From e0ae206813122be0785457a1e19424c63e5a56f6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 23 2007 20:34:22 +0000 Subject: - Add ntpd_key_t to handle secret data --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 3fecf74..f529417 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1260,7 +1260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.3/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if 2007-07-23 11:05:01.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/apps/gnome.if 2007-07-23 14:19:32.000000000 -0400 @@ -33,6 +33,51 @@ ## # @@ -1417,9 +1417,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -193,3 +284,23 @@ - allow $2 $1_gnome_home_t:dir manage_dir_perms; - allow $2 $1_gnome_home_t:file manage_file_perms; +@@ -190,6 +281,26 @@ + type $1_gnome_home_t; + ') + +- allow $2 $1_gnome_home_t:dir manage_dir_perms; +- allow $2 $1_gnome_home_t:file manage_file_perms; ++ manage_dirs_pattern($2, $1_gnome_home_t, $1_gnome_home_t) ++ manage_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t) ') + +######################################## 
@@ -1455,7 +1460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te corecmd_executable_file(gconfd_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.3/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-07-03 07:05:43.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/java.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/apps/java.if 2007-07-23 16:11:58.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -1475,7 +1480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; -@@ -168,6 +167,55 @@ +@@ -168,6 +167,53 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -1512,7 +1517,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if +template(`java_per_role_template',` + gen_require(` + type java_exec_t; -+ attribute $1_usertype; + ') + + type $1_java_t; @@ -1520,7 +1524,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + domain_entry_file($1_java_t,java_exec_t) + role $3 types $1_java_t; + -+ typeattribute $1_java_t $1_usertype; + allow $1_java_t self:process { execheap execmem }; + + domtrans_pattern($2, java_exec_t, $1_java_t) @@ -1531,7 +1534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -221,3 +269,66 @@ +@@ -221,3 +267,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') 
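Review bot: Removing `attribute $1_usertype` and `typeattribute $1_java_t $1_usertype` from java_per_role_template leaves `$1_java_t` without whatever the attribute used to carry, and nothing in the hunks `@@ -1512` and `@@ -1520` takes its place beyond `allow $1_java_t self:process { execheap execmem };` and the domtrans; unless the rest of the template (past `@@ -1531`, outside this view) grants library, localization and home access itself, the per-role java domain will not be usable. The mono.if hunks on the next line make the identical change to mono_per_role_template, so the same check applies there. The execheap/execmem rule is a deliberate weakening of the W^X protection for a per-role domain and deserves a one-line reason next to it, e.g. `# JIT needs writable and executable memory`. The template body begins and ends outside these hunks.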
@@ -1623,8 +1626,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.3/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/mono.if 2007-07-17 15:46:25.000000000 -0400 -@@ -18,3 +18,100 @@ ++++ serefpolicy-3.0.3/policy/modules/apps/mono.if 2007-07-23 16:14:31.000000000 -0400 +@@ -18,3 +18,98 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') @@ -1708,7 +1711,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if +template(`mono_per_role_template',` + gen_require(` + type mono_exec_t; -+ attribute $1_usertype; + ') + + type $1_mono_t; @@ -1716,7 +1718,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + domain_entry_file($1_mono_t,mono_exec_t) + role $3 types $1_mono_t; + -+ typeattribute $1_mono_t $1_usertype; + allow $1_mono_t self:process { execheap execmem }; + + domtrans_pattern($2, mono_exec_t, $1_mono_t) @@ -1738,7 +1739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-20 17:26:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-23 16:25:26.000000000 -0400 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; 
@@ -1833,7 +1834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -213,133 +244,6 @@ +@@ -213,131 +244,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -1962,12 +1963,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t) - userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t) - -- ') -- ++ optional_policy(` ++ alsa_read_rw_config($1_mozilla_t) + ') + optional_policy(` - apache_read_user_scripts($1,$1_mozilla_t) - apache_read_user_content($1,$1_mozilla_t) -@@ -352,21 +256,23 @@ +@@ -352,21 +260,28 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -1981,11 +1982,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - dbus_send_user_bus($1,$1_mozilla_t) +# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_send_user_bus($1,$1_mozilla_t) ++ ') ++ ++ optional_policy(` ++ gnome_exec_gconf($1_mozilla_t) ++ gnome_manage_user_gnome_config($1,$1_mozilla_t) ') optional_policy(` - gnome_stream_connect_gconf_template($1,$1_mozilla_t) + gnome_domtrans_user_gconf($1,$1_mozilla_t) + gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') optional_policy(` @@ -1994,7 +2000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -386,25 +292,6 @@ +@@ -386,25 +301,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -2020,7 +2026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -577,3 +464,27 @@ +@@ -577,3 +473,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
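Review bot: In hunk `@@ -1981,11 +1982,16 @@` the new optional_policy block grants `gnome_exec_gconf($1_mozilla_t)` while `gnome_domtrans_user_gconf($1,$1_mozilla_t)` stays a few lines below, so gconfd-2 can now run inside the browser domain as well as transition out of it; if the exec rule is there for a caller that deliberately bypasses the transition it needs a comment saying so, otherwise it only widens `$1_mozilla_t` for no gain. `gnome_manage_user_gnome_config($1,$1_mozilla_t)` hands the browser full write access to the user's gnome config content, which is a larger grant than the read/connect access the surrounding rules give and is not explained by the commit subject. A short comment such as `# firefox writes its own gconf/gnome settings` above the block would record the intent.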
@@ -3175,7 +3181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.3/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/apache.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/apache.te 2007-07-23 16:18:28.000000000 -0400 @@ -30,6 +30,13 @@ ## @@ -3499,7 +3505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_rotatelogs local policy # -@@ -728,3 +892,24 @@ +@@ -728,3 +892,26 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -3520,9 +3526,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + + -+tunable_policy(`allow_httpd_dbus_avahi',` -+ avahi_dbus_chat(httpd_t) ++optional_policy(` + dbus_system_bus_client_template(httpd,httpd_t) ++ tunable_policy(`allow_httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.3/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-05-30 11:47:29.000000000 -0400 
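Review bot: In hunk `@@ -3520,9 +3526,11 @@` `dbus_system_bus_client_template(httpd,httpd_t)` moves out of the `allow_httpd_dbus_avahi` tunable, so httpd_t becomes a system-bus client unconditionally whenever the dbus module is loaded, where before the boolean gated it; if that is intended, the boolean's description (its definition is in the `@@ -30,6 +30,13 @@` hunk, not visible here) should say it now only controls the avahi chat. Also, `avahi_dbus_chat(httpd_t)` sits inside the same optional block as the dbus rule, and an optional block is dropped as a whole when any of its requirements is missing, so on a system without the avahi module httpd silently loses the dbus access too. Wrapping the tunable_policy call in its own nested `optional_policy(` … `')` keeps the two grants independent.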
@@ -5610,10 +5618,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.3/policy/modules/services/ntp.fc +--- nsaserefpolicy/policy/modules/services/ntp.fc 2007-05-29 14:10:57.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/ntp.fc 2007-07-23 13:11:18.000000000 -0400 +@@ -17,3 +17,7 @@ + /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) + + /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++ ++/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) ++/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.3/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/ntp.te 2007-07-19 10:44:14.000000000 -0400 -@@ -36,6 +36,7 @@ ++++ serefpolicy-3.0.3/policy/modules/services/ntp.te 2007-07-23 13:36:54.000000000 -0400 +@@ -25,6 +25,9 @@ + type ntpdate_exec_t; + init_system_domain(ntpd_t,ntpdate_exec_t) + ++type ntpd_key_t; ++files_type(ntpd_key_t) ++ + ######################################## + # + # Local policy +@@ -36,6 +39,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; allow ntpd_t self:fifo_file { read write getattr }; 
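Review bot: `files_type(ntpd_key_t)` puts the new key type into the generic file_type attribute, so every domain that is granted files_read_all_files() or files_read_non_security_files() can read /etc/ntp/keys and /etc/ntp/crypto, which is the broad access a dedicated secret type is meant to remove. If this refpolicy version provides it, `files_security_file(ntpd_key_t)` keeps the type out of the non-security bucket so only domains that are explicitly allowed the type (ntpd_t in the next hunk) can read it; if not, at least a comment should record the intent, e.g. `# ntpd_key_t: symmetric keys and autokey material, readable by ntpd_t only`. The trailing empty `++` line at the end of the ntp.fc hunk adds a blank line to the end of the file and can be dropped.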
@@ -5621,7 +5650,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -82,6 +83,8 @@ +@@ -49,6 +53,8 @@ + manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) + logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) + ++read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t) ++ + # for some reason it creates a file in /tmp + manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) + manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) +@@ -82,6 +88,8 @@ fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) @@ -5630,7 +5668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. auth_use_nsswitch(ntpd_t) -@@ -107,6 +110,8 @@ +@@ -107,6 +115,8 @@ sysnet_read_config(ntpd_t) @@ -5639,7 +5677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) -@@ -126,9 +131,14 @@ +@@ -126,9 +136,14 @@ ') optional_policy(` @@ -8886,7 +8924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.3/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/logging.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/system/logging.te 2007-07-23 15:43:28.000000000 -0400 @@ -7,10 +7,15 @@ # 
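Review bot: `read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)` in hunk `@@ -49,6 +53,8 @@` covers files and directory search but not symlinks, and the autokey material that ntp-keygen installs under /etc/ntp/crypto is, as far as I know, reached through symlinks (ntpkey_host_NAME pointing at a timestamped file), so ntpd would hit a denial on the lnk_file read and fall back to a degraded configuration. Adding `read_lnk_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)` next to it closes that gap; since the .fc entry labels the whole directory tree, the pattern's search grant on the directory type is already sufficient for the directory itself.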
@@ -8989,7 +9027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -+allow syslogd_t syslog_conf_t:file read; ++allow syslogd_t syslog_conf_t:file r_file_perms; + # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; 
@@ -10369,178 +10407,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-23 11:53:11.000000000 -0400 -@@ -29,90 +29,99 @@ - ') ++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-23 16:30:24.000000000 -0400 +@@ -62,6 +62,10 @@ - attribute $1_file_type; -+ attribute $1_usertype; - -- type $1_t, userdomain; -+ type $1_t, userdomain, $1_usertype; - domain_type($1_t) -- corecmd_shell_entry_type($1_t) -- corecmd_bin_entry_type($1_t) -+ corecmd_shell_entry_type($1_usertype) -+ corecmd_bin_entry_type($1_usertype) - domain_user_exemption_target($1_t) - role $1_r types $1_t; - allow system_r $1_r; - - type $1_devpts_t; -- term_user_pty($1_t,$1_devpts_t) -+ term_user_pty($1_usertype,$1_devpts_t) - files_type($1_devpts_t) - - type $1_tty_device_t; -- term_user_tty($1_t,$1_tty_device_t) -+ term_user_tty($1_usertype,$1_tty_device_t) - -- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession }; -- allow $1_t self:fd use; -- allow $1_t self:fifo_file rw_fifo_file_perms; -- allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; -- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; -- allow $1_t self:shm create_shm_perms; -- allow $1_t self:sem create_sem_perms; -- allow $1_t self:msgq create_msgq_perms; -- allow $1_t self:msg { send receive }; -- allow $1_t self:context contains; -- dontaudit $1_t self:socket create; -- -- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -- term_create_pty($1_t,$1_devpts_t) -- -- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; -- 
-- kernel_read_kernel_sysctls($1_t) -- kernel_dontaudit_list_unlabeled($1_t) -- kernel_dontaudit_getattr_unlabeled_files($1_t) -- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) -- kernel_dontaudit_getattr_unlabeled_pipes($1_t) -- kernel_dontaudit_getattr_unlabeled_sockets($1_t) -- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) -- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) -+ allow $1_usertype self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession }; -+ allow $1_usertype self:fd use; -+ allow $1_usertype self:fifo_file rw_fifo_file_perms; -+ allow $1_usertype self:unix_dgram_socket { create_socket_perms sendto }; -+ allow $1_usertype self:unix_stream_socket { create_stream_socket_perms connectto }; -+ allow $1_usertype self:shm create_shm_perms; -+ allow $1_usertype self:sem create_sem_perms; -+ allow $1_usertype self:msgq create_msgq_perms; -+ allow $1_usertype self:msg { send receive }; -+ allow $1_usertype self:context contains; -+ dontaudit $1_usertype self:socket create; -+ -+ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; -+ term_create_pty($1_usertype,$1_devpts_t) -+ -+ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; -+ -+ application_exec_all($1_usertype) -+ -+ auth_use_nsswitch($1_usertype) -+ -+ kernel_read_kernel_sysctls($1_usertype) -+ kernel_dontaudit_list_unlabeled($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_files($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) -+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. 
-- domain_dontaudit_read_all_domains_state($1_t) -- domain_dontaudit_getattr_all_domains($1_t) -- domain_dontaudit_getsession_all_domains($1_t) -- -- files_read_etc_files($1_t) -- files_read_etc_runtime_files($1_t) -- files_read_usr_files($1_t) -+ domain_dontaudit_read_all_domains_state($1_usertype) -+ domain_dontaudit_getattr_all_domains($1_usertype) -+ domain_dontaudit_getsession_all_domains($1_usertype) -+ -+ files_read_etc_files($1_usertype) -+ files_read_etc_runtime_files($1_usertype) -+ files_read_usr_files($1_usertype) - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. -- files_list_world_readable($1_t) -- files_read_world_readable_files($1_t) -- files_read_world_readable_symlinks($1_t) -- files_read_world_readable_pipes($1_t) -- files_read_world_readable_sockets($1_t) -+ files_list_world_readable($1_usertype) -+ files_read_world_readable_files($1_usertype) -+ files_read_world_readable_symlinks($1_usertype) -+ files_read_world_readable_pipes($1_usertype) -+ files_read_world_readable_sockets($1_usertype) - # old broswer_domain(): -- files_dontaudit_list_non_security($1_t) -- files_dontaudit_getattr_non_security_files($1_t) -- files_dontaudit_getattr_non_security_symlinks($1_t) -- files_dontaudit_getattr_non_security_pipes($1_t) -- files_dontaudit_getattr_non_security_sockets($1_t) -- files_dontaudit_getattr_non_security_blk_files($1_t) -- files_dontaudit_getattr_non_security_chr_files($1_t) -- -- libs_use_ld_so($1_t) -- libs_use_shared_libs($1_t) -- libs_exec_ld_so($1_t) -+ files_dontaudit_list_non_security($1_usertype) -+ files_dontaudit_getattr_non_security_files($1_usertype) -+ files_dontaudit_getattr_non_security_symlinks($1_usertype) -+ files_dontaudit_getattr_non_security_pipes($1_usertype) -+ files_dontaudit_getattr_non_security_sockets($1_usertype) -+ files_dontaudit_getattr_non_security_blk_files($1_usertype) -+ files_dontaudit_getattr_non_security_chr_files($1_usertype) -+ -+ 
libs_use_ld_so($1_usertype) -+ libs_use_shared_libs($1_usertype) -+ libs_exec_ld_so($1_usertype) - -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) -+ miscfiles_read_localization($1_usertype) -+ miscfiles_read_certs($1_usertype) - -- sysnet_read_config($1_t) -+ sysnet_read_config($1_usertype) - - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. -- allow $1_t self:process execmem; -+ allow $1_usertype self:process execmem; - ') + allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; - tunable_policy(`allow_execmem && allow_execstack',` ++ application_exec_all($1_t) ++ ++ auth_use_nsswitch($1_t) ++ + kernel_read_kernel_sysctls($1_t) + kernel_dontaudit_list_unlabeled($1_t) + kernel_dontaudit_getattr_unlabeled_files($1_t) +@@ -114,6 +118,10 @@ # Allow making the stack executable via mprotect. -- allow $1_t self:process execstack; -+ allow $1_usertype self:process execstack; -+ ') + allow $1_t self:process execstack; + ') + + optional_policy(` -+ ssh_rw_stream_sockets($1_usertype) - ') ++ ssh_rw_stream_sockets($1_t) ++ ') ') -@@ -174,43 +183,35 @@ - # + ####################################### +@@ -183,14 +191,6 @@ + read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) + files_list_home($1_t) - # read-only home directory -- allow $1_t $1_home_dir_t:dir list_dir_perms; -- allow $1_t $1_home_t:dir list_dir_perms; -- allow $1_t $1_home_t:file entrypoint; -- read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) -- files_list_home($1_t) -- - # privileged home directory writers - manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) 
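Review bot: `application_exec_all($1_t)` and `auth_use_nsswitch($1_t)` are added to the base user template in the new hunk `@@ -62,6 +62,10 @@` with no comment; every user domain, including any restricted ones built from the same template, can then execute every application_exec_type file regardless of what the per-role templates choose to allow. If that is intended, a comment such as `# every user domain may run any application executable; restrict via the per-role templates` would keep the next reader from treating it as an accident, and the same goes for the uncommented `ssh_rw_stream_sockets($1_t)` block in `@@ -114,6 +118,10 @@`. The new header `@@ -183,14 +191,6 @@` drops eight lines after `files_list_home($1_t)`; from the surrounding lines these appear to be the privhome home-directory writer rules, which is a behaviour change the commit subject (ntpd_key_t) does not mention and should be called out. The enclosing templates start and end outside this hunk.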
@@ -10548,263 +10441,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) - filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -+ allow $1_usertype $1_home_dir_t:dir list_dir_perms; -+ allow $1_usertype $1_home_t:dir list_dir_perms; -+ allow $1_usertype $1_home_t:file entrypoint; -+ read_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t) -+ read_lnk_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t) -+ read_fifo_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t) -+ read_sock_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t) -+ files_list_home($1_usertype) - - tunable_policy(`use_nfs_home_dirs',` -- fs_list_nfs_dirs($1_t) -- fs_read_nfs_files($1_t) -- fs_read_nfs_symlinks($1_t) -- fs_read_nfs_named_sockets($1_t) -- fs_read_nfs_named_pipes($1_t) -+ fs_list_nfs_dirs($1_usertype) -+ fs_read_nfs_files($1_usertype) -+ fs_read_nfs_symlinks($1_usertype) -+ fs_read_nfs_named_sockets($1_usertype) -+ fs_read_nfs_named_pipes($1_usertype) - ',` -- fs_dontaudit_read_nfs_dirs($1_t) -- fs_dontaudit_read_nfs_files($1_t) -+ fs_dontaudit_read_nfs_dirs($1_usertype) -+ fs_dontaudit_read_nfs_files($1_usertype) - ') - - tunable_policy(`use_samba_home_dirs',` -- fs_list_cifs_dirs($1_t) -- fs_read_cifs_files($1_t) -- fs_read_cifs_symlinks($1_t) -- fs_read_cifs_named_sockets($1_t) -- fs_read_cifs_named_pipes($1_t) -+ fs_list_cifs_dirs($1_usertype) -+ fs_read_cifs_files($1_usertype) -+ fs_read_cifs_symlinks($1_usertype) -+ fs_read_cifs_named_sockets($1_usertype) -+ fs_read_cifs_named_pipes($1_usertype) - ',` -- fs_dontaudit_list_cifs_dirs($1_t) -- fs_dontaudit_read_cifs_files($1_t) -+ fs_dontaudit_list_cifs_dirs($1_usertype) -+ fs_dontaudit_read_cifs_files($1_usertype) - ') - ') - -@@ -269,43 +270,43 @@ - # - - 
# full control of the home directory -- allow $1_t $1_home_t:file entrypoint; -- manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) -- filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -- files_list_home($1_t) -+ allow $1_usertype $1_home_t:file entrypoint; -+ manage_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ manage_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ manage_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ manage_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ manage_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ relabel_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ relabel_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ relabel_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ relabel_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ relabel_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) -+ filetrans_pattern($1_usertype,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -+ files_list_home($1_usertype) - - # cjp: this should probably be removed: -- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; -+ allow 
$1_usertype $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; - +- tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs($1_t) -- fs_manage_nfs_files($1_t) -- fs_manage_nfs_symlinks($1_t) -- fs_manage_nfs_named_sockets($1_t) -- fs_manage_nfs_named_pipes($1_t) -+ fs_manage_nfs_dirs($1_usertype) -+ fs_manage_nfs_files($1_usertype) -+ fs_manage_nfs_symlinks($1_usertype) -+ fs_manage_nfs_named_sockets($1_usertype) -+ fs_manage_nfs_named_pipes($1_usertype) - ',` -- fs_dontaudit_manage_nfs_dirs($1_t) -- fs_dontaudit_manage_nfs_files($1_t) -+ fs_dontaudit_manage_nfs_dirs($1_usertype) -+ fs_dontaudit_manage_nfs_files($1_usertype) - ') - - tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs($1_t) -- fs_manage_cifs_files($1_t) -- fs_manage_cifs_symlinks($1_t) -- fs_manage_cifs_named_sockets($1_t) -- fs_manage_cifs_named_pipes($1_t) -+ fs_manage_cifs_dirs($1_usertype) -+ fs_manage_cifs_files($1_usertype) -+ fs_manage_cifs_symlinks($1_usertype) -+ fs_manage_cifs_named_sockets($1_usertype) -+ fs_manage_cifs_named_pipes($1_usertype) - ',` -- fs_dontaudit_manage_cifs_dirs($1_t) -- fs_dontaudit_manage_cifs_files($1_t) -+ fs_dontaudit_manage_cifs_dirs($1_usertype) -+ fs_dontaudit_manage_cifs_files($1_usertype) - ') - ') - -@@ -323,14 +324,14 @@ + fs_list_nfs_dirs($1_t) + fs_read_nfs_files($1_t) +@@ -517,10 +517,6 @@ ## # - template(`userdom_exec_home_template',` -- can_exec($1_t,$1_home_t) -+ can_exec($1_usertype,$1_home_t) - - tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1_t) -+ fs_exec_nfs_files($1_usertype) - ') - - tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1_t) -+ fs_exec_cifs_files($1_usertype) - ') - ') - -@@ -348,7 +349,7 @@ - ## - # - template(`userdom_poly_home_template',` -- type_member $1_t $1_home_dir_t:dir $1_home_dir_t; -+ type_member $1_usertype $1_home_dir_t:dir $1_home_dir_t; - files_poly($1_home_dir_t) - files_poly_parent($1_home_dir_t) - files_poly_parent($1_home_t) -@@ -382,12 +383,12 @@ - type $1_tmp_t, 
$1_file_type; - files_tmp_file($1_tmp_t) - -- manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -- files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($1_usertype,$1_tmp_t,$1_tmp_t) -+ manage_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) -+ manage_lnk_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) -+ manage_sock_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) -+ manage_fifo_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) -+ files_tmp_filetrans($1_usertype, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) - ') - - ####################################### -@@ -403,7 +404,7 @@ - ## - # - template(`userdom_exec_tmp_template',` -- exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) -+ exec_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) - ') - - ####################################### -@@ -419,7 +420,7 @@ - ## - # - template(`userdom_poly_tmp_template',` -- files_poly_member_tmp($1_t,tmp_t) -+ files_poly_member_tmp($1_usertype,tmp_t) - ') - - ####################################### -@@ -452,12 +453,12 @@ - type $1_tmpfs_t, $1_file_type; - files_tmpfs_file($1_tmpfs_t) - -- manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) -- fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_lnk_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_sock_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ manage_fifo_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t) -+ 
fs_tmpfs_filetrans($1_usertype,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - ') - - ####################################### -@@ -518,10 +519,10 @@ - # template(`userdom_exec_generic_pgms_template',` - gen_require(` +- gen_require(` - type $1_t; -+ attribute $1_usertype; - ') - -- corecmd_exec_bin($1_t) -+ corecmd_exec_bin($1_usertype) +- ') +- + corecmd_exec_bin($1_t) ') - ####################################### -@@ -539,22 +540,28 @@ +@@ -538,9 +534,6 @@ + ## # template(`userdom_basic_networking_template',` - gen_require(` +- gen_require(` - type $1_t; -+ attribute $1_usertype; - ') +- ') -- allow $1_t self:tcp_socket create_stream_socket_perms; -- allow $1_t self:udp_socket create_socket_perms; -+ allow $1_usertype self:tcp_socket create_stream_socket_perms; -+ allow $1_usertype self:udp_socket create_socket_perms; -+ -+ corenet_all_recvfrom_unlabeled($1_usertype) -+ corenet_all_recvfrom_netlabel($1_usertype) -+ corenet_tcp_sendrecv_all_if($1_usertype) -+ corenet_udp_sendrecv_all_if($1_usertype) -+ corenet_tcp_sendrecv_all_nodes($1_usertype) -+ corenet_udp_sendrecv_all_nodes($1_usertype) -+ corenet_tcp_sendrecv_all_ports($1_usertype) -+ corenet_udp_sendrecv_all_ports($1_usertype) -+ corenet_tcp_connect_all_ports($1_usertype) -+ corenet_sendrecv_all_client_packets($1_usertype) - -- corenet_all_recvfrom_unlabeled($1_t) -- corenet_all_recvfrom_netlabel($1_t) -- corenet_tcp_sendrecv_all_if($1_t) -- corenet_udp_sendrecv_all_if($1_t) -- corenet_tcp_sendrecv_all_nodes($1_t) -- corenet_udp_sendrecv_all_nodes($1_t) -- corenet_tcp_sendrecv_all_ports($1_t) -- corenet_udp_sendrecv_all_ports($1_t) -- corenet_tcp_connect_all_ports($1_t) -- corenet_sendrecv_all_client_packets($1_t) + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; +@@ -555,6 +548,12 @@ + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_connect_all_ports($1_t) + corenet_sendrecv_all_client_packets($1_t) ++ + ifdef(`enable_mls',` + # 
netlabel/CIPSO labeled networking -+ corenet_tcp_recv_netlabel($1_usertype) -+ corenet_udp_recv_netlabel($1_usertype) ++ corenet_tcp_recv_netlabel($1_t) ++ corenet_udp_recv_netlabel($1_t) + ') ') ####################################### -@@ -571,32 +578,29 @@ +@@ -571,32 +570,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -10835,30 +10510,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) - ') -+ dev_rw_xserver_misc($1_usertype) -+ dev_rw_power_management($1_usertype) -+ dev_read_input($1_usertype) -+ dev_read_misc($1_usertype) -+ dev_write_misc($1_usertype) ++ dev_rw_xserver_misc($1_t) ++ dev_rw_power_management($1_t) ++ dev_read_input($1_t) ++ dev_read_misc($1_t) ++ dev_write_misc($1_t) + # open office is looking for the following -+ dev_getattr_agp_dev($1_usertype) -+ dev_dontaudit_rw_dri($1_usertype) ++ dev_getattr_agp_dev($1_t) ++ dev_dontaudit_rw_dri($1_t) + # GNOME checks for usb and other devices: -+ dev_rw_usbfs($1_usertype) -+ xserver_user_client_template($1,$1_usertype,$1_tmpfs_t) -+ xserver_xsession_entry_type($1_usertype) -+ xserver_dontaudit_write_log($1_usertype) -+ xserver_stream_connect_xdm($1_usertype) ++ dev_rw_usbfs($1_t) ++ xserver_user_client_template($1,$1_t,$1_tmpfs_t) ++ xserver_xsession_entry_type($1_t) ++ xserver_dontaudit_write_log($1_t) ++ xserver_stream_connect_xdm($1_t) + # certain apps want to read xdm.pid file -+ xserver_read_xdm_pid($1_usertype) ++ xserver_read_xdm_pid($1_t) + # gnome-session creates socket under /tmp/.ICE-unix/ -+ xserver_create_xdm_tmp_sockets($1_usertype) ++ xserver_create_xdm_tmp_sockets($1_t) + # Needed for escd, remove if we get escd policy -+ xserver_manage_xdm_tmp_files($1_usertype) ++ xserver_manage_xdm_tmp_files($1_t) ') ####################################### -@@ -672,281 +676,335 @@ +@@ -672,67 +668,39 @@ attribute unpriv_userdomain; ') 
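Review bot: Dropping the `gen_require` block declaring `type $1_t;` from userdom_exec_generic_pgms_template and userdom_basic_networking_template (new hunks `@@ -517,10 +517,6 @@` and `@@ -538,9 +534,6 @@`) means the templates no longer declare the type they reference; they still build when called from userdomain.te where `$1_t` is defined, but I believe a module that calls them for its own user type will then fail with an undeclared type, which is what the require block existed to prevent. Keeping the three lines `gen_require(` / `type $1_t;` / `')` costs nothing and preserves that reuse. The new `ifdef(enable_mls)` block with `corenet_tcp_recv_netlabel($1_t)` in `@@ -555,6 +548,12 @@` is fine but would read better with the comment explaining that it is only built for MLS policies.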
@@ -10898,95 +10573,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $1_t self:context contains; - # evolution and gnome-session try to create a netlink socket -- dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; -+ dontaudit $1_usertype self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; -+ dontaudit $1_usertype self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; -- allow $1_t unpriv_userdomain:fd use; -+ allow $1_usertype unpriv_userdomain:fd use; + allow $1_t unpriv_userdomain:fd use; - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) # Very permissive allowing every domain to see every type: -- kernel_get_sysvipc_info($1_t) + kernel_get_sysvipc_info($1_t) - # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corenet_udp_bind_all_nodes($1_t) -- corenet_udp_bind_generic_port($1_t) -+ kernel_get_sysvipc_info($1_usertype) + + corenet_udp_bind_all_nodes($1_t) + corenet_udp_bind_generic_port($1_t) - dev_read_sysfs($1_t) -- dev_read_rand($1_t) + dev_read_rand($1_t) - dev_read_urand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -+ corenet_udp_bind_all_nodes($1_usertype) -+ corenet_udp_bind_generic_port($1_usertype) + dev_write_sound($1_t) + dev_read_sound($1_t) 
+ dev_read_sound_mixer($1_t) + dev_write_sound_mixer($1_t) - domain_use_interactive_fds($1_t) - # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) -+ dev_read_rand($1_usertype) -+ dev_write_sound($1_usertype) -+ dev_read_sound($1_usertype) -+ dev_read_sound_mixer($1_usertype) -+ dev_write_sound_mixer($1_usertype) - -- files_exec_etc_files($1_t) -- files_search_locks($1_t) -+ files_exec_etc_files($1_usertype) -+ files_search_locks($1_usertype) +- + files_exec_etc_files($1_t) + files_search_locks($1_t) # Check to see if cdrom is mounted -- files_search_mnt($1_t) -+ files_search_mnt($1_usertype) - # cjp: perhaps should cut back on file reads: -- files_read_var_files($1_t) -- files_read_var_symlinks($1_t) -- files_read_generic_spool($1_t) -- files_read_var_lib_files($1_t) -+ files_read_var_files($1_usertype) -+ files_read_var_symlinks($1_usertype) -+ files_read_generic_spool($1_usertype) -+ files_read_var_lib_files($1_usertype) +@@ -745,12 +713,6 @@ # Stat lost+found. 
-- files_getattr_lost_found_dirs($1_t) -- + files_getattr_lost_found_dirs($1_t) + - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) - fs_search_auto_mountpoints($1_t) - fs_list_inotifyfs($1_t) -+ files_getattr_lost_found_dirs($1_usertype) - - # cjp: some of this probably can be removed -- selinux_get_fs_mount($1_t) -- selinux_validate_context($1_t) -- selinux_compute_access_vector($1_t) -- selinux_compute_create_context($1_t) -- selinux_compute_relabel_context($1_t) -- selinux_compute_user_contexts($1_t) -+ selinux_get_fs_mount($1_usertype) -+ selinux_validate_context($1_usertype) -+ selinux_compute_access_vector($1_usertype) -+ selinux_compute_create_context($1_usertype) -+ selinux_compute_relabel_context($1_usertype) -+ selinux_compute_user_contexts($1_usertype) - - # for eject -- storage_getattr_fixed_disk_dev($1_t) - -- auth_read_login_records($1_t) + # cjp: some of this probably can be removed + selinux_get_fs_mount($1_t) + selinux_validate_context($1_t) +@@ -763,31 +725,16 @@ + storage_getattr_fixed_disk_dev($1_t) + + auth_read_login_records($1_t) - auth_dontaudit_write_login_records($1_t) -- auth_search_pam_console_data($1_t) -- auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -- auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -- -- init_read_utmp($1_t) + auth_search_pam_console_data($1_t) + auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ auth_run_upd_passwd($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ auth_read_key($1_t) + + init_read_utmp($1_t) - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. - init_dontaudit_write_utmp($1_t) 
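Review bot: `auth_run_upd_passwd($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })` and `auth_read_key($1_t)` are the only rules this hunk adds to `userdom_common_user_template` rather than relocating, and they carry no comment saying why every domain built on the common template needs them now that the login-specific rules (`auth_dontaudit_write_login_records`, `kernel_read_system_state`, `dev_read_urand`, the `fs_*` and `init_dontaudit_*` calls) are being moved out into `userdom_login_user_template`. If `auth_read_key` grants access to key material, I would expect it beside those login-only rules or behind a tunable; its definition is not visible here, so this is a question rather than a finding. At minimum a one-line comment above the pair, e.g. `# TODO(review): state why non-login common user domains need updpwd and key read access`, would record the intent for the next maintainer. The enclosing template starts and ends outside this hunk.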
@@ -10995,80 +10637,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - init_dontaudit_use_script_fds($1_t) - - libs_exec_lib_files($1_t) -+ storage_getattr_fixed_disk_dev($1_usertype) - +- - logging_dontaudit_getattr_all_logs($1_t) - - miscfiles_read_man_pages($1_t) - # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) -- -- seutil_read_file_contexts($1_t) -- seutil_read_default_contexts($1_t) + + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) - seutil_read_config($1_t) -- seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -- seutil_exec_checkpolicy($1_t) -- seutil_exec_setfiles($1_t) -+ auth_read_login_records($1_usertype) -+ auth_search_pam_console_data($1_usertype) -+ auth_run_pam($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ auth_run_utempter($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ auth_run_upd_passwd($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ auth_read_key($1_usertype) -+ -+ init_read_utmp($1_usertype) -+ -+ seutil_read_file_contexts($1_usertype) -+ seutil_read_default_contexts($1_usertype) -+ seutil_run_newrole($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t }) -+ seutil_exec_checkpolicy($1_usertype) -+ seutil_exec_setfiles($1_usertype) - # for when the network connection is killed - # this is needed when a login role can change - # to this one. 
-- seutil_dontaudit_signal_newrole($1_t) -+ seutil_dontaudit_signal_newrole($1_usertype) - - tunable_policy(`read_default_t',` -- files_list_default($1_t) -- files_read_default_files($1_t) -- files_read_default_symlinks($1_t) -- files_read_default_sockets($1_t) -- files_read_default_pipes($1_t) + seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + seutil_exec_checkpolicy($1_t) + seutil_exec_setfiles($1_t) +@@ -802,19 +749,12 @@ + files_read_default_symlinks($1_t) + files_read_default_sockets($1_t) + files_read_default_pipes($1_t) - ',` - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) -+ files_list_default($1_usertype) -+ files_read_default_files($1_usertype) -+ files_read_default_symlinks($1_usertype) -+ files_read_default_sockets($1_usertype) -+ files_read_default_pipes($1_usertype) ') tunable_policy(`user_direct_mouse',` -- dev_read_mouse($1_t) -- ') -- -- tunable_policy(`user_ttyfile_stat',` -- term_getattr_all_user_ttys($1_t) -+ dev_read_mouse($1_usertype) - ') - - optional_policy(` -- alsa_read_rw_config($1_t) -+ alsa_read_rw_config($1_usertype) + dev_read_mouse($1_t) ') +- tunable_policy(`user_ttyfile_stat',` +- term_getattr_all_user_ttys($1_t) +- ') +- optional_policy(` - # Allow graphical boot to check battery lifespan -- apm_stream_connect($1_t) -+ apm_stream_connect($1_usertype) + alsa_read_rw_config($1_t) ') - - optional_policy(` -- canna_stream_connect($1_t) -+ canna_stream_connect($1_usertype) +@@ -829,34 +769,14 @@ ') optional_policy(` 
@@ -11077,23 +10680,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - ') - - optional_policy(` -- allow $1_t self:dbus send_msg; -- dbus_system_bus_client_template($1,$1_t) -+ allow $1_usertype self:dbus send_msg; -+ dbus_system_bus_client_template($1,$1_usertype) + allow $1_t self:dbus send_msg; + dbus_system_bus_client_template($1,$1_t) optional_policy(` - bluetooth_dbus_chat($1_t) -+ evolution_dbus_chat($1,$1_usertype) -+ evolution_alarm_dbus_chat($1,$1_usertype) - ') - -- optional_policy(` -- evolution_dbus_chat($1,$1_t) -- evolution_alarm_dbus_chat($1,$1_t) - ') - - optional_policy(` + evolution_dbus_chat($1,$1_t) + evolution_alarm_dbus_chat($1,$1_t) + ') + +- optional_policy(` - cups_dbus_chat_config($1_t) - ') - @@ -11107,45 +10706,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) - ') - - optional_policy(` -- inn_read_config($1_t) -- inn_read_news_lib($1_t) -- inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) - ') - - optional_policy(` -- locate_read_lib_files($1_t) -+ locate_read_lib_files($1_usertype) +@@ -884,17 +804,19 @@ ') - # for running depmod as part of the kernel packaging process optional_policy(` -- modutils_read_module_config($1_t) -+ modutils_read_module_config($1_usertype) - ') - - optional_policy(` -- mta_rw_spool($1_t) +- nis_use_ypbind($1_t) - ') - - optional_policy(` -- nis_use_ypbind($1_t) -+ mta_rw_spool($1_usertype) - ') - - optional_policy(` tunable_policy(`allow_user_mysql_connect',` -- mysql_stream_connect($1_t) -+ mysql_stream_connect($1_usertype) + mysql_stream_connect($1_t) ') ') 
@@ -11153,53 +10723,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - nscd_socket_use($1_t) + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` -+ postgresql_stream_connect($1_usertype) ++ postgresql_stream_connect($1_t) + ') + ') + + tunable_policy(`user_ttyfile_stat',` -+ term_getattr_all_user_ttys($1_usertype) ++ term_getattr_all_user_ttys($1_t) ') optional_policy(` - # to allow monitoring of pcmcia status -- pcmcia_read_pid($1_t) -+ pcmcia_read_pid($1_usertype) - ') - - optional_policy(` -- pcscd_read_pub_files($1_t) -- pcscd_stream_connect($1_t) -+ pcscd_read_pub_files($1_usertype) -+ pcscd_stream_connect($1_usertype) +@@ -908,39 +830,210 @@ ') optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - ') -+ resmgr_stream_connect($1_usertype) ++ resmgr_stream_connect($1_t) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) ++ rpc_dontaudit_getattr_exports($1_t) ++ rpc_manage_nfs_rw_content($1_t) ') optional_policy(` - resmgr_stream_connect($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ samba_stream_connect_winbind($1_t) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` -+ usernetctl_run($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t }) ++ slrnpull_search_spool($1_t) + ') + + optional_policy(` +- rpm_read_db($1_t) +- rpm_dontaudit_manage_db($1_t) ++ usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + ') +') + 
@@ -11224,8 +10787,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +template(`userdom_privhome_user_template',` + gen_require(` + type $1_home_dir_t, $1_home_t; - ') - ++ ') ++ + # privileged home directory writers + manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) + manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) 
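Review bot: `userdom_privhome_user_template` uses the `privhome` attribute in both `manage_dirs_pattern(privhome, ...)` and `manage_files_pattern(privhome, ...)` but its `gen_require` only declares `type $1_home_dir_t, $1_home_t;`; as far as the page shows, the attribute is supplied only by the caller's `gen_require` in `userdom_unpriv_login_user`, so a module invoking this template directly would have nothing requiring `privhome`. Adding `attribute privhome;` inside the template's own `gen_require(` block makes it self-contained. This hunk only repairs the `')` context markers; the rest of the template body continues outside it.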
@@ -11267,140 +10830,90 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + role $1_r types $1_t; + allow system_r $1_r; + -+ allow $1_usertype self:capability { setgid chown fowner }; -+ dontaudit $1_usertype self:capability { sys_nice fsetid }; ++ allow $1_t self:capability { setgid chown fowner }; ++ dontaudit $1_t self:capability { sys_nice fsetid }; + -+ allow $1_usertype self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; -+ dontaudit $1_usertype self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; ++ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; ++ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + -+ allow $1_usertype self:context contains; ++ allow $1_t self:context contains; + + ############################## + # + # User domain Local policy + # + -+ auth_dontaudit_write_login_records($1_usertype) ++ auth_dontaudit_write_login_records($1_t) + + # Find CDROM devices: -+ kernel_read_device_sysctls($1_usertype) -+ kernel_read_network_state($1_usertype) -+ kernel_read_net_sysctls($1_usertype) -+ kernel_read_system_state($1_usertype) ++ kernel_read_device_sysctls($1_t) ++ kernel_read_network_state($1_t) ++ kernel_read_net_sysctls($1_t) ++ kernel_read_system_state($1_t) + -+ dev_read_sysfs($1_usertype) -+ dev_read_urand($1_usertype) ++ dev_read_sysfs($1_t) ++ dev_read_urand($1_t) + + domain_use_interactive_fds($1_t) + # Command completion can fire hundreds of denials -+ domain_dontaudit_exec_all_entry_files($1_usertype) ++ domain_dontaudit_exec_all_entry_files($1_t) + + # Stat lost+found. 
-+ files_getattr_lost_found_dirs($1_usertype) ++ files_getattr_lost_found_dirs($1_t) + -+ fs_get_all_fs_quotas($1_usertype) -+ fs_getattr_all_fs($1_usertype) -+ fs_getattr_all_dirs($1_usertype) -+ fs_search_auto_mountpoints($1_usertype) -+ fs_list_inotifyfs($1_usertype) ++ fs_get_all_fs_quotas($1_t) ++ fs_getattr_all_fs($1_t) ++ fs_getattr_all_dirs($1_t) ++ fs_search_auto_mountpoints($1_t) ++ fs_list_inotifyfs($1_t) + + # Stop warnings about access to /dev/console -+ init_dontaudit_rw_utmp($1_usertype) -+ init_dontaudit_use_fds($1_usertype) -+ init_dontaudit_use_script_fds($1_usertype) ++ init_dontaudit_rw_utmp($1_t) ++ init_dontaudit_use_fds($1_t) ++ init_dontaudit_use_script_fds($1_t) + -+ libs_exec_lib_files($1_usertype) ++ libs_exec_lib_files($1_t) + -+ logging_dontaudit_getattr_all_logs($1_usertype) ++ logging_dontaudit_getattr_all_logs($1_t) + -+ miscfiles_read_man_pages($1_usertype) ++ miscfiles_read_man_pages($1_t) + # for running TeX programs -+ miscfiles_read_tetex_data($1_usertype) -+ miscfiles_exec_tetex_data($1_usertype) ++ miscfiles_read_tetex_data($1_t) ++ miscfiles_exec_tetex_data($1_t) + -+ seutil_read_config($1_usertype) ++ seutil_read_config($1_t) + -+ files_dontaudit_list_default($1_usertype) -+ files_dontaudit_read_default_files($1_usertype) ++ files_dontaudit_list_default($1_t) ++ files_dontaudit_read_default_files($1_t) + + userdom_poly_home_template($1) + userdom_poly_tmp_template($1) + - optional_policy(` -- rpm_read_db($1_t) -- rpm_dontaudit_manage_db($1_t) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) ++ optional_policy(` ++ cups_stream_connect($1_t) ++ cups_stream_connect_ptal($1_t) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ kerberos_use($1_usertype) ++ kerberos_use($1_t) ') optional_policy(` - slrnpull_search_spool($1_t) -+ quota_dontaudit_getattr_db($1_usertype) - ') - - optional_policy(` -- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -+ rpm_read_db($1_usertype) -+ 
rpm_dontaudit_manage_db($1_usertype) - ') - ') - -+ - ####################################### - ## --## The template for creating a unprivileged user. -+## The template for creating a unprivileged login user. - ## - ## - ##

-@@ -962,21 +1020,16 @@ - ## - ## - # --template(`userdom_unpriv_user_template', ` -- -+template(`userdom_unpriv_login_user', ` - gen_require(` -+ attribute unpriv_userdomain; - attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; - ') -- -- ############################## -- # -- # Declarations -- # -- -- # Inherit rules for ordinary users. -- userdom_common_user_template($1) -+ userdom_login_user_template($1) -+ userdom_privhome_user_template($1) - - typeattribute $1_t unpriv_userdomain; -+ - domain_interactive_fd($1_t) - - typeattribute $1_devpts_t user_ptynode; -@@ -985,36 +1038,68 @@ - typeattribute $1_tmp_t user_tmpfile; - typeattribute $1_tty_device_t user_ttynode; - -- userdom_poly_home_template($1) -- userdom_poly_tmp_template($1) -+ auth_exec_pam($1_t) ++ quota_dontaudit_getattr_db($1_t) ++ ') + + optional_policy(` -+ loadkeys_run($1_t,$1_r,$1_tty_device_t) -+ ') ++ rpm_read_db($1_t) ++ rpm_dontaudit_manage_db($1_t) + ') +') + ++ +####################################### +##

-+## The template for creating a unprivileged user. ++## The template for creating a unprivileged login user. +## +## +##

@@ -11416,78 +10929,85 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+template(`userdom_unpriv_user_template', ` ++template(`userdom_unpriv_login_user', ` ++ gen_require(` ++ attribute unpriv_userdomain; ++ attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; ++ ') ++ userdom_login_user_template($1) ++ userdom_privhome_user_template($1) ++ ++ typeattribute $1_t unpriv_userdomain; ++ ++ domain_interactive_fd($1_t) + ++ typeattribute $1_devpts_t user_ptynode; ++ typeattribute $1_home_dir_t user_home_dir_type; ++ typeattribute $1_home_t user_home_type; ++ typeattribute $1_tmp_t user_tmpfile; ++ typeattribute $1_tty_device_t user_ttynode; ++ ++ auth_exec_pam($1_t) + + optional_policy(` +- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ++ loadkeys_run($1_t,$1_r,$1_tty_device_t) + ') + ') + +@@ -964,9 +1057,7 @@ + # + template(`userdom_unpriv_user_template', ` + +- gen_require(` +- attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; +- ') + userdom_unpriv_login_user($1) ############################## # -- # Local policy -+ # Declarations +@@ -976,25 +1067,11 @@ + # Inherit rules for ordinary users. + userdom_common_user_template($1) + +- typeattribute $1_t unpriv_userdomain; +- domain_interactive_fd($1_t) +- +- typeattribute $1_devpts_t user_ptynode; +- typeattribute $1_home_dir_t user_home_dir_type; +- typeattribute $1_home_t user_home_type; +- typeattribute $1_tmp_t user_tmpfile; +- typeattribute $1_tty_device_t user_ttynode; +- +- userdom_poly_home_template($1) +- userdom_poly_tmp_template($1) +- + ############################## + # + # Local policy # - corecmd_exec_all_executables($1_t) -+ # Inherit rules for ordinary users. 
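Review bot: The header of the new `userdom_unpriv_login_user` template says only `## The template for creating a unprivileged login user.` and does not say how it differs from `userdom_unpriv_user_template`, which in the next hunk now calls it and then layers `userdom_common_user_template($1)` on top; a reader choosing between the two has nothing to go on. I would extend the summary to something like `## The template for creating an unprivileged login user: login_user plus privhome plus the unpriv attributes, without the common_user rules.` (also fixing "a unprivileged"). The same hunk moves a large set of rules out of `userdom_common_user_template` into the template whose body this hunk begins inside (its header is outside the hunk); a one-line note in that template's header recording the split would help too.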
-+ userdom_common_user_template($1) -+ -+ ############################## -+ # -+ # Local policy -+ # - +- # port access is audited even if dac would not have allowed it, so dontaudit it here -- corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -+ corenet_dontaudit_tcp_bind_all_reserved_ports($1_usertype) + corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc -- corenet_tcp_bind_xserver_port($1_t) -+ corenet_tcp_bind_xserver_port($1_usertype) - -- files_exec_usr_files($1_t) -+ files_exec_usr_files($1_usertype) - # cjp: why? -- files_read_kernel_symbol_table($1_t) -+ files_read_kernel_symbol_table($1_usertype) - - ifndef(`enable_mls',` -- fs_exec_noxattr($1_t) -+ fs_exec_noxattr($1_usertype) - - tunable_policy(`user_rw_noexattrfile',` -- fs_manage_noxattr_fs_files($1_t) -- fs_manage_noxattr_fs_dirs($1_t) -+ fs_manage_noxattr_fs_files($1_usertype) -+ fs_manage_noxattr_fs_dirs($1_usertype) - # Write floppies -- storage_raw_read_removable_device($1_t) -- storage_raw_write_removable_device($1_t) -+ storage_raw_read_removable_device($1_usertype) -+ storage_raw_write_removable_device($1_usertype) - ',` -- storage_raw_read_removable_device($1_t) -+ storage_raw_read_removable_device($1_usertype) - ') +@@ -1033,14 +1110,6 @@ ') -@@ -1028,16 +1113,8 @@ - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols - tunable_policy(`user_tcp_server',` -- corenet_tcp_bind_all_nodes($1_t) -- corenet_tcp_bind_generic_port($1_t) + optional_policy(` +- kerberos_use($1_t) - ') - - optional_policy(` -- kerberos_use($1_t) +- loadkeys_run($1_t,$1_r,$1_tty_device_t) - ') - - optional_policy(` -- loadkeys_run($1_t,$1_r,$1_tty_device_t) -+ corenet_tcp_bind_all_nodes($1_usertype) -+ corenet_tcp_bind_generic_port($1_usertype) + netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') - - optional_policy(` 
-@@ -1054,17 +1131,6 @@ +@@ -1054,17 +1123,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -11505,7 +11025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1168,8 @@ +@@ -1102,6 +1160,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -11514,7 +11034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1195,7 @@ +@@ -1127,7 +1187,7 @@ # $1_t local policy # @@ -11523,7 +11043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,8 +1207,6 @@ +@@ -1139,8 +1199,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -11532,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1902,6 +1968,41 @@ +@@ -1902,6 +1960,41 @@ ######################################## ##
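Review bot: `userdom_unpriv_login_user` is the only template in this set whose name lacks the `_template` suffix used by `userdom_login_user_template`, `userdom_privhome_user_template` and `userdom_unpriv_user_template`; since it is introduced by this patch, renaming it now at the `template(\`userdom_unpriv_login_user', \`` line and at the single call `userdom_unpriv_login_user($1)` in `userdom_unpriv_user_template` avoids a rename once other modules depend on it. The hunk also drops the `gen_require` of `privhome, user_ptynode, ...` from `userdom_unpriv_user_template`, which appears to rely on the same require inside `userdom_unpriv_login_user`; worth a comment at the call site if that is the intent. Both templates continue outside the hunk.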

@@ -11574,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -3078,7 +3179,7 @@ +@@ -3078,7 +3171,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -11583,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5424,7 @@ +@@ -5323,7 +5416,7 @@ attribute user_tmpfile; ') @@ -11592,7 +11112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5548,6 +5649,26 @@ +@@ -5548,6 +5641,26 @@ ######################################## ## @@ -11619,7 +11139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5559,3 +5680,234 @@ +@@ -5559,3 +5672,233 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -11788,14 +11308,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +# Should be optional but policy will not build because of compiler problems +# Must be before xwindows calls +#optional_policy(` -+ gnome_per_role_template($1, $1_usertype, $1_r) ++ gnome_per_role_template($1, $1_t, $1_r) + gnome_exec_gconf($1_t) +#') + +userdom_xwindows_client_template($1) -+allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + -+logging_send_syslog_msg($1_usertype) ++logging_send_syslog_msg($1_t) + +optional_policy(` + alsa_read_rw_config($1_t) 
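Review bot: Dropping `allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto };` is right for a `$1` per-role template (a rule hard-coded to one user did not belong there), but nothing in this hunk replaces it, so if the xguest domain still needs `connectto` on its own stream sockets that rule must now come from xguest's own policy on its domain type, which I cannot verify from here. A one-line comment at the point of removal, e.g. `# per-user socket rules belong in the user's own .te, not in this template`, would keep the next person from re-adding it. The enclosing template starts and ends outside this hunk.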
@@ -11803,13 +11322,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +authlogin_per_role_template($1, $1_t, $1_r) + -+dev_read_sound($1_usertype) -+dev_write_sound($1_usertype) ++dev_read_sound($1_t) ++dev_write_sound($1_t) + +optional_policy(` -+ dbus_per_role_template($1, $1_usertype, $1_r) -+ dbus_system_bus_client_template($1, $1_usertype) -+ allow $1_usertype self:dbus send_msg; ++ dbus_per_role_template($1, $1_t, $1_r) ++ dbus_system_bus_client_template($1, $1_t) ++ allow $1_t self:dbus send_msg; +') + +optional_policy(` @@ -11829,7 +11348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +# gnome keyring wants to read this. Needs to be exlicitly granted -+dev_dontaudit_read_rand($1_usertype) ++dev_dontaudit_read_rand($1_t) + +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index a52c8db..2c3b1f7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.3 -Release: 4%{?dist} +Release: 5%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -359,6 +359,9 @@ exit 0 %endif %changelog +* Mon Jul 23 2007 Dan Walsh 3.0.3-5 +- Add ntpd_key_t to handle secret data + * Fri Jul 20 2007 Dan Walsh 3.0.3-4 - Add anon_inodefs - Allow unpriv user exec pam_exec_t