++
++policy_module(exim, 1.0.0)
+
+########################################
+#
@@ -6149,14 +6052,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+
+type exim_t;
+type exim_exec_t;
-+domain_type(exim_t)
-+init_daemon_domain(exim_t, exim_exec_t)
++mta_mailserver(exim_t, exim_exec_t)
++mta_mailserver_user_agent(exim_t)
++mta_mailclient(exim_exec_t)
+
+type exim_script_exec_t;
+init_script_type(exim_script_exec_t)
+
-+type exim_tmp_t;
-+files_tmp_file(exim_tmp_t)
++type exim_spool_t;
++files_type(exim_spool_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
@@ -6164,78 +6068,151 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+type exim_log_t;
+logging_log_file(exim_log_t)
+
-+type exim_spool_t;
-+files_type(exim_spool_t)
++########################################
++#
++# exim booleans
++#
++
++##
++##
++## Allow exim to connect to databases (postgres, mysql)
++##
++##
++gen_tunable(exim_can_connect_db, false)
++
++##
++##
++## Allow exim to read files in users homedirectories
++##
++##
++gen_tunable(exim_read_user_files, false)
++
++##
++##
++## Allow exim to manage files in users homedirectories
++##
++##
++gen_tunable(exim_manage_user_files, false)
+
+########################################
+#
+# exim local policy
+#
+
-+allow exim_t self:capability { dac_override dac_read_search setuid setgid };
-+
-+## internal communication is often done using fifo and unix sockets.
++allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };
++allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:tcp_socket create_stream_socket_perms;
++allow exim_t self:udp_socket create_socket_perms;
+allow exim_t self:unix_stream_socket create_stream_socket_perms;
+
-+allow exim_t exim_tmp_t:file manage_file_perms;
-+allow exim_t exim_tmp_t:dir create_dir_perms;
-+files_tmp_filetrans(exim_t,exim_tmp_t, { file dir })
++corenet_all_recvfrom_unlabeled(exim_t)
++corenet_all_recvfrom_netlabel(exim_t)
++corenet_udp_sendrecv_all_if(exim_t)
++corenet_udp_sendrecv_all_nodes(exim_t)
++corenet_tcp_sendrecv_all_if(exim_t)
++corenet_tcp_sendrecv_all_nodes(exim_t)
++corenet_tcp_bind_all_nodes(exim_t)
++corenet_tcp_bind_amavisd_send_port(exim_t)
++corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_connect_smtp_port(exim_t)
++corenet_tcp_sendrecv_smtp_port(exim_t)
++corenet_sendrecv_smtp_server_packets(exim_t)
++corenet_sendrecv_all_client_packets(exim_t)
+
-+allow exim_t exim_var_run_t:file manage_file_perms;
-+allow exim_t exim_var_run_t:dir manage_dir_perms;
-+files_pid_filetrans(exim_t,exim_var_run_t, { file dir })
++# make identd connections
++corenet_tcp_connect_auth_port(exim_t)
++corenet_tcp_sendrecv_auth_port(exim_t)
+
-+allow exim_t exim_log_t:file manage_file_perms;
-+allow exim_t exim_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(exim_t,exim_log_t,{ file dir })
++# connect to spamassassin
++corenet_tcp_connect_spamd_port(exim_t)
++corenet_tcp_sendrecv_spamd_port(exim_t)
+
-+allow exim_t exim_spool_t:dir manage_dir_perms;
-+allow exim_t exim_spool_t:file manage_file_perms;
-+allow exim_t exim_spool_t:sock_file create_file_perms;
-+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++libs_use_ld_so(exim_t)
++libs_read_lib_files(exim_t)
++libs_exec_lib_files(exim_t)
++libs_use_shared_libs(exim_t)
++libs_legacy_use_shared_libs(exim_t)
++
++# PID files
++manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
++files_pid_filetrans(exim_t, exim_var_run_t, file)
+
+auth_use_nsswitch(exim_t)
+
-+can_exec(exim_t,exim_exec_t)
++# Exim uses BerkeleyDB, which checks /var/tmp but doesn't actually use it
++files_dontaudit_getattr_tmp_dirs(exim_t)
++files_search_usr(exim_t)
++files_search_var(exim_t)
++files_read_etc_files(exim_t)
++
++kernel_read_kernel_sysctls(exim_t)
++kernel_dontaudit_read_system_state(exim_t)
++
++miscfiles_read_localization(exim_t)
++miscfiles_read_certs(exim_t)
++
++mta_read_aliases(exim_t)
++mta_read_config(exim_t)
++mta_rw_spool(exim_t)
++mta_mailserver_delivery(exim_t)
+
+# Init script handling
+domain_use_interactive_fds(exim_t)
+
-+files_read_etc_files(exim_t)
++can_exec(exim_t,exim_exec_t)
+
-+sysnet_dns_name_resolve(exim_t)
-+corenet_all_recvfrom_unlabeled(exim_t)
++exim_create_spool(exim_t)
++exim_manage_spool(exim_t)
++allow exim_t exim_spool_t:sock_file create_file_perms;
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
+
-+allow exim_t self:tcp_socket create_stream_socket_perms;
-+corenet_tcp_sendrecv_all_if(exim_t)
-+corenet_tcp_sendrecv_all_nodes(exim_t)
-+corenet_tcp_sendrecv_all_ports(exim_t)
-+corenet_tcp_bind_all_nodes(exim_t)
-+corenet_tcp_bind_smtp_port(exim_t)
-+corenet_tcp_bind_amavisd_send_port(exim_t)
-+corenet_tcp_connect_auth_port(exim_t)
-+corenet_tcp_connect_inetd_child_port(exim_t)
++## logging
++logging_send_syslog_msg(exim_t)
++exim_manage_logs(exim_t)
++logging_log_filetrans(exim_t, exim_log_t, { file dir })
+
+corecmd_search_bin(exim_t)
+
-+libs_use_ld_so(exim_t)
-+libs_use_shared_libs(exim_t)
-+logging_send_syslog_msg(exim_t)
++# TLS sessions need entropy
++dev_read_urand(exim_t)
++dev_read_rand(exim_t)
+
-+miscfiles_read_localization(exim_t)
++tunable_policy(`exim_can_connect_db',`
++ corenet_tcp_connect_mysqld_port(exim_t)
++ corenet_sendrecv_mysqld_client_packets(exim_t)
++ corenet_tcp_connect_postgresql_port(exim_t)
++ corenet_sendrecv_postgresql_client_packets(exim_t)
++')
+
-+kernel_read_kernel_sysctls(exim_t)
++optional_policy(`
++ tunable_policy(`exim_can_connect_db',`
++ mysql_stream_connect(exim_t)
++ ')
++')
+
-+mta_mailclient(exim_exec_t)
-+mta_read_aliases(exim_t)
-+mta_rw_spool(exim_t)
++optional_policy(`
++ tunable_policy(`exim_can_connect_db',`
++ postgresql_stream_connect(exim_t)
++ ')
++')
++
++optional_policy(`
++ mailman_read_data_files(exim_t)
++ mailman_domtrans(exim_t)
++')
++
++optional_policy(`
++ procmail_domtrans(exim_t)
++')
+
-+userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-+userdom_dontaudit_search_generic_user_home_dirs(exim_t)
++optional_policy(`
++ sasl_connect(exim_t)
++')
+
-+bool exim_read_user_files false;
-+bool exim_manage_user_files false;
++optional_policy(`
++ cyrus_stream_connect(exim_t)
++')
+
+if (exim_read_user_files) {
+ userdom_read_unpriv_users_home_content_files(exim_t)
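Review bot: `corenet_sendrecv_all_client_packets(exim_t)`, together with `corenet_udp_sendrecv_all_if`/`all_nodes` and `corenet_tcp_sendrecv_all_if`/`all_nodes`, grants exim client traffic to every labeled port, which is wider than the explicit smtp/auth/spamd/mysqld/postgresql port rules the same hunk adds and, under secmark, quietly undoes that per-port restriction. Prefer the per-port packet interfaces (e.g. `corenet_sendrecv_smtp_client_packets(exim_t)`) or add a comment saying why the catch-all is required. The only UDP use I can see is name resolution, which presumably arrives through `auth_use_nsswitch` now that `sysnet_dns_name_resolve` is dropped — worth confirming, since no UDP port interface is granted. Separately, the booleans are now declared with `gen_tunable` but are still consumed by the raw `if (exim_read_user_files) {` at the tail of the hunk (that block continues past it); refpolicy convention is `tunable_policy(`exim_read_user_files',` ... ')`, which also keeps base/module builds consistent.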
@@ -6248,6 +6225,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ userdom_write_unpriv_users_tmp_files(exim_t)
+}
+
++## receipt & validation
++
++optional_policy(`
++ clamav_domtrans_clamscan(exim_t)
++ clamav_stream_connect(exim_t)
++')
++
++optional_policy(`
++ spamassassin_exec(exim_t)
++ spamassassin_exec_client(exim_t)
++')
++
++# courier authdaemon; authdaemon doesn't have a type for its UNIX domain
++# socket, nor a public interface for it yet.
++ifdef(`TODO', `
++optional_policy(`
++ gen_require(`
++ type courier_var_run_t;
++ ')
++ files_search_pids(exim_t)
++ stream_connect_pattern(exim_t, courier_var_run_t, courier_var_run_t)
++')
++')
++
++# Debian uses a template based config generator which generates config
++# files under /var
++ifdef(`distro_debian',`
++ type exim_lib_t;
++ files_config_file(exim_lib_t)
++ exim_read_lib(exim_t)
++
++ type exim_lib_update_t;
++ type exim_lib_update_exec_t;
++ init_domain(exim_lib_update_t, exim_lib_update_exec_t)
++ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
++ mta_read_lib(exim_lib_update_t)
++ exim_manage_var_lib(exim_lib_update_t)
++')
++
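Review bot: The `ifdef(`TODO', ...)` wrapper around the courier section is dead policy — `TODO` is never defined, so the `gen_require` on `courier_var_run_t` and the `stream_connect_pattern` are silently discarded and nothing marks them as pending work. Either delete the block or turn it into a real `optional_policy(` ... ')` once the courier module exports an interface for its authdaemon socket, keeping the explanation as a plain `# TODO:` comment. In the `distro_debian` branch, `exim_lib_t` and `exim_lib_update_t` exist only on Debian builds, so the `exim_read_lib`/`exim_manage_var_lib` interfaces (in exim.if, not in view) will presumably fail their `gen_require` if another module calls them elsewhere — a matching `ifdef` or a note in the .if file would make that explicit.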
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.0.8/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ftp.if 2007-09-24 15:42:55.000000000 -0400
@@ -6272,7 +6288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-09-24 15:47:19.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-09-27 15:13:40.000000000 -0400
@@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -6281,7 +6297,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -157,6 +158,7 @@
+@@ -122,6 +123,7 @@
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
++kernel_search_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+@@ -157,6 +159,7 @@
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -6289,7 +6313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
-@@ -168,7 +170,9 @@
+@@ -168,7 +171,9 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
@@ -6299,7 +6323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
-@@ -217,6 +221,11 @@
+@@ -217,6 +222,11 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -6311,7 +6335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -252,7 +261,10 @@
+@@ -252,7 +262,10 @@
')
optional_policy(`
@@ -6922,7 +6946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.8/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mysql.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mysql.if 2007-09-28 14:29:45.000000000 -0400
@@ -157,3 +157,79 @@
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
@@ -6979,29 +7003,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
+ type mysqld_script_exec_t;
+ ')
+
-+ allow $1 mysqld_t:process { ptrace signal_perms getattr };
++ allow $2 mysqld_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, mysqld_t, mysqld_t)
+
-+ # Allow $1 to restart the apache service
-+ mysql_script_domtrans($1)
-+ domain_system_change_exemption($1)
++ # Allow $2 to restart the apache service
++ mysql_script_domtrans($2)
++ domain_system_change_exemption($2)
+ role_transition $2 mysqld_script_exec_t system_r;
-+ allow $2 system_r;
++ allow $3 system_r;
+
-+ manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
-+ manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
++ manage_dirs_pattern($2,mysqld_var_run_t,mysqld_var_run_t)
++ manage_files_pattern($2,mysqld_var_run_t,mysqld_var_run_t)
+
-+ manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
-+ manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
++ manage_dirs_pattern($2,mysqld_db_t,mysqld_db_t)
++ manage_files_pattern($2,mysqld_db_t,mysqld_db_t)
+
-+ manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
-+ manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
++ manage_dirs_pattern($2,mysqld_etc_t,mysqld_etc_t)
++ manage_files_pattern($2,mysqld_etc_t,mysqld_etc_t)
+
-+ manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
-+ manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
++ manage_dirs_pattern($2,mysqld_log_t,mysqld_log_t)
++ manage_files_pattern($2,mysqld_log_t,mysqld_log_t)
+
-+ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
-+ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
++ manage_dirs_pattern($2,mysqld_tmp_t,mysqld_tmp_t)
++ manage_files_pattern($2,mysqld_tmp_t,mysqld_tmp_t)
+')
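Review bot: After the `$1` → `$2` renumbering, `role_transition $2 mysqld_script_exec_t system_r;` is the one remaining line that still treats `$2` as a role, while `allow $2 mysqld_t:process { ... }` and the `manage_*_pattern($2, ...)` lines treat it as a domain and the changed `allow $3 system_r;` treats `$3` as the role. The interface signature is outside the hunk, but if `$2` is the admin domain and `$3` its role, as the edited lines imply, the transition should read `role_transition $3 mysqld_script_exec_t system_r;` — a type in the role position should fail the policy build. `read_files_pattern($1, mysqld_t, mysqld_t)` was also left at `$1` here, whereas the parallel postgresql interface in this same patch moves it to `$2`. The comment `# Allow $2 to restart the apache service` is a copy-paste leftover and should name the mysql service.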
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-07-25 10:37:42.000000000 -0400
@@ -7995,7 +8019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.8/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postgresql.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.if 2007-09-28 14:30:18.000000000 -0400
@@ -113,3 +113,77 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
@@ -8050,29 +8074,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ type postgresql_log_t;
+ ')
+
-+ allow $1 postgresql_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postgresql_t, postgresql_t)
++ allow $2 postgresql_t:process { ptrace signal_perms getattr };
++ read_files_pattern($2, postgresql_t, postgresql_t)
+
-+ # Allow $1 to restart the apache service
-+ postgresql_script_domtrans($1)
-+ domain_system_change_exemption($1)
++ # Allow $2 to restart the apache service
++ postgresql_script_domtrans($2)
++ domain_system_change_exemption($2)
+ role_transition $2 postgresql_script_exec_t system_r;
-+ allow $2 system_r;
++ allow $3 system_r;
+
-+ manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
-+ manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
++ manage_dirs_pattern($2,postgresql_var_run_t,postgresql_var_run_t)
++ manage_files_pattern($2,postgresql_var_run_t,postgresql_var_run_t)
+
-+ manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
-+ manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
++ manage_dirs_pattern($2,postgresql_db_t,postgresql_db_t)
++ manage_files_pattern($2,postgresql_db_t,postgresql_db_t)
+
-+ manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
-+ manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
++ manage_dirs_pattern($2,postgresql_etc_t,postgresql_etc_t)
++ manage_files_pattern($2,postgresql_etc_t,postgresql_etc_t)
+
-+ manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
-+ manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
++ manage_dirs_pattern($2,postgresql_log_t,postgresql_log_t)
++ manage_files_pattern($2,postgresql_log_t,postgresql_log_t)
+
-+ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
-+ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
++ manage_dirs_pattern($2,postgresql_tmp_t,postgresql_tmp_t)
++ manage_files_pattern($2,postgresql_tmp_t,postgresql_tmp_t)
+')
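Review bot: `role_transition $2 postgresql_script_exec_t system_r;` still uses `$2` as a role, while every other changed line now uses `$2` as the admin domain and `allow $3 system_r;` uses `$3` as the role. The signature is outside the hunk, but under the numbering the edited lines imply, this should be `role_transition $3 postgresql_script_exec_t system_r;`, otherwise the transition either fails to build or binds the wrong parameter. The comment `# Allow $2 to restart the apache service` is a copy-paste leftover and should say postgresql.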
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-07-25 10:37:42.000000000 -0400
@@ -9347,7 +9371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-09-26 11:12:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-09-26 17:41:34.000000000 -0400
@@ -67,6 +67,7 @@
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
@@ -10562,7 +10586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-25 10:59:20.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-27 15:46:41.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10594,7 +10618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +178,28 @@
+@@ -176,11 +178,32 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -10616,6 +10640,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
++ # for fingerprint readers
++ dev_rw_input_dev($1)
++ dev_rw_generic_usb_dev($1)
++
files_read_etc_files($1)
+ fs_list_auto_mountpoints($1)
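Review bot: `dev_rw_input_dev($1)` and `dev_rw_generic_usb_dev($1)` give every domain built from this template read/write access to all input event devices and all generic USB device nodes, which includes the keyboard and mouse event devices — a compromised login program could then read keystrokes system-wide, not merely talk to a fingerprint reader. The template name is outside the hunk, but the surrounding `domain_subj_id_change_exemption($1)` / `auth_domtrans_chk_passwd($1)` calls suggest this is the shared login-program template, so the grant lands on every login domain whether or not fingerprint auth is configured. Consider gating it behind a dedicated boolean via `tunable_policy`, or placing it in the specific PAM helper domain that actually opens the reader, and replacing the bare `# for fingerprint readers` with a comment naming the device nodes involved.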
@@ -10623,7 +10651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +215,33 @@
+@@ -196,22 +219,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -10658,7 +10686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -309,9 +339,6 @@
+@@ -309,9 +343,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -10668,7 +10696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +356,8 @@
+@@ -329,6 +360,8 @@
optional_policy(`
kerberos_use($1)
@@ -10677,7 +10705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -347,6 +376,37 @@
+@@ -347,6 +380,37 @@
########################################
##
@@ -10715,7 +10743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -695,6 +755,24 @@
+@@ -695,6 +759,24 @@
########################################
##
@@ -10740,7 +10768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
##
##
-@@ -1318,14 +1396,9 @@
+@@ -1318,14 +1400,9 @@
##
#
interface(`auth_use_nsswitch',`
@@ -10755,7 +10783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1347,6 +1420,8 @@
+@@ -1347,6 +1424,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -10764,7 +10792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -1381,3 +1456,163 @@
+@@ -1381,3 +1460,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -11628,7 +11656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-09-24 10:16:55.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-09-27 11:30:18.000000000 -0400
@@ -56,7 +56,6 @@
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
dontaudit ipsec_t self:capability sys_tty_config;
@@ -11676,7 +11704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -299,6 +294,8 @@
+@@ -299,11 +294,15 @@
allow racoon_t ipsec_spd_t:association setcontext;
@@ -11685,6 +11713,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
kernel_read_network_state(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
+ corenet_tcp_bind_all_nodes(racoon_t)
+ corenet_udp_bind_isakmp_port(racoon_t)
++corenet_udp_bind_all_nodes(racoon_t)
++corenet_udp_sendrecv_all_if(racoon_t)
+
+ dev_read_urand(racoon_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.8/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/iptables.te 2007-09-17 16:20:18.000000000 -0400
@@ -11924,7 +11959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-20 15:21:10.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-28 14:33:08.000000000 -0400
@@ -33,8 +33,27 @@
##
#
@@ -12018,16 +12053,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Create an object in the log directory, with a private
## type using a type transition.
##
-@@ -470,7 +546,7 @@
+@@ -465,12 +541,11 @@
+ interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
+- type var_log_t;
+ ')
files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
+- allow $1 var_log_t:dir list_dir_perms;
- read_files_pattern($1,var_log_t,logfile)
++ allow $1 logfile:dir list_dir_perms;
+ read_files_pattern($1,logfile, logfile)
')
########################################
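Review bot: Dropping `var_log_t` from `gen_require` and replacing `allow $1 var_log_t:dir list_dir_perms;` with `allow $1 logfile:dir list_dir_perms;` means callers can list `/var/log` itself only if `var_log_t` carries the `logfile` attribute; if it does not, `logging_read_all_logs` callers silently lose the ability to enumerate the top-level log directory while the file reads are still granted. The type declarations in logging.te are not in view, so this should be checked before merging. Either way, a one-line comment such as `# var_log_t is a logfile, so this also covers /var/log itself` would record the assumption.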
-@@ -514,6 +590,8 @@
+@@ -514,6 +589,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -12036,7 +12077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -597,3 +675,258 @@
+@@ -597,3 +674,258 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -12197,7 +12238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+##
+##
+#
-+template(`logging_audit_admin',`
++interface(`logging_audit_admin',`
+
+ gen_require(`
+ type auditd_t;
@@ -12249,7 +12290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+##
+##
+#
-+template(`logging_syslog_admin',`
++interface(`logging_syslog_admin',`
+
+ gen_require(`
+ type syslogd_t;
@@ -12297,7 +12338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-09-27 11:25:28.000000000 -0400
@@ -7,6 +7,10 @@
#
@@ -12377,7 +12418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
#
-allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
-+allow auditd_t self:capability { fsetid sys_nice sys_resource };
++allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file { getattr read write };
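Review bot: The newly added `chown` in `allow auditd_t self:capability { chown fsetid sys_nice sys_resource };` has no justification beside it, and chown is the capability that lets a daemon hand its files to another uid, so a reader should not have to guess what triggered it. A why-comment on the line, e.g. `# chown: auditd re-owns its log files to the configured log group` — adjusted to whatever denial prompted the change — would keep the grant auditable later. The auditd rule block continues outside the hunk.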
@@ -12452,7 +12493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2007-09-24 15:55:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2007-10-01 10:41:59.000000000 -0400
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
@@ -12543,7 +12584,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -208,7 +218,6 @@
+@@ -160,6 +170,7 @@
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow lvm_t clvmd_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
+@@ -208,7 +219,6 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
@@ -12551,7 +12600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
-@@ -228,6 +237,8 @@
+@@ -228,6 +238,8 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -12560,7 +12609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +257,7 @@
+@@ -246,6 +258,7 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -12568,7 +12617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
-@@ -254,6 +266,7 @@
+@@ -254,6 +267,7 @@
domain_use_interactive_fds(lvm_t)
@@ -12576,7 +12625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
-@@ -275,6 +288,8 @@
+@@ -275,6 +289,8 @@
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
@@ -12585,7 +12634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +308,14 @@
+@@ -293,5 +309,14 @@
')
optional_policy(`
@@ -12600,6 +12649,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-05-29 14:10:58.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if 2007-09-27 15:33:47.000000000 -0400
+@@ -253,6 +253,8 @@
+ files_search_usr($1)
+
+ allow $1 man_t:dir setattr;
++ # 309351
++ allow $1 man_t:dir list_dir_perms;
+ delete_dirs_pattern($1,man_t,man_t)
+ delete_files_pattern($1,man_t,man_t)
+ delete_lnk_files_pattern($1,man_t,man_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2007-09-17 16:20:18.000000000 -0400
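Review bot: `# 309351` above the new `allow $1 man_t:dir list_dir_perms;` is only a bug number, which tells the next reader nothing without access to that tracker; the changelog says this is for tmpreaper, so the comment should say so, e.g. `# bz 309351: tmpreaper must list man dirs before it can prune them`. The interface name is outside the hunk, but given the `delete_*_pattern` calls that follow, `list_dir_perms` looks like the minimal addition — deletion already needs search/write on the directory, and listing is what a cleaner uses to find candidates.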
@@ -13465,7 +13526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-09-28 09:01:32.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -13494,7 +13555,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
-@@ -203,9 +208,7 @@
+@@ -177,6 +182,7 @@
+ ')
+ ')
+
++
+ # for the dhcp client to run ping to check IP addresses
+ optional_policy(`
+ netutils_domtrans_ping(dhcpc_t)
+@@ -203,9 +209,7 @@
')
optional_policy(`
@@ -13505,7 +13574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -216,6 +219,7 @@
+@@ -216,6 +220,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -13513,7 +13582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -254,6 +258,7 @@
+@@ -254,6 +259,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -13521,7 +13590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,6 +285,8 @@
+@@ -280,6 +286,8 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -13530,6 +13599,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
+@@ -332,3 +340,7 @@
+ xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
++
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(ifconfig_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-09-25 15:03:25.000000000 -0400
@@ -13556,7 +13633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-24 15:31:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-28 09:00:54.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d9380c9..e13a886 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 14%{?dist}
+Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -298,13 +298,13 @@ fi
exit 0
-%triggerpostun targeted -- selinux-policy-targeted < 3.0.4-1
+%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1
setsebool -P use_nfs_home_dirs=1
-restorecon -R /root /etc/selinux/targeted 2> /dev/null
semanage login -m -s "system_u" __default__ 2> /dev/null
semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u 2> /dev/null
+semanage user -a -P guest -R guest_r guest_u 2> /dev/null
semanage user -a -P xguest -R xguest_r xguest_u 2> /dev/null
+restorecon -R /root /etc/selinux/targeted 2> /dev/null
exit 0
%files targeted
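Review bot: `%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1` uses an EVR with two hyphens; if I read rpm's EVR parsing right it splits at the last hyphen, so this compares against version `3.0.8-14` release `1`, and because `3.0.8-14` sorts after `3.0.8` the trigger fires on removal of every earlier 3.0.8-N package rather than only those below 3.0.8-14. If the intent is to re-run the `semanage user` setup on any upgrade into this build, `< 3.0.8-15` matches the Release bump in the same diff. Moving `restorecon -R /root /etc/selinux/targeted` after the `semanage` calls is sensible since those writes land under /etc/selinux/targeted, but a one-line comment saying so would stop the next person from moving it back.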
@@ -365,6 +365,11 @@ exit 0
%endif
%changelog
+* Thu Sep 24 2007 Dan Walsh 3.0.8-15
+- Allow tmpreadper to read man_t
+- Allow racoon to bind to all nodes
+- Fixes for finger print reader
+
* Tue Sep 24 2007 Dan Walsh 3.0.8-14
- Allow xdm to talk to input device (fingerprint reader)
- Allow octave to run as java