diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls
index f46081d..cd8f5fd 100644
--- a/refpolicy/policy/mls
+++ b/refpolicy/policy/mls
@@ -22,6 +22,7 @@ sensitivity s9;
#
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
+
#
# Define the categories
#
@@ -207,7 +208,7 @@ level s9:c0.c127;
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
-# name_list : name | name_list name#
+# name_list : name | name_list name
#
#
@@ -218,7 +219,7 @@ level s9:c0.c127;
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
-# new file labels must be dominated by the relabling subject clearance
+# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
@@ -258,10 +259,10 @@ mlsconstrain dir { add_name remove_name reparent rmdir }
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
-# file { execute_no_trans entrypoint }
+# { file chr_file } { execute_no_trans entrypoint execmod }
# the file upgrade/downgrade rule
-mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
+mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
@@ -285,11 +286,13 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
(( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
#
# MLS policy for the filesystem class
#
-# new filesystem labels must be dominated by the relabling subject clearance
+# new filesystem labels must be dominated by the relabeling subject clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
@@ -309,50 +312,46 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
# filesystem { transition associate }
+
+
#
# MLS policy for the socket classes
#
-# new socket labels must be dominated by the relabling subject clearance
+# new socket labels must be dominated by the relabeling subject clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
-# the socket "read" ops (note that the we check dominance of the low level)
+# the socket "read" ops (note the check is dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
-mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
-
-mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+#
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
+
+
#
# MLS policy for the ipc classes
#
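Review bot: Moving `write` under the socket write constraint while leaving `append`, `sendto` and `send_msg` in the "no MLS restrictions" list at L89 checks the data-sending vectors on the same socket classes inconsistently; if the rationale is that `write` is checked against the process's own socket rather than the peer, that should be written next to the constraint, otherwise `sendto send_msg` belong in the constrained set with `write`. The constraints on `acceptfrom`, `connectto` and `newconn` (removed at L67-L70 and L82) are dropped without explanation; presumably these permissions are never checked by the kernel's socket hooks, but the comment at L93 should say so, e.g. `# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } -- not enforced by the kernel; peer level is checked on the node/netif vectors`. If they are in fact enforced, dropping them widens cross-level accept/connect and needs a deliberate decision rather than a silent move into the unrestricted list.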
@@ -393,6 +392,8 @@ mlsconstrain msg send
# { ipc sem msgq shm } associate
+
+
#
# MLS policy for the fd class
#
@@ -401,29 +402,38 @@ mlsconstrain msg send
# fd use
-#
-# MLS policy for the node class
-#
-
-# these access vectors have no MLS restrictions
-# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
#
-# MLS policy for the netif class
+# MLS policy for the network object classes
#
+# the netif/node "read" ops (implicit single level socket doing the read)
+# (note the check is dominance of the low level)
+mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
+ (( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
+
+# the netif/node "write" ops (implicit single level socket doing the write)
+mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+ (( l1 dom l2 ) and ( l1 domby h2 ));
+
# these access vectors have no MLS restrictions
-# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+# { netif node } { enforce_dest }
+
+
#
# MLS policy for the process class
#
-# new process labels must be dominated by the relabling subject clearance and
-# sensitivity level changes require privilege
-mlsconstrain process { transition dyntransition }
+# new process labels must be dominated by the relabeling subject clearance
+# and sensitivity level changes require privilege
+mlsconstrain process transition
+ (( h1 dom h2 ) and
+ (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
+ (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
+mlsconstrain process dyntransition
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
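Review bot: The new `tcp_send udp_send rawip_send` constraint at L127-L128 has no privilege override, whereas the matching recv rule honors `mlsnetrecvall` and the socket write rule earlier in this file honors `mlsnetwrite`/`mlsnetwritetoclr`, so a multilevel daemon that must send on a node labeled outside its range has no sanctioned escape. If that is deliberate, state it, e.g. `# no override: the implicit single-level socket may never send outside the subject's range`; otherwise mirror the socket rule with `or ( t1 == mlsnetwrite )`. The `privrangetrans` and `mlsrangetrans` attributes used at L146 are not in the attribute list hunk further down in this file; they are presumably declared elsewhere, but that is worth confirming since an undeclared attribute in a constraint fails the build.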
@@ -440,7 +450,9 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
+
+
#
@@ -451,6 +463,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
# security *
+
+
#
# MLS policy for the system class
#
@@ -459,6 +473,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
# system *
+
+
#
# MLS policy for the capability class
#
@@ -468,6 +484,7 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
+
#
# MLS policy for the passwd class
#
@@ -476,6 +493,8 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
# passwd *
+
+
#
# MLS policy for the drawable class
#
@@ -493,6 +512,8 @@ mlsconstrain drawable { create destroy draw copy }
( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the gc class
#
@@ -510,6 +531,8 @@ mlsconstrain gc { create free setattr }
( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the window class
#
@@ -530,6 +553,8 @@ mlsconstrain window { addchild create destroy chstack chproplist chprop setattr
# window { map unmap }
+
+
#
# MLS policy for the font class
#
@@ -550,6 +575,8 @@ mlsconstrain font free
# font use
+
+
#
# MLS policy for the colormap class
#
@@ -567,6 +594,8 @@ mlsconstrain colormap { create free install uninstall store setattr }
( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the property class
#
@@ -583,6 +612,9 @@ mlsconstrain property { create free write }
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
+
+
+
#
# MLS policy for the cursor class
#
@@ -594,6 +626,8 @@ mlsconstrain cursor { create createglyph free assign setattr }
( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the xclient class
#
@@ -605,6 +639,8 @@ mlsconstrain xclient kill
( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the xinput class
#
@@ -641,6 +677,8 @@ mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the xextension class
#
@@ -666,6 +704,8 @@ mlsconstrain xextension use
# pax { pageexec emutramp mprotect randmmap randexec segmexec }
+
+
#
# MLS policy for the dbus class
#
@@ -674,6 +714,8 @@ mlsconstrain xextension use
# dbus { acquire_svc send_msg }
+
+
#
# MLS policy for the nscd class
#
@@ -682,6 +724,8 @@ mlsconstrain xextension use
# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
+
+
#
# MLS policy for the association class
#
@@ -702,7 +746,7 @@ attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index f966524..9b21be4 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -11,7 +11,7 @@ type acct_exec_t;
init_daemon_domain(acct_t,acct_exec_t)
type acct_data_t;
-files_type(acct_data_t)
+logging_log_file(acct_data_t)
########################################
#
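Review bot: Relabeling acct_data_t with `logging_log_file` presumably attaches the generic log-file attribute, so every domain granted blanket log read or manage access now also reaches process-accounting records, which enumerate every command executed on the host. If that widening is intended (it lets logrotate handle the files), record it with a comment such as `# accounting data is rotated like other logs; this also exposes it to all generic log readers`. The strict-policy counterpart in this commit makes the same change via the `logfile` attribute.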
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index d52097b..c95e40f 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -84,8 +84,6 @@ files_read_all_pids(logrotate_t)
files_manage_generic_spools(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
-hostname_exec(logrotate_t)
-
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
@@ -124,6 +122,10 @@ optional_policy(`consoletype.te',`
')
+optional_policy(`hostname.te',`
+ hostname_exec(logrotate_t)
+')
+
optional_policy(`mysql.te',`
mysql_read_config(logrotate_t)
mysql_search_db_dir(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 7c95c5c..8674b74 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -172,6 +172,7 @@ corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
+corenet_tcp_connect_all_ports(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index a8864e3..8da01a7 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -106,6 +106,7 @@ corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_bind_all_nodes(rpm_t)
corenet_udp_bind_all_nodes(rpm_t)
+corenet_tcp_connect_all_ports(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
@@ -304,6 +305,10 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
+if (allow_execmem) {
+ allow rpm_script_t self:process execmem;
+}
+
# this should be tunable_policy, but
# typeattribute does not work in conditionals
ifdef(`unlimitedRPM',`
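Review bot: The raw `if (allow_execmem) { ... }` block at L332-L334 sidesteps the `tunable_policy` wrapper refpolicy uses for booleans and only builds if `allow_execmem` is already declared as a boolean in scope; unless there is a reason tunables cannot be used here, prefer `tunable_policy(`allow_execmem',` allow rpm_script_t self:process execmem; ')`. The comment directly below about `typeattribute` not working in conditionals refers to the `unlimitedRPM` ifdef, not to this grant, so a reader may assume it justifies the raw conditional; a one-line comment on the execmem grant itself would avoid that.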
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index e9416e6..bdce124 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -718,6 +718,23 @@ interface(`corenet_udp_bind_all_ports',`
########################################
##
+## Connect TCP sockets to all ports.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`corenet_tcp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ class tcp_socket name_connect;
+ ')
+
+ allow $1 port_type:tcp_socket name_connect;
+')
+
+########################################
+##
## Send and receive TCP network traffic on generic reserved ports.
##
##
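Review bot: The interface documentation should warn that `name_connect` on the `port_type` attribute covers reserved ports and every named port, so a caller gets outbound TCP to anything; add a sentence to the doc block such as `## This is a broad grant; prefer the per-port corenet_tcp_connect_*_port interfaces when the destination is known.` Most callers this commit adds (sendmail, inetd, dhcpc) appear to need only one or two specific ports, so the caveat will matter in practice.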
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 8a6c789..582e9d9 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -37,6 +37,7 @@ sid port context_template(system_u:object_r:port_t,s0)
type reserved_port_t, port_type, reserved_port_type;
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(auth, tcp,113,s0)
dnl network_port(biff) # no defined portcon in current strict
network_port(dbskkd, tcp,1178,s0)
network_port(dhcpc, udp,68,s0)
@@ -50,7 +51,7 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
network_port(http, tcp,80,s0, tcp,443,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
dnl network_port(i18n_input) # no defined portcon in current strict
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
+network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
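Review bot: Splitting tcp/113 out of `inetd_child` into a new `auth` port type changes the label of that port for every rule written against inetd_child_port_t, and this hunk does not update those callers; any domain that bound or connected to 113 through the inetd_child interfaces now needs the auth_port_t interfaces (inetd_t gets the bind half in this commit, but nothing gets a connect rule). A comment beside the new entry, e.g. `# ident/auth (RFC 1413); previously labeled as inetd_child`, would record the move for the next person chasing a denial on port 113.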
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 7674b7d..bda7016 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -68,8 +68,10 @@ corenet_tcp_sendrecv_all_ports(inetd_t)
corenet_udp_sendrecv_all_ports(inetd_t)
corenet_tcp_bind_all_nodes(inetd_t)
corenet_udp_bind_all_nodes(inetd_t)
+corenet_tcp_connect_all_ports(inetd_t)
# listen on service ports:
+corenet_tcp_bind_auth_port(inetd_t)
#corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
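Review bot: `corenet_tcp_connect_all_ports(inetd_t)` gives inetd outbound connect to every port, which is wider than the traffic an inetd normally originates (ident lookups to tcp/113, the port the new `auth` type now labels); if the generated per-port interfaces include `corenet_tcp_connect_auth_port`, use that instead. The line is also placed above the `# listen on service ports:` comment, so it reads as part of the bind list; move it next to the other sendrecv rules or give it its own comment naming the consumer.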
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 475788c..0ef9c9a 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -74,6 +74,7 @@ corenet_udp_sendrecv_all_ports(innd_t)
corenet_tcp_bind_all_nodes(innd_t)
corenet_udp_bind_all_nodes(innd_t)
corenet_tcp_bind_innd_port(innd_t)
+corenet_tcp_connect_all_ports(innd_t)
dev_read_sysfs(innd_t)
dev_read_urand(innd_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 91f5b8e..a2d8d7e 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -32,7 +32,7 @@ files_pid_file(slapd_var_run_t)
# should not need kill
# cjp: why net_raw?
-allow slapd_t self:capability { kill setgid setuid net_raw };
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file { read write };
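Review bot: Adding `dac_override` and `dac_read_search` to slapd_t lets the daemon bypass every discretionary permission check, which is usually a symptom of mis-owned database or config files rather than a real requirement; the file already questions `net_raw` in a comment, and the same should be done here, e.g. `# cjp: why dac_override? slapd should own its db and config`. If the need is only to read or search root-owned files, `dac_read_search` alone suffices and `dac_override` can be dropped; if writes are needed, the path should be named so the ownership can be fixed instead.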
@@ -71,6 +71,7 @@ corenet_udp_sendrecv_all_ports(slapd_t)
corenet_tcp_bind_all_nodes(slapd_t)
corenet_udp_bind_all_nodes(slapd_t)
corenet_tcp_bind_ldap_port(slapd_t)
+corenet_tcp_connect_all_ports(slapd_t)
dev_read_urand(slapd_t)
dev_read_sysfs(slapd_t)
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 808e081..237bf30 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -73,6 +73,7 @@ corenet_tcp_bind_generic_port(ypbind_t)
corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
corenet_udp_bind_reserved_port(ypbind_t)
+corenet_tcp_connect_all_ports(ypbind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
@@ -113,6 +114,10 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(ypbind_t)
')
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(ypbind_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ypbind_t)
')
@@ -122,8 +127,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-can_udp_send(ypbind_t, portmap_t)
-
optional_policy(`rhgb.te', `
rhgb_domain(ypbind_t)
')
@@ -199,6 +202,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(ypserv_t)
')
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(ypserv_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ypserv_t)
')
@@ -212,9 +219,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(ypserv_t)
')
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-
# Read and write /var/yp.
ifdef(`rpcd.te', `
allow rpcd_t ypserv_conf_t:file { getattr read };
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 47ce143..0b1d97e 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -56,6 +56,7 @@ corenet_udp_sendrecv_all_ports(sendmail_t)
corenet_tcp_bind_all_nodes(sendmail_t)
corenet_udp_bind_all_nodes(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
+corenet_tcp_connect_all_ports(sendmail_t)
dev_read_urand(sendmail_t)
dev_read_sysfs(sendmail_t)
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index ddba18a..90d85a1 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -28,7 +28,7 @@ files_pid_file(squid_var_run_t)
# Local policy
#
-allow squid_t self:capability { setgid setuid };
+allow squid_t self:capability { setgid setuid dac_override };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow squid_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index e85c077..a53c3bf 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -84,9 +84,4 @@ rhgb_domain(hwclock_t)
')
optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-optional_policy(`apmd.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-')
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 1beb5de..125e95a 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -107,8 +107,6 @@ modutils_read_mods_deps(hotplug_t)
miscfiles_read_localization(hotplug_t)
-mount_domtrans(hotplug_t)
-
sysnet_read_config(hotplug_t)
userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
@@ -147,6 +145,10 @@ optional_policy(`iptables.te',`
iptables_domtrans(hotplug_t)
')
+optional_policy(`mount.te',`
+ mount_domtrans(hotplug_t)
+')
+
optional_policy(`mta.te', `
mta_send_mail(hotplug_t)
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c44c2c4..c9fa5c7 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -145,6 +145,10 @@ ifdef(`distro_redhat',`
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
')
+ifdef(`targeted_policy',`
+ unconfined_domain_template(init_t)
+')
+
optional_policy(`authlogin.te',`
auth_rw_login_records(init_t)
')
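Review bot: `unconfined_domain_template(init_t)` under targeted_policy makes every other init_t rule in this module redundant for that build and is added without a comment explaining why; add one, e.g. `# targeted policy treats init as part of the unconfined base; daemons are confined only through their own domain transitions`. It is also worth confirming that the init_daemon_domain transitions into confined daemon domains still fire from an unconfined init_t, since that transition is the only remaining boundary in that configuration.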
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 6119e4b..3039425 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -31,7 +31,6 @@ interface(`seutil_domtrans_checkpol',`
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
-## Has a SIGCHLD signal backchannel.
##
##
## The type of the process performing this action.
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index fb66048..1a74046 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -94,6 +94,10 @@ role system_r types setfiles_t;
type setfiles_exec_t;
domain_entry_file(setfiles_t,setfiles_exec_t)
+ifdef(`distro_redhat',`
+ init_system_domain(setfiles_t,setfiles_exec_t)
+')
+
########################################
#
# Checkpolicy local policy
@@ -142,7 +146,8 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+allow load_policy_t policy_config_t:file r_file_perms;
+allow load_policy_t policy_config_t:lnk_file r_file_perms;
allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index fc717a6..2842c25 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -99,6 +99,7 @@ corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
+corenet_tcp_connect_all_ports(dhcpc_t)
dev_read_sysfs(dhcpc_t)
# for SSP:
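Review bot: `corenet_tcp_connect_all_ports(dhcpc_t)` is surprising for a DHCP client, which speaks UDP; if the grant is there because dhclient hook scripts contact other services, those actions are better confined in the domains of the tools the scripts run than by widening dhcpc_t to every TCP port. At minimum add a comment naming the consumer, e.g. `# for dhclient-script helpers -- verify which one needs TCP`, so the grant can be narrowed later.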
@@ -216,7 +217,7 @@ rhgb_domain(dhcpc_t)
#
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_admin sys_tty_config };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:fd use;
@@ -234,6 +235,7 @@ allow ifconfig_t self:msg { send receive };
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_etc_files(ifconfig_t);
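Review bot: `create_socket_perms` on packet_socket gives ifconfig_t read and write of raw link-layer frames, i.e. the ability to sniff and inject traffic, while the tcp_socket rule on the next line is deliberately limited to `{ create ioctl }`; if `/sbin/ip` only opens the packet socket for ioctl-style queries, narrow this to `allow ifconfig_t self:packet_socket { create ioctl };` and widen only on an observed denial. The `# for /sbin/ip` comment above now covers three rules, so a note on which operation needs the packet socket would help.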
@@ -246,6 +248,8 @@ kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
corenet_use_tun_tap_device(ifconfig_t)
+dev_read_sysfs(ifconfig_t)
+
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 1277194..7c3ec48 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -121,7 +121,6 @@ seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t)
userdom_use_sysadm_tty(udev_t)
-userdom_dontaudit_search_staff_home_dir(udev_t)
ifdef(`distro_redhat',`
fs_manage_tmpfs_symlinks(udev_t)
diff --git a/strict/attrib.te b/strict/attrib.te
index 4533bf7..cc79235 100644
--- a/strict/attrib.te
+++ b/strict/attrib.te
@@ -30,7 +30,7 @@ attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te
index 3a2447b..75f3074 100644
--- a/strict/domains/program/acct.te
+++ b/strict/domains/program/acct.te
@@ -21,7 +21,7 @@ file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
# for SSP
allow acct_t urandom_device_t:chr_file read;
-type acct_data_t, file_type, sysadmfile;
+type acct_data_t, file_type, logfile, sysadmfile;
allow acct_t self:capability sys_pacct;
diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te
index d95725e..2785acf 100644
--- a/strict/domains/program/amanda.te
+++ b/strict/domains/program/amanda.te
@@ -31,7 +31,7 @@
# General declarations
######################
-type amanda_t, domain, privlog, auth, nscd_client_domain ;
+type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
role system_r types amanda_t;
# type for the amanda executables
@@ -128,10 +128,7 @@ allow amanda_t amanda_usr_lib_t:dir search;
# access to device_t and similar
allow amanda_t device_t:dir search;
-allow amanda_t null_device_t:chr_file { getattr read write };
allow amanda_t devpts_t:dir getattr;
-allow amanda_t fixed_disk_device_t:blk_file getattr;
-allow amanda_t removable_device_t:blk_file getattr;
allow amanda_t devtty_t:chr_file { read write };
# access to boot_t
@@ -160,7 +157,7 @@ allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
allow amanda_t bin_t:file { execute execute_no_trans };
allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld };
+allow amanda_t self:process { fork sigchld setpgid signal };
allow amanda_t self:unix_dgram_socket create;
@@ -170,7 +167,8 @@ allow amanda_t self:unix_dgram_socket create;
can_network_server(amanda_t);
can_ypbind(amanda_t);
-
+can_exec(amanda_t, sbin_t);
+
allow amanda_t self:fifo_file { getattr read write ioctl lock };
allow amanda_t self:unix_stream_socket { connect create read write };
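Review bot: `can_exec(amanda_t, sbin_t)` lets amanda run any sbin_t binary without a domain transition, so whatever those tools do inherits amanda_t's broad read access to all file types; a later hunk in this file adds a transition to fsadm_t for the dump/fsck family, which suggests this generic grant is covering something else. Name it in a comment, e.g. `# for tar/gzip-style helpers under /sbin -- verify`, or replace it with can_exec rules for the specific binaries so the grant stays reviewable.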
@@ -237,7 +235,7 @@ file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
uses_shlib(amanda_recover_t)
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
allow amanda_recover_t privfd:fd use;
@@ -251,6 +249,9 @@ can_ypbind(amanda_recover_t);
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_t self:dir search;
+allow amanda_t self:file { getattr read };
+
# amrecover file permissions
############################
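Review bot: The two `allow amanda_t self:{dir file}` rules at L690-L691 are inserted into the amanda_recover_t section, between that domain's socket rules and the `# amrecover file permissions` header, so they read as if they belonged to amrecover; move them up to the amanda_t block next to `allow amanda_t self:fifo_file ...`. A short comment on why the daemon needs its own /proc entry, e.g. `# reads /proc/self`, would also help, as the purpose is not obvious from the rules alone.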
@@ -298,10 +299,24 @@ allow amanda_recover_t tmp_t:dir search;
#
# Rules to allow amanda to be run as a service in xinetd
#
-type amanda_port_t, port_type;
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
allow amanda_t file_type:dir {getattr read search };
-allow amanda_t file_type:file {getattr read };
+allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+allow amanda_t device_type:{ blk_file chr_file } getattr;
+allow amanda_t fixed_disk_device_t:blk_file read;
+domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+
+dontaudit amanda_t file_type:sock_file getattr;
logdir_domain(amanda)
+dontaudit amanda_t autofs_t:dir { getattr read search };
+dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
+dontaudit amanda_t nfs_t:dir { getattr read };
+dontaudit amanda_t proc_t:dir read;
+dontaudit amanda_t proc_t:lnk_file read;
+dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
+dontaudit amanda_t security_t:dir { getattr read };
+dontaudit amanda_t sysfs_t:dir { getattr read };
+dontaudit amanda_t unlabeled_t:file getattr;
+dontaudit amanda_t usbfs_t:dir getattr;
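Review bot: The `type amanda_port_t, port_type;` declaration is removed while `allow inetd_t amanda_port_t:...` on the following line still references it, so the build now depends on the type being declared elsewhere (presumably a shared port-type file); confirm that and note it, e.g. `# amanda_port_t is declared with the other port types`. Separately, `allow amanda_t fixed_disk_device_t:blk_file read` lets the backup domain read raw disks and therefore every file regardless of label; that is inherent to dump-style backups but deserves a comment saying so, and it should be reviewed together with the new `domain_auto_trans(... fsadm_t)` since fsadm_t can also write those devices.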
diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te
index 981f852..3e7ef0a 100644
--- a/strict/domains/program/anaconda.te
+++ b/strict/domains/program/anaconda.te
@@ -17,13 +17,17 @@ unconfined_domain(anaconda_t)
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
+ifdef(`su.te', `
role system_r types sysadm_su_t;
domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
+')
# Run other rc scripts in the anaconda_t domain.
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
+ifdef(`dmesg.te', `
domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
+')
ifdef(`distro_redhat', `
file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
@@ -44,4 +48,6 @@ ifdef(`ssh-agent.te', `
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
+ifdef(`passwd.te', `
domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
+')
diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te
index b01d3f3..72a708c 100644
--- a/strict/domains/program/apache.te
+++ b/strict/domains/program/apache.te
@@ -26,10 +26,11 @@ r_dir_file(httpd_suexec_t, $1)
can_exec(httpd_suexec_t, $1)
')
-type http_port_t, port_type, reserved_port_type;
-
bool httpd_unified false;
+# Allow httpd to use built in scripting (usually php)
+bool httpd_builtin_scripting false;
+
# Allow httpd cgi support
bool httpd_enable_cgi false;
@@ -42,6 +43,9 @@ bool httpd_ssi_exec false;
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
+# Allow http daemon to tcp connect
+bool httpd_can_network_connect false;
+
#########################################################
# Apache types
#########################################################
@@ -50,15 +54,6 @@ bool httpd_tty_comm false;
#
type httpd_config_t, file_type, sysadmfile;
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
#
@@ -71,7 +66,16 @@ type httpd_cache_t, file_type, sysadmfile;
# httpd_exec_t is the type give to the httpd executable.
#
-daemon_domain(httpd, `, privmail')
+daemon_domain(httpd, `, privmail, nscd_client_domain')
+
+append_logdir_domain(httpd)
+#can read /etc/httpd/logs
+allow httpd_t httpd_log_t:lnk_file read;
+
+# For /etc/init.d/apache2 reload
+can_tcp_connect(httpd_t, httpd_t)
+
+can_tcp_connect(web_client_domain, httpd_t)
can_exec(httpd_t, httpd_exec_t)
file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
@@ -82,53 +86,11 @@ allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read
read_sysctl(httpd_t)
+allow httpd_t crypt_device_t:chr_file rw_file_perms;
+
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec)
-allow httpd_t httpd_suexec_exec_t:file read;
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir search;
-allow httpd_suexec_t httpd_log_t:file { append getattr };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-can_network(httpd_suexec_t)
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };
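Review bot: The new `allow httpd_t crypt_device_t:chr_file rw_file_perms;` at the top of the hunk carries no comment, while the neighbouring rules each state their reason, so a reader cannot tell which Apache component needs read-write access to a crypto device node or whether write is required at all. A one-line why-comment would let the next reviewer scope it, e.g. `# TODO(review): name the module that opens crypt_device_t read-write and confirm write is needed`. The rest of this hunk only moves the suexec block to the end of the file.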
@@ -144,12 +106,31 @@ allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;
-can_network(httpd_t)
+########################################
+# Set up networking
+########################################
+
+can_network_server(httpd_t)
+can_kerberos(httpd_t)
+can_resolve(httpd_t)
can_ypbind(httpd_t)
+can_ldap(httpd_t)
+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-###################
-# Allow httpd to search users diretories
-######################
+if (httpd_can_network_connect) {
+can_network_client(httpd_t)
+allow httpd_t port_type:tcp_socket name_connect;
+}
+
+##########################################
+# Legacy: remove when it's fixed #
+# Allow libphp5.so with text relocations #
+##########################################
+allow httpd_t texrel_shlib_t:file execmod;
+
+#########################################
+# Allow httpd to search users directories
+#########################################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;
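Review bot: With `httpd_can_network_connect` enabled, `allow httpd_t port_type:tcp_socket name_connect;` lets the web server connect to every labeled port, not only the service ports it is otherwise paired with (ldap, kerberos, resolve a few lines above); if that breadth is intended, the boolean's comment at the top of the file should say so, e.g. `# Allow http daemon to tcp connect to any port (all port_type), not just well-known services`. The same blanket `port_type ... name_connect` grant recurs for httpd_suexec_t in the last apache hunk and in the canna, cups, cupsd_config, cyrus, dhcpc and dovecot hunks below; for a DHCP client in particular, TCP connects to arbitrary ports are hard to justify without a comment, and the hplip hunk shows the narrower per-port form. The `allow httpd_t texrel_shlib_t:file execmod;` grant is labelled legacy but has no owner or tracking reference in its banner, which is how such exceptions become permanent.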
@@ -163,7 +144,6 @@ dontaudit httpd_t self:capability net_admin;
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
@@ -173,11 +153,6 @@ allow logrotate_t httpd_t:process signull;
r_dir_file(initrc_t, httpd_config_t)
##################################################
-########################################
-# Allow httpd_t to bind to the HTTP port
-########################################
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-
###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
@@ -209,13 +184,14 @@ allow initrc_t httpd_modules_t:dir r_dir_perms;
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };
+# setup the system domain for system CGI scripts
+apache_domain(sys)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+
# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
-r_dir_file(httpd_t, httpd_sys_script_ro_t)
-create_dir_file(httpd_t, httpd_sys_script_rw_t)
-ra_dir_file(httpd_t, httpd_sys_script_ra_t)
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
##################################################
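Review bot: Dropping `r_dir_file(httpd_t, httpd_sys_script_ro_t)`, `create_dir_file(httpd_t, httpd_sys_script_rw_t)` and `ra_dir_file(httpd_t, httpd_sys_script_ra_t)` removes httpd_t's unconditional access to the system script content types, and the only replacement visible in this diff is `create_dir_file(httpd_t, httpdcontent)` in the last apache hunk, which is gated on `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting`. Unless `apache_domain(sys)`, now called here, grants these itself (its body is not in the diff), a server with those booleans off loses read access to httpd_sys_script_ro_t. Either restore the read rule or add a comment next to `apache_domain(sys)` stating where that access now comes from.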
@@ -242,7 +218,6 @@ allow httpd_php_t httpd_log_t:file ra_file_perms;
# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)
-tmp_domain(httpd_suexec)
# Creation of lock files for apache2
lock_domain(httpd)
@@ -262,10 +237,11 @@ allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;
+read_fonts(httpd_t)
+
allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_t autofs_t:dir { search getattr };
-allow httpd_suexec_t autofs_t:dir { search getattr };
if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
@@ -273,33 +249,24 @@ httpd_home_dirs(nfs_t)
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}
-r_dir_file(httpd_t, fonts_t)
#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;
-########################################
-# When the admin starts the server, the server wants to acess
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here.
-##################################################
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-
-can_kerberos(httpd_t)
-
ifdef(`targeted_policy', `
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
if (httpd_enable_homedirs) {
-allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
-allow httpd_t user_home_dir_t:dir { getattr search };
+allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
}
') dnl targeted policy
+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+
ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
@@ -319,36 +286,118 @@ dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
dontaudit httpd_t usr_t:dir write;
')
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-
application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };
+########################################
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
+##################################################
+
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir { search };
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+} else {
+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
read_sysctl(httpd_sys_script_t)
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)
+
+#
+# unconfined domain for apache scripts. Only to be used as a last resort
+#
+type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
+type httpd_unconfined_script_t, domain, nscd_client_domain;
+role system_r types httpd_unconfined_script_t;
+unconfined_domain(httpd_unconfined_script_t)
+
+# The following are types for SUEXEC,which runs user scripts as their
+# own user ID
+#
+daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
+#########################################################
+# Permissions for running child processes and scripts
+##########################################################
+
+allow httpd_suexec_t self:capability { setuid setgid };
+
+dontaudit httpd_suexec_t var_run_t:dir search;
+allow httpd_suexec_t { var_t var_log_t }:dir search;
+allow httpd_suexec_t home_root_t:dir search;
+
+allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
+allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+allow httpd_suexec_t httpd_t:fifo_file getattr;
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+allow httpd_suexec_t etc_t:file { getattr read };
+read_locale(httpd_suexec_t)
+read_sysctl(httpd_suexec_t)
+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
+
+# for shell scripts
+allow httpd_suexec_t bin_t:dir search;
+allow httpd_suexec_t bin_t:lnk_file read;
+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
+
+if (httpd_can_network_connect) {
+can_network(httpd_suexec_t)
+allow httpd_suexec_t port_type:tcp_socket name_connect;
+}
+
+can_ypbind(httpd_suexec_t)
+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
+
+allow httpd_suexec_t autofs_t:dir { search getattr };
+tmp_domain(httpd_suexec)
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ifdef(`targeted_policy', `', `
+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+')
+}
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
+}
+if (httpd_enable_cgi) {
+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
+allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+}
+
+#
+# Types for squirrelmail
+#
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
+create_dir_file(httpd_t, squirrelmail_spool_t)
+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
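Review bot: The new `httpd_unconfined_script_t` is entered from both httpd_t and httpd_suexec_t via the `domain_auto_trans` pair under `if (httpd_enable_cgi)` and is an `unconfined_domain`, yet its only gate is the generic CGI boolean, so anything relabeled to the `customizable` `httpd_unconfined_script_exec_t` leaves confinement whenever CGI is on. A dedicated boolean, or at minimum a comment above that block (`# Reached from httpd_t and httpd_suexec_t whenever httpd_enable_cgi is on; the target is unconfined, so label scripts this way only deliberately`), would match the "last resort" wording at the type declaration. Under non-targeted policy, `domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)` sends an administrator who executes web content into the script domain, which deserves a sentence explaining why that is wanted. The suexec log rule also widens from `{ append getattr }` to `{ create ra_file_perms }`; if create is needed, say which log file suexec creates.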
diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te
index 2f3cf09..dd08d41 100644
--- a/strict/domains/program/apmd.te
+++ b/strict/domains/program/apmd.te
@@ -21,17 +21,19 @@ uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
-allow apm_t self:capability sys_admin;
+allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
-allow apm_t proc_t:file { read getattr };
+allow apm_t proc_t:file r_file_perms;
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;
allow apmd_t device_t:lnk_file read;
-allow apmd_t proc_t:file { getattr read };
-read_sysctl(apmd_t)
+allow apmd_t proc_t:file { getattr read write };
+can_sysctl(apmd_t)
+allow apmd_t sysfs_t:file write;
+
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
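Review bot: `allow apmd_t proc_t:file { getattr read write };` and `allow apmd_t sysfs_t:file write;` grant write on the generic proc and sysfs file types rather than on a specific node, and neither line says which file the suspend/resume path writes; the `dac_override` added for apm_t is likewise uncommented. A why-comment such as `# apmd writes <proc/sys node — TODO name it> on suspend/resume` would record the intent and make it possible to narrow these later.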
@@ -52,7 +54,7 @@ allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;
# Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
@@ -67,7 +69,10 @@ can_exec_any(apmd_t)
# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
+domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
allow apmd_t adjtime_t:file rw_file_perms;
+allow hwclock_t apmd_log_t:file append;
+allow hwclock_t apmd_t:unix_stream_socket { read write };
')
@@ -84,7 +89,7 @@ dontaudit apmd_t domain:dir search;
ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
-rw_dir_create_file(apmd_t, var_lock_t)
+lock_domain(apmd)
# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
@@ -108,6 +113,7 @@ allow apmd_t initrc_var_run_t:file { read write lock };
#
# Allow it to run killof5 and pidof
#
+typeattribute apmd_t unrestricted;
r_dir_file(apmd_t, domain)
# Same for apm/acpid scripts
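Review bot: `typeattribute apmd_t unrestricted;` is placed under the comment "Allow it to run killof5 and pidof", but reading other domains' /proc entries is already covered by `r_dir_file(apmd_t, domain)` on the next line; whatever the `unrestricted` attribute carries (its definition is not in this diff) is presumably far broader than what pidof needs. If it is there for killall5's signalling, the comment should say so and name the permission it supplies; otherwise a targeted rule such as `allow apmd_t domain:process signal;` is the conventional fix. The typo "killof5" could become "killall5" while this block is being touched.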
diff --git a/strict/domains/program/arpwatch.te b/strict/domains/program/arpwatch.te
index 936d985..3065800 100644
--- a/strict/domains/program/arpwatch.te
+++ b/strict/domains/program/arpwatch.te
@@ -40,3 +40,9 @@ allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
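Review bot: The comment "why is mail delivered to a directory of type arpwatch_data_t?" records an open question, yet the rules beneath it are added anyway, and the second one, `allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;`, grants the mail agents read-write on arpwatch's temporary files, which the comment does not address at all. Turn the question into a tracked item, e.g. `# TODO(review): confirm why the MTA needs search on arpwatch_data_t and rw on arpwatch_tmp_t, then narrow to what is used`, and state whether write on arpwatch_tmp_t is actually required or only read.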
diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te
index dbbe8ef..d86e11d 100644
--- a/strict/domains/program/automount.te
+++ b/strict/domains/program/automount.te
@@ -25,8 +25,8 @@ allow automount_t fs_type:dir getattr;
allow automount_t { etc_t etc_runtime_t }:file { getattr read };
allow automount_t proc_t:file { getattr read };
-allow automount_t self:process { setpgid setsched };
-allow automount_t self:capability sys_nice;
+allow automount_t self:process { getpgid setpgid setsched };
+allow automount_t self:capability { sys_nice dac_override };
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
@@ -63,7 +63,13 @@ dontaudit automount_t var_t:dir write;
allow userdomain autofs_t:dir r_dir_perms;
allow kernel_t autofs_t:dir { getattr ioctl read search };
-allow automount_t home_root_t:dir getattr;
+allow automount_t { boot_t home_root_t }:dir getattr;
allow automount_t mnt_t:dir { getattr search };
-allow initrc_t automount_etc_t:file { getattr read };
+can_exec(initrc_t, automount_etc_t)
+
+# Allow automount to create and delete directories in / and /home
+file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
+
+allow automount_t var_lib_t:dir search;
+allow automount_t var_lib_nfs_t:dir search;
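Review bot: `can_exec(initrc_t, automount_etc_t)` replaces a plain `{ getattr read }`, so the init script can now execute anything labeled automount_etc_t rather than only read it; since that type covers the daemon's configuration, a comment stating which map file is a program would justify the wider grant, e.g. `# some auto.* maps are executable programs run by the init script`. The `file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)` line is commented, but a reader may still want to know why mount points created directly under / get the tmp type rather than a dedicated one.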
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
index 15ef978..b2e3622 100644
--- a/strict/domains/program/bluetooth.te
+++ b/strict/domains/program/bluetooth.te
@@ -17,7 +17,7 @@ tmp_domain(bluetooth)
# Use capabilities.
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
-rw_dir_create_file(bluetooth_t, var_lock_t)
+lock_domain(bluetooth)
# Use the network.
can_network_server(bluetooth_t)
@@ -26,7 +26,8 @@ ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
allow bluetooth_t system_dbusd_t:dbus send_msg;
')
-allow bluetooth_t self:socket { create setopt ioctl bind listen };
+allow bluetooth_t self:socket create_stream_socket_perms;
+
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
@@ -39,4 +40,6 @@ type bluetooth_conf_t, file_type, sysadmfile;
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
#/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { read };
+allow initrc_t usbfs_t:file { getattr read };
+allow bluetooth_t usbfs_t:dir r_dir_perms;
+allow bluetooth_t usbfs_t:file rw_file_perms;
diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te
index 706945f..5046cd0 100644
--- a/strict/domains/program/bootloader.te
+++ b/strict/domains/program/bootloader.te
@@ -13,7 +13,6 @@
type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
type bootloader_exec_t, file_type, sysadmfile, exec_type;
etc_domain(bootloader)
-typealias bootloader_etc_t alias etc_bootloader_t;
role sysadm_r types bootloader_t;
role system_r types bootloader_t;
diff --git a/strict/domains/program/canna.te b/strict/domains/program/canna.te
index f629788..feb4e52 100644
--- a/strict/domains/program/canna.te
+++ b/strict/domains/program/canna.te
@@ -29,6 +29,7 @@ allow canna_t canna_var_lib_t:dir create;
rw_dir_create_file(canna_t, canna_var_lib_t)
can_network_tcp(canna_t)
+allow canna_t port_type:tcp_socket name_connect;
can_ypbind(canna_t)
allow userdomain canna_var_run_t:dir search;
@@ -41,3 +42,5 @@ allow i18n_input_t canna_var_run_t:sock_file write;
can_unix_connect(i18n_input_t, canna_t)
')
+dontaudit canna_t kernel_t:fd use;
+dontaudit canna_t root_t:file read;
diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te
index 97ea0bc..d75b4f8 100644
--- a/strict/domains/program/checkpolicy.te
+++ b/strict/domains/program/checkpolicy.te
@@ -50,8 +50,6 @@ allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te
index 684f440..c1685db 100644
--- a/strict/domains/program/cups.te
+++ b/strict/domains/program/cups.te
@@ -11,17 +11,15 @@
# cupsd_t is the domain of cupsd.
# cupsd_exec_t is the type of the cupsd executable.
#
-type ipp_port_t, port_type, reserved_port_type;
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
etcdir_domain(cupsd)
-typealias cupsd_etc_t alias etc_cupsd_t;
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
can_network(cupsd_t)
+allow cupsd_t port_type:tcp_socket name_connect;
logdir_domain(cupsd)
-tmp_domain(cupsd)
+tmp_domain(cupsd, `', { file dir fifo_file })
allow cupsd_t devpts_t:dir search;
@@ -71,15 +69,22 @@ dontaudit cupsd_t etc_t:file write;
can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t reserved_port_t:tcp_socket name_bind;
+dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
allow cupsd_t self:unix_stream_socket create_socket_perms;
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:fifo_file rw_file_perms;
# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
dontaudit cupsd_t self:capability net_admin;
+#
+# /usr/lib/cups/backend/serial needs sys_admin
+# Need new context to run under???
+allow cupsd_t self:capability sys_admin;
+
allow cupsd_t self:process setsched;
# for /var/lib/defoma
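Review bot: `allow cupsd_t self:capability sys_admin;` grants the whole cupsd_t domain CAP_SYS_ADMIN for the sake of one backend, and the comment above it ("Need new context to run under???") already identifies the right fix as a separate domain for /usr/lib/cups/backend/serial. Record that so it is not lost: `# TODO: move /usr/lib/cups/backend/serial into its own domain; sys_admin is only needed there`. The new `reserved_port_t:tcp_socket name_bind` plus `dontaudit ... reserved_port_type` pair in the same hunk is also undocumented; one line naming the service port cupsd binds below 1024 would help.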
@@ -109,7 +114,7 @@ allow cupsd_t bin_t:lnk_file read;
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
# They will also invoke ghostscript, which needs to read fonts
-r_dir_file(cupsd_t, fonts_t)
+read_fonts(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
allow cupsd_t lib_t:file { read getattr };
@@ -120,7 +125,9 @@ allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
#
# lots of errors generated requiring the following
#
-allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
+
#
# Satisfy readahead
#
@@ -140,18 +147,23 @@ dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
# PTAL
daemon_domain(ptal)
etcdir_domain(ptal)
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
-allow ptal_t self:capability chown;
+
+file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
+allow ptal_t self:capability { chown sys_rawio };
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
+can_network_server_tcp(ptal_t)
+allow ptal_t ptal_port_t:tcp_socket name_bind;
+allow userdomain ptal_t:unix_stream_socket connectto;
+allow userdomain ptal_var_run_t:sock_file write;
+allow userdomain ptal_var_run_t:dir search;
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file { ioctl read write };
+allow ptal_t printer_device_t:chr_file rw_file_perms;
allow initrc_t printer_device_t:chr_file getattr;
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
-r_dir_file(ptal_t, usbfs_t)
+rw_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket connectto;
allow cupsd_t ptal_var_run_t:dir search;
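Review bot: `allow ptal_t self:capability { chown sys_rawio };` adds sys_rawio without any comment; raw I/O is one of the capabilities a reviewer expects to see justified, so say which device access the backend needs it for, e.g. `# sys_rawio: required by ptal for <device access — TODO name it>`. In the same hunk `allow userdomain ptal_t:unix_stream_socket connectto;` together with the sock_file write lets every user domain talk to ptal directly, a new client surface that a comment naming the intended client would document. `file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)` is given no object class, so it applies to every class; if only the fifo and socket files the removed lines mentioned are meant, pass them explicitly.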
@@ -160,19 +172,47 @@ dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
allow initrc_t ptal_var_run_t:dir rmdir;
allow initrc_t ptal_var_run_t:fifo_file unlink;
+
+# HPLIP
+daemon_domain(hplip)
+etcdir_domain(hplip)
+allow hplip_t etc_t:file r_file_perms;
+allow hplip_t etc_runtime_t:file { read getattr };
+allow hplip_t printer_device_t:chr_file rw_file_perms;
+allow cupsd_t hplip_var_run_t:file { read getattr };
+allow hplip_t cupsd_etc_t:dir search;
+can_network(hplip_t)
+allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
+allow hplip_t hplip_port_t:tcp_socket name_bind;
+
+# Uses networking to talk to the daemons
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+
+# for python
+can_exec(hplip_t, bin_t)
+allow hplip_t { sbin_t bin_t }:dir search;
+allow hplip_t self:file { getattr read };
+allow hplip_t proc_t:file r_file_perms;
+allow hplip_t urandom_device_t:chr_file { getattr read };
+allow hplip_t usr_t:{ file lnk_file } r_file_perms;
+
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
allow cupsd_t printconf_t:file { getattr read };
+ifdef(`dbusd.te', `
dbusd_client(system, cupsd)
-
-ifdef(`hald.te', `
+allow cupsd_t system_dbusd_t:dbus send_msg;
+allow cupsd_t userdomain:dbus send_msg;
+')
# CUPS configuration daemon
daemon_domain(cupsd_config)
allow cupsd_config_t devpts_t:dir search;
+allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
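Review bot: The comment `# Uses networking to talk to the daemons` heads the two `unix_dgram_socket`/`unix_stream_socket` rules for hplip_t, which are local IPC, not network access; the network rules are `can_network(hplip_t)` and the port rules above it. Rewording it to `# Unix-socket IPC with the other daemons` avoids a misleading label. The port grants here, scoped to `hplip_port_t` and `ipp_port_t`, are the pattern the blanket `port_type:tcp_socket name_connect` rules elsewhere in this diff could follow.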
@@ -196,8 +236,11 @@ allow cupsd_config_t self:capability chown;
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
can_network_tcp(cupsd_config_t)
+can_ypbind(cupsd_config_t)
+allow cupsd_config_t port_type:tcp_socket name_connect;
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
@@ -206,15 +249,23 @@ ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow cupsd_t system_dbusd_t:dbus send_msg;
allow userdomain cupsd_config_t:dbus send_msg;
-allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_config_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
+')dnl end if dbusd.te
+
+ifdef(`hald.te', `
+
+ifdef(`dbusd.te', `
allow cupsd_t hald_t:dbus send_msg;
+allow cupsd_config_t hald_t:dbus send_msg;
allow hald_t cupsd_t:dbus send_msg;
')dnl end if dbusd.te
+allow hald_t cupsd_config_t:process signal;
+domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+
+') dnl end if hald.te
+
+
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(cupsd_t, hostname_exec_t)
@@ -235,23 +286,27 @@ allow cupsd_config_t printconf_t:file { getattr read };
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
ifdef(`logrotate.te', `
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file read;
+allow cupsd_config_t crond_t:fifo_file r_file_perms;
allow cupsd_t crond_t:fifo_file read;
+allow cupsd_t crond_t:fd use;
# Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr;
-') dnl end if hald.te
ifdef(`targeted_policy', `
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
+allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
+allow unconfined_t cupsd_config_t:dbus send_msg;
+allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
')
-
-ifdef(`targeted_policy', `
-allow cupsd_t unconfined_t:dbus send_msg;
-')
+typealias printer_port_t alias cupsd_lpd_port_t;
+inetd_child_domain(cupsd_lpd)
+allow inetd_t printer_port_t:tcp_socket name_bind;
+r_dir_file(cupsd_lpd_t, cupsd_etc_t)
+r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
+allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te
index d101c1a..a22fce9 100644
--- a/strict/domains/program/cyrus.te
+++ b/strict/domains/program/cyrus.te
@@ -15,9 +15,8 @@ type cyrus_var_lib_t, file_type, sysadmfile;
allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
allow cyrus_t self:process setrlimit;
-allow initrc_su_t cyrus_var_lib_t:dir search;
-
can_network(cyrus_t)
+allow cyrus_t port_type:tcp_socket name_connect;
can_ypbind(cyrus_t)
can_exec(cyrus_t, bin_t)
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
@@ -27,14 +26,11 @@ allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
read_locale(cyrus_t)
read_sysctl(cyrus_t)
tmp_domain(cyrus)
-ifdef(`use_pop', `
-allow cyrus_t pop_port_t:tcp_socket name_bind;
-')
+allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
allow cyrus_t proc_t:dir search;
allow cyrus_t proc_t:file { getattr read };
allow cyrus_t sysadm_devpts_t:chr_file { read write };
-allow cyrus_t staff_t:fd use;
allow cyrus_t var_lib_t:dir search;
allow cyrus_t etc_runtime_t:file { read getattr };
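Review bot: `allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;` now binds the POP port unconditionally, where the removed lines gated it on the `use_pop` tunable; if `use_pop` is still honoured elsewhere this makes it ineffective for cyrus, and if it was dropped the commit should say so. Either keep the guard, `ifdef(`use_pop', `allow cyrus_t pop_port_t:tcp_socket name_bind;')`, or add a comment stating that cyrus always listens on both.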
@@ -42,6 +38,7 @@ ifdef(`crond.te', `
system_crond_entry(cyrus_exec_t, cyrus_t)
allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-allow system_crond_su_t cyrus_var_lib_t:dir search;
')
-allow cyrus_t mail_port_t:tcp_socket name_bind;
+create_dir_file(cyrus_t, mail_spool_t)
+allow cyrus_t var_spool_t:dir search;
+
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index 53f7de4..3703ce4 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@@ -15,14 +15,13 @@
# dhcpc_exec_t is the type of the dhcpcd executable.
# The dhcpc_t can be used for other DHCPC related files as well.
#
-type dhcpc_port_t, port_type, reserved_port_type;
-
daemon_domain(dhcpc)
# for SSP
allow dhcpc_t urandom_device_t:chr_file read;
can_network(dhcpc_t)
+allow dhcpc_t port_type:tcp_socket name_connect;
can_ypbind(dhcpc_t)
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
allow dhcpc_t self:unix_stream_socket create_socket_perms;
@@ -38,6 +37,7 @@ domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
')
ifdef(`nscd.te', `
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
+allow dhcpc_t nscd_var_run_t:file { getattr read };
')
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
@@ -69,7 +69,6 @@ allow ping_t cardmgr_t:fd use;
ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
')
type dhcpc_state_t, file_type, sysadmfile;
diff --git a/strict/domains/program/dictd.te b/strict/domains/program/dictd.te
index 39df03a..d610d07 100644
--- a/strict/domains/program/dictd.te
+++ b/strict/domains/program/dictd.te
@@ -10,11 +10,10 @@
#
# dictd_exec_t is the type of the dictd executable.
#
-type dict_port_t, port_type;
daemon_base_domain(dictd)
-type var_lib_dictd_t, file_type, sysadmfile;
+type dictd_var_lib_t, file_type, sysadmfile;
+typealias dictd_var_lib_t alias var_lib_dictd_t;
etc_domain(dictd)
-typealias dictd_etc_t alias etc_dictd_t;
# for checking for nscd
dontaudit dictd_t var_run_t:dir search;
@@ -25,8 +24,8 @@ allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
read_locale(dictd_t)
allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t var_lib_dictd_t:dir r_dir_perms;
-allow dictd_t var_lib_dictd_t:file r_file_perms;
+allow dictd_t dictd_var_lib_t:dir r_dir_perms;
+allow dictd_t dictd_var_lib_t:file r_file_perms;
allow dictd_t self:capability { setuid setgid };
diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te
index 9d91688..07f0f6f 100644
--- a/strict/domains/program/dovecot.te
+++ b/strict/domains/program/dovecot.te
@@ -3,17 +3,24 @@
# Author: Russell Coker
# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
+#
+# Main dovecot daemon
+#
daemon_domain(dovecot, `, privhome')
+etc_domain(dovecot);
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
can_exec(dovecot_t, dovecot_exec_t)
type dovecot_cert_t, file_type, sysadmfile;
+type dovecot_passwd_t, file_type, sysadmfile;
+type dovecot_spool_t, file_type, sysadmfile;
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
allow dovecot_t self:process setrlimit;
can_network_tcp(dovecot_t)
+allow dovecot_t port_type:tcp_socket name_connect;
can_ypbind(dovecot_t)
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
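Review bot: `etc_domain(dovecot);` carries a trailing semicolon that no other macro call in this file has (compare `daemon_domain(dovecot, `, privhome')` two lines above); m4 passes the `;` through into the generated policy after the expansion, where a bare `;` is at best an inconsistency and may be rejected by checkpolicy. Change it to `etc_domain(dovecot)`. The new types `dovecot_passwd_t` and `dovecot_spool_t` are declared without comments; since the first labels credential files read by dovecot_auth_t later in this diff, a line such as `# dovecot_passwd_t: dovecot password/userdb files` would help.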
@@ -25,9 +32,10 @@ allow dovecot_t bin_t:dir { getattr search };
can_exec(dovecot_t, bin_t)
allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t urandom_device_t:chr_file { getattr read };
allow dovecot_t cert_t:dir search;
-allow dovecot_t dovecot_cert_t:file { getattr read };
+r_dir_file(dovecot_t, dovecot_cert_t)
+r_dir_file(dovecot_t, cert_t)
allow dovecot_t { self proc_t }:file { getattr read };
allow dovecot_t self:fifo_file rw_file_perms;
@@ -36,11 +44,21 @@ can_kerberos(dovecot_t)
allow dovecot_t tmp_t:dir search;
rw_dir_file(dovecot_t, mail_spool_t)
+create_dir_file(dovecot_t, dovecot_spool_t)
+create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
allow dovecot_t var_spool_t:dir { search };
+#
+# Dovecot auth daemon
+#
daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
+can_ldap(dovecot_auth_t)
+can_ypbind(dovecot_auth_t)
+can_kerberos(dovecot_auth_t)
+can_resolve(dovecot_auth_t)
allow dovecot_auth_t self:process { fork signal_perms };
+allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
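Review bot: `allow dovecot_auth_t self:capability { setgid setuid };` and the four new `can_ldap`/`can_ypbind`/`can_kerberos`/`can_resolve` grants arrive with no comment, and this is the sub-domain that handles user credentials (it gains read access to dovecot_passwd_t in the next hunk). Presumably setuid/setgid are for dropping privileges after the password database is read and the directory-service macros are for remote credential lookup, but that should be stated next to the rules, e.g. `# auth worker drops to an unprivileged uid/gid after opening the passwd file; LDAP/NIS/Kerberos/DNS are needed for remote user lookup`. A reader auditing which domains can reach credential stores should not have to infer it.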
@@ -50,6 +68,6 @@ allow dovecot_auth_t etc_t:file { getattr read };
allow dovecot_auth_t { self proc_t }:file { getattr read };
read_locale(dovecot_auth_t)
read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t sysctl_t:dir search;
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
dontaudit dovecot_auth_t selinux_config_t:dir search;
diff --git a/strict/domains/program/fetchmail.te b/strict/domains/program/fetchmail.te
index d87c11f..225f08e 100644
--- a/strict/domains/program/fetchmail.te
+++ b/strict/domains/program/fetchmail.te
@@ -2,6 +2,7 @@
#
# Author: Greg Norris
# X-Debian-Packages: fetchmail
+# Depends: mta.te
#
# Note: This policy is only required when running fetchmail in daemon mode.
@@ -17,7 +18,10 @@ type fetchmail_uidl_cache_t, file_type, sysadmfile;
allow fetchmail_t self:process setrlimit;
# network-related goodies
-can_network(fetchmail_t)
+can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
+can_network_udp(fetchmail_t, dns_port_t)
+allow fetchmail_t port_type:tcp_socket name_connect;
+
allow fetchmail_t self:unix_dgram_socket create_socket_perms;
allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/strict/domains/program/fingerd.te b/strict/domains/program/fingerd.te
index 86705eb..73fee16 100644
--- a/strict/domains/program/fingerd.te
+++ b/strict/domains/program/fingerd.te
@@ -12,9 +12,7 @@
#
daemon_domain(fingerd)
-type fingerd_port_t, port_type, reserved_port_type;
etcdir_domain(fingerd)
-typealias fingerd_etc_t alias etc_fingerd_t;
allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
index 938899a..57d79f6 100644
--- a/strict/domains/program/ftpd.te
+++ b/strict/domains/program/ftpd.te
@@ -9,13 +9,11 @@
#
# Rules for the ftpd_t domain
#
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-daemon_domain(ftpd, `, auth_chkpwd')
+daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
etc_domain(ftpd)
-typealias ftpd_etc_t alias etc_ftpd_t;
can_network(ftpd_t)
+allow ftpd_t port_type:tcp_socket name_connect;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_socket_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -41,10 +39,13 @@ can_exec(ftpd_t, logrotate_exec_t)
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
allow ftpd_t port_t:tcp_socket name_bind;
+# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
+type ftpd_lock_t, file_type, sysadmfile, lockfile;
+
# Allow ftpd to run directly without inetd.
bool ftpd_is_daemon false;
if (ftpd_is_daemon) {
-rw_dir_create_file(ftpd_t, var_lock_t)
+file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
allow ftpd_t ftp_port_t:tcp_socket name_bind;
can_tcp_connect(userdomain, ftpd_t)
# Allows it to check exec privs on daemon
@@ -99,6 +100,8 @@ bool ftp_home_dir false;
if (ftp_home_dir) {
# allow access to /home
allow ftpd_t home_root_t:dir { getattr search };
+allow ftpd_t home_dir_type:dir r_dir_perms;
+create_dir_file(ftpd_t, home_type)
}
if (use_nfs_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, nfs_t)
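Review bot: `create_dir_file(ftpd_t, home_type)` under `ftp_home_dir` grants ftpd create, write and delete over every type carrying the home_type attribute, which is far wider than the `# allow access to /home` comment above it suggests. If types for user dotfiles or other sensitive per-user content are under home_type (not visible from this hunk), an authenticated FTP user could then rewrite them through the daemon. Either narrow the set to the home content types that should be FTP-writable, or replace the comment with one that states the real scope, e.g. `# ftp_home_dir: full read/write/create/delete over all home_type content, not just directory traversal`.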
@@ -110,7 +113,6 @@ dontaudit ftpd_t selinux_config_t:dir search;
#
# Type for access to anon ftp
#
-type ftpd_anon_t, file_type, sysadmfile, customizable;
r_dir_file(ftpd_t,ftpd_anon_t)
type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
create_dir_file(ftpd_t,ftpd_anon_rw_t)
diff --git a/strict/domains/program/games.te b/strict/domains/program/games.te
index 6129631..dee046c 100644
--- a/strict/domains/program/games.te
+++ b/strict/domains/program/games.te
@@ -13,5 +13,8 @@ daemon_domain(games,,nosysadm)
rw_dir_create_file(games_t, games_data_t)
r_dir_file(initrc_t, games_data_t)
+# Run in user_t
+bool disable_games_trans false;
+
# Everything else is in the x_client_domain macro in
# macros/program/x_client_macros.te.
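Review bot: The comment `# Run in user_t` on the new `bool disable_games_trans false;` does not say what the boolean changes; nothing in this hunk consumes it, so a reader must locate the macro that tests it to learn that enabling it presumably skips the transition and leaves games running in the invoking user's domain with that domain's full access. A comment such as `# When true, no transition to games_t takes place; games run in the caller's user domain (see x_client_macros.te)` would make the trade-off visible at the declaration. The same one-line comment is used for `disable_mozilla_trans` in mozilla.te, where the hunk also deletes the `mozilla_readhome` and `mozilla_writehome` booleans; if any rule in macros/program/mozilla_macros.te still tests them the policy will no longer build, and the diff does not show their consumers being removed.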
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
index 745d52e..fc8a2bb 100644
--- a/strict/domains/program/getty.te
+++ b/strict/domains/program/getty.te
@@ -11,7 +11,6 @@
init_service_domain(getty, `, privfd')
etcdir_domain(getty)
-typealias getty_etc_t alias etc_getty_t;
allow getty_t console_device_t:chr_file setattr;
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 95ebff9..2bdd0b5 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -29,7 +29,6 @@ allow hald_t { self proc_t }:file { getattr read };
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
-
allow hald_t bin_t:file getattr;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te
index 7fd6a39..65f5396 100644
--- a/strict/domains/program/hotplug.te
+++ b/strict/domains/program/hotplug.te
@@ -29,7 +29,7 @@ allow hotplug_t sysctl_net_t:file { getattr read };
# get info from /proc
r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read };
+allow hotplug_t self:file { getattr read ioctl };
allow hotplug_t devtty_t:chr_file rw_file_perms;
@@ -83,7 +83,9 @@ allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
+ifdef(`mount.te', `
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
+')
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
diff --git a/strict/domains/program/howl.te b/strict/domains/program/howl.te
index 026790a..ccb2fb1 100644
--- a/strict/domains/program/howl.te
+++ b/strict/domains/program/howl.te
@@ -3,7 +3,7 @@
# Author: Russell Coker
#
-daemon_domain(howl)
+daemon_domain(howl, `, privsysmod')
r_dir_file(howl_t, proc_net_t)
can_network_server(howl_t)
can_ypbind(howl_t)
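Review bot: `privsysmod` is added to howl's daemon_domain call with no comment on why a service-discovery responder needs module-loading privilege (the existing `sys_module` capability rule is visible as context in the next hunk). Presumably the attribute is what now authorises the kernel-module interaction that the capability alone no longer covers, but that reasoning belongs in the file: a network-facing daemon that can load kernel modules is a high-value target, so record the triggering denial, e.g. `# privsysmod: howl_t loads/queries kernel modules at startup (confirmed from audit denial)` once the actual cause is verified.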
@@ -12,7 +12,6 @@ allow howl_t self:capability { kill net_admin sys_module };
allow howl_t self:fifo_file rw_file_perms;
-type howl_port_t, port_type;
allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
allow howl_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te
index 2af68ab..c4e3d77 100644
--- a/strict/domains/program/hwclock.te
+++ b/strict/domains/program/hwclock.te
@@ -19,9 +19,6 @@ daemon_base_domain(hwclock)
role sysadm_r types hwclock_t;
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
type adjtime_t, file_type, sysadmfile;
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-')
allow hwclock_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/i18n_input.te b/strict/domains/program/i18n_input.te
index 8de3839..cdff6ca 100644
--- a/strict/domains/program/i18n_input.te
+++ b/strict/domains/program/i18n_input.te
@@ -2,17 +2,16 @@
# Security Policy for IIIMF htt server
# Date: 2004, 12th April (Monday)
-# Types for server port
-type i18n_input_port_t, port_type;
-
# Establish i18n_input as a daemon
daemon_domain(i18n_input)
can_exec(i18n_input_t, i18n_input_exec_t)
can_network(i18n_input_t)
+allow i18n_input_t port_type:tcp_socket name_connect;
can_ypbind(i18n_input_t)
can_tcp_connect(userdomain, i18n_input_t)
+can_unix_connect(i18n_input_t, initrc_t)
allow i18n_input_t self:fifo_file rw_file_perms;
allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
@@ -21,9 +20,14 @@ allow i18n_input_t self:capability { kill setgid setuid };
allow i18n_input_t self:process { setsched setpgid };
allow i18n_input_t { bin_t sbin_t }:dir search;
+can_exec(i18n_input_t, bin_t)
allow i18n_input_t etc_t:file r_file_perms;
allow i18n_input_t self:unix_dgram_socket create_socket_perms;
allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
+allow i18n_input_t usr_t:file { getattr read };
+allow i18n_input_t home_root_t:dir search;
+allow i18n_input_t etc_runtime_t:file { getattr read };
+allow i18n_input_t proc_t:file { getattr read };
diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te
index b2039ac..48ffb7b 100644
--- a/strict/domains/program/ifconfig.te
+++ b/strict/domains/program/ifconfig.te
@@ -21,9 +21,12 @@ uses_shlib(ifconfig_t)
general_domain_access(ifconfig_t)
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
+')
# for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
allow ifconfig_t etc_t:file { getattr read };
@@ -33,6 +36,7 @@ allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
allow ifconfig_t self:capability net_admin;
dontaudit ifconfig_t self:capability sys_module;
+allow ifconfig_t self:capability sys_tty_config;
# Inherit and use descriptors from init.
allow ifconfig_t { kernel_t init_t }:fd use;
@@ -66,3 +70,4 @@ allow ifconfig_t lib_t:file { getattr read };
rhgb_domain(ifconfig_t)
allow ifconfig_t userdomain:fd use;
dontaudit ifconfig_t root_t:file read;
+r_dir_file(ifconfig_t, sysfs_t)
diff --git a/strict/domains/program/inetd.te b/strict/domains/program/inetd.te
index c0eed55..5c88ab3 100644
--- a/strict/domains/program/inetd.te
+++ b/strict/domains/program/inetd.te
@@ -10,16 +10,11 @@
# Rules for the inetd_t domain and
# the inetd_child_t domain.
#
-type biff_port_t, port_type, reserved_port_type;
-
-#################################
-#
-# Rules for the inetd_t domain.
-#
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
can_network(inetd_t)
+allow inetd_t port_type:tcp_socket name_connect;
allow inetd_t self:unix_dgram_socket create_socket_perms;
allow inetd_t self:unix_stream_socket create_socket_perms;
allow inetd_t self:fifo_file rw_file_perms;
@@ -50,6 +45,7 @@ allow inetd_t talk_port_t:tcp_socket name_bind;
allow inetd_t ntalk_port_t:tcp_socket name_bind;
')
+allow inetd_t auth_port_t:tcp_socket name_bind;
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te
index 3aeb04f..3fb67de 100644
--- a/strict/domains/program/init.te
+++ b/strict/domains/program/init.te
@@ -131,10 +131,8 @@ can_exec(init_t,etc_t)
allow init_t lib_t:file { getattr read };
-ifdef(`rhgb.te', `
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
-')
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
@@ -142,6 +140,6 @@ r_dir_file(init_t, selinux_config_t)
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
-typeattribute init_t unrestricted;
+unconfined_domain(init_t)
')
diff --git a/strict/domains/program/innd.te b/strict/domains/program/innd.te
index 09b7c06..25047df 100644
--- a/strict/domains/program/innd.te
+++ b/strict/domains/program/innd.te
@@ -7,7 +7,6 @@
# Types for the server port and news spool.
#
-type innd_port_t, port_type, reserved_port_type;
type news_spool_t, file_type, sysadmfile;
@@ -29,6 +28,7 @@ can_exec(innd_t, hostname_exec_t)
allow innd_t var_spool_t:dir { getattr search };
can_network(innd_t)
+allow innd_t port_type:tcp_socket name_connect;
can_ypbind(innd_t)
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te
index 257c587..7ec13fc 100644
--- a/strict/domains/program/kudzu.te
+++ b/strict/domains/program/kudzu.te
@@ -20,7 +20,7 @@ allow kudzu_t memory_device_t:chr_file { read write execute };
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read };
+allow kudzu_t modules_conf_t:file { getattr read unlink };
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
@@ -38,7 +38,7 @@ allow kudzu_t usbdevfs_t:dir search;
allow kudzu_t usbdevfs_t:file { getattr read };
allow kudzu_t usbfs_t:dir search;
allow kudzu_t usbfs_t:file { getattr read };
-allow kudzu_t var_t:dir search;
+var_run_domain(kudzu)
allow kudzu_t kernel_t:system syslog_console;
allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t var_lock_t:dir search;
@@ -94,9 +94,19 @@ dontaudit kudzu_t file_t:dir search;
ifdef(`lpd.te', `
allow kudzu_t printconf_t:file { getattr read };
')
+ifdef(`cups.te', `
allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+')
dontaudit kudzu_t src_t:dir search;
ifdef(`xserver.te', `
allow kudzu_t xserver_exec_t:file getattr;
')
+ifdef(`userhelper.te', `
+role system_r types sysadm_userhelper_t;
+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+')
+
+allow kudzu_t initrc_t:unix_stream_socket connectto;
+allow kudzu_t net_conf_t:file { getattr read };
+
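Review bot: The new `domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)` moves a boot-time hardware-probe daemon into the sysadm userhelper domain without a comment naming which helper kudzu runs or why a dedicated kudzu helper domain would not do. Since `role system_r types sysadm_userhelper_t;` is also required to make the transition legal, a one-line justification such as `# kudzu runs userhelper to <action>; executes it in sysadm_userhelper_t` would let the next reviewer judge the privilege escalation path. The two added trailing blank lines at the end of the file are also unneeded.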
diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te
index 083063f..2ab5c48 100644
--- a/strict/domains/program/ldconfig.te
+++ b/strict/domains/program/ldconfig.te
@@ -39,7 +39,7 @@ dontaudit ldconfig_t httpd_modules_t:dir search;
')
allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file read;
+allow ldconfig_t proc_t:file { getattr read };
ifdef(`hide_broken_symptoms', `
ifdef(`unconfined.te',`
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te
index f54c963..8276f58 100644
--- a/strict/domains/program/load_policy.te
+++ b/strict/domains/program/load_policy.te
@@ -37,8 +37,8 @@ can_setbool(load_policy_t)
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+r_dir_file(load_policy_t, policy_config_t)
+r_dir_file(load_policy_t, selinux_config_t)
# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
@@ -56,6 +56,4 @@ allow load_policy_t { userdomain privfd initrc_t }:fd use;
allow load_policy_t fs_t:filesystem getattr;
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
read_locale(load_policy_t)
-r_dir_file(load_policy_t, selinux_config_t)
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
index 569c755..540b68f 100644
--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@@ -37,8 +37,7 @@ allow $1_login_t { var_t var_spool_t }:dir search;
allow $1_login_t var_t:lnk_file read;
# Read /etc.
-allow $1_login_t etc_t:dir r_dir_perms;
-allow $1_login_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_login_t, etc_t)
allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
read_locale($1_login_t)
@@ -109,7 +108,7 @@ allow $1_login_t wtmp_t:file rw_file_perms;
allow $1_login_t lastlog_t:file rw_file_perms;
# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { append read write };
+allow $1_login_t faillog_t:file { lock append read write };
# Search for mail spool file.
allow $1_login_t mail_spool_t:dir r_dir_perms;
diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te
index 6340f28..9cdcf6f 100644
--- a/strict/domains/program/logrotate.te
+++ b/strict/domains/program/logrotate.te
@@ -128,7 +128,7 @@ read_locale(logrotate_t)
allow logrotate_t fs_t:filesystem getattr;
can_exec(logrotate_t, shell_exec_t)
-can_exec(logrotate_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
can_exec(logrotate_t,logfile)
allow logrotate_t net_conf_t:file { getattr read };
diff --git a/strict/domains/program/lpd.te b/strict/domains/program/lpd.te
index 75825a3..76cd44d 100644
--- a/strict/domains/program/lpd.te
+++ b/strict/domains/program/lpd.te
@@ -15,12 +15,11 @@
# printer_t is the type of the Unix domain socket created
# by lpd.
#
-type printer_port_t, port_type, reserved_port_type;
daemon_domain(lpd)
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-r_dir_file(lpd_t, fonts_t)
+read_fonts(lpd_t)
type printer_t, file_type, sysadmfile, dev_fs;
@@ -37,6 +36,7 @@ type checkpc_t, domain, privlog;
role system_r types checkpc_t;
uses_shlib(checkpc_t)
can_network_client(checkpc_t)
+allow checkpc_t port_type:tcp_socket name_connect;
can_ypbind(checkpc_t)
log_domain(checkpc)
type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te
index 588459a..b2f593e 100644
--- a/strict/domains/program/mailman.te
+++ b/strict/domains/program/mailman.te
@@ -30,6 +30,7 @@ file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
can_network(mailman_$1_t)
+allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t var_t:dir r_dir_perms;
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 4643be1..ca8d7c1 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -30,7 +30,9 @@ type depmod_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
allow depmod_t { bin_t sbin_t }:dir search;
can_exec(depmod_t, depmod_exec_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
+')
# Inherit and use descriptors from init and login programs.
allow depmod_t { init_t privfd }:fd use;
@@ -94,7 +96,7 @@ allow insmod_t self:lnk_file read;
allow insmod_t usr_t:file { getattr read };
allow insmod_t privfd:fd use;
-allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write };
+allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
@@ -149,7 +151,7 @@ allow insmod_t proc_t:lnk_file read;
allow insmod_t mtrr_device_t:file write;
# Read /proc/sys/kernel/hotplug.
-allow insmod_t sysctl_hotplug_t:file read;
+allow insmod_t sysctl_hotplug_t:file { getattr read };
allow insmod_t device_t:dir read;
allow insmod_t devpts_t:dir { getattr search };
@@ -228,5 +230,3 @@ file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
tmp_domain(update_modules)
')dnl end IS_INITRD
-
-
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
index e79168b..8f1b7c1 100644
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@@ -37,19 +37,7 @@ allow mount_t file_t:file { getattr read unlink };
# Mount, remount and unmount file systems.
allow mount_t fs_type:filesystem mount_fs_perms;
-allow mount_t default_t:dir mounton;
-allow mount_t file_t:dir mounton;
-allow mount_t usr_t:dir mounton;
-allow mount_t var_t:dir mounton;
-allow mount_t proc_t:dir mounton;
-allow mount_t root_t:dir mounton;
-allow mount_t home_root_t:dir mounton;
-allow mount_t tmp_t:dir mounton;
-allow mount_t mnt_t:dir mounton;
-allow mount_t devpts_t:dir mounton;
-allow mount_t usbdevfs_t:dir mounton;
-allow mount_t sysfs_t:dir mounton;
-allow mount_t nfs_t:dir mounton;
+allow mount_t mount_point:dir mounton;
allow mount_t nfs_t:dir search;
# nfsv4 has a filesystem to mount for its userspace daemons
allow mount_t var_lib_nfs_t:dir mounton;
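Review bot: Collapsing the thirteen explicit `mounton` rules into `allow mount_t mount_point:dir mounton;` silently depends on every one of those types (default_t, file_t, usr_t, var_t, proc_t, root_t, home_root_t, tmp_t, mnt_t, devpts_t, usbdevfs_t, sysfs_t, nfs_t) now carrying the `mount_point` attribute, and this diff does not show where that attribute is attached. Any type that was missed becomes a runtime mount denial with no compile-time signal, and the retained `allow mount_t var_lib_nfs_t:dir mounton;` suggests at least one mount target intentionally sits outside the attribute. A comment at the new rule naming the declaration site, e.g. `# mount_point is assigned in <FILE WHERE THE ATTRIBUTE IS DECLARED>; add the attribute to a type rather than a rule here`, would make the dependency explicit.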
diff --git a/strict/domains/program/mozilla.te b/strict/domains/program/mozilla.te
index 3761e0d..f286ea0 100644
--- a/strict/domains/program/mozilla.te
+++ b/strict/domains/program/mozilla.te
@@ -8,11 +8,8 @@
type mozilla_exec_t, file_type, sysadmfile, exec_type;
type mozilla_conf_t, file_type, sysadmfile;
-# Allow mozilla to read files in the user home directory
-bool mozilla_readhome false;
-
-# Allow mozilla to write files in the user home directory
-bool mozilla_writehome false;
+# Run in user_t
+bool disable_mozilla_trans false;
# Everything else is in the mozilla_domain macro in
# macros/program/mozilla_macros.te.
diff --git a/strict/domains/program/mrtg.te b/strict/domains/program/mrtg.te
index 112b94d..e44889d 100644
--- a/strict/domains/program/mrtg.te
+++ b/strict/domains/program/mrtg.te
@@ -26,12 +26,14 @@ dontaudit mrtg_t usr_t:file ioctl;
logdir_domain(mrtg)
etcdir_domain(mrtg)
typealias mrtg_etc_t alias etc_mrtg_t;
-type var_lib_mrtg_t, file_type, sysadmfile;
+type mrtg_var_lib_t, file_type, sysadmfile;
+typealias mrtg_var_lib_t alias var_lib_mrtg_t;
type mrtg_lock_t, file_type, sysadmfile, lockfile;
r_dir_file(mrtg_t, lib_t)
# Use the network.
can_network_client(mrtg_t)
+allow mrtg_t port_type:tcp_socket name_connect;
can_ypbind(mrtg_t)
allow mrtg_t self:fifo_file { getattr read write ioctl };
@@ -58,7 +60,7 @@ allow mrtg_t { proc_t proc_net_t }:file { read getattr };
dontaudit mrtg_t proc_t:file ioctl;
allow mrtg_t { var_lock_t var_lib_t }:dir search;
-rw_dir_create_file(mrtg_t, var_lib_mrtg_t)
+rw_dir_create_file(mrtg_t, mrtg_var_lib_t)
rw_dir_create_file(mrtg_t, mrtg_lock_t)
ifdef(`distro_redhat', `
file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
@@ -79,7 +81,7 @@ read_sysctl(mrtg_t)
# for uptime
allow mrtg_t var_run_t:dir search;
-allow mrtg_t initrc_var_run_t:file read;
+allow mrtg_t initrc_var_run_t:file { getattr read };
dontaudit mrtg_t initrc_var_run_t:file { write lock };
allow mrtg_t etc_runtime_t:file { getattr read };
@@ -94,5 +96,5 @@ dontaudit mrtg_t quota_db_t:file getattr;
dontaudit mrtg_t root_t:lnk_file getattr;
allow mrtg_t self:capability { setgid setuid };
-can_exec(mrtg_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
allow mrtg_t var_spool_t:dir search;
diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te
index f664e03..e0c1ea2 100644
--- a/strict/domains/program/pppd.te
+++ b/strict/domains/program/pppd.te
@@ -32,14 +32,15 @@ allow pppd_t sysfs_t:dir search;
log_domain(pppd)
# Use the network.
-can_network_server(pppd_t)
+can_network(pppd_t)
can_ypbind(pppd_t)
-# Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid };
+allow pppd_t fingerd_port_t:tcp_socket name_connect;
+
-allow pppd_t var_lock_t:dir rw_dir_perms;
-allow pppd_t var_lock_t:file create_file_perms;
+# Use capabilities.
+allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+lock_domain(pppd)
# Access secret files
allow pppd_t pppd_secret_t:file r_file_perms;
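Review bot: The capability line now grants `dac_override` to pppd_t with no comment, and unlike `fowner` and `net_raw` (which are simply relocated here from the rule deleted in the last hunk) it is new in this commit. dac_override lets the daemon bypass DAC permission bits on every file its type rules allow, so the specific file it could not open before should be recorded next to it, e.g. `# dac_override: needed to read <FILE> which is not readable by pppd's uid`. The added `allow pppd_t fingerd_port_t:tcp_socket name_connect;` is likewise unexplained; a PPP daemon connecting to the finger port is unexpected enough to deserve a comment on which script triggers it.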
@@ -47,15 +48,17 @@ allow pppd_t pppd_secret_t:file r_file_perms;
ifdef(`postfix.te', `
allow pppd_t postfix_etc_t:dir search;
allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file read;
+allow pppd_t postfix_master_exec_t:file { getattr read };
allow postfix_postqueue_t pppd_t:fd use;
allow postfix_postqueue_t pppd_t:process sigchld;
')
# allow running ip-up and ip-down scripts and running chat.
can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
+can_exec(pppd_t, pppd_etc_rw_t)
+can_exec(pppd_t, hostname_exec_t)
allow pppd_t { bin_t sbin_t }:dir search;
-allow pppd_t bin_t:lnk_file read;
+allow pppd_t { sbin_t bin_t }:lnk_file read;
# Access /dev/ppp.
allow pppd_t ppp_device_t:chr_file rw_file_perms;
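Review bot: `can_exec(pppd_t, hostname_exec_t)` is added unconditionally, whereas this same commit wraps the identical rule in an ifdef on hostname.te for logrotate_t and mrtg_t; the unguarded form breaks the build for anyone who omits hostname.te. The same applies in the last hunk of this file to `can_exec(pptp_t, hostname_exec_t)` and to `domain_auto_trans(pppd_t, named_exec_t, named_t)`, which references named_t with no guard on named.te even though the insmod transition three lines above it is guarded on modutil.te. Wrap all three the way logrotate.te and mrtg.te do, and add a comment on why pppd should start a DNS server at all (a PPP-triggered named restart is plausible but is not stated).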
@@ -66,6 +69,8 @@ allow pppd_t self:unix_stream_socket create_socket_perms;
allow pppd_t proc_t:dir search;
allow pppd_t proc_t:{ file lnk_file } r_file_perms;
+allow pppd_t proc_net_t:dir { read search };
+allow pppd_t proc_net_t:file r_file_perms;
allow pppd_t etc_runtime_t:file r_file_perms;
@@ -92,8 +97,43 @@ allow unpriv_userdomain pppd_t:process signal;
# for pppoe
can_create_pty(pppd)
allow pppd_t self:file { read getattr };
-allow pppd_t self:capability { fowner net_raw };
+
allow pppd_t self:packet_socket create_socket_perms;
file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
tmp_domain(pppd)
+allow pppd_t sysctl_net_t:dir search;
+allow pppd_t sysctl_net_t:file r_file_perms;
+allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+allow pppd_t initrc_var_run_t:file r_file_perms;
+dontaudit pppd_t initrc_var_run_t:file { lock write };
+
+# pppd needs to load kernel modules for certain modems
+bool pppd_can_insmod false;
+if (pppd_can_insmod) {
+ifdef(`modutil.te', `
+domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
+')
+}
+domain_auto_trans(pppd_t, named_exec_t, named_t)
+
+daemon_domain(pptp)
+can_network_client_tcp(pptp_t)
+allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
+can_exec(pptp_t, hostname_exec_t)
+domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
+allow pptp_t self:rawip_socket create_socket_perms;
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow pptp_t self:unix_dgram_socket create_socket_perms;
+can_exec(pptp_t, pppd_etc_rw_t)
+allow pptp_t devpts_t:chr_file ioctl;
+r_dir_file(pptp_t, pppd_etc_rw_t)
+r_dir_file(pptp_t, pppd_etc_t)
+allow pptp_t devpts_t:dir search;
+allow pppd_t devpts_t:chr_file ioctl;
+allow pppd_t pptp_t:process signal;
+allow pptp_t self:capability net_raw;
+allow pptp_t self:fifo_file { read write };
+allow pptp_t ptmx_t:chr_file rw_file_perms;
+log_domain(pptp)
+allow pptp_t pppd_log_t:file append;
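Review bot: The entire pptp daemon definition, from `daemon_domain(pptp)` to the end of the hunk, is appended to pppd.te with no section header, while this commit adds `# Main dovecot daemon` / `# Dovecot auth daemon` headers to dovecot.te; a `#` block stating that pptp_t is the PPTP client launched by pppd_t, that it gets `rawip_socket` and `net_raw` presumably for the GRE tunnel, and that it shares pppd_etc_rw_t and pppd_log_t would match that style. `allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;` is also broad for a client whose control connection goes to one well-known port; if that port has its own type, name it instead. `bool pppd_can_insmod false;` is the right shape for an optional privilege, but a one-line comment on the impact of enabling it (pppd may then load arbitrary modules through insmod_t) would help administrators who toggle it.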
diff --git a/strict/domains/program/prelink.te b/strict/domains/program/prelink.te
index 2d36473..3ffa0d7 100644
--- a/strict/domains/program/prelink.te
+++ b/strict/domains/program/prelink.te
@@ -9,15 +9,10 @@
#
# prelink_exec_t is the type of the prelink executable.
#
-daemon_base_domain(prelink, `, admin')
+daemon_base_domain(prelink, `, admin, privowner')
-if (allow_execmem) {
-allow prelink_t self:process execmem;
-}
-if (allow_execmod) {
+allow prelink_t self:process { execheap execmem execstack };
allow prelink_t texrel_shlib_t:file execmod;
-}
-
allow prelink_t fs_t:filesystem getattr;
ifdef(`crond.te', `
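Review bot: Replacing the `if (allow_execmem)` / `if (allow_execmod)` conditionals with an unconditional `allow prelink_t self:process { execheap execmem execstack };` removes the administrator's ability to deny writable-executable memory to prelink through those booleans, and also adds `execheap` and `execstack`, which the old conditional never granted. If prelink genuinely cannot run without all three, say so at the rule, e.g. `# prelink relocates and test-loads libraries in its own address space and needs execheap/execmem/execstack unconditionally`; otherwise keep the boolean gating so the W^X policy stays tunable. The `privowner` attribute added to the daemon_base_domain call is equally uncommented, presumably so rewritten libraries keep their original SELinux user identity, and that should be stated.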
@@ -36,7 +31,7 @@ allow prelink_t etc_prelink_t:file { getattr read };
allow prelink_t file_type:dir rw_dir_perms;
allow prelink_t file_type:lnk_file r_file_perms;
allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `var_lib_xkb_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
allow prelink_t ld_so_t:file execute_no_trans;
allow prelink_t self:capability { chown dac_override fowner fsetid };
diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te
index 81af770..347587b 100644
--- a/strict/domains/program/procmail.te
+++ b/strict/domains/program/procmail.te
@@ -20,6 +20,7 @@ uses_shlib(procmail_t)
allow procmail_t device_t:dir search;
can_network_server(procmail_t)
can_ypbind(procmail_t)
+can_winbind(procmail_t)
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
@@ -57,6 +58,9 @@ allow procmail_t { self proc_t }:lnk_file read;
# for spamassasin
allow procmail_t usr_t:file { getattr ioctl read };
+ifdef(`spamassassin.te', `
+can_exec(procmail_t, spamassassin_exec_t)
+')
# Search /var/run.
allow procmail_t var_run_t:dir { getattr search };
diff --git a/strict/domains/program/radius.te b/strict/domains/program/radius.te
index 4e7f194..5d02923 100644
--- a/strict/domains/program/radius.te
+++ b/strict/domains/program/radius.te
@@ -10,12 +10,9 @@
#
# radiusd_exec_t is the type of the radiusd executable.
#
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
daemon_domain(radiusd, `, auth')
etcdir_domain(radiusd)
-typealias radiusd_etc_t alias etc_radiusd_t;
system_crond_entry(radiusd_exec_t, radiusd_t)
diff --git a/strict/domains/program/radvd.te b/strict/domains/program/radvd.te
index 1e8b3ff..868ef8b 100644
--- a/strict/domains/program/radvd.te
+++ b/strict/domains/program/radvd.te
@@ -15,14 +15,15 @@ allow radvd_t etc_t:file { getattr read };
allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
-allow radvd_t self:capability net_raw;
+allow radvd_t self:capability { setgid setuid net_raw };
allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
allow radvd_t self:unix_stream_socket create_socket_perms;
can_network_server(radvd_t)
+can_ypbind(radvd_t)
-allow radvd_t proc_t:dir r_dir_perms;
-allow radvd_t proc_t:file { getattr read };
+allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
+allow radvd_t { proc_t proc_net_t }:file { getattr read };
allow radvd_t etc_t:lnk_file read;
allow radvd_t sysctl_net_t:file r_file_perms;
diff --git a/strict/domains/program/rhgb.te b/strict/domains/program/rhgb.te
index cc15ff1..5d176e9 100644
--- a/strict/domains/program/rhgb.te
+++ b/strict/domains/program/rhgb.te
@@ -40,13 +40,13 @@ allow rhgb_t self:capability { sys_admin sys_tty_config };
dontaudit rhgb_t var_run_t:dir search;
can_network_client(rhgb_t)
+allow rhgb_t port_type:tcp_socket name_connect;
can_ypbind(rhgb_t)
-# for fonts
allow rhgb_t usr_t:{ file lnk_file } { getattr read };
# for running setxkbmap
-r_dir_file(rhgb_t, var_lib_xkb_t)
+r_dir_file(rhgb_t, xkb_var_lib_t)
# for localization
allow rhgb_t lib_t:file { getattr read };
@@ -67,8 +67,7 @@ can_unix_connect(initrc_t, rhgb_t)
tmpfs_domain(rhgb)
allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
-allow rhgb_t fonts_t:dir { getattr read search };
-allow rhgb_t fonts_t:file { getattr read };
+read_fonts(rhgb_t)
# for nscd
dontaudit rhgb_t var_t:dir search;
diff --git a/strict/domains/program/rpcd.te b/strict/domains/program/rpcd.te
index d921e3c..9fae932 100644
--- a/strict/domains/program/rpcd.te
+++ b/strict/domains/program/rpcd.te
@@ -11,8 +11,13 @@
# Rules for the rpcd_t and nfsd_t domain.
#
define(`rpc_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `, transitionbool')
+', `
daemon_base_domain($1)
+')
can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
can_ypbind($1_t)
allow $1_t etc_t:file { getattr read };
read_locale($1_t)
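Review bot: The `allow $1_t port_type:tcp_socket name_connect;` line inside `rpc_domain` gives every domain built from the macro (rpcd, nfsd and gssd, per the rest of this file) outbound TCP connects to all port types, which is broader than the per-port grants used elsewhere in this diff (saslauthd gets only `pop_port_t`, freshclam only `http_port_t`). These daemons mostly talk to portmap and, for gssd, kerberos, so consider passing the needed port type as a macro argument or listing the few required types explicitly in place of `port_type`. The `rpc_domain` macro definition continues past the end of this hunk.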
@@ -88,7 +93,8 @@ type nfsd_ro_t, file_type, sysadmfile, usercanread;
bool nfs_export_all_rw false;
if(nfs_export_all_rw) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t, noexattrfile)
create_dir_file(kernel_t,{ file_type -shadow_t })
}
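Review bot: Inside the `nfs_export_all_rw` block, `r_dir_file(kernel_t, noexattrfile)` gives the kernel NFS server only read access to non-xattr filesystems, while `create_dir_file(kernel_t,{ file_type -shadow_t })` gives it create/write on everything else, so a read-write export of a noexattrfile filesystem would presumably still be denied writes. If read-write export of those filesystems is intended, the rw branch should use `create_dir_file(kernel_t, noexattrfile)`, or a combined `{ noexattrfile file_type -shadow_t }` as the `nfsd_t` line just above does; if the asymmetry is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.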
@@ -97,8 +103,8 @@ dontaudit kernel_t shadow_t:file getattr;
bool nfs_export_all_ro false;
if(nfs_export_all_ro) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ file_type -shadow_t })
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
}
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
@@ -113,7 +119,7 @@ can_udp_send(nfsd_t, kernel_t)
allow nfsd_t var_run_t:dir search;
allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_t:filesystem getattr;
+allow nfsd_t fs_type:filesystem getattr;
can_udp_send(nfsd_t, portmap_t)
can_udp_send(portmap_t, nfsd_t)
@@ -131,7 +137,9 @@ allow rpcd_t proc_net_t:dir search;
rpc_domain(gssd)
can_kerberos(gssd_t)
+ifdef(`kerberos.te', `
allow gssd_t krb5_keytab_t:file r_file_perms;
+')
allow gssd_t urandom_device_t:chr_file { getattr read };
r_dir_file(gssd_t, tmp_t)
tmp_domain(gssd)
@@ -139,3 +147,7 @@ allow gssd_t self:fifo_file { read write };
r_dir_file(gssd_t, proc_net_t)
allow gssd_t rpc_pipefs_t:dir r_dir_perms;
allow gssd_t rpc_pipefs_t:sock_file { read write };
+allow gssd_t rpc_pipefs_t:file r_file_perms;
+allow gssd_t self:capability setuid;
+allow nfsd_t devtty_t:chr_file rw_file_perms;
+allow rpcd_t devtty_t:chr_file rw_file_perms;
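Review bot: `allow nfsd_t devtty_t:chr_file rw_file_perms;` and `allow rpcd_t devtty_t:chr_file rw_file_perms;` grant daemons read/write on the controlling tty, which this policy otherwise handles for daemons with `dontaudit` (compare `dontaudit cvs_t devtty_t:chr_file { read write };` in cvs.te in this same diff); unless rpc.nfsd/rpc.statd genuinely need a terminal, these should be `dontaudit nfsd_t devtty_t:chr_file rw_file_perms;` and the same for `rpcd_t`. The new `allow gssd_t self:capability setuid;` also lacks a comment explaining the need; `# setuid: rpc.gssd switches uid to read per-user credential caches -- TODO confirm` is my reading.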
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
index c964b14..0fc36f9 100644
--- a/strict/domains/program/rpm.te
+++ b/strict/domains/program/rpm.te
@@ -7,8 +7,8 @@
#
# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
# rpm_exec_t is the type of the rpm executables.
-# var_log_rpm_t is the type for rpm log files (/var/log/rpmpkgs*)
-# var_lib_rpm_t is the type for rpm files in /var/lib
+# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
+# rpm_var_lib_t is the type for rpm files in /var/lib
#
type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
role system_r types rpm_t;
@@ -252,4 +252,7 @@ unconfined_domain(rpm_t)
typeattribute rpm_script_t auth_write;
unconfined_domain(rpm_script_t)
')
+if (allow_execmem) {
+allow rpm_script_t self:process execmem;
+}
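Review bot: The new `if (allow_execmem) { allow rpm_script_t self:process execmem; }` sits after the `')` that closes the preceding ifdef, so it applies to `rpm_script_t` in every policy flavour, including the one where `rpm_script_t` is already `unconfined_domain` (visible just above) and the rule is redundant. Add a line saying which scriptlets need writable-and-executable anonymous memory, e.g. `# scriptlets that run JIT-style interpreters need execmem; gated on the global allow_execmem boolean`, and if the need is confined to strict policy, move the block inside the matching branch. The condition on the opening line of that ifdef is outside this hunk, so which flavour it belongs to is inferred.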
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
index f1da21e..33006bd 100644
--- a/strict/domains/program/rshd.te
+++ b/strict/domains/program/rshd.te
@@ -9,7 +9,6 @@
#
# Rules for the rshd_t domain.
#
-type rsh_port_t, port_type, reserved_port_type;
daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
ifdef(`tcpd.te', `
diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te
index f51ccd0..c10b03b 100644
--- a/strict/domains/program/saslauthd.te
+++ b/strict/domains/program/saslauthd.te
@@ -3,7 +3,7 @@
# Author: Colin Walters
#
-daemon_domain(saslauthd, `, auth_chkpwd')
+daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
allow saslauthd_t self:fifo_file { read write };
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
@@ -15,9 +15,17 @@ allow saslauthd_t etc_t:file r_file_perms;
allow saslauthd_t net_conf_t:file r_file_perms;
allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file read;
+allow saslauthd_t proc_t:file { getattr read };
allow saslauthd_t urandom_device_t:chr_file { getattr read };
# Needs investigation
dontaudit saslauthd_t home_root_t:dir getattr;
+can_network_client_tcp(saslauthd_t)
+allow saslauthd_t pop_port_t:tcp_socket name_connect;
+
+bool allow_saslauthd_read_shadow false;
+
+if (allow_saslauthd_read_shadow) {
+allow saslauthd_t shadow_t:file r_file_perms;
+}
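Review bot: The new `allow_saslauthd_read_shadow` boolean lets a network-reachable authentication daemon read `shadow_t` directly, bypassing the `auth_chkpwd` helper path the domain already has on its `daemon_domain` line, and the declaration carries no comment about that trade-off. I would document it at the `bool` line: `# Let saslauthd read /etc/shadow itself (for its shadow/getpwent mechanism) instead of via unix_chkpwd; a compromised saslauthd then exposes every password hash, so leave this off when PAM-based checking works.` The mechanism names are inferred from the daemon's configuration options and should be confirmed. The `pop_port_t`-only `name_connect` in the same hunk is the right pattern, in contrast to the blanket `port_type` grants elsewhere in this change.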
diff --git a/strict/domains/program/sendmail.te b/strict/domains/program/sendmail.te
index 958d13e..2ee8d2d 100644
--- a/strict/domains/program/sendmail.te
+++ b/strict/domains/program/sendmail.te
@@ -26,6 +26,7 @@ allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown
# Use the network.
can_network(sendmail_t)
+allow sendmail_t port_type:tcp_socket name_connect;
can_ypbind(sendmail_t)
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
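Review bot: `allow sendmail_t port_type:tcp_socket name_connect;` gives sendmail outbound connects to every labelled TCP port, where an MTA needs SMTP and, depending on setup, a small number of others (LDAP, LMTP, milter). This is a strict-policy file, so list what the MTA actually dials, e.g. `allow sendmail_t { smtp_port_t ldap_port_t }:tcp_socket name_connect;` using the port type names this policy defines, and extend the set as denials appear rather than starting from everything. `can_network(sendmail_t)` on the line above already supplies the socket permissions, so the per-port `name_connect` is all that is missing.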
diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te
index 26c275f..f3bdbd9 100644
--- a/strict/domains/program/setfiles.te
+++ b/strict/domains/program/setfiles.te
@@ -18,6 +18,9 @@ type setfiles_exec_t, file_type, sysadmfile, exec_type;
role system_r types setfiles_t;
role sysadm_r types setfiles_t;
+ifdef(`distro_redhat', `
+domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
+')
allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
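Review bot: The new `ifdef(`distro_redhat', ...)` around `domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)` has no comment saying why init scripts on Red Hat need to run setfiles in its own domain while other distros do not; the boot-time `/.autorelabel` handling in rc.sysinit is the likely reason, but that is inferred. A comment above the ifdef such as `# Red Hat rc.sysinit runs setfiles for /.autorelabel; keep it in setfiles_t rather than initrc_t` would make the guard self-explaining. The point worth spelling out is that without the transition a relabel launched from an init script runs with initrc_t's permissions instead of the narrower setfiles_t.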
@@ -52,8 +55,8 @@ allow setfiles_t fs_type:dir r_dir_perms;
read_locale(setfiles_t)
-allow setfiles_t etc_runtime_t:file read;
-allow setfiles_t etc_t:file read;
+allow setfiles_t etc_runtime_t:file { getattr read };
+allow setfiles_t etc_t:file { getattr read };
allow setfiles_t proc_t:file { getattr read };
dontaudit setfiles_t proc_t:lnk_file { getattr read };
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
index bab118a..8cca78e 100644
--- a/strict/domains/program/slapd.te
+++ b/strict/domains/program/slapd.te
@@ -12,11 +12,9 @@
#
daemon_domain(slapd)
-type ldap_port_t, port_type, reserved_port_type;
allow slapd_t ldap_port_t:tcp_socket name_bind;
etc_domain(slapd)
-typealias slapd_etc_t alias etc_slapd_t;
type slapd_db_t, file_type, sysadmfile;
type slapd_replog_t, file_type, sysadmfile;
@@ -24,6 +22,7 @@ tmp_domain(slapd)
# Use the network.
can_network(slapd_t)
+allow slapd_t port_type:tcp_socket name_connect;
can_ypbind(slapd_t)
allow slapd_t self:fifo_file { read write };
allow slapd_t self:unix_stream_socket create_socket_perms;
@@ -32,7 +31,7 @@ allow slapd_t self:unix_dgram_socket create_socket_perms;
can_tcp_connect(domain, slapd_t)
# Use capabilities should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
+allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
allow slapd_t self:process setsched;
allow slapd_t proc_t:file r_file_perms;
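Review bot: Adding `dac_override dac_read_search` to slapd_t's capability line lets the directory server bypass file mode bits on every type its SELinux rules already allow, and the comment right above it (`Use capabilities should not need kill...`) already questions the breadth of that line. If the trigger is a root-owned database or config file that slapd cannot open after dropping to its service uid, fixing ownership of the `slapd_db_t`/`slapd_etc_t` files removes the need; otherwise record why, e.g. `# dac_read_search: slapd starts as root, drops uid, then must open <file> -- TODO confirm`, and prefer `dac_read_search` alone if only reads are involved. The filename in that comment is a placeholder I cannot fill from the diff.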
@@ -50,7 +49,7 @@ allow slapd_t etc_t:{ file lnk_file } { getattr read };
allow slapd_t etc_runtime_t:file { getattr read };
# for startup script
-allow initrc_t slapd_etc_t:file read;
+allow initrc_t slapd_etc_t:file { getattr read };
allow slapd_t etc_t:dir r_dir_perms;
diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te
index da3219c..d854f59 100644
--- a/strict/domains/program/slocate.te
+++ b/strict/domains/program/slocate.te
@@ -2,7 +2,6 @@
#
# Author: Dan Walsh
#
-# Depends: inetd.te
#################################
#
@@ -36,11 +35,11 @@ allow locate_t unlabeled_t:dir read;
logdir_domain(locate)
etcdir_domain(locate)
-typealias locate_etc_t alias etc_locate_t;
-type var_lib_locate_t, file_type, sysadmfile;
+type locate_var_lib_t, file_type, sysadmfile;
+typealias locate_var_lib_t alias var_lib_locate_t;
-create_dir_file(locate_t, var_lib_locate_t)
+create_dir_file(locate_t, locate_var_lib_t)
dontaudit locate_t sysadmfile:file getattr;
allow locate_t proc_t:file { getattr read };
diff --git a/strict/domains/program/spamd.te b/strict/domains/program/spamd.te
index c54d771..01283ca 100644
--- a/strict/domains/program/spamd.te
+++ b/strict/domains/program/spamd.te
@@ -9,7 +9,6 @@ daemon_domain(spamd)
tmp_domain(spamd)
-type spamd_port_t, port_type, reserved_port_type;
allow spamd_t spamd_port_t:tcp_socket name_bind;
general_domain_access(spamd_t)
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
index b0810b1..06d411d 100644
--- a/strict/domains/program/squid.te
+++ b/strict/domains/program/squid.te
@@ -28,7 +28,7 @@ allow squid_t usr_t:file { getattr read };
# type for /var/cache/squid
type squid_cache_t, file_type, sysadmfile;
-allow squid_t self:capability { setgid setuid net_bind_service };
+allow squid_t self:capability { setgid setuid net_bind_service dac_override };
allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
allow squid_t etc_t:lnk_file read;
allow squid_t self:unix_stream_socket create_socket_perms;
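Review bot: `dac_override` is added to squid_t's capability set with no comment explaining which access fails without it; DAC override lets the proxy ignore mode bits on any file its policy already covers (cache, config, logs), so it widens what a compromised squid can do with otherwise protected files. If the cause is a cache or log directory owned by a different uid, fixing ownership is the better fix; if it must stay, annotate it, e.g. `# dac_override: squid starts as root and must reach squid_cache_t files owned by its effective user -- TODO confirm`. The exact trigger is not visible in this diff.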
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index d07b314..a1eb5ec 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@@ -19,8 +19,6 @@ bool run_ssh_inetd false;
type sshd_exec_t, file_type, exec_type, sysadmfile;
type sshd_key_t, file_type, sysadmfile;
-type ssh_port_t, port_type, reserved_port_type;
-
define(`sshd_program_domain', `
# privowner is for changing the identity on the terminal device
# privfd is for passing the terminal file handle to the user process
diff --git a/strict/domains/program/stunnel.te b/strict/domains/program/stunnel.te
index 1b3a937..4dbfcec 100644
--- a/strict/domains/program/stunnel.te
+++ b/strict/domains/program/stunnel.te
@@ -3,11 +3,11 @@
# Author: petre rodan
#
ifdef(`distro_gentoo', `
-type stunnel_port_t, port_type;
daemon_domain(stunnel)
can_network(stunnel_t)
+allow stunnel_t port_type:tcp_socket name_connect;
allow stunnel_t self:capability { setgid setuid sys_chroot };
allow stunnel_t self:fifo_file { read write };
diff --git a/strict/domains/program/sysstat.te b/strict/domains/program/sysstat.te
index 4010c95..f01da4c 100644
--- a/strict/domains/program/sysstat.te
+++ b/strict/domains/program/sysstat.te
@@ -42,7 +42,6 @@ allow sysstat_t self:fifo_file rw_file_perms;
# Type for files created during execution of sysstatd.
logdir_domain(sysstat)
-typealias sysstat_log_t alias var_log_sysstat_t;
allow sysstat_t var_t:dir search;
allow sysstat_t etc_t:dir r_dir_perms;
diff --git a/strict/domains/program/tftpd.te b/strict/domains/program/tftpd.te
index 3e9de29..c749987 100644
--- a/strict/domains/program/tftpd.te
+++ b/strict/domains/program/tftpd.te
@@ -13,8 +13,6 @@
#
daemon_domain(tftpd)
-type tftp_port_t, port_type, reserved_port_type;
-
# tftpdir_t is the type of files in the /tftpboot directories.
type tftpdir_t, file_type, sysadmfile;
r_dir_file(tftpd_t, tftpdir_t)
diff --git a/strict/domains/program/traceroute.te b/strict/domains/program/traceroute.te
index ed9106a..af25e20 100644
--- a/strict/domains/program/traceroute.te
+++ b/strict/domains/program/traceroute.te
@@ -19,6 +19,7 @@ role system_r types traceroute_t;
in_user_role(traceroute_t)
uses_shlib(traceroute_t)
can_network_client(traceroute_t)
+allow traceroute_t port_type:tcp_socket name_connect;
can_ypbind(traceroute_t)
allow traceroute_t node_t:rawip_socket node_bind;
type traceroute_exec_t, file_type, sysadmfile, exec_type;
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
index 74c368d..eae23a2 100644
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@@ -19,7 +19,6 @@ allow udev_t self:process execmem;
}
etc_domain(udev)
-typealias udev_etc_t alias etc_udev_t;
type udev_helper_exec_t, file_type, sysadmfile, exec_type;
can_exec_any(udev_t)
@@ -75,7 +74,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;
-domain_auto_trans(initrc_t, udev_exec_t, udev_t)
domain_auto_trans(kernel_t, udev_exec_t, udev_t)
domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
ifdef(`hide_broken_symptoms', `
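Review bot: Removing `domain_auto_trans(initrc_t, udev_exec_t, udev_t)` means a udev binary started from an init script (rather than by the kernel, which keeps its `kernel_t` transition on the next line) now stays in `initrc_t`, and the hunk leaves no note on why the transition is no longer wanted. If udevstart/udevd is still launched from rc scripts on any supported distro, that invocation would run with initrc_t's much broader permissions and lose the `can_exec_any`-bounded udev_t domain; if the kernel path is now the only launcher, say so, e.g. `# udev is started only by the kernel hotplug helper; no initrc_t transition`. Which launcher each distro uses cannot be determined from this diff.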
@@ -86,7 +84,6 @@ allow udev_t etc_runtime_t:file { getattr read };
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
')
-dontaudit udev_t staff_home_dir_t:dir search;
ifdef(`hotplug.te', `
r_dir_file(udev_t, hotplug_etc_t)
diff --git a/strict/domains/program/unused/NetworkManager.te b/strict/domains/program/unused/NetworkManager.te
new file mode 100644
index 0000000..1ef8916
--- /dev/null
+++ b/strict/domains/program/unused/NetworkManager.te
@@ -0,0 +1,108 @@
+#DESC NetworkManager -
+#
+# Authors: Dan Walsh
+#
+#
+
+#################################
+#
+# Rules for the NetworkManager_t domain.
+#
+# NetworkManager_t is the domain for the NetworkManager daemon.
+# NetworkManager_exec_t is the type of the NetworkManager executable.
+#
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+
+can_network(NetworkManager_t)
+allow NetworkManager_t port_type:tcp_socket name_connect;
+allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
+allow NetworkManager_t dhcpc_t:process signal;
+
+can_ypbind(NetworkManager_t)
+uses_shlib(NetworkManager_t)
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
+
+allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
+allow NetworkManager_t self:process { setcap getsched };
+allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
+allow NetworkManager_t self:file { getattr read };
+allow NetworkManager_t self:packet_socket create_socket_perms;
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+
+
+#
+# Communicate with Caching Name Server
+#
+ifdef(`named.te', `
+allow NetworkManager_t named_zone_t:dir search;
+rw_dir_create_file(NetworkManager_t, named_cache_t)
+domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
+allow named_t NetworkManager_t:udp_socket { read write };
+allow named_t NetworkManager_t:netlink_route_socket { read write };
+allow NetworkManager_t named_t:process signal;
+allow named_t NetworkManager_t:packet_socket { read write };
+')
+
+allow NetworkManager_t selinux_config_t:dir search;
+allow NetworkManager_t selinux_config_t:file { getattr read };
+
+ifdef(`dbusd.te', `
+dbusd_client(system, NetworkManager)
+allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow NetworkManager_t self:dbus send_msg;
+ifdef(`hald.te', `
+allow NetworkManager_t hald_t:dbus send_msg;
+allow hald_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t initrc_t:dbus send_msg;
+allow initrc_t NetworkManager_t:dbus send_msg;
+ifdef(`targeted_policy', `
+allow NetworkManager_t unconfined_t:dbus send_msg;
+allow unconfined_t NetworkManager_t:dbus send_msg;
+')
+allow NetworkManager_t userdomain:dbus send_msg;
+allow userdomain NetworkManager_t:dbus send_msg;
+')
+
+allow NetworkManager_t usr_t:file { getattr read };
+
+ifdef(`ifconfig.te', `
+domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
+')dnl end if def ifconfig
+
+allow NetworkManager_t { sbin_t bin_t }:dir search;
+allow NetworkManager_t bin_t:lnk_file read;
+can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
+
+# in /etc created by NetworkManager will be labelled net_conf_t.
+file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
+
+allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
+allow NetworkManager_t proc_t:file { getattr read };
+r_dir_file(NetworkManager_t, proc_net_t)
+
+allow NetworkManager_t { domain -unrestricted }:dir search;
+allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+dontaudit NetworkManager_t unrestricted:dir search;
+dontaudit NetworkManager_t unrestricted:file { getattr read };
+
+allow NetworkManager_t howl_t:process signal;
+allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
+
+domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
+domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`vpnc.te', `
+domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
+')
+
+ifdef(`dhcpc.te', `
+allow NetworkManager_t dhcp_state_t:dir search;
+allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
+')
+allow NetworkManager_t var_lib_t:dir search;
+dontaudit NetworkManager_t user_tty_type:chr_file { read write };
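Review bot: `allow NetworkManager_t self:capability { ... sys_module}` grants the daemon direct module-loading capability even though the file also gives it `domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)` and the `privsysmod` attribute on its `daemon_domain` line; a process reachable over D-Bus and bound to `dhcpc_port_t` should load modules only through insmod_t, so drop `sys_module` from that line. Two further widenings deserve a comment or narrowing: `domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)` lets NetworkManager run any init script in initrc_t, and `can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })` runs any system binary or shell inside the daemon's own domain with all of the above capabilities. The `{ domain -unrestricted }:file { getattr read }` rule also lets it read the /proc entries of every confined process; if only process enumeration is needed, `dir search` plus `file getattr` suffices.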
diff --git a/strict/domains/program/unused/afs.te b/strict/domains/program/unused/afs.te
new file mode 100644
index 0000000..8bcab3b
--- /dev/null
+++ b/strict/domains/program/unused/afs.te
@@ -0,0 +1,166 @@
+#
+# Policy for AFS server
+#
+
+type afs_files_t, file_type;
+type afs_config_t, file_type, sysadmfile;
+type afs_logfile_t, file_type, logfile;
+type afs_dbdir_t, file_type;
+
+allow afs_files_t afs_files_t:filesystem associate;
+# df should show sizes
+allow sysadm_t afs_files_t:filesystem getattr;
+
+#
+# Macros for defining AFS server domains
+#
+
+define(`afs_server_domain',`
+type afs_$1server_t, domain $2;
+type afs_$1server_exec_t, file_type, sysadmfile;
+
+role system_r types afs_$1server_t;
+
+allow afs_$1server_t afs_config_t:file r_file_perms;
+allow afs_$1server_t afs_config_t:dir r_dir_perms;
+allow afs_$1server_t afs_logfile_t:file create_file_perms;
+allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
+allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
+uses_shlib(afs_$1server_t)
+can_network(afs_$1server_t)
+read_locale(afs_$1server_t)
+
+dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
+dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
+dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
+')
+
+define(`afs_under_bos',`
+domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
+allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
+allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
+allow afs_$1server_t net_conf_t:file r_file_perms;
+allow afs_bosserver_t afs_$1server_t:process signal_perms;
+')
+
+define(`afs_server_db',`
+type afs_$1_db_t, file_type;
+
+allow afs_$1server_t afs_$1_db_t:file create_file_perms;
+file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
+')
+
+
+#
+# bosserver
+#
+
+afs_server_domain(`bos')
+base_file_read_access(afs_bosserver_t)
+
+domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
+
+allow afs_bosserver_t self:process { fork setsched signal_perms };
+allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
+allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
+allow afs_bosserver_t afs_config_t:file create_file_perms;
+allow afs_bosserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
+allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_bosserver_t device_t:dir r_dir_perms;
+
+# allow sysadm to use bos
+allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
+
+#
+# fileserver, volserver, and salvager
+#
+
+afs_server_domain(`fs',`,privlog')
+afs_under_bos(`fs')
+
+base_file_read_access(afs_fsserver_t)
+file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
+
+allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
+allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
+allow afs_fsserver_t self:fifo_file { rw_file_perms };
+can_exec(afs_fsserver_t, afs_fsserver_exec_t)
+allow afs_fsserver_t afs_files_t:file create_file_perms;
+allow afs_fsserver_t afs_files_t:dir create_dir_perms;
+allow afs_fsserver_t afs_config_t:file create_file_perms;
+allow afs_fsserver_t afs_config_t:dir create_dir_perms;
+
+allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
+allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
+
+allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
+allow afs_fsserver_t device_t:dir r_dir_perms;
+allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
+allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
+
+allow afs_fsserver_t proc_t:dir r_dir_perms;
+allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
+allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
+
+# fs communicates with other servers
+allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
+allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
+allow afs_fsserver_t self:udp_socket { sendto recvfrom };
+allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
+allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
+
+dontaudit afs_fsserver_t self:capability fsetid;
+dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
+dontaudit afs_fsserver_t initrc_t:fd use;
+dontaudit afs_fsserver_t mnt_t:dir search;
+
+
+#
+# kaserver
+#
+
+afs_server_domain(`ka')
+afs_under_bos(`ka')
+afs_server_db(`ka')
+
+base_file_read_access(afs_kaserver_t)
+
+allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
+allow afs_kaserver_t self:capability { net_bind_service };
+allow afs_kaserver_t afs_config_t:file create_file_perms;
+allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
+
+# allow sysadm to use kas
+allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
+
+
+#
+# ptserver
+#
+
+afs_server_domain(`pt')
+afs_under_bos(`pt')
+afs_server_db(`pt')
+
+# allow users to use pts
+allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
+allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
+allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
+
+
+#
+# vlserver
+#
+
+afs_server_domain(`vl')
+afs_under_bos(`vl')
+afs_server_db(`vl')
+
+allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
+allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
+allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
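Review bot: Every server domain created by `afs_server_domain` gets `afs_config_t:file r_file_perms`, and `afs_bosserver_t` and `afs_fsserver_t` additionally get `create_file_perms` on it, so if the cell's KeyFile lives under the same server configuration tree as the rest of `afs_config_t` it is readable by all five server domains and writable by two of them. A dedicated key type (e.g. `type afs_keyfile_t, file_type, sysadmfile;`) granted only to the domains that authenticate would keep a fileserver or ptserver compromise from yielding the cell key; where the KeyFile is placed is not visible here and should be checked. Separately, `allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };` uses the old-style `connectto`/`acceptfrom` permissions where the rest of this diff expresses TCP peering via `can_tcp_connect` and `name_connect`, and the fsserver's `{ kill dac_override chown fowner sys_nice }` capability line has no comment on why a file server needs DAC override and ownership changes.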
diff --git a/strict/domains/program/unused/alsa.te b/strict/domains/program/unused/alsa.te
new file mode 100644
index 0000000..5717244
--- /dev/null
+++ b/strict/domains/program/unused/alsa.te
@@ -0,0 +1,17 @@
+#DESC ainit - configuration tool for ALSA
+#
+# Author: Dan Walsh
+#
+#
+type alsa_t, domain, privlog, daemon;
+type alsa_exec_t, file_type, sysadmfile, exec_type;
+uses_shlib(alsa_t)
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+allow alsa_t self:capability { setgid setuid ipc_owner };
+allow alsa_t devpts_t:chr_file { read write };
+allow alsa_t etc_t:file { getattr read };
+domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
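Review bot: `allow alsa_t self:capability { setgid setuid ipc_owner };` grants `ipc_owner`, which overrides permission checks on every System V IPC object on the host, while the block only gives alsa_t `self:sem`/`self:shm` access; unless the tool must attach to shared memory owned by another uid, drop it, and if it must, comment which object. There is also no `role system_r types alsa_t;` (nor a `daemon_domain` macro that would add it) in the file, so `domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)` will fail the role check for whichever role pam_console_t runs in unless some other file declares it; add `role system_r types alsa_t;` next to the type declaration or use the macro the rest of this policy uses for daemons. As far as this diff shows, the `daemon` attribute on the type line does not by itself establish a role.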
diff --git a/strict/domains/program/unused/amavis.te b/strict/domains/program/unused/amavis.te
index eb029f7..1e1752f 100644
--- a/strict/domains/program/unused/amavis.te
+++ b/strict/domains/program/unused/amavis.te
@@ -12,10 +12,13 @@
type amavisd_etc_t, file_type, sysadmfile;
type amavisd_lib_t, file_type, sysadmfile;
-type amavis_port_t, port_type;
+# Virus and spam found and quarantined.
+type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
+
daemon_domain(amavisd)
tmp_domain(amavisd)
+allow initrc_t amavisd_etc_t:file { getattr read };
allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
allow initrc_t amavisd_lib_t:file unlink;
allow initrc_t amavisd_var_run_t:dir setattr;
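Review bot: The new `amavisd_quarantine_t` type carries the `tmpfile` attribute, which in this policy is what tmp-handling domains key on for cleanup and access; quarantined mail is evidence the administrator wants kept and can contain live malware, so its label should not invite removal by generic temp cleaners. Unless the attribute was added for a specific macro that requires it, declare it as `type amavisd_quarantine_t, file_type, sysadmfile;` and grant the exact domains access explicitly. Precisely what `tmpfile` confers is not visible in this diff and should be checked before the attribute is dropped.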
@@ -26,11 +29,17 @@ allow amavisd_t usr_t:{ file lnk_file } { getattr read };
dontaudit amavisd_t usr_t:file ioctl;
# networking
-can_network(amavisd_t)
+can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
+allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
+allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
+# The next line doesn't work right so drop the port specification.
+#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
+can_network_client_tcp(amavisd_t)
+allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
+can_resolve(amavisd_t);
can_ypbind(amavisd_t);
can_tcp_connect(mail_server_sender, amavisd_t);
can_tcp_connect(amavisd_t, mail_server_domain)
-allow amavisd_t amavis_port_t:tcp_socket name_bind;
ifdef(`scannerdaemon.te', `
can_tcp_connect(amavisd_t, scannerdaemon_t);
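Review bot: The comment `# The next line doesn't work right so drop the port specification.` above the commented-out `can_network_client_tcp(amavisd_t, amavisd_send_port_t)` tells the next reader nothing about what fails, so the workaround can never be safely removed. State the observed failure, e.g. `# can_network_client_tcp with a port argument does not produce the rules we need (<describe denial>); the port is granted explicitly below`, with the real cause filled in. Since the explicit `allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;` follows, the outbound restriction is still enforced, which is worth saying in the same comment.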
@@ -49,6 +58,25 @@ allow clamd_t amavisd_lib_t:dir r_dir_perms;
allow clamd_t amavisd_lib_t:file r_file_perms;
')
+# DCC
+ifdef(`dcc.te', `
+allow dcc_client_t amavisd_lib_t:file r_file_perms;
+')
+
+# Pyzor
+ifdef(`pyzor.te',`
+domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
+#allow pyzor_t amavisd_data_t:dir search;
+# Pyzor creates a temp file adjacent to the working file.
+create_dir_file(pyzor_t, amavisd_lib_t);
+')
+
+# SpamAssassin is executed from within amavisd, but needs to read its
+# config
+ifdef(`spamd.te', `
+r_dir_file(amavisd_t, etc_mail_t)
+')
+
# Can create unix sockets
allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
allow amavisd_t self:unix_dgram_socket create_socket_perms;
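Review bot: `create_dir_file(pyzor_t, amavisd_lib_t);` gives the pyzor client, a program that exchanges data with remote servers, full create/write/unlink over amavisd's entire /var/lib tree, while the comment says it only needs a temp file next to the working file. Consider giving the working directory its own subtype (the commented-out `#allow pyzor_t amavisd_data_t:dir search;` line suggests an `amavisd_data_t` was planned) and granting pyzor write access on that type only; failing that, extend the comment to say the broad grant is deliberate. The ifdef blocks in this hunk are complete within it.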
@@ -64,6 +92,9 @@ log_domain(amavisd)
# Access amavisd var/lib files.
create_dir_file(amavisd_t, amavisd_lib_t)
+# Access amavisd quarantined files.
+create_dir_file(amavisd_t, amavisd_quarantine_t)
+
# Run helper programs.
can_exec_any(amavisd_t,bin_t)
allow amavisd_t bin_t:dir { getattr search };
@@ -83,3 +114,4 @@ allow amavisd_t etc_runtime_t:file { getattr read };
dontaudit amavisd_t sysadm_home_dir_t:dir search;
dontaudit amavisd_t shadow_t:file { getattr read };
dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
+
diff --git a/strict/domains/program/unused/asterisk.te b/strict/domains/program/unused/asterisk.te
index c8d182d..7ae5ffc 100644
--- a/strict/domains/program/unused/asterisk.te
+++ b/strict/domains/program/unused/asterisk.te
@@ -4,8 +4,6 @@
#
# X-Debian-Packages: asterisk
-type asterisk_port_t, port_type;
-
daemon_domain(asterisk)
allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
allow initrc_t asterisk_var_run_t:fifo_file unlink;
diff --git a/strict/domains/program/unused/authbind.te b/strict/domains/program/unused/authbind.te
index d34e659..6aabc3e 100644
--- a/strict/domains/program/unused/authbind.te
+++ b/strict/domains/program/unused/authbind.te
@@ -16,7 +16,6 @@ type authbind_exec_t, file_type, sysadmfile, exec_type;
role system_r types authbind_t;
etcdir_domain(authbind)
-typealias authbind_etc_t alias etc_authbind_t;
can_exec(authbind_t, authbind_etc_t)
allow authbind_t etc_t:dir r_dir_perms;
diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te
index 211e761..89c5171 100644
--- a/strict/domains/program/unused/backup.te
+++ b/strict/domains/program/unused/backup.te
@@ -27,6 +27,7 @@ rw_dir_create_file(system_crond_t, backup_store_t)
allow backup_t urandom_device_t:chr_file read;
can_network_client(backup_t)
+allow backup_t port_type:tcp_socket name_connect;
can_ypbind(backup_t)
uses_shlib(backup_t)
diff --git a/strict/domains/program/unused/bonobo.te b/strict/domains/program/unused/bonobo.te
new file mode 100644
index 0000000..c23f1d2
--- /dev/null
+++ b/strict/domains/program/unused/bonobo.te
@@ -0,0 +1,9 @@
+# DESC - Bonobo Activation Server
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executable
+type bonobo_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/bonobo_macros.te
diff --git a/strict/domains/program/unused/ciped.te b/strict/domains/program/unused/ciped.te
index 91ed9f3..6fddf97 100644
--- a/strict/domains/program/unused/ciped.te
+++ b/strict/domains/program/unused/ciped.te
@@ -5,11 +5,11 @@ daemon_base_domain(ciped)
# for SSP
allow ciped_t urandom_device_t:chr_file read;
-type cipe_port_t, port_type;
+# cipe uses the afs3-bos port (udp 7007)
+allow ciped_t afs_bos_port_t:udp_socket name_bind;
can_network_udp(ciped_t)
can_ypbind(ciped_t)
-allow ciped_t cipe_port_t:udp_socket name_bind;
allow ciped_t devpts_t:dir search;
allow ciped_t devtty_t:chr_file { read write };
diff --git a/strict/domains/program/unused/clamav.te b/strict/domains/program/unused/clamav.te
index 47407db..3ef34ee 100644
--- a/strict/domains/program/unused/clamav.te
+++ b/strict/domains/program/unused/clamav.te
@@ -15,13 +15,22 @@ type clamav_var_lib_t, file_type, sysadmfile;
# clamscan_t is the domain of the clamscan virus scanner
type clamscan_exec_t, file_type, sysadmfile, exec_type;
-daemon_base_domain(freshclam)
+##########
+##########
+
+#
+# Freshclam
+#
+
+daemon_base_domain(freshclam, `, web_client_domain')
read_locale(freshclam_t)
# not sure why it needs this
read_sysctl(freshclam_t)
-can_network_server(freshclam_t)
+can_network_client_tcp(freshclam_t, http_port_t);
+allow freshclam_t http_port_t:tcp_socket name_connect;
+can_resolve(freshclam_t)
can_ypbind(freshclam_t)
# Access virus signatures
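Review bot: `can_network_client_tcp(freshclam_t, http_port_t);` together with `allow freshclam_t http_port_t:tcp_socket name_connect;` correctly tightens the previous `can_network_server`, but freshclam can also be configured to fetch through an HTTP proxy, which commonly listens on a port labelled with a proxy/cache port type rather than `http_port_t`; if that setup is supported, add that port type (whatever this policy names it) or a boolean, otherwise proxied updates fail closed with no comment explaining why. A one-line comment such as `# freshclam only needs outbound HTTP to the signature mirrors` would also record the intent behind the narrowing.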
@@ -56,24 +65,59 @@ allow freshclam_t self:fifo_file rw_file_perms;
logdir_domain(freshclam)
allow initrc_t freshclam_log_t:file append;
+# Pid files for freshclam
+allow initrc_t clamd_var_run_t:file { create setattr };
+
system_crond_entry(freshclam_exec_t, freshclam_t)
domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
role sysadm_r types freshclam_t;
+create_dir_file(freshclam_t, clamd_var_run_t)
+
+##########
+##########
+
+#
+# Clamscan
+#
+
# macros/program/clamav_macros.te.
user_clamscan_domain(sysadm)
+##########
+##########
+
+#
+# Clamd
+#
+
+type clamd_sock_t, file_type, sysadmfile;
+
# clamd executable
daemon_domain(clamd)
tmp_domain(clamd)
+
+# The dir containing the clamd log files is labelled freshclam_t
logdir_domain(clamd)
+allow clamd_t freshclam_log_t:dir search;
+
+allow clamd_t self:capability { kill setgid setuid dac_override };
-file_type_auto_trans(clamd_t, var_run_t, clamd_var_run_t, sock_file)
+# Give the clamd local communications socket a unique type
+ifdef(`distro_debian', `
+file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
+')
+ifdef(`distro_redhat', `
+file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
+')
-allow clamd_t self:capability { kill setgid setuid };
+# Clamd can be configured to listen on a TCP port.
+can_network_server_tcp(clamd_t, clamd_port_t)
+allow clamd_t clamd_port_t:tcp_socket name_bind;
+can_resolve(clamd_t);
allow clamd_t var_lib_t:dir search;
r_dir_file(clamd_t, clamav_var_lib_t)
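Review bot: The comment `# The dir containing the clamd log files is labelled freshclam_t` names a domain, but the rule beneath it (`allow clamd_t freshclam_log_t:dir search;`) and `logdir_domain(freshclam)` earlier in the file show the directory type is `freshclam_log_t`; change it to `# the clamav log directory is labelled freshclam_log_t; clamd searches it to reach its own log file`. `dac_override` is also newly added to clamd_t's capability line without a note; a scanner that parses untrusted attachments should not be able to ignore mode bits on the files its policy grants, so either record the file that needs it or drop it and fix ownership. The distro-specific `file_type_auto_trans` pair for `clamd_sock_t` differs only in parent type (`var_run_t` on Debian, `clamd_var_run_t` on Red Hat) and would read better with a comment on the directory layout difference.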
@@ -86,3 +130,18 @@ allow clamd_t self:fifo_file rw_file_perms;
allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
+
+
+##########
+##########
+
+#
+# Interaction with external programs
+#
+
+ifdef(`amavis.te',`
+allow amavisd_t clamd_var_run_t:dir search;
+allow amavisd_t clamd_t:unix_stream_socket connectto;
+allow amavisd_t clamd_sock_t:sock_file write;
+')
+
diff --git a/strict/domains/program/unused/clockspeed.te b/strict/domains/program/unused/clockspeed.te
new file mode 100644
index 0000000..ef51d66
--- /dev/null
+++ b/strict/domains/program/unused/clockspeed.te
@@ -0,0 +1,25 @@
+#DESC clockspeed - Simple network time protocol client
+#
+# Author Petre Rodan
+#
+
+daemon_base_domain(clockspeed)
+var_lib_domain(clockspeed)
+can_network(clockspeed_t)
+allow clockspeed_t port_type:tcp_socket name_connect;
+read_locale(clockspeed_t)
+
+allow clockspeed_t self:capability { sys_time net_bind_service };
+allow clockspeed_t self:unix_dgram_socket create_socket_perms;
+allow clockspeed_t self:unix_stream_socket create_socket_perms;
+allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
+allow clockspeed_t domain:packet_socket recvfrom;
+
+allow clockspeed_t var_t:dir search;
+allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
+allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
+
+# sysadm can play with clockspeed
+role sysadm_r types clockspeed_t;
+domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
+
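Review bot: `allow clockspeed_t port_type:tcp_socket name_connect;` grants a UDP SNTP client outbound TCP connects to every port type, and nothing else in the file uses TCP; drop that line, and since `can_network(clockspeed_t)` is already wider than a UDP-only client needs, `can_network_udp(clockspeed_t)` (used by ciped.te in this same diff) would fit better. `allow clockspeed_t domain:packet_socket recvfrom;` is also unexplained, as it lets the daemon receive from packet sockets of every domain; comment on which peer it actually needs or remove it. `sys_time` is the one capability that is genuinely essential for setting the clock and deserves a `# sys_time: adjusts the system clock` note.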
diff --git a/strict/domains/program/unused/courier.te b/strict/domains/program/unused/courier.te
index d2e9ad0..75e42d3 100644
--- a/strict/domains/program/unused/courier.te
+++ b/strict/domains/program/unused/courier.te
@@ -9,7 +9,6 @@ type courier_var_run_t, file_type, sysadmfile, pidfile;
type courier_var_lib_t, file_type, sysadmfile;
type courier_etc_t, file_type, sysadmfile;
-typealias courier_etc_t alias etc_courier_t;
# allow start scripts to read the config
allow initrc_t courier_etc_t:file r_file_perms;
@@ -93,7 +92,7 @@ allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
allow courier_tcpd_t sbin_t:dir search;
allow courier_tcpd_t var_lib_t:dir search;
# for TLS
-allow courier_tcpd_t urandom_device_t:chr_file read;
+allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
read_locale(courier_tcpd_t)
can_exec(courier_tcpd_t, courier_exec_t)
allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
diff --git a/strict/domains/program/unused/cvs.te b/strict/domains/program/unused/cvs.te
new file mode 100644
index 0000000..ca089ed
--- /dev/null
+++ b/strict/domains/program/unused/cvs.te
@@ -0,0 +1,26 @@
+#DESC cvs - Concurrent Versions System
+#
+# Author: Dan Walsh
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the cvs_t domain.
+#
+# cvs_exec_t is the type of the cvs executable.
+#
+
+inetd_child_domain(cvs, tcp)
+typeattribute cvs_t privmail;
+typeattribute cvs_t auth_chkpwd;
+
+type cvs_data_t, file_type, sysadmfile;
+create_dir_file(cvs_t, cvs_data_t)
+can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t etc_runtime_t:file { getattr read };
+allow system_mail_t cvs_data_t:file { getattr read };
+dontaudit cvs_t devtty_t:chr_file { read write };
+allow cvs_t default_t:dir search;
+allow cvs_t default_t:lnk_file read;
+
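Review bot: `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` gives a network-reachable inetd child (`inetd_child_domain(cvs, tcp)`) the ability to run any bin_t/sbin_t binary plus a shell, and nothing in the file says why. If this exists for the CVSROOT trigger scripts (loginfo/commitinfo and friends), say so, e.g. `# CVSROOT/*info hooks run arbitrary commands, so pserver needs shell and bin access`, and consider whether those hook scripts could carry their own type instead of a blanket bin_t grant. `allow cvs_t default_t:dir search;` / `lnk_file read` also looks like a workaround for an unlabelled repository path; a comment pointing at that path would help whoever later relabels the repository and wants to remove the exception.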
diff --git a/strict/domains/program/unused/daemontools.te b/strict/domains/program/unused/daemontools.te
new file mode 100644
index 0000000..b24a58c
--- /dev/null
+++ b/strict/domains/program/unused/daemontools.te
@@ -0,0 +1,203 @@
+#DESC Daemontools - Tools for managing UNIX services
+#
+# Author: Petre Rodan
+# with the help of Chris PeBenito, Russell Coker and Tad Glines
+#
+
+#
+# selinux policy for daemontools
+# http://cr.yp.to/daemontools.html
+#
+# thanks for D. J. Bernstein and the NSA team for the great software
+# they provide
+#
+
+##############################################################
+# type definitions
+
+type svc_conf_t, file_type, sysadmfile;
+type svc_log_t, file_type, sysadmfile;
+type svc_svc_t, file_type, sysadmfile;
+
+
+##############################################################
+# Macros
+define(`svc_filedir_domain', `
+create_dir_file($1, svc_svc_t)
+file_type_auto_trans($1, svc_svc_t, svc_svc_t);
+')
+
+##############################################################
+# the domains
+daemon_base_domain(svc_script)
+svc_filedir_domain(svc_script_t)
+
+# part started by initrc_t
+daemon_base_domain(svc_start)
+domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
+svc_filedir_domain(svc_start_t)
+
+# also get here from svc_script_t
+domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
+
+# the domain for /service/*/run and /service/*/log/run
+daemon_sub_domain(svc_start_t, svc_run)
+r_dir_file(svc_run_t, svc_conf_t)
+
+# the logger
+daemon_sub_domain(svc_run_t, svc_multilog)
+file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
+
+######
+# rules for all those domains
+
+# sysadm can tweak svc_run_exec_t files
+allow sysadm_t svc_run_exec_t:file create_file_perms;
+
+# run_init can control svc_script_t and svc_start_t domains
+domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
+domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
+allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
+svc_filedir_domain(initrc_t)
+
+# svc_start_t
+allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
+allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
+allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
+allow svc_start_t { var_t var_run_t }:dir search;
+can_exec(svc_start_t, bin_t)
+can_exec(svc_start_t, shell_exec_t)
+allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
+allow svc_start_t svc_run_t:process signal;
+dontaudit svc_start_t proc_t:file r_file_perms;
+dontaudit svc_start_t devtty_t:chr_file { read write };
+
+# svc script
+allow svc_script_t self:capability sys_admin;
+allow svc_script_t self:fifo_file { getattr read write };
+allow svc_script_t self:file r_file_perms;
+allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
+allow svc_script_t bin_t:lnk_file r_file_perms;
+can_exec(svc_script_t, bin_t)
+can_exec(svc_script_t, shell_exec_t)
+allow svc_script_t proc_t:file r_file_perms;
+allow svc_script_t shell_exec_t:file rx_file_perms;
+allow svc_script_t devtty_t:chr_file rw_file_perms;
+allow svc_script_t etc_runtime_t:file r_file_perms;
+allow svc_script_t svc_run_exec_t:file r_file_perms;
+allow svc_script_t svc_script_exec_t:file execute_no_trans;
+allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
+allow svc_script_t sysctl_kernel_t:file r_file_perms;
+
+# svc_run_t
+allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:file r_file_perms;
+allow svc_run_t self:process { fork setrlimit };
+allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+allow svc_run_t svc_svc_t:dir r_dir_perms;
+allow svc_run_t svc_svc_t:file r_file_perms;
+allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
+allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
+allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_run_t { var_t var_run_t }:dir search;
+can_exec(svc_run_t, etc_t)
+can_exec(svc_run_t, lib_t)
+can_exec(svc_run_t, bin_t)
+can_exec(svc_run_t, sbin_t)
+can_exec(svc_run_t, ls_exec_t)
+can_exec(svc_run_t, shell_exec_t)
+allow svc_run_t devtty_t:chr_file rw_file_perms;
+allow svc_run_t etc_runtime_t:file r_file_perms;
+allow svc_run_t exec_type:{ file lnk_file } getattr;
+allow svc_run_t init_t:fd use;
+allow svc_run_t initrc_t:fd use;
+allow svc_run_t proc_t:file r_file_perms;
+allow svc_run_t sysctl_t:dir search;
+allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
+allow svc_run_t sysctl_kernel_t:file r_file_perms;
+allow svc_run_t var_lib_t:dir r_dir_perms;
+
+# multilog creates /service/*/log/status
+allow svc_multilog_t svc_svc_t:dir { read search };
+allow svc_multilog_t svc_svc_t:file { append write };
+# writes to /var/log/*/*
+allow svc_multilog_t var_t:dir search;
+allow svc_multilog_t var_log_t:dir create_dir_perms;
+allow svc_multilog_t var_log_t:file create_file_perms;
+# misc
+allow svc_multilog_t init_t:fd use;
+allow svc_start_t svc_multilog_t:process signal;
+svc_ipc_domain(svc_multilog_t)
+
+################################################################
+# scripts that can be started by daemontools
+# keep it sorted please.
+
+ifdef(`apache.te', `
+domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
+svc_ipc_domain(httpd_t)
+dontaudit httpd_t svc_svc_t:dir { search };
+')
+
+ifdef(`clamav.te', `
+domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
+svc_ipc_domain(clamd_t)
+')
+
+ifdef(`clockspeed.te', `
+domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
+svc_ipc_domain(clockspeed_t)
+r_dir_file(svc_run_t, clockspeed_var_lib_t)
+allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
+')
+
+ifdef(`dante.te', `
+domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
+svc_ipc_domain(dante_t)
+')
+
+ifdef(`publicfile.te', `
+svc_ipc_domain(publicfile_t)
+')
+
+ifdef(`qmail.te', `
+allow svc_run_t qmail_start_exec_t:file rx_file_perms;
+domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
+r_dir_file(svc_run_t, qmail_etc_t)
+svc_ipc_domain(qmail_send_t)
+svc_ipc_domain(qmail_start_t)
+svc_ipc_domain(qmail_queue_t)
+svc_ipc_domain(qmail_smtpd_t)
+')
+
+ifdef(`rsyncd.te', `
+domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
+svc_ipc_domain(rsyncd_t)
+')
+
+ifdef(`spamd.te', `
+domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
+svc_ipc_domain(spamd_t)
+')
+
+ifdef(`ssh.te', `
+domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
+svc_ipc_domain(sshd_t)
+')
+
+ifdef(`stunnel.te', `
+domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
+svc_ipc_domain(stunnel_t)
+')
+
+ifdef(`ucspi-tcp.te', `
+domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
+allow svc_run_t utcpserver_t:process { signal };
+svc_ipc_domain(utcpserver_t)
+')
+
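Review bot: `allow svc_script_t self:capability sys_admin;` together with `can_exec(svc_run_t, etc_t)` and `can_exec(svc_run_t, lib_t)` are the broadest grants in this file and none of them carries a comment. sys_admin is a near-root capability, and letting the supervisor domain that spawns every service execute arbitrary etc_t or lib_t files is unusual; if these came from specific observed denials (a setsid in svscanboot, a run script exec'ing something under /etc), note the reason on the line (`# sys_admin: needed for … — TODO confirm`) or narrow the target type. Also note that files multilog creates under a plain var_log_t directory stay var_log_t (`allow svc_multilog_t var_log_t:file create_file_perms`), so svc_log_t is only applied where the directory was already labelled svc_log_t; a `file_type_auto_trans(svc_multilog_t, var_log_t, svc_log_t)` would label them consistently if that is the intent. `svc_ipc_domain` is used throughout but not defined in this hunk, so it presumably lives in a macro file outside this diff.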
diff --git a/strict/domains/program/unused/dante.te b/strict/domains/program/unused/dante.te
index ca1649a..70885ab 100644
--- a/strict/domains/program/unused/dante.te
+++ b/strict/domains/program/unused/dante.te
@@ -4,17 +4,20 @@
#
type dante_conf_t, file_type, sysadmfile;
-type socks_port_t, port_type;
daemon_domain(dante)
can_network_server(dante_t)
allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid };
+allow dante_t self:capability { setuid setgid };
allow dante_t self:unix_dgram_socket { connect create write };
allow dante_t self:unix_stream_socket { connect create read setopt write };
+allow dante_t self:tcp_socket connect;
allow dante_t socks_port_t:tcp_socket name_bind;
allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
r_dir_file(dante_t, dante_conf_t)
+
+allow dante_t initrc_var_run_t:file { getattr write };
+
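Review bot: `allow dante_t initrc_var_run_t:file { getattr write };` lets the SOCKS daemon write into any pid/state file the init scripts own, not just its own. daemon_domain(dante) presumably provides a dante_var_run_t for its pidfile, so if the only need is a file the init script pre-creates in /var/run, the cleaner fix is to have the script create it with the daemon's type (or let the daemon create it itself) rather than opening initrc_var_run_t for write. If the write really is to a shared init-script file, a comment naming it (`# writes /var/run/<file> created by the init script`) would make the exception reviewable. The added `self:tcp_socket connect` is expected for a proxy that has to relay outbound.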
diff --git a/strict/domains/program/unused/dcc.te b/strict/domains/program/unused/dcc.te
new file mode 100644
index 0000000..598d929
--- /dev/null
+++ b/strict/domains/program/unused/dcc.te
@@ -0,0 +1,252 @@
+#
+# DCC - Distributed Checksum Clearinghouse
+# Author: David Hampton
+#
+#
+# NOTE: DCC has writeable files in /etc/dcc that should probably be in
+# /var/lib/dcc. For now this policy supports both directories being
+# writable.
+
+# Files common to all dcc programs
+type dcc_client_map_t, file_type, sysadmfile;
+type dcc_var_t, file_type, sysadmfile;
+type dcc_var_run_t, file_type, sysadmfile;
+
+
+##########
+##########
+
+#
+# common to all dcc variants
+#
+define(`dcc_common',`
+# Access files in /var/dcc. The map file can be updated
+r_dir_file($1_t, dcc_var_t)
+allow $1_t dcc_client_map_t:file rw_file_perms;
+
+# Read mtab, nsswitch and locale
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+
+#Networking
+can_resolve($1_t)
+ifelse($2, `server', `
+can_network_udp($1_t)
+', `
+can_network_udp($1_t, `dcc_port_t')
+')
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# Create private temp files
+tmp_domain($1)
+
+# Triggered by a call to gethostid(2) in dcc client libs
+allow $1_t self:unix_stream_socket { connect create };
+
+allow $1_t sysadm_su_t:process { sigchld };
+allow $1_t dcc_script_t:fd use;
+
+dontaudit $1_t kernel_t:fd use;
+dontaudit $1_t root_t:file read;
+')
+
+allow initrc_t dcc_var_run_t:dir rw_dir_perms;
+
+
+##########
+##########
+
+#
+# dccd - Server daemon that can be accessed over the net
+#
+daemon_domain(dccd, `, privlog, nscd_client_domain')
+dcc_common(dccd, server);
+
+# Runs the dbclean program
+allow dccd_t bin_t:dir search;
+domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+
+# The daemon needs to listen on the dcc ports
+allow dccd_t dcc_port_t:udp_socket name_bind;
+
+# Updating dcc_db, flod, ...
+create_dir_file(dccd_t, dcc_var_t);
+
+allow dccd_t self:capability net_admin;
+allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+
+# Reading /proc/meminfo
+allow dccd_t proc_t:file { getattr read };
+
+
+#
+# cdcc - control dcc daemon
+#
+application_domain(cdcc, `, nscd_client_domain')
+role system_r types cdcc_t;
+dcc_common(cdcc)
+
+# suid program
+allow cdcc_t self:capability setuid;
+
+# Running from the command line
+allow cdcc_t sshd_t:fd use;
+allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
+
+
+
+##########
+##########
+
+#
+# DCC Clients
+#
+
+#
+# dccifd - Spamassassin and general MTA persistent client
+#
+daemon_domain(dccifd, `, privlog, nscd_client_domain')
+dcc_common(dccifd);
+file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)
+
+# Allow the domain to communicate with other processes
+allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Updating dcc_db, flod, ...
+create_dir_notdevfile(dccifd_t, dcc_var_t);
+
+# Updating map, ...
+allow dccifd_t dcc_client_map_t:file rw_file_perms;
+
+# dccifd communications socket
+type dccifd_sock_t, file_type, sysadmfile;
+file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
+
+# Reading /proc/meminfo
+allow dccifd_t proc_t:file { getattr read };
+
+
+#
+# dccm - sendmail milter client
+#
+daemon_domain(dccm, `, privlog, nscd_client_domain')
+dcc_common(dccm);
+file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)
+
+# Allow the domain to communicate with other processes
+allow dccm_t self:unix_stream_socket create_stream_socket_perms;
+
+# Updating map, ...
+create_dir_notdevfile(dccm_t, dcc_var_t);
+allow dccm_t dcc_client_map_t:file rw_file_perms;
+
+# dccm communications socket
+type dccm_sock_t, file_type, sysadmfile;
+file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
+
+
+#
+# dccproc - dcc procmail interface
+#
+application_domain(dcc_client, `, privlog, nscd_client_domain')
+role system_r types dcc_client_t;
+dcc_common(dcc_client)
+
+# suid program
+allow dcc_client_t self:capability setuid;
+
+# Running from the command line
+allow dcc_client_t sshd_t:fd use;
+allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
+
+
+##########
+##########
+
+#
+# DCC Utilities
+#
+
+#
+# dbclean - database cleanup tool
+#
+application_domain(dcc_dbclean, `, nscd_client_domain')
+role system_r types dcc_dbclean_t;
+dcc_common(dcc_dbclean)
+
+# Updating various files.
+create_dir_file(dcc_dbclean_t, dcc_var_t);
+
+# wants to look at /proc/meminfo
+allow dcc_dbclean_t proc_t:dir search;
+allow dcc_dbclean_t proc_t:file { getattr read };
+
+# Running from the command line
+allow dcc_dbclean_t sshd_t:fd use;
+allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
+
+##########
+##########
+
+#
+# DCC Startup scripts
+#
+# These are shell sccripts that start/stop/restart the various dcc
+# programs.
+#
+init_service_domain(dcc_script, `, nscd_client_domain')
+general_domain_access(dcc_script_t)
+general_proc_read_access(dcc_script_t)
+can_exec_any(dcc_script_t)
+dcc_common(dcc_script)
+
+# Allow calling the script from an init script (initrt_t) or from
+# rc.local (staff_t)
+domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)
+
+# Start up the daemon process. These scripts run 'su' to change to
+# the dcc user (even though the default dcc user is root).
+allow dcc_script_t self:capability setuid;
+su_restricted_domain(dcc_script, system)
+role system_r types dcc_script_su_t;
+domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
+domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
+domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
+
+# Stop the daemon process
+allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
+
+# Access various DCC files
+allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
+allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
+
+allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
+allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
+allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
+allow dcc_script_t devtty_t:chr_file { read write };
+allow dcc_script_su_t sysadm_home_dir_t:dir search;
+allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
+allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
+
+dontaudit dcc_script_su_t kernel_t:fd use;
+dontaudit dcc_script_su_t root_t:file read;
+dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
+
+allow sysadm_t dcc_script_t:fd use;
+
+##########
+##########
+
+#
+# External spam checkers need to run and/or talk to DCC
+#
+define(`access_dcc',`
+domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
+allow $1_t dcc_var_t:dir search;
+allow $1_t dccifd_sock_t:sock_file { getattr write };
+allow $1_t dccifd_t:unix_stream_socket connectto;
+allow $1_t dcc_script_t:unix_stream_socket connectto;
+')
+
+ifdef(`amavis.te',`access_dcc(amavisd)')
+ifdef(`spamd.te',`access_dcc(spamd)')
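Review bot: `allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };` lets the start script's su helper enter the full sysadm_t domain, which is far wider than the three dccd_t/dccm_t/dccifd_t transitions the comment above it says the script needs, and it undercuts the point of using su_restricted_domain. If the rule exists because the default dcc user is root and su then runs a shell, a system-service start path becomes an entry into the admin domain; prefer removing it and, if a shell is unavoidable, transitioning into a dedicated restricted domain, or at minimum comment why it is acceptable. Separately, `domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)` needs a `role staff_r types dcc_script_t;` (or equivalent) for the staff_t source to actually succeed, and none is visible in this hunk; the comment claiming rc.local runs as staff_t also looks doubtful, since rc.local is normally run by initrc_t.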
diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te
index 8b134dc..21f1f8e 100644
--- a/strict/domains/program/unused/ddclient.te
+++ b/strict/domains/program/unused/ddclient.te
@@ -26,12 +26,13 @@ allow ddclient_t self:socket create_socket_perms;
allow ddclient_t etc_t:file { getattr read };
allow ddclient_t etc_runtime_t:file r_file_perms;
allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
-allow ddclient_t urandom_device_t:chr_file { read };
+allow ddclient_t urandom_device_t:chr_file read;
general_proc_read_access(ddclient_t)
-allow ddclient_t sysctl_net_t:dir { search };
+allow ddclient_t sysctl_net_t:dir search;
# network-related goodies
can_network_client(ddclient_t)
+allow ddclient_t port_type:tcp_socket name_connect;
allow ddclient_t self:unix_dgram_socket create_socket_perms;
allow ddclient_t self:unix_stream_socket create_socket_perms;
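Review bot: `allow ddclient_t port_type:tcp_socket name_connect;` permits outbound TCP to every labelled port, which is wider than a dynamic-DNS updater needs. If ddclient only talks to its provider over HTTP/HTTPS (possibly through a proxy), something like `allow ddclient_t http_port_t:tcp_socket name_connect;` would be the tighter rule, with a comment if any other port turns out to be required. The two brace removals in the hunk are purely cosmetic.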
diff --git a/strict/domains/program/unused/ddcprobe.te b/strict/domains/program/unused/ddcprobe.te
new file mode 100644
index 0000000..4087126
--- /dev/null
+++ b/strict/domains/program/unused/ddcprobe.te
@@ -0,0 +1,42 @@
+#DESC ddcprobe - output ddcprobe results from kudzu
+#
+# Author: dan walsh
+#
+
+type ddcprobe_t, domain, privmem;
+type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types ddcprobe_t;
+role system_r types ddcprobe_t;
+domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
+
+uses_shlib(ddcprobe_t)
+
+# Allow terminal access
+access_terminal(ddcprobe_t, sysadm)
+
+# Allow ddcprobe to read /dev/mem
+allow ddcprobe_t memory_device_t:chr_file read;
+allow ddcprobe_t memory_device_t:chr_file { execute write };
+allow ddcprobe_t self:process execmem;
+allow ddcprobe_t zero_device_t:chr_file { execute read };
+
+allow ddcprobe_t proc_t:dir search;
+allow ddcprobe_t proc_t:file { getattr read };
+can_exec(ddcprobe_t, sbin_t)
+allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
+allow ddcprobe_t userdomain:fd use;
+read_sysctl(ddcprobe_t)
+allow ddcprobe_t urandom_device_t:chr_file { getattr read };
+allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
+allow ddcprobe_t self:capability { sys_rawio sys_admin };
+
+allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
+allow ddcprobe_t kudzu_exec_t:file getattr;
+allow ddcprobe_t lib_t:file { getattr read };
+read_locale(ddcprobe_t)
+allow ddcprobe_t modules_object_t:dir search;
+allow ddcprobe_t modules_dep_t:file { getattr read };
+allow ddcprobe_t usr_t:file { getattr read };
+allow ddcprobe_t kernel_t:system syslog_console;
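Review bot: The comment `# Allow ddcprobe to read /dev/mem` does not match the rules beneath it: `allow ddcprobe_t memory_device_t:chr_file { execute write };`, `self:process execmem` and `zero_device_t:chr_file { execute read }` grant write and execute access to physical memory, which is the ability to alter the kernel, not a read-only probe. If this is needed because ddcprobe maps the BIOS region and runs real-mode code (an lrmi/vm86-style setup), say so — e.g. `# ddcprobe maps /dev/mem RW+X and /dev/zero X to run the video BIOS; write access is inherent to this` — and confirm the write permission is actually exercised rather than carried over from an audit2allow run. With `sys_rawio sys_admin` alongside, this domain is effectively unconfined with respect to the kernel, which is worth stating in the file header so nobody treats it as a hardened probe.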
diff --git a/strict/domains/program/unused/devfsd.te b/strict/domains/program/unused/devfsd.te
deleted file mode 100644
index 7bbc314..0000000
--- a/strict/domains/program/unused/devfsd.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#DESC Devfsd - Control daemon for devfs device file system
-#
-# Author: Russell Coker
-# X-Debian-Packages: devfsd
-#
-
-#################################
-#
-# Rules for the devfsd_t domain.
-#
-etcdir_domain(devfsd)
-typealias devfsd_etc_t alias etc_devfsd_t;
-
-allow kernel_t { device_t root_t }:dir mounton;
-
-daemon_domain(devfsd, `, privmodule')
-
-allow devfsd_t urandom_device_t:chr_file read;
-
-# for startup scripts
-can_exec(devfsd_t, bin_t)
-allow devfsd_t self:fifo_file rw_file_perms;
-allow devfsd_t proc_t:dir r_dir_perms;
-allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
-allow devfsd_t devtty_t:chr_file rw_file_perms;
-
-# for alsa
-allow devfsd_t proc_t:file setattr;
-
-# for /sbin/modprobe
-allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;
-
-ifdef(`distro_debian', `
-# for the makedev script - this may be a bad idea
-domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)
-
-# for package upgrade
-allow devfsd_t lib_t:file execute;
-')
-
-# mknod capability is for the startup scripts
-allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };
-
-# allow devfsd to change any object from type devfsd_t to any other type
-# also allow to unlink
-allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
-# allow devfsd to get and set attributes of any device node and to change the
-# type to any device type
-allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
-allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
-allow devfsd_t initctl_t:fifo_file getattr;
-allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
-allow devfsd_t device_t:dir { r_dir_perms setattr };
-
-allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
-allow devfsd_t devpts_t:chr_file { getattr setattr };
-allow devpts_t device_t:filesystem associate;
-allow initctl_t device_t:filesystem associate;
-allow device_t device_t:filesystem associate;
-allow devlog_t device_t:filesystem associate;
-
-# allow all devices to be under device_t
-allow { device_type ttyfile ptyfile } device_t:filesystem associate;
-
-allow domain device_t:lnk_file r_file_perms;
-
-# read the config files
-allow devfsd_t etc_t:dir r_dir_perms;
-
-# allow the permissions and symlinks to be done
-allow devfsd_t device_t:lnk_file create_file_perms;
-allow devfsd_t device_t:dir rw_dir_perms;
-allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
-allow devfsd_t file_type:lnk_file r_file_perms;
-
-allow devfsd_t self:unix_dgram_socket create_socket_perms;
-allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
-allow devfsd_t self:unix_dgram_socket sendto;
-allow devfsd_t self:unix_stream_socket connect;
-
-allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
-dontaudit userdomain devfs_control_t:chr_file getattr;
-
-# allow resolv.conf and UDP access for LDAP or other NSS data source
-allow devfsd_t self:udp_socket create_socket_perms;
-
-allow devfsd_t privfd:fd use;
-
-allow kernel_t device_t:filesystem mount;
-
-# for nss-ldap etc
-can_network_client_tcp(devfsd_t)
-can_ypbind(devfsd_t)
diff --git a/strict/domains/program/unused/distcc.te b/strict/domains/program/unused/distcc.te
index dee96a7..56034f9 100644
--- a/strict/domains/program/unused/distcc.te
+++ b/strict/domains/program/unused/distcc.te
@@ -9,7 +9,6 @@ can_ypbind(distccd_t)
log_domain(distccd)
tmp_domain(distccd)
-type distccd_port_t, port_type;
allow distccd_t distccd_port_t:tcp_socket name_bind;
allow distccd_t self:capability { setgid setuid };
diff --git a/strict/domains/program/unused/djbdns.te b/strict/domains/program/unused/djbdns.te
new file mode 100644
index 0000000..3e11395
--- /dev/null
+++ b/strict/domains/program/unused/djbdns.te
@@ -0,0 +1,46 @@
+# DESC selinux policy for djbdns
+# http://cr.yp.to/djbdns.html
+#
+# Author: petre rodan
+#
+# this policy depends on ucspi-tcp and daemontools policies
+#
+
+ifdef(`daemontools.te', `
+ifdef(`ucspi-tcp.te', `
+
+define(`djbdns_daemon_domain', `
+type djbdns_$1_conf_t, file_type, sysadmfile;
+daemon_domain(djbdns_$1)
+domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
+svc_ipc_domain(djbdns_$1_t)
+can_network(djbdns_$1_t)
+allow djbdns_$1_t port_type:tcp_socket name_connect;
+allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+allow djbdns_$1_t port_t:udp_socket name_bind;
+r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
+allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
+allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
+')
+
+define(`djbdns_tcpserver_domain', `
+type djbdns_$1_conf_t, file_type, sysadmfile;
+daemon_domain(djbdns_$1)
+domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
+svc_ipc_domain(djbdns_$1_t)
+allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
+r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
+allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
+')
+
+djbdns_daemon_domain(dnscache)
+# read seed file
+allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
+
+djbdns_daemon_domain(tinydns)
+
+djbdns_tcpserver_domain(axfrdns)
+r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
+
+') dnl ifdef ucspi-tcp.te
+') dnl ifdef daemontools.te
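Review bot: `r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)` grants read access on a process domain type: djbdns_tinydns_t is the tinydns domain created by daemon_domain, while the file type the macro declares for it is djbdns_tinydns_conf_t. If the intent is for axfrdns to read tinydns's data/data.cdb, the line should be `r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_conf_t)`; as written it grants nothing useful for files labelled with the conf type. Also, `allow djbdns_$1_t port_type:tcp_socket name_connect;` and `port_t:udp_socket name_bind` sit inside djbdns_daemon_domain and so apply to tinydns as well as dnscache, although an authoritative server only answers on dns_port_t; moving the outbound rules to the dnscache instance would keep tinydns from initiating connections.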
diff --git a/strict/domains/program/unused/dmidecode.te b/strict/domains/program/unused/dmidecode.te
new file mode 100644
index 0000000..05b93f7
--- /dev/null
+++ b/strict/domains/program/unused/dmidecode.te
@@ -0,0 +1,22 @@
+#DESC dmidecode - decodes DMI data for x86/ia64 bioses
+#
+# Author: Ivan Gyurdiev
+#
+
+type dmidecode_t, domain, privmem;
+type dmidecode_exec_t, file_type, exec_type, sysadmfile;
+
+# Allow execution by the sysadm
+role sysadm_r types dmidecode_t;
+role system_r types dmidecode_t;
+domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
+
+uses_shlib(dmidecode_t)
+
+# Allow terminal access
+access_terminal(dmidecode_t, sysadm)
+
+# Allow dmidecode to read /dev/mem
+allow dmidecode_t memory_device_t:chr_file read;
+
+allow dmidecode_t self:capability sys_rawio;
diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te
index 89458ef..34ba329 100644
--- a/strict/domains/program/unused/dpkg.te
+++ b/strict/domains/program/unused/dpkg.te
@@ -12,7 +12,6 @@ type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
type dpkg_exec_t, file_type, sysadmfile, exec_type;
type dpkg_var_lib_t, file_type, sysadmfile;
type dpkg_etc_t, file_type, sysadmfile, usercanread;
-typealias dpkg_etc_t alias etc_dpkg_t;
type dpkg_lock_t, file_type, sysadmfile;
type debconf_cache_t, file_type, sysadmfile;
@@ -176,9 +175,7 @@ type apt_exec_t, file_type, sysadmfile, exec_type;
type apt_var_lib_t, file_type, sysadmfile;
type var_cache_apt_t, file_type, sysadmfile;
etcdir_domain(apt)
-typealias apt_etc_t alias etc_apt_t;
type apt_rw_etc_t, file_type, sysadmfile;
-typealias apt_rw_etc_t alias etc_apt_rw_t;
tmp_domain(apt, `', `{ dir file lnk_file }')
can_exec(apt_t, apt_tmp_t)
@@ -322,6 +319,7 @@ allow apt_t { bin_t sbin_t }:dir search;
allow apt_t self:process { signal sigchld fork };
allow apt_t sysadm_t:process sigchld;
can_network({ apt_t dpkg_t })
+allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
can_ypbind({ apt_t dpkg_t })
allow { apt_t dpkg_t } var_t:dir { search getattr };
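Review bot: `allow { apt_t dpkg_t } port_type:tcp_socket name_connect;` opens outbound TCP to every labelled port for both domains, and while the existing `can_network({ apt_t dpkg_t })` line already gives dpkg_t a network stack, dpkg itself has no obvious reason to initiate connections. If the grant exists for apt's HTTP/FTP/proxy fetches, limiting it to apt_t — and, where feasible, to the transport ports apt actually uses — would keep a maintainer script running in dpkg_t from reaching arbitrary services. The surrounding rule list continues outside the hunk.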
diff --git a/strict/domains/program/unused/ethereal.te b/strict/domains/program/unused/ethereal.te
new file mode 100644
index 0000000..a56d321
--- /dev/null
+++ b/strict/domains/program/unused/ethereal.te
@@ -0,0 +1,48 @@
+# DESC - Ethereal
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executables
+type tethereal_exec_t, file_type, exec_type, sysadmfile;
+type ethereal_exec_t, file_type, exec_type, sysadmfile;
+
+########################################################
+# Tethereal
+#
+
+# Type for program
+type tethereal_t, domain, nscd_client_domain;
+
+# Transition from sysadm type
+domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
+role sysadm_r types tethereal_t;
+
+uses_shlib(tethereal_t)
+read_locale(tethereal_t)
+
+# Terminal output
+access_terminal(tethereal_t, sysadm)
+
+# /proc
+read_sysctl(tethereal_t)
+allow tethereal_t { self proc_t }:dir { read search getattr };
+allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
+
+# Access root
+allow tethereal_t root_t:dir search;
+
+# Read ethereal files in /usr
+allow tethereal_t usr_t:file { read getattr };
+
+# /etc/nsswitch.conf
+allow tethereal_t etc_t:file { read getattr };
+
+# Ethereal sysadm rules
+ethereal_networking(tethereal)
+
+# FIXME: policy is incomplete
+
+#####################################
+# Ethereal (GNOME) policy can be found
+# in ethereal_macros.te
diff --git a/strict/domains/program/unused/evolution.te b/strict/domains/program/unused/evolution.te
new file mode 100644
index 0000000..c8a045e
--- /dev/null
+++ b/strict/domains/program/unused/evolution.te
@@ -0,0 +1,14 @@
+# DESC - Evolution
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executables
+type evolution_exec_t, file_type, exec_type, sysadmfile;
+type evolution_server_exec_t, file_type, exec_type, sysadmfile;
+type evolution_webcal_exec_t, file_type, exec_type, sysadmfile;
+type evolution_alarm_exec_t, file_type, exec_type, sysadmfile;
+type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/evolution_macros.te
+bool disable_evolution_trans false;
diff --git a/strict/domains/program/unused/fontconfig.te b/strict/domains/program/unused/fontconfig.te
new file mode 100644
index 0000000..836470a
--- /dev/null
+++ b/strict/domains/program/unused/fontconfig.te
@@ -0,0 +1,7 @@
+#
+# Fontconfig related types
+#
+# Author: Ivan Gyurdiev
+#
+
+# Look in fontconfig_macros.te
diff --git a/strict/domains/program/unused/gatekeeper.te b/strict/domains/program/unused/gatekeeper.te
index 161f474..a1b464e 100644
--- a/strict/domains/program/unused/gatekeeper.te
+++ b/strict/domains/program/unused/gatekeeper.te
@@ -15,9 +15,7 @@ daemon_domain(gatekeeper)
# for SSP
allow gatekeeper_t urandom_device_t:chr_file read;
-type gatekeeper_port_t, port_type;
etc_domain(gatekeeper)
-typealias gatekeeper_etc_t alias etc_gatekeeper_t;
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
logdir_domain(gatekeeper)
diff --git a/strict/domains/program/unused/gconf.te b/strict/domains/program/unused/gconf.te
new file mode 100644
index 0000000..e4dfa4b
--- /dev/null
+++ b/strict/domains/program/unused/gconf.te
@@ -0,0 +1,12 @@
+# DESC - GConf preference daemon
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executable
+type gconfd_exec_t, file_type, exec_type, sysadmfile;
+
+# Type for /etc files
+type gconf_etc_t, file_type, sysadmfile;
+
+# Everything else is in macros/gconfd_macros.te
diff --git a/strict/domains/program/unused/gift.te b/strict/domains/program/unused/gift.te
index 90e19ea..9e9786e 100644
--- a/strict/domains/program/unused/gift.te
+++ b/strict/domains/program/unused/gift.te
@@ -6,4 +6,4 @@
type gift_exec_t, file_type, exec_type, sysadmfile;
type giftd_exec_t, file_type, exec_type, sysadmfile;
-# Everything else is in macros/gift_macros.te
+# Everything else is in macros/program/gift_macros.te
diff --git a/strict/domains/program/unused/gnome.te b/strict/domains/program/unused/gnome.te
new file mode 100644
index 0000000..b45ea8e
--- /dev/null
+++ b/strict/domains/program/unused/gnome.te
@@ -0,0 +1,7 @@
+#
+# GNOME related types
+#
+# Author: Ivan Gyurdiev
+#
+
+# Look in gnome_macros.te
diff --git a/strict/domains/program/unused/gnome_vfs.te b/strict/domains/program/unused/gnome_vfs.te
new file mode 100644
index 0000000..d4cabb6
--- /dev/null
+++ b/strict/domains/program/unused/gnome_vfs.te
@@ -0,0 +1,9 @@
+# DESC - GNOME VFS Daemon
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executable
+type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/gnome_vfs_macros.te
diff --git a/strict/domains/program/unused/iceauth.te b/strict/domains/program/unused/iceauth.te
new file mode 100644
index 0000000..f41ad9e
--- /dev/null
+++ b/strict/domains/program/unused/iceauth.te
@@ -0,0 +1,12 @@
+#DESC ICEauth - ICE authority file utility
+#
+# Domains for the iceauth program.
+#
+# Author: Ivan Gyurdiev
+#
+# iceauth_exec_t is the type of the xauth executable.
+#
+type iceauth_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in the iceauth_domain macro in
+# macros/program/iceauth_macros.te.
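Review bot: The header comment `# iceauth_exec_t is the type of the xauth executable.` names the wrong program — this file declares the type for iceauth, so it should read `# iceauth_exec_t is the type of the iceauth executable.`. The rest of the policy is deferred to iceauth_macros.te, which is outside this diff.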
diff --git a/strict/domains/program/unused/imazesrv.te b/strict/domains/program/unused/imazesrv.te
index af18409..27bae3f 100644
--- a/strict/domains/program/unused/imazesrv.te
+++ b/strict/domains/program/unused/imazesrv.te
@@ -15,7 +15,6 @@ log_domain(imazesrv);
r_dir_file(imazesrv_t, imazesrv_data_t)
-type imaze_port_t, port_type;
allow imazesrv_t imaze_port_t:tcp_socket name_bind;
allow imazesrv_t imaze_port_t:udp_socket name_bind;
diff --git a/strict/domains/program/unused/ircd.te b/strict/domains/program/unused/ircd.te
index 1b9c5fd..c85390e 100644
--- a/strict/domains/program/unused/ircd.te
+++ b/strict/domains/program/unused/ircd.te
@@ -12,11 +12,9 @@
#
daemon_domain(ircd)
-type ircd_port_t, port_type;
allow ircd_t ircd_port_t:tcp_socket name_bind;
etcdir_domain(ircd)
-typealias ircd_etc_t alias etc_ircd_t;
logdir_domain(ircd)
diff --git a/strict/domains/program/unused/jabberd.te b/strict/domains/program/unused/jabberd.te
index 55f0819..aed3b81 100644
--- a/strict/domains/program/unused/jabberd.te
+++ b/strict/domains/program/unused/jabberd.te
@@ -7,9 +7,6 @@ daemon_domain(jabberd)
logdir_domain(jabberd)
var_lib_domain(jabberd)
-type jabber_client_port_t, port_type;
-type jabber_interserver_port_t, port_type;
-
allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
diff --git a/strict/domains/program/unused/lrrd.te b/strict/domains/program/unused/lrrd.te
index 3059c03..b1916f1 100644
--- a/strict/domains/program/unused/lrrd.te
+++ b/strict/domains/program/unused/lrrd.te
@@ -15,9 +15,7 @@ daemon_domain(lrrd)
allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
etcdir_domain(lrrd)
-typealias lrrd_etc_t alias etc_lrrd_t;
type lrrd_var_lib_t, file_type, sysadmfile;
-type lrrd_port_t, port_type;
log_domain(lrrd)
tmp_domain(lrrd)
diff --git a/strict/domains/program/unused/monopd.te b/strict/domains/program/unused/monopd.te
index 56ced81..3512592 100644
--- a/strict/domains/program/unused/monopd.te
+++ b/strict/domains/program/unused/monopd.te
@@ -10,18 +10,18 @@
# Rules for the monopd_t domain.
#
daemon_domain(monopd)
+etc_domain(monopd)
+typealias monopd_etc_t alias etc_monopd_t;
-type etc_monopd_t, file_type, sysadmfile;
-type share_monopd_t, file_type, sysadmfile;
+type monopd_share_t, file_type, sysadmfile;
+typealias monopd_share_t alias share_monopd_t;
# Use the network.
can_network_server(monopd_t)
can_ypbind(monopd_t)
-type monopd_port_t, port_type;
allow monopd_t monopd_port_t:tcp_socket name_bind;
-r_dir_file(monopd_t,etc_monopd_t)
r_dir_file(monopd_t,share_monopd_t)
allow monopd_t self:unix_dgram_socket create_socket_perms;
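Review bot: `r_dir_file(monopd_t,share_monopd_t)` still uses the compatibility alias rather than the new primary type; for consistency with the rename it should read `r_dir_file(monopd_t, monopd_share_t)` and leave `share_monopd_t` to the typealias for existing file contexts. The removed `r_dir_file(monopd_t,etc_monopd_t)` is presumably replaced by whatever read access `etc_domain(monopd)` grants — I cannot see that macro here, so confirm it covers both dir and file read, otherwise the daemon loses its config access.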
diff --git a/strict/domains/program/unused/nagios.te b/strict/domains/program/unused/nagios.te
index fb5fd14..9d540c8 100644
--- a/strict/domains/program/unused/nagios.te
+++ b/strict/domains/program/unused/nagios.te
@@ -14,7 +14,6 @@
daemon_domain(nagios, `, privmail')
etcdir_domain(nagios)
-typealias nagios_etc_t alias etc_nagios_t;
logdir_domain(nagios)
allow nagios_t nagios_log_t:fifo_file create_file_perms;
diff --git a/strict/domains/program/unused/nessusd.te b/strict/domains/program/unused/nessusd.te
index e0f71fd..65d89e1 100644
--- a/strict/domains/program/unused/nessusd.te
+++ b/strict/domains/program/unused/nessusd.te
@@ -13,16 +13,15 @@
daemon_domain(nessusd)
etc_domain(nessusd)
-typealias nessusd_etc_t alias etc_nessusd_t;
type nessusd_db_t, file_type, sysadmfile;
-type nessus_port_t, port_type;
allow nessusd_t nessus_port_t:tcp_socket name_bind;
#tmp_domain(nessusd)
# Use the network.
can_network(nessusd_t)
+allow nessusd_t port_type:tcp_socket name_connect;
can_ypbind(nessusd_t)
allow nessusd_t self:unix_stream_socket create_socket_perms;
#allow nessusd_t self:unix_dgram_socket create_socket_perms;
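Review bot: `allow nessusd_t port_type:tcp_socket name_connect;` permits connections to every labeled port, which is the widest possible name_connect grant. For a vulnerability scanner that is the expected scope, but a comment saying so (`# scanner must reach arbitrary ports`) would stop the next reader from narrowing it. The same blanket grant is added in this commit to nsd_crond_t (nsd.te), nx_server_t (nx_server.te), imapd_t (uwimapd.te) and watchdog_t (watchdog.te), where the peers are far more predictable and a specific port type would be the better least-privilege choice; none of those four hunks says which service the domain needs to reach.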
diff --git a/strict/domains/program/unused/nsd.te b/strict/domains/program/unused/nsd.te
index 2711cdd..2aa35c5 100644
--- a/strict/domains/program/unused/nsd.te
+++ b/strict/domains/program/unused/nsd.te
@@ -20,6 +20,7 @@ type nsd_crond_t, domain, privlog;
role system_r types nsd_crond_t;
uses_shlib(nsd_crond_t)
can_network_client(nsd_crond_t)
+allow nsd_crond_t port_type:tcp_socket name_connect;
can_ypbind(nsd_crond_t)
allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
allow nsd_crond_t self:process { fork signal_perms };
diff --git a/strict/domains/program/unused/nx_server.te b/strict/domains/program/unused/nx_server.te
new file mode 100644
index 0000000..a6e723a
--- /dev/null
+++ b/strict/domains/program/unused/nx_server.te
@@ -0,0 +1,70 @@
+# DESC NX - NX Server
+#
+# Author: Thomas Bleher
+#
+# Depends: sshd.te
+#
+
+# Type for the nxserver executable, called from ssh
+type nx_server_exec_t, file_type, sysadmfile, exec_type;
+
+# type of the nxserver; userdomain is needed so sshd can transition
+type nx_server_t, domain, userdomain;
+
+# we need an extra role because nxserver is called from sshd
+role nx_server_r types nx_server_t;
+allow system_r nx_server_r;
+domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
+
+# not really sure if the additional attributes are needed, copied from userdomains
+can_create_pty(nx_server, `, userpty_type, user_tty_type')
+type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
+
+uses_shlib(nx_server_t)
+read_locale(nx_server_t)
+
+tmp_domain(nx_server)
+var_run_domain(nx_server)
+
+# nxserver is a shell script --> call other programs
+can_exec(nx_server_t, { bin_t shell_exec_t })
+allow nx_server_t self:process { fork sigchld };
+allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t bin_t:dir { getattr read search };
+allow nx_server_t bin_t:lnk_file read;
+
+r_dir_file(nx_server_t, proc_t)
+allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
+
+# we do not actually need this attribute or the types defined here,
+# but otherwise we cannot call the ssh_domain-macro
+attribute nx_server_file_type;
+type nx_server_home_dir_t alias nx_server_home_t;
+type nx_server_xauth_home_t;
+type nx_server_tty_device_t;
+type nx_server_gph_t;
+type nx_server_fonts_cache_t;
+type nx_server_fonts_t;
+type nx_server_fonts_config_t;
+type nx_server_gnome_settings_t;
+
+ssh_domain(nx_server)
+
+can_network_client(nx_server_t)
+allow nx_server_t port_type:tcp_socket name_connect;
+
+allow nx_server_t devtty_t:chr_file { read write };
+allow nx_server_t sysctl_kernel_t:dir search;
+allow nx_server_t sysctl_kernel_t:file { getattr read };
+allow nx_server_t urandom_device_t:chr_file read;
+# for reading the config files; maybe a separate type,
+# but users need to be able to also read the config
+allow nx_server_t usr_t:file { getattr read };
+
+dontaudit nx_server_t selinux_config_t:dir search;
+
+# clients already have create permissions; the nxclient wants to also have unlink rights
+allow userdomain xdm_tmp_t:sock_file unlink;
+# for a lockfile created by the client process
+allow nx_server_t user_tmpfile:file getattr;
+
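Review bot: `allow userdomain xdm_tmp_t:sock_file unlink;` is not scoped to nx_server_t: it extends unlink on xdm_tmp_t sockets to every domain carrying the userdomain attribute, and it lives in a file that is only built when nx_server is enabled, so the permission set of unrelated user domains silently depends on this module. If the nxclient really runs in the invoking user's domain, say so in the comment (`# nxclient runs in the invoking userdomain, not nx_server_t`) and consider moving the rule next to the other xdm_tmp_t userdomain rules. Separately, `type nx_server_t, domain, userdomain;` gives the server every userdomain-wide rule; the preceding comment says this is needed so sshd can transition, but that is far more than a transition target requires, and I cannot verify from this hunk what sshd.te actually keys on — if a narrower attribute satisfies it, prefer that.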
diff --git a/strict/domains/program/unused/openvpn.te b/strict/domains/program/unused/openvpn.te
index 241c8f2..0ab1317 100644
--- a/strict/domains/program/unused/openvpn.te
+++ b/strict/domains/program/unused/openvpn.te
@@ -8,8 +8,6 @@
daemon_domain(openvpn)
etcdir_domain(openvpn)
-type openvpn_port_t, port_type;
-
allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
diff --git a/strict/domains/program/unused/orbit.te b/strict/domains/program/unused/orbit.te
new file mode 100644
index 0000000..dad353b
--- /dev/null
+++ b/strict/domains/program/unused/orbit.te
@@ -0,0 +1,7 @@
+#
+# ORBit related types
+#
+# Author: Ivan Gyurdiev
+#
+
+# Look in orbit_macros.te
diff --git a/strict/domains/program/unused/perdition.te b/strict/domains/program/unused/perdition.te
index c75a8e9..b95cb75 100644
--- a/strict/domains/program/unused/perdition.te
+++ b/strict/domains/program/unused/perdition.te
@@ -13,7 +13,6 @@ daemon_domain(perdition)
allow perdition_t pop_port_t:tcp_socket name_bind;
etc_domain(perdition)
-typealias perdition_etc_t alias etc_perdition_t;
# Use the network.
can_network_server(perdition_t)
diff --git a/strict/domains/program/unused/portslave.te b/strict/domains/program/unused/portslave.te
index a70597f..55dfad6 100644
--- a/strict/domains/program/unused/portslave.te
+++ b/strict/domains/program/unused/portslave.te
@@ -79,7 +79,7 @@ allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
allow portslave_t ttyfile:chr_file rw_file_perms;
-rw_dir_create_file(portslave_t, var_lock_t)
+lock_domain(portslave)
can_exec(portslave_t, pppd_exec_t)
allow portslave_t { bin_t sbin_t }:dir search;
allow portslave_t bin_t:lnk_file read;
diff --git a/strict/domains/program/unused/postgrey.te b/strict/domains/program/unused/postgrey.te
index 5176665..f60e67b 100644
--- a/strict/domains/program/unused/postgrey.te
+++ b/strict/domains/program/unused/postgrey.te
@@ -3,14 +3,12 @@
# Author: Russell Coker
# X-Debian-Packages: postgrey
-type postgrey_port_t, port_type;
-
daemon_domain(postgrey)
allow postgrey_t urandom_device_t:chr_file { getattr read };
# for perl
-allow postgrey_t sbin_t:dir search;
+allow postgrey_t { bin_t sbin_t }:dir { getattr search };
allow postgrey_t usr_t:{ file lnk_file } { getattr read };
dontaudit postgrey_t usr_t:file ioctl;
diff --git a/strict/domains/program/unused/publicfile.te b/strict/domains/program/unused/publicfile.te
new file mode 100644
index 0000000..b6a206b
--- /dev/null
+++ b/strict/domains/program/unused/publicfile.te
@@ -0,0 +1,25 @@
+#DESC Publicfile - HTTP and FTP file services
+# http://cr.yp.to/publicfile.html
+#
+# Author: petre rodan
+#
+# this policy depends on ucspi-tcp
+#
+
+daemon_domain(publicfile)
+type publicfile_content_t, file_type, sysadmfile;
+domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
+
+ifdef(`ucspi-tcp.te', `
+domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
+allow publicfile_t utcpserver_t:tcp_socket { read write };
+allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
+')
+
+allow publicfile_t initrc_t:tcp_socket { read write };
+
+allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
+
+r_dir_file(publicfile_t, publicfile_content_t)
+
+
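Review bot: `allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;` grants a permission to utcpserver_t from inside publicfile.te, so the bind rights of the tcpserver domain change depending on which optional modules are present; the matching qmail case in ucspi-tcp.te keeps the `smtp_port_t` bind inside ucspi-tcp.te itself, and this rule would be more discoverable there under an `ifdef(`publicfile.te', ...)` block. The capability set `{ dac_override setgid setuid sys_chroot }` deserves a comment on why dac_override is needed after the chroot and the setuid drop — if it is only for reading the content tree, `r_dir_file(publicfile_t, publicfile_content_t)` already covers that. `domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)` also looks redundant if `daemon_domain(publicfile)` already sets up the initrc transition, as the other daemon_domain users in this diff declare no such rule; I cannot see the macro, so confirm.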
diff --git a/strict/domains/program/unused/pump.te b/strict/domains/program/unused/pump.te
deleted file mode 100644
index e69de29..0000000
--- a/strict/domains/program/unused/pump.te
+++ /dev/null
diff --git a/strict/domains/program/unused/pxe.te b/strict/domains/program/unused/pxe.te
index 27d39d2..1515593 100644
--- a/strict/domains/program/unused/pxe.te
+++ b/strict/domains/program/unused/pxe.te
@@ -10,7 +10,6 @@
#
daemon_domain(pxe)
-type pxe_port_t, port_type;
allow pxe_t pxe_port_t:udp_socket name_bind;
allow pxe_t etc_t:file { getattr read };
diff --git a/strict/domains/program/unused/pyzor.te b/strict/domains/program/unused/pyzor.te
new file mode 100644
index 0000000..b0629ad
--- /dev/null
+++ b/strict/domains/program/unused/pyzor.te
@@ -0,0 +1,57 @@
+#
+# Pyzor - Pyzor is a collaborative, networked system to detect and
+# block spam using identifying digests of messages.
+#
+# Author: David Hampton
+#
+
+# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
+# Pyzor normally dumps everything into $HOME/.pyzor. By putting the
+# following line to the spamassassin config file:
+#
+# pyzor_options --homedir /etc/pyzor
+#
+# the various files will be put into appropriate directories.
+# (I.E. The log file into /var/log, etc.) This policy will work
+# either way.
+
+##########
+# pyzor daemon
+##########
+daemon_domain(pyzord, `, privlog, nscd_client_domain')
+pyzor_base_domain(pyzord)
+allow pyzord_t pyzor_port_t:udp_socket name_bind;
+home_domain_access(pyzord_t, sysadm, pyzor)
+log_domain(pyzord)
+
+# Read shared daemon/client config file
+r_dir_file(pyzord_t, pyzor_etc_t)
+
+# Write shared daemon/client data dir
+allow pyzord_t var_lib_t:dir search;
+create_dir_file(pyzord_t, pyzor_var_lib_t)
+
+##########
+# Pyzor query application - from system_r applictions
+##########
+type pyzor_t, domain, privlog, daemon;
+type pyzor_exec_t, file_type, sysadmfile, exec_type;
+role system_r types pyzor_t;
+
+pyzor_base_domain(pyzor)
+
+# System config/data files
+etcdir_domain(pyzor)
+var_lib_domain(pyzor)
+
+##########
+##########
+
+#
+# Some spam filters executes the pyzor code directly. Allow them access here.
+#
+ifdef(`spamd.te',`
+domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
+# pyzor needs access to the email spamassassin is checking
+allow pyzor_t spamd_tmp_t:file r_file_perms;
+')
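Review bot: `domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);` carries a trailing `;` that no other macro invocation in the file has; macro calls expand to complete statements, so the semicolon is at best a stray empty statement and may be rejected by the policy parser — drop it. The same stray semicolons appear in razor.te (`create_dir_file(razor_t, razor_etc_t);` and the two `ifdef(...)';` lines at its end). Two documentation points as well: `applictions` should be `applications` (also in razor.te), and `home_domain_access(pyzord_t, sysadm, pyzor)` would benefit from a one-line comment saying which files under the sysadm home the daemon needs, since a network daemon reading beneath an administrator's home directory is unusual enough to warrant justification.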
diff --git a/strict/domains/program/unused/qmail.te b/strict/domains/program/unused/qmail.te
index b93321b..6c51cd7 100644
--- a/strict/domains/program/unused/qmail.te
+++ b/strict/domains/program/unused/qmail.te
@@ -10,7 +10,6 @@
type qmail_var_run_t, file_type, sysadmfile, pidfile;
type qmail_etc_t, file_type, sysadmfile;
-typealias qmail_etc_t alias etc_qmail_t;
allow inetd_t smtp_port_t:tcp_socket name_bind;
@@ -83,7 +82,7 @@ allow qmail_rspawn_t self:fifo_file read;
allow qmail_rspawn_t { bin_t sbin_t }:dir search;
qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file read;
+allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
can_network_server(qmail_remote_t)
can_ypbind(qmail_remote_t)
allow qmail_remote_t qmail_spool_t:dir search;
@@ -97,10 +96,10 @@ allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
# privhome will do until we get a separate maildir type
qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file read;
+allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
allow qmail_local_t self:process { fork signal_perms };
domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file read;
+allow qmail_local_t qmail_queue_exec_t:file { getattr read };
allow qmail_local_t qmail_spool_t:file { ioctl read };
allow qmail_local_t self:fifo_file write;
allow qmail_local_t sbin_t:dir search;
@@ -129,7 +128,7 @@ can_network_server(qmail_tcp_env_t)
can_ypbind(qmail_tcp_env_t)
qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
can_network_server(qmail_smtpd_t)
can_ypbind(qmail_smtpd_t)
allow qmail_smtpd_t inetd_t:fd use;
@@ -140,7 +139,7 @@ allow qmail_smtpd_t self:fifo_file write;
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
allow qmail_smtpd_t sbin_t:dir search;
domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file read;
+allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
allow qmail_inject_t self:process { fork signal_perms };
@@ -159,7 +158,7 @@ allow qmail_qread_t privfd:fd use;
qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
role sysadm_r types qmail_queue_t;
in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file read;
+allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
rw_dir_create_file(qmail_queue_t, qmail_spool_t)
allow qmail_queue_t qmail_spool_t:fifo_file { read write };
allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
@@ -172,10 +171,10 @@ allow qmail_queue_t inetd_t:tcp_socket { read write };
allow qmail_queue_t sysadm_t:fd use;
allow qmail_queue_t sysadm_t:fifo_file write;
-allow user_crond_t qmail_etc_t:dir search;
-allow user_crond_t qmail_etc_t:file read;
+allow user_crond_domain qmail_etc_t:dir search;
+allow user_crond_domain qmail_etc_t:file { getattr read };
-qmaild_sub_domain(user_crond_t, qmail_serialmail)
+qmaild_sub_domain(user_crond_domain, qmail_serialmail)
in_user_role(qmail_serialmail_t)
can_network_server(qmail_serialmail_t)
can_ypbind(qmail_serialmail_t)
diff --git a/strict/domains/program/unused/razor.te b/strict/domains/program/unused/razor.te
new file mode 100644
index 0000000..e88bb49
--- /dev/null
+++ b/strict/domains/program/unused/razor.te
@@ -0,0 +1,53 @@
+#
+# Razor - Vipul's Razor is a distributed, collaborative, spam
+# detection and filtering network.
+#
+# Author: David Hampton
+#
+
+# NOTE: This policy will work with either the ATrpms provided config
+# file in /etc/razor, or with the default of dumping everything into
+# $HOME/.razor.
+
+##########
+# Razor query application - from system_r applictions
+##########
+type razor_t, domain, privlog, daemon;
+type razor_exec_t, file_type, sysadmfile, exec_type;
+role system_r types razor_t;
+
+razor_base_domain(razor)
+
+# Razor config file directory. When invoked as razor-admin, it can
+# update files in this directory.
+etcdir_domain(razor)
+create_dir_file(razor_t, razor_etc_t);
+
+# Shared razor files updated freuently
+var_lib_domain(razor)
+
+# Log files
+log_domain(razor)
+allow razor_t var_log_t:dir search;
+ifdef(`logrotate.te', `
+allow logrotate_t razor_log_t:file r_file_perms;
+')
+
+##########
+##########
+
+#
+# Some spam filters executes the razor code directly. Allow them access here.
+#
+define(`razor_access',`
+r_dir_file($1, razor_etc_t)
+allow $1 var_log_t:dir search;
+allow $1 razor_log_t:file ra_file_perms;
+r_dir_file($1, razor_var_lib_t)
+r_dir_file($1, sysadm_razor_home_t)
+can_network_client_tcp($1, razor_port_t)
+allow $1 razor_port_t:tcp_socket name_connect;
+')
+
+ifdef(`spamd.te', `razor_access(spamd_t)');
+ifdef(`amavis.te', `razor_access(amavisd_t)');
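Review bot: Inside the `razor_access` macro, `can_network_client_tcp($1, razor_port_t)` is immediately followed by `allow $1 razor_port_t:tcp_socket name_connect;`; if the macro already grants name_connect on its port argument the second line is redundant, and if it does not, a comment saying why both are needed would help the reader. The macro also hands spamd_t and amavisd_t read access to `sysadm_razor_home_t`, i.e. daemons read beneath the administrator's home directory; the NOTE at the top explains the $HOME/.razor default, but the grant itself deserves a comment, and it only resolves if that type is declared by `razor_base_domain` — I cannot see that macro here. `freuently` in the var_lib comment should be `frequently`.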
diff --git a/strict/domains/program/unused/rdisc.te b/strict/domains/program/unused/rdisc.te
new file mode 100644
index 0000000..79331fa
--- /dev/null
+++ b/strict/domains/program/unused/rdisc.te
@@ -0,0 +1,13 @@
+#DESC rdisc - network router discovery daemon
+#
+# Author: Russell Coker
+
+daemon_base_domain(rdisc)
+allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
+allow rdisc_t self:rawip_socket create_socket_perms;
+allow rdisc_t self:udp_socket create_socket_perms;
+allow rdisc_t self:capability net_raw;
+
+can_network_udp(rdisc_t)
+
+allow rdisc_t etc_t:file { getattr read };
diff --git a/strict/domains/program/unused/snort.te b/strict/domains/program/unused/snort.te
index d0ddd69..24188f6 100644
--- a/strict/domains/program/unused/snort.te
+++ b/strict/domains/program/unused/snort.te
@@ -28,6 +28,6 @@ allow snort_t self:unix_dgram_socket create_socket_perms;
allow snort_t self:unix_stream_socket create_socket_perms;
# for start script
-allow initrc_t snort_etc_t:file read;
+allow initrc_t snort_etc_t:file { getattr read };
-dontaudit snort_t { etc_runtime_t proc_t }:file read;
+dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --git a/strict/domains/program/unused/sound-server.te b/strict/domains/program/unused/sound-server.te
index 09894f0..c84a1fa 100644
--- a/strict/domains/program/unused/sound-server.te
+++ b/strict/domains/program/unused/sound-server.te
@@ -11,7 +11,6 @@
#
daemon_domain(soundd)
-type soundd_port_t, port_type;
allow soundd_t soundd_port_t:tcp_socket name_bind;
type etc_soundd_t, file_type, sysadmfile;
diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te
index c827eae..3397b0b 100644
--- a/strict/domains/program/unused/sxid.te
+++ b/strict/domains/program/unused/sxid.te
@@ -31,7 +31,7 @@ allow sxid_t file_type:notdevfile_class_set getattr;
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
allow sxid_t ttyfile:chr_file getattr;
allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file read;
+allow sxid_t sysadmfile:file { getattr read };
allow sxid_t fs_type:dir { getattr read search };
# Use the network.
diff --git a/strict/domains/program/unused/thunderbird.te b/strict/domains/program/unused/thunderbird.te
new file mode 100644
index 0000000..c640f87
--- /dev/null
+++ b/strict/domains/program/unused/thunderbird.te
@@ -0,0 +1,10 @@
+# DESC - Thunderbird
+#
+# Author: Ivan Gyurdiev
+#
+
+# Type for executables
+type thunderbird_exec_t, file_type, exec_type, sysadmfile;
+
+# Everything else is in macros/thunderbird_macros.te
+bool disable_thunderbird_trans false;
diff --git a/strict/domains/program/unused/tinydns.te b/strict/domains/program/unused/tinydns.te
index a8c101a..a911b89 100644
--- a/strict/domains/program/unused/tinydns.te
+++ b/strict/domains/program/unused/tinydns.te
@@ -36,7 +36,7 @@ allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
can_udp_send(domain, tinydns_t)
can_udp_send(tinydns_t, domain)
# tinydns itself doesn't do zone transfers
-# so we don't need to have it tcp_connect
+# so we do not need to have it tcp_connect
#read configuration files
r_dir_file(tinydns_t, tinydns_conf_t)
diff --git a/strict/domains/program/unused/transproxy.te b/strict/domains/program/unused/transproxy.te
index fb0710f..e34b804 100644
--- a/strict/domains/program/unused/transproxy.te
+++ b/strict/domains/program/unused/transproxy.te
@@ -12,8 +12,6 @@
#
daemon_domain(transproxy)
-type transproxy_port_t, port_type;
-
# Use the network.
can_network_server_tcp(transproxy_t)
allow transproxy_t transproxy_port_t:tcp_socket name_bind;
diff --git a/strict/domains/program/unused/tripwire.te b/strict/domains/program/unused/tripwire.te
new file mode 100644
index 0000000..9ee61e8
--- /dev/null
+++ b/strict/domains/program/unused/tripwire.te
@@ -0,0 +1,139 @@
+# DESC tripwire
+#
+# Author: David Hampton
+#
+
+# NOTE: Tripwire creates temp file in its current working directory.
+# This policy does not allow write access to home directories, so
+# users will need to either cd to a directory where they have write
+# permission, or set the TEMPDIRECTORY variable in the tripwire config
+# file. The latter is preferable, as then the file_type_auto_trans
+# rules will kick in and label the files as private to tripwire.
+
+
+# Common definitions
+type tripwire_report_t, file_type, sysadmfile;
+etcdir_domain(tripwire)
+var_lib_domain(tripwire)
+tmp_domain(tripwire)
+
+
+# Macro for defining tripwire domains
+define(`tripwire_domain',`
+application_domain($1, `, auth')
+role system_r types $1_t;
+
+# Allow access to common tripwire files
+allow $1_t tripwire_etc_t:file r_file_perms;
+allow $1_t tripwire_etc_t:dir r_dir_perms;
+allow $1_t tripwire_etc_t:lnk_file { getattr read };
+file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
+allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
+file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
+
+allow $1_t self:process { fork sigchld };
+allow $1_t self:capability { setgid setuid dac_override };
+
+# Tripwire needs to read all files on the system
+general_proc_read_access($1_t)
+allow $1_t file_type:dir { search getattr read};
+allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
+allow $1_t file_type:fifo_file { getattr };
+allow $1_t device_type:file { getattr read };
+allow $1_t sysctl_t:dir { getattr read };
+allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
+
+# Tripwire report files
+create_dir_file($1_t, tripwire_report_t)
+
+# gethostid()?
+allow $1_t self:unix_stream_socket { connect create };
+
+# Running editor program (tripwire forks then runs bash which rins editor)
+can_exec($1_t, shell_exec_t)
+can_exec($1_t, bin_t)
+uses_shlib($1_t)
+
+allow $1_t self:dir search;
+allow $1_t self:file { getattr read };
+')
+
+
+##########
+##########
+
+#
+# When run by a user
+#
+tripwire_domain(`tripwire')
+
+# Running from the command line
+allow tripwire_t devpts_t:dir search;
+allow tripwire_t devtty_t:chr_file { read write };
+allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
+allow tripwire_t privfd:fd use;
+
+
+##########
+##########
+
+#
+# When run from cron
+#
+tripwire_domain(`tripwire_crond')
+system_crond_entry(tripwire_exec_t, tripwire_crond_t)
+domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
+
+# Tripwire uses a temp file in the root home directory
+#create_dir_file(tripwire_crond_t, root_t)
+
+
+##########
+# Twadmin
+##########
+application_domain(twadmin)
+read_locale(twadmin_t)
+create_dir_file(twadmin_t, tripwire_etc_t)
+
+allow twadmin_t sysadm_tmp_t:file { getattr read write };
+
+# Running from the command line
+allow twadmin_t sshd_t:fd use;
+allow twadmin_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit twadmin_t { bin_t sbin_t }:dir search;
+dontaudit twadmin_t home_root_t:dir search;
+dontaudit twprint_t user_home_dir_t:dir search;
+
+
+##########
+# Twprint
+##########
+application_domain(twprint)
+read_locale(twprint_t)
+r_dir_file(twprint_t, tripwire_etc_t)
+allow twprint_t { var_t var_lib_t }:dir search;
+r_dir_file(twprint_t, tripwire_var_lib_t)
+r_dir_file(twprint_t, tripwire_report_t)
+
+# Running from the command line
+allow twprint_t sshd_t:fd use;
+allow twprint_t admin_tty_type:chr_file rw_file_perms;
+
+dontaudit twprint_t { bin_t sbin_t }:dir search;
+dontaudit twprint_t home_root_t:dir search;
+
+
+##########
+# Siggen
+##########
+application_domain(siggen, `, auth')
+read_locale(siggen_t)
+
+# Need permission to read files
+allow siggen_t file_type:dir { search getattr read};
+allow siggen_t file_type:file {getattr read};
+
+# Running from the command line
+allow siggen_t sshd_t:fd use;
+allow siggen_t admin_tty_type:chr_file rw_file_perms;
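Review bot: In the 'When run from cron' section, `domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)` transitions crond_t into the interactive tripwire_t domain, not the tripwire_crond_t domain that `tripwire_domain(`tripwire_crond')` and `system_crond_entry(tripwire_exec_t, tripwire_crond_t)` set up directly above it; unless crond_t is intentionally treated differently from system_crond_t, this looks like it should target tripwire_crond_t, otherwise the cron domain is never entered. `dontaudit twprint_t user_home_dir_t:dir search;` sits in the Twadmin section among twadmin_t rules and belongs with the other twprint_t dontaudits in the Twprint section. Typo in the editor comment: `rins` should be `runs`.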
diff --git a/strict/domains/program/unused/ucspi-tcp.te b/strict/domains/program/unused/ucspi-tcp.te
new file mode 100644
index 0000000..b2eeb5c
--- /dev/null
+++ b/strict/domains/program/unused/ucspi-tcp.te
@@ -0,0 +1,49 @@
+#DESC ucspi-tcp - TCP Server and Client Tools
+#
+# Author Petre Rodan
+# Andy Dustman (rblsmtp-related policy)
+#
+
+# http://cr.yp.to/ucspi-tcp.html
+
+daemon_base_domain(utcpserver)
+can_network(utcpserver_t)
+
+allow utcpserver_t etc_t:file r_file_perms;
+allow utcpserver_t { bin_t sbin_t var_t }:dir search;
+
+allow utcpserver_t self:capability { net_bind_service setgid setuid };
+allow utcpserver_t self:fifo_file { read write };
+allow utcpserver_t self:process { fork sigchld };
+
+allow utcpserver_t port_t:udp_socket name_bind;
+
+ifdef(`qmail.te', `
+domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow utcpserver_t smtp_port_t:tcp_socket name_bind;
+allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
+allow utcpserver_t qmail_etc_t:dir r_dir_perms;
+allow utcpserver_t qmail_etc_t:file r_file_perms;
+')
+
+daemon_base_domain(rblsmtpd)
+can_network(rblsmtpd_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+allow rblsmtpd_t etc_t:file r_file_perms;
+allow rblsmtpd_t { bin_t var_t }:dir search;
+allow rblsmtpd_t port_t:udp_socket name_bind;
+allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
+
+ifdef(`qmail.te', `
+domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow qmail_queue_t rblsmtpd_t:fd use;
+')
+
+ifdef(`daemontools.te', `
+svc_ipc_domain(rblsmtpd_t)
+')
+
+domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
+
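Review bot: `allow utcpserver_t port_t:udp_socket name_bind;` and the matching rblsmtpd_t rule let TCP-serving daemons bind UDP sockets to any generic port_t port, and nothing in the file says why; if it is for resolver lookups, sends from an ephemeral port normally need no name_bind and the rule could be dropped, and if a fixed source port is required a comment should say so (`# bind UDP source port for DNS lookups`). Outside the qmail ifdef, utcpserver_t has no TCP name_bind at all, so the served ports are granted by consumer modules (publicfile.te in this commit adds ftp/http); a comment stating that bind rights are granted per consumer module would make the design explicit. The header line `# Author Petre Rodan` is missing the colon used by every other file in this diff.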
diff --git a/strict/domains/program/unused/uml_net.te b/strict/domains/program/unused/uml_net.te
index 63ae6b7..da3fe34 100644
--- a/strict/domains/program/unused/uml_net.te
+++ b/strict/domains/program/unused/uml_net.te
@@ -15,7 +15,7 @@ allow uml_net_t self:udp_socket { create ioctl };
uses_shlib(uml_net_t)
allow uml_net_t devtty_t:chr_file { read write };
allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file read;
+allow uml_net_t etc_t:file { getattr read };
allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
allow uml_net_t proc_t:file { getattr read };
diff --git a/strict/domains/program/unused/uptimed.te b/strict/domains/program/unused/uptimed.te
index c4bd79e..0c9b1c7 100644
--- a/strict/domains/program/unused/uptimed.te
+++ b/strict/domains/program/unused/uptimed.te
@@ -10,7 +10,6 @@
# General Types
#
-type etc_uptimed_t, file_type, sysadmfile;
type uptimed_spool_t, file_type, sysadmfile;
#################################
@@ -18,8 +17,10 @@ type uptimed_spool_t, file_type, sysadmfile;
# Rules for the uptimed_t domain.
#
daemon_domain(uptimed, `,privmail')
+etc_domain(uptimed)
+typealias uptimed_etc_t alias etc_uptimed_t;
file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
-allow uptimed_t { etc_uptimed_t proc_t }:file { getattr read };
+allow uptimed_t proc_t:file { getattr read };
read_locale(uptimed_t)
allow uptimed_t uptimed_spool_t:file create_file_perms;
allow uptimed_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/unused/uucpd.te b/strict/domains/program/unused/uucpd.te
new file mode 100644
index 0000000..05791bd
--- /dev/null
+++ b/strict/domains/program/unused/uucpd.te
@@ -0,0 +1,24 @@
+#DESC uucpd - UUCP file transfer daemon
+#
+# Author: Dan Walsh
+#
+# Depends: inetd.te
+
+#################################
+#
+# Rules for the uucpd_t domain.
+#
+# uucpd_exec_t is the type of the uucpd executable.
+#
+
+inetd_child_domain(uucpd, tcp)
+type uucpd_rw_t, file_type, sysadmfile;
+type uucpd_ro_t, file_type, sysadmfile;
+type uucpd_spool_t, file_type, sysadmfile;
+create_dir_file(uucpd_t, uucpd_rw_t)
+r_dir_file(uucpd_t, uucpd_ro_t)
+allow uucpd_t sbin_t:dir search;
+can_exec(uucpd_t, sbin_t)
+logdir_domain(uucpd)
+allow uucpd_t var_spool_t:dir search;
+create_dir_file(uucpd_t, uucpd_spool_t)
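Review bot: `can_exec(uucpd_t, sbin_t)` lets the inetd-spawned daemon run any sbin_t binary inside uucpd_t, carrying uucpd's write access to uucpd_rw_t and uucpd_spool_t into whatever it executes; if only specific helpers are meant, a comment naming them (`# runs uucico and friends from sbin_t`) or a dedicated exec type would keep the grant reviewable. Since `inetd_child_domain(uucpd, tcp)` is the only network-related rule here, the file is correct only if that macro covers the accepted socket; I cannot see the macro, so confirm rather than assume.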
diff --git a/strict/domains/program/unused/uwimapd.te b/strict/domains/program/unused/uwimapd.te
index 7274d38..f1f5831 100644
--- a/strict/domains/program/unused/uwimapd.te
+++ b/strict/domains/program/unused/uwimapd.te
@@ -9,6 +9,7 @@ daemon_domain(imapd, `, auth_chkpwd, privhome')
tmp_domain(imapd)
can_network_server_tcp(imapd_t)
+allow imapd_t port_type:tcp_socket name_connect;
#declare our own services
allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --git a/strict/domains/program/unused/watchdog.te b/strict/domains/program/unused/watchdog.te
index 2693382..01ceea8 100644
--- a/strict/domains/program/unused/watchdog.te
+++ b/strict/domains/program/unused/watchdog.te
@@ -12,6 +12,8 @@
daemon_domain(watchdog, `, privmail')
type watchdog_device_t, device_type, dev_fs;
+allow watchdog_t self:process setsched;
+
log_domain(watchdog)
allow watchdog_t etc_t:file r_file_perms;
@@ -24,6 +26,7 @@ allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
can_network(watchdog_t)
+allow watchdog_t port_type:tcp_socket name_connect;
can_ypbind(watchdog_t)
allow watchdog_t bin_t:dir search;
allow watchdog_t bin_t:lnk_file read;
diff --git a/strict/domains/program/unused/yam.te b/strict/domains/program/unused/yam.te
new file mode 100644
index 0000000..da85a8c
--- /dev/null
+++ b/strict/domains/program/unused/yam.te
@@ -0,0 +1,149 @@
+# DESC yam - Yum/Apt Mirroring
+#
+# Author: David Hampton
+#
+
+
+#
+# Yam downloads lots of files, indexes them, and makes them available
+# for upload. Define a type for these file.
+#
+type yam_content_t, file_type, sysadmfile, httpdcontent;
+
+
+#
+# Common definitions used by both the command line and the cron
+# invocation of yam.
+#
+define(`yam_common',`
+
+# Update the content being managed by yam.
+create_dir_file($1_t, yam_content_t)
+
+# Content can also be on ISO image files.
+r_dir_file($1_t, iso9660_t)
+
+# Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+allow $1_t var_t:dir { getattr search };
+allow $1_t httpd_sys_content_t:dir { getattr search };
+
+# Allow access to locale database, nsswitch, and mtab
+read_locale($1_t)
+allow $1_t etc_t:file { getattr read };
+allow $1_t etc_runtime_t:file { getattr read };
+
+# Python seems to need things from various places
+allow $1_t { bin_t sbin_t }:dir { search getattr };
+allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
+allow $1_t bin_t:lnk_file read;
+
+# Python works fine without reading /proc/meminfo
+dontaudit $1_t proc_t:dir search;
+dontaudit $1_t proc_t:file { getattr read };
+
+# Yam wants to run rsync, lftp, mount, and a shell. Allow the latter
+# two here. Run rsync and lftp in the yam_t context so that we dont
+# have to give any other programs write access to the yam_t files.
+general_domain_access($1_t)
+can_exec($1_t, shell_exec_t)
+can_exec($1_t, rsync_exec_t)
+can_exec($1_t, bin_t)
+can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
+ifdef(`mount.te', `
+domain_auto_trans($1_t, mount_exec_t, mount_t)
+')
+
+# Rsync and lftp need to network. They also set files attributes to
+# match whats on the remote server.
+can_network_client($1_t)
+allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
+allow $1_t self:capability { chown fowner fsetid dac_override };
+allow $1_t self:process execmem;
+
+# access to sysctl_kernel_t ( proc/sys/kernel/* )
+read_sysctl($1_t)
+
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+allow $1_t var_t:file { getattr read write };
+allow $1_t var_t:dir read;
+# mktemp
+allow $1_t urandom_device_t:chr_file read;
+# mv
+allow $1_t proc_t:lnk_file read;
+allow $1_t selinux_config_t:dir search;
+allow $1_t selinux_config_t:file { getattr read };
+')
+
+
+##########
+##########
+
+#
+# Runnig yam from the command line
+#
+application_domain(yam, `, nscd_client_domain')
+role system_r types yam_t;
+yam_common(yam)
+etc_domain(yam)
+tmp_domain(yam)
+
+# Terminal access
+allow yam_t devpts_t:dir search;
+allow yam_t devtty_t:chr_file { read write };
+allow yam_t sshd_t:fd use;
+allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+
+# Reading dotfiles...
+allow yam_t sysadm_home_dir_t:dir search; # /root
+allow yam_t sysadm_home_t:dir search; # /root/xxx
+allow yam_t home_root_t:dir search; # /home
+allow yam_t user_home_dir_t:dir r_dir_perms; # /home/user
+
+
+##########
+##########
+
+#
+# Running yam from cron
+#
+application_domain(yam_crond, `, nscd_client_domain')
+role system_r types yam_crond_t;
+ifdef(`crond.te', `
+system_crond_entry(yam_exec_t, yam_crond_t)
+')
+
+yam_common(yam_crond)
+allow yam_crond_t yam_etc_t:file r_file_perms;
+file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
+
+allow yam_crond_t devtty_t:chr_file { read write };
+
+# Reading dotfiles...
+# LFTP uses a directory for its dotfiles
+allow yam_crond_t default_t:dir search;
+
+# Don't know why init tries to read this.
+allow initrc_t yam_etc_t:file { getattr read };
+
+
+##########
+##########
+
+# The whole point of this program is to make updates available on a
+# local web server. Allow apache access to these files.
+ifdef(`apache.te', `
+r_dir_file(httpd_t, yam_content_t)
+')
+
+ifdef(`webalizer.te', `
+dontaudit webalizer_t yam_content_t:dir search;
+')
+
+# Mount needs access to the yam directories in order to mount the ISO
+# files on a loobpack file system.
+ifdef(`mount.te', `
+allow mount_t yam_content_t:dir mounton;
+allow mount_t yam_content_t:file { read write };
+')
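Review bot: `allow $1_t self:process execmem;` inside yam_common, together with `can_exec($1_t, bin_t)` and `can_exec($1_t, usr_t)`, gives both yam_t and yam_crond_t executable anonymous memory plus the ability to run most system binaries in their own domain, and `allow $1_t var_t:file { getattr read write };` grants write on every generically labelled file under /var; the comments justify these only loosely ("Python seems to need things from various places"). If execmem is really required, the comment should name the component that triggers it so the grant can be revisited, and since the var_t write is attributed to genpkglist's temp files in /var/cache/apt/genpkglist, a dedicated type for that directory would be the narrower fix. `allow initrc_t yam_etc_t:file { getattr read };` carries the comment "Don't know why init tries to read this." — an allow rule of unknown cause is better investigated or left as a dontaudit before merging. Comment typos: "Runnig", "loobpack", "dont", "whats".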
diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te
index 4ba342e..b2fff63 100644
--- a/strict/domains/program/vpnc.te
+++ b/strict/domains/program/vpnc.te
@@ -10,12 +10,15 @@
# vpnc_t is the domain for the vpnc program.
# vpnc_exec_t is the type of the vpnc executable.
#
-daemon_domain(vpnc)
+daemon_domain(vpnc, `, sysctl_net_writer')
allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
# Use the network.
can_network(vpnc_t)
+allow vpnc_t port_type:tcp_socket name_connect;
+allow vpnc_t isakmp_port_t:udp_socket name_bind;
+
can_ypbind(vpnc_t)
allow vpnc_t self:socket create_socket_perms;
@@ -28,14 +31,21 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
allow vpnc_t port_t:udp_socket name_bind;
allow vpnc_t etc_runtime_t:file { getattr read };
allow vpnc_t proc_t:file { getattr read };
dontaudit vpnc_t selinux_config_t:dir search;
can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
allow vpnc_t sysctl_net_t:dir search;
+allow vpnc_t sysctl_net_t:file write;
allow vpnc_t sbin_t:dir search;
allow vpnc_t bin_t:dir search;
allow vpnc_t bin_t:lnk_file read;
r_dir_file(vpnc_t, proc_net_t)
+tmp_domain(vpnc)
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:file { getattr read };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
+allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
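Review bot: `allow vpnc_t etc_t:file { execute execute_no_trans ioctl };` on the last added line lets the daemon execute any file labelled etc_t in its own domain; if what vpnc actually runs is one specific helper script, labelling that script with its own exec type and using can_exec on it would avoid the blanket grant, and a comment should at least say which file this is for. `allow vpnc_t sysctl_net_t:file write;` looks redundant with the `sysctl_net_writer` attribute added to daemon_domain in the first hunk, assuming that attribute grants sysctl_net_t write; worth confirming and dropping one. `file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)` gives vpnc_t create rights in etc_t directories, which deserves a comment naming the file it writes.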
diff --git a/strict/domains/program/webalizer.te b/strict/domains/program/webalizer.te
index 73b1902..381f68b 100644
--- a/strict/domains/program/webalizer.te
+++ b/strict/domains/program/webalizer.te
@@ -4,7 +4,7 @@
#
# Depends: apache.te
-application_domain(webalizer)
+application_domain(webalizer, `, nscd_client_domain')
# to use from cron
system_crond_entry(webalizer_exec_t,webalizer_t)
role system_r types webalizer_t;
diff --git a/strict/domains/program/winbind.te b/strict/domains/program/winbind.te
index 36cef3e..aca9174 100644
--- a/strict/domains/program/winbind.te
+++ b/strict/domains/program/winbind.te
@@ -8,18 +8,22 @@
# Declarations for winbind
#
-daemon_domain(winbind, `, privhome, auth_chkpwd')
+daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
log_domain(winbind)
+tmp_domain(winbind)
allow winbind_t etc_t:file r_file_perms;
allow winbind_t etc_t:lnk_file read;
can_network(winbind_t)
+allow winbind_t smbd_port_t:tcp_socket name_connect;
+can_resolve(winbind_t)
+
ifdef(`samba.te', `', `
type samba_etc_t, file_type, sysadmfile, usercanread;
type samba_log_t, file_type, sysadmfile, logfile;
type samba_var_t, file_type, sysadmfile;
type samba_secrets_t, file_type, sysadmfile;
')
-rw_dir_file(winbind_t, samba_etc_t)
+file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
rw_dir_create_file(winbind_t, samba_log_t)
allow winbind_t samba_secrets_t:file rw_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
@@ -27,7 +31,19 @@ allow winbind_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_t urandom_device_t:chr_file { getattr read };
allow winbind_t self:fifo_file { read write };
rw_dir_create_file(winbind_t, samba_var_t)
-allow winbind_t krb5_conf_t:file { getattr read };
-dontaudit winbind_t krb5_conf_t:file { write };
+can_kerberos(winbind_t)
allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
allow winbind_t winbind_var_run_t:sock_file create_file_perms;
+allow initrc_t winbind_var_run_t:file r_file_perms;
+
+application_domain(winbind_helper, `, nscd_client_domain')
+role system_r types winbind_helper_t;
+access_terminal(winbind_helper_t, sysadm)
+read_locale(winbind_helper_t)
+r_dir_file(winbind_helper_t, samba_etc_t)
+r_dir_file(winbind_t, samba_etc_t)
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
+can_winbind(winbind_helper_t)
+allow winbind_helper_t privfd:fd use;
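Review bot: `r_dir_file(winbind_t, samba_etc_t)` at the end of the added winbind_helper_t block is a winbind_t rule placed among the helper's rules; it restores the read side of the `rw_dir_file(winbind_t, samba_etc_t)` that the first hunk replaced with `file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)`, so it belongs next to that line. `allow winbind_helper_t privfd:fd use;` and `access_terminal(winbind_helper_t, sysadm)` suggest the helper is invoked interactively by an administrator, but no domain transition into winbind_helper_t is visible in this hunk; if it is defined elsewhere a comment naming where would help, and if it is not, the domain is unreachable. A short header comment for winbind_helper_t (which binary, who runs it) would match the "Declarations for winbind" style of the file.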
diff --git a/strict/domains/program/xauth.te b/strict/domains/program/xauth.te
index 020aa8d..6382d77 100644
--- a/strict/domains/program/xauth.te
+++ b/strict/domains/program/xauth.te
@@ -9,7 +9,5 @@
#
type xauth_exec_t, file_type, sysadmfile, exec_type;
-file_type_auto_trans(sysadm_xauth_t, staff_home_dir_t, staff_home_xauth_t)
-
# Everything else is in the xauth_domain macro in
# macros/program/xauth_macros.te.
diff --git a/strict/domains/program/xdm.te b/strict/domains/program/xdm.te
index 4b116e4..3e9dba6 100644
--- a/strict/domains/program/xdm.te
+++ b/strict/domains/program/xdm.te
@@ -46,6 +46,7 @@ allow xdm_t default_context_t:dir search;
allow xdm_t default_context_t:{ file lnk_file } { read getattr };
can_network(xdm_t)
+allow xdm_t port_type:tcp_socket name_connect;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:fifo_file rw_file_perms;
@@ -77,7 +78,7 @@ domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file read;
+allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
allow xdm_xserver_t unpriv_userdomain:fd use;
@@ -95,7 +96,7 @@ domain_trans(xdm_t, xsession_exec_t, sysadm_t)
allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
allow sysadm_t xdm_xserver_t:shm r_shm_perms;
allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file read;
+allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
allow xdm_xserver_t sysadm_t:fd use;
}
@@ -144,7 +145,7 @@ allow xdm_t self:shm create_shm_perms;
allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file read;
+allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
@@ -176,8 +177,8 @@ tmpfs_domain(xdm)
# perhaps define derived types.
allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
allow xdm_t var_lib_t:file { create write unlink };
-allow xdm_t var_lock_t:dir { write search add_name remove_name };
-allow xdm_t var_lock_t:file { create write unlink };
+
+lock_domain(xdm)
# Connect to xfs.
ifdef(`xfs.te', `
@@ -224,7 +225,9 @@ dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
allow xdm_t usr_t:{ lnk_file file } { getattr read };
-r_dir_file(xdm_t, fonts_t)
+
+# Read fonts
+read_fonts(xdm_t)
# Do not audit attempts to write to index files under /usr
dontaudit xdm_t usr_t:file write;
@@ -259,14 +262,13 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
# Run xkbcomp.
allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t var_lib_xkb_t:lnk_file read;
-can_exec(xdm_xserver_t, var_lib_xkb_t)
+allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xdm_xserver_t, xkb_var_lib_t)
# Insert video drivers.
allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file read;
+allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
-allow insmod_t xdm_t:fd use;
allow insmod_t xserver_log_t:file write;
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
@@ -276,6 +278,11 @@ allow xdm_xserver_t proc_t:dir { search read };
# Search /var/run.
allow xdm_xserver_t var_run_t:dir search;
+# FIXME: After per user fonts are properly working
+# xdm_xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+
# Search home directories.
allow xdm_xserver_t user_home_type:dir search;
allow xdm_xserver_t user_home_type:file { getattr read };
@@ -297,6 +304,16 @@ can_exec(xdm_t, cifs_t)
allow xdm_t user_home_dir_type:dir { getattr search };
allow xdm_t user_home_type:file { getattr read };
+ifdef(`support_polyinstatiation', `
+# xdm_t can polyinstantiate
+polyinstantiater(xdm_t)
+# xdm needs access for linking .X11-unix to poly /tmp
+allow xdm_t polymember:dir { add_name remove_name write };
+allow xdm_t polymember:lnk_file { create unlink };
+# xdm needs access for copying .Xauthority into new home
+allow xdm_t polymember:file { create getattr write };
+')
+
allow xdm_t mnt_t:dir { getattr read search };
#
# Wants to delete .xsession-errors file
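Review bot: the macro name in the added `ifdef` is spelled `support_polyinstatiation` (missing an "n"); if the define that enables this feature elsewhere in the policy is spelled "polyinstantiation", m4 will silently never expand this block and the polyinstantiater(xdm_t) rules are dead. An ifdef typo produces no build error, so the defining name should be grepped for before merging. The enclosing ifdef block is fully inside the hunk.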
@@ -306,34 +323,37 @@ allow xdm_t user_home_type:file unlink;
# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
#
ifdef(`pam.te', `
-dontaudit pam_t xdm_t:fd use;
allow xdm_t pam_var_run_t:dir create_dir_perms;
allow xdm_t pam_var_run_t:file create_file_perms;
allow pam_t xdm_t:fifo_file { getattr ioctl write };
+domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
can_exec(xdm_t, pam_exec_t)
# For pam_console
rw_dir_create_file(xdm_t, pam_var_console_t)
')
-allow xdm_t var_log_t:file read;
+# Pamconsole/alsa
+ifdef(`alsa.te', `
+domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
+') dnl ifdef
+
+allow xdm_t var_log_t:file { getattr read };
allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
allow xdm_t self:process setrlimit;
allow xdm_t wtmp_t:file { getattr read };
domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
#
-# Poweroff wants to create the /root/poweroff directory when run from xdm
-# Seems to work without it.
+# Poweroff wants to create the /poweroff file when run from xdm
#
-dontaudit xdm_t root_t:dir { add_name write };
-dontaudit xdm_t root_t:file create;
+file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
+
#
# xdm tries to bind to biff_port_t
#
dontaudit xdm_t port_type:tcp_socket name_bind;
# VNC v4 module in X server
-type vnc_port_t, port_type;
allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
ifdef(`crack.te', `
allow xdm_t crack_db_t:file r_file_perms;
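Review bot: `file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)` replaces two dontaudit rules with a real grant that lets xdm_t create files directly in a root_t directory and label them etc_runtime_t; the comment says this is for the /poweroff file, which is a coarse place for a display manager to be writing. If the rule stays, the comment should state that the grant was chosen over dontaudit because poweroff actually needs the file to exist. The removed `type vnc_port_t, port_type;` is presumably moved to a shared port declaration; if it is not, `allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;` on the next line will fail to compile.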
@@ -342,3 +362,12 @@ r_dir_file(xdm_t, selinux_config_t)
# Run telinit->init to shutdown.
can_exec(xdm_t, init_exec_t)
+allow xdm_t self:sem create_sem_perms;
+
+# Allow gdm to run gdm-binary
+can_exec(xdm_t, xdm_exec_t)
+
+# Supress permission check on .ICE-unix
+dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+
+#### Also see xdm_macros.te
diff --git a/strict/domains/program/xserver.te b/strict/domains/program/xserver.te
index 7cfce4c..cc2c493 100644
--- a/strict/domains/program/xserver.te
+++ b/strict/domains/program/xserver.te
@@ -11,11 +11,10 @@ type xserver_exec_t, file_type, sysadmfile, exec_type;
type xserver_log_t, file_type, sysadmfile, logfile;
# type for /var/lib/xkb
-type var_lib_xkb_t, file_type, sysadmfile, usercanread;
-
-# Allow the xserver to check for fonts in ~/.gnome or ~/.kde
-bool allow_xserver_home_fonts false;
+type xkb_var_lib_t, file_type, sysadmfile, usercanread;
+typealias xkb_var_lib_t alias var_lib_xkb_t;
# Everything else is in the xserver_domain macro in
# macros/program/xserver_macros.te.
+allow initrc_t xserver_log_t:fifo_file { read write };
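Review bot: the removed `bool allow_xserver_home_fonts false;` has no matching change in this hunk, and the file's own comment points to macros/program/xserver_macros.te for the rest of the domain; if that macro file still references the boolean the policy will fail to build on an undeclared bool, so the reference should be checked (or the removal called out in the commit message). `allow initrc_t xserver_log_t:fifo_file { read write };` is appended after the "Everything else is in the xserver_domain macro" comment, which now reads as false; move the rule above the comment and add a note on why initrc needs a fifo with that label. `typealias xkb_var_lib_t alias var_lib_xkb_t;` keeps old file contexts working, which is good.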
diff --git a/strict/domains/program/ypbind.te b/strict/domains/program/ypbind.te
index 605afd1..ed7c3f8 100644
--- a/strict/domains/program/ypbind.te
+++ b/strict/domains/program/ypbind.te
@@ -20,6 +20,7 @@ dontaudit ypbind_t self:capability net_admin;
# Use the network.
can_network(ypbind_t)
+allow ypbind_t port_type:tcp_socket name_connect;
allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
allow ypbind_t self:fifo_file rw_file_perms;
diff --git a/strict/domains/program/zebra.te b/strict/domains/program/zebra.te
index 12ef473..640c621 100644
--- a/strict/domains/program/zebra.te
+++ b/strict/domains/program/zebra.te
@@ -3,7 +3,6 @@
# Author: Russell Coker
# X-Debian-Packages: zebra
#
-type zebra_port_t, port_type;
daemon_domain(zebra, `, sysctl_net_writer')
type zebra_conf_t, file_type, sysadmfile;
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
index 2de04ab..6df147c 100644
--- a/strict/file_contexts/distros.fc
+++ b/strict/file_contexts/distros.fc
@@ -35,8 +35,7 @@ ifdef(`distro_redhat', `
/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
-/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
-/usr/share/ssl/private(/.*)? system_u:object_r:cert_t
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
#
# /emul/ia32-linux/usr
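Review bot: the two removed lines drop the cert_t labels for /usr/share/ssl/certs and /usr/share/ssl/private, while the added /etc/rhgb entry is unrelated to the surrounding texmf/ssl lines; nothing in this hunk relabels the ssl directories, so unless those paths are covered elsewhere the private-key directory falls back to whatever a parent rule gives it, and any domain relying on cert_t to reach it loses that access. If the paths moved to another .fc file, the commit message should say so; if they were dropped because the directory no longer exists on the target distro, a comment saying so is still worth adding. The /etc/rhgb entry would read better grouped with other /etc entries rather than between ssl lines.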
@@ -69,7 +68,7 @@ ifdef(`dbusd.te', `', `
# Some of them should be fixed and removed from this list
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
+# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
@@ -85,23 +84,22 @@ ifdef(`dbusd.te', `', `
/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/libpthread\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgpreload_addrcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgpreload_memcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_addrcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_cachegrind\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_callgrind\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_corecheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_helgrind\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_lackey\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_massif\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_memcheck\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vgskin_none\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ooo-.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
+/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
+/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
+
# Fedora Extras packages: ladspa, imlib2, ocaml
/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
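Review bot: `/usr/lib/.*/program(/.*)? system_u:object_r:bin_t` labels everything under any `/usr/lib/*/program` directory, subdirectories included, as bin_t, which is much wider than the per-file `ooo-.*` entries it replaces and will catch unrelated packages that happen to have a `program` directory; constraining the pattern to the openoffice prefix the removed lines used keeps the change local. The block also mixes `/usr/lib/` and `/usr/lib(64)?/` for the same program directory, so the librecentfile/libsvx680li/libcomphelp4gcc3 entries match 64-bit installs while libicudata/libsts645li/libvclplug_gen645li/libwrp645li/libswd680li do not; use one form consistently. `/usr/lib/valgrind/hp2ps` and `stage2` appear to be executables rather than shared objects; if texrel_shlib_t is really needed there, a comment explaining why would help.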
@@ -123,6 +121,8 @@ ifdef(`dbusd.te', `', `
/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
@@ -140,7 +140,16 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
+
+# Java, Sun Microsystems (JPackage SRPM)
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
')
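Review bot: `/usr/lib/libdivxdecore.so.0` and `/usr/lib/libdivxencore.so.0` leave the dots unescaped, unlike every other entry in this file (`\.so`), so they match any character in those positions; `/usr/.*/jre/lib/i386/libdeploy.so` has the same problem. Harmless in practice but inconsistent with the file's convention of precise patterns — write `libdivxdecore\.so\.0` and `libdeploy\.so`. The Reader plug-in entries sit under the "Java, Sun Microsystems" heading, which is misleading; give them their own comment line.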
ifdef(`distro_suse', `
diff --git a/strict/file_contexts/program/NetworkManager.fc b/strict/file_contexts/program/NetworkManager.fc
new file mode 100644
index 0000000..99ea03d
--- /dev/null
+++ b/strict/file_contexts/program/NetworkManager.fc
@@ -0,0 +1,2 @@
+# NetworkManager
+/usr/bin/NetworkManager -- system_u:object_r:NetworkManager_exec_t
diff --git a/strict/file_contexts/program/afs.fc b/strict/file_contexts/program/afs.fc
new file mode 100644
index 0000000..fb49f33
--- /dev/null
+++ b/strict/file_contexts/program/afs.fc
@@ -0,0 +1,20 @@
+# afs
+/usr/afs/bin/bosserver -- system_u:object_r:afs_bosserver_exec_t
+/usr/afs/bin/kaserver -- system_u:object_r:afs_kaserver_exec_t
+/usr/afs/bin/vlserver -- system_u:object_r:afs_vlserver_exec_t
+/usr/afs/bin/ptserver -- system_u:object_r:afs_ptserver_exec_t
+/usr/afs/bin/fileserver -- system_u:object_r:afs_fsserver_exec_t
+/usr/afs/bin/volserver -- system_u:object_r:afs_fsserver_exec_t
+/usr/afs/bin/salvager -- system_u:object_r:afs_fsserver_exec_t
+
+/usr/afs/logs(/.*)? system_u:object_r:afs_logfile_t
+/usr/afs/etc(/.*)? system_u:object_r:afs_config_t
+/usr/afs/local(/.*)? system_u:object_r:afs_config_t
+/usr/afs/db -d system_u:object_r:afs_dbdir_t
+/usr/afs/db/pr.* -- system_u:object_r:afs_pt_db_t
+/usr/afs/db/ka.* -- system_u:object_r:afs_ka_db_t
+/usr/afs/db/vl.* -- system_u:object_r:afs_vl_db_t
+
+/vicepa system_u:object_r:afs_files_t
+/vicepb system_u:object_r:afs_files_t
+/vicepc system_u:object_r:afs_files_t
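Review bot: `/vicepa system_u:object_r:afs_files_t` (and vicepb, vicepc) has no `(/.*)?` suffix, so only the mount-point directory itself gets afs_files_t and nothing beneath it; if the intent is that the fileserver's volume data is labelled, `/vicep[a-z](/.*)? system_u:object_r:afs_files_t` covers the contents and further partitions without editing the file. Likewise `/usr/afs/db -d` labels only the directory while the `pr.*`/`ka.*`/`vl.*` entries cover specific files, so anything else created in db falls through to a parent rule; a comment saying that is intentional would help. The rest of the new file is consistent.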
diff --git a/strict/file_contexts/program/alsa.fc b/strict/file_contexts/program/alsa.fc
new file mode 100644
index 0000000..837b071
--- /dev/null
+++ b/strict/file_contexts/program/alsa.fc
@@ -0,0 +1,3 @@
+#DESC ainit - configuration tool for ALSA
+/usr/bin/ainit -- system_u:object_r:alsa_exec_t
+/etc/alsa/pcm(/.*)? system_u:object_r:alsa_etc_rw_t
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
index 258ff2b..69fecd7 100644
--- a/strict/file_contexts/program/bluetooth.fc
+++ b/strict/file_contexts/program/bluetooth.fc
@@ -4,4 +4,5 @@
/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
-/var/run/sdp -- system_u:object_r:bluetooth_var_run_t
+/var/run/sdp -s system_u:object_r:bluetooth_var_run_t
+/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
diff --git a/strict/file_contexts/program/bonobo.fc b/strict/file_contexts/program/bonobo.fc
new file mode 100644
index 0000000..9c27b25
--- /dev/null
+++ b/strict/file_contexts/program/bonobo.fc
@@ -0,0 +1 @@
+/usr/libexec/bonobo-activation-server -- system_u:object_r:bonobo_exec_t
diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc
index f08b276..4262e05 100644
--- a/strict/file_contexts/program/clamav.fc
+++ b/strict/file_contexts/program/clamav.fc
@@ -6,7 +6,10 @@
/var/lib/clamav(/.*)? system_u:object_r:clamav_var_lib_t
/var/log/clam-update\.log -- system_u:object_r:freshclam_log_t
/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl -s system_u:object_r:clamd_var_run_t
+/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
+/var/log/clamav/clamd\.log.* -- system_u:object_r:clamd_log_t
+/var/log/clamav/freshclam\.log.* -- system_u:object_r:freshclam_log_t
+/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
-/var/log/clamav(/.*)? system_u:object_r:freshclam_log_t
/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
+/var/run/clamav/clamd.sock -s system_u:object_r:clamd_sock_t
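Review bot: `/var/run/clamav/clamd.sock -s` leaves the dot unescaped while the neighbouring entries use `clamd\.ctl` and `clamd\.pid`; write `clamd\.sock` for consistency. Moving `/var/log/clamav(/.*)?` above the more specific `clamd\.log`/`freshclam\.log` entries is the right order under last-match semantics. The relabel of the control socket from clamd_var_run_t to clamd_sock_t introduces a type that must be declared on the .te side of this commit; worth confirming.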
diff --git a/strict/file_contexts/program/clockspeed.fc b/strict/file_contexts/program/clockspeed.fc
new file mode 100644
index 0000000..e00cd56
--- /dev/null
+++ b/strict/file_contexts/program/clockspeed.fc
@@ -0,0 +1,11 @@
+# clockspeed
+/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t
+/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t
+/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t
+/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t
+/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t
+/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t
+/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t
+
+/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t
+
diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc
index 2395746..d4c1eb2 100644
--- a/strict/file_contexts/program/cups.fc
+++ b/strict/file_contexts/program/cups.fc
@@ -17,6 +17,7 @@
/etc/printcap.* -- system_u:object_r:cupsd_rw_etc_t
/usr/lib(64)?/cups/backend/.* -- system_u:object_r:cupsd_exec_t
/usr/lib(64)?/cups/daemon/.* -- system_u:object_r:cupsd_exec_t
+/usr/lib(64)?/cups/daemon/cups-lpd -- system_u:object_r:cupsd_lpd_exec_t
/usr/sbin/cupsd -- system_u:object_r:cupsd_exec_t
ifdef(`hald.te', `
# cupsd_config depends on hald
@@ -25,12 +26,20 @@ ifdef(`hald.te', `
/usr/sbin/printconf-backend -- system_u:object_r:cupsd_config_exec_t
')
/var/log/cups(/.*)? system_u:object_r:cupsd_log_t
+/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
/var/spool/cups(/.*)? system_u:object_r:print_spool_t
/var/run/cups/printcap -- system_u:object_r:cupsd_var_run_t
/usr/lib(64)?/cups/filter/.* -- system_u:object_r:bin_t
/usr/lib(64)?/cups/cgi-bin/.* -- system_u:object_r:bin_t
/usr/sbin/ptal-printd -- system_u:object_r:ptal_exec_t
/usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t
+/usr/sbin/ptal-photod -- system_u:object_r:ptal_exec_t
/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
+/etc/hp(/.*)? system_u:object_r:hplip_etc_t
+/usr/sbin/hpiod -- system_u:object_r:hplip_exec_t
+/usr/share/hplip/hpssd.py -- system_u:object_r:hplip_exec_t
/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t
+/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t
+/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t
+/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t
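Review bot: `/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t` pairs a directory-tree pattern with the `--` (regular file only) qualifier, so the /var/cache/foomatic directory and any subdirectories keep whatever label a parent rule gives them while only plain files get cupsd_rw_etc_t; the other tree patterns in this file (`/var/log/cups(/.*)?`, `/etc/hp(/.*)?`) correctly omit the qualifier, so this one should too. The hplip entries introduce hplip_etc_t, hplip_exec_t and hplip_var_run_t, and cups-lpd introduces cupsd_lpd_exec_t; these need matching declarations in the .te side of the commit.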
diff --git a/strict/file_contexts/program/cvs.fc b/strict/file_contexts/program/cvs.fc
new file mode 100644
index 0000000..ce38032
--- /dev/null
+++ b/strict/file_contexts/program/cvs.fc
@@ -0,0 +1,2 @@
+# cvs program
+/usr/bin/cvs -- system_u:object_r:cvs_exec_t
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc
index 6129446..04b78be 100644
--- a/strict/file_contexts/program/cyrus.fc
+++ b/strict/file_contexts/program/cyrus.fc
@@ -2,3 +2,4 @@
/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t
/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t
/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t
+/var/spool/imap(/.*)? system_u:object_r:mail_spool_t
diff --git a/strict/file_contexts/program/daemontools.fc b/strict/file_contexts/program/daemontools.fc
new file mode 100644
index 0000000..c2642ed
--- /dev/null
+++ b/strict/file_contexts/program/daemontools.fc
@@ -0,0 +1,54 @@
+# daemontools
+
+/var/service/.* system_u:object_r:svc_svc_t
+
+# symlinks to /var/service/*
+/service(/.*)? system_u:object_r:svc_svc_t
+
+# supervise scripts
+/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t
+/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t
+
+# supervise init binaries
+# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
+/usr/bin/svc -- system_u:object_r:svc_start_exec_t
+/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
+/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
+/usr/bin/svok -- system_u:object_r:svc_start_exec_t
+/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
+
+# starting scripts
+/var/service/.*/run.* system_u:object_r:svc_run_exec_t
+/var/service/.*/log/run system_u:object_r:svc_run_exec_t
+
+# configurations
+/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t
+
+# log
+/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t
+
+# programs that impose a given environment to daemons
+/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t
+/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t
+/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t
+/usr/bin/envdir -- system_u:object_r:svc_run_exec_t
+/usr/bin/setlock -- system_u:object_r:svc_run_exec_t
+
+# helper programs
+/usr/bin/fghack -- system_u:object_r:svc_run_exec_t
+/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t
+
+/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t
+# daemontools logger # writes to service/*/log/main/ and /var/log/*/
+/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t
+
+/sbin/svcinit -- system_u:object_r:initrc_exec_t
+/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t
+
diff --git a/strict/file_contexts/program/dcc.fc b/strict/file_contexts/program/dcc.fc
new file mode 100644
index 0000000..a6b1372
--- /dev/null
+++ b/strict/file_contexts/program/dcc.fc
@@ -0,0 +1,17 @@
+# DCC
+/etc/dcc(/.*)? system_u:object_r:dcc_var_t
+/etc/dcc/map -- system_u:object_r:dcc_client_map_t
+/etc/dcc/dccifd -s system_u:object_r:dccifd_sock_t
+/usr/bin/cdcc system_u:object_r:cdcc_exec_t
+/usr/bin/dccproc system_u:object_r:dcc_client_exec_t
+/usr/libexec/dcc/dbclean system_u:object_r:dcc_dbclean_exec_t
+/usr/libexec/dcc/dccd system_u:object_r:dccd_exec_t
+/usr/libexec/dcc/dccifd system_u:object_r:dccifd_exec_t
+/usr/libexec/dcc/dccm system_u:object_r:dccm_exec_t
+/usr/libexec/dcc/start-.* system_u:object_r:dcc_script_exec_t
+/usr/libexec/dcc/stop-.* system_u:object_r:dcc_script_exec_t
+/var/dcc(/.*)? system_u:object_r:dcc_var_t
+/var/dcc/map -- system_u:object_r:dcc_client_map_t
+/var/run/dcc system_u:object_r:dcc_var_run_t
+/var/run/dcc/map -- system_u:object_r:dcc_client_map_t
+/var/run/dcc/dccifd -s system_u:object_r:dccifd_sock_t
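Review bot: the executable entries (`/usr/bin/cdcc`, `/usr/bin/dccproc`, the `/usr/libexec/dcc/` programs) have no `--` qualifier, so a directory or symlink at that path would also receive the exec type; the other .fc files in this commit mark binaries with `--`. `/var/run/dcc system_u:object_r:dcc_var_run_t` labels the directory only, while `/var/run/dcc/map` and `/var/run/dcc/dccifd` are listed individually, so any other file created there falls through to the generic /var/run rule; `/var/run/dcc(/.*)?` may be what is intended. The context column is also aligned unevenly compared with neighbouring files.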
diff --git a/strict/file_contexts/program/ddclient.fc b/strict/file_contexts/program/ddclient.fc
index ba003c9..83ee3d2 100644
--- a/strict/file_contexts/program/ddclient.fc
+++ b/strict/file_contexts/program/ddclient.fc
@@ -7,5 +7,5 @@
/usr/sbin/ddtcd -- system_u:object_r:ddclient_exec_t
/var/run/ddtcd\.pid -- system_u:object_r:ddclient_var_run_t
/etc/ddtcd\.conf -- system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)? system_u:object_r:var_lib_ddclient_t
+/var/lib/ddt-client(/.*)? system_u:object_r:ddclient_var_lib_t
/var/log/ddtcd\.log.* -- system_u:object_r:ddclient_log_t
diff --git a/strict/file_contexts/program/ddcprobe.fc b/strict/file_contexts/program/ddcprobe.fc
new file mode 100644
index 0000000..4313349
--- /dev/null
+++ b/strict/file_contexts/program/ddcprobe.fc
@@ -0,0 +1 @@
+/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t
diff --git a/strict/file_contexts/program/devfsd.fc b/strict/file_contexts/program/devfsd.fc
deleted file mode 100644
index 7587e2e..0000000
--- a/strict/file_contexts/program/devfsd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# devfsd
-/etc/devfs(/.*)? system_u:object_r:devfsd_etc_t
-/sbin/devfsd.* -- system_u:object_r:devfsd_exec_t
-/etc/init\.d/makedev -- system_u:object_r:devfsd_exec_t
diff --git a/strict/file_contexts/program/dictd.fc b/strict/file_contexts/program/dictd.fc
index 75e4493..0d97d0a 100644
--- a/strict/file_contexts/program/dictd.fc
+++ b/strict/file_contexts/program/dictd.fc
@@ -1,4 +1,4 @@
# dictd
/etc/dictd\.conf -- system_u:object_r:dictd_etc_t
/usr/sbin/dictd -- system_u:object_r:dictd_exec_t
-/var/lib/dictd(/.*)? system_u:object_r:var_lib_dictd_t
+/var/lib/dictd(/.*)? system_u:object_r:dictd_var_lib_t
diff --git a/strict/file_contexts/program/djbdns.fc b/strict/file_contexts/program/djbdns.fc
new file mode 100644
index 0000000..6174b9f
--- /dev/null
+++ b/strict/file_contexts/program/djbdns.fc
@@ -0,0 +1,26 @@
+#djbdns
+/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t
+/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t
+/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t
+
+/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t
+/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t
+/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t
+/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t
+/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t
+/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
+
+/var/tinydns(/.*)? system_u:object_r:svc_svc_t
+/var/tinydns/run -- system_u:object_r:svc_run_exec_t
+/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t
+/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t
+/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t
+/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t
+
+/var/axfrdns(/.*)? system_u:object_r:svc_svc_t
+/var/axfrdns/run -- system_u:object_r:svc_run_exec_t
+/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t
+/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t
+/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t
+/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t
+
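Review bot: The `log/main(/.*)?` directories of all three services are labelled with the generic var_log_t rather than a djbdns-specific log type, so the multilog writer for these services needs write access to the same type as every other log under /var/log. A dedicated log type per service, or one shared djbdns log type, would let the policy confine that writer to its own files. This is a design choice to confirm against the corresponding .te module, which is not part of this diff.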
diff --git a/strict/file_contexts/program/dmidecode.fc b/strict/file_contexts/program/dmidecode.fc
new file mode 100644
index 0000000..b5ce71b
--- /dev/null
+++ b/strict/file_contexts/program/dmidecode.fc
@@ -0,0 +1,4 @@
+# dmidecode
+/usr/sbin/dmidecode -- system_u:object_r:dmidecode_exec_t
+/usr/sbin/ownership -- system_u:object_r:dmidecode_exec_t
+/usr/sbin/vpddecode -- system_u:object_r:dmidecode_exec_t
diff --git a/strict/file_contexts/program/dovecot.fc b/strict/file_contexts/program/dovecot.fc
index 83fc652..75a65dd 100644
--- a/strict/file_contexts/program/dovecot.fc
+++ b/strict/file_contexts/program/dovecot.fc
@@ -1,4 +1,6 @@
# for Dovecot POP and IMAP server
+/etc/dovecot.conf.* system_u:object_r:dovecot_etc_t
+/etc/dovecot.passwd.* system_u:object_r:dovecot_passwd_t
/usr/sbin/dovecot -- system_u:object_r:dovecot_exec_t
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- system_u:object_r:dovecot_auth_exec_t
@@ -8,5 +10,7 @@ ifdef(`distro_debian', `
')
/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t
/usr/share/ssl/private/dovecot\.pem -- system_u:object_r:dovecot_cert_t
+/etc/pki/dovecot(/.*)? system_u:object_r:dovecot_cert_t
/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t
/usr/lib(64)?/dovecot/.+ -- system_u:object_r:bin_t
+/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t
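Review bot: The added `/etc/dovecot.conf.*` and `/etc/dovecot.passwd.*` patterns leave the dot unescaped, so as regexes they also match names such as `/etc/dovecotXpasswd`, while the rest of this file escapes literal dots (`dovecot\.pem`). Suggest `/etc/dovecot\.conf.*` and `/etc/dovecot\.passwd.* --`, the latter with the regular-file flag so a directory never receives the password type. The same unescaped literal dot appears in the new fontconfig.fc (`\.fonts.conf`, `\.fonts.cache-.*`), pyzor.fc (`pyzord.log`), razor.fc (`razor-agent.log`), yam.fc (`yam.conf`) and in the rpcd.fc replacement line `rpc.idmapd`.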
diff --git a/strict/file_contexts/program/dpkg.fc b/strict/file_contexts/program/dpkg.fc
index 44f0f2c..f0f56f6 100644
--- a/strict/file_contexts/program/dpkg.fc
+++ b/strict/file_contexts/program/dpkg.fc
@@ -32,7 +32,6 @@
/var/cache/debconf(/.*)? system_u:object_r:debconf_cache_t
/etc/dpkg/.+ -- system_u:object_r:dpkg_etc_t
/etc/menu-methods/.* -- system_u:object_r:install_menu_exec_t
-/etc/kde2/.+\.sh -- system_u:object_r:install_menu_exec_t
/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
/var/run/update-menus\.pid -- system_u:object_r:install_menu_var_run_t
/usr/share/dlint/digparse -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/ethereal.fc b/strict/file_contexts/program/ethereal.fc
new file mode 100644
index 0000000..abe9b02
--- /dev/null
+++ b/strict/file_contexts/program/ethereal.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t
+/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t
+HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t
diff --git a/strict/file_contexts/program/evolution.fc b/strict/file_contexts/program/evolution.fc
new file mode 100644
index 0000000..1a3bf38
--- /dev/null
+++ b/strict/file_contexts/program/evolution.fc
@@ -0,0 +1,8 @@
+/usr/bin/evolution.* -- system_u:object_r:evolution_exec_t
+/usr/libexec/evolution/.*evolution-alarm-notify.* -- system_u:object_r:evolution_alarm_exec_t
+/usr/libexec/evolution/.*evolution-exchange-storage.* -- system_u:object_r:evolution_exchange_exec_t
+/usr/libexec/evolution-data-server.* -- system_u:object_r:evolution_server_exec_t
+/usr/libexec/evolution-webcal.* -- system_u:object_r:evolution_webcal_exec_t
+HOME_DIR/\.evolution(/.*)? system_u:object_r:ROLE_evolution_home_t
+HOME_DIR/\.camel_certs(/.*)? system_u:object_r:ROLE_evolution_home_t
+/tmp/\.exchange-USER(/.*)? system_u:object_r:ROLE_evolution_exchange_tmp_t
diff --git a/strict/file_contexts/program/fetchmail.fc b/strict/file_contexts/program/fetchmail.fc
index fe0fd08..5186172 100644
--- a/strict/file_contexts/program/fetchmail.fc
+++ b/strict/file_contexts/program/fetchmail.fc
@@ -1,5 +1,5 @@
# fetchmail
/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t
/usr/bin/fetchmail -- system_u:object_r:fetchmail_exec_t
-/var/run/fetchmail(/.*)? -- system_u:object_r:fetchmail_var_run_t
+/var/run/fetchmail/.* -- system_u:object_r:fetchmail_var_run_t
/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t
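Review bot: Replacing `/var/run/fetchmail(/.*)? --` with `/var/run/fetchmail/.* --` is behaviour-preserving for regular files, but in both forms the `/var/run/fetchmail` directory itself is never matched, because the `--` flag restricts the entry to regular files, so the directory keeps the label of the generic /var/run entry. If the daemon is meant to create its pid file there, a companion entry such as `/var/run/fetchmail -d system_u:object_r:fetchmail_var_run_t` is needed for the directory to carry the type the domain is allowed to write. The same pattern change, with the same unlabelled parent directory, is made in openvpn.fc (`/etc/openvpn/.*`) and pppd.fc (`/var/log/ppp/.*`).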
diff --git a/strict/file_contexts/program/fontconfig.fc b/strict/file_contexts/program/fontconfig.fc
new file mode 100644
index 0000000..d8a8dc9
--- /dev/null
+++ b/strict/file_contexts/program/fontconfig.fc
@@ -0,0 +1,4 @@
+HOME_DIR/\.fonts.conf -- system_u:object_r:ROLE_fonts_config_t
+HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t
+HOME_DIR/\.fonts/auto(/.*)? system_u:object_r:ROLE_fonts_cache_t
+HOME_DIR/\.fonts.cache-.* -- system_u:object_r:ROLE_fonts_cache_t
diff --git a/strict/file_contexts/program/gconf.fc b/strict/file_contexts/program/gconf.fc
new file mode 100644
index 0000000..3ee63e0
--- /dev/null
+++ b/strict/file_contexts/program/gconf.fc
@@ -0,0 +1,5 @@
+/usr/libexec/gconfd-2 -- system_u:object_r:gconfd_exec_t
+/etc/gconf(/.*)? system_u:object_r:gconf_etc_t
+HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_gconfd_home_t
+HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_gconfd_home_t
+/tmp/gconfd-USER(/.*)? system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/strict/file_contexts/program/gnome.fc b/strict/file_contexts/program/gnome.fc
new file mode 100644
index 0000000..670c86f
--- /dev/null
+++ b/strict/file_contexts/program/gnome.fc
@@ -0,0 +1,8 @@
+# FIXME: add a lot more GNOME folders
+HOME_DIR/\.gnome(2)?(/.*)? system_u:object_r:ROLE_gnome_settings_t
+HOME_DIR/\.gnome(2)?_private(/.*)? system_u:object_r:ROLE_gnome_secret_t
+ifdef(`evolution.te', `
+HOME_DIR/\.gnome(2)?_private/Evolution -- system_u:object_r:ROLE_evolution_secret_t
+')
+HOME_DIR/\.gnome(2)?/share/fonts(/.*)? system_u:object_r:ROLE_fonts_t
+HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)? system_u:object_r:ROLE_fonts_t
diff --git a/strict/file_contexts/program/gnome_vfs.fc b/strict/file_contexts/program/gnome_vfs.fc
new file mode 100644
index 0000000..f945d59
--- /dev/null
+++ b/strict/file_contexts/program/gnome_vfs.fc
@@ -0,0 +1 @@
+/usr/libexec/gnome-vfs-daemon -- system_u:object_r:gnome_vfs_exec_t
diff --git a/strict/file_contexts/program/i18n_input.fc b/strict/file_contexts/program/i18n_input.fc
index 41379d0..5403e2b 100644
--- a/strict/file_contexts/program/i18n_input.fc
+++ b/strict/file_contexts/program/i18n_input.fc
@@ -1,7 +1,11 @@
# i18n_input.fc
/usr/sbin/htt -- system_u:object_r:i18n_input_exec_t
/usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t
+/usr/bin/iiimd\.bin -- system_u:object_r:i18n_input_exec_t
/usr/bin/httx -- system_u:object_r:i18n_input_exec_t
/usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t
+/usr/bin/iiimx -- system_u:object_r:i18n_input_exec_t
+/usr/lib/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t
/usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t
+/usr/lib(64)?/iiim/.*\.so.* -- system_u:object_r:shlib_t
/var/run/iiim(/.*)? system_u:object_r:i18n_input_var_run_t
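Review bot: `/usr/lib/iiim/iiim-xbe` is added without the `(64)?` alternative that the `/usr/lib(64)?/iiim/.*\.so.*` entry two lines below uses, so on a lib64 layout the helper binary would not receive i18n_input_exec_t. If the binary can live under lib64 as the shared objects can, `/usr/lib(64)?/iiim/iiim-xbe -- system_u:object_r:i18n_input_exec_t` keeps the two entries consistent.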
diff --git a/strict/file_contexts/program/irc.fc b/strict/file_contexts/program/irc.fc
index 5086de7..9f52efb 100644
--- a/strict/file_contexts/program/irc.fc
+++ b/strict/file_contexts/program/irc.fc
@@ -2,4 +2,4 @@
/usr/bin/[st]irc -- system_u:object_r:irc_exec_t
/usr/bin/ircII -- system_u:object_r:irc_exec_t
/usr/bin/tinyirc -- system_u:object_r:irc_exec_t
-HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_home_irc_t
+HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t
diff --git a/strict/file_contexts/program/kudzu.fc b/strict/file_contexts/program/kudzu.fc
index eed8191..c75870a 100644
--- a/strict/file_contexts/program/kudzu.fc
+++ b/strict/file_contexts/program/kudzu.fc
@@ -1,3 +1,4 @@
# kudzu
/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
/sbin/kmodule -- system_u:object_r:kudzu_exec_t
+/var/run/Xconfig -- root:object_r:kudzu_var_run_t
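Review bot: The added `/var/run/Xconfig` entry uses the SELinux user `root` while every other entry in this file, and in the rest of the diff, uses `system_u`. A file written by a system service is conventionally labelled with the system identity, and a user identity in a file-context entry only changes what restorecon assigns, not who may read the file. Unless the `root` identity is deliberate, `/var/run/Xconfig -- system_u:object_r:kudzu_var_run_t` matches the surrounding convention.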
diff --git a/strict/file_contexts/program/monopd.fc b/strict/file_contexts/program/monopd.fc
index 0c00ab6..457493e 100644
--- a/strict/file_contexts/program/monopd.fc
+++ b/strict/file_contexts/program/monopd.fc
@@ -1,4 +1,4 @@
# monopd
-/etc/monopd\.conf -- system_u:object_r:etc_monopd_t
+/etc/monopd\.conf -- system_u:object_r:monopd_etc_t
/usr/sbin/monopd -- system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)? system_u:object_r:share_monopd_t
+/usr/share/monopd/games(/.*)? system_u:object_r:monopd_share_t
diff --git a/strict/file_contexts/program/mozilla.fc b/strict/file_contexts/program/mozilla.fc
index 7a8c13c..2b533a6 100644
--- a/strict/file_contexts/program/mozilla.fc
+++ b/strict/file_contexts/program/mozilla.fc
@@ -3,10 +3,6 @@ HOME_DIR/\.galeon(/.*)? system_u:object_r:ROLE_mozilla_home_t
HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t
HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t
HOME_DIR/\.phoenix(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gconfd(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gconf(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.gnome2/epiphany(/.*)? system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/My.Downloads(/.*)? system_u:object_r:ROLE_mozilla_home_t
HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t
/usr/bin/netscape -- system_u:object_r:mozilla_exec_t
/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t
diff --git a/strict/file_contexts/program/mrtg.fc b/strict/file_contexts/program/mrtg.fc
index 9d00476..adfecff 100644
--- a/strict/file_contexts/program/mrtg.fc
+++ b/strict/file_contexts/program/mrtg.fc
@@ -1,6 +1,6 @@
# mrtg - traffic grapher
/usr/bin/mrtg -- system_u:object_r:mrtg_exec_t
-/var/lib/mrtg(/.*)? system_u:object_r:var_lib_mrtg_t
+/var/lib/mrtg(/.*)? system_u:object_r:mrtg_var_lib_t
/var/lock/mrtg(/.*)? system_u:object_r:mrtg_lock_t
/etc/mrtg.* system_u:object_r:mrtg_etc_t
/etc/mrtg/mrtg\.ok -- system_u:object_r:mrtg_lock_t
diff --git a/strict/file_contexts/program/nrpe.fc b/strict/file_contexts/program/nrpe.fc
index be74d33..6523cc3 100644
--- a/strict/file_contexts/program/nrpe.fc
+++ b/strict/file_contexts/program/nrpe.fc
@@ -2,6 +2,6 @@
/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
/etc/nagios/nrpe\.cfg -- system_u:object_r:nrpe_etc_t
ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t
+/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
+/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
')
diff --git a/strict/file_contexts/program/nx_server.fc b/strict/file_contexts/program/nx_server.fc
new file mode 100644
index 0000000..d993646
--- /dev/null
+++ b/strict/file_contexts/program/nx_server.fc
@@ -0,0 +1,5 @@
+# nx
+/opt/NX/bin/nxserver -- system_u:object_r:nx_server_exec_t
+/opt/NX/var(/.*)? system_u:object_r:nx_server_var_run_t
+/opt/NX/home/nx/\.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t
+
diff --git a/strict/file_contexts/program/openvpn.fc b/strict/file_contexts/program/openvpn.fc
index ba84de2..34b2992 100644
--- a/strict/file_contexts/program/openvpn.fc
+++ b/strict/file_contexts/program/openvpn.fc
@@ -1,4 +1,4 @@
# OpenVPN
-/etc/openvpn(/.*)? -- system_u:object_r:openvpn_etc_t
+/etc/openvpn/.* -- system_u:object_r:openvpn_etc_t
/usr/sbin/openvpn -- system_u:object_r:openvpn_exec_t
diff --git a/strict/file_contexts/program/orbit.fc b/strict/file_contexts/program/orbit.fc
new file mode 100644
index 0000000..4afbc83
--- /dev/null
+++ b/strict/file_contexts/program/orbit.fc
@@ -0,0 +1,3 @@
+/tmp/orbit-USER(-.*)? -d system_u:object_r:ROLE_orbit_tmp_t
+/tmp/orbit-USER(-.*)?/linc.* -s <>
+/tmp/orbit-USER(-.*)?/bonobo.* -- system_u:object_r:ROLE_orbit_tmp_t
diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc
index 08b3c69..2a5850b 100644
--- a/strict/file_contexts/program/postfix.fc
+++ b/strict/file_contexts/program/postfix.fc
@@ -2,20 +2,32 @@
/etc/postfix(/.*)? system_u:object_r:postfix_etc_t
ifdef(`distro_redhat', `
/etc/postfix/aliases.* system_u:object_r:etc_aliases_t
+/usr/libexec/postfix/.* -- system_u:object_r:postfix_exec_t
+/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
+/usr/libexec/postfix/local -- system_u:object_r:postfix_local_exec_t
+/usr/libexec/postfix/master -- system_u:object_r:postfix_master_exec_t
+/usr/libexec/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
+/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
+/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t
+/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
+/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
+/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
+/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
+', `
+/usr/lib/postfix/.* -- system_u:object_r:postfix_exec_t
+/usr/lib/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
+/usr/lib/postfix/local -- system_u:object_r:postfix_local_exec_t
+/usr/lib/postfix/master -- system_u:object_r:postfix_master_exec_t
+/usr/lib/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
+/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
+/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t
+/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
+/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
+/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
+/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
')
/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t
/etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t
-/usr/lib(exec)?/postfix/.* -- system_u:object_r:postfix_exec_t
-/usr/lib(exec)?/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
-/usr/lib(exec)?/postfix/local -- system_u:object_r:postfix_local_exec_t
-/usr/lib(exec)?/postfix/master -- system_u:object_r:postfix_master_exec_t
-/usr/lib(exec)?/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
-/usr/lib(exec)?/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
-/usr/lib(exec)?/postfix/showq -- system_u:object_r:postfix_showq_exec_t
-/usr/lib(exec)?/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
-/usr/lib(exec)?/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
-/usr/lib(exec)?/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
-/usr/lib(exec)?/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t
/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t
/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t
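Review bot: The redhat and non-redhat branches now carry eleven identical lines differing only in the `/usr/libexec` versus `/usr/lib` prefix, which is exactly the duplication the removed `/usr/lib(exec)?/postfix/...` form avoided. If the split is needed for a distro-specific layout, an m4 `define` of the directory prefix, chosen inside the existing `ifdef(`distro_redhat', ...)`, would let the per-daemon list be written once; otherwise the single `lib(exec)?` form is easier to keep in sync when a daemon is added. Whichever is chosen, a short comment explaining why the two layouts are handled separately would help the next editor.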
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
index 48e5b68..af9d512 100644
--- a/strict/file_contexts/program/pppd.fc
+++ b/strict/file_contexts/program/pppd.fc
@@ -1,17 +1,18 @@
# pppd
/usr/sbin/pppd -- system_u:object_r:pppd_exec_t
+/usr/sbin/pptp -- system_u:object_r:pptp_exec_t
/usr/sbin/ipppd -- system_u:object_r:pppd_exec_t
/dev/ppp -c system_u:object_r:ppp_device_t
/dev/pppox.* -c system_u:object_r:ppp_device_t
/dev/ippp.* -c system_u:object_r:ppp_device_t
-/var/run/pppd\.tdb -- system_u:object_r:pppd_var_run_t
+/var/run/pppd[0-9]*\.tdb -- system_u:object_r:pppd_var_run_t
/var/run/ppp(/.*)? system_u:object_r:pppd_var_run_t
/etc/ppp -d system_u:object_r:pppd_etc_t
/etc/ppp/.* -- system_u:object_r:pppd_etc_rw_t
/etc/ppp/.*secrets -- system_u:object_r:pppd_secret_t
/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t
/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
-/var/log/ppp(/.*)? -- system_u:object_r:pppd_log_t
+/var/log/ppp/.* -- system_u:object_r:pppd_log_t
/etc/ppp/ip-down.* -- system_u:object_r:bin_t
/etc/ppp/ip-up.* -- system_u:object_r:bin_t
/etc/ppp/ipv6-up -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/publicfile.fc b/strict/file_contexts/program/publicfile.fc
new file mode 100644
index 0000000..dc32249
--- /dev/null
+++ b/strict/file_contexts/program/publicfile.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t
+/usr/bin/httpd -- system_u:object_r:publicfile_exec_t
+/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t
+
+# this is the place where online content located
+# set this to suit your needs
+#/var/www(/.*)? system_u:object_r:publicfile_content_t
+
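Review bot: The commented-out `#/var/www(/.*)? system_u:object_r:publicfile_content_t` line invites an administrator to uncomment a pattern that relabels the whole of /var/www, a tree that other modules in this policy may already claim for the web server's own content types, so enabling it would silently relabel that content at the next relabel. The comment should say so explicitly, for example `# NOTE: enabling this overrides any other module's label for /var/www; prefer a dedicated content directory`. The preceding comment also reads better as `# this is where the published content is located`.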
diff --git a/strict/file_contexts/program/pump.fc b/strict/file_contexts/program/pump.fc
deleted file mode 100644
index e69de29..0000000
--- a/strict/file_contexts/program/pump.fc
+++ /dev/null
diff --git a/strict/file_contexts/program/pyzor.fc b/strict/file_contexts/program/pyzor.fc
new file mode 100644
index 0000000..ff62295
--- /dev/null
+++ b/strict/file_contexts/program/pyzor.fc
@@ -0,0 +1,6 @@
+/etc/pyzor(/.*)? system_u:object_r:pyzor_etc_t
+/usr/bin/pyzor -- system_u:object_r:pyzor_exec_t
+/usr/bin/pyzord -- system_u:object_r:pyzord_exec_t
+/var/lib/pyzord(/.*)? system_u:object_r:pyzor_var_lib_t
+/var/log/pyzord.log -- system_u:object_r:pyzord_log_t
+HOME_DIR/\.pyzor(/.*)? system_u:object_r:ROLE_pyzor_home_t
diff --git a/strict/file_contexts/program/razor.fc b/strict/file_contexts/program/razor.fc
new file mode 100644
index 0000000..f3f1346
--- /dev/null
+++ b/strict/file_contexts/program/razor.fc
@@ -0,0 +1,6 @@
+# razor
+/etc/razor(/.*)? system_u:object_r:razor_etc_t
+/usr/bin/razor.* system_u:object_r:razor_exec_t
+/var/lib/razor(/.*)? system_u:object_r:razor_var_lib_t
+/var/log/razor-agent.log system_u:object_r:razor_log_t
+HOME_DIR/\.razor(/.*)? system_u:object_r:ROLE_razor_home_t
diff --git a/strict/file_contexts/program/rdisc.fc b/strict/file_contexts/program/rdisc.fc
new file mode 100644
index 0000000..d3f9dcf
--- /dev/null
+++ b/strict/file_contexts/program/rdisc.fc
@@ -0,0 +1,2 @@
+# rdisc
+/sbin/rdisc system_u:object_r:rdisc_exec_t
diff --git a/strict/file_contexts/program/rhgb.fc b/strict/file_contexts/program/rhgb.fc
index 5f7e63e..118972e 100644
--- a/strict/file_contexts/program/rhgb.fc
+++ b/strict/file_contexts/program/rhgb.fc
@@ -1,2 +1 @@
/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
diff --git a/strict/file_contexts/program/rpcd.fc b/strict/file_contexts/program/rpcd.fc
index 7608974..60bb3f3 100644
--- a/strict/file_contexts/program/rpcd.fc
+++ b/strict/file_contexts/program/rpcd.fc
@@ -1,6 +1,6 @@
# RPC daemons
/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t
-/usr/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t
+/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t
/usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t
/usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t
/usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t
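Review bot: Replacing `/usr/sbin/rpc\..*` with `/usr/sbin/rpc.idmapd` narrows the match from every `rpc.*` helper in /usr/sbin to idmapd alone, so any other such helper installed there loses rpcd_exec_t unless an entry outside this hunk covers it. The `/sbin/rpc\..*` wildcard on the line above is kept, which suggests the narrowing of /usr/sbin is deliberate, but a comment in the file naming which daemons are intentionally excluded would make that intent visible to the next editor.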
@@ -9,3 +9,4 @@
/var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t
/var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t
/etc/exports -- system_u:object_r:exports_t
+
diff --git a/strict/file_contexts/program/screen.fc b/strict/file_contexts/program/screen.fc
index f1afcf0..0e6e78d 100644
--- a/strict/file_contexts/program/screen.fc
+++ b/strict/file_contexts/program/screen.fc
@@ -1,5 +1,5 @@
# screen
/usr/bin/screen -- system_u:object_r:screen_exec_t
HOME_DIR/\.screenrc -- system_u:object_r:ROLE_screen_ro_home_t
-/var/run/screen/S-[^/]+ -d system_u:object_r:screen_dir_t
-/var/run/screen/S-[^/]+/.* <>
+/var/run/screens?/S-[^/]+ -d system_u:object_r:screen_dir_t
+/var/run/screens?/S-[^/]+/.* <>
diff --git a/strict/file_contexts/program/slocate.fc b/strict/file_contexts/program/slocate.fc
index 85ea5a4..1796c77 100644
--- a/strict/file_contexts/program/slocate.fc
+++ b/strict/file_contexts/program/slocate.fc
@@ -1,4 +1,4 @@
# locate - file locater
/usr/bin/slocate -- system_u:object_r:locate_exec_t
-/var/lib/slocate(/.*)? system_u:object_r:var_lib_locate_t
+/var/lib/slocate(/.*)? system_u:object_r:locate_var_lib_t
/etc/updatedb\.conf -- system_u:object_r:locate_etc_t
diff --git a/strict/file_contexts/program/thunderbird.fc b/strict/file_contexts/program/thunderbird.fc
new file mode 100644
index 0000000..ca37346
--- /dev/null
+++ b/strict/file_contexts/program/thunderbird.fc
@@ -0,0 +1,2 @@
+/usr/bin/thunderbird.* -- system_u:object_r:thunderbird_exec_t
+HOME_DIR/\.thunderbird(/.*)? system_u:object_r:ROLE_thunderbird_home_t
diff --git a/strict/file_contexts/program/tripwire.fc b/strict/file_contexts/program/tripwire.fc
new file mode 100644
index 0000000..88afc34
--- /dev/null
+++ b/strict/file_contexts/program/tripwire.fc
@@ -0,0 +1,9 @@
+# tripwire
+/etc/tripwire(/.*)? system_u:object_r:tripwire_etc_t
+/usr/sbin/siggen system_u:object_r:siggen_exec_t
+/usr/sbin/tripwire system_u:object_r:tripwire_exec_t
+/usr/sbin/tripwire-setup-keyfiles system_u:object_r:bin_t
+/usr/sbin/twadmin system_u:object_r:twadmin_exec_t
+/usr/sbin/twprint system_u:object_r:twprint_exec_t
+/var/lib/tripwire(/.*)? system_u:object_r:tripwire_var_lib_t
+/var/lib/tripwire/report(/.*)? system_u:object_r:tripwire_report_t
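Review bot: `/etc/tripwire(/.*)?` gives a single type, tripwire_etc_t, to both the configuration files and any key material kept in the same directory, so every domain granted read access to the configuration can also read the keys. If the .te module distinguishes key material, a separate, more specific entry for the key files would let the policy keep them readable only by the tripwire domain. Also none of the five `/usr/sbin/...` entries carry the `--` flag used elsewhere in this diff for executables, so a directory or symlink of that name would receive an exec type too.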
diff --git a/strict/file_contexts/program/ucspi-tcp.fc b/strict/file_contexts/program/ucspi-tcp.fc
new file mode 100644
index 0000000..448c1ab
--- /dev/null
+++ b/strict/file_contexts/program/ucspi-tcp.fc
@@ -0,0 +1,3 @@
+#ucspi-tcp
+/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t
+/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t
diff --git a/strict/file_contexts/program/uptimed.fc b/strict/file_contexts/program/uptimed.fc
index e33489c..f80ccb4 100644
--- a/strict/file_contexts/program/uptimed.fc
+++ b/strict/file_contexts/program/uptimed.fc
@@ -1,4 +1,4 @@
# uptimed
-/etc/uptimed\.conf -- system_u:object_r:etc_uptimed_t
+/etc/uptimed\.conf -- system_u:object_r:uptimed_etc_t
/usr/sbin/uptimed -- system_u:object_r:uptimed_exec_t
/var/spool/uptimed(/.*)? system_u:object_r:uptimed_spool_t
diff --git a/strict/file_contexts/program/uucpd.fc b/strict/file_contexts/program/uucpd.fc
new file mode 100644
index 0000000..db5a257
--- /dev/null
+++ b/strict/file_contexts/program/uucpd.fc
@@ -0,0 +1,5 @@
+# uucico program
+/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t
+/var/spool/uucp(/.*)? system_u:object_r:uucpd_spool_t
+/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t
+/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t
diff --git a/strict/file_contexts/program/vpnc.fc b/strict/file_contexts/program/vpnc.fc
index 497bc20..afaea76 100644
--- a/strict/file_contexts/program/vpnc.fc
+++ b/strict/file_contexts/program/vpnc.fc
@@ -1,3 +1,4 @@
# vpnc
/usr/sbin/vpnc -- system_u:object_r:vpnc_exec_t
/sbin/vpnc -- system_u:object_r:vpnc_exec_t
+/etc/vpnc/vpnc-script -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/webalizer.fc b/strict/file_contexts/program/webalizer.fc
index 792d600..5c11bcf 100644
--- a/strict/file_contexts/program/webalizer.fc
+++ b/strict/file_contexts/program/webalizer.fc
@@ -1 +1,3 @@
#
+/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t
+/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t
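Review bot: `/var/lib/webalizer(/.*)` lacks the trailing `?`, so the group is mandatory and the `/var/lib/webalizer` directory itself never matches; it keeps the generic /var/lib label while its contents get webalizer_var_lib_t, which typically breaks directory search and file creation from the confined domain. Every other recursive entry in this diff uses `(/.*)?`; the line should read `/var/lib/webalizer(/.*)? system_u:object_r:webalizer_var_lib_t`.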
diff --git a/strict/file_contexts/program/winbind.fc b/strict/file_contexts/program/winbind.fc
index adfbe8e..9486f91 100644
--- a/strict/file_contexts/program/winbind.fc
+++ b/strict/file_contexts/program/winbind.fc
@@ -8,3 +8,4 @@ ifdef(`samba.te', `', `
/var/cache/samba(/.*)? system_u:object_r:samba_var_t
')
/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t
+/usr/bin/ntlm_auth -- system_u:object_r:winbind_helper_exec_t
diff --git a/strict/file_contexts/program/xauth.fc b/strict/file_contexts/program/xauth.fc
index 935715e..055fc2f 100644
--- a/strict/file_contexts/program/xauth.fc
+++ b/strict/file_contexts/program/xauth.fc
@@ -1,3 +1,4 @@
# xauth
/usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t
+HOME_DIR/\.xauth.* -- system_u:object_r:ROLE_xauth_home_t
HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_xauth_home_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
index 5026407..6ee91a1 100644
--- a/strict/file_contexts/program/xdm.fc
+++ b/strict/file_contexts/program/xdm.fc
@@ -3,6 +3,7 @@
/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
/usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t
+/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t
/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
diff --git a/strict/file_contexts/program/xserver.fc b/strict/file_contexts/program/xserver.fc
index 3ef0263..3d48a6f 100644
--- a/strict/file_contexts/program/xserver.fc
+++ b/strict/file_contexts/program/xserver.fc
@@ -4,14 +4,14 @@
/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t
/usr/X11R6/bin/Xorg -- system_u:object_r:xserver_exec_t
/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)? system_u:object_r:var_lib_xkb_t
-/usr/X11R6/lib/X11/xkb -d system_u:object_r:var_lib_xkb_t
-/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:var_lib_xkb_t
+/var/lib/xkb(/.*)? system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib/X11/xkb -d system_u:object_r:xkb_var_lib_t
+/usr/X11R6/lib/X11/xkb/.* -- system_u:object_r:xkb_var_lib_t
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
/var/log/XFree86.* -- system_u:object_r:xserver_log_t
/var/log/Xorg.* -- system_u:object_r:xserver_log_t
/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t
/tmp/\.X11-unix -d system_u:object_r:xdm_tmp_t
/tmp/\.X11-unix/.* -s <>
-/tmp/\.ICE-unix -d system_u:object_r:xdm_xserver_tmp_t
+/tmp/\.ICE-unix -d system_u:object_r:ice_tmp_t
/tmp/\.ICE-unix/.* -s <>
diff --git a/strict/file_contexts/program/yam.fc b/strict/file_contexts/program/yam.fc
new file mode 100644
index 0000000..023b740
--- /dev/null
+++ b/strict/file_contexts/program/yam.fc
@@ -0,0 +1,5 @@
+# yam
+/etc/yam.conf -- system_u:object_r:yam_etc_t
+/usr/bin/yam system_u:object_r:yam_exec_t
+/var/yam(/.*)? system_u:object_r:yam_content_t
+/var/www/yam(/.*)? system_u:object_r:yam_content_t
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
index 7e3521a..a363f7b 100644
--- a/strict/macros/program/apache_macros.te
+++ b/strict/macros/program/apache_macros.te
@@ -3,14 +3,12 @@ define(`apache_domain', `
#This type is for webpages
#
-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
-ifelse($1, sys, `
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
+type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
# This type is used for .htaccess files
#
-type httpd_$1_htaccess_t, file_type, sysadmfile;
+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
# This type is used for executable scripts files
#
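Review bot: The new rule `allow httpd_t httpd_$1_htaccess_t: file r_file_perms;` puts a space between the type and the class, unlike every other `type:class` rule in this macro; `allow httpd_t httpd_$1_htaccess_t:file r_file_perms;` keeps the style uniform. The same hunk also drops the `$1_file_type` attribute from httpd_$1_content_t, which changes the set of types any rule keyed on that per-role attribute covers; if that is intended it deserves a line in the commit message, since it is a behaviour change rather than a cleanup.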
@@ -29,7 +27,6 @@ allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
-can_network(httpd_$1_script_t)
allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_$1_script_t usr_t:lnk_file { getattr read };
@@ -42,13 +39,19 @@ read_locale(httpd_$1_script_t)
allow httpd_$1_script_t fs_t:filesystem getattr;
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
-allow httpd_$1_script_t { self proc_t }:file { getattr read };
+allow httpd_$1_script_t { self proc_t }:file r_file_perms;
allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
allow httpd_$1_script_t { self proc_t }:lnk_file read;
allow httpd_$1_script_t device_t:dir { getattr search };
allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
}
+
+if (httpd_enable_cgi && httpd_can_network_connect) {
+can_network(httpd_$1_script_t)
+allow httpd_$1_script_t port_type:tcp_socket name_connect;
+}
+
ifdef(`ypbind.te', `
if (httpd_enable_cgi && allow_ypbind) {
uncond_can_ypbind(httpd_$1_script_t)
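Review bot: The new conditional grants `allow httpd_$1_script_t port_type:tcp_socket name_connect;`, which is connect access to every labelled port rather than to the ports a CGI script plausibly needs; gating it behind httpd_can_network_connect controls when the rule applies, not how far it reaches. If the intended use is outbound HTTP or a database connection, limiting the rule to those port types, whatever this tree names them, keeps a compromised script from reaching arbitrary local services. The boolean httpd_can_network_connect is not declared in this diff, so its definition in the corresponding .te file should be confirmed. The widening of `{ self proc_t }:file` from `{ getattr read }` to r_file_perms in the same hunk is small but is also an extra grant worth a word in the commit message.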
@@ -62,13 +65,6 @@ type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
#########################################################
# Permissions for running child processes and scripts
##########################################################
@@ -82,9 +78,6 @@ allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-# for nscd
-dontaudit httpd_$1_script_t var_t:dir search;
-
###########################################################################
# Allow the script interpreters to run the scripts. So
# the perl executable will be able to run a perl script
@@ -105,34 +98,58 @@ allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
# Allow the scripts to read, read/write, append to the specified directories
# or files
############################################################################
-r_dir_file(httpd_$1_script_t, fonts_t)
+read_fonts(httpd_$1_script_t)
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-ifelse($1, sys, `
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
-', `
-can_exec(httpd_$1_script_t, httpdcontent )
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-')
create_dir_file(httpd_$1_script_t, httpdcontent)
+can_exec(httpd_$1_script_t, httpdcontent)
}
-ifelse($1, sys, `
#
# If a user starts a script by hand it gets the proper context
#
-if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ifdef(`targeted_policy', `', `
+if (httpd_enable_cgi) {
domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
}
+')
role sysadm_r types httpd_$1_script_t;
-', `
+
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
+############################################
+# Allow scripts to append to http logs
+#########################################
+allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+# apache should set close-on-exec
+dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+
+################################################################
+# Allow the web server to run scripts and serve pages
+##############################################################
+if (httpd_builtin_scripting) {
+r_dir_file(httpd_t, httpd_$1_script_ro_t)
+create_dir_file(httpd_t, httpd_$1_script_rw_t)
+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
+}
+r_dir_file(httpd_t, httpd_$1_content_t)
+
+')
+define(`apache_user_domain', `
+
+apache_domain($1)
+
+typeattribute httpd_$1_content_t $1_file_type;
+
+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
+}
if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
# If a user starts a script by hand it gets the proper context
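Review bot: The new `apache_user_domain` macro opened near the end of this hunk has no header comment stating its argument and how it relates to apache_domain, whereas the other macro files in this diff document each macro's parameters at the top; suggest `# apache_user_domain(role_prefix) - apache_domain(role_prefix) plus the per-user rules (content ownership, transitions from the user domain)` above the define. Separately, httpd_t's access to httpd_$1_script_rw_t, which the removed text granted unconditionally as read-only, is now both widened to create_dir_file and placed inside `if (httpd_builtin_scripting)`, so serving files from rw directories with that boolean off appears to stop — worth confirming that is intended and noting it in the block comment. Both apache_domain's beginning and apache_user_domain's body continue outside this hunk.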
@@ -145,11 +162,7 @@ role $1_r types httpd_$1_script_t;
#########################################
create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-create_dir_file($1_crond_t, httpd_$1_content_t)
allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-ifdef(`mozilla.te', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
######################################################################
# Allow the user to create htaccess files
@@ -172,26 +185,8 @@ ifdef(`nfs_home_dirs', `
r_dir_file(httpd_$1_script_t, nfs_t)
')dnl end if nfs_home_dirs
}
-')dnl end ifelse sys
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-r_dir_file(httpd_t, httpd_$1_content_t)
-
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-r_dir_file(httpd_t, httpd_$1_script_rw_t)
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ifdef(`crond.te', `
+create_dir_file($1_crond_t, httpd_$1_content_t)
+')
')
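Review bot: The removed rule `allow httpd_t httpd_$1_htaccess_t: file r_file_perms;` is not re-added in the relocated "Allow the web server to run scripts and serve pages" block in the earlier hunk of this file, which only re-creates the content, script_ro/rw/ra and log rules. Unless httpd_$1_htaccess_t receives that access elsewhere (for example through an attribute in apache.te, which is outside this diff), httpd_t loses the ability to read per-user .htaccess files. If it is not granted elsewhere, add `allow httpd_t httpd_$1_htaccess_t:file r_file_perms;` next to `r_dir_file(httpd_t, httpd_$1_content_t)` in the new block. The apache_user_domain macro this hunk closes begins in the earlier hunk.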
diff --git a/strict/macros/program/bonobo_macros.te b/strict/macros/program/bonobo_macros.te
new file mode 100644
index 0000000..e76cf3a
--- /dev/null
+++ b/strict/macros/program/bonobo_macros.te
@@ -0,0 +1,119 @@
+#
+# Bonobo
+#
+# Author: Ivan Gyurdiev
+#
+# bonobo_domain(role_prefix) - invoke per role
+# bonobo_client(app_prefix, role_prefix) - invoke per client app
+# bonobo_connect(type1_prefix, type2_prefix) -
+# connect two bonobo clients, the channel is bidirectional
+
+######################
+
+define(`bonobo_domain', `
+
+# Protect against double inclusion for faster compile
+ifdef(`bonobo_domain_$1', `', `
+define(`bonobo_domain_$1')
+
+# Type for daemon
+type $1_bonobo_t, domain, nscd_client_domain;
+
+# Transition from caller
+domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
+role $1_r types $1_bonobo_t;
+
+# Shared libraries, gconv-modules
+uses_shlib($1_bonobo_t)
+allow $1_bonobo_t lib_t:file r_file_perms;
+
+read_locale($1_bonobo_t)
+read_sysctl($1_bonobo_t)
+
+# Session management
+# FIXME: More specific context is needed for gnome-session
+ice_connect($1_bonobo, $1)
+
+# nsswitch.conf
+allow $1_bonobo_t etc_t:file { read getattr };
+
+# Fork to start apps
+allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
+allow $1_bonobo_t self:fifo_file rw_file_perms;
+
+# ???
+allow $1_bonobo_t root_t:dir search;
+allow $1_bonobo_t home_root_t:dir search;
+allow $1_bonobo_t $1_home_dir_t:dir search;
+
+# libexec ???
+allow $1_bonobo_t bin_t:dir search;
+
+# ORBit sockets for bonobo
+orbit_domain($1_bonobo, $1)
+
+# Bonobo can launch evolution
+ifdef(`evolution.te', `
+domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
+domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
+domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
+domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
+')
+
+# Bonobo can launch GNOME vfs daemon
+ifdef(`gnome_vfs.te', `
+domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+')
+
+# Transition to ROLE_t on bin_t apps
+# FIXME: The goal is to get rid of this rule, as it
+# defeats the purpose of a separate domain. It is only
+# here temporarily, since bonobo runs as ROLE_t by default anyway
+domain_auto_trans($1_bonobo_t, bin_t, $1_t)
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_bonobo_t)
+')
+
+') dnl ifdef bonobo_domain_args
+') dnl bonobo_domain
+
+#####################
+
+define(`bonobo_client', `
+
+# Protect against double inclusion for faster compile
+ifdef(`bonobo_client_$1_$2', `', `
+define(`bonobo_client_$1_$2')
+# Connect over bonobo
+bonobo_connect($1, $2_gconfd, $1)
+
+# Create ORBit sockets
+orbit_domain($1, $2)
+
+# Connect to bonobo
+orbit_connect($1, $2_bonobo)
+orbit_connect($2_bonobo, $1)
+
+# Lock /tmp/bonobo-activation-register.lock
+# Stat /tmp/bonobo-activation-server.ior
+# FIXME: this should probably be of type $2_bonobo..
+# Note that this is file, not sock_file
+allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
+
+domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
+
+') dnl ifdef bonobo_client_args
+') dnl bonobo_client
+
+#####################
+
+define(`bonobo_connect', `
+
+# FIXME: Should there be a macro for unidirectional conn. ?
+
+orbit_connect($1, $2)
+orbit_connect($2, $1)
+
+') dnl bonobo_connect
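Review bot: `bonobo_connect($1, $2_gconfd, $1)` in bonobo_client passes a third argument that the two-parameter bonobo_connect macro defined at the bottom of this file never reads, so m4 silently drops it; write `bonobo_connect($1, $2_gconfd)`. That line also duplicates the `bonobo_connect($1, $2_gconfd)` performed by gconf_client in gconf_macros.te of this diff, which is harmless but deserves a comment if it is meant to stand on its own. The trailer `') dnl ifdef bonobo_domain_args` names a guard that does not exist — the guard defined above is bonobo_domain_$1 — so `') dnl ifdef bonobo_domain_$1` would match the code.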
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
index 6af7ddc..aa9e1e5 100644
--- a/strict/macros/program/cdrecord_macros.te
+++ b/strict/macros/program/cdrecord_macros.te
@@ -40,15 +40,16 @@ r_dir_file($1_cdrecord_t, cifs_t)
allow $1_cdrecord_t etc_t:file { getattr read };
# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:dir r_dir_perms;
allow $1_cdrecord_t device_t:lnk_file { getattr read };
# allow cdrecord to write the CD
allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
+allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-
+allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+read_content($1_cdrecord_t, $1)
')
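Review bot: `allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };` adds two broad capabilities with no comment saying which operation requires them. sys_rawio is plausible for a burner that issues SCSI pass-through commands, but dac_override bypasses file-mode checks on every file the domain can otherwise reach; if it is needed only for one path (for example the devpts access added on the next line), a targeted allow on that type is preferable to the capability. Suggest `# sys_rawio: SCSI pass-through to the burner; dac_override: <reason — TODO fill in>` above the rule so the grant can be revisited.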
diff --git a/strict/macros/program/chroot_macros.te b/strict/macros/program/chroot_macros.te
index d06e6f1..47ca86b 100644
--- a/strict/macros/program/chroot_macros.te
+++ b/strict/macros/program/chroot_macros.te
@@ -119,6 +119,7 @@ general_domain_access({ $2_t $2_super_t })
can_create_pty($2)
can_create_pty($2_super)
can_network({ $2_t $2_super_t })
+allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
allow { $2_t $2_super_t } self:capability { dac_override kill };
diff --git a/strict/macros/program/clamav_macros.te b/strict/macros/program/clamav_macros.te
index e5a4a37..bc15930 100644
--- a/strict/macros/program/clamav_macros.te
+++ b/strict/macros/program/clamav_macros.te
@@ -12,6 +12,7 @@
define(`can_clamd_connect',`
allow $1_t clamd_var_run_t:dir search;
allow $1_t clamd_var_run_t:sock_file write;
+allow $1_t clamd_sock_t:sock_file write;
can_unix_connect($1_t, clamd_t)
')
diff --git a/strict/macros/program/daemontools_macros.te b/strict/macros/program/daemontools_macros.te
new file mode 100644
index 0000000..94c4f8e
--- /dev/null
+++ b/strict/macros/program/daemontools_macros.te
@@ -0,0 +1,11 @@
+ifdef(`daemontools.te', `
+
+define(`svc_ipc_domain',`
+allow $1 svc_start_t:process sigchld;
+allow $1 svc_start_t:fd use;
+allow $1 svc_start_t:fifo_file { read write getattr };
+allow svc_start_t $1:process signal;
+')
+
+') dnl ifdef daemontools
+
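Review bot: svc_ipc_domain takes a full domain type in $1 — it is used bare in `allow $1 svc_start_t:process sigchld;` — whereas most macros in this tree take a prefix and append _t, and the file has no header saying so; suggest `# svc_ipc_domain(domain_type) - let a supervised service exchange signals, fds and fifos with svc_start_t` above the define. Because the define itself sits inside the daemontools.te ifdef, the macro is undefined whenever that module is absent, so every caller must wrap its call in the same ifdef or m4 will leave the call text unexpanded in the policy. The file also ends with an extra empty line after the closing ifdef.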
diff --git a/strict/macros/program/ethereal_macros.te b/strict/macros/program/ethereal_macros.te
new file mode 100644
index 0000000..c546cb4
--- /dev/null
+++ b/strict/macros/program/ethereal_macros.te
@@ -0,0 +1,83 @@
+# DESC - Ethereal
+#
+# Author: Ivan Gyurdiev
+#
+
+#############################################################
+# ethereal_networking(app_prefix) -
+# restricted ethereal rules (sysadm only)
+#
+
+define(`ethereal_networking', `
+
+# Create various types of sockets
+allow $1_t self:netlink_route_socket create_netlink_socket_perms;
+allow $1_t self:udp_socket create_socket_perms;
+allow $1_t self:packet_socket create_socket_perms;
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:tcp_socket create_socket_perms;
+
+allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
+
+# Resolve names via DNS
+can_resolve($1_t)
+
+') dnl ethereal_networking
+
+########################################################
+# Ethereal (GNOME)
+#
+
+define(`ethereal_domain', `
+
+# Type for program
+type $1_ethereal_t, domain, nscd_client_domain;
+
+# Transition from sysadm type
+domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
+role $1_r types $1_ethereal_t;
+
+# Manual transition from userhelper
+# FIXME: Need to handle the fallback case, which requires userhelper support
+ifdef(`userhelper.te', `
+allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure };
+allow sysadm_ethereal_t userhelperdomain:fd use;
+allow sysadm_ethereal_t userhelperdomain:process sigchld;
+') dnl userhelper
+
+# X, GNOME
+x_client_domain($1_ethereal, $1)
+gnome_application($1_ethereal, $1)
+gnome_file_dialog($1_ethereal, $1)
+
+# Why does it write this?
+ifdef(`snmpd.te', `
+dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
+')
+
+# /home/.ethereal
+home_domain($1, ethereal)
+file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
+
+# Enable restricted networking rules for sysadm - this is shared w/ tethereal
+ifelse($1, `sysadm', `
+ethereal_networking($1_ethereal)
+
+# Ethereal tries to write to user terminal
+dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
+dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
+', `')
+
+# Store temporary files
+tmp_domain($1_ethereal)
+
+# Re-execute itself (why?)
+can_exec($1_ethereal_t, ethereal_exec_t)
+allow $1_ethereal_t sbin_t:dir search;
+
+# Supress .local denials until properly implemented
+dontaudit $1_ethereal_t $1_home_t:dir search;
+
+# FIXME: policy is incomplete
+
+') dnl ethereal_domain
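Review bot: ethereal_domain is parameterised on $1, yet the userhelper block (`allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure };` and the two rules after it) and the snmpd dontaudit hard-code sysadm_ethereal_t while sitting outside the `ifelse($1, `sysadm', ...)` guard near the end of the macro. Invoking ethereal_domain for a non-sysadm role therefore either re-emits the sysadm rules or fails to compile if sysadm_ethereal_t has not been declared. Either rewrite them as `$1_ethereal_t` rules or move them into the sysadm-only ifelse branch alongside the other sysadm_ethereal_t rules. The comment `# Supress .local denials` has a spelling error (Suppress).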
diff --git a/strict/macros/program/evolution_macros.te b/strict/macros/program/evolution_macros.te
new file mode 100644
index 0000000..facfe7f
--- /dev/null
+++ b/strict/macros/program/evolution_macros.te
@@ -0,0 +1,234 @@
+#
+# Evolution
+#
+# Author: Ivan Gyurdiev
+#
+
+################################################
+# evolution_common(app_prefix,role_prefix)
+#
+define(`evolution_common', `
+
+# Gnome common stuff
+gnome_application($1, $2)
+
+# Stat root
+allow $1_t root_t:dir search;
+
+# Access null device
+allow $1_t null_device_t:chr_file rw_file_perms;
+
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+dontaudit $1_t $2_home_t:dir r_dir_perms;
+
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+dontaudit $1_t $2_home_t:file r_file_perms;
+
+') dnl evolution_common
+
+#######################################
+# evolution_data_server(role_prefix)
+#
+
+define(`evolution_data_server', `
+
+# Type for daemon
+type $1_evolution_server_t, domain, nscd_client_domain;
+
+# Transition from user type
+if (! disable_evolution_trans) {
+domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
+}
+role $1_r types $1_evolution_server_t;
+
+# Evolution common stuff
+evolution_common($1_evolution_server, $1)
+
+# Access evolution home
+home_domain_access($1_evolution_server_t, $1, evolution)
+
+# Talks to exchange
+bonobo_connect($1_evolution_server, $1_evolution_exchange)
+
+can_exec($1_evolution_server_t, shell_exec_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+allow $1_evolution_server_t usr_t:file r_file_perms;
+can_resolve($1_evolution_server_t)
+can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
+allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
+
+# Talk to ldap (address book)
+can_network_client_tcp($1_evolution_server_t, ldap_port_t)
+allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
+
+# Look in /etc/pki
+allow $1_evolution_server_t cert_t:dir r_dir_perms;
+
+') dnl evolution_data_server
+
+#######################################
+# evolution_webcal(role_prefix)
+#
+
+define(`evolution_webcal', `
+
+# Type for program
+type $1_evolution_webcal_t, domain, nscd_client_domain;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+role $1_r types $1_evolution_webcal_t;
+
+# X/evolution common stuff
+x_client_domain($1_evolution_webcal, $1)
+evolution_common($1_evolution_webcal, $1)
+
+# Search home directory (?)
+allow $1_evolution_webcal_t $1_home_dir_t:dir search;
+
+# Networking capability - connect to website and handle ics link
+# FIXME: is this necessary ?
+can_resolve($1_evolution_webcal_t);
+can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
+allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
+
+') dnl evolution_webcal
+
+#######################################
+# evolution_alarm(role_prefix)
+#
+define(`evolution_alarm', `
+
+# Type for program
+type $1_evolution_alarm_t, domain, nscd_client_domain;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
+role $1_r types $1_evolution_alarm_t;
+
+# Common evolution stuff, X
+evolution_common($1_evolution_alarm, $1)
+x_client_domain($1_evolution_alarm, $1)
+
+# Connect to exchange, e-d-s
+bonobo_connect($1_evolution_alarm, $1_evolution_server)
+bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
+
+# Access evolution home
+home_domain_access($1_evolution_alarm_t, $1, evolution)
+
+') dnl evolution_alarm
+
+########################################
+# evolution_exchange(role_prefix)
+#
+define(`evolution_exchange', `
+
+# Type for program
+type $1_evolution_exchange_t, domain, nscd_client_domain;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
+role $1_r types $1_evolution_exchange_t;
+
+# Common evolution stuff, X
+evolution_common($1_evolution_exchange, $1)
+x_client_domain($1_evolution_exchange, $1)
+
+# Access evolution home
+home_domain_access($1_evolution_exchange_t, $1, evolution)
+
+# /tmp/.exchange-$USER
+tmp_domain($1_evolution_exchange)
+
+# Allow netstat
+allow $1_evolution_exchange_t bin_t:dir search;
+can_exec($1_evolution_exchange_t, bin_t)
+r_dir_file($1_evolution_exchange_t, proc_net_t)
+allow $1_evolution_exchange_t sysctl_net_t:dir search;
+allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
+
+# Clock applet talks to exchange (FIXME: Needs policy)
+bonobo_connect($1, $1_evolution_exchange)
+
+# FIXME: policy incomplete
+
+') dnl evolution_exchange
+
+#######################################
+# evolution_domain(role_prefix)
+#
+
+define(`evolution_domain', `
+
+# Type for program
+type $1_evolution_t, domain, nscd_client_domain, privlog;
+
+# Transition from user type
+domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
+role $1_r types $1_evolution_t;
+
+# X, mail, evolution common stuff
+x_client_domain($1_evolution, $1)
+mail_client_domain($1_evolution, $1)
+gnome_file_dialog($1_evolution, $1)
+evolution_common($1_evolution, $1)
+
+# Connect to e-d-s, exchange, alarm
+bonobo_connect($1_evolution, $1_evolution_server)
+bonobo_connect($1_evolution, $1_evolution_exchange)
+bonobo_connect($1_evolution, $1_evolution_alarm)
+
+# Access .evolution
+home_domain($1, evolution)
+
+# Store passwords in .gnome2_private
+gnome_private_store($1_evolution, $1)
+
+# Run various programs
+allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
+allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
+
+### Junk mail filtering (start spamd)
+ifdef(`spamd.te', `
+# Start the spam daemon
+domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
+role $1_r types spamd_t;
+
+# Write pid file and socket in ~/.evolution/cache/tmp
+file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
+
+# Allow evolution to signal the daemon
+# FIXME: Now evolution can read spamd temp files
+allow $1_evolution_t spamd_tmp_t:file r_file_perms;
+allow $1_evolution_t spamd_t:process signal;
+dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
+') dnl spamd.te
+
+### Junk mail filtering (start spamc)
+ifdef(`spamc.te', `
+domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
+
+# Allow connection to spamd socket above
+allow $1_spamc_t $1_evolution_home_t:dir search;
+') dnl spamc.te
+
+### Junk mail filtering (start spamassassin)
+ifdef(`spamassassin.te', `
+domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
+') dnl spamassasin.te
+
+') dnl evolution_domain
+
+#################################
+# evolution_domains(role_prefix)
+
+define(`evolution_domains', `
+evolution_domain($1)
+evolution_data_server($1)
+evolution_webcal($1)
+evolution_alarm($1)
+evolution_exchange($1)
+') dnl end evolution_domains
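Review bot: `can_resolve($1_evolution_webcal_t);` in evolution_webcal ends with a semicolon that no other macro call in this file carries; the extra `;` is emitted into the expanded policy after the macro's last rule, which checkpolicy may reject as a syntax error, so drop it. The same stray `;` appears on the `file_type_auto_trans(...)` line of gnome_private_store in gnome_macros.te in this diff. On the next line, `{ http_cache_port_t http_port_t } :tcp_socket name_connect;` has a space before the colon that the equivalent rule in evolution_data_server does not; `{ http_cache_port_t http_port_t }:tcp_socket name_connect;` keeps the two consistent. The boolean `disable_evolution_trans` used in evolution_data_server is not declared in this diff, so it presumably lives in evolution.te.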
diff --git a/strict/macros/program/fontconfig_macros.te b/strict/macros/program/fontconfig_macros.te
new file mode 100644
index 0000000..7f4a56d
--- /dev/null
+++ b/strict/macros/program/fontconfig_macros.te
@@ -0,0 +1,52 @@
+#
+# Fontconfig related types
+#
+# Author: Ivan Gyurdiev
+#
+# fontconfig_domain(role_prefix) - create fontconfig domain
+#
+# read_fonts(domain, role_prefix) -
+# allow domain to read fonts, optionally per/user
+#
+
+define(`fontconfig_domain', `
+
+type $1_fonts_t, file_type, $1_file_type, sysadmfile;
+type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
+
+create_dir_file($1_t, $1_fonts_t)
+allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+create_dir_file($1_t, $1_fonts_config_t)
+allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
+
+# For startup relabel
+allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
+') dnl fontconfig_domain
+
+####################
+
+define(`read_fonts', `
+
+# Read global fonts and font config
+r_dir_file($1, fonts_t)
+r_dir_file($1, etc_t)
+
+ifelse(`$2', `', `', `
+
+# Manipulate the global font cache
+create_dir_file($1, $2_fonts_cache_t)
+
+# Read per user fonts and font config
+r_dir_file($1, $2_fonts_t)
+r_dir_file($1, $2_fonts_config_t)
+
+# There are some fonts in .gnome2
+ifdef(`gnome.te', `
+allow $1 $2_gnome_settings_t:dir { getattr search };
+')
+
+') dnl ifelse
+') dnl read_fonts
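Review bot: `create_dir_file($1, $2_fonts_cache_t)` in read_fonts is introduced by `# Manipulate the global font cache`, but $2_fonts_cache_t is the per-role type declared in fontconfig_domain above; the comment should read `# Manipulate the per-user font cache`. Separately, `r_dir_file($1, etc_t)` gives every caller of read_fonts read access to all etc_t files rather than only the fonts configuration, which is a wide grant for a macro invoked from many domains in this diff (httpd scripts, javaplugin); if the fonts configuration can receive a dedicated type, as /etc/gconf has with gconf_etc_t in gconf_macros.te, this rule could be narrowed to it. A comment stating that etc_t is used because no fonts-config type exists yet would at least record the intent.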
diff --git a/strict/macros/program/gconf_macros.te b/strict/macros/program/gconf_macros.te
new file mode 100644
index 0000000..5f34ea7
--- /dev/null
+++ b/strict/macros/program/gconf_macros.te
@@ -0,0 +1,57 @@
+#
+# GConfd daemon
+#
+# Author: Ivan Gyurdiev
+#
+
+#######################################
+# gconfd_domain(role_prefix)
+#
+
+define(`gconfd_domain', `
+
+# Type for daemon
+type $1_gconfd_t, domain, nscd_client_domain, privlog;
+
+gnome_application($1_gconfd, $1)
+
+# Transition from user type
+domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
+role $1_r types $1_gconfd_t;
+
+allow $1_gconfd_t self:process { signal getsched };
+
+# Access .gconfd and .gconf
+home_domain($1, gconfd)
+file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
+
+# Access /etc/gconf
+r_dir_file($1_gconfd_t, gconf_etc_t)
+
+# /tmp/gconfd-USER
+tmp_domain($1_gconfd)
+
+ifdef(`xdm.te', `
+can_pipe_xdm($1_gconfd_t)
+allow xdm_t $1_gconfd_t:process signal;
+')
+
+') dnl gconf_domain
+
+#####################################
+# gconf_client(prefix, role_prefix)
+#
+
+define(`gconf_client', `
+
+# Launch the daemon if necessary
+domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
+
+# Connect over bonobo
+bonobo_connect($1, $2_gconfd)
+
+# Read lock/ior
+allow $1_t $2_gconfd_tmp_t:dir { getattr search };
+allow $1_t $2_gconfd_tmp_t:file { getattr read };
+
+') dnl gconf_client
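Review bot: gconfd_domain calls `gnome_application($1_gconfd, $1)`, and gnome_application (gnome_macros.te in this diff) in turn calls gconf_client($1, $2), so the daemon ends up with `domain_auto_trans($1_gconfd_t, gconfd_exec_t, $1_gconfd_t)` — a process transition from the gconfd domain to itself on its own executable. That is probably harmless, but a comment on the gnome_application call noting the self-transition would save the next reader from tracing it, and if checkpolicy complains the gconf_client step could be skipped for gconfd. The closing trailer `') dnl gconf_domain` names the macro incorrectly; it should be `') dnl gconfd_domain`.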
diff --git a/strict/macros/program/gnome_macros.te b/strict/macros/program/gnome_macros.te
new file mode 100644
index 0000000..5d31af5
--- /dev/null
+++ b/strict/macros/program/gnome_macros.te
@@ -0,0 +1,115 @@
+#
+# GNOME related types
+#
+# Author: Ivan Gyurdiev
+#
+# gnome_domain(role_prefix) - create GNOME domain (run for each role)
+# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
+# gnome_file_dialog(role_prefix) - gnome file dialog rules
+# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
+
+define(`gnome_domain', `
+
+# Types for .gnome2 and .gnome2_private.
+# For backwards compatibility, allow unrestricted
+# access from ROLE_t. However, content inside
+# *should* be labeled per application eventually.
+# For .gnome2_private, use the private_store macro below.
+
+type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
+create_dir_file($1_t, $1_gnome_settings_t)
+allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
+
+type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
+create_dir_file($1_t, $1_gnome_secret_t)
+allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
+
+# GConf domain
+gconfd_domain($1)
+gconf_client($1, $1)
+
+# Bonobo-activation-server
+bonobo_domain($1)
+bonobo_client($1, $1)
+
+# GNOME vfs daemon
+gnome_vfs_domain($1)
+gnome_vfs_client($1, $1)
+
+# ICE is necessary for session management
+ice_domain($1, $1)
+
+')
+
+#################################
+
+define(`gnome_application', `
+
+# If launched from a terminal
+access_terminal($1_t, $2)
+
+# Forking is generally okay
+allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
+allow $1_t self:fifo_file rw_file_perms;
+
+# Shlib, locale, sysctl, proc
+uses_shlib($1_t)
+read_locale($1_t)
+read_sysctl($1_t)
+
+allow $1_t { self proc_t }:dir { search read getattr };
+allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
+
+# Most gnome apps use bonobo
+bonobo_client($1, $2)
+
+# Within-process bonobo-activation of components
+bonobo_connect($1, $1)
+
+# Session management happens over ICE
+# FIXME: More specific context is needed for gnome-session
+ice_connect($1, $2)
+
+# Most talk to GConf
+gconf_client($1, $2)
+
+# Allow getattr/read/search of .gnome2 and .gnome2_private
+# Reading files should *not* be allowed - instead, more specific
+# types should be created to handle such requests
+allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
+
+# Access /etc/mtab, /etc/nsswitch.conf
+allow $1_t etc_t:file { read getattr };
+allow $1_t etc_runtime_t:file { read getattr };
+
+# Themes, gtkrc
+allow $1_t usr_t:{ file lnk_file } r_file_perms;
+
+') dnl gnome_application
+
+################################
+
+define(`gnome_file_dialog', `
+
+# GNOME Open/Save As dialogs
+dontaudit_getattr($1_t)
+dontaudit_search_dir($1_t)
+
+# Bonobo connection to gnome_vfs daemon
+bonobo_connect($1, $2_gnome_vfs)
+
+') dnl gnome_file_dialog
+
+################################
+
+define(`gnome_private_store', `
+
+# Type for storing secret data
+# (different from home, not directly accessible from ROLE_t)
+type $1_secret_t, file_type, $2_file_type, sysadmfile;
+
+# Put secret files in .gnome2_private
+file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
+allow $2_t $1_secret_t:file unlink;
+
+') dnl gnome_private_store
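Review bot: The file header line `# gnome_file_dialog(role_prefix) - gnome file dialog rules` documents one parameter, but the macro body reads both $1 (`dontaudit_getattr($1_t)`) and $2 (`bonobo_connect($1, $2_gnome_vfs)`), and the callers in this diff (ethereal, evolution) pass two arguments; update it to `# gnome_file_dialog(app_prefix, role_prefix) - gnome file dialog rules`. The closing `')` of gnome_domain is the only one in this file without a dnl trailer; `') dnl gnome_domain` matches the others. `dontaudit_getattr($1_t)` and `dontaudit_search_dir($1_t)` suppress denials broadly, which is convenient for the file dialog but hides exactly the denials one would need to tighten the policy later — a comment saying the suppression is intentional and what it covers would help.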
diff --git a/strict/macros/program/gnome_vfs_macros.te b/strict/macros/program/gnome_vfs_macros.te
new file mode 100644
index 0000000..8ff5c28
--- /dev/null
+++ b/strict/macros/program/gnome_vfs_macros.te
@@ -0,0 +1,55 @@
+#
+# GNOME VFS daemon
+#
+# Author: Ivan Gyurdiev
+#
+
+#######################################
+# gnome_vfs_domain(role_prefix)
+#
+
+define(`gnome_vfs_domain', `
+
+# Type for daemon
+type $1_gnome_vfs_t, domain, nscd_client_domain;
+
+# GNOME, dbus
+gnome_application($1_gnome_vfs, $1)
+dbusd_client(system, $1_gnome_vfs)
+allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
+ifdef(`hald.te', `
+allow $1_gnome_vfs_t hald_t:dbus send_msg;
+allow hald_t $1_gnome_vfs_t:dbus send_msg;
+')
+
+# Transition from user type
+domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+role $1_r types $1_gnome_vfs_t;
+
+# Stat top level directories on mount_points (check free space?)
+allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
+
+# Search path to /home (??)
+allow $1_gnome_vfs_t home_root_t:dir search;
+allow $1_gnome_vfs_t $1_home_dir_t:dir search;
+
+# Search path to rpc_pipefs mount point (??)
+allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
+allow $1_gnome_vfs_t var_lib_t:dir search;
+
+# Search libexec (??)
+allow $1_gnome_vfs_t bin_t:dir search;
+can_exec($1_gnome_vfs_t, bin_t)
+
+') dnl gnome_vfs_domain
+
+#####################################
+# gnome_vfs_client(prefix, role_prefix)
+#
+
+define(`gnome_vfs_client', `
+
+# Connect over bonobo
+bonobo_connect($1, $2_gnome_vfs)
+
+') dnl gnome_vfs_client
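Review bot: `can_exec($1_gnome_vfs_t, bin_t)` lets the daemon execute any bin_t program without a domain change, and the `# Search libexec (??)` comment above it records that the reason is not known. Once the helper that triggers this is identified, the rule can be narrowed to that executable's type; in the meantime a comment such as `# Runs <helper — TODO identify> from bin_t in its own domain; narrow when known` states the open question more precisely than `(??)`. The bidirectional hald dbus rules are fine but would benefit from a note on what gnome-vfs asks hald for, since the hald ifdef is otherwise unexplained.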
diff --git a/strict/macros/program/ice_macros.te b/strict/macros/program/ice_macros.te
new file mode 100644
index 0000000..b373496
--- /dev/null
+++ b/strict/macros/program/ice_macros.te
@@ -0,0 +1,38 @@
+#
+# ICE related types
+#
+# Author: Ivan Gyurdiev
+#
+# ice_domain(prefix, role) - create ICE sockets
+# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets
+
+define(`ice_domain', `
+ifdef(`$1_ice_tmp_t_defined',`', `
+define(`$1_ice_tmp_t_defined')
+
+# Type for ICE sockets
+type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
+file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
+
+# Create the sockets
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# FIXME: How does iceauth tie in?
+
+')
+')
+
+# FIXME: Should this be bidirectional?
+# Adding only unidirectional for now.
+
+define(`ice_connect', `
+
+# Read .ICEauthority file
+allow $1_t $2_iceauth_home_t:file { read getattr };
+
+can_unix_connect($1_t, $2_t)
+allow $1_t ice_tmp_t:dir r_dir_perms;
+allow $1_t $2_ice_tmp_t:sock_file { read write };
+allow $1_t $2_t:unix_stream_socket { read write };
+')
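Review bot: ice_domain is documented as `ice_domain(prefix, role)` and called as `ice_domain($1, $1)` from gnome_macros.te in this diff, but its body reads only $1 and never $2; either drop the second parameter from the header and the call, or document it as reserved for per-role labelling. The two bare closing lines `')` `')` at the end of ice_domain carry no dnl trailers, unlike the other macro files in this diff, so the nesting of the ifdef guard and the define is hard to follow; `') dnl ifdef $1_ice_tmp_t_defined` and `') dnl ice_domain` would make the pairing explicit. The guard name `$1_ice_tmp_t_defined` differs in style from the bonobo_domain_$1 guards in bonobo_macros.te; unifying the pattern would help readers.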
diff --git a/strict/macros/program/iceauth_macros.te b/strict/macros/program/iceauth_macros.te
new file mode 100644
index 0000000..cc7e804
--- /dev/null
+++ b/strict/macros/program/iceauth_macros.te
@@ -0,0 +1,40 @@
+#
+# Macros for iceauth domains.
+#
+# Author: Ivan Gyurdiev
+#
+# iceauth_domain(domain_prefix)
+
+define(`iceauth_domain',`
+
+# Program type
+type $1_iceauth_t, domain;
+
+# Transition from the user domain to this domain.
+domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
+role $1_r types $1_iceauth_t;
+
+# Store .ICEauthority files
+home_domain($1, iceauth)
+file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
+
+# Supress xdm trying to restore .ICEauthority permissions
+ifdef(`xdm.te', `
+dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
+')
+
+# /root
+allow $1_iceauth_t root_t:dir search;
+
+# Terminal output
+access_terminal($1_iceauth_t, $1)
+
+uses_shlib($1_iceauth_t)
+
+# ???
+allow $1_iceauth_t etc_t:dir search;
+allow $1_iceauth_t usr_t:dir search;
+
+# FIXME: policy is incomplete
+
+')dnl end xauth_domain macro
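Review bot: `')dnl end xauth_domain macro` closes iceauth_domain, not xauth_domain — the trailer appears to have been carried over from the xauth macro — so it should read `')dnl end iceauth_domain macro`. The `# ???` comment above `allow $1_iceauth_t etc_t:dir search;` and the usr_t search leaves those two rules unexplained; if they came from observed denials, `# search etc_t/usr_t: needed for <observed denial — TODO fill in>` gives later maintainers something to verify. The comment `# Supress xdm trying to restore` has a spelling error (Suppress).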
diff --git a/strict/macros/program/java_macros.te b/strict/macros/program/java_macros.te
index b7c2be4..874d6dc 100644
--- a/strict/macros/program/java_macros.te
+++ b/strict/macros/program/java_macros.te
@@ -4,7 +4,7 @@
# Macros for javaplugin (java plugin) domains.
#
#
-# javaplugin_domain(domain_prefix, user)
+# javaplugin_domain(domain_prefix, role)
#
# Define a derived domain for the javaplugin program when executed by
# a web browser.
@@ -29,9 +29,9 @@ allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
# This domain is granted permissions common to most domains (including can_net)
can_network_client($1_javaplugin_t)
+allow $1_javaplugin_t port_type:tcp_socket name_connect;
can_ypbind($1_javaplugin_t)
allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow $1_javaplugin_t self:fifo_file rw_file_perms;
allow $1_javaplugin_t etc_runtime_t:file { getattr read };
allow $1_javaplugin_t fs_t:filesystem getattr;
@@ -41,44 +41,24 @@ allow $1_javaplugin_t self:lnk_file read;
allow $1_javaplugin_t self:file { getattr read };
read_sysctl($1_javaplugin_t)
+allow $1_javaplugin_t sysctl_vm_t:dir search;
tmp_domain($1_javaplugin)
-r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
+read_fonts($1_javaplugin_t, $2)
+r_dir_file($1_javaplugin_t,{ usr_t etc_t })
# Search bin directory under javaplugin for javaplugin executable
allow $1_javaplugin_t bin_t:dir search;
can_exec($1_javaplugin_t, java_exec_t)
-# Allow connections to X server.
-ifdef(`xserver.te', `
-
-ifdef(`xdm.te', `
-# for when /tmp/.X11-unix is created by the system
-allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
-allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
-allow $1_javaplugin_t xdm_tmp_t:dir search;
-allow $1_javaplugin_t xdm_tmp_t:sock_file write;
-')
-
-ifdef(`startx.te', `
-# for when /tmp/.X11-unix is created by the X server
-allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
-
-# for /tmp/.X0-lock
-allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
-
-allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
-can_unix_connect($1_javaplugin_t, $2_xserver_t)
-')dnl end startx
-
-can_unix_connect($1_javaplugin_t, xdm_xserver_t)
-allow xdm_xserver_t $1_javaplugin_t:fd use;
-allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
-dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
-
-')dnl end xserver
+# libdeploy.so legacy
+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+if (allow_execmem) {
+allow $1_javaplugin_t self:process execmem;
+}
-allow $1_javaplugin_t self:shm create_shm_perms;
+# Connect to X server
+x_client_domain($1_javaplugin, $2)
uses_shlib($1_javaplugin_t)
read_locale($1_javaplugin_t)
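Review bot: The `# libdeploy.so legacy` comment explains `allow $1_javaplugin_t texrel_shlib_t:file execmod;` but not the `allow $1_javaplugin_t self:process execmem;` that follows under `if (allow_execmem)`; execmem lets a domain that runs web-delivered code map writable-and-executable memory, so the reason (presumably the JIT) should be stated in its own comment. Gating it on the boolean is the right shape; consider whether execmod deserves the same gate or is genuinely unconditional. The replacement of the hand-written X rules with `x_client_domain($1_javaplugin, $2)` depends on the $2 argument now being a role prefix, which matches the header rename in the first hunk of this file.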
diff --git a/strict/macros/program/mail_client_macros.te b/strict/macros/program/mail_client_macros.te
new file mode 100644
index 0000000..90b9b1d
--- /dev/null
+++ b/strict/macros/program/mail_client_macros.te
@@ -0,0 +1,63 @@
+#
+# Shared macro for mail clients
+#
+# Author: Ivan Gyurdiev
+#
+
+########################################
+# mail_client_domain(client, role_prefix)
+#
+
+define(`mail_client_domain', `
+
+# Allow netstat
+# Startup shellscripts
+allow $1_t bin_t:dir r_dir_perms;
+allow $1_t bin_t:lnk_file r_file_perms;
+can_exec($1_t, bin_t)
+r_dir_file($1_t, proc_net_t)
+allow $1_t sysctl_net_t:dir search;
+
+# Allow DNS
+can_resolve($1_t)
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+can_ypbind($1_t)
+can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
+allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
+
+# Allow printing the mail
+ifdef(`cups.te',`
+allow $1_t cupsd_etc_t:dir r_dir_perms;
+allow $1_t cupsd_rw_etc_t:file r_file_perms;
+')
+ifdef(`lpr.te', `
+domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
+')
+
+# Attachments
+read_content($1_t, $2, mail)
+
+# Save mail
+write_untrusted($1_t, $2)
+
+# Encrypt mail
+ifdef(`gpg.te', `
+domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
+allow $1_t $2_gpg_t:process signal;
+')
+
+# Start links in web browser
+ifdef(`mozilla.te', `
+can_exec($1_t, shell_exec_t)
+domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
+')
+ifdef(`dbusd.te', `
+dbusd_client(system, $1)
+dbusd_client($2, $1)
+allow $1_t $2_dbusd_t:dbus send_msg;
+ifdef(`cups.te', `
+allow cupsd_t $1_t:dbus send_msg;
+')
+')
+')
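Review bot: The two comments `# Allow netstat` and `# Startup shellscripts` sit over a single rule block (`bin_t` read/exec, `proc_net_t`, `sysctl_net_t`), so it is unclear which rule serves which purpose; one comment tying them together would read better, e.g. `# Startup shell scripts run netstat: exec bin_t, read /proc/net and net sysctls`. `can_exec($1_t, bin_t)` lets every mail client run any binary labelled `bin_t`; if the scripts only need the shell, `shell_exec_t` (which the `mozilla.te` block further down already grants) would be the narrower choice, though which is needed cannot be told from here. The header `mail_client_domain(client, role_prefix)` would also help callers if it said that `$2` is used to form `$2_lpr_t`, `$2_gpg_t`, `$2_mozilla_t` and `$2_dbusd_t`.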
diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te
index c53ab4f..3980122 100644
--- a/strict/macros/program/mozilla_macros.te
+++ b/strict/macros/program/mozilla_macros.te
@@ -15,123 +15,136 @@
# The type declaration for the executable type for this program is
# provided separately in domains/program/mozilla.te.
#
+
+# FIXME: Rules were removed to centralize policy in a gnome_app macro
+# A similar thing might be necessary for mozilla compiled without GNOME
+# support (is this possible?).
+
define(`mozilla_domain',`
-x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
-# Configuration
+type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
+
+# Type transition
+if (! disable_mozilla_trans) {
+domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
+}
+role $1_r types $1_mozilla_t;
+
+# X access, Home files
home_domain($1, mozilla)
+x_client_domain($1_mozilla, $1)
+
+# GNOME integration
+ifdef(`gnome.te', `
+gnome_application($1_mozilla, $1)
+gnome_file_dialog($1_mozilla, $1)
+')
-# Allow mozilla to browse files
-file_browse_domain($1_mozilla_t)
+# Look for plugins
+allow $1_mozilla_t bin_t:dir { getattr read search };
+
+# Browse the web, connect to printer
+can_resolve($1_mozilla_t)
+can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
+allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
+
+# Should not need other ports
+dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
+dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
# Unrestricted inheritance from the caller.
allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
allow $1_mozilla_t $1_t:process signull;
-# Set resource limits and scheduling info.
-allow $1_mozilla_t self:process { setrlimit setsched };
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_mozilla_t)
+allow $1_t $1_mozilla_t:process signal_perms;
+
+# Access /proc, sysctl
+allow $1_mozilla_t proc_t:dir search;
+allow $1_mozilla_t proc_t:file { getattr read };
+allow $1_mozilla_t proc_t:lnk_file read;
+allow $1_mozilla_t sysctl_net_t:dir search;
+allow $1_mozilla_t sysctl_t:dir search;
-allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
+# /var/lib
+allow $1_mozilla_t var_lib_t:dir search;
allow $1_mozilla_t var_lib_t:file { getattr read };
-allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
+
+# Self permissions
allow $1_mozilla_t self:socket create_socket_perms;
allow $1_mozilla_t self:file { getattr read };
+allow $1_mozilla_t self:sem create_sem_perms;
-# for bash
+# for bash - old mozilla binary
+can_exec($1_mozilla_t, mozilla_exec_t)
+can_exec($1_mozilla_t, shell_exec_t)
+can_exec($1_mozilla_t, bin_t)
+allow $1_mozilla_t bin_t:lnk_file read;
allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t devpts_t:dir r_dir_perms;
-allow $1_mozilla_t proc_t:file { getattr read };
+allow $1_mozilla_t self:dir search;
+allow $1_mozilla_t self:lnk_file read;
r_dir_file($1_mozilla_t, proc_net_t)
-allow $1_mozilla_t { var_t var_lib_t }:dir search;
-
# interacting with gstreamer
r_dir_file($1_mozilla_t, var_t)
-# Write files to tmp
-tmp_domain($1_mozilla)
+# Uploads, local html
+read_content($1_mozilla_t, $1, mozilla)
-# Execute downloaded programs.
-can_exec($1_mozilla_t, $1_mozilla_tmp_t)
+# Save web pages
+write_untrusted($1_mozilla_t, $1)
-# Use printer
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-
-# Print document
-allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
-
-# Suppress history.fop denial
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
-')
-
-# ORBit sockets
-file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
-can_unix_connect($1_t, $1_mozilla_t)
-allow $1_t $1_mozilla_tmp_t:sock_file write;
-allow $1_mozilla_t $1_tmp_t:file { read write lock };
-allow $1_mozilla_t $1_tmp_t:sock_file { read write };
-dontaudit $1_mozilla_t $1_tmp_t:dir setattr;
-
-# Allow mozilla to read user home content
-if (mozilla_readhome || mozilla_writehome) {
-r_dir_file($1_mozilla_t, $1_home_t)
-} else {
-dontaudit $1_mozilla_t $1_home_t:dir setattr;
-dontaudit $1_mozilla_t $1_home_t:file setattr;
-}
+# Mozpluggerrc
+allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-if (mozilla_writehome) {
-file_type_auto_trans($1_mozilla_t, $1_home_t, $1_mozilla_home_t)
-allow $1_mozilla_t $1_home_t:dir setattr;
-allow $1_mozilla_t $1_home_t:{ file lnk_file } rw_file_perms;
-} dnl end if writehome
+######### Java plugin
+ifdef(`java.te', `
+javaplugin_domain($1_mozilla, $1)
+') dnl java.te
-allow $1_mozilla_t $1_t:unix_stream_socket connectto;
-allow $1_mozilla_t sysctl_net_t:dir search;
-allow $1_mozilla_t sysctl_t:dir search;
+######### Print web content
ifdef(`cups.te', `
allow $1_mozilla_t cupsd_etc_t:dir search;
allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
')
-allow $1_mozilla_t $1_t:tcp_socket { read write };
-
-allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-# Mozilla tries to delete .fonts.cache-1
-dontaudit $1_mozilla_t $1_home_t:file unlink;
-allow $1_mozilla_t self:sem create_sem_perms;
-
-# Java plugin
-ifdef(`java.te', `
-javaplugin_domain($1_mozilla, $1)
-')
+ifdef(`lpr.te', `
+domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
+dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
+dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+') dnl if lpr.te
-# Mplayer plugin
+######### Launch mplayer
ifdef(`mplayer.te', `
domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+')dnl end if mplayer.te
-# Read mozilla content in /tmp
-r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);
+######### Launch email client, and make webcal links work
+ifdef(`evolution.te', `
+domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
+domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+') dnl if evolution.te
-# FIXME: why does it need this?
-dontaudit $1_mplayer_t $1_mozilla_home_t:file write;
-allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-')dnl end if mplayer.te
+ifdef(`thunderbird.te', `
+domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
+') dnl if evolution.te
if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem };
+allow $1_mozilla_t self:process { execmem execstack };
}
-if (allow_execmod) {
allow $1_mozilla_t texrel_shlib_t:file execmod;
-}
+
dbusd_client(system, $1_mozilla)
+ifdef(`apache.te', `
+ifelse($1, sysadm, `', `
+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
+')
+')
')dnl end mozilla macro
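Review bot: The `mplayer.te` block contains `dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };` twice, two lines apart; drop the second copy. The closing comment after the thunderbird transition reads `') dnl if evolution.te` but closes `ifdef(`thunderbird.te'`, so it should be `') dnl if thunderbird.te`. Adding `execstack` to the rule inside `if (allow_execmem)` widens what that boolean controls without a separate tunable, and the new thunderbird macro in this commit grants `execstack` unconditionally instead, so the two siblings disagree; a comment such as `# execstack deliberately tied to allow_execmem` would record the choice here. The copied `# FIXME: Rules were removed to centralize policy in a gnome_app macro` note is fine here but is duplicated verbatim into thunderbird_macros.te, where it still talks about mozilla.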
diff --git a/strict/macros/program/mplayer_macros.te b/strict/macros/program/mplayer_macros.te
index 323edca..6d06757 100644
--- a/strict/macros/program/mplayer_macros.te
+++ b/strict/macros/program/mplayer_macros.te
@@ -6,15 +6,19 @@
# mplayer_domains(user) declares domains for mplayer, gmplayer,
# and mencoder
-##############################################
-# mplayer_common(user, mplayer domain) #
-##############################################
+#####################################################
+# mplayer_common(role_prefix, mplayer_domain) #
+#####################################################
define(`mplayer_common',`
# Read global config
r_dir_file($1_$2_t, mplayer_etc_t)
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_$2_t)
+allow $1_t $1_$2_t:process signal_perms;
+
# Read data in /usr/share (fonts, icons..)
r_dir_file($1_$2_t, usr_t)
@@ -40,8 +44,8 @@ allow $1_$2_t self:process execmem;
if (allow_execmod) {
allow $1_$2_t zero_device_t:chr_file execmod;
-allow $1_$2_t texrel_shlib_t:file execmod;
}
+allow $1_$2_t texrel_shlib_t:file execmod;
# Access to DVD/CD/V4L
allow $1_$2_t device_t:dir r_dir_perms;
@@ -58,64 +62,94 @@ allow $1_$2_t sound_device_t:chr_file execute;
}
')
-############################
-# mplayer_domain(user) #
-############################
+###################################
+# mplayer_domain(role_prefix) #
+###################################
define(`mplayer_domain',`
-# Derive from X client domain
-x_client_domain($1, `mplayer', `')
+type $1_mplayer_t, domain, nscd_client_domain;
-# Mplayer configuration here
-home_domain($1, mplayer)
+# Type transition
+domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
+role $1_r types $1_mplayer_t;
-# Allow mplayer to browse files
-file_browse_domain($1_mplayer_t)
+# Home access, X access
+home_domain($1, mplayer)
+x_client_domain($1_mplayer, $1)
# Mplayer common stuff
mplayer_common($1, mplayer)
-# Audio
+# Fork
+allow $1_mplayer_t self:process { fork signal_perms getsched };
+allow $1_mplayer_t self:fifo_file rw_file_perms;
+
+# Audio, alsa.conf
allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+allow $1_mplayer_t etc_t:file { getattr read };
+r_dir_file($1_mplayer_t, alsa_etc_rw_t);
# RTC clock
allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-# Read home directory content
-r_dir_file($1_mplayer_t, $1_home_t);
-
# Legacy domain issues
if (allow_mplayer_execstack) {
allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
}
+#======gmplayer gui==========#
+# File dialogs
+dontaudit_getattr($1_mplayer_t)
+dontaudit_read_dir($1_mplayer_t)
+dontaudit_search_dir($1_mplayer_t)
+
+# Unfortunately the ancient file dialog starts in /
+allow $1_mplayer_t home_root_t:dir read;
+
+# Read /etc/mtab
+allow $1_mplayer_t etc_runtime_t:file { read getattr };
+
+# Run bash/sed (??)
+allow $1_mplayer_t bin_t:dir search;
+allow $1_mplayer_t bin_t:lnk_file read;
+can_exec($1_mplayer_t, bin_t)
+can_exec($1_mplayer_t, shell_exec_t)
+#============================#
+
+# Read songs
+read_content($1_mplayer_t, $1)
+
') dnl end mplayer_domain
-############################
-# mencoder_domain(user) #
-############################
+###################################
+# mencoder_domain(role_prefix) #
+###################################
define(`mencoder_domain',`
-# FIXME: privhome temporarily removed...
type $1_mencoder_t, domain;
-# Transition
+# Type transition
domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-can_exec($1_mencoder_t, mencoder_exec_t)
role $1_r types $1_mencoder_t;
-# Read home config
+# Access mplayer home domain
home_domain_access($1_mencoder_t, $1, mplayer)
# Mplayer common stuff
mplayer_common($1, mencoder)
+# Read content to encode
+read_content($1_mencoder_t, $1)
+
+# Save encoded files
+write_trusted($1_mencoder_t, $1)
+
') dnl end mencoder_domain
#############################
-# mplayer_domains(user) #
+# mplayer_domains(role) #
#############################
define(`mplayer_domains', `
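Review bot: mplayer_domain and mencoder_domain no longer pass through the old x_client_domain, which also supplied `uses_shlib`, `read_locale`, `access_terminal`, `read_sysctl` and `fs_t:filesystem getattr`; the rewritten x_client_domain in this commit drops those, and the tvtime hunk re-adds them explicitly, but nothing in these two macros does. Unless mplayer_common (only partly visible in this diff) covers them, the domains lose those permissions silently, so either add them here or note in the `# Mplayer common stuff` comment that mplayer_common provides them. The three `dontaudit_getattr/read_dir/search_dir` calls under `# File dialogs` presumably suppress denials for the whole `$1_mplayer_t` domain rather than just the dialog; a comment such as `# NOTE: hides getattr/read/search denials for the whole domain; disable when debugging missing permissions` keeps that visible. `r_dir_file($1_mplayer_t, alsa_etc_rw_t);` carries a trailing `;` that the other macro calls in this hunk do not.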
diff --git a/strict/macros/program/orbit_macros.te b/strict/macros/program/orbit_macros.te
new file mode 100644
index 0000000..b2dd5d1
--- /dev/null
+++ b/strict/macros/program/orbit_macros.te
@@ -0,0 +1,44 @@
+#
+# ORBit related types
+#
+# Author: Ivan Gyurdiev
+#
+# orbit_domain(prefix, role_prefix) - create ORBit sockets
+# orbit_connect(type1_prefix, type2_prefix)
+# - allow communication through ORBit sockets from type1 to type2
+
+define(`orbit_domain', `
+
+# Protect against double inclusion for speed and correctness
+ifdef(`orbit_domain_$1_$2', `', `
+define(`orbit_domain_$1_$2')
+
+# Relabel directory (startup script)
+allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
+
+# Type for ORBit sockets
+type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
+file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
+allow $1_t tmp_t:dir { read search getattr };
+
+# Create the sockets
+allow $1_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_t self:unix_dgram_socket create_socket_perms;
+
+# Use random device(s)
+allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
+
+# Why do they do that?
+dontaudit $1_t $2_orbit_tmp_t:dir setattr;
+
+') dnl ifdef orbit_domain_args
+') dnl orbit_domain
+
+##########################
+
+define(`orbit_connect', `
+
+can_unix_connect($1_t, $2_t)
+allow $1_t $2_orbit_tmp_t:sock_file write;
+
+') dnl orbit_connect
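Review bot: The double-inclusion guard is keyed on `orbit_domain_$1_$2`, but the type it protects, `type $1_orbit_tmp_t, ...`, is keyed on `$1` alone, so two calls sharing `$1` with different `$2` would pass the guard and declare the type twice. Either key the guard on the prefix only, `ifdef(`orbit_domain_$1', `', `` / `define(`orbit_domain_$1')`, or state in the header that `$2` must be fixed for a given `$1`. The closing comment `') dnl ifdef orbit_domain_args` also names a symbol that does not exist; `') dnl ifdef orbit_domain_$1_$2` would match. Using `$1_orbit_tmp_t` in the relabel rule three lines before its `type` declaration presumably works with checkpolicy's two-pass parse, but moving the declaration first reads more naturally.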
diff --git a/strict/macros/program/pyzor_macros.te b/strict/macros/program/pyzor_macros.te
new file mode 100644
index 0000000..36b4c54
--- /dev/null
+++ b/strict/macros/program/pyzor_macros.te
@@ -0,0 +1,69 @@
+#
+# Pyzor - Pyzor is a collaborative, networked system to detect and
+# block spam using identifying digests of messages.
+#
+# Author: David Hampton
+#
+
+##########
+# common definitions for pyzord and all flavors of pyzor
+##########
+define(`pyzor_base_domain',`
+
+# Networking
+can_network_client_tcp($1_t, http_port_t);
+can_network_udp($1_t, pyzor_port_t);
+can_resolve($1_t);
+
+general_proc_read_access($1_t)
+
+tmp_domain($1)
+
+allow $1_t bin_t:dir { getattr search };
+allow $1_t bin_t:file getattr;
+allow $1_t lib_t:file { getattr read };
+allow $1_t { var_t var_lib_t var_run_t }:dir search;
+uses_shlib($1_t)
+
+# Python does a getattr on this file
+allow $1_t pyzor_exec_t:file getattr;
+
+# mktemp and other randoms
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+# Allow access to various files in the /etc/directory including mtab
+# and nsswitch
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+')
+
+
+#
+# Define a user domain for a pyzor
+#
+# Note: expects to be called with an argument of user, sysadm
+
+define(`pyzor_domain',`
+type $1_pyzor_t, domain, privlog, nscd_client_domain;
+role $1_r types $1_pyzor_t;
+domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
+
+pyzor_base_domain($1_pyzor)
+
+# Per-user config/data files
+home_domain($1, pyzor)
+file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
+
+# System config files
+r_dir_file($1_pyzor_t, pyzor_etc_t)
+
+# System data files
+r_dir_file($1_pyzor_t, pyzor_var_lib_t);
+
+allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow pyzor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_pyzor_t sshd_t:fd use;
+')
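Review bot: `can_network_client_tcp($1_t, http_port_t);`, `can_network_udp($1_t, pyzor_port_t);` and `can_resolve($1_t);` end in `;` while `general_proc_read_access($1_t)` and the other macro calls in the file do not; the macros expand to complete rules, so the extra `;` is at best an empty statement and should be dropped for consistency (the razor hunk has the same on `can_resolve($1_t);` and `r_dir_file($1_t, razor_var_lib_t);`). `allow $1_pyzor_t sshd_t:fd use;` sits under `# Allow pyzor to be run by hand`, presumably for invocations inside an ssh session; saying so would explain why sshd's descriptors are involved, e.g. `# inherit the terminal fds when started from an ssh login shell`.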
diff --git a/strict/macros/program/razor_macros.te b/strict/macros/program/razor_macros.te
new file mode 100644
index 0000000..ca681f7
--- /dev/null
+++ b/strict/macros/program/razor_macros.te
@@ -0,0 +1,75 @@
+#
+# Razor - Razor is a collaborative, networked system to detect and
+# block spam using identifying digests of messages.
+#
+# Author: David Hampton
+#
+
+##########
+# common definitions for razord and all flavors of razor
+##########
+define(`razor_base_domain',`
+
+# Razor is one executable and several symlinks
+allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+
+# Networking
+can_network_client_tcp($1_t, razor_port_t)
+can_resolve($1_t);
+
+general_proc_read_access($1_t)
+
+# Read system config file
+r_dir_file($1_t, razor_etc_t)
+
+# Update razor common files
+file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
+create_dir_file($1_t, razor_log_t)
+allow $1_t var_lib_t:dir search;
+create_dir_file($1_t, razor_var_lib_t)
+
+allow $1_t bin_t:dir { getattr search };
+allow $1_t bin_t:file getattr;
+allow $1_t lib_t:file { getattr read };
+allow $1_t { var_t var_run_t }:dir search;
+uses_shlib($1_t)
+
+# Razor forks other programs to do part of its work.
+general_domain_access($1_t)
+can_exec($1_t, bin_t)
+
+# mktemp and other randoms
+allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
+
+# Allow access to various files in the /etc/directory including mtab
+# and nsswitch
+allow $1_t { etc_t etc_runtime_t }:file { getattr read };
+read_locale($1_t)
+')
+
+
+#
+# Define a user domain for a razor
+#
+# Note: expects to be called with an argument of user, sysadm
+
+define(`razor_domain',`
+type $1_razor_t, domain, privlog, nscd_client_domain;
+role $1_r types $1_razor_t;
+domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
+
+razor_base_domain($1_razor)
+
+# Per-user config/data files
+home_domain($1, razor)
+file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
+
+tmp_domain($1_razor)
+
+allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow razor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+allow $1_razor_t $1_devpts_t:chr_file rw_file_perms;
+allow $1_razor_t sshd_t:fd use;
+')
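Review bot: `razor_log_t` and `razor_var_lib_t` are system-wide types, and every `$1_razor_t` (the note says user and sysadm) receives `create_dir_file` on both, so one user's razor instance can rewrite the shared log and data that the other users' instances read; the comment `# Update razor common files` should make the shared-writable design explicit, e.g. `# razor_log_t / razor_var_lib_t are shared by all user razor domains and writable by each of them`. `general_domain_access($1_t)` under `# Razor forks other programs to do part of its work.` is presumably a much broader grant than fork alone (its expansion is outside this diff); naming the specific permissions razor needs would let a later reader narrow it.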
diff --git a/strict/macros/program/screen_macros.te b/strict/macros/program/screen_macros.te
index ebfc619..e81a90a 100644
--- a/strict/macros/program/screen_macros.te
+++ b/strict/macros/program/screen_macros.te
@@ -21,7 +21,7 @@ undefine(`screen_domain')
ifdef(`screen.te', `
define(`screen_domain',`
# Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd;
+type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
# Transition from the user domain to this domain.
domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
@@ -81,6 +81,7 @@ dontaudit $1_screen_t shadow_t:file read;
allow $1_screen_t tmp_t:dir search;
can_network($1_screen_t)
+allow $1_screen_t port_type:tcp_socket name_connect;
can_ypbind($1_screen_t)
# get stats
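Review bot: `allow $1_screen_t port_type:tcp_socket name_connect;` permits outbound connections to every labelled port, and the uml, xserver and spamassassin/spamc hunks of this commit add the same blanket rule. If this only restores parity with the unrestricted `can_network` call above it after name_connect checks were introduced, a comment on the first occurrence would make that explicit, e.g. `# name_connect to any port: matches the unrestricted can_network grant above`; otherwise a port list, as the thunderbird and mozilla hunks use, is the tighter form. The screen_domain definition begins before this hunk.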
diff --git a/strict/macros/program/slocate_macros.te b/strict/macros/program/slocate_macros.te
index acd6195..115022b 100644
--- a/strict/macros/program/slocate_macros.te
+++ b/strict/macros/program/slocate_macros.te
@@ -25,7 +25,7 @@ allow $1_locate_t self:process signal;
allow $1_locate_t etc_t:file { getattr read };
allow $1_locate_t self:unix_stream_socket create_socket_perms;
-r_dir_file($1_locate_t,var_lib_locate_t)
+r_dir_file($1_locate_t,locate_var_lib_t)
allow $1_locate_t var_lib_t:dir search;
# Transition from the user domain to this domain.
diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te
index 2ded42a..d7678f5 100644
--- a/strict/macros/program/spamassassin_macros.te
+++ b/strict/macros/program/spamassassin_macros.te
@@ -29,7 +29,7 @@ ifdef(`using_spamassassin',`
# Note: most of this should really be in a generic macro like
# base_user_program($1, foo)
define(`spamassassin_program_domain',`
-type $1_$2_t, domain, privlog;
+type $1_$2_t, domain, privlog $3;
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
role $1_r types $1_$2_t;
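Review bot: `type $1_$2_t, domain, privlog $3;` introduces an optional third argument that the comment above the macro does not describe, and the only call site that uses it (in the spamc hunk) passes it with a leading comma, `` `, nscd_client_domain' ``; add `# $3: optional extra attributes for the domain, given with a leading comma, e.g. `, nscd_client_domain'` above the `define`. When `$3` is empty the line expands to `privlog ;`, which checkpolicy presumably accepts but reads oddly.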
@@ -44,7 +44,6 @@ allow $1_$2_t etc_runtime_t:file r_file_perms;
uses_shlib($1_$2_t)
read_locale($1_$2_t)
dontaudit $1_$2_t var_t:dir search;
-allow $1_$2_t $1_home_dir_t:dir r_dir_perms;
tmp_domain($1_$2)
allow $1_$2_t privfd:fd use;
allow $1_$2_t userpty_type:chr_file rw_file_perms;
@@ -76,16 +75,20 @@ spamassassin_program_domain($1, spamassassin)
allow $1_spamassassin_t lib_t:file rx_file_perms;
# Ignore perl digging in /proc and /var.
dontaudit $1_spamassassin_t proc_t:dir search;
+dontaudit $1_spamassassin_t proc_t:lnk_file read;
dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
# For ~/.spamassassin
home_domain($1, spamassassin)
+file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)
spamassassin_agent_privs($1_spamassassin_t, $1)
-# set tunable if you have spamassassin do DNS lookups
+can_resolve($1_spamassassin_t)
+# set tunable if you give spamassassin full network access.
if (spamassasin_can_network) {
can_network($1_spamassassin_t)
+allow $1_spamassassin_t port_type:tcp_socket name_connect;
}
if (spamassasin_can_network && allow_ypbind) {
uncond_can_ypbind($1_spamassassin_t)
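Review bot: `can_resolve($1_spamassassin_t)` is now unconditional, whereas the removed comment `# set tunable if you have spamassassin do DNS lookups` implied DNS was governed by the `spamassasin_can_network` tunable; if DNS-always-on is intended, say so next to the call, e.g. `# DNS lookups are always allowed; the tunable below only adds full network access`. The `name_connect` rule added inside the tunable covers every `port_type`, which is consistent with the unrestricted `can_network` it accompanies.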
@@ -94,13 +97,16 @@ uncond_can_ypbind($1_spamassassin_t)
# Define the domain for /usr/bin/spamc
#
ifdef(`spamc.te',`
-spamassassin_program_domain($1, spamc)
+spamassassin_program_domain($1, spamc, `, nscd_client_domain')
can_network($1_spamc_t)
+allow $1_spamc_t port_type:tcp_socket name_connect;
can_ypbind($1_spamc_t)
# Allow connecting to a local spamd
ifdef(`spamd.te',`
can_tcp_connect($1_spamc_t, spamd_t)
+can_unix_connect($1_spamc_t, spamd_t)
+allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
') dnl endif spamd.te
') dnl endif spamc.te
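Review bot: `allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;` applies the file-oriented `rw_file_perms` set to a socket file, whereas the other new socket-file rules in this commit use `{ read write }` (`xdm_tmp_t:sock_file { read write }`) or just `write` (`$2_orbit_tmp_t:sock_file write`); `allow $1_spamc_t spamd_tmp_t:sock_file { read write };` is the consistent form unless spamc needs more than connecting.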
diff --git a/strict/macros/program/thunderbird_macros.te b/strict/macros/program/thunderbird_macros.te
new file mode 100644
index 0000000..b84e41d
--- /dev/null
+++ b/strict/macros/program/thunderbird_macros.te
@@ -0,0 +1,62 @@
+#
+# Thunderbird
+#
+# Author: Ivan Gyurdiev
+#
+
+#######################################
+# thunderbird_domain(role_prefix)
+#
+
+# FIXME: Rules were removed to centralize policy in a gnome_app macro
+# A similar thing might be necessary for mozilla compiled without GNOME
+# support (is this possible?).
+
+define(`thunderbird_domain', `
+
+# Type for program
+type $1_thunderbird_t, domain, nscd_client_domain;
+
+# Transition from user type
+if (! disable_thunderbird_trans) {
+domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
+}
+role $1_r types $1_thunderbird_t;
+
+# FIXME: Why does it try to do that?
+dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
+
+# Why is thunderbird looking in .mozilla ?
+# FIXME: there are legitimate uses of invoking the browser - about -> release notes
+dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
+
+# .kde/....gtkrc
+# FIXME: support properly
+dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
+
+# X, mail common stuff
+x_client_domain($1_thunderbird, $1)
+mail_client_domain($1_thunderbird, $1)
+
+allow $1_thunderbird_t fs_t:filesystem getattr;
+
+# GNOME support
+ifdef(`gnome.te', `
+gnome_application($1_thunderbird, $1)
+gnome_file_dialog($1_thunderbird, $1)
+allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
+')
+
+# Access ~/.thunderbird
+home_domain($1, thunderbird)
+
+# RSS feeds
+can_network_client_tcp($1_thunderbird_t, http_port_t)
+allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
+
+allow $1_thunderbird_t self:process { execheap execstack };
+if (allow_execmem) {
+allow $1_thunderbird_t self:process execmem;
+}
+
+')
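Review bot: `allow $1_thunderbird_t self:process { execheap execstack };` is unconditional while `execmem` sits behind `allow_execmem` three lines below; in the mozilla hunk of this same commit `execstack` is placed inside the `allow_execmem` block, so the two siblings disagree. Either move `execstack` (and `execheap`) under the boolean, or comment why thunderbird needs them always, e.g. `# execheap/execstack required even with allow_execmem off: <reason>`. The `# FIXME:` at the top is copied from mozilla_macros.te and still talks about "mozilla compiled without GNOME"; reword it for thunderbird or drop it. The three `dontaudit` rules carrying `# FIXME` / `Why is thunderbird looking in .mozilla ?` are fine, but the `$1_mozilla_home_t` one assumes the mozilla macro is present for this `$1`, which an `ifdef(`mozilla.te'` guard would make explicit.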
diff --git a/strict/macros/program/tvtime_macros.te b/strict/macros/program/tvtime_macros.te
index acb45b1..d965ae1 100644
--- a/strict/macros/program/tvtime_macros.te
+++ b/strict/macros/program/tvtime_macros.te
@@ -19,16 +19,37 @@ undefine(`tvtime_domain')
ifdef(`tvtime.te', `
define(`tvtime_domain',`
+# Type transition
+type $1_tvtime_t, domain, nscd_client_domain;
+domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
+role $1_r types $1_tvtime_t;
+
+# X access, Home files
home_domain($1, tvtime)
-x_client_domain($1, tvtime)
+file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
+x_client_domain($1_tvtime, $1)
+
+uses_shlib($1_tvtime_t)
+read_locale($1_tvtime_t)
+read_sysctl($1_tvtime_t)
+access_terminal($1_tvtime_t, $1)
+
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_tvtime_t)
+allow $1_t $1_tvtime_t:process signal_perms;
+
+# Read /etc/tvtime
+allow $1_tvtime_t etc_t:file { getattr read };
+
+# Tmp files
+tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
allow $1_tvtime_t urandom_device_t:chr_file read;
allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file read;
+allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
allow $1_tvtime_t $1_home_t:dir { getattr read search };
allow $1_tvtime_t $1_home_t:file { getattr read };
-tmp_domain($1_tvtime)
allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
allow $1_tvtime_t self:process setsched;
allow $1_tvtime_t usr_t:file { getattr read };
diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te
index 654b794..9b87775 100644
--- a/strict/macros/program/uml_macros.te
+++ b/strict/macros/program/uml_macros.te
@@ -91,6 +91,7 @@ allow $1_uml_t $1_t:unix_dgram_socket sendto;
# Use the network.
can_network($1_uml_t)
+allow $1_uml_t port_type:tcp_socket name_connect;
can_ypbind($1_uml_t)
# for xterm
diff --git a/strict/macros/program/vmware_macros.te b/strict/macros/program/vmware_macros.te
index b306f08..bb0914a 100644
--- a/strict/macros/program/vmware_macros.te
+++ b/strict/macros/program/vmware_macros.te
@@ -28,11 +28,6 @@ type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
# The user file type for the VMWare configuration files
type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-# for compatibility with older policy versions
-typealias $1_vmware_t alias vmware_$1_t;
-typealias $1_vmware_file_t alias vmware_$1_file_t;
-typealias $1_vmware_conf_t alias vmware_$1_conf_t;
-
#############################################################
# User rules for running VMWare
#
diff --git a/strict/macros/program/x_client_macros.te b/strict/macros/program/x_client_macros.te
index aef31ad..adce9f0 100644
--- a/strict/macros/program/x_client_macros.te
+++ b/strict/macros/program/x_client_macros.te
@@ -1,5 +1,5 @@
#
-# Macros for X client programs ($2 etc)
+# Macros for X client programs
#
#
@@ -8,152 +8,87 @@
# and Timothy Fraser
#
+# Allows clients to write to the X server's shm
+bool allow_write_xshm false;
+
define(`xsession_domain', `
# Connect to xserver
can_unix_connect($1_t, $2_xserver_t)
-# /tmp/.ICE_unix
-allow $1_t $2_xserver_tmp_t:dir search;
-allow $1_t $2_xserver_tmp_t:sock_file rw_file_perms;
-
-# Stat /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file getattr;
+# Read /tmp/.X0-lock
+allow $1_t $2_xserver_tmp_t:file { getattr read };
# Signal Xserver
allow $1_t $2_xserver_t:process signal;
-# Use file descriptors created by each other.
-allow $1_t $2_xserver_t:fd use;
+# Xserver read/write client shm
allow $2_xserver_t $1_t:fd use;
-
-# Xserver read/write parent shm
allow $2_xserver_t $1_t:shm rw_shm_perms;
allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-# Parent read xserver shm
+# Client read xserver shm
+allow $1_t $2_xserver_t:fd use;
allow $1_t $2_xserver_t:shm r_shm_perms;
allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
+
+# Client write xserver shm
+if (allow_write_xshm) {
+allow $1_t $2_xserver_t:shm rw_shm_perms;
+allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
+}
+
')
#
-# x_client_domain(domain_prefix)
-#
-# Define a derived domain for an X program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program ($2_exec_t)
-# must be provided separately!
+# x_client_domain(client, role)
#
-# The first parameter is the base name for the domain/role (EG user or sysadm)
-# The second parameter is the program name (EG $2)
-# The third parameter is the attributes for the domain (if any)
+# Defines common X access rules for the client domain
#
define(`x_client_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_$2_t, domain, nscd_client_domain $3;
-
-ifelse(index(`$3', `transitionbool'), -1, `
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-can_exec($1_$2_t, $2_exec_t)
-', `
-# Only do it once
-ifelse($1, user, `
-bool disable_$2 false;
-')
-# Transition from the user domain to the derived domain.
-if (! disable_$2) {
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-can_exec($1_$2_t, $2_exec_t)
-}
-')
-# The user role is authorized for this domain.
-role $1_r types $1_$2_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network($1_$2_t)
-can_ypbind($1_$2_t)
-allow $1_$2_t self:process { fork signal_perms getsched };
-allow $1_$2_t self:unix_dgram_socket create_socket_perms;
-allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow $1_$2_t self:fifo_file rw_file_perms;
-allow $1_$2_t etc_runtime_t:file { getattr read };
-allow $1_$2_t etc_t:lnk_file read;
-allow $1_$2_t fs_t:filesystem getattr;
-access_terminal($1_$2_t, $1)
-read_locale($1_$2_t)
-r_dir_file($1_$2_t, readable_t)
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:lnk_file read;
-allow $1_$2_t self:dir search;
-allow $1_$2_t self:lnk_file read;
-read_sysctl($1_$2_t)
+# Create socket to communicate with X server
+allow $1_t self:unix_dgram_socket create_socket_perms;
+allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
+# Read .Xauthority file
ifdef(`xauth.te',`
-allow $1_$2_t $1_xauth_home_t:file { getattr read };
+allow $1_t home_root_t:dir { search getattr };
+allow $1_t $2_home_dir_t:dir { search getattr };
+allow $1_t $2_xauth_home_t:file { getattr read };
')
-# Allow the user domain to send any signal to the $2 process.
-allow $1_t $1_$2_t:process signal_perms;
-
-# Allow the user domain to read the /proc/PID directory for
-# the $2 process.
-allow $1_t $1_$2_t:dir r_dir_perms;
-allow $1_t $1_$2_t:notdevfile_class_set r_file_perms;
-
-# Allow use of /dev/zero by ld.so.
-allow $1_$2_t device_t:dir search;
-allow $1_$2_t zero_device_t:chr_file rw_file_perms;
-allow $1_$2_t zero_device_t:chr_file x_file_perms;
-
-# allow using shared libraries and running programs
-uses_shlib($1_$2_t)
-allow $1_$2_t { bin_t sbin_t }:dir search;
-allow $1_$2_t bin_t:lnk_file read;
-can_exec($1_$2_t, { shell_exec_t bin_t })
-allow $1_$2_t etc_t:file { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;')
-allow $1_$2_t privfd:fd use;
-
# for .xsession-errors
-dontaudit $1_$2_t $1_home_t:file write;
+dontaudit $1_t $2_home_t:file write;
# for X over a ssh tunnel
ifdef(`ssh.te', `
-can_tcp_connect($1_$2_t, sshd_t)
+can_tcp_connect($1_t, sshd_t)
')
-# Read the home directory, e.g. for .Xauthority and to get to config files
-allow $1_$2_t home_root_t:dir { search getattr };
-
# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1_$2)
-
-allow $1_$2_t self:shm create_shm_perms;
+tmpfs_domain($1)
+allow $1_t self:shm create_shm_perms;
# allow X client to read all font files
-r_dir_file($1_$2_t, fonts_t)
+read_fonts($1_t, $2)
# Allow connections to X server.
ifdef(`xserver.te', `
-allow $1_$2_t tmp_t:dir search;
+allow $1_t tmp_t:dir search;
ifdef(`xdm.te', `
-xsession_domain($1_$2, xdm)
+xsession_domain($1, xdm)
# for when /tmp/.X11-unix is created by the system
-allow $1_$2_t xdm_t:fifo_file rw_file_perms;
-allow $1_$2_t xdm_tmp_t:dir search;
-allow $1_$2_t xdm_tmp_t:sock_file { read write };
-allow $1_$2_t xdm_t:fd use;
-dontaudit $1_$2_t xdm_t:tcp_socket { read write };
+can_pipe_xdm($1_t)
+allow $1_t xdm_tmp_t:dir search;
+allow $1_t xdm_tmp_t:sock_file { read write };
+dontaudit $1_t xdm_t:tcp_socket { read write };
')
ifdef(`startx.te', `
-xsession_domain($1_$2, $1)
+xsession_domain($1, $2)
')dnl end startx
')dnl end xserver
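Review bot: The new header `# x_client_domain(client, role)` does not say that, unlike the macro it replaces, this one no longer declares the type, the `domain_auto_trans` or the `role ... types` line, nor the general permissions the old body carried (`uses_shlib`, `read_locale`, `access_terminal`, `read_sysctl`, `can_network`); every caller now has to supply those, as the mozilla, mplayer and tvtime hunks do. Suggested wording: `# $1: client domain prefix (rules use $1_t); $2: user/role prefix for $2_home_t, $2_xauth_home_t and the startx xserver. Caller declares the type, transition and role.` In xsession_domain the comment `# Xserver read/write client shm` now sits over `allow $2_xserver_t $1_t:fd use;` and `# Client read xserver shm` over `allow $1_t $2_xserver_t:fd use;`; grouping the two fd rules under their own `# Exchange file descriptors` comment keeps the shm comments accurate. `bool allow_write_xshm false;` defaults to the restrictive side, which is right; noting above it that it applies to every xsession_domain caller would help administrators.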
diff --git a/strict/macros/program/xauth_macros.te b/strict/macros/program/xauth_macros.te
index 405f151..ca7a5ee 100644
--- a/strict/macros/program/xauth_macros.te
+++ b/strict/macros/program/xauth_macros.te
@@ -24,6 +24,7 @@ type $1_xauth_t, domain;
allow $1_xauth_t self:process signal;
home_domain($1, xauth)
+file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
# Transition from the user domain to this domain.
domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
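Review bot: The new `file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)` has no comment, so a reader cannot tell which files it is meant to label. The comment removed in the earlier x client hunk mentions .Xauthority in the home directory, which is presumably what xauth creates here, so a one-line comment would help: `# Files xauth creates in the home dir (e.g. .Xauthority) get the per-user xauth home type`. The xserver hunk later in this commit reads `$1_xauth_home_t:file`, so this transition is what makes those files carry that type; worth stating the dependency. The enclosing macro definition starts and ends outside the hunk.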
diff --git a/strict/macros/program/xdm_macros.te b/strict/macros/program/xdm_macros.te
new file mode 100644
index 0000000..404b877
--- /dev/null
+++ b/strict/macros/program/xdm_macros.te
@@ -0,0 +1,11 @@
+########################################
+#
+# can_pipe_xdm(domain)
+#
+# Allow communication to xdm over a pipe
+#
+
+define(`can_pipe_xdm', `
+allow $1 xdm_t:fd use;
+allow $1 xdm_t:fifo_file { getattr read write ioctl };
+') dnl can_pipe_xdm
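Review bot: The fifo_file permission set `{ getattr read write ioctl }` replaces the `rw_file_perms` the x client macro granted before (see the xsession hunk earlier in this commit), and if rw_file_perms also covers lock and append this is a deliberate narrowing that the macro comment should state, e.g. `# fifo_file: getattr/read/write/ioctl only; lock/append are not granted on the xdm pipe`. The header should also name the argument's expected kind, since the macro takes a domain type rather than a user prefix: `# can_pipe_xdm(domain_type)`; the existing call site passes `$1_t`.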
diff --git a/strict/macros/program/xserver_macros.te b/strict/macros/program/xserver_macros.te
index adbe7f7..e2eaf82 100644
--- a/strict/macros/program/xserver_macros.te
+++ b/strict/macros/program/xserver_macros.te
@@ -52,20 +52,19 @@ can_exec($1_xserver_t, xserver_exec_t)
uses_shlib($1_xserver_t)
-if (allow_execmod) {
allow $1_xserver_t texrel_shlib_t:file execmod;
-}
can_network($1_xserver_t)
+allow $1_xserver_t port_type:tcp_socket name_connect;
can_ypbind($1_xserver_t)
allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
# for access within the domain
general_domain_access($1_xserver_t)
-if (allow_execmem) {
allow $1_xserver_t self:process execmem;
-}
+# Until the X module loader is fixed.
+allow $1_xserver_t self:process execheap;
allow $1_xserver_t etc_runtime_t:file { getattr read };
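Review bot: `allow $1_xserver_t port_type:tcp_socket name_connect;` grants the X server outbound connects on every labeled port, and nothing in the hunk says which peers it has to reach; either use a narrower port type or add a comment naming them so the grant can be reviewed. In the same hunk the `allow_execmod` and `allow_execmem` conditionals are removed, so execmod on texrel_shlib_t and execmem become unconditional, and execheap is added with only `# Until the X module loader is fixed.`; record what fails without these so the exceptions can be retired later, e.g. `# execmem/execheap/execmod: needed by the X module loader; drop when it stops generating code at runtime`. The enclosing macro starts and ends outside the hunk.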
@@ -76,6 +75,12 @@ role system_r types xdm_xserver_t;
allow xdm_xserver_t init_t:fd use;
dontaudit xdm_xserver_t home_dir_type:dir { read search };
+
+# Read all global and per user fonts
+read_fonts($1_xserver_t, sysadm)
+read_fonts($1_xserver_t, staff)
+read_fonts($1_xserver_t, user)
+
', `
# The user role is authorized for this domain.
role $1_r types $1_xserver_t;
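Review bot: The three `read_fonts($1_xserver_t, …)` calls hard-code the sysadm, staff and user prefixes inside the xdm branch, so if any further user domain is defined elsewhere its fonts will not be readable by the display manager's X server and nothing here will flag it. A comment should at least make the coupling visible, e.g. `# Keep in sync with the set of user domains; each needs its own read_fonts entry`. The enclosing macro definition and the ifdef branch start outside the hunk.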
@@ -89,12 +94,13 @@ allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
can_unix_connect($1_t, $1_xserver_t)
+# Read fonts
+read_fonts($1_xserver_t, $1)
+
# Access the home directory.
allow $1_xserver_t home_root_t:dir search;
allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-if (allow_xserver_home_fonts) {
-r_dir_file($1_xserver_t, $1_home_t)
-}
+
ifdef(`xauth.te', `
domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
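Review bot: Replacing the `if (allow_xserver_home_fonts)` block with an unconditional `read_fonts($1_xserver_t, $1)` drops the boolean gate; the comment in the previous hunk says read_fonts covers per-user fonts, so if it grants read on a type under the user's home directory the administrator can no longer switch that off at runtime. If the boolean is being retired on purpose, say so in the comment (`# Read fonts (per-user font access is no longer tunable via allow_xserver_home_fonts)`); otherwise keep the call inside the same `if` block. The added blank line where the block used to be can also be dropped.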
@@ -171,8 +177,6 @@ allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
ifdef(`xdm.te', `
allow $1_t xdm_tmp_t:sock_file unlink;
allow $1_xserver_t xdm_var_run_t:dir search;
-# for /tmp/.ICE-unix
-file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
')
# Signal the user domain.
@@ -258,10 +262,8 @@ allow $1_xserver_t pam_var_console_t:dir search;
dontaudit $1_xserver_t selinux_config_t:dir search;
allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
+rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-# for fonts
-r_dir_file($1_xserver_t, fonts_t)
')dnl end macro definition
', `
diff --git a/strict/mls b/strict/mls
index 3126db6..5f50906 100644
--- a/strict/mls
+++ b/strict/mls
@@ -160,16 +160,16 @@ category c127;
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
-level s0:c0 . c127;
-level s1:c0 . c127;
-level s2:c0 . c127;
-level s3:c0 . c127;
-level s4:c0 . c127;
-level s5:c0 . c127;
-level s6:c0 . c127;
-level s7:c0 . c127;
-level s8:c0 . c127;
-level s9:c0 . c127;
+level s0:c0.c127;
+level s1:c0.c127;
+level s2:c0.c127;
+level s3:c0.c127;
+level s4:c0.c127;
+level s5:c0.c127;
+level s6:c0.c127;
+level s7:c0.c127;
+level s8:c0.c127;
+level s9:c0.c127;
#
@@ -217,7 +217,7 @@ level s9:c0 . c127;
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
-# new file labels must be dominated by the relabeling subject's clearance
+# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
@@ -257,10 +257,10 @@ mlsconstrain dir { add_name remove_name reparent rmdir }
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
-# file { execute_no_trans entrypoint }
+# { file chr_file } { execute_no_trans entrypoint execmod }
# the file upgrade/downgrade rule
-mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
+mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
@@ -272,7 +272,7 @@ mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
-# default to the process' sensitivity level)
+# default to the process sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
@@ -290,7 +290,7 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
# MLS policy for the filesystem class
#
-# new filesystem labels must be dominated by the relabeling subject's clearance
+# new filesystem labels must be dominated by the relabeling subject clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
@@ -316,7 +316,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
# MLS policy for the socket classes
#
-# new socket labels must be dominated by the relabeling subject's clearance
+# new socket labels must be dominated by the relabeling subject clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
@@ -326,32 +326,24 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
-mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
- (( l1 dom l2 ) or
- (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
-
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
- (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
-
-mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+#
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
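Review bot: Dropping the `acceptfrom` and `{ connectto newconn }` constraints and listing them under "no MLS restrictions" means a stream connection between sockets at different levels is no longer blocked at the peer-socket check, and the hunk gives no reason. If those permissions are now covered by the `write` check added to the write-ops constraint (with `write` moved out of the unrestricted list), state that next to the new comment line, e.g. `# connectto/newconn/acceptfrom: peer flow is mediated by the read/write checks above`. Otherwise this is a silent relaxation of the MLS policy that should be confirmed as intended before merging.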
@@ -411,21 +403,20 @@ mlsconstrain msg send
#
-# MLS policy for the node class
+# MLS policy for the network object classes
#
-# these access vectors have no MLS restrictions
-# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
-
-
+# the netif/node "read" ops (implicit single level socket doing the read)
+# (note the check is dominance of the low level)
+mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
+ (( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-#
-# MLS policy for the netif class
-#
+# the netif/node "write" ops (implicit single level socket doing the write)
+mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+ (( l1 dom l2 ) and ( l1 domby h2 ));
# these access vectors have no MLS restrictions
-# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+# { netif node } { enforce_dest }
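Review bot: The two new constraints name the classes in different orders, `{ node netif }` for the recv ops and `{ netif node }` for the send ops, while the closing comment uses `{ netif node }`; pick one order so the pair reads as parallel rules. The send constraint also has no override type analogous to `mlsnetrecvall` on the recv side or `mlsnetwrite` on the socket write ops earlier in the file, so no process can be exempted from it; if that is intentional, a comment such as `# no write override: every sender must satisfy the range check` would make it explicit.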
@@ -457,7 +448,7 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
@@ -739,4 +730,3 @@ mlsconstrain xextension use
# these access vectors have no MLS restrictions
# association { sendto recvfrom }
-
diff --git a/strict/net_contexts b/strict/net_contexts
index acf0301..49f6862 100644
--- a/strict/net_contexts
+++ b/strict/net_contexts
@@ -28,7 +28,7 @@ portcon tcp 19 system_u:object_r:inetd_child_port_t
portcon udp 19 system_u:object_r:inetd_child_port_t
portcon tcp 37 system_u:object_r:inetd_child_port_t
portcon udp 37 system_u:object_r:inetd_child_port_t
-portcon tcp 113 system_u:object_r:inetd_child_port_t
+portcon tcp 113 system_u:object_r:auth_port_t
portcon tcp 512 system_u:object_r:inetd_child_port_t
portcon tcp 543 system_u:object_r:inetd_child_port_t
portcon tcp 544 system_u:object_r:inetd_child_port_t
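Review bot: Relabeling tcp 113 from inetd_child_port_t to auth_port_t changes which domains may name_bind or name_connect on the ident port; an inetd-spawned ident service that relied on inetd_child_port_t now needs a rule for auth_port_t, and nothing in this hunk shows one. Confirm that auth_port_t is declared and granted in the matching policy files, and note the intent above the entry, e.g. `# ident/auth (113/tcp) gets its own port type rather than the generic inetd child type`.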
diff --git a/strict/users b/strict/users
index dac2092..19e6842 100644
--- a/strict/users
+++ b/strict/users
@@ -47,4 +47,4 @@ user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
# sample for regular user
-#user jdoe roles { user_r };
+#user jdoe roles { user_r };