diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index 6b99dec..c36b187 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -30,6 +30,7 @@ template(`su_per_userdomain_template',` gen_require(` type su_exec_t; + bool secure_mode; ') type $1_su_t; diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index f202e08..fda3c0a 100644 --- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if @@ -31,6 +31,7 @@ template(`sudo_per_userdomain_template',` gen_require(` type sudo_exec_t; + bool secure_mode; ') ############################## diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index bc558ec..b66ba87 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -10,10 +10,6 @@ ## # template(`apache_content_template',` - gen_require(` - attribute httpdcontent, httpd_script_domains; - ') - # allow write access to public file transfer # services files. gen_tunable(allow_httpd_$1_script_anon_write,false) @@ -251,6 +247,11 @@ template(`apache_content_template',` ## # template(`apache_per_userdomain_template', ` + gen_require(` + attribute httpdcontent, httpd_script_domains; + attribute httpd_exec_scripts; + type httpd_t, httpd_suexec_t, httpd_log_t; + ') apache_content_template($1) diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 37edbc1..eade946 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -30,7 +30,7 @@ template(`cron_per_userdomain_template',` gen_require(` attribute cron_spool_type; - type crontab_exec_t; + type crond_t, cron_spool_t, crontab_exec_t; ') # Type of user crontabs once moved to cron spool. 
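Review bot: Other callers of `apache_content_template` in apache.if lose the `httpdcontent` and `httpd_script_domains` requirement, because this commit moves it into `apache_per_userdomain_template` (hunk `@@ -251,6 +247,11 @@`). The content template's rules are outside the hunk, so whether it still references those attributes cannot be confirmed here. If it does, a comment above it such as `# Callers must declare or require httpdcontent and httpd_script_domains.` would record the contract. It is also worth confirming that `httpd_exec_scripts`, `httpd_t`, `httpd_suexec_t` and `httpd_log_t` are each used by the per-user rules, since every required symbol becomes a load-time dependency of the calling module.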
@@ -198,7 +198,7 @@ template(`cron_per_userdomain_template',` # create files in /var/spool/cron allow $1_crontab_t $1_cron_spool_t:file create_file_perms; allow $1_crontab_t cron_spool_t:dir rw_dir_perms; - type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t; + type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t; # crontab signals crond by updating the mtime on the spooldir allow $1_crontab_t cron_spool_t:dir setattr; @@ -270,6 +270,10 @@ template(`cron_per_userdomain_template',` ## # template(`cron_admin_template',` + gen_require(` + attribute cron_spool_type; + ') + # Allow our crontab domain to unlink a user cron spool file. allow $1_crontab_t cron_spool_type:file { getattr read unlink }; diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if index 8481397..cd712fe 100644 --- a/refpolicy/policy/modules/services/dbus.if +++ b/refpolicy/policy/modules/services/dbus.if @@ -27,6 +27,12 @@ ## # template(`dbus_per_userdomain_template',` + gen_require(` + type system_dbusd_t, dbusd_etc_t; + type system_dbusd_exec_t; + class dbus { send_msg acquire_svc }; + ') + ############################## # # Delcarations diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 1cac664..4ac148d 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -42,6 +42,11 @@ interface(`mta_stub',` ## # template(`mta_per_userdomain_template',` + gen_require(` + attribute mailserver_domain, mta_user_agent; + type sendmail_exec_t; + ') + type $1_mail_t; domain_type($1_mail_t) role $3 types $1_mail_t; diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if index 943221c..c2934b9 100644 --- a/refpolicy/policy/modules/services/portmap.if +++ b/refpolicy/policy/modules/services/portmap.if 
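Review bot: In cron.if hunk `@@ -198,7 +198,7 @@`, the new `type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;` puts the per-user file type where a file transition expects the type of the parent directory. The neighbouring rule `allow $1_crontab_t cron_spool_t:dir rw_dir_perms;` shows the directory being written is `cron_spool_t`, so as written the transition would not match. New crontabs would then presumably inherit the directory's label rather than `$1_cron_spool_t`, which the `create_file_perms` rule above does not cover. The line likely wants to be `type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;`. The template body starts and ends outside the hunk.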
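Review bot: In cron.if `cron_admin_template` (hunk `@@ -270,6 +270,10 @@`), the added require covers `cron_spool_type`, but the rule right after it also uses `$1_crontab_t`, which this template neither declares nor requires. If that type is expected to come from `cron_per_userdomain_template` being expanded for the same prefix, either add `type $1_crontab_t;` to the require or say so in a comment, e.g. `# $1_crontab_t is declared by cron_per_userdomain_template($1)`. The rule grants `unlink` on every `cron_spool_type` file, so the template header should also state which domains are meant to call it. The template body continues outside the hunk.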
@@ -43,7 +43,7 @@ interface(`portmap_domtrans_helper',` # interface(`portmap_run_helper',` gen_require(` - type portmap_helper_t; + type portmap_t, portmap_helper_t; class chr_file { getattr read write ioctl }; ') diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index ab35a65..12019d1 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -29,8 +29,10 @@ # template(`ssh_per_userdomain_template',` gen_require(` + attribute ssh_server; type ssh_exec_t, ssh_agent_exec_t; - type ssh_keysign_exec_t; + type sshd_key_t, ssh_keysign_exec_t; + type sshd_tmp_t, sshd_t; ') ############################## diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index be9077f..f8fe448 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -966,9 +966,11 @@ interface(`domain_unconfined',` ') # -# These next macros are not interfaces, but actually are +# These next macros are not templates, but actually are # support macros. Due to the domain_ prefix, they # are placed in this module, to try to prevent confusion. +# They are called templates since regular m4 defines +# wont work here. # ######################################## @@ -976,11 +978,6 @@ interface(`domain_unconfined',` # domain_trans(source_domain,entrypoint_file,target_domain) # template(`domain_trans',` - gen_require(` - class file rx_file_perms; - class process { transition noatsecure siginh rlimitinh }; - ') - allow $1 $2:file rx_file_perms; allow $1 $3:process transition; dontaudit $1 $3:process { noatsecure siginh rlimitinh }; diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 1aa37fb..dfe9c8b 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te 
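Review bot: The require block of `ssh_per_userdomain_template` in ssh.if now pulls the server-side symbols `ssh_server`, `sshd_key_t`, `sshd_tmp_t` and `sshd_t` into a per-user template without saying which rules need them. Going by its name, `sshd_key_t` labels the daemon's key material (the declaration is not shown), so a reader will want to know whether a user domain gets real access to it or only a `dontaudit`. A comment inside the `gen_require` such as `# sshd_key_t: <which $1_ domain uses it, and for what access>` would make that auditable. The rules that use these types are outside the hunk.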
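Review bot: In domain.if hunk `@@ -966,9 +966,11 @@`, the reworded comment says the macros "are not templates" and two lines later that "They are called templates", which reads as a contradiction, and it gives no reason why a regular m4 define will not work. Wording such as `# These next macros are declared with template(), but are really support macros.` followed by that reason would be clearer, and `wont` should be `won't`. Since the next hunk drops the `gen_require` from `domain_trans`, this comment is also the place to state that the support macros require nothing themselves and rely on the calling module for the `file` and `process` class requirements.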
@@ -240,7 +240,8 @@ ifdef(`targeted_policy',` seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal) seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) - optional_policy(`targeted_policy',`',` + + ifdef(`targeted_policy',`',` seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) ') ') diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt index d5e6194..de48b3b 100644 --- a/refpolicy/policy/support/loadable_module.spt +++ b/refpolicy/policy/support/loadable_module.spt @@ -12,7 +12,10 @@ define(`policy_module',` ifdef(`self_contained_policy',`',` module $1 $2; - require { all_kernel_class_perms } + require { + role system_r; + all_kernel_class_perms + } ') ')
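Review bot: In userdomain.te, the inner ifdef on `targeted_policy` that replaces the `optional_policy` call may be redundant, because the hunk header names an ifdef on the same macro as the nearest preceding top-level line. If these lines sit in that outer ifdef's else branch (the start of the block is outside the hunk, so this is not certain), `targeted_policy` can never be defined here. The body could then be just `seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)` with no wrapper. If they sit in the true branch instead, the call is never emitted and `sysadm_t` does not get the run_init rules; a comment should say whether that is intended.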
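Review bot: The `role system_r;` line added to the require in `policy_module` (loadable_module.spt) has no comment explaining why every loadable module needs it. Because the macro emits this block for each module when `self_contained_policy` is not defined, every module's load now depends on the base policy providing that role. A line above the `require` such as `# system_r: required for all modules because <reason>` would record the intent. It would also tell module authors they need not require the role again themselves.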