:01:44.000000000 -0400 -@@ -21,3 +21,23 @@ - stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) - files_list_pids($1) - ') + manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) ++fs_getattr_all_fs(xdm_t) ++fs_search_inotifyfs(xdm_t) ++fs_read_noxattr_fs_files(xdm_t) + -+######################################## -+## -+## Execute setrans server in the setrans domain. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+# -+interface(`setrans_initrc_domtrans',` -+ gen_require(` -+ type setrans_initrc_exec_t; -+ ') ++manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + -+ init_labeled_script_domtrans($1, setrans_initrc_exec_t) -+') ++files_search_spool(xdm_t) ++manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) ++manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) ++files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) + + manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) + manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) ++manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) ++manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) ++files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) ++# Read machine-id ++files_read_var_lib_files(xdm_t) + + manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) + manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) + manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) ++manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) ++files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) + + allow xdm_t xserver_t:process signal; + allow xdm_t xserver_t:unix_stream_socket connectto; +@@ -358,6 +405,7 @@ + allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; + + allow xdm_t xserver_t:shm rw_shm_perms; ++read_files_pattern(xdm_t, xserver_t, xserver_t) + + # connect to xdm xserver over stream socket + stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) +@@ -366,10 +414,14 @@ + delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) + delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) + ++manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) ++manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) ++manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) ++logging_log_filetrans(xdm_t, 
xdm_log_t, file) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.12/policy/modules/system/sysnetwork.fc ---- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -11,8 +11,12 @@ - /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) -+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) -+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) + manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) + manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) + manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) +-logging_log_filetrans(xdm_t, xserver_log_t, file) - /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) -@@ -20,6 +24,8 @@ - ifdef(`distro_redhat',` - /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/sysconfig/network-scripts(/.*)? 
gen_context(system_u:object_r:net_conf_t,s0) + kernel_read_system_state(xdm_t) + kernel_read_kernel_sysctls(xdm_t) +@@ -389,11 +441,13 @@ + corenet_udp_sendrecv_all_ports(xdm_t) + corenet_tcp_bind_generic_node(xdm_t) + corenet_udp_bind_generic_node(xdm_t) ++corenet_udp_bind_xdmcp_port(xdm_t) + corenet_tcp_connect_all_ports(xdm_t) + corenet_sendrecv_all_client_packets(xdm_t) + # xdm tries to bind to biff_port_t + corenet_dontaudit_tcp_bind_all_ports(xdm_t) + ++dev_rwx_zero(xdm_t) + dev_read_rand(xdm_t) + dev_read_sysfs(xdm_t) + dev_getattr_framebuffer_dev(xdm_t) +@@ -401,6 +455,7 @@ + dev_getattr_mouse_dev(xdm_t) + dev_setattr_mouse_dev(xdm_t) + dev_rw_apm_bios(xdm_t) ++dev_rw_input_dev(xdm_t) + dev_setattr_apm_bios_dev(xdm_t) + dev_rw_dri(xdm_t) + dev_rw_agp(xdm_t) +@@ -413,14 +468,17 @@ + dev_setattr_video_dev(xdm_t) + dev_getattr_scanner_dev(xdm_t) + dev_setattr_scanner_dev(xdm_t) +-dev_getattr_sound_dev(xdm_t) +-dev_setattr_sound_dev(xdm_t) ++dev_read_sound(xdm_t) ++dev_write_sound(xdm_t) + dev_getattr_power_mgmt_dev(xdm_t) + dev_setattr_power_mgmt_dev(xdm_t) ++dev_getattr_null_dev(xdm_t) ++dev_setattr_null_dev(xdm_t) + + domain_use_interactive_fds(xdm_t) + # Do not audit denied probes of /proc. 
+ domain_dontaudit_read_all_domains_state(xdm_t) ++domain_dontaudit_ptrace_all_domains(xdm_t) + + files_read_etc_files(xdm_t) + files_read_var_files(xdm_t) +@@ -431,9 +489,13 @@ + files_read_usr_files(xdm_t) + # Poweroff wants to create the /poweroff file when run from xdm + files_create_boot_flag(xdm_t) ++files_dontaudit_getattr_boot_dirs(xdm_t) ++files_dontaudit_write_usr_files(xdm_t) + + fs_getattr_all_fs(xdm_t) + fs_search_auto_mountpoints(xdm_t) ++fs_rw_anon_inodefs_files(xdm_t) ++fs_mount_tmpfs(xdm_t) + + storage_dontaudit_read_fixed_disk(xdm_t) + storage_dontaudit_write_fixed_disk(xdm_t) +@@ -442,6 +504,7 @@ + storage_dontaudit_raw_write_removable_device(xdm_t) + storage_dontaudit_setattr_removable_dev(xdm_t) + storage_dontaudit_rw_scsi_generic(xdm_t) ++storage_dontaudit_rw_fuse(xdm_t) + + term_setattr_console(xdm_t) + term_use_unallocated_ttys(xdm_t) +@@ -450,6 +513,7 @@ + auth_domtrans_pam_console(xdm_t) + auth_manage_pam_pid(xdm_t) + auth_manage_pam_console_data(xdm_t) ++auth_signal_pam(xdm_t) + auth_rw_faillog(xdm_t) + auth_write_login_records(xdm_t) + +@@ -460,10 +524,10 @@ + + logging_read_generic_logs(xdm_t) + ++miscfiles_dontaudit_write_fonts(xdm_t) + miscfiles_read_localization(xdm_t) + miscfiles_read_fonts(xdm_t) +- +-sysnet_read_config(xdm_t) ++miscfiles_manage_localization(xdm_t) + + userdom_dontaudit_use_unpriv_user_fds(xdm_t) + userdom_create_all_users_keys(xdm_t) +@@ -472,6 +536,8 @@ + # Search /proc for any user domain processes. + userdom_read_all_users_state(xdm_t) + userdom_signal_all_users(xdm_t) ++userdom_manage_user_tmp_sockets(xdm_t) ++userdom_manage_tmpfs_role(system_r, xdm_t) + + xserver_rw_session(xdm_t,xdm_tmpfs_t) + xserver_unconfined(xdm_t) +@@ -504,10 +570,12 @@ + + optional_policy(` + alsa_domtrans(xdm_t) ++ alsa_read_rw_config(xdm_t) ') - # -@@ -57,3 +63,5 @@ - ifdef(`distro_gentoo',` - /var/lib/dhcpc(/.*)? 
gen_context(system_u:object_r:dhcpc_state_t,s0) + optional_policy(` + consolekit_dbus_chat(xdm_t) ++ consolekit_read_log(xdm_t) ') -+ -+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-07 16:01:44.000000000 -0400 -@@ -43,6 +43,39 @@ - sysnet_domtrans_dhcpc($1) - role $2 types dhcpc_t; + optional_policy(` +@@ -515,12 +583,41 @@ + ') + + optional_policy(` ++ # Use dbus to start other processes as xdm_t ++ dbus_role_template(xdm, system_r, xdm_t) + -+ sysnet_run_ifconfig(dhcpc_t, $2) ++ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; + -+ modutils_run_insmod(dhcpc_t, $2) ++ corecmd_bin_entry_type(xdm_t) ++ ++ dbus_system_bus_client(xdm_t) + + optional_policy(` -+ consoletype_run(dhcpc_t, $2) ++ devicekit_power_dbus_chat(xdm_t) + ') ++ + optional_policy(` -+ hostname_run(dhcpc_t, $2) ++ hal_dbus_chat(xdm_t) + ') + + optional_policy(` -+ netutils_run_ping(dhcpc_t, $2) -+ ') -+ optional_policy(` -+ netutils_run(dhcpc_t, $2) -+ ') -+ optional_policy(` -+ networkmanager_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nis_run_ypbind(dhcpc_t, $2) ++ networkmanager_dbus_chat(xdm_t) + ') + -+ optional_policy(` -+ nscd_run(dhcpc_t, $2) -+ ') -+ optional_policy(` -+ ntp_run(dhcpc_t, $2) -+ ') -+ seutil_run_setfiles(dhcpc_t, $2) - ') - - ######################################## -@@ -192,7 +225,25 @@ - type dhcpc_state_t; - ') - -- allow $1 dhcpc_state_t:file read_file_perms; -+ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + -+####################################### -+## -+## Delete the dhcp client state files. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+interface(`sysnet_delete_dhcpc_state',` -+ gen_require(` -+ type dhcpc_state_t; -+ ') + -+ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) - ') - - ####################################### -@@ -230,7 +281,7 @@ - ') - - files_search_etc($1) -- allow $1 net_conf_t:file read_file_perms; -+ read_files_pattern($1, net_conf_t, net_conf_t) - ') - - ####################################### -@@ -323,7 +374,8 @@ - type net_conf_t; - ') - -- allow $1 net_conf_t:file manage_file_perms; -+ allow $1 net_conf_t:dir list_dir_perms; -+ manage_files_pattern($1, net_conf_t, net_conf_t) ++optional_policy(` + # Talk to the console mouse server. + gpm_stream_connect(xdm_t) + gpm_setattr_gpmctl(xdm_t) ') - ####################################### -@@ -541,6 +593,7 @@ - type net_conf_t; - ') - -+ allow $1 self:netlink_route_socket r_netlink_socket_perms; - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - -@@ -557,6 +610,14 @@ - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; -+ -+ optional_policy(` -+ avahi_stream_connect($1) -+ ') + optional_policy(` ++ gnome_read_gconf_config(xdm_t) ++') + -+ optional_policy(` -+ nscd_socket_use($1) -+ ') ++optional_policy(` + hostname_exec(xdm_t) ') - ######################################## -@@ -586,6 +647,8 @@ - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; -+ # LDAP Configuration using encrypted requires -+ dev_read_urand($1) +@@ -542,6 +639,23 @@ ') - ######################################## -@@ -620,3 +683,49 @@ - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - ') -+ -+######################################## -+## -+## Do not audit attempts to use -+## the dhcp file descriptors. -+## -+## -+## -+## The domain sending the SIGCHLD. 
-+## -+## -+# -+interface(`sysnet_dontaudit_dhcpc_use_fds',` -+ gen_require(` -+ type dhcpc_t; -+ ') -+ -+ dontaudit $1 dhcpc_t:fd use; + optional_policy(` ++ polkit_domtrans_auth(xdm_t) ++ polkit_read_lib(xdm_t) ++ polkit_read_reload(xdm_t) +') + -+######################################## -+## -+## Transition to system_r when execute an dhclient script -+## -+## -+##

-+## Execute dhclient script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##
-+## -+## -+## Role to transition from. -+## -+## -+interface(`sysnet_role_transition_dhcpc',` -+ gen_require(` -+ type dhcpc_exec_t; -+ ') ++optional_policy(` ++ pulseaudio_exec(xdm_t) ++') + -+ role_transition $1 dhcpc_exec_t system_r; ++# On crash gdm execs gdb to dump stack ++optional_policy(` ++ rpm_exec(xdm_t) ++ rpm_read_db(xdm_t) ++ rpm_dontaudit_manage_db(xdm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-07 16:01:44.000000000 -0400 -@@ -20,6 +20,9 @@ - init_daemon_domain(dhcpc_t,dhcpc_exec_t) - role system_r types dhcpc_t; - -+type dhcpc_helper_exec_t; -+init_script_file(dhcpc_helper_exec_t) + - type dhcpc_state_t; - files_type(dhcpc_state_t) - -@@ -41,21 +44,22 @@ - # - # DHCP client local policy - # --allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; -+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config }; - dontaudit dhcpc_t self:capability sys_tty_config; - # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit dhcpc_t self:capability { dac_read_search sys_module }; --allow dhcpc_t self:process signal_perms; --allow dhcpc_t self:fifo_file rw_file_perms; -+allow dhcpc_t self:process { setfscreate ptrace signal_perms }; -+allow dhcpc_t self:fifo_file rw_fifo_file_perms; - allow dhcpc_t self:tcp_socket create_stream_socket_perms; - allow dhcpc_t self:udp_socket create_socket_perms; - allow dhcpc_t self:packet_socket create_socket_perms; --allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; -+allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; - - allow dhcpc_t 
dhcp_etc_t:dir list_dir_perms; - read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) - exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) - -+allow dhcpc_t dhcp_state_t:file read_file_perms; - manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) - filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) - -@@ -65,7 +69,7 @@ - - # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files - # in /etc created by dhcpcd will be labelled net_conf_t. --allow dhcpc_t net_conf_t:file manage_file_perms; -+sysnet_manage_config(dhcpc_t) - files_etc_filetrans(dhcpc_t,net_conf_t,file) - - # create temp files -@@ -116,7 +120,7 @@ - corecmd_exec_shell(dhcpc_t) - - domain_use_interactive_fds(dhcpc_t) --domain_dontaudit_list_all_domains_state(dhcpc_t) -+domain_dontaudit_read_all_domains_state(dhcpc_t) ++optional_policy(` + seutil_sigchld_newrole(xdm_t) + ') - files_read_etc_files(dhcpc_t) - files_read_etc_runtime_files(dhcpc_t) -@@ -183,25 +187,23 @@ +@@ -550,8 +664,9 @@ ') optional_policy(` -- nis_use_ypbind(dhcpc_t) -- nis_signal_ypbind(dhcpc_t) -- nis_read_ypbind_pid(dhcpc_t) -- nis_delete_ypbind_pid(dhcpc_t) -+ networkmanager_domtrans(dhcpc_t) -+ networkmanager_read_pid_files(dhcpc_t) +- unconfined_domain(xdm_t) +- unconfined_domtrans(xdm_t) ++ unconfined_shell_domtrans(xdm_t) ++ unconfined_signal(xdm_t) +') -- # dhclient sometimes starts ypbind -- init_exec_script_files(dhcpc_t) -- nis_domtrans_ypbind(dhcpc_t) -+optional_policy(` -+ nis_ypbind_initrc_domtrans(dhcpc_t) -+ nis_read_ypbind_pid(dhcpc_t) - ') + ifndef(`distro_redhat',` + allow xdm_t self:process { execheap execmem }; +@@ -560,7 +675,6 @@ + ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; + ') +-') optional_policy(` -+ nscd_initrc_domtrans(dhcpc_t) - nscd_domtrans(dhcpc_t) - nscd_read_pid(dhcpc_t) + userhelper_dontaudit_search_config(xdm_t) +@@ -571,6 +685,10 @@ ') optional_policy(` -- # dhclient sometimes starts ntpd -- init_exec_script_files(dhcpc_t) -- 
ntp_domtrans(dhcpc_t) -+ ntp_initrc_domtrans(dhcpc_t) ++ wm_exec(xdm_t) ++') ++ ++optional_policy(` + xfs_stream_connect(xdm_t) ') - optional_policy(` -@@ -212,6 +214,7 @@ - optional_policy(` - seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) -+ seutil_domtrans_setfiles(dhcpc_t) - ') +@@ -587,7 +705,7 @@ + # execheap needed until the X module loader is fixed. + # NVIDIA Needs execstack - optional_policy(` -@@ -223,6 +226,10 @@ - ') +-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; ++allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + dontaudit xserver_t self:capability chown; + allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow xserver_t self:memprotect mmap_zero; +@@ -602,9 +720,11 @@ + allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow xserver_t self:tcp_socket create_stream_socket_perms; + allow xserver_t self:udp_socket create_socket_perms; ++allow xserver_t self:netlink_selinux_socket create_socket_perms; - optional_policy(` -+ vmware_append_log(dhcpc_t) -+') -+ -+optional_policy(` - kernel_read_xen_state(dhcpc_t) - kernel_write_xen_state(dhcpc_t) - xen_append_log(dhcpc_t) -@@ -236,7 +243,6 @@ + # Device rules + allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; ++allow x_domain xserver_t:x_screen getattr; - allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; - allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; --dontaudit ifconfig_t self:capability sys_module; + allow xserver_t { input_xevent_t input_xevent_type }:x_event send; - allow ifconfig_t self:fd use; - allow ifconfig_t self:fifo_file 
rw_fifo_file_perms; -@@ -250,6 +256,7 @@ - allow ifconfig_t self:sem create_sem_perms; - allow ifconfig_t self:msgq create_msgq_perms; - allow ifconfig_t self:msg { send receive }; -+allow ifconfig_t net_conf_t:file read_file_perms; +@@ -622,7 +742,7 @@ + manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) + files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) - # Create UDP sockets, necessary when called from dhcpc - allow ifconfig_t self:udp_socket create_socket_perms; -@@ -259,13 +266,20 @@ - allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; - allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; - allow ifconfig_t self:tcp_socket { create ioctl }; +-filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) ++#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file) + + manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) + manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +@@ -635,9 +755,19 @@ + manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) + files_search_var_lib(xserver_t) + ++manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) ++manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) ++files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) + -+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) ++manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) ++manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) ++manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) ++files_pid_filetrans(xserver_t, xserver_var_run_t, { dir file }) + - files_read_etc_files(ifconfig_t); -+files_read_etc_runtime_files(ifconfig_t); + # Create files in /var/log with the xserver_log_t type. 
+ manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) + logging_log_filetrans(xserver_t, xserver_log_t,file) ++manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) - kernel_use_fds(ifconfig_t) - kernel_read_system_state(ifconfig_t) - kernel_read_network_state(ifconfig_t) - kernel_search_network_sysctl(ifconfig_t) -+kernel_search_debugfs(ifconfig_t) - kernel_rw_net_sysctls(ifconfig_t) -+# This should be put inside a boolean, but can not because of attributes -+kernel_load_module(ifconfig_t) + kernel_read_system_state(xserver_t) + kernel_read_device_sysctls(xserver_t) +@@ -680,9 +810,14 @@ + dev_rw_xserver_misc(xserver_t) + # read events - the synaptics touchpad driver reads raw events + dev_rw_input_dev(xserver_t) ++dev_read_raw_memory(xserver_t) ++dev_write_raw_memory(xserver_t) + dev_rwx_zero(xserver_t) - corenet_rw_tun_tap_dev(ifconfig_t) ++domain_mmap_low_type(xserver_t) + domain_mmap_low(xserver_t) ++domain_dontaudit_read_all_domains_state(xserver_t) ++domain_signal_all_domains(xserver_t) -@@ -276,8 +290,13 @@ - fs_getattr_xattr_fs(ifconfig_t) - fs_search_auto_mountpoints(ifconfig_t) + files_read_etc_files(xserver_t) + files_read_etc_runtime_files(xserver_t) +@@ -697,8 +832,13 @@ + fs_search_nfs(xserver_t) + fs_search_auto_mountpoints(xserver_t) + fs_search_ramfs(xserver_t) ++fs_list_inotifyfs(xdm_t) ++fs_rw_tmpfs_files(xserver_t) -+selinux_dontaudit_getattr_fs(ifconfig_t) -+ -+term_dontaudit_use_console(ifconfig_t) - term_dontaudit_use_all_user_ttys(ifconfig_t) - term_dontaudit_use_all_user_ptys(ifconfig_t) -+term_dontaudit_use_ptmx(ifconfig_t) -+term_dontaudit_use_generic_ptys(ifconfig_t) + mls_xwin_read_to_clearance(xserver_t) ++mls_process_write_to_clearance(xserver_t) ++mls_file_read_to_clearance(xserver_t) ++mls_file_write_all_levels(xserver_t) - domain_use_interactive_fds(ifconfig_t) + selinux_validate_context(xserver_t) + selinux_compute_access_vector(xserver_t) +@@ -720,6 +860,7 @@ -@@ -296,6 +315,8 @@ + 
miscfiles_read_localization(xserver_t) + miscfiles_read_fonts(xserver_t) ++miscfiles_read_hwdata(xserver_t) - seutil_use_runinit_fds(ifconfig_t) + modutils_domtrans_insmod(xserver_t) -+sysnet_dns_name_resolve(ifconfig_t) -+ - userdom_use_user_terminals(ifconfig_t) - userdom_use_all_users_fds(ifconfig_t) +@@ -742,7 +883,7 @@ + ') -@@ -332,6 +353,14 @@ + ifdef(`enable_mls',` +- range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; ++# range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; + range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; + ') + +@@ -774,12 +915,16 @@ ') optional_policy(` -+ unconfined_dontaudit_rw_pipes(ifconfig_t) -+') -+ -+optional_policy(` -+ vmware_append_log(ifconfig_t) ++ devicekit_power_signal(xserver_t) +') + +optional_policy(` - kernel_read_xen_state(ifconfig_t) - kernel_write_xen_state(ifconfig_t) - xen_append_log(ifconfig_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-07 16:01:44.000000000 -0400 -@@ -210,6 +210,10 @@ + rhgb_getpgid(xserver_t) + rhgb_signal(xserver_t) ') optional_policy(` -+ devicekit_read_pid_files(udev_t) +- unconfined_domain_noaudit(xserver_t) ++ unconfined_domain(xserver_t) + unconfined_domtrans(xserver_t) + ') + +@@ -806,7 +951,7 @@ + allow xserver_t xdm_var_lib_t:file { getattr read }; + dontaudit xserver_t xdm_var_lib_t:dir search; + +-allow xserver_t xdm_var_run_t:file read_file_perms; ++read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) + + # Label pid and temporary files with derived types. + manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -827,9 +972,14 @@ + # to read ROLE_home_t - examine this in more detail + # (xauth?) 
+ userdom_read_user_home_content_files(xserver_t) ++userdom_read_all_users_state(xserver_t) + + xserver_use_user_fonts(xserver_t) + ++optional_policy(` ++ userhelper_search_config(xserver_t) +') + -+optional_policy(` - lvm_domtrans(udev_t) - ') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(xserver_t) + fs_manage_nfs_files(xserver_t) +@@ -844,11 +994,14 @@ -@@ -242,6 +246,10 @@ + optional_policy(` + dbus_system_bus_client(xserver_t) ++ ++ optional_policy(` + hal_dbus_chat(xserver_t) ') ++') optional_policy(` -+ rpm_search_log(udev_t) -+') -+ -+optional_policy(` - kernel_write_xen_state(udev_t) - kernel_read_xen_state(udev_t) - xen_manage_log(udev_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.12/policy/modules/system/unconfined.fc ---- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -2,15 +2,28 @@ - # e.g.: - # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) - # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t --/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) -- --/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -- --/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +- resmgr_stream_connect(xdm_t) ++ 
mono_rw_shm(xserver_t) + ') -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - ifdef(`distro_gentoo',` --/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + optional_policy(` +@@ -856,6 +1009,11 @@ + rhgb_rw_tmpfs_files(xserver_t) ') -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + ++optional_policy(` ++ rpm_dontaudit_rw_shm(xserver_t) ++ rpm_rw_tmpfs_files(xserver_t) ++') + -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) + ######################################## + # + # Rules common to all X window domains +@@ -881,6 +1039,8 @@ + # X Server + # can read server-owned resources + allow x_domain xserver_t:x_resource read; ++allow x_domain xserver_t:x_device { manage force_cursor }; + -+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + # can mess with own clients + allow x_domain self:x_client { manage destroy }; + +@@ -905,6 +1065,8 @@ + # operations allowed on my windows + allow x_domain 
self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; + ++allow x_domain x_domain:x_drawable { get_property getattr list_child }; + -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-07 16:01:44.000000000 -0400 -@@ -12,14 +12,13 @@ - # - interface(`unconfined_domain_noaudit',` - gen_require(` -- type unconfined_t; - class dbus all_dbus_perms; - class nscd all_nscd_perms; - class passwd all_passwd_perms; - ') - - # Use any Linux capability. -- allow $1 self:capability *; -+ allow $1 self:capability all_capabilities; - allow $1 self:fifo_file manage_fifo_file_perms; - - # Transition to myself, to make get_ordered_context_list happy. -@@ -27,12 +26,13 @@ - - # Write access is for setting attributes under /proc/self/attr. 
- allow $1 self:file rw_file_perms; -+ allow $1 self:dir rw_dir_perms; - - # Userland object managers -- allow $1 self:nscd *; -- allow $1 self:dbus *; -- allow $1 self:passwd *; -- allow $1 self:association *; -+ allow $1 self:nscd all_nscd_perms; -+ allow $1 self:dbus all_dbus_perms; -+ allow $1 self:passwd all_passwd_perms; -+ allow $1 self:association all_association_perms; - - kernel_unconfined($1) - corenet_unconfined($1) -@@ -44,6 +44,16 @@ - fs_unconfined($1) - selinux_unconfined($1) + # X Colormaps + # can use the default colormap + allow x_domain rootwindow_t:x_colormap { read use add_color }; +@@ -972,17 +1134,49 @@ + allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; + allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -+ domain_mmap_low_type($1) +-ifdef(`TODO',` +-tunable_policy(`allow_polyinstantiation',` +-# xdm needs access for linking .X11-unix to poly /tmp +-allow xdm_t polymember:dir { add_name remove_name write }; +-allow xdm_t polymember:lnk_file { create unlink }; +-# xdm needs access for copying .Xauthority into new home +-allow xdm_t polymember:file { create getattr write }; ++allow xserver_unconfined_type self:x_drawable all_x_drawable_perms; ++allow xserver_unconfined_type self:x_screen all_x_screen_perms; ++allow xserver_unconfined_type self:x_gc all_x_gc_perms; ++allow xserver_unconfined_type self:x_font all_x_font_perms; ++allow xserver_unconfined_type self:x_colormap all_x_colormap_perms; ++allow xserver_unconfined_type self:x_property all_x_property_perms; ++allow xserver_unconfined_type self:x_selection all_x_selection_perms; ++allow xserver_unconfined_type self:x_cursor all_x_cursor_perms; ++allow xserver_unconfined_type self:x_client all_x_client_perms; ++allow xserver_unconfined_type self:x_device all_x_device_perms; ++allow xserver_unconfined_type self:x_server all_x_server_perms; ++allow xserver_unconfined_type self:x_extension all_x_extension_perms; ++allow xserver_unconfined_type 
self:x_resource all_x_resource_perms; ++allow xserver_unconfined_type self:x_event all_x_event_perms; ++allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms; + -+ mls_file_read_all_levels($1) ++optional_policy(` ++ unconfined_rw_shm(xserver_t) ++ unconfined_execmem_rw_shm(xserver_t) + -+ ubac_process_exempt($1) ++ # xserver signals unconfined user on startx ++ unconfined_signal(xserver_t) ++ unconfined_getpgid(xserver_t) ++') + -+ tunable_policy(`allow_unconfined_mmap_low',` -+ domain_mmap_low($1) -+ ') ++tunable_policy(`allow_xserver_execmem',` ++ allow xserver_t self:process { execheap execmem execstack }; ++') + - tunable_policy(`allow_execheap',` - # Allow making the stack executable via mprotect. - allow $1 self:process execheap; -@@ -69,6 +79,7 @@ - optional_policy(` - # Communicate via dbusd. - dbus_system_bus_unconfined($1) -+ dbus_unconfined($1) - ') ++# Hack to handle the problem of using the nvidia blobs ++tunable_policy(`allow_execmem',` ++ allow xdm_t self:process execmem; ++') ++ ++tunable_policy(`allow_execstack',` ++ allow xdm_t self:process { execstack execmem }; ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_append_nfs_files(xdmhomewriter) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_append_cifs_files(xdmhomewriter) + ') - optional_policy(` -@@ -227,13 +238,9 @@ +-# +-# Wants to delete .xsession-errors file +-# +-allow xdm_t user_home_type:file unlink; +-') dnl end TODO +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.12/policy/modules/services/zosremote.if +--- nsaserefpolicy/policy/modules/services/zosremote.if 2009-03-20 12:39:39.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/zosremote.if 2009-04-07 16:01:44.000000000 -0400 +@@ -12,7 +12,7 @@ # - interface(`unconfined_shell_domtrans',` - gen_require(` -- type unconfined_t; -+ attribute unconfined_login_domain; - ') -- -- 
corecmd_shell_domtrans($1,unconfined_t) -- allow unconfined_t $1:fd use; -- allow unconfined_t $1:fifo_file rw_file_perms; -- allow unconfined_t $1:process sigchld; -+ typeattribute $1 unconfined_login_domain; - ') + interface(`zosremote_domtrans',` + gen_require(` +- type zos_remote_t, type zos_remote_exec_t; ++ type zos_remote_t, zos_remote_exec_t; + ') - ######################################## -@@ -367,6 +374,42 @@ + domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.12/policy/modules/system/application.te +--- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/application.te 2009-04-07 16:01:44.000000000 -0400 +@@ -7,8 +7,18 @@ + # Executables to be run by user + attribute application_exec_type; - ######################################## - ## -+## Send a SIGNULL signal to the unconfined execmem domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_execmem_signull',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') -+ -+ allow $1 unconfined_execmem_t:process signull; -+') ++userdom_append_user_home_content_files(application_domain_type) ++userdom_write_user_tmp_files(application_domain_type) ++logging_rw_all_logs(application_domain_type) + -+######################################## -+## -+## Send a signal to the unconfined execmem domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`unconfined_execmem_signal',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') ++files_dontaudit_search_all_dirs(application_domain_type) + -+ allow $1 unconfined_execmem_t:process signal; + optional_policy(` + ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) + ') + ++optional_policy(` ++ sudo_sigchld(application_domain_type) +') + -+######################################## -+## - ## Send generic signals to the unconfined domain. - ## - ## -@@ -458,6 +501,25 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc +--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -7,12 +7,10 @@ + /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) + /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - ######################################## - ## -+## Do not audit attempts to read and write -+## unconfined domain stream. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`unconfined_dontaudit_rw_stream',` -+ gen_require(` -+ type unconfined_t; -+ ') +-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) +-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) +- + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) + /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) + /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) + /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ifdef(`distro_suse', ` +@@ -40,6 +38,10 @@ + /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) + + /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) +- + /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) ++/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + -+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; -+') + /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) ++/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + -+######################################## -+## - ## Connect to the unconfined domain using - ## a unix domain stream socket. - ## -@@ -581,3 +643,150 @@ ++/var/cache/coolkey(/.*)? 
gen_context(system_u:object_r:auth_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if +--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-04-07 16:01:44.000000000 -0400 +@@ -43,20 +43,38 @@ + interface(`auth_login_pgm_domain',` + gen_require(` + type var_auth_t; ++ type auth_cache_t; + ') - allow $1 unconfined_t:dbus acquire_svc; - ') + domain_type($1) ++ domain_poly($1) + -+######################################## -+## -+## Allow ptrace of unconfined domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_ptrace',` -+ gen_require(` -+ type unconfined_t; + domain_subj_id_change_exemption($1) + domain_role_change_exemption($1) + domain_obj_id_change_exemption($1) + role system_r types $1; + ++ # Needed for pam_selinux_permit to cleanup properly ++ domain_read_all_domains_state($1) ++ domain_kill_all_domains($1) ++ ++ # pam_keyring ++ allow $1 self:capability ipc_lock; ++ allow $1 self:process setkeycreate; ++ allow $1 self:key manage_key_perms; ++ userdom_manage_all_users_keys($1) ++ + files_list_var_lib($1) + manage_files_pattern($1, var_auth_t, var_auth_t) + + # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 + kernel_rw_afs_state($1) + ++ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) ++ manage_files_pattern($1, auth_cache_t, auth_cache_t) ++ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) ++ files_var_filetrans($1, auth_cache_t, dir) ++ + # for SSP/ProPolice + dev_read_urand($1) + # for fingerprint readers +@@ -90,6 +108,7 @@ + auth_rw_faillog($1) + auth_exec_pam($1) + auth_use_nsswitch($1) ++ auth_manage_pam_pid($1) + + init_rw_utmp($1) + +@@ -100,11 +119,40 @@ + seutil_read_config($1) + seutil_read_default_contexts($1) + +- 
tunable_policy(`allow_polyinstantiation',` +- files_polyinstantiate_all($1) ++ userdom_set_rlimitnh($1) ++ userdom_read_user_home_content_symlinks($1) ++ userdom_delete_user_tmp_files($1) ++ userdom_search_admin_dir($1) ++ ++ optional_policy(` ++ afs_rw_udp_sockets($1) + ') + -+ allow $1 unconfined_t:process ptrace; ++ optional_policy(` ++ dbus_system_bus_client($1) ++ optional_policy(` ++ oddjob_dbus_chat($1) ++ oddjob_domtrans_mkhomedir($1) + ') + ') + ++ optional_policy(` ++ corecmd_exec_bin($1) ++ storage_getattr_fixed_disk_dev($1) ++ mount_domtrans($1) ++ ') ++ ++ optional_policy(` ++ nis_authenticate($1) ++ ') ++ ++ optional_policy(` ++ ssh_agent_exec($1) ++ userdom_read_user_home_content_files($1) ++ ') ++ ++') ++ + ######################################## + ## + ## Use the login program as an entry point program. +@@ -197,8 +245,11 @@ + interface(`auth_domtrans_chk_passwd',` + gen_require(` + type chkpwd_t, chkpwd_exec_t, shadow_t; ++ type auth_cache_t; + ') + ++ allow $1 auth_cache_t:dir search_dir_perms; ++ + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + +@@ -207,19 +258,16 @@ + dev_read_rand($1) + dev_read_urand($1) + ++ auth_use_nsswitch($1) ++ auth_rw_faillog($1) ++ + logging_send_audit_msgs($1) + + miscfiles_read_certs($1) + +- sysnet_dns_name_resolve($1) +- sysnet_use_ldap($1) +- +- optional_policy(` +- kerberos_use($1) +- ') +- + optional_policy(` +- nis_use_ypbind($1) ++ kerberos_read_keytab($1) ++ kerberos_connect_524($1) + ') + + optional_policy(` +@@ -230,6 +278,29 @@ + optional_policy(` + samba_stream_connect_winbind($1) + ') ++ auth_domtrans_upd_passwd($1) +') + +######################################## +## -+## Read and write to unconfined shared memory. ++## Run unix_chkpwd to check a password. ++## Stripped down version to be called within boolean +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. 
+## +## +# -+interface(`unconfined_rw_shm',` ++interface(`auth_domtrans_chkpwd',` + gen_require(` -+ type unconfined_t; ++ type chkpwd_t, chkpwd_exec_t, shadow_t; + ') + -+ allow $1 unconfined_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Read and write to unconfined execmem shared memory. ++ corecmd_search_bin($1) ++ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) ++ dontaudit $1 shadow_t:file { getattr read }; ++ auth_domtrans_upd_passwd($1) + ') + + ######################################## +@@ -254,6 +325,7 @@ + + auth_domtrans_chk_passwd($1) + role $2 types chkpwd_t; ++ auth_run_upd_passwd($1, $2) + ') + + ######################################## +@@ -650,7 +722,7 @@ + + ######################################## + ## +-## Execute pam programs in the pam domain. ++## Send signal to pam process + ## + ## + ## +@@ -1031,6 +1103,32 @@ + + ######################################## + ## ++## rw all files on the filesystem, except ++## the shadow passwords and listed exceptions. +## +## +## -+## The type of the process performing this action. ++## The type of the domain perfoming this action. ++## ++## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. +## +## +# -+interface(`unconfined_execmem_rw_shm',` ++ ++interface(`auth_rw_all_files_except_shadow',` + gen_require(` -+ type unconfined_execmem_t; ++ type shadow_t; + ') + -+ allow $1 unconfined_execmem_t:shm rw_shm_perms; ++ files_rw_all_files($1,$2 -shadow_t) +') + +######################################## +## -+## Transition to the unconfined_execmem domain. + ## Manage all files on the filesystem, except + ## the shadow passwords and listed exceptions. 
+ ## +@@ -1297,6 +1395,14 @@ + ') + + optional_policy(` ++ ldap_stream_connect($1) ++ ') ++ ++ optional_policy(` ++ kerberos_use($1) ++ ') ++ ++ optional_policy(` + nis_use_ypbind($1) + ') + +@@ -1305,8 +1411,13 @@ + ') + + optional_policy(` ++ sssd_stream_connect($1) ++ ') ++ ++ optional_policy(` + samba_stream_connect_winbind($1) + samba_read_var_files($1) ++ samba_dontaudit_write_var_files($1) + ') + ') + +@@ -1341,3 +1452,99 @@ + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; + ') ++ ++######################################## ++## ++## Search authentication cache +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`unconfined_execmem_domtrans',` -+ ++interface(`auth_search_cache',` + gen_require(` -+ type unconfined_execmem_t, execmem_exec_t; ++ type auth_cache_t; + ') + -+ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) ++ allow $1 auth_cache_t:dir search_dir_perms; +') + +######################################## +## -+## execute the execmem applications ++## Read authentication cache +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`unconfined_execmem_exec',` -+ ++interface(`auth_read_cache',` + gen_require(` -+ type execmem_exec_t; ++ type auth_cache_t; + ') + -+ can_exec($1, execmem_exec_t) ++ read_files_pattern($1, auth_cache_t, auth_cache_t) +') + +######################################## +## -+## Allow apps to set rlimits on userdomain ++## Read/Write authentication cache +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`unconfined_set_rlimitnh',` ++interface(`auth_rw_cache',` + gen_require(` -+ type unconfined_t; ++ type auth_cache_t; + ') + -+ allow $1 unconfined_t:process rlimitinh; ++ rw_files_pattern($1, auth_cache_t, auth_cache_t) +') -+ +######################################## +## -+## Get the process group of unconfined. ++## Manage authentication cache +## +## +## +## Domain allowed access. 
+## +## ++## +# -+interface(`unconfined_getpgid',` ++interface(`auth_manage_cache',` + gen_require(` -+ type unconfined_t; ++ type auth_cache_t; + ') + -+ allow $1 unconfined_t:process getpgid; ++ manage_files_pattern($1, auth_cache_t, auth_cache_t) +') + -+######################################## ++####################################### +## -+## Change to the unconfined role. ++## Automatic transition from cache_t to cache. +## -+## ++## +## -+## Role allowed access. ++## Domain allowed access. +## +## -+## +# -+interface(`unconfined_role_change',` ++interface(`auth_filetrans_cache',` + gen_require(` -+ role unconfined_r; ++ type auth_cache_t; + ') + -+ allow $1 unconfined_r; ++ manage_files_pattern($1, auth_cache_t, auth_cache_t) ++ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) ++ files_var_filetrans($1,auth_cache_t,{ file dir } ) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te +--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.te 2009-04-07 16:01:44.000000000 -0400 +@@ -12,7 +12,7 @@ + + type chkpwd_t, can_read_shadow_passwords; + type chkpwd_exec_t; +-typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; ++typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t }; + typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; + application_domain(chkpwd_t, chkpwd_exec_t) + role system_r types chkpwd_t; +@@ -63,6 +63,9 @@ + type utempter_exec_t; + application_domain(utempter_t,utempter_exec_t) + ++type auth_cache_t; ++logging_log_file(auth_cache_t) ++ + # + # var_auth_t is the type of /var/lib/auth, usually + # used for auth data in pam_able +@@ -121,9 +124,18 @@ + ') + + optional_policy(` ++ # apache leaks file descriptors ++ apache_dontaudit_rw_tcp_sockets(chkpwd_t) ++') ++ 
++optional_policy(` + kerberos_use(chkpwd_t) + ') + ++optional_policy(` ++ nis_authenticate(chkpwd_t) +') ++ + ######################################## + # + # PAM local policy +@@ -168,6 +180,11 @@ + + logging_send_syslog_msg(pam_t) + ++userdom_write_user_tmp_files(pam_t) ++userdom_delete_user_tmp_files(pam_t) ++userdom_dontaudit_read_user_home_content_files(pam_t) ++userdom_dontaudit_write_user_home_content_files(pam_t) ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(pam_t) +@@ -183,7 +200,7 @@ + # PAM console local policy + # + +-allow pam_console_t self:capability { chown fowner fsetid }; ++allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid }; + dontaudit pam_console_t self:capability sys_tty_config; + + allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; +@@ -201,6 +218,8 @@ + dev_read_sysfs(pam_console_t) + dev_getattr_apm_bios_dev(pam_console_t) + dev_setattr_apm_bios_dev(pam_console_t) ++dev_getattr_cpu_dev(pam_console_t) ++dev_setattr_cpu_dev(pam_console_t) + dev_getattr_dri_dev(pam_console_t) + dev_setattr_dri_dev(pam_console_t) + dev_getattr_input_dev(pam_console_t) +@@ -225,6 +244,10 @@ + dev_setattr_video_dev(pam_console_t) + dev_getattr_xserver_misc_dev(pam_console_t) + dev_setattr_xserver_misc_dev(pam_console_t) ++ ++dev_getattr_all_chr_files(pam_console_t) ++dev_setattr_all_chr_files(pam_console_t) ++ + dev_read_urand(pam_console_t) + + mls_file_read_all_levels(pam_console_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.12/policy/modules/system/fstools.fc +--- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/fstools.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,4 +1,3 @@ +-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + 
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -21,7 +20,6 @@ + /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.12/policy/modules/system/fstools.te +--- nsaserefpolicy/policy/modules/system/fstools.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/fstools.te 2009-04-07 16:01:44.000000000 -0400 +@@ -97,6 +97,10 @@ + fs_getattr_tmpfs_dirs(fsadm_t) + fs_read_tmpfs_symlinks(fsadm_t) + ++fs_manage_nfs_files(fsadm_t) ++ ++fs_manage_cifs_files(fsadm_t) ++ + mls_file_read_all_levels(fsadm_t) + mls_file_write_all_levels(fsadm_t) + +@@ -150,8 +154,7 @@ + + seutil_read_config(fsadm_t) + +-userdom_use_user_terminals(fsadm_t) +-userdom_use_unpriv_users_fds(fsadm_t) ++term_use_all_terms(fsadm_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -188,4 +191,6 @@ + + optional_policy(` + xen_append_log(fsadm_t) ++ xen_rw_image_files(fsadm_t) + ') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.12/policy/modules/system/hostname.te +--- nsaserefpolicy/policy/modules/system/hostname.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/hostname.te 2009-04-07 16:01:44.000000000 -0400 +@@ -8,7 +8,9 @@ + + type hostname_t; + type hostname_exec_t; +-init_system_domain(hostname_t,hostname_exec_t) ++ ++#dont transition from 
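Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` are granted unconditionally, while the init.te daemon block later in this patch gates NFS/CIFS access on the `use_nfs_home_dirs` and `use_samba_home_dirs` tunables; wrapping these two lines in the same `tunable_policy(`use_nfs_home_dirs', …)` and `tunable_policy(`use_samba_home_dirs', …)` pairs would keep the filesystem tools off network shares by default. In the following hunk `term_use_all_terms(fsadm_t)` replaces the narrower `userdom_use_user_terminals`/`userdom_use_unpriv_users_fds` pair without a comment; one line like `# term_use_all_terms: needed for <case> — TODO confirm` would record the reason.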
initrc ++application_domain(hostname_t, hostname_exec_t) + role system_r types hostname_t; + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc +--- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -4,8 +4,7 @@ + /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +-/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) +-/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + +@@ -45,6 +44,8 @@ + /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + ++/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) ++ + # + # /var + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if +--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-09 10:06:45.000000000 -0400 +@@ -280,6 +280,29 @@ + kernel_dontaudit_use_fds($1) + ') + ') ++ ++ userdom_dontaudit_search_user_home_dirs($1) ++ userdom_dontaudit_rw_stream($1) ++ ++ tunable_policy(`allow_daemons_use_tty',` ++ term_use_all_user_ttys($1) ++ term_use_all_user_ptys($1) ++ ',` ++ term_dontaudit_use_all_user_ttys($1) ++ term_dontaudit_use_all_user_ptys($1) ++ ') ++ ++ # these apps are often redirect output to random log files ++ 
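Review bot: `/etc/rc\.d/rc\.[^/]+` now labels any file named `rc.<anything>` under /etc/rc.d as `initrc_exec_t`, not only `rc.sysinit` and `rc.local`, so editor backups such as `rc.local~` or `rc.local.orig` (constructed examples) would also become init-script entry points. If the broader match is intended, say so above the line, e.g. `# every /etc/rc.d/rc.* script is an init entry point`; if only the two original files are meant, `/etc/rc\.d/rc\.(sysinit|local)` keeps the old coverage in one line.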
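Review bot: Labeling `/usr/share/system-config-services/system-config-services-mechanism\.py` as `initrc_exec_t` turns a Python helper into an init-script entry point: any domain holding `init_domtrans_script` or `init_spec_domtrans_script` (both now keyed on the `init_script_file_type` attribute per the init.if hunk below) can execute it and land in `initrc_t`. If the helper is only meant to be launched through a privileged mechanism, a comment above the line should say so; otherwise a dedicated domain for it would be the narrower fit.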
logging_rw_all_logs($1) ++ ++ optional_policy(` ++ cron_rw_pipes($1) ++ ') ++ ++ optional_policy(` ++ xserver_rw_xdm_home_files($1) ++ ') ++ init_rw_script_stream_sockets($1) + ') + + ######################################## +@@ -546,7 +569,7 @@ + + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 init_t:unix_dgram_socket sendto; ++ init_chat($1) + ') + ') + +@@ -619,18 +642,19 @@ + # + interface(`init_spec_domtrans_script',` + gen_require(` +- type initrc_t, initrc_exec_t; ++ type initrc_t; ++ attribute init_script_file_type; + ') + + files_list_etc($1) +- spec_domtrans_pattern($1,initrc_exec_t,initrc_t) ++ spec_domtrans_pattern($1, init_script_file_type, initrc_t) + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; ++ range_transition $1 init_script_file_type:process s0; + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') + ') + +@@ -646,23 +670,43 @@ + # + interface(`init_domtrans_script',` + gen_require(` +- type initrc_t, initrc_exec_t; ++ type initrc_t; ++ attribute init_script_file_type; + ') + + files_list_etc($1) +- domtrans_pattern($1,initrc_exec_t,initrc_t) ++ domtrans_pattern($1, init_script_file_type, initrc_t) + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; ++ range_transition $1 init_script_file_type:process s0; + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') + ') + + ######################################## + ## ++## Execute a file in a bin directory ++## in the initrc_t domain ++## ++## ++## ++## Domain allowed access. 
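Review bot: `logging_rw_all_logs($1)` gives every domain created through this interface read and write access to every log file, so a compromised daemon could alter or truncate the logs of other services; the init.te block at the end of this patch uses `logging_append_all_logs(daemon)` for the same purpose, and append-only is the safer fit for the stated "redirect output to log files" case. Suggest `logging_append_all_logs($1)` here, and fix the comment to `# these apps often redirect output to random log files`. The interface this hunk extends begins before the hunk, so its name and the other rules it already grants are not visible here.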
++## ++## ++# ++interface(`init_bin_domtrans_spec',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ corecmd_bin_domtrans($1, initrc_t) ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -1291,6 +1335,25 @@ + + ######################################## + ## ++## Read init script temporary data. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_script_tmp_files',` ++ gen_require(` ++ type initrc_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ++') ++ ++######################################## ++## + ## Create files in a init script + ## temporary data directory. + ## +@@ -1521,3 +1584,51 @@ + ') + corenet_udp_recvfrom_labeled($1, daemon) + ') ++ ++######################################## ++## ++## Transition to system_r when execute an init script ++## ++## ++##

++## Execute a init script in a specified role ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##
++## ++## ++## Role to transition from. ++## ++## ++# ++interface(`init_script_role_transition',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ role_transition $1 init_script_file_type system_r; ++') ++ ++######################################## ++## ++## Send and receive unix_stream_messages with ++## init ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_chat',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_dgram_socket sendto; ++ allow init_t $1:unix_dgram_socket sendto; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te +--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-09 10:19:55.000000000 -0400 +@@ -17,6 +17,20 @@ + ##
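Review bot: The summary of `init_chat` says "Send and receive unix_stream_messages with init", but both rules grant `unix_dgram_socket sendto`; change the summary to `## Send and receive unix datagram messages with init`. `init_script_role_transition` applies `role_transition $1 init_script_file_type system_r` to the whole attribute, and since `init_spec_domtrans_script`/`init_domtrans_script` earlier in this file now key on the same attribute, a comment noting that any file another module adds to `init_script_file_type` also gains this role switch would help reviewers of future policy.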
+ gen_tunable(init_upstart,false) + ++## ++##

++## Allow all daemons the ability to read/write terminals ++##

++##
++gen_tunable(allow_daemons_use_tty, false) ++ ++## ++##

++## Allow all daemons to write corefiles to / ++##

++##
++gen_tunable(allow_daemons_dump_core, false) ++ + # used for direct running of init scripts + # by admin domains + attribute direct_run_init; +@@ -88,7 +102,7 @@ + # + + # Use capabilities. old rule: +-allow init_t self:capability ~sys_module; ++allow init_t self:capability ~{ audit_control audit_write sys_module }; + # is ~sys_module really needed? observed: + # sys_boot + # sys_tty_config +@@ -101,7 +115,7 @@ + # Re-exec itself + can_exec(init_t,init_exec_t) + +-allow init_t initrc_t:unix_stream_socket connectto; ++allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; + + # For /var/run/shutdown.pid. + allow init_t init_var_run_t:file manage_file_perms; +@@ -117,6 +131,8 @@ + kernel_read_system_state(init_t) + kernel_share_state(init_t) + ++fs_list_inotifyfs(init_t) ++ + corecmd_exec_chroot(init_t) + corecmd_exec_bin(init_t) + +@@ -167,6 +183,8 @@ + + miscfiles_read_localization(init_t) + ++allow init_t self:process setsched; ++ + ifdef(`distro_gentoo',` + allow init_t self:process { getcap setcap }; + ') +@@ -189,6 +207,14 @@ + ') + + optional_policy(` ++ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to ++ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up ++ # the directory. But we do not want to allow this. ++ # The master process of dovecot will manage this file. 
++ dovecot_dontaudit_unlink_lib_files(initrc_t) ++') ++ ++optional_policy(` + nscd_socket_use(init_t) + ') + +@@ -202,9 +228,10 @@ + # + + allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; +-allow initrc_t self:capability ~{ sys_admin sys_module }; ++allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; + dontaudit initrc_t self:capability sys_module; # sysctl is triggering this + allow initrc_t self:passwd rootok; ++allow initrc_t self:key { search }; + + # Allow IPC with self + allow initrc_t self:unix_dgram_socket create_socket_perms; +@@ -217,7 +244,8 @@ + term_create_pty(initrc_t,initrc_devpts_t) + + # Going to single user mode +-init_exec(initrc_t) ++init_telinit(initrc_t) ++init_chat(initrc_t) + + can_exec(initrc_t, init_script_file_type) + +@@ -230,10 +258,16 @@ + + allow initrc_t initrc_var_run_t:file manage_file_perms; + files_pid_filetrans(initrc_t,initrc_var_run_t,file) ++files_manage_generic_pids_symlinks(initrc_t) + + can_exec(initrc_t,initrc_tmp_t) +-allow initrc_t initrc_tmp_t:file manage_file_perms; +-allow initrc_t initrc_tmp_t:dir manage_dir_perms; ++allow initrc_t initrc_tmp_t:file relabelfrom; ++manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) + files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir }) + + init_write_initctl(initrc_t) +@@ -249,15 +283,19 @@ + kernel_rw_all_sysctls(initrc_t) + # for lsof which is used by alsa shutdown: + kernel_dontaudit_getattr_message_if(initrc_t) ++kernel_stream_connect(initrc_t) ++files_read_kernel_modules(initrc_t) + + files_read_kernel_symbol_table(initrc_t) ++files_exec_etc_files(initrc_t) ++fs_list_inotifyfs(initrc_t) + + 
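Review bot: `manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)` appears twice in this hunk; drop the duplicate. The hunk also moves initrc_t from plain file/dir management of `initrc_tmp_t` to creating block and character device nodes there (`manage_chr_files_pattern`, `manage_blk_files_pattern`), which is a real widening for a type that lives under the generic tmp directory via `files_tmp_filetrans`; a comment naming the script that needs device nodes, e.g. `# <script> creates device nodes in its tmp dir — TODO confirm`, should accompany it. `allow initrc_t initrc_tmp_t:file relabelfrom;` has no matching relabelto in the hunk, which may be deliberate but deserves a word.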
corenet_all_recvfrom_unlabeled(initrc_t) + corenet_all_recvfrom_netlabel(initrc_t) +-corenet_tcp_sendrecv_all_if(initrc_t) +-corenet_udp_sendrecv_all_if(initrc_t) +-corenet_tcp_sendrecv_all_nodes(initrc_t) +-corenet_udp_sendrecv_all_nodes(initrc_t) ++corenet_tcp_sendrecv_generic_if(initrc_t) ++corenet_udp_sendrecv_generic_if(initrc_t) ++corenet_tcp_sendrecv_generic_node(initrc_t) ++corenet_udp_sendrecv_generic_node(initrc_t) + corenet_tcp_sendrecv_all_ports(initrc_t) + corenet_udp_sendrecv_all_ports(initrc_t) + corenet_tcp_connect_all_ports(initrc_t) +@@ -274,12 +312,14 @@ + dev_read_sound_mixer(initrc_t) + dev_write_sound_mixer(initrc_t) + dev_setattr_all_chr_files(initrc_t) +-dev_read_lvm_control(initrc_t) ++dev_rw_lvm_control(initrc_t) + dev_delete_lvm_control_dev(initrc_t) + dev_manage_generic_symlinks(initrc_t) + dev_manage_generic_files(initrc_t) + # Wants to remove udev.tbl: + dev_delete_generic_symlinks(initrc_t) ++dev_getattr_all_blk_files(initrc_t) ++dev_getattr_all_chr_files(initrc_t) + + fs_register_binary_executable_type(initrc_t) + # rhgb-console writes to ramfs +@@ -328,7 +368,7 @@ + domain_sigchld_all_domains(initrc_t) + domain_read_all_domains_state(initrc_t) + domain_getattr_all_domains(initrc_t) +-domain_dontaudit_ptrace_all_domains(initrc_t) ++domain_ptrace_all_domains(initrc_t) + domain_getsession_all_domains(initrc_t) + domain_use_interactive_fds(initrc_t) + # for lsof which is used by alsa shutdown: +@@ -343,14 +383,13 @@ + files_getattr_all_pipes(initrc_t) + files_getattr_all_sockets(initrc_t) + files_purge_tmp(initrc_t) +-files_delete_all_locks(initrc_t) ++files_manage_all_locks(initrc_t) + files_read_all_pids(initrc_t) + files_delete_all_pids(initrc_t) + files_delete_all_pid_dirs(initrc_t) + files_read_etc_files(initrc_t) + files_manage_etc_runtime_files(initrc_t) + files_etc_filetrans_etc_runtime(initrc_t,file) +-files_manage_generic_locks(initrc_t) + files_exec_etc_files(initrc_t) + files_read_usr_files(initrc_t) + 
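Review bot: Replacing `domain_dontaudit_ptrace_all_domains(initrc_t)` with `domain_ptrace_all_domains(initrc_t)` turns a silenced denial into a grant: initrc_t can now attach to and read the memory of every domain on the system, which exposes keys and credentials held by confined services and is a much larger step than the neighbouring getattr/getsession rules. If one init script needs ptrace, a per-script domain or a tunable would confine the grant; at minimum a comment such as `# ptrace needed by <script> — TODO confirm` should record the trigger. If the change was only meant to stop audit noise, the original dontaudit already did that.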
files_manage_urandom_seed(initrc_t) +@@ -366,7 +405,9 @@ + + libs_rw_ld_so_cache(initrc_t) + libs_exec_lib_files(initrc_t) ++libs_exec_ld_so(initrc_t) + ++logging_send_audit_msgs(initrc_t) + logging_send_syslog_msg(initrc_t) + logging_manage_generic_logs(initrc_t) + logging_read_all_logs(initrc_t) +@@ -451,7 +492,7 @@ + + # Red Hat systems seem to have a stray + # fd open from the initrd +- kernel_dontaudit_use_fds(initrc_t) ++ kernel_use_fds(initrc_t) + files_dontaudit_read_root_files(initrc_t) + + selinux_set_enforce_mode(initrc_t) +@@ -465,6 +506,7 @@ + storage_raw_read_fixed_disk(initrc_t) + storage_raw_write_fixed_disk(initrc_t) + ++ files_create_boot_dirs(initrc_t) + files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) + # wants to read /.fonts directory +@@ -498,6 +540,7 @@ + optional_policy(` + #for /etc/rc.d/init.d/nfs to create /etc/exports + rpc_write_exports(initrc_t) ++ rpc_manage_nfs_state_data(initrc_t) + ') + + optional_policy(` +@@ -516,6 +559,31 @@ + ') + ') + ++domain_dontaudit_use_interactive_fds(daemon) ++ ++userdom_dontaudit_list_admin_dir(daemon) ++ ++tunable_policy(`allow_daemons_use_tty',` ++ term_use_unallocated_ttys(daemon) ++ term_use_generic_ptys(daemon) ++ term_use_all_user_ttys(daemon) ++ term_use_all_user_ptys(daemon) ++',` ++ term_dontaudit_use_unallocated_ttys(daemon) ++ term_dontaudit_use_generic_ptys(daemon) ++ term_dontaudit_use_all_user_ttys(daemon) ++ term_dontaudit_use_all_user_ptys(daemon) ++ ') ++ ++# system-config-services causes avc messages that should be dontaudited ++tunable_policy(`allow_daemons_dump_core',` ++ files_dump_core(daemon) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(daemon) ++') ++ + optional_policy(` + amavis_search_lib(initrc_t) + amavis_setattr_pid_files(initrc_t) +@@ -570,6 +638,10 @@ + dbus_read_config(initrc_t) + + optional_policy(` ++ consolekit_dbus_chat(initrc_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(initrc_t) + ') + ') +@@ -647,6 +719,11 @@ + ') 
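Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` above `tunable_policy(`allow_daemons_dump_core',` does not describe the rule it precedes, which grants `files_dump_core(daemon)` rather than silencing a denial; it reads as a copy of the comment attached to `unconfined_dontaudit_rw_pipes(daemon)` further down. Replace it with `# allow_daemons_dump_core: let any daemon write core files to /` — core files can contain the daemon's secrets, so the default of false in the tunable declaration is the right one. The closing `')` of the `allow_daemons_use_tty` block appears indented one level deeper than the `tunable_policy(` it closes; align it with the opener.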
+ + optional_policy(` ++ iscsi_stream_connect(initrc_t) ++ iscsi_read_lib_files(initrc_t) ++') ++ ++optional_policy(` + mailman_list_data(initrc_t) + mailman_read_data_symlinks(initrc_t) + ') +@@ -655,12 +732,6 @@ + mta_read_config(initrc_t) + mta_dontaudit_read_spool_symlinks(initrc_t) + ') +-# cjp: require doesnt work in the else of optionals :\ +-# this also would result in a type transition +-# conflict if sendmail is enabled +-#optional_policy(`',` +-# mta_send_mail(initrc_t) +-#') + + optional_policy(` + ifdef(`distro_redhat',` +@@ -721,6 +792,9 @@ + + # why is this needed: + rpm_manage_db(initrc_t) ++ # Allow SELinux aware applications to request rpm_script_t execution ++ rpm_transition_script(initrc_t) ++ + ') + + optional_policy(` +@@ -733,10 +807,12 @@ + squid_manage_logs(initrc_t) + ') + ++ifdef(`enabled_mls',` + optional_policy(` + # allow init scripts to su + su_restricted_domain_template(initrc,initrc_t,system_r) + ') ++') + + optional_policy(` + ssh_dontaudit_read_server_keys(initrc_t) +@@ -754,6 +830,11 @@ + uml_setattr_util_sockets(initrc_t) + ') + ++# Cron jobs used to start and stop services ++optional_policy(` ++ cron_rw_pipes(daemon) ++') ++ + optional_policy(` + unconfined_domain(initrc_t) + +@@ -761,6 +842,8 @@ + # system-config-services causes avc messages that should be dontaudited + unconfined_dontaudit_rw_pipes(daemon) + ') ++ # sudo service restart causes this ++ unconfined_signull(daemon) + + optional_policy(` + mono_domtrans(initrc_t) +@@ -768,6 +851,10 @@ + ') + + optional_policy(` ++ rpm_dontaudit_rw_pipes(daemon) ++') ++ ++optional_policy(` + vmware_read_system_config(initrc_t) + vmware_append_system_config(initrc_t) + ') +@@ -790,3 +877,21 @@ + optional_policy(` + zebra_read_config(initrc_t) + ') ++ ++userdom_append_user_home_content_files(daemon) ++userdom_write_user_tmp_files(daemon) ++userdom_dontaudit_rw_stream(daemon) ++ ++logging_append_all_logs(daemon) ++ ++optional_policy(` ++ xserver_rw_xdm_home_files(daemon) ++ 
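Review bot: `ifdef(`enabled_mls',` tests a macro name that appears nowhere else in this patch; the rest of the policy uses `ifdef(`enable_mls',` (see the `init_spec_domtrans_script` hunk earlier in this file). As written the `su_restricted_domain_template(initrc,initrc_t,system_r)` block is never compiled on any build, so either rename the test to `enable_mls` or remove the block outright rather than leaving dead policy.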
tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_rw_nfs_files(daemon) ++ ') ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_rw_cifs_files(daemon) ++ ') ++') ++ ++init_rw_script_stream_sockets(daemon) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(ipsec, 1.9.1) ++policy_module(ipsec, 1.9.0) + + ######################################## + # +@@ -103,11 +103,13 @@ + corenet_raw_sendrecv_all_nodes(ipsec_t) + corenet_tcp_sendrecv_all_ports(ipsec_t) + corenet_tcp_bind_all_nodes(ipsec_t) +-corenet_udp_bind_all_nodes(ipsec_t) + corenet_tcp_bind_reserved_port(ipsec_t) + corenet_tcp_bind_isakmp_port(ipsec_t) ++ ++corenet_udp_bind_all_nodes(ipsec_t) + corenet_udp_bind_isakmp_port(ipsec_t) + corenet_udp_bind_ipsecnat_port(ipsec_t) ++ + corenet_sendrecv_generic_server_packets(ipsec_t) + corenet_sendrecv_isakmp_server_packets(ipsec_t) + +@@ -167,6 +169,8 @@ + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; + files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) + ++logging_send_syslog_msg(ipsec_mgmt_t) ++ + manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) + manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) + +@@ -242,8 +246,6 @@ + init_exec_script_files(ipsec_mgmt_t) + init_use_fds(ipsec_mgmt_t) + +-logging_send_syslog_msg(ipsec_mgmt_t) +- + miscfiles_read_localization(ipsec_mgmt_t) + + modutils_domtrans_insmod(ipsec_mgmt_t) +@@ -298,13 +300,10 @@ + kernel_read_network_state(racoon_t) + + corenet_all_recvfrom_unlabeled(racoon_t) +-corenet_tcp_sendrecv_all_if(racoon_t) +-corenet_udp_sendrecv_all_if(racoon_t) +-corenet_tcp_sendrecv_all_nodes(racoon_t) 
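Review bot: `policy_module(ipsec, 1.9.1)` is lowered to `1.9.0`, i.e. the module version goes backwards even though rules are changed further down in the same file. Tooling that compares module versions may then treat the rebuilt module as older than the one already installed, so keep the 1.9.1 bump (or move to 1.9.2 to reflect the new rules).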
+-corenet_udp_sendrecv_all_nodes(racoon_t) + corenet_tcp_bind_all_nodes(racoon_t) + corenet_udp_bind_all_nodes(racoon_t) + corenet_udp_bind_isakmp_port(racoon_t) ++corenet_udp_sendrecv_all_if(racoon_t) + corenet_udp_bind_ipsecnat_port(racoon_t) + + dev_read_urand(racoon_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te +--- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2009-04-07 16:01:44.000000000 -0400 +@@ -53,6 +53,7 @@ + mls_file_read_all_levels(iptables_t) + + term_dontaudit_use_console(iptables_t) ++term_use_all_terms(iptables_t) + + domain_use_interactive_fds(iptables_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.12/policy/modules/system/iscsi.if +--- nsaserefpolicy/policy/modules/system/iscsi.if 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/iscsi.if 2009-04-09 10:18:10.000000000 -0400 +@@ -17,3 +17,43 @@ + + domtrans_pattern($1,iscsid_exec_t,iscsid_t) + ') ++ ++######################################## ++## ++## Read iscsi lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_read_lib_files',` ++ gen_require(` ++ type iscsi_var_lib_t; ++ ') ++ ++ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) ++ allow $1 iscsi_var_lib_t:dir list_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Connect to ISCSI using a unix domain stream socket. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`iscsi_stream_connect',` ++ gen_require(` ++ type iscsi_t, iscsi_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsi_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te +--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-07 16:01:44.000000000 -0400 +@@ -55,6 +55,7 @@ + files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) + + kernel_read_system_state(iscsid_t) ++kernel_search_debugfs(iscsid_t) + + corenet_all_recvfrom_unlabeled(iscsid_t) + corenet_all_recvfrom_netlabel(iscsid_t) +@@ -73,6 +74,6 @@ + + logging_send_syslog_msg(iscsid_t) + +-miscfiles_read_localization(iscsid_t) ++auth_use_nsswitch(iscsid_t) + +-sysnet_dns_name_resolve(iscsid_t) ++miscfiles_read_localization(iscsid_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc +--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -60,12 +60,15 @@ + # + # /opt + # ++/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?lib64(/.*)? 
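Review bot: `iscsi_stream_connect` requires `type iscsi_t`, but the daemon type used everywhere else in this module is `iscsid_t` (`domtrans_pattern($1,iscsid_exec_t,iscsid_t)` in the same file and the iscsi.te hunk below); unless `iscsi_t` is declared somewhere not shown here, the first caller — `iscsi_stream_connect(initrc_t)` added in init.te — fails at build time. The socket lives in `iscsi_var_lib_t`, yet the interface calls `files_search_pids($1)`; the sibling `iscsi_read_lib_files` correctly uses `files_search_var_lib($1)`. Suggested lines: `type iscsid_t, iscsi_var_lib_t;` / `files_search_var_lib($1)` / `stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)` — confirm the socket directory before settling the search call.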
gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + ++/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) ++ + ifdef(`distro_gentoo',` + # despite the extensions, they are actually libs + /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) +@@ -84,12 +87,14 @@ + + ifdef(`distro_redhat',` + /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) + /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ') + +@@ -103,6 +108,7 @@ + # + /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +@@ -115,24 +121,34 @@ + + /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -168,7 +184,8 @@ + # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv + # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php + /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -187,12 +204,15 @@ + /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -233,7 +253,7 @@ + /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame +-/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
++/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -246,12 +266,13 @@ + + # Flash plugin, Macromedia + HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + # Jai, Sun Microsystems (Jpackage SPRM) + /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -267,6 +288,9 @@ + /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + # Java, Sun Microsystems (JPackage SRPM) + 
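Review bot: `HOME_DIR/.mozilla/plugins/nprhapengine\.so.*` leaves the dot in `.mozilla` unescaped, so it also matches any single-character prefix such as `HOME_DIR/xmozilla/...`; the flash line two above writes it as `HOME_DIR/\.mozilla`, and this one should too. The replacement `HOME_DIR/.*/plugins/nppdf\.so` is also added in the `-168,7 +184,8` hunk earlier in this file as `HOME_DIR/.*/plugins/nppdf\.so.*`, so one of the two is redundant, and dropping `HOME_DIR/.*/plugins/libflashplayer\.so.*` removes the textrel label for a Flash plugin installed outside `\.mozilla`, which will surface as execmod denials if that was not intended.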
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -291,6 +315,8 @@ + /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) ++/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) + ') dnl end distro_redhat + + # +@@ -303,6 +329,8 @@ + + /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) + ++/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++ + ifdef(`distro_suse',` + /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) + ') +@@ -310,3 +338,37 @@ + /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) + /var/spool/postfix/usr(/.*)? 
gen_context(system_u:object_r:lib_t,s0) + /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) ++ ++/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) ++ ++/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude 
-N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.12/policy/modules/system/libraries.te +--- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/libraries.te 2009-04-07 16:01:44.000000000 -0400 +@@ -52,11 +52,11 @@ + # ldconfig local policy + # + +-allow ldconfig_t self:capability sys_chroot; ++allow ldconfig_t self:capability { dac_override sys_chroot }; + + manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) + +-allow ldconfig_t ld_so_cache_t:file manage_file_perms; ++manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) + files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) + + manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) +@@ -70,8 +70,11 @@ + + fs_getattr_xattr_fs(ldconfig_t) + ++corecmd_search_bin(ldconfig_t) ++ + domain_use_interactive_fds(ldconfig_t) + ++files_search_home(ldconfig_t) + files_search_var_lib(ldconfig_t) + files_read_etc_files(ldconfig_t) + files_search_tmp(ldconfig_t) +@@ -80,6 +83,7 @@ + files_delete_etc_files(ldconfig_t) + + init_use_script_ptys(ldconfig_t) ++init_read_script_tmp_files(ldconfig_t) + + miscfiles_read_localization(ldconfig_t) + +@@ -94,6 +98,10 @@ + ') + ') + ++userdom_manage_user_home_content_files(ldconfig_t) ++userdom_manage_user_tmp_files(ldconfig_t) ++userdom_manage_user_tmp_symlinks(ldconfig_t) ++ + ifdef(`hide_broken_symptoms',` + optional_policy(` + unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) +@@ -116,4 +124,10 @@ + # and executes ldconfig on it. If you dont allow this kernel installs + # blow up. 
+ rpm_manage_script_tmp_files(ldconfig_t) ++ # smart package manager needs the following for the same reason ++ rpm_rw_tmp_files(ldconfig_t) ++') ++ ++optional_policy(` ++ unconfined_domain(ldconfig_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te +--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-04-07 16:01:44.000000000 -0400 +@@ -67,6 +67,7 @@ + dev_setattr_power_mgmt_dev(local_login_t) + dev_getattr_sound_dev(local_login_t) + dev_setattr_sound_dev(local_login_t) ++dev_rw_generic_usb_dev(local_login_t) + dev_dontaudit_getattr_apm_bios_dev(local_login_t) + dev_dontaudit_setattr_apm_bios_dev(local_login_t) + dev_dontaudit_read_framebuffer(local_login_t) +@@ -100,7 +101,6 @@ + + auth_rw_login_records(local_login_t) + auth_rw_faillog(local_login_t) +-auth_manage_pam_pid(local_login_t) + auth_manage_pam_console_data(local_login_t) + auth_domtrans_pam_console(local_login_t) + +@@ -160,6 +160,11 @@ + fs_read_cifs_symlinks(local_login_t) + ') + ++tunable_policy(`allow_console_login',` ++ term_relabel_console(local_login_t) ++ term_setattr_console(local_login_t) ++') ++ + optional_policy(` + alsa_domtrans(local_login_t) + ') +@@ -189,7 +194,7 @@ + ') + + optional_policy(` +- unconfined_domain(local_login_t) ++ unconfined_shell_domtrans(local_login_t) + ') + + optional_policy(` +@@ -235,17 +240,25 @@ + seutil_read_default_contexts(sulogin_t) + + auth_read_shadow(sulogin_t) ++auth_use_nsswitch(sulogin_t) + + userdom_use_unpriv_users_fds(sulogin_t) + + userdom_search_user_home_dirs(sulogin_t) + userdom_use_user_ptys(sulogin_t) + ++ifdef(`enable_mls',` + sysadm_shell_domtrans(sulogin_t) ++',` ++ optional_policy(` ++ unconfined_shell_domtrans(sulogin_t) ++ ') ++') + + # suse and debian do not use pam with sulogin... 
+ ifdef(`distro_suse', `define(`sulogin_no_pam')') + ifdef(`distro_debian', `define(`sulogin_no_pam')') ++ifdef(`distro_redhat',`define(`sulogin_no_pam')') + + ifdef(`sulogin_no_pam', ` + allow sulogin_t self:capability sys_tty_config; +@@ -260,10 +273,4 @@ + selinux_compute_user_contexts(sulogin_t) + ') + +-optional_policy(` +- nis_use_ypbind(sulogin_t) +-') + +-optional_policy(` +- nscd_socket_use(sulogin_t) +-') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc +--- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -53,15 +53,18 @@ + /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) + ') + +-/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) +-/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) +-/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) +-/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) ++/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) ++/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) ++/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) ++/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) + /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) + /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) + /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + + /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) ++/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) 
++/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) + + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if +--- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-04-07 16:01:44.000000000 -0400 +@@ -623,7 +623,7 @@ + ') + + files_search_var($1) +- append_files_pattern($1, var_log_t, logfile) ++ append_files_pattern($1, logfile, logfile) + ') + + ######################################## +@@ -707,6 +707,8 @@ + files_search_var($1) + manage_files_pattern($1,logfile,logfile) + read_lnk_files_pattern($1,logfile,logfile) ++ allow $1 logfile:dir { relabelfrom relabelto }; ++ allow $1 logfile:file { relabelfrom relabelto }; + ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te +--- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/logging.te 2009-04-07 16:01:44.000000000 -0400 +@@ -126,7 +126,7 @@ + allow auditd_t self:process { signal_perms setpgid setsched }; + allow auditd_t self:file rw_file_perms; + allow auditd_t self:unix_dgram_socket create_socket_perms; +-allow auditd_t self:fifo_file rw_file_perms; ++allow auditd_t self:fifo_file rw_fifo_file_perms; + allow auditd_t self:tcp_socket create_stream_socket_perms; + + allow auditd_t auditd_etc_t:dir list_dir_perms; +@@ -179,6 +179,8 @@ + logging_domtrans_dispatcher(auditd_t) + logging_signal_dispatcher(auditd_t) + ++auth_use_nsswitch(auditd_t) ++ + miscfiles_read_localization(auditd_t) + + mls_file_read_all_levels(auditd_t) +@@ -215,9 +217,9 @@ + # audit dispatcher local policy + # + 
+-allow audisp_t self:capability sys_nice; +-allow audisp_t self:process setsched; +-allow audisp_t self:fifo_file rw_file_perms; ++allow audisp_t self:capability { dac_override sys_nice }; ++allow audisp_t self:process { signal_perms setsched }; ++allow audisp_t self:fifo_file rw_fifo_file_perms; + allow audisp_t self:unix_stream_socket create_stream_socket_perms; + allow audisp_t self:unix_dgram_socket create_socket_perms; + +@@ -226,13 +228,18 @@ + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) + files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) + +-corecmd_search_bin(audisp_t) ++corecmd_exec_bin(audisp_t) ++corecmd_exec_shell(audisp_t) + + domain_use_interactive_fds(audisp_t) + + files_read_etc_files(audisp_t) ++files_read_etc_runtime_files(audisp_t) + + mls_file_write_all_levels(audisp_t) ++mls_dbus_send_all_levels(audisp_t) ++ ++auth_use_nsswitch(audisp_t) + + logging_send_syslog_msg(audisp_t) + +@@ -240,6 +247,14 @@ + + sysnet_dns_name_resolve(audisp_t) + ++optional_policy(` ++ dbus_system_bus_client(audisp_t) ++ ++ optional_policy(` ++ setroubleshoot_dbus_chat(audisp_t) ++ ') ++') ++ + ######################################## + # + # Audit remote logger local policy +@@ -253,11 +268,16 @@ + corenet_tcp_sendrecv_generic_node(audisp_remote_t) + corenet_tcp_connect_audit_port(audisp_remote_t) + corenet_sendrecv_audit_client_packets(audisp_remote_t) ++corenet_tcp_bind_audit_port(audisp_remote_t) ++corenet_tcp_sendrecv_all_ports(audisp_remote_t) ++corenet_tcp_bind_generic_node(audisp_remote_t) + + files_read_etc_files(audisp_remote_t) + + logging_send_syslog_msg(audisp_remote_t) + ++auth_use_nsswitch(audisp_remote_t) ++ + miscfiles_read_localization(audisp_remote_t) + + sysnet_dns_name_resolve(audisp_remote_t) +@@ -337,7 +357,7 @@ + allow syslogd_t self:unix_dgram_socket create_socket_perms; + allow syslogd_t self:unix_stream_socket create_stream_socket_perms; + allow syslogd_t self:unix_dgram_socket sendto; +-allow syslogd_t 
self:fifo_file rw_file_perms; ++allow syslogd_t self:fifo_file rw_fifo_file_perms; + allow syslogd_t self:udp_socket create_socket_perms; + allow syslogd_t self:tcp_socket create_stream_socket_perms; + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.12/policy/modules/system/lvm.fc +--- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/lvm.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -55,6 +55,7 @@ + /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -97,3 +98,4 @@ + /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) + /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) + /var/lib/multipath(/.*)? 
gen_context(system_u:object_r:lvm_var_lib_t,s0) ++/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te +--- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-09 10:07:34.000000000 -0400 +@@ -10,6 +10,9 @@ + type clvmd_exec_t; + init_daemon_domain(clvmd_t,clvmd_exec_t) + ++type clvmd_initrc_exec_t; ++init_script_file(clvmd_initrc_exec_t) ++ + type clvmd_var_run_t; + files_pid_file(clvmd_var_run_t) + +@@ -22,7 +25,7 @@ + role system_r types lvm_t; + + type lvm_etc_t; +-files_type(lvm_etc_t) ++files_config_file(lvm_etc_t) + + type lvm_lock_t; + files_lock_file(lvm_lock_t) +@@ -44,9 +47,9 @@ + # Cluster LVM daemon local policy + # + +-allow clvmd_t self:capability { sys_admin mknod }; ++allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; + dontaudit clvmd_t self:capability sys_tty_config; +-allow clvmd_t self:process signal_perms; ++allow clvmd_t self:process { signal_perms setsched }; + dontaudit clvmd_t self:process ptrace; + allow clvmd_t self:socket create_socket_perms; + allow clvmd_t self:fifo_file rw_fifo_file_perms; +@@ -54,6 +57,8 @@ + allow clvmd_t self:tcp_socket create_stream_socket_perms; + allow clvmd_t self:udp_socket create_socket_perms; + ++init_dontaudit_getattr_initctl(clvmd_t) ++ + manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t) + files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) + +@@ -85,10 +90,15 @@ + corenet_sendrecv_generic_server_packets(clvmd_t) + + dev_read_sysfs(clvmd_t) ++dev_manage_generic_symlinks(clvmd_t) ++dev_relabel_generic_dev_dirs(clvmd_t) ++dev_manage_generic_blk_files(clvmd_t) + dev_manage_generic_chr_files(clvmd_t) + dev_rw_lvm_control(clvmd_t) + dev_dontaudit_getattr_all_blk_files(clvmd_t) + dev_dontaudit_getattr_all_chr_files(clvmd_t) 
++dev_create_generic_dirs(clvmd_t) ++dev_delete_generic_dirs(clvmd_t) + + files_read_etc_files(clvmd_t) + files_list_usr(clvmd_t) +@@ -99,9 +109,12 @@ + fs_dontaudit_read_removable_files(clvmd_t) + + storage_dontaudit_getattr_removable_dev(clvmd_t) ++storage_dev_filetrans_fixed_disk(clvmd_t) ++storage_manage_fixed_disk(clvmd_t) + + domain_use_interactive_fds(clvmd_t) + ++storage_relabel_fixed_disk(clvmd_t) + storage_raw_read_fixed_disk(clvmd_t) + + auth_use_nsswitch(clvmd_t) +@@ -112,6 +125,9 @@ + + seutil_dontaudit_search_config(clvmd_t) + seutil_sigchld_newrole(clvmd_t) ++seutil_read_config(clvmd_t) ++seutil_read_file_contexts(clvmd_t) ++seutil_search_default_contexts(clvmd_t) + + userdom_dontaudit_use_unpriv_user_fds(clvmd_t) + userdom_dontaudit_search_user_home_dirs(clvmd_t) +@@ -124,6 +140,14 @@ + ') + + optional_policy(` ++ dbus_system_bus_client(lvm_t) ++ ++ optional_policy(` ++ hal_dbus_chat(lvm_t) ++ ') ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(clvmd_t) + ') + +@@ -133,6 +157,14 @@ + ') + + optional_policy(` ++ unconfined_domain(clvmd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(lvm_t) ++') ++ ++optional_policy(` + udev_read_db(clvmd_t) + ') + +@@ -143,17 +175,19 @@ + + # DAC overrides and mknod for modifying /dev entries (vgmknodes) + # rawio needed for dmraid +-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio }; ++allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; ++# lvm needs net_admin for multipath + dontaudit lvm_t self:capability sys_tty_config; + allow lvm_t self:process { sigchld sigkill sigstop signull signal }; + # LVM will complain a lot if it cannot set its priority. 
+ allow lvm_t self:process setsched; + allow lvm_t self:file rw_file_perms; +-allow lvm_t self:fifo_file rw_file_perms; ++allow lvm_t self:fifo_file manage_fifo_file_perms; + allow lvm_t self:unix_dgram_socket create_socket_perms; + allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; + +-allow lvm_t clvmd_t:unix_stream_socket connectto; ++allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; + + manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) + manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) +@@ -185,6 +219,7 @@ + manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) + filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) + files_etc_filetrans(lvm_t,lvm_metadata_t,file) ++files_search_mnt(lvm_t) + + kernel_read_system_state(lvm_t) + kernel_read_kernel_sysctls(lvm_t) +@@ -192,6 +227,8 @@ + kernel_read_kernel_sysctls(lvm_t) + # it has no reason to need this + kernel_dontaudit_getattr_core_if(lvm_t) ++kernel_use_fds(lvm_t) ++kernel_search_debugfs(lvm_t) + + selinux_get_fs_mount(lvm_t) + selinux_validate_context(lvm_t) +@@ -221,6 +258,7 @@ + dev_dontaudit_getattr_generic_blk_files(lvm_t) + dev_dontaudit_getattr_generic_pipes(lvm_t) + dev_create_generic_dirs(lvm_t) ++dev_rw_generic_files(lvm_t) + + fs_getattr_xattr_fs(lvm_t) + fs_search_auto_mountpoints(lvm_t) +@@ -239,12 +277,18 @@ + storage_dev_filetrans_fixed_disk(lvm_t) + # Access raw devices and old /dev/lvm (c 109,0). Is this needed? 
+ storage_manage_fixed_disk(lvm_t) ++mls_file_read_all_levels(lvm_t) ++mls_file_write_to_clearance(lvm_t) ++ ++term_use_all_terms(lvm_t) + + corecmd_exec_bin(lvm_t) + corecmd_exec_shell(lvm_t) + + domain_use_interactive_fds(lvm_t) ++domain_read_all_domains_state(lvm_t) + ++files_read_usr_files(lvm_t) + files_read_etc_files(lvm_t) + files_read_etc_runtime_files(lvm_t) + # for when /usr is not mounted: +@@ -253,6 +297,7 @@ + init_use_fds(lvm_t) + init_dontaudit_getattr_initctl(lvm_t) + init_use_script_ptys(lvm_t) ++init_read_script_state(lvm_t) + + logging_send_syslog_msg(lvm_t) + +@@ -283,5 +328,22 @@ + ') + + optional_policy(` ++ modutils_domtrans_insmod(lvm_t) ++') ++ ++optional_policy(` ++ rpm_manage_script_tmp_files(lvm_t) ++') ++ ++optional_policy(` + udev_read_db(lvm_t) + ') ++ ++optional_policy(` ++ unconfined_domain(lvm_t) ++') ++ ++optional_policy(` ++ xen_append_log(lvm_t) ++ xen_dontaudit_rw_unix_stream_sockets(lvm_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te +--- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-04-07 16:01:44.000000000 -0400 +@@ -42,7 +42,7 @@ + # insmod local policy + # + +-allow insmod_t self:capability { dac_override net_raw sys_tty_config }; ++allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; + allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; + + allow insmod_t self:udp_socket create_socket_perms; +@@ -55,6 +55,7 @@ + + kernel_load_module(insmod_t) + kernel_read_system_state(insmod_t) ++kernel_read_network_state(insmod_t) + kernel_write_proc_files(insmod_t) + kernel_mount_debugfs(insmod_t) + kernel_mount_kvmfs(insmod_t) +@@ -63,6 +64,7 @@ + kernel_read_kernel_sysctls(insmod_t) + kernel_rw_kernel_sysctl(insmod_t) + 
kernel_read_hotplug_sysctls(insmod_t) ++kernel_setsched(insmod_t) + + files_read_kernel_modules(insmod_t) + # for locking: (cjp: ????) +@@ -76,11 +78,10 @@ + dev_read_sound(insmod_t) + dev_write_sound(insmod_t) + dev_rw_apm_bios(insmod_t) +-# cjp: why is this needed? insmod cannot mounton any dir +-# and it also transitions to mount +-dev_mount_usbfs(insmod_t) ++dev_create_generic_chr_files(insmod_t) + + fs_getattr_xattr_fs(insmod_t) ++fs_dontaudit_use_tmpfs_chr_dev(insmod_t) + + corecmd_exec_bin(insmod_t) + corecmd_exec_shell(insmod_t) +@@ -101,6 +102,8 @@ + init_use_fds(insmod_t) + init_use_script_fds(insmod_t) + init_use_script_ptys(insmod_t) ++init_spec_domtrans_script(insmod_t) ++init_rw_script_tmp_files(insmod_t) + + logging_send_syslog_msg(insmod_t) + logging_search_logs(insmod_t) +@@ -109,19 +112,30 @@ + + seutil_read_file_contexts(insmod_t) + +-userdom_use_user_terminals(insmod_t) ++term_use_all_terms(insmod_t) ++userdom_dontaudit_search_user_home_dirs(insmod_t) + +-ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(insmod_t) + ') +-') + + if( ! secure_mode_insmod ) { + kernel_domtrans_to(insmod_t,insmod_exec_t) + } + + optional_policy(` ++ alsa_domtrans(insmod_t) ++') ++ ++optional_policy(` ++ firstboot_dontaudit_rw_pipes(insmod_t) ++') ++ ++optional_policy(` ++ hal_write_log(insmod_t) ++') ++ ++optional_policy(` + hotplug_search_config(insmod_t) + ') + +@@ -154,6 +168,7 @@ + + optional_policy(` + rpm_rw_pipes(insmod_t) ++ rpm_read_script_tmp_files(insmod_t) + ') + + optional_policy(` +@@ -184,6 +199,7 @@ + + files_read_kernel_symbol_table(depmod_t) + files_read_kernel_modules(depmod_t) ++files_delete_kernel_modules(depmod_t) + + fs_getattr_xattr_fs(depmod_t) + +@@ -214,7 +230,13 @@ + ') + + optional_policy(` ++ # Read System.map from home directories. 
++ unconfined_domain(depmod_t) ++') ++ ++optional_policy(` + rpm_rw_pipes(depmod_t) ++ rpm_manage_script_tmp_files(depmod_t) + ') + + ################################# +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.12/policy/modules/system/mount.fc +--- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/mount.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -1,4 +1,9 @@ + /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +- ++/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) ++/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) ++/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) + /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) ++ ++/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if +--- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/mount.if 2009-04-07 16:01:44.000000000 -0400 +@@ -43,9 +43,11 @@ + + mount_domtrans($1) + role $2 types mount_t; ++ #Leaked File Descriptors ++ dontaudit mount_t $1:unix_stream_socket rw_socket_perms; + + optional_policy(` +- samba_run_smbmount($1, $2) ++ samba_run_smbmount($1, $2, $3) + ') + ') + +@@ -159,3 +161,21 @@ + mount_domtrans_unconfined($1) + role $2 types unconfined_mount_t; + ') ++ ++######################################## ++## ++## Send signal to mount process ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`mount_signal',` ++ gen_require(` ++ type mount_t; ++ ') ++ ++ allow $1 mount_t:process signal; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te +--- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-04-09 05:37:08.000000000 -0400 +@@ -18,17 +18,21 @@ + init_system_domain(mount_t,mount_exec_t) + role system_r types mount_t; + ++typealias mount_t alias mount_ntfs_t; ++typealias mount_exec_t alias mount_ntfs_exec_t; ++ + type mount_loopback_t; # customizable + files_type(mount_loopback_t) + + type mount_tmp_t; + files_tmp_file(mount_tmp_t) + +-# causes problems with interfaces when +-# this is optionally declared in monolithic +-# policy--duplicate type declaration + type unconfined_mount_t; + application_domain(unconfined_mount_t,mount_exec_t) ++role system_r types unconfined_mount_t; ++ ++type mount_var_run_t; ++files_pid_file(mount_var_run_t) + + ######################################## + # +@@ -36,7 +40,8 @@ + # + + # setuid/setgid needed to mount cifs +-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; ++allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; ++allow mount_t self:process { ptrace signal }; + + allow mount_t mount_loopback_t:file read_file_perms; + +@@ -47,12 +52,25 @@ + + files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) + ++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) ++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) ++files_pid_filetrans(mount_t,mount_var_run_t,dir) ++files_var_filetrans(mount_t,mount_var_run_t,dir) ++ ++# In order to mount reiserfs_t ++kernel_list_unlabeled(mount_t) + kernel_read_system_state(mount_t) 
++kernel_read_network_state(mount_t) + kernel_read_kernel_sysctls(mount_t) + kernel_dontaudit_getattr_core_if(mount_t) ++kernel_search_debugfs(mount_t) ++kernel_setsched(mount_t) ++kernel_use_fds(mount_t) + + dev_getattr_all_blk_files(mount_t) + dev_list_all_dev_nodes(mount_t) ++dev_read_usbfs(mount_t) ++dev_read_rand(mount_t) + dev_rw_lvm_control(mount_t) + dev_dontaudit_getattr_all_chr_files(mount_t) + dev_dontaudit_getattr_memory_dev(mount_t) +@@ -62,16 +80,19 @@ + storage_raw_write_fixed_disk(mount_t) + storage_raw_read_removable_device(mount_t) + storage_raw_write_removable_device(mount_t) ++storage_rw_fuse(mount_t) + +-fs_getattr_xattr_fs(mount_t) +-fs_getattr_cifs(mount_t) ++fs_list_all(mount_t) ++fs_getattr_all_fs(mount_t) + fs_mount_all_fs(mount_t) + fs_unmount_all_fs(mount_t) + fs_remount_all_fs(mount_t) + fs_relabelfrom_all_fs(mount_t) +-fs_list_auto_mountpoints(mount_t) + fs_rw_tmpfs_chr_files(mount_t) ++fs_manage_tmpfs_dirs(mount_t) + fs_read_tmpfs_symlinks(mount_t) ++fs_read_fusefs_files(mount_t) ++fs_manage_nfs_dirs(mount_t) + + term_use_all_terms(mount_t) + +@@ -79,6 +100,7 @@ + corecmd_exec_bin(mount_t) + + domain_use_interactive_fds(mount_t) ++domain_dontaudit_search_all_domains_state(mount_t) + + files_search_all(mount_t) + files_read_etc_files(mount_t) +@@ -87,7 +109,7 @@ + files_mounton_all_mountpoints(mount_t) + files_unmount_rootfs(mount_t) + # These rules need to be generalized. 
Only admin, initrc should have it: +-files_relabelto_all_file_type_fs(mount_t) ++files_relabel_all_file_type_fs(mount_t) + files_mount_all_file_type_fs(mount_t) + files_unmount_all_file_type_fs(mount_t) + # for when /etc/mtab loses its type +@@ -100,6 +122,8 @@ + init_use_fds(mount_t) + init_use_script_ptys(mount_t) + init_dontaudit_getattr_initctl(mount_t) ++init_stream_connect_script(mount_t) ++init_rw_script_stream_sockets(mount_t) + + auth_use_nsswitch(mount_t) + +@@ -116,6 +140,7 @@ + seutil_read_config(mount_t) + + userdom_use_all_users_fds(mount_t) ++userdom_manage_user_home_content_dirs(mount_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -133,7 +158,7 @@ + + tunable_policy(`allow_mount_anyfile',` + auth_read_all_dirs_except_shadow(mount_t) +- auth_read_all_files_except_shadow(mount_t) ++ auth_rw_all_files_except_shadow(mount_t) + files_mounton_non_security(mount_t) + ') + +@@ -141,16 +166,16 @@ + # for nfs + corenet_all_recvfrom_unlabeled(mount_t) + corenet_all_recvfrom_netlabel(mount_t) +- corenet_tcp_sendrecv_all_if(mount_t) +- corenet_raw_sendrecv_all_if(mount_t) +- corenet_udp_sendrecv_all_if(mount_t) +- corenet_tcp_sendrecv_all_nodes(mount_t) +- corenet_raw_sendrecv_all_nodes(mount_t) +- corenet_udp_sendrecv_all_nodes(mount_t) ++ corenet_tcp_sendrecv_generic_if(mount_t) ++ corenet_raw_sendrecv_generic_if(mount_t) ++ corenet_udp_sendrecv_generic_if(mount_t) ++ corenet_tcp_sendrecv_generic_node(mount_t) ++ corenet_raw_sendrecv_generic_node(mount_t) ++ corenet_udp_sendrecv_generic_node(mount_t) + corenet_tcp_sendrecv_all_ports(mount_t) + corenet_udp_sendrecv_all_ports(mount_t) +- corenet_tcp_bind_all_nodes(mount_t) +- corenet_udp_bind_all_nodes(mount_t) ++ corenet_tcp_bind_generic_node(mount_t) ++ corenet_udp_bind_generic_node(mount_t) + corenet_tcp_bind_generic_port(mount_t) + corenet_udp_bind_generic_port(mount_t) + corenet_tcp_bind_reserved_port(mount_t) +@@ -164,6 +189,8 @@ + fs_search_rpc(mount_t) + + rpc_stub(mount_t) ++ ++ 
rpc_domtrans_rpcd(mount_t) + ') + + optional_policy(` +@@ -171,6 +198,15 @@ + ') + + optional_policy(` ++ dbus_system_bus_client(mount_t) ++ ++ optional_policy(` ++ hal_dbus_chat(mount_t) ++ ') ++') ++ ++ ++optional_policy(` + ifdef(`hide_broken_symptoms',` + # for a bug in the X server + rhgb_dontaudit_rw_stream_sockets(mount_t) +@@ -178,6 +214,11 @@ + ') + ') + ++# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 ++optional_policy(` ++ lvm_domtrans(mount_t) ++') ++ + # for kernel package installation + optional_policy(` + rpm_rw_pipes(mount_t) +@@ -185,14 +226,24 @@ + + optional_policy(` + samba_domtrans_smbmount(mount_t) ++ samba_read_config(mount_t) + ') + + ######################################## + # +-# Unconfined mount local policy ++# ntfs local policy + # ++allow mount_t self:fifo_file rw_fifo_file_perms; ++allow mount_t self:unix_stream_socket create_stream_socket_perms; ++allow mount_t self:unix_dgram_socket create_socket_perms; ++ ++corecmd_exec_shell(mount_t) ++ ++modutils_domtrans_insmod(mount_t) + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t,file) +- unconfined_domain(unconfined_mount_t) ++ hal_write_log(mount_t) ++ hal_use_fds(mount_t) ++ hal_rw_pipes(mount_t) + ') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.12/policy/modules/system/selinuxutil.fc +--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -6,13 +6,13 @@ + /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) + /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) + /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) +-/etc/selinux/([^/]*/)?policy(/.*)? 
gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0)
+ 
+ #
+ # /root
+@@ -38,7 +38,7 @@
+ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+ /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+-/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
+ /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+ /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+ 
+@@ -46,3 +46,11 @@
+ # /var/run
+ #
+ /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
++
++#
++# /var/lib
++#
++/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)
++
++/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
++/etc/share/selinux/mls(/.*)? 
gen_context(system_u:object_r:semanage_store_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.12/policy/modules/system/selinuxutil.if
+--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.if 2009-04-09 09:12:25.000000000 -0400
+@@ -535,6 +535,53 @@
+ 
+ ########################################
+ ##
++## Execute setfiles in the setfiles domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_domtrans_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t, setfiles_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
++')
++
++########################################
++##
++## Execute setfiles in the setfiles_mac domain, and
++## allow the specified role the setfiles_mac domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the setfiles_mac domain.
++##
++##
++##
++#
++interface(`seutil_run_setfiles_mac',`
++ gen_require(`
++ type setfiles_mac_t;
++ ')
++
++ seutil_domtrans_setfiles_mac($1)
++ role $2 types setfiles_mac_t;
++')
++
++########################################
++##
+ ## Execute setfiles in the caller domain.
+ ##
+ ##
+@@ -680,6 +727,7 @@
+ ')
+ 
+ files_search_etc($1)
++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ manage_files_pattern($1,selinux_config_t,selinux_config_t)
+ read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
+ ')
+@@ -999,6 +1047,26 @@
+ 
+ ########################################
+ ##
++## Execute a domain transition to run setsebool.
++##
++##
++##
++## Domain allowed to transition. 
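Review bot: The two new file-context patterns `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` look like a typo for `/usr/share/selinux/...`, the directory where policy packages are installed; as written they match no existing path and the intended trees keep whatever default label they already have. If the goal is to label the installed .pp tree as `semanage_store_t`, change the prefix to `/usr/share/selinux/`; if /etc/share really is intended, a comment saying why would stop the next reader from "fixing" it.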
++##
++##
++#
++interface(`seutil_domtrans_setsebool',`
++ gen_require(`
++ type setsebool_t, setsebool_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
++')
++
++########################################
++##
+ ## Execute semanage in the semanage domain, and
+ ## allow the specified role the semanage domain,
+ ## and use the caller's terminal.
+@@ -1010,7 +1078,7 @@
+ ##
+ ##
+ ##
+-## The role to be allowed the checkpolicy domain.
++## The role to be allowed the semanage domain.
+ ##
+ ##
+ ##
+@@ -1028,6 +1096,33 @@
+ 
+ ########################################
+ ##
++## Execute setsebool in the semanage domain, and
++## allow the specified role the semanage domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the setsebool domain.
++##
++##
++##
++#
++interface(`seutil_run_setsebool',`
++ gen_require(`
++ type semanage_t;
++ ')
++
++ seutil_domtrans_setsebool($1)
++ role $2 types setsebool_t;
++')
++
++########################################
++##
+ ## Full management of the semanage
+ ## module store.
+ ##
+@@ -1139,3 +1234,255 @@
+ selinux_dontaudit_get_fs_mount($1)
+ seutil_dontaudit_read_config($1)
+ ')
++
++#######################################
++##
++## The per role template for the setsebool module.
++##
++##
++##
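Review bot: `seutil_run_setsebool` requires `type semanage_t;` but the only type its body uses is setsebool_t, in `role $2 types setsebool_t;`, so the gen_require names the wrong type; the require line should be `type setsebool_t;`. The summary also still reads "Execute setsebool in the semanage domain, and allow the specified role the semanage domain", whereas the transition target reached through `seutil_domtrans_setsebool($1)` is setsebool_t — reword both sentences to say the setsebool domain so they agree with the parameter text below them.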

++## This template creates a derived domains which are used ++## for setsebool plugins that are executed by a browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`seutil_setsebool_per_role_template',` ++ gen_require(` ++ type setsebool_exec_t; ++ ') ++ ++ type $1_setsebool_t; ++ domain_type($1_setsebool_t) ++ domain_entry_file($1_setsebool_t, setsebool_exec_t) ++ role $3 types $1_setsebool_t; ++ ++ files_search_usr($2) ++ corecmd_search_bin($2) ++ domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t) ++ seutil_semanage_policy($1_setsebool_t) ++ ++ # Need to define per type booleans ++ selinux_set_all_booleans($1_setsebool_t) ++ ++ # Bug in semanage ++ seutil_domtrans_setfiles($1_setsebool_t) ++ seutil_manage_file_contexts($1_setsebool_t) ++ seutil_manage_default_contexts($1_setsebool_t) ++ seutil_manage_config($1_setsebool_t) ++') ++ ++####################################### ++## ++## All rules necessary to run semanage command ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`seutil_semanage_policy',` ++ gen_require(` ++ type semanage_tmp_t; ++ type policy_config_t; ++ ') ++ allow $1 self:capability { dac_override sys_resource }; ++ dontaudit $1 self:capability sys_tty_config; ++ allow $1 self:process signal; ++ allow $1 self:unix_stream_socket create_stream_socket_perms; ++ allow $1 self:unix_dgram_socket create_socket_perms; ++ logging_send_audit_msgs($1) ++ ++ # Running genhomedircon requires this for finding all users ++ auth_use_nsswitch($1) ++ ++ allow $1 policy_config_t:file { read write }; ++ ++ allow $1 semanage_tmp_t:dir manage_dir_perms; ++ allow $1 semanage_tmp_t:file manage_file_perms; ++ files_tmp_filetrans($1, semanage_tmp_t, { file dir }) ++ ++ kernel_read_system_state($1) ++ kernel_read_kernel_sysctls($1) ++ ++ corecmd_exec_bin($1) ++ corecmd_exec_shell($1) ++ ++ dev_read_urand($1) ++ ++ domain_use_interactive_fds($1) ++ ++ files_read_etc_files($1) ++ files_read_etc_runtime_files($1) ++ files_read_usr_files($1) ++ files_list_pids($1) ++ fs_list_inotifyfs($1) ++ fs_getattr_all_fs($1) ++ ++ mls_file_write_all_levels($1) ++ mls_file_read_all_levels($1) ++ ++ selinux_getattr_fs($1) ++ selinux_validate_context($1) ++ selinux_get_enforce_mode($1) ++ ++ term_use_all_terms($1) ++ ++ locallogin_use_fds($1) ++ ++ logging_send_syslog_msg($1) ++ ++ miscfiles_read_localization($1) ++ ++ seutil_search_default_contexts($1) ++ seutil_domtrans_loadpolicy($1) ++ seutil_read_config($1) ++ seutil_manage_bin_policy($1) ++ seutil_use_newrole_fds($1) ++ seutil_manage_module_store($1) ++ seutil_get_semanage_trans_lock($1) ++ seutil_get_semanage_read_lock($1) ++ ++ userdom_dontaudit_write_user_home_content_files($1) ++ ++ optional_policy(` ++ rpm_dontaudit_rw_tmp_files($1) ++ rpm_dontaudit_rw_pipes($1) ++ ') ++') ++ ++ ++####################################### ++## ++## All rules necessary to run setfiles command ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`seutil_setfiles',` ++ ++allow $1 self:capability { dac_override dac_read_search fowner }; ++dontaudit $1 self:capability sys_tty_config; ++allow $1 self:fifo_file rw_file_perms; ++dontaudit $1 self:dir relabelfrom; ++dontaudit $1 self:file relabelfrom; ++dontaudit $1 self:lnk_file relabelfrom; ++ ++ ++allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; ++allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; ++allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; ++ ++logging_send_audit_msgs($1) ++ ++kernel_read_system_state($1) ++kernel_relabelfrom_unlabeled_dirs($1) ++kernel_relabelfrom_unlabeled_files($1) ++kernel_relabelfrom_unlabeled_symlinks($1) ++kernel_relabelfrom_unlabeled_pipes($1) ++kernel_relabelfrom_unlabeled_sockets($1) ++kernel_use_fds($1) ++kernel_rw_pipes($1) ++kernel_rw_unix_dgram_sockets($1) ++kernel_dontaudit_list_all_proc($1) ++kernel_read_all_sysctls($1) ++kernel_read_network_state_symlinks($1) ++ ++dev_relabel_all_dev_nodes($1) ++ ++domain_use_interactive_fds($1) ++domain_read_all_domains_state($1) ++ ++files_read_etc_runtime_files($1) ++files_read_etc_files($1) ++files_list_all($1) ++files_relabel_all_files($1) ++files_list_isid_type_dirs($1) ++files_read_isid_type_files($1) ++files_dontaudit_read_all_symlinks($1) ++ ++fs_getattr_xattr_fs($1) ++fs_list_all($1) ++fs_getattr_all_files($1) ++fs_search_auto_mountpoints($1) ++fs_relabelfrom_noxattr_fs($1) ++ ++mls_file_read_all_levels($1) ++mls_file_write_all_levels($1) ++mls_file_upgrade($1) ++mls_file_downgrade($1) ++ ++selinux_validate_context($1) ++selinux_compute_access_vector($1) ++selinux_compute_create_context($1) ++selinux_compute_relabel_context($1) ++selinux_compute_user_contexts($1) ++ ++term_use_all_terms($1) ++ ++# this is to satisfy the assertion: ++auth_relabelto_shadow($1) ++ ++init_use_fds($1) 
++init_use_script_fds($1) ++init_use_script_ptys($1) ++init_exec_script_files($1) ++ ++logging_send_syslog_msg($1) ++ ++miscfiles_read_localization($1) ++ ++seutil_libselinux_linked($1) ++ ++userdom_use_all_users_fds($1) ++# for config files in a home directory ++userdom_read_user_home_content_files($1) ++ ++ifdef(`distro_debian',` ++ # udev tmpfs is populated with static device nodes ++ # and then relabeled afterwards; thus ++ # /dev/console has the tmpfs type ++ fs_rw_tmpfs_chr_files($1) ++') ++ ++ifdef(`distro_redhat',` ++ fs_rw_tmpfs_chr_files($1) ++ fs_rw_tmpfs_blk_files($1) ++ fs_relabel_tmpfs_blk_file($1) ++ fs_relabel_tmpfs_chr_file($1) ++') ++ ++ifdef(`distro_ubuntu',` ++ optional_policy(` ++ unconfined_domain($1) ++ ') ++') ++ ++optional_policy(` ++ hotplug_use_fds($1) ++') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.12/policy/modules/system/selinuxutil.te +--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.te 2009-04-07 16:01:44.000000000 -0400 +@@ -23,6 +23,9 @@ + type selinux_config_t; + files_type(selinux_config_t) + ++type selinux_var_lib_t; ++files_type(selinux_var_lib_t) ++ + type checkpolicy_t, can_write_binary_policy; + type checkpolicy_exec_t; + application_domain(checkpolicy_t, checkpolicy_exec_t) +@@ -58,8 +61,9 @@ + # policy_config_t is the type of /etc/security/selinux/* + # the security server policy configuration. 
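Review bot: The description of `seutil_setsebool_per_role_template` says the derived domains are "used for setsebool plugins that are executed by a browser", which was copied from a browser-plugin template and does not describe this code; replace those two doc lines with `## This template creates a per-role setsebool domain ($1_setsebool_t) so the role can change booleans without running as semanage_t.`. The template then grants that per-user domain far more than boolean access: `seutil_semanage_policy($1_setsebool_t)` brings in `seutil_manage_module_store`, `seutil_manage_bin_policy`, `seutil_domtrans_loadpolicy` and write access to policy_config_t files, and the lines under `# Bug in semanage` add `seutil_manage_config`, `seutil_manage_file_contexts` and `seutil_manage_default_contexts`. A domain that can rewrite the module store and load policy is effectively a policy administrator, so either cite the semanage bug in that comment so the extra rights can be removed once it is fixed, or give the per-role template a narrower interface limited to `selinux_set_all_booleans` and the reads it needs. Separately, `seutil_setfiles` carries a distro_ubuntu branch that makes its caller `unconfined_domain`, so every caller of the interface inherits that on Ubuntu builds; since the interface is now shared by setfiles_t and setfiles_mac_t, a comment on that branch is warranted.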
+ # +-type policy_config_t; +-files_type(policy_config_t) ++#type policy_config_t; ++#files_type(policy_config_t) ++typealias semanage_store_t alias policy_config_t; + + neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; + #neverallow ~can_write_binary_policy policy_config_t:file { write append }; +@@ -75,7 +79,6 @@ + type restorecond_exec_t; + init_daemon_domain(restorecond_t,restorecond_exec_t) + domain_obj_id_change_exemption(restorecond_t) +-role system_r types restorecond_t; + + type restorecond_var_run_t; + files_pid_file(restorecond_var_run_t) +@@ -92,6 +95,10 @@ + domain_interactive_fd(semanage_t) + role system_r types semanage_t; + ++type setsebool_t; ++type setsebool_exec_t; ++init_system_domain(setsebool_t, setsebool_exec_t) ++ + type semanage_store_t; + files_type(semanage_store_t) + +@@ -109,6 +116,11 @@ + init_system_domain(setfiles_t,setfiles_exec_t) + domain_obj_id_change_exemption(setfiles_t) + ++type setfiles_mac_t; ++domain_type(setfiles_mac_t) ++domain_entry_file(setfiles_mac_t, setfiles_exec_t) ++domain_obj_id_change_exemption(setfiles_mac_t) ++ + ######################################## + # + # Checkpolicy local policy +@@ -166,6 +178,7 @@ + files_read_etc_runtime_files(load_policy_t) + + fs_getattr_xattr_fs(load_policy_t) ++fs_list_inotifyfs(load_policy_t) + + mls_file_read_all_levels(load_policy_t) + +@@ -191,15 +204,6 @@ + ') + ') + +-ifdef(`hide_broken_symptoms',` +- # cjp: cover up stray file descriptors. 
+- dontaudit load_policy_t selinux_config_t:file write; +- +- optional_policy(` +- unconfined_dontaudit_read_pipes(load_policy_t) +- ') +-') +- + ######################################## + # + # Newrole local policy +@@ -217,7 +221,7 @@ + allow newrole_t self:msg { send receive }; + allow newrole_t self:unix_dgram_socket sendto; + allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++logging_send_audit_msgs(newrole_t) + + read_files_pattern(newrole_t,default_context_t,default_context_t) + read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) +@@ -270,12 +274,14 @@ + init_rw_utmp(newrole_t) + init_use_fds(newrole_t) + ++logging_send_audit_msgs(newrole_t) + logging_send_syslog_msg(newrole_t) + + miscfiles_read_localization(newrole_t) + + seutil_libselinux_linked(newrole_t) + ++userdom_use_unpriv_users_fds(newrole_t) + # for some PAM modules and for cwd + userdom_dontaudit_search_user_home_content(newrole_t) + userdom_search_user_home_dirs(newrole_t) +@@ -336,6 +342,8 @@ + + seutil_libselinux_linked(restorecond_t) + ++userdom_read_user_home_content_symlinks(restorecond_t) ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(restorecond_t) +@@ -354,7 +362,7 @@ + allow run_init_t self:process setexec; + allow run_init_t self:capability setuid; + allow run_init_t self:fifo_file rw_file_perms; +-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++logging_send_audit_msgs(run_init_t) + + # often the administrator runs such programs from a directory that is owned + # by a different user or has restrictive SE permissions, do not want to audit +@@ -383,10 +391,10 @@ + + auth_use_nsswitch(run_init_t) + auth_domtrans_chk_passwd(run_init_t) +-auth_domtrans_upd_passwd(run_init_t) + auth_dontaudit_read_shadow(run_init_t) + + init_spec_domtrans_script(run_init_t) ++ + # for utmp + 
init_rw_utmp(run_init_t) + +@@ -406,6 +414,10 @@ + ') + ') + ++optional_policy(` ++ rpm_domtrans(run_init_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(run_init_t) +@@ -421,61 +433,22 @@ + # semodule local policy + # + +-allow semanage_t self:capability { dac_override audit_write }; +-allow semanage_t self:unix_stream_socket create_stream_socket_perms; +-allow semanage_t self:unix_dgram_socket create_socket_perms; +-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + +-allow semanage_t policy_config_t:file rw_file_perms; ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + +-allow semanage_t semanage_tmp_t:dir manage_dir_perms; +-allow semanage_t semanage_tmp_t:file manage_file_perms; +-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) +- +-kernel_read_system_state(semanage_t) +-kernel_read_kernel_sysctls(semanage_t) +- +-corecmd_exec_bin(semanage_t) +- +-dev_read_urand(semanage_t) +- +-domain_use_interactive_fds(semanage_t) +- +-files_read_etc_files(semanage_t) +-files_read_etc_runtime_files(semanage_t) +-files_read_usr_files(semanage_t) +-files_list_pids(semanage_t) +- +-mls_file_write_all_levels(semanage_t) +-mls_file_read_all_levels(semanage_t) +- +-selinux_validate_context(semanage_t) +-selinux_get_enforce_mode(semanage_t) +-selinux_getattr_fs(semanage_t) +-# for setsebool: + selinux_set_all_booleans(semanage_t) ++can_exec(semanage_t, semanage_exec_t) + +-term_use_all_terms(semanage_t) ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + +-# Running genhomedircon requires this for finding all users +-auth_use_nsswitch(semanage_t) +- +-locallogin_use_fds(semanage_t) +- +-logging_send_syslog_msg(semanage_t) +- +-miscfiles_read_localization(semanage_t) 
+- +-seutil_libselinux_linked(semanage_t) + seutil_manage_file_contexts(semanage_t) + seutil_manage_config(semanage_t) + seutil_domtrans_setfiles(semanage_t) +-seutil_domtrans_loadpolicy(semanage_t) +-seutil_manage_bin_policy(semanage_t) +-seutil_use_newrole_fds(semanage_t) +-seutil_manage_module_store(semanage_t) +-seutil_get_semanage_trans_lock(semanage_t) +-seutil_get_semanage_read_lock(semanage_t) ++ + # netfilter_contexts: + seutil_manage_default_contexts(semanage_t) + +@@ -484,12 +457,23 @@ + files_read_var_lib_symlinks(semanage_t) + ') + ++optional_policy(` ++ setrans_initrc_domtrans(semanage_t) ++ domain_system_change_exemption(semanage_t) ++ consoletype_exec(semanage_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(semanage_t) + ') + ') + ++optional_policy(` ++ #signal mcstrans on reload ++ init_spec_domtrans_script(semanage_t) ++') ++ + # cjp: need a more general way to handle this: + ifdef(`enable_mls',` + # read secadm tmp files +@@ -499,111 +483,36 @@ + userdom_read_user_tmp_files(semanage_t) + ') + +-######################################## ++userdom_search_admin_dir(semanage_t) ++ ++####################################n#### + # +-# Setfiles local policy ++# setsebool local policy + # ++seutil_semanage_policy(setsebool_t) ++selinux_set_all_booleans(setsebool_t) + +-allow setfiles_t self:capability { dac_override dac_read_search fowner }; +-dontaudit setfiles_t self:capability sys_tty_config; +-allow setfiles_t self:fifo_file rw_file_perms; +- +-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; +-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; +-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; +- +-kernel_read_system_state(setfiles_t) +-kernel_relabelfrom_unlabeled_dirs(setfiles_t) +-kernel_relabelfrom_unlabeled_files(setfiles_t) 
+-kernel_relabelfrom_unlabeled_symlinks(setfiles_t) +-kernel_relabelfrom_unlabeled_pipes(setfiles_t) +-kernel_relabelfrom_unlabeled_sockets(setfiles_t) +-kernel_use_fds(setfiles_t) +-kernel_rw_pipes(setfiles_t) +-kernel_rw_unix_dgram_sockets(setfiles_t) +-kernel_dontaudit_list_all_proc(setfiles_t) +-kernel_dontaudit_list_all_sysctls(setfiles_t) +- +-dev_relabel_all_dev_nodes(setfiles_t) +- +-domain_use_interactive_fds(setfiles_t) +-domain_dontaudit_search_all_domains_state(setfiles_t) +- +-files_read_etc_runtime_files(setfiles_t) +-files_read_etc_files(setfiles_t) +-files_list_all(setfiles_t) +-files_relabel_all_files(setfiles_t) +- +-fs_getattr_xattr_fs(setfiles_t) +-fs_list_all(setfiles_t) +-fs_search_auto_mountpoints(setfiles_t) +-fs_relabelfrom_noxattr_fs(setfiles_t) +- +-mls_file_read_all_levels(setfiles_t) +-mls_file_write_all_levels(setfiles_t) +-mls_file_upgrade(setfiles_t) +-mls_file_downgrade(setfiles_t) +- +-selinux_validate_context(setfiles_t) +-selinux_compute_access_vector(setfiles_t) +-selinux_compute_create_context(setfiles_t) +-selinux_compute_relabel_context(setfiles_t) +-selinux_compute_user_contexts(setfiles_t) +- +-term_use_all_user_ttys(setfiles_t) +-term_use_all_user_ptys(setfiles_t) +-term_use_unallocated_ttys(setfiles_t) +- +-# this is to satisfy the assertion: +-auth_relabelto_shadow(setfiles_t) +- +-init_use_fds(setfiles_t) +-init_use_script_fds(setfiles_t) +-init_use_script_ptys(setfiles_t) +-init_exec_script_files(setfiles_t) +- +-logging_send_syslog_msg(setfiles_t) +- +-miscfiles_read_localization(setfiles_t) +- +-seutil_libselinux_linked(setfiles_t) +- +-userdom_use_all_users_fds(setfiles_t) +-# for config files in a home directory +-userdom_read_user_home_content_files(setfiles_t) +- +-ifdef(`distro_debian',` +- # udev tmpfs is populated with static device nodes +- # and then relabeled afterwards; thus +- # /dev/console has the tmpfs type +- fs_rw_tmpfs_chr_files(setfiles_t) +-') ++init_dontaudit_use_fds(setsebool_t) + 
+-ifdef(`distro_redhat', ` +- fs_rw_tmpfs_chr_files(setfiles_t) +- fs_rw_tmpfs_blk_files(setfiles_t) +- fs_relabel_tmpfs_blk_file(setfiles_t) +- fs_relabel_tmpfs_chr_file(setfiles_t) +-') ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) + +-ifdef(`distro_ubuntu',` +- optional_policy(` +- unconfined_domain(setfiles_t) +- ') +-') ++######################################## ++# ++# Setfiles local policy ++# + +-ifdef(`hide_broken_symptoms',` +- optional_policy(` +- udev_dontaudit_rw_dgram_sockets(setfiles_t) +- ') ++seutil_setfiles(setfiles_t) ++# During boot in Rawhide ++term_use_generic_ptys(setfiles_t) + +- # cjp: cover up stray file descriptors. +- optional_policy(` +- unconfined_dontaudit_read_pipes(setfiles_t) +- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) +- ') +-') ++seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) + + optional_policy(` +- hotplug_use_fds(setfiles_t) ++ unconfined_domain(setfiles_mac_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.12/policy/modules/system/setrans.if +--- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/setrans.if 2009-04-07 16:01:44.000000000 -0400 +@@ -21,3 +21,23 @@ + stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) + files_list_pids($1) + ') ++ ++######################################## ++## ++## Execute setrans server in the setrans domain. ++## ++## ++## ++## The type of the process performing this action. 
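Review bot: `setfiles_mac_t` is given `allow setfiles_mac_t self:capability2 mac_admin;` and `kernel_relabelto_unlabeled(setfiles_mac_t)` so it can assign contexts the loaded policy does not define, and then `unconfined_domain(setfiles_mac_t)` in the trailing optional_policy makes it unconfined anyway; the unconfined grant subsumes the narrower rules and leaves an auditor nothing to reason about. If this is a stopgap, comment it as such and note what the confined rule set still denies for the setfiles_mac_t use case; if not, drop the `unconfined_domain` call and keep `seutil_setfiles(setfiles_mac_t)` plus the two mac-specific rules. The new setsebool block likewise inherits the full `seutil_semanage_policy` set plus `seutil_domtrans_setfiles`/`seutil_manage_config` behind `# Bug in semanage`; a bug reference in that comment would let a later maintainer know when those rights can go. Nit: the new banner `####################################n####` has a stray `n`.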
++## ++## ++# ++# ++interface(`setrans_initrc_domtrans',` ++ gen_require(` ++ type setrans_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, setrans_initrc_exec_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.12/policy/modules/system/sysnetwork.fc +--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.fc 2009-04-07 16:01:44.000000000 -0400 +@@ -11,8 +11,12 @@ + /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) + /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) + /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) ++/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) ++/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) + + /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) + /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) +@@ -20,6 +24,8 @@ + ifdef(`distro_redhat',` + /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) + ') + + # +@@ -57,3 +63,5 @@ + ifdef(`distro_gentoo',` + /var/lib/dhcpc(/.*)? 
gen_context(system_u:object_r:dhcpc_state_t,s0) + ') ++ ++/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-07 16:01:44.000000000 -0400 +@@ -43,6 +43,39 @@ + + sysnet_domtrans_dhcpc($1) + role $2 types dhcpc_t; ++ ++ sysnet_run_ifconfig(dhcpc_t, $2) ++ ++ modutils_run_insmod(dhcpc_t, $2) ++ ++ optional_policy(` ++ consoletype_run(dhcpc_t, $2) ++ ') ++ optional_policy(` ++ hostname_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ netutils_run_ping(dhcpc_t, $2) ++ ') ++ optional_policy(` ++ netutils_run(dhcpc_t, $2) ++ ') ++ optional_policy(` ++ networkmanager_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nis_run_ypbind(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nscd_run(dhcpc_t, $2) ++ ') ++ optional_policy(` ++ ntp_run(dhcpc_t, $2) ++ ') ++ seutil_run_setfiles(dhcpc_t, $2) + ') + + ######################################## +@@ -192,7 +225,25 @@ + type dhcpc_state_t; + ') + +- allow $1 dhcpc_state_t:file read_file_perms; ++ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ++') ++ ++####################################### ++## ++## Delete the dhcp client state files. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`sysnet_delete_dhcpc_state',` ++ gen_require(` ++ type dhcpc_state_t; ++ ') ++ ++ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + ') + + ####################################### +@@ -230,7 +281,7 @@ + ') + + files_search_etc($1) +- allow $1 net_conf_t:file read_file_perms; ++ read_files_pattern($1, net_conf_t, net_conf_t) + ') + + ####################################### +@@ -323,7 +374,8 @@ + type net_conf_t; + ') + +- allow $1 net_conf_t:file manage_file_perms; ++ allow $1 net_conf_t:dir list_dir_perms; ++ manage_files_pattern($1, net_conf_t, net_conf_t) + ') + + ####################################### +@@ -541,6 +593,7 @@ + type net_conf_t; + ') + ++ allow $1 self:netlink_route_socket r_netlink_socket_perms; + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + +@@ -557,6 +610,14 @@ + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; ++ ++ optional_policy(` ++ avahi_stream_connect($1) ++ ') ++ ++ optional_policy(` ++ nscd_socket_use($1) ++ ') + ') + + ######################################## +@@ -586,6 +647,8 @@ + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; ++ # LDAP Configuration using encrypted requires ++ dev_read_urand($1) + ') + + ######################################## +@@ -620,3 +683,49 @@ + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; + ') ++ ++######################################## ++## ++## Do not audit attempts to use ++## the dhcp file descriptors. ++## ++## ++## ++## The domain sending the SIGCHLD. ++## ++## ++# ++interface(`sysnet_dontaudit_dhcpc_use_fds',` ++ gen_require(` ++ type dhcpc_t; ++ ') ++ ++ dontaudit $1 dhcpc_t:fd use; ++') ++ ++######################################## ++## ++## Transition to system_r when execute an dhclient script ++## ++## ++##

++## Execute dhclient script in a specified role ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##
++## ++## ++## Role to transition from. ++## ++## ++interface(`sysnet_role_transition_dhcpc',` ++ gen_require(` ++ type dhcpc_exec_t; ++ ') ++ ++ role_transition $1 dhcpc_exec_t system_r; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-07 16:01:44.000000000 -0400 +@@ -20,6 +20,9 @@ + init_daemon_domain(dhcpc_t,dhcpc_exec_t) + role system_r types dhcpc_t; + ++type dhcpc_helper_exec_t; ++init_script_file(dhcpc_helper_exec_t) ++ + type dhcpc_state_t; + files_type(dhcpc_state_t) + +@@ -41,21 +44,22 @@ + # + # DHCP client local policy + # +-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; ++allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config }; + dontaudit dhcpc_t self:capability sys_tty_config; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +-allow dhcpc_t self:process signal_perms; +-allow dhcpc_t self:fifo_file rw_file_perms; ++allow dhcpc_t self:process { setfscreate ptrace signal_perms }; ++allow dhcpc_t self:fifo_file rw_fifo_file_perms; + allow dhcpc_t self:tcp_socket create_stream_socket_perms; + allow dhcpc_t self:udp_socket create_socket_perms; + allow dhcpc_t self:packet_socket create_socket_perms; +-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; ++allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; + + allow dhcpc_t dhcp_etc_t:dir list_dir_perms; + read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) + exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t) + ++allow dhcpc_t dhcp_state_t:file read_file_perms; + 
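Review bot: The documentation of the two new interfaces was pasted from elsewhere and does not match the rules: `sysnet_dontaudit_dhcpc_use_fds` describes its argument as `The domain sending the SIGCHLD.` although the body is `dontaudit $1 dhcpc_t:fd use;`, so the param text should read `Domain to not audit.`; and `sysnet_role_transition_dhcpc` is summarised as executing a dhclient script in a specified role, with a note about no IPC being provided, while its body is a single `role_transition $1 dhcpc_exec_t system_r;`. The summary should say that the given role is transitioned to system_r when it executes dhcpc_exec_t, and the param line `Role to transition from.` is the only accurate one there. `sysnet_role_transition_dhcpc` also lacks the `#` separator line before `interface(` that every other interface in this file has.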
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) + filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) + +@@ -65,7 +69,7 @@ + + # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files + # in /etc created by dhcpcd will be labelled net_conf_t. +-allow dhcpc_t net_conf_t:file manage_file_perms; ++sysnet_manage_config(dhcpc_t) + files_etc_filetrans(dhcpc_t,net_conf_t,file) + + # create temp files +@@ -116,7 +120,7 @@ + corecmd_exec_shell(dhcpc_t) + + domain_use_interactive_fds(dhcpc_t) +-domain_dontaudit_list_all_domains_state(dhcpc_t) ++domain_dontaudit_read_all_domains_state(dhcpc_t) + + files_read_etc_files(dhcpc_t) + files_read_etc_runtime_files(dhcpc_t) +@@ -183,25 +187,23 @@ + ') + + optional_policy(` +- nis_use_ypbind(dhcpc_t) +- nis_signal_ypbind(dhcpc_t) +- nis_read_ypbind_pid(dhcpc_t) +- nis_delete_ypbind_pid(dhcpc_t) ++ networkmanager_domtrans(dhcpc_t) ++ networkmanager_read_pid_files(dhcpc_t) ++') + +- # dhclient sometimes starts ypbind +- init_exec_script_files(dhcpc_t) +- nis_domtrans_ypbind(dhcpc_t) ++optional_policy(` ++ nis_ypbind_initrc_domtrans(dhcpc_t) ++ nis_read_ypbind_pid(dhcpc_t) + ') + + optional_policy(` ++ nscd_initrc_domtrans(dhcpc_t) + nscd_domtrans(dhcpc_t) + nscd_read_pid(dhcpc_t) + ') + + optional_policy(` +- # dhclient sometimes starts ntpd +- init_exec_script_files(dhcpc_t) +- ntp_domtrans(dhcpc_t) ++ ntp_initrc_domtrans(dhcpc_t) + ') + + optional_policy(` +@@ -212,6 +214,7 @@ + optional_policy(` + seutil_sigchld_newrole(dhcpc_t) + seutil_dontaudit_search_config(dhcpc_t) ++ seutil_domtrans_setfiles(dhcpc_t) + ') + + optional_policy(` +@@ -223,6 +226,10 @@ + ') + + optional_policy(` ++ vmware_append_log(dhcpc_t) ++') ++ ++optional_policy(` + kernel_read_xen_state(dhcpc_t) + kernel_write_xen_state(dhcpc_t) + xen_append_log(dhcpc_t) +@@ -236,7 +243,6 @@ + + allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; + allow ifconfig_t self:capability 
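Review bot: `allow dhcpc_t self:process { setfscreate ptrace signal_perms };` adds `ptrace` to the DHCP client with no comment saying which dhclient operation needs it; dhcpc_t parses untrusted network input, and self:process ptrace is rarely a genuine requirement rather than an AVC side effect. Either note the triggering operation next to the rule or move it to `dontaudit dhcpc_t self:process ptrace;` if it is only noise. The same question applies, less urgently, to the `sys_nice` capability added on the line above.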
{ net_raw net_admin sys_tty_config }; +-dontaudit ifconfig_t self:capability sys_module; + + allow ifconfig_t self:fd use; + allow ifconfig_t self:fifo_file rw_fifo_file_perms; +@@ -250,6 +256,7 @@ + allow ifconfig_t self:sem create_sem_perms; + allow ifconfig_t self:msgq create_msgq_perms; + allow ifconfig_t self:msg { send receive }; ++allow ifconfig_t net_conf_t:file read_file_perms; + + # Create UDP sockets, necessary when called from dhcpc + allow ifconfig_t self:udp_socket create_socket_perms; +@@ -259,13 +266,20 @@ + allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; + allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; + allow ifconfig_t self:tcp_socket { create ioctl }; ++ ++read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) ++ + files_read_etc_files(ifconfig_t); ++files_read_etc_runtime_files(ifconfig_t); + + kernel_use_fds(ifconfig_t) + kernel_read_system_state(ifconfig_t) + kernel_read_network_state(ifconfig_t) + kernel_search_network_sysctl(ifconfig_t) ++kernel_search_debugfs(ifconfig_t) + kernel_rw_net_sysctls(ifconfig_t) ++# This should be put inside a boolean, but can not because of attributes ++kernel_load_module(ifconfig_t) + + corenet_rw_tun_tap_dev(ifconfig_t) + +@@ -276,8 +290,13 @@ + fs_getattr_xattr_fs(ifconfig_t) + fs_search_auto_mountpoints(ifconfig_t) + ++selinux_dontaudit_getattr_fs(ifconfig_t) ++ ++term_dontaudit_use_console(ifconfig_t) + term_dontaudit_use_all_user_ttys(ifconfig_t) + term_dontaudit_use_all_user_ptys(ifconfig_t) ++term_dontaudit_use_ptmx(ifconfig_t) ++term_dontaudit_use_generic_ptys(ifconfig_t) + + domain_use_interactive_fds(ifconfig_t) + +@@ -296,6 +315,8 @@ + + seutil_use_runinit_fds(ifconfig_t) + ++sysnet_dns_name_resolve(ifconfig_t) ++ + userdom_use_user_terminals(ifconfig_t) + userdom_use_all_users_fds(ifconfig_t) + +@@ -332,6 +353,14 @@ + ') + + optional_policy(` ++ unconfined_dontaudit_rw_pipes(ifconfig_t) ++') ++ ++optional_policy(` ++ 
vmware_append_log(ifconfig_t) ++') ++ ++optional_policy(` + kernel_read_xen_state(ifconfig_t) + kernel_write_xen_state(ifconfig_t) + xen_append_log(ifconfig_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te +--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-09 05:27:54.000000000 -0400 +@@ -210,6 +210,11 @@ + ') + + optional_policy(` ++ devicekit_read_pid_files(udev_t) ++ devicekit_dgram_send(udev_t) ++') ++ ++optional_policy(` + lvm_domtrans(udev_t) + ') + +@@ -219,6 +224,7 @@ + + optional_policy(` + hal_dgram_send(udev_t) ++ hal_rw_dgram_sockets(udev_t) + ') + + optional_policy(` +@@ -242,6 +248,10 @@ + ') + + optional_policy(` ++ rpm_search_log(udev_t) ++') ++ ++optional_policy(` + kernel_write_xen_state(udev_t) + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.12/policy/modules/system/unconfined.fc +--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.fc 2009-04-09 04:45:11.000000000 -0400 +@@ -1,16 +1 @@ + # Add programs here which should not be confined by SELinux +-# e.g.: +-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) +- +-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/lib/openoffice\.org.*/program/.+\.bin 
-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +- +-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +- +-ifdef(`distro_gentoo',` +-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if +--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-09 04:57:07.000000000 -0400 +@@ -12,14 +12,13 @@ + # + interface(`unconfined_domain_noaudit',` + gen_require(` +- type unconfined_t; + class dbus all_dbus_perms; + class nscd all_nscd_perms; + class passwd all_passwd_perms; + ') + + # Use any Linux capability. +- allow $1 self:capability *; ++ allow $1 self:capability all_capabilities; + allow $1 self:fifo_file manage_fifo_file_perms; + + # Transition to myself, to make get_ordered_context_list happy. +@@ -27,12 +26,13 @@ + + # Write access is for setting attributes under /proc/self/attr. + allow $1 self:file rw_file_perms; ++ allow $1 self:dir rw_dir_perms; + + # Userland object managers +- allow $1 self:nscd *; +- allow $1 self:dbus *; +- allow $1 self:passwd *; +- allow $1 self:association *; ++ allow $1 self:nscd all_nscd_perms; ++ allow $1 self:dbus all_dbus_perms; ++ allow $1 self:passwd all_passwd_perms; ++ allow $1 self:association all_association_perms; + + kernel_unconfined($1) + corenet_unconfined($1) +@@ -44,6 +44,16 @@ + fs_unconfined($1) + selinux_unconfined($1) + ++ domain_mmap_low_type($1) ++ ++ mls_file_read_all_levels($1) ++ ++ ubac_process_exempt($1) ++ ++ tunable_policy(`allow_unconfined_mmap_low',` ++ domain_mmap_low($1) ++ ') ++ + tunable_policy(`allow_execheap',` + # Allow making the stack executable via mprotect. 
+ allow $1 self:process execheap; +@@ -69,6 +79,7 @@ + optional_policy(` + # Communicate via dbusd. + dbus_system_bus_unconfined($1) ++ dbus_unconfined($1) + ') + + optional_policy(` +@@ -111,6 +122,10 @@ + ## + # + interface(`unconfined_domain',` ++ gen_require(` ++ attribute unconfined_services; ++ ') ++ + unconfined_domain_noaudit($1) + + tunable_policy(`allow_execheap',` +@@ -173,411 +188,3 @@ + refpolicywarn(`$0($1) has been deprecated.') + ') + +-######################################## +-## +-## Transition to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_domtrans',` +- gen_require(` +- type unconfined_t, unconfined_exec_t; +- ') +- +- domtrans_pattern($1,unconfined_exec_t,unconfined_t) +-') +- +-######################################## +-## +-## Execute specified programs in the unconfined domain. +-## +-## +-## +-## The type of the process performing this action. +-## +-## +-## +-## +-## The role to allow the unconfined domain. +-## +-## +-# +-interface(`unconfined_run',` +- gen_require(` +- type unconfined_t; +- ') +- +- unconfined_domtrans($1) +- role $2 types unconfined_t; +-') +- +-######################################## +-## +-## Transition to the unconfined domain by executing a shell. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_shell_domtrans',` +- gen_require(` +- type unconfined_t; +- ') +- +- corecmd_shell_domtrans($1,unconfined_t) +- allow unconfined_t $1:fd use; +- allow unconfined_t $1:fifo_file rw_file_perms; +- allow unconfined_t $1:process sigchld; +-') +- +-######################################## +-## +-## Allow unconfined to execute the specified program in +-## the specified domain. +-## +-## +-##

+-## Allow unconfined to execute the specified program in +-## the specified domain. +-##

+-##

+-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

+-##
+-## +-## +-## Domain to execute in. +-## +-## +-## +-## +-## Domain entry point file. +-## +-## +-# +-interface(`unconfined_domtrans_to',` +- gen_require(` +- type unconfined_t; +- ') +- +- domtrans_pattern(unconfined_t,$2,$1) +-') +- +-######################################## +-## +-## Allow unconfined to execute the specified program in +-## the specified domain. Allow the specified domain the +-## unconfined role and use of unconfined user terminals. +-## +-## +-##

+-## Allow unconfined to execute the specified program in +-## the specified domain. Allow the specified domain the +-## unconfined role and use of unconfined user terminals. +-##

+-##

+-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

+-##
+-## +-## +-## Domain to execute in. +-## +-## +-## +-## +-## Domain entry point file. +-## +-## +-# +-interface(`unconfined_run_to',` +- gen_require(` +- type unconfined_t; +- role unconfined_r; +- ') +- +- domtrans_pattern(unconfined_t,$2,$1) +- role unconfined_r types $1; +- userdom_use_user_terminals($1) +-') +- +-######################################## +-## +-## Inherit file descriptors from the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_use_fds',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fd use; +-') +- +-######################################## +-## +-## Send a SIGCHLD signal to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_sigchld',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process sigchld; +-') +- +-######################################## +-## +-## Send a SIGNULL signal to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_signull',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process signull; +-') +- +-######################################## +-## +-## Send generic signals to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_signal',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process signal; +-') +- +-######################################## +-## +-## Read unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_read_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fifo_file read_fifo_file_perms; +-') +- +-######################################## +-## +-## Do not audit attempts to read unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`unconfined_dontaudit_read_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:fifo_file read; +-') +- +-######################################## +-## +-## Read and write unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_rw_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +-') +- +-######################################## +-## +-## Do not audit attempts to read and write +-## unconfined domain unnamed pipes. +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`unconfined_dontaudit_rw_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:fifo_file rw_file_perms; +-') +- +-######################################## +-## +-## Connect to the unconfined domain using +-## a unix domain stream socket. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_stream_connect',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:unix_stream_socket connectto; +-') +- +-######################################## +-## +-## Do not audit attempts to read or write +-## unconfined domain tcp sockets. +-## +-## +-##

+-## Do not audit attempts to read or write +-## unconfined domain tcp sockets. +-##

+-##

+-## This interface was added due to a broken +-## symptom in ldconfig. +-##

+-##
+-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`unconfined_dontaudit_rw_tcp_sockets',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:tcp_socket { read write }; +-') +- +-######################################## +-## +-## Create keys for the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_create_keys',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:key create; +-') +- +-######################################## +-## +-## Send messages to the unconfined domain over dbus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_dbus_send',` +- gen_require(` +- type unconfined_t; +- class dbus send_msg; +- ') +- +- allow $1 unconfined_t:dbus send_msg; +-') +- +-######################################## +-## +-## Send and receive messages from +-## unconfined_t over dbus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_dbus_chat',` +- gen_require(` +- type unconfined_t; +- class dbus send_msg; +- ') +- +- allow $1 unconfined_t:dbus send_msg; +- allow unconfined_t $1:dbus send_msg; +-') +- +-######################################## +-## +-## Connect to the the unconfined DBUS +-## for service (acquire_svc). +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`unconfined_dbus_connect',` +- gen_require(` +- type unconfined_t; +- class dbus acquire_svc; +- ') +- +- allow $1 unconfined_t:dbus acquire_svc; +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.12/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-07 16:01:44.000000000 -0400 -@@ -5,6 +5,35 @@ ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-09 04:23:28.000000000 -0400 +@@ -5,227 +5,6 @@ # # Declarations # -+attribute unconfined_login_domain; -+ -+## -+##

-+## Transition to confined nsplugin domains from unconfined user -+##

-+##
-+gen_tunable(allow_unconfined_nsplugin_transition, false) -+ -+## -+##

-+## Allow a user to login as an unconfined domain -+##

-+##
-+gen_tunable(unconfined_login, true) -+ -+## -+##

-+## Allow unconfined domain to map low memory in the kernel -+##

-+##
-+gen_tunable(allow_unconfined_mmap_low, false) -+ -+## -+##

-+## Transition to confined qemu domains from unconfined user -+##

-+##
-+gen_tunable(allow_unconfined_qemu_transition, false) - - # usage in this module of types created by these - # calls is not correct, however we dont currently -@@ -13,28 +42,51 @@ - userdom_manage_home_role(unconfined_r, unconfined_t) - userdom_manage_tmp_role(unconfined_r, unconfined_t) - userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_execmod_user_home_files(unconfined_t) - - type unconfined_exec_t; - init_system_domain(unconfined_t, unconfined_exec_t) -+role unconfined_r types unconfined_t; -+ -+domain_user_exemption_target(unconfined_t) -+allow system_r unconfined_r; -+allow unconfined_r system_r; -+init_script_role_transition(unconfined_r) -+role system_r types unconfined_t; -+typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; - - type unconfined_execmem_t; ++attribute unconfined_services; + +-# usage in this module of types created by these +-# calls is not correct, however we dont currently +-# have another method to add access to these types +-userdom_base_user_template(unconfined) +-userdom_manage_home_role(unconfined_r, unconfined_t) +-userdom_manage_tmp_role(unconfined_r, unconfined_t) +-userdom_manage_tmpfs_role(unconfined_r, unconfined_t) + +-type unconfined_exec_t; +-init_system_domain(unconfined_t, unconfined_exec_t) +- +-type unconfined_execmem_t; -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -+type execmem_exec_t; -+init_system_domain(unconfined_execmem_t, execmem_exec_t) - role unconfined_r types unconfined_execmem_t; -+typealias execmem_exec_t alias unconfined_execmem_exec_t; -+ -+type unconfined_notrans_t; -+type unconfined_notrans_exec_t; -+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) -+role unconfined_r types unconfined_notrans_t; - - ######################################## - # - # Local policy - # - +-role unconfined_r types unconfined_execmem_t; +- +-######################################## +-# +-# Local policy +-# +- 
-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) -+dontaudit unconfined_t self:dir write; -+ -+allow unconfined_t self:system syslog_read; -+dontaudit unconfined_t self:capability sys_module; -+ -+domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) - - files_create_boot_flag(unconfined_t) -+files_create_default_dir(unconfined_t) - - mcs_killall(unconfined_t) - mcs_ptrace_all(unconfined_t) -+mls_file_write_all_levels(unconfined_t) - - init_run_daemon(unconfined_t, unconfined_r) -+init_domtrans_script(unconfined_t) - - libs_run_ldconfig(unconfined_t, unconfined_r) - -@@ -42,26 +94,53 @@ - logging_run_auditctl(unconfined_t, unconfined_r) - - mount_run_unconfined(unconfined_t, unconfined_r) -+# Unconfined running as system_r -+mount_domtrans_unconfined(unconfined_t) - -+seutil_run_setsebool(unconfined_t, unconfined_r) - seutil_run_setfiles(unconfined_t, unconfined_r) - seutil_run_semanage(unconfined_t, unconfined_r) - - unconfined_domain(unconfined_t) -+domain_mmap_low(unconfined_t) - - userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) - -+usermanage_run_passwd(unconfined_t, unconfined_r) -+usermanage_run_chfn(unconfined_t, unconfined_r) -+ -+tunable_policy(`unconfined_login',` -+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) -+ allow unconfined_t unconfined_login_domain:fd use; -+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; -+ allow unconfined_t unconfined_login_domain:process sigchld; -+') -+ -+optional_policy(` -+ loadkeys_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ nsplugin_role_notrans(unconfined_r, unconfined_t) -+ tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans(unconfined_execmem_t) -+ nsplugin_domtrans_config(unconfined_execmem_t) -+ nsplugin_domtrans(unconfined_t) -+ nsplugin_domtrans_config(unconfined_t) -+ ') -+') -+ - ifdef(`distro_gentoo',` - 
seutil_run_runinit(unconfined_t, unconfined_r) - seutil_init_script_run_runinit(unconfined_t, unconfined_r) - ') - - optional_policy(` +- +-files_create_boot_flag(unconfined_t) +- +-mcs_killall(unconfined_t) +-mcs_ptrace_all(unconfined_t) +- +-init_run_daemon(unconfined_t, unconfined_r) +- +-libs_run_ldconfig(unconfined_t, unconfined_r) +- +-logging_send_syslog_msg(unconfined_t) +-logging_run_auditctl(unconfined_t, unconfined_r) +- +-mount_run_unconfined(unconfined_t, unconfined_r) +- +-seutil_run_setfiles(unconfined_t, unconfined_r) +-seutil_run_semanage(unconfined_t, unconfined_r) +- +-unconfined_domain(unconfined_t) +- +-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) +- +-ifdef(`distro_gentoo',` +- seutil_run_runinit(unconfined_t, unconfined_r) +- seutil_init_script_run_runinit(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - ada_domtrans(unconfined_t) -+ ada_run(unconfined_t, unconfined_r) - ') - - optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) - ') - - optional_policy(` -@@ -102,12 +181,24 @@ - ') - - optional_policy(` -+ gnomeclock_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ kerneloops_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') -+ -+ optional_policy(` -+ vpnc_dbus_chat(unconfined_t) -+ ') - ') - - optional_policy(` -@@ -119,72 +210,84 @@ - ') - - optional_policy(` +-') +- +-optional_policy(` +- bind_run_ndc(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- bootloader_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- cron_unconfined_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` +- init_dbus_chat_script(unconfined_t) +- +- dbus_stub(unconfined_t) +- +- optional_policy(` +- 
avahi_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- bluetooth_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- consolekit_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- cups_dbus_chat_config(unconfined_t) +- ') +- +- optional_policy(` +- hal_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- networkmanager_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- oddjob_dbus_chat(unconfined_t) +- ') +-') +- +-optional_policy(` +- firstboot_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- ftp_run_ftpdctl(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - inn_domtrans(unconfined_t) -+ gpsd_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - java_domtrans_unconfined(unconfined_t) -+ iptables_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -+ java_run_unconfined(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -+ kismet_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - mono_domtrans(unconfined_t) -+ livecd_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - mta_role(unconfined_r, unconfined_t) -+ lpd_run_checkpc(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) -+ modutils_run_update_mods(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - prelink_run(unconfined_t, unconfined_r) -+ mono_role_template(unconfined, unconfined_r, unconfined_t) -+ unconfined_domain(unconfined_mono_t) -+ role system_r types unconfined_mono_t; - ') - - optional_policy(` +-') +- +-optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r) -+ oddjob_run_mkhomedir(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` 
- postfix_run_map(unconfined_t, unconfined_r) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -+ prelink_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - pyzor_role(unconfined_r, unconfined_t) -+ portmap_run_helper(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) -+ qemu_role_notrans(unconfined_r, unconfined_t) -+ qemu_unconfined_role(unconfined_r) -+ -+ tunable_policy(`allow_unconfined_qemu_transition',` -+ qemu_domtrans(unconfined_t) -+ ',` -+ qemu_domtrans_unconfined(unconfined_t) -+') - ') - - optional_policy(` - rpm_run(unconfined_t, unconfined_r) -+ # Allow SELinux aware applications to request rpm_script execution -+ rpm_transition_script(unconfined_t) -+ rpm_role_transition(unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` +- rpm_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - samba_run_net(unconfined_t, unconfined_r) -+ samba_role_notrans(unconfined_r) -+ samba_run_unconfined_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) -+ samba_run_smbcontrol(unconfined_t, unconfined_r) - ') - - optional_policy(` +- samba_run_winbind_helper(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - spamassassin_role(unconfined_r, unconfined_t) -+ sendmail_run_unconfined(unconfined_t, unconfined_r) - ') - - optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r) - sysnet_dbus_chat_dhcpc(unconfined_t) -+ sysnet_role_transition_dhcpc(unconfined_r) - ') - - optional_policy(` -@@ -192,7 +295,7 @@ - ') - - optional_policy(` +-') +- +-optional_policy(` +- sysnet_run_dhcpc(unconfined_t, unconfined_r) +- sysnet_dbus_chat_dhcpc(unconfined_t) +-') +- +-optional_policy(` +- tzdata_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) -+ 
vbetool_run(unconfined_t, unconfined_r) - ') - - optional_policy(` -@@ -204,11 +307,12 @@ - ') - - optional_policy(` +-') +- +-optional_policy(` +- vpn_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- webalizer_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - wine_domtrans(unconfined_t) -+ wine_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - xserver_domtrans(unconfined_t) -+ xserver_run(unconfined_t, unconfined_r) -+ xserver_rw_shm(unconfined_t) - ') - - ######################################## -@@ -218,14 +322,61 @@ - - allow unconfined_execmem_t self:process { execstack execmem }; - unconfined_domain_noaudit(unconfined_execmem_t) -+allow unconfined_execmem_t unconfined_t:process transition; - - optional_policy(` +-') +- +-######################################## +-# +-# Unconfined Execmem Local policy +-# +- +-allow unconfined_execmem_t self:process { execstack execmem }; +-unconfined_domain_noaudit(unconfined_execmem_t) +- +-optional_policy(` - dbus_stub(unconfined_execmem_t) - - init_dbus_chat_script(unconfined_execmem_t) -+ dbus_system_bus_client(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) -+ unconfined_dbus_connect(unconfined_execmem_t) -+') -+ -+optional_policy(` -+ avahi_dbus_chat(unconfined_execmem_t) -+') - - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') -+ -+optional_policy(` -+ xserver_rw_shm(unconfined_execmem_t) -+') -+ -+######################################## -+# -+# Unconfined notrans Local policy -+# -+ -+allow unconfined_notrans_t self:process { execstack execmem }; -+unconfined_domain_noaudit(unconfined_notrans_t) -+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) -+# Allow SELinux aware applications to request rpm_script execution -+rpm_transition_script(unconfined_notrans_t) -+domain_ptrace_all_domains(unconfined_notrans_t) -+ -+optional_policy(` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ 
domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+') -+ -+optional_policy(` -+tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) - ') -+') -+ -+optional_policy(` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) -+') -+ -+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -+ +- init_dbus_chat_script(unconfined_execmem_t) +- unconfined_dbus_chat(unconfined_execmem_t) +- +- optional_policy(` +- hal_dbus_chat(unconfined_execmem_t) +- ') +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.12/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.fc 2009-04-07 16:01:44.000000000 -0400 @@ -27327,7 +28678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-11 07:13:54.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -27614,7 +28965,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -368,46 +373,41 @@ +@@ -322,6 +327,7 @@ + ') + + exec_files_pattern($1, user_tmp_t, user_tmp_t) ++ dontaudit $1 user_tmp_t:sock_file execute; + files_search_tmp($1) + ') + +@@ -368,46 +374,41 @@ ####################################### ## @@ -27681,7 +29040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +420,43 @@ +@@ -420,34 +421,43 @@ ## is the prefix for user_t). ## ## @@ -27743,7 +29102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -497,11 +506,7 @@ +@@ -497,11 +507,7 @@ attribute unpriv_userdomain; ') @@ -27756,7 +29115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +517,199 @@ +@@ -512,189 +518,199 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -28037,7 +29396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,13 +737,26 @@ +@@ -722,13 +738,26 @@ userdom_base_user_template($1) @@ -28069,7 +29428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -746,70 +774,71 @@ +@@ -746,70 +775,71 @@ allow $1_t self:context contains; @@ -28174,7 +29533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +875,28 @@ +@@ -846,6 +876,28 @@ # Local policy # 
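Review bot: The new `dontaudit $1 user_tmp_t:sock_file execute;` has no comment recording which caller attempts to execute a socket under user_tmp_t, so a later maintainer cannot tell whether the denial it suppresses is benign noise or a symptom of a misbehaving program. A dontaudit grants nothing, so the rule is safe as written, but it should stay a dontaudit rather than ever being promoted to allow, and it deserves a why-comment such as `# silence execute-on-socket noise under user_tmp_t; TODO note the triggering application`. The interface this lands in is only partly visible here (its signature starts before the inner hunk); the rest of this outer hunk is hunk-header renumbering only.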
@@ -28203,7 +29562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +927,7 @@ +@@ -876,7 +928,7 @@ userdom_restricted_user_template($1) @@ -28212,7 +29571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +935,19 @@ +@@ -884,14 +936,19 @@ # auth_role($1_r, $1_t) @@ -28237,7 +29596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +955,33 @@ +@@ -899,28 +956,33 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -28278,7 +29637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -954,8 +1015,8 @@ +@@ -954,8 +1016,8 @@ # Declarations # @@ -28288,7 +29647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1025,12 @@ +@@ -964,11 +1026,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -28303,7 +29662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1048,47 @@ +@@ -986,37 +1049,47 @@ ') ') @@ -28365,7 +29724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1122,7 @@ +@@ -1050,7 +1123,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -28374,7 +29733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1131,7 @@ +@@ -1059,8 +1132,7 @@ # # Inherit rules for ordinary users. 
@@ -28384,7 +29743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1154,8 @@ +@@ -1083,7 +1155,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -28394,7 +29753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1171,7 @@ +@@ -1099,6 +1172,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -28402,7 +29761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1179,6 @@ +@@ -1106,8 +1180,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -28411,7 +29770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1233,6 @@ +@@ -1162,20 +1234,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -28432,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1278,7 @@ +@@ -1221,6 +1279,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -28440,7 +29799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1344,15 @@ +@@ -1286,11 +1345,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -28456,7 +29815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1449,7 @@ +@@ -1387,7 +1450,7 @@ ######################################## ## @@ -28465,7 +29824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1482,14 @@ +@@ -1420,6 +1483,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -28480,7 +29839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1505,11 @@ +@@ -1435,9 +1506,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -28492,7 +29851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1566,25 @@ +@@ -1494,6 +1567,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -28518,7 +29877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1659,8 @@ +@@ -1568,6 +1660,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -28527,7 +29886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1736,7 @@ +@@ -1643,6 +1737,7 @@ type user_home_dir_t, user_home_t; ') @@ -28535,7 +29894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,30 +1835,79 @@ +@@ -1741,30 +1836,80 @@ ######################################## ## 
@@ -28622,10 +29981,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ dontaudit $1 user_home_type:sock_file execute; ') ######################################## -@@ -1787,6 +1930,46 @@ +@@ -1787,6 +1932,46 @@ ######################################## ## @@ -28672,7 +30032,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1982,7 @@ +@@ -1799,6 +1984,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -28680,7 +30040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2512,7 @@ +@@ -2328,7 +2514,7 @@ ######################################## ## @@ -28689,7 +30049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,7 +2998,25 @@ +@@ -2814,7 +3000,25 @@ type user_tmp_t; ') @@ -28716,7 +30076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2851,6 +3053,7 @@ +@@ -2851,6 +3055,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -28724,7 +30084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3184,482 @@ +@@ -2981,3 +3186,482 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e66addf..cbbedf1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -167,7 +167,7 @@ fi %define loadminpolicy() \ ( cd /usr/share/selinux/%1; \ -semodule -b base.pp.bz2 -i unconfined.pp.bz2 -s %1; \ +semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \ ); \ %define loadpolicy() \ @@ -313,14 +313,10 @@ SELinux Reference policy targeted base module. %post targeted if [ $1 -eq 1 ]; then %loadpolicy targeted -#semanage -S targeted -i - << __eof -#login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ -#login -m -s unconfined_u -r s0-s0:c0.c1023 root -#__eof restorecon -R /root /var/log /var/run 2> /dev/null else semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null -%loadpolicy targeted +%loadpolicy targeted unconfined.pp unconfineduser.pp %relabel targeted fi exit 0 @@ -444,6 +440,9 @@ exit 0 %endif %changelog +* Thu Apr 9 2009 Dan Walsh 3.6.12-3 +- Separate out the ucnonfined user from the unconfined.pp package + * Wed Apr 7 2009 Dan Walsh 3.6.12-2 - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
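Review bot: In the `@@ -313,14 +313,10 @@` hunk the upgrade branch now calls `%loadpolicy targeted unconfined.pp unconfineduser.pp` while the fresh-install branch (`$1 -eq 1`) still calls `%loadpolicy targeted` with no module list, so whether a first install ends up with the split-out unconfineduser module depends on the `%loadpolicy` macro body, which is outside this hunk (only its `%define loadpolicy() \` line is visible at the end of the `@@ -167,7 +167,7 @@` hunk). If the macro loads every `*.pp.bz2` in the directory by default the asymmetry is fine but undocumented; if it needs the names, a fresh install silently lacks the module that the minimum policy loads explicitly. A one-line comment on the upgrade call would settle this for the next reader: `# upgrade: unconfineduser.pp was split out of unconfined.pp, so reload both explicitly`. Also, `%loadminpolicy` in the -167 hunk names `unconfineduser.pp.bz2` while this call names `unconfineduser.pp`; presumably `%loadpolicy` appends the suffix itself, but that is worth confirming against the macro.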